From 91b0736ced0922f62b0a070bf960e211b20d9055 Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Wed, 1 Jan 2025 23:58:47 +0100 Subject: [PATCH] translations 1 --- .github/pull_request_template.md | 1 + .github/workflows/translate_af.yml | 2 +- .github/workflows/translate_de.yml | 2 +- .github/workflows/translate_el.yml | 2 +- .github/workflows/translate_es.yml | 2 +- .github/workflows/translate_fr.yml | 2 +- .github/workflows/translate_in.yml | 2 +- .github/workflows/translate_it.yml | 2 +- .github/workflows/translate_ja.yml | 2 +- .github/workflows/translate_ko.yml | 2 +- .github/workflows/translate_pl.yml | 2 +- .github/workflows/translate_pt.yml | 2 +- .github/workflows/translate_sr.yml | 2 +- .github/workflows/translate_sw.yml | 2 +- .github/workflows/translate_tr.yml | 2 +- .github/workflows/translate_uk.yml | 2 +- .github/workflows/translate_zh.yml | 2 +- book.toml | 2 +- src/1911-pentesting-fox.md | 1 + src/6881-udp-pentesting-bittorrent.md | 1 + src/LICENSE.md | 1 + src/android-forensics.md | 1 + src/burp-suite.md | 1 + src/emails-vulns.md | 1 + src/interesting-http.md | 1 + src/online-platforms-with-api.md | 1 + src/pentesting-web/file-inclusion/README.md | 1 + ...ompress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md | 1 + .../file-inclusion/lfi2rce-via-eternal-waiting.md | 1 + .../file-inclusion/lfi2rce-via-nginx-temp-files.md | 1 + src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md | 1 + src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md | 1 + .../file-inclusion/lfi2rce-via-segmentation-fault.md | 1 + .../file-inclusion/lfi2rce-via-temp-file-uploads.md | 1 + src/pentesting-web/file-inclusion/phar-deserialization.md | 1 + .../file-inclusion/via-php_session_upload_progress.md | 1 + src/pentesting-web/file-upload/README.md | 1 + .../file-upload/pdf-upload-xxe-and-cors-bypass.md | 1 + src/pentesting-web/hacking-with-cookies/README.md | 1 + src/pentesting-web/hacking-with-cookies/cookie-bomb.md | 1 + src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md | 1 + src/pentesting-web/hacking-with-cookies/cookie-tossing.md | 1 + src/pentesting-web/http-request-smuggling/README.md | 1 + .../http-request-smuggling/browser-http-request-smuggling.md | 1 + .../request-smuggling-in-http-2-downgrades.md | 1 + src/pentesting-web/login-bypass/README.md | 1 + src/pentesting-web/login-bypass/sql-login-bypass.md | 1 + src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md | 1 + .../pocs-and-polygloths-cheatsheet/web-vulns-list.md | 1 + src/pentesting-web/postmessage-vulnerabilities/README.md | 1 + .../blocking-main-page-to-steal-postmessage.md | 1 + .../postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md | 1 + .../postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md | 1 + .../steal-postmessage-modifying-iframe-location.md | 1 + src/pentesting-web/saml-attacks/README.md | 1 + src/pentesting-web/saml-attacks/saml-basics.md | 1 + src/pentesting-web/sql-injection/README.md | 1 + src/pentesting-web/sql-injection/cypher-injection-neo4j.md | 1 + src/pentesting-web/sql-injection/ms-access-sql-injection.md | 1 + src/pentesting-web/sql-injection/mssql-injection.md | 1 + src/pentesting-web/sql-injection/mysql-injection/README.md | 1 + src/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md | 1 + src/pentesting-web/sql-injection/oracle-injection.md | 1 + src/pentesting-web/sql-injection/postgresql-injection/README.md | 1 + .../postgresql-injection/big-binary-files-upload-postgresql.md | 1 + .../postgresql-injection/dblink-lo_import-data-exfiltration.md | 1 + ...vesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md | 1 + .../postgresql-injection/pl-pgsql-password-bruteforce.md | 1 + .../postgresql-injection/rce-with-postgresql-extensions.md | 1 + .../postgresql-injection/rce-with-postgresql-languages.md | 1 + src/pentesting-web/sql-injection/sqlmap.md | 1 + src/pentesting-web/sql-injection/sqlmap/README.md | 1 + .../sql-injection/sqlmap/second-order-injection-sqlmap.md | 1 + src/pentesting-web/ssrf-server-side-request-forgery/README.md | 1 + .../ssrf-server-side-request-forgery/cloud-ssrf.md | 1 + .../ssrf-vulnerable-platforms.md | 1 + .../ssrf-server-side-request-forgery/url-format-bypass.md | 1 + .../ssti-server-side-template-injection/README.md | 1 + .../el-expression-language.md | 1 + .../ssti-server-side-template-injection/jinja2-ssti.md | 1 + src/pentesting-web/unicode-injection/README.md | 1 + src/pentesting-web/unicode-injection/unicode-normalization.md | 1 + src/pentesting-web/web-vulnerabilities-methodology/README.md | 1 + src/pentesting-web/xs-search/README.md | 1 + .../xs-search/connection-pool-by-destination-example.md | 1 + src/pentesting-web/xs-search/connection-pool-example.md | 1 + src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md | 1 + src/pentesting-web/xs-search/css-injection/README.md | 1 + .../xs-search/css-injection/css-injection-code.md | 1 + .../xs-search/event-loop-blocking-+-lazy-images.md | 1 + src/pentesting-web/xs-search/javascript-execution-xs-leak.md | 1 + .../xs-search/performance.now-+-force-heavy-task.md | 1 + src/pentesting-web/xs-search/performance.now-example.md | 1 + src/pentesting-web/xs-search/url-max-length-client-side.md | 1 + src/pentesting-web/xss-cross-site-scripting/README.md | 1 + .../xss-cross-site-scripting/abusing-service-workers.md | 1 + .../xss-cross-site-scripting/chrome-cache-to-xss.md | 1 + .../xss-cross-site-scripting/debugging-client-side-js.md | 1 + src/pentesting-web/xss-cross-site-scripting/dom-clobbering.md | 1 + src/pentesting-web/xss-cross-site-scripting/dom-invader.md | 1 + src/pentesting-web/xss-cross-site-scripting/dom-xss.md | 1 + .../xss-cross-site-scripting/iframes-in-xss-and-csp.md | 1 + src/pentesting-web/xss-cross-site-scripting/integer-overflow.md | 1 + src/pentesting-web/xss-cross-site-scripting/js-hoisting.md | 1 + src/pentesting-web/xss-cross-site-scripting/other-js-tricks.md | 1 + src/pentesting-web/xss-cross-site-scripting/pdf-injection.md | 1 + .../xss-cross-site-scripting/server-side-xss-dynamic-pdf.md | 1 + src/pentesting-web/xss-cross-site-scripting/shadow-dom.md | 1 + src/pentesting-web/xss-cross-site-scripting/sniff-leak.md | 1 + .../some-same-origin-method-execution.md | 1 + src/pentesting-web/xss-cross-site-scripting/steal-info-js.md | 1 + src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md | 1 + src/physical-attacks/escaping-from-gui-applications/README.md | 1 + src/physical-attacks/firmware-analysis/README.md | 1 + src/physical-attacks/firmware-analysis/bootloader-testing.md | 1 + src/physical-attacks/firmware-analysis/firmware-integrity.md | 1 + src/physical-attacks/physical-attacks.md | 1 + src/radio-hacking/README.md | 1 + src/radio-hacking/low-power-wide-area-network.md | 1 + src/radio-hacking/pentesting-ble-bluetooth-low-energy.md | 1 + src/radio-hacking/pentesting-rfid.md | 1 + .../linux-exploiting-basic-esp/arbitrary-write-2-exec/README.md | 1 + .../arbitrary-write-2-exec/aw2exec-__malloc_hook.md | 1 + .../arbitrary-write-2-exec/aw2exec-got-plt.md | 1 + .../arbitrary-write-2-exec/aws2exec-.dtors-and-.fini_array.md | 1 + .../common-binary-protections-and-bypasses/README.md | 1 + .../common-binary-protections-and-bypasses/aslr/README.md | 1 + .../common-binary-protections-and-bypasses/aslr/ret2plt.md | 1 + .../common-binary-protections-and-bypasses/no-exec-nx.md | 1 + .../common-binary-protections-and-bypasses/pie/README.md | 1 + .../pie/bypassing-canary-and-pie.md | 1 + .../common-binary-protections-and-bypasses/relro.md | 1 + .../stack-canaries/README.md | 1 + .../stack-canaries/bf-forked-stack-canaries.md | 1 + .../stack-canaries/print-stack-canary.md | 1 + .../linux-exploiting-basic-esp/common-exploiting-problems.md | 1 + .../linux-exploiting-basic-esp/elf-tricks.md | 1 + .../linux-exploiting-basic-esp/format-strings/README.md | 1 + .../format-strings/format-strings-template.md | 1 + .../linux-exploiting-basic-esp/one-gadget.md | 1 + .../linux-exploiting-basic-esp/stack-overflow/README.md | 1 + .../stack-overflow/pointer-redirecting.md | 1 + .../linux-exploiting-basic-esp/stack-overflow/ret2csu.md | 1 + .../linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md | 1 + .../stack-overflow/ret2esp-ret2reg.md | 1 + .../linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md | 1 + .../stack-overflow/ret2lib/rop-leaking-libc-address/README.md | 1 + .../rop-leaking-libc-address/rop-leaking-libc-template.md | 1 + .../linux-exploiting-basic-esp/stack-overflow/ret2ret.md | 1 + .../linux-exploiting-basic-esp/stack-overflow/ret2win.md | 1 + .../stack-overflow/rop-return-oriented-programing.md | 1 + .../stack-overflow/rop-syscall-execv.md | 1 + .../stack-overflow/srop-sigreturn-oriented-programming.md | 1 + .../stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md | 1 + .../stack-overflow/stack-shellcode.md | 1 + src/reversing/common-api-used-in-malware.md | 1 + src/reversing/cryptographic-algorithms/README.md | 1 + src/reversing/cryptographic-algorithms/unpacking-binaries.md | 1 + src/reversing/reversing-tools-basic-methods/README.md | 1 + src/reversing/reversing-tools-basic-methods/angr/README.md | 1 + .../reversing-tools-basic-methods/angr/angr-examples.md | 1 + src/reversing/reversing-tools-basic-methods/blobrunner.md | 1 + src/reversing/reversing-tools-basic-methods/cheat-engine.md | 1 + .../satisfiability-modulo-theories-smt-z3.md | 1 + src/reversing/reversing-tools/README.md | 1 + src/reversing/reversing-tools/blobrunner.md | 1 + src/reversing/word-macros.md | 1 + src/stego/esoteric-languages.md | 1 + src/stego/stego-tricks.md | 1 + src/todo/6881-udp-pentesting-bittorrent.md | 1 + src/todo/android-forensics.md | 1 + src/todo/burp-suite.md | 1 + src/todo/cookies-policy.md | 1 + src/todo/hardware-hacking/README.md | 1 + src/todo/hardware-hacking/fault_injection_attacks.md | 1 + src/todo/hardware-hacking/i2c.md | 1 + src/todo/hardware-hacking/jtag.md | 1 + src/todo/hardware-hacking/radio.md | 1 + src/todo/hardware-hacking/side_channel_analysis.md | 1 + src/todo/hardware-hacking/spi.md | 1 + src/todo/hardware-hacking/uart.md | 1 + src/todo/industrial-control-systems-hacking/README.md | 1 + src/todo/industrial-control-systems-hacking/modbus.md | 1 + src/todo/interesting-http.md | 1 + src/todo/investment-terms.md | 1 + src/todo/llm-training-data-preparation/0.-basic-llm-concepts.md | 1 + src/todo/llm-training-data-preparation/1.-tokenizing.md | 1 + src/todo/llm-training-data-preparation/2.-data-sampling.md | 1 + src/todo/llm-training-data-preparation/3.-token-embeddings.md | 1 + .../llm-training-data-preparation/4.-attention-mechanisms.md | 1 + src/todo/llm-training-data-preparation/5.-llm-architecture.md | 1 + .../6.-pre-training-and-loading-models.md | 1 + .../7.0.-lora-improvements-in-fine-tuning.md | 1 + .../7.1.-fine-tuning-for-classification.md | 1 + .../7.2.-fine-tuning-to-follow-instructions.md | 1 + src/todo/llm-training-data-preparation/README.md | 1 + src/todo/misc.md | 1 + src/todo/more-tools.md | 1 + src/todo/online-platforms-with-api.md | 1 + src/todo/other-web-tricks.md | 1 + src/todo/pentesting-dns.md | 1 + src/todo/post-exploitation.md | 1 + src/todo/radio-hacking/README.md | 1 + src/todo/radio-hacking/fissure-the-rf-framework.md | 1 + src/todo/radio-hacking/flipper-zero/README.md | 1 + src/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md | 1 + src/todo/radio-hacking/flipper-zero/fz-ibutton.md | 1 + src/todo/radio-hacking/flipper-zero/fz-infrared.md | 1 + src/todo/radio-hacking/flipper-zero/fz-nfc.md | 1 + src/todo/radio-hacking/flipper-zero/fz-sub-ghz.md | 1 + src/todo/radio-hacking/ibutton.md | 1 + src/todo/radio-hacking/infrared.md | 1 + src/todo/radio-hacking/low-power-wide-area-network.md | 1 + src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md | 1 + src/todo/radio-hacking/pentesting-rfid.md | 1 + src/todo/radio-hacking/proxmark-3.md | 1 + src/todo/radio-hacking/sub-ghz-rf.md | 1 + src/todo/references.md | 1 + src/todo/rust-basics.md | 1 + .../stealing-sensitive-information-disclosure-from-a-web.md | 1 + src/todo/test-llms.md | 1 + src/todo/tr-069.md | 1 + src/welcome/about-the-author.md | 1 + src/welcome/hacktricks-values-and-faq.md | 1 + src/windows-hardening/active-directory-methodology/README.md | 1 + .../active-directory-methodology/abusing-ad-mssql.md | 1 + .../acl-persistence-abuse/README.md | 1 + .../acl-persistence-abuse/shadow-credentials.md | 1 + .../active-directory-methodology/ad-certificates.md | 1 + .../active-directory-methodology/ad-certificates/README.md | 1 + .../ad-certificates/account-persistence.md | 1 + .../ad-certificates/certificate-theft.md | 1 + .../ad-certificates/domain-escalation.md | 1 + .../ad-certificates/domain-persistence.md | 1 + .../active-directory-methodology/ad-dns-records.md | 1 + .../active-directory-methodology/ad-information-in-printers.md | 1 + .../active-directory-methodology/asreproast.md | 1 + .../active-directory-methodology/bloodhound.md | 1 + .../active-directory-methodology/constrained-delegation.md | 1 + .../active-directory-methodology/custom-ssp.md | 1 + src/windows-hardening/active-directory-methodology/dcshadow.md | 1 + src/windows-hardening/active-directory-methodology/dcsync.md | 1 + .../active-directory-methodology/diamond-ticket.md | 1 + .../active-directory-methodology/dsrm-credentials.md | 1 + .../external-forest-domain-one-way-outbound.md | 1 + .../external-forest-domain-oneway-inbound.md | 1 + .../active-directory-methodology/golden-ticket.md | 1 + .../active-directory-methodology/kerberoast.md | 1 + .../active-directory-methodology/kerberos-authentication.md | 1 + .../active-directory-methodology/kerberos-double-hop-problem.md | 1 + src/windows-hardening/active-directory-methodology/laps.md | 1 + .../over-pass-the-hash-pass-the-key.md | 1 + .../active-directory-methodology/pass-the-ticket.md | 1 + .../active-directory-methodology/password-spraying.md | 1 + .../printers-spooler-service-abuse.md | 1 + .../active-directory-methodology/printnightmare.md | 1 + .../privileged-groups-and-token-privileges.md | 1 + .../active-directory-methodology/rdp-sessions-abuse.md | 1 + .../resource-based-constrained-delegation.md | 1 + .../active-directory-methodology/security-descriptors.md | 1 + .../active-directory-methodology/sid-history-injection.md | 1 + .../active-directory-methodology/silver-ticket.md | 1 + .../active-directory-methodology/skeleton-key.md | 1 + .../active-directory-methodology/unconstrained-delegation.md | 1 + src/windows-hardening/authentication-credentials-uac-and-efs.md | 1 + .../authentication-credentials-uac-and-efs/README.md | 1 + .../uac-user-account-control.md | 1 + src/windows-hardening/av-bypass.md | 1 + src/windows-hardening/basic-cmd-for-pentesters.md | 1 + src/windows-hardening/basic-powershell-for-pentesters/README.md | 1 + .../basic-powershell-for-pentesters/powerview.md | 1 + src/windows-hardening/checklist-windows-privilege-escalation.md | 1 + src/windows-hardening/cobalt-strike.md | 1 + src/windows-hardening/lateral-movement/README.md | 1 + src/windows-hardening/lateral-movement/atexec.md | 1 + src/windows-hardening/lateral-movement/dcom-exec.md | 1 + src/windows-hardening/lateral-movement/psexec-and-winexec.md | 1 + src/windows-hardening/lateral-movement/smbexec.md | 1 + src/windows-hardening/lateral-movement/winrm.md | 1 + src/windows-hardening/lateral-movement/wmiexec.md | 1 + src/windows-hardening/ntlm/README.md | 1 + src/windows-hardening/ntlm/atexec.md | 1 + src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md | 1 + src/windows-hardening/ntlm/psexec-and-winexec.md | 1 + src/windows-hardening/ntlm/smbexec.md | 1 + src/windows-hardening/ntlm/winrm.md | 1 + src/windows-hardening/ntlm/wmiexec.md | 1 + src/windows-hardening/stealing-credentials/README.md | 1 + .../stealing-credentials/credentials-mimikatz.md | 1 + .../stealing-credentials/credentials-protections.md | 1 + src/windows-hardening/stealing-credentials/wts-impersonator.md | 1 + .../windows-local-privilege-escalation/README.md | 1 + .../windows-local-privilege-escalation/access-tokens.md | 1 + .../windows-local-privilege-escalation/acls-dacls-sacls-aces.md | 1 + ...penddata-addsubdirectory-permission-over-service-registry.md | 1 + .../windows-local-privilege-escalation/com-hijacking.md | 1 + .../windows-local-privilege-escalation/create-msi-with-wix.md | 1 + .../windows-local-privilege-escalation/dll-hijacking.md | 1 + .../windows-local-privilege-escalation/dll-hijacking/README.md | 1 + .../dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md | 1 + .../dpapi-extracting-passwords.md | 1 + .../from-high-integrity-to-system-with-name-pipes.md | 1 + .../windows-local-privilege-escalation/integrity-levels.md | 1 + .../windows-local-privilege-escalation/juicypotato.md | 1 + .../leaked-handle-exploitation.md | 1 + .../windows-local-privilege-escalation/msi-wrapper.md | 1 + .../named-pipe-client-impersonation.md | 1 + .../privilege-escalation-abusing-tokens.md | 1 + .../privilege-escalation-abusing-tokens/README.md | 1 + .../privilege-escalation-with-autorun-binaries.md | 1 + .../roguepotato-and-printspoofer.md | 1 + .../sedebug-+-seimpersonate-copy-token.md | 1 + .../seimpersonate-from-high-to-system.md | 1 + .../windows-local-privilege-escalation/windows-c-payloads.md | 1 + .../windows-security-controls/uac-user-account-control.md | 1 + 315 files changed, 315 insertions(+), 17 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index b167e2a0c..f0cb22fd0 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -6,3 +6,4 @@ We value your knowledge and encourage you to share content. Please ensure that y Thank you for contributing to HackTricks! + diff --git a/.github/workflows/translate_af.yml b/.github/workflows/translate_af.yml index 19aaa50ed..804afe44d 100644 --- a/.github/workflows/translate_af.yml +++ b/.github/workflows/translate_af.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_de.yml b/.github/workflows/translate_de.yml index 9c9567cd1..2f83fefa1 100644 --- a/.github/workflows/translate_de.yml +++ b/.github/workflows/translate_de.