GitBook: [#3418] No subject

This commit is contained in:
CPol 2022-08-21 22:53:18 +00:00 committed by gitbook-bot
parent 7c171af1f2
commit 4327676c00
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
29 changed files with 180 additions and 50 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.6 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 1.6 KiB

After

Width:  |  Height:  |  Size: 84 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 84 KiB

After

Width:  |  Height:  |  Size: 74 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 94 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 94 KiB

After

Width:  |  Height:  |  Size: 51 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 51 KiB

After

Width:  |  Height:  |  Size: 150 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 19 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 19 KiB

After

Width:  |  Height:  |  Size: 346 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 346 KiB

After

Width:  |  Height:  |  Size: 71 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 71 KiB

After

Width:  |  Height:  |  Size: 16 KiB

View file

@ -472,6 +472,7 @@
* [Formula/Doc/LaTeX Injection](pentesting-web/formula-doc-latex-injection.md)
* [HTTP Connection Request Smuggling](pentesting-web/http-connection-request-smuggling.md)
* [HTTP Request Smuggling / HTTP Desync Attack](pentesting-web/http-request-smuggling/README.md)
* [Browser HTTP Request Smuggling](pentesting-web/http-request-smuggling/browser-http-request-smuggling.md)
* [Request Smuggling in HTTP/2 Downgrades](pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md)
* [HTTP Response Smuggling / Desync](pentesting-web/http-response-smuggling-desync.md)
* [Upgrade Header Smuggling](pentesting-web/h2c-smuggling.md)

View file

@ -103,13 +103,13 @@ Open the SalseoLoader project using Visual Studio.
### Add before the main function: \[DllExport]
![](<../.gitbook/assets/image (2) (1).png>)
![](<../.gitbook/assets/image (2) (1) (1).png>)
### Install DllExport for this project
#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
![](<../.gitbook/assets/image (3) (1).png>)
![](<../.gitbook/assets/image (3) (1) (1).png>)
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**

View file

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@ -238,7 +238,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
* [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
{% hint style="danger" %}
<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

View file

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@ -154,7 +154,7 @@ In this tutorial you have hooked methods using the name of the mathod and _.impl
You can see that in [the next tutorial](frida-tutorial-2.md).
{% hint style="danger" %}
<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

View file

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@ -67,7 +67,7 @@ Content-Length: 267
* `port:15672 http`
{% hint style="danger" %}
<img src="../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

View file

@ -16,13 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
{% embed url="https://www.stmcyber.com/careers" %}
{% endhint %}
## Basic Information
@ -313,13 +311,11 @@ id_rsa
* You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
{% hint style="danger" %}
<img src="../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
{% embed url="https://www.stmcyber.com/careers" %}
{% endhint %}
## HackTricks Automatic Commands

View file

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@ -47,7 +47,7 @@ inurl:status EJInvokerServlet
```
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

View file

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@ -127,7 +127,7 @@ find / -name "config.php" 2>/dev/null | grep "moodle/config.php"
```
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

View file

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@ -212,7 +212,7 @@ The best prevention technique is to not use users input directly inside response
* [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)
{% hint style="danger" %}
<img src="../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

View file

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@ -202,7 +202,7 @@ out of band request with the current username
* [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

View file

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@ -96,7 +96,7 @@ php vuln.php
{% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %}
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

View file

@ -52,22 +52,6 @@ This could be chained with [**Host header attacks**](https://portswigger.net/web
You can scan for these two flaws using the 'connection-state probe' option in HTTP Request Smuggler.
{% endhint %}
## CL.0 browser-compatible desync
This vulnerability occurs when the **Content Length** (CL) header is being completely **ignored** by the **backend server**. Then, the back-end treats the **body** as the **start of the second request's method**. Ignoring the CL is equivalent to treating it as having a value of 0, so this is a CL.0 desync - a [known](https://i.blackhat.com/USA-20/Wednesday/us-20-Klein-HTTP-Request-Smuggling-In-2020-New-Variants-New-Defenses-And-New-Challenges.pdf) but lesser-explored attack class.
![](../.gitbook/assets/image.png)
The attack was possible because the back-end server simply **wasn't expecting a POST request**.
{% hint style="warning" %}
Note that this vulnerability is being **triggered** by a completely **valid**, specification-compliant **HTTP request**. This meant the **front-end has zero chance of protecting** against it, and it could even be triggered by a browser.
{% endhint %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>

