From 007ec718312fedaa1dbbea9aaeb05caf49a9ee85 Mon Sep 17 00:00:00 2001 From: CPol Date: Tue, 24 Jan 2023 00:08:38 +0000 Subject: [PATCH] GitBook: [#3764] No subject --- SUMMARY.md | 16 ++++----- .../partitions-file-systems-carving/ntfs.md | 2 +- .../volatility-cheatsheet.md | 18 +++------- .../pentesting-methodology.md | 6 ++-- .../linux-privilege-escalation-checklist.md | 20 +++++------ .../privilege-escalation/README.md | 18 +++++----- .../README.md | 0 .../lxd-privilege-escalation.md | 0 .../prototype-pollution-to-rce.md | 12 ++++--- .../active-directory-methodology/README.md | 24 ++++++------- ...ers.md => basic-win-cmd-for-pentesters.md} | 0 windows-hardening/ntlm/README.md | 34 +++++++------------ .../README.md | 28 +++++++-------- .../credentials-mimikatz.md | 0 .../windows-credentials-protections.md} | 0 .../{av-bypass.md => windows-av-bypass.md} | 0 .../README.md | 22 ++++++------ 17 files changed, 90 insertions(+), 110 deletions(-) rename linux-hardening/privilege-escalation/{interesting-groups-linux-pe => interesting-groups-linux-privesc}/README.md (100%) rename linux-hardening/privilege-escalation/{interesting-groups-linux-pe => interesting-groups-linux-privesc}/lxd-privilege-escalation.md (100%) rename windows-hardening/{basic-cmd-for-pentesters.md => basic-win-cmd-for-pentesters.md} (100%) rename windows-hardening/{stealing-credentials => stealing-windows-credentials}/README.md (89%) rename windows-hardening/{stealing-credentials => stealing-windows-credentials}/credentials-mimikatz.md (100%) rename windows-hardening/{stealing-credentials/credentials-protections.md => stealing-windows-credentials/windows-credentials-protections.md} (100%) rename windows-hardening/{av-bypass.md => windows-av-bypass.md} (100%) diff --git a/SUMMARY.md b/SUMMARY.md index 7f67a828d..5e600649b 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -103,9 +103,9 @@ * [Logstash](linux-hardening/privilege-escalation/logstash.md) * [Node inspector/CEF debug abuse](linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md) * [D-Bus Enumeration & Command Injection Privilege Escalation](linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md) - * [Interesting Groups - Linux PE](linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md) - * [lxd/lxc Group - Privilege escalation](linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md) - * [ld.so exploit example](linux-hardening/privilege-escalation/ld.so.conf-example.md) + * [Interesting Groups - Linux Privesc](linux-hardening/privilege-escalation/interesting-groups-linux-privesc/README.md) + * [lxd/lxc Group - Privilege escalation](linux-hardening/privilege-escalation/interesting-groups-linux-privesc/lxd-privilege-escalation.md) + * [ld.so privesc exploit example](linux-hardening/privilege-escalation/ld.so.conf-example.md) * [Linux Active Directory](linux-hardening/privilege-escalation/linux-active-directory.md) * [Linux Capabilities](linux-hardening/privilege-escalation/linux-capabilities.md) * [NFS no\_root\_squash/no\_all\_squash misconfiguration PE](linux-hardening/privilege-escalation/nfs-no\_root\_squash-misconfiguration-pe.md) @@ -215,13 +215,13 @@ * [WinRM](windows-hardening/ntlm/winrm.md) * [WmicExec](windows-hardening/ntlm/wmicexec.md) * [Pivoting to the Cloud](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements) -* [Stealing Credentials](windows-hardening/stealing-credentials/README.md) - * [Credentials Protections](windows-hardening/stealing-credentials/credentials-protections.md) - * [Mimikatz](windows-hardening/stealing-credentials/credentials-mimikatz.md) -* [Basic CMD for Pentesters](windows-hardening/basic-cmd-for-pentesters.md) +* [Stealing Windows Credentials](windows-hardening/stealing-windows-credentials/README.md) + * [Windows Credentials Protections](windows-hardening/stealing-windows-credentials/windows-credentials-protections.md) + * [Mimikatz](windows-hardening/stealing-windows-credentials/credentials-mimikatz.md) +* [Basic Win CMD for Pentesters](windows-hardening/basic-win-cmd-for-pentesters.md) * [Basic PowerShell for Pentesters](windows-hardening/basic-powershell-for-pentesters/README.md) * [PowerView/SharpView](windows-hardening/basic-powershell-for-pentesters/powerview.md) -* [AV Bypass](windows-hardening/av-bypass.md) +* [AV Bypass](windows-hardening/windows-av-bypass.md) ## πŸ“± Mobile Pentesting diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md index 525924f4c..260564bdf 100644 --- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md +++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md @@ -204,7 +204,7 @@ The **`$BitMap`** is a special file within the NTFS file system. This file keeps ### ADS (Alternate Data Stream) Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this default data stream is called `:$DATA`.