GITBOOK-514: change request with no subject merged in GitBook
carlospolop authored and gitbook-bot committed Jan 2, 2024
1 parent 7c3928f commit 82133e9
Showing 96 changed files with 387 additions and 68 deletions.
Binary file modified .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1).png
Binary file modified .gitbook/assets/image (1).png
Binary file added .gitbook/assets/image (10) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (10) (1) (1) (1).png
Binary file modified .gitbook/assets/image (10) (1) (1).png
Binary file modified .gitbook/assets/image (10) (1).png
Binary file modified .gitbook/assets/image (10).png
Binary file added .gitbook/assets/image (129).png
Binary file added .gitbook/assets/image (130).png
Binary file added .gitbook/assets/image (131).png
Binary file modified .gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (2) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (2) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (2) (1) (1) (1).png
Binary file modified .gitbook/assets/image (2) (1) (1).png
Binary file modified .gitbook/assets/image (2) (1).png
Binary file modified .gitbook/assets/image (2).png
Binary file modified .gitbook/assets/image (3) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (3) (1) (1) (1).png
Binary file modified .gitbook/assets/image (3) (1) (1).png
Binary file modified .gitbook/assets/image (3) (1).png
Binary file modified .gitbook/assets/image (3).png
Binary file added .gitbook/assets/image (4) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (4) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (4) (1) (1) (1).png
Binary file modified .gitbook/assets/image (4) (1) (1).png
Binary file modified .gitbook/assets/image (4) (1).png
Binary file modified .gitbook/assets/image (4).png
Binary file added .gitbook/assets/image (5) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (5) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (5) (1) (1) (1).png
Binary file modified .gitbook/assets/image (5) (1) (1).png
Binary file modified .gitbook/assets/image (5) (1).png
Binary file modified .gitbook/assets/image (5).png
Binary file added .gitbook/assets/image (6) (1) (1) (1).png
Binary file modified .gitbook/assets/image (6) (1) (1).png
Binary file modified .gitbook/assets/image (6) (1).png
Binary file modified .gitbook/assets/image (6).png
Binary file added .gitbook/assets/image (7) (1) (1) (2).png
Binary file modified .gitbook/assets/image (7) (1) (1).png
Binary file modified .gitbook/assets/image (7) (1).png
Binary file modified .gitbook/assets/image (7).png
Binary file added .gitbook/assets/image (8) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (8) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (8) (1) (1) (1).png
Binary file modified .gitbook/assets/image (8) (1) (1).png
Binary file modified .gitbook/assets/image (8) (1).png
Binary file modified .gitbook/assets/image (8).png
Binary file added .gitbook/assets/image (9) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (9) (1) (1) (1).png
Binary file modified .gitbook/assets/image (9) (1) (1).png
Binary file modified .gitbook/assets/image (9) (1).png
Binary file modified .gitbook/assets/image (9).png
Binary file modified .gitbook/assets/image.png
2 changes: 2 additions & 0 deletions SUMMARY.md
Expand Up @@ -342,6 +342,8 @@
* [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md)
* [Az - Roadtx - Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md)
* [Az - Persistence](pentesting-cloud/azure-security/az-persistence.md)
* [Az - Conditional Access Policies / MFA Bypass](pentesting-cloud/azure-security/az-conditional-access-policies-mfa-bypass.md)
* [Az - Device Registration](pentesting-cloud/azure-security/az-device-registration.md)
* [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/dynamic-groups.md)
* [Digital Ocean Pentesting](pentesting-cloud/digital-ocean-pentesting/README.md)
* [DO - Basic Information](pentesting-cloud/digital-ocean-pentesting/do-basic-information.md)
2 changes: 1 addition & 1 deletion pentesting-ci-cd/gitea-security/README.md
Expand Up @@ -18,7 +18,7 @@ Other ways to support HackTricks:

**Gitea** is a **self-hosted community managed lightweight code hosting** solution written in Go.

![](<../../.gitbook/assets/image (5) (1) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (5) (1) (1) (1) (1) (1).png>)

### Basic Information

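Review bot: the replaced reference now resolves to `image (5) (1) (1) (1) (1) (1).png`, which this commit adds, while the previously referenced `image (5) (1) (1) (1) (1).png` is modified in the same commit, so the page only keeps its Gitea screenshot if the added file carries the old file's content; open both before merging, since the diff cannot show that. The same one-more-`(1)` shift appears in every image hunk below (the TravisCI reference reaches ten `(1)` suffixes), which is what happens when assets keep GitBook's auto-deduplicated names. Renaming assets descriptively (for example `gitea-teams-access.png`, a suggested name, not one from the repo) would stop a doc edit from touching dozens of binary files and would make reference swaps like this one reviewable.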
2 changes: 1 addition & 1 deletion pentesting-ci-cd/gitea-security/basic-gitea-information.md
Expand Up @@ -46,7 +46,7 @@ When creating a new team, several important settings are selected:
* **Administrator** access
* **Specific** access:

![](<../../.gitbook/assets/image (3) (1) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (3) (1) (1) (1) (1) (1).png>)

### Teams & Users

Expand Up @@ -22,7 +22,7 @@ If an attacker can somehow compromise the Github Action, he will be able to **co

Example of artifact **download from a different repository**:

<figure><img src="../../../.gitbook/assets/image (8) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (8) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

For more info and defence options (such as hardcoding the artifact to download) check [https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust](https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust)

2 changes: 1 addition & 1 deletion pentesting-ci-cd/jenkins-security/README.md
Expand Up @@ -336,7 +336,7 @@ You can list the secrets accessing `/credentials/` if you have enough permission
If you can **see the configuration of each project**, you can also see in there the **names of the credentials (secrets)** being use to access the repository and **other credentials of the project**.
![](<../../.gitbook/assets/image (9) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (9) (1) (1) (1) (1).png>)
#### From Groovy
Expand Up @@ -18,7 +18,7 @@ Other ways to support HackTricks:

In "New Item" (accessible in `/view/all/newJob`) select **Pipeline:**

![](<../../.gitbook/assets/image (10) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (10) (1) (1) (1) (1).png>)

In the **Pipeline section** write the **reverse shell**:

Expand Up @@ -71,7 +71,7 @@ So how can we get it to work? We can **create a new webhook in GitHub**, setting
http://jenkins.example-domain.com/j_acegi_security_check?j_username=admin&j_password=therealpassword&from=%2F&Submit=Sign+in
```

<figure><img src="../../.gitbook/assets/image (7) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (7) (1) (1) (2).png" alt=""><figcaption></figcaption></figure>

We fire the webhook, and see the results. All SCM vendors display the HTTP request and response sent through the webhook in their UI.\
If the login attempt fails, we’re redirected to the login error page.
22 changes: 11 additions & 11 deletions pentesting-ci-cd/okta-security/README.md
Expand Up @@ -64,19 +64,19 @@ getST.py -spn HTTP/clientname.kerberos.okta.com -dc-ip 1.2.3.4 LAB/comprommisedu

With a ticket retrieved for the AD user, we need to inject this on a host we control using Rubeus or Mimikatz:

<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

You’ll need to make sure that `clientname.kerberos.okta.com` is added to the “Intranet” security zone in Internet Options. And then, in our browser, if we hit the below URL, we should find that we receive a JSON response providing an `OK` result when the Kerberos ticket is accepted:

<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

Heading over to the Okta dashboard, if everything is OK, you’ll be signed in.

Moreover, if we are able to compromise the actual Okta service account exposing the delegation SPN, we can perform a Silver Ticket attack.

It should be noted that as Okta only support AES for ticket encryption, we’ll need to ensure we have the AES key or plaintext password to authenticate:

<figure><img src="../../.gitbook/assets/image (2) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (2) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

To craft our ticket for the victim user of `testuser`, we use:

Expand All @@ -88,7 +88,7 @@ ticketer.py -domain-sid S-1-5-21-4170871944-1575468979-147100471 -domain lab.loc

And again, deliver this to Okta via our browser session:

<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

### Hijacking Okta AD Agent

Expand All @@ -104,15 +104,15 @@ C:\Program Files (x86)\Okta\Okta AD Agent

We’re going to take a look at the `OktaAgentService.exe.config`, which contains a few interesting bits of XML:

<figure><img src="../../.gitbook/assets/image (4) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (4) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

The Base64 encoded `AgentToken` is where we set our sights. If we open up `OktaAgentService.exe` in dnSpy, we can see how these values are decrypted:

<figure><img src="../../.gitbook/assets/image (5) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (5) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

That’s right.. good ol’ DPAPI! The `RandomEntropy` value is set to a value of:

<figure><img src="../../.gitbook/assets/image (6) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (6) (1) (1).png" alt=""><figcaption></figcaption></figure>

This means that we can decrypt this Base64 encoded XML value using:

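Review bot: unlike the Gitea hunk, the three swaps in this hunk (`image (4) (1) (1) (1) (1).png`, `image (5) (1) (1) (1).png`, `image (6) (1) (1).png`) all point at files that this same commit lists as modified rather than added, so each screenshot's pixels change under the reference at the same time the reference moves. The surrounding text makes concrete promises about what those images show (the `OktaAgentService.exe.config` XML, the dnSpy decryption routine, the `RandomEntropy` value that the DPAPI snippet in the next hunk depends on); render the page after merge and check that each figure still shows the artefact its sentence describes, because a one-off mismatch in the cascade would leave the DPAPI walkthrough referring to a value the reader can no longer see.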
Expand All @@ -126,7 +126,7 @@ $k = [System.Security.Cryptography.ProtectedData]::Unprotect([System.Convert]::F

The DPAPI master key used belongs to the user account running the “Okta AD Agent” service, so you will need to run the above in the context of the service account, or grab the master key for the account and decrypt:

<figure><img src="../../.gitbook/assets/image (7) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (7) (1) (1).png" alt=""><figcaption></figcaption></figure>

For example, within `OktaAgentService.exe.config` we have two further XML fields, `APPID` and `AGENTID`. Combined with the `AgentToken`, we can make a `GET` request as follows:

Expand Down Expand Up @@ -196,11 +196,11 @@ https://example.okta.com/oauth2/authorize?redirect_uri=%2Foauth-response&respons

This will give you a permission prompt for you to accept:

<figure><img src="../../.gitbook/assets/image (8) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (8) (1) (1).png" alt=""><figcaption></figcaption></figure>

Accepting the presented prompt will give you a redirection to `/oauth-response` along with a `code` parameter:

<figure><img src="../../.gitbook/assets/image (9) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (9) (1) (1).png" alt=""><figcaption></figcaption></figure>

We need to take this `code` parameter and request a API token using the POST request:

Expand Down Expand Up @@ -335,7 +335,7 @@ This server will listen for incoming HTTP requests on `/saml`, so we first need

First, we select the SAML 2.0 IDP:

<figure><img src="../../.gitbook/assets/image (10) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (10) (1) (1).png" alt=""><figcaption></figcaption></figure>

When configuring the IDP, we need to pay attention to a few settings. The first is the `Name`, which is the friendly name to be shown to any other administrators of Okta.

2 changes: 1 addition & 1 deletion pentesting-ci-cd/travisci-security/README.md
Expand Up @@ -44,7 +44,7 @@ It looks like It's not possible to set crons inside the `.travis.yml` according

TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:

![](<../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)

### Dumping Secrets

Expand Up @@ -99,7 +99,7 @@ Travis CI Enterprise is an **on-prem version of Travis CI**, which you can deplo

The amount of deployed TCI Worker and build environment OS images will determine the total concurrent capacity of Travis CI Enterprise deployment in your infrastructure.

![](<../../.gitbook/assets/image (8) (1) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (8) (1) (1) (1) (1) (1).png>)

<details>

Expand Up @@ -102,7 +102,7 @@ An attacker with **elevated permissions in over a CodeBuild could leak the Githu

<figure><img src="../../../../.gitbook/assets/image (91).png" alt=""><figcaption></figcaption></figure>

<figure><img src="../../../../.gitbook/assets/image (10) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../../.gitbook/assets/image (10) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

* Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: \*\*http://\*\*github.com/carlospolop-forks/TestActions
* Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http\_proxy and https\_proxy)
Expand Up @@ -106,7 +106,7 @@ aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**.
{% endhint %}

<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

### Destroy keys

Expand Up @@ -42,7 +42,7 @@ For example, **airflow** could be storing **DAGs** **code** in there, or **web p

The following screenshot shows an example of a file that was targeted for a ransomware attack. As you can see, the account ID that owns the KMS key that was used to encrypt the object (7\*\*\*\*\*\*\*\*\*\*2) is different than the account ID of the account that owns the object (2\*\*\*\*\*\*\*\*\*\*1).

![](<../../../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png>)
![](<../../../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png>)

Here you can [find a ransomware example](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/s3\_ransomware/s3-ransomware-poc.py) that does the following:

Expand Up @@ -62,7 +62,7 @@ Note that ECR requires that users have **permission** to make calls to the **`ec

It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry.

<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

First, you need to give the external account access over the registry with a **registry policy** like:

Expand Up @@ -65,7 +65,7 @@ aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snaps

**Step 3:** Select the instance from the instance text box as shown below.

![](<../../../../.gitbook/assets/image (6) (1) (1).png>)
![](<../../../../.gitbook/assets/image (6) (1) (1) (1).png>)

**Step 4**_:_ Now, login to your ec2 instance and list the available disks using the following command.

Expand Up @@ -248,7 +248,7 @@ It's possible to generate API keys in the API Gateway portal and even set how mu

To make an API key work, you need to add it to a **Usage Plan**, this usage plan mus be added to the **API Stage** and the associated API stage needs to have a configured a **method throttling** to the **endpoint** requiring the API key:

<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

## Unauthenticated Access

Expand Up @@ -119,7 +119,7 @@ AWS Access Advisor relies on last 400 days AWS **CloudTrail logs to gather its i
Therefore, Access Advisor informs about **the unnecessary permissions being given to users** so the admin could remove them
{% endhint %}

<figure><img src="../../../../.gitbook/assets/image (2) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../../.gitbook/assets/image (2) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

## Actions