View file

@ -0,0 +1,149 @@
# Browser HTTP Request Smuggling
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
## CL.0/H2.0 browser-compatible desync
This vulnerability occurs when the **Content Length** (CL) header is being completely **ignored** by the **backend server**. Then, the back-end treats the **body** as the **start of the second request's method**. Ignoring the CL is equivalent to treating it as having a value of 0, so this is a CL.0 desync - a [known](https://i.blackhat.com/USA-20/Wednesday/us-20-Klein-HTTP-Request-Smuggling-In-2020-New-Variants-New-Defenses-And-New-Challenges.pdf) but lesser-explored attack class.
![](<../../.gitbook/assets/image (3).png>)
The attack was possible because the back-end server simply **wasn't expecting a POST request**.
{% hint style="warning" %}
Note that this vulnerability is being **triggered** by a completely **valid**, specification-compliant **HTTP request**. This meant the **front-end has zero chance of protecting** against it, and it could even be triggered by a browser.
{% endhint %}
The only **difference** between **CL.0** and **H2.0** is that the second one is using **HTTP2** (which has an implicit content-length header) but the **backend isn't using that either**.
## Client-Side Desync
Traditional desync attacks **poison** the **connection** between a **front-end and back-end** server, and are therefore impossible on websites that don't use a front-end/back-end architecture. These are **server-side desync** from now on. Most **server-side desyncs** can only be triggered by a **custom HTTP client issuing a malformed request.**
The ability for a **browser to cause a desync** enables a whole new class of threat called **client-side desync** (CSD).\
A CSD attack starts with the **victim visiting the attacker's website**, which then makes their browser send **two cross-domain requests to the vulnerable website**. The **first** request is crafted to **desync the browser's connection** and make the **second request trigger** a harmful response, typically giving the attacker control of the victim's account.
### Detect
A CSD vector is a HTTP request with **two** **key** properties.
First, the **server must ignore the request's Content-Length (CL)**. This typically happens because the request either **triggered a server error**, or the server simply **wasn't expecting a POST request** to the chosen endpoint. Try targeting **static files** and **server-level redirects**, and triggering errors via **overlong-URLs**, and **semi-malformed** ones like /%2e%2e.
Secondly, the request must be **triggerable in a web-browser cross-domain**. Browsers severely restrict control over cross-domain requests, so you have limited control over headers, and if your request has a body you'll need to use the HTTP POST method. Ultimately you only **control** the **URL**, plus a few odds and ends like the **Referer header**, the **body**, and **latter part of the Content-Type.**
#### CL ignore testing
The way to test this missconfig is to **send 2 requests and smuggle one** in the **middle**. If the **smuggled** connection **affected** the response of the **second** **request**, it means that it's **vulnerable**:
![](<../../.gitbook/assets/image (1).png>)
{% hint style="warning" %}
Note that you **cannot** test this vuln by just sending a **Content-Length bigger** than the one sent and **looking for a timeout** because some servers **respond** even if they **didn't receive the whole body**.
{% endhint %}
It's important to note whether the **target website supports HTTP**/2. CSD attacks typically exploit HTTP/1.1 connection reuse and web **browsers prefer to use HTTP/2** whenever possible, so if the target **website supports HTTP/2 your attacks are unlikely to work**. There's one **exception**; some **forward proxies don't support HTTP/2** so you can exploit anyone using them. This includes corporate proxies, certain intrusive VPNs and even some security tools.
### Confirm
First, select a site to launch the attack from. This site must be **accessed over HTTPS** and located on a **different domain than the target**.
Next, ensure that you **don't have a proxy configured**, then browse to your attack site. Open the **developer tools** and switch to the **Network tab**. To help with debugging potential issues later, I recommend making the following adjustments:
* Select the **"Preserve log"** checkbox.
* Right-click on the column headers and **enable the "Connection ID" column**.
Switch to the developer console and execute JavaScript to replicate your attack sequence using fetch(). This may look something like:
```javascript
fetch('https://example.com/', {
method: 'POST',
body: "GET /hopefully404 HTTP/1.1\r\nX: Y", // malicious prefix
mode: 'no-cors', // ensure connection ID is visible
credentials: 'include' // poison 'with-cookies' pool
}).then(() => {
location = 'https://example.com/' // use the poisoned connection
})
```
I've set the fetch mode **'no-cors'** to ensure Chrome **displays the connection ID** in the Network tab. I've also set **credentials: 'include'** as Chrome has [**two separate connection pools**](https://www.chromium.org/developers/design-documents/network-stack/preconnect) - one for requests with cookies and one for requests without. You'll usually want to exploit **navigations**, and those **use the 'with-cookies' pool**, so it's worth getting into the habit of always poisoning that pool.
When you execute this, you should see **two requests** in the Network tab with the **same connection ID**, and the **second** one should trigger a **404**:
![](../../.gitbook/assets/image.png)
If this works as expected, congratulations - you've found yourself a client-side desync!
### Exploitation - Store
One option is to identify functionality on the target site that lets you **store text data**, and craft the prefix so that your victim's cookies, authentication headers, or password end up being **stored somewhere you can retrieve them**. This attack flow works [almost identically to server-side request smuggling](https://portswigger.net/web-security/request-smuggling/exploiting#capturing-other-users-requests), so I won't dwell on it.
### Exploitation - **Chain\&pivot**
Under normal circumstances, many classes of **server-side attack** can only be launched by an attacker with direct access to the target website as they **rely on HTTP requests that browsers refuse to send**, like **tampering** with **HTTP headers** - web cache poisoning, most server-side request smuggling, host-header attacks, User-Agent based [SQLi](https://portswigger.net/web-security/sql-injection), CSRF JSON Content-type and numerous others.
The simplest path to a successful attack came from two key techniques usually used for server-side desync attacks: [**JavaScript resource poisoning via Host-header redirects**](https://portswigger.net/web-security/request-smuggling/exploiting#using-http-request-smuggling-to-turn-an-on-site-redirect-into-an-open-redirect), and using the [**HEAD method**](https://portswigger.net/web-security/request-smuggling/advanced/request-tunnelling#non-blind-request-tunnelling-using-head) to splice together a response with harmful HTML. Both techniques needed to be **adapted** to overcome some novel challenges associated with operating in the **victim's browser**.
## Exploit Examples
### Stacked HEAD example
* Coloured exploit
![](<../../.gitbook/assets/image (2).png>)
* **JS exploit**
```javascript
fetch('https://www.capitalone.ca/assets', {
method: 'POST',
// use a cache-buster to delay the response
body: `HEAD /404/?cb=${Date.now()} HTTP/1.1\r\nHost: www.capitalone.ca\r\n\r\nGET /x?x=<script>alert(1)</script> HTTP/1.1\r\nX: Y`,
credentials: 'include',
mode: 'cors' // throw an error instead of following redirect
}).catch(() => {
location = 'https://www.capitalone.ca/'
})va
```
Explanation:
* **Abuse of CL.0** in /assets (it redirects to /assets/ and doesn't check the CL)
* **Smuggle** a **HEAD** request (because HEAD responses still contains a content-length)
* **Smuggle** a **GET** request whose **content** is going be **reflected** in the response with the payload.
* Because of the **content-length of the HEAD** req, the **response** of this request will be the **body of the HEAD req**
* Set **cors mode**. Normally this isn't done, but in this case the **response** of the server to de **initial** **POST** is a **redirect** that if **followed** the **exploit won't work**. Therefore, **cors mode** is used to **trigger** an **error** and **redirect** the victim with the **`catch`**.
### **Host header redirect + client-side cache poisoning**
## **References**
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

