I think it would be great to have a "Random page" link as there are on some wiki engines, I don't know if that would be possible with the Gitbook platform though.

I would definitely use that to discover and read about a new random subject while commuting.

Thank you for all that amazing work !!

forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md

in strings-per-processes theres "s" missing
./vol.py -f /tmp/file.dmp windows.strings.Strings --string-file /tmp/strings.txt

mod > ./vol.py -f /tmp/file.dmp windows.strings.Strings --strings-file /tmp/strings.txt

Add a privesc method of abusing open Docker sockets

Read more :

https://securityboulevard.com/2019/02/abusing-docker-api-socket/

In the other big References list there are two invalid:
https://rmusser.net/docs/Privilege%20Escalation%20&%20Post-Exploitation.html
https://www.0daysecurity.com/penetration-testing/enumeration.html

I'm sure this will be a controversial request to make for many people using Hacktricks however I will make it nonetheless. I'm one of those weird guys that prefers light themes over dark, and I was sad to find out that Hacktricks has removed the light theme in favour of a dark version. I would really appreciate an option to switch back to a light version of the site!

A new method of EoP has been discovered as described in https://itm4n.github.io/windows-registry-rpceptmapper-eop/

First of all, thanks for maintaining this project. It's an amazing resource :)

What I wanted to say is that commits aren't being used properly here. Most commit messages are empty:

Why do I care? I'm trying to setup an RSS Feed of the commits of this repo. With most commit messages having little to no content, an RSS feed is powerless. Besides that, having empty commit messages goes against all best practices; it makes it harder to track the changes
that are done to a project, and as a consequence also makes it harder to undo them.

All I'm really asking for is that you at least include the title of the modified section in the commit message 🙏

Regards.

Hello,
I have really enjoyed your Hack Trick series, but after trying your ROP-PWN template, I have encountered the following issue noted below. I would love to continue learning with the exercise. Please let me know if any additional details are needed.

I appreciate your help with this.

https://raw.githubusercontent.com/carlospolop/hacktricks/master/misc/basic-python/rop-pwn-template.md

$ python3 --version
Python 3.8.5

[] Loaded 14 cached gadgets for './vuln'
[] running in new terminal: /usr/bin/gdb -q "/home/palmistry/CTF/vuln" 2973 -x /tmp/pwnrsj3k9sx.gdb
[-] Waiting for debugger: debugger exited! (maybe check /proc/sys/kernel/yama/ptrace_scope)
[] Main start: 0x401156
[] Puts plt: 0x401054
[] pop rdi; ret gadget: 0x4011f3
[] puts GOT @ 0x404018
Traceback (most recent call last):
File "template.py", line 90, in
get_addr("puts") #Search for puts address in memmory to obtains libc base
File "template.py", line 72, in get_addr
rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
TypeError: can only concatenate str (not "bytes") to str

Hi , I wrote a tool, https://github.com/C4l1b4n/NoSQL-Attack-Suite , that can be used to automate NoSql Auth Bypass and to dump creds from a login form. It's similar to the one that is already linked on HackTricks page, but mine has more functionalities and it's tested to work on a larger environment (it's not a script just made to exploit Mango HTB machine).

For any question or improvement, feel free to ask :)
Thanks for the help given by HackTricks platform

https://www.criminalip.io/ - Criminal IP is a specialized Cyber Threat Intelligence (CTI) search engine that allows users to search for various security-related information such as malicious IP addresses, domains, banners, etc. It can be widely integrated

Line 35 in https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities#cap_dac_override docker breakout, the code has a simple syntax error.
The error is caused because there is no function definition before the opening braces. The missing function is find_handle.

Fix: Append
int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle *oh)
before the '{' in line 35.

Hello @carlospolop ,
After reading your API Security page (https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/web-api-pentesting), I wanted to suggest that you include Cherrybomb which is an API security tool that audit your API based on an OAS file(the tool written in rust).
The link to the tool: https://github.com/blst-security/cherrybomb

Unfortunately, I did not find any information for my question online, hence I am posting the question here with some positive hope. :)

I am pentesting an infotainment platform that is still under development. I am using Kali Linux and my system and Infotainment system(Linux) is on the same private network.
I did a nmap scanning(for all ports with option -p-) of the platform and found a few open ports.

