GITBOOK-551: change request with no subject merged in GitBook
carlospolop authored and gitbook-bot committed Jan 26, 2024
1 parent c00f105 commit 049293b
Showing 45 changed files with 355 additions and 72 deletions.
Binary file modified .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1).png
Binary file modified .gitbook/assets/image (1).png
Binary file added .gitbook/assets/image (145).png
Binary file added .gitbook/assets/image (146).png
Binary file added .gitbook/assets/image (147).png
Binary file added .gitbook/assets/image (148).png
Binary file modified .gitbook/assets/image.png
3 changes: 2 additions & 1 deletion SUMMARY.md
Expand Up @@ -174,7 +174,8 @@
* [GWS - Workspace Pentesting](pentesting-cloud/workspace-security/README.md)
* [GWS - Post Exploitation](pentesting-cloud/workspace-security/gws-post-exploitation.md)
* [GWS - Persistence](pentesting-cloud/workspace-security/gws-persistence.md)
* [GWS - Google Platforms Phishing](pentesting-cloud/workspace-security/gws-google-platforms-phishing.md)
* [GWS - Google Platforms Phishing](pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md)
* [GWS - App Scripts](pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md)
* [AWS Pentesting](pentesting-cloud/aws-security/README.md)
* [AWS - Basic Information](pentesting-cloud/aws-security/aws-basic-information/README.md)
* [AWS - Federation Abuse](pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md)
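Review bot: the new `GWS - App Scripts` entry is rendered here at the same list level as `GWS - Google Platforms Phishing`, yet its path (`gws-google-platforms-phishing/gws-app-scripts.md`) places it inside the directory that now holds the parent README; confirm the line in SUMMARY.md is indented one level deeper so GitBook nests it as a child page instead of a sibling.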
4 changes: 2 additions & 2 deletions pentesting-ci-cd/okta-security/README.md
Expand Up @@ -64,11 +64,11 @@ getST.py -spn HTTP/clientname.kerberos.okta.com -dc-ip 1.2.3.4 LAB/comprommisedu

With a ticket retrieved for the AD user, we need to inject this on a host we control using Rubeus or Mimikatz:

<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

You’ll need to make sure that `clientname.kerberos.okta.com` is added to the “Intranet” security zone in Internet Options. And then, in our browser, if we hit the below URL, we should find that we receive a JSON response providing an `OK` result when the Kerberos ticket is accepted:

<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

Heading over to the Okta dashboard, if everything is OK, you’ll be signed in.

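Review bot: both figures keep `alt=""` although the text depends on them ("if we hit the below URL"); add alt text or a caption naming what each screenshot shows (the ticket injection command and the URL returning the JSON `OK` result) so the procedure survives without the images. The `image (1) (1) … .png` names are GitBook's collision-renamed assets and shift on every re-upload, which is why this single commit has to touch the same reference across a dozen pages; giving the assets descriptive names would stop that churn. The context line also still spells `comprommised` with a doubled m.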
2 changes: 1 addition & 1 deletion pentesting-ci-cd/travisci-security/README.md
Expand Up @@ -44,7 +44,7 @@ It looks like It's not possible to set crons inside the `.travis.yml` according

TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:

![](<../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)

### Dumping Secrets

Expand Up @@ -106,7 +106,7 @@ aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**.
{% endhint %}

<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

### Generic KMS Ransomware

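Review bot: the warning text in the context line stops short at "you won't be able"; it needs an object, e.g. "you won't be able to" or "the request will be denied". Since the hint is the security-relevant claim here (a key policy that grants only an external account cannot be restored by that account), the figure that follows should also get a caption or alt text stating what it demonstrates.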
Expand Up @@ -62,7 +62,7 @@ Note that ECR requires that users have **permission** to make calls to the **`ec

It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry.

<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

First, you need to give the external account access over the registry with a **registry policy** like:

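Review bot: "indicate the external account there you want to replicate the registry" reads awkwardly; "indicate the external account to which you want to replicate the registry" is clearer, and the figure with `alt=""` should say it shows the cross-account replication configuration the sentence refers to.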
Expand Up @@ -277,7 +277,7 @@ It's possible to generate API keys in the API Gateway portal and even set how mu

To make an API key work, you need to add it to a **Usage Plan**, this usage plan mus be added to the **API Stage** and the associated API stage needs to have a configured a **method throttling** to the **endpoint** requiring the API key:

<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

## Unauthenticated Access

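Review bot: the context sentence has two defects worth fixing alongside the image rename: "this usage plan mus be added" should read "must", and "needs to have a configured a method throttling" should read "needs to have method throttling configured"; splitting the comma splice after "Usage Plan" into two sentences would also help, since the three requirements (key in a usage plan, plan attached to the stage, throttling on the endpoint) are easy to miss as written.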
Expand Up @@ -46,7 +46,7 @@ The “upgrade” from normal refresh token to primary refresh token is not poss

If there is a policy that requires MFA to sign in, we can instead use the `interactiveauth` module:

<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

The resulting refresh token (which is cached in the `.roadtools_auth` file) can be used to request a token for the device registration service, where we can create the device:

Expand Up @@ -113,7 +113,7 @@ Tokens were written to .roadtools_auth

There’s also other options you can use to specify other resources or the correct redirect URL for the app you are using:

<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

## Selenium based Azure AD authentication <a href="#selenium-based-azure-a-d-authentication" id="selenium-based-azure-a-d-authentication"></a>

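Review bot: "There's also other options you can use" should be "There are also other options"; and because the figure is the only place the extra resource and redirect-URL flags are listed, it needs alt text or an accompanying text listing so the options remain searchable and readable without the image.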
Expand Up @@ -43,7 +43,7 @@ The database is located in `C:\Program Files\Microsoft Azure AD Sync\Data\ADSync

It's possible to extract the configuration from one of the tables, being one encrypted:

<figure><img src="../../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

The **encrypted configuration** is encrypted with **DPAPI** and it contains the **passwords of the `MSOL_*`** user in on-prem AD and the password of **Sync\_\*** in AzureAD. Therefore, compromising these it's possible to privesc to the AD and to AzureAD.

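Review bot: "being one encrypted" should read "one of which is encrypted", and "compromising these it's possible to privesc" should read "compromising these makes it possible to escalate privileges"; the sentence that the DPAPI-protected configuration holds the `MSOL_*` and `Sync_*` passwords is the key point of this section and deserves the cleaner wording.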
Expand Up @@ -213,7 +213,7 @@ az network vnet subnet list --resource-group <ResourceGroupName> --vnet-name <VN
Microsoft recommends using Private Links in the [**docs**](https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services#compare-private-endpoints-and-service-endpoints):\


<figure><img src="../../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

**Service Endpoints:**

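Review bot: the context line ends with a trailing `\` (GitBook hard line break) followed by two empty lines before the figure; the backslash does nothing there and should be dropped, leaving a single blank line between the sentence and the image.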
Expand Up @@ -70,7 +70,7 @@ Once a connection is generated, you can use it to **link repositories that the G

This option is available through the button:

<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

{% hint style="success" %}
Note that repositories connected with this method are **only available in Triggers using 2nd generation.**
2 changes: 1 addition & 1 deletion pentesting-cloud/gcp-security/gcp-basic-information.md
Expand Up @@ -168,7 +168,7 @@ When an organisation is created several groups are **strongly suggested to be cr
* No expiration
* If people is accessing Workspace through a third party provider, these requirements aren't applied.

<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

<figure><img src="../../.gitbook/assets/image (2) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

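Review bot: the context bullet "If people is accessing Workspace through a third party provider" should read "If users access Workspace through a third-party provider"; and with two captionless figures back to back it is unclear which one illustrates the password requirements and which the exception, so give each a caption.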
Expand Up @@ -60,7 +60,7 @@ Note that the **first time a GCP action is performed in Cloud Shell that require
This is the pop-up from executing `gcloud projects list` from the cloud shell (as attacker) viewed in the browsers user session.
{% endhint %}

<figure><img src="../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

However, if the user has actively used the cloudshell, the pop-up won't appear and you can **gather tokens of the user with**:

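Review bot: "viewed in the browsers user session" should read "viewed in the browser's user session", and the figure that shows the authorization pop-up (the detection opportunity for the victim in this scenario) should carry alt text saying so.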
Expand Up @@ -78,8 +78,8 @@ gcloud services api-keys undelete <key-uid>

Check the following page to learn how to do this, although this action belongs to the service **`clientauthconfig`** [according to the docs](https://cloud.google.com/iap/docs/programmatic-oauth-clients#before-you-begin):

{% content-ref url="../../workspace-security/gws-google-platforms-phishing.md" %}
[gws-google-platforms-phishing.md](../../workspace-security/gws-google-platforms-phishing.md)
{% content-ref url="../../workspace-security/gws-google-platforms-phishing/" %}
[gws-google-platforms-phishing](../../workspace-security/gws-google-platforms-phishing/)
{% endcontent-ref %}

<details>
Expand Up @@ -35,7 +35,7 @@ Key features of Google Cloud SQL include:

In the web console Cloud SQL allows the user to **set** the **password** of the database, there also a generate feature, but most importantly, **MySQL** allows to **leave an empty password and all of them allows to set as password just the char "a":**

<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

It's also possible to configure a password policy requiring **length**, **complexity**, **disabling reuse** and **disabling username in password**. All are disabled by default.

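Review bot: the context sentence needs "there is also a generate feature" and "all of them allow setting just the character "a" as the password"; the weak-password point is the reason this section exists, so the sentence about the password policy (length, complexity, reuse, username-in-password, all disabled by default) could be tied to it directly, e.g. "unless a password policy is configured, which is off by default".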
Expand All @@ -56,7 +56,7 @@ By default a Google-managed encryption key is used, but it's also **possible to
* **Authorized networks**: Indicate public **IP ranges that should be allowed** to connect to the database
* **Private Path**: If the DB is connected in some VPC, it's possible to enable this option and give **other GCP services like BigQuery access over it**

<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

### Data Protection

48 changes: 7 additions & 41 deletions pentesting-cloud/workspace-security/README.md
Expand Up @@ -14,55 +14,20 @@ Other ways to support HackTricks:

</details>

## Google Platforms and OAuth Apps Phishing
## Entry Points

### Google Platforms and OAuth Apps Phishing

Check how you could use different Google platforms such as Drive, Chat, Groups... to send the victim a phishing link and how to perform a Google OAuth Phishing in:

{% content-ref url="gws-google-platforms-phishing.md" %}
[gws-google-platforms-phishing.md](gws-google-platforms-phishing.md)
{% content-ref url="gws-google-platforms-phishing/" %}
[gws-google-platforms-phishing](gws-google-platforms-phishing/)
{% endcontent-ref %}

## Password Spraying
### Password Spraying

In order to test passwords with all the emails you found (or you have generated based in a email name pattern you might have discover) you could use a tool like [**https://github.com/ustayready/CredKing**](https://github.com/ustayready/CredKing) (although it looks unmaintained) which will use AWS lambdas to change IP address.

## App Scripts

Developers can create App Scripts and set them as a standalone project or bound them to Google Docs/Sheets/Slides/Forms. App Scripts is code that will be triggered when a user with editor permission access the doc (and after accepting the OAuth prompt)

However, even if the app isn't verified there are a couple of ways to not show that prompt:

* If the publisher of the app is in the same Workspace as the user accessing it
* If the script is in a drive of the user

### Copy Document Unverified Prompt Bypass

When you create a link to share a document a link similar to this one is created: `https://docs.google.com/spreadsheets/d/1i5[...]aIUD/edit`\
If you **change** the ending **"/edit"** for **"/copy"**, instead of accessing it google will ask you if you want to **generate a copy of the document.**

{% hint style="warning" %}
If someone creates a **copy** of that **document** that **contained the App Script**, he will also be **copying the App Script**, therefore when he **opens** the copied **spreadsheet**, the **regular OAuth prompt** will appear **bypassing the unverified prompt**, because **the user is now the author of the App Script of the copied file**.
{% endhint %}

This method will also be able to bypass the Workspace admin restriction:

But can be prevented with:

### Shared Document Unverified Prompt Bypass

Moreover, if someone **shared** with you a document with **editor access**, you can generate **App Scripts inside the document** and the **OWNER (creator) of the document will be the owner of the App Script**.

{% hint style="warning" %}
This means, that the **creator of the document will appear as creator of any App Script** anyone with editor access creates inside of it.

This also means that the **App Script will be trusted by the Workspace environment** of the creator of the document.
{% endhint %}

{% hint style="danger" %}
This also means that if an **App Script already existed** and people have **granted access**, anyone with **Editor** permission on the doc can **modify it and abuse that access.**\
To abuse this you also need people to trigger the App Script. And one neat trick if to **publish the script as a web app**. When the **people** that already granted **access** to the App Script access the web page, they will **trigger the App Script** (this also works using `<img>` tags.
{% endhint %}

## Post-Exploitation

If you have compromised some credentials or the session of the user you can perform several actions to access potential sensitive information of the user and to try to escala privileges:
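Review bot: the removed App Scripts block contained two lead-in sentences that ended in a colon with nothing after them ("This method will also be able to bypass the Workspace admin restriction:" and "But can be prevented with:"), so the figures they introduced were already missing here; when this content lands in `gws-app-scripts.md`, make sure those images (presumably among the `image (145)`-`image (148)` assets added in this commit) are actually referenced there, otherwise the bypass and its mitigation remain undocumented. In the surviving context line, "escala privileges" should read "escalate privileges".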
Expand Down Expand Up @@ -96,6 +61,7 @@ If you have compromised some credentials or the session of the user check these
* Remove email forwarders
* Remove emails filters
* Remove recovery email/phones
* Removed malicious synced smartphones
* Remove bad Android Apps
* Remove bad account delegations

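Review bot: "Removed malicious synced smartphones" breaks the imperative form of the surrounding checklist items; "Remove malicious synced smartphones" matches "Remove email forwarders", "Remove emails filters" (which itself should be "Remove email filters").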
0 comments on commit 049293b