impr

Author: carlospolop

src/SUMMARY.md

@@ -284,8 +284,10 @@
   - [Places to steal NTLM creds](windows-hardening/ntlm/places-to-steal-ntlm-creds.md)
 - [Lateral Movement](windows-hardening/lateral-movement/README.md)
   - [AtExec / SchtasksExec](windows-hardening/lateral-movement/atexec.md)
-  - [DCOM Exec](windows-hardening/lateral-movement/dcom-exec.md)
+  - [DCOM Exec](windows-hardening/lateral-movement/dcomexec.md)
   - [PsExec/Winexec/ScExec](windows-hardening/lateral-movement/psexec-and-winexec.md)
+  - [RDPexec](windows-hardening/lateral-movement/rdpexec.md)
+  - [SCMexec](windows-hardening/lateral-movement/scmexec.md)
   - [SmbExec/ScExec](windows-hardening/lateral-movement/smbexec.md)
   - [WinRM](windows-hardening/lateral-movement/winrm.md)
   - [WmiExec](windows-hardening/lateral-movement/wmiexec.md)
@@ -299,6 +301,7 @@
   - [PowerView/SharpView](windows-hardening/basic-powershell-for-pentesters/powerview.md)
 - [Antivirus (AV) Bypass](windows-hardening/av-bypass.md)
 - [Cobalt Strike](windows-hardening/cobalt-strike.md)
+- [Mythic](windows-hardening/mythic.md)
 
 # 📱 Mobile Pentesting
 

src/backdoors/salseo.md

@@ -10,7 +10,7 @@ Compile those projects for the architecture of the windows box where your are go
 
 You can **select the architecture** inside Visual Studio in the **left "Build" Tab** in **"Platform Target".**
 
-(\*\*If you can't find this options press in **"Project Tab"** and then in **"\<Project Name> Properties"**)
+(**If you can't find this options press in **"Project Tab"** and then in **"\<Project Name> Properties"**)
 
 ![](<../images/image (132).png>)
 

src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md

@@ -245,7 +245,7 @@ Let's explain this final ROP.\
 The last ROP (`rop1`) ended calling again the main function, then we can **exploit again** the **overflow** (that's why the `OFFSET` is here again). Then, we want to call `POP_RDI` pointing to the **addres** of _"/bin/sh"_ (`BINSH`) and call **system** function (`SYSTEM`) because the address of _"/bin/sh"_ will be passed as a parameter.\
 Finally, the **address of exit function** is **called** so the process **exists nicely** and any alert is generated.
 
-**This way the exploit will execute a \_/bin/sh**\_\*\* shell.\*\*
+**This way the exploit will execute a _/bin/sh_ shell.**
 
 ![](<../../../../images/image (165).png>)
 

src/binary-exploitation/stack-overflow/README.md

@@ -27,7 +27,7 @@ void vulnerable() {
 
 The most common way to find stack overflows is to give a very big input of `A`s (e.g. `python3 -c 'print("A"*1000)'`) and expect a `Segmentation Fault` indicating that the **address `0x41414141` was tried to be accessed**.
 
-Moreover, once you found that there is Stack Overflow vulnerability you will need to find the offset until it's possible to **overwrite the return address**, for this it's usually used a **De Bruijn sequence.** Which for a given alphabet of size _k_ and subsequences of length _n_ is a **cyclic sequence in which every possible subsequence of length \_n**\_\*\* appears exactly once\*\* as a contiguous subsequence.
+Moreover, once you found that there is Stack Overflow vulnerability you will need to find the offset until it's possible to **overwrite the return address**, for this it's usually used a **De Bruijn sequence.** Which for a given alphabet of size _k_ and subsequences of length _n_ is a **cyclic sequence in which every possible subsequence of length _n_ appears exactly once** as a contiguous subsequence.
 
 This way, instead of needing to figure out which offset is needed to control the EIP by hand, it's possible to use as padding one of these sequences and then find the offset of the bytes that ended overwriting it.
 

src/crypto-and-stego/crypto-ctfs-tricks.md

@@ -212,7 +212,7 @@ krodfdudfrod
 
 **Multitap** [replaces a letter](https://www.dcode.fr/word-letter-change) by repeated digits defined by the corresponding key code on a mobile [phone keypad](https://www.dcode.fr/phone-keypad-cipher) (This mode is used when writing SMS).\
 For example: 2=A, 22=B, 222=C, 3=D...\
-You can identify this code because you will see\*\* several numbers repeated\*\*.
+You can identify this code because you will see** several numbers repeated**.
 
