HackTricks

979 pages
HackTricks
HackTricks Hacktricks logos & motion design by @ppieranacho . Run HackTricks Locally # Download latest version of ha…
HackTricks Values & FAQ
HackTricks Values & FAQ HackTricks Values Tip These are the values of the HackTricks Project : Give FREE access to E…
About the author
About the author Hello!! Credits for techniques from other researchers belong to the original authors (see references). …
Pentesting Methodology
Pentesting Methodology Pentesting Methodology Hacktricks logos designed by @ppieranacho . 0- Physical Attacks Do you hav…
Fuzzing Methodology
Fuzzing Methodology Mutational Grammar Fuzzing: Coverage vs. Semantics In mutational grammar fuzzing , inputs are mutate…
External Recon Methodology
External Recon Methodology Assets discoveries So you were told that everything belonging to some company is inside the s…
Database Leaks
Database leaks Data Breach Search Engines greynoise - Search for IPs, Tags, CVEs, vpn, dns... Dehashed - You can search …
Wide Source Code Search
Wide Source Code Search The goal of this page is to enumerate platforms that allow searching for code (literal or regex)…
Github Dorks & Leaks
Github Dorks & Leaks Tools to find secrets in git repos and file system https://github.com/dxa4481/truffleHog https:…
Pentesting Network
Pentesting Network Discovering hosts from the outside This is going to be a brief section about how to find IPs respondi…
DHCPv6
DHCPv6 DHCPv6 vs. DHCPv4 Message Types Comparison A comparative view of DHCPv6 and DHCPv4 message types is presented in …
EIGRP Attacks
EIGRP Attacks This is a summary of the attacks exposed in https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-net…
GLBP & HSRP Attacks
GLBP & HSRP Attacks FHRP Hijacking Overview Insights into FHRP FHRP is designed to provide network robustness by mer…
IDS and IPS Evasion
IDS/IPS Evasion Techniques TTL Manipulation Send some packets with a TTL high enough to reach the IDS/IPS but not enough …
Lateral VLAN Segmentation Bypass
Lateral VLAN Segmentation Bypass If direct access to a switch is available, VLAN segmentation can be bypassed. This invo…
Network Protocols Explained (ESP)
Network Protocols Multicast DNS (mDNS) The mDNS protocol is designed for IP address resolution within small, local netwo…
Nmap Summary (ESP)
Nmap Summary (ESP) nmap -sV -sC -O -n -oA nmapscan 192.168.0.1/24 Parameters IPs to scan <ip>,<net/mask> : I…
Pentesting IPv6
Pentesting IPv6 IPv6 Basic theory Networks IPv6 addresses are structured to enhance network organization and device inte…
Telecom Network Exploitation
Telecom Network Exploitation (GTP / SS7 / Diameter / Roaming Environments) Note Mobile-core protocols (GPRS Tunnelling P…
WebRTC DoS
WebRTC DoS This issue was found in this blog post: https://www.rtcsec.com/article/novel-dos-vulnerability-affecting-webr…
Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks Network Protocols Local Host Resolution Protocols LLMNR, NBT…
Spoofing SSDP and UPnP Devices with EvilSSDP
Spoofing SSDP and UPnP Devices with EvilSSDP Check https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-d…
Pentesting Wifi
Pentesting Wifi Wifi basic commands ip link show #List available interfaces iwconfig #List available interfaces airmon-n…
Enable Nexmon Monitor And Injection On Android
Enable NexMon Monitor Mode & Packet Injection on Android (Broadcom chips) Overview Most modern Android phones embed …
Evil Twin EAP-TLS
Evil Twin EAP-TLS EAP-TLS is the common "secure" choice for WPA2/3-Enterprise, but two practical weaknesses regularly sh…
Phishing Methodology
Phishing Methodology Methodology Recon the victim Select the victim domain . Perform some basic web enumeration searchin…
Ai Agent Abuse Local Ai Cli Tools And Mcp
AI Agent Abuse: Local AI CLI Tools & MCP (Claude/Gemini/Codex/Warp) Overview Local AI command-line interfaces (AI CL…
Ai Agent Mode Phishing Abusing Hosted Agent Browsers
AI Agent Mode Phishing: Abusing Hosted Agent Browsers (AI‑in‑the‑Middle) Overview Many commercial AI assistants now offe…
Clipboard Hijacking
Clipboard Hijacking (Pastejacking) Attacks "Never paste anything you did not copy yourself." – old but still valid advic…
Clone a Website
Cloning a Website For a phishing assessment sometimes it might be useful to completely clone/dump a website . Note that …
Detecting Phishing
Detecting Phishing Introduction To detect a phishing attempt it's important to understand the phishing techniques that a…
Discord Invite Hijacking
Discord Invite Hijacking Discord’s invite system vulnerability allows threat actors to claim expired or deleted invite c…
Homograph Attacks
Homograph / Homoglyph Attacks in Phishing Overview A homograph (aka homoglyph) attack abuses the fact that many Unicode …
Mobile Phishing Malicious Apps
Mobile Phishing & Malicious App Distribution (Android & iOS) Info This page covers techniques used by threat act…
Phishing Files & Documents
Phishing Files & Documents Office Documents Microsoft Word performs file data validation before opening a file. Data…
Basic Forensic Methodology
Basic Forensic Methodology Creating and Mounting an Image ../../generic-methodologies-and-resources/basic-forensic-metho…
Adaptixc2 Config Extraction And Ttps
AdaptixC2 Configuration Extraction and TTPs AdaptixC2 is a modular, open‑source post‑exploitation/C2 framework with Wind…
Baseline Monitoring
File Integrity Monitoring Baseline A baseline consists of taking a snapshot of certain parts of a system to compare it w…
Anti-Forensic Techniques
Anti-Forensic Techniques Timestamps An attacker may be interested in changing the timestamps of files to avoid being det…
Docker Forensics
Docker Forensics Container modification There are suspicions that some docker container was compromised: docker ps CONTA…
Image Acquisition & Mount
Image Acquisition & Mount Acquisition Always acquire read-only and hash while you copy . Keep the original device wr…
Ios Backup Forensics
iOS Backup Forensics (Messaging‑centric triage) This page describes practical steps to reconstruct and analyze iOS backu…
Linux Forensics
Linux Forensics Initial Information Gathering Basic Information First of all, it's recommended to have some USB with goo…
Malware Analysis
Malware Analysis Forensics CheatSheets https://www.jaiminton.com/cheatsheet/DFIR/# Online Services VirusTotal HybridAnal…
Android Malware Post-Exploitation
Android Malware Post-Exploitation This page collects Android malware behavior that happens after installation or executi…
Memory dump analysis
Memory dump analysis Start Start searching for malware inside the pcap. Use the tools mentioned in Malware Analysis . Vo…
Volatility - CheatSheet
Volatility - CheatSheet If you need a tool that automates memory analysis with different scan levels and runs multiple…
Partitions/File Systems/Carving
Partitions/File Systems/Carving Partitions A hard drive or an SSD disk can contain different partitions with the goal of…
File/Data Carving & Recovery Tools
File/Data Carving & Recovery Tools Carving & Recovery tools More tools in https://github.com/Claudio-C/awesome-d…
Pcap Inspection
Pcap Inspection Tip A note about PCAP vs PCAPNG : there are two versions of the PCAP file format; PCAPNG is newer and no…
DNSCat pcap analysis
DNSCat pcap analysis If you have a pcap with data being exfiltrated by DNSCat (without using encryption), you can find the…
Suricata & Iptables cheatsheet
Suricata & Iptables cheatsheet Iptables Chains In iptables, lists of rules known as chains are processed sequentiall…
USB Keystrokes
USB Keystrokes If you have a pcap containing the communication via USB of a keyboard like the following one: USB keyboar…
Wifi Pcap Analysis
Wifi Pcap Analysis Check BSSIDs When you receive a capture whose principal traffic is Wifi using WireShark you can start…
Wireshark tricks
Wireshark tricks Improve your Wireshark skills Tutorials The following tutorials are amazing to learn some cool basic tr…
Specific Software/File-Type Tricks
Specific Software/File Type Tricks Here you can find interesting tricks for specific file-types and/or software: .pyc.md…
Decompile compiled python binaries (exe, elf) - Retrieve from .pyc
Decompile compiled python binaries (exe, elf) - Retrieve from .pyc From Compiled Binary to .pyc From an ELF compiled bin…
Browser Artifacts
Browser Artifacts Browsers Artifacts Browser artifacts include various types of data stored by web browsers, such as nav…
Deobfuscation vbs (cscript.exe)
Deobfuscation Techniques for VBS Files Some things that could be useful to debug/deobfuscate a malicious VBS file: echo…
Discord Cache Forensics
Discord Cache Forensics (Chromium Simple Cache) This page summarizes how to triage Discord Desktop cache artifacts to re…
Local Cloud Storage
Local Cloud Storage OneDrive In Windows, you can find the OneDrive folder in \Users\<username>\AppData\Local\Micro…
Mach O Entitlements And Ipsw Indexing
Mach-O Entitlements Extraction & IPSW Indexing Overview This page covers how to extract entitlements from Mach-O bin…
Office file analysis
Office file analysis For further information check https://trailofbits.github.io/ctf/forensics/ . This is just a summary:…
PDF File analysis
PDF File analysis For further details check: https://trailofbits.github.io/ctf/forensics/ The PDF format is known for it…
PNG tricks
PNG Tricks PNG files are very common in CTFs , incident response , and malware staging because they are lossless , chunk…
Structural File Format Exploit Detection
Structural File‑Format Exploit Detection (0‑Click Chains) This page summarizes practical techniques to detect 0‑click mo…
Svg Font Glyph Analysis And Web Drm Deobfuscation
SVG/Font Glyph Analysis & Web DRM Deobfuscation (Raster Hashing + SSIM) This page documents practical techniques to …
Video and Audio file analysis
Video and Audio File Analysis Audio and video file manipulation is a staple in CTF forensics challenges , leveraging ste…
ZIPs tricks
ZIPs tricks Command-line tools for managing zip files are essential for diagnosing, repairing, and cracking zip files. H…
Windows Artifacts
Windows Artifacts Generic Windows Artifacts Windows 10 Notifications In the path \Users\<username>\AppData\Local\M…
Interesting Windows Registry Keys
Interesting Windows Registry Keys Windows Registry hives are one of the fastest ways to pivot from what happened? to whi…
Python Sandbox Escape & Pyscript
Python Sandbox Escape & Pyscript Interesting pages to check: Pyscript hacking tricks Python deserializations Keras m…
Bypass Python sandboxes
Bypass Python sandboxes These are some tricks to bypass python sandbox protections and execute arbitrary commands. js2py…
Js2py Sandbox Escape Cve 2024 28397
Js2Py sandbox escape (CVE-2024-28397) Js2Py translates JavaScript into Python objects, so even when js2py.disable_pyimpo…
LOAD_NAME / LOAD_CONST opcode OOB Read
LOAD_NAME / LOAD_CONST opcode OOB Read This info was taken from this writeup . TL;DR We can use the OOB read feature in LOAD…
Reportlab Xhtml2pdf Triple Brackets Expression Evaluation Rce Cve 2023 33733
ReportLab/xhtml2pdf [[[...]]] expression-evaluation RCE (CVE-2023-33733) This page documents a practical sandbox escape …
Class Pollution (Python's Prototype Pollution)
Class Pollution (Python's Prototype Pollution) Basic Example Check how it is possible to pollute classes of objects with st…
Keras Model Deserialization Rce And Gadget Hunting
Keras Model Deserialization RCE and Gadget Hunting This page summarizes practical exploitation techniques against the Ke…
Python Internal Read Gadgets
Python Internal Read Gadgets Basic Information Different vulnerabilities such as Python Format Strings or Class Pollutio…
Pyscript
Pyscript PyScript Pentesting Guide PyScript is a new framework developed for integrating Python into HTML so it can be …
venv
venv sudo apt-get install python3-venv #Now, go to the folder you want to create the virtual environment python3 -m venv…
Web Requests
Web Requests Python Requests import requests url = "http://example.com:80/some/path.php" params = { "p1&q…
Bruteforce hash (few chars)
Bruteforce Hash Few Chars import hashlib target = '2f2e2e' #/.. candidate = 0 while True: plaintext = str(can…
Basic Python
Basic Python Python Basics Useful information All the examples below assume Python 3 unless explicitly noted. range() r…
Side Channel Attacks On Messaging Protocols
Delivery Receipt Side-Channel Attacks in E2EE Messengers Delivery receipts are mandatory in modern end-to-end encrypted …
Threat Modeling
Threat Modeling Threat Modeling Welcome to HackTricks' comprehensive guide on Threat Modeling! Embark on an exploration …
Blockchain & Crypto
Blockchain and Crypto-Currencies Basic Concepts Smart Contracts are defined as programs that execute on a blockchain whe…
Defi/AMM Hook Precision
DeFi/AMM Exploitation: Uniswap v4 Hook Precision/Rounding Abuse This page documents a class of DeFi/AMM exploitation tec…
Defi Amm Virtual Balance Cache Exploitation
DeFi AMM Accounting Bugs & Virtual Balance Cache Exploitation Overview Yearn Finance's yETH pool (Nov 2025) showed t…
Mutation Testing With Slither
Mutation Testing for Smart Contracts (slither-mutate, mewt, MuTON) Mutation testing "tests your tests" by systematically…
Erc 4337 Smart Account Security Pitfalls
ERC-4337 Smart Account Security Pitfalls ERC-4337 account abstraction turns wallets into programmable systems. The core …
Value Centric Web3 Red Teaming
Value-Centric Web3 Red Teaming (MITRE AADAPT) The MITRE Adversarial Actions in Digital Asset Payment Techniques (AADAPT)…
Web3 Signing Workflow Compromise Safe Delegatecall Proxy Takeover
Web3 Signing Workflow Compromise & Safe Delegatecall Proxy Takeover Overview A cold-wallet theft chain combined a su…
Lua Sandbox Escape
Bypass Lua sandboxes (embedded VMs, game clients) This page collects practical techniques to enumerate and break out of …
Archive Extraction Path Traversal
Archive Extraction Path Traversal ("Zip-Slip" / WinRAR CVE-2025-8088) Overview Many archive formats (ZIP, RAR, TAR, 7-ZI…
Brute Force - CheatSheet
Brute Force - CheatSheet Default Credentials Search in google for default credentials of the technology that is being us…
Esim Javacard Exploitation
eSIM / Java Card VM Exploitation Overview Embedded SIMs (eSIMs) are implemented as Embedded UICC (eUICC) smart-cards tha…
Exfiltration
Exfiltration Tip For an end-to-end example of staging loot in C:\Users\Public and exfiltrating it with Rclone to mimic l…
Reverse Shells (Linux, Windows, MSFVenom)
Reverse Shells Shells - Linux Shells - Windows MSFVenom - CheatSheet Full TTYs Auto-generated shells https://reverse-she…
MSFVenom - CheatSheet
MSFVenom - CheatSheet Basic msfvenom msfvenom -p <PAYLOAD> -e <ENCODER> -f <FORMAT> -i <ENCODE COUN…
Reverse Shells - Windows
Shells - Windows Lolbas The page lolbas-project.github.io is for Windows like https://gtfobins.github.io/ is for Linux. …
Reverse Shells - Linux
Shells - Linux If you have questions about any of these shells you could check them with https://explainshell.com/ Full …
Expose local to the internet
Expose local to the internet The goal of this page is to propose alternatives that allow, at the very least, exposing local raw TC…
Full TTYs
Full TTYs Full TTY Note that the shell you set in the SHELL variable must be listed inside /etc/shells or The value for …
Search Exploits
Search Exploits Browser Always search in "google" or others: [version] exploit You should also try the shodan exploit …
Tunneling and Port Forwarding
Tunneling and Port Forwarding Nmap tip Warning ICMP and SYN scans cannot be tunnelled through socks proxies, so we must …
Linux Basics
Linux Basics…
Checklist - Linux Privilege Escalation
Checklist - Linux Privilege Escalation Best tool to look for Linux local privilege escalation vectors: LinPEAS System In…
Linux Privilege Escalation
Linux Privilege Escalation System Information OS info Let's start gaining some knowledge of the OS running ( cat /proc/v…
Android Rooting Frameworks Manager Auth Bypass Syscall Hook
Android Rooting Frameworks (KernelSU/Magisk) Manager Auth Bypass & Syscall Hook Abuse Rooting frameworks like Kernel…
Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244
VMware Tools service discovery LPE (CWE-426) via regex-based binary discovery (CVE-2025-41244) This technique abuses reg…
Arbitrary File Write to Root
Arbitrary File Write to Root /etc/ld.so.preload This file behaves like LD_PRELOAD env variable but it also works in SUID…
Cisco - vmanage
Cisco - vmanage Path 1 (Example from https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-…
Containerd (ctr) Privilege Escalation
Containerd (ctr) Privilege Escalation Basic information Go to the following link to learn where containerd and ctr fit i…
D-Bus Enumeration & Command Injection Privilege Escalation
D-Bus Enumeration & Command Injection Privilege Escalation GUI enumeration D-Bus is utilized as the inter-process co…
Container Security
Container Security What A Container Actually Is A practical way to define a container is this: a container is a regular …
Runtimes And Engines
Container Runtimes, Engines, Builders, And Sandboxes One of the biggest sources of confusion in container security is th…
Runtime API And Daemon Exposure
Runtime API And Daemon Exposure Overview Many real container compromises do not begin with a namespace escape at all. Th…
Authorization Plugins
Runtime Authorization Plugins Overview Runtime authorization plugins are an extra policy layer that decides whether a ca…
Image Security And Secrets
Image Security, Signing, And Secrets Overview Container security starts before the workload is launched. The image deter…
Assessment And Hardening
Assessment And Hardening Overview A good container assessment should answer two parallel questions. First, what can an a…
Sensitive Host Mounts
Sensitive Host Mounts Overview Host mounts are one of the most important practical container-escape surfaces because the…
Privileged Containers
Escaping From --privileged Containers Overview A container started with --privileged is not the same thing as a normal c…
Distroless
Distroless Containers Overview A distroless container image is an image that ships the minimum runtime components requir…
Protections
Container Protections Overview The most important idea in container hardening is that there is no single control called …
AppArmor
AppArmor Overview AppArmor is a Mandatory Access Control system that applies restrictions through per-program profiles. …
Capabilities
Linux Capabilities In Containers Overview Linux capabilities are one of the most important pieces of container security …
CGroups
cgroups Overview Linux control groups are the kernel mechanism used to group processes together for accounting, limiting…
