diff --git a/.gitbook/assets/image (13) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (13) (1) (1) (1) (1) (1).png
deleted file mode 100644
index c2205b356..000000000
Binary files a/.gitbook/assets/image (13) (1) (1) (1) (1) (1).png and /dev/null differ
diff --git a/.gitbook/assets/image (13) (1) (1) (1) (1).png b/.gitbook/assets/image (13) (1) (1) (1) (1).png
index ffd8adf04..c2205b356 100644
Binary files a/.gitbook/assets/image (13) (1) (1) (1) (1).png and b/.gitbook/assets/image (13) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (13) (1) (1) (1) (3).png b/.gitbook/assets/image (13) (1) (1) (1) (3).png
new file mode 100644
index 000000000..ffd8adf04
Binary files /dev/null and b/.gitbook/assets/image (13) (1) (1) (1) (3).png differ
diff --git a/exploiting/linux-exploiting-basic-esp/README.md b/exploiting/linux-exploiting-basic-esp/README.md
index cb26f1b6e..eed9e1d40 100644
--- a/exploiting/linux-exploiting-basic-esp/README.md
+++ b/exploiting/linux-exploiting-basic-esp/README.md
@@ -401,7 +401,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**
Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`
- (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
+ (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:
diff --git a/generic-methodologies-and-resources/exfiltration.md b/generic-methodologies-and-resources/exfiltration.md
index 83ecb104d..bfa5022dc 100644
--- a/generic-methodologies-and-resources/exfiltration.md
+++ b/generic-methodologies-and-resources/exfiltration.md
@@ -14,7 +14,7 @@
-\
+\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@@ -159,7 +159,7 @@ echo bye >> ftp.txt
ftp -n -v -s:ftp.txt
```
-\
+\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@@ -371,7 +371,7 @@ Now we just copy-paste the text into our windows-shell. And it will automaticall
* [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
-\
+\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
diff --git a/generic-methodologies-and-resources/phishing-methodology/README.md b/generic-methodologies-and-resources/phishing-methodology/README.md
index fa9cf719f..fa2b57c08 100644
--- a/generic-methodologies-and-resources/phishing-methodology/README.md
+++ b/generic-methodologies-and-resources/phishing-methodology/README.md
@@ -337,7 +337,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
- (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>)
+ (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
{% hint style="info" %}
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md
index 709c6ba55..b2b06adbf 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-mdm/README.md
@@ -142,7 +142,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate (from APNS)**
* **Certificate chain** includes expired **Apple iPhone Device CA**
- (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
+ (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
### Step 6: Profile Installation
diff --git a/mobile-pentesting/ios-pentesting/README.md b/mobile-pentesting/ios-pentesting/README.md
index 8525b44ac..56cb6bb0e 100644
--- a/mobile-pentesting/ios-pentesting/README.md
+++ b/mobile-pentesting/ios-pentesting/README.md
@@ -723,7 +723,7 @@ You can collect console logs through the Xcode **Devices** window as follows:
5. Reproduce the problem.
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
- (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png>)
+ (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
diff --git a/network-services-pentesting/pentesting-web/iis-internet-information-services.md b/network-services-pentesting/pentesting-web/iis-internet-information-services.md
index 4af169ebf..1e0ade9a8 100644
--- a/network-services-pentesting/pentesting-web/iis-internet-information-services.md
+++ b/network-services-pentesting/pentesting-web/iis-internet-information-services.md
@@ -332,7 +332,7 @@ C:\xampp\tomcat\conf\server.xml
If you see an error like the following one:
- (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (11).png>)
+ (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>)
It means that the server **didn't receive the correct domain name** inside the Host header.\
In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
diff --git a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
index f0958e677..927bdc99e 100644
--- a/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
+++ b/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
@@ -402,6 +402,19 @@ Some examples of common files calling a spawn function when imported are:
* /path/to/npm/scripts/changelog.js
* /opt/yarn-v1.22.19/preinstall.js
+The following simple script will search for **calls** from **child\_process** **without any padding** (to avoid showing calls inside functions):
+
+{% code overflow="wrap" %}
+```bash
+for file_path in `find / -name "*.js" -type f -exec grep -l "child_process" {} \; 2>/dev/null`; do
+ echo "$file_path"
+ grep -nE "^[a-zA-Z].*(exec|execFile|fork|spawn|execFileSync|execSync|spawnSync)" "$file_path"
+ echo ""
+done
+# Note that this way of finding child_process executions just importing might not find valid scripts as functions called in the root containing child_process calls won't be found.
+```
+{% endcode %}
+
### Setting require file path via prototype pollution
{% hint style="warning" %}
diff --git a/pentesting-web/formula-doc-latex-injection.md b/pentesting-web/formula-doc-latex-injection.md
index 67247b33a..7414b872c 100644
--- a/pentesting-web/formula-doc-latex-injection.md
+++ b/pentesting-web/formula-doc-latex-injection.md
@@ -55,7 +55,7 @@ The good news is that **this payload is executed automatically when the file is
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
- (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
+ (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
### More
diff --git a/pentesting-web/saml-attacks/README.md b/pentesting-web/saml-attacks/README.md
index 5ad453c9e..b337f32b5 100644
--- a/pentesting-web/saml-attacks/README.md
+++ b/pentesting-web/saml-attacks/README.md
@@ -22,7 +22,7 @@
## Attacks Graphic
- (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (12).png>)
+ (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>)
## Tool
diff --git a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
index e7c657130..ee6929afe 100644
--- a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
+++ b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
@@ -473,7 +473,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w
First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
-
+
Next, we change the `userPrincipalName` of `Jane` to be `Administrator`. Notice that we’re leaving out the `@corp.local` part.
@@ -553,7 +553,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w
First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
-
+
Next, we change the `userPrincipalName` of `Jane` to be `DC$@corp.local`.
 (1) (1) (1).png)
 (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (16).png)
\
+ (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png)
\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
@@ -159,7 +159,7 @@ echo bye >> ftp.txt
ftp -n -v -s:ftp.txt
```
- (1) (1) (1) (3).png)
 (1) (1) (1) (2).png)