diff --git a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/README.md b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/README.md index 3bd7abfdb..d036f5586 100644 --- a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/README.md +++ b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/README.md @@ -165,7 +165,7 @@ gef➤ bt **Ghidra** is very useful to find the the **offset** for a **buffer overflow thanks to the information about the position of the local variables.**\ For example, in the example below, a buffer flow in `local_bc` indicates that you need an offset of `0xbc`. Moreover, if `local_10` is a canary cookie it indicates that to overwrite it from `local_bc` there is an offset of `0xac`.\ -&#xNAN;_Remember that the first 0x08 from where the RIP is saved belongs to the RBP._ +_Remember that the first 0x08 from where the RIP is saved belongs to the RBP._ ![](<../../../images/image (1061).png>) @@ -180,8 +180,8 @@ Get every opcode executed in the program. ## GCC **gcc -fno-stack-protector -D_FORTIFY_SOURCE=0 -z norelro -z execstack 1.2.c -o 1.2** --> Compile without protections\ -&#xNAN;**-o** --> Output\ -&#xNAN;**-g** --> Save code (GDB will be able to see it)\ +**-o** --> Output\ +**-g** --> Save code (GDB will be able to see it)\ **echo 0 > /proc/sys/kernel/randomize_va_space** --> To deactivate the ASLR in linux **To compile a shellcode:**\ @@ -191,13 +191,13 @@ Get every opcode executed in the program. ## Objdump **-d** --> **Disassemble executable** sections (see opcodes of a compiled shellcode, find ROP Gadgets, find function address...)\ -&#xNAN;**-Mintel** --> **Intel** syntax\ -&#xNAN;**-t** --> **Symbols** table\ -&#xNAN;**-D** --> **Disassemble all** (address of static variable)\ -&#xNAN;**-s -j .dtors** --> dtors section\ -&#xNAN;**-s -j .got** --> got section\ +**-Mintel** --> **Intel** syntax\ +**-t** --> **Symbols** table\ +**-D** --> **Disassemble all** (address of static variable)\ +**-s -j .dtors** --> dtors section\ +**-s -j .got** --> got section\ -D -s -j .plt --> **plt** section **decompiled**\ -&#xNAN;**-TR** --> **Relocations**\ +**-TR** --> **Relocations**\ **ojdump -t --dynamic-relo ./exec | grep puts** --> Address of "puts" to modify in GOT\ **objdump -D ./exec | grep "VAR_NAME"** --> Address or a static variable (those are stored in DATA section). diff --git a/src/generic-hacking/tunneling-and-port-forwarding.md b/src/generic-hacking/tunneling-and-port-forwarding.md index 53be489b6..62d747abe 100644 --- a/src/generic-hacking/tunneling-and-port-forwarding.md +++ b/src/generic-hacking/tunneling-and-port-forwarding.md @@ -574,7 +574,7 @@ ssh -D 9050 -p 2222 -l user 127.0.0.1 ## ngrok [**ngrok**](https://ngrok.com/) **is a tool to expose solutions to Internet in one command line.**\ -&#xNAN;_Exposition URI are like:_ **UID.ngrok.io** +_Exposition URI are like:_ **UID.ngrok.io** ### Installation diff --git a/src/generic-methodologies-and-resources/external-recon-methodology/README.md b/src/generic-methodologies-and-resources/external-recon-methodology/README.md index 752eab1ad..7a03395de 100644 --- a/src/generic-methodologies-and-resources/external-recon-methodology/README.md +++ b/src/generic-methodologies-and-resources/external-recon-methodology/README.md @@ -196,7 +196,7 @@ You could access the **TLS certificate** of the main web page, obtain the **Orga Check for some [domain takeover](../../pentesting-web/domain-subdomain-takeover.md#domain-takeover). Maybe some company is **using some a domain** but they **lost the ownership**. Just register it (if cheap enough) and let know the company. If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/index.html#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\ -&#xNAN;_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._ +_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._ ## Subdomains @@ -539,7 +539,7 @@ Check for possible [**subdomain takeovers**](../../pentesting-web/domain-subdoma If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/index.html). If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/index.html#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\ -&#xNAN;_Note that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._ +_Note that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._ ## IPs diff --git a/src/generic-methodologies-and-resources/pentesting-methodology.md b/src/generic-methodologies-and-resources/pentesting-methodology.md index ea38ab2dd..4e4262245 100644 --- a/src/generic-methodologies-and-resources/pentesting-methodology.md +++ b/src/generic-methodologies-and-resources/pentesting-methodology.md @@ -60,7 +60,7 @@ If at this point you haven't found any interesting vulnerability you **may need Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](../generic-hacking/reverse-shells/index.html). -Specially in Windows you could need some help to **avoid antiviruses**: [**Check this page**](../windows-hardening/av-bypass.md)**.