\ -In this [page you can see different ways to create/access/discover alternate data streams](../../../windows-hardening/basic-cmd-for-pentesters.md#alternate-data-streams-cheatsheet-ads-alternate-data-stream) from the console. In the past, this cause a vulnerability in IIS as people were able to access the source code of a page by accessing the `:$DATA` stream like `http://www.alternate-data-streams.com/default.asp::$DATA`. +In this [page you can see different ways to create/access/discover alternate data streams](../../../windows-hardening/basic-win-cmd-for-pentesters.md#alternate-data-streams-cheatsheet-ads-alternate-data-stream) from the console. In the past, this cause a vulnerability in IIS as people were able to access the source code of a page by accessing the `:$DATA` stream like `http://www.alternate-data-streams.com/default.asp::$DATA`. Using the tool [**AlternateStreamView**](https://www.nirsoft.net/utils/alternate\_data\_streams.html) you can search and export all the files with some ADS. diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md b/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md index 6ead44520..6c97f9cf5 100644 --- a/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md +++ b/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md @@ -2,13 +2,13 @@
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -20,8 +20,6 @@ {% embed url="https://www.rootedcon.com/" %} - - If you want something **fast and crazy** that will launch several Volatility plugins on parallel you can use: [https://github.com/carlospolop/autoVolatility](https://github.com/carlospolop/autoVolatility) ```bash @@ -154,7 +152,7 @@ The plugin `banners.Banners` can be used in **vol3 to try to find linux banners* ## Hashes/Passwords -Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/authentication-credentials-uac-and-efs.md#lsa-secrets). +Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-windows-credentials/windows-credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/authentication-credentials-uac-and-efs.md#lsa-secrets). {% tabs %} {% tab title="vol3" %} @@ -182,8 +180,6 @@ The memory dump of a process will **extract everything** of the current status o volatility -f file.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/ ``` - - ​
@@ -415,8 +411,6 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp userassist {% endtab %} {% endtabs %} - - ​
@@ -812,8 +806,6 @@ volatility --profile=Win7SP1x86_23418 mbrparser -f file.dmp The MBR holds the information on how the logical partitions, containing [file systems](https://en.wikipedia.org/wiki/File\_system), are organized on that medium. The MBR also contains executable code to function as a loader for the installed operating systemβ€”usually by passing control over to the loader's [second stage](https://en.wikipedia.org/wiki/Second-stage\_boot\_loader), or in conjunction with each partition's [volume boot record](https://en.wikipedia.org/wiki/Volume\_boot\_record) (VBR). This MBR code is usually referred to as a [boot loader](https://en.wikipedia.org/wiki/Boot\_loader). From [here](https://en.wikipedia.org/wiki/Master\_boot\_record). - - ​
@@ -824,12 +816,12 @@ The MBR holds the information on how the logical partitions, containing [file sy
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/generic-methodologies-and-resources/pentesting-methodology.md b/generic-methodologies-and-resources/pentesting-methodology.md index 58c95b252..25d68dd86 100644 --- a/generic-methodologies-and-resources/pentesting-methodology.md +++ b/generic-methodologies-and-resources/pentesting-methodology.md @@ -91,7 +91,7 @@ Specially in Windows you could need some help to **avoid antiviruses**: \[Check If you have troubles with the shell, you can find here a small **compilation of the most useful commands** for pentesters: * [**Linux**](../linux-hardening/useful-linux-commands/) -* [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md) +* [**Windows (CMD)**](../windows-hardening/basic-win-cmd-for-pentesters.md) * [**Winodows (PS)**](../windows-hardening/basic-powershell-for-pentesters/) ### **9 -** [**Exfiltration**](exfiltration.md) @@ -108,7 +108,7 @@ You should also check this pages about how does **Windows work**: * [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs.md) * How does [**NTLM works**](../windows-hardening/ntlm/) -* How to [**steal credentials**](../windows-hardening/stealing-credentials/) in Windows +* How to [**steal credentials**](../windows-hardening/stealing-windows-credentials/) in Windows * Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/) **Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) @@ -122,7 +122,7 @@ Here you can find a [**methodology explaining the most common actions to enumera #### **11**.1 - Looting Check if you can find more **passwords** inside the host or if you have **access to other machines** with the **privileges** of your **user**.\ -Find here different ways to [**dump passwords in Windows**](../windows-hardening/stealing-credentials/). +Find here different ways to [**dump passwords in Windows**](../windows-hardening/stealing-windows-credentials/). #### 11.2 - Persistence diff --git a/linux-hardening/linux-privilege-escalation-checklist.md b/linux-hardening/linux-privilege-escalation-checklist.md index 3e1c04f56..a5d336924 100644 --- a/linux-hardening/linux-privilege-escalation-checklist.md +++ b/linux-hardening/linux-privilege-escalation-checklist.md @@ -2,22 +2,22 @@