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_el.yml b/.github/workflows/translate_el.yml index db8ff97e0..8857a75b9 100644 --- a/.github/workflows/translate_el.yml +++ b/.github/workflows/translate_el.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_es.yml b/.github/workflows/translate_es.yml index 1042e78af..8322446a9 100644 --- a/.github/workflows/translate_es.yml +++ b/.github/workflows/translate_es.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_fr.yml b/.github/workflows/translate_fr.yml index eb1fb5450..046fe3b20 100644 --- a/.github/workflows/translate_fr.yml +++ b/.github/workflows/translate_fr.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_in.yml b/.github/workflows/translate_in.yml index 333fc60cf..c9c285a44 100644 --- a/.github/workflows/translate_in.yml +++ b/.github/workflows/translate_in.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_it.yml b/.github/workflows/translate_it.yml index 104dcebef..b5b4ec27c 100644 --- a/.github/workflows/translate_it.yml +++ b/.github/workflows/translate_it.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_ja.yml b/.github/workflows/translate_ja.yml index e1a2b51e7..9c635e1da 100644 --- a/.github/workflows/translate_ja.yml +++ b/.github/workflows/translate_ja.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_ko.yml b/.github/workflows/translate_ko.yml index ac2aa2f47..d39c84266 100644 --- a/.github/workflows/translate_ko.yml +++ b/.github/workflows/translate_ko.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_pl.yml b/.github/workflows/translate_pl.yml index d02e0eec1..0dd53dd0c 100644 --- a/.github/workflows/translate_pl.yml +++ b/.github/workflows/translate_pl.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_pt.yml b/.github/workflows/translate_pt.yml index 77238a795..e8842d728 100644 --- a/.github/workflows/translate_pt.yml +++ b/.github/workflows/translate_pt.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_sr.yml b/.github/workflows/translate_sr.yml index 70a218dd2..4f80bc8d3 100644 --- a/.github/workflows/translate_sr.yml +++ b/.github/workflows/translate_sr.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_sw.yml b/.github/workflows/translate_sw.yml index 9075f05b1..4c63a2558 100644 --- a/.github/workflows/translate_sw.yml +++ b/.github/workflows/translate_sw.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_tr.yml b/.github/workflows/translate_tr.yml index e8e23b91a..13571575b 100644 --- a/.github/workflows/translate_tr.yml +++ b/.github/workflows/translate_tr.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_uk.yml b/.github/workflows/translate_uk.yml index c3261a9b8..4991a185c 100644 --- a/.github/workflows/translate_uk.yml +++ b/.github/workflows/translate_uk.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/.github/workflows/translate_zh.yml b/.github/workflows/translate_zh.yml index 3873e948c..ed59a8d34 100644 --- a/.github/workflows/translate_zh.yml +++ b/.github/workflows/translate_zh.yml @@ -33,7 +33,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.12 - name: Install python dependencies run: | diff --git a/book.toml b/book.toml index fa5b5e7ca..55f8eeb4f 100644 --- a/book.toml +++ b/book.toml @@ -1,5 +1,5 @@ [book] -authors = ["Carlos Polop"] +authors = ["HackTricks Team"] language = "en" multilingual = false src = "src" diff --git a/src/1911-pentesting-fox.md b/src/1911-pentesting-fox.md index a71e1c696..2e0a865a3 100644 --- a/src/1911-pentesting-fox.md +++ b/src/1911-pentesting-fox.md @@ -27,3 +27,4 @@ InfluxDB ![]() {{#include ./banners/hacktricks-training.md}} + diff --git a/src/6881-udp-pentesting-bittorrent.md b/src/6881-udp-pentesting-bittorrent.md index 070c6aef8..9f63dc33c 100644 --- a/src/6881-udp-pentesting-bittorrent.md +++ b/src/6881-udp-pentesting-bittorrent.md @@ -1,3 +1,4 @@ {{#include ./banners/hacktricks-training.md}} {{#include ./banners/hacktricks-training.md}} + diff --git a/src/LICENSE.md b/src/LICENSE.md index 96d34efb2..e800395f9 100644 --- a/src/LICENSE.md +++ b/src/LICENSE.md @@ -170,3 +170,4 @@ Creative Commons may be contacted at [creativecommons.org](http://creativecommon ``` {{#include ./banners/hacktricks-training.md}} + diff --git a/src/android-forensics.md b/src/android-forensics.md index 9e713f641..f9be87b51 100644 --- a/src/android-forensics.md +++ b/src/android-forensics.md @@ -25,3 +25,4 @@ Create an [android backup using adb](mobile-pentesting/android-app-pentesting/ad Use Linux Memory Extractor (LiME) to extract the RAM information. It's a kernel extension that should be loaded via adb. {{#include ./banners/hacktricks-training.md}} + diff --git a/src/burp-suite.md b/src/burp-suite.md index 2fe9a6ecc..fbf2d5429 100644 --- a/src/burp-suite.md +++ b/src/burp-suite.md @@ -15,3 +15,4 @@ [https://github.com/h3xstream/http-script-generator](https://github.com/h3xstream/http-script-generator) {{#include ./banners/hacktricks-training.md}} + diff --git a/src/emails-vulns.md b/src/emails-vulns.md index 8d0de7cff..15d9cc343 100644 --- a/src/emails-vulns.md +++ b/src/emails-vulns.md @@ -7,3 +7,4 @@ ## {{#include ./banners/hacktricks-training.md}} + diff --git a/src/interesting-http.md b/src/interesting-http.md index 94e7198e9..8bfee0950 100644 --- a/src/interesting-http.md +++ b/src/interesting-http.md @@ -37,3 +37,4 @@ You can override this rule using an HTML meta tag (the attacker needs to exploit Never put any sensitive data inside GET parameters or paths in the URL. {{#include ./banners/hacktricks-training.md}} + diff --git a/src/online-platforms-with-api.md b/src/online-platforms-with-api.md index d23fce7e4..51e09bc72 100644 --- a/src/online-platforms-with-api.md +++ b/src/online-platforms-with-api.md @@ -119,3 +119,4 @@ Search by domain and email and get if it was pwned and passwords. Commercial? [https://www.nmmapper.com/sys/tools/subdomainfinder/](https://www.nmmapper.com/) \(in a commercial tool?\) {{#include ./banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/file-inclusion/README.md b/src/pentesting-web/file-inclusion/README.md index 18356bc00..544e2fefd 100644 --- a/src/pentesting-web/file-inclusion/README.md +++ b/src/pentesting-web/file-inclusion/README.md @@ -734,3 +734,4 @@ Stay informed with the newest bug bounties launching and crucial platform update **Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md b/src/pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md index 9c31495b7..5d2d08e13 100644 --- a/src/pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md +++ b/src/pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md @@ -41,3 +41,4 @@ However, there is a check in the web server that **prevents loading files that c For more information check the description of the Race Condition and the CTF in [https://balsn.tw/ctf_writeup/20191228-hxp36c3ctf/#includer](https://balsn.tw/ctf_writeup/20191228-hxp36c3ctf/#includer) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md b/src/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md index e39e0448f..14e46702f 100644 --- a/src/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md +++ b/src/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md @@ -99,3 +99,4 @@ Yes, it's possible to generate 100000 temporary files in an EC2 medium size inst It looks like by default Nginx supports **512 parallel connections** at the same time (and this number can be improved). {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md b/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md index 14dfe4aee..bca754883 100644 --- a/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md +++ b/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md @@ -52,3 +52,4 @@ if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\ ``` ``` + diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md b/src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md index 5cff00041..53d0694bc 100644 --- a/src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md +++ b/src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md @@ -273,3 +273,4 @@ Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and {% embed url="https://academy.8ksec.io/" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md b/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md index e380bd111..15d63930e 100644 --- a/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md +++ b/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md @@ -71,3 +71,4 @@ print('[x] Something went wrong, please try again') {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md b/src/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md index a46fe76e2..27d277345 100644 --- a/src/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md +++ b/src/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md @@ -62,3 +62,4 @@ if __name__ == "__main__": ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md b/src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md index ded0b9eaa..892ce4bf6 100644 --- a/src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md +++ b/src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md @@ -32,3 +32,4 @@ In certain situations, a more specific mask (like `php1<<` or `phpA<<`) might be For GNU/Linux systems, the randomness in temporary file naming is robust, rendering the names neither predictable nor susceptible to brute force attacks. Further details can be found in the referenced documentation. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/file-inclusion/phar-deserialization.md b/src/pentesting-web/file-inclusion/phar-deserialization.md index bd440b5cb..1e3d5a30e 100644 --- a/src/pentesting-web/file-inclusion/phar-deserialization.md +++ b/src/pentesting-web/file-inclusion/phar-deserialization.md @@ -82,3 +82,4 @@ php vuln.php {% embed url="https://go.intigriti.com/hacktricks" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/file-inclusion/via-php_session_upload_progress.md b/src/pentesting-web/file-inclusion/via-php_session_upload_progress.md index ffec939c6..1fa5abf50 100644 --- a/src/pentesting-web/file-inclusion/via-php_session_upload_progress.md +++ b/src/pentesting-web/file-inclusion/via-php_session_upload_progress.md @@ -37,3 +37,4 @@ More information in the original writeup [https://blog.orange.tw/2018/10/](https Another writeup in [https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/](https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/file-upload/README.md b/src/pentesting-web/file-upload/README.md index c2d7739ce..ddb1b831a 100644 --- a/src/pentesting-web/file-upload/README.md +++ b/src/pentesting-web/file-upload/README.md @@ -337,3 +337,4 @@ If you are interested in **hacking career** and hack the unhackable - **we are h {% embed url="https://www.stmcyber.com/careers" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md b/src/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md index 2b75d5a51..3bc15ed15 100644 --- a/src/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md +++ b/src/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md @@ -5,3 +5,4 @@ **Check [https://insert-script.blogspot.com/2014/12/multiple-pdf-vulnerabilites-text-and.html](https://insert-script.blogspot.com/2014/12/multiple-pdf-vulnerabilites-text-and.html)** {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/hacking-with-cookies/README.md b/src/pentesting-web/hacking-with-cookies/README.md index 4404fca68..b6b527f10 100644 --- a/src/pentesting-web/hacking-with-cookies/README.md +++ b/src/pentesting-web/hacking-with-cookies/README.md @@ -298,3 +298,4 @@ There should be a pattern (with the size of a used block). So, knowing how are a - [https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie](https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/hacking-with-cookies/cookie-bomb.md b/src/pentesting-web/hacking-with-cookies/cookie-bomb.md index 25988ec0f..34ae43eae 100644 --- a/src/pentesting-web/hacking-with-cookies/cookie-bomb.md +++ b/src/pentesting-web/hacking-with-cookies/cookie-bomb.md @@ -7,3 +7,4 @@ A nice **example** can be seen in this write-up: [https://hackerone.com/reports/ And for more information, you can check this presentation: [https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers?slide=26](https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers?slide=26) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md b/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md index 24a11a53b..8c4ee8556 100644 --- a/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md +++ b/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md @@ -22,3 +22,4 @@ Notice, that third party cookies pointing to a different domain won't be overwri > Check this in [**this post with a lab**](https://www.sjoerdlangkemper.nl/2020/05/27/overwriting-httponly-cookies-from-javascript-using-cookie-jar-overflow/). {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/hacking-with-cookies/cookie-tossing.md b/src/pentesting-web/hacking-with-cookies/cookie-tossing.md index 2137b84a3..f7196fafe 100644 --- a/src/pentesting-web/hacking-with-cookies/cookie-tossing.md +++ b/src/pentesting-web/hacking-with-cookies/cookie-tossing.md @@ -65,3 +65,4 @@ cookie-bomb.md - [**Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities**](https://www.youtube.com/watch?v=F_wAzF4a7Xg) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/http-request-smuggling/README.md b/src/pentesting-web/http-request-smuggling/README.md index 5e31ea26b..f5567a0d1 100644 --- a/src/pentesting-web/http-request-smuggling/README.md +++ b/src/pentesting-web/http-request-smuggling/README.md @@ -774,3 +774,4 @@ def handleResponse(req, interesting): {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md b/src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md index b5540df41..33be45744 100644 --- a/src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md +++ b/src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md @@ -5,3 +5,4 @@ **Check the post [https://portswigger.net/research/browser-powered-desync-attacks](https://portswigger.net/research/browser-powered-desync-attacks)** {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md b/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md index ba7445bfa..cf988ec09 100644 --- a/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md +++ b/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md @@ -5,3 +5,4 @@ **Check the post [https://portswigger.net/research/http-2-downgrades](https://portswigger.net/research/http-2-downgrades)** {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/login-bypass/README.md b/src/pentesting-web/login-bypass/README.md index 6794ca7a1..4795c3cb4 100644 --- a/src/pentesting-web/login-bypass/README.md +++ b/src/pentesting-web/login-bypass/README.md @@ -107,3 +107,4 @@ Pages usually redirects users after login, check if you can alter that redirect {% embed url="https://www.rootedcon.com/" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/login-bypass/sql-login-bypass.md b/src/pentesting-web/login-bypass/sql-login-bypass.md index c3e99d58a..1c22b7e31 100644 --- a/src/pentesting-web/login-bypass/sql-login-bypass.md +++ b/src/pentesting-web/login-bypass/sql-login-bypass.md @@ -828,3 +828,4 @@ Pass1234." and 1=0 union select "admin",sha("Pass1234.")# {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md b/src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md index 7e6136b93..dc17847bd 100644 --- a/src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md +++ b/src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md @@ -243,3 +243,4 @@ javascript:"/*'/*`/*--> select version(); {% embed url="https://www.rootedcon.com/" %} {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md b/src/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md index 87391afc5..0e8996fcb 100644 --- a/src/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md +++ b/src/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md @@ -27,3 +27,4 @@ The process varies if the `@@plugin_dir` is not writable, especially for MySQL v Automation of these processes can be facilitated by tools such as SQLMap, which supports UDF injection, and for blind SQL injections, output redirection or DNS request smuggling techniques may be utilized. {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/sql-injection/oracle-injection.md b/src/pentesting-web/sql-injection/oracle-injection.md index caebdb7e7..c0c88c97c 100644 --- a/src/pentesting-web/sql-injection/oracle-injection.md +++ b/src/pentesting-web/sql-injection/oracle-injection.md @@ -159,3 +159,4 @@ A `ORA-12541: TNS:no listener` or a `TNS:operation timed out` is a sign that the Another package I have used in the past with varied success is the [`GETCLOB()` method of the `HTTPURITYPE` Oracle abstract type](https://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705) that allows you to interact with a URL and provides support for the HTTP protocol. The `GETCLOB()` method is used to fetch the GET response from a URL as a [CLOB data type.](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual; {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/sql-injection/postgresql-injection/README.md b/src/pentesting-web/sql-injection/postgresql-injection/README.md index 8a0a7efc2..c29de3a29 100644 --- a/src/pentesting-web/sql-injection/postgresql-injection/README.md +++ b/src/pentesting-web/sql-injection/postgresql-injection/README.md @@ -99,3 +99,4 @@ If you are interested in **hacking career** and hack the unhackable - **we are h {% embed url="https://www.stmcyber.com/careers" %} {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md b/src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md index d0f7795c8..839c37bb5 100644 --- a/src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md +++ b/src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md @@ -81,3 +81,4 @@ select lo_unlink(173454); -- Deletes the specified large object It's noted that **large objects may have ACLs** (Access Control Lists), potentially restricting access even to objects created by your user. However, older objects with permissive ACLs may still be accessible for content exfiltration. {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md b/src/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md index a55254b15..8163d6ce5 100644 --- a/src/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md +++ b/src/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md @@ -7,3 +7,4 @@ **Check the solution from:** [**https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md**](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md b/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md index 5e9b23431..283b6a243 100644 --- a/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md +++ b/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md @@ -109,3 +109,4 @@ SELECT testfunc(); ``` {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md b/src/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md index 0d9f00063..fca5e37fe 100644 --- a/src/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md +++ b/src/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md @@ -119,3 +119,4 @@ select brute_force('127.0.0.1', '5432', 'postgres', 'postgres'); ``` {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md index f20d12da9..bd0555075 100644 --- a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md +++ b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md @@ -351,3 +351,4 @@ print(" drop function connect_back(text, integer);") - [https://www.exploit-db.com/papers/13084](https://www.exploit-db.com/papers/13084) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md index 342a407d1..cfa98bb50 100644 --- a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md +++ b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md @@ -322,3 +322,4 @@ rce-with-postgresql-extensions.