diff --git a/.gitbook/assets/image (34) (1).png b/.gitbook/assets/image (34) (1).png
new file mode 100644
index 000000000..9a275baae
Binary files /dev/null and b/.gitbook/assets/image (34) (1).png differ
diff --git a/.gitbook/assets/image (34).png b/.gitbook/assets/image (34).png
index 9a275baae..2a9847951 100644
Binary files a/.gitbook/assets/image (34).png and b/.gitbook/assets/image (34).png differ
diff --git a/.gitbook/assets/image (35) (1).png b/.gitbook/assets/image (35) (1).png
new file mode 100644
index 000000000..84735e384
Binary files /dev/null and b/.gitbook/assets/image (35) (1).png differ
diff --git a/.gitbook/assets/image (35).png b/.gitbook/assets/image (35).png
index 84735e384..2758b36d6 100644
Binary files a/.gitbook/assets/image (35).png and b/.gitbook/assets/image (35).png differ
diff --git a/.gitbook/assets/image (36) (1).png b/.gitbook/assets/image (36) (1).png
new file mode 100644
index 000000000..ceb0a0f91
Binary files /dev/null and b/.gitbook/assets/image (36) (1).png differ
diff --git a/.gitbook/assets/image (36).png b/.gitbook/assets/image (36).png
index ceb0a0f91..625f447e9 100644
Binary files a/.gitbook/assets/image (36).png and b/.gitbook/assets/image (36).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
index 625f447e9..63d09319b 100644
Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ
diff --git a/exploiting/windows-exploiting-basic-guide-oscp-lvl.md b/exploiting/windows-exploiting-basic-guide-oscp-lvl.md
index 160a44b98..fb24d0eb4 100644
--- a/exploiting/windows-exploiting-basic-guide-oscp-lvl.md
+++ b/exploiting/windows-exploiting-basic-guide-oscp-lvl.md
@@ -164,7 +164,7 @@ In this case you can see that **you shouldn't use the char 0x0A** (nothing is sa
In this case you can see that **the char 0x0D is avoided**:
-![](<../.gitbook/assets/image (34).png>)
+![](<../.gitbook/assets/image (34) (1).png>)
## Find a JMP ESP as a return address
@@ -182,7 +182,7 @@ You will **list the memory maps**. Search for some DLl that has:
* **NXCompat: False**
* **OS Dll: True**
-![](<../.gitbook/assets/image (35).png>)
+![](<../.gitbook/assets/image (35) (1).png>)
Now, inside this memory you should find some JMP ESP bytes, to do that execute:
@@ -193,7 +193,7 @@ Now, inside this memory you should find some JMP ESP bytes, to do that execute:
**Then, if some address is found, choose one that don't contain any badchar:**
-![](<../.gitbook/assets/image (36).png>)
+![](<../.gitbook/assets/image (36) (1).png>)
**In this case, for example: \_0x5f4a358f**\_
diff --git a/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md b/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md
index bdac3d066..c1167a58d 100644
--- a/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md
+++ b/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md
@@ -57,6 +57,10 @@ The desktop application might have access to the userβs device through Node AP
* **`contextIsolation`** - is `on` by default. If on, main and renderer processes aren't isolated.
* **`preload`** - empty by default.
* [**`sandbox`**](https://docs.w3cub.com/electron/api/sandbox-option) - is off by default. It will restrict the actions NodeJS can perform.
+* Node Integration in Workers
+* **`nodeIntegrationInSubframes`**- is `off` by default.
+ * If **`nodeIntregation`** is **enabled**, this would allow the use of **Node.js APIs** in web pages that are **loaded in iframes** within an Electron application.
+ * If **`nodeIntregation`** is **disabled**, then preloads will load in the iframe
Example of configuration:
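Review bot: the setting name in the two new sub-bullets is misspelled as `nodeIntregation` (both occurrences); it should read `nodeIntegration`, matching the bullets above it, otherwise a reader searching the page for the option will miss these lines. The bullet title is also spelled `nodeIntegrationInSubframes` here while the JS example further down adds the key as `nodeIntegrationInSubFrames`; pick one spelling and use it in both places. The bare `* Node Integration in Workers` bullet has no setting name, no default and no description, unlike every other entry in this list; give it the same `**`name`** - default` shape or leave it out until it has content. Minor: a space is missing before the dash in `**`nodeIntegrationInSubframes`**- is`.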
@@ -75,7 +79,9 @@ const mainWindowOptions = {
webPreferences: {
blinkFeatures: 'EnumerateDevices,AudioOutputDevices',
nodeIntegration: false,
- contextIsolation: false
+ contextIsolation: false,
+ sandbox: false,
+ nodeIntegrationInSubFrames: false,
preload: _path2.default.join(__dirname, 'mainScreenPreload.js'),
nativeWindowOpen: true,
enableRemoteModule: false,
@@ -118,6 +124,8 @@ If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Nod
```
+
+
## RCE: preload
The script indicated in this setting is l**oaded before other scripts in the renderer**, so it has **unlimited access to Node APIs**:
@@ -263,7 +271,7 @@ webContents.on("new-window", function (event, url, disposition, options) {} // o
webContents.on("will-navigate", function (event, url) {} // opens the custom openInternally function (it is declared below)
```
-The call to \*\* `openInternally`\*\* will decide if the **link** will be **opened** in the **desktop window** as it's a link belonging to the platform, **or** if will be opened in the **browser as a 3rd party resource**.
+The call to **`openInternally`** will decide if the **link** will be **opened** in the **desktop window** as it's a link belonging to the platform, **or** if will be opened in the **browser as a 3rd party resource**.
In the case the **regex** used by the function is **vulnerable to bypasses** (for example by **not escaping the dots of subdomains**) an attacker could abuse the XSS to **open a new window which** will be located in the attackers infrastructure **asking for credentials** to the user:
@@ -317,6 +325,7 @@ npm start
* [https://www.youtube.com/watch?v=a-YnG3Mx-Tg](https://www.youtube.com/watch?v=a-YnG3Mx-Tg)
* [https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s](https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s)
* More researches and write-ups about Electron security in [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking)
+* [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81)
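Review bot: the new reference is a bare URL with no hint of its content, whereas the entry just above it tells the reader what the link is for. Add a few words on what the video covers (the same URL is cited in the new "Example 2" of the contextIsolation page in this commit for obtaining `require` through prototype pollution), so the list stays self-describing.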
diff --git a/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md b/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md
index ef4123f8e..6cad67319 100644
--- a/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md
+++ b/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md
@@ -4,15 +4,11 @@
Support HackTricks and get benefits!
-- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-- **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
@@ -62,18 +58,26 @@ location.reload();//Trigger the "exit" event
```
+## Example 2
+
+Get **require object from prototype pollution**. From [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81)
+
+Leak:
+
+
+
+Exploit:
+
+
+
Support HackTricks and get benefits!
-- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-- **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
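Review bot: the new "## Example 2" section is only a title and a video link; the `Leak:` and `Exploit:` labels have nothing beneath them, so readers land on two empty headings. Either the images or snippets meant to follow them were not added to the commit, or the section is unfinished; add the referenced material (or at least a short description of how the prototype-pollution primitive exposes the `require` object, as the cited talk explains) before merging. The remaining lines of the hunk only swap `-` bullets for `*` bullets in the footer, which is fine.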
diff --git a/pentesting-web/file-inclusion/README.md b/pentesting-web/file-inclusion/README.md
index 46faed34a..92e5f9343 100644
--- a/pentesting-web/file-inclusion/README.md
+++ b/pentesting-web/file-inclusion/README.md
@@ -12,7 +12,7 @@
-
+
Did you know that crypto projects pay more bounty rewards than their web2 counterparts?\
This [**crypto bounty alone**](https://hackenproof.com/jungle/jungle-smart-contract) is worth $1.000.000!\
@@ -112,31 +112,38 @@ http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
### Identifying folders on a server
Depending on the applicative code / allowed characters, it might be possible to recursively explore the file system by discovering folders and not just files. In order to do so:
-- identify the "depth" of you current directory by succesfully retrieving `/etc/passwd` (if on Linux):
+
+* identify the "depth" of you current directory by succesfully retrieving `/etc/passwd` (if on Linux):
+
```
http://example.com/index.php?page=../../../etc/passwd # depth of 3
-````
-- try and guess the name of a folder in the current directory by adding the folder name (here, `private`), and then going back to `/etc/passwd`:
+```
+
+* try and guess the name of a folder in the current directory by adding the folder name (here, `private`), and then going back to `/etc/passwd`:
+
```
http://example.com/index.php?page=private/../../../../etc/passwd # we went deeper down one level, so we have to go 3+1=4 levels up to go back to /etc/passwd
```
-- if the application is vulnerable, there might be two different outcomes to the request:
- - if you get an error / no output, the `private` folder does not exist at this location
- - if you get the content from `/etc/passwd`, you validated that there is indeed a `private`folder in your current directory
-- the folder(s) you discovered using this techniques can then be fuzzed for files (using a classic LFI method) or for subdirectories using the same technique recursively.
+* if the application is vulnerable, there might be two different outcomes to the request:
+ * if you get an error / no output, the `private` folder does not exist at this location
+ * if you get the content from `/etc/passwd`, you validated that there is indeed a `private`folder in your current directory
+* the folder(s) you discovered using this techniques can then be fuzzed for files (using a classic LFI method) or for subdirectories using the same technique recursively.
It is possible to adapt this technique to find directories at any location in the file system. For instance, if, under the same hypothesis (current directory at depth 3 of the file system) you want to check if `/var/www/` contains a `private` directory, use the following payload:
+
```
http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd
```
The following sequence of commands allows the generation of payloads using `sed` (1) as input for url fuzzing tools such as `ffuf` (2):
+
```
$ sed 's_^_../../../var/www/_g' /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt | sed 's_$_/../../../etc/passwd_g' > payloads.txt
$ ffuf -u http://example.com/index.php?page=FUZZ -w payloads.txt -mr "root"
```
-Of course, adapt there payloads to your needs in terms of depth / location / input directory list.
+
+Of course, adapt there payloads to your needs in terms of depth / location / input directory list.
### **Path truncation**
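Review bot: replacing the four-backtick closing fence with a three-backtick one fixes the broken code block, but several of the re-added lines carry typos that could be corrected while they are being touched: "the "depth" of you current directory by succesfully retrieving" should be "of your current directory by successfully retrieving"; "`private`folder" needs a space after the backtick; "using this techniques" should be "using this technique"; and "adapt there payloads" should be "adapt these payloads". Also, the closing fence after the `private/../../../../etc/passwd` example (the `http://example.com/index.php?page=private/...` block) is still followed directly by the next bullet with no blank line, unlike the other blocks this hunk normalises.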