diff --git a/.gitbook/assets/image (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1).png new file mode 100644 index 000000000..e70bceed6 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1).png differ diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png index e70bceed6..847a8c4e7 100644 Binary files a/.gitbook/assets/image (1) (1).png and b/.gitbook/assets/image (1) (1).png differ diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png index 847a8c4e7..03b2fa6b3 100644 Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1).png b/.gitbook/assets/image (2) (1) (1).png new file mode 100644 index 000000000..eaa792ed6 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1).png b/.gitbook/assets/image (2) (1).png index eaa792ed6..0f8a86733 100644 Binary files a/.gitbook/assets/image (2) (1).png and b/.gitbook/assets/image (2) (1).png differ diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png index 0f8a86733..70165d798 100644 Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ diff --git a/.gitbook/assets/image (3) (1) (1).png b/.gitbook/assets/image (3) (1) (1).png new file mode 100644 index 000000000..455fbb8b7 Binary files /dev/null and b/.gitbook/assets/image (3) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1).png b/.gitbook/assets/image (3) (1).png index 455fbb8b7..371b81139 100644 Binary files a/.gitbook/assets/image (3) (1).png and b/.gitbook/assets/image (3) (1).png differ diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png index 371b81139..14d3447dc 100644 Binary files a/.gitbook/assets/image (3).png and b/.gitbook/assets/image (3).png differ 
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png index 14d3447dc..7ad845a6e 100644 Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ diff --git a/SUMMARY.md b/SUMMARY.md index 659823706..5f8c6d8d8 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -472,6 +472,7 @@ * [Formula/Doc/LaTeX Injection](pentesting-web/formula-doc-latex-injection.md) * [HTTP Connection Request Smuggling](pentesting-web/http-connection-request-smuggling.md) * [HTTP Request Smuggling / HTTP Desync Attack](pentesting-web/http-request-smuggling/README.md) + * [Browser HTTP Request Smuggling](pentesting-web/http-request-smuggling/browser-http-request-smuggling.md) * [Request Smuggling in HTTP/2 Downgrades](pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md) * [HTTP Response Smuggling / Desync](pentesting-web/http-response-smuggling-desync.md) * [Upgrade Header Smuggling](pentesting-web/h2c-smuggling.md) diff --git a/backdoors/salseo.md b/backdoors/salseo.md index eef250702..2431c6bb1 100644 --- a/backdoors/salseo.md +++ b/backdoors/salseo.md @@ -103,13 +103,13 @@ Open the SalseoLoader project using Visual Studio. ### Add before the main function: \[DllExport] -![](<../.gitbook/assets/image (2) (1).png>) +![](<../.gitbook/assets/image (2) (1) (1).png>) ### Install DllExport for this project #### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...** -![](<../.gitbook/assets/image (3) (1).png>) +![](<../.gitbook/assets/image (3) (1) (1).png>) #### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)** diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md index e5f137188..853ea5bf4 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md 
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md @@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -238,7 +238,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py * [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md index 6c8ba845d..627e78897 100644 --- a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md +++ b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md @@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -154,7 +154,7 @@ In this tutorial you have hooked methods using the name of the mathod and _.impl You can see that in [the next tutorial](frida-tutorial-2.md). {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/15672-pentesting-rabbitmq-management.md b/network-services-pentesting/15672-pentesting-rabbitmq-management.md index 8c859dbdd..6f9c1be8a 100644 --- a/network-services-pentesting/15672-pentesting-rabbitmq-management.md 
+++ b/network-services-pentesting/15672-pentesting-rabbitmq-management.md @@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -67,7 +67,7 @@ Content-Length: 267 * `port:15672 http` {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-ssh.md b/network-services-pentesting/pentesting-ssh.md index e8dd26f0c..980066107 100644 --- a/network-services-pentesting/pentesting-ssh.md +++ b/network-services-pentesting/pentesting-ssh.md @@ -16,13 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -{% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). {% embed url="https://www.stmcyber.com/careers" %} -{% endhint %} ## Basic Information @@ -313,13 +311,11 @@ id_rsa * You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html) * [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide) -{% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). {% embed url="https://www.stmcyber.com/careers" %} -{% endhint %} ## HackTricks Automatic Commands diff --git a/network-services-pentesting/pentesting-web/jboss.md b/network-services-pentesting/pentesting-web/jboss.md index 6ab7cf3b9..c3f6f2ddc 100644 --- a/network-services-pentesting/pentesting-web/jboss.md +++ b/network-services-pentesting/pentesting-web/jboss.md 
@@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -47,7 +47,7 @@ inurl:status EJInvokerServlet ``` {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/network-services-pentesting/pentesting-web/moodle.md b/network-services-pentesting/pentesting-web/moodle.md index 3f4ddcefb..bdbe5940a 100644 --- a/network-services-pentesting/pentesting-web/moodle.md +++ b/network-services-pentesting/pentesting-web/moodle.md @@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -127,7 +127,7 @@ find / -name "config.php" 2>/dev/null | grep "moodle/config.php" ``` {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/crlf-0d-0a.md b/pentesting-web/crlf-0d-0a.md index 225682546..86e6f70be 100644 --- a/pentesting-web/crlf-0d-0a.md +++ b/pentesting-web/crlf-0d-0a.md @@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). 
@@ -212,7 +212,7 @@ The best prevention technique is to not use users input directly inside response * [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md index fb0d94d8c..cb94cad0e 100644 --- a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md +++ b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md @@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -202,7 +202,7 @@ out of band request with the current username * [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/file-inclusion/phar-deserialization.md b/pentesting-web/file-inclusion/phar-deserialization.md index 3695e7845..244d8cd0b 100644 --- a/pentesting-web/file-inclusion/phar-deserialization.md +++ b/pentesting-web/file-inclusion/phar-deserialization.md @@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). 
@@ -96,7 +96,7 @@ php vuln.php {% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %} {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/http-connection-request-smuggling.md b/pentesting-web/http-connection-request-smuggling.md index 3d0f24de6..ba04d2084 100644 --- a/pentesting-web/http-connection-request-smuggling.md +++ b/pentesting-web/http-connection-request-smuggling.md @@ -52,22 +52,6 @@ This could be chained with [**Host header attacks**](https://portswigger.net/web You can scan for these two flaws using the 'connection-state probe' option in HTTP Request Smuggler. {% endhint %} -## CL.0 browser-compatible desync - -This vulnerability occurs when the **Content Length** (CL) header is being completely **ignored** by the **backend server**. Then, the back-end treats the **body** as the **start of the second request's method**. Ignoring the CL is equivalent to treating it as having a value of 0, so this is a CL.0 desync - a [known](https://i.blackhat.com/USA-20/Wednesday/us-20-Klein-HTTP-Request-Smuggling-In-2020-New-Variants-New-Defenses-And-New-Challenges.pdf) but lesser-explored attack class. - -![](../.gitbook/assets/image.png) - -The attack was possible because the back-end server simply **wasn't expecting a POST request**. - -{% hint style="warning" %} -Note that this vulnerability is being **triggered** by a completely **valid**, specification-compliant **HTTP request**. This meant the **front-end has zero chance of protecting** against it, and it could even be triggered by a browser. -{% endhint %} - - - - -
Support HackTricks and get benefits! diff --git a/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md b/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md new file mode 100644 index 000000000..fafbc166b --- /dev/null +++ b/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md @@ -0,0 +1,149 @@ +# Browser HTTP Request Smuggling + +
+ +Support HackTricks and get benefits! + +Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! + +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) + +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) + +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** + +**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
+ +## CL.0/H2.0 browser-compatible desync + +This vulnerability occurs when the **Content Length** (CL) header is being completely **ignored** by the **backend server**. Then, the back-end treats the **body** as the **start of the second request's method**. Ignoring the CL is equivalent to treating it as having a value of 0, so this is a CL.0 desync - a [known](https://i.blackhat.com/USA-20/Wednesday/us-20-Klein-HTTP-Request-Smuggling-In-2020-New-Variants-New-Defenses-And-New-Challenges.pdf) but lesser-explored attack class. + +![](<../../.gitbook/assets/image (3).png>) + +The attack was possible because the back-end server simply **wasn't expecting a POST request**. + +{% hint style="warning" %} +Note that this vulnerability is being **triggered** by a completely **valid**, specification-compliant **HTTP request**. This meant the **front-end has zero chance of protecting** against it, and it could even be triggered by a browser. +{% endhint %} + +The only **difference** between **CL.0** and **H2.0** is that the second one is using **HTTP2** (which has an implicit content-length header) but the **backend isn't using that either**. + +## Client-Side Desync + +Traditional desync attacks **poison** the **connection** between a **front-end and back-end** server, and are therefore impossible on websites that don't use a front-end/back-end architecture. These are **server-side desync** from now on. Most **server-side desyncs** can only be triggered by a **custom HTTP client issuing a malformed request.** + +The ability for a **browser to cause a desync** enables a whole new class of threat called **client-side desync** (CSD).\ +A CSD attack starts with the **victim visiting the attacker's website**, which then makes their browser send **two cross-domain requests to the vulnerable website**. 
The **first** request is crafted to **desync the browser's connection** and make the **second request trigger** a harmful response, typically giving the attacker control of the victim's account. + +### Detect + +A CSD vector is a HTTP request with **two** **key** properties. + +First, the **server must ignore the request's Content-Length (CL)**. This typically happens because the request either **triggered a server error**, or the server simply **wasn't expecting a POST request** to the chosen endpoint. Try targeting **static files** and **server-level redirects**, and triggering errors via **overlong-URLs**, and **semi-malformed** ones like /%2e%2e. + +Secondly, the request must be **triggerable in a web-browser cross-domain**. Browsers severely restrict control over cross-domain requests, so you have limited control over headers, and if your request has a body you'll need to use the HTTP POST method. Ultimately you only **control** the **URL**, plus a few odds and ends like the **Referer header**, the **body**, and **latter part of the Content-Type.** + +#### CL ignore testing + +The way to test this missconfig is to **send 2 requests and smuggle one** in the **middle**. If the **smuggled** connection **affected** the response of the **second** **request**, it means that it's **vulnerable**: + +![](<../../.gitbook/assets/image (1).png>) + +{% hint style="warning" %} +Note that you **cannot** test this vuln by just sending a **Content-Length bigger** than the one sent and **looking for a timeout** because some servers **respond** even if they **didn't receive the whole body**. +{% endhint %} + +It's important to note whether the **target website supports HTTP**/2. CSD attacks typically exploit HTTP/1.1 connection reuse and web **browsers prefer to use HTTP/2** whenever possible, so if the target **website supports HTTP/2 your attacks are unlikely to work**. 
There's one **exception**; some **forward proxies don't support HTTP/2** so you can exploit anyone using them. This includes corporate proxies, certain intrusive VPNs and even some security tools. + +### Confirm + +First, select a site to launch the attack from. This site must be **accessed over HTTPS** and located on a **different domain than the target**. + +Next, ensure that you **don't have a proxy configured**, then browse to your attack site. Open the **developer tools** and switch to the **Network tab**. To help with debugging potential issues later, I recommend making the following adjustments: + +* Select the **"Preserve log"** checkbox. +* Right-click on the column headers and **enable the "Connection ID" column**. + +Switch to the developer console and execute JavaScript to replicate your attack sequence using fetch(). This may look something like: + +```javascript +fetch('https://example.com/', { + method: 'POST', + body: "GET /hopefully404 HTTP/1.1\r\nX: Y", // malicious prefix + mode: 'no-cors', // ensure connection ID is visible + credentials: 'include' // poison 'with-cookies' pool +}).then(() => { + location = 'https://example.com/' // use the poisoned connection +}) +``` + +I've set the fetch mode **'no-cors'** to ensure Chrome **displays the connection ID** in the Network tab. I've also set **credentials: 'include'** as Chrome has [**two separate connection pools**](https://www.chromium.org/developers/design-documents/network-stack/preconnect) - one for requests with cookies and one for requests without. You'll usually want to exploit **navigations**, and those **use the 'with-cookies' pool**, so it's worth getting into the habit of always poisoning that pool. + +When you execute this, you should see **two requests** in the Network tab with the **same connection ID**, and the **second** one should trigger a **404**: + +![](../../.gitbook/assets/image.png) + +If this works as expected, congratulations - you've found yourself a client-side desync! 
+ +### Exploitation - Store + +One option is to identify functionality on the target site that lets you **store text data**, and craft the prefix so that your victim's cookies, authentication headers, or password end up being **stored somewhere you can retrieve them**. This attack flow works [almost identically to server-side request smuggling](https://portswigger.net/web-security/request-smuggling/exploiting#capturing-other-users-requests), so I won't dwell on it. + +### Exploitation - **Chain\&pivot** + +Under normal circumstances, many classes of **server-side attack** can only be launched by an attacker with direct access to the target website as they **rely on HTTP requests that browsers refuse to send**, like **tampering** with **HTTP headers** - web cache poisoning, most server-side request smuggling, host-header attacks, User-Agent based [SQLi](https://portswigger.net/web-security/sql-injection), CSRF JSON Content-type and numerous others. + +The simplest path to a successful attack came from two key techniques usually used for server-side desync attacks: [**JavaScript resource poisoning via Host-header redirects**](https://portswigger.net/web-security/request-smuggling/exploiting#using-http-request-smuggling-to-turn-an-on-site-redirect-into-an-open-redirect), and using the [**HEAD method**](https://portswigger.net/web-security/request-smuggling/advanced/request-tunnelling#non-blind-request-tunnelling-using-head) to splice together a response with harmful HTML. Both techniques needed to be **adapted** to overcome some novel challenges associated with operating in the **victim's browser**. 
+ +## Exploit Examples + +### Stacked HEAD example + +* Coloured exploit + +![](<../../.gitbook/assets/image (2).png>) + +* **JS exploit** + +```javascript +fetch('https://www.capitalone.ca/assets', { + method: 'POST', + + // use a cache-buster to delay the response + body: `HEAD /404/?cb=${Date.now()} HTTP/1.1\r\nHost: www.capitalone.ca\r\n\r\nGET /x?x= HTTP/1.1\r\nX: Y`, + credentials: 'include', + mode: 'cors' // throw an error instead of following redirect +}).catch(() => { + location = 'https://www.capitalone.ca/' +})va +``` + +Explanation: + +* **Abuse of CL.0** in /assets (it redirects to /assets/ and doesn't check the CL) +* **Smuggle** a **HEAD** request (because HEAD responses still contains a content-length) +* **Smuggle** a **GET** request whose **content** is going be **reflected** in the response with the payload. + * Because of the **content-length of the HEAD** req, the **response** of this request will be the **body of the HEAD req** +* Set **cors mode**. Normally this isn't done, but in this case the **response** of the server to de **initial** **POST** is a **redirect** that if **followed** the **exploit won't work**. Therefore, **cors mode** is used to **trigger** an **error** and **redirect** the victim with the **`catch`**. + +### **Host header redirect + client-side cache poisoning** + +## **References** + +
+ +Support HackTricks and get benefits! + +Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! + +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) + +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) + +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** + +**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
diff --git a/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md b/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md index 49ecbe0ab..f48821c2d 100644 --- a/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md +++ b/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md @@ -104,7 +104,7 @@ However, this technique can be used **in HTTP/2** because if the endpoint was ** ### Tunnel-vision Problem -There could be another problem, if the **response** to the legit request **contains** a **Content-Length**, the **reverse prox**y is only going to **read the bytes specified there and no more, so you won't be able to read the response from the smuggled request.** +There could be another problem, if the **response** to the legit request **contains** a **Content-Length**, the **reverse proxy** is only going to **read the bytes specified there and no more, so you won't be able to read the response from the smuggled request.** However, the **HEAD** request **doesn't contain a body** but it usually **contains** the **Content-Length** as if the request was a GET request. Therefore, sending a **HEAD** request **instead of a POST** request you can **read the HEAD Content-Length** bytes of the smuggled request response. diff --git a/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md b/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md index f9076eb52..599b26793 100644 --- a/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md +++ b/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md 
@@ -87,13 +87,13 @@ In the previous flow it was used the trust hash instead of the **clear text pass The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes ‘\x00’: -![](<../../.gitbook/assets/image (2).png>) +![](<../../.gitbook/assets/image (2) (1).png>) Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable. The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins: -![](<../../.gitbook/assets/image (1).png>) +![](<../../.gitbook/assets/image (1) (1).png>) ## References diff --git a/windows-hardening/active-directory-methodology/silver-ticket.md b/windows-hardening/active-directory-methodology/silver-ticket.md index 9e3e9f12e..dd4efac35 100644 --- a/windows-hardening/active-directory-methodology/silver-ticket.md +++ b/windows-hardening/active-directory-methodology/silver-ticket.md @@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
{% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -175,7 +175,7 @@ mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.loc {% endcontent-ref %} {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/windows-hardening/lateral-movement/dcom-exec.md b/windows-hardening/lateral-movement/dcom-exec.md index b91cfbb27..6b28a1010 100644 --- a/windows-hardening/lateral-movement/dcom-exec.md +++ b/windows-hardening/lateral-movement/dcom-exec.md @@ -43,7 +43,7 @@ The **MMC20.Application** object lacked explicit “[LaunchPermissions](https:// You can read more on that thread [here](https://twitter.com/tiraniddo/status/817532039771525120).\ Viewing which other objects that have no explicit LaunchPermission set can be achieved using [@tiraniddo](https://twitter.com/tiraniddo)’s [OleView .NET](https://github.com/tyranid/oleviewdotnet), which has excellent Python filters (among other things). In this instance, we can filter down to all objects that have no explicit Launch Permission. When doing so, two objects stood out to me: `ShellBrowserWindow` and `ShellWindows`: -![](<../../.gitbook/assets/image (3).png>) +![](<../../.gitbook/assets/image (3) (1).png>) Another way to identify potential target objects is to look for the value `LaunchPermission` missing from keys in `HKCR:\AppID\{guid}`. An object with Launch Permissions set will look like below, with data representing the ACL for the object in Binary format: diff --git a/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md b/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md index 2971d6c87..32d3372a1 100644 --- a/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md 
+++ b/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md @@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -224,7 +224,7 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser ``` {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md index ae7d7cde4..372f06556 100644 --- a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md +++ b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md @@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -358,7 +358,7 @@ Find more Autoruns like registries in [https://www.microsoftpressstore.com/artic * [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
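Review bot: the numbered-asset rename cascade in the opening hunks (`image (1).png` → `image (1) (1).png`, `image (2).png` → `image (2) (1).png`, `image (3).png` → `image (3) (1).png`, and the same one level deeper for salseo.md) is fragile: every new screenshot renumbers existing assets and forces reference edits in unrelated pages (salseo.md, external-forest-domain-one-way-outbound.md, dcom-exec.md). The references in this patch do line up with the blob ids (old `image.png` 14d3447dc becomes `image (3).png`, which the new page uses for the CL.0 diagram; old `image (2).png` 0f8a86733 becomes `image (2) (1).png`, which external-forest-domain-one-way-outbound.md now references; old `image (3).png` 371b81139 becomes `image (3) (1).png` for dcom-exec.md), so nothing is broken here, but give new assets descriptive names (e.g. `csd-stacked-head.png`) so future image additions stop rewriting references across the repo.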
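Review bot: the pentesting-ssh.md hunks remove the `{% hint style="danger" %}` / `{% endhint %}` wrappers around the hiring banner but keep the banner text and the `{% embed %}`, so that page now renders the banner unstyled while every other file in this patch keeps it inside a hint block. If dropping the hint is intended, apply it everywhere; otherwise restore the two wrapper lines here. While these lines are being touched, fix `hacking carer` → `hacking career`, which is repeated in every banner in the patch.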
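Review bot: the hunk that deletes the "CL.0 browser-compatible desync" section from http-connection-request-smuggling.md leaves no pointer to where the material went, so readers arriving at that page via older links lose the topic. Put a cross-reference in its place using the repo's own convention, e.g. `{% content-ref url="http-request-smuggling/browser-http-request-smuggling.md" %}` ... `{% endcontent-ref %}` (the same block style that silver-ticket.md uses in its context lines). The hunk also drops the four trailing blank lines before the "Support HackTricks" banner; confirm a blank line remains so the banner still renders as its own block.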
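Review bot: the second JavaScript block in the new browser-http-request-smuggling.md (Stacked HEAD example) ends with `})va`, stray characters after the closing parenthesis that turn the snippet into a syntax error if pasted into the console; it should end with `})`. In the explanation under that block, `to de initial POST` should read `to the initial POST`, `is going be reflected` → `is going to be reflected`, and `HEAD responses still contains a content-length` → `still contain`. Earlier in the file, `missconfig` → `misconfig`.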
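Review bot: the new page ships two empty sections. `### Host header redirect + client-side cache poisoning` is a heading with no body, and `## References` is empty even though the prose is first-person ("I recommend making the following adjustments", "I've set the fetch mode 'no-cors'") and, together with the www.capitalone.ca stacked-HEAD example, appears to be taken from James Kettle's PortSwigger research "Browser-Powered Desync Attacks" (2022). Either fill the stub section or remove the heading until the content exists, and list the source under References so the first-person text and the screenshots are attributed.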
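Review bot: the sentence "The only difference between CL.0 and H2.0 is that the second one is using HTTP2 (which has an implicit content-length header) but the backend isn't using that either" is muddled. HTTP/2 frames the body length rather than carrying a Content-Length header; the H2.0 case is a front-end that accepts HTTP/2, downgrades the request to HTTP/1.1 with a Content-Length derived from the frames, and a back-end that then ignores that Content-Length. Say that the desync happens on the downgraded HTTP/1.1 hop, otherwise the text reads as if HTTP/2 itself had the header problem.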
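Review bot: the request-smuggling-in-http-2-downgrades.md hunk correctly closes the stray bold (`**reverse prox**y` → `**reverse proxy**`), but the sentence it touches is still a comma splice ("There could be another problem, if the **response** ..."); since the line is already being edited, split it after "problem" ("There could be another problem: if the response ...").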
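Review bot: in the `{% hint style="danger" %}` hunks across .pyc.md, frida-tutorial-1.md, 15672-pentesting-rabbitmq-management.md, jboss.md, moodle.md, crlf-0d-0a.md, exploiting-__viewstate-parameter.md, phar-deserialization.md, silver-ticket.md, dll-hijacking.md and privilege-escalation-with-autorun-binaries.md the changed line shows as blank on both sides (`- ` / `+ `), so the diff does not show what actually changed; the visible content is identical before and after. If these are embed or image lines that moved with the asset renames, the commit message should say so, because as rendered they are unreviewable. Each of these blocks also still carries the `hacking carer` typo (should be `career`), which this pass could fix in the same lines.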