From 17b7f4d0da365a35e88f81ab2112775827d06160 Mon Sep 17 00:00:00 2001 From: CPol Date: Thu, 4 Mar 2021 11:40:50 +0000 Subject: [PATCH] GitBook: [master] 6 pages and 3 assets modified --- ...2616e67655f696d672e706e67 (6) (4) (11).png | Bin 0 -> 1502 bytes ...6) (1).png => image (436) (1) (1) (1).png} | Bin README.md | 6 +-- .../linux-privilege-escalation-checklist.md | 2 +- .../android-app-pentesting/README.md | 4 +- pentesting/pentesting-web/api-pentesting.md | 51 +++++++++++++++++- .../active-directory-methodology/README.md | 2 +- .../checklist-windows-privilege-escalation.md | 2 +- 8 files changed, 58 insertions(+), 9 deletions(-) create mode 100644 .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (11).png rename .gitbook/assets/{image (436) (1).png => image (436) (1) (1) (1).png} (100%) 
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (11).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (11).png new file mode 100644 index 0000000000000000000000000000000000000000..4c4968b48f0ebf20a73e46cd07c9315dc629c00c GIT binary patch literal 1502 zcmV<41tI#0P)O}P0RNd|v9YnQudnZ?9RH*M z|B+Y!p8)@kQ~!)n|BO%nn*jfdPXCHc|A|chiA(>8O82_ME`?B|ARvR zf5yUXqm38Abi#$x94+_wSpM&m`*Z*GIHFl|p&O65#5k%QvJu2Y>v!(8I?EcNQZGLg~u( zv^h#zNhUuw>eb0)vL$Kn+gBEP^N0JRA$h;q;whs#8mWb2qi#)Zd^(YIe>y^a`_XhX z1bp3CPTLQ1q7<>mM!huo?Bj`~dwZ`gP(S!{=Lo8#cziqP;&YNE9$6TOQawbVjh&S|SSUIvc>`V@ND4iwhrCk_rd{R$*KSDKnf*tjSm09Qp;n+!g0?1?l!iD*as#*m zFr7LB^JMV=6#Y%WKvZi0sN;YdB-H>h0fd!ib#wOK#gVr6$Edw(IV#l{6_k?7AaNsb`N5=vr;YmR}c{fmsWy|;K$fpN}4G(>rv z42{$o%6Za}h5iAO)k$-YYq97tA)A)DH({exg@A1k5z&s3zQ19N+4OBRM4YJ@&q-2wUkl| zQ7Qq`s?RddD%9J%W7OGKy0Ud`Zq-pzmy_em`J>Y5s zrqQenSPoR1HAcEk|vu zPWtV;;jDV=r|HVWGnr==Fl~~$x^9nEtwc|O>kLv`HJy~|I<2Z#9YLBt7*OANbZ_NE z9&1llYdKZOq+)$8>i)c{+FLnKee&Oe&VX0F z^gXB22=cwBo`^L@No`!x7+I(G+B!8Y*Qgb|HVyWF0T{|tnTG-h82|tP07*qoM6N<$ Ef}*3!D*ylh literal 0 HcmV?d00001 diff --git a/.gitbook/assets/image (436) (1).png b/.gitbook/assets/image (436) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (436) (1).png rename to .gitbook/assets/image (436) (1) (1) (1).png diff --git a/README.md b/README.md index a423cea7276..16e8b28582f 100644 --- a/README.md +++ b/README.md 
@@ -12,9 +12,9 @@ Here you will find the **typical flow** that **you should follow when pentesting **Click in the title to start!** -If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/)[ PEASS & HackTricks telegram group here](https://t.me/peass)**, or** follow me on Twitter ****[**🐦**](https://emojipedia.org/bird/)[@carlospolopm](https://twitter.com/carlospolopm). -**If you want to** share some tricks with the community **you can also submit** pull requests **to** https://github.com/carlospolop/hacktricks that will be reflected in this book. -Don't forget to\*\* give ⭐ on the github to motivate me to continue developing this book. +If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/)[ PEASS & HackTricks telegram group here](https://t.me/peass)**, or** follow me on Twitter **\*\*\[**🐦**\]\(**[https://emojipedia.org/bird/\)\[@carlospolopm\]\(https://twitter.com/carlospolopm](https://emojipedia.org/bird/%29[@carlospolopm]%28https://twitter.com/carlospolopm)**\).** +If you want to **share some tricks with the community** you can also submit **pull requests** to_\*_ [https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks) _that will be reflected in this book. +Don't forget to\_\* give ⭐ on the github to motivate me to continue developing this book. ![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%283%29.png) diff --git a/linux-unix/linux-privilege-escalation-checklist.md b/linux-unix/linux-privilege-escalation-checklist.md index 5867d7ee5ee..9b9a7a36129 100644 --- a/linux-unix/linux-privilege-escalation-checklist.md 
+++ b/linux-unix/linux-privilege-escalation-checklist.md @@ -146,7 +146,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book. -![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%285%29.png) +![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png) ​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\* diff --git a/mobile-apps-pentesting/android-app-pentesting/README.md b/mobile-apps-pentesting/android-app-pentesting/README.md index 38c9d8f435a..d124ebf2c45 100644 --- a/mobile-apps-pentesting/android-app-pentesting/README.md +++ b/mobile-apps-pentesting/android-app-pentesting/README.md @@ -97,7 +97,7 @@ In this case you could try to abuse the functionality creating a web with the fo In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**. -![](../../.gitbook/assets/image%20%28436%29%20%281%29%20%281%29.png) +![](../../.gitbook/assets/image%20%28436%29%20%281%29%20%281%29%20%281%29.png) Learn how to [call deep links without using HTML pages below](./#exploiting-schemes-deep-links). 
@@ -455,7 +455,7 @@ _Note that you can **omit the package name** and the mobile will automatically c In order to find the **code that will be executed in the App**, go to the activity called by the deeplink and search the function **`onNewIntent`**. -![](../../.gitbook/assets/image%20%28436%29%20%281%29.png) +![](../../.gitbook/assets/image%20%28436%29%20%281%29%20%281%29.png) #### Sensitive info diff --git a/pentesting/pentesting-web/api-pentesting.md b/pentesting/pentesting-web/api-pentesting.md index bd52013a7fa..4d8ebf040da 100644 --- a/pentesting/pentesting-web/api-pentesting.md +++ b/pentesting/pentesting-web/api-pentesting.md 
@@ -2,10 +2,59 @@ ## Tricks -#### Play with routes +### Public and private endpoints + +Create a list with the public and private endpoints to know which information should be confidential and try to access it in "unathorized" ways. + +### Patterns + +Search for API patterns inside the api and try to use it to discover more. +If you find _/api/albums/**<album\_id>**/photos/**<photo\_id>**_ ****you could try also things like _/api/**posts**/<post\_id>/**comment**/_. Use some fuzzer to discover this new endpoints. + +### Add parameters + +Something like the following example might get you access to another user’s photo album: +_/api/MyPictureList β†’ /api/MyPictureList?**user\_id=<other\_user\_id>**_ + +### Replace parameters + +You can try to **fuzz parameters** or **use** parameters **you have seen** in a different endpoints to try to access other information + +For example, if you see something like: _/api/albums?**album\_id=<album id>**_ + +You could **replace** the **`album_id`** parameter with something completely different and potentially get other data: _/api/albums?**account\_id=<account id>**_ + +### Parameter pollution + + /api/account?**id=<your account id>** β†’ /api/account?**id=<your account id>&id=<admin's account id>** + +### HTTP requet method change + +You can try to use the HTTP methods: **GET, POST, PUT, DELETE, PATCH, INVENTED** to try check if the web server gives you unexpected information with them. 
+ +### Request content-type + +Try to play between the following content-types \(bodifying acordinly the request body\) to make the web server behave unexpectedly: + +* **x-www-form-urlencoded** --> user=test +* **application/xml** --> <user>test</user> +* **application/json** --> {"user": "test"} + +### Play with routes `/files/..%2f..%2f + victim ID + %2f + victim filename` +### Check possible versions + +Old versions may be still be in use and be more vulenrable than latest endpoints + +* `/api/v1/login` +* `/api/v2/login` +* `/api/CharityEventFeb2020/user/pp/` +* `/api/CharityEventFeb2021/user/pp/` + +## + ## Owasp API Security Top 10 Read this document to learn how to **search** and **exploit** Owasp Top 10 API vulnerabilities: [https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf) diff --git a/windows/active-directory-methodology/README.md b/windows/active-directory-methodology/README.md index 023847c1423..a2da4db1166 100644 --- a/windows/active-directory-methodology/README.md +++ b/windows/active-directory-methodology/README.md @@ -398,7 +398,7 @@ If you don't execute this from a Domain Controller, ATA is going to catch you, s * [Python script to enumerate active directory](https://github.com/ropnop/windapsearch) * [Python script to enumerate active directory](https://github.com/CroweCybersecurity/ad-ldap-enum) -![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png) +![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%2811%29.png) ​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop) 
diff --git a/windows/checklist-windows-privilege-escalation.md b/windows/checklist-windows-privilege-escalation.md index 0cf1ef5faf8..ea454a97069 100644 --- a/windows/checklist-windows-privilege-escalation.md +++ b/windows/checklist-windows-privilege-escalation.md @@ -118,7 +118,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book. -![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%284%29.png) +![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%285%29.png) ​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
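Review bot: the `README.md` hunk (`@@ -12,9 +12,9 @@`) replaces a working pair of links with broken markdown. The new line ends in `**\*\*\[**🐦**\]\(**[https://emojipedia.org/bird/\)\[@carlospolopm\]\(https://twitter.com/carlospolopm](https://emojipedia.org/bird/%29[@carlospolopm]%28https://twitter.com/carlospolopm)**\).**`, which collapses the bird-emoji link and the `@carlospolopm` link into one link whose target URL contains the encoded parentheses `%29` and `%28`, and the next two lines pick up stray `_\*_`, `_` and `to\_\*` markers around the pull-request sentence. This looks like the GitBook editor re-escaping text that was already escaped; restore `[**🐦**](https://emojipedia.org/bird/)[@carlospolopm](https://twitter.com/carlospolopm)` from the removed line, drop the `\*\*` escape from the "Don't forget" sentence entirely instead of turning it into `\_\*`, and keep only the intended text changes.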
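Review bot: the `linux-unix/linux-privilege-escalation-checklist.md` hunk (`@@ -146,7 +146,7 @@`) is pure churn: it swaps the `(6) (4) (5).png` copy of the coffee banner for the `(6) (4) (6).png` copy, which is exactly the file the Active Directory hunk stops using, so nothing breaks but nothing changes visually either. While this file is being touched, the unchanged context line `[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*` carries four escaped asterisks that render literally in the book and should be removed.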
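Review bot: the two `mobile-apps-pentesting/android-app-pentesting/README.md` hunks (`@@ -97,7 +97,7 @@` and `@@ -455,7 +455,7 @@`) sit under the same sentence ("go to the activity called by the deeplink and search the function `onNewIntent`") yet end up pointing at two different assets: `image (436) (1) (1) (1).png`, the file this patch renames, and `image (436) (1) (1).png`. Both are the same `onNewIntent` screenshot, so point both references at the renamed file and delete the other copy; otherwise the `@@ -455` reference depends on the `(1) (1)` duplicate surviving the next GitBook rename.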
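Review bot: the `pentesting/pentesting-web/api-pentesting.md` hunk (`@@ -2,10 +2,59 @@`) adds text with several spelling errors that will ship into the book: `"unathorized"` (unauthorized), `HTTP requet method change` (request) in a heading, `bodifying acordinly` (modifying accordingly), `this new endpoints` (these endpoints), `vulenrable` (vulnerable) and `may be still be in use`. Structurally, the empty `## ` heading inserted just before `## Owasp API Security Top 10` renders as a blank title and should be deleted, `### Play with routes` now has no blank line between the heading and its code span, the `****` run before `you could try also things like` is a stray bold marker, and the arrow in the Add parameters and Parameter pollution lines appears as `β†’`, so check that the file is saved as UTF-8. Finally, Parameter pollution is the only new section that is a bare example with no explanatory sentence; add one in the same style as Replace parameters.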
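Review bot: the `windows/active-directory-methodology/README.md` hunk (`@@ -398,7 +398,7 @@`) is the only consumer of the new 1502-byte `...6f72616e67655f696d672e706e67 (6) (4) (11).png` added by this patch, yet after the patch the same banner is referenced under four differently numbered copies: `(6) (4) (3)` in `README.md`, `(6) (4) (6)` in the Linux checklist, `(6) (4) (5)` in the Windows checklist and `(6) (4) (11)` here, with the Linux and Windows hunks each swapping one duplicate for another without any visible change. Keep a single file under `.gitbook/assets/` and point all four pages at it, so that a content sync stops adding binary assets and rewriting image paths across unrelated pages.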