GitBook: [master] 9 pages and 12 assets modified

Author: carlospolop

.gitbook/assets/image (466) (2) (2) (1).png renamed to .gitbook/assets/image (466) (2) (2) (2) (1).png

@@ -1,4 +1,5 @@
 # CTF Write-ups
 
-- [Write-up factory](https://writeup.raw.pm/) - Seach engine to find write-ups (TryHackMe, HackTheBox, etc.)
-- [CTFtime Write-ups](https://ctftime.org/writeups) - Newest write-ups added to CTF events on CTFtime
+* [Write-up factory](https://writeup.raw.pm/) - Seach engine to find write-ups \(TryHackMe, HackTheBox, etc.\)
+* [CTFtime Write-ups](https://ctftime.org/writeups) - Newest write-ups added to CTF events on CTFtime
+

.gitbook/assets/image (466) (2) (2).png renamed to .gitbook/assets/image (466) (2) (2) (2) (2).png

@@ -130,7 +130,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
 
 Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).
 
-![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%281%29.png)
+![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
 
 ### USB Detective
 

.gitbook/assets/image (477) (2) (2) (1).png renamed to .gitbook/assets/image (477) (2) (2) (2) (1).png

@@ -601,7 +601,7 @@ Many apps log informative \(and potentially sensitive\) messages to the console
 5. Reproduce the problem.
 6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
 
-![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%281%29.png)
+![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
 
 You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
 

.gitbook/assets/image (477) (2) (2).png renamed to .gitbook/assets/image (477) (2) (2) (2) (2).png

@@ -779,7 +779,7 @@ exit;
 
 ## Resources
 
-In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect)  you can find fuzzing lists.  
+In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) you can find fuzzing lists.  
 [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)  
 [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
 

.gitbook/assets/image (507) (2).png

@@ -133,7 +133,7 @@ private_bits = [
 * `username` is the user who started this Flask
 * `modname` is flask.app
 * `getattr(app, '__name__', getattr (app .__ class__, '__name__'))` is Flask
-* `getattr(mod, '__file__', None)` is the absolute path of `app.py` in the flask directory (e.g. `/usr/local/lib/python3.5/dist-packages/flask/app.py`). If `app.py` doesn't work, try `app.pyc`
+* `getattr(mod, '__file__', None)` is the absolute path of `app.py` in the flask directory \(e.g. `/usr/local/lib/python3.5/dist-packages/flask/app.py`\). If `app.py` doesn't work, try `app.pyc`
 * `uuid.getnode()` is the MAC address of the current computer, `str (uuid.getnode ())` is the decimal expression of the mac address
 * `get_machine_id()` read the value in `/etc/machine-id` or `/proc/sys/kernel/random/boot_id` and return directly if there is, sometimes it might be required to append a piece of information within `/proc/self/cgroup` that you find at the end of the first line \(after the third slash\)
 

.gitbook/assets/image (533).png

@@ -34,7 +34,7 @@ For more information read [https://www.bleepingcomputer.com/news/security/hijack
 
 ### Basic checks
 
-Once you have a list of potential suspicions domain names you should **check**  them \(mainly the ports HTTP and HTTPS\) to **see if they are using some login form similar** to someone of the victim's domain.  
+Once you have a list of potential suspicions domain names you should **check** them \(mainly the ports HTTP and HTTPS\) to **see if they are using some login form similar** to someone of the victim's domain.  
 You could also check the port 3333 to see if it's open and running an instance of `gophish`.  
 It's also interesting to know **how old each discovered suspicions domain is**, the younger it's the riskier it is.  
 You can also get **screenshots** of the HTTP and/or HTTPS suspicious web page to see if it's really suspicious and in that case **access it to take a deeper look**.
@@ -51,7 +51,7 @@ The parent page also mentions a domain name variation technique that consist on
 
 ### Certificate Transparency
 
-It's not possible to take the previous "Brute-Force" approach but it's actually **possible to uncover this phishing attempts** also thanks to certificate transparency. Every time a certificate is emitted by a CA, the details are made public. This means that reading the certificate transparency or even monitoring it, it's **possible to find domains that are using a keyword inside it's name** For example, if attackers generates a certificate of https://paypal-financial.com, seeing the certificate it's possible to find the keyword "paypal" and know that that suspicions email is being used.
+It's not possible to take the previous "Brute-Force" approach but it's actually **possible to uncover this phishing attempts** also thanks to certificate transparency. Every time a certificate is emitted by a CA, the details are made public. This means that reading the certificate transparency or even monitoring it, it's **possible to find domains that are using a keyword inside it's name** For example, if attackers generates a certificate of [https://paypal-financial.com](https://paypal-financial.com), seeing the certificate it's possible to find the keyword "paypal" and know that that suspicions email is being used.
 
 The post [https://0xpatrik.com/phishing-domains/](https://0xpatrik.com/phishing-domains/) suggest that you can use Censys to search for certificates affecting a specific keyword and filter by date \(only "new" certificates\) and by the CA issuer "Let's Encrypt":
 

.gitbook/assets/image (535).png renamed to .gitbook/assets/image (536) (1).png

@@ -17,7 +17,7 @@ DOCX files referencing a remote template \(File –Options –Add-ins –Manage:
 ### Word with external image
 
 Go to: _Insert --> Quick Parts --> Field_  
-_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**: http://<ip>/whatever_
+_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ [http://&lt;ip&gt;/whatever](http://<ip>/whatever)
 
 ![](../.gitbook/assets/image%20%28347%29.png)
 

ctf-write-ups/README.md

@@ -2,9 +2,8 @@
 
 ## Full TTY
 
-Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found the /etc/shells file   
-This incident has been reported`.
-Also note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`. 
+Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found the /etc/shells file    
+This incident has been reported`. Also note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`.
 
 ```bash
 python3 -c 'import pty; pty.spawn("/bin/bash")'
@@ -13,7 +12,7 @@ python3 -c 'import pty; pty.spawn("/bin/bash")'
 
 ```bash
 script -qc /bin/bash /dev/null
-(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; 
+(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
 ```
 
 ```bash