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.​ +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).​
Did you know that crypto projects pay more bounty rewards than their web2 counterparts?\ -****This [**crypto bounty alone**](https://hackenproof.com/jungle/jungle-smart-contract) is worth $1.000.000!\ +\*\*\*\*This [**crypto bounty alone**](https://hackenproof.com/jungle/jungle-smart-contract) is worth $1.000.000!\ Check out the [**top-paying bounties**](https://hackenproof.com/programs) among crypto projects.\ -[**Sign up on HackenProof**](https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA) to get rewarded without delays and become the web3 hacker legend. +[**Sign up on HackenProof**](https://hackenproof.com/register?referral\_code=i\_E6M25i\_Um9gB56o-XsIA) to get rewarded without delays and become the web3 hacker legend. {% embed url="https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA" %} @@ -91,7 +91,7 @@ Check out the [**top-paying bounties**](https://hackenproof.com/programs) among * [ ] Generic users/groups **enumeration** * [ ] Do you have a **very big UID**? Is the **machine** **vulnerable**? -* [ ] Can you [**escalate privileges thanks to a group**](privilege-escalation/interesting-groups-linux-pe/) you belong to? +* [ ] Can you [**escalate privileges thanks to a group**](privilege-escalation/interesting-groups-linux-privesc/) you belong to? * [ ] **Clipboard** data? * [ ] Password Policy? * [ ] Try to **use** every **known password** that you have discovered previously to login **with each** possible **user**. Try to login also without a password. @@ -159,25 +159,23 @@ Check out the [**top-paying bounties**](https://hackenproof.com/programs) among * [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/#nfs-privilege-escalation)? * [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/#escaping-from-restricted-shells)? - -
Did you know that crypto projects pay more bounty rewards than their web2 counterparts?\ -****This [**crypto bounty alone**](https://hackenproof.com/jungle/jungle-smart-contract) is worth $1.000.000!\ +\*\*\*\*This [**crypto bounty alone**](https://hackenproof.com/jungle/jungle-smart-contract) is worth $1.000.000!\ Check out the [**top-paying bounties**](https://hackenproof.com/programs) among crypto projects.\ -[**Sign up on HackenProof**](https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA) to get rewarded without delays and become the web3 hacker legend. +[**Sign up on HackenProof**](https://hackenproof.com/register?referral\_code=i\_E6M25i\_Um9gB56o-XsIA) to get rewarded without delays and become the web3 hacker legend. {% embed url="https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA" %}
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/linux-hardening/privilege-escalation/README.md b/linux-hardening/privilege-escalation/README.md index 9cec3b1d0..7a81a5e23 100644 --- a/linux-hardening/privilege-escalation/README.md +++ b/linux-hardening/privilege-escalation/README.md @@ -2,13 +2,13 @@
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -638,7 +638,7 @@ Now, you can execute commands on the container from this `socat` connection. ### Others -Note that if you have write permissions over the docker socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-pe/#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../network-services-pentesting/2375-pentesting-docker.md#compromising). +Note that if you have write permissions over the docker socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-privesc/#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../network-services-pentesting/2375-pentesting-docker.md#compromising). Check **more ways to break out from docker or abuse it to escalate privileges** in: @@ -775,8 +775,8 @@ Some Linux versions were affected by a bug that allows users with **UID > INT\_M Check if you are a **member of some group** that could grant you root privileges: -{% content-ref url="interesting-groups-linux-pe/" %} -[interesting-groups-linux-pe](interesting-groups-linux-pe/) +{% content-ref url="interesting-groups-linux-privesc/" %} +[interesting-groups-linux-privesc](interesting-groups-linux-privesc/) {% endcontent-ref %} ### Clipboard @@ -1039,7 +1039,7 @@ void hijack() { } ``` -If you get an error such as +If you get an error such as ```shell-session ./suid_bin: symbol lookup error: ./suid_bin: undefined symbol: a_function_name @@ -1500,7 +1500,7 @@ aureport --tty | grep -E "su |sudo " | sed -E "s,su|sudo,${C}[1;31m&${C}[0m,g" grep -RE 'comm="su"|comm="sudo"' /var/log* 2>/dev/null ``` -In order to **read logs the group** [**adm**](interesting-groups-linux-pe/#adm-group) will be really helpful. +In order to **read logs the group** [**adm**](interesting-groups-linux-privesc/#adm-group) will be really helpful. ### Shell files @@ -1635,12 +1635,12 @@ Files that ship in packages downloaded from the distribution repository go into