Masked Paths
Masked Paths Masked paths are runtime protections that hide especially sensitive kernel-facing filesystem locations from…
No New Privileges
no_new_privs no_new_privs is a kernel hardening feature that prevents a process from gaining more privilege across execv…
Read Only Paths
Read-Only System Paths Read-only system paths are a separate protection from masked paths. Instead of hiding a path comp…
Seccomp
seccomp Overview seccomp is the mechanism that lets the kernel apply a filter to the syscalls a process may invoke. In c…
SELinux
SELinux Overview SELinux is a label-based Mandatory Access Control system. Every relevant process and object may carry a…
Namespaces
Namespaces Namespaces are the kernel feature that makes a container feel like "its own machine" even though it is really…
CGroup Namespace
cgroup Namespace Overview The cgroup namespace does not replace cgroups and does not itself enforce resource limits. Ins…
IPC Namespace
IPC Namespace Overview The IPC namespace isolates System V IPC objects and POSIX message queues . That includes shared m…
PID Namespace
PID Namespace Overview The PID namespace controls how processes are numbered and which processes are visible. This is wh…
Mount Namespace
Mount Namespace Overview The mount namespace controls the mount table that a process sees. This is one of the most impor…
Network Namespace
Network Namespace Overview The network namespace isolates network-related resources such as interfaces, IP addresses, ro…
Time Namespace
Time Namespace Overview The time namespace virtualizes selected monotonic-style clocks instead of the host wall clock. I…
User Namespace
User Namespace Overview The user namespace changes the meaning of user and group IDs by letting the kernel map IDs seen …
UTS Namespace
UTS Namespace Overview The UTS namespace isolates the hostname and NIS domain name seen by the process. At first glance …
Escaping from Jails
Escaping from Jails GTFOBins Search in https://gtfobins.github.io/ if you can execute any binary with "Shell" property C…
Copy Fail Af Alg Splice Page Cache Overwrite Cve 2026 31431
Copy Fail: AF_ALG + splice page-cache overwrite (CVE-2026-31431) This page documents Copy Fail : a Linux kernel local pr…
Posix Cpu Timers Toctou Cve 2025 38352
POSIX CPU Timers TOCTOU race (CVE-2025-38352) This page documents a TOCTOU race condition in Linux/Android POSIX CPU tim…
euid, ruid, suid
euid, ruid, suid User Identification Variables ruid : The real user ID denotes the user who initiated the process. euid …
Interesting Groups - Linux Privesc
Interesting Groups - Linux Privesc Sudo/Admin Groups PE - Method 1 Sometimes , by default (or because some software need…
lxd/lxc Group - Privilege escalation
lxd/lxc Group - Privilege escalation If you belong to the lxd or lxc group , you can become root Exploiting without internet…
Logstash
Logstash Privilege Escalation Logstash Logstash is used to gather, transform, and dispatch logs through a system known a…
ld.so privesc exploit example
ld.so privesc exploit example Prepare the environment In the following section you can find the code of the files we are…
Linux Active Directory
Linux Active Directory A linux machine can also be present inside an Active Directory environment. A linux machine in an…
Linux Capabilities
Linux Capabilities Linux Capabilities Linux capabilities divide root privileges into smaller, distinct units , allowing …
NFS no_root_squash/no_all_squash misconfiguration PE
NFS No Root Squash Misconfiguration Privilege Escalation Squashing Basic Info NFS will usually (especially in Linux) trus…
Node inspector/CEF debug abuse
Node inspector/CEF debug abuse Basic Information From the docs : When started with the --inspect switch, a Node.js proce…
Payloads to execute
Payloads to execute Bash cp /bin/bash /tmp/b && chmod +s /tmp/b /bin/b -p #Maintains root privileges from suid, …
RunC Privilege Escalation
RunC Privilege Escalation Basic information If you want to learn more about runc check the following page: ../../network…
SELinux
SELinux SELinux is a label-based Mandatory Access Control (MAC) system. In practice, this means that even if DAC permiss…
Socket Command Injection
Socket Command Injection Socket binding example with Python In the following example a unix socket is created ( /tmp/soc…
Splunk LPE and Persistence
Splunk LPE and Persistence If enumerating a machine internally or externally you find Splunk running (port 8090), if you…
SSH Forward Agent exploitation
SSH Agent Forwarding Exploitation Summary What can you do if you discover inside the /etc/ssh_config or inside $HOME/.ss…
Wildcards Spare tricks
Wildcards Spare Tricks Wildcard (aka glob ) argument injection happens when a privileged script runs a Unix binary such …
Useful Linux Commands
Useful Linux Commands Common Bash #Exfiltration using Base64 base64 -w 0 file #Get HexDump without new lines xxd -p boot…
Bypass Linux Restrictions
Bypass Linux Restrictions Common Limitations Bypasses Reverse Shell # Double-Base64 is a great way to avoid bad characte…
Bypass FS protections: read-only / no-exec / Distroless
Bypass FS protections: read-only / no-exec / Distroless Videos In the following videos you can find the techniques menti…
DDexec / EverythingExec
DDexec / EverythingExec Context In Linux in order to run a program it must exist as a file, it must be accessible in som…
Linux Environment Variables
Linux Environment Variables Global variables The global variables will be inherited by child processes . You can create …
Linux Post-Exploitation
Linux Post-Exploitation Sniffing Logon Passwords with PAM Let's configure a PAM module to log each password each user us…
PAM - Pluggable Authentication Modules
PAM - Pluggable Authentication Modules Basic Information PAM (Pluggable Authentication Modules) acts as a security mecha…
FreeIPA Pentesting
FreeIPA Pentesting Basic Information FreeIPA is an open-source alternative to Microsoft Windows Active Directory , mainl…
macOS Security & Privilege Escalation
macOS Security & Privilege Escalation Basic MacOS If you are not familiar with macOS, you should start learning the …
macOS Apps - Inspecting, debugging and Fuzzing
macOS Apps - Inspecting, debugging and Fuzzing Static Analysis otool & objdump & nm otool -L /bin/ls #List dynam…
Objects in memory
Objects in memory CFRuntimeClass CF* objects come from CoreFoundation, which provides more than 50 classes of objects li…
Introduction to x64
Introduction to x64 Introduction to x64 x64, also known as x86-64, is a 64-bit processor architecture predominantly used…
Introduction to ARM64v8
Introduction to ARM64v8 Exception Levels - EL (ARM64v8) In ARMv8 architecture, execution levels, known as Exception Leve…
macOS AppleFS
macOS AppleFS Apple Proprietary File System (APFS) Apple File System (APFS) is a modern file system designed to supersede…
macOS Bypassing Firewalls
macOS Bypassing Firewalls Found techniques The following techniques were found working in some macOS firewall apps. Abus…
macOS Defensive Apps
macOS Defensive Apps Firewalls Little Snitch : It will monitor every connection made by each process. Depending on the m…
Macos Dyld Hijacking And Dyld Insert Libraries
macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES DYLD_INSERT_LIBRARIES Basic example Library to inject to execute a shel…
macOS GCD - Grand Central Dispatch
macOS GCD - Grand Central Dispatch Basic Information Grand Central Dispatch (GCD), also known as libdispatch ( libdispat…
macOS Kernel & System Extensions
macOS Kernel & System Extensions XNU Kernel The core of macOS is XNU , which stands for "X is Not Unix". This kernel…
macOS IOKit
macOS IOKit Basic Information The I/O Kit is an open-source, object-oriented device-driver framework in the XNU kernel, …
macOS Kernel Extensions & Kernelcache
macOS Kernel Extensions & Kernelcaches Basic Information Kernel extensions (Kexts) are packages with a .kext extensi…
macOS Kernel Vulnerabilities
macOS Kernel Vulnerabilities Pwning OTA In this report are explained several vulnerabilities that allowed to compromise…
macOS System Extensions
macOS System Extensions System Extensions / Endpoint Security Framework Unlike Kernel Extensions, System Extensions run …
macOS NVRAM
macOS NVRAM Basic Information NVRAM (Non-Volatile Random-Access Memory) stores boot-time and firmware-level configuratio…
macOS Network Services & Protocols
macOS Network Services & Protocols Remote Access Services These are the common macOS services to access them remotel…
macOS File Extension & URL scheme app handlers
macOS File Extension & URL scheme app handlers LaunchServices Database This is a database of all the installed appli…
macOS Files, Folders, Binaries & Memory
macOS Files, Folders, Binaries & Memory File hierarchy layout /Applications : The installed apps should be here. All…
macOS Bundles
macOS Bundles Basic Information Bundles in macOS serve as containers for a variety of resources including applications, …
macOS Installers Abuse
macOS Installers Abuse Pkg Basic Information A macOS installer package (also known as a .pkg file) is a file format used…
macOS Memory Dumping
macOS Memory Dumping Memory Artifacts Swap Files Swap files, such as /private/var/vm/swapfile0 , serve as caches when th…
macOS Sensitive Locations & Interesting Daemons
macOS Sensitive Locations & Interesting Daemons Passwords Shadow Passwords Shadow password is stored with the user's…
macOS Universal binaries & Mach-O Format
macOS Universal binaries &amp; Mach-O Format Basic Information Mac OS binaries are usually compiled as universal binarie…
macOS Objective-C
macOS Objective-C Objective-C Caution Note that programs written in Objective-C retain their class declarations when com…
macOS Privilege Escalation
macOS Privilege Escalation TCC Privilege Escalation If you came here looking for TCC privilege escalation go to: macos-s…
macOS Process Abuse
macOS Process Abuse Processes Basic Information A process is an instance of a running executable; however, processes do…
macOS Dirty NIB
macOS Dirty NIB Dirty NIB refers to abusing Interface Builder files (.xib/.nib) inside a signed macOS app bundle to exec…
macOS Chromium Injection
macOS Chromium Injection Basic Information Chromium-based browsers like Google Chrome, Microsoft Edge, Brave, Arc, Vival…
macOS Electron Applications Injection
macOS Electron Applications Injection Basic Information If you don't know what Electron is you can find lots of informat…
macOS Function Hooking
macOS Function Hooking Function Interposing Create a dylib with an __interpose ( __DATA___interpose ) section (or a sect…
macOS IPC - Inter Process Communication
macOS IPC - Inter Process Communication Mach messaging via Ports Basic Information Mach uses tasks as the smallest unit …
macOS MIG - Mach Interface Generator
macOS MIG - Mach Interface Generator Basic Information MIG was created to simplify the process of Mach IPC code creation…
macOS XPC
macOS XPC Basic Information XPC, which stands for XNU (the kernel used by macOS) inter-Process Communication, is a frame…
macOS XPC Authorization
macOS XPC Authorization XPC Authorization Apple also proposes another way to authenticate if the connecting process has …
macOS XPC Connecting Process Check
macOS XPC Connecting Process Check XPC Connecting Process Check When a connection is established to an XPC service, the s…
macOS PID Reuse
macOS PID Reuse PID Reuse When a macOS XPC service is checking the called process based on the PID and not on the audit …
macOS xpc_connection_get_audit_token Attack
macOS xpc_connection_get_audit_token Attack For further information check the original post: https://sector7.computest.n…
macOS Thread Injection via Task port
macOS Thread Injection via Task port Code https://github.com/bazad/threadexec https://gist.github.com/knightsc/bd6dfeccb…
macOS Java Applications Injection
macOS Java Applications Injection Enumeration Find Java applications installed in your system. It was noticed that Java …
macOS Library Injection
macOS Library Injection Caution The code of dyld is open source and can be found in https://opensource.apple.com/source/…
macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES DYLD_INSERT_LIBRARIES Basic example Library to inject to execute a shel…
macOS Dyld Process
macOS Dyld Process Basic Information The real entrypoint of a Mach-o binary is the dynamic linker, defined in LC_LOAD_DY…
macOS Perl Applications Injection
macOS Perl Applications Injection Via PERL5OPT & PERL5LIB env variable Using the env variable PERL5OPT it's possible…
macOS Python Applications Injection
macOS Python Applications Injection Via PYTHONWARNINGS and BROWSER env variables It's possible to alter both environment…
macOS Ruby Applications Injection
macOS Ruby Applications Injection RUBYOPT Using this env variable it's possible to add new params to ruby whenever it ge…
macOS .Net Applications Injection
macOS .Net Applications Injection This is a summary of the post https://blog.xpnsec.com/macos-injection-via-third-party-…
macOS Quick Look Generators
macOS Quick Look Generators Basic Information Quick Look is macOS's file preview framework . When a user selects a file …
macOS Automator, Preference Panes & NSServices
macOS Automator, Preference Panes & NSServices Abuse Automator Actions & Workflows Basic Information Automator i…
macOS XPC Mach Services Abuse
macOS XPC Mach Services Abuse Basic Information XPC (Cross-Process Communication) is the primary IPC mechanism on macOS.…
macOS Security Protections
macOS Security Protections Gatekeeper Gatekeeper is usually used to refer to the combination of Quarantine + Gatekeeper …
macOS Gatekeeper / Quarantine / XProtect
macOS Gatekeeper / Quarantine / XProtect Gatekeeper Gatekeeper is a security feature developed for Mac operating systems…
macOS Launch/Environment Constraints & Trust Cache
macOS Launch/Environment Constraints & Trust Cache Basic Information Launch constraints in macOS were introduced to …
macOS Sandbox
macOS Sandbox Basic Information MacOS Sandbox (initially called Seatbelt) limits applications running inside the sandbox…
macOS Default Sandbox Debug
macOS Default Sandbox Debug In this page you can find how to create an app to launch arbitrary commands from inside the …
macOS Sandbox Debug & Bypass
macOS Sandbox Debug & Bypass Sandbox loading process Image from http://newosxbook.com/files/HITSB.pdf In the previou…
macOS Office Sandbox Bypasses
macOS Office Sandbox Bypasses Word Sandbox bypass via Launch Agents The application uses a custom Sandbox using the enti…
macOS Authorizations DB & Authd
macOS Authorizations DB & Authd Authorizations DB The database located in /var/db/auth.db is the database used to store p…
macOS SIP
macOS SIP Basic Information System Integrity Protection (SIP) in macOS is a mechanism designed to prevent even the most …
macOS TCC
macOS TCC Basic Information TCC (Transparency, Consent, and Control) is a security protocol focusing on regulating appli…
macOS Apple Events
macOS Apple Events Basic Information Apple Events are a feature in Apple's macOS that allows applications to communicate…
macOS TCC Bypasses
macOS TCC Bypasses By functionality Write Bypass This is not a bypass, it's just how TCC works: It doesn't protect from …
macOS Apple Scripts
macOS Apple Scripts Apple Scripts It's a scripting language used for task automation interacting with remote processes.…
macOS TCC Payloads
macOS TCC Payloads Desktop Entitlement : None TCC : kTCCServiceSystemPolicyDesktopFolder Copy $HOME/Desktop to /tmp/desk…
macOS TCC Credential & Data Theft
macOS Credential & Data Theft via TCC Permissions Overview macOS TCC (Transparency, Consent, and Control) protects a…
macOS Dangerous Entitlements & TCC perms
macOS Dangerous Entitlements & TCC perms Warning Note that entitlements starting with com.apple are not available to…
macOS - AMFI - AppleMobileFileIntegrity
macOS - AMFI - AppleMobileFileIntegrity AppleMobileFileIntegrity.kext and amfid It focuses on enforcing the integrity of…
macOS MACF - Mandatory Access Control Framework
macOS MACF Basic Information MACF stands for Mandatory Access Control Framework , which is a security system built into …
macOS Code Signing
macOS Code Signing Basic Information ../../../generic-methodologies-and-resources/basic-forensic-methodology/specific-so…
macOS Code Signing Weaknesses & Sandbox Escapes
macOS Code Signing Weaknesses & Sandbox Escapes Ad-Hoc Signed Binaries Basic Information Ad-hoc signing ( CS_ADHOC )…
macOS Sealed System Volume & DataVault
macOS Sealed System Volume & DataVault Sealed System Volume (SSV) Basic Information Starting with macOS Big Sur (11.…
macOS Input Monitoring, Screen Capture & Accessibility
macOS Input Monitoring, Screen Capture & Accessibility Abuse Overview Three related TCC services control how applica…
macOS FS Tricks
macOS FS Tricks POSIX permissions combinations Permissions in a directory : read - you can enumerate the directory entri…
macOS xattr-acls extra stuff
macOS xattr-acls extra stuff rm -rf /tmp/test* echo test >/tmp/test chmod +a "everyone deny write,writeattr,writ…
macOS Users & External Accounts
macOS Users & External Accounts Common Users Daemon : User reserved for system daemons. The default daemon account n…
macOS Red Teaming
macOS Red Teaming Abusing MDMs JAMF Pro: jamf checkJSSConnection Kandji If you manage to compromise admin credentials to…
macOS MDM
macOS MDM To learn about macOS MDMs check: https://www.youtube.com/watch?v=ku8jZe-MHUU https://duo.com/labs/research/mdm…
Enrolling Devices in Other Organisations
Enrolling Devices in Other Organisations Intro As previously commented, in order to try to enrol a device into an organ…
macOS Serial Number
macOS Serial Number Basic Information Apple devices post-2010 have serial numbers consisting of 12 alphanumeric characte…
macOS Keychain
macOS Keychain Main Keychains The User Keychain ( ~/Library/Keychains/login.keychain-db ), which is used to store user-s…
macOS Useful Commands
macOS Useful Commands MacOS Automatic Enumeration Tools MacPEAS : https://github.com/carlospolop/PEASS-ng/tree/master/li…
macOS Auto Start
macOS Auto Start This section is heavily based on the blog series Beyond the good ol' LaunchAgents; the goal is to add …
Authentication Credentials Uac And Efs
Windows Security Controls AppLocker Policy An application whitelist is a list of approved software applications or execu…
Checklist - Local Windows Privilege Escalation
Checklist - Local Windows Privilege Escalation Best tool to look for Windows local privilege escalation vectors: WinPEAS…
Windows Local Privilege Escalation
