CosmosDB, Postgres and MySQL

src/SUMMARY.md

@@ -3,8 +3,8 @@
 # 👽 Welcome!
 
 - [HackTricks Cloud](README.md)
-- [About the Author$$external:https://book.hacktricks.xyz/welcome/about-the-author$$]()
-- [HackTricks Values & faq$$external:https://book.hacktricks.xyz/welcome/hacktricks-values-and-faq$$]()
+- [About the Author$$external:https://book.hacktricks.wiki/en/welcome/about-the-author.html$$]()
+- [HackTricks Values & faq$$external:https://book.hacktricks.wiki/en/welcome/hacktricks-values-and-faq.html$$]()
 
 # 🏭 Pentesting CI/CD
 
@@ -408,12 +408,15 @@
     - [Az - ARM Templates / Deployments](pentesting-cloud/azure-security/az-services/az-arm-templates.md)
     - [Az - Automation Accounts](pentesting-cloud/azure-security/az-services/az-automation-accounts.md)
     - [Az - Azure App Services](pentesting-cloud/azure-security/az-services/az-app-services.md)
+    - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB.md)
     - [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md)
     - [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md)
     - [Az - Function Apps](pentesting-cloud/azure-security/az-services/az-function-apps.md)
     - [Az - Key Vault](pentesting-cloud/azure-security/az-services/az-keyvault.md)
     - [Az - Logic Apps](pentesting-cloud/azure-security/az-services/az-logic-apps.md)
     - [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md)
+    - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql.md)
+    - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql.md)
     - [Az - Queue Storage](pentesting-cloud/azure-security/az-services/az-queue-enum.md)
     - [Az - Service Bus](pentesting-cloud/azure-security/az-services/az-servicebus-enum.md)
     - [Az - SQL](pentesting-cloud/azure-security/az-services/az-sql.md)
@@ -442,9 +445,12 @@
     - [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md)
   - [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md)
     - [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md)
+    - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB-post-exploitation.md)
     - [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md)
     - [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md)
     - [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md)
+    - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql-post-exploitation.md)
+    - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql-post-exploitation.md)
     - [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md)
     - [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md)
     - [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md)
@@ -454,17 +460,20 @@
     - [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md)
     - [Az - App Services Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md)
     - [Az - Automation Accounts Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-automation-accounts-privesc.md)
+    - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB-privesc.md)
     - [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md)
       - [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md)
       - [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md)
     - [Az - Functions App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md)
     - [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md)
+    - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql-privesc.md)
+    - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql-privesc.md)
     - [Az - Queue Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md)
     - [Az - Service Bus Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md)
-    - [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md)
     - [Az - Static Web App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md)
     - [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md)
     - [Az - SQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md)
+    - [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md)
   - [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md)
     - [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md)
     - [Az - VMs Persistence](pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md)
@@ -501,8 +510,8 @@
 
 # 🛫 Pentesting Network Services
 
-- [HackTricks Pentesting Network$$external:https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network$$]()
-- [HackTricks Pentesting Services$$external:https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh$$]()
+- [HackTricks Pentesting Network$$external:https://book.hacktricks.wiki/en/generic-methodologies-and-resources/pentesting-network/index.html$$]()
+- [HackTricks Pentesting Services$$external:https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ssh.html$$]()
 
 
 

src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md

@@ -24,7 +24,7 @@ In each TLD configured in Cloudflare there are some **general settings and servi
 - [ ] Check that **DNSSEC** is **enabled**
 - [ ] Check that **CNAME Flattening** is **used** in **all CNAMEs**
   - This is could be useful to **hide subdomain takeover vulnerabilities** and improve load timings
-- [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing)
+- [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smtp/index.html#mail-spoofing)
 
 ### **Email**
 

src/pentesting-ci-cd/github-security/abusing-github-actions/README.md

@@ -553,7 +553,7 @@ docker pull ghcr.io/<org-name>/<repo_name>:<tag>
 Then, the user could search for **leaked secrets in the Docker image layers:**
 
 {{#ref}}
-https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics
+https://book.hacktricks.wiki/en/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.html
 {{#endref}}
 
 ### Sensitive info in Github Actions logs

src/pentesting-cloud/aws-security/README.md

@@ -37,7 +37,7 @@ From a Red Team point of view, the **first step to compromise an AWS environment
 - **Social** Engineering
 - **Password** reuse (password leaks)
 - Vulnerabilities in AWS-Hosted Applications
-  - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
+  - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint
   - **Local File Read**
     - `/home/USERNAME/.aws/credentials`
     - `C:\Users\USERNAME\.aws\credentials`
@@ -67,7 +67,7 @@ aws-permissions-for-a-pentest.md
 If you found a SSRF in a machine inside AWS check this page for tricks:
 
 {{#ref}}
-https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
+https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html
 {{#endref}}
 
 ### Whoami
@@ -147,7 +147,7 @@ As pentester/red teamer you should always check if you can find **sensitive info
 In this book you should find **information** about how to find **exposed AWS services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in:
 
 {{#ref}}
-https://book.hacktricks.xyz/
+https://book.hacktricks.wiki/
 {{#endref}}
 
 ## Compromising the Organization

src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md

@@ -7,7 +7,7 @@
 For info about SAML please check:
 
 {{#ref}}
-https://book.hacktricks.xyz/pentesting-web/saml-attacks
+https://book.hacktricks.wiki/en/pentesting-web/saml-attacks/index.html
 {{#endref}}
 
