GitBook: [#3448] No subject

This commit is contained in:
CPol 2022-09-02 14:27:43 +00:00 committed by gitbook-bot
parent 4b3e8ae2e9
commit 66eadfd232
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
68 changed files with 218 additions and 91 deletions

Binary files changed (35 image assets; file paths, widths and heights are not shown in this view). Added files are listed with their new size; replaced files as before -> after:

143 KiB (added); 143 -> 76 KiB; 76 -> 42 KiB; 66 KiB (added); 66 -> 64 KiB; 16 KiB (added); 16 -> 53 KiB; 76 KiB (added); 76 -> 31 KiB; 31 -> 254 KiB; 771 KiB (added); 771 -> 37 KiB; 135 KiB (added); 135 -> 37 KiB; 71 KiB (added); 71 -> 254 KiB; 15 KiB (added); 15 -> 49 KiB; 15 KiB (added); 15 -> 12 KiB; 12 -> 234 KiB; 15 KiB (added); 15 -> 53 KiB; 10 KiB (added); 10 -> 37 KiB; 106 KiB (added); 106 -> 64 KiB; 419 KiB (added); 419 -> 39 KiB; 88 KiB (added); 88 -> 254 KiB; 197 KiB (added); 197 -> 37 KiB; 154 KiB (added); 154 -> 37 KiB.

View File

@ -1,7 +1,7 @@
# Linux Forensics
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
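Review bot: the change here repoints a hard-coded, auto-numbered GitBook asset name (`image (9).png` to `image (9) (3).png`), and the same one-line edit is repeated for every banner in this file and across the other pages in the commit. The binary list explains why: each "added" asset has exactly the size of the "before" state of the next replaced one (143 KiB added, then 143 -> 76 KiB, 76 -> 42 KiB, and so on), so the commit is shifting which picture sits behind each `image (N).png` slot rather than changing image content. Any page not touched by this commit that still references one of the shifted names may now render a different picture. Suggest confirming with `git diff -M --stat` that these are pure renames, and giving the shared Trickest banner one stable file name (for example `trickest-banner.png`) referenced from all pages, so the next asset upload does not renumber it again.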
@ -168,7 +168,7 @@ ThisisTheMasterSecret
```
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -233,7 +233,7 @@ find /sbin/ exec rpm -qf {} \; | grep "is not"
```
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -376,7 +376,7 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
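Review bot: this banner links to `https://trickest.io/` while the other four banners in this file (and most banners elsewhere in the commit) use `https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks`. The URL is not part of this change, but since the line is already being touched it is worth normalizing to a single link so the sponsor's campaign tracking is consistent; the Brute Force cheatsheet uses `trickest.io` throughout and would need the same pass.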
@ -466,7 +466,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -164,7 +164,7 @@ If it was a **GPT table instead of a MBR** it should appear the signature _EFI P
The **FAT (File Allocation Table)** file system is named for its method of organization, the file allocation table, which resides at the beginning of the volume. To protect the volume, **two copies** of the table are kept, in case one becomes damaged. In addition, the file allocation tables and the root folder must be stored in a **fixed location** so that the files needed to start the system can be correctly located.
![](<../../../.gitbook/assets/image (495).png>)
![](<../../../.gitbook/assets/image (495) (1).png>)
The minimum space unit used by this file-system is a **cluster, typically 512B** (which is composed by a number of sectors).
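Review bot: drive-by on the context line after the image: "cluster, typically 512B" contradicts the parenthetical that a cluster is composed of a number of sectors. 512 bytes is the usual sector size; a FAT cluster is one or more sectors, with the cluster size chosen at format time according to the volume size. Suggest "The minimum allocation unit of this file system is a cluster, a group of one or more (typically 512-byte) sectors; its size is set at format time and depends on the volume size."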

View File

@ -158,7 +158,7 @@ Some interesting attributes:
### NTFS timestamps
![](<../../../.gitbook/assets/image (512).png>)
![](<../../../.gitbook/assets/image (512) (1).png>)
Another useful tool to analyze the MFT is [**MFT2csv**](https://github.com/jschicht/Mft2Csv) (select the mft file or the image and press dump all and extract to extract al the objects).\
This program will extract all the MFT data and present it in CSV format. It can also be used to dump the files.

View File

@ -46,7 +46,7 @@ When a file is deleted in this folder are created 2 files:
* `$I{id}`: File information (date of when it was deleted}
* `$R{id}`: Content of the file
![](<../../../.gitbook/assets/image (486).png>)
![](<../../../.gitbook/assets/image (486) (1).png>)
Having these files you can sue the tool [**Rifiuti**](https://github.com/abelcheung/rifiuti2) to get the original address of the deleted files and the date it was deleted (use `rifiuti-vista.exe` for Vista Win10).
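Review bot: two typos on the touched context line: "sue the tool" should read "use the tool", and "Vista Win10" is missing its range ("Vista to Win10"). "original address" would also be clearer as "original path", which is what `$I` records.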
@ -140,7 +140,7 @@ It's possible to identify that a USB device was used thanks to the creation of:
Note that some LNK file instead of pointing to the original path, points to the WPDNSE folder:
![](<../../../.gitbook/assets/image (476).png>)
![](<../../../.gitbook/assets/image (476) (1).png>)
The files in the folder WPDNSE are a copy of the original ones, then won't survive a restart of the PC and the GUID is taken from a shellbag.

View File

@ -155,7 +155,7 @@ Within this registry it's possible to find:
Moreover, checking the registry `HKLM\SYSTEM\ControlSet001\Enum\USB` and comparing the values of the sub-keys it's possible to find the VID value
![](<../../../.gitbook/assets/image (478).png>)
![](<../../../.gitbook/assets/image (478) (1).png>)
With the previous information the registry `SOFTWARE\Microsoft\Windows Portable Devices\Devices` can be used to obtain the **`{GUID}`**:

View File

@ -1,7 +1,7 @@
# Brute Force - CheatSheet
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -84,7 +84,7 @@ python3 cupp.py -h
* [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm**](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm)
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -441,7 +441,7 @@ crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
```
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -641,7 +641,7 @@ crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
```
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -808,7 +808,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# Python Sandbox Escape & Pyscript
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -51,7 +51,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# Bypass Python sandboxes
{% hint style="danger" %}
![](<../../../.gitbook/assets/image (9).png>)
![](<../../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -322,7 +322,7 @@ with (a as b):
```
{% hint style="danger" %}
![](<../../../.gitbook/assets/image (9).png>)
![](<../../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -710,7 +710,7 @@ You can check the output of this script in this page:
{% endcontent-ref %}
{% hint style="danger" %}
![](<../../../.gitbook/assets/image (9).png>)
![](<../../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -1118,7 +1118,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../../../.gitbook/assets/image (9).png>)
![](<../../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# venv
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -62,7 +62,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# Web Requests
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -142,7 +142,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# Search Exploits
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -85,7 +85,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# Docker Basics & Breakout
{% hint style="danger" %}
![](<../../../.gitbook/assets/image (9).png>)
![](<../../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -124,7 +124,7 @@ tar -zcvf private_keys_backup.tar.gz ~/.docker/trust/private
When I changed Docker host, I had to move the root keys and repository keys to operate from the new host.
{% hint style="danger" %}
![](<../../../.gitbook/assets/image (9).png>)
![](<../../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -254,7 +254,7 @@ docker run -it --security-opt=no-new-privileges:true nonewpriv
For more **`--security-opt`** options check: [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)
{% hint style="danger" %}
![](<../../../.gitbook/assets/image (9).png>)
![](<../../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -397,7 +397,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../../../.gitbook/assets/image (9).png>)
![](<../../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# Useful Linux Commands
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -148,7 +148,7 @@ sudo chattr -i file.txt #Remove the bit so you can delete it
```
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -327,7 +327,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# Android Applications Pentesting
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -63,7 +63,7 @@ adb pull /data/app/com.android.insecurebankv2- Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
```
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -246,7 +246,7 @@ An application may contain secrets (API keys, passwords, hidden urls, subdomains
{% endcontent-ref %}
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -496,7 +496,7 @@ Probably you know about this kind of vulnerabilities from the Web. You have to b
* [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags)
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -705,7 +705,7 @@ It is able to:
Useful to detect malware: [https://koodous.com/](https://koodous.com)
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -802,7 +802,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# Android APK Checklist
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -97,7 +97,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# 8086 - Pentesting InfluxDB
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -164,7 +164,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# 5432,5433 - Pentesting Postgresql
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -99,7 +99,7 @@ ORDER BY 1;
```
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -179,7 +179,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# WebDav
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -73,7 +73,7 @@ curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt'
```
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -145,7 +145,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# Command Injection
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -101,7 +101,7 @@ Here are the top 25 parameters that could be vulnerable to code injection and si
```
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -187,7 +187,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# Email Injections
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -118,7 +118,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -83,7 +83,7 @@ I've set the fetch mode **'no-cors'** to ensure Chrome **displays the connection
When you execute this, you should see **two requests** in the Network tab with the **same connection ID**, and the **second** one should trigger a **404**:
![](<../../.gitbook/assets/image (158).png>)
![](<../../.gitbook/assets/image (158) (2).png>)
If this works as expected, congratulations - you've found yourself a client-side desync!
@ -265,7 +265,7 @@ When processing a **partial request** that matches a synth rule, Varnish will **
To trigger a pause-based desync on a vulnerable front-end, start by sending your headers, promising a body, and then just wait. Eventually you'll receive a response and when you finally send send your request body, it'll be interpreted as a new request:
![](<../../.gitbook/assets/image (4).png>)
![](<../../.gitbook/assets/image (4) (3).png>)
{% hint style="warning" %}
Apparently this was patched on the 25th January as [CVE-2022-23959](https://varnish-cache.org/security/VSV00008.html).
@ -285,7 +285,7 @@ In this case the attacker **won't receive the response timeout until he has sen
Amazon's Application Load Balancer (ALB) will **stream the data of the connection as needed**, but if it **receives** the **response** to the half request (the timeout) **before** receiving the **body**, it **won't send the body**, so a **Race Condition** must be exploited here:
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (1) (1) (2).png" alt=""><figcaption></figcaption></figure>
There's an additional complication when it comes to **exploiting Apache behind ALB** - **both servers** have a default **timeout of 60 seconds**. This leaves an **extremely small time-window** to send the second part of the request. The RC attack was ultimately successful after 66 hours.

View File

@ -1,7 +1,7 @@
# NoSQL injection
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -121,7 +121,7 @@ Using the **$func** operator of the [MongoLite](https://github.com/agentejo/cock
![](<../.gitbook/assets/image (468).png>)
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -272,7 +272,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# Race Condition
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -125,7 +125,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# Rate Limit Bypass
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -84,7 +84,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# SSRF (Server Side Request Forgery)
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -198,7 +198,7 @@ if __name__ == "__main__":
```
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -321,7 +321,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# XS-Search
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -84,7 +84,7 @@ You can access the tool in [https://xsinator.com/](https://xsinator.com/)
{% endhint %}
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -196,7 +196,7 @@ You can perform the same attack with **`portal`** tags.
Applications often use [postMessage broadcasts](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) to share information with other origins. Listening to this messages one could find **sensitive info** (potentially if the the `targetOrigin` param is not used). Also, the fact of receiving some message can be **used as an oracle** (you only receive this kind of message if you are logged in).
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
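Review bot: the postMessage context line just above the hint has two typos worth fixing while this file is being touched: `Listening to this messages` should read `Listening to these messages`, and `the the targetOrigin param` has a doubled `the`. The rest of the hunk is only the banner asset rename.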
@ -278,7 +278,7 @@ Browsers use sockets to communicate with servers. As the operating system and th
For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/)
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -817,7 +817,7 @@ In an execution timing it's possible to **eliminate** **network factors** to obt
* **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks)
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -935,7 +935,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -49,7 +49,7 @@ If you realise that your PC is not capturing things try to disable OpenGL and lo
With [**SigDigger** ](https://github.com/BatchDrake/SigDigger)synchronize with the channel you want to hear, configure "Baseband audio preview" option, configure the bandwith to get all the info being sent and then set the Tuner to the level before the noise is really starting to increase:
![](<../../.gitbook/assets/image (389).png>)
![](<../../.gitbook/assets/image (389) (2).png>)
## Interesting tricks
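Review bot: the link text in the SigDigger context line, `[**SigDigger** ](https://github.com/BatchDrake/SigDigger)`, has a space before the closing bracket, which some Markdown renderers treat as a non-link; moving the space outside the brackets fixes it. The same line also spells `bandwith` for `bandwidth`. The hunk itself only swaps the screenshot path `image (389).png` → `image (389) (2).png`.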

View File

@ -95,7 +95,7 @@ The **`pKIExtendedKeyUsage`** attribute on an AD certificate template object con
An admin needs to **create the certificate** template and then an **Enterprise CA “publishes”** the template, making it available to clients to enrol in. AD CS specifies that a certificate template is enabled on an Enterprise CA by **adding the templates name to the `certificatetemplates` field** of the AD object.
<figure><img src="../../.gitbook/assets/image (11).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (11) (2).png" alt=""><figcaption></figcaption></figure>
{% hint style="warning" %}
AD CS defines enrolment rights - which **principals can request** a certificate using two security descriptors: one on the **certificate template** AD object and another on the **Enterprise CA itself**.\
@ -113,7 +113,7 @@ A client needs to be granted in both security descriptors in order to be able to
The **security descriptor** configured on the **Enterprise CA** defines these rights and is **viewable** in the Certificate Authority MMC snap-in `certsrv.msc` by right clicking on the CA → Properties → Security.
<figure><img src="../../.gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (7) (2).png" alt=""><figcaption></figcaption></figure>
This ultimately ends up setting the Security registry value in the key **`HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration<CA NAME>`** on the CA server. We have encountered several AD CS servers that grant low-privileged users remote access to this key via remote registry:
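Review bot: the registry path in the trailing context line, `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration<CA NAME>`, is missing the separator before the CA name placeholder, and an unescaped `<CA NAME>` will be swallowed as an HTML tag by the renderer; write it as `Configuration\\<CA NAME>` (escaping both the backslash and the angle bracket) so the key renders as a path with the placeholder visible. The hunk itself only renames the screenshot `image (7).png` → `image (7) (2).png`.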
@ -148,6 +148,7 @@ A common use for these settings is for **enrolment agents**. An enrolment agent
1. Using the Windows **Client Certificate Enrolment Protocol** (MS-WCCE), a set of Distributed Component Object Model (DCOM) interfaces that interact with various AD CS features including enrolment. The **DCOM server is enabled on all AD CS servers by default** and is the most common method by which we have seen clients request certificates.
2. Via the **ICertPassage Remote Protocol** (MS-ICPR), a **remote procedure call** (RPC) protocol can operate over named pipes or TCP/IP.
3. Accessing the **certificate enrolment web interface**. To use this, the ADCS server needs to have the **Certificate Authority Web Enrolment role installed**. Once enabled, a user can navigate to the IIS-hosted ASP web enrolment application running at `http:///certsrv/`.
* `certipy req -ca 'corp-DC-CA' -username john@corp.local -password Passw0rd -web -debug`
4. Interacting with a **certificate enrolment service** (CES). To use this, a server needs to have the **Certificate Enrolment Web Service role installed**. Once enabled, a user can access the web service at `https:///_CES_Kerberos/service.svc` to request certificates. This service works in tandem with a certificate enrolment policy (CEP) service (installed via the Certificate Enrolment Policy Web Service role), which clients use to **list certificate templates** at the URL `https:///ADPolicyProvider_CEP_Kerberos/service.svc`. Underneath, the certificate enrolment and policy web services implement MS-WSTEP and MS-XCEP, respectively (two SOAP-based protocols).
5. Using the **network device enrolment service**. To use this, a server needs to have the **Network Device Enrolment Service role installed**, which allows clients (namely network devices) to obtain certificates via the **Simple Certificate Enrolment Protocol** (SCEP). Once enabled, an administrator can obtain a one-time password (OTP) from the URL `http:///CertSrv/mscep_admin/`. The administrator can then provide the OTP to a network device and the device will use the SCEP to request a certificate using the URL `http://NDESSERVER/CertSrv/mscep/`.
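Review bot: the added `certipy req ... -web -debug` bullet under method 3 is the only one of the five enrolment methods with a concrete command, and it sits without a lead-in, so a short phrase such as "Example request through the web enrolment endpoint with Certipy:" would make clear it is an illustration rather than a required step; the `Passw0rd` value is a lab credential, which is fine, but it is worth saying so since the same value is reused in the enumeration commands further down. Separately, the URLs in the surrounding context lines have lost their host placeholder (`http:///certsrv/`, `https:///_CES_Kerberos/service.svc`, `https:///ADPolicyProvider_CEP_Kerberos/service.svc`, `http:///CertSrv/mscep_admin/`), most likely because an unescaped `<server>` was parsed as an HTML tag; escape the placeholder (`http://\<CA-SERVER>/certsrv/`) so the reader sees where the host goes.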
@ -190,7 +191,7 @@ When an account authenticates to AD using a certificate, the DC needs to somehow
If that is **unsuccessful**, it will follow the attempt to map the **certificate to a user** account using the certificates **SAN extension**, a combination of the **subject** and **issuer** fields, or solely from the issuer. By default, not many protocols in AD environments support AD authentication via Schannel out of the box. WinRM, RDP, and IIS all support client authentication using Schannel, but it **requires additional configuration**, and in some cases like WinRM does not integrate with Active Directory.\
One protocol that does commonly work assuming AD CS has been setup - is **LDAPS**. The cmdlet `Get-LdapCurrentUser` demonstrates how one can authenticate to LDAP using .NET libraries. The cmdlet performs an LDAP “Who am I?” extended operation to display the currently authenticating user:
<figure><img src="../../.gitbook/assets/image (2) (4).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (2) (4) (1).png" alt=""><figcaption></figcaption></figure>
## AD CS Enumeration
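Review bot: two wording fixes in the context lines of this hunk: `assuming AD CS has been setup - is LDAPS` should read `assuming AD CS has been set up, is LDAPS`, and `using the certificates SAN extension` needs the possessive `certificate's`. The change itself is only the screenshot rename `image (2) (4).png` → `image (2) (4) (1).png`.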
@ -211,6 +212,7 @@ Certify.exe find /vulnerable #Enumerate vulenrable certificate templater
# https://github.com/ly4k/Certipy
certipy find -u john@corp.local -p Passw0rd -dc-ip 172.16.126.128
certipy find -vulnerable [-hide-admins] -u john@corp.local -p Passw0rd -dc-ip 172.16.126.128 #Search vulnerable templates
certutil.exe -TCAInfo #enumerate Enterprise CAs
certutil -v -dstemplate #enumerate certificate templates
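Review bot: the added line `certipy find -vulnerable [-hide-admins] -u john@corp.local ...` uses square brackets to mark `-hide-admins` as optional, but every neighbouring line in this block is copy-pasteable as-is, so the brackets will be pasted literally; either drop the flag or move it into the trailing comment (`#add -hide-admins to omit templates only admins can enrol in`). The hunk header context also carries two typos from the existing line, `vulenrable` and `templater`, which can be fixed in the same pass.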

View File

@ -165,7 +165,7 @@ ESC4 is when a user has write privileges over a certificate template. This can f
As we can see in the path above, only `JOHNPC` has these privileges, but our user `JOHN` has the new `AddKeyCredentialLink` edge to `JOHNPC`. Since this technique is related to certificates, I have implemented this attack as well, which is known as [Shadow Credentials](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab). Heres a little sneak peak of Certipys `shadow auto` command to retrieve the NT hash of the victim.
<figure><img src="../../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
**Certipy** can overwrite the configuration of a certificate template with a single command. By **default**, Certipy will **overwrite** the configuration to make it **vulnerable to ESC1**. We can also specify the **`-save-old` parameter to save the old configuration**, which will be useful for **restoring** the configuration after our attack.
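Review bot: the ESC4 context line above the screenshot has lost its apostrophes and has a spelling slip: `Heres a little sneak peak of Certipys` should read `Here's a little sneak peek of Certipy's`. The first-person `I have implemented this attack as well` is the Certipy author's voice, so a link to the source post would make the provenance of this paragraph clear. The hunk itself only renames `image (1).png` → `image (1) (1).png`.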
@ -267,7 +267,7 @@ If you have a principal with **`ManageCA`** rights on a **certificate authority*
<figure><img src="../../../.gitbook/assets/image (1) (2).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (70).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (70) (2).png" alt=""><figcaption></figcaption></figure>
This is also possible in a simpler form with [**PSPKIs Enable-PolicyModuleFlag**](https://www.sysadmins.lv/projects/pspki/enable-policymoduleflag.aspx) cmdlet.
@ -444,6 +444,131 @@ Certipy v4.0.0 - by Oliver Lyak (ly4k)
[*] Exiting...
```
## No Security Extension - ESC9 <a href="#5485" id="5485"></a>
### Explanation
ESC9 refers to the new **`msPKI-Enrollment-Flag`** value **`CT_FLAG_NO_SECURITY_EXTENSION`** (`0x80000`). If this flag is set on a certificate template, the **new `szOID_NTDS_CA_SECURITY_EXT` security extension** will **not** be embedded. ESC9 is only useful when `StrongCertificateBindingEnforcement` is set to `1` (default), since a weaker certificate mapping configuration for Kerberos or Schannel can be abused as ESC10 — without ESC9 — as the requirements will be the same.
* `StrongCertificateBindingEnforcement` not set to `2` (default: `1`) or `CertificateMappingMethods` contains `UPN` flag
* Certificate contains the `CT_FLAG_NO_SECURITY_EXTENSION` flag in the `msPKI-Enrollment-Flag` value
* Certificate specifies any client authentication EKU
* `GenericWrite` over any account A to compromise any account B
### Abuse
In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and we wish to compromise `Administrator@corp.local`. `Jane@corp.local` is allowed to enroll in the certificate template `ESC9` that specifies the `CT_FLAG_NO_SECURITY_EXTENSION` flag in the `msPKI-Enrollment-Flag` value.
First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
<figure><img src="../../../.gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
Next, we change the `userPrincipalName` of `Jane` to be `Administrator`. Notice that were leaving out the `@corp.local` part.
<figure><img src="../../../.gitbook/assets/image (9).png" alt=""><figcaption></figcaption></figure>
This is not a constraint violation, since the `Administrator` users `userPrincipalName` is `Administrator@corp.local` and not `Administrator`.
Now, we request the vulnerable certificate template `ESC9`. We must request the certificate as `Jane`.
<figure><img src="../../../.gitbook/assets/image (478).png" alt=""><figcaption></figcaption></figure>
Notice that the `userPrincipalName` in the certificate is `Administrator` and that the issued certificate contains no “object SID”.
Then, we change back the `userPrincipalName` of `Jane` to be something else, like her original `userPrincipalName` `Jane@corp.local`.
<figure><img src="../../../.gitbook/assets/image (495).png" alt=""><figcaption></figcaption></figure>
Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate.
<figure><img src="../../../.gitbook/assets/image (158).png" alt=""><figcaption></figcaption></figure>
## Weak Certificate Mappings - ESC10
### Explanation
ESC10 refers to two registry key values on the domain controller.
`HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel` `CertificateMappingMethods`. Default value `0x18` (`0x8 | 0x10`), previously `0x1F`.
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc` `StrongCertificateBindingEnforcement`. Default value `1`, previously `0`.
**Case 1**
`StrongCertificateBindingEnforcement` set to `0`
**Case 2**
`CertificateMappingMethods` contains `UPN` bit (`0x4`)
### Abuse Case 1
* `StrongCertificateBindingEnforcement` set to `0`
* `GenericWrite` over any account A to compromise any account B
In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and we wish to compromise `Administrator@corp.local`. The abuse steps are almost identical to ESC9, except that any certificate template can be used.
First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
<figure><img src="../../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
Next, we change the `userPrincipalName` of `Jane` to be `Administrator`. Notice that were leaving out the `@corp.local` part.
<figure><img src="../../../.gitbook/assets/image (70).png" alt=""><figcaption></figcaption></figure>
This is not a constraint violation, since the `Administrator` users `userPrincipalName` is `Administrator@corp.local` and not `Administrator`.
Now, we request any certificate that permits client authentication, for instance the default `User` template. We must request the certificate as `Jane`.
<figure><img src="../../../.gitbook/assets/image (511).png" alt=""><figcaption></figcaption></figure>
Notice that the `userPrincipalName` in the certificate is `Administrator`.
Then, we change back the `userPrincipalName` of `Jane` to be something else, like her original `userPrincipalName` `Jane@corp.local`.
<figure><img src="../../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate.
<figure><img src="../../../.gitbook/assets/image (486).png" alt=""><figcaption></figcaption></figure>
### Abuse Case 2
* `CertificateMappingMethods` contains `UPN` bit flag (`0x4`)
* `GenericWrite` over any account A to compromise any account B without a `userPrincipalName` property (machine accounts and built-in domain administrator `Administrator`)
In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and we wish to compromise the domain controller `DC$@corp.local`.
First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
<figure><img src="../../../.gitbook/assets/image (476).png" alt=""><figcaption></figcaption></figure>
Next, we change the `userPrincipalName` of `Jane` to be `DC$@corp.local`.
<figure><img src="../../../.gitbook/assets/image (512).png" alt=""><figcaption></figcaption></figure>
This is not a constraint violation, since the `DC$` computer account does not have `userPrincipalName`.
Now, we request any certificate that permits client authentication, for instance the default `User` template. We must request the certificate as `Jane`.
<figure><img src="../../../.gitbook/assets/image (11).png" alt=""><figcaption></figcaption></figure>
Then, we change back the `userPrincipalName` of `Jane` to be something else, like her original `userPrincipalName` (`Jane@corp.local`).
<figure><img src="../../../.gitbook/assets/image (389).png" alt=""><figcaption></figcaption></figure>
Now, since this registry key applies to Schannel, we must use the certificate for authentication via Schannel. This is where Certipys new `-ldap-shell` option comes in.
If we try to authenticate with the certificate and `-ldap-shell`, we will notice that were authenticated as `u:CORP\DC$`. This is a string that is sent by the server.
<figure><img src="../../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
One of the available commands for the LDAP shell is `set_rbcd` which will set Resource-Based Constrained Delegation (RBCD) on the target. So we could perform a RBCD attack to compromise the domain controller.
<figure><img src="../../../.gitbook/assets/image (479).png" alt=""><figcaption></figcaption></figure>
Alternatively, we can also compromise any user account where there is no `userPrincipalName` set or where the `userPrincipalName` doesnt match the `sAMAccountName` of that account. From my own testing, the default domain administrator `Administrator@corp.local` doesnt have a `userPrincipalName` set by default, and this account should by default have more privileges in LDAP than domain controllers.
## Compromising Forests with Certificates
### CAs Trusts Breaking Forest Trusts
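Review bot: the new ESC9 and ESC10 sections list the preconditions for each case but never state the mitigation, which follows directly from those lists: ESC9 requires `StrongCertificateBindingEnforcement` not set to `2` or the `UPN` bit in `CertificateMappingMethods`, ESC10 case 1 requires the KDC value `0`, and case 2 requires the `UPN` bit (`0x4`); add a line after the ESC10 Explanation saying that setting `HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement` to `2` and clearing `0x4` from the Schannel `CertificateMappingMethods` value removes every listed precondition, and that an issued client-authentication certificate with no `szOID_NTDS_CA_SECURITY_EXT` extension (the "no object SID" observation in the ESC9 walkthrough) is the artefact a CA audit should look for. The four requirement bullets after the ESC9 Explanation start with no lead-in, so they read as a continuation of the paragraph; a `**Requirements**` line, as the ESC10 abuse cases effectively have, would fix that. Several added lines have lost apostrophes: `were leaving out` (three times) should be `we're leaving out`, `the Administrator users userPrincipalName` (twice) should be `user's`, `Certipys new -ldap-shell` should be `Certipy's`, and `doesnt` (twice) should be `doesn't`. Finally, `From my own testing` and the surrounding walkthrough are in the Certipy author's first person, so the section should link the post it was taken from.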

View File

@ -1,7 +1,7 @@
# DCSync
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -96,7 +96,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# Kerberoast
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -77,7 +77,7 @@ When a TGS is requested, Windows event `4769 - A Kerberos service ticket was req
{% endhint %}
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -144,7 +144,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# Authentication, Credentials, UAC and EFS
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -83,7 +83,7 @@ It is the database of the Active Directory. It is only present in Domain Control
Allows browsers and other Windows applications to save credentials.
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -280,7 +280,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../.gitbook/assets/image (9).png>)
![](<../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\

View File

@ -1,7 +1,7 @@
# ACLs - DACLs/SACLs/ACEs
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -83,7 +83,7 @@ The canonical order ensures that the following takes place:
* All **explicit ACEs are processed before any inherited ACE**. This is consistent with the concept of discretionary access control: access to a child object (for example a file) is at the discretion of the child's owner, not the owner of the parent object (for example a folder). The owner of a child object can define permissions directly on the child. The result is that the effects of inherited permissions are modified.
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@ -209,7 +209,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
{% hint style="danger" %}
![](<../../.gitbook/assets/image (9).png>)
![](<../../.gitbook/assets/image (9) (3).png>)
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\