Windows Local Privilege Escalation Best tool to look for Windows local privilege escalation vectors: WinPEAS Initial Win…
Abusing Auto Updaters And Ipc
Abusing Enterprise Auto-Updaters and Privileged IPC (e.g., Netskope, ASUS & MSI) This page generalizes a class of Wi…
Arbitrary Kernel Rw Token Theft
Windows kernel EoP: Token stealing with arbitrary kernel R/W Overview If a vulnerable driver exposes an IOCTL that gives…
Kernel Race Condition Object Manager Slowdown
Kernel Race Condition Exploitation via Object Manager Slow Paths Why stretching the race window matters Many Windows ker…
Notepad Plus Plus Plugin Autoload Persistence
Notepad++ Plugin Autoload Persistence & Execution Notepad++ will autoload every plugin DLL found under its plugins s…
Abusing Tokens
Abusing Tokens Tokens If you don't know what Windows Access Tokens are, read this page before continuing: access-tokens.m…
Access Tokens
Access Tokens Access Tokens Each user logged onto the system holds an access token with security information for that lo…
ACLs - DACLs/SACLs/ACEs
ACLs - DACLs/SACLs/ACEs Access Control List (ACL) An Access Control List (ACL) consists of an ordered set of Access Cont…
AppendData/AddSubdirectory permission over service registry
AppendData/AddSubdirectory Permission over Service Registry The original post is https://itm4n.github.io/windows-registr…
Create MSI with WIX
Creating Malicious MSI and Getting Root The creation of the MSI installer will be done using wixtools, specifically wixt…
COM Hijacking
COM Hijacking Searching non-existent COM components As the values of HKCU can be modified by users, COM Hijacking cou…
Dll Hijacking
Dll Hijacking Basic Information DLL Hijacking involves manipulating a trusted application into loading a malicious DLL. …
Advanced Html Staged Dll Sideloading
Advanced DLL Side-Loading With HTML-Embedded Payload Staging Tradecraft Overview Ashen Lepus (aka WIRTE) weaponized a re…
Writable Sys Path +Dll Hijacking Privesc
Writable Sys Path +Dll Hijacking Privesc Introduction If you found that you can write in a System Path folder (note that…
DPAPI - Extracting Passwords
DPAPI - Extracting Passwords What is DPAPI The Data Protection API (DPAPI) is primarily utilized within the Windows oper…
From High Integrity to SYSTEM with Name Pipes
From High Integrity to SYSTEM with Name Pipes Code flow: Create a new Pipe Create and start a service that will connect …
Integrity Levels
Integrity Levels Integrity Levels In Windows Vista and later versions, all protected items come with an integrity level …
JuicyPotato
JuicyPotato Warning JuicyPotato is legacy. It generally works on Windows versions up to Windows 10 1803 / Windows Server…
Leaked Handle Exploitation
Leaked Handle Exploitation Introduction Handles in a process allow access to different Windows resources: There have be…
Local NTLM Reflection via SMB Arbitrary Port
Local NTLM Reflection via SMB Arbitrary Port Recent Windows builds introduced SMB client support for alternative TCP por…
MSI Wrapper
MSI Wrapper Download the free version app from https://www.exemsi.com/documentation/getting-started/ , execute it and wr…
Named Pipe Client Impersonation
Named Pipe Client Impersonation Named Pipe client impersonation is a local privilege escalation primitive that lets a na…
Privilege Escalation with Autoruns
Privilege Escalation with Autoruns WMIC Wmic can be used to run programs on startup . See which binaries are programmed …
RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato Warning JuicyPotato doesn't work on Windows Server 2019 and Windows…
SeDebug + SeImpersonate copy token
SeDebug + SeImpersonate - Copy Token This page covers the manual token-theft variant where a High Integrity context that…
SeImpersonate from High To System
SeImpersonate from High To System This page is about the manual version of going from a High Integrity administrator pro…
Semanagevolume Perform Volume Maintenance Tasks
SeManageVolumePrivilege: Raw volume access for arbitrary file read Overview Windows user right: Perform volume maintenan…
Service Triggers
Windows Service Triggers: Enumeration and Abuse Windows Service Triggers allow the Service Control Manager (SCM) to star…
Telephony Tapsrv Arbitrary Dword Write To Rce
Telephony tapsrv Arbitrary DWORD Write to RCE (TAPI Server Mode) When the Windows Telephony service (TapiSrv, tapisrv.dl…
Secure Desktop Accessibility Registry Propagation LPE (RegPwn)
Secure Desktop Accessibility Registry Propagation LPE (RegPwn) Overview Windows Accessibility features persist user conf…
Uiaccess Admin Protection Bypass
Admin Protection Bypasses via UIAccess Overview Windows AppInfo exposes RAiLaunchAdminProcess to spawn UIAccess processe…
Windows C Payloads
Windows C Payloads This page collects small, self-contained C snippets that are handy during Windows Local Privilege Esc…
Active Directory Methodology
Active Directory Methodology Basic overview Active Directory serves as a foundational technology, enabling network admin…
Abusing Active Directory ACLs/ACEs
Abusing Active Directory ACLs/ACEs This page is mostly a summary of the techniques from https://www.ired.team/offensive-…
BadSuccessor
BadSuccessor Overview BadSuccessor abuses the delegated Managed Service Account ( dMSA ) migration workflow introduced i…
Shadow Credentials
Shadow Credentials Intro Check the original post for all the information about this technique. In summary: if you can …
AD Certificates
AD Certificates Introduction Components of a Certificate The Subject of the certificate denotes its owner. A Public Key …
AD CS Account Persistence
AD CS Account Persistence This is a small summary of the account persistence chapters of the awesome research from https…
AD CS Domain Escalation
AD CS Domain Escalation This is a summary of escalation technique sections of the posts: https://specterops.io/wp-conten…
AD CS Domain Persistence
AD CS Domain Persistence This is a summary of the domain persistence techniques shared in https://www.specterops.io/asse…
AD CS Certificate Theft
AD CS Certificate Theft This is a small summary of the Theft chapters of the awesome research from https://www.specterop…
Ad Dynamic Objects Anti Forensics
AD Dynamic Objects (dynamicObject) Anti-Forensics Mechanics & Detection Basics Any object created with the auxiliary…
AD information in printers
Information in Printers There are several blogs on the Internet which highlight the dangers of leaving printers configur…
AD DNS Records
AD DNS Records By default any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, …
Adws Enumeration
Active Directory Web Services (ADWS) Enumeration & Stealth Collection What is ADWS? Active Directory Web Services (A…
ASREPRoast
ASREPRoast ASREPRoast ASREPRoast is a security attack that exploits users who lack the Kerberos pre-authentication requi…
Badsuccessor Dmsa Migration Abuse
BadSuccessor: Privilege Escalation via Delegated MSA Migration Abuse Overview Delegated Managed Service Accounts ( dMSA …
BloodHound & Other AD Enum Tools
BloodHound & Other Active Directory Enumeration Tools adws-enumeration.md NOTE: This page groups some of the most us…
Constrained Delegation
Constrained Delegation Constrained Delegation Using this a Domain admin can allow a computer to impersonate a user or co…
Custom SSP
Custom SSP Custom SSP Learn what an SSP (Security Support Provider) is here. You can create your own SSP to capture in c…
DCShadow
DCShadow Basic Information It registers a new Domain Controller in the AD and uses it to push attributes (SIDHistory, SP…
DCSync
DCSync DCSync The DCSync permission implies having these permissions over the domain itself: DS-Replication-Get-Changes …
Diamond Ticket
Diamond Ticket Diamond Ticket Like a golden ticket , a diamond ticket is a TGT which can be used to access any service a…
DSRM Credentials
DSRM Credentials Basic Information There is a local administrator account inside each DC . Having admin privileges in th…
External Forest Domain - OneWay (Inbound) or bidirectional
External Forest Domain - OneWay (Inbound) or bidirectional In this scenario an external domain is trusting you (or both …
External Forest Domain - One-Way (Outbound)
External Forest Domain - One-Way (Outbound) In this scenario your domain is trusting some privileges to a principal from a…
Golden Dmsa Gmsa
Golden gMSA/dMSA Attack (Offline Derivation of Managed Service Account Passwords) Overview Windows Managed Service Accou…
Golden Ticket
Golden Ticket Golden ticket A Golden Ticket attack consists of the creation of a legitimate Ticket Granting Ticket (TGT)…
Kerberoast
Kerberoast Kerberoast Kerberoasting focuses on the acquisition of TGS tickets, specifically those related to services op…
Kerberos Authentication
Kerberos Authentication Check the amazing post from: https://www.tarlogic.com/en/blog/how-kerberos-works/ TL;DR for atta…
Kerberos Double Hop Problem
Kerberos Double Hop Problem Introduction The Kerberos "Double Hop" problem appears when an attacker attempts to use Kerb…
Lansweeper Security
Lansweeper Abuse: Credential Harvesting, Secrets Decryption, and Deployment RCE Lansweeper is an IT asset discovery and …
LAPS
LAPS Basic Information There are currently 2 LAPS flavours you can encounter during an assessment: Legacy Microsoft LAPS…
MSSQL AD Abuse
MSSQL AD Abuse MSSQL Enumeration / Discovery Python The MSSQLPwner tool is based on impacket, and also allows authentica…
Ldap Signing And Channel Binding
LDAP Signing & Channel Binding Hardening Why it matters LDAP relay/MITM lets attackers forward binds to Domain Contr…
Over Pass the Hash/Pass the Key
Over Pass the Hash/Pass the Key Overpass The Hash/Pass The Key (PTK) The Overpass The Hash/Pass The Key (PTK) attack is …
Pass the Ticket
Pass the Ticket Pass The Ticket (PTT) In the Pass The Ticket (PTT) attack method, attackers steal a user's authenticatio…
Password Spraying / Brute Force
Password Spraying / Brute Force Password Spraying Once you have found several valid usernames you can try the most commo…
PrintNightmare
PrintNightmare (Windows Print Spooler RCE/LPE) PrintNightmare is the collective name given to a family of vulnerabilitie…
Force NTLM Privileged Authentication
Force NTLM Privileged Authentication SharpSystemTriggers SharpSystemTriggers is a collection of remote authentication tr…
Privileged Groups
Privileged Groups Well Known groups with administration privileges Administrators Domain Admins Enterprise Admins Accoun…
RDP Sessions Abuse
RDP Sessions Abuse RDP Process Injection If the external group has RDP access to any computer in the current domain, an …
Resource-based Constrained Delegation
Resource-based Constrained Delegation Basics of Resource-based Constrained Delegation This is similar to the basic Const…
Sccm Management Point Relay Sql Policy Secrets
SCCM Management Point NTLM Relay to SQL – OSD Policy Secret Extraction TL;DR By coercing a System Center Configuration M…
Security Descriptors
Security Descriptors Security Descriptors From the docs: Security Descriptor Definition Language (SDDL) defines the for…
SID-History Injection
SID-History Injection SID History Injection Attack The focus of the SID History Injection Attack is aiding user migratio…
Silver Ticket
Silver Ticket Silver ticket The Silver Ticket attack involves the exploitation of service tickets in Active Directory (A…
Skeleton Key
Skeleton Key Skeleton Key Attack The Skeleton Key attack is a technique that allows attackers to bypass Active Directory…
Timeroasting
TimeRoasting TimeRoasting abuses the legacy MS-SNTP authentication extension. In MS-SNTP, a client can send a 68-byte re…
Unconstrained Delegation
Unconstrained Delegation Unconstrained delegation This is a feature that a Domain Administrator can set on any computer ins…
UAC - User Account Control
UAC - User Account Control UAC User Account Control (UAC) is a feature that enables a consent prompt for elevated activi…
NTLM
NTLM Basic Information In environments where Windows XP and Server 2003 are in operation, LM (Lan Manager) hashes are ut…
Places to steal NTLM creds
Places to steal NTLM creds Check all the great ideas from https://osandamalith.com/2017/03/24/places-of-interest-in-stea…
Lateral Movement
Lateral Movement There are different ways to execute commands on external systems; here you can find the expla…
AtExec / SchtasksExec
AtExec / SchtasksExec How does it work At allows scheduling tasks on hosts where you know the username/(password/hash). So…
DCOM Exec
DCOM Exec DCOM lateral movement is attractive because it reuses existing COM servers exposed over RPC/DCOM instead of cr…
PsExec/Winexec/ScExec
PsExec/Winexec/ScExec/SMBExec How do they work These techniques abuse the Windows Service Control Manager (SCM) remotely…
RDPexec
RDPexec How it Works RDPexec basically executes commands by logging into the system using RDP. For more information chec…
SCMexec
DCOM Exec SCM SCMExec is a technique to execute commands on remote systems using the Service Control Manager (SCM) to cr…
WinRM
WinRM WinRM is one of the most convenient lateral movement transports in Windows environments because it gives you a rem…
WmiExec
WmiExec How It Works Explained Processes can be opened on hosts where the username and either password or hash are known…
Stealing Windows Credentials
Stealing Windows Credentials Credentials Mimikatz #Elevate Privileges to extract the credentials privilege::debug #This …
Windows Credentials Protections
Windows Credentials Protections WDigest The WDigest protocol, introduced with Windows XP, is designed for authentication…
Mimikatz
Mimikatz This page is based on one from adsecurity.org . Check the original for further info! LM and Clear-Text in memor…
WTS Impersonator
WTS Impersonator The WTS Impersonator tool exploits the "\pipe\LSM_API_service" RPC Named pipe to stealthily enumerate l…
Windows Registry Hive Exploitation
Windows Registry Hive Exploitation Primitives Why hive corruption is special Windows registry hives are memory-mapped .r…
Basic Win CMD for Pentesters
Basic Win CMD for Pentesters System info Version and Patches info wmic os get osarchitecture || echo %PROCESSOR_ARCHITEC…
Basic PowerShell for Pentesters
Basic PowerShell for Pentesters Default PowerShell locations C:\windows\syswow64\windowspowershell\v1.0\power…
PowerView/SharpView
PowerView/SharpView The most up-to-date version of PowerView will always be in the dev branch of PowerSploit: https://gi…
Antivirus (AV) Bypass
Antivirus (AV) Bypass This page was initially written by @m2rc_p ! Stop Defender defendnot : A tool to stop Windows Defe…
Cobalt Strike
Cobalt Strike Listeners C2 Listeners Cobalt Strike -> Listeners -> Add/Edit then you can select where to listen, w…
Mythic
Mythic What is Mythic? Mythic is an open-source, modular, collaborative command and control (C2) framework designed for …
Protocol Handler Shell Execute Abuse
Windows Protocol Handler / ShellExecute Abuse (Markdown Renderers) Modern Windows applications that render Markdown/HTML…
Android APK Checklist
Android APK Checklist Learn Android fundamentals [ ] Basics [ ] Dalvik & Smali [ ] Entry points [ ] Activities [ ] U…
Android Applications Pentesting
Android Applications Pentesting Android Applications Basics It's highly recommended to start reading this page to know a…
Abusing Android Media Pipelines Image Parsers
Abusing Android Media Pipelines & Image Parsers Delivery: Messaging Apps ➜ MediaStore ➜ Privileged Parsers Modern OE…
Accessibility Services Abuse
Android Accessibility Service Abuse Overview AccessibilityService was created to help users with disabilities interact w…
Android Anti Instrumentation And Ssl Pinning Bypass
Android Anti-Instrumentation & SSL Pinning Bypass (Frida/Objection) This page provides a practical workflow to regai…
Android Application Level Virtualization
Android Application-Level Virtualization (App Cloning) Application-level virtualization (aka app cloning/container frame…
Android Applications Basics
Android Applications Basics Android Security Model There are two layers: The OS , which keeps installed applications iso…
Android Enterprise Work Profile Bypass
Android Enterprise Work Profile Required-App Replacement Attack surface Android Enterprise Work Profiles are implemented…
Android Hce Nfc Emv Relay Attacks
Android HCE NFC/EMV Relay Attacks Overview Abuse of Android Host Card Emulation (HCE) allows a malicious app set as the …
Android Task Hijacking
Android Task Hijacking Task, Back Stack and Foreground Activities In Android, a task is essentially a set of activities …
ADB Commands
ADB Commands Adb is usually located in: #Windows C:\Users\<username>\AppData\Local\Android\sdk\platf…
APK decompilers
APK decompilers For further details on each tool check the original post from https://eiken.dev/blog/2021/02/how-to-brea…
AVD - Android Virtual Device
AVD - Android Virtual Device Thank you very much to @offsecjay for his help while creating this content. What is Android…
Bypass Biometric Authentication (Android)
Bypass Biometric Authentication (Android) Method 1 – Bypassing with No Crypto Object Usage The focus here is on the onAu…
content:// protocol
Content Protocol in Android This is a summary of the post https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-e…
Drozer Tutorial
Drozer Tutorial APKs to test Sieve (from mrwlabs) DIVA Parts of this tutorial were extracted from the Drozer documentati…
Exploiting Content Providers
Exploiting Content Providers Intro Data is supplied from one application to others on request by a component known as a …
Exploiting a debuggable application
Exploiting a debuggable application Bypassing root and debuggable checks This section of the post is a summary from th…
Firmware Level Zygote Backdoor Libandroid Runtime
Firmware-level Android Backdoor via libandroid_runtime Zygote Injection Overview Supply-chain tampering of /system/lib[6…
Flutter
Flutter Flutter is Google’s cross-platform UI toolkit that lets developers write a single Dart code-base which the Engin…
Frida Tutorial
Frida Tutorial Installation Install frida tools : pip install frida-tools pip install frida Download and install in the …
Frida Tutorial 1
Frida Tutorial 1 This is a summary of the post: https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca…
Frida Tutorial 2
Frida Tutorial 2 This is a summary of the post: https://11x256.github.io/Frida-hooking-android-part-2/ (Parts 2, 3 and …
Frida Tutorial 3
Frida Tutorial 3 This is a summary of the post: https://joshspicer.com/android-frida-1 APK: https://github.com/OWASP…
Objection Tutorial
Objection Tutorial Introduction objection - Runtime Mobile Exploration Objection is a runtime mobile exploration toolkit…
Google CTF 2018 - Shall We Play a Game?