111/tcp   open  rpcbind
3490/tcp  open  colubris
5355/tcp  open  llmnr
8888/tcp  open  sun-answerbook
9999/tcp  open  abyss
16509/tcp open  unknown
51331/tcp open  unknown
58485/tcp open  unknown

Doing a netcat on the ports, did not yield any information except for port 3490. On port 3490, I could read some logs that are being used by the IVI-Graphics, someIP logs(with service IDs),etc. I have also obtained some process and thread IDs of applications that are running on the system. I have also tried telnet on all open ports and it did not yield me any more information. I have done service version scans on all ports as well, it did not yield any significant information.

1. However, now I am stuck and unable to proceed any further. Does anyone have any other suggestions on approaching further?
2. Secondly, I know that the IVI system runs Linux and Android. Right now I am in the subnet of Linux. Linux and Android have a private virtual network between them. Is there any way, I can reach the virtual network and perform further pentest of android?

P.S. Since the system is still under development, I have a UART connection available with root access. However this will be disabled in the real production environment.

Heya,

I noticed Syncthing complaining about file conflicts and it seems you have two files for the same topic which looks like an oversight:

./hacktricks/pentesting/pentesting-SAP.md
./hacktricks/pentesting/pentesting-sap.md

I guess you can delete the outdated one :)

do not how to pull...so write it here

file:
hacktricks/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md

in method2:
latest alpine image does not contain this file ==> rootfs/usr/share/alpine-mirrors/Mirrors.txt

walkaround:
edit build_alpine file on line 22
origin => yaml_path="latest_stable/releases/$apk_arch/latest-releases.yaml"
new => yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml"

Is there a way to have a port open for the internet on a domain?

Example port 666 - domain: clonefish00.whatever? So I can sent to the specific users the link and they can login with their access ? Less then 5 users are planned

If you're going to copy content from the RTO course and exam, the least you could do is change the hostnames...

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/abusing-ad-mssql

https://book.hacktricks.xyz/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp

The package "libapache2-mod-jk" is no longer available in Kali Linux. It's necessary for the "AJP Proxy" section. My workaround was downloading it from a Debian repo here: https://packages.debian.org/buster/libapache2-mod-jk

sudo apt-get install libapache2-mod-jk
sudo vim /etc/apache2/apache2.conf # append the following line to the config
    Include ajp.conf
sudo vim /etc/apache2/ajp.conf     # create the following file, change HOST to the target address 
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from localhost
    </Proxy>
    ProxyPass       / ajp://HOST:8009/
    ProxyPassReverse    / ajp://HOST:8009/
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo systemctl restart apache2

According to this page the package was removed from Kali Rolling and Dev in August 2022 https://pkg.kali.org/pkg/libapache-mod-jk

Full disclosure I am kind of a noob, so I'm not sure if this is the optimal workaround, but it did get everything working for me.

You should mention that you can interact with SMB ...

SMB Interaction:

In the terminal:

xdg-open smb://cascade.htb/

In file browser window (nautilus, thunar, etc)

smb://friendzone.htb/general/

@carlospolop Hello! Huge thanks to you, Hacktrick has become the de-facto reference platform for penetration testing.

I've been wanting to ask, if you are thinking of hosting Hacktrick in multiple languages, such as Japanese? Many penetration testers in Japan also rely on Hacktrick for knowledge of penetration testing.

If you agree with this, let me know and I'll start translating the document :))

I just noticed that https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md has a typo in the file name, however I was wondering if there was a preferred mechanism for handling redirects in case anyone already has it bookmarked or deep linked?

languaje ➡ language

I really enjoy this site and the information you've created. I tried a number of ways to scrape the site to a PDF or ebook for offline consumption, but none of them worked or they looked really bad. :)

@carlospolop, in order to increase the ease of workflow while pen-testing/CTF-ing, I put together a platform to host "basic-information" and "enumeration" scans (as annotated by this book). My thought is that 80% of the time, per open port you are only going to do a banner grab and the initial enumeration to see if it is a foothold opportunity. If you think this is a good idea, let me know and I'll work on coming up with a curl-based API tool to populate the TireFire database periodically with updates to hacktricks.
https://github.com/coolhandsquid/TireFire
If you would like to reach me more privately [email protected].
HackTricks is a great resource and I love what you do!

In https://github.com/carlospolop/hacktricks/blob/master/mobile-apps-pentesting/android-app-pentesting/README.md#owasp there are 2 links marked as one:

• https://github.com/OWASP/owasp-mstg
• https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication

Could do a pull request later today in the evening, if preferred.

Hi Carlos,

Would you like to add tcpdump over ssh in Pentesting Network?

Sometimes remote machines without wireshark become very useful :)

You can test it in Lightweight (From HTB Machine).

ssh user@remote_ip /sbin/tcpdump -i ens160 -U -s0 -w - | wireshark -k -i -

# exclude ssh traffic
ssh user@remote_ip /sbin/tcpdump -i ens160 -U -s0 -w - 'port not 22' | wireshark -k -i -

Thank you for your hacktricks.