View file

@ -104,7 +104,7 @@ However, this technique can be used **in HTTP/2** because if the endpoint was **
### Tunnel-vision Problem
There could be another problem, if the **response** to the legit request **contains** a **Content-Length**, the **reverse prox**y is only going to **read the bytes specified there and no more, so you won't be able to read the response from the smuggled request.**
There could be another problem, if the **response** to the legit request **contains** a **Content-Length**, the **reverse proxy** is only going to **read the bytes specified there and no more, so you won't be able to read the response from the smuggled request.**
However, the **HEAD** request **doesn't contain a body** but it usually **contains** the **Content-Length** as if the request was a GET request. Therefore, sending a **HEAD** request **instead of a POST** request you can **read the HEAD Content-Length** bytes of the smuggled request response.

View file

@ -87,13 +87,13 @@ In the previous flow it was used the trust hash instead of the **clear text pass
The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes \x00:
![](<../../.gitbook/assets/image (2).png>)
![](<../../.gitbook/assets/image (2) (1).png>)
Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable.
The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins:
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (1) (1).png>)
## References

View file

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@ -175,7 +175,7 @@ mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.loc
{% endcontent-ref %}
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

View file

@ -43,7 +43,7 @@ The **MMC20.Application** object lacked explicit “[LaunchPermissions](https://
You can read more on that thread [here](https://twitter.com/tiraniddo/status/817532039771525120).\
Viewing which other objects that have no explicit LaunchPermission set can be achieved using [@tiraniddo](https://twitter.com/tiraniddo)s [OleView .NET](https://github.com/tyranid/oleviewdotnet), which has excellent Python filters (among other things). In this instance, we can filter down to all objects that have no explicit Launch Permission. When doing so, two objects stood out to me: `ShellBrowserWindow` and `ShellWindows`:
![](<../../.gitbook/assets/image (3).png>)
![](<../../.gitbook/assets/image (3) (1).png>)
Another way to identify potential target objects is to look for the value `LaunchPermission` missing from keys in `HKCR:\AppID\{guid}`. An object with Launch Permissions set will look like below, with data representing the ACL for the object in Binary format:

View file

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@ -224,7 +224,7 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser
```
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

View file

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@ -358,7 +358,7 @@ Find more Autoruns like registries in [https://www.microsoftpressstore.com/artic
* [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2)
{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).