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/sql-injection/sqlmap.md b/src/pentesting-web/sql-injection/sqlmap.md index 7d4080808..710dc83cf 100644 --- a/src/pentesting-web/sql-injection/sqlmap.md +++ b/src/pentesting-web/sql-injection/sqlmap.md @@ -191,3 +191,4 @@ sqlmap -r r.txt -p id --not-string ridiculous --batch | xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' | {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/sql-injection/sqlmap/README.md b/src/pentesting-web/sql-injection/sqlmap/README.md index 44216ba3f..e28e1592a 100644 --- a/src/pentesting-web/sql-injection/sqlmap/README.md +++ b/src/pentesting-web/sql-injection/sqlmap/README.md @@ -237,3 +237,4 @@ Remember that **you can create your own tamper in python** and it's very simple. {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md b/src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md index c105bd9ff..3851e7244 100644 --- a/src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md +++ b/src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md @@ -77,3 +77,4 @@ sqlmap --tamper tamper.py -r login.txt -p email --second-req second.txt --proxy ``` {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/README.md b/src/pentesting-web/ssrf-server-side-request-forgery/README.md index e902f6c6d..0d8f4c8ed 100644 --- a/src/pentesting-web/ssrf-server-side-request-forgery/README.md +++ b/src/pentesting-web/ssrf-server-side-request-forgery/README.md @@ -403,3 +403,4 @@ Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&u Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %} + diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md b/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md index 7f5422f54..dbbcca9d2 100644 --- a/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md +++ b/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md @@ -657,3 +657,4 @@ Rancher's metadata can be accessed using: - `curl http://rancher-metadata//` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md b/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md index d417b3626..cf8100b6c 100644 --- a/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md +++ b/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md @@ -5,3 +5,4 @@ Check **[https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)** {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md b/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md index 8cf0010fd..5a10ea866 100644 --- a/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md +++ b/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md @@ -221,3 +221,4 @@ image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing- - [https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet](https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/ssti-server-side-template-injection/README.md b/src/pentesting-web/ssti-server-side-template-injection/README.md index 03f341b23..416d41580 100644 --- a/src/pentesting-web/ssti-server-side-template-injection/README.md +++ b/src/pentesting-web/ssti-server-side-template-injection/README.md @@ -1121,3 +1121,4 @@ If you think it could be useful, read: {% embed url="https://www.rootedcon.com/" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/ssti-server-side-template-injection/el-expression-language.md b/src/pentesting-web/ssti-server-side-template-injection/el-expression-language.md index 1532b7d33..c4870ee7a 100644 --- a/src/pentesting-web/ssti-server-side-template-injection/el-expression-language.md +++ b/src/pentesting-web/ssti-server-side-template-injection/el-expression-language.md @@ -248,3 +248,4 @@ Check [https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/](https://h1pm - [https://github.com/marcin33/hacking/blob/master/payloads/spel-injections.txt](https://github.com/marcin33/hacking/blob/master/payloads/spel-injections.txt) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md b/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md index 2ca9c1b76..8212ed7bf 100644 --- a/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md +++ b/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md @@ -366,3 +366,4 @@ The request will be urlencoded by default according to the HTTP format, which ca - [https://hackmd.io/@Chivato/HyWsJ31dI](https://hackmd.io/@Chivato/HyWsJ31dI) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/unicode-injection/README.md b/src/pentesting-web/unicode-injection/README.md index 019abc08b..80b0a24cd 100644 --- a/src/pentesting-web/unicode-injection/README.md +++ b/src/pentesting-web/unicode-injection/README.md @@ -50,3 +50,4 @@ Emoji lists: - [https://unicode.org/emoji/charts-14.0/full-emoji-list.html](https://unicode.org/emoji/charts-14.0/full-emoji-list.html) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/unicode-injection/unicode-normalization.md b/src/pentesting-web/unicode-injection/unicode-normalization.md index 716201425..a12e863ef 100644 --- a/src/pentesting-web/unicode-injection/unicode-normalization.md +++ b/src/pentesting-web/unicode-injection/unicode-normalization.md @@ -104,3 +104,4 @@ The tool [**recollapse**](https://github.com/0xacb/recollapse) \*\*\*\* allows t - [**https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html**](https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/web-vulnerabilities-methodology/README.md b/src/pentesting-web/web-vulnerabilities-methodology/README.md index 99c7677c9..4ffaa5c16 100644 --- a/src/pentesting-web/web-vulnerabilities-methodology/README.md +++ b/src/pentesting-web/web-vulnerabilities-methodology/README.md @@ -127,3 +127,4 @@ These vulnerabilities might help to exploit other vulnerabilities. - [ ] [**Unicode Normalization vulnerability**](../unicode-injection/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xs-search/README.md b/src/pentesting-web/xs-search/README.md index b10bccfc2..ccd4e1822 100644 --- a/src/pentesting-web/xs-search/README.md +++ b/src/pentesting-web/xs-search/README.md @@ -964,3 +964,4 @@ Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banne Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=xs-search" %} + diff --git a/src/pentesting-web/xs-search/connection-pool-by-destination-example.md b/src/pentesting-web/xs-search/connection-pool-by-destination-example.md index f5cf245df..a7fd44064 100644 --- a/src/pentesting-web/xs-search/connection-pool-by-destination-example.md +++ b/src/pentesting-web/xs-search/connection-pool-by-destination-example.md @@ -115,3 +115,4 @@ Let's see how this exploit work: ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xs-search/connection-pool-example.md b/src/pentesting-web/xs-search/connection-pool-example.md index 30957a266..f9a6deec4 100644 --- a/src/pentesting-web/xs-search/connection-pool-example.md +++ b/src/pentesting-web/xs-search/connection-pool-example.md @@ -526,3 +526,4 @@ In the exploit you can see: ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md b/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md index 14a58880b..58eaf2547 100644 --- a/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md +++ b/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md @@ -60,3 +60,4 @@ The following **script** taken from [**here**](https://blog.huli.tw/2022/05/05/e ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xs-search/css-injection/README.md b/src/pentesting-web/xs-search/css-injection/README.md index 71cae10e6..aae3b5c92 100644 --- a/src/pentesting-web/xs-search/css-injection/README.md +++ b/src/pentesting-web/xs-search/css-injection/README.md @@ -781,3 +781,4 @@ So, if the font does not match, the response time when visiting the bot is expec - [https://x-c3ll.github.io/posts/CSS-Injection-Primitives/](https://x-c3ll.github.io/posts/CSS-Injection-Primitives/) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xs-search/css-injection/css-injection-code.md b/src/pentesting-web/xs-search/css-injection/css-injection-code.md index 098127a48..0be473785 100644 --- a/src/pentesting-web/xs-search/css-injection/css-injection-code.md +++ b/src/pentesting-web/xs-search/css-injection/css-injection-code.md @@ -280,3 +280,4 @@ input[value=]{list-style:url(http://localhost:5001/end?token=&)}; ``` {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md b/src/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md index 7e597b33b..72861a35a 100644 --- a/src/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md +++ b/src/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md @@ -154,3 +154,4 @@ Let's check the code: ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xs-search/javascript-execution-xs-leak.md b/src/pentesting-web/xs-search/javascript-execution-xs-leak.md index 7e5b03721..9a758a00b 100644 --- a/src/pentesting-web/xs-search/javascript-execution-xs-leak.md +++ b/src/pentesting-web/xs-search/javascript-execution-xs-leak.md @@ -71,3 +71,4 @@ Main page that generates iframes to the previous `/guessing` page to test each p ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xs-search/performance.now-+-force-heavy-task.md b/src/pentesting-web/xs-search/performance.now-+-force-heavy-task.md index 8ffb65a82..0c6db5caf 100644 --- a/src/pentesting-web/xs-search/performance.now-+-force-heavy-task.md +++ b/src/pentesting-web/xs-search/performance.now-+-force-heavy-task.md @@ -103,3 +103,4 @@ In this challenge the user could sent thousands of chars and if the flag was con ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xs-search/performance.now-example.md b/src/pentesting-web/xs-search/performance.now-example.md index 79ba96b71..bf1727a86 100644 --- a/src/pentesting-web/xs-search/performance.now-example.md +++ b/src/pentesting-web/xs-search/performance.now-example.md @@ -55,3 +55,4 @@ document.addEventListener("DOMContentLoaded", main) ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xs-search/url-max-length-client-side.md b/src/pentesting-web/xs-search/url-max-length-client-side.md index 5edce625a..50a6b32d7 100644 --- a/src/pentesting-web/xs-search/url-max-length-client-side.md +++ b/src/pentesting-web/xs-search/url-max-length-client-side.md @@ -73,3 +73,4 @@ if __name__ == '__main__': ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/README.md b/src/pentesting-web/xss-cross-site-scripting/README.md index f3da6da4a..036976f3c 100644 --- a/src/pentesting-web/xss-cross-site-scripting/README.md +++ b/src/pentesting-web/xss-cross-site-scripting/README.md @@ -1753,3 +1753,4 @@ If you are interested in **hacking career** and hack the unhackable - **we are h {% embed url="https://www.stmcyber.com/careers" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md b/src/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md index 8833c5312..48c197187 100644 --- a/src/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md +++ b/src/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md @@ -107,3 +107,4 @@ For an example of this check the reference link. - [https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md b/src/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md index a73166d31..3956e07e0 100644 --- a/src/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md +++ b/src/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md @@ -27,3 +27,4 @@ Verification that the disk cache was utilized can be confirmed through the use o For further details on bfcache and disk cache, references can be found at [web.dev on bfcache](https://web.dev/i18n/en/bfcache/) and [Chromium's design documents on disk cache](https://www.chromium.org/developers/design-documents/network-stack/disk-cache/), respectively. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md b/src/pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md index a7f8fd41c..51ac054c8 100644 --- a/src/pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md +++ b/src/pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md @@ -30,3 +30,4 @@ This will **copy the JS file locally** and you will be able to **modify that cop - [https://www.youtube.com/watch?v=BW\_-RCo9lo8\&t=1529s](https://www.youtube.com/watch?v=BW_-RCo9lo8&t=1529s) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/dom-clobbering.md b/src/pentesting-web/xss-cross-site-scripting/dom-clobbering.md index 90b21e8cd..f96865080 100644 --- a/src/pentesting-web/xss-cross-site-scripting/dom-clobbering.md +++ b/src/pentesting-web/xss-cross-site-scripting/dom-clobbering.md @@ -249,3 +249,4 @@ It's possible to add **new entries inside a form** just by **specifying the `for - Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/dom-invader.md b/src/pentesting-web/xss-cross-site-scripting/dom-invader.md index d1f8838a7..c2163fd75 100644 --- a/src/pentesting-web/xss-cross-site-scripting/dom-invader.md +++ b/src/pentesting-web/xss-cross-site-scripting/dom-invader.md @@ -89,3 +89,4 @@ In the previous image it's possible to see that DOM clobbering scan can be turne - [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/dom-xss.md b/src/pentesting-web/xss-cross-site-scripting/dom-xss.md index d022030ac..b47099d68 100644 --- a/src/pentesting-web/xss-cross-site-scripting/dom-xss.md +++ b/src/pentesting-web/xss-cross-site-scripting/dom-xss.md @@ -326,3 +326,4 @@ dom-clobbering.md {{#endref}} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md b/src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md index e497a56ea..b3d8cee29 100644 --- a/src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md +++ b/src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md @@ -165,3 +165,4 @@ Check the following pages: {{#endref}} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md b/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md index 2100fbae7..237c20562 100644 --- a/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md +++ b/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md @@ -9,3 +9,4 @@ Check: {{#endref}} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/js-hoisting.md b/src/pentesting-web/xss-cross-site-scripting/js-hoisting.md index 098c4a3dd..39591b5b5 100644 --- a/src/pentesting-web/xss-cross-site-scripting/js-hoisting.md +++ b/src/pentesting-web/xss-cross-site-scripting/js-hoisting.md @@ -139,3 +139,4 @@ let config;` - - [https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/](https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/other-js-tricks.md b/src/pentesting-web/xss-cross-site-scripting/other-js-tricks.md index 43387d1e8..e1cceafaa 100644 --- a/src/pentesting-web/xss-cross-site-scripting/other-js-tricks.md +++ b/src/pentesting-web/xss-cross-site-scripting/other-js-tricks.md @@ -508,3 +508,4 @@ async function sleep(ms) { ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/pdf-injection.md b/src/pentesting-web/xss-cross-site-scripting/pdf-injection.md index 5d5a1c77e..152a1c202 100644 --- a/src/pentesting-web/xss-cross-site-scripting/pdf-injection.md +++ b/src/pentesting-web/xss-cross-site-scripting/pdf-injection.md @@ -5,3 +5,4 @@ Chec the post: [**https://portswigger.net/research/portable-data-exfiltration**](https://portswigger.net/research/portable-data-exfiltration) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md b/src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md index 6336a5851..535d92ca4 100644 --- a/src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md +++ b/src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md @@ -187,3 +187,4 @@ Capturing the **PDF response** with burp should also **show the attachment in cl - [https://infosecwriteups.com/breaking-down-ssrf-on-pdf-generation-a-pentesting-guide-66f8a309bf3c](https://infosecwriteups.com/breaking-down-ssrf-on-pdf-generation-a-pentesting-guide-66f8a309bf3c) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/shadow-dom.md b/src/pentesting-web/xss-cross-site-scripting/shadow-dom.md index 35af51406..c665cb6a6 100644 --- a/src/pentesting-web/xss-cross-site-scripting/shadow-dom.md +++ b/src/pentesting-web/xss-cross-site-scripting/shadow-dom.md @@ -5,3 +5,4 @@ **Check out this blog: [https://blog.ankursundara.com/shadow-dom/](https://blog.ankursundara.com/shadow-dom/)** and this **CTF challenge: [https://github.com/Super-Guesser/ctf/blob/master/2022/dicectf/shadow.md](https://github.com/Super-Guesser/ctf/blob/master/2022/dicectf/shadow.md)** {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/sniff-leak.md b/src/pentesting-web/xss-cross-site-scripting/sniff-leak.md index f0851af52..bcb1b3b25 100644 --- a/src/pentesting-web/xss-cross-site-scripting/sniff-leak.md +++ b/src/pentesting-web/xss-cross-site-scripting/sniff-leak.md @@ -11,3 +11,4 @@ [**The next writeup**](https://blog.huli.tw/2022/08/01/en/uiuctf-2022-writeup/#precisionism3-solves) leaks the script content by loading it as if it was an ICO image accessing the `width` parameter. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md b/src/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md index 5a34aa88e..f53513fb5 100644 --- a/src/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md +++ b/src/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md @@ -40,3 +40,4 @@ Basically, the attack flow is the following: - [https://conference.hitb.org/hitbsecconf2017ams/sessions/everybody-wants-some-advance-same-origin-method-execution/](https://conference.hitb.org/hitbsecconf2017ams/sessions/everybody-wants-some-advance-same-origin-method-execution/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/steal-info-js.md b/src/pentesting-web/xss-cross-site-scripting/steal-info-js.md index 198fc0d79..93e3808b7 100644 --- a/src/pentesting-web/xss-cross-site-scripting/steal-info-js.md +++ b/src/pentesting-web/xss-cross-site-scripting/steal-info-js.md @@ -222,3 +222,4 @@ window.onmessage = function (e) { {% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md b/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md index c9087c12b..272bd3fa0 100644 --- a/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md +++ b/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md @@ -169,3 +169,4 @@ _http://danlec_@.1 style=background-image:url(data:image/png;base64,iVBORw0KGgoA ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/physical-attacks/escaping-from-gui-applications/README.md b/src/physical-attacks/escaping-from-gui-applications/README.md index 021d64d5c..ea8540f34 100644 --- a/src/physical-attacks/escaping-from-gui-applications/README.md +++ b/src/physical-attacks/escaping-from-gui-applications/README.md @@ -274,3 +274,4 @@ These shortcuts are for the visual settings and sound settings, depending on the - [http://www.iphonehacks.com/2018/03/ipad-keyboard-shortcuts.html](http://www.iphonehacks.com/2018/03/ipad-keyboard-shortcuts.html) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/physical-attacks/firmware-analysis/README.md b/src/physical-attacks/firmware-analysis/README.md index d94e49edc..3ed5b4588 100644 --- a/src/physical-attacks/firmware-analysis/README.md +++ b/src/physical-attacks/firmware-analysis/README.md @@ -252,3 +252,4 @@ To practice discovering vulnerabilities in firmware, use the following vulnerabl - [https://www.attify-store.com/products/offensive-iot-exploitation](https://www.attify-store.com/products/offensive-iot-exploitation) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/physical-attacks/firmware-analysis/bootloader-testing.md b/src/physical-attacks/firmware-analysis/bootloader-testing.md index b6998cdb0..53ce0e7d5 100644 --- a/src/physical-attacks/firmware-analysis/bootloader-testing.md +++ b/src/physical-attacks/firmware-analysis/bootloader-testing.md @@ -50,3 +50,4 @@ The following steps are recommended for modifying device startup configurations - [https://scriptingxss.gitbook.io/firmware-security-testing-methodology/](https://scriptingxss.gitbook.io/firmware-security-testing-methodology/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/physical-attacks/firmware-analysis/firmware-integrity.md b/src/physical-attacks/firmware-analysis/firmware-integrity.md index f2f5a3b6d..e0555f08f 100644 --- a/src/physical-attacks/firmware-analysis/firmware-integrity.md +++ b/src/physical-attacks/firmware-analysis/firmware-integrity.md @@ -33,3 +33,4 @@ If possible, vulnerabilities within startup scripts can be exploited to gain per - For further information check [https://scriptingxss.gitbook.io/firmware-security-testing-methodology/](https://scriptingxss.gitbook.io/firmware-security-testing-methodology/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/physical-attacks/physical-attacks.md b/src/physical-attacks/physical-attacks.md index e805014b7..3b46d1808 100644 --- a/src/physical-attacks/physical-attacks.md +++ b/src/physical-attacks/physical-attacks.md @@ -55,3 +55,4 @@ BitLocker encryption can potentially be bypassed if the **recovery password** is A new BitLocker recovery key can be added through social engineering tactics, convincing a user to execute a command that adds a new recovery key composed of zeros, thereby simplifying the decryption process. {{#include ../banners/hacktricks-training.md}} + diff --git a/src/radio-hacking/README.md b/src/radio-hacking/README.md index 882b2e8b2..3ce0def86 100644 --- a/src/radio-hacking/README.md +++ b/src/radio-hacking/README.md @@ -1,3 +1,4 @@ # Radio Hacking + diff --git a/src/radio-hacking/low-power-wide-area-network.md b/src/radio-hacking/low-power-wide-area-network.md index f94c0d49d..ea4953a97 100644 --- a/src/radio-hacking/low-power-wide-area-network.md +++ b/src/radio-hacking/low-power-wide-area-network.md @@ -14,3 +14,4 @@ Long Range (**LoRa**) it’s popular in multiple countries and has an open sourc [https://github.com/IOActive/laf](https://github.com/IOActive/laf) {{#include ../banners/hacktricks-training.md}} + diff --git a/src/radio-hacking/pentesting-ble-bluetooth-low-energy.md b/src/radio-hacking/pentesting-ble-bluetooth-low-energy.md index 366fa4079..e2e4fcd76 100644 --- a/src/radio-hacking/pentesting-ble-bluetooth-low-energy.md +++ b/src/radio-hacking/pentesting-ble-bluetooth-low-energy.md @@ -69,3 +69,4 @@ sudo bettercap --eval "ble.recon on" ``` {{#include ../banners/hacktricks-training.md}} + diff --git a/src/radio-hacking/pentesting-rfid.md b/src/radio-hacking/pentesting-rfid.md index c2ce8e357..ab61000e2 100644 --- a/src/radio-hacking/pentesting-rfid.md +++ b/src/radio-hacking/pentesting-rfid.md @@ -97,3 +97,4 @@ Or using the **proxmark**: - [https://blog.flipperzero.one/rfid/](https://blog.flipperzero.one/rfid/) {{#include ../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/README.md index 117d2440a..5383590f1 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/README.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/README.md @@ -1,3 +1,4 @@ # Arbitrary Write 2 Exec + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-__malloc_hook.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-__malloc_hook.md index 48f7b7030..b34e56591 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-__malloc_hook.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-__malloc_hook.md @@ -23,3 +23,4 @@ More info about One Gadget in: - [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md index 965deaf04..4c0fdfbee 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md @@ -62,3 +62,4 @@ The **Full RELRO** protection is meant to protect agains this kind of technique - [https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook](https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aws2exec-.dtors-and-.fini_array.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aws2exec-.dtors-and-.fini_array.md index 3a3ce97c3..2f0be3c09 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aws2exec-.dtors-and-.fini_array.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aws2exec-.dtors-and-.fini_array.md @@ -43,3 +43,4 @@ Note that this **won't** **create** an **eternal loop** because when you get bac > Note that with [Full RELRO](../common-binary-protections-and-bypasses/relro.md), the section `.fini_array` is made **read-only**. {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/README.md index bea778170..28c79dd97 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/README.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/README.md @@ -33,3 +33,4 @@ gdb /path/to/executable /path/to/core_file This command loads the executable and the core file into GDB, allowing you to inspect the state of the program at the time of the crash. You can use GDB commands to explore the stack, examine variables, and understand the cause of the crash. {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/README.md index 4af86f44f..f6dfa6c56 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/README.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/README.md @@ -173,3 +173,4 @@ Try to bypass ASLR abusing addresses inside the stack: {{#endref}} {{#include ../../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/ret2plt.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/ret2plt.md index f01abaf09..353d08f68 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/ret2plt.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/ret2plt.md @@ -80,3 +80,4 @@ p.interactive() - 64 bits, ASLR enabled, no canary, stack overflow in main from a child function. ROP gadget to call puts to leak the address of puts from the GOT and then call an one gadget. {{#include ../../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/no-exec-nx.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/no-exec-nx.md index e84eb9619..b18b18057 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/no-exec-nx.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/no-exec-nx.md @@ -14,3 +14,4 @@ The **No-Execute (NX)** bit, also known as **Execute Disable (XD)** in Intel ter - **Ret2...** {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/README.md index 6bffcd088..e5a76b498 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/README.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/README.md @@ -30,3 +30,4 @@ bypassing-canary-and-pie.md - [https://ir0nstone.gitbook.io/notes/types/stack/pie](https://ir0nstone.gitbook.io/notes/types/stack/pie) {{#include ../../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md index 76445dc4c..042e036ba 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md @@ -88,3 +88,4 @@ elf.address = RIP - (RIP & 0xfff) ``` {{#include ../../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/relro.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/relro.md index 2cf87d2f9..a50cebd5e 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/relro.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/relro.md @@ -31,3 +31,4 @@ If Full RELRO is enabled, the only way to bypass it is to find another way that Note that LIBC's GOT is usually Partial RELRO, so it can be modified with an arbitrary write. More information in [Targetting libc GOT entries](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#1---targetting-libc-got-entries). {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/README.md index c324210a5..acf11cf1e 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/README.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/README.md @@ -68,3 +68,4 @@ If the binary has Partial RELRO, then you can use an arbitrary write to modify t - 64 bits, no PIE, nx, write-what-where primitive. Modify GOT entry of `__stack_chk_fail`. {{#include ../../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md index 7536d2492..b54248b8b 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md @@ -234,3 +234,4 @@ io.interactive() - 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there. - [http://7rocky.github.io/en/ctf/htb-challenges/pwn/robot-factory/#canaries-and-threads](http://7rocky.github.io/en/ctf/htb-challenges/pwn/robot-factory/#canaries-and-threads) - 64 bits, no PIE, nx, modify thread and master canary. + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md index c85283b63..8d32c23b9 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md @@ -26,3 +26,4 @@ With an arbitrary read like the one provided by format **strings** it might be p {{#endref}} {{#include ../../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-exploiting-problems.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-exploiting-problems.md index 00333fd9d..6c2500990 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-exploiting-problems.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-exploiting-problems.md @@ -36,3 +36,4 @@ In order to bypass this the **escape character `\x16` must be prepended to any ` **Here you can** [**find an example of this behaviour**](https://ir0nstone.gitbook.io/hackthebox/challenges/pwn/dream-diary-chapter-1/unlink-exploit)**.** {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/elf-tricks.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/elf-tricks.md index a923dc63b..54cfbee51 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/elf-tricks.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/elf-tricks.md @@ -394,3 +394,4 @@ Each variable will hace an entry in the TLS header specifying the size and the T The `__TLS_MODULE_BASE` is a symbol used to refer to the base address of the thread local storage and points to the area in memory that contains all the thread-local data of a module. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/README.md index a30ad146c..5150b15e8 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/README.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/README.md @@ -168,3 +168,4 @@ p.interactive() - 32 bit, relro, no canary, nx, no pie, format string to write an address inside main in `.fini_array` (so the flow loops back 1 more time) and write the address to `system` in the GOT table pointing to `strlen`. When the flow goes back to main, `strlen` is executed with user input and pointing to `system`, it will execute the passed commands. {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/format-strings-template.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/format-strings-template.md index 4d121058f..bb4c3a570 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/format-strings-template.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/format-strings-template.md @@ -140,3 +140,4 @@ P.interactive() ``` {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md index b25320083..3b03a8a87 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md @@ -20,3 +20,4 @@ To the address indicated by One Gadget you need to **add the base address where > One Gadget is a **great help for Arbitrary Write 2 Exec techniques** and might **simplify ROP chains** as you only need to call one address (and fulfill the requirements). {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/README.md index 081a79e39..6e7d04a48 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/README.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/README.md @@ -93,3 +93,4 @@ There are several protections trying to prevent the exploitation of vulnerabilit {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/pointer-redirecting.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/pointer-redirecting.md index 3e295018c..5fb38ad2c 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/pointer-redirecting.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/pointer-redirecting.md @@ -27,3 +27,4 @@ You can find an example in: - [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2csu.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2csu.md index 8994a05ea..2561b80e4 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2csu.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2csu.md @@ -80,3 +80,4 @@ print(p.recvline()) # should receive "Awesome work!" Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protections-and-bypasses/aslr/ret2plt.md) + [**ret2lib**](ret2lib/), but sometimes you need to control more parameters than are easily controlled with the gadgets you find directly in libc. For example, the `write()` function requires three parameters, and **finding gadgets to set all these directly might not be possible**. {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md index 3e315d946..874110244 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md @@ -63,3 +63,4 @@ p.interactive() - [https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md index 353d6ca3a..bcc05b476 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md @@ -64,3 +64,4 @@ You can find an example here: [https://ir0nstone.gitbook.io/notes/types/stack/re - [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md index 5daa750b3..4b92b59f2 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md @@ -141,3 +141,4 @@ This basically means abusing a **Ret2lib to transform it into a `printf` format - 64 bits, no pie, no canary, no relro, nx. Uses write function to leak the address of write (libc) and calls one gadget. {{#include ../../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/README.md index f6c4f46f9..290f5e1e9 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/README.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/README.md @@ -303,3 +303,4 @@ BINSH = next(libc.search("/bin/sh")) - 64 ``` {{#include ../../../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md index 456c9852c..06dcb8f9c 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md @@ -217,3 +217,4 @@ BINSH = next(libc.search("/bin/sh")) - 64 ``` {{#include ../../../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md index dea542893..dfb290e28 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md @@ -31,3 +31,4 @@ Following [**this link**](https://github.com/florianhofhammer/stack-buffer-overf - [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md index 0c1bfb741..eac6e55ee 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md @@ -97,3 +97,4 @@ The Python script sends a carefully crafted message that, when processed by the - 64 bit, relro, no canary, nx, pie. Partial overwrite to call the win function (ret2win) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md index 3463ef60d..c7271512d 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md @@ -178,3 +178,4 @@ stack-pivoting-ebp2ret-ebp-chaining.