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md b/linux-hardening/privilege-escalation/interesting-groups-linux-privesc/README.md similarity index 100% rename from linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md rename to linux-hardening/privilege-escalation/interesting-groups-linux-privesc/README.md diff --git a/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md b/linux-hardening/privilege-escalation/interesting-groups-linux-privesc/lxd-privilege-escalation.md similarity index 100% rename from linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md rename to linux-hardening/privilege-escalation/interesting-groups-linux-privesc/lxd-privilege-escalation.md diff --git a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md index ff90a46e7..70c904239 100644 --- a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md +++ b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md @@ -2,13 +2,13 @@
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -51,6 +51,8 @@ var proc = fork('a_file.js'); ## PP2RCE via env vars +**PP2RCE** means **Prototype Pollution to RCE** (Remote Coxe Execution). + According to this [**writeup**](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/) when a **process is spawned** with some method from **`child_process`** (like `fork` or `spawn` or others) it calls the method `normalizeSpawnArguments` which a **prototype pollution gadget to create new env vars**: ```javascript @@ -662,7 +664,7 @@ Please, note that prototype pollution works if the **attribute** of an object th In Jun 2022 from [**this commit**](https://github.com/nodejs/node/commit/20b0df1d1eba957ea30ba618528debbe02a97c6a) the var `options` instead of a `{}` is a **`kEmptyObject`**. Which **prevents a prototype pollution** from affecting the **attributes** of **`options`** to obtain RCE.\ At least from v18.4.0 this protection has been **implemented,** and therefore the `spawn` and `spawnSync` **exploits** affecting the methods **no longer work** (if no `options` are used!). -In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156cadc1b3492eac3941dd9) the **prototype pollution** of **`contextExtensions`** from the vm library was **also kind of fixed** setting options to **`kEmptyObject` ** instead of **`{}`.** +In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156cadc1b3492eac3941dd9) the **prototype pollution** of **`contextExtensions`** from the vm library was **also kind of fixed** setting options to \*\*`kEmptyObject` \*\* instead of **`{}`.** ## References @@ -672,12 +674,12 @@ In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156c
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/windows-hardening/active-directory-methodology/README.md b/windows-hardening/active-directory-methodology/README.md index 73ae6a7f3..b408df987 100644 --- a/windows-hardening/active-directory-methodology/README.md +++ b/windows-hardening/active-directory-methodology/README.md @@ -2,13 +2,13 @@
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -118,7 +118,7 @@ Get-GlobalAddressList -ExchHostname [ip] -UserName [domain]\[username] -Password ``` {% hint style="warning" %} -You can find lists of usernames in [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names) **** and this one ([**statistically-likely-usernames**](https://github.com/insidetrust/statistically-likely-usernames)). +You can find lists of usernames in [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names) \*\*\*\* and this one ([**statistically-likely-usernames**](https://github.com/insidetrust/statistically-likely-usernames)). However, you should have the **name of the people working on the company** from the recon step you should have performed before this. With the name and surname you could used the script [**namemash.py**](https://gist.github.com/superkojiman/11076951) to generate potential valid usernames. {% endhint %} @@ -145,7 +145,7 @@ You might be able to **obtain** some challenge **hashes** to crack **poisoning** ### NTML Relay -If you have managed to enumerate the active directory you will have **more emails and a better understanding of the network**. You might be able to to force NTML [**relay attacks**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack) **** to get access to the AD env. +If you have managed to