**\\ +Specially in Windows you could need some help to **avoid antiviruses**: [**Check this page**](../windows-hardening/av-bypass.md)**.** ### 8- Inside diff --git a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md index e97b23bbc..8c98a15de 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md @@ -21,7 +21,7 @@ DOCX files referencing a remote template (File –Options –Add-ins –Manage: ### External Image Load Go to: _Insert --> Quick Parts --> Field_\ -&#xNAN;_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ http://\/whatever +_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ http://\/whatever ![](<../../images/image (155).png>) diff --git a/src/hardware-physical-access/escaping-from-gui-applications.md b/src/hardware-physical-access/escaping-from-gui-applications.md index 197b229ab..0e5b2a629 100644 --- a/src/hardware-physical-access/escaping-from-gui-applications.md +++ b/src/hardware-physical-access/escaping-from-gui-applications.md @@ -159,7 +159,7 @@ Check this page for more information: [https://www.howtohaven.com/system/show-fi Backup iKat versions: [http://swin.es/k/](http://swin.es/k/)\ -[http://www.ikat.kronicd.net/](http://www.ikat.kronicd.net)\\ +[http://www.ikat.kronicd.net/](http://www.ikat.kronicd.net) Create a common dialog using JavaScript and access file explorer: `document.write('')`\ Source: https://medium.com/@Rend\_/give-me-a-browser-ill-give-you-a-shell-de19811defa0 diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md index 61528f275..121901b48 100644 --- a/src/linux-hardening/privilege-escalation/README.md +++ b/src/linux-hardening/privilege-escalation/README.md @@ -538,7 +538,7 @@ Sockets can be configured using `.socket` files. ### Writable .socket files If you find a **writable** `.socket` file you can **add** at the beginning of the `[Socket]` section something like: `ExecStartPre=/home/kali/sys/backdoor` and the backdoor will be executed before the socket is created. Therefore, you will **probably need to wait until the machine is rebooted.**\ -&#xNAN;_Note that the system must be using that socket file configuration or the backdoor won't be executed_ +_Note that the system must be using that socket file configuration or the backdoor won't be executed_ ### Writable sockets @@ -1640,14 +1640,14 @@ cisco-vmanage.md ## References -- [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)\\ -- [https://payatu.com/guide-linux-privilege-escalation/](https://payatu.com/guide-linux-privilege-escalation/)\\ -- [https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744](https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744)\\ -- [http://0x90909090.blogspot.com/2015/07/no-one-expect-command-execution.html](http://0x90909090.blogspot.com/2015/07/no-one-expect-command-execution.html)\\ -- [https://touhidshaikh.com/blog/?p=827](https://touhidshaikh.com/blog/?p=827)\\ -- [https://github.com/sagishahar/lpeworkshop/blob/master/Lab%20Exercises%20Walkthrough%20-%20Linux.pdf](https://github.com/sagishahar/lpeworkshop/blob/master/Lab%20Exercises%20Walkthrough%20-%20Linux.pdf)\\ -- [https://github.com/frizb/Linux-Privilege-Escalation](https://github.com/frizb/Linux-Privilege-Escalation)\\ -- [https://github.com/lucyoa/kernel-exploits](https://github.com/lucyoa/kernel-exploits)\\ +- [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) +- [https://payatu.com/guide-linux-privilege-escalation/](https://payatu.com/guide-linux-privilege-escalation/) +- [https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744](https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744) +- [http://0x90909090.blogspot.com/2015/07/no-one-expect-command-execution.html](http://0x90909090.blogspot.com/2015/07/no-one-expect-command-execution.html) +- [https://touhidshaikh.com/blog/?p=827](https://touhidshaikh.com/blog/?p=827) +- [https://github.com/sagishahar/lpeworkshop/blob/master/Lab%20Exercises%20Walkthrough%20-%20Linux.pdf](https://github.com/sagishahar/lpeworkshop/blob/master/Lab%20Exercises%20Walkthrough%20-%20Linux.pdf) +- [https://github.com/frizb/Linux-Privilege-Escalation](https://github.com/frizb/Linux-Privilege-Escalation) +- [https://github.com/lucyoa/kernel-exploits](https://github.com/lucyoa/kernel-exploits) - [https://github.com/rtcrowley/linux-private-i](https://github.com/rtcrowley/linux-private-i) - [https://www.linux.com/news/what-socket/](https://www.linux.com/news/what-socket/) - [https://muzec0318.github.io/posts/PG/peppo.html](https://muzec0318.github.io/posts/PG/peppo.html) diff --git a/src/network-services-pentesting/9200-pentesting-elasticsearch.md b/src/network-services-pentesting/9200-pentesting-elasticsearch.md index 12dbe733e..16d33e635 100644 --- a/src/network-services-pentesting/9200-pentesting-elasticsearch.md +++ b/src/network-services-pentesting/9200-pentesting-elasticsearch.md @@ -124,7 +124,7 @@ _Take a moment to compare the contents of the each document (entry) inside the b So, at this point you may notice that **there is a field called "total" inside "hits"** that indicates that **1000 documents were found** inside this index but only 10 were retried. This is because **by default there is a limit of 10 documents**.\ But, now that you know that **this index contains 1000 documents**, you can **dump all of them** indicating the number of entries you want to dump in the **`size`** parameter: `http://10.10.10.115:9200/quotes/_search?pretty=true&size=1000`asd\ -\&#xNAN;_Note: If you indicate bigger number all the entries will be dumped anyway, for example you could indicate `size=9999` and it will be weird if there were more entries (but you should check)._ +\_Note: If you indicate bigger number all the entries will be dumped anyway, for example you could indicate `size=9999` and it will be weird if there were more entries (but you should check)._ ### Dump all diff --git a/src/network-services-pentesting/pentesting-ftp/README.md b/src/network-services-pentesting/pentesting-ftp/README.md index 514247b79..365455e68 100644 --- a/src/network-services-pentesting/pentesting-ftp/README.md +++ b/src/network-services-pentesting/pentesting-ftp/README.md @@ -98,8 +98,8 @@ STAT ### Anonymous login _anonymous : anonymous_\ -\&#xNAN;_anonymous :_\ -\&#xNAN;_ftp : ftp_ +\_anonymous :_\ +\_ftp : ftp_ ```bash ftp diff --git a/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md b/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md index 2c5e863f6..a003109da 100644 --- a/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md +++ b/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md @@ -6,7 +6,7 @@ From [wikipedia](https://en.wikipedia.org/wiki/Microsoft_SQL_Server): -> **Microsoft SQL Server** is a **relational database** management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet).\\ +> **Microsoft SQL Server** is a **relational database** management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet). **Default port:** 1433 diff --git a/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md b/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md index 2375e6f2a..57ebf62dc 100644 --- a/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md +++ b/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md @@ -65,7 +65,7 @@ Check the full writeup in: [https://blog.mindedsecurity.com/2018/10/from-path-tr > [!NOTE] > As summary, there are several web.config files inside the folders of the application with references to "**assemblyIdentity**" files and "**namespaces**". With this information it's possible to know **where are executables located** and download them.\ > From the **downloaded Dlls** it's also possible to find **new namespaces** where you should try to access and get the web.config file in order to find new namespaces and assemblyIdentity.\ -> Also, the files **connectionstrings.config** and **global.asax** may contain interesting information.\\ +> Also, the files **connectionstrings.config** and **global.asax** may contain interesting information. In **.Net MVC applications**, the **web.config** file plays a crucial role by specifying each binary file the application relies on through **"assemblyIdentity"** XML tags. diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md index 3b5a74076..bc8d06ad2 100644 --- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md +++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md @@ -226,7 +226,7 @@ php-ssrf.md ## Code execution **system("ls");**\ -&#xNAN;**\`ls\`;**\ +**\`ls\`;**\ **shell_exec("ls");** [Check this for more useful PHP functions](php-useful-functions-disable_functions-open_basedir-bypass/index.html) diff --git a/src/network-services-pentesting/pentesting-web/put-method-webdav.md b/src/network-services-pentesting/pentesting-web/put-method-webdav.md index 122249ee4..6286ca130 100644 --- a/src/network-services-pentesting/pentesting-web/put-method-webdav.md +++ b/src/network-services-pentesting/pentesting-web/put-method-webdav.md @@ -58,7 +58,7 @@ Then you can **upload** your shell as a ".