impr

src/linux-hardening/privilege-escalation/write-to-root.md

@@ -47,6 +47,19 @@ TODO
 
 The file located in `/proc/sys/fs/binfmt_misc` indicates which binary should execute whic type of files. TODO: check the requirements to abuse this to execute a rev shell when a common file type is open.
 
+### Overwrite schema handlers (like http: or https:)
+
+An attacker with write permissions to a victim's configuration directories can easily replace or create files that change system behavior, resulting in unintended code execution. By modifying the `$HOME/.config/mimeapps.list` file to point HTTP and HTTPS URL handlers to a malicious file (e.g., setting `x-scheme-handler/http=evil.desktop`), the attacker ensures that **clicking any http or https link triggers code specified in that `evil.desktop` file**. For example, after placing the following malicious code in `evil.desktop` in `$HOME/.local/share/applications`, any external URL click runs the embedded command:
+
+```bash
+[Desktop Entry]
+Exec=sh -c 'zenity --info --title="$(uname -n)" --text="$(id)"'
+Type=Application
+Name=Evil Desktop Entry
+```
+
+For more info check [**this post**](https://chatgpt.com/c/67fac01f-0214-8006-9db3-19c40e45ee49) where it was used to exploit a real vulnerability.
+
 {{#include ../../banners/hacktricks-training.md}}
 
 

src/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md

@@ -43,6 +43,23 @@ These are the hosts that the browser extension can access freely. This is becaus
 
 ## Abusing `permissions` and `host_permissions`
 
+### Cookies
+
+The **`cookies`** permission allows the extension to access **all the cookies** of the browser. In [**this blog post**](https://theindiannetwork.medium.com/reverse-engineering-a-browser-extension-led-me-to-a-dangerous-exploit-25-000-bounty-c7dda4601753) this permissions was abused through a **vulnerable backdound script** to abuse a browser extension to give the attacker all cookies of the browser of the victim user that accessed the malicious web page. The vulnerable code was just sending back all the cookies:
+
+```javascript
+chrome.runtime.onMessage.addListener(
+  function(request, sender, sendResponse) {
+    if (request.action == "getCookies") {
+      chrome.cookies.getAll({}, function(cookies) {
+        sendResponse({data: cookies});
+      });
+    }
+    return true;
+  }
+);
+```
+
 ### Tabs
 
 Moreover, **`host_permissions`** also unlock “advanced” [**tabs API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs) **functionality.** They allow the extension to call [tabs.query()](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/query) and not only get a **list of user’s browser tabs** back but also learn which **web page (meaning address and title) is loaded**.

src/windows-hardening/active-directory-methodology/constrained-delegation.md

@@ -87,7 +87,7 @@ tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.mo
 Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~ dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'
 ```
 
-[**More information in ired.team.**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation)
+[**More information in ired.team.**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation) and [**https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61**](https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61)
 
 {{#include ../../banners/hacktricks-training.md}}