Google CTF 2018 - Shall We Play a Game? Download the APK here: I am going to upload the APK to https://appetize.io/ (fre…
In Memory Jni Shellcode Execution
Android In-Memory Native Code Execution via JNI (shellcode) This page documents a practical pattern to execute native pa…
Inputmethodservice Ime Abuse
Android IME / InputMethodService Abuse (Malicious Keyboards) Overview Android allows third-party keyboards via an InputM…
Insecure In App Update Rce
Insecure In-App Update Mechanisms – Remote Code Execution via Malicious Plugins Many Android applications implement thei…
Install Burp Certificate
Install Burp Certificate System-wide proxy via ADB Configure a global HTTP proxy so all apps route traffic through your …
Intent Injection
Intent Injection Intent injection abuses components that accept attacker-controlled Intents or data that is later conver…
Make APK Accept CA Certificate
Make APK accept CA certificate Some applications don't like user-downloaded certificates, so in order to inspect web tra…
Manual DeObfuscation
Manual De-obfuscation Techniques In the realm of software security, the process of mak…
Play Integrity Attestation Bypass
Play Integrity Attestation Bypass (SafetyNet Replacement) What Play Integrity Does Play Integrity is Google’s SafetyNet …
React Native Application
React Native Application Analysis To confirm if the application was built on the React Native framework, follow these st…
Reversing Native Libraries
Reversing Native Libraries For further information check: https://maddiestone.github.io/AndroidAppRE/reversing_native_li…
Shizuku Privileged Api
Shizuku Privileged API Shizuku is an open-source service that starts a privileged Java process with app_process and expo…
Smali - Decompiling, Modifying, Compiling
Smali - Decompiling/[Modifying]/Compiling Sometimes it is interesting to modify the application code to access hidden in…
Spoofing your location in Play Store
Spoofing Your Location in Google Play Store Google Play storefront georestrictions are usually enforced by a mix of Play…
Tapjacking
Tapjacking Basic Information Tapjacking is an attack where a malicious application is launched and positions itself on t…
Webview Attacks
Webview Attacks Guide on WebView Configurations and Security Overview of WebView Vulnerabilities A critical aspect of An…
iOS Pentesting Checklist
iOS Pentesting Checklist Preparation [ ] Read iOS Basics [ ] Read iOS Basic Testing Operations to learn current extracti…
iOS Pentesting
iOS Pentesting iOS Basics ios-basics.md Testing Environment In this page you can find information about the iOS simulato…
Air Keyboard Remote Input Injection
Air Keyboard Remote Input Injection (Unauthenticated TCP / WebSocket Listener) TL;DR The iOS version of the commercial “…
iOS App Extensions
iOS App Extensions App extensions enhance the functionality of apps by allowing them to interact with other apps or the …
iOS Basics
iOS Basics Filesystem Folders /Applications : Contains all the installed native applications on the device (e.g. /Applic…
iOS Basic Testing Operations
iOS Basic Testing Operations Summary of iOS Device Identification and Access Identifying the UDID of an iOS Device To id…
iOS Burp Suite Configuration
iOS Burp Suite Configuration Installing the Burp Certificate on iOS Devices For secure web traffic analysis and SSL pinn…
iOS Custom URI Handlers / Deeplinks / Custom Schemes
iOS Custom URI Handlers / Deeplinks / Custom Schemes Basic Information Custom URL schemes enable apps to communicate usi…
iOS Extracting Entitlements From Compiled Application
Extracting Entitlements from Compiled Application Summary of the page https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFO…
iOS Frida Configuration
iOS Frida Configuration Installing Frida Steps to install Frida on a Jailbroken device: Open Cydia/Sileo app. Navigate t…
iOS Hooking With Objection
iOS Hooking with Objection For this section the tool Objection is going to be used. Start by getting an objection's ses…
iOS Pentesting without Jailbreak
iOS Pentesting without Jailbreak Main idea Applications signed with the entitlement get_task_allow allow third party app…
iOS Protocol Handlers
WebView Protocol Handlers Basic Information In this page, protocol handlers are the URL schemes or URL-like handoffs tha…
iOS Serialisation and Encoding
iOS Serialisation and Encoding Code and more information in https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Inter…
iOS Testing Environment
iOS Testing Environment Apple Developer Program A provisioning identity is a collection of public and private keys that …
iOS UIActivity Sharing
iOS UIActivity Sharing UIActivity Sharing Simplified From iOS 6 onwards, third-party applications have been enabled to s…
iOS Universal Links
iOS Universal Links Introduction Universal links offer a seamless redirection experience to users by directly opening co…
iOS UIPasteboard
iOS Pasteboard Data sharing within and across applications on iOS devices is facilitated by the UIPasteboard mechanism, …
iOS WebViews
iOS WebViews The code of this page was extracted from here. Check the page for further details. WebViews types WebViews…
Itunesstored Bookassetd Sandbox Escape
itunesstored & bookassetd Sandbox Escape Overview Recent research shows that two pre-installed iOS daemons, itunesst…
Zero Click Messaging Image Parser Chains
Zero-click Messaging → Image Parser Chains TL;DR Treat messaging app multi-device/companion protocols as remote control …
Cordova Apps
Cordova Apps For further details check https://infosecwriteups.com/recreating-cordova-mobile-apps-to-bypass-security-imp…
Xamarin Apps
Xamarin Apps Basic Information Xamarin is an open-source platform designed for developers to build apps for iOS, Android…
4222 Pentesting Nats
4222 - Pentesting NATS / JetStream Basic Information NATS is a high-performance message bus that speaks a simple text-ba…
Pentesting JDWP - Java Debug Wire Protocol
Pentesting JDWP - Java Debug Wire Protocol Exploiting JDWP exploitation hinges on the protocol's lack of authentication …
Pentesting SAP
Pentesting SAP Introduction about SAP SAP stands for Systems Applications and Products in Data Processing. SAP, by defin…
Pentesting VoIP
Pentesting VoIP VoIP Basic Information To start learning about how VoIP works check: basic-voip-protocols/ Basic Message…
Basic VoIP Protocols
Basic VoIP Protocols Signaling Protocols SIP (Session Initiation Protocol) This is the industry standard; for more infor…
SIP (Session Initiation Protocol)
SIP (Session Initiation Protocol) Basic Information SIP (Session Initiation Protocol) is a signaling and call control pr…
Pentesting Remote GdbServer
Pentesting Remote GdbServer Basic Information gdbserver is a tool that enables the debugging of programs remotely. It ru…
7/tcp/udp - Pentesting Echo
7/tcp/udp - Pentesting Echo Service Basic Information An echo service is running on this host. The echo service was inte…
21 - Pentesting FTP
21 - Pentesting FTP Basic Information The File Transfer Protocol (FTP) serves as a standard protocol for file transfer a…
FTP Bounce attack - Scan
FTP Bounce attack - Scan FTP Bounce - Scanning Manual Connect to the vulnerable FTP server. Use PORT (classic IPv4 activ…
FTP Bounce - Download 2nd FTP file
FTP Bounce - Download 2nd FTP File Summary If you have access to a bounce FTP server, you can make it request files of an…
22 - Pentesting SSH/SFTP
22 - Pentesting SSH/SFTP Basic Information SSH (Secure Shell or Secure Socket Shell) is a network protocol that enables …
23 - Pentesting Telnet
23 - Pentesting Telnet Basic Information Telnet is a network protocol that gives users an insecure way to access a comput…
25,465,587 - Pentesting SMTP/s
25,465,587 - Pentesting SMTP/s Basic Information The Simple Mail Transfer Protocol (SMTP) is a protocol utilized within …
SMTP Smuggling
SMTP Smuggling Basic Information This type of vulnerability was originally discovered in this post where it's explained t…
SMTP - Commands
SMTP - Commands Commands from: https://serversmtp.com/smtp-commands/ HELO \ It’s the first SMTP command: it starts the c…
43 - Pentesting WHOIS
43 - Pentesting WHOIS Basic Information The WHOIS protocol serves as a standard method for inquiring about the registran…
49 - Pentesting TACACS+
49 - Pentesting TACACS+ Basic Information The Terminal Access Controller Access Control System (TACACS) protocol is used…
53 - Pentesting DNS
53 - Pentesting DNS Basic Information The Domain Name System (DNS) serves as the internet's directory, allowing users to…
69/UDP TFTP/Bittorrent-tracker
69 - UDP TFTP Basic Information Trivial File Transfer Protocol (TFTP) is a straightforward protocol used on UDP port 69 …
79 - Pentesting Finger
79 - Pentesting Finger Basic Info The Finger program/service is utilized for retrieving details about computer users. Ty…
80,443 - Pentesting Web Methodology
80,443 - Pentesting Web Methodology Basic Info The web service is the most common and extensive service and a lot of dif…
403 & 401 Bypasses
403 & 401 Bypasses HTTP Verbs/Methods Fuzzing Try using different verbs to access the file: GET, HEAD, POST, PUT, DE…
AEM - Adobe Experience Cloud
AEM (Adobe Experience Manager) Pentesting Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enter…
Angular
Angular The Checklist Checklist from here . [ ] Angular is considered a client-side framework and is not expected to pro…
Apache
Apache Executable PHP extensions Check which extensions the Apache server is executing. To search for them you can execute: …
Artifactory Hacking guide
Artifactory Hacking Guide Check this post: https://www.errno.fr/artifactory/Attacking_Artifactory…
Bolt CMS
Bolt CMS RCE After login as admin (go to /bolt to access the login prompt), you can get RCE in Bolt CMS: Select Configura…
Buckets
Buckets Check this page if you want to learn more about enumerating and abusing Buckets: https://cloud.hacktricks.wiki/e…
Firebase Database
Firebase Database What is Firebase Firebase is a Backend-as-a-Service mainly for mobile applications. It is focused on r…
CGI
CGI Pentesting Information CGI is an interface, not a language : on real targets you'll find legacy Perl , sh , Python ,…
Custom Protocols
Custom UDP RPC Enumeration & File-Transfer Abuse Mapping proprietary RPC objects with Frida Older multiplayer titles…
Django
Django Cache Manipulation to RCE Django's default cache storage method is Python pickles , which can lead to RCE if untr…
.NET SOAP/WSDL Client Exploitation
.NET SOAP/WSDL Client Proxy Abuse TL;DR SoapHttpClientProtocol , DiscoveryClientProtocol and friends inherit from HttpWe…
DotNetNuke (DNN)
DotNetNuke (DNN) DotNetNuke (DNN) If you enter as administrator in DNN it's easy to obtain RCE , however a number of una…
Drupal
Drupal Discovery Check meta curl https://www.drupal.org/ | grep 'content="Drupal' Node : Drupal indexes its…
Drupal RCE
Drupal RCE With PHP Filter Module Warning In older versions of Drupal (before version 8) , it was possible to log in as …
Electron Desktop Apps
Electron Desktop Apps Introduction Electron combines a local backend (with NodeJS ) and a frontend ( Chromium ), althoug…
Electron contextIsolation RCE via preload code
Electron contextIsolation RCE via preload code Example 1 Example from https://speakerdeck.com/masatokinugawa/electron-ab…
Electron contextIsolation RCE via Electron internal code
Electron contextIsolation RCE via Electron internal code Example 1 Example from https://speakerdeck.com/masatokinugawa/e…
Electron contextIsolation RCE via IPC
Electron contextIsolation RCE via IPC If the preload script exposes an IPC endpoint from the main.js file, the renderer …
Flask
Flask Probably if you are playing a CTF a Flask application will be related to SSTI . Cookies Default cookie session nam…
Fortinet Fortiweb
Fortinet FortiWeb — Auth bypass via API-prefix traversal and CGIINFO impersonation Overview Fortinet FortiWeb exposes a …
Git
Git To dump a .git folder from a URL use https://github.com/arthaud/git-dumper Use https://www.gitkraken.com/ to inspect…
Golang
GoLang HTTP CONNECT Method CONNECT method In the Go programming language, a common practice when handling HTTP requests,…
Grafana
Grafana Interesting stuff Main config is usually in /etc/grafana/grafana.ini (Deb/RPM) and can contain sensitive values …
GraphQL
GraphQL Introduction GraphQL is highlighted as an efficient alternative to REST API, offering a simplified approach for …
H2 - Java SQL database
H2 - Java SQL database Official page: https://www.h2database.com/html/main.html Access You can indicate a non-existent n…
IIS - Internet Information Services
IIS - Internet Information Services Test executable file extensions: asp aspx config php Writable webroot → ASPX command…
ImageMagick Security
ImageMagick Security Check further details in https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator…
ISPConfig
ISPConfig Overview ISPConfig is an open-source hosting control panel. Older 3.2.x builds shipped a language file editor …
JBOSS
JBOSS Enumeration and Exploitation Techniques When assessing the security of web applications, certain paths like /web-c…
Jira & Confluence
Jira & Confluence Check Privileges In Jira, privileges can be checked by any user, authenticated or not, through the…
Joomla
Joomla Joomla Statistics Joomla collects some anonymous usage statistics such as the breakdown of Joomla, PHP and databa…
JSP
JSP getContextPath abuse Info from here . http://127.0.0.1:8080//rakeshmane.com/xss.js#/..;/..;/contextP…
Laravel
Laravel Laravel SQLInjection Read information about this here: https://stitcher.io/blog/unsafe-sql-functions-in-laravel …
Microsoft Sharepoint
Microsoft SharePoint – Pentesting & Exploitation Microsoft SharePoint (on-premises) is built on top of ASP.NET/IIS. …
Moodle
Moodle Automatic Scans droopescan pip3 install droopescan droopescan scan moodle -u http://moodle.example.com/<moodle…
NextJS
NextJS General Architecture of a Next.js Application Typical File Structure A standard Next.js project follows a specifi…
Nginx
Nginx Missing root location When configuring the Nginx server, the root directive plays a critical role by defining the …
NodeJS Express
NodeJS Express Quick Fingerprinting Useful Express indicators during recon: X-Powered-By: Express or stack traces mentio…
Sitecore
Sitecore Experience Platform (XP) – Pre‑auth HTML Cache Poisoning to Post‑auth RCE This page summarises a practical atta…
PHP Tricks
PHP Tricks Cookies common location: This is also valid for phpMyAdmin cookies. Cookies: PHPSESSID phpMyAdmin Locations: …
PHP - Useful Functions & disable_functions/open_basedir bypass
PHP - Useful Functions & disable_functions/open_basedir bypass PHP Command & Code Execution PHP Command Executio…
disable_functions bypass - php-fpm/FastCGI
disable_functions bypass - php-fpm/FastCGI PHP-FPM PHP-FPM is presented as a superior alternative to the standard PHP Fa…
disable_functions bypass - dl function
Disable Functions Bypass - dl Function dl() lets PHP load a shared extension at runtime. If you can make it load an atta…
disable_functions bypass - PHP 7.0-7.4 (*nix only)
disable_functions bypass - PHP 7.0-7.4 (*nix only) PHP 7.0-7.4 (*nix only) From https://github.com/mm0r1/exploits/blob/m…
disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
Imagick <= 3.3.0 - PHP >= 5.4 disable_functions Bypass The well-known ImageTragick family of bugs (CVE-2016-3714 e…
disable_functions - PHP 5.x Shellshock Exploit
PHP 5.x Shellshock Exploit From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/ <?php echo "Disabl…
disable_functions - PHP 5.2.4 ionCube extension Exploit
PHP 5.2.4 ionCube extension Exploit <?php //PHP 5.2.4 ionCube extension safe_mode and disable_functions protections b…
disable_functions bypass - PHP <= 5.2.9 on windows
PHP <= 5.2.9 on windows From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/ <?php //cmd.php /* Abys…
disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
PHP 5.2.4 and 5.2.5 PHP cURL This page documents a legacy but still useful-in-CTFs/local-legacy-installs trick to bypass…
disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
PHP safe_mode bypass via proc_open and custom environment Exploit From http://blog.safebuff.com/2016/05/06/disable-funct…
disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
PHP Perl Extension Safe_mode Bypass Exploit Background The issue tracked as CVE-2007-4596 comes from the legacy perl PHP…
disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
PHP 5.2.3 - Win32std ext Protections Bypass This is a legacy Windows-only bypass that depends on the old win32std PECL e…
disable_functions bypass - PHP 5.2 - FOpen Exploit
PHP 5.2 - FOpen Exploit From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/ php -r 'fopen("srpat…
disable_functions bypass - via mem
via mem From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/ <?php /* 1. kernel>=2.68 2)PHP-CGI or P…
disable_functions bypass - mod_cgi
mod_cgi From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/ <?php // Only working with mod_cgi, writab…
disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
PHP 4 >= 4.2.0, PHP 5 pcntl_exec From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/ <?php $dir = &…
PHP - RCE abusing object creation: new $_GET["a"]($_GET["b"])
PHP - RCE abusing object creation: new $_GET "a" This is basically a summary of https://swarm.ptsecurity.com/exploiting-…
PHP SSRF
PHP SSRF SSRF PHP functions Some function such as file_get_contents(), fopen(), file(), md5_file() accept URLs as input …
Perl Tricks
PrestaShop Perl backticks/qx// sinks in Apache mod_perl handlers (reachability and exploitation) Real-world pattern: Per…
PrestaShop
PrestaShop From XSS to RCE PrestaXSRF : PrestaShop Exploitation Script that elevate XSS to RCE or Others Critical Vulner…
Python
Python Server using python test a possible code execution , using the function str() : "+str(True)+" #If the s…
Rocket Chat
Rocket Chat RCE If you are admin inside Rocket Chat you can get RCE. Go to Integrations and select New Integration and …
Ruby Tricks
Ruby Tricks File upload to RCE As explained in this article , uploading a .rb file into sensitive directories such as co…
Source code Review / SAST Tools
Source code Review / SAST Tools Guidance & Lists of tools https://owasp.org/www-community/Source_Code_Analysis_T…
Special Http Headers
Special HTTP headers Wordlists & Tools https://github.com/danielmiessler/SecLists/tree/master/Miscellaneous/Web/http…
Roundcube
Roundcube Overview Roundcube is a PHP webmail client commonly exposed on HTTP(S) vhosts (e.g., mail.example.tld). Useful…
Spring Actuators
Spring Actuators Spring Auth Bypass From https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png Exploi…
Symfony
Symfony Symfony is one of the most widely-used PHP frameworks and regularly appears in assessments of enterprise, e-comm…
Tomcat
Tomcat Discovery It usually runs on port 8080 Common Tomcat error: Enumeration Version Identification To find the versio…
Telerik UI for ASP.NET AJAX - Unsafe Reflection via WebResource.axd
Telerik UI for ASP.NET AJAX – Unsafe Reflection via WebResource.axd (type=iec) Pre‑auth constructor execution in Telerik…
Uncovering CloudFlare
Uncovering CloudFlare Common Techniques to Uncover Cloudflare You can use some service that gives you the historical DNS…
Vuejs
Vue.js XSS Sinks in Vue.js v-html Directive The v-html directive renders raw HTML, so any <script> (or an attribut…
VMWare (ESX, VCenter...)
