Commit

GitBook: [#3489] No subject
carlospolop authored and gitbook-bot committed Sep 18, 2022
1 parent 269ac0e commit 545a258
Showing 185 changed files with 943 additions and 137 deletions.
Binary file modified .gitbook/assets/image (13) (1) (1) (1) (1).png
Binary file added .gitbook/assets/image (13) (1) (1) (1) (2).png

2 changes: 1 addition & 1 deletion 1911-pentesting-fox.md
Expand Up @@ -22,7 +22,7 @@ dht udp "DHT Nodes"

![](<.gitbook/assets/image (273).png>)

![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)

InfluxDB

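Review bot: this hunk, like most of the image-path hunks in this commit, swaps one GitBook-generated `(n)` suffix chain for another rather than pointing at a stable asset name; together with the `Binary file added` entries earlier in the commit this means another copy of an already-present image is being committed, so the assets directory grows with every sync. Suggest renaming the asset once to a descriptive name and referencing that, so later syncs do not keep churning this line.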
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -44,7 +44,7 @@ If you want to **share some tricks with the community** you can also submit **pu

### [STM Cyber](https://www.stmcyber.com)

![](<.gitbook/assets/image (638) (2) (1).png>)
![](<.gitbook/assets/image (642) (1) (1) (1).png>)

[**STM Cyber**](https://www.stmcyber.com) is a great cybersecurity company whose slogan is **HACK THE UNHACKABLE**. They perform their own research and develop their own hacking tools to **offer several valuable cybersecurity services** like pentesting, Red teams and training.

Expand Down Expand Up @@ -82,7 +82,7 @@ Get Access Today:

### [**INE**](https://ine.com)

![](<.gitbook/assets/INE\_Logo (3).jpg>)
![](.gitbook/assets/ine\_logo-3-.jpg)

[**INE**](https://ine.com) is a great platform to start learning or **improve** your **IT knowledge** through their huge range of **courses**. I personally like and have completed many from the [**cybersecurity section**](https://ine.com/pages/cybersecurity). **INE** also provides with the official courses to prepare the **certifications** from [**eLearnSecurity**](https://elearnsecurity.com)**.**

2 changes: 1 addition & 1 deletion cloud-security/atlantis.md
Expand Up @@ -301,7 +301,7 @@ Moreover, if you don't have configured in the **branch protection** to ask to **

This is the **setting** in Github branch protections:

![](<../.gitbook/assets/image (375) (1) (1) (1).png>)
![](<../.gitbook/assets/image (307) (4).png>)

### Webhook Secret

2 changes: 1 addition & 1 deletion cloud-security/concourse/concourse-architecture.md
Expand Up @@ -16,7 +16,7 @@

## Architecture

![](<../../.gitbook/assets/image (651) (1) (1).png>)
![](<../../.gitbook/assets/image (307) (3) (1).png>)

### ATC: web UI & build scheduler

Expand Up @@ -31,7 +31,7 @@ Note that other cloud resources could be searched for and that some times these

As other clouds, GCP also offers Buckets to its users. These buckets might be (to list the content, read, write...).

![](<../../.gitbook/assets/image (628) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (618) (3).png>)

The following tools can be used to generate variations of the name given and search for miss-configured buckets with that names:

2 changes: 1 addition & 1 deletion ctf-write-ups/try-hack-me/pickle-rick.md
Expand Up @@ -22,7 +22,7 @@ This machine was categorised as easy and it was pretty easy.

I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):

![](<../../.gitbook/assets/image (79) (2).png>)
![](<../../.gitbook/assets/image (79) (1).png>)

In as you can see 2 ports are open: 80 (**HTTP**) and 22 (**SSH**)

4 changes: 2 additions & 2 deletions exploiting/linux-exploiting-basic-esp/README.md
Expand Up @@ -401,7 +401,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**

Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`

![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)

Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:

Expand Down Expand Up @@ -470,7 +470,7 @@ For example, in the following situation there is a **local variable in the stack

So, flag is in **0xffffcf4c**

![](<../../.gitbook/assets/image (618) (2).png>)
![](<../../.gitbook/assets/image (622).png>)

And from the leak you can see the **pointer to the flag** is in the **8th** parameter:

Expand Up @@ -61,7 +61,7 @@ From the **bytes 440 to the 443** of the MBR you can find the **Windows Disk Sig

In order to mount an MBR in Linux you first need to get the start offset (you can use `fdisk` and the `p` command)

![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<../../../.gitbook/assets/image (413) (3) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)

And then use the following code

Expand Up @@ -148,7 +148,7 @@ Some interesting attributes:
* [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) (among others):
* Contains the file's data or the indication of the sectors where the data resides. In the following example, the attribute data is not resident so the attribute gives information about the sectors where the data resides.

![](<../../../.gitbook/assets/image (507) (1) (1).png>)
![](<../../../.gitbook/assets/image (507) (1).png>)

![](<../../../.gitbook/assets/image (509).png>)

Expand Up @@ -74,7 +74,7 @@ This tool is also useful to get **other information analysed** from the packets
You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **(It works in Windows)**.\
This is another useful tool that **analyses the packets** and sorts the information in a useful way to **know what is happening inside**.

![](<../../../.gitbook/assets/image (567) (1).png>)
![](<../../../.gitbook/assets/image (567) (1) (1).png>)

### [BruteShark](https://github.com/odedshimon/BruteShark)

Expand Up @@ -83,7 +83,7 @@ Other interesting filters:

### Search

If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_\. You can add new layers to the main information bar (No., Time, Source, etc.) by pressing the right button and then the edit column.
If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_. You can add new layers to the main information bar (No., Time, Source, etc.) by pressing the right button and then the edit column.

Practice: [https://www.malware-traffic-analysis.net/](https://www.malware-traffic-analysis.net)

Expand All @@ -95,7 +95,7 @@ You can add a column that shows the Host HTTP header:

And a column that add the Server name from an initiating HTTPS connection (**ssl.handshake.type == 1**):

![](<../../../.gitbook/assets/image (408) (1).png>)
![](<../../../.gitbook/assets/image (408).png>)

## Identifying local hostnames

Expand Down Expand Up @@ -128,7 +128,7 @@ A file of shared keys will look like this:

![](<../../../.gitbook/assets/image (99).png>)

To import this in wireshark go to _edit > preference > protocol > ssl > and import it in (Pre)-Master-Secret log filename:
To import this in wireshark go to \_edit > preference > protocol > ssl > and import it in (Pre)-Master-Secret log filename:

![](<../../../.gitbook/assets/image (100).png>)

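Review bot: the `+` line escapes the underscore as `\_edit`, so the rendered text now shows a literal underscore before "edit" while the italic span it opened in the `-` line still has no closing `_`. Either drop the underscore altogether (`go to edit > preference > protocol > ssl > and import it in (Pre)-Master-Secret log filename:`) or close the italic span after the menu path, rather than escaping it.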
26 changes: 12 additions & 14 deletions forensics/basic-forensic-methodology/windows-forensics/README.md
Expand Up @@ -26,7 +26,7 @@ Inside this SQLite database, you can find the `Notification` table with all the

Timeline is a Windows characteristic that provides **chronological history** of web pages visited, edited documents, and executed applications.

The database resides in the path `\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db`\. This database can be opened with an SQLite tool or with the tool [**WxTCmd**](https://github.com/EricZimmerman/WxTCmd) **which generates 2 files that can be opened with the tool** [**TimeLine Explorer**](https://ericzimmerman.github.io/#!index.md).
The database resides in the path `\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db`. This database can be opened with an SQLite tool or with the tool [**WxTCmd**](https://github.com/EricZimmerman/WxTCmd) **which generates 2 files that can be opened with the tool** [**TimeLine Explorer**](https://ericzimmerman.github.io/#!index.md).

### ADS (Alternate Data Streams)

Expand Down Expand Up @@ -95,16 +95,15 @@ To inspect these files you can use [**LinkParser**](http://4discovery.com/our-to

In this tools you will find **2 sets** of timestamps:

- **First Set:**
1. FileModifiedDate
2. FileAccessDate
3. FileCreationDate

- **Second Set:**
1. LinkModifiedDate
2. LinkAccessDate
3. LinkCreationDate.

* **First Set:**
1. FileModifiedDate
2. FileAccessDate
3. FileCreationDate
* **Second Set:**
1. LinkModifiedDate
2. LinkAccessDate
3. LinkCreationDate.

The first set of timestamp references the **timestamps of the file itself**. The second set references the **timestamps of the linked file**.

You can get the same information running the Windows CLI tool: [**LECmd.exe**](https://github.com/EricZimmerman/LECmd)
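Review bot: in the rewritten list the last item `3. LinkCreationDate.` keeps a trailing period while the other five items have none; drop it so the two sets read the same. The switch from `-` to `*` and the nested `1.` numbering under each set are otherwise consistent with the rest of the file.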
Expand Down Expand Up @@ -157,7 +156,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi

Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).

![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<../../../.gitbook/assets/image (477) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (8).png>)

### USB Detective

Expand Down Expand Up @@ -431,8 +430,7 @@ Information that appears inside Windows events are:
* Hosts involved (hostname, IP)
* Assets accessed (files, folder, printer, services)

The logs are located in `C:\Windows\System32\config` before Windows Vista and in `C:\Windows\System32\winevt\Logs` after Windows Vista.
Before Windows Vista, the event logs were in binary format and after it, they are in **XML format** and use the **.evtx** extension.
The logs are located in `C:\Windows\System32\config` before Windows Vista and in `C:\Windows\System32\winevt\Logs` after Windows Vista. Before Windows Vista, the event logs were in binary format and after it, they are in **XML format** and use the **.evtx** extension.

The location of the event files can be found in the SYSTEM registry in **`HKLM\SYSTEM\CurrentControlSet\services\EventLog\{Application|System|Security}`**

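Review bot: joining the two sentences onto one line does not change the rendered paragraph, since Markdown already merged the adjacent lines, so this is a source-formatting cleanup only. While touching it, the sentence names the extension only for the post-Vista format (`.evtx`) and describes the pre-Vista format just as "binary"; naming its extension too would make the two halves symmetric.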
Expand Up @@ -124,7 +124,7 @@ Desktop Access:
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`

To analyze the Shellbags you can use [**Shellbag Explorer**](https://ericzimmerman.github.io/#!index.md) and you will be able to find the\*\* MAC time of the folder **and also the** creation date and modified date of the shellbag which are related to the** first time and the last time** the folder was accessed.
To analyze the Shellbags you can use [**Shellbag Explorer**](https://ericzimmerman.github.io/#!index.md) and you will be able to find the\*\* MAC time of the folder **and also the** creation date and modified date of the shellbag which are related to the\*\* first time and the last time\*\* the folder was accessed.

Note 2 things from the following image:

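Review bot: the `+` line escapes the second `**` pair as `\*\*`, so the rendered text now shows literal asterisks around "first time and the last time" in addition to the ones already shown after "find the"; the bold markers should be unescaped and placed around the phrases they were meant to wrap, e.g. `find the **MAC time of the folder** and also the **creation date and modified date of the shellbag**, which are related to the **first time and the last time** the folder was accessed.`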
Expand All @@ -147,7 +147,7 @@ Within this registry it's possible to find:

![](<../../../.gitbook/assets/image (477).png>)

![](<../../../.gitbook/assets/image (479) (1).png>)
![](<../../../.gitbook/assets/image (479) (1) (1).png>)

Moreover, by checking the registry `HKLM\SYSTEM\ControlSet001\Enum\USB` and comparing the values of the sub-keys it's possible to find the VID value.

Expand All @@ -167,7 +167,7 @@ Having the **{GUID}** of the device it's now possible to **check all the NTUDER.

Checking the registry `System\MoutedDevices` it's possible to find out **which device was the last one mounted**. In the following image check how the last device mounted in `E:` is the Toshiba one (using the tool Registry Explorer).

![](<../../../.gitbook/assets/image (483) (1) (1).png>)
![](<../../../.gitbook/assets/image (483) (1).png>)

### Volume Serial Number

6 changes: 3 additions & 3 deletions generic-methodologies-and-resources/exfiltration.md
Expand Up @@ -14,7 +14,7 @@

</details>

<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (8).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}
Expand Down Expand Up @@ -159,7 +159,7 @@ echo bye >> ftp.txt
ftp -n -v -s:ftp.txt
```

<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (8).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}
Expand Down Expand Up @@ -371,7 +371,7 @@ Now we just copy-paste the text into our windows-shell. And it will automaticall

* [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)

<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (8).png" alt="" data-size="original">\
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!

{% embed url="https://go.intigriti.com/hacktricks" %}
Expand Up @@ -25,7 +25,7 @@ description: >-

## Pentesting Methodology

![](<../.gitbook/assets/p2 (1).png>)
![](../.gitbook/assets/p2.png)

### 0- Physical Attacks

Expand Up @@ -137,7 +137,7 @@ Responder is going to **impersonate all the service using the mentioned protocol

It is possible to try to downgrade to NetNTLMv1 or to try to disable ESS.

![](<../../.gitbook/assets/poison (1) (1).jpg>)
![](<../../.gitbook/assets/poison (1) (1) (1).jpg>)

### Inveigh - C#/PowerShell Responder

Expand Down Expand Up @@ -213,7 +213,7 @@ python MultiRelay.py -t <IP target> -u ALL -d #-d to dump hashes
# Use proxychains if you need to route the traffic to reach the attacked ip
```

![](<../../.gitbook/assets/image (209) (1).png>)
![](<../../.gitbook/assets/image (209).png>)

### Force NTLM Logins

Expand All @@ -231,7 +231,7 @@ To disable LLMNR in your domain for DNS clients, open gpedit.msc.\
Navigate to Computer Configuration->Administrative Templates->Network->DNS client.\
Locate the option “Turn off multicast name resolution” and click “policy setting”:

![](<../../.gitbook/assets/1 (1).jpg>)
![](../../.gitbook/assets/1.jpg)

Once the new window opens, enable this option, press Apply and click OK:

4 changes: 2 additions & 2 deletions generic-methodologies-and-resources/pentesting-wifi/README.md
Expand Up @@ -283,7 +283,7 @@ Some really bad implementations allowed the Null PIN to connect (very weird also

All the proposed WPS attacks can be easily performed using _**airgeddon.**_

![](<../../.gitbook/assets/image (201) (1).png>)
![](<../../.gitbook/assets/image (124).png>)

* 5 and 6 lets you try **your custom PIN** (if you have any)
* 7 and 8 perform the **Pixie Dust attack**
Expand Down Expand Up @@ -376,7 +376,7 @@ _Note that as the client was deauthenticated it could try to connect to a differ

Once in the `airodump-ng` appears some handshake information this means that the handshake was captured and you can stop listening:

![](<../../.gitbook/assets/image (172) (1) (1).png>)
![](<../../.gitbook/assets/image (172) (1).png>)

Once the handshake is captured you can **crack** it with `aircrack-ng`:

Expand Up @@ -337,7 +337,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors

![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>)

{% hint style="info" %}
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\
Expand Down Expand Up @@ -378,7 +378,7 @@ Note that **in order to increase the credibility of the email**, it's recommende
* Search for **public emails** like [email protected] or [email protected] or [email protected] and send them an email and wait for the response.
* Try to contact **some valid discovered** email and wait for the response

![](<../../.gitbook/assets/image (393).png>)
![](<../../.gitbook/assets/image (67) (1).png>)

{% hint style="info" %}
The Email Template also allows to **attach files to send**. If you would also like to steal NTLM challenges using some specially crafted files/documents [read this page](../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md).
2 changes: 1 addition & 1 deletion linux-hardening/privilege-escalation/linux-capabilities.md
Expand Up @@ -953,7 +953,7 @@ int main(int argc,char* argv[] )
I exploit needs to find a pointer to something mounted on the host. The original exploit used the file /.dockerinit and this modified version uses /etc/hostname. If the exploit isn't working maybe you need to set a different file. To find a file that is mounted in the host just execute mount command:
{% endhint %}
![](<../../.gitbook/assets/image (407) (1).png>)
![](<../../.gitbook/assets/image (407) (2).png>)
**The code of this technique was copied from the laboratory of "Abusing DAC\_READ\_SEARCH Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com)
Expand Up @@ -203,7 +203,7 @@ The offsets of any constructors are held in the **\_\_mod\_init\_func** section

The heart of the file is the final region, the data, which consists of a number of segments as laid out in the load-commands region. **Each segment can contain a number of data sections**. Each of these sections **contains code or data** of one particular type.

![](<../../.gitbook/assets/image (507) (3).png>)
![](<../../.gitbook/assets/image (555).png>)

**Get the info**

Expand Up @@ -122,7 +122,7 @@ It follows a few steps to get the Activation Record performed by **`MCTeslaConfi
2. The JSON payload is encrypted using Absinthe (**`NACSign`**)
3. All requests over HTTPs, built-in root certificates are used

![](<../../../.gitbook/assets/image (566).png>)
![](<../../../.gitbook/assets/image (566) (1).png>)

The response is a JSON dictionary with some important data like:

Expand All @@ -142,7 +142,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate (from APNS)**
* **Certificate chain** includes expired **Apple iPhone Device CA**

![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)

### Step 6: Profile Installation

2 changes: 1 addition & 1 deletion mobile-pentesting/android-app-pentesting/README.md
Expand Up @@ -402,7 +402,7 @@ _Note that you can **omit the package name** and the mobile will automatically c

In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.

![](<../../.gitbook/assets/image (436) (1) (1).png>)
![](<../../.gitbook/assets/image (436) (1) (1) (1).png>)

**Sensitive info**

Expand Up @@ -237,7 +237,7 @@ In this case you could try to abuse the functionality creating a web with the fo

In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**.

![](<../../.gitbook/assets/image (436) (1) (1).png>)
![](<../../.gitbook/assets/image (436) (1) (1) (1).png>)

Learn how to [call deep links without using HTML pages](./#exploiting-schemes-deep-links).


0 comments on commit 545a258