Threats detected: JS/Miner.ck

Please have a look if this is intended, and document if so.

In here,
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#jinja2-python

I think, It can add more Command remote execution on jinja2? it's simple and useful.

The example from here

{{request.application.__globals__.__builtins__.__import__('os')['popen']('ls')['read']()}}
{{request['application']['__globals__']['__builtins__']['__import__']('os')['popen']('ls')['read']()}}
{{request['application']['\x5f\x5fglobals\x5f\x5f']['\x5f\x5fbuiltins\x5f\x5f']['\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f']('\x6f\x73')['\x70\x6f\x70\x65\x6e']('ls')['read']()}}

It is useful for late machine on hackthebox like this:

{{request.application.__globals__.__builtins__.__import__("os").popen("whoami").read()}}

Thank you for your HackTricks.

Hi,

thanks for this awesome project, you really did a great work on this. Would it be possible to implement night mode? I'd send a PR for that but there are no actual css sources in the repo so i can't do that directly. I think some other people would consider such a feature useful as well.

Keep up the good work :)

I saw my change made in #318 was not reflected to https://book.hacktricks.xyz/network-services-pentesting/1883-pentesting-mqtt-mosquitto.

That's because I PRed to pentesting/1883-8883-pentesting-mqtt-mosquitto.md which is not displayed on the website. Only the duplicated page network-services-pentesting/1883-pentesting-mqtt-mosquitto.md.

Gitbook seems to generate a lot of mess and duplicate files 😂

I suggest:

• Removing network-services-pentesting/1883-pentesting-mqtt-mosquitto.md
• Moving pentesting/1883-8883-pentesting-mqtt-mosquitto.md to network-services-pentesting/1883-8883-pentesting-mqtt-mosquitto.md

Hi there!

There are 2 ways you can obtain a PDF version of HACKTRICKS:

• As a way to support the development of HACKTRICKS, buy the PDF copy here: https://github.com/sponsors/carlospolop
• Share some cool hacking tricks via push request here. Once your(s) push request(s) are accepted, ask for your PDF copy of hacktricks inside the Telegram group https://t.me/peass. (Note that push requests fixing syntax/grammar errors are also rewardable, but you should fix a lot of errors, not just one or a few).

I will try to generate a new version every month. Note that you can only request the PDF of the month when you sent the push request (or of the following month of you want to wait until your push request appears in the PDF).

IMPORTANT: The PDF is automatically generated from the gitbook online book. Therefore do not expect it to be perfectly formatted. If you have any suggestions about how to improve the exported PDF share them in this issue. Currently this is being used: https://www.forgebox.io/view/gitbook-exporter

Hi, I think it need to add Linux Privilege Escalation Environment Variables
locate in the sudoer file:
https://atom.hackstreetboys.ph/linux-privilege-escalation-environment-variables/

Thank you for your HackTricks.

Hey there,

I just ran into something that would be probably nice to have as information to pentest SMB shares:

I'm actually getting restricted from displaying available network shares on a windows machine, which first made me believe there aren't any open shares. After researching though (reading the section about SMB of the Network Security Assessment, 3rd Edition book) I found the names of common shares and tested them manually, which actually lead to successfully connecting to an exposed share.

So my enhancement would be to add a section at "139,445 - Pentesting SMB", that encourages to manually test for common open shares regardless if they are displayed or not.

Common share names for windows described in the book are

IPC$
C$
D$
ADMIN$
PRINT$
FAX$
SYSVOL
NETLOGON

I used the following command to manually test the shares

smbclient -U '%' -N \\\\IP\\SHARE

Please let me know what you think and thank you for such an awesome resourse.

Hello author, absolutely great content. I have one doubt? in https://book.hacktricks.xyz/windows-hardening/basic-cmd-for-pentesters#processes-services-and-software - how it is possible to for cat and grep command to be in cmd? Please provide guidance.

When reading this section: https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/csrf-cross-site-request-forgery.md#content-type-change
I'm not sure if this is correct. It says that:

You can change to POST Content-Type to application/json, application/x-url-encoded or form-multipart and maybe you will be able to bypass the CSRF token.

Instead of application/json, shouldn't be text/plain?