VMware ESX / vCenter Pentesting Enumeration nmap -sV --script "http-vmware-path-vuln or vmware-version" -p <…
Web API Pentesting
Web API Pentesting API Pentesting Methodology Summary Pentesting APIs involves a structured approach to uncovering vulne…
WebDav
WebDav When dealing with a HTTP Server with WebDav enabled, it's possible to manipulate files if you have the right cred…
Werkzeug / Flask Debug
Werkzeug / Flask Debug Console RCE If debug is active you could try to access to /console and gain RCE. __import__ ( &#3…
Wordpress
Wordpress Basic Information Uploaded files go to: http://10.10.10.10/wp-content/uploads/2018/08/a.txt Themes files can b…
88tcp/udp - Pentesting Kerberos
88tcp/udp - Pentesting Kerberos Basic Information Kerberos operates on a principle where it authenticates users without …
Harvesting tickets from Windows
Harvesting tickets from Windows Tickets in Windows are managed and stored by the lsass (Local Security Authority Subsyst…
Harvesting tickets from Linux
Harvesting Tickets from Linux Credential Storage in Linux Linux systems store credentials in three types of caches, name…
WSGI
WSGI Post-Exploitation Tricks WSGI Overview Web Server Gateway Interface (WSGI) is a specification that describes how a …
Zabbix
Zabbix Security Overview Zabbix is a monitoring platform exposing a web UI (typically behind Apache/Nginx) and a server …
110,995 - Pentesting POP
110,995 - Pentesting POP Basic Information Post Office Protocol (POP) is described as a protocol within the realm of com…
111/TCP/UDP - Pentesting Portmapper
111/TCP/UDP - Pentesting Portmapper Basic Information Portmapper is a service that is utilized for mapping network servi…
113 - Pentesting Ident
113 - Pentesting Ident Basic Information The Ident Protocol is used over the Internet to associate a TCP connection with…
123/udp - Pentesting NTP
123/udp - Pentesting NTP Basic Information The Network Time Protocol (NTP) ensures computers and network devices across …
135, 593 - Pentesting MSRPC
135, 593 - Pentesting MSRPC Basic Information The Microsoft Remote Procedure Call (MSRPC) protocol, a client-server mode…
137,138,139 - Pentesting NetBios
137,138,139 - Pentesting NetBios NetBios Name Service NetBIOS Name Service plays a crucial role, involving various servi…
139,445 - Pentesting SMB
139,445 - Pentesting SMB Port 139 The Network Basic Input Output System (NetBIOS) is a software protocol designed to ena…
ksmbd Attack Surface and Fuzzing (syzkaller)
ksmbd Attack Surface & SMB2/SMB3 Protocol Fuzzing (syzkaller) Overview This page abstracts practical techniques to e…
rpcclient enumeration
rpcclient enumeration Overview of Relative Identifiers (RID) and Security Identifiers (SID) Relative Identifiers (RID) a…
143,993 - Pentesting IMAP
143,993 - Pentesting IMAP Internet Message Access Protocol The Internet Message Access Protocol (IMAP) is designed for t…
161,162,10161,10162/udp - Pentesting SNMP
161,162,10161,10162/udp - Pentesting SNMP Basic Information SNMP - Simple Network Management Protocol is a protocol used…
Cisco SNMP
Cisco SNMP Pentesting Cisco Networks SNMP functions over UDP with ports 161/UDP for general messages and 162/UDP for tra…
SNMP RCE
SNMP RCE SNMP can be exploited by an attacker if the administrator overlooks its default configuration on the device or …
194,6667,6660-7000 - Pentesting IRC
194,6667,6660-7000 - Pentesting IRC Basic Information IRC, initially a plain text protocol , was assigned 194/TCP by IAN…
264 - Pentesting Check Point FireWall-1
264/tcp - Pentesting Check Point Firewall It's possible to interact with CheckPoint Firewall-1 firewalls to discover v…
389, 636, 3268, 3269 - Pentesting LDAP
389, 636, 3268, 3269 - Pentesting LDAP The use of LDAP (Lightweight Directory Access Protocol) is mainly for locating va…
500/udp - Pentesting IPsec/IKE VPN
500/udp - Pentesting IPsec/IKE VPN Basic Information IPsec is widely recognized as the principal technology for securing…
502 - Pentesting Modbus
502/tcp - Pentesting Modbus Protocol Basic Information In 1979, the Modbus Protocol was developed by Modicon, serving …
512 - Pentesting Rexec
512 - Pentesting Rexec Basic Information Rexec (remote exec ) is one of the original Berkeley r -services suite (togethe…
513 - Pentesting Rlogin
513 - Pentesting Rlogin Basic Information In the past, rlogin was widely utilized for remote administration tasks. Howev…
514 - Pentesting Rsh
514 - Pentesting Rsh Basic Information For authentication, .rhosts files along with /etc/hosts.equiv were utilized by Rs…
515 - Pentesting Line Printer Daemon (LPD)
515 Pentesting Line Printer Daemon (LPD) Introduction to LPD Protocol In the 1980s, the Line Printer Daemon (LPD) protoc…
548 - Pentesting Apple Filing Protocol (AFP)
548 - Pentesting Apple Filing Protocol (AFP) Basic Information The Apple Filing Protocol ( AFP ), once known as AppleTal…
554,8554 - Pentesting RTSP
554,8554 - Pentesting RTSP Basic Information From wikipedia : The Real Time Streaming Protocol ( RTSP ) is a network con…
623/UDP/TCP - IPMI
623/UDP/TCP - IPMI Basic Information Overview of IPMI Intelligent Platform Management Interface (IPMI) offers a standard…
631 - Internet Printing Protocol(IPP)
Internet Printing Protocol The Internet Printing Protocol (IPP) , as specified in RFC 2910 and RFC 2911 , is the de-fact…
700 - Pentesting EPP
700 - Pentesting EPP Basic Information The Extensible Provisioning Protocol (EPP) is a network protocol used for the man…
873 - Pentesting Rsync
873 - Pentesting Rsync Basic Information From wikipedia : rsync is a utility for efficiently transferring and synchroniz…
1026 - Pentesting Rusersd
1026 - Pentesting Rusersd Basic Information This protocol provides the usernames of the host. You may be able to…
1080 - Pentesting Socks
1080 - Pentesting Socks Basic Information SOCKS is a protocol used for transferring data between a client and server thr…
1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
1098/1099/1050 - Pentesting Java RMI - RMI-IIOP Basic Information Java Remote Method Invocation , or Java RMI , is an ob…
1414 - Pentesting IBM MQ
1414 - Pentesting IBM MQ Basic information IBM MQ is an IBM technology to manage message queues. As other message broker…
1433 - Pentesting MSSQL - Microsoft SQL Server
1433 - Pentesting MSSQL - Microsoft SQL Server Basic Information From wikipedia : Microsoft SQL Server is a relational d…
Types of MSSQL Users
Types of MSSQL Users Table taken from the docs . Column name Data type Description name sysname Name of principal, uniqu…
1521,1522-1529 - Pentesting Oracle TNS Listener
1521,1522-1529 - Pentesting Oracle TNS Listener Basic Information Oracle database (Oracle DB) is a relational database m…
1723 - Pentesting PPTP
1723 - Pentesting PPTP Basic Information Point-to-Point Tunneling Protocol (PPTP) is an old VPN tunneling protocol used …
1883 - Pentesting MQTT (Mosquitto)
1883 - Pentesting MQTT (Mosquitto) Basic Information MQ Telemetry Transport (MQTT) is known as a publish/subscribe messa…
2049 - Pentesting NFS Service
2049 - Pentesting NFS Service Basic Information NFS is a system designed for client/server that enables users to seamles…
2301,2381 - Pentesting Compaq/HP Insight Manager
2301/tcp - Pentesting Compaq/HP Insight Manager Default Port: 2301,2381 Default passwords http://www.vulnerabilityasse…
2375, 2376 Pentesting Docker
2375, 2376 Pentesting Docker Docker Basics What is Docker is the forefront platform in the containerization industry , s…
3128 - Pentesting Squid
3128/tcp - Pentesting Squid Basic Information From Wikipedia : Squid is a caching and forwarding HTTP web proxy. It has …
3260 - Pentesting ISCSI
3260 - Pentesting ISCSI Basic Information From Wikipedia : In computing, iSCSI is an acronym for Internet Small Computer…
3299 - Pentesting SAPRouter
3299/tcp - Pentesting SAProuter PORT STATE SERVICE VERSION 3299/tcp open saprouter? This is a summary of the post from…
3306 - Pentesting Mysql
3306 - Pentesting Mysql Basic Information MySQL can be described as an open source Relational Database Management System…
3389 - Pentesting RDP
3389 - Pentesting RDP Basic Information Developed by Microsoft, the Remote Desktop Protocol ( RDP ) is designed to enabl…
3632 - Pentesting distcc
3632 - Pentesting Distcc Basic Information Distcc is a tool that enhances the compilation process by utilizing the idle …
3690 - Pentesting Subversion (svn server)
3690/tcp - Pentesting Subversion (SVN) Server Basic Information Subversion (SVN) is a centralized version control system…
3702/UDP - Pentesting WS-Discovery
3702/UDP - Pentesting WS-Discovery Basic Information The Web Services Dynamic Discovery Protocol (WS-Discovery / WSD) is…
4369 - Pentesting Erlang Port Mapper Daemon (epmd)
4369 Pentesting Erlang Port Mapper Daemon (epmd) Basic Info The Erlang Port Mapper Daemon (epmd) serves as a coordinator…
4786 - Cisco Smart Install
4786 - Cisco Smart Install Basic Information Cisco Smart Install is a Cisco designed to automate the initial configurati…
4840 - OPC Unified Architecture
4840 - Pentesting OPC UA Basic Information OPC UA , standing for Open Platform Communications Unified Access , is a cruc…
5000 - Pentesting Docker Registry
5000 - Pentesting Docker Registry Basic Information A storage and distribution system known as a Docker registry is in p…
5353/UDP Multicast DNS (mDNS) and DNS-SD
5353/UDP Multicast DNS (mDNS) and DNS-SD Basic Information Multicast DNS (mDNS) enables DNS-like name resolution and ser…
5432,5433 - Pentesting Postgresql
5432,5433 - Pentesting Postgresql Basic Information PostgreSQL is described as an object-relational database system that…
5439 - Pentesting Redshift
5439 - Pentesting Redshift Basic Information This port is used by Amazon Redshift (AWS managed data warehouse). Redshift…
5555 - Android Debug Bridge
5555 - Android Debug Bridge Basic Information From the docs : Android Debug Bridge (adb) is a command-line tool to commu…
5601 - Pentesting Kibana
5601/tcp - Pentesting Kibana Basic Information Kibana is known for its ability to search and visualize data within Elast…
5671,5672 - Pentesting AMQP
5671,5672 - Pentesting AMQP Basic Information From cloudamqp : RabbitMQ is a message-queueing software also known as a m…
5800,5801,5900,5901 - Pentesting VNC
5800,5801,5900,5901 - Pentesting VNC Basic Information Virtual Network Computing (VNC) is a robust graphical desktop-sha…
5984,6984 - Pentesting CouchDB
5984,6984 - Pentesting CouchDB Basic Information CouchDB is a versatile and powerful document-oriented database that org…
5985,5986 - Pentesting WinRM
5985,5986 - Pentesting WinRM WinRM Windows Remote Management (WinRM) is highlighted as a protocol by Microsoft that enab…
5985,5986 - Pentesting OMI
5985,5986 - Pentesting OMI Basic Information OMI is presented as an open-source tool by Microsoft, designed for remote c…
6000 - Pentesting X11
6000 - Pentesting X11 Basic Information X Window System (X/X11) is a windowing system prevalent on UNIX-based operating …
6379 - Pentesting Redis
6379 - Pentesting Redis Basic Information From the docs : Redis is an open source (BSD licensed), in-memory data structu…
8009 - Pentesting Apache JServ Protocol (AJP)
8009 - Pentesting Apache JServ Protocol (AJP) Basic Information From https://diablohorn.com/2011/10/19/8009-the-forgotte…
8086 - Pentesting InfluxDB
8086 - Pentesting InfluxDB Basic Information InfluxDB is an open-source time series database (TSDB) developed by InfluxD…
8089 - Pentesting Splunkd
8089 - Pentesting Splunkd Basic Information Log analytics tool used for data gathering, analysis, and visualization Comm…
8333,18333,38333,18444 - Pentesting Bitcoin
8333,18333,38333,18444 - Pentesting Bitcoin Basic Information The port 8333 is used by Bitcoin nodes in the mainnet to c…
9000 - Pentesting FastCGI
9000 Pentesting FastCGI Basic Information If you want to learn what is FastCGI check the following page: pentesting-web/…
9001 - Pentesting HSQLDB
9001 - Pentesting HSQLDB Basic Information HSQLDB ( HyperSQL DataBase ) is the leading SQL relational database system wr…
9042/9160 - Pentesting Cassandra
9042/9160 - Pentesting Cassandra Basic Information Apache Cassandra is a highly scalable , high-performance distributed …
9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
9100/tcp - PJL (Printer Job Language) Basic Information From here : Raw printing is what we define as the process of mak…
9200 - Pentesting Elasticsearch
9200 - Pentesting Elasticsearch Basic information Elasticsearch is a distributed , open source search and analytics engi…
10000 - Pentesting Network Data Management Protocol (ndmp)
10000/tcp - Network Data Management Protocol (NDMP) Protocol Information From Wikipedia : NDMP , or Network Data Managem…
11211 - Pentesting Memcache
11211 - Pentesting Memcache Protocol Information From wikipedia : Memcached (pronunciation: mem-cashed, mem-cash-dee) is…
Memcache Commands
Memcache Commands Commands Cheat-Sheet From https://lzone.de/cheat-sheet/memcached The supported commands (the official …
12346/udp - Pentesting Cisco Catalyst SD-WAN Control Plane
12346/udp - Pentesting Cisco Catalyst SD-WAN Control Plane Basic Information Cisco Catalyst SD-WAN controllers expose a …
15672 - Pentesting RabbitMQ Management
15672 - Pentesting RabbitMQ Management Basic Information You can learn more about RabbitMQ in 5671,5672 - Pentesting AMQ…
24007,24008,24009,49152 - Pentesting GlusterFS
24007-24008-24009-49152 - Pentesting GlusterFS Basic Information GlusterFS is a distributed file system that combines st…
27017,27018 - Pentesting MongoDB
27017,27018 - Pentesting MongoDB Basic Information MongoDB is an open source database management system that uses a docu…
32100/UDP - Pentesting PPPP (CS2) P2P Cameras
32100/UDP - Pentesting PPPP (CS2) P2P Cameras Overview PPPP (a.k.a. “P2P”) is a proprietary device connectivity stack by…
44134 - Pentesting Tiller (Helm)
44134 Tiller / Helm Basic Information Helm is the package manager for Kubernetes. It allows packaging YAML files and di…
44818/UDP/TCP - Pentesting EthernetIP
44818 Pentesting EtherNet/IP Protocol Information EtherNet/IP is an industrial Ethernet networking protocol commonly use…
47808/udp - Pentesting BACNet
47808/udp - BACnet Protocol Information BACnet is a communications protocol for Building Automation and Control (BAC) ne…
50030,50060,50070,50075,50090 - Pentesting Hadoop
50030-50060-50070-50075-50090 - Pentesting Hadoop Basic Information Apache Hadoop is an open-source framework for distri…
Web Vulnerabilities Methodology
Web Vulnerabilities Methodology In every Web Pentest, there are several hidden and obvious places that might be vulnerab…
Reflecting Techniques - PoCs and Polygloths CheatSheet
Reflecting Techniques - PoCs and Polygloths CheatSheet The goal of these PoCs and Polygloths is to give the tester a fas…
Web Vulns List
Web Vulns List Quick list of shotgun payloads and differential probes to throw at reflected input before pivoting into t…
2FA/MFA/OTP Bypass
2FA/MFA/OTP Bypass Enhanced Two-Factor Authentication Bypass Techniques Direct Endpoint Access To bypass 2FA, access the…
Account Takeover
Account Takeover Authorization Issue Try changing the email of an account and check whether the confirmation pro…
Browser Extension Pentesting Methodology
Browser Extension Pentesting Methodology Basic Information Browser extensions are written in JavaScript and loaded by th…
BrowExt - ClickJacking
BrowExt - ClickJacking Basic Information This page is going to abuse a ClickJacking vulnerability in a Browser extension…
BrowExt - permissions & host_permissions
BrowExt - permissions & host_permissions Basic Information permissions Permissions are defined in the extension's ma…
BrowExt - XSS Example
BrowExt - XSS Example Cross-Site Scripting (XSS) through Iframe In this setup, a content script is implemented to instan…
Forced Extension Load & Preferences MAC Forgery (Windows)
Forced Extension Load & Preferences MAC Forgery (Windows) Overview Stealthy post-exploitation technique to force-loa…
Bypass Payment Process
Bypass Payment Process Payment Bypass Techniques Request Interception During the transaction process, it is crucial to m…
Captcha Bypass
Captcha Bypass Captcha Bypass To bypass the captcha during server testing and automate user input functions, various tec…
Cache Poisoning and Cache Deception
Cache Poisoning and Cache Deception The difference What is the difference between web cache poisoning and web cache dece…
Cache Poisoning via URL discrepancies
Cache Poisoning via URL discrepancies This is a summary of the techniques proposed in the post https://portswigger.net/r…
Cache Poisoning to DoS
Cache Poisoning to DoS Caution These techniques try to make the origin return an error, a blank body, or a broken redire…
Clickjacking
Clickjacking What is Clickjacking In a clickjacking attack, a user is tricked into clicking an element on a webpage that…