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md index 50d327031..5ddd42e31 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md @@ -197,3 +197,4 @@ target.interactive() - 32 bits, no ASLR, use vDSO to find ROP gadgets and call `execve`. {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md index c39c68869..a22550e5e 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md @@ -60,3 +60,4 @@ p.interactive() - [https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md index 64693c7f5..53e6040e0 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md @@ -188,3 +188,4 @@ xchg , rsp - [https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting](https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md index c9b59e54d..18f3baff0 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md @@ -93,3 +93,4 @@ The **NOP slide** (`asm('nop')`) is used to increase the chance that execution w - 32 bit, ASLR with stack leak, comparison to prevent call to exit(), overwrite variable with a value and write shellcode and jump to it {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing/common-api-used-in-malware.md b/src/reversing/common-api-used-in-malware.md index 6948eeece..435a2e2bc 100644 --- a/src/reversing/common-api-used-in-malware.md +++ b/src/reversing/common-api-used-in-malware.md @@ -137,3 +137,4 @@ The malware will unmap the legitimate code from memory of the process and load a - **Inline Hooks**: This type are difficult to achieve. This involve modifying the code of the functions itself. Maybe by putting a jump at the beginning of this. {{#include ../banners/hacktricks-training.md}} + diff --git a/src/reversing/cryptographic-algorithms/README.md b/src/reversing/cryptographic-algorithms/README.md index f53a628eb..5b458b43e 100644 --- a/src/reversing/cryptographic-algorithms/README.md +++ b/src/reversing/cryptographic-algorithms/README.md @@ -183,3 +183,4 @@ Check **3 comparisons to recognise it**: ![](<../../images/image (384).png>) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/reversing/cryptographic-algorithms/unpacking-binaries.md b/src/reversing/cryptographic-algorithms/unpacking-binaries.md index 6699ec26f..3320953a8 100644 --- a/src/reversing/cryptographic-algorithms/unpacking-binaries.md +++ b/src/reversing/cryptographic-algorithms/unpacking-binaries.md @@ -22,3 +22,4 @@ - When you dump an executable from a region of memory you can fix some headers using [PE-bear](https://github.com/hasherezade/pe-bear-releases/releases). {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/reversing/reversing-tools-basic-methods/README.md b/src/reversing/reversing-tools-basic-methods/README.md index 33fef0bd5..09e8d9224 100644 --- a/src/reversing/reversing-tools-basic-methods/README.md +++ b/src/reversing/reversing-tools-basic-methods/README.md @@ -410,3 +410,4 @@ So, in this challenge, knowing the values of the buttons, you needed to **press - [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/reversing/reversing-tools-basic-methods/angr/README.md b/src/reversing/reversing-tools-basic-methods/angr/README.md index e0cb18040..6e4ef0b11 100644 --- a/src/reversing/reversing-tools-basic-methods/angr/README.md +++ b/src/reversing/reversing-tools-basic-methods/angr/README.md @@ -209,3 +209,4 @@ Furthermore, you can use `proj.hook_symbol(name, hook)`, providing the name of a # Examples {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing/reversing-tools-basic-methods/angr/angr-examples.md b/src/reversing/reversing-tools-basic-methods/angr/angr-examples.md index 791eeb374..ea909b2ee 100644 --- a/src/reversing/reversing-tools-basic-methods/angr/angr-examples.md +++ b/src/reversing/reversing-tools-basic-methods/angr/angr-examples.md @@ -834,3 +834,4 @@ if __name__ == '__main__': ``` {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/reversing/reversing-tools-basic-methods/blobrunner.md b/src/reversing/reversing-tools-basic-methods/blobrunner.md index e5f11c08b..88542d62a 100644 --- a/src/reversing/reversing-tools-basic-methods/blobrunner.md +++ b/src/reversing/reversing-tools-basic-methods/blobrunner.md @@ -208,3 +208,4 @@ int main(int argc, char* argv[]) ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/reversing/reversing-tools-basic-methods/cheat-engine.md b/src/reversing/reversing-tools-basic-methods/cheat-engine.md index 2b88f4958..a99760698 100644 --- a/src/reversing/reversing-tools-basic-methods/cheat-engine.md +++ b/src/reversing/reversing-tools-basic-methods/cheat-engine.md @@ -161,3 +161,4 @@ So, insert your new assembly code in the "**newmem**" section and remove the ori - **Cheat Engine tutorial, complete it to learn how to start with Cheat Engine** {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md b/src/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md index 131515b1e..e093a5889 100644 --- a/src/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md +++ b/src/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md @@ -186,3 +186,4 @@ else: - [https://ericpony.github.io/z3py-tutorial/guide-examples.htm](https://ericpony.github.io/z3py-tutorial/guide-examples.htm) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/reversing/reversing-tools/README.md b/src/reversing/reversing-tools/README.md index 1e3b963a0..6d380db1c 100644 --- a/src/reversing/reversing-tools/README.md +++ b/src/reversing/reversing-tools/README.md @@ -112,3 +112,4 @@ To decompile Java bytecode, these tools can be very helpful: - [https://github.com/malrev/ABD](https://github.com/malrev/ABD) \(Binary deobfuscation\) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/reversing/reversing-tools/blobrunner.md b/src/reversing/reversing-tools/blobrunner.md index e5f11c08b..88542d62a 100644 --- a/src/reversing/reversing-tools/blobrunner.md +++ b/src/reversing/reversing-tools/blobrunner.md @@ -208,3 +208,4 @@ int main(int argc, char* argv[]) ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/reversing/word-macros.md b/src/reversing/word-macros.md index 464cc3918..b6a9c2f09 100644 --- a/src/reversing/word-macros.md +++ b/src/reversing/word-macros.md @@ -16,3 +16,4 @@ Using the **GetObject** function it's possible to obtain data from forms of the ![](<../images/image (344).png>) {{#include ../banners/hacktricks-training.md}} + diff --git a/src/stego/esoteric-languages.md b/src/stego/esoteric-languages.md index 8c836fca8..1309f8212 100644 --- a/src/stego/esoteric-languages.md +++ b/src/stego/esoteric-languages.md @@ -67,3 +67,4 @@ Kukarek ``` {{#include ../banners/hacktricks-training.md}} + diff --git a/src/stego/stego-tricks.md b/src/stego/stego-tricks.md index 91ed86406..81d967435 100644 --- a/src/stego/stego-tricks.md +++ b/src/stego/stego-tricks.md @@ -218,3 +218,4 @@ For translating Braille, the [Branah Braille Translator](https://www.branah.com/ - [**https://github.com/DominicBreuker/stego-toolkit**](https://github.com/DominicBreuker/stego-toolkit) {{#include ../banners/hacktricks-training.md}} + diff --git a/src/todo/6881-udp-pentesting-bittorrent.md b/src/todo/6881-udp-pentesting-bittorrent.md index b58833f93..e94bb9223 100644 --- a/src/todo/6881-udp-pentesting-bittorrent.md +++ b/src/todo/6881-udp-pentesting-bittorrent.md @@ -1,3 +1,4 @@ {{#include ../banners/hacktricks-training.md}} {{#include ../banners/hacktricks-training.md}} + diff --git a/src/todo/android-forensics.md b/src/todo/android-forensics.md index 194fce5b5..4baba3332 100644 --- a/src/todo/android-forensics.md +++ b/src/todo/android-forensics.md @@ -25,3 +25,4 @@ Create an [android backup using adb](../mobile-pentesting/android-app-pentesting Use Linux Memory Extractor (LiME) to extract the RAM information. It's a kernel extension that should be loaded via adb. {{#include ../banners/hacktricks-training.md}} + diff --git a/src/todo/burp-suite.md b/src/todo/burp-suite.md index d847f428a..24d0abbc0 100644 --- a/src/todo/burp-suite.md +++ b/src/todo/burp-suite.md @@ -15,3 +15,4 @@ [https://github.com/h3xstream/http-script-generator](https://github.com/h3xstream/http-script-generator) {{#include ../banners/hacktricks-training.md}} + diff --git a/src/todo/cookies-policy.md b/src/todo/cookies-policy.md index 06d211e85..8b7ee8459 100644 --- a/src/todo/cookies-policy.md +++ b/src/todo/cookies-policy.md @@ -44,3 +44,4 @@ We may update this Cookies Policy from time to time to reflect changes in our pr If you have any questions or concerns about this Cookies Policy, please contact us at [support@hacktricks.xyz](mailto:support@hacktricks.xyz) + diff --git a/src/todo/hardware-hacking/README.md b/src/todo/hardware-hacking/README.md index 35a14cc79..85c0219a2 100644 --- a/src/todo/hardware-hacking/README.md +++ b/src/todo/hardware-hacking/README.md @@ -50,3 +50,4 @@ SWD is an ARM-specific protocol designed for debugging. The SWD interface requires **two pins**: a bidirectional **SWDIO** signal, which is the equivalent of JTAG’s **TDI and TDO pins and a clock**, and **SWCLK**, which is the equivalent of **TCK** in JTAG. Many devices support the **Serial Wire or JTAG Debug Port (SWJ-DP)**, a combined JTAG and SWD interface that enables you to connect either a SWD or JTAG probe to the target. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/todo/hardware-hacking/fault_injection_attacks.md b/src/todo/hardware-hacking/fault_injection_attacks.md index 8fb4018e2..0d7c35bd5 100644 --- a/src/todo/hardware-hacking/fault_injection_attacks.md +++ b/src/todo/hardware-hacking/fault_injection_attacks.md @@ -4,3 +4,4 @@ Fault injections attacks includes introducing external distrubance in electronic There are a lot of methods and mediums for injecting fault into an electronic circuit. + diff --git a/src/todo/hardware-hacking/i2c.md b/src/todo/hardware-hacking/i2c.md index e7503404f..9252b3078 100644 --- a/src/todo/hardware-hacking/i2c.md +++ b/src/todo/hardware-hacking/i2c.md @@ -210,3 +210,4 @@ Any key to exit ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/todo/hardware-hacking/jtag.md b/src/todo/hardware-hacking/jtag.md index dded0c9a6..f0aa21727 100644 --- a/src/todo/hardware-hacking/jtag.md +++ b/src/todo/hardware-hacking/jtag.md @@ -24,3 +24,4 @@ Send the command s to start scanning: If you are contacting a JTAG, you will find one or several **lines starting by FOUND!** indicating the pins of JTAG. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/todo/hardware-hacking/radio.md b/src/todo/hardware-hacking/radio.md index 38339a229..ecbe4ef9f 100644 --- a/src/todo/hardware-hacking/radio.md +++ b/src/todo/hardware-hacking/radio.md @@ -196,3 +196,4 @@ You can use the **same technique as the one used in the AM example** to get the You can use the **same technique as the one used in the AM example** to get the bits once you have **found the signal is modulated in frequency** and the **symbol rate**. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/todo/hardware-hacking/side_channel_analysis.md b/src/todo/hardware-hacking/side_channel_analysis.md index f9218c0b6..5803cf9e9 100644 --- a/src/todo/hardware-hacking/side_channel_analysis.md +++ b/src/todo/hardware-hacking/side_channel_analysis.md @@ -6,3 +6,4 @@ Analysing the vibrations in glass sheets which is near the sound source, but the These attacks are very popular in case of leaking data such as private keys or finding operations in the processors. An electronic circuit is has a lot of channels from which, information is constantly leaked. Monitoring and analysing can be useful for diclosing a lot of information about the circuit and internals of it. + diff --git a/src/todo/hardware-hacking/spi.md b/src/todo/hardware-hacking/spi.md index 9770e09ef..a8a0dc64e 100644 --- a/src/todo/hardware-hacking/spi.md +++ b/src/todo/hardware-hacking/spi.md @@ -65,3 +65,4 @@ flashrom -VV -c "W25Q64.V" -p buspirate_spi:dev=COM3 -r flash_content.img ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/todo/hardware-hacking/uart.md b/src/todo/hardware-hacking/uart.md index 4342b4ad4..4a5af6a49 100644 --- a/src/todo/hardware-hacking/uart.md +++ b/src/todo/hardware-hacking/uart.md @@ -183,3 +183,4 @@ This will list the possible contents from the EEPROM as per the signatures found Although, it is necessary to note that it's not always the case that the uboot is unlocked even if it is being used. If the Enter Key doesn't do anything, check for different keys like Space Key, etc. If the bootloader is locked and does not get interrupted, this method would not work. To check if uboot is the bootloader for the device, check the output on the UART Console while booting of the device. It might mention uboot while booting. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/todo/industrial-control-systems-hacking/README.md b/src/todo/industrial-control-systems-hacking/README.md index b6935efee..4075078a3 100644 --- a/src/todo/industrial-control-systems-hacking/README.md +++ b/src/todo/industrial-control-systems-hacking/README.md @@ -15,3 +15,4 @@ Industrial Control Systems can be complicated at times and hence require a lot o These techniques can also be used to protect against attacks and blue teaming for industrial control systems. + diff --git a/src/todo/industrial-control-systems-hacking/modbus.md b/src/todo/industrial-control-systems-hacking/modbus.md index dcef88f0f..0bcc6aa89 100644 --- a/src/todo/industrial-control-systems-hacking/modbus.md +++ b/src/todo/industrial-control-systems-hacking/modbus.md @@ -32,3 +32,4 @@ Due to it's large scale use and lack of upgradations, attacking Modbus provides + diff --git a/src/todo/interesting-http.md b/src/todo/interesting-http.md index cc6bfed4b..c8c86356e 100644 --- a/src/todo/interesting-http.md +++ b/src/todo/interesting-http.md @@ -37,3 +37,4 @@ You can override this rule using an HTML meta tag (the attacker needs to exploit Never put any sensitive data inside GET parameters or paths in the URL. {{#include ../banners/hacktricks-training.md}} + diff --git a/src/todo/investment-terms.md b/src/todo/investment-terms.md index e5191ce2f..fdb3bbb9f 100644 --- a/src/todo/investment-terms.md +++ b/src/todo/investment-terms.md @@ -67,3 +67,4 @@ However, the buyer will be paying some fee to the seller for opening the option * **Futures:** The profit or loss is based on the difference between the market price at expiration and the agreed-upon price in the contract. * **Options:** The buyer profits when the market moves favorably beyond the strike price by more than the premium paid. The seller profits by keeping the premium if the option is not exercised. + diff --git a/src/todo/llm-training-data-preparation/0.-basic-llm-concepts.md b/src/todo/llm-training-data-preparation/0.-basic-llm-concepts.md index 7539125f3..64317434b 100644 --- a/src/todo/llm-training-data-preparation/0.-basic-llm-concepts.md +++ b/src/todo/llm-training-data-preparation/0.-basic-llm-concepts.md @@ -297,3 +297,4 @@ During the backward pass: - **Efficiency:** Avoids redundant calculations by reusing intermediate results. - **Accuracy:** Provides exact derivatives up to machine precision. - **Ease of Use:** Eliminates manual computation of derivatives. + diff --git a/src/todo/llm-training-data-preparation/1.-tokenizing.md b/src/todo/llm-training-data-preparation/1.-tokenizing.md index 7430be340..454605faa 100644 --- a/src/todo/llm-training-data-preparation/1.-tokenizing.md +++ b/src/todo/llm-training-data-preparation/1.-tokenizing.md @@ -95,3 +95,4 @@ print(token_ids[:50]) ## References - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch) + diff --git a/src/todo/llm-training-data-preparation/2.-data-sampling.md b/src/todo/llm-training-data-preparation/2.-data-sampling.md index cb81241b7..9909261e1 100644 --- a/src/todo/llm-training-data-preparation/2.-data-sampling.md +++ b/src/todo/llm-training-data-preparation/2.-data-sampling.md @@ -237,3 +237,4 @@ tensor([[ 367, 2885, 1464, 1807], ## References - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch) + diff --git a/src/todo/llm-training-data-preparation/3.-token-embeddings.md b/src/todo/llm-training-data-preparation/3.-token-embeddings.md index c32035d93..7db973e25 100644 --- a/src/todo/llm-training-data-preparation/3.-token-embeddings.md +++ b/src/todo/llm-training-data-preparation/3.-token-embeddings.md @@ -215,3 +215,4 @@ print(input_embeddings.shape) # torch.Size([8, 4, 256]) ## References - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch) + diff --git a/src/todo/llm-training-data-preparation/4.-attention-mechanisms.md b/src/todo/llm-training-data-preparation/4.-attention-mechanisms.md index 97c561cb7..86c81104c 100644 --- a/src/todo/llm-training-data-preparation/4.-attention-mechanisms.md +++ b/src/todo/llm-training-data-preparation/4.-attention-mechanisms.md @@ -426,3 +426,4 @@ For another compact and efficient implementation you could use the [`torch.nn.Mu ## References - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch) + diff --git a/src/todo/llm-training-data-preparation/5.-llm-architecture.md b/src/todo/llm-training-data-preparation/5.-llm-architecture.md index d41157a9d..dc2f7f2e3 100644 --- a/src/todo/llm-training-data-preparation/5.-llm-architecture.md +++ b/src/todo/llm-training-data-preparation/5.-llm-architecture.md @@ -698,3 +698,4 @@ print("Output length:", len(out[0])) ## References - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch) + diff --git a/src/todo/llm-training-data-preparation/6.-pre-training-and-loading-models.md b/src/todo/llm-training-data-preparation/6.-pre-training-and-loading-models.md index 7a1dfad33..a9e0a9bb9 100644 --- a/src/todo/llm-training-data-preparation/6.-pre-training-and-loading-models.md +++ b/src/todo/llm-training-data-preparation/6.-pre-training-and-loading-models.md @@ -967,3 +967,4 @@ There 2 quick scripts to load the GPT2 weights locally. For both you can clone t ## References - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch) + diff --git a/src/todo/llm-training-data-preparation/7.0.-lora-improvements-in-fine-tuning.md b/src/todo/llm-training-data-preparation/7.0.-lora-improvements-in-fine-tuning.md index 217248caf..fa5817f83 100644 --- a/src/todo/llm-training-data-preparation/7.0.-lora-improvements-in-fine-tuning.md +++ b/src/todo/llm-training-data-preparation/7.0.