**txt" file** and **copy/move it to a ## Post credentials If the Webdav was using an Apache server you should look at configured sites in Apache. Commonly:\ -\&#xNAN;_**/etc/apache2/sites-enabled/000-default**_ +\_**/etc/apache2/sites-enabled/000-default**_ Inside it you could find something like: diff --git a/src/pentesting-web/clickjacking.md b/src/pentesting-web/clickjacking.md index aadcd1184..af33957a0 100644 --- a/src/pentesting-web/clickjacking.md +++ b/src/pentesting-web/clickjacking.md @@ -97,7 +97,7 @@ background: #F00; If you have identified an **XSS attack that requires a user to click** on some element to **trigger** the XSS and the page is **vulnerable to clickjacking**, you could abuse it to trick the user into clicking the button/link.\ Example:\ -&#xNAN;_You found a **self XSS** in some private details of the account (details that **only you can set and read**). The page with the **form** to set these details is **vulnerable** to **Clickjacking** and you can **prepopulate** the **form** with the GET parameters._\ +_You found a **self XSS** in some private details of the account (details that **only you can set and read**). The page with the **form** to set these details is **vulnerable** to **Clickjacking** and you can **prepopulate** the **form** with the GET parameters._\ \_\_An attacker could prepare a **Clickjacking** attack to that page **prepopulating** the **form** with the **XSS payload** and **tricking** the **user** into **Submit** the form. So, **when the form is submitted** and the values are modified, the **user will execute the XSS**. ## Strategies to Mitigate Clickjacking diff --git a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md index 7092bd9a0..60779ba7c 100644 --- a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md +++ b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md @@ -205,7 +205,7 @@ Check for [further information here](
## References -- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal)\\ +- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal) - [PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders) {{#file}} diff --git a/src/pentesting-web/ldap-injection.md b/src/pentesting-web/ldap-injection.md index ba6378cb0..479e605db 100644 --- a/src/pentesting-web/ldap-injection.md +++ b/src/pentesting-web/ldap-injection.md @@ -33,8 +33,8 @@ EN-Blackhat-Europe-2008-LDAP-Injection-Blind-LDAP-Injection.pdf **Substring** = attr ”=” \[initial] \* \[final]\ **Initial** = assertionvalue\ **Final** = assertionvalue\ -&#xNAN;**(&)** = Absolute TRUE\ -&#xNAN;**(|)** = Absolute FALSE +**(&)** = Absolute TRUE\ +**(|)** = Absolute FALSE For example:\ `(&(!(objectClass=Impresoras))(uid=s*))`\ diff --git a/src/pentesting-web/open-redirect.md b/src/pentesting-web/open-redirect.md index eac68ee3e..bafa2f075 100644 --- a/src/pentesting-web/open-redirect.md +++ b/src/pentesting-web/open-redirect.md @@ -178,8 +178,8 @@ exit; ## Resources -- In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) you can find fuzzing lists.\\ -- [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)\\ +- In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) you can find fuzzing lists. +- [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html) - [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads) - [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a) diff --git a/src/pentesting-web/saml-attacks/README.md b/src/pentesting-web/saml-attacks/README.md index e80a7996d..c2ca605d7 100644 --- a/src/pentesting-web/saml-attacks/README.md +++ b/src/pentesting-web/saml-attacks/README.md @@ -299,7 +299,7 @@ with open("/home/fady/uberSAMLOIDAUTH") as urlList: ## References - [https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/) -- [https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/)\\ +- [https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/) - [https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/) - [https://blog.fadyothman.com/how-i-discovered-xss-that-affects-over-20-uber-subdomains/](https://blog.fadyothman.com/how-i-discovered-xss-that-affects-over-20-uber-subdomains/) diff --git a/src/pentesting-web/sql-injection/README.md b/src/pentesting-web/sql-injection/README.md index 3d75b4332..317f7b928 100644 --- a/src/pentesting-web/sql-injection/README.md +++ b/src/pentesting-web/sql-injection/README.md @@ -315,7 +315,7 @@ admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055' **Recommended list**: You should use as username each line of the list and as password always: _**Pass1234.