Client Side Template Injection (CSTI)
Client Side Template Injection (CSTI) Summary It is like a Server Side Template Injection but in the client . The SSTI c…
Client Side Path Traversal
Client Side Path Traversal Basic Information A client side path traversal occurs when you can manipulate the path of a U…
Command Injection
Command Injection What is command Injection? A command injection permits the execution of arbitrary operating system com…
Content Security Policy (CSP) Bypass
Content Security Policy (CSP) Bypass What is CSP Content Security Policy (CSP) is recognized as a browser technology, pr…
CSP bypass: self + 'unsafe-inline' with Iframes
CSP Bypass via Self + Unsafe Inline with Iframes A configuration such as: Content-Security-Policy: default-src 'self…
Cookies Hacking
Cookies Hacking Cookie Attributes Cookies come with several attributes that control their behavior in the user's browser…
Cookie Tossing
Cookie Tossing Description If an attacker can control a subdomain or the domain of a company or finds an XSS in a subdom…
Cookie Jar Overflow
Cookie Jar Overflow Cookie jar overflow abuses the fact that browsers cap how many cookies they keep for one site/jar. I…
Cookie Bomb
Cookie Bomb Cookie bomb involves adding a significant number of large cookies to a domain and its subdomains targeting a…
CORS - Misconfigurations & Bypass
CORS - Misconfigurations & Bypass What is CORS? Cross-Origin Resource Sharing (CORS) standard enables servers to def…
CRLF (%0D%0A) Injection
CRLF (%0D%0A) Injection CRLF Carriage Return (CR) and Line Feed (LF), collectively known as CRLF, are special character …
CSRF (Cross Site Request Forgery)
CSRF (Cross Site Request Forgery) Cross-Site Request Forgery (CSRF) Explained Cross-Site Request Forgery (CSRF) is a typ…
Dangling Markup - HTML scriptless injection
Dangling Markup - HTML scriptless injection Summary This technique can be used to extract information from a user when an …
SS-Leaks
SS-Leaks Check the post https://infosec.zeyu2001.com/2023/from-xs-leaks-to-ss-leaks…
DApps - Decentralized Applications
DApps - Decentralized Applications What is a DApp? A DApp is a decentralized application that runs on a peer-to-peer net…
Dependency Confusion
Dependency Confusion Basic Information Dependency Confusion (a.k.a. substitution attacks) happens when a package manager…
Deserialization
Deserialization Basic Information Serialization is understood as the method of converting an object into a format that c…
NodeJS - __proto__ & prototype Pollution
NodeJS - __proto__ & prototype Pollution Objects in JavaScript Objects in JavaScript are essentially collections of …
Client Side Prototype Pollution
Client Side Prototype Pollution Discovering using Automatic tools The tools https://github.com/dwisiswant0/ppfuzz , http…
Express Prototype Pollution Gadgets
Express Prototype Pollution Gadgets Serve XSS responses For further details take a look at the original research Change …
Prototype Pollution to RCE
Prototype Pollution to RCE Vulnerable Code Imagine a real JS using some code like the following one: const { execSync , …
Java JSF ViewState (.faces) Deserialization
Java JSF ViewState Deserialization Check the posts: https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-V…
Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner DNS request on deserialization The class java.net…
Basic Java Deserialization (ObjectInputStream, readObject)
Basic Java Deserialization with ObjectInputStream readObject This post explains an example using ja…
Java Signedobject Gated Deserialization
Java SignedObject-gated Deserialization and Pre-auth Reachability via Error Paths This page documents a common "guarded"…
Livewire Hydration Synthesizer Abuse
Laravel Livewire Hydration & Synthesizer Abuse Recap of the Livewire state machine Livewire 3 components exchange th…
PHP - Deserialization + Autoload Classes
PHP - Deserialization + Autoload Classes First, you should check what Autoloading Classes are. PHP deserialization + sp…
CommonsCollection1 Payload - Java Transformers to Runtime exec() and Thread Sleep
CommonsCollection1 Payload - Java Transformers to Runtime exec() and Thread Sleep Java Transformers to Runtime exec() In s…
Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net) This post is dedicated to understa…
Exploiting __VIEWSTATE knowing the secrets
Exploiting __VIEWSTATE Knowing the Secret If you don't know the keys yet , start with the sister page about recovering /…
Exploiting __VIEWSTATE without knowing the secrets
Exploiting __VIEWSTATE without knowing the secrets What is ViewState ViewState serves as the default mechanism in ASP.NE…
Python Yaml Deserialization
Python Yaml Deserialization Yaml Deserialization Python YAML libraries can serialize Python objects , not just raw data …
JNDI - Java Naming and Directory Interface & Log4Shell
JNDI - Java Naming and Directory Interface & Log4Shell Basic Information JNDI, integrated into Java since the late 1…
Ruby Json Pollution
Ruby _json pollution This is a summary from the post https://nastystereo.com/security/rails-_json-juggling-attack.html B…
Ruby Class Pollution
Ruby Class Pollution This is a summary from the post https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html Merg…
Domain/Subdomain takeover
Domain/Subdomain takeover Domain takeover If you discover some domain (domain.tld) that is being used by some service in…
Email Injections
Email Injections Inject in sent e-mail Inject Cc and Bcc after sender argument From:sender@domain.com%0ACc:recipient@dom…
File Inclusion/Path traversal
File Inclusion/Path traversal File Inclusion Remote File Inclusion (RFI): The file is loaded from a remote server (Best:…
phar:// deserialization
phar:// deserialization Phar (PHP Archive) files contain metadata in serialized format, so, when parsed, this me…
LFI2RCE via PHP Filters
LFI2RCE via PHP Filters Intro This writeup explains that you can use php filters to generate arbitrary content as output…
LFI2RCE via Nginx temp files
LFI2RCE via Nginx temp files Vulnerable configuration Example from bierbaumer.net showed that even the following one-lin…
LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS Basic Info If you have found a Local File Inclusion, even if you don't have a session …
LFI2RCE via Segmentation Fault
LFI2RCE via Segmentation Fault According to the writeups https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line…
LFI2RCE via phpinfo()
LFI to RCE via PHPInfo To exploit this technique you need all of the following: - A reachable page that prints phpinfo()…
LFI2RCE Via temp file uploads
LFI to RCE via Temporary File Uploads Check the full details of this technique in https://gynvael.coldwind.pl/download.p…
LFI2RCE via Eternal waiting
LFI2RCE via Eternal waiting Basic Information By default when a file is uploaded to PHP (even if it isn't expecting it),…
LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STDIO + Path Disclosure
LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STDIO + Path Disclosure compress.zlib:// and PHP_STREAM_PREFER_STDIO A fi…
File Upload
File Upload File Upload General Methodology Other useful extensions: PHP : .php , .php2 , .php3 , .php4 , .php5 , .ph…
PDF Upload - XXE and CORS bypass
PDF Upload - XXE and CORS bypass Check https://insert-script.blogspot.com/2014/12/multiple-pdf-vulnerabilites-text-and.h…
Formula/CSV/Doc/LaTeX/GhostScript Injection
Formula/CSV/Doc/LaTeX/GhostScript Injection Formula Injection Info If your input is being reflected inside CSV file s (o…
gRPC-Web Pentest
Pentesting gRPC-Web Quick protocol recap and attack surface Transport: gRPC‑Web speaks a browser‑compatible variant of g…
HTTP Connection Contamination
HTTP Connection Contamination This is a summary of the post: https://portswigger.net/research/http-3-connection-contamin…
HTTP Connection Request Smuggling
HTTP Connection Request Smuggling This page summarizes, extends and updates the seminal PortSwigger research on Browser-…
HTTP Request Smuggling / HTTP Desync Attack
HTTP Request Smuggling / HTTP Desync Attack What is This vulnerability occurs when a desynchronization between front-end …
Browser HTTP Request Smuggling
Browser HTTP Request Smuggling Browser-powered desync (aka client-side request smuggling) abuses the victim’s browser to…
Request Smuggling in HTTP/2 Downgrades
Request Smuggling in HTTP/2 Downgrades HTTP/2 is generally considered immune to classic request-smuggling because the le…
HTTP Response Smuggling / Desync
HTTP Response Smuggling / Desync The technique of this post was taken from the video: https://www.youtube.com/watch?v=su…
Upgrade Header Smuggling
Upgrade Header Smuggling H2C Smuggling HTTP2 Over Cleartext (H2C) H2C, or http2 over cleartext , deviates from the norm …
hop-by-hop headers
hop-by-hop headers This is a summary of the post https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers …
IDOR
IDOR (Insecure Direct Object Reference) IDOR (Insecure Direct Object Reference) / Broken Object Level Authorization (BOL…
JWT Vulnerabilities (Json Web Tokens)
JWT Vulnerabilities (Json Web Tokens) Part of this post is based on the awesome post: https://github.com/ticarpi/jwt_too…
JSON, XML and YAML Hacking
JSON, XML & Yaml Hacking & Issues Go JSON Decoder The following issues were detected in the Go JSON although the…
LDAP Injection
LDAP Injection LDAP Injection LDAP If you want to know what is LDAP access the following page: ../network-services-pente…
Login Bypass
Login Bypass Bypass regular login If you find a login page, here you can find some techniques to try to bypass it: Check…
Login bypass List
SQL Login Bypass Payloads This list contains payloads to bypass the login via XPath, LDAP and SQL injection (in that ord…
Mass Assignment Cwe 915
Mass Assignment (CWE-915) – Privilege Escalation via Unsafe Model Binding Mass assignment (a.k.a. insecure object bindin…
NoSQL injection
NoSQL injection Exploit In PHP you can send an Array changing the sent parameter from parameter=foo to parameter[arrName…
OAuth to Account takeover
OAuth to Account takeover Basic Information OAuth offers various versions, with foundational insights accessible at OAut…
Open Redirect
Open Redirect Open redirect Redirect to localhost or arbitrary domains If the app “allows only internal/whitelisted host…
ORM Injection
ORM Injection Django ORM (Python) In this post is explained how it's possible to make a Django ORM vulnerable by using f…
Parameter Pollution | JSON Injection
Parameter Pollution | JSON Injection HTTP Parameter Pollution (HPP) Overview HTTP Parameter Pollution (HPP) is a techniq…
Phone Number Injections
Phone Number Injections It's possible to add strings at the end of the phone number that could be used to exploit common in…
PostMessage Vulnerabilities
PostMessage Vulnerabilities Send PostMessage PostMessage uses the following function to send a message: targetWindow.pos…
Blocking main page to steal postmessage
Blocking main page to steal postmessage Winning RCs with Iframes According to this Terjanq writeup , blob documents crea…
Bypassing SOP with Iframes - 1
Bypassing SOP with Iframes - 1 Iframes in SOP-1 In this challenge created by NDevTK and Terjanq you need to exp…
Bypassing SOP with Iframes - 2
Bypassing SOP with Iframes - 2 Iframes in SOP-2 In the solution for this challenge , @Strellic_ proposes a similar metho…
Steal postmessage modifying iframe location
Steal postmessage modifying iframe location Changing child iframes locations According to this writeup , if you can ifra…
Proxy / WAF Protections Bypass
Proxy / WAF Protections Bypass Bypass Nginx ACL Rules with Pathname Manipulation Techniques from this research . Nginx r…
Race Condition
Race Condition Warning For obtaining a deep understanding of this technique check the original report in https://portswi…
Rate Limit Bypass
Rate Limit Bypass Rate limit bypass techniques Exploring Similar Endpoints Attempts should be made to perform brute forc…
Registration & Takeover Vulnerabilities
Registration & Takeover Vulnerabilities Registration Takeover Duplicate Registration Try to generate using an existi…
Regular expression Denial of Service - ReDoS
Regular expression Denial of Service - ReDoS Regular Expression Denial of Service (ReDoS) A Regular Expression Denial of…
Reset/Forgotten Password Bypass
Reset/Forgotten Password Bypass Password Reset Token Leak Via Referrer The HTTP referer header may leak the password res…
Reverse Tab Nabbing
Reverse Tab Nabbing Description In a situation where an attacker can control the href argument of an <a tag with the …
RSQL Injection
RSQL Injection What is RSQL? RSQL is a query language designed for parameterized filtering of inputs in RESTful APIs. Ba…
SAML Attacks
SAML Attacks Basic Information saml-basics.md Tool SAMLExtractor : A tool that can take a URL or a list of URLs and prints …
SAML Basics
SAML Basics SAML Overview Security Assertion Markup Language (SAML) enables identity providers (IdP) to be utilized for …
Server Side Inclusion/Edge Side Inclusion Injection
Server Side Inclusion/Edge Side Inclusion Injection Server Side Inclusion Basic Information (Introduction taken from Apa…
Soap Jax Ws Threadlocal Auth Bypass
SOAP/JAX-WS ThreadLocal Authentication Bypass TL;DR Some middleware chains store the authenticated Subject / Principal i…
SQL Injection
SQL Injection What is SQL injection? An SQL injection is a security flaw that allows attackers to interfere with databas…
MS Access SQL Injection
MS Access SQL Injection Online Playground https://www.w3schools.com/sql/trysql.asp?filename=trysql_func_ms_format&ss…
MSSQL Injection
MSSQL Injection Active Directory enumeration It may be possible to enumerate domain users via SQL injection inside a MSS…
MySQL injection
MySQL injection Comments -- MYSQL Comment # MYSQL Comment /* MYSQL Comment */ /*! MYSQL Special SQL */ /*!32302 10*/ Com…
MySQL File priv to SSRF/RCE
MySQL File priv to SSRF/RCE This is a summary of the MySQL/MariaDB/Percona techniques from https://ibreak.software/2020/…
Oracle injection
Oracle injection See this post, a Wayback Machine copy of the deleted post from https://ibreak.software/2020/06/using-s…
Cypher Injection (neo4j)
Cypher Injection (neo4j) Check the following blogs: https://www.varonis.com/blog/neo4jection-secrets-data-and-cloud-expl…
Sqlmap
SQLMap Basic arguments for SQLmap Generic -u "<URL>" -p "<PARAM TO TEST>" --user-agent =…
PostgreSQL injection
PostgreSQL injection This page aims to explain different tricks that could help you to exploit an SQL injection found in a…
dblink/lo_import data exfiltration
dblink/lo_import data exfiltration This is an example of how to exfiltrate data loading files in the database with lo_im…
PL/pgSQL Password Bruteforce
PL/pgSQL Password Bruteforce Find more information about these attacks in the original paper . PL/pgSQL is a fully featur…
Network - Privesc, Port Scanner and NTLM challenge response disclosure
Network - Privesc, Port Scanner and NTLM challenge response disclosure Find more information about these attacks in the…
Big Binary Files Upload (PostgreSQL)
Big Binary Files Upload in PostgreSQL PostgreSQL Large Objects PostgreSQL offers a structure known as large objects , ac…
RCE with PostgreSQL Languages
RCE with PostgreSQL Languages PostgreSQL Languages The PostgreSQL database you got access to may have different scriptin…
RCE with PostgreSQL Extensions
RCE with PostgreSQL Extensions PostgreSQL Extensions PostgreSQL has been developed with extensibility as a core feature,…
SQLMap - CheatSheet
SQLMap - Cheatsheet Basic arguments for SQLmap Generic -u "<URL>" -p "<PARAM TO TEST>" -…
Second Order Injection - SQLMap
Second Order Injection with SQLMap SQLMap can exploit Second Order SQLis. You need to provide: The request where the s…
SSRF (Server Side Request Forgery)
SSRF (Server Side Request Forgery) Basic Information A Server-side Request Forgery (SSRF) vulnerability occurs when an a…
URL Format Bypass
URL Format Bypass Localhost Localhost payloads # Localhost 0 # Yes, just 0 is localhost in Linux http://127.0.0.1:80 htt…
SSRF Vulnerable Platforms
SSRF Vulnerable Platforms This page is focused on platforms and features that frequently turn a blind SSRF into a useful…
Cloud SSRF
Cloud SSRF AWS Abusing SSRF in AWS EC2 environment The metadata endpoint can be accessed from inside any EC2 machine and…
SSTI (Server Side Template Injection)
SSTI (Server Side Template Injection) What is SSTI (Server-Side Template Injection) Server-side template injection is a …
EL - Expression Language
EL - Expression Language Basic Info Expression Language (EL) is integral in JavaEE for bridging the presentation layer (e…
Jinja2 SSTI
Jinja2 SSTI Lab from flask import Flask , request , render_template_string app = Flask ( __name__ ) @app . route ( "…
Timing Attacks