-lora-improvements-in-fine-tuning.md @@ -61,3 +61,4 @@ def replace_linear_with_lora(model, rank, alpha): ## References - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch) + diff --git a/src/todo/llm-training-data-preparation/7.1.-fine-tuning-for-classification.md b/src/todo/llm-training-data-preparation/7.1.-fine-tuning-for-classification.md index d85cdb648..447524b91 100644 --- a/src/todo/llm-training-data-preparation/7.1.-fine-tuning-for-classification.md +++ b/src/todo/llm-training-data-preparation/7.1.-fine-tuning-for-classification.md @@ -114,3 +114,4 @@ You can find all the code to fine-tune GPT2 to be a spam classifier in [https:// ## References - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch) + diff --git a/src/todo/llm-training-data-preparation/7.2.-fine-tuning-to-follow-instructions.md b/src/todo/llm-training-data-preparation/7.2.-fine-tuning-to-follow-instructions.md index ee4f82407..13342ef1a 100644 --- a/src/todo/llm-training-data-preparation/7.2.-fine-tuning-to-follow-instructions.md +++ b/src/todo/llm-training-data-preparation/7.2.-fine-tuning-to-follow-instructions.md @@ -104,3 +104,4 @@ You can find an example of the code to perform this fine tuning in [https://gith ## References - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch) + diff --git a/src/todo/llm-training-data-preparation/README.md b/src/todo/llm-training-data-preparation/README.md index cf1b3d825..35cbc6ae9 100644 --- a/src/todo/llm-training-data-preparation/README.md +++ b/src/todo/llm-training-data-preparation/README.md @@ -96,3 +96,4 @@ You should start by reading this post for some basic concepts you should know ab {{#ref}} 7.2.-fine-tuning-to-follow-instructions.md {{#endref}} + diff --git a/src/todo/misc.md b/src/todo/misc.md index 59ca35c7d..3e00501dd 100644 --- a/src/todo/misc.md +++ b/src/todo/misc.md @@ -58,3 +58,4 @@ Snow --> Hide messages using spaces and tabs %E2%80%AE => RTL Character (writes payloads backwards) {{#include ../banners/hacktricks-training.md}} + diff --git a/src/todo/more-tools.md b/src/todo/more-tools.md index fab4e584a..380fe4b8a 100644 --- a/src/todo/more-tools.md +++ b/src/todo/more-tools.md @@ -124,3 +124,4 @@ Firmware emulation: FIRMADYNE (https://github.com/firmadyne/firmadyne/) is a pla {% embed url="https://websec.nl/" %} {{#include ../banners/hacktricks-training.md}} + diff --git a/src/todo/online-platforms-with-api.md b/src/todo/online-platforms-with-api.md index aeedf1fa4..3c12740af 100644 --- a/src/todo/online-platforms-with-api.md +++ b/src/todo/online-platforms-with-api.md @@ -125,3 +125,4 @@ It detects IP geolocation, data center, ASN and even VPN information. It offers [https://www.nmmapper.com/sys/tools/subdomainfinder/](https://www.nmmapper.com/) (in a commercial tool?) {{#include ../banners/hacktricks-training.md}} + diff --git a/src/todo/other-web-tricks.md b/src/todo/other-web-tricks.md index 11d7a0331..265b2ef1e 100644 --- a/src/todo/other-web-tricks.md +++ b/src/todo/other-web-tricks.md @@ -33,3 +33,4 @@ Developers might forget to disable various debugging options in the production e ![Image for post](https://miro.medium.com/max/1330/1*wDFRADTOd9Tj63xucenvAA.png) {{#include ../banners/hacktricks-training.md}} + diff --git a/src/todo/pentesting-dns.md b/src/todo/pentesting-dns.md index b06dfdf08..97ee7c6dc 100644 --- a/src/todo/pentesting-dns.md +++ b/src/todo/pentesting-dns.md @@ -7,3 +7,4 @@ **DNS in IPv6** {{#include ../banners/hacktricks-training.md}} + diff --git a/src/todo/post-exploitation.md b/src/todo/post-exploitation.md index 3a4f3338f..bff441463 100644 --- a/src/todo/post-exploitation.md +++ b/src/todo/post-exploitation.md @@ -14,3 +14,4 @@ - [**Slackhound**](https://github.com/BojackThePillager/Slackhound): Slackhound is a command line tool for red and blue teams to quickly perform reconnaissance of a Slack workspace/organization. Slackhound makes collection of an organization's users, files, messages, etc. quickly searchable and large objects are written to CSV for offline review. {{#include ../banners/hacktricks-training.md}} + diff --git a/src/todo/radio-hacking/README.md b/src/todo/radio-hacking/README.md index 882b2e8b2..3ce0def86 100644 --- a/src/todo/radio-hacking/README.md +++ b/src/todo/radio-hacking/README.md @@ -1,3 +1,4 @@ # Radio Hacking + diff --git a/src/todo/radio-hacking/fissure-the-rf-framework.md b/src/todo/radio-hacking/fissure-the-rf-framework.md index 3049cf1a1..34c1e70a6 100644 --- a/src/todo/radio-hacking/fissure-the-rf-framework.md +++ b/src/todo/radio-hacking/fissure-the-rf-framework.md @@ -183,3 +183,4 @@ We acknowledge and are grateful to these developers: Special thanks to Dr. Samuel Mantravadi and Joseph Reith for their contributions to this project. + diff --git a/src/todo/radio-hacking/flipper-zero/README.md b/src/todo/radio-hacking/flipper-zero/README.md index 4cc18032d..99c99363e 100644 --- a/src/todo/radio-hacking/flipper-zero/README.md +++ b/src/todo/radio-hacking/flipper-zero/README.md @@ -16,3 +16,4 @@ With [**Flipper Zero**](https://flipperzero.one/) you can: **Other Flipper Zero resources in** [**https://github.com/djsime1/awesome-flipperzer**](https://github.com/djsime1/awesome-flipperzero) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md b/src/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md index b14083210..b12a38fcd 100644 --- a/src/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md +++ b/src/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md @@ -59,3 +59,4 @@ After **copying** a card or **entering** the ID **manually** it's possible to ** {% embed url="https://websec.nl/" %} {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/todo/radio-hacking/flipper-zero/fz-ibutton.md b/src/todo/radio-hacking/flipper-zero/fz-ibutton.md index 9ff81f107..4cd74e1ef 100644 --- a/src/todo/radio-hacking/flipper-zero/fz-ibutton.md +++ b/src/todo/radio-hacking/flipper-zero/fz-ibutton.md @@ -40,3 +40,4 @@ It's possible to **emulate** saved iButtons (read or manually added). - [https://blog.flipperzero.one/taming-ibutton/](https://blog.flipperzero.one/taming-ibutton/) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/todo/radio-hacking/flipper-zero/fz-infrared.md b/src/todo/radio-hacking/flipper-zero/fz-infrared.md index 402f510db..ec5bbb74e 100644 --- a/src/todo/radio-hacking/flipper-zero/fz-infrared.md +++ b/src/todo/radio-hacking/flipper-zero/fz-infrared.md @@ -38,3 +38,4 @@ If it doesn't, Flipper can **store** the **signal** and will allow you to **repl - [https://blog.flipperzero.one/infrared/](https://blog.flipperzero.one/infrared/) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/todo/radio-hacking/flipper-zero/fz-nfc.md b/src/todo/radio-hacking/flipper-zero/fz-nfc.md index d0b2b76a3..91236c1e7 100644 --- a/src/todo/radio-hacking/flipper-zero/fz-nfc.md +++ b/src/todo/radio-hacking/flipper-zero/fz-nfc.md @@ -77,3 +77,4 @@ However, you **can't read the CVV this way** (the 3 digits on the back of the ca - [https://blog.flipperzero.one/rfid/](https://blog.flipperzero.one/rfid/) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/todo/radio-hacking/flipper-zero/fz-sub-ghz.md b/src/todo/radio-hacking/flipper-zero/fz-sub-ghz.md index 9dfa35b93..22c32f58a 100644 --- a/src/todo/radio-hacking/flipper-zero/fz-sub-ghz.md +++ b/src/todo/radio-hacking/flipper-zero/fz-sub-ghz.md @@ -102,3 +102,4 @@ Check the list in [https://docs.flipperzero.one/sub-ghz/frequencies](https://doc - [https://docs.flipperzero.one/sub-ghz](https://docs.flipperzero.one/sub-ghz) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/todo/radio-hacking/ibutton.md b/src/todo/radio-hacking/ibutton.md index 4bcded233..112378be0 100644 --- a/src/todo/radio-hacking/ibutton.md +++ b/src/todo/radio-hacking/ibutton.md @@ -43,3 +43,4 @@ flipper-zero/fz-ibutton.md - [https://blog.flipperzero.one/taming-ibutton/](https://blog.flipperzero.one/taming-ibutton/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/todo/radio-hacking/infrared.md b/src/todo/radio-hacking/infrared.md index 1d90ded7c..5e2a12b64 100644 --- a/src/todo/radio-hacking/infrared.md +++ b/src/todo/radio-hacking/infrared.md @@ -79,3 +79,4 @@ flipper-zero/fz-infrared.md - [https://blog.flipperzero.one/infrared/](https://blog.flipperzero.one/infrared/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/todo/radio-hacking/low-power-wide-area-network.md b/src/todo/radio-hacking/low-power-wide-area-network.md index ddca5b83c..369b139a2 100644 --- a/src/todo/radio-hacking/low-power-wide-area-network.md +++ b/src/todo/radio-hacking/low-power-wide-area-network.md @@ -14,3 +14,4 @@ Long Range (**LoRa**) it’s popular in multiple countries and has an open sourc [https://github.com/IOActive/laf](https://github.com/IOActive/laf) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md b/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md index 30a2da9f9..6ecba8e30 100644 --- a/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md +++ b/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md @@ -71,3 +71,4 @@ sudo bettercap --eval "ble.recon on" ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/todo/radio-hacking/pentesting-rfid.md b/src/todo/radio-hacking/pentesting-rfid.md index 9fddd0e2f..44c0e32dc 100644 --- a/src/todo/radio-hacking/pentesting-rfid.md +++ b/src/todo/radio-hacking/pentesting-rfid.md @@ -97,3 +97,4 @@ proxmark-3.md - [https://blog.flipperzero.one/rfid/](https://blog.flipperzero.one/rfid/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/todo/radio-hacking/proxmark-3.md b/src/todo/radio-hacking/proxmark-3.md index fb4e563f2..1d510b3e9 100644 --- a/src/todo/radio-hacking/proxmark-3.md +++ b/src/todo/radio-hacking/proxmark-3.md @@ -62,3 +62,4 @@ proxmark3> script run mfkeys You can create a script to **fuzz tag readers**, so copying the data of a **valid card** just write a **Lua script** that **randomize** one or more random **bytes** and check if the **reader crashes** with any iteration. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/todo/radio-hacking/sub-ghz-rf.md b/src/todo/radio-hacking/sub-ghz-rf.md index 497c69ca3..47b089f28 100644 --- a/src/todo/radio-hacking/sub-ghz-rf.md +++ b/src/todo/radio-hacking/sub-ghz-rf.md @@ -85,3 +85,4 @@ Testing against an aftermarket rolling code system installed on a car, **sending - [https://hackaday.io/project/164566-how-to-hack-a-car/details](https://hackaday.io/project/164566-how-to-hack-a-car/details) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/todo/references.md b/src/todo/references.md index 9e5dd6281..cbb355a3a 100644 --- a/src/todo/references.md +++ b/src/todo/references.md @@ -47,3 +47,4 @@ {% embed url="https://ippsec.rocks/" %} {{#include ../banners/hacktricks-training.md}} + diff --git a/src/todo/rust-basics.md b/src/todo/rust-basics.md index 668aaafef..4a276273b 100644 --- a/src/todo/rust-basics.md +++ b/src/todo/rust-basics.md @@ -317,3 +317,4 @@ fn main() { } ``` + diff --git a/src/todo/stealing-sensitive-information-disclosure-from-a-web.md b/src/todo/stealing-sensitive-information-disclosure-from-a-web.md index 3df87ec7d..a7f90758b 100644 --- a/src/todo/stealing-sensitive-information-disclosure-from-a-web.md +++ b/src/todo/stealing-sensitive-information-disclosure-from-a-web.md @@ -11,3 +11,4 @@ Here I present you the main ways to can try to achieve it: - [**Clickjaking**](../pentesting-web/clickjacking.md): If there is no protection against this attack, you may be able to trick the user into sending you the sensitive data (an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)). {{#include ../banners/hacktricks-training.md}} + diff --git a/src/todo/test-llms.md b/src/todo/test-llms.md index 16ee8d258..e81afde87 100644 --- a/src/todo/test-llms.md +++ b/src/todo/test-llms.md @@ -49,3 +49,4 @@ It offers several sections like: * **Models:** A repository of machine learning models contributed by the community which users can browse, try, and integrate models into their applications with minimal effort. * **API Access:** Simple APIs for running models the enable developers to deploy and scale models effortlessly within their own applications. + diff --git a/src/todo/tr-069.md b/src/todo/tr-069.md index 499d0b04e..828848138 100644 --- a/src/todo/tr-069.md +++ b/src/todo/tr-069.md @@ -1,3 +1,4 @@ # TR-069 + diff --git a/src/welcome/about-the-author.md b/src/welcome/about-the-author.md index 1939aed77..9c8ff5fa9 100644 --- a/src/welcome/about-the-author.md +++ b/src/welcome/about-the-author.md @@ -11,3 +11,4 @@ HackTricks is a educational Wiki that compiles knowledge about **cyber-security* HackTricks is also a wiki were **a lot of researches also share their latest findings**, so it's a great place to keep up to date with the latest hacking techniques. {{#include ../banners/hacktricks-training.md}} + diff --git a/src/welcome/hacktricks-values-and-faq.md b/src/welcome/hacktricks-values-and-faq.md index ebf2aaea7..93e608850 100644 --- a/src/welcome/hacktricks-values-and-faq.md +++ b/src/welcome/hacktricks-values-and-faq.md @@ -143,3 +143,4 @@ This license does not grant any trademark or branding rights in relation to the > By using this book, the user agrees to release the authors and publishers from any and all liability and responsibility for any damages, losses, or harm that may result from the use of this book or any of the information contained within it. {{#include ../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/README.md b/src/windows-hardening/active-directory-methodology/README.md index 8905d4bd1..bf83630d5 100644 --- a/src/windows-hardening/active-directory-methodology/README.md +++ b/src/windows-hardening/active-directory-methodology/README.md @@ -721,3 +721,4 @@ rdp-sessions-abuse.md - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/abusing-ad-mssql.md b/src/windows-hardening/active-directory-methodology/abusing-ad-mssql.md index b2606eaa0..153cc0d05 100644 --- a/src/windows-hardening/active-directory-methodology/abusing-ad-mssql.md +++ b/src/windows-hardening/active-directory-methodology/abusing-ad-mssql.md @@ -292,3 +292,4 @@ A strategy that many authors have come up with is to force a SYSTEM service to a {% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md index 5482cc629..8963c0a92 100644 --- a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md +++ b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md @@ -200,3 +200,4 @@ Furthermore, additional methods for executing code or maintaining persistence, s - [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule\_\_ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType\_](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md index e35444715..cede72578 100644 --- a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md +++ b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md @@ -65,3 +65,4 @@ ShadowSpray aims to **exploit GenericWrite/GenericAll permissions that wide user - [https://github.com/ShutdownRepo/pywhisker](https://github.com/ShutdownRepo/pywhisker) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates.md b/src/windows-hardening/active-directory-methodology/ad-certificates.md index efbb702cc..6b3f66cbf 100644 --- a/src/windows-hardening/active-directory-methodology/ad-certificates.md +++ b/src/windows-hardening/active-directory-methodology/ad-certificates.md @@ -127,3 +127,4 @@ certutil -v -dstemplate - [https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html](https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates/README.md b/src/windows-hardening/active-directory-methodology/ad-certificates/README.md index b581de966..d619085f1 100644 --- a/src/windows-hardening/active-directory-methodology/ad-certificates/README.md +++ b/src/windows-hardening/active-directory-methodology/ad-certificates/README.md @@ -127,3 +127,4 @@ certutil -v -dstemplate - [https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html](https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html) {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md b/src/windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md index 351de3e57..b726249af 100644 --- a/src/windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md +++ b/src/windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md @@ -53,3 +53,4 @@ The final method discussed involves leveraging the **validity** and **renewal pe This approach allows for an **extended persistence** method, minimizing the risk of detection through fewer interactions with the CA server and avoiding the generation of artifacts that could alert administrators to the intrusion. {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md b/src/windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md index d5cace05e..56c155a71 100644 --- a/src/windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md +++ b/src/windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md @@ -115,3 +115,4 @@ Additionally, it is noted that Kekeo can process smartcard-protected certificate This explanation encapsulates the process and tools involved in NTLM credential theft via PKINIT, focusing on the retrieval of NTLM hashes through TGT obtained using PKINIT, and the utilities that facilitate this process. {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md b/src/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md index 9e3b91e35..46ca77321 100644 --- a/src/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md +++ b/src/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md @@ -741,3 +741,4 @@ Both scenarios lead to an **increase in the attack surface** from one forest to {% embed url="https://websec.nl/" %} {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md b/src/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md index 31a9852c0..db5b40f9a 100644 --- a/src/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md +++ b/src/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md @@ -65,3 +65,4 @@ Opportunities for **persistence** through **security descriptor modifications of An example of malicious implementation would involve an attacker, who has **elevated permissions** in the domain, adding the **`WriteOwner`** permission to the default **`User`** certificate template, with the attacker being the principal for the right. To exploit this, the attacker would first change the ownership of the **`User`** template to themselves. Following this, the **`mspki-certificate-name-flag`** would be set to **1** on the template to enable **`ENROLLEE_SUPPLIES_SUBJECT`**, allowing a user to provide a Subject Alternative Name in the request. Subsequently, the attacker could **enroll** using the **template**, choosing a **domain administrator** name as an alternative name, and utilize the acquired certificate for authentication as the DA. {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/ad-dns-records.md b/src/windows-hardening/active-directory-methodology/ad-dns-records.md index ebed33a5c..0c1a6f19d 100644 --- a/src/windows-hardening/active-directory-methodology/ad-dns-records.md +++ b/src/windows-hardening/active-directory-methodology/ad-dns-records.md @@ -18,3 +18,4 @@ cat records.csv For more information read [https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/](https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md b/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md index 7d6579b72..a726f5bfd 100644 --- a/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md +++ b/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md @@ -54,3 +54,4 @@ slapd -d 2 - [https://grimhacker.com/2018/03/09/just-a-printer/](https://grimhacker.com/2018/03/09/just-a-printer/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/asreproast.md b/src/windows-hardening/active-directory-methodology/asreproast.md index 8877a1dc5..cb2e308af 100644 --- a/src/windows-hardening/active-directory-methodology/asreproast.md +++ b/src/windows-hardening/active-directory-methodology/asreproast.md @@ -111,3 +111,4 @@ Stay informed with the newest bug bounties launching and crucial platform update **Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/bloodhound.md b/src/windows-hardening/active-directory-methodology/bloodhound.md index 426c228f0..8ea9c71c0 100644 --- a/src/windows-hardening/active-directory-methodology/bloodhound.md +++ b/src/windows-hardening/active-directory-methodology/bloodhound.md @@ -95,3 +95,4 @@ group3r.exe -f To run it, can execute the binary `PingCastle.exe` and it will start an **interactive session** presenting a menu of options. The default option to use is **`healthcheck`** which will establish a baseline **overview** of the **domain**, and find **misconfigurations** and **vulnerabilities**. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/constrained-delegation.md b/src/windows-hardening/active-directory-methodology/constrained-delegation.md index dde2fa0f0..14d1d1fcf 100644 --- a/src/windows-hardening/active-directory-methodology/constrained-delegation.md +++ b/src/windows-hardening/active-directory-methodology/constrained-delegation.md @@ -81,3 +81,4 @@ Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp. [**More information in ired.team.**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/custom-ssp.md b/src/windows-hardening/active-directory-methodology/custom-ssp.md index 87a411610..979a785ef 100644 --- a/src/windows-hardening/active-directory-methodology/custom-ssp.md +++ b/src/windows-hardening/active-directory-methodology/custom-ssp.md @@ -44,3 +44,4 @@ This won't survive reboots. Event ID 4657 - Audit creation/change of `HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/dcshadow.md b/src/windows-hardening/active-directory-methodology/dcshadow.md index aaa01d964..904153ec7 100644 --- a/src/windows-hardening/active-directory-methodology/dcshadow.md +++ b/src/windows-hardening/active-directory-methodology/dcshadow.md @@ -72,3 +72,4 @@ Notice that in this case you need to make **several changes,** not just one. So, [**More information about DCShadow in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1207-creating-rogue-domain-controllers-with-dcshadow) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/dcsync.md b/src/windows-hardening/active-directory-methodology/dcsync.md index 76a78af53..5c16fec40 100644 --- a/src/windows-hardening/active-directory-methodology/dcsync.md +++ b/src/windows-hardening/active-directory-methodology/dcsync.md @@ -88,3 +88,4 @@ Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&u Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=dcsync" %} + diff --git a/src/windows-hardening/active-directory-methodology/diamond-ticket.md b/src/windows-hardening/active-directory-methodology/diamond-ticket.md index da81c8d03..f866ff502 100644 --- a/src/windows-hardening/active-directory-methodology/diamond-ticket.md +++ b/src/windows-hardening/active-directory-methodology/diamond-ticket.md @@ -30,3 +30,4 @@ powershell Get-DomainUser -Identity -Properties objectsid ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/dsrm-credentials.md b/src/windows-hardening/active-directory-methodology/dsrm-credentials.md index d1146c237..471c6d1c3 100644 --- a/src/windows-hardening/active-directory-methodology/dsrm-credentials.md +++ b/src/windows-hardening/active-directory-methodology/dsrm-credentials.md @@ -32,3 +32,4 @@ More info about this in: [https://adsecurity.org/?p=1714](https://adsecurity.org - Event ID 4657 - Audit creation/change of `HKLM:\System\CurrentControlSet\Control\Lsa DsrmAdminLogonBehavior` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md b/src/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md index 8adf6424f..6921ec4cc 100644 --- a/src/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md +++ b/src/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md @@ -81,3 +81,4 @@ The cleartext password can be used to perform regular authentication as the trus - [https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-7-trust-account-attack-from-trusting-to-trusted](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-7-trust-account-attack-from-trusting-to-trusted) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md b/src/windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md index 5d9f7c510..7a8d88e24 100644 --- a/src/windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md +++ b/src/windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md @@ -127,3 +127,4 @@ Rubeus.exe asktgs /service:cifs/dc.doamin.external /domain:dc.domain.external /d ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/golden-ticket.md b/src/windows-hardening/active-directory-methodology/golden-ticket.md index afe4e4835..314ee03cc 100644 --- a/src/windows-hardening/active-directory-methodology/golden-ticket.md +++ b/src/windows-hardening/active-directory-methodology/golden-ticket.md @@ -62,3 +62,4 @@ Other little tricks defenders can do is **alert on 4769's for sensitive users** - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets] (https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/kerberoast.md b/src/windows-hardening/active-directory-methodology/kerberoast.md index 399cc2220..150eaaa5d 100644 --- a/src/windows-hardening/active-directory-methodology/kerberoast.md +++ b/src/windows-hardening/active-directory-methodology/kerberoast.md @@ -195,3 +195,4 @@ Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&u Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=kerberoast" %} + diff --git a/src/windows-hardening/active-directory-methodology/kerberos-authentication.md b/src/windows-hardening/active-directory-methodology/kerberos-authentication.md index f33d267fe..7e73c6993 100644 --- a/src/windows-hardening/active-directory-methodology/kerberos-authentication.md +++ b/src/windows-hardening/active-directory-methodology/kerberos-authentication.md @@ -5,3 +5,4 @@ **Check the amazing post from:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md b/src/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md index 3a3d4e727..93f25bf78 100644 --- a/src/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md +++ b/src/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md @@ -109,3 +109,4 @@ icacls.exe "C:\Users\redsuit\Documents\ssh\OpenSSH-Win64" /grant Everyone:RX /T {% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/laps.md b/src/windows-hardening/active-directory-methodology/laps.md index e669138dd..16b6f32e0 100644 --- a/src/windows-hardening/active-directory-methodology/laps.md +++ b/src/windows-hardening/active-directory-methodology/laps.md @@ -147,3 +147,4 @@ Then, just compile the new `AdmPwd.PS.dll` and upload it to the machine in `C:\T {% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md b/src/windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md index 54f5be3db..f2461c9c7 100644 --- a/src/windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md +++ b/src/windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md @@ -48,3 +48,4 @@ To conform to operational security and use AES256, the following command can be {% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/pass-the-ticket.md b/src/windows-hardening/active-directory-methodology/pass-the-ticket.md index 0d09dfd09..4a5483d48 100644 --- a/src/windows-hardening/active-directory-methodology/pass-the-ticket.md +++ b/src/windows-hardening/active-directory-methodology/pass-the-ticket.md @@ -61,3 +61,4 @@ Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=pass-the-ticket" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/password-spraying.md b/src/windows-hardening/active-directory-methodology/password-spraying.md index c37f6b2a8..f7d77f596 100644 --- a/src/windows-hardening/active-directory-methodology/password-spraying.md +++ b/src/windows-hardening/active-directory-methodology/password-spraying.md @@ -159,3 +159,4 @@ Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and {% embed url="https://academy.8ksec.io/" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md b/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md index 1f62f5481..efeef58e0 100644 --- a/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md +++ b/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md @@ -128,3 +128,4 @@ If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/#ntlm &#xNAN;_Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_ {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/printnightmare.md b/src/windows-hardening/active-directory-methodology/printnightmare.md index 2429688d9..37db1ab28 100644 --- a/src/windows-hardening/active-directory-methodology/printnightmare.md +++ b/src/windows-hardening/active-directory-methodology/printnightmare.md @@ -5,3 +5,4 @@ **Check this awesome blog post about PrintNightmare in 2024: [https://www.hackingarticles.in/understanding-printnightmare-vulnerability/](https://www.hackingarticles.in/understanding-printnightmare-vulnerability/)** {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md b/src/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md index f2c80ef5b..4d79df258 100644 --- a/src/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md +++ b/src/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md @@ -319,3 +319,4 @@ Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=command-injection" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md b/src/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md index 4993d3731..46d8956aa 100644 --- a/src/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md +++ b/src/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md @@ -73,3 +73,4 @@ beacon> upload C:\Payloads\pivot.exe ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md b/src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md index cdeccab1b..9093a7241 100644 --- a/src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md +++ b/src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md @@ -140,3 +140,4 @@ Lear about the [**available service tickets here**](silver-ticket.md#available-s {% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/security-descriptors.md b/src/windows-hardening/active-directory-methodology/security-descriptors.md index e92394d85..707e4f162 100644 --- a/src/windows-hardening/active-directory-methodology/security-descriptors.md +++ b/src/windows-hardening/active-directory-methodology/security-descriptors.md @@ -49,3 +49,4 @@ Get-RemoteCachedCredential -ComputerName -Verbose Check [**Silver Tickets**](silver-ticket.md) to learn how you could use the hash of the computer account of a Domain Controller. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/sid-history-injection.md b/src/windows-hardening/active-directory-methodology/sid-history-injection.md index e2e47c0da..dc53783a0 100644 --- a/src/windows-hardening/active-directory-methodology/sid-history-injection.md +++ b/src/windows-hardening/active-directory-methodology/sid-history-injection.md @@ -137,3 +137,4 @@ raiseChild.py -target-exec 10.10.10.10 /username - [https://www.sentinelone.com/blog/windows-sid-history-injection-exposure-blog/](https://www.sentinelone.com/blog/windows-sid-history-injection-exposure-blog/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/silver-ticket.md b/src/windows-hardening/active-directory-methodology/silver-ticket.md index d69ad6ea6..002963e2c 100644 --- a/src/windows-hardening/active-directory-methodology/silver-ticket.md +++ b/src/windows-hardening/active-directory-methodology/silver-ticket.md @@ -160,3 +160,4 @@ dcsync.md {% embed url="https://go.intigriti.com/hacktricks" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/skeleton-key.md b/src/windows-hardening/active-directory-methodology/skeleton-key.md index 624042c13..934b0890a 100644 --- a/src/windows-hardening/active-directory-methodology/skeleton-key.md +++ b/src/windows-hardening/active-directory-methodology/skeleton-key.md @@ -29,3 +29,4 @@ Verification after a system reboot is crucial to ensure that the protective meas - [https://blog.netwrix.com/2022/11/29/skeleton-key-attack-active-directory/](https://blog.netwrix.com/2022/11/29/skeleton-key-attack-active-directory/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/active-directory-methodology/unconstrained-delegation.md b/src/windows-hardening/active-directory-methodology/unconstrained-delegation.md index 287241f93..eff0a89b2 100644 --- a/src/windows-hardening/active-directory-methodology/unconstrained-delegation.md +++ b/src/windows-hardening/active-directory-methodology/unconstrained-delegation.md @@ -53,3 +53,4 @@ printers-spooler-service-abuse.md - Set "Account is sensitive and cannot be delegated" for privileged accounts. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/authentication-credentials-uac-and-efs.md b/src/windows-hardening/authentication-credentials-uac-and-efs.md index 4e4d3ef68..aaae81847 100644 --- a/src/windows-hardening/authentication-credentials-uac-and-efs.md +++ b/src/windows-hardening/authentication-credentials-uac-and-efs.md @@ -282,3 +282,4 @@ Get Access Today: --- {{#include ../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/authentication-credentials-uac-and-efs/README.md b/src/windows-hardening/authentication-credentials-uac-and-efs/README.md index fab28f6f3..64df480dd 100644 --- a/src/windows-hardening/authentication-credentials-uac-and-efs/README.md +++ b/src/windows-hardening/authentication-credentials-uac-and-efs/README.md @@ -282,3 +282,4 @@ Get Access Today: --- {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md b/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md index c97cd027f..cd589f967 100644 --- a/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md +++ b/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md @@ -216,3 +216,4 @@ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/av-bypass.md b/src/windows-hardening/av-bypass.md index 5b908f2b0..9692c0fb8 100644 --- a/src/windows-hardening/av-bypass.md +++ b/src/windows-hardening/av-bypass.md @@ -578,3 +578,4 @@ If you are interested in **hacking career** and hack the unhackable - **we are h {% embed url="https://www.stmcyber.com/careers" %} {{#include ../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/basic-cmd-for-pentesters.md b/src/windows-hardening/basic-cmd-for-pentesters.md index da33f8fe6..d47497701 100644 --- a/src/windows-hardening/basic-cmd-for-pentesters.md +++ b/src/windows-hardening/basic-cmd-for-pentesters.md @@ -479,3 +479,4 @@ powershell -ep bypass - < c:\temp:ttt {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} {{#include ../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/basic-powershell-for-pentesters/README.md b/src/windows-hardening/basic-powershell-for-pentesters/README.md index bb17cbaca..e2ab70a69 100644 --- a/src/windows-hardening/basic-powershell-for-pentesters/README.md +++ b/src/windows-hardening/basic-powershell-for-pentesters/README.md @@ -465,3 +465,4 @@ RawDescriptor : System.Security.AccessControl.CommonSecurityDescriptor ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/basic-powershell-for-pentesters/powerview.md b/src/windows-hardening/basic-powershell-for-pentesters/powerview.md index 180cc7497..0a894a6ed 100644 --- a/src/windows-hardening/basic-powershell-for-pentesters/powerview.md +++ b/src/windows-hardening/basic-powershell-for-pentesters/powerview.md @@ -341,3 +341,4 @@ Add-NetGroupUser -Username username -GroupName 'Domain Admins' -Domain my.domain {% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/checklist-windows-privilege-escalation.md b/src/windows-hardening/checklist-windows-privilege-escalation.md index cbe613ac6..2280ec460 100644 --- a/src/windows-hardening/checklist-windows-privilege-escalation.md +++ b/src/windows-hardening/checklist-windows-privilege-escalation.md @@ -112,3 +112,4 @@ - [ ] Check if you can abuse it {{#include ../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/cobalt-strike.md b/src/windows-hardening/cobalt-strike.md index 66c38052a..b2f3eba1e 100644 --- a/src/windows-hardening/cobalt-strike.md +++ b/src/windows-hardening/cobalt-strike.md @@ -234,3 +234,4 @@ pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe . ``` + diff --git