 You can decode this code in: [https://www.dcode.fr/multitap-abc-cipher](https://www.dcode.fr/multitap-abc-cipher)
 

src/cryptography/crypto-ctfs-tricks.md

@@ -212,7 +212,7 @@ krodfdudfrod
 
 **Multitap** [replaces a letter](https://www.dcode.fr/word-letter-change) by repeated digits defined by the corresponding key code on a mobile [phone keypad](https://www.dcode.fr/phone-keypad-cipher) (This mode is used when writing SMS).\
 For example: 2=A, 22=B, 222=C, 3=D...\
-You can identify this code because you will see\*\* several numbers repeated\*\*.
+You can identify this code because you will see** several numbers repeated**.
 
 You can decode this code in: [https://www.dcode.fr/multitap-abc-cipher](https://www.dcode.fr/multitap-abc-cipher)
 

src/forensics/basic-forensic-methodology/anti-forensic-techniques.md

@@ -4,7 +4,7 @@
 # Timestamps
 
 An attacker may be interested in **changing the timestamps of files** to avoid being detected.\
-It's possible to find the timestamps inside the MFT in attributes `$STANDARD_INFORMATION` ** and ** `$FILE_NAME`.
+It's possible to find the timestamps inside the MFT in attributes `$STANDARD_INFORMATION`**and**`$FILE_NAME`.
 
 Both attributes have 4 timestamps: **Modification**, **access**, **creation**, and **MFT registry modification** (MACE or MACB).
 

src/generic-hacking/exfiltration.md

@@ -362,7 +362,7 @@ Then copy-paste the text into the windows-shell and a file called nc.exe will be
 
 ## DNS
 
-- [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
+- [https://github.com/Stratiz/DNS-Exfil](https://github.com/Stratiz/DNS-Exfil)
 
 {{#include ../banners/hacktricks-training.md}}
 

src/generic-hacking/tunneling-and-port-forwarding.md

@@ -193,7 +193,7 @@ To note:
 > [!WARNING]
 > In this case, the **port is opened in the beacon host**, not in the Team Server and the **traffic is sent to the Cobalt Strike client** (not to the Team Server) and from there to the indicated host:port
 
-```
+```bash
 rportfwd_local [bind port] [forward host] [forward port]
 rportfwd_local stop [bind port]
 ```

src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md

@@ -54,7 +54,7 @@ Inveigh is a tool for penetration testers and red teamers, designed for Windows
 
 Inveigh can be operated through PowerShell:
 
-```powershell
+```bash
 Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y
 ```
 

src/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md

@@ -20,7 +20,7 @@ You could also **abuse a mount to escalate privileges** inside the container.
     - `--userns=host`
     - `--uts=host`
     - `--cgroupns=host`
-- \*\*`--device=/dev/sda1 --cap-add=SYS_ADMIN --security-opt apparmor=unconfined` \*\* -> This is similar to the previous method, but here we are **mounting the device disk**. Then, inside the container run `mount /dev/sda1 /mnt` and you can **access** the **host filesystem** in `/mnt`
+- **`--device=/dev/sda1 --cap-add=SYS_ADMIN --security-opt apparmor=unconfined`** -> This is similar to the previous method, but here we are **mounting the device disk**. Then, inside the container run `mount /dev/sda1 /mnt` and you can **access** the **host filesystem** in `/mnt`
   - Run `fdisk -l` in the host to find the `</dev/sda1>` device to mount
 - **`-v /tmp:/host`** -> If for some reason you can **just mount some directory** from the host and you have access inside the host. Mount it and create a **`/bin/bash`** with **suid** in the mounted directory so you can **execute it from the host and escalate to root**.
 

src/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md

@@ -25,7 +25,7 @@ Coming at some point of 2023...
 
 #### openssl
 
-\***\*[**In this post,**](https://www.form3.tech/engineering/content/exploiting-distroless-images) it is explained that the binary **`openssl`** is frequently found in these containers, potentially because it's **needed\*\* by the software that is going to be running inside the container.
+\***\*[**In this post,**](https://www.form3.tech/engineering/content/exploiting-distroless-images) it is explained that the binary **`openssl`** is frequently found in these containers, potentially because it's **needed** by the software that is going to be running inside the container.
 
 {{#include ../../../banners/hacktricks-training.md}}
 

src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md

@@ -199,7 +199,7 @@ cat /dev/fb0 > /tmp/screen.raw
 cat /sys/class/graphics/fb0/virtual_size
 ```
 
-To **open** the **raw image** you can use **GIMP**, select the \*\*`screen.raw` \*\* file and select as file type **Raw image data**:
+To **open** the **raw image** you can use **GIMP**, select the **`screen.raw`** file and select as file type **Raw image data**:
 
 ![](<../../../images/image (463).png>)
 

src/linux-hardening/privilege-escalation/linux-active-directory.md

@@ -70,7 +70,7 @@ This procedure will attempt to inject into various sessions, indicating success
 
 SSSD maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`. The corresponding key is stored as a hidden file at the path `/var/lib/sss/secrets/.secrets.mkey`. By default, the key is only readable if you have **root** permissions.
 
-Invoking \*\*`SSSDKCMExtractor` \*\* with the --database and --key parameters will parse the database and **decrypt the secrets**.
+Invoking **`SSSDKCMExtractor`** with the --database and --key parameters will parse the database and **decrypt the secrets**.
 