enumerate the active directory you will have **more emails and a better understanding of the network**. You might be able to to force NTML [**relay attacks**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack) \*\*\*\* to get access to the AD env. ### Steal NTLM Creds @@ -171,12 +171,12 @@ Having compromised an account is a **big step to start compromising the whole do Regarding [**ASREPRoast**](asreproast.md) you can now find every possible vulnerable user, and regarding [**Password Spraying**](password-spraying.md) you can get a **list of all the usernames** and try the password of the compromised account, empty passwords and new promising passwords. -* You could use the [**CMD to perform a basic recon**](../basic-cmd-for-pentesters.md#domain-info) +* You could use the [**CMD to perform a basic recon**](../basic-win-cmd-for-pentesters.md#domain-info) * You can also use [**powershell for recon**](../basic-powershell-for-pentesters/) which will be stealthier * You ca also [**use powerview**](../basic-powershell-for-pentesters/powerview.md) to extract more detailed information * Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** (depending on the collection methods you use), but **if you don't care** about that, you should totally give it a try. Find where users can RDP, find path to other groups, etc. * **Other automated AD enumeration tools are:** [**AD Explorer**](bloodhound.md#ad-explorer)**,** [**ADRecon**](bloodhound.md#adrecon)**,** [**Group3r**](bloodhound.md#group3r)**,** [**PingCastle**](bloodhound.md#pingcastle)**.** -* ****[**DNS records of the AD**](ad-dns-records.md) **** as they might contain interesting information. +* \*\*\*\*[**DNS records of the AD**](ad-dns-records.md) \*\*\*\* as they might contain interesting information. * A **tool with GUI** that you can use to enumerate the directory is **AdExplorer.exe** from **SysInternal** Suite. * You can also search in the LDAP database with **ldapsearch** to look for credentials in fields _userPassword_ & _unixUserPassword_, or even for _Description_. cf. [Password in AD User comment on PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#password-in-ad-user-comment) for other methods. * If you are using **Linux**, you could also enumerate the domain using [**pywerview**](https://github.com/the-useless-one/pywerview). @@ -228,7 +228,7 @@ If you have managed to enumerate the active directory you will have **more email Now that you have some basic credentials you should check if you can **find** any **interesting files being shared inside the AD**. You could do that manually but it's a very boring repetitive task (and more if you find hundreds of docs you need to check). -****[**Follow this link to learn about tools you could use.**](../../network-services-pentesting/pentesting-smb.md#domain-shared-folders-search)**** +[**Follow this link to learn about tools you could use.**](../../network-services-pentesting/pentesting-smb.md#domain-shared-folders-search) ### Steal NTLM Creds @@ -254,7 +254,7 @@ This vulnerability allowed any authenticated user to **compromise the domain con Hopefully you have managed to **compromise some local admin** account using [AsRepRoast](asreproast.md), [Password Spraying](password-spraying.md), [Kerberoast](kerberoast.md), [Responder](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) including relaying, [EvilSSDP](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md), [escalating privileges locally](../windows-local-privilege-escalation/).\ Then, its time to dump all the hashes in memory and locally.\ -[**Read this page about different ways to obtain the hashes.**](../stealing-credentials/) +[**Read this page about different ways to obtain the hashes.**](../stealing-windows-credentials/) ### Pass the Hash @@ -383,7 +383,7 @@ Once you get **Domain Admin** or even better **Enterprise Admin** privileges, yo [**More information about DCSync attack can be found here**](dcsync.md). -[**More information about how to steal the NTDS.dit can be found here**](../stealing-credentials/) +[**More information about how to steal the NTDS.dit can be found here**](../stealing-windows-credentials/) ### Privesc as Persistence @@ -672,7 +672,7 @@ Moreover, if the **victim mounted his hard drive**, from the **RDP session** pro ## Some General Defenses -[**Learn more about how to protect credentials here.**](../stealing-credentials/credentials-protections.md)\ +[**Learn more about how to protect credentials here.**](../stealing-windows-credentials/windows-credentials-protections.md)\ **Please, find some migrations against each technique in the description of the technique.** * Not allow Domain Admins to login on any other hosts apart from Domain Controllers @@ -734,12 +734,12 @@ If you don't execute this from a Domain Controller, ATA is going to catch you, s