a/src/windows-hardening/lateral-movement/README.md b/src/windows-hardening/lateral-movement/README.md index 7d59ac66a..523202d49 100644 --- a/src/windows-hardening/lateral-movement/README.md +++ b/src/windows-hardening/lateral-movement/README.md @@ -15,3 +15,4 @@ There are different different ways to execute commands in external systems, here - [**Pass the AzureAD Certificate**](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements/az-pass-the-certificate) (cloud) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/lateral-movement/atexec.md b/src/windows-hardening/lateral-movement/atexec.md index 02c53fe52..3829b036f 100644 --- a/src/windows-hardening/lateral-movement/atexec.md +++ b/src/windows-hardening/lateral-movement/atexec.md @@ -31,3 +31,4 @@ SharpLateral schedule HOSTNAME C:\Users\Administrator\Desktop\malware.exe TaskNa More information about the [**use of schtasks with silver tickets here**](../active-directory-methodology/silver-ticket.md#host). {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/lateral-movement/dcom-exec.md b/src/windows-hardening/lateral-movement/dcom-exec.md index 4909a20d1..538e316d6 100644 --- a/src/windows-hardening/lateral-movement/dcom-exec.md +++ b/src/windows-hardening/lateral-movement/dcom-exec.md @@ -117,3 +117,4 @@ SharpLateral.exe reddcom HOSTNAME C:\Users\Administrator\Desktop\malware.exe - [https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/](https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/lateral-movement/psexec-and-winexec.md b/src/windows-hardening/lateral-movement/psexec-and-winexec.md index bad566e81..8f7c69ff6 100644 --- a/src/windows-hardening/lateral-movement/psexec-and-winexec.md +++ b/src/windows-hardening/lateral-movement/psexec-and-winexec.md @@ -40,3 +40,4 @@ SharpLateral.exe redexec HOSTNAME C:\\Users\\Administrator\\Desktop\\malware.exe {% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/lateral-movement/smbexec.md b/src/windows-hardening/lateral-movement/smbexec.md index 93121b07e..138380f7b 100644 --- a/src/windows-hardening/lateral-movement/smbexec.md +++ b/src/windows-hardening/lateral-movement/smbexec.md @@ -54,3 +54,4 @@ FOr further details check [https://blog.ropnop.com/using-credentials-to-own-wind {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/lateral-movement/winrm.md b/src/windows-hardening/lateral-movement/winrm.md index 5627c8b81..44cca4241 100644 --- a/src/windows-hardening/lateral-movement/winrm.md +++ b/src/windows-hardening/lateral-movement/winrm.md @@ -5,3 +5,4 @@ For information about [**WinRM read this page**](../../network-services-pentesting/5985-5986-pentesting-winrm.md). {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/lateral-movement/wmiexec.md b/src/windows-hardening/lateral-movement/wmiexec.md index 9cbe62ba2..f893fbae1 100644 --- a/src/windows-hardening/lateral-movement/wmiexec.md +++ b/src/windows-hardening/lateral-movement/wmiexec.md @@ -128,3 +128,4 @@ SharpLateral redwmi HOSTNAME C:\\Users\\Administrator\\Desktop\\malware.exe ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/ntlm/README.md b/src/windows-hardening/ntlm/README.md index a431d24dc..c35fc4a55 100644 --- a/src/windows-hardening/ntlm/README.md +++ b/src/windows-hardening/ntlm/README.md @@ -285,3 +285,4 @@ wce.exe -s ::: **You can use** [**https://github.com/mlgualtieri/NTLMRawUnHide**](https://github.com/mlgualtieri/NTLMRawUnHide) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/ntlm/atexec.md b/src/windows-hardening/ntlm/atexec.md index 02c53fe52..3829b036f 100644 --- a/src/windows-hardening/ntlm/atexec.md +++ b/src/windows-hardening/ntlm/atexec.md @@ -31,3 +31,4 @@ SharpLateral schedule HOSTNAME C:\Users\Administrator\Desktop\malware.exe TaskNa More information about the [**use of schtasks with silver tickets here**](../active-directory-methodology/silver-ticket.md#host). {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md b/src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md index c45938b26..3aea077ca 100644 --- a/src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md +++ b/src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md @@ -5,3 +5,4 @@ **Check all the great ideas from [https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)** {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/ntlm/psexec-and-winexec.md b/src/windows-hardening/ntlm/psexec-and-winexec.md index 69b2fa370..47a06f34b 100644 --- a/src/windows-hardening/ntlm/psexec-and-winexec.md +++ b/src/windows-hardening/ntlm/psexec-and-winexec.md @@ -52,3 +52,4 @@ Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=command-injection" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/ntlm/smbexec.md b/src/windows-hardening/ntlm/smbexec.md index 6f9d0f792..ea27ebb13 100644 --- a/src/windows-hardening/ntlm/smbexec.md +++ b/src/windows-hardening/ntlm/smbexec.md @@ -38,3 +38,4 @@ FOr further details check [https://blog.ropnop.com/using-credentials-to-own-wind - [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/ntlm/winrm.md b/src/windows-hardening/ntlm/winrm.md index 5627c8b81..44cca4241 100644 --- a/src/windows-hardening/ntlm/winrm.md +++ b/src/windows-hardening/ntlm/winrm.md @@ -5,3 +5,4 @@ For information about [**WinRM read this page**](../../network-services-pentesting/5985-5986-pentesting-winrm.md). {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/ntlm/wmiexec.md b/src/windows-hardening/ntlm/wmiexec.md index 9cbe62ba2..f893fbae1 100644 --- a/src/windows-hardening/ntlm/wmiexec.md +++ b/src/windows-hardening/ntlm/wmiexec.md @@ -128,3 +128,4 @@ SharpLateral redwmi HOSTNAME C:\\Users\\Administrator\\Desktop\\malware.exe ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/stealing-credentials/README.md b/src/windows-hardening/stealing-credentials/README.md index 4e56fce6f..a823eff48 100644 --- a/src/windows-hardening/stealing-credentials/README.md +++ b/src/windows-hardening/stealing-credentials/README.md @@ -322,3 +322,4 @@ Download it from:[ http://www.tarasco.org/security/pwdump_7](http://www.tarasco. [**Learn about some credentials protections here.**](credentials-protections.md) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/stealing-credentials/credentials-mimikatz.md b/src/windows-hardening/stealing-credentials/credentials-mimikatz.md index a072d7d51..9b30e2307 100644 --- a/src/windows-hardening/stealing-credentials/credentials-mimikatz.md +++ b/src/windows-hardening/stealing-credentials/credentials-mimikatz.md @@ -220,3 +220,4 @@ Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and {% embed url="https://academy.8ksec.io/" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/stealing-credentials/credentials-protections.md b/src/windows-hardening/stealing-credentials/credentials-protections.md index 62c835087..4ab516c04 100644 --- a/src/windows-hardening/stealing-credentials/credentials-protections.md +++ b/src/windows-hardening/stealing-credentials/credentials-protections.md @@ -116,3 +116,4 @@ For more detailed information, consult the official [documentation](https://docs | Server Operators | Server Operators | Server Operators | Server Operators | {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/stealing-credentials/wts-impersonator.md b/src/windows-hardening/stealing-credentials/wts-impersonator.md index 500a39467..969b3c713 100644 --- a/src/windows-hardening/stealing-credentials/wts-impersonator.md +++ b/src/windows-hardening/stealing-credentials/wts-impersonator.md @@ -48,3 +48,4 @@ WTSEnumerateSessionsA β†’ WTSQuerySessionInformationA β†’ WTSQueryUserToken β†’ ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/README.md b/src/windows-hardening/windows-local-privilege-escalation/README.md index 173b6f629..b8e4ebc83 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/README.md +++ b/src/windows-hardening/windows-local-privilege-escalation/README.md @@ -1618,3 +1618,4 @@ C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#antivirus--detections](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#antivirus--detections) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/access-tokens.md b/src/windows-hardening/windows-local-privilege-escalation/access-tokens.md index 083376b74..1d69a45f6 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/access-tokens.md +++ b/src/windows-hardening/windows-local-privilege-escalation/access-tokens.md @@ -108,3 +108,4 @@ Take a look to [**all the possible token privileges and some definitions on this Learn more about tokens in this tutorials: [https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa](https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa) and [https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md b/src/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md index 511b07054..555657d79 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md +++ b/src/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md @@ -174,3 +174,4 @@ Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&u Get Access Today: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=acls-dacls-sacls-aces" %} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md b/src/windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md index e9afc6be0..8c2c0577c 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md +++ b/src/windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md @@ -26,3 +26,4 @@ The persistence and potential implications of this vulnerability were underscore Although the vulnerability was initially disclosed unintentionally through the script, it was emphasized that its exploitation is constrained to outdated Windows versions (e.g., **Windows 7 / Server 2008 R2**) and requires local access. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md b/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md index 2b40e5561..8fbd33416 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md +++ b/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md @@ -79,3 +79,4 @@ Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5 Then, you can just create the HKCU entry and everytime the user logs in, your backdoor will be fired. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md b/src/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md index b07ebeab7..05571cade 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md +++ b/src/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md @@ -67,3 +67,4 @@ Please note that while this summary aims to provide valuable information, it is [wixtools](http://wixtoolset.org) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md index be27ad579..8c85631d0 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md +++ b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md @@ -245,3 +245,4 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser {% embed url="https://go.intigriti.com/hacktricks" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md index 36edde86d..51fe854d6 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md +++ b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md @@ -245,3 +245,4 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser {% embed url="https://go.intigriti.com/hacktricks" %} {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md index 6acef6708..626de6839 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md +++ b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md @@ -82,3 +82,4 @@ Having **generated the malicious Dll** (_in my case I used x64 rev shell and I g When the service is re-started, the **dll should be loaded and executed** (you can **reuse** the **procmon** trick to check if the **library was loaded as expected**). {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md b/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md index ee3185910..bd48a4ae9 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md +++ b/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md @@ -114,3 +114,4 @@ With extracted from LDAP computers list you can find every sub network even if y {% embed url="https://www.rootedcon.com/" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md b/src/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md index 800a5d38b..80302fd1e 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md +++ b/src/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md @@ -118,3 +118,4 @@ int main() { ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/integrity-levels.md b/src/windows-hardening/windows-local-privilege-escalation/integrity-levels.md index c4970b569..c220d9937 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/integrity-levels.md +++ b/src/windows-hardening/windows-local-privilege-escalation/integrity-levels.md @@ -97,3 +97,4 @@ Not all files and folders have a minimum integrity level, **but all processes ar Due to the restrictions commented in this and the previous section, from a security point of view, it's always **recommended to run a process in the lower level of integrity possible**. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/juicypotato.md b/src/windows-hardening/windows-local-privilege-escalation/juicypotato.md index 705051d83..9ffe0a8b4 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/juicypotato.md +++ b/src/windows-hardening/windows-local-privilege-escalation/juicypotato.md @@ -131,3 +131,4 @@ Then download [test_clsid.bat ](https://github.com/ohpe/juicy-potato/blob/master - [https://github.com/ohpe/juicy-potato/blob/master/README.md](https://github.com/ohpe/juicy-potato/blob/master/README.md) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.md b/src/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.md index dfada3b83..be8aed0cb 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.md +++ b/src/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.md @@ -691,3 +691,4 @@ Another tool to leak a handle and exploit it. - [https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html](https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/msi-wrapper.md b/src/windows-hardening/windows-local-privilege-escalation/msi-wrapper.md index e512fe3f9..259f6b6f5 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/msi-wrapper.md +++ b/src/windows-hardening/windows-local-privilege-escalation/msi-wrapper.md @@ -20,3 +20,4 @@ And this is the most important part of the configuration: From here just click on **next buttons** and the last **build button and your installer/wrapper will be generated.** {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.md b/src/windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.md index 00633c31d..76b843a24 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.md +++ b/src/windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.md @@ -7,3 +7,4 @@ Check: [**https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation**](https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md index d3bca52b9..faf1557bc 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md +++ b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md @@ -182,3 +182,4 @@ Full token privileges cheatsheet at [https://github.com/gtworek/Priv2Admin](http - Take a look to [**this paper**](https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt) about privesc with tokens. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md index 5ab0f4fd8..23c897e22 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md +++ b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens/README.md @@ -191,3 +191,4 @@ Full token privileges cheatsheet at [https://github.com/gtworek/Priv2Admin](http - Take a look to [**this paper**](https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt) about privesc with tokens. {{#include ../../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md index 908e71019..40a10125e 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md +++ b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md @@ -349,3 +349,4 @@ autorunsc.exe -m -nobanner -a * -ct /accepteula {% embed url="https://go.intigriti.com/hacktricks" %} {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md b/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md index 091ded400..e398595ef 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md +++ b/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md @@ -94,3 +94,4 @@ nt authority\system - [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato) {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md b/src/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md index 0a0aed2dd..7b3e0046e 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md +++ b/src/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md @@ -213,3 +213,4 @@ int _tmain( int argc, TCHAR* argv[] ) ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md b/src/windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md index 6b87f0c0f..a6068b533 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md +++ b/src/windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md @@ -178,3 +178,4 @@ See the privileges "Administrators" have over `winlogon.exe`: Inside that process "Administrators" can "Read Memory" and "Read Permissions" which probably allows Administrators to impersonate the token used by this process. {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md b/src/windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md index 8dd3692d5..56957d947 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md +++ b/src/windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md @@ -16,3 +16,4 @@ int main () ``` {{#include ../../banners/hacktricks-training.md}} + diff --git a/src/windows-hardening/windows-security-controls/uac-user-account-control.md b/src/windows-hardening/windows-security-controls/uac-user-account-control.md index 2900185ab..8f1515ef3 100644 --- a/src/windows-hardening/windows-security-controls/uac-user-account-control.md +++ b/src/windows-hardening/windows-security-controls/uac-user-account-control.md @@ -216,3 +216,4 @@ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} {{#include ../../banners/hacktricks-training.md}} +