**_\ -&#xNAN;_(This payloads are also included in the big list mentioned at the beginning of this section)_ +_(This payloads are also included in the big list mentioned at the beginning of this section)_ {{#file}} sqli-hashbypass.txt diff --git a/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md b/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md index d211b9e21..fb8d60cf0 100644 --- a/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md +++ b/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md @@ -21,7 +21,7 @@ local all all trust ``` _Note that this configuration is commonly used to modify the password of a db user when the admin forget it, so sometimes you may find it._\ -&#xNAN;_Note also that the file pg_hba.conf is readable only by postgres user and group and writable only by postgres user._ +_Note also that the file pg_hba.conf is readable only by postgres user and group and writable only by postgres user._ This case is **useful if** you **already** have a **shell** inside the victim as it will allow you to connect to postgresql database. diff --git a/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md b/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md index 544fc742e..ca1fd9a08 100644 --- a/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md +++ b/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md @@ -424,8 +424,8 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt ## **References** -- [XSLT_SSRF](https://feelsec.info/wp-content/uploads/2018/11/XSLT_SSRF.pdf)\\ -- [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf)\\ +- [XSLT_SSRF](https://feelsec.info/wp-content/uploads/2018/11/XSLT_SSRF.pdf) +- [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf) - [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf) {{#include ../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/xss-cross-site-scripting/README.md b/src/pentesting-web/xss-cross-site-scripting/README.md index 1e15ea419..12c1cd2f1 100644 --- a/src/pentesting-web/xss-cross-site-scripting/README.md +++ b/src/pentesting-web/xss-cross-site-scripting/README.md @@ -157,7 +157,7 @@ server-side-xss-dynamic-pdf.md When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\ For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\ -&#xNAN;_**Note: A HTML comment can be closed using\*\*\*\*\*\*** \***\*`-->`\*\*** \***\*or \*\*\*\*\*\***`--!>`\*\*_ +_**Note: A HTML comment can be closed using\*\*\*\*\*\*** \***\*`-->`\*\*** \***\*or \*\*\*\*\*\***`--!>`\*\*_ In this case and if no black/whitelisting is used, you could use payloads like: diff --git a/src/pentesting-web/xxe-xee-xml-external-entity.md b/src/pentesting-web/xxe-xee-xml-external-entity.md index 7c773ebe1..a1a66c50f 100644 --- a/src/pentesting-web/xxe-xee-xml-external-entity.md +++ b/src/pentesting-web/xxe-xee-xml-external-entity.md @@ -771,13 +771,13 @@ https://github.com/luisfontes19/xxexploiter ## References -- [https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf](https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf)\\ -- [https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html](https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html)\\ -- Extract info via HTTP using own external DTD: [https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/](https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/)\\ -- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection)\\ -- [https://gist.github.com/staaldraad/01415b990939494879b4](https://gist.github.com/staaldraad/01415b990939494879b4)\\ -- [https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9](https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9)\\ -- [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe)\\ +- [https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf](https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf) +- [https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html](https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html) +- Extract info via HTTP using own external DTD: [https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/](https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/) +- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection) +- [https://gist.github.com/staaldraad/01415b990939494879b4](https://gist.github.com/staaldraad/01415b990939494879b4) +- [https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9](https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9) +- [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe) - [https://gosecure.github.io/xxe-workshop/#7](https://gosecure.github.io/xxe-workshop/#7) {{#include ../banners/hacktricks-training.md}} diff --git a/src/reversing/reversing-tools-basic-methods/cheat-engine.md b/src/reversing/reversing-tools-basic-methods/cheat-engine.md index 2e0b2442e..4b57f71c4 100644 --- a/src/reversing/reversing-tools-basic-methods/cheat-engine.md +++ b/src/reversing/reversing-tools-basic-methods/cheat-engine.md @@ -55,7 +55,7 @@ Then, you do something so that **value changes**, and you **stop** the game and ![](<../../images/image (684).png>) Cheat Engine will search for the **values** that **went from 100 to the new value**. Congrats, you **found** the **address** of the value you were looking for, you can now modify it.