HackTricks Without Ads
Emails Vulnerabilities