 ```bash
 git clone https://github.com/fireeye/SSSDKCMExtractor

src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md

@@ -143,7 +143,7 @@ ARM64 instructions generally have the **format `opcode dst, src1, src2`**, where
 - **`lsl`**, **`lsr`**, **`asr`**, **`ror`, `rrx`**:
   - **Logical shift left**: Add 0s from the end moving the other bits forward (multiply by n-times 2)
   - **Logical shift right**: Add 1s at the beginning moving the other bits backward (divide by n-times 2 in unsigned)
-  - **Arithmetic shift right**: Like **`lsr`**, but instead of adding 0s if the most significant bit is a 1, \*\*1s are added (\*\*divide by ntimes 2 in signed)
+  - **Arithmetic shift right**: Like **`lsr`**, but instead of adding 0s if the most significant bit is a 1, **1s are added (**divide by ntimes 2 in signed)
   - **Rotate right**: Like **`lsr`** but whatever is removed from the right it's appended to the left
   - **Rotate Right with Extend**: Like **`ror`**, but with the carry flag as the "most significant bit". So the carry flag is moved to the bit 31 and the removed bit to the carry flag.
 - **`bfm`**: **Bit Filed Move**, these operations **copy bits `0...n`** from a value an place them in positions **`m..m+n`**. The **`#s`** specifies the **leftmost bit** position and **`#r`** the **rotate right amount**.
@@ -250,7 +250,7 @@ ldp x29, x30, [sp], #16  ; load pair x29 and x30 from the stack and increment th
 
 Armv8-A support the execution of 32-bit programs. **AArch32** can run in one of **two instruction sets**: **`A32`** and **`T32`** and can switch between them via **`interworking`**.\
 **Privileged** 64-bit programs can schedule the **execution of 32-bit** programs by executing a exception level transfer to the lower privileged 32-bit.\
-Note that the transition from 64-bit to 32-bit occurs with a lower of the exception level (for example a 64-bit program in EL1 triggering a program in EL0). This is done by setting the **bit 4 of** **`SPSR_ELx`** special register **to 1** when the `AArch32` process thread is ready to be executed and the rest of `SPSR_ELx` stores the **`AArch32`** programs CPSR. Then, the privileged process calls the **`ERET`** instruction so the processor transitions to **`AArch32`** entering in A32 or T32 depending on CPSR\*\*.\*\*
+Note that the transition from 64-bit to 32-bit occurs with a lower of the exception level (for example a 64-bit program in EL1 triggering a program in EL0). This is done by setting the **bit 4 of** **`SPSR_ELx`** special register **to 1** when the `AArch32` process thread is ready to be executed and the rest of `SPSR_ELx` stores the **`AArch32`** programs CPSR. Then, the privileged process calls the **`ERET`** instruction so the processor transitions to **`AArch32`** entering in A32 or T32 depending on CPSR**.**
 
 The **`interworking`** occurs using the J and T bits of CPSR. `J=0` and `T=0` means **`A32`** and `J=0` and `T=1` means **T32**. This basically traduces on setting the **lowest bit to 1** to indicate the instruction set is T32.\
 This is set during the **interworking branch instructions,** but can also be set directly with other instructions when the PC is set as the destination register. Example:

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md

@@ -431,6 +431,8 @@ Therefore, if you want to abuse entitlements to access the camera or microphone
 
 ## Automatic Injection
 
+- [**electroniz3r**](https://github.com/r3ggi/electroniz3r)
+
 The tool [**electroniz3r**](https://github.com/r3ggi/electroniz3r) can be easily used to **find vulnerable electron applications** installed and inject code on them. This tool will try to use the **`--inspect`** technique:
 
 You need to compile it yourself and can use it like this:
@@ -471,6 +473,12 @@ The webSocketDebuggerUrl is: ws://127.0.0.1:13337/8e0410f0-00e8-4e0e-92e4-58984d
 Shell binding requested. Check `nc 127.0.0.1 12345`
 ```
 
+
+- [https://github.com/boku7/Loki](https://github.com/boku7/Loki)
+
+Loki was designed to backdoor Electron applications by replacing the applications JavaScript files with the Loki Command & Control JavaScript files.
+
+
 ## References
 
 - [https://www.electronjs.org/docs/latest/tutorial/fuses](https://www.electronjs.org/docs/latest/tutorial/fuses)

src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md

@@ -118,7 +118,7 @@ In this example we have only defined 1 function in the definitions, but if we wo
 
 If the function was expected to send a **reply** the function `mig_internal kern_return_t __MIG_check__Reply__<name>` would also exist.
 
-Actually it's possible to identify this relation in the struct **`subsystem_to_name_map_myipc`** from **`myipcServer.h`** (**`subsystem*to_name_map*\***`\*\* in other files):
+Actually it's possible to identify this relation in the struct **`subsystem_to_name_map_myipc`** from **`myipcServer.h`** (**`subsystem*to_name_map*\***`** in other files):
 
