syn cubes

carlospolop 2022-09-27 02:18:19 +02:00
parent ba748bd1ce
commit 4879b9f5dc
57 changed files with 232 additions and 232 deletions

View file

@ -54,7 +54,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
### [Security Hubs](https://securityhubs.io/) ### [Security Hubs](https://securityhubs.io/)
![](<.gitbook/assets/image (307).png>) ![](<.gitbook/assets/image.png>)
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results.** [**Security Hubs**](https://securityhubs.io/) \*\*\*\* bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results.** [**Security Hubs**](https://securityhubs.io/) \*\*\*\* bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**.
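Review bot: this hunk only swaps the screenshot (`image (307).png` -> `image.png`) and leaves the heading `### [Security Hubs](https://securityhubs.io/)`, the link and the paragraph pointing at Security Hubs, while every other file in this commit moves the same sponsor block to `https://www.syncubes.com/`; if the sponsor has changed, the heading and copy in this file need the same update. The escaped `\*\*\*\*` after the link is also the same stray empty-bold artifact that the rest of the commit removes and could be dropped here while the line is being touched.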
@ -82,7 +82,7 @@ Get Access Today:
<figure><img src=".gitbook/assets/logo.svg" alt=""><figcaption></figcaption></figure> <figure><img src=".gitbook/assets/logo.svg" alt=""><figcaption></figcaption></figure>
****[**WebSec**](https://websec.nl) **** is a professional cybersecurity company based in **Amsterdam** which helps **protecting** businesses **all over the world** against the latest cybersecurity threats by providing **offensive-security services** with a **modern** approach. [**WebSec**](https://websec.nl) is a professional cybersecurity company based in **Amsterdam** which helps **protecting** businesses **all over the world** against the latest cybersecurity threats by providing **offensive-security services** with a **modern** approach.
WebSec is an **all-in-one security company** which means they do it all; Pentesting, **Security** Audits, Awareness Trainings, Phishing Campagnes, Code Review, Exploit Development, Security Experts Outsourcing and much more. WebSec is an **all-in-one security company** which means they do it all; Pentesting, **Security** Audits, Awareness Trainings, Phishing Campagnes, Code Review, Exploit Development, Security Experts Outsourcing and much more.
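Review bot: dropping the empty `****` markers around the WebSec link is fine; since the line is being edited anyway, "helps **protecting** businesses" should read "helps protect businesses", and in the unchanged context line below "Phishing Campagnes" is a typo for "Phishing Campaigns".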

View file

@ -16,11 +16,11 @@
</details> </details>
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
## Basic Information ## Basic Information
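Review bot: the embed now points at `https://www.syncubes.com/`, but the sponsor paragraph directly above it still says "**Security Hubs** bring together offensive penetration testing tactics..." and describes the Security Skills as a Service platform; either the copy should be rewritten for the new sponsor or the old link kept, otherwise readers are sent to a site the text never names. The asset is also renamed from the auto-numbered `image (307).png` to the generic `image.png`, a name the next unnamed upload is likely to reuse, so the logo can be silently replaced later; a descriptive filename would be safer.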
@ -84,11 +84,11 @@ Use [this script](https://github.com/gquere/pwn\_jenkins/blob/master/offline\_de
println(hudson.util.Secret.decrypt("{...}")) println(hudson.util.Secret.decrypt("{...}"))
``` ```
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
## Code Execution ## Code Execution
@ -201,11 +201,11 @@ grep -re "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
* [https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/](https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/) * [https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/](https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/)
* [https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password](https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password) * [https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password](https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password)
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
<details> <details>

View file

@ -17,11 +17,11 @@
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
## What is a Certificate ## What is a Certificate
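Review bot: the sponsor block is wrapped in `{% hint style="danger" %}`, which renders as a red warning callout; on a certificates page a reader scanning for security warnings will take the advertisement for one. A plain `{% embed %}` outside the hint, or at most `style="info"`, would avoid that.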
@ -202,11 +202,11 @@ openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certif
``` ```
{% hint style="danger" %} {% hint style="danger" %}
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
<details> <details>

View file

@ -17,11 +17,11 @@
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
## Browsers Artifacts <a href="#3def" id="3def"></a> ## Browsers Artifacts <a href="#3def" id="3def"></a>
@ -272,11 +272,11 @@ Opera **stores browser history and download data in the exact same format as Goo
* **fraud\_protection\_enabled** should be **true** * **fraud\_protection\_enabled** should be **true**
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
<details> <details>

View file

@ -17,11 +17,11 @@
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
## OneDrive ## OneDrive
@ -118,11 +118,11 @@ Other tables inside this database contain more interesting information:
* **date\_added** * **date\_added**
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
<details> <details>

View file

@ -17,11 +17,11 @@
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
## Introduction ## Introduction

View file

@ -17,11 +17,11 @@
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/) From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)

View file

@ -270,7 +270,7 @@ There are **other interesting tools/APIs** that even if not directly specialised
curl https://sonar.omnisint.io/subdomains/tesla.com | jq -r ".[]" curl https://sonar.omnisint.io/subdomains/tesla.com | jq -r ".[]"
``` ```
* ****[**JLDC free API**](https://jldc.me/anubis/subdomains/google.com)**** * [**JLDC free API**](https://jldc.me/anubis/subdomains/google.com)
```bash ```bash
curl https://jldc.me/anubis/subdomains/tesla.com | jq -r ".[]" curl https://jldc.me/anubis/subdomains/tesla.com | jq -r ".[]"
@ -485,7 +485,7 @@ Its time to **recollect all the IPs from those ranges** and for the **domains
Using services from the following **free apis** you can also find **previous IPs used by domains and subdomains**. These IPs might still be owned by the client (and might allow you to find [**CloudFlare bypasses**](../../network-services-pentesting/pentesting-web/uncovering-cloudflare.md)) Using services from the following **free apis** you can also find **previous IPs used by domains and subdomains**. These IPs might still be owned by the client (and might allow you to find [**CloudFlare bypasses**](../../network-services-pentesting/pentesting-web/uncovering-cloudflare.md))
* ****[**https://securitytrails.com/**](https://securitytrails.com/)**** * [**https://securitytrails.com/**](https://securitytrails.com/)
### **Looking for vulnerabilities** ### **Looking for vulnerabilities**
@ -502,7 +502,7 @@ In the previous steps you have probably already performed some **recon of the IP
Please, note that this will be **oriented for web apps discovery**, so you should **perform the vulnerability** and **port scanning** also (**if allowed** by the scope). Please, note that this will be **oriented for web apps discovery**, so you should **perform the vulnerability** and **port scanning** also (**if allowed** by the scope).
A **fast method** to discover **ports open** related to **web** servers using [**masscan** can be found here](../pentesting-network/#http-port-discovery).\ A **fast method** to discover **ports open** related to **web** servers using [**masscan** can be found here](../pentesting-network/#http-port-discovery).\
Another friendly tool to look for web servers is [**httprobe**](https://github.com/tomnomnom/httprobe)**,** [**fprobe**](https://github.com/theblackturtle/fprobe) **** and **** [**httpx**](https://github.com/projectdiscovery/httpx). You just pass a list of domains and it will try to connect to port 80 (http) and 443 (https). Additionally, you can indicate to try other ports: Another friendly tool to look for web servers is [**httprobe**](https://github.com/tomnomnom/httprobe)**,** [**fprobe**](https://github.com/theblackturtle/fprobe) and [**httpx**](https://github.com/projectdiscovery/httpx). You just pass a list of domains and it will try to connect to port 80 (http) and 443 (https). Additionally, you can indicate to try other ports:
```bash ```bash
cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 and 443 cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 and 443
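Review bot: with the `****` removed, "Another friendly tool to look for web servers is httprobe, fprobe and httpx" still pairs a singular subject with three tools; "Other friendly tools to look for web servers are ..." would read correctly, with "it will try" becoming "they will try" in the same sentence.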
@ -515,7 +515,7 @@ Now that you have discovered **all the web servers** present in the scope (among
To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), [**Aquatone**](https://github.com/michenriksen/aquatone), [**Shutter**](https://shutter-project.org/downloads/third-party-packages/) or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.** To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), [**Aquatone**](https://github.com/michenriksen/aquatone), [**Shutter**](https://shutter-project.org/downloads/third-party-packages/) or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.**
Moreover, you could then use [**eyeballer**](https://github.com/BishopFox/eyeballer) **** to run over all the **screenshots** to tell you **what's likely to contain vulnerabilities**, and what isn't. Moreover, you could then use [**eyeballer**](https://github.com/BishopFox/eyeballer) to run over all the **screenshots** to tell you **what's likely to contain vulnerabilities**, and what isn't.
## Public Cloud Assets ## Public Cloud Assets
@ -541,8 +541,8 @@ If you find things such as **open buckets or cloud functions exposed** you shoul
With the **domains** and **subdomains** inside the scope you basically have all what you **need to start searching for emails**. These are the **APIs** and **tools** that have worked the best for me to find emails of a company: With the **domains** and **subdomains** inside the scope you basically have all what you **need to start searching for emails**. These are the **APIs** and **tools** that have worked the best for me to find emails of a company:
* [**theHarvester**](https://github.com/laramies/theHarvester) **** - with APIs * [**theHarvester**](https://github.com/laramies/theHarvester) - with APIs
* API of [**https://hunter.io/**](https://hunter.io/) **** (free version) * API of [**https://hunter.io/**](https://hunter.io/) (free version)
* API of [**https://app.snov.io/**](https://app.snov.io/) (free version) * API of [**https://app.snov.io/**](https://app.snov.io/) (free version)
* API of [**https://minelead.io/**](https://minelead.io/) (free version) * API of [**https://minelead.io/**](https://minelead.io/) (free version)
@ -552,7 +552,7 @@ Emails will come handy later to **brute-force web logins and auth services** (su
## Credential Leaks ## Credential Leaks
With the **domains,** **subdomains**, **** and **emails** you can start looking for credentials leaked in the past belonging to those emails: With the **domains,** **subdomains**, and **emails** you can start looking for credentials leaked in the past belonging to those emails:
* [https://leak-lookup.com](https://leak-lookup.com/account/login) * [https://leak-lookup.com](https://leak-lookup.com/account/login)
* [https://www.dehashed.com/](https://www.dehashed.com/) * [https://www.dehashed.com/](https://www.dehashed.com/)
@ -583,7 +583,7 @@ Check also this **page** for potential **github dorks** you could also search fo
### Pastes Leaks ### Pastes Leaks
Sometimes attackers or just workers will **publish company content in a paste site**. This might or might not contain **sensitive information**, but it's very interesting to search for it.\ Sometimes attackers or just workers will **publish company content in a paste site**. This might or might not contain **sensitive information**, but it's very interesting to search for it.\
You can use the tool [**Pastos**](https://github.com/carlospolop/Pastos) **** to search in more that 80 paste sites at the same time. You can use the tool [**Pastos**](https://github.com/carlospolop/Pastos) to search in more that 80 paste sites at the same time.
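Review bot: "search in more that 80 paste sites" should be "more than 80 paste sites"; the `****` cleanup already touches this line, so the typo can be fixed in the same change.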
### Google Dorks ### Google Dorks
@ -607,7 +607,7 @@ If you found that the company has **open-source code** you can **analyse** it an
There are also free services that allow you to **scan public repositories**, such as: There are also free services that allow you to **scan public repositories**, such as:
* ****[**Snyk**](https://app.snyk.io/)**** * [**Snyk**](https://app.snyk.io/)
## [**Pentesting Web Methodology**](../../network-services-pentesting/pentesting-web/) ## [**Pentesting Web Methodology**](../../network-services-pentesting/pentesting-web/)
@ -644,7 +644,7 @@ There are several tools out there that will perform part of the proposed actions
* **All free courses of** [**@Jhaddix**](https://twitter.com/Jhaddix) **(like** [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)**)** * **All free courses of** [**@Jhaddix**](https://twitter.com/Jhaddix) **(like** [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)**)**
****
<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\ <img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!

View file

@ -17,7 +17,7 @@
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../.gitbook/assets/i3.png" alt="" data-size="original">****\ <img src="../../.gitbook/assets/i3.png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %} {% embed url="https://go.intigriti.com/hacktricks" %}

View file

@ -177,8 +177,8 @@ There are several ways to **force NTLM authentication "remotely"**, for example,
Don't forget that you cannot only steal the hash or the authentication but also **perform NTLM relay attacks**: Don't forget that you cannot only steal the hash or the authentication but also **perform NTLM relay attacks**:
* [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack)**** * [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack)
* ****[**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8)**** * [**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8)
<details> <details>
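Review bot: the first link's fragment is `#ntml-relay-attack` (NTML rather than NTLM); if the heading on the target page is spelled NTLM, the slug will not match and the link lands at the top of the page instead of the relay section. Worth confirming the anchor before leaving this line as is.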

View file

@ -28,11 +28,11 @@ Get Access Today:
**Interesting pages to check:** **Interesting pages to check:**
* [**Pyscript hacking tricks**](pyscript.md)**** * [**Pyscript hacking tricks**](pyscript.md)
* ****[**Python deserializations**](../../pentesting-web/deserialization/#python)**** * [**Python deserializations**](../../pentesting-web/deserialization/#python)
* ****[**Tricks to bypass python sandboxes**](bypass-python-sandboxes/)**** * [**Tricks to bypass python sandboxes**](bypass-python-sandboxes/)
* ****[**Basic python web requests syntax**](web-requests.md)**** * [**Basic python web requests syntax**](web-requests.md)
* [**Basic python syntax and libraries**](basic-python.md)**** * [**Basic python syntax and libraries**](basic-python.md)
<details> <details>

View file

@ -75,7 +75,7 @@ The steps are relatively easy and do not require any kind of expertise to unders
* Pass the program we want to run to the stdin of the process (will be `read()` by said "shell"code). * Pass the program we want to run to the stdin of the process (will be `read()` by said "shell"code).
* At this point it is up to the loader to load the necessary libraries for our program and jump into it. * At this point it is up to the loader to load the necessary libraries for our program and jump into it.
**Check out the tool in** [**https://github.com/arget13/DDexec**](https://github.com/arget13/DDexec)**** **Check out the tool in** [**https://github.com/arget13/DDexec**](https://github.com/arget13/DDexec)
<details> <details>

View file

@ -17,11 +17,11 @@
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
## Automatic Enumeration & Escape ## Automatic Enumeration & Escape
@ -519,11 +519,11 @@ The second technique explained in the post [https://labs.f-secure.com/blog/abusi
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
## CVEs ## CVEs
@ -570,11 +570,11 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new
* [https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4) * [https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4)
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
<details> <details>

View file

@ -127,7 +127,7 @@ In this section I will just list interesting things I find people have used to e
### Parameter Injection via Deep Links ### Parameter Injection via Deep Links
In the [**CVE-2021-38112**](https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/) **** Rhino security discovered that an application based on CEF **registered a custom UR**I in the system (workspaces://) that received the full URI and then **launched the CEF based applicatio**n with a configuration that was partially constructing from that URI. In the [**CVE-2021-38112**](https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/) Rhino security discovered that an application based on CEF **registered a custom UR**I in the system (workspaces://) that received the full URI and then **launched the CEF based applicatio**n with a configuration that was partially constructing from that URI.
It was discovered that the URI parameters where URL decoded and used to launch the CEF basic application, allowing a user to **inject** the flag **`--gpu-launcher`** in the **command line** and execute arbitrary things. It was discovered that the URI parameters where URL decoded and used to launch the CEF basic application, allowing a user to **inject** the flag **`--gpu-launcher`** in the **command line** and execute arbitrary things.
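Review bot: since this line is being touched, the wording errors the `****` cleanup leaves behind should go in the same change: "partially constructing from that URI" should read "partially constructed from that URI", the bold markers split words in "**registered a custom UR**I" and "**launched the CEF based applicatio**n" (move the closing `**` after "URI" and "application"), and on the following context line "the URI parameters where URL decoded" should be "were URL decoded".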

View file

@ -16,7 +16,7 @@
</details> </details>
**This post was copied from** [**https://0xdf.gitlab.io/2022/05/31/setuid-rabbithole.html#testing-on-jail**](https://0xdf.gitlab.io/2022/05/31/setuid-rabbithole.html#testing-on-jail)**** **This post was copied from** [**https://0xdf.gitlab.io/2022/05/31/setuid-rabbithole.html#testing-on-jail**](https://0xdf.gitlab.io/2022/05/31/setuid-rabbithole.html#testing-on-jail)
## **`*uid`** ## **`*uid`**

View file

@ -17,11 +17,11 @@
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
## Common Limitations Bypasses ## Common Limitations Bypasses
@ -317,11 +317,11 @@ If you are inside a filesystem with the **read-only and noexec protections** the
* [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/) * [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
<details> <details>

View file

@ -17,11 +17,11 @@
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
**This tutorial was taken from:** [**https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533**](https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533) **This tutorial was taken from:** [**https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533**](https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533)
@ -93,11 +93,11 @@ After installing the certificate this way Firefox for Android won't use it (base
{% endhint %} {% endhint %}
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
<details> <details>

View file

@ -1,11 +1,11 @@
# iOS Pentesting Checklist # iOS Pentesting Checklist
{% hint style="danger" %} {% hint style="danger" %}
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
<details> <details>
@ -129,9 +129,9 @@ Through Security Skills as a Service, we help organizations to **defend against
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}

View file

@ -1,10 +1,10 @@
# iOS Pentesting # iOS Pentesting
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
## iOS Pentesting ## iOS Pentesting
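Review bot: in this file the sponsor block (the `<img ...>` line, the paragraph and the `{% embed %}`) is not wrapped in `{% hint style="danger" %}` ... `{% endhint %}`, unlike the equivalent blocks in the other files of this commit, so it renders as ordinary body text directly under the `# iOS Pentesting` title. The later hunks in this same file (before `## Data Storage`, before `## Backups` and before the closing `<details>`) have the same shape. Suggest adding the hint wrapper here while the embed is being swapped, so the banner is consistent across pages.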
@ -382,11 +382,11 @@ struct CGSize {
However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download\_freeware/). However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download\_freeware/).
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
## Data Storage ## Data Storage
@ -742,11 +742,11 @@ Jun 7 13:42:14 iPhone touch[9708] <Notice>: MS:Notice: Injecting: (null) [touch
... ...
``` ```
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
## Backups ## Backups
@ -1166,11 +1166,11 @@ You can find the **libraries used by an application** by running **`otool`** aga
* [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS) * [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS)
* [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2) * [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2)
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
<details> <details>

View file

@ -17,11 +17,11 @@
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
## Burp Cert Installation in physical iOS ## Burp Cert Installation in physical iOS
@ -125,11 +125,11 @@ Steps to configure Burp as proxy:
* Click on _**Ok**_ and the in _**Apply**_ * Click on _**Ok**_ and the in _**Apply**_
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
<details> <details>

View file

@ -17,11 +17,11 @@
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
## Basic Information ## Basic Information
@ -330,11 +330,11 @@ Entry_1:
``` ```
{% hint style="danger" %} {% hint style="danger" %}
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
<details> <details>

View file

@ -260,7 +260,7 @@ Tools:
* [**uro**](https://github.com/s0md3v/uro) (python): This isn't a spider but a tool that given the list of found URLs will to delete "duplicated" URLs. * [**uro**](https://github.com/s0md3v/uro) (python): This isn't a spider but a tool that given the list of found URLs will to delete "duplicated" URLs.
* [**Scavenger**](https://github.com/0xDexter0us/Scavenger): Burp Extension to create a list of directories from the burp history of different pages * [**Scavenger**](https://github.com/0xDexter0us/Scavenger): Burp Extension to create a list of directories from the burp history of different pages
* [**TrashCompactor**](https://github.com/michael1026/trashcompactor): Remove URLs with duplicated functionalities (based on js imports) * [**TrashCompactor**](https://github.com/michael1026/trashcompactor): Remove URLs with duplicated functionalities (based on js imports)
* ****[**Chamaleon**](https://github.com/iustin24/chameleon): It uses wapalyzer to detect used technologies and select the wordlists to use. * [**Chamaleon**](https://github.com/iustin24/chameleon): It uses wapalyzer to detect used technologies and select the wordlists to use.
**Recommended dictionaries:** **Recommended dictionaries:**
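Review bot: the changed bullet still spells the tool "Chamaleon" while its own link is `https://github.com/iustin24/chameleon`, and "wapalyzer" should be "Wappalyzer"; the uro bullet two lines above reads "will to delete", which should be "will delete". Since the list is already being edited for the stray `****`, fix these in the same hunk.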

View file

@ -18,9 +18,9 @@
## General ## General
* [**https://owasp.org/www-community/Source\_Code\_Analysis\_Tools**](https://owasp.org/www-community/Source\_Code\_Analysis\_Tools)****\ * [**https://owasp.org/www-community/Source\_Code\_Analysis\_Tools**](https://owasp.org/www-community/Source\_Code\_Analysis\_Tools)\
****
* [**https://github.com/analysis-tools-dev/static-analysis**](https://github.com/analysis-tools-dev/static-analysis)**** * [**https://github.com/analysis-tools-dev/static-analysis**](https://github.com/analysis-tools-dev/static-analysis)
```bash ```bash
https://www.sonarqube.org/downloads/ https://www.sonarqube.org/downloads/
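Review bot: the OWASP bullet keeps a trailing `\` after the link. In GitBook markdown that is a hard line break, and now that the empty `****` line between the two bullets is gone it sits directly before the next list item, so drop the backslash as well and leave the line as `* [**https://owasp.org/www-community/Source\_Code\_Analysis\_Tools**](https://owasp.org/www-community/Source\_Code\_Analysis\_Tools)`.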

View file

@ -17,14 +17,14 @@
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
****
**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**.** **Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**.**
@ -94,11 +94,11 @@ Command line tool to brute-force websites using cookies crafted with flask-unsig
[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret. [**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
<details> <details>

View file

@ -16,7 +16,7 @@
</details> </details>
**To dump a .git folder from a URL use** [**https://github.com/arthaud/git-dumper**](https://github.com/arthaud/git-dumper)**** **To dump a .git folder from a URL use** [**https://github.com/arthaud/git-dumper**](https://github.com/arthaud/git-dumper)
**Use** [**https://www.gitkraken.com/**](https://www.gitkraken.com/) **to inspect the content** **Use** [**https://www.gitkraken.com/**](https://www.gitkraken.com/) **to inspect the content**

View file

@ -595,11 +595,11 @@ I have created a webshell that makes very easy to perform this actions (note tha
There are several ways to bypass disable\_functions if some specific module is being used or exploit some specific PHP version: There are several ways to bypass disable\_functions if some specific module is being used or exploit some specific PHP version:
* [**FastCGI/PHP-FPM (FastCGI Process Manager)**](disable\_functions-bypass-php-fpm-fastcgi.md) * [**FastCGI/PHP-FPM (FastCGI Process Manager)**](disable\_functions-bypass-php-fpm-fastcgi.md)
* [**Bypass with FFI - Foreign Function Interface enabled**](broken-reference)**** * [**Bypass with FFI - Foreign Function Interface enabled**](broken-reference)
* [**Bypass via mem**](disable\_functions-bypass-via-mem.md) * [**Bypass via mem**](disable\_functions-bypass-via-mem.md)
* [**mod\_cgi**](disable\_functions-bypass-mod\_cgi.md) * [**mod\_cgi**](disable\_functions-bypass-mod\_cgi.md)
* [**PHP Perl Extension Safe\_mode**](disable\_functions-bypass-php-perl-extension-safe\_mode-bypass-exploit.md) * [**PHP Perl Extension Safe\_mode**](disable\_functions-bypass-php-perl-extension-safe\_mode-bypass-exploit.md)
* [**dl function**](disable\_functions-bypass-dl-function.md)**** * [**dl function**](disable\_functions-bypass-dl-function.md)
* [**This exploit**](https://github.com/mm0r1/exploits/tree/master/php-filter-bypass) * [**This exploit**](https://github.com/mm0r1/exploits/tree/master/php-filter-bypass)
* 5.\* - exploitable with minor changes to the PoC * 5.\* - exploitable with minor changes to the PoC
* 7.0 - all versions to date * 7.0 - all versions to date
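Review bot: the `**Bypass with FFI - Foreign Function Interface enabled**` item still links to `broken-reference`, which is GitBook's placeholder for a link whose target page no longer exists; removing only the trailing `****` leaves a dead link in the list. Either point it at the actual FFI bypass page or turn it into plain text like the `dl function` entry until that page exists.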

View file

@ -16,11 +16,11 @@
</details> </details>
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
## Basic Information ## Basic Information
@ -129,11 +129,11 @@ Old versions may be still be in use and be more vulnerable than latest endpoints
* `/api/CharityEventFeb2020/user/pp/<ID>` * `/api/CharityEventFeb2020/user/pp/<ID>`
* `/api/CharityEventFeb2021/user/pp/<ID>` * `/api/CharityEventFeb2021/user/pp/<ID>`
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
## 🛡️ API Security Empire Cheat Sheet ## 🛡️ API Security Empire Cheat Sheet
@ -215,11 +215,11 @@ kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0
* [**API-fuzzer**](https://github.com/Fuzzapi/API-fuzzer): API\_Fuzzer gem accepts a API request as input and returns vulnerabilities possible in the API. * [**API-fuzzer**](https://github.com/Fuzzapi/API-fuzzer): API\_Fuzzer gem accepts a API request as input and returns vulnerabilities possible in the API.
* [**race-the-web**](https://github.com/TheHackerDev/race-the-web): Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) _simultaneously_, and then compares the responses from the server for uniqueness. * [**race-the-web**](https://github.com/TheHackerDev/race-the-web): Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) _simultaneously_, and then compares the responses from the server for uniqueness.
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
<details> <details>

View file

@ -12,11 +12,11 @@
</details> </details>
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
## Basic Information ## Basic Information
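Review bot: only the image path and the `{% embed %}` URL change here; the Security Hubs copy between them is left in place and no longer matches the linked site. Also consider a descriptive asset name rather than the bare `image.png` (a suggestion, e.g. `syncubes.png`): the old `image (307).png` shows the assets folder holds auto-numbered uploads, and a generic name is easy to confuse with them or to overwrite later.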
@ -93,11 +93,11 @@ curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-conten
curl -s -X GET https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2 curl -s -X GET https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
``` ```
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
## Active enumeration ## Active enumeration
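Review bot: the embed now points at syncubes.com while the paragraph it belongs to still reads "Security Skills as a Service ... Security Hubs"; the copy should be swapped in the same commit as the link, otherwise the sponsor block is internally inconsistent.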
@ -283,11 +283,11 @@ wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detec
#You can try to bruteforce the admin user using wpscan with "-U admin" #You can try to bruteforce the admin user using wpscan with "-U admin"
``` ```
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
## Get access by overwriting a bit ## Get access by overwriting a bit
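Review bot: same block, same issue: the URL and image are updated to the new sponsor but the descriptive paragraph above them is not, so the text and link disagree. Update or remove the paragraph alongside the embed.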
@ -425,11 +425,11 @@ Also, **only install trustable WordPress plugins and themes**.
* **Limit login attempts** to prevent Brute Force attacks * **Limit login attempts** to prevent Brute Force attacks
* Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses. * Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses.
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
<details> <details>
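Review bot: the hardening list above is unchanged, which is fine, but the sponsor block that follows it now links to syncubes.com under a paragraph that still advertises Security Hubs. The paragraph needs the same update as the URL.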

View file

@ -19,7 +19,7 @@
If the preload script exposes an IPC endpoint from the main.js file, the renderer process will be able to access it and if vulnerable, a RCE might be possible. If the preload script exposes an IPC endpoint from the main.js file, the renderer process will be able to access it and if vulnerable, a RCE might be possible.
**All these examples were taken from here** [**https://www.youtube.com/watch?v=xILfQGkLXQo**](https://www.youtube.com/watch?v=xILfQGkLXQo)**** **All these examples were taken from here** [**https://www.youtube.com/watch?v=xILfQGkLXQo**](https://www.youtube.com/watch?v=xILfQGkLXQo)
# Example 1 # Example 1

View file

@ -16,11 +16,11 @@
</details> </details>
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
## The difference ## The difference
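Review bot: the image path and embed URL are replaced but the Security Skills as a Service paragraph between them is not, leaving a description of one sponsor attached to another sponsor's link. Change the copy together with the link.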
@ -128,11 +128,11 @@ The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vul
Example usage: `wcvs -u example.com` Example usage: `wcvs -u example.com`
{% hint style="danger" %} {% hint style="danger" %}
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
## Vulnerable Examples ## Vulnerable Examples
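Review bot: besides the text/link mismatch (the paragraph still describes Security Hubs while the embed goes to syncubes.com), this sponsor block sits inside a `{% hint style="danger" %}` callout. A danger hint is a warning style; wrapping an advertisement in it is misleading to readers, so while this block is being edited it would be better moved out of the hint.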
@ -233,11 +233,11 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S
* [https://youst.in/posts/cache-poisoning-at-scale/](https://youst.in/posts/cache-poisoning-at-scale/) * [https://youst.in/posts/cache-poisoning-at-scale/](https://youst.in/posts/cache-poisoning-at-scale/)
* [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9) * [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
<details> <details>
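Review bot: the references list above is untouched, but the sponsor block after it again changes only the image and the embed URL; the paragraph still carries the Security Hubs copy and should be updated in the same change.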

View file

@ -17,11 +17,11 @@
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
## What is Clickjacking ## What is Clickjacking
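Review bot: the new syncubes.com embed is placed under a paragraph that still describes Security Skills as a Service, and the whole block is inside a `{% hint style="danger" %}` callout. Update the copy with the link, and consider dropping the danger styling so the ad is not presented as a security warning.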
@ -182,11 +182,11 @@ See the following documentation for further details and more complex examples:
* [**https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html) * [**https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html)
{% hint style="danger" %} {% hint style="danger" %}
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
<details> <details>
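Review bot: only the image and URL lines change inside this danger hint; the sponsor paragraph is left describing Security Hubs while linking to syncubes.com. Either replace the paragraph here as well or keep the previous link until the copy is ready.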

View file

@ -258,7 +258,7 @@ ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com
<script src="https://www.googleapis.com/customsearch/v1?callback=alert(1)"> <script src="https://www.googleapis.com/customsearch/v1?callback=alert(1)">
``` ```
Other JSONP arbitrary execution endpoints can be found in [**here**](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt) **** (some of them were deleted or fixed) Other JSONP arbitrary execution endpoints can be found in [**here**](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt) (some of them were deleted or fixed)
### Bypass CSP with dangling markup ### Bypass CSP with dangling markup

View file

@ -394,7 +394,7 @@ ${${lower:jnd}${lower:${upper:ı}}:ldap://...} //Notice the unicode "i"
In this [**CTF writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-log4j2-writeup/) is well explained how it's potentially **possible** to **abuse** some features of **Log4J**. In this [**CTF writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-log4j2-writeup/) is well explained how it's potentially **possible** to **abuse** some features of **Log4J**.
The [**security page**](https://logging.apache.org/log4j/2.x/security.html) **** of Log4j has some interesting sentences: The [**security page**](https://logging.apache.org/log4j/2.x/security.html) of Log4j has some interesting sentences:
> From version 2.16.0 (for Java 8), the **message lookups feature has been completely removed**. **Lookups in configuration still work**. Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly. > From version 2.16.0 (for Java 8), the **message lookups feature has been completely removed**. **Lookups in configuration still work**. Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly.

View file

@ -612,7 +612,7 @@ However, as the previous **`child_process`** methods, it has been **fixed** in t
Please, note that prototype pollution works if the **attribute** of an object that is being accessed is **undefined**. If in the **code** that **attribute** is **set** a **value** you **won't be able to overwrite it**. Please, note that prototype pollution works if the **attribute** of an object that is being accessed is **undefined**. If in the **code** that **attribute** is **set** a **value** you **won't be able to overwrite it**.
In Jun 2022 from [**this commit**](https://github.com/nodejs/node/commit/20b0df1d1eba957ea30ba618528debbe02a97c6a) **** the var `options` instead of a `{}` is **** a **`kEmptyObject`**. Which **prevents a prototype pollution** from affecting the **attributes** of **`options`** to obtain RCE.\ In Jun 2022 from [**this commit**](https://github.com/nodejs/node/commit/20b0df1d1eba957ea30ba618528debbe02a97c6a) the var `options` instead of a `{}` is a **`kEmptyObject`**. Which **prevents a prototype pollution** from affecting the **attributes** of **`options`** to obtain RCE.\
At least from v18.4.0 this protection has been **implemented,** and therefore the `spawn` and `spawnSync` **exploits** affecting the methods **no longer work** (if no `options` are used!). At least from v18.4.0 this protection has been **implemented,** and therefore the `spawn` and `spawnSync` **exploits** affecting the methods **no longer work** (if no `options` are used!).
In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156cadc1b3492eac3941dd9) the **prototype pollution** of **`contextExtensions`** from the vm library was **also kind of fixed** setting options to **`kEmptyObject` ** instead of **`{}`.** In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156cadc1b3492eac3941dd9) the **prototype pollution** of **`contextExtensions`** from the vm library was **also kind of fixed** setting options to **`kEmptyObject` ** instead of **`{}`.**

View file

@ -16,11 +16,11 @@
</details> </details>
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
## Domain takeover ## Domain takeover
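Review bot: the embed changes to syncubes.com but the paragraph above it still advertises Security Skills as a Service and Security Hubs; the two lines should be updated together so the block describes the company it links to.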
@ -71,11 +71,11 @@ All of them vulnerable to subdomain takeover. All of them were big brands. Talki
Nevertheless, recent phishing campaigns host content on domains with long domain names that include name of the brand (see [Apple example](https://www.phishtank.com/target\_search.php?target\_id=183\&valid=y\&active=All\&Search=Search)). Having valid SSL certificate (more on that below), keyword in domain name and website which mimics the website of targeted brand, people tend to fall into these attacks. Think about chances with a legitimate subdomain of this brand. Nevertheless, recent phishing campaigns host content on domains with long domain names that include name of the brand (see [Apple example](https://www.phishtank.com/target\_search.php?target\_id=183\&valid=y\&active=All\&Search=Search)). Having valid SSL certificate (more on that below), keyword in domain name and website which mimics the website of targeted brand, people tend to fall into these attacks. Think about chances with a legitimate subdomain of this brand.
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
### SSL Certificates <a href="#sslcertificates" id="sslcertificates"></a> ### SSL Certificates <a href="#sslcertificates" id="sslcertificates"></a>
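Review bot: the sponsor block between the phishing paragraph and the SSL Certificates heading gets a new link and image but keeps the old descriptive text, so the text and the link now refer to different companies. Update the paragraph along with the URL.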
@ -163,11 +163,11 @@ Until next time!
[Patrik](https://twitter.com/0xpatrik) [Patrik](https://twitter.com/0xpatrik)
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
<details> <details>
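Review bot: the block after the author sign-off changes only the image path and the embed target; the Security Hubs paragraph is unchanged and no longer matches the syncubes.com link. Replace the copy in the same commit.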

View file

@ -341,7 +341,7 @@ For more information read the following post:
Check more possible[ **protocols to include here**](https://www.php.net/manual/en/wrappers.php)**:** Check more possible[ **protocols to include here**](https://www.php.net/manual/en/wrappers.php)**:**
* [php://memory and php://temp](https://www.php.net/manual/en/wrappers.php.php#wrappers.php.memory) **** — Write in memory or in a temporary file (not sure how this can be useful in a file inclusion attack) * [php://memory and php://temp](https://www.php.net/manual/en/wrappers.php.php#wrappers.php.memory) — Write in memory or in a temporary file (not sure how this can be useful in a file inclusion attack)
* [file://](https://www.php.net/manual/en/wrappers.file.php) — Accessing local filesystem * [file://](https://www.php.net/manual/en/wrappers.file.php) — Accessing local filesystem
* [http://](https://www.php.net/manual/en/wrappers.http.php) — Accessing HTTP(s) URLs * [http://](https://www.php.net/manual/en/wrappers.http.php) — Accessing HTTP(s) URLs
* [ftp://](https://www.php.net/manual/en/wrappers.ftp.php) — Accessing FTP(s) URLs * [ftp://](https://www.php.net/manual/en/wrappers.ftp.php) — Accessing FTP(s) URLs

View file

@ -43,7 +43,7 @@ You can see that info in this part of the php-src code in main/streams/cast.c:
## Race Condition to RCE ## Race Condition to RCE
****[**This CTF**](https://balsn.tw/ctf\_writeup/20191228-hxp36c3ctf/#includer) was solved using the previous trick. [**This CTF**](https://balsn.tw/ctf\_writeup/20191228-hxp36c3ctf/#includer) was solved using the previous trick.
The attacker will make the **victim server open a connection reading a file from the attackers server** using the **`compress.zlib`** protocol. The attacker will make the **victim server open a connection reading a file from the attackers server** using the **`compress.zlib`** protocol.

View file

@ -201,7 +201,7 @@ Where **name\[i] is a .mdb filename** and **realTable is an existent table** wit
### .mdb Password Cracker ### .mdb Password Cracker
****[**Access PassView**](https://www.nirsoft.net/utils/accesspv.html) is a free utility that can be used to recover the main database password of Microsoft Access 95/97/2000/XP or Jet Database Engine 3.0/4.0. [**Access PassView**](https://www.nirsoft.net/utils/accesspv.html) is a free utility that can be used to recover the main database password of Microsoft Access 95/97/2000/XP or Jet Database Engine 3.0/4.0.
## References ## References

View file

@ -12,15 +12,15 @@
</details> </details>
* ****[**KNOXSS**](https://addons.mozilla.org/en-US/firefox/addon/knoxss-community-edition/): Search for XSS while you browse * [**KNOXSS**](https://addons.mozilla.org/en-US/firefox/addon/knoxss-community-edition/): Search for XSS while you browse
* ****[**Wappalyzer**](https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/): Check technologies used by the website * [**Wappalyzer**](https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/): Check technologies used by the website
* ****[**HackBar** ](https://addons.mozilla.org/en-US/firefox/addon/hackbartool/)& [**Max HacKBar**](https://addons.mozilla.org/en-US/firefox/addon/maxs-hackbar/): Get payloads for most common web vulns in your bar * [**HackBar** ](https://addons.mozilla.org/en-US/firefox/addon/hackbartool/)& [**Max HacKBar**](https://addons.mozilla.org/en-US/firefox/addon/maxs-hackbar/): Get payloads for most common web vulns in your bar
* ****[**FoxyProxy**](https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/): To easily configure a proxy for the browser * [**FoxyProxy**](https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/): To easily configure a proxy for the browser
* ****[**DotGit**](https://addons.mozilla.org/en-US/firefox/addon/dotgit/): It checks for sensitive files like `.git` in the current page * [**DotGit**](https://addons.mozilla.org/en-US/firefox/addon/dotgit/): It checks for sensitive files like `.git` in the current page
* ****[**User-Agent Switcher**](https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/): It allows you to modify your user-agent * [**User-Agent Switcher**](https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/): It allows you to modify your user-agent
* ****[**ModHeader**](https://addons.mozilla.org/en-US/firefox/addon/modheader-firefox/): Change HTTP Headers sent by the browser * [**ModHeader**](https://addons.mozilla.org/en-US/firefox/addon/modheader-firefox/): Change HTTP Headers sent by the browser
* ****[**retire-js**](https://addons.mozilla.org/en-US/firefox/addon/retire-js/): Search for outdate JS libraries used * [**retire-js**](https://addons.mozilla.org/en-US/firefox/addon/retire-js/): Search for outdate JS libraries used
* ****[**Email Extractor**](https://addons.mozilla.org/en-US/firefox/addon/mailshunt-email-extractor/): Extracts emails from websites. * [**Email Extractor**](https://addons.mozilla.org/en-US/firefox/addon/mailshunt-email-extractor/): Extracts emails from websites.
## References ## References

View file

@ -72,7 +72,7 @@ Some of the following techniques are going to use timing to as part of the proce
**Clocks**: The [performance.now()](https://developer.mozilla.org/en-US/docs/Web/API/Performance/now) API allows developers to get high-resolution timing measurements.\ **Clocks**: The [performance.now()](https://developer.mozilla.org/en-US/docs/Web/API/Performance/now) API allows developers to get high-resolution timing measurements.\
There are a considerable number of APIs attackers can abuse to create implicit clocks: [Broadcast Channel API](https://developer.mozilla.org/en-US/docs/Web/API/Broadcast\_Channel\_API), [Message Channel API](https://developer.mozilla.org/en-US/docs/Web/API/MessageChannel), [requestAnimationFrame](https://developer.mozilla.org/en-US/docs/Web/API/window/requestAnimationFrame), [setTimeout](https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout), CSS animations, and others**.**\ There are a considerable number of APIs attackers can abuse to create implicit clocks: [Broadcast Channel API](https://developer.mozilla.org/en-US/docs/Web/API/Broadcast\_Channel\_API), [Message Channel API](https://developer.mozilla.org/en-US/docs/Web/API/MessageChannel), [requestAnimationFrame](https://developer.mozilla.org/en-US/docs/Web/API/window/requestAnimationFrame), [setTimeout](https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout), CSS animations, and others**.**\
****For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/clocks](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/). For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/clocks](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/).
## XSinator ## XSinator
@ -236,7 +236,7 @@ Because **only one request payment can be active** at the same time, if the targ
* **Inclusion Methods**: * **Inclusion Methods**:
* **Detectable Difference**: Timing (generally due to Page Content, Status Code) * **Detectable Difference**: Timing (generally due to Page Content, Status Code)
* **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#timing-the-event-loop](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#timing-the-event-loop) * **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#timing-the-event-loop](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#timing-the-event-loop)
* **Summary:** Measure execution time of a web **** abusing the single-threaded JS event loop. * **Summary:** Measure execution time of a web abusing the single-threaded JS event loop.
* **Code Example**: * **Code Example**:
JavaScripts concurrency model is based on a [single-threaded event loop](https://developer.mozilla.org/en-US/docs/Web/JavaScript/EventLoop) which means **it can only run one task at a time**.\ JavaScripts concurrency model is based on a [single-threaded event loop](https://developer.mozilla.org/en-US/docs/Web/JavaScript/EventLoop) which means **it can only run one task at a time**.\
@ -251,7 +251,7 @@ In an execution timing it's possible to **eliminate** **network factors** to obt
* **Inclusion Methods**: * **Inclusion Methods**:
* **Detectable Difference**: Timing (generally due to Page Content, Status Code) * **Detectable Difference**: Timing (generally due to Page Content, Status Code)
* **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#busy-event-loop](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#busy-event-loop) * **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#busy-event-loop](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#busy-event-loop)
* **Summary:** Measure execution time of a web **** locking the event loop of a thread and timing **how long it takes for the event loop to become available again**.&#x20; * **Summary:** Measure execution time of a web locking the event loop of a thread and timing **how long it takes for the event loop to become available again**.&#x20;
* **Code Example**: * **Code Example**:
One of the main advantages of this technique is its ability to circumvent Site Isolation, as an attacker origin can influence the execution of another origin. One of the main advantages of this technique is its ability to circumvent Site Isolation, as an attacker origin can influence the execution of another origin.
@ -536,7 +536,7 @@ This allows an attacker to detect specific CSP directive of a crossorigin page,
* **Inclusion Methods**: Fetch API * **Inclusion Methods**: Fetch API
* **Detectable Difference**: Header * **Detectable Difference**: Header
* **More info**: [**https://xsleaks.dev/docs/attacks/browser-features/corp/**](https://xsleaks.dev/docs/attacks/browser-features/corp/)**** * **More info**: [**https://xsleaks.dev/docs/attacks/browser-features/corp/**](https://xsleaks.dev/docs/attacks/browser-features/corp/)
* **Summary:** Resource protected with CORP throws error when fetched. * **Summary:** Resource protected with CORP throws error when fetched.
* **Code Example**: [https://xsinator.com/testing.html#CORP%20Leak](https://xsinator.com/testing.html#CORP%20Leak) * **Code Example**: [https://xsinator.com/testing.html#CORP%20Leak](https://xsinator.com/testing.html#CORP%20Leak)
@ -561,7 +561,7 @@ Check the more information link for more information about the attack.
* **Code Example**: [https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration](https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration) * **Code Example**: [https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration](https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration)
In case the **Origin header** is being **reflected** in the header `Access-Control-Allow-Origin` an attacker can abuse this behaviour to try to **fetch** the **resource** in **CORS** mode. If an **error** **isn't** triggered, it means that it was **correctly retrieved form the web**, if an error is **triggered**, it's because it was **accessed from the cache** (the error appears because the cache saves a response with a CORS header allowing the original domain and not the attackers domain)**.**\ In case the **Origin header** is being **reflected** in the header `Access-Control-Allow-Origin` an attacker can abuse this behaviour to try to **fetch** the **resource** in **CORS** mode. If an **error** **isn't** triggered, it means that it was **correctly retrieved form the web**, if an error is **triggered**, it's because it was **accessed from the cache** (the error appears because the cache saves a response with a CORS header allowing the original domain and not the attackers domain)**.**\
****Note that if the origin isn't reflected but a wildcard is used (`Access-Control-Allow-Origin: *`) this won't work. Note that if the origin isn't reflected but a wildcard is used (`Access-Control-Allow-Origin: *`) this won't work.
## Readable Attributes Technique ## Readable Attributes Technique
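Review bot: the paragraph this hunk touches still carries two typos in its unchanged first line: "correctly retrieved form the web" should read "from the web", and "the attackers domain" should be "the attacker's domain". Since the hunk already rewrites the trailing `****Note` line, the whole paragraph could be cleaned in the same change rather than leaving half of it for a later pass.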
@ -772,7 +772,7 @@ Before accessing the cache is faster than loading a resource, it's possible to t
* **Summary:** It's possible to try to load a resource and about before it's loaded the loading is interrupted. Depending on if an error is triggered, the resource was or wasn't cached. * **Summary:** It's possible to try to load a resource and about before it's loaded the loading is interrupted. Depending on if an error is triggered, the resource was or wasn't cached.
* **Code Example**: [https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller](https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller) * **Code Example**: [https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller](https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller)
[**`AbortController`**](https://developer.mozilla.org/en-US/docs/Web/API/AbortController) **** could be combined with _**fetch**_ and _**setTimeout**_ to both detect whether the **resource is cached** and to evict a specific resource from the browser cache. A nice feature of this technique is that the probing occurs without caching new content in the process. [**`AbortController`**](https://developer.mozilla.org/en-US/docs/Web/API/AbortController) could be combined with _**fetch**_ and _**setTimeout**_ to both detect whether the **resource is cached** and to evict a specific resource from the browser cache. A nice feature of this technique is that the probing occurs without caching new content in the process.
### Script Pollution ### Script Pollution
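Review bot: the summary bullet in this hunk's context ("It's possible to try to load a resource and about before it's loaded the loading is interrupted") has "about" where "abort" is meant and is hard to parse; suggest "It's possible to start loading a resource and abort it before it finishes. Depending on whether an error is triggered, the resource was or wasn't cached." The `AbortController` line below it is the one being edited, so the bullet describing the same technique should be fixed alongside it.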

View file

@ -201,7 +201,7 @@ Some **examples**:
When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\ When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\
For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\ For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\
_**Note: A HTML comment can be closed using**** ****`-->`**** ****or**** ****`--!>`**_ _**Note: A HTML comment can be closed using `-->` or `--!>`**_
In this case and if no black/whitelisting is used, you could use payloads like: In this case and if no black/whitelisting is used, you could use payloads like:
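Review bot: the unchanged first line of this hunk has three wording slips that undercut an otherwise clear test procedure: "the first thing you need to do if check" should be "is to check", "deleted of if it is reflected" should be "deleted or if it is reflected", and "For this cases" on the next line should be "For these cases". The hunk only fixes the comment-closing note, so these would stay in the rendered page.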

View file

@ -71,7 +71,7 @@ Any of the previous of following payloads may be used inside this SVG payload. O
</svg> </svg>
``` ```
You can find a lot **other SVG payloads** in [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)**** You can find a lot **other SVG payloads** in [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)
## Path disclosure ## Path disclosure
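Review bot: "You can find a lot **other SVG payloads**" is missing a word and should read "a lot of other SVG payloads"; the bold span can then cover "other SVG payloads" as it does now.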

View file

@ -191,7 +191,7 @@ Tools that search for this kind of information (even if you always should take a
* [**FwAnalyzer**](https://github.com/cruise-automation/fwanalyzer): FwAnalyzer is a tool to analyze (ext2/3/4), FAT/VFat, SquashFS, UBIFS filesystem images, cpio archives, and directory content using a set of configurable rules. * [**FwAnalyzer**](https://github.com/cruise-automation/fwanalyzer): FwAnalyzer is a tool to analyze (ext2/3/4), FAT/VFat, SquashFS, UBIFS filesystem images, cpio archives, and directory content using a set of configurable rules.
* [**ByteSweep**](https://gitlab.com/bytesweep/bytesweep): A Free Software IoT Firmware Security Analysis Tool * [**ByteSweep**](https://gitlab.com/bytesweep/bytesweep): A Free Software IoT Firmware Security Analysis Tool
* [**ByteSweep-go**](https://gitlab.com/bytesweep/bytesweep-go): This is a complete rewrite of the original ByteSweep project in Go. * [**ByteSweep-go**](https://gitlab.com/bytesweep/bytesweep-go): This is a complete rewrite of the original ByteSweep project in Go.
* ****[**EMBA**](https://github.com/e-m-b-a/emba): _EMBA_ is designed as the central firmware analysis tool for penetration testers. It supports the complete security analysis process starting with the _firmware extraction_ process, doing _static analysis_ and _dynamic analysis_ via emulation and finally generating a report. _EMBA_ automatically discovers possible weak spots and vulnerabilities in firmware. Examples are insecure binaries, old and outdated software components, potentially vulnerable scripts or hard-coded passwords. * [**EMBA**](https://github.com/e-m-b-a/emba): _EMBA_ is designed as the central firmware analysis tool for penetration testers. It supports the complete security analysis process starting with the _firmware extraction_ process, doing _static analysis_ and _dynamic analysis_ via emulation and finally generating a report. _EMBA_ automatically discovers possible weak spots and vulnerabilities in firmware. Examples are insecure binaries, old and outdated software components, potentially vulnerable scripts or hard-coded passwords.
{% hint style="warning" %} {% hint style="warning" %}
Inside the filesystem you can also find **source code** of programs (that you should always **check**), but also **compiled binaries**. These programs might be somehow exposed and you should **decompile** and **check** them for potential vulnerabilities. Inside the filesystem you can also find **source code** of programs (that you should always **check**), but also **compiled binaries**. These programs might be somehow exposed and you should **decompile** and **check** them for potential vulnerabilities.

View file

@ -18,11 +18,11 @@
{% hint style="danger" %} {% hint style="danger" %}
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
## Extracting data from all files ## Extracting data from all files
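Review bot: the embed URL is swapped to `https://www.syncubes.com/` but the sponsor paragraph in the same hint block is unchanged and still reads "Security Hubs bring together offensive penetration testing tactics ...", so the rendered box now names one company and links to another; either the prose should be updated to the new sponsor or the hint should be left pointing at securityhubs.io until the replacement copy is ready. Separately, renaming the asset from `image (307).png` to the generic `../.gitbook/assets/image.png` is risky: GitBook exports every unnamed pasted image as `image.png`, so the next export in this folder can silently overwrite the logo. A descriptive file name would avoid that. The same two points apply to the other two copies of this hint block in this file (the hunks at `-92` and `-228`).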
@ -92,11 +92,11 @@ If you find that a **text line** is **bigger** than it should be, then some **hi
To **extract** the **data**, you can use: [https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder](https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder) To **extract** the **data**, you can use: [https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder](https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder)
{% hint style="danger" %} {% hint style="danger" %}
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
## Extracting data from images ## Extracting data from images
@ -228,11 +228,11 @@ To read a QR code: [https://online-barcode-reader.inliteresearch.com/](https://o
* [**https://github.com/DominicBreuker/stego-toolkit**](https://github.com/DominicBreuker/stego-toolkit) * [**https://github.com/DominicBreuker/stego-toolkit**](https://github.com/DominicBreuker/stego-toolkit)
{% hint style="danger" %} {% hint style="danger" %}
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
<details> <details>

View file

@ -70,7 +70,7 @@ If you just have access to an AD environment but you don't have any credentials/
* [**A more detailed guide on how to enumerate LDAP can be found here.**](../../network-services-pentesting/pentesting-ldap.md) * [**A more detailed guide on how to enumerate LDAP can be found here.**](../../network-services-pentesting/pentesting-ldap.md)
* **Poison the network** * **Poison the network**
* Gather credentials [**impersonating services with Responder**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) * Gather credentials [**impersonating services with Responder**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
* Access host by [**abusing the relay attack**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)**** * Access host by [**abusing the relay attack**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)
* Gather credentials **exposing** [**fake UPnP services with evil-S**](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856) * Gather credentials **exposing** [**fake UPnP services with evil-S**](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
* [**OSINT**](https://book.hacktricks.xyz/external-recon-methodology): * [**OSINT**](https://book.hacktricks.xyz/external-recon-methodology):
* Extract usernames/names from internal documents, social media, services (mainly web) inside the domain environments and also from the publicly available. * Extract usernames/names from internal documents, social media, services (mainly web) inside the domain environments and also from the publicly available.
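Review bot: the "evil-SSDP" bullet in this hunk's context is split into two adjacent links, `[**fake UPnP services with evil-S**](...spoofing-ssdp-and-upnp-devices.md)` followed by `[**SDP**](https://medium.com/...)`, so the phrase renders as one bold string but the first part clicks through to the internal page and the last three letters to the Medium article. Suggest one link, "fake UPnP services with evil-SSDP", to the internal page, with the Medium write-up as a separate "see also" link. The last bullet's "and also from the publicly available" is also left hanging; "publicly available information" or "sources" closes it.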
@ -94,7 +94,7 @@ crackmapexec smb dominio.es -u '' -p '' --users | awk '{print $4}' | uniq
{% hint style="warning" %} {% hint style="warning" %}
You can find lists of usernames in [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names). You can find lists of usernames in [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names).
However, you should have the **name of the people working on the company** from the recon step you should have performed before this. With the name and surname you could used the script [**namemash.py**](https://gist.github.com/superkojiman/11076951) **** to generate potential valid usernames. However, you should have the **name of the people working on the company** from the recon step you should have performed before this. With the name and surname you could used the script [**namemash.py**](https://gist.github.com/superkojiman/11076951) to generate potential valid usernames.
{% endhint %} {% endhint %}
#### **OWA (Outlook Web Access) Server** #### **OWA (Outlook Web Access) Server**
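Review bot: "you could used the script" in the edited line should be "you could use the script", and "the name of the people working on the company" reads better as "working at the company". While the `****` is being removed here it is worth fixing the verb in the same line rather than leaving a visible grammar error in a warning box.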
@ -138,8 +138,8 @@ Regarding [**ASREPRoast**](asreproast.md) you can now find every possible vulner
* You can also search in the LDAP database with **ldapsearch** to look for credentials in fields _userPassword_ & _unixUserPassword_, or even for _Description_. cf. [Password in AD User comment on PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#password-in-ad-user-comment) for other methods. * You can also search in the LDAP database with **ldapsearch** to look for credentials in fields _userPassword_ & _unixUserPassword_, or even for _Description_. cf. [Password in AD User comment on PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#password-in-ad-user-comment) for other methods.
* If you are using **Linux**, you could also enumerate the domain using [**pywerview**](https://github.com/the-useless-one/pywerview). * If you are using **Linux**, you could also enumerate the domain using [**pywerview**](https://github.com/the-useless-one/pywerview).
* You could also try automated tools as: * You could also try automated tools as:
* [**tomcarver16/ADSearch**](https://github.com/tomcarver16/ADSearch)**** * [**tomcarver16/ADSearch**](https://github.com/tomcarver16/ADSearch)
* ****[**61106960/adPEAS**](https://github.com/61106960/adPEAS)**** * [**61106960/adPEAS**](https://github.com/61106960/adPEAS)
* #### Extracting all domain users * #### Extracting all domain users
It's very easy to obtain all the domain usernames from Windows (`net user /domain` ,`Get-DomainUser` or `wmic useraccount get name,sid`). In Linux, you can use: `GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username` or `enum4linux -a -u "user" -p "password" <DC IP>` It's very easy to obtain all the domain usernames from Windows (`net user /domain` ,`Get-DomainUser` or `wmic useraccount get name,sid`). In Linux, you can use: `GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username` or `enum4linux -a -u "user" -p "password" <DC IP>`
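Review bot: `* #### Extracting all domain users` puts a level-4 heading inside a bullet item, which renders as an oddly indented bold line rather than a section heading and breaks the table of contents; drop the leading `* ` so it becomes a normal heading, as the other `####` headings in this file are. Also "automated tools as:" should be "automated tools such as:".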
@ -192,7 +192,7 @@ Then, its time to dump all the hashes in memory and locally.\
**Once you have the hash of a user**, you can use it to **impersonate** it.\ **Once you have the hash of a user**, you can use it to **impersonate** it.\
You need to use some **tool** that will **perform** the **NTLM authentication using** that **hash**, **or** you could create a new **sessionlogon** and **inject** that **hash** inside the **LSASS**, so when any **NTLM authentication is performed**, that **hash will be used.** The last option is what mimikatz does.\ You need to use some **tool** that will **perform** the **NTLM authentication using** that **hash**, **or** you could create a new **sessionlogon** and **inject** that **hash** inside the **LSASS**, so when any **NTLM authentication is performed**, that **hash will be used.** The last option is what mimikatz does.\
****[**Read this page for more information.**](../ntlm/#pass-the-hash)**** [**Read this page for more information.**](../ntlm/#pass-the-hash)
### Over Pass the Hash/Pass the Key ### Over Pass the Hash/Pass the Key
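Review bot: "create a new **sessionlogon**" in this hunk's context should be "create a new **logon session**"; the term as written is not the Windows name and the sentence is explaining exactly the mechanism mimikatz relies on, so the correct term helps readers search for it.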
@ -369,7 +369,7 @@ These are like golden tickets forged in a way that **bypasses common golden tick
The Access Control List (ACL) of the **AdminSDHolder** object is used as a template to **copy** **permissions** to **all “protected groups”** in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins, Backup Operators and krbtgt.\ The Access Control List (ACL) of the **AdminSDHolder** object is used as a template to **copy** **permissions** to **all “protected groups”** in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins, Backup Operators and krbtgt.\
By default, the ACL of this group is copied inside all the "protected groups". This is done to avoid intentional or accidental changes to these critical groups. However, if an attacker **modifies the ACL** of the group **AdminSDHolder** for example, giving full permissions to a regular user, this user will have full permissions on all the groups inside the protected group (in an hour).\ By default, the ACL of this group is copied inside all the "protected groups". This is done to avoid intentional or accidental changes to these critical groups. However, if an attacker **modifies the ACL** of the group **AdminSDHolder** for example, giving full permissions to a regular user, this user will have full permissions on all the groups inside the protected group (in an hour).\
And if someone tries to delete this user from the Domain Admins (for example) in an hour or less, the user will be back in the group.\ And if someone tries to delete this user from the Domain Admins (for example) in an hour or less, the user will be back in the group.\
****[**More information about AdminDSHolder Group here.**](privileged-accounts-and-token-privileges.md#adminsdholder-group)**** [**More information about AdminDSHolder Group here.**](privileged-accounts-and-token-privileges.md#adminsdholder-group)
### DSRM Credentials ### DSRM Credentials
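Review bot: the link text on the edited line says "AdminDSHolder" while the paragraph above, the section being linked and its anchor (`#adminsdholder-group`) all use "AdminSDHolder"; the transposed letters should be fixed in the same line while the `****` is being removed. The phrase "all the groups inside the protected group" on the previous line also reads better as "all the protected groups and their members", which is what the first sentence of the paragraph describes.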

View file

@ -173,7 +173,7 @@ Notice that metasploit will try to abuse only the `openquery()` function in MSSQ
From **Linux** you could obtain a MSSQL console shell with **sqsh** and **mssqlclient.py.** From **Linux** you could obtain a MSSQL console shell with **sqsh** and **mssqlclient.py.**
From **Windows** you could also find the links and execute commands manually using a **MSSQL client like** [**HeidiSQL**](https://www.heidisql.com)**** From **Windows** you could also find the links and execute commands manually using a **MSSQL client like** [**HeidiSQL**](https://www.heidisql.com)
_Login using Windows authentication:_ _Login using Windows authentication:_

View file

@ -201,8 +201,8 @@ If we want to **enumerate Enterprise CAs** and their settings, one can query LDA
**Tools to enumerate vulnerable certificates:** **Tools to enumerate vulnerable certificates:**
* ****[**Certify**](https://github.com/GhostPack/Certify) is a C# tool that can **enumerate useful configuration and infrastructure information about of AD CS environments** and can request certificates in a variety of different ways. * [**Certify**](https://github.com/GhostPack/Certify) is a C# tool that can **enumerate useful configuration and infrastructure information about of AD CS environments** and can request certificates in a variety of different ways.
* ****[**Certipy**](https://github.com/ly4k/Certipy) is a **python** tool to be able to **enumerate and abuse** Active Directory Certificate Services (**AD CS**) **from any system** (with access to the DC) that can generate output for BloodHound created by [**Lyak**](https://twitter.com/ly4k\_) (good person better hacker) . * [**Certipy**](https://github.com/ly4k/Certipy) is a **python** tool to be able to **enumerate and abuse** Active Directory Certificate Services (**AD CS**) **from any system** (with access to the DC) that can generate output for BloodHound created by [**Lyak**](https://twitter.com/ly4k\_) (good person better hacker) .
```bash ```bash
# https://github.com/GhostPack/Certify # https://github.com/GhostPack/Certify
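Review bot: both tool bullets in this hunk keep wording slips after the `****` cleanup: "configuration and infrastructure information about of AD CS environments" should drop "of", and the Certipy line has a stray space before its final period and lower-case "python" where the tool name deserves "Python". The parenthetical "(good person better hacker)" is fine as the author's voice but sits between "created by" and the period, so the sentence order "is a Python tool created by Lyak ... that can enumerate and abuse AD CS" would read more cleanly.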

View file

@ -59,7 +59,7 @@ If a certificate template allowed for **Domain Computers** as enrolment principa
If an **attacker elevates privileges** on compromised system, the attacker can use the **SYSTEM** account to enrol in certificate templates that grant enrolment privileges to machine accounts (more information in [**THEFT3**](certificate-theft.md#machine-certificate-theft-via-dpapi-theft3)). If an **attacker elevates privileges** on compromised system, the attacker can use the **SYSTEM** account to enrol in certificate templates that grant enrolment privileges to machine accounts (more information in [**THEFT3**](certificate-theft.md#machine-certificate-theft-via-dpapi-theft3)).
You can use [**Certify**](https://github.com/GhostPack/Certify) **** to **** gather a certificate for the machine account elevating automatically to SYSTEM with: You can use [**Certify**](https://github.com/GhostPack/Certify) to gather a certificate for the machine account elevating automatically to SYSTEM with:
```bash ```bash
Certify.exe request /ca:dc.theshire.local/theshire-DC-CA /template:Machine /machine Certify.exe request /ca:dc.theshire.local/theshire-DC-CA /template:Machine /machine
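Review bot: "elevates privileges on compromised system" in the context line is missing an article ("on a compromised system"), and the edited sentence "gather a certificate for the machine account elevating automatically to SYSTEM" would be clearer as "request a certificate for the machine account, automatically elevating to SYSTEM", which matches what the `/machine` flag in the command below does.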

View file

@ -106,7 +106,7 @@ If you find a **PKCS#12** certificate file and it is **password protected**, you
So, if account authenticates and gets a **TGT through PKINIT**, there is a built-in “failsafe” that allows the current host to **obtain our NTLM hash from the TGT** to support legacy authentication. This involves **decrypting** a **`PAC_CREDENTIAL_DATA`** **structure** that is a Network Data Representation (NDR) serialized representation of the NTLM plaintext. So, if account authenticates and gets a **TGT through PKINIT**, there is a built-in “failsafe” that allows the current host to **obtain our NTLM hash from the TGT** to support legacy authentication. This involves **decrypting** a **`PAC_CREDENTIAL_DATA`** **structure** that is a Network Data Representation (NDR) serialized representation of the NTLM plaintext.
****[**Kekeo**](https://github.com/gentilkiwi/kekeo) can be used to ask for a TGT with this information an retrieve the users NTML [**Kekeo**](https://github.com/gentilkiwi/kekeo) can be used to ask for a TGT with this information an retrieve the users NTML
```bash ```bash
tgt::pac /caname:thename-DC-CA /subject:harmj0y /castore:current_user /domain:domain.local tgt::pac /caname:thename-DC-CA /subject:harmj0y /castore:current_user /domain:domain.local
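Review bot: the edited line "Kekeo can be used to ask for a TGT with this information an retrieve the users NTML" has three errors in one clause: "an" should be "and", "users" should be "user's", and "NTML" should be "NTLM hash" (the acronym is spelled correctly in the paragraph above). The context line's "if account authenticates" also needs "an account".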

View file

@ -34,7 +34,7 @@ You can also get the cert and private key using [**certipy**](https://github.com
certipy ca 'corp.local/administrator@ca.corp.local' -hashes :123123.. -backup certipy ca 'corp.local/administrator@ca.corp.local' -hashes :123123.. -backup
``` ```
Once you have the **CA cert** with the private key in `.pfx` format you can use [**ForgeCert**](https://github.com/GhostPack/ForgeCert) **** to create valid certificates: Once you have the **CA cert** with the private key in `.pfx` format you can use [**ForgeCert**](https://github.com/GhostPack/ForgeCert) to create valid certificates:
```bash ```bash
# Create new certificate with ForgeCert # Create new certificate with ForgeCert

View file

@ -17,11 +17,11 @@
</details> </details>
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
## Pass The Ticket (PTT) ## Pass The Ticket (PTT)
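Review bot: same inconsistency as in the stego file: the embed now points at `https://www.syncubes.com/` while the surrounding text still advertises "Security Hubs" and the asset is renamed to the collision-prone `../../.gitbook/assets/image.png`. Both hint blocks in this file (this hunk and the one at `-66`) should get the updated sponsor copy and a descriptive image name before merge, otherwise the page links one vendor under another vendor's description.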
@ -66,11 +66,11 @@ klist #List tickets in cache to cehck that mimikatz has loaded the ticket
{% endcode %} {% endcode %}
{% hint style="danger" %} {% hint style="danger" %}
<img src="../../.gitbook/assets/image (307).png" alt="" data-size="original"> <img src="../../.gitbook/assets/image.png" alt="" data-size="original">
Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. **Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
{% embed url="https://securityhubs.io/" %} {% embed url="https://www.syncubes.com/" %}
{% endhint %} {% endhint %}
<details> <details>

View file

@ -18,7 +18,7 @@
## SharpSystemTriggers ## SharpSystemTriggers
****[**SharpSystemTriggers**](https://github.com/cube0x0/SharpSystemTriggers) is a **collection** of **remote authentication triggers** coded in C# using MIDL compiler for avoiding 3rd party dependencies. [**SharpSystemTriggers**](https://github.com/cube0x0/SharpSystemTriggers) is a **collection** of **remote authentication triggers** coded in C# using MIDL compiler for avoiding 3rd party dependencies.
## Spooler Service Abuse ## Spooler Service Abuse

View file

@ -46,7 +46,7 @@ beacon> inject 4960 x64 tcp-local
## From that beacon you can just run powerview modules interacting with the external domain as that user ## From that beacon you can just run powerview modules interacting with the external domain as that user
``` ```
Check **other ways to steal sessions with other tools** [**in this page.**](../../network-services-pentesting/pentesting-rdp.md#session-stealing)**** Check **other ways to steal sessions with other tools** [**in this page.**](../../network-services-pentesting/pentesting-rdp.md#session-stealing)
## RDPInception ## RDPInception

View file

@ -218,7 +218,7 @@ ValueData : 0
Therefore, the goal of the AMSI bypasses you will are are to **overwrite the instructions of that DLL in memory to make the detection useless**. Therefore, the goal of the AMSI bypasses you will are are to **overwrite the instructions of that DLL in memory to make the detection useless**.
**AMSI bypass generator** web page: [**https://amsi.fail/**](https://amsi.fail/)**** **AMSI bypass generator** web page: [**https://amsi.fail/**](https://amsi.fail/)
```powershell ```powershell
# A Method # A Method
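Review bot: the context line "the goal of the AMSI bypasses you will are are to **overwrite the instructions of that DLL in memory**" is garbled; "you will see are to overwrite" is presumably what was meant. Since the next line is the one being edited, this sentence should be repaired in the same hunk so the section introducing the code block reads correctly.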

View file

@ -18,7 +18,7 @@
The most up-to-date version of PowerView will always be in the dev branch of PowerSploit: [https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1) The most up-to-date version of PowerView will always be in the dev branch of PowerSploit: [https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
****[**SharpView**](https://github.com/tevora-threat/SharpView) is a .NET port of [**PowerView**](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)**** [**SharpView**](https://github.com/tevora-threat/SharpView) is a .NET port of [**PowerView**](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
### Quick enumeration ### Quick enumeration

View file

@ -18,12 +18,12 @@
There are different different ways to execute commands in external systems, here you can find the explanations on how the main Windows lateral movements techniques work: There are different different ways to execute commands in external systems, here you can find the explanations on how the main Windows lateral movements techniques work:
* [**PsExec**](../ntlm/psexec-and-winexec.md)**** * [**PsExec**](../ntlm/psexec-and-winexec.md)
* [**SmbExec**](../ntlm/smbexec.md)**** * [**SmbExec**](../ntlm/smbexec.md)
* [**WmicExec**](../ntlm/wmicexec.md)**** * [**WmicExec**](../ntlm/wmicexec.md)
* [**AtExec / SchtasksExec**](../ntlm/atexec.md)**** * [**AtExec / SchtasksExec**](../ntlm/atexec.md)
* [**WinRM**](../ntlm/winrm.md)**** * [**WinRM**](../ntlm/winrm.md)
* [**DCOM Exec**](dcom-exec.md)**** * [**DCOM Exec**](dcom-exec.md)
<details> <details>
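Review bot: the context line "There are different different ways to execute commands in external systems" duplicates "different", and "lateral movements techniques" should be "lateral movement techniques"; the hunk only strips `****` from the six links that follow, so the introductory sentence would keep both slips.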

View file

@ -214,7 +214,7 @@ You can exploit this vulnerability using the tool [**WSUSpicious**](https://gith
## KrbRelayUp ## KrbRelayUp
This is essentially a universal no-fix **local privilege escalation** in windows **domain** environments where **LDAP signing is not enforced,** where the **user has self rights** (to configure **RBCD**) and where the **user can create computers in the domain.**\ This is essentially a universal no-fix **local privilege escalation** in windows **domain** environments where **LDAP signing is not enforced,** where the **user has self rights** (to configure **RBCD**) and where the **user can create computers in the domain.**\
****All the **requirements** are satisfied with **default settings**. All the **requirements** are satisfied with **default settings**.
Find the **exploit in** [**https://github.com/Dec0ne/KrbRelayUp**](https://github.com/Dec0ne/KrbRelayUp) Find the **exploit in** [**https://github.com/Dec0ne/KrbRelayUp**](https://github.com/Dec0ne/KrbRelayUp)
@ -1360,7 +1360,7 @@ Tools to extract passwords from browsers:
### **COM DLL Overwriting** ### **COM DLL Overwriting**
**Component Object Model (COM)** is a technology built within the Windows operating system that allows **intercommunication** between software components of different languages. **** Each COM component is **identified via a class ID (CLSID)** and each component exposes functionality via one or more interfaces, identified via interface IDs (IIDs). **Component Object Model (COM)** is a technology built within the Windows operating system that allows **intercommunication** between software components of different languages. Each COM component is **identified via a class ID (CLSID)** and each component exposes functionality via one or more interfaces, identified via interface IDs (IIDs).
COM classes and interfaces are defined in the registry under **HKEY\_**_**CLASSES\_**_**ROOT\CLSID** and **HKEY\_**_**CLASSES\_**_**ROOT\Interface** respectively. This registry is created by merging the **HKEY\_**_**LOCAL\_**_**MACHINE\Software\Classes** + **HKEY\_**_**CURRENT\_**_**USER\Software\Classes** = **HKEY\_**_**CLASSES\_**_**ROOT.** COM classes and interfaces are defined in the registry under **HKEY\_**_**CLASSES\_**_**ROOT\CLSID** and **HKEY\_**_**CLASSES\_**_**ROOT\Interface** respectively. This registry is created by merging the **HKEY\_**_**LOCAL\_**_**MACHINE\Software\Classes** + **HKEY\_**_**CURRENT\_**_**USER\Software\Classes** = **HKEY\_**_**CLASSES\_**_**ROOT.**
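Review bot: the context line after the changed one carries the same kind of export artifact this hunk is removing: `**HKEY\_**_**CLASSES\_**_**ROOT\CLSID**` is a mangled bold/italic nesting of the registry path `HKEY_CLASSES_ROOT\CLSID`, and the same applies to `HKEY_CLASSES_ROOT\Interface`, `HKEY_LOCAL_MACHINE\Software\Classes` and `HKEY_CURRENT_USER\Software\Classes` on that line. Suggest writing those four paths as code spans so the underscores no longer need escaping and the merge sentence reads as `HKEY_LOCAL_MACHINE\Software\Classes` + `HKEY_CURRENT_USER\Software\Classes` = `HKEY_CLASSES_ROOT`.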
@ -1433,7 +1433,7 @@ A `pipe` is a block of shared memory that processes can use for communication an
When a **client writes on a pipe**, the **server** that created the pipe can **impersonate** the **client** if it has **SeImpersonate** privileges. Then, if you can find a **privileged process that is going to write on any pipe that you can impersonate**, you could be able to **escalate privileges** impersonating that process after it writes inside your created pipe. [**You can read this to learn how to perform this attack**](named-pipe-client-impersonation.md) **or** [**this**](./#from-high-integrity-to-system)**.** When a **client writes on a pipe**, the **server** that created the pipe can **impersonate** the **client** if it has **SeImpersonate** privileges. Then, if you can find a **privileged process that is going to write on any pipe that you can impersonate**, you could be able to **escalate privileges** impersonating that process after it writes inside your created pipe. [**You can read this to learn how to perform this attack**](named-pipe-client-impersonation.md) **or** [**this**](./#from-high-integrity-to-system)**.**
**Also the following tool allows to intercept a named pipe communication with a tool like burp:** [**https://github.com/gabriel-sztejnworcel/pipe-intercept**](https://github.com/gabriel-sztejnworcel/pipe-intercept)**** **Also the following tool allows to intercept a named pipe communication with a tool like burp:** [**https://github.com/gabriel-sztejnworcel/pipe-intercept**](https://github.com/gabriel-sztejnworcel/pipe-intercept)
## From Administrator Medium to High Integrity Level / UAC Bypass ## From Administrator Medium to High Integrity Level / UAC Bypass
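Review bot: removing the trailing `****` after the pipe-intercept link is correct, but the sentence it sits on is ungrammatical and wholly bold for no reason: "**Also the following tool allows to intercept a named pipe communication with a tool like burp:**" should read "The following tool also allows intercepting named pipe communication with a tool like Burp:" (Burp is a product name), with bold kept only on the link if at all.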
@ -1511,7 +1511,7 @@ If you manages to **hijack a dll** being **loaded** by a **process** running as
[**Watson**](https://github.com/rasta-mouse/Watson) -- Search for known privesc vulnerabilities (needs to be compiled using VisualStudio) ([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\ [**Watson**](https://github.com/rasta-mouse/Watson) -- Search for known privesc vulnerabilities (needs to be compiled using VisualStudio) ([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\
[**SeatBelt**](https://github.com/GhostPack/Seatbelt) -- Enumerates the host searching for misconfigurations (more a gather info tool than privesc) (needs to be compiled) **(**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\ [**SeatBelt**](https://github.com/GhostPack/Seatbelt) -- Enumerates the host searching for misconfigurations (more a gather info tool than privesc) (needs to be compiled) **(**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\
[**LaZagne**](https://github.com/AlessandroZ/LaZagne) **-- Extracts credentials from lots of softwares (precompiled exe in github)**\ [**LaZagne**](https://github.com/AlessandroZ/LaZagne) **-- Extracts credentials from lots of softwares (precompiled exe in github)**\
****[**SharpUP**](https://github.com/GhostPack/SharpUp) **-- Port of PowerUp to C#**\ [**SharpUP**](https://github.com/GhostPack/SharpUp) **-- Port of PowerUp to C#**\
[~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) **\~\~**\~\~ -- Check for misconfiguration (executable precompiled in github). Not recommended. It does not work well in Win10.\ [~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) **\~\~**\~\~ -- Check for misconfiguration (executable precompiled in github). Not recommended. It does not work well in Win10.\
[~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- Check for possible misconfigurations (exe from python). Not recommended. It does not work well in Win10. [~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- Check for possible misconfigurations (exe from python). Not recommended. It does not work well in Win10.
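Review bot: the SharpUP line loses its stray leading `****`, but the Beroot line immediately below still carries equivalent debris, `**\~\~**\~\~` (an escaped empty strikethrough left over from the export), which should be dropped in the same cleanup. Also, the linked repository is GhostPack/SharpUp, so the label "SharpUP" should match that casing ("SharpUp").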