Timing Attacks Warning For obtaining a deep understanding of this technique check the original report from https://ports…
Unicode Injection
Unicode Injection Introduction Depending on how the back-end/front-end is behaving when it receives weird unicode charac…
Unicode Normalization
Unicode Normalization This is a summary of: https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-…
UUID Insecurities
UUID Insecurities Basic Information Universally Unique Identifiers (UUIDs) are 128-bit numbers used to uniquely identify…
WebSocket Attacks
WebSocket Attacks What are WebSockets WebSocket connections are established through an initial HTTP handshake and are de…
Web Tool - WFuzz
Web Tool - WFuzz A tool to FUZZ web applications anywhere. Wfuzz has been created to facilitate the task in web applicat…
XPATH injection
XPATH injection Basic Syntax An attack technique known as XPath Injection is utilized to take advantage of applications …
XS Search
XS-Search/XS-Leaks Basic Information XS-Search is a method used for extracting cross-origin information by leveraging si…
XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
XSLT Server Side Injection (Extensible Stylesheet Language Transformations) Basic Information XSLT is a technology emplo…
XXE - XEE - XML External Entity
XXE - XEE - XML External Entity XML Basics XML is a markup language designed for data storage and transport, featuring a…
XSS (Cross Site Scripting)
XSS (Cross Site Scripting) Methodology Check if any value you control ( parameters , path , headers ?, cookies ?) is bei…
Abusing Service Workers
Abusing Service Workers Basic Information A service worker is a script run by your browser in the background, separate f…
Chrome Cache to XSS
Chrome Cache to XSS This is a browser-local cache abuse technique in Chrome: you first make the victim cache attacker-in…
Debugging Client Side JS
Debugging Client Side JS Debugging client side JS can be a pain because every time you change the URL (including a chang…
Dom Clobbering
Dom Clobbering Basics It's possible to generate global variables inside the JS context with the attributes id and name i…
DOM Invader
DOM Invader DOM Invader DOM Invader is a browser tool installed in Burp Suite's built-in Chromium browser . It assists i…
DOM XSS
DOM XSS DOM Vulnerabilities DOM vulnerabilities occur when data from attacker-controlled sources (like location.search ,…
Iframes in XSS, CSP and SOP
Iframes in XSS, CSP and SOP Iframes in XSS There are 3 ways to indicate the content of an iframed page: Via src indicati…
Integer Overflow
Integer Overflow (Web Applications) This page focuses on how integer overflows/truncations can be abused in web applicat…
JS Hoisting
JS Hoisting Basic Information In the JavaScript language, a mechanism known as Hoisting is described where declarations …
Misc JS Tricks & Relevant Info
Misc JS Tricks & Relevant Info Javascript Fuzzing Valid JS Comment Chars //This is a 1 line comment /* This is a mul…
PDF Injection
PDF Injection If your input is being reflected inside a PDF file, you can try to inject PDF data to execute JavaScript, …
Server Side XSS (Dynamic PDF)
Server Side XSS (Dynamic PDF) Server Side XSS (Dynamic PDF) If a web page is creating a PDF using user controlled input,…
Shadow DOM
Shadow DOM Check out this blog: https://blog.ankursundara.com/shadow-dom/ and this CTF challenge: https://github.com/Sup…
SOME - Same Origin Method Execution
SOME - Same Origin Method Execution Same Origin Method Execution There will be occasions where you can execute some limi…
Sniff Leak
Sniff Leak Leak script content by converting it to UTF16 This writeup leaks a text/plain because there is no X-Content-T…
Steal Info JS
Steal Info JS // SELECT HERE THE EXFILTRATION MODE (more than 1 can be selected) // If any GET method is selected (like …
Wasm Linear Memory Template Overwrite Xss
WebAssembly linear memory corruption to DOM XSS (template overwrite) This technique shows how a memory-corruption bug in…
XSS in Markdown
XSS in Markdown If you have the chance to inject code in markdown, there are a few options you can use to trigger an XSS …
XSSI (Cross-Site Script Inclusion)
XSSI (Cross-Site Script Inclusion) Basic Information Cross-Site Script Inclusion (XSSI) is a vulnerability that arises f…
XS-Search/XS-Leaks
XS-Search/XS-Leaks Basic Information XS-Search is a method used for extracting cross-origin information by leveraging si…
Connection Pool Examples
Connection Pool Examples Sekaictf2022 - safelist In the Sekaictf2022 - safelist challenge, @Strellic_ gives an example o…
Connection Pool by Destination Example
Connection Pool by Destination Example In this exploit , @terjanq proposes yet another solution for the challenge mentio…
Cookie Bomb + Onerror XS Leak
Cookie Bomb + Onerror XS Leak This technique combines: - Cookie bombing: stuffing the victim’s browser with many/large c…
URL Max Length - Client Side
URL Max Length - Client Side Code from https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-c…
performance.now example
performance.now example Example taken from https://ctf.zeyu2001.com/2022/nitectf-2022/js-api const sleep = ( ms ) => …
performance.now + Force heavy task
performance.now + Force heavy task Exploit taken from https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/ In…
Event Loop Blocking + Lazy images
Event Loop Blocking + Lazy images In this exploit , @aszx87410 mixes the lazy image side channel technique through a HTM…
JavaScript Execution XS Leak
JavaScript Execution XS Leak This XS-Search primitive turns whether a cross-origin response executes as JavaScript into …
CSS Injection
CSS Injection CSS Injection LESS Code Injection LESS is a popular CSS pre-processor that adds variables, mixins, functio…
CSS Injection Code
CSS Injection Code ```html:victim.html @import url("//localhost:5001/start?"); ```javascript:server.js const http = requ…
LESS Code Injection
LESS Code Injection leading to SSRF & Local File Read LESS is a popular CSS pre-processor that adds variables, mixin…
Iframe Traps
Iframe Traps Basic Information This technique abuses same-origin XSS to keep code execution alive while the victim keeps…
Physical Attacks
Physical Attacks BIOS Password Recovery and System Security Resetting the BIOS can be achieved in several ways. Most mot…
Escaping from KIOSKs
Escaping from KIOSKs Check physical device Component Action Power button Turning the device off and on again may expose …
Firmware Analysis
Firmware Analysis Introduction Related resources synology-encrypted-archive-decryption.md ../../network-services-pentest…
Android Mediatek Secure Boot Bl2 Ext Bypass El3
MediaTek bl2_ext Secure-Boot Bypass (EL3 Code Execution) This page documents a practical secure-boot break on multiple M…
Bootloader testing
Bootloader Testing The following steps are recommended for modifying device startup configurations and testing bootloade…
Firmware Integrity
Firmware Integrity The custom firmware and/or compiled binaries can be uploaded to exploit integrity or signature verifi…
Basic Stack Binary Exploitation Methodology
Basic Binary Exploitation Methodology ELF Basic Info Before starting to exploit anything it's interesting to understand par…
ELF Basic Information
ELF Basic Information Program Headers These describe to the loader how to load the ELF into memory: readelf -lW lnstat Elf…
Exploiting Tools
Exploiting Tools Metasploit pattern_create.rb -l 3000 #Length pattern_offset.rb -l 3000 -q 5f97d534 #Search offset nasm_…
PwnTools
PwnTools pip3 install pwntools Pwn asm Get opcodes from line or file. pwn asm "jmp esp" pwn asm -i <filepat…
Stack Overflow
Stack Overflow What is a Stack Overflow A stack overflow is a vulnerability that occurs when a program writes more data …
Pointer Redirecting
Pointer Redirecting String pointers If a function call is going to use an address of a string that is located in the sta…
Ret2win
Ret2win Basic Information Ret2win challenges are a popular category in Capture The Flag (CTF) competitions, particularly…
Ret2win - arm64
Ret2win - arm64 Find an introduction to arm64 in: ../../../macos-hardening/macos-security-and-privilege-escalation/macos…
Stack Shellcode
Stack Shellcode Basic Information Stack shellcode is a technique used in binary exploitation where an attacker writes sh…
Stack Shellcode - arm64
Stack Shellcode - arm64 Find an introduction to arm64 in: ../../../macos-hardening/macos-security-and-privilege-escalati…
Stack Pivoting
Stack Pivoting Basic Information This technique exploits the ability to manipulate the Base Pointer (EBP/RBP) to chain t…
Uninitialized Variables
Uninitialized Variables Basic Information The core idea here is to understand what happens with uninitialized variables …
ROP & JOP
ROP & JOP Basic Information Return-Oriented Programming (ROP) is an advanced exploitation technique used to circumve…
BROP - Blind Return Oriented Programming
BROP - Blind Return Oriented Programming Basic Information The goal of this attack is to be able to abuse a ROP via a bu…
Ret2csu
Ret2csu https://www.scs.stanford.edu/brop/bittau-brop.pdf Basic Information ret2csu is a hacking technique used when you…
Ret2dlresolve
Ret2dlresolve Basic Information As explained in the page about GOT/PLT and Relro , binaries without Full Relro will reso…
Ret2esp / Ret2reg
Ret2esp / Ret2reg Ret2esp Because the ESP (Stack Pointer) always points to the top of the stack , this technique involve…
Ret2lib
Ret2lib Basic Information The essence of Ret2Libc is to redirect the execution flow of a vulnerable program to a functio…
Leaking libc address with ROP
Leaking libc address with ROP Quick Resume Find overflow offset Find POP_RDI gadget, PUTS_PLT and MAIN gadgets Use previ…
Leaking libc - template
Leaking libc - template ```python:template.py from pwn import ELF, process, ROP, remote, ssh, gdb, cyclic, cyclic_find, …
One Gadget
One Gadget Basic Information One Gadget allows obtaining a shell instead of using system and "/bin/sh". One Gadget will …
Ret2lib + Printf leak - arm64
Ret2lib + Printf leak - ARM64 Ret2lib - NX bypass with ROP (no ASLR) #include <stdio.h> void bof () { char buf [ 1…
Ret2syscall
Ret2syscall Basic Information This is similar to Ret2lib, however, in this case we won't be calling a function from a li…
Ret2syscall - arm64
Ret2syscall - ARM64 Find an introduction to arm64 in: ../../../macos-hardening/macos-security-and-privilege-escalation/m…
Ret2vDSO
Ret2vDSO Basic Information There might be gadgets in the vDSO region , which is a small ELF DSO mapped by the kernel to …
SROP - Sigreturn-Oriented Programming
SROP - Sigreturn-Oriented Programming Basic Information Sigreturn is a special syscall that's primarily used to clean up…
SROP - arm64
Pwntools example This example is creating the vulnerable binary and exploiting it. The binary reads into the stack and t…
Mediatek Xflash Carbonara Da2 Hash Bypass
MediaTek XFlash Carbonara DA2 Hash Bypass Summary "Carbonara" abuses MediaTek's XFlash download path to run a modified D…
Synology Encrypted Archive Decryption
Synology PAT/SPK Encrypted Archive Decryption Overview Several Synology devices (DSM/BSM NAS, BeeStation, …) distribute …
Windows SEH Overflow
Windows SEH-based Stack Overflow Exploitation (nSEH/SEH) SEH-based exploitation is a classic x86 Windows technique that …
Array Indexing
Array Indexing Basic Information This category includes all vulnerabilities that occur because it is possible to overwri…
Chrome Exploiting
Chrome Exploiting This page provides a high-level yet practical overview of a modern "full-chain" exploitation workflow …
Common Exploiting Problems Unsafe Relocation Fixups
Unsafe Relocation Fixups in Asset Loaders Why asset relocations matter Many legacy game engines (Granny 3D, Gamebryo, et…
Integer Overflow
Integer Overflow Basic Information At the heart of an integer overflow is the limitation imposed by the size of data typ…
Format Strings
Format Strings Basic Information In C printf is a function that can be used to print some string. The first parameter th…
Format Strings - Arbitrary Read Example
Format Strings - Arbitrary Read Example Read Binary Start Code #include <stdio.h> int main ( void ) { char buffer …
Format Strings Template
Format Strings Template from pwn import * from time import sleep ################### ### CONNECTION #### ###############…
Libc Heap
Libc Heap Heap Basics The heap is basically the place where a program is going to be able to store data when it requests…
Bins & Memory Allocations
Bins & Memory Allocations Basic Information In order to improve the efficiency on how chunks are stored every chunk …
Heap Memory Functions
Heap Memory Functions…
free
free Free Order Summary (No checks are explained in this summary and some cases have been omitted for brevity) If the add…
malloc & sysmalloc
malloc & sysmalloc Allocation Order Summary (No checks are explained in this summary and some cases have been omitted…
unlink
unlink Code // From https://github.com/bminor/glibc/blob/master/malloc/malloc.c /* Take a chunk off a bin list. */ stati…
Heap Functions Security Checks
Heap Functions Security Checks unlink For more info check: unlink.md This is a summary of the performed checks: Check if…
Use After Free
Use After Free Basic Information As the name implies, this vulnerability occurs when a program stores some space in the …
First Fit
First Fit First Fit When you free memory in a program using glibc, different "bins" are used to manage the memory chunks…
Double Free
Double Free Basic Information If you free a block of memory more than once, it can mess up the allocator's data and open…
Gnu Obstack Function Pointer Hijack
GNU obstack function-pointer hijack Overview GNU obstacks embed allocator state together with two indirect call targets:…
Overwriting a freed chunk
Overwriting a freed chunk Several of the proposed heap exploitation techniques need to be able to overwrite pointers ins…
Heap Overflow
Heap Overflow Basic Information A heap overflow is like a stack overflow but in the heap. Basically it means that some s…
Unlink Attack
Unlink Attack Basic Information Historically, this attack used to give a very strong WWW (Write-What-Where) primitive. M…
Fast Bin Attack
Fast Bin Attack Basic Information For more information about what a fast bin is check this page: bins-and-memory-allocat…
Unsorted Bin Attack
Unsorted Bin Attack Basic Information For more information about what an unsorted bin is check this page: bins-and-memor…
Large Bin Attack
Large Bin Attack Basic Information For more information about what a large bin is check this page: bins-and-memory-alloc…
Tcache Bin Attack
Tcache Bin Attack Basic Information For more information about what a Tcache bin is, check this page: bins-and-memory-al…
Off by one overflow
Off by one overflow Basic Information Having just access to a 1B overflow allows an attacker to modify the size field fr…
House of Spirit
House of Spirit Basic Information Code House of Spirit #include <unistd.h> #include <stdlib.h> #include <…
House of Lore | Small bin Attack
House of Lore | Small bin Attack Basic Information Code Check the one from https://ctf-wiki.mahaloz.re/pwn/linux/glibc-h…
House of Einherjar
House of Einherjar Basic Information Code Check the example from https://github.com/shellphish/how2heap/blob/master/glib…
House of Force
House of Force Basic Information Code This technique was patched ( here ) and produces this error: malloc(): corrupted t…
House of Orange
House of Orange Basic Information Code Find an example in https://github.com/shellphish/how2heap/blob/master/glibc_2.23/…
House of Rabbit
House of Rabbit Requirements Ability to modify fast bin fd pointer or size : This means you can change the forward point…
House of Roman
House of Roman Basic Information This was a very interesting technique that allowed for RCE without leaks via fake fastb…
Common Binary Exploitation Protections & Bypasses
Common Binary Exploitation Protections & Bypasses Enable Core files Core files are a type of file generated by an op…
ASLR
ASLR Basic Information Address Space Layout Randomization (ASLR) is a security technique used in operating systems to ra…
Ret2plt
Ret2plt Basic Information The goal of this technique would be to leak an address from a function from the PLT to be able…
Ret2ret & Ret2pop
Ret2ret & Ret2pop Ret2ret The main goal of this technique is to try to bypass ASLR by abusing an existing pointer in…
CET & Shadow Stack
CET & Shadow Stack Control Flow Enforcement Technology (CET) CET is a security feature implemented at the hardware l…
Libc Protections
Libc Protections Chunk Alignment Enforcement Malloc allocates memory in 8-byte (32-bit) or 16-byte (64-bit) groupings . …
Memory Tagging Extension (MTE)
Memory Tagging Extension (MTE) Basic Information Memory Tagging Extension (MTE) is designed to enhance software reliabil…
No-exec / NX