 ```c
 #ifndef subsystem_to_name_map_myipc

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md

@@ -536,7 +536,7 @@ If you have **`kTCCServiceEndpointSecurityClient`**, you have FDA. End.
 
 ### User TCC DB to FDA
 
-Obtaining **write permissions** over the **user TCC** database you \*\*can'\*\*t grant yourself **`FDA`** permissions, only the one that lives in the system database can grant that.
+Obtaining **write permissions** over the **user TCC** database you **can'**t grant yourself **`FDA`** permissions, only the one that lives in the system database can grant that.
 
 But you can **can** give yourself **`Automation rights to Finder`**, and abuse the previous technique to escalate to FDA\*.
 

src/mobile-pentesting/android-app-pentesting/README.md

@@ -64,7 +64,7 @@ Pay special attention to **firebase URLs** and check if it is bad configured. [M
 
 ### Basic understanding of the application - Manifest.xml, strings.xml
 
-The **examination of an application's \_Manifest.xml**_\*\* and \*\*_**strings.xml**\_\*\* files can reveal potential security vulnerabilities\*\*. These files can be accessed using decompilers or by renaming the APK file extension to .zip and then unzipping it.
+The **examination of an application's _Manifest.xml_ and **_strings.xml_** files can reveal potential security vulnerabilities**. These files can be accessed using decompilers or by renaming the APK file extension to .zip and then unzipping it.
 
 **Vulnerabilities** identified from the **Manifest.xml** include:
 

src/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md

@@ -164,7 +164,7 @@ A exported service is declared inside the Manifest.xml:
 <service android:name=".AuthService" android:exported="true" android:process=":remote"/>
 ```
 
-Inside the code **check** for the \*\*`handleMessage`\*\*function which will **receive** the **message**:
+Inside the code **check** for the **`handleMessage`**function which will **receive** the **message**:
 
 ![](<../../../images/image (82).png>)
 

src/network-services-pentesting/5984-pentesting-couchdb.md

@@ -46,7 +46,7 @@ These are the endpoints where you can access with a **GET** request and extract
 
 - **`/_active_tasks`** List of running tasks, including the task type, name, status and process ID.
 - **`/_all_dbs`** Returns a list of all the databases in the CouchDB instance.
-- \*\*`/_cluster_setup`\*\*Returns the status of the node or cluster, per the cluster setup wizard.
+- **`/_cluster_setup`**Returns the status of the node or cluster, per the cluster setup wizard.
 - **`/_db_updates`** Returns a list of all database events in the CouchDB instance. The existence of the `_global_changes` database is required to use this endpoint.
 - **`/_membership`** Displays the nodes that are part of the cluster as `cluster_nodes`. The field `all_nodes` displays all nodes this node knows about, including the ones that are part of the cluster.
 - **`/_scheduler/jobs`** List of replication jobs. Each job description will include source and target information, replication id, a history of recent event, and a few other things.
@@ -58,8 +58,8 @@ These are the endpoints where you can access with a **GET** request and extract
 - **`/_node/{node-name}/_system`** The \_systemresource returns a JSON object containing various system-level statistics for the running server\_.\_ You can use \_\_`_local` as {node-name} to get current node info.
 - **`/_node/{node-name}/_restart`**
 - **`/_up`** Confirms that the server is up, running, and ready to respond to requests. If [`maintenance_mode`](https://docs.couchdb.org/en/latest/config/couchdb.html#couchdb/maintenance_mode) is `true` or `nolb`, the endpoint will return a 404 response.
-- \*\*`/_uuids`\*\*Requests one or more Universally Unique Identifiers (UUIDs) from the CouchDB instance.
-- \*\*`/_reshard`\*\*Returns a count of completed, failed, running, stopped, and total jobs along with the state of resharding on the cluster.
+- **`/_uuids`**Requests one or more Universally Unique Identifiers (UUIDs) from the CouchDB instance.
+- **`/_reshard`**Returns a count of completed, failed, running, stopped, and total jobs along with the state of resharding on the cluster.
 
 More interesting information can be extracted as explained here: [https://lzone.de/cheat-sheet/CouchDB](https://lzone.de/cheat-sheet/CouchDB)