updates

Author: carlospolop

src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md

@@ -204,6 +204,31 @@ If you see an error like the following one:
 It means that the server **didn't receive the correct domain name** inside the Host header.\
 In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.
 
+## Decrypt encrypted configuration and ASP.NET Core Data Protection key rings
+
+Two common patterns to protect secrets on IIS-hosted .NET apps are:
+- ASP.NET Protected Configuration (RsaProtectedConfigurationProvider) for web.config sections like <connectionStrings>.
+- ASP.NET Core Data Protection key ring (persisted locally) used to protect application secrets and cookies.
+
+If you have filesystem or interactive access on the web server, co-located keys often allow decryption.
+
+- ASP.NET (Full Framework) – decrypt protected config sections with aspnet_regiis:
+
+```cmd
+# Decrypt a section by app path (site configured in IIS)
+%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd "connectionStrings" -app "/MyApplication"
+
+# Or specify the physical path (-pef/-pdf write/read to a config file under a dir)
+%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pdf "connectionStrings" "C:\inetpub\wwwroot\MyApplication"
+```
+
+- ASP.NET Core – look for Data Protection key rings stored locally (XML/JSON files) under locations like:
+  - %PROGRAMDATA%\Microsoft\ASP.NET\DataProtection-Keys
+  - HKLM\SOFTWARE\Microsoft\ASP.NET\Core\DataProtection-Keys (registry)
+  - App-managed folder (e.g., App_Data\keys or a Keys directory next to the app)
+
+With the key ring available, an operator running in the app’s identity can instantiate an IDataProtector with the same purposes and unprotect stored secrets. Misconfigurations that store the key ring with the app files make offline decryption trivial once the host is compromised.
+
 ## Old IIS vulnerabilities worth looking for
 
 ### Microsoft IIS tilde character “\~” Vulnerability/Feature – Short File/Folder Name Disclosure

src/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/README.md

@@ -115,6 +115,23 @@ For example `http://127.0.0.1:8000/profiles`:
 
 This is usually needed for exploiting other Laravel RCE CVEs.
 
+### Fingerprinting & exposed dev endpoints
+
+Quick checks to identify a Laravel stack and dangerous dev tooling exposed in production:
+
+- `/_ignition/health-check` → Ignition present (debug tool used by CVE-2021-3129). If reachable unauthenticated, the app may be in debug or misconfigured.
+- `/_debugbar` → Laravel Debugbar assets; often indicates debug mode.
+- `/telescope` → Laravel Telescope (dev monitor). If public, expect broad information disclosure and possible actions.
+- `/horizon` → Queue dashboard; version disclosure and sometimes CSRF-protected actions.
+- `X-Powered-By`, cookies `XSRF-TOKEN` and `laravel_session`, and Blade error pages also help fingerprint.
+
+```bash
+# Nuclei quick probe
+nuclei -nt -u https://target -tags laravel -rl 30
+# Manual spot checks
+for p in _ignition/health-check _debugbar telescope horizon; do curl -sk https://target/$p | head -n1; done
+```
+
 ### .env
 
 Laravel saves the APP it uses to encrypt the cookies and other credentials inside a file called `.env` that can be accessed using some path traversal under: `/../.env`
@@ -205,6 +222,8 @@ Another deserialization: [https://github.com/ambionics/laravel-exploits](https:/
 * [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
 * [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
 * [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
+* [CVE-2024-52301 advisory – Laravel argv env detection](https://github.com/advisories/GHSA-gv7v-rgg6-548h)
+
 
 {{#include ../../banners/hacktricks-training.md}}