No-exec / NX Basic Information The No-Execute (NX) bit, also known as Execute Disable (XD) in Intel terminology, is a ha…
PIE
PIE Basic Information A binary compiled as PIE, or Position Independent Executable , means the program can load at diffe…
BF Addresses in the Stack
BF Addresses in the Stack If you are facing a binary protected by a canary and PIE (Position Independent Executable) you…
Relro
Relro Relro RELRO stands for Relocation Read-Only and it is a mitigation implemented by the linker ( ld ) that turns a s…
Stack Canaries
Stack Canaries StackGuard and StackShield StackGuard inserts a special value known as a canary before the EIP (Extended …
BF Forked & Threaded Stack Canaries
BF Forked &amp; Threaded Stack Canaries If you are facing a binary protected by a canary and PIE (Position Independent E…
Print Stack Canary
Print Stack Canary Enlarge printed stack Imagine a situation where a program vulnerable to stack overflow can execute a …
Write What Where 2 Exec
Arbitrary Write 2 Exec…
Aw2exec Sips Icc Profile
WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236) Overview An out-of-bounds zero-write vulnerability in A…
WWW2Exec - atexit()
WWW2Exec - atexit(), TLS Storage & Other mangled Pointers __atexit Structures Caution Nowadays it is very weird to expl…
WWW2Exec - .dtors & .fini_array
WWW2Exec - .dtors & .fini_array .dtors Caution Nowadays it is very weird to find a binary with a .dtors section! The de…
WWW2Exec - GOT/PLT
WWW2Exec - GOT/PLT Basic Information GOT: Global Offset Table The Global Offset Table (GOT) is a mechanism used in dynam…
WWW2Exec - __malloc_hook & __free_hook
WWW2Exec - __malloc_hook & __free_hook Malloc Hook As you can see on the Official GNU site, the variable __malloc_hook is a po…
WWW2Exec - __printf_arginfo_table
WWW2Exec - __printf_arginfo_table Glibc allows users to register custom conversion specifiers (like %s , %d ) for printf…
Virtualbox Slirp Nat Packet Heap Exploitation
VirtualBox Slirp NAT Packet Heap Exploitation TL;DR VirtualBox ships a heavily modified fork of Slirp whose packet buffe…
Common Exploiting Problems
Common Exploiting Problems FDs in Remote Exploitation When sending an exploit to a remote server that calls system('/bin…
Adreno A7xx Sds Rb Priv Bypass Gpu Smmu Kernel Rw
Adreno A7xx SDS->RB privilege bypass (GPU SMMU takeover to Kernel R/W) This page abstracts an in-the-wild Adreno A7xx…
Af Unix Msg Oob Uaf Skb Primitives
AF_UNIX MSG_OOB UAF & SKB-based kernel primitives TL;DR Linux >=6.9 introduced a flawed manage_oob() refactor ( 5…
Arm64 Static Linear Map Kaslr Bypass
Linux arm64 Static Linear Map KASLR Bypass Overview Android kernels built for arm64 almost universally enable CONFIG_ARM…
Ksmbd Streams Xattr Oob Write Cve 2025 37947
ksmbd streams_xattr OOB write → local LPE (CVE-2025-37947) This page documents a deterministic out-of-bounds write in ks…
Pixel Bigwave Bigo Job Timeout Uaf Kernel Write
Pixel BigWave BIGO timeout race UAF → 2KB kernel write from mediacodec TL;DR From the SELinux-confined mediacodec contex…
Linux kernel exploitation - toctou
POSIX CPU Timers TOCTOU race (CVE-2025-38352) This page documents a TOCTOU race condition in Linux/Android POSIX CPU tim…
PS5 compromission
FreeBSD ptrace RFI and vm_map PROT_EXEC bypass (PS5 case study) Overview This page documents a practical Unix/BSD usermo…
Vmware Workstation Pvscsi Lfh Escape
VMware Workstation PVSCSI LFH Escape (VMware-vmx on Windows 11) This is the public Workstation-on-Windows 11 variant of …
Windows Exploiting (Basic Guide - OSCP lvl)
Windows Exploiting (Basic Guide - OSCP lvl) Tip Looking for post-OSCP kernel primitives? Modern registry hive corruption…
Windows Vectored Overloading
Vectored Overloading PE Injection Tip Looking for Windows 11 LFH heap shaping and VMware Workstation PVSCSI (vmware-vmx)…
iOS Exploiting
iOS Exploiting iOS Exploit Mitigations 1. Code Signing / Runtime Signature Verification Introduced early (iPhone OS → iO…
ios CVE-2020-27950-mach_msg_trailer_t
CVE-2021-30807: IOMobileFrameBuffer OOB The Bug You have a great explanation of the vuln here , but as summary: Every Ma…
ios CVE-2021-30807-IOMobileFrameBuffer
CVE-2021-30807: IOMobileFrameBuffer OOB The Bug You have a great explanation of the vuln here , but as summary: The vuln…
Imessage Media Parser Zero Click Coreaudio Pac Bypass
iMessage Media Parser Zero-Click → CoreAudio RCE → PAC/RPAC → Kernel → CryptoTokenKit Abuse This page summarizes a moder…
ios Corellium
iOS How to Connect to Corellium Prereqs A Corellium iOS VM (jailbroken or not). In this guide we assume you have access …
ios Heap Exploitation
iOS/macOS Example Heap Overflow Exploit This page is a small Apple-platform heap-overflow lab : a heap buffer overflow c…
ios Physical UAF - IOSurface
iOS Physical Use After Free via IOSurface iOS Exploit Mitigations Code Signing in iOS works by requiring every piece of …
Webkit Dfg Store Barrier Uaf Angle Oob
WebKit DFG Store-Barrier UAF + ANGLE PBO OOB (iOS 26.1) Summary DFG Store Barrier bug (CVE-2025-43529) : In DFGStoreBarr…
AI Security
AI in Cybersecurity Main Machine Learning Algorithms The best starting point to learn about AI is to understand how the …
Ai Assisted Fuzzing And Vulnerability Discovery
AI-Assisted Fuzzing & Automated Vulnerability Discovery Overview Large-language models (LLMs) can super-charge tradi…
AI Security Methodology
Deep Learning Deep Learning Deep learning is a subset of machine learning that uses neural networks with multiple layers…
Burp MCP: LLM-assisted traffic review
Burp MCP: LLM-assisted traffic review Overview Burp's MCP Server extension can expose intercepted HTTP(S) traffic to MCP…
AI MCP Security
MCP Servers What is MCP - Model Context Protocol The Model Context Protocol (MCP) is an open standard that allows AI mod…
AI Model Data Preparation
Model Data Preparation & Evaluation Model data preparation is a crucial step in the machine learning pipeline, as it…
AI Models RCE
Models RCE Loading models to RCE Machine Learning models are usually shared in different formats, such as ONNX, TensorFl…
AI Prompts
AI Prompts Basic Information AI prompts are essential for guiding AI models to generate desired outputs. They can be sim…
AI Risk Frameworks
AI Risks OWASP Top 10 Machine Learning Vulnerabilities OWASP has identified the top 10 machine learning vulnerabilities …
AI Supervised Learning Algorithms
Supervised Learning Algorithms Basic Information Supervised learning uses labeled data to train models that can make pre…
AI Unsupervised Learning Algorithms
Unsupervised Learning Algorithms Unsupervised Learning Unsupervised learning is a type of machine learning where the mod…
AI Reinforcement Learning Algorithms
Reinforcement Learning Algorithms Reinforcement Learning Reinforcement learning (RL) is a type of machine learning where…
LLM Training
LLM Training - Data Preparation These are my notes from the very recommended book https://www.manning.com/books/build-a-…
0. Basic LLM Concepts
0. Basic LLM Concepts Pretraining Pretraining is the foundational phase in developing a large language model (LLM) where…
1. Tokenizing
1. Tokenizing Tokenizing Tokenizing is the process of breaking down data, such as text, into smaller, manageable pieces …
2. Data Sampling
2. Data Sampling Data Sampling Data Sampling is a crucial process in preparing data for training large language models (…
3. Token Embeddings
3. Token Embeddings Token Embeddings After tokenizing text data, the next critical step in preparing data for training l…
4. Attention Mechanisms
4. Attention Mechanisms Attention Mechanisms and Self-Attention in Neural Networks Attention mechanisms allow neural net…
5. LLM Architecture
5. LLM Architecture LLM Architecture Tip The goal of this fifth phase is very simple: Develop the architecture of the fu…
6. Pre-training & Loading models
6. Pre-training & Loading models Text Generation In order to train a model we will need that model to be able to gen…
7.0. LoRA Improvements in fine-tuning
7.0. LoRA Improvements in fine-tuning LoRA Improvements Tip The use of LoRA greatly reduces the computation needed to fine …
7.1. Fine-Tuning for Classification
7.1. Fine-Tuning for Classification What is Fine-tuning is the process of taking a pre-trained model that has learned ge…
7.2. Fine-Tuning to follow instructions
7.2. Fine-Tuning to follow instructions Tip The goal of this section is to show how to fine-tune an already pre-trained …
Reversing Tools & Basic Methods
Reversing Tools & Basic Methods ImGui Based Reversing tools Software: ReverseKit: https://github.com/zer0condition/R…
Angr
Angr Part of this cheatsheet is based on the angr documentation . Installation sudo apt-get install python3-dev libffi-d…
Angr - Examples
Angr - Examples Tip If the program is using scanf to get several values at once from stdin you need to generate a state …
Z3 - Satisfiability Modulo Theories (SMT)
Satisfiability Modulo Theories (SMT) - Z3 Very basically, this tool will help us to find values for variables that need …
Cheat Engine
Cheat Engine Cheat Engine is a useful program to find where important values are saved inside the memory of a running ga…
Blobrunner
Blobrunner The only modified line from the original code is the line 10. In order to compile it just create a C/C++ proj…
Common API used in Malware
Common API used in Malware Generic Networking Raw Sockets WinAPI Sockets socket() WSAStartup() bind() bind() listen() li…
Word Macros
Word Macros Junk Code It's very common to find junk code that is never used to make the reversing of the macro more diff…
Crypto
Crypto This section focuses on practical cryptography for hacking/CTFs : how to quickly recognize common patterns, pick …
Crypto CTF Workflow
Crypto CTF Workflow Triage checklist Identify what you have: encoding vs encryption vs hash vs signature vs MAC. Determi…
Symmetric Crypto
Symmetric Crypto What to look for in CTFs Mode misuse : ECB patterns, CBC malleability, CTR/GCM nonce reuse. Padding ora…
Hashes, MACs & KDFs
Hashes, MACs & KDFs Common CTF patterns "Signature" is actually hash(secret || message) → length extension. Unsalted…
Public-Key Crypto
Public-Key Crypto Most CTF hard crypto ends up here: RSA, ECC/ECDSA, lattices, and bad randomness. Recommended tooling S…
RSA Attacks
RSA Attacks Fast triage Collect: n , e , c (and any additional ciphertexts) Any relationships between messages (same pla…
TLS & Certificates
TLS & Certificates This area is about X.509 parsing, formats, conversions, and common mistakes . X.509: parsing, for…
Crypto in Malware
Crypto in Malware / Reverse Engineering This subsection helps when you see crypto/compression inside binaries and want t…
Crypto CTF Misc
Crypto CTF Misc Grab-bag pages that show up a lot in crypto challenges, but don’t fit neatly elsewhere. Esoteric languag…
Stego
Stego This section focuses on finding and extracting hidden data from files (images/audio/video/documents/archives) and …
Stego Workflow
Stego Workflow Most stego problems are solved faster by systematic triage than by trying random tools. Core flow Quick t…
Images
Image Steganography Most CTF image stego reduces to one of these buckets: LSB/bit-planes (PNG/BMP) Metadata/comment payl…
Audio
Audio Steganography Common patterns: Spectrogram messages WAV LSB embedding DTMF / dial tones encoding Metadata payloads…
Text Stego
Text Steganography Look for: Unicode homoglyphs Zero-width characters Whitespace patterns (spaces vs tabs) Practical pat…
Documents
Document Steganography Documents are often just containers: PDF (embedded files, streams) Office OOXML ( .docx/.xlsx/.pp…
Malware & Network Stego
Malware & Network Stego Not all steganography is pixel LSB; commodity malware often hides payloads inside otherwise …
Interesting Http
Interesting HTTP Referrer headers and policy Referrer is the header used by browsers to indicate which was the previous …
Rust Basics
Rust Basics Ownership of variables Memory is managed through a system of ownership with the following rules that the com…
More Tools
More tools BlueTeam https://github.com/yarox24/attack_monitor https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-ro…
Hardware Hacking
Hardware Hacking JTAG JTAG allows performing a boundary scan. The boundary scan analyzes certain circuitry, including em…
Fault Injection Attacks
Fault Injection Attacks Fault injection attacks include introducing external disturbance in electronic circuits to inf…
I2C
I2C Bus Pirate To test a Bus Pirate is working, connect +5V with VPU and 3.3V with ADC and access the bus pirate (Using …
Side Channel Analysis
Side Channel Analysis Attacks Side-channel attacks recover secrets by observing physical or micro-architectural "leakage…
UART
UART Basic Information UART is a serial protocol, which means it transfers data between components one bit at a time. In…
Radio
Radio SigDigger SigDigger is a free digital signal analyzer for GNU/Linux and macOS, designed to extract information of …
JTAG
JTAG README.md JTAGenum JTAGenum is a tool you can load on an Arduino-compatible MCU or (experimentally) a Raspberry Pi …
SPI
SPI Basic Information SPI (Serial Peripheral Interface) is a synchronous serial communication protocol used in embedded…
Industrial Control Systems Hacking
Industrial Control Systems Hacking About this Section This section contains all about Industrial Control Systems includi…
Modbus Protocol
The Modbus Protocol Introduction to Modbus Protocol The Modbus protocol is a widely used protocol in Industrial Automati…
Radio Hacking
Radio Hacking…
Maxiprox Mobile Cloner
Building a Portable HID MaxiProx 125 kHz Mobile Cloner Goal Turn a mains-powered HID MaxiProx 5375 long-range 125 kHz re…
Pentesting RFID
Pentesting RFID Introduction Radio Frequency Identification (RFID) is the most popular short-range radio solution. It's …
Infrared
Infrared How the Infrared Works Infrared light is invisible to humans . IR wavelength is from 0.7 to 1000 microns . Hous…
Sub-GHz RF
Sub-GHz RF Garage Doors Garage door openers typically operate at frequencies in the 300-190 MHz range, with the most com…
iButton
iButton Intro iButton is a generic name for an electronic identification key packed in a coin-shaped metal container . I…
Flipper Zero
Flipper Zero With Flipper Zero you can: Listen/Capture/Replay radio frequencies: Sub-GHz Read/Capture/Emulate NFC cards:…
FZ - NFC
FZ - NFC Intro For info about RFID and NFC check the following page: ../pentesting-rfid.md Supported NFC cards Caution A…
FZ - Sub-GHz
FZ - Sub-GHz Intro Flipper Zero can receive and transmit radio frequencies in the range of 300-928 MHz with its built-in…
FZ - Infrared
FZ - Infrared Intro For more info about how Infrared works check: ../infrared.md IR Signal Receiver in Flipper Zero Flip…
FZ - iButton
FZ - iButton Intro For more info about what is an iButton check: ../ibutton.md Design The blue part of the following ima…
FZ - 125kHz RFID
FZ - 125kHz RFID Intro For more info about how 125kHz tags work check: ../pentesting-rfid.md Actions For more info about…
Proxmark 3
Proxmark 3 Attacking RFID Systems with Proxmark3 The first thing you need to do is to have a Proxmark3 and install the s…
FISSURE - The RF Framework
FISSURE - The RF Framework Frequency Independent SDR-based Signal Understanding and Reverse Engineering FISSURE is an op…
Low-Power Wide Area Network
Low-Power Wide Area Network Introduction Low-Power Wide Area Network (LPWAN) is a group of wireless, low-power, wide-are…
Pentesting BLE - Bluetooth Low Energy
Pentesting BLE - Bluetooth Low Energy Introduction Available since the Bluetooth 4.0 specification, BLE uses only 40 cha…
Test LLMs
Test LLMs Run & train models locally Hugging Face Transformers Hugging Face Transformers is one of the most popular …
Burp Suite
Burp Suite Basic Payloads Simple List: Just a list containing an entry in each line Runtime File: A list read in runtime…
Other Web Tricks
Other Web Tricks Host header Several times the back-end trusts the Host header to perform some actions. For example, it c…
Android Forensics
Android Forensics Locked Device To start extracting data from an Android device it has to be unlocked. If it's locked yo…
Online Platforms with API
Online Platforms with API ProjectHoneypot You can ask if an IP is related to suspicious/malicious activities. Completely…
Stealing Sensitive Information Disclosure from a Web
Stealing Sensitive Information Disclosure from a Web If at some point you find a web page that presents you sensitive in…
Post Exploitation
Post Exploitation Local l00t PEASS-ng : These scripts, apart from looking for PE vectors, will look for sensitive informa…
Investment Terms
Investment Terms Spot This is the most basic way to do some trading. You can indicate the amount of the asset and the pr…
Cookies Policy
Cookies Policy Last updated: 02/04/2023 Introduction This Cookies Policy applies to the following websites owned and ope…