As far as I know, the three content types that doesn't trigger CORS Preflight Request are (reference: MDN):

• application/x-www-form-urlencoded
• multipart/form-data
• text/plain

If a device is not rooted you can backup app data if ADB backup is enabled. However you can extract app data from any app remotely if device is rooted using these commands that are not listed. Steps to extract data:

1. First obtain root shell using command inside device shell x86_64:/ $ su
2. Make app directory readable x86_64:/ # chmod 777 /data/data/com.package
3. Copy data to Internal Storage x86_64:/ # cp -r /data/data/com.package /sdcard Note: Using ADB attacker cannot obtain data directly by using command " adb pull /data/data/com.package". He is compulsorily required to move data to Internal storage and then he can pull that data.
4. Then simply retrieve data using adb pull "/sdcard/com.package"
   Then you will simply have app's private data in your hand. An Attacker can abuse this data to perform malicious actions, like attacker can simply store this data in his own rooted device and can login as victim, or Attacker can extract various cookies and token from app's private data.
   I first exploited this bug to obtain and retrieve Android Chrome Login Data and extract usernames and passwords of victim. I have submitted this bug to google chrome team and you can check that out for more research and better commands. Here is link of Bug Report:
   https://bugs.chromium.org/p/chromium/issues/detail?id=1129358
   Further I have also created tool for extraction of Android chrome Login Data. Here is link of tool
   https://github.com/chibaku-cyber/ADBstealer
   Please note that I am not maintaining tool actively and has lot of bugs, sometimes even it will not work. But sometimes it does its task correctly.
   After doing your own research and reading my report add commands for extracting app data.

Add the link to the website instead of this description :

No description, website, or topics provided.

There is an attack which is not (or not well) documented in the GitBook.

The attack is about stealing NetNTLM hashes from a victim by pushing a malicious dhcp configuration then pushing a malicious wpad configuration, permitting to grab those hashes.

More on the attack :

• https://github.com/lgandx/Responder/wiki/DHCP-Server
• https://twitter.com/pythonresponder/status/1384685967978676225
• https://g-laurent.blogspot.com/2021/08/responders-dhcp-poisoner.html

Thanks 🚀

Best Practice details how to use Criminalip.
https://www.criminalip.io/developer/best-practice

It is also provided by Filter, tags, API, etc.
https://www.criminalip.io/developer/filters-and-tags/filters
https://www.criminalip.io/developer/filters-and-tags/tags
https://www.criminalip.io/developer/api/post-user-me

If you use Asset Search in CriminalIP, you can obtain various information by referring to filter URLs such as IP or tag, and if you use Domain Search, you can determine the presence or absence of malicious/phishing sites.

I answered what page I should put in the previously requested content, but Criminalip supports OSINT such as malicious IP, phishing site, and Domain search.

It is a wide range of CTI platforms such as shodan and censys, so please check it.

New java CVE sounds nicely to add...

Are some pages supposed to be in spanish?
https://book.hacktricks.xyz/exploiting/linux-exploiting-basic-esp

It appears "attack machine" and "victim" are reversed in this section. Enable-PSRemoting is used to configure a computer to recieve powershell commands, not to send them. Although attacks do vary, it's less likely an attacker would need to setup the attacking machine with powershell remote enabled.

Relating this part of HackTricks.

The bypass shown here doesn't work on either the latest Chrome or Firefox. Is there any source where this came from?

PoC:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' ;">
</head>
<body>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
    <param name="AllowScriptAccess" value="always"></object>
</body>
</html>

This results in Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

Hi,

Doing some research on Linux LPE, I noticed that the Linux Privilege Escalation page mentions sudo <= v1.28 being vulnerable.
However, as per the article here https://www.exploit-db.com/exploits/47502, the version is instead 1.8.28.
They say that its been fixed in 1.8.28 but I've read in another article (can't find the link anymore) that it is still valid in 1.8.28.
Most probably a typo.

Thank you.

Page - https://book.hacktricks.xyz/network-services-pentesting/pentesting-web

Tool - https://github.com/projectdiscovery/katana

Also I recommend checking it out, its kinda cool

Best regards :)

This one needs to be updated i think.

Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)

With maybe this one https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation. Maybe it was moved.

pentesting/pentesting-vnc.md

use auxiliary/scanner/vnc/vnc_login

set RHOSTS
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst

Under section "To-Do" sub section "Other Big References".

The link for "Enumeration Cheat Sheet for Windows Targets", is sending users to a link unintended for the purposes of the book.

I see you have no LICENSE file for this project. The default is copyright.

I would suggest releasing the document under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license so that others are encouraged to contribute changes back to your project.

It is possible to read SYSTEM SAM SECURITY on fully patch windows 10 & 11.

https://mobile.twitter.com/gentilkiwi/status/1417229454305267714