From 833b5714985905ae05d48c9c57f84f1918b2c2fd Mon Sep 17 00:00:00 2001 
From: Jimmy Date: Fri, 10 Jan 2025 16:34:21 +0100 Subject: [PATCH] Update URLs --- src/SUMMARY.md | 8 ++++---- .../cloudflare-security/cloudflare-domains.md | 2 +- .../github-security/abusing-github-actions/README.md | 2 +- src/pentesting-cloud/aws-security/README.md | 6 +++--- .../aws-basic-information/aws-federation-abuse.md | 2 +- .../aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md | 2 +- .../aws-post-exploitation/aws-ecr-post-exploitation.md | 2 +- .../aws-post-exploitation/aws-ecs-post-exploitation.md | 2 +- .../aws-privilege-escalation/aws-lambda-privesc.md | 2 +- .../aws-security/aws-services/aws-documentdb-enum.md | 2 +- .../aws-security/aws-services/aws-dynamodb-enum.md | 4 ++-- .../aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md | 2 +- .../aws-services/aws-relational-database-rds-enum.md | 2 +- .../aws-cloudtrail-enum.md | 2 +- .../aws-ec2-unauthenticated-enum.md | 4 ++-- src/pentesting-cloud/azure-security/README.md | 6 +++--- .../az-pass-the-cookie.md | 6 +++--- .../azure-ad-connect-hybrid-identity/federation.md | 4 ++-- .../az-lateral-movement-cloud-on-prem/pass-the-prt.md | 2 +- .../azure-security/az-persistence/az-vms-persistence.md | 2 +- .../az-virtual-machines-and-network-privesc.md | 2 +- .../azure-security/az-services/az-function-apps.md | 2 +- .../azure-security/az-services/vms/README.md | 2 +- .../az-unauthenticated-enum-and-initial-entry/README.md | 2 +- src/pentesting-cloud/digital-ocean-pentesting/README.md | 2 +- src/pentesting-cloud/gcp-security/README.md | 6 +++--- .../gcp-persistence/gcp-artifact-registry-persistence.md | 2 +- .../gcp-persistence/gcp-non-svc-persistance.md | 2 +- .../gcp-local-privilege-escalation-ssh-pivoting.md | 2 +- .../gcp-compute-instances-enum/gcp-compute-instance.md | 2 +- .../gcp-cloud-sql-unauthenticated-enum.md | 2 +- .../gcp-compute-unauthenticated-enum.md | 2 +- src/pentesting-cloud/ibm-cloud-pentesting/README.md | 2 +- .../attacking-kubernetes-from-inside-a-pod.md | 4 ++-- 
.../gws-google-platforms-phishing/README.md | 4 ++-- 35 files changed, 51 insertions(+), 51 deletions(-) diff --git a/src/SUMMARY.md b/src/SUMMARY.md index e38960b3a..98c93db10 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -3,8 +3,8 @@ # 👽 Welcome! - [HackTricks Cloud](README.md) -- [About the Author$$external:https://book.hacktricks.xyz/welcome/about-the-author$$]() -- [HackTricks Values & faq$$external:https://book.hacktricks.xyz/welcome/hacktricks-values-and-faq$$]() +- [About the Author$$external:https://book.hacktricks.wiki/en/welcome/about-the-author.html$$]() +- [HackTricks Values & faq$$external:https://book.hacktricks.wiki/en/welcome/hacktricks-values-and-faq.html$$]() # 🏭 Pentesting CI/CD @@ -510,8 +510,8 @@ # 🛫 Pentesting Network Services -- [HackTricks Pentesting Network$$external:https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network$$]() -- [HackTricks Pentesting Services$$external:https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh$$]() +- [HackTricks Pentesting Network$$external:https://book.hacktricks.wiki/en/generic-methodologies-and-resources/pentesting-network/index.html$$]() +- [HackTricks Pentesting Services$$external:https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ssh.html$$]() diff --git a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md index d11fb1b19..a62d62e26 100644 --- a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md +++ b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md 
@@ -24,7 +24,7 @@ In each TLD configured in Cloudflare there are some **general settings and servi - [ ] Check that **DNSSEC** is **enabled** - [ ] Check that **CNAME Flattening** is **used** in **all CNAMEs** - This is could be useful to **hide subdomain takeover vulnerabilities** and improve load timings -- [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing) +- [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smtp/index.html#mail-spoofing) ### **Email** diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md index b9b7a2152..80e01d81b 100644 --- a/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md +++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md @@ -553,7 +553,7 @@ docker pull ghcr.io//: Then, the user could search for **leaked secrets in the Docker image layers:** {{#ref}} -https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics +https://book.hacktricks.wiki/en/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.html {{#endref}} ### Sensitive info in Github Actions logs diff --git a/src/pentesting-cloud/aws-security/README.md b/src/pentesting-cloud/aws-security/README.md index 2b5321f9f..989e3df9b 100644 --- a/src/pentesting-cloud/aws-security/README.md +++ b/src/pentesting-cloud/aws-security/README.md 
@@ -37,7 +37,7 @@ From a Red Team point of view, the **first step to compromise an AWS environment - **Social** Engineering - **Password** reuse (password leaks) - Vulnerabilities in AWS-Hosted Applications - - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint + - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint - **Local File Read** - `/home/USERNAME/.aws/credentials` - `C:\Users\USERNAME\.aws\credentials` @@ -67,7 +67,7 @@ aws-permissions-for-a-pentest.md If you found a SSRF in a machine inside AWS check this page for tricks: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html {{#endref}} ### Whoami @@ -147,7 +147,7 @@ As pentester/red teamer you should always check if you can find **sensitive info In this book you should find **information** about how to find **exposed AWS services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in: {{#ref}} -https://book.hacktricks.xyz/ +https://book.hacktricks.wiki/ {{#endref}} ## Compromising the Organization diff --git a/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md index 73ae6b448..2b246f5f0 100644 --- a/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md +++ b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md 
@@ -7,7 +7,7 @@ For info about SAML please check: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/saml-attacks +https://book.hacktricks.wiki/en/pentesting-web/saml-attacks/index.html {{#endref}} In order to configure an **Identity Federation through SAML** you just need to provide a **name** and the **metadata XML** containing all the SAML configuration (**endpoints**, **certificate** with public key) diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md index 9ae6a0a4f..bfd300c70 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md @@ -113,7 +113,7 @@ One of the scenarios where this is useful is pivoting from a [Bastion Host](http aws ssm start-session --target "$INSTANCE_ID" ``` -3. Get the Bastion EC2 AWS temporary credentials with the [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#abusing-ssrf-in-aws-ec2-environment) script +3. Get the Bastion EC2 AWS temporary credentials with the [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#abusing-ssrf-in-aws-ec2-environment) script 4. Transfer the credentials to your own machine in the `$HOME/.aws/credentials` file as `[bastion-ec2]` profile 5. Log in to EKS as the Bastion EC2: diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md index a971ea769..04d0f8834 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md 
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md @@ -51,7 +51,7 @@ aws ecr get-download-url-for-layer \ After downloading the images you should **check them for sensitive info**: {{#ref}} -https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics +https://book.hacktricks.wiki/en/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.html {{#endref}} ### `ecr:PutLifecyclePolicy` | `ecr:DeleteRepository` | `ecr-public:DeleteRepository` | `ecr:BatchDeleteImage` | `ecr-public:BatchDeleteImage` diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md index 1d2fd80a5..f099d6708 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md @@ -16,7 +16,7 @@ In ECS an **IAM role can be assigned to the task** running inside the container. Which means that if you manage to **compromise** an ECS instance you can potentially **obtain the IAM role associated to the ECR and to the EC2 instance**. For more info about how to get those credentials check: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html {{#endref}} > [!CAUTION] diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md index 8fcba3182..e0c5ce1dc 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md 
@@ -194,7 +194,7 @@ aws --profile none-priv lambda update-function-configuration --function-name --master-user-password There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**. {{#ref}} -https://book.hacktricks.xyz/pentesting-web/sql-injection +https://book.hacktricks.wiki/en/pentesting-web/sql-injection/index.html {{#endref}} {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md index 780f52f6e..0f666a620 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md @@ -145,7 +145,7 @@ print(response) For more information about CSV Injections check the page: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/formula-injection +https://book.hacktricks.wiki/en/pentesting-web/formula-csv-doc-latex-ghostscript-injection.html {{#endref}} For more information about this specific technique check [https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/](https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/) diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md index 657bf7f3a..33843df5f 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md 
@@ -17,7 +17,7 @@ It's possible to expose the **any port of the virtual machines to the internet** #### SSRF {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html {{#endref}} ### Public AMIs & EBS Snapshots @@ -39,7 +39,7 @@ aws ec2 describe-snapshots --restorable-by-user-ids all aws ec2 describe-snapshots --restorable-by-user-ids all | jq '.Snapshots[] | select(.OwnerId == "099720109477")' ``` -If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump) for directions on downloading and looting the snapshot. +If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/index.html#ebs-snapshot-dump) for directions on downloading and looting the snapshot. #### Public URL template diff --git a/src/pentesting-cloud/azure-security/README.md b/src/pentesting-cloud/azure-security/README.md index fc7b3fd91..1767f09b0 100644 --- a/src/pentesting-cloud/azure-security/README.md +++ b/src/pentesting-cloud/azure-security/README.md 
@@ -18,7 +18,7 @@ From a Red Team point of view, the **first step to compromise an Azure environme - **Social** Engineering - **Password** reuse (password leaks) - Vulnerabilities in Azure-Hosted Applications - - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint + - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint - **Local File Read** - `/home/USERNAME/.azure` - `C:\Users\USERNAME\.azure` @@ -29,7 +29,7 @@ From a Red Team point of view, the **first step to compromise an Azure environme Use `Disconnect-AzAccount` to remove them. - 3rd parties **breached** - **Internal** Employee -- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or Oauth App) +- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or Oauth App) - [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) - [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) @@ -52,7 +52,7 @@ az-unauthenticated-enum-and-initial-entry/ If you found a SSRF in a machine inside Azure check this page for tricks: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html {{#endref}} ### Bypass Login Conditions diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md index 4b4242d47..194e997ef 100644 
--- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md @@ -9,15 +9,15 @@ Browser **cookies** are a great mechanism to **bypass authentication and MFA**. You can see where are **browser cookies located** in: {{#ref}} -https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts?q=browse#google-chrome +https://book.hacktricks.wiki/en/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#google-chrome {{#endref}} ## Attack -The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) the cookies belong to. You can find more information about this in: +The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html) the cookies belong to. You can find more information about this in: {{#ref}} -https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords +https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html {{#endref}} With Mimikatz in hand, I am able to **extract a user’s cookies** even though they are encrypted with this command: 
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md index 95a3ceff1..446a0dddb 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md @@ -32,7 +32,7 @@ In any federation setup there are three parties: **If you want to learn more about SAML authentication and common attacks go to:** {{#ref}} -https://book.hacktricks.xyz/pentesting-web/saml-attacks +https://book.hacktricks.wiki/en/pentesting-web/saml-attacks/index.html {{#endref}} ## Pivoting 
@@ -56,7 +56,7 @@ https://book.hacktricks.xyz/pentesting-web/saml-attacks The process where an **Identity Provider (IdP)** produces a **SAMLResponse** to authorize user sign-in is paramount. Depending on the IdP's specific implementation, the **response** might be **signed** or **encrypted** using the **IdP's private key**. This procedure enables the **Service Provider (SP)** to confirm the authenticity of the SAMLResponse, ensuring it was indeed issued by a trusted IdP. -A parallel can be drawn with the [golden ticket attack](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket), where the key authenticating the user’s identity and permissions (KRBTGT for golden tickets, token-signing private key for golden SAML) can be manipulated to **forge an authentication object** (TGT or SAMLResponse). This allows impersonation of any user, granting unauthorized access to the SP. +A parallel can be drawn with the [golden ticket attack](https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/index.html#golden-ticket), where the key authenticating the user’s identity and permissions (KRBTGT for golden tickets, token-signing private key for golden SAML) can be manipulated to **forge an authentication object** (TGT or SAMLResponse). This allows impersonation of any user, granting unauthorized access to the SP. Golden SAMLs offer certain advantages: diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md index 70d00d749..1440fb485 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md 
@@ -173,7 +173,7 @@ Then go to [https://portal.azure.com](https://portal.azure.com) #### Steps 1. The **PRT (Primary Refresh Token) is extracted from LSASS** (Local Security Authority Subsystem Service) and stored for subsequent use. -2. The **Session Key is extracted next**. Given that this key is initially issued and then re-encrypted by the local device, it necessitates decryption using a DPAPI masterkey. Detailed information about DPAPI (Data Protection API) can be found in these resources: [HackTricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) and for an understanding of its application, refer to [Pass-the-cookie attack](az-pass-the-cookie.md). +2. The **Session Key is extracted next**. Given that this key is initially issued and then re-encrypted by the local device, it necessitates decryption using a DPAPI masterkey. Detailed information about DPAPI (Data Protection API) can be found in these resources: [HackTricks](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html) and for an understanding of its application, refer to [Pass-the-cookie attack](az-pass-the-cookie.md). 3. Post decryption of the Session Key, the **derived key and context for the PRT are obtained**. These are crucial for the **creation of the PRT cookie**. Specifically, the derived key is employed for signing the JWT (JSON Web Token) that constitutes the cookie. A comprehensive explanation of this process has been provided by Dirk-jan, accessible [here](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/). > [!CAUTION] diff --git a/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md b/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md index cd1a0c3f3..795fcfaf5 100644 --- a/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md 
+++ b/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md @@ -19,7 +19,7 @@ An attacker identifies applications, extensions or images being frequently used An attacker could get access to the instances and backdoor them: - Using a traditional **rootkit** for example -- Adding a new **public SSH key** (check [EC2 privesc options](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc)) +- Adding a new **public SSH key** (check [EC2 privesc options](https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.html)) - Backdooring the **User Data** {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md index c89d074e3..2152ca10c 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md @@ -372,7 +372,7 @@ az vm identity assign \ Then the attacker needs to have **compromised somehow the VM** to steal tokens from the assigned managed identities. Check **more info in**: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm {{#endref}} ### TODO: Microsoft.Compute/virtualMachines/WACloginAsAdmin/action diff --git a/src/pentesting-cloud/azure-security/az-services/az-function-apps.md b/src/pentesting-cloud/azure-security/az-services/az-function-apps.md index b36ea065b..1c37462ef 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-function-apps.md +++ b/src/pentesting-cloud/azure-security/az-services/az-function-apps.md 
@@ -67,7 +67,7 @@ The **system assigned** one will be a managed identity that **only the function* It's possible to use the [**PEASS scripts**](https://github.com/peass-ng/PEASS-ng) to get tokens from the default managed identity from the metadata endpoint. Or you could get them **manually** as explained in: -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" %} +{% embed url="https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm" %} Note that you need to find out a way to **check all the Managed Identities a function has attached** as if you don't indicate it, the metadata endpoint will **only use the default one** (check the previous link for more info). diff --git a/src/pentesting-cloud/azure-security/az-services/vms/README.md b/src/pentesting-cloud/azure-security/az-services/vms/README.md index d1d3f229e..201de3b37 100644 --- a/src/pentesting-cloud/azure-security/az-services/vms/README.md +++ b/src/pentesting-cloud/azure-security/az-services/vms/README.md @@ -208,7 +208,7 @@ Moreover, to contact the metadata endpoint, the HTTP request must have the heade Check how to enumerate it in: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm {{#endref}} ## VM Enumeration diff --git a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md index 073730cf1..ffb6fcedc 100644 --- a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md +++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md 
@@ -231,7 +231,7 @@ Use [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-ex ### Phishing -- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or OAuth App -[Illicit Consent Grant Attack](az-oauth-apps-phishing.md)-) +- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or OAuth App -[Illicit Consent Grant Attack](az-oauth-apps-phishing.md)-) - [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md) ### Password Spraying / Brute-Force diff --git a/src/pentesting-cloud/digital-ocean-pentesting/README.md b/src/pentesting-cloud/digital-ocean-pentesting/README.md index ec0ec1988..0089bc626 100644 --- a/src/pentesting-cloud/digital-ocean-pentesting/README.md +++ b/src/pentesting-cloud/digital-ocean-pentesting/README.md @@ -17,7 +17,7 @@ do-basic-information.md ### SSRF {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html {{#endref}} ### Projects diff --git a/src/pentesting-cloud/gcp-security/README.md b/src/pentesting-cloud/gcp-security/README.md index e242a8d4b..d08e4bd0c 100644 --- a/src/pentesting-cloud/gcp-security/README.md +++ b/src/pentesting-cloud/gcp-security/README.md 
@@ -29,7 +29,7 @@ From a Red Team point of view, the **first step to compromise a GCP environment* - **Social** Engineering (Check the page [**Workspace Security**](../workspace-security/index.html)) - **Password** reuse (password leaks) - Vulnerabilities in GCP-Hosted Applications - - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint + - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint - **Local File Read** - `/home/USERNAME/.config/gcloud/*` - `C:\Users\USERNAME\.config\gcloud\*` @@ -58,7 +58,7 @@ gcp-permissions-for-a-pentest.md For more information about how to **enumerate GCP metadata** check the following hacktricks page: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440 +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html {{#endref}} ### Whoami @@ -149,7 +149,7 @@ As pentester/red teamer you should always check if you can find **sensitive info In this book you should find **information** about how to find **exposed GCP services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in: {{#ref}} -https://book.hacktricks.xyz/ +https://book.hacktricks.wiki/ {{#endref}} ## GCP <--> Workspace Pivoting diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md index 592e3449d..6596b66c3 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md 
@@ -36,7 +36,7 @@ For persistence these are the steps you need to follow: For more information about dependency confusion check: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/dependency-confusion +https://book.hacktricks.wiki/en/pentesting-web/dependency-confusion.html {{#endref}} {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md index 11141d543..3bcff09c0 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md @@ -13,7 +13,7 @@ sqlite3 $HOME/.config/gcloud/access_tokens.db "select access_token from access_t Check in this page how to **directly use this token using gcloud**: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#id-6440-1 +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#gcp {{#endref}} To get the details to **generate a new access token** run: diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md index 5583b3f9e..c58d8d0da 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md @@ -27,7 +27,7 @@ Moreover, it's possible to add **userdata**, which is a script that will be **ex For more info check: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html {{#endref}} ## **Abusing IAM permissions** 
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md index e02371007..3b0309cc1 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md @@ -91,7 +91,7 @@ curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?re Moreover, **auth token for the attached service account** and **general info** about the instance, network and project is also going to be available from the **metadata endpoint**. For more info check: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440 +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#gcp {{#endref}} ### Encryption diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md index 6cd2f8bfc..3103c847e 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md @@ -17,7 +17,7 @@ If you have **access to a Cloud SQL port** because all internet is permitted or Check this page for **different tools to burte-force** different database technologies: {{#ref}} -https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force +https://book.hacktricks.wiki/en/generic-hacking/brute-force.html {{#endref}} Remember that with some privileges it's possible to **list all the database users** via GCP API. 
diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md index a5fbc8503..4ca37c109 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md @@ -15,7 +15,7 @@ For more information about Compute and VPC (Networking) check: If a web is **vulnerable to SSRF** and it's possible to **add the metadata header**, an attacker could abuse it to access the SA OAuth token from the metadata endpoint. For more info about SSRF check: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/index.html {{#endref}} ### Vulnerable exposed services diff --git a/src/pentesting-cloud/ibm-cloud-pentesting/README.md b/src/pentesting-cloud/ibm-cloud-pentesting/README.md index cdfb9d688..38f5c3c68 100644 --- a/src/pentesting-cloud/ibm-cloud-pentesting/README.md +++ b/src/pentesting-cloud/ibm-cloud-pentesting/README.md @@ -28,7 +28,7 @@ ibm-basic-information.md Learn how you can access the medata endpoint of IBM in the following page: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#2af0 +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#ibm-cloud {{#endref}} ## References diff --git a/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md b/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md index 77848086d..6a96dd2da 100644 --- a/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md 
+++ b/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md @@ -13,13 +13,13 @@ In order to try to escape from the pods you might need to **escalate privileges** first, some techniques to do it: {{#ref}} -https://book.hacktricks.xyz/linux-hardening/privilege-escalation +https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html {{#endref}} You can check this **docker breakouts to try to escape** from a pod you have compromised: {{#ref}} -https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout +https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html {{#endref}} ### Abusing Kubernetes Privileges diff --git a/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md b/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md index 37de98684..b190a3685 100644 --- a/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md +++ b/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md @@ -5,7 +5,7 @@ ## Generic Phishing Methodology {{#ref}} -https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology +https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html {{#endref}} ## Google Groups Phishing @@ -59,7 +59,7 @@ The with some code like the following an attacker could make the script load arb ```javascript function doGet() { return HtmlService.createHtmlOutput( - '' + '' ).setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL) } ```
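Review bot: in gcp-non-svc-persistance.md the fragment changes from `#id-6440-1` to `#gcp`, while gcp-compute-instance.md maps a different old fragment, `#6440`, to the same `#gcp`. The sentence above the link promises a page on how to directly use this token using gcloud, so please confirm that `#gcp` still lands on that specific part of cloud-ssrf.html. If the new site exposes a more precise heading anchor for it, link that one instead of the section top.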
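Review bot: in gcp-cloud-sql-unauthenticated-enum.md the path changes along with the host: `generic-methodologies-and-resources/brute-force` becomes `generic-hacking/brute-force.html`, yet the phishing-methodology link in gws-google-platforms-phishing/README.md keeps the `generic-methodologies-and-resources` segment. Please confirm both targets resolve on the new site and note the directory rename in the commit message, since "Update URLs" does not say that paths moved. The context line just above this link still reads "burte-force", which could be corrected in the same pass.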
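Review bot: in attacking-kubernetes-from-inside-a-pod.md the docker-breakout link moves from `linux-hardening/privilege-escalation/docker-breakout` to a much deeper path ending in `docker-security/docker-breakout-privilege-escalation/index.html`, and across the patch some targets get `/index.html` while others get a bare `.html`. That mapping is easy to get wrong by hand and nothing in the patch shows it was verified. Please run a link check over every `{{#ref}}` URL touched here, and consider adding one to CI so the next site restructure does not leave these references dead without anyone noticing.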
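Review bot: the second hunk in gws-google-platforms-phishing/README.md (`@@ -59,7 +59,7 @@`) edits the string literal passed to `HtmlService.createHtmlOutput(` inside the `doGet()` sample, which is example code rather than a `{{#ref}}` link, and the removed and added lines both display as `''` here, so the actual change cannot be reviewed. Please state the old and new value in the commit message, or move this edit into its own commit, so that a code-sample change is not hidden inside a bulk URL update.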