GitBook: [#3441] No subject
Binary files in this commit (the rendered view names only the files added as new):

* .gitbook/assets/image (1) (1) (1) (1).png: new file, 1.6 KiB
* .gitbook/assets/image (13) (2).png: new file, 57 KiB
* .gitbook/assets/image (2) (4).png: new file, 76 KiB
* .gitbook/assets/image (6) (2).png: new file, 55 KiB
* .gitbook/assets/image (9) (2).png: new file, 126 KiB
* further image assets modified or removed; the rendered view shows only their before/after sizes, not their paths
@ -1,7 +1,7 @@
# Linux Forensics

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
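Review bot: the commit message is empty (the page title reads "No subject"), so nothing explains why `image (1).png` is swapped for `image (9).png` in this banner, and the identical swap is repeated verbatim in every file of the diff. Please add a message naming the asset being replaced, and consider keeping this banner as one shared snippet so that a future asset change touches one place rather than every page.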
@ -168,7 +168,7 @@ ThisisTheMasterSecret
```

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -233,7 +233,7 @@ find /sbin/ –exec rpm -qf {} \; | grep "is not"
```

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -376,7 +376,7 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -466,7 +466,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

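Review bot: the unchanged context line "If you are interested in **hacking carer** and hack the unhackable" carries two typos ("carer" for "career", "polish" for "Polish") that this commit re-touches without fixing; since the banner is being edited anyway, a follow-up could correct them. This banner also embeds its images as raw `<img ... data-size="original">` tags while the Trickest banner in the other files uses markdown `![](<...>)`; settling on one form makes future asset swaps a single find-and-replace.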
@ -238,7 +238,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
* [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)

{% hint style="danger" %}
<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

@ -1,7 +1,7 @@
# Brute Force - CheatSheet

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -84,7 +84,7 @@ python3 cupp.py -h
* [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm**](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm)

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -441,7 +441,7 @@ crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
```

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -641,7 +641,7 @@ crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
```

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -808,7 +808,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -1,7 +1,7 @@
# Python Sandbox Escape & Pyscript

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -51,7 +51,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -1,7 +1,7 @@
# Bypass Python sandboxes

{% hint style="danger" %}
![](<../../../.gitbook/assets/image (1).png>)
![](<../../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -322,7 +322,7 @@ with (a as b):
```

{% hint style="danger" %}
![](<../../../.gitbook/assets/image (1).png>)
![](<../../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -710,7 +710,7 @@ You can check the output of this script in this page:
{% endcontent-ref %}

{% hint style="danger" %}
![](<../../../.gitbook/assets/image (1).png>)
![](<../../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -1118,7 +1118,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../../../.gitbook/assets/image (1).png>)
![](<../../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -1,7 +1,7 @@
# venv

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -62,7 +62,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -1,7 +1,7 @@
# Web Requests

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -142,7 +142,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -1,7 +1,7 @@
# Search Exploits

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -85,7 +85,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -1,7 +1,7 @@
# Docker Basics & Breakout

{% hint style="danger" %}
![](<../../../.gitbook/assets/image (1).png>)
![](<../../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -124,7 +124,7 @@ tar -zcvf private_keys_backup.tar.gz ~/.docker/trust/private
When I changed Docker host, I had to move the root keys and repository keys to operate from the new host.

{% hint style="danger" %}
![](<../../../.gitbook/assets/image (1).png>)
![](<../../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -254,7 +254,7 @@ docker run -it --security-opt=no-new-privileges:true nonewpriv
For more **`--security-opt`** options check: [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)

{% hint style="danger" %}
![](<../../../.gitbook/assets/image (1).png>)
![](<../../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -397,7 +397,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../../../.gitbook/assets/image (1).png>)
![](<../../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -1,7 +1,7 @@
# Useful Linux Commands

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -148,7 +148,7 @@ sudo chattr -i file.txt #Remove the bit so you can delete it
```

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -327,7 +327,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -1,7 +1,7 @@
# Android Applications Pentesting

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -63,7 +63,7 @@ adb pull /data/app/com.android.insecurebankv2- Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
```

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -246,7 +246,7 @@ An application may contain secrets (API keys, passwords, hidden urls, subdomains
{% endcontent-ref %}

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -496,7 +496,7 @@ Probably you know about this kind of vulnerabilities from the Web. You have to b
* [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags)

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -687,7 +687,7 @@ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3

### [MARA Framework](https://github.com/xtiankisutsa/MARA\_Framework)

![](<../../.gitbook/assets/image (81) (1).png>)
![](<../../.gitbook/assets/image (81).png>)

**MARA** is a **M**obile **A**pplication **R**everse engineering and **A**nalysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals.

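Review bot: this hunk runs in the opposite direction from the banner hunks: it drops a suffix (`image (81) (1).png` to `image (81).png`) instead of adding one, and with the commit message empty there is no way to tell from the diff whether the two files hold the same picture. Confirm that `image (81).png` still exists under `.gitbook/assets` after this commit (it is not among the binaries listed as added at the top of the page) and that the MARA section renders, before merging.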
@ -705,7 +705,7 @@ It is able to:
Useful to detect malware: [https://koodous.com/](https://koodous.com)

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -802,7 +802,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../../.gitbook/assets/image (1).png>)
![](<../../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).


@ -154,7 +154,7 @@ In this tutorial you have hooked methods using the name of the mathod and _.impl
You can see that in [the next tutorial](frida-tutorial-2.md).

{% hint style="danger" %}
<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

@ -127,7 +127,7 @@ This is also usefull if somehow you are **unable to get some readable source cod
android hooking list activities
```

![](<../../../.gitbook/assets/image (78) (1).png>)
![](<../../../.gitbook/assets/image (78).png>)

```
android hooking list services
@ -1,7 +1,7 @@
# Android APK Checklist

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -97,7 +97,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
<img src="../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).


@ -67,7 +67,7 @@ Content-Length: 267
* `port:15672 http`

{% hint style="danger" %}
<img src="../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

@ -1,7 +1,7 @@
# 8086 - Pentesting InfluxDB

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -164,7 +164,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -1,7 +1,7 @@
# 5432,5433 - Pentesting Postgresql

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -99,7 +99,7 @@ ORDER BY 1;
```

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -179,7 +179,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -16,7 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

</details>

<img src="../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

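Review bot: unlike the equivalent hunks in the other files, the hiring banner here is not wrapped in `{% hint style="danger" %}`: the `<img>` lines follow `</details>` directly. If the hint box is intended on every page, this file is missing it; if it was dropped on purpose, a line in the commit message saying so would stop the next editor from re-adding it.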
@ -311,7 +311,7 @@ id_rsa
* You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)

<img src="../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).


@ -47,7 +47,7 @@ inurl:status EJInvokerServlet
```

{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).


@ -127,7 +127,7 @@ find / -name "config.php" 2>/dev/null | grep "moodle/config.php"
```

{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

@ -1,7 +1,7 @@
# Command Injection

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -101,7 +101,7 @@ Here are the top 25 parameters that could be vulnerable to code injection and si
```

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -187,7 +187,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
<img src="../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).


@ -212,7 +212,7 @@ The best prevention technique is to not use users input directly inside response
* [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)

{% hint style="danger" %}
<img src="../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).


@ -202,7 +202,7 @@ out of band request with the current username
* [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)

{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

@ -1,7 +1,7 @@
# Email Injections

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -118,7 +118,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).


@ -96,7 +96,7 @@ php vuln.php
{% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %}

{% hint style="danger" %}
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">

If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

@ -1,7 +1,7 @@
# NoSQL injection

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -121,7 +121,7 @@ Using the **$func** operator of the [MongoLite](https://github.com/agentejo/cock
![](<../.gitbook/assets/image (468).png>)

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

@ -272,7 +272,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>

{% hint style="danger" %}
![](<../.gitbook/assets/image (1).png>)
![](<../.gitbook/assets/image (9).png>)

\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -1,7 +1,7 @@
|
|||
# Race Condition
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
![](<../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -125,7 +125,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
![](<../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Rate Limit Bypass
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
![](<../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -84,7 +84,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
![](<../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# XS-Search
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
![](<../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -84,7 +84,7 @@ You can access the tool in [https://xsinator.com/](https://xsinator.com/)
|
|||
{% endhint %}
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
![](<../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -196,7 +196,7 @@ You can perform the same attack with **`portal`** tags.
|
|||
Applications often use [postMessage broadcasts](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) to share information with other origins. Listening to this messages one could find **sensitive info** (potentially if the the `targetOrigin` param is not used). Also, the fact of receiving some message can be **used as an oracle** (you only receive this kind of message if you are logged in).
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
![](<../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
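Review bot: the postMessage context line reads "Listening to this messages one could find **sensitive info** (potentially if the the `targetOrigin` param is not used)"; since the block is being edited, fix it to "Listening to these messages" and drop the doubled "the the".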
@ -278,7 +278,7 @@ Browsers use sockets to communicate with servers. As the operating system and th
|
|||
For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/)
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
![](<../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -817,7 +817,7 @@ In an execution timing it's possible to **eliminate** **network factors** to obt
|
|||
* **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks)
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
![](<../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -935,7 +935,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
![](<../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -117,7 +117,7 @@ The **security descriptor** configured on the **Enterprise CA** defines these ri
|
|||
|
||||
This ultimately ends up setting the Security registry value in the key **`HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration<CA NAME>`** on the CA server. We have encountered several AD CS servers that grant low-privileged users remote access to this key via remote registry:
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (6) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Low-privileged users can also **enumerate this via DCOM** using the `ICertAdminD2` COM interface’s `GetCASecurity` method. However, normal Windows clients need to install the Remote Server Administration Tools (RSAT) to use it since the COM interface and any COM objects that implement it are not present on Windows by default.
|
||||
|
||||
|
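Review bot: the registry path in the context line, `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration<CA NAME>`, is missing the backslash between `Configuration` and `<CA NAME>` (most likely the markdown swallowed a `\<`); it should read `Configuration\<CA NAME>` inside the code span, escaped so the separator survives rendering. On the figure change, `image (6).png` becomes `image (6) (2).png` here because `image (6).png` is reassigned to the `Certify.exe cas` output further down in this diff; please check the rendered page still shows the remote-registry screenshot at this spot and not the Certify output.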
@ -129,7 +129,7 @@ Other requirements could be in place to control who can get a certificate.
|
|||
|
||||
**CA certificate manager approval** results in the certificate template setting the `CT_FLAG_PEND_ALL_REQUESTS` (0x2) bit on the AD object’s `msPKI-EnrollmentFlag` attribute. This puts all **certificate requests** based on the template into the **pending state** (visible in the “Pending Requests” section in `certsrv.msc`), which requires a certificate manager to **approve or deny** the request before the certificate is issued:
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (13).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (13) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
#### Enrolment Agents, Authorized Signatures, and Application Policies
|
||||
|
||||
|
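Review bot: style point on the carried heading `#### Enrolment Agents, Authorized Signatures, and Application Policies`: it uses the British spelling while the surrounding text and the attribute names it relies on (`msPKI-EnrollmentFlag`) use "Enrollment"; pick one spelling for the page.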
@ -175,7 +175,7 @@ The “NTAUTH certificate store” mentioned here refers to an AD object AD CS i
|
|||
|
||||
This means that when **AD CS creates a new CA** (or it renews CA certificates), it publishes the new certificate to the **`NTAuthCertificates`** object by adding the new certificate to the object’s `cacertificate` attribute:
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (9).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (9) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
During certificate authentication, the DC can then verify that the authenticating certificate chains to a CA certificate defined by the **`NTAuthCertificates`** object. CA certificates in the **`NTAuthCertificates`** object must in turn chain to a root CA. The big takeaway here is the **`NTAuthCertificates`** object is the root of trust for certificate authentication in Active Directory!
|
||||
|
||||
|
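Review bot: the context line names the attribute `cacertificate`; its LDAP display name is `cACertificate`, and that casing should be used consistently (the DPERSIST2 text added later in this same diff writes it the same lowercase way). On the change, this figure is moved from `image (9).png` to `image (9) (2).png` because `image (9).png` is taken over by the sponsor banner on every other page in this commit; verify that the NTAuthCertificates screenshot, and not the banner, is what renders here.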
@ -184,13 +184,13 @@ During certificate authentication, the DC can then verify that the authenticatin
|
|||
Schannel is the security support provider (SSP) Windows leverages when establishing TLS/SSL connections. Schannel supports **client authentication** (amongst many other capabilities), enabling a remote server to **verify the identity of the connecting user**. It accomplishes this using PKI, with certificates being the primary credential.\
|
||||
During the **TLS handshake**, the server **requests a certificate from the client** for authentication. The client, having previously been issued a client authentication certificate from a CA the server trusts, sends its certificate to the server. The **server then validates** the certificate is correct and grants the user access assuming everything is okay.
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (8) (2).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (8).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
When an account authenticates to AD using a certificate, the DC needs to somehow map the certificate credential to an AD account. **Schannel** first attempts to **map** the **credential** to a **user** account use Kerberos’s **S4U2Self** functionality. \
|
||||
If that is **unsuccessful**, it will follow the attempt to map the **certificate to a user** account using the certificate’s **SAN extension**, a combination of the **subject** and **issuer** fields, or solely from the issuer. By default, not many protocols in AD environments support AD authentication via Schannel out of the box. WinRM, RDP, and IIS all support client authentication using Schannel, but it **requires additional configuration**, and in some cases – like WinRM – does not integrate with Active Directory.\
|
||||
One protocol that does commonly work – assuming AD CS has been setup - is **LDAPS**. The cmdlet `Get-LdapCurrentUser` demonstrates how one can authenticate to LDAP using .NET libraries. The cmdlet performs an LDAP “Who am I?” extended operation to display the currently authenticating user:
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (2) (1).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../.gitbook/assets/image (2) (4).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
## AD CS Enumeration
|
||||
|
||||
|
|
|
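Review bot: grammar in the carried context lines: "attempts to **map** the **credential** to a **user** account use Kerberos's **S4U2Self**" should be "using Kerberos's S4U2Self", "it will follow the attempt to map" reads better as "it will then attempt to map", and "assuming AD CS has been setup" should be "set up". The two figure swaps in this hunk run in opposite directions (`image (8) (2).png` becomes `image (8).png` while `image (2) (1).png` becomes `image (2) (4).png`), and `image (8).png` is at the same time vacated on the AD CS enumeration page (its CA Security-tab figure moves to `image (73).png`), so both screenshots here, the TLS client-authentication diagram and the `Get-LdapCurrentUser` output, need a visual check after merge.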
@ -192,7 +192,7 @@ certutil -config "CA_HOST\CA_NAME" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJ
|
|||
|
||||
A certificate authority itself has a **set of permissions** that secure various **CA actions**. These permissions can be access from `certsrv.msc`, right clicking a CA, selecting properties, and switching to the Security tab:
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (8).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (73).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
This can also be enumerated via [**PSPKI’s module**](https://www.pkisolutions.com/tools/pspki/) with `Get-CertificationAuthority | Get-CertificationAuthorityAcl`:
|
||||
|
||||
|
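Review bot: "These permissions can be access from `certsrv.msc`" in the context line should read "can be accessed from". The figure reference here goes from `image (8).png` to `image (73).png`, and the very next hunk moves `image (73).png` on to `image (70).png`; with one name used as both a new and an old target inside the same commit it is easy for the Security-tab screenshot and the PSPKI `Get-CertificationAuthorityAcl` output to end up swapped, so please confirm which picture renders at each spot.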
@ -204,9 +204,9 @@ The two main rights here are the **`ManageCA`** right and the **`ManageCertifica
|
|||
|
||||
If you have a principal with **`ManageCA`** rights on a **certificate authority**, we can use **PSPKI** to remotely flip the **`EDITF_ATTRIBUTESUBJECTALTNAME2`** bit to **allow SAN** specification in any template ([ECS6](domain-escalation.md#editf\_attributesubjectaltname2-esc6)):
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (73).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (70).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
This is also possible in a simpler form with [**PSPKI’s Enable-PolicyModuleFlag**](https://www.sysadmins.lv/projects/pspki/enable-policymoduleflag.aspx) cmdlet.
|
||||
|
||||
|
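Review bot: the link label in the carried context, `([ECS6](domain-escalation.md#editf\_attributesubjectaltname2-esc6))`, says ECS6 while the anchor it points at and the technique name are ESC6; fix the label. The same sentence also switches person mid-way ("If you have a principal ... we can use **PSPKI**"); use one. On the figure changes, `image (2).png` becomes `image (1).png` and `image (73).png` becomes `image (70).png`: `image (1).png` is the name the sponsor banner is being moved away from across the rest of this commit and `image (2).png` is reassigned to the `certutil -enrollmentServerURL` output below, so both PSPKI screenshots in this block need a visual check.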
@ -261,7 +261,7 @@ Another limitation of NTLM relay attacks is that they **require a victim account
|
|||
Certify.exe cas
|
||||
```
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (78).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Enterprise CAs also **store CES endpoints** in their AD object in the `msPKI-Enrollment-Servers` property. **Certutil.exe** and **PSPKI** can parse and list these endpoints:
|
||||
|
||||
|
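Review bot: the figure under `Certify.exe cas` is changed from `image (78).png` to `image (6).png`, and `image (6).png` is the name the remote-registry screenshot on the AD CS page gives up (to `image (6) (2).png`) in this same commit; confirm the picture shown here is the Certify output and not the registry screenshot.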
@ -269,14 +269,14 @@ Enterprise CAs also **store CES endpoints** in their AD object in the `msPKI-Enr
|
|||
certutil.exe -enrollmentServerURL -config CORPDC01.CORP.LOCAL\CORP-CORPDC01-CA
|
||||
```
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
```powershell
|
||||
Import-Module PSPKI
|
||||
Get-CertificationAuthority | select Name,Enroll* | Format-List *
|
||||
```
|
||||
|
||||
<figure><img src="../../../.gitbook/assets/image (81).png" alt=""><figcaption></figcaption></figure>
|
||||
<figure><img src="../../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
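Review bot: inside this single hunk `image.png` is both an old name (replaced by `image (2).png` under the `certutil.exe -enrollmentServerURL` command) and a new name (replacing `image (81).png` under the PSPKI `Get-CertificationAuthority | select Name,Enroll*` command); with a bare `image.png` reused this way the two screenshots are easy to swap, so check the rendered page, and consider naming these assets after their content rather than relying on the generated numbering.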
@ -16,11 +16,57 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## Forging Certificates with Stolen CA Certificates - DPERSIST1
|
||||
|
||||
How can you tell that a certificate is a CA certificate?
|
||||
|
||||
* The CA certificate exists on the **CA server itself**, with its **private key protected by machine DPAPI** (unless the OS uses a TPM/HSM/other hardware for protection).
|
||||
* The **Issuer** and **Subject** for the cert are both set to the **distinguished name of the CA**.
|
||||
* CA certificates (and only CA certs) **have a “CA Version” extension**.
|
||||
* There are **no EKUs**
|
||||
|
||||
The built-in GUI supported way to **extract this certificate private key** is with `certsrv.msc` on the CA server.\
|
||||
However, this certificate **isn't different** from other certificates stored in the system, so for example check the [**THEFT2 technique**](certificate-theft.md#user-certificate-theft-via-dpapi-theft2) to see how to **extract** them.
|
||||
|
||||
Once you have the **CA cert** with the private key in `.pfx` format you can use [**ForgeCert**](https://github.com/GhostPack/ForgeCert) **** to create valid certificates:
|
||||
|
||||
```bash
|
||||
# Create new certificate with ForgeCert
|
||||
ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword Password123! --Subject "CN=User" --SubjectAltName localadmin@theshire.local --NewCertPath localadmin.pfx --NewCertPassword Password123!
|
||||
|
||||
# Use new certificate with Rubeus to authenticate
|
||||
Rubeus.exe asktgt /user:localdomain /certificate:C:\ForgeCert\localadmin.pfx /password:Password123!
|
||||
```
|
||||
|
||||
{% hint style="warning" %}
|
||||
**Note**: The target **user** specified when forging the certificate needs to be **active/enabled** in AD and **able to authenticate** since an authentication exchange will still occur as this user. Trying to forge a certificate for the krbtgt account, for example, will not work.
|
||||
{% endhint %}
|
||||
|
||||
This forged certificate will be **valid** until the end date specified and as **long as the root CA certificate is valid** (usually from 5 to **10+ years**). It's also valid for **machines**, so combined with **S4U2Self**, an attacker can **maintain persistence on any domain machine** for as long as the CA certificate is valid.\
|
||||
Moreover, the **certificates generated** with this method **cannot be revoked** as CA is not aware of them.
|
||||
|
||||
## Trusting Rogue CA Certificates - DPERSIST2
|
||||
|
||||
The object `NTAuthCertificates` defines one or more **CA certificates** in its `cacertificate` **attribute** and AD uses it: During authentication, the **domain controller** checks if **`NTAuthCertificates`** object **contains** an entry for the **CA specified** in the authenticating **certificate’s** Issuer field. If **it is, authentication proceeds**.
|
||||
|
||||
An attacker could generate a **self-signed CA certificate** and **add** it to the **`NTAuthCertificates`** object. Attackers can do this if they have **control** over the **`NTAuthCertificates`** AD object (in default configurations only **Enterprise Admin** group members and members of the **Domain Admins** or **Administrators** in the **forest root’s domain** have these permissions). With the elevated access, one can **edit** the **`NTAuthCertificates`** object from any system with `certutil.exe -dspublish -f C:\Temp\CERT.crt NTAuthCA126` , or using the [**PKI Health Tool**](https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/import-third-party-ca-to-enterprise-ntauth-store#method-1---import-a-certificate-by-using-the-pki-health-tool). 
|
||||
|
||||
The specified certificate should **work with the previously detailed forgery method with ForgeCert** to generate certificates on demand.
|
||||
|
||||
## Malicious Misconfiguration - DPERSIST3
|
||||
|
||||
There is a myriad of opportunities for **persistence** via **security descriptor modifications of AD CS** components. Any scenario described in the “[Domain Escalation](domain-escalation.md)” section could be maliciously implemented by an attacker with elevated access, as well as addition of “control rights'' (i.e., WriteOwner/WriteDACL/etc.) to sensitive components. This includes:
|
||||
|
||||
* **CA server’s AD computer** object
|
||||
* The **CA server’s RPC/DCOM server**
|
||||
* Any **descendant AD object or container** in the container **`CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<COM>`** (e.g., the Certificate Templates container, Certification Authorities container, the NTAuthCertificates object, etc.)
|
||||
* **AD groups delegated rights to control AD CS by default or by the current organization** (e.g., the built-in Cert Publishers group and any of its members)
|
||||
|
||||
For example, an attacker with **elevated permissions** in the domain could add the **`WriteOwner`** permission to the default **`User`** certificate template, where the attacker is the principal for the right. To abuse this at a later point, the attacker would first modify the ownership of the **`User`** template to themselves, and then would **set** **`mspki-certificate-name-flag`** to **1** on the template to enable **`ENROLLEE_SUPPLIES_SUBJECT`** (i.e., allowing a user to supply a Subject Alternative Name in the request). The attacker could then **enroll** in the **template**, specifying a **domain administrator** name as an alternative name, and use the resulting certificate for authentication as the DA.
|
||||
|
||||
## References
|
||||
|
||||
* All the information of this page was taken from [https://www.specterops.io/assets/resources/Certified\_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified\_Pre-Owned.pdf)
|
||||
|
||||
<details>
|
||||
|
||||
|
|
|
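Review bot: the Rubeus line in the added code block, `Rubeus.exe asktgt /user:localdomain /certificate:C:\ForgeCert\localadmin.pfx /password:Password123!`, requests a TGT as `localdomain`, but the certificate forged on the line above carries `--SubjectAltName localadmin@theshire.local`; the user named in the request has to match the identity in the forged certificate, so this should be `/user:localadmin`. In the DPERSIST2 paragraph, `certutil.exe -dspublish -f C:\Temp\CERT.crt NTAuthCA126` should end in `NTAuthCA`; the trailing 126 looks like a footnote number carried over from the PDF cited under References. Smaller points in the added text: the stray empty `****` after the ForgeCert link, the mismatched quotes in “control rights'', and `cacertificate`, whose LDAP display name is `cACertificate`. The sentence "the **certificates generated** with this method **cannot be revoked** as CA is not aware of them" would be clearer if it said why in the same breath: the CA never issued them, so they never appear in its database and cannot be placed on its CRL.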
@ -1,7 +1,7 @@
|
|||
# DCSync
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
![](<../../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -45,7 +45,7 @@ Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveG
|
|||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
![](<../../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -106,7 +106,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
![](<../../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -87,13 +87,13 @@ In the previous flow it was used the trust hash instead of the **clear text pass
|
|||
|
||||
The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes ‘\x00’:
|
||||
|
||||
![](<../../.gitbook/assets/image (2) (1) (2).png>)
|
||||
![](<../../.gitbook/assets/image (2) (1).png>)
|
||||
|
||||
Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable.
|
||||
|
||||
The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins:
|
||||
|
||||
![](<../../.gitbook/assets/image (1) (1) (2).png>)
|
||||
![](<../../.gitbook/assets/image (1) (1) (1).png>)
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
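Review bot: the two figures in this hunk land on `image (2) (1).png` and `image (1) (1) (1).png`, both names that are given up elsewhere in this commit (`image (2) (1).png` by the AD CS `Get-LdapCurrentUser` figure, `image (1) (1) (1).png` by the hiring banner); confirm that the mimikatz `[ CLEAR ]` output and the Domain Admins query screenshots render here rather than the banner. Style point in the carried context: "\[ CLEAR ]" escapes the opening bracket but not the closing one; writing it as a code span, `[ CLEAR ]`, avoids the escape altogether.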
@ -1,7 +1,7 @@
|
|||
# Kerberoast
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
![](<../../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -77,7 +77,7 @@ When a TGS is requested, Windows event `4769 - A Kerberos service ticket was req
|
|||
{% endhint %}
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
![](<../../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -144,7 +144,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
![](<../../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
|
||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||
|
||||
|
@ -175,7 +175,7 @@ mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.loc
|
|||
{% endcontent-ref %}
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
|
||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# ACLs - DACLs/SACLs/ACEs
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
![](<../../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -83,7 +83,7 @@ The canonical order ensures that the following takes place:
|
|||
* All **explicit ACEs are processed before any inherited ACE**. This is consistent with the concept of discretionary access control: access to a child object (for example a file) is at the discretion of the child's owner, not the owner of the parent object (for example a folder). The owner of a child object can define permissions directly on the child. The result is that the effects of inherited permissions are modified.
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
![](<../../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
@ -209,7 +209,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
![](<../../.gitbook/assets/image (9).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
|
|
|
@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
|
||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||
|
||||
|
@ -224,7 +224,7 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser
|
|||
```
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
|
||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
</details>
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
|
||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||
|
||||
|
@ -358,7 +358,7 @@ Find more Autoruns like registries in [https://www.microsoftpressstore.com/artic
|
|||
* [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2)
|
||||
|
||||
{% hint style="danger" %}
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="original">
|
||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
|
||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||
|
||||
|
|