\ -&#xNAN;_If you still have several values, do something to modify again that value, and perform another "next scan" to filter the addresses._ +_If you still have several values, do something to modify again that value, and perform another "next scan" to filter the addresses._ ### Unknown Value, known change diff --git a/src/todo/hardware-hacking/radio.md b/src/todo/hardware-hacking/radio.md index d6df4f802..52b1284a6 100644 --- a/src/todo/hardware-hacking/radio.md +++ b/src/todo/hardware-hacking/radio.md @@ -9,7 +9,7 @@ ### Basic Config After installing there are a few things that you could consider configuring.\ -In settings (the second tab button) you can select the **SDR device** or **select a file** to read and which frequency to syntonise and the Sample rate (recommended to up to 2.56Msps if your PC support it)\\ +In settings (the second tab button) you can select the **SDR device** or **select a file** to read and which frequency to syntonise and the Sample rate (recommended to up to 2.56Msps if your PC support it) ![](<../../images/image (245).png>) diff --git a/src/todo/llm-training-data-preparation/1.-tokenizing.md b/src/todo/llm-training-data-preparation/1.-tokenizing.md index 6a8c8eaf9..de60ffaa1 100644 --- a/src/todo/llm-training-data-preparation/1.-tokenizing.md +++ b/src/todo/llm-training-data-preparation/1.-tokenizing.md @@ -27,7 +27,7 @@ - **Handling Unknown Words:**\ If a word like `"Bye"` isn't in the vocabulary, it is replaced with `[UNK]`.\ `"Bye, world!"` → `["[UNK]", ",", "world", "!"]` → `[987, 455, 78, 467]`\ - &#xNAN;_(Assuming `[UNK]` has ID `987`)_ + _(Assuming `[UNK]` has ID `987`)_ ### **Advanced Tokenizing Methods** diff --git a/src/windows-hardening/active-directory-methodology/README.md b/src/windows-hardening/active-directory-methodology/README.md index ad92623b4..e016edcca 100644 --- a/src/windows-hardening/active-directory-methodology/README.md +++ b/src/windows-hardening/active-directory-methodology/README.md @@ -482,7 +482,7 @@ skeleton-key.md ### Custom SSP [Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs/index.html#security-support-provider-interface-sspi)\ -You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.\\ +You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine. {{#ref}} custom-ssp.md @@ -690,7 +690,7 @@ https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movement ## Some General Defenses -[**Learn more about how to protect credentials here.**](../stealing-credentials/credentials-protections.md)\\ +[**Learn more about how to protect credentials here.**](../stealing-credentials/credentials-protections.md) ### **Defensive Measures for Credential Protection** diff --git a/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md b/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md index 049821d46..03871e915 100644 --- a/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md +++ b/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md @@ -127,6 +127,6 @@ If you can perform a MitM attack to a computer and inject HTML in a page he will ## Cracking NTLMv1 If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/index.html#ntlmv1-attack).\ -&#xNAN;_Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_ +_Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_ {{#include ../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/ntlm/README.md b/src/windows-hardening/ntlm/README.md index 8a682afe3..98930bba2 100644 --- a/src/windows-hardening/ntlm/README.md +++ b/src/windows-hardening/ntlm/README.md @@ -83,7 +83,7 @@ Nowadays is becoming less common to find environments with Unconstrained Delegat You could abuse some credentials/sessions you already have on the AD to **ask the printer to authenticate** against some **host under your control**. Then, using `metasploit auxiliary/server/capture/smb` or `responder` you can **set the authentication challenge to 1122334455667788**, capture the authentication attempt, and if it was done using **NTLMv1** you will be able to **crack it**.