From ba748bd1ce7504a0c61e966b46b1fc569d2b17c5 Mon Sep 17 00:00:00 2001
From: CPol
Date: Mon, 26 Sep 2022 12:02:10 +0000
Subject: [PATCH] GitBook: [#3511] No subject
---
 1911-pentesting-fox.md | 2 +-
 .../partitions-file-systems-carving/README.md | 2 +-
 .../windows-forensics/README.md | 2 +-
 .../exfiltration.md | 6 +++---
 .../external-recon-methodology/README.md | 14 ++++++++++++++
 .../phishing-methodology/README.md | 2 +-
 .../macos-mdm/README.md | 2 +-
 mobile-pentesting/ios-pentesting/README.md | 2 +-
 .../5985-5986-pentesting-winrm.md | 13 ++++++++++++-
 .../iis-internet-information-services.md | 2 +-
 .../pentesting-web/wordpress.md | 2 +-
 pentesting-web/formula-doc-latex-injection.md | 2 +-
 pentesting-web/saml-attacks/README.md | 2 +-
 .../ad-certificates/domain-escalation.md | 4 ++--
 14 files changed, 41 insertions(+), 16 deletions(-)
diff --git a/1911-pentesting-fox.md b/1911-pentesting-fox.md
index ab42d26f8..30e9c3cba 100644
--- a/1911-pentesting-fox.md
+++ b/1911-pentesting-fox.md
@@ -22,7 +22,7 @@ dht udp "DHT Nodes"
 ![](<.gitbook/assets/image (273).png>)
-![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
+![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
 InfluxDB
diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
index 3f57e8ebe..0130d3efe 100644
--- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
@@ -61,7 +61,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig
 In order to mount an MBR in Linux you first need to get the start offset (you can use `fdisk` and the `p` command)
-![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1).png>)
+![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
 And then use the following code
diff --git a/forensics/basic-forensic-methodology/windows-forensics/README.md b/forensics/basic-forensic-methodology/windows-forensics/README.md
index 271ad0296..aa1adc29e 100644
--- a/forensics/basic-forensic-methodology/windows-forensics/README.md
+++ b/forensics/basic-forensic-methodology/windows-forensics/README.md
@@ -156,7 +156,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
 Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
-![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10) (3).png>)
+![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (12).png>)
 ### USB Detective
diff --git a/generic-methodologies-and-resources/exfiltration.md b/generic-methodologies-and-resources/exfiltration.md
index cdcb2940d..bfa5022dc 100644
--- a/generic-methodologies-and-resources/exfiltration.md
+++ b/generic-methodologies-and-resources/exfiltration.md
@@ -14,7 +14,7 @@
-\
+\
 **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
 {% embed url="https://go.intigriti.com/hacktricks" %}
@@ -159,7 +159,7 @@ echo bye >> ftp.txt
 ftp -n -v -s:ftp.txt
 ```
-\
+\
 **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
 {% embed url="https://go.intigriti.com/hacktricks" %}
@@ -371,7 +371,7 @@ Now we just copy-paste the text into our windows-shell. And it will automaticall
 * [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
-\
+\
 **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
 {% embed url="https://go.intigriti.com/hacktricks" %}
diff --git a/generic-methodologies-and-resources/external-recon-methodology/README.md b/generic-methodologies-and-resources/external-recon-methodology/README.md
index 6ddba6df4..e1b2572f9 100644
--- a/generic-methodologies-and-resources/external-recon-methodology/README.md
+++ b/generic-methodologies-and-resources/external-recon-methodology/README.md
@@ -595,6 +595,20 @@ _Note that the tools that expect to run all the database using the regular Googl
 If you find **valid leaked** credentials or API tokens, this is a very easy win.
+## Public Code Vulnerabilities
+
+If you found that the company has **open-source code** you can **analyse** it and search for **vulnerabilities** on it.
+
+**Depending on the language** there are different **tools** you can use:
+
+{% content-ref url="../../network-services-pentesting/pentesting-web/code-review-tools.md" %}
+[code-review-tools.md](../../network-services-pentesting/pentesting-web/code-review-tools.md)
+{% endcontent-ref %}
+
+There are also free services that allow you to **scan public repositories**, such as:
+
+* ****[**Snyk**](https://app.snyk.io/)****
+
 ## [**Pentesting Web Methodology**](../../network-services-pentesting/pentesting-web/)
 The **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../../network-services-pentesting/pentesting-web/).
diff --git a/generic-methodologies-and-resources/phishing-methodology/README.md b/generic-methodologies-and-resources/phishing-methodology/README.md
index d48ac1d9a..fa2b57c08 100644
--- a/generic-methodologies-and-resources/phishing-methodology/README.md
+++ b/generic-methodologies-and-resources/phishing-methodology/README.md
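Review bot: The single entry in the new services list, `* ****[**Snyk**](https://app.snyk.io/)****`, carries stray `****` bold markers on both sides of the link that render as literal asterisks; it should read `* [**Snyk**](https://app.snyk.io/)`. The section would also benefit from a one-sentence caveat after "search for **vulnerabilities** on it": a public repository may not match the version the target actually runs, so a finding in the source should be confirmed against the live system (version banner, reachable code path) before it is reported. Submitting a third party's code to a SaaS scanner is also an action that may fall outside a programme's rules, so a short "check the engagement scope first" remark next to the list would help a reader avoid that mistake.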
@@ -337,7 +337,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
 * Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
 * You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
-![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10).png>)
+![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
 {% hint style="info" %}
 It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md
index 709c6ba55..b2b06adbf 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md
@@ -142,7 +142,7 @@ The response is a JSON dictionary with some important data like:
 * Signed using the **device identity certificate (from APNS)**
 * **Certificate chain** includes expired **Apple iPhone Device CA**
-![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
+![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
 ### Step 6: Profile Installation
diff --git a/mobile-pentesting/ios-pentesting/README.md b/mobile-pentesting/ios-pentesting/README.md
index b4795304e..56cb6bb0e 100644
--- a/mobile-pentesting/ios-pentesting/README.md
+++ b/mobile-pentesting/ios-pentesting/README.md
@@ -723,7 +723,7 @@ You can collect console logs through the Xcode **Devices** window as follows:
 5. Reproduce the problem.
 6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
-![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10).png>)
+![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
 You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
diff --git a/network-services-pentesting/5985-5986-pentesting-winrm.md b/network-services-pentesting/5985-5986-pentesting-winrm.md
index 54b445a97..1642ea7aa 100644
--- a/network-services-pentesting/5985-5986-pentesting-winrm.md
+++ b/network-services-pentesting/5985-5986-pentesting-winrm.md
@@ -86,7 +86,13 @@ Invoke-Command -ComputerName -ScriptBlock {cmd /c "powershell -ep
 Or, if you want to drop right into an interactive PowerShell session, use the `Enter-PSSession` function:
-```ruby
+```powershell
+#If you need to use different creds
+$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
+## Note the ".\" in the suername to indicate it's a local user (host domain)
+$creds2=New-Object System.Management.Automation.PSCredential(".\student41", $password)
+
+# Enter
 Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local [-Credential username]
 ```
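Review bot: The credential object the new lines build, `$creds2`, is never consumed: the unchanged `Enter-PSSession` line that follows still ends in the placeholder `[-Credential username]`, so a reader who copies the block as written does not authenticate as `.\student41` at all. Wire it in, e.g. `Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -Credential $creds2`, or at least change the placeholder to `[-Credential $creds2]` so the two halves of the snippet refer to each other. The added comment has a typo, `suername` → `username`, and could state the prefix semantics more precisely, e.g. `## ".\" means the account is local to the target host rather than a domain account`. The hunk's closing fence is visible, so the block is complete here; only the trailing context after it is cut off.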
@@ -109,6 +115,11 @@ Now we can enter a remote PS session on the victim.
 This **won't work** if the the **language** is **constrained** in the remote computer.
 ```ruby
+#If you need to use different creds
+$password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force
+## Note the ".\" in the suername to indicate it's a local user (host domain)
+$creds2=New-Object System.Management.Automation.PSCredential(".\student41", $password)
+
 #You can save a session inside a variable
 $sess1 = New-PSSession -ComputerName [-SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)]
 #And restore it at any moment doing
diff --git a/network-services-pentesting/pentesting-web/iis-internet-information-services.md b/network-services-pentesting/pentesting-web/iis-internet-information-services.md
index 7dee92051..1e0ade9a8 100644
--- a/network-services-pentesting/pentesting-web/iis-internet-information-services.md
+++ b/network-services-pentesting/pentesting-web/iis-internet-information-services.md
@@ -332,7 +332,7 @@ C:\xampp\tomcat\conf\server.xml
 If you see an error like the following one:
-![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10).png>)
+![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>)
 It means that the server **didn't receive the correct domain name** inside the Host header.\
 In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
diff --git a/network-services-pentesting/pentesting-web/wordpress.md b/network-services-pentesting/pentesting-web/wordpress.md
index e0ef2bd16..b4d44aad9 100644
--- a/network-services-pentesting/pentesting-web/wordpress.md
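Review bot: As in the previous hunk, `$creds2` is defined but never passed on — the existing `$sess1 = New-PSSession -ComputerName [-SessionOption ...]` line below the new lines does not take it, so the added block changes nothing about how the session authenticates; add `-Credential $creds2` to that command. The surrounding fence is still tagged ```` ```ruby ```` although the sibling block in the first hunk was switched to ```` ```powershell ````; the two should match so this block is highlighted as PowerShell too. The `suername` typo is repeated here, and the context line above it reads `if the the **language**`, which could be fixed in the same pass. Since the credential block is now duplicated verbatim a few lines apart, consider keeping it once and referring back to it rather than pasting it twice.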
+++ b/network-services-pentesting/pentesting-web/wordpress.md
@@ -211,7 +211,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
 ```
-![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
+![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
 ![](<../../.gitbook/assets/image (102).png>)
diff --git a/pentesting-web/formula-doc-latex-injection.md b/pentesting-web/formula-doc-latex-injection.md
index 67247b33a..7414b872c 100644
--- a/pentesting-web/formula-doc-latex-injection.md
+++ b/pentesting-web/formula-doc-latex-injection.md
@@ -55,7 +55,7 @@ The good news is that **this payload is executed automatically when the file is
 It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
-![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
+![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
 ### More
diff --git a/pentesting-web/saml-attacks/README.md b/pentesting-web/saml-attacks/README.md
index e41382bcf..b337f32b5 100644
--- a/pentesting-web/saml-attacks/README.md
+++ b/pentesting-web/saml-attacks/README.md
@@ -22,7 +22,7 @@
 ## Attacks Graphic
-![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (10).png>)
+![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>)
 ## Tool
diff --git a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
index bd3d00b2f..ee6929afe 100644
--- a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
+++ b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
@@ -522,7 +522,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w
 First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
-
+
Next, we change the `userPrincipalName` of `Jane` to be `Administrator`. Notice that we’re leaving out the `@corp.local` part.
@@ -553,7 +553,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w
 First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
-
+
Next, we change the `userPrincipalName` of `Jane` to be `DC$@corp.local`.