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/windows-hardening/basic-cmd-for-pentesters.md b/windows-hardening/basic-win-cmd-for-pentesters.md similarity index 100% rename from windows-hardening/basic-cmd-for-pentesters.md rename to windows-hardening/basic-win-cmd-for-pentesters.md diff --git a/windows-hardening/ntlm/README.md b/windows-hardening/ntlm/README.md index 269e8d6d0..6042cf3c7 100644 --- a/windows-hardening/ntlm/README.md +++ b/windows-hardening/ntlm/README.md @@ -2,17 +2,13 @@
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -193,7 +189,7 @@ wce.exe -s ::: ## Extracting credentials from a Windows Host -**For more information about** [**how to obtain credentials from a Windows host you should read this page**](../stealing-credentials/)**.** +**For more information about** [**how to obtain credentials from a Windows host you should read this page**](../stealing-windows-credentials/)**.** ## NTLM Relay and Responder @@ -209,16 +205,12 @@ wce.exe -s :::
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/windows-hardening/stealing-credentials/README.md b/windows-hardening/stealing-windows-credentials/README.md similarity index 89% rename from windows-hardening/stealing-credentials/README.md rename to windows-hardening/stealing-windows-credentials/README.md index 1e18f8ebe..3bdd08331 100644 --- a/windows-hardening/stealing-credentials/README.md +++ b/windows-hardening/stealing-windows-credentials/README.md @@ -1,14 +1,14 @@ -# Stealing Credentials +# Stealing Windows Credentials
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -19,7 +19,7 @@ Did you know that crypto projects pay more bounty rewards than their web2 counterparts?\ This [**crypto bounty alone**](https://hackenproof.com/jungle/jungle-smart-contract) is worth $1.000.000!\ Check out the [**top-paying bounties**](https://hackenproof.com/programs) among crypto projects.\ -[**Sign up on HackenProof**](https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA) to get rewarded without delays and become the web3 hacker legend. +[**Sign up on HackenProof**](https://hackenproof.com/register?referral\_code=i\_E6M25i\_Um9gB56o-XsIA) to get rewarded without delays and become the web3 hacker legend. {% embed url="https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA" %} @@ -49,7 +49,7 @@ Invoke-Mimikatz -DumpCreds #Dump creds from memory Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"' ``` -[**Learn about some possible credentials protections here.**](credentials-protections.md) **This protections could prevent Mimikatz from extracting some credentials.** +[**Learn about some possible credentials protections here.**](windows-credentials-protections.md) **This protections could prevent Mimikatz from extracting some credentials.** ## Credentials with Meterpreter @@ -166,16 +166,12 @@ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds #~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet ``` - - - -
​Did you know that crypto projects pay more bounty rewards than their web2 counterparts?\ -****This [**crypto bounty alone**](https://hackenproof.com/jungle/jungle-smart-contract) is worth $1.000.000!\ +\*\*\*\*This [**crypto bounty alone**](https://hackenproof.com/jungle/jungle-smart-contract) is worth $1.000.000!\ Check out the [**top-paying bounties**](https://hackenproof.com/programs) among crypto projects.\ -[**Sign up on HackenProof**](https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA) to get rewarded without delays and become the web3 hacker legend. +[**Sign up on HackenProof**](https://hackenproof.com/register?referral\_code=i\_E6M25i\_Um9gB56o-XsIA) to get rewarded without delays and become the web3 hacker legend. {% embed url="https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA" %} @@ -334,27 +330,27 @@ Download it from:[ http://www.tarasco.org/security/pwdump\_7](http://www.tarasco ## Defenses -[**Learn about some credentials protections here.**](credentials-protections.md) +[**Learn about some credentials protections here.**](windows-credentials-protections.md) ​
​Did you know that crypto projects pay more bounty rewards than their web2 counterparts?\ -****This [**crypto bounty alone**](https://hackenproof.com/jungle/jungle-smart-contract) is worth $1.000.000!\ +\*\*\*\*This [**crypto bounty alone**](https://hackenproof.com/jungle/jungle-smart-contract) is worth $1.000.000!\ Check out the [**top-paying bounties**](https://hackenproof.com/programs) among crypto projects.\ -[**Sign up on HackenProof**](https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA) to get rewarded without delays and become the web3 hacker legend. +[**Sign up on HackenProof**](https://hackenproof.com/register?referral\_code=i\_E6M25i\_Um9gB56o-XsIA) to get rewarded without delays and become the web3 hacker legend. {% embed url="https://hackenproof.com/register?referral_code=i_E6M25i_Um9gB56o-XsIA" %}