\ If you are using `responder` you could try to \*\*use the flag `--lm` \*\* to try to **downgrade** the **authentication**.\ -&#xNAN;_Note that for this technique the authentication must be performed using NTLMv1 (NTLMv2 is not valid)._ +_Note that for this technique the authentication must be performed using NTLMv1 (NTLMv2 is not valid)._ Remember that the printer will use the computer account during the authentication, and computer accounts use **long and random passwords** that you **probably won't be able to crack** using common **dictionaries**. But the **NTLMv1** authentication **uses DES** ([more info here](#ntlmv1-challenge)), so using some services specially dedicated to cracking DES you will be able to crack it (you could use [https://crack.sh/](https://crack.sh) or [https://ntlmv1.com/](https://ntlmv1.com) for example). diff --git a/src/windows-hardening/windows-local-privilege-escalation/README.md b/src/windows-hardening/windows-local-privilege-escalation/README.md index b663aa7b6..bdaac5e23 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/README.md +++ b/src/windows-hardening/windows-local-privilege-escalation/README.md @@ -506,7 +506,7 @@ accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version If you are having this error (for example with SSDPSRV): _System error 1058 has occurred._\ -&#xNAN;_The service cannot be started, either because it is disabled or because it has no enabled devices associated with it._ +_The service cannot be started, either because it is disabled or because it has no enabled devices associated with it._ You can enable it using @@ -1604,21 +1604,21 @@ You have to compile the project using the correct version of .NET ([see this](ht C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line ``` -## Bibliography +## References -- [http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html)\\ -- [http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738)\\ -- [http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html](http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html)\\ -- [https://github.com/sagishahar/lpeworkshop](https://github.com/sagishahar/lpeworkshop)\\ -- [https://www.youtube.com/watch?v=\_8xJaaQlpBo](https://www.youtube.com/watch?v=_8xJaaQlpBo)\\ -- [https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html](https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html)\\ -- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)\\ -- [https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)\\ -- [https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md](https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md)\\ -- [https://github.com/frizb/Windows-Privilege-Escalation](https://github.com/frizb/Windows-Privilege-Escalation)\\ -- [https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/](https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/)\\ -- [https://github.com/frizb/Windows-Privilege-Escalation](https://github.com/frizb/Windows-Privilege-Escalation)\\ -- [http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html](http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html)\\ +- [http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html) +- [http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738) +- [http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html](http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html) +- [https://github.com/sagishahar/lpeworkshop](https://github.com/sagishahar/lpeworkshop) +- [https://www.youtube.com/watch?v=\_8xJaaQlpBo](https://www.youtube.com/watch?v=_8xJaaQlpBo) +- [https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html](https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html) +- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md) +- [https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/) +- [https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md](https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md) +- [https://github.com/frizb/Windows-Privilege-Escalation](https://github.com/frizb/Windows-Privilege-Escalation) +- [https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/](https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/) +- [https://github.com/frizb/Windows-Privilege-Escalation](https://github.com/frizb/Windows-Privilege-Escalation) +- [http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html](http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html) - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#antivirus--detections](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#antivirus--detections) {{#include ../../banners/hacktricks-training.md}}