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/windows-hardening/stealing-credentials/credentials-mimikatz.md b/windows-hardening/stealing-windows-credentials/credentials-mimikatz.md similarity index 100% rename from windows-hardening/stealing-credentials/credentials-mimikatz.md rename to windows-hardening/stealing-windows-credentials/credentials-mimikatz.md diff --git a/windows-hardening/stealing-credentials/credentials-protections.md b/windows-hardening/stealing-windows-credentials/windows-credentials-protections.md similarity index 100% rename from windows-hardening/stealing-credentials/credentials-protections.md rename to windows-hardening/stealing-windows-credentials/windows-credentials-protections.md diff --git a/windows-hardening/av-bypass.md b/windows-hardening/windows-av-bypass.md similarity index 100% rename from windows-hardening/av-bypass.md rename to windows-hardening/windows-av-bypass.md diff --git a/windows-hardening/windows-local-privilege-escalation/README.md b/windows-hardening/windows-local-privilege-escalation/README.md index f3e7e4845..78607f12f 100644 --- a/windows-hardening/windows-local-privilege-escalation/README.md +++ b/windows-hardening/windows-local-privilege-escalation/README.md @@ -2,13 +2,13 @@
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -322,7 +322,7 @@ reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\Subs ### WDigest If active, **plain-text passwords are stored in LSASS** (Local Security Authority Subsystem Service).\ -[**More info about WDigest in this page**](../stealing-credentials/credentials-protections.md#wdigest). +[**More info about WDigest in this page**](../stealing-windows-credentials/windows-credentials-protections.md#wdigest). ``` reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential @@ -331,7 +331,7 @@ reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v Use ### LSA Protection Microsoft in **Windows 8.1 and later** has provided additional protection for the LSA to **prevent** untrusted processes from being able to **read its memory** or to inject code.\ -[**More info about LSA Protection here**](../stealing-credentials/credentials-protections.md#lsa-protection). +[**More info about LSA Protection here**](../stealing-windows-credentials/windows-credentials-protections.md#lsa-protection). ``` reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL @@ -340,7 +340,7 @@ reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL ### Credentials Guard **Credential Guard** is a new feature in Windows 10 (Enterprise and Education edition) that helps to protect your credentials on a machine from threats such as pass the hash.\ -[**More info about Credentials Guard here.**](../stealing-credentials/credentials-protections.md#credential-guard) +[**More info about Credentials Guard here.**](../stealing-windows-credentials/windows-credentials-protections.md#credential-guard) ``` reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags @@ -349,7 +349,7 @@ reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags ### Cached Credentials **Domain credentials** are used by operating system components and are **authenticated** by the **Local** **Security Authority** (LSA). Typically, domain credentials are established for a user when a registered security package authenticates the user's logon data.\ -[**More info about Cached Credentials here**](../stealing-credentials/credentials-protections.md#cached-credentials). +[**More info about Cached Credentials here**](../stealing-windows-credentials/windows-credentials-protections.md#cached-credentials). ``` reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT @@ -775,9 +775,9 @@ Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L ### Firewall Rules -[**Check this page for Firewall related commands**](../basic-cmd-for-pentesters.md#firewall) **(list rules, create rules, turn off, turn off...)** +[**Check this page for Firewall related commands**](../basic-win-cmd-for-pentesters.md#firewall) **(list rules, create rules, turn off, turn off...)** -More[ commands for network enumeration here](../basic-cmd-for-pentesters.md#network) +More[ commands for network enumeration here](../basic-win-cmd-for-pentesters.md#network) ### Windows Subsystem for Linux (wsl) @@ -1340,7 +1340,7 @@ Tools to extract passwords from browsers: * Mimikatz: `dpapi::chrome` * [**SharpWeb**](https://github.com/djhohnstein/SharpWeb) * [**SharpChromium**](https://github.com/djhohnstein/SharpChromium) -* [**SharpDPAPI**](https://github.com/GhostPack/SharpDPAPI)**** +* [**SharpDPAPI**](https://github.com/GhostPack/SharpDPAPI)\*\*\*\* ### **COM DLL Overwriting** @@ -1563,12 +1563,12 @@ C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the
-πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ +πŸŽ™οΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) πŸŽ™οΈ - πŸŽ₯ Youtube πŸŽ₯ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).