 In order to configure an **Identity Federation through SAML** you just need to provide a **name** and the **metadata XML** containing all the SAML configuration (**endpoints**, **certificate** with public key)

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md

@@ -113,7 +113,7 @@ One of the scenarios where this is useful is pivoting from a [Bastion Host](http
 aws ssm start-session --target "$INSTANCE_ID"
 ```
 
-3. Get the Bastion EC2 AWS temporary credentials with the [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#abusing-ssrf-in-aws-ec2-environment) script
+3. Get the Bastion EC2 AWS temporary credentials with the [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#abusing-ssrf-in-aws-ec2-environment) script
 4. Transfer the credentials to your own machine in the `$HOME/.aws/credentials` file as `[bastion-ec2]` profile
 5. Log in to EKS as the Bastion EC2:
 

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md

@@ -51,7 +51,7 @@ aws ecr get-download-url-for-layer \
 After downloading the images you should **check them for sensitive info**:
 
 {{#ref}}
-https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics
+https://book.hacktricks.wiki/en/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.html
 {{#endref}}
 
 ### `ecr:PutLifecyclePolicy` | `ecr:DeleteRepository` | `ecr-public:DeleteRepository` | `ecr:BatchDeleteImage` | `ecr-public:BatchDeleteImage`

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md

@@ -16,7 +16,7 @@ In ECS an **IAM role can be assigned to the task** running inside the container.
 Which means that if you manage to **compromise** an ECS instance you can potentially **obtain the IAM role associated to the ECR and to the EC2 instance**. For more info about how to get those credentials check:
 
 {{#ref}}
-https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
+https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html
 {{#endref}}
 
 > [!CAUTION]

src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md

@@ -194,7 +194,7 @@ aws --profile none-priv lambda update-function-configuration --function-name <fu
 For other scripting languages there are other env variables you can use. For more info check the subsections of scripting languages in:
 
 {{#ref}}
-https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse
+https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html
 {{#endref}}
 
 #### RCE via Lambda Layers

src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md

@@ -26,7 +26,7 @@ aws --region us-east-1 --profile ad docdb describe-db-cluster-snapshot-attribute
 As DocumentDB is a MongoDB compatible database, you can imagine it's also vulnerable to common NoSQL injection attacks:
 
 {{#ref}}
-https://book.hacktricks.xyz/pentesting-web/nosql-injection
+https://book.hacktricks.wiki/en/pentesting-web/nosql-injection.html
 {{#endref}}
 
 ### DocumentDB

src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md

@@ -86,7 +86,7 @@ aws dynamodb describe-endpoints #Dynamodb endpoints
 There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**.
 
 {{#ref}}
-https://book.hacktricks.xyz/pentesting-web/sql-injection
+https://book.hacktricks.wiki/en/pentesting-web/sql-injection/index.html
 {{#endref}}
 
 ### NoSQL Injection
@@ -109,7 +109,7 @@ If you can **change the comparison** performed or add new ones, you could retrie
 ```
 
 {{#ref}}
-https://book.hacktricks.xyz/pentesting-web/nosql-injection
+https://book.hacktricks.wiki/en/pentesting-web/nosql-injection.html
 {{#endref}}
 
 ### Raw Json injection

src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md

@@ -38,7 +38,7 @@ This extra step is the **creation of an** [_**instance profile**_](https://docs.
 AWS EC2 metadata is information about an Amazon Elastic Compute Cloud (EC2) instance that is available to the instance at runtime. This metadata is used to provide information about the instance, such as its instance ID, the availability zone it is running in, the IAM role associated with the instance, and the instance's hostname.
 
 {{#ref}}
-https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
+https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html
 {{#endref}}
 
 ### Enumeration

src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md

@@ -136,7 +136,7 @@ aws rds modify-db-instance --db-instance-identifier <ID> --master-user-password
 There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**.
 
 {{#ref}}
-https://book.hacktricks.xyz/pentesting-web/sql-injection
+https://book.hacktricks.wiki/en/pentesting-web/sql-injection/index.html
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}

src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md

@@ -145,7 +145,7 @@ print(response)
 For more information about CSV Injections check the page:
 
 {{#ref}}
-https://book.hacktricks.xyz/pentesting-web/formula-injection
+https://book.hacktricks.wiki/en/pentesting-web/formula-csv-doc-latex-ghostscript-injection.html
 {{#endref}}
 
 For more information about this specific technique check [https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/](https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/)

src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md

@@ -17,7 +17,7 @@ It's possible to expose the **any port of the virtual machines to the internet**
 #### SSRF
 
 {{#ref}}
-https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
+https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html
 {{#endref}}
 
 ### Public AMIs & EBS Snapshots
@@ -39,7 +39,7 @@ aws ec2 describe-snapshots --restorable-by-user-ids all
 aws ec2 describe-snapshots --restorable-by-user-ids all | jq '.Snapshots[] | select(.OwnerId == "099720109477")'
 ```
 
-If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump) for directions on downloading and looting the snapshot.
+If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/index.html#ebs-snapshot-dump) for directions on downloading and looting the snapshot.
 
 #### Public URL template
 

src/pentesting-cloud/azure-security/README.md

@@ -18,7 +18,7 @@ From a Red Team point of view, the **first step to compromise an Azure environme
 - **Social** Engineering
 - **Password** reuse (password leaks)
 - Vulnerabilities in Azure-Hosted Applications
-  - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
+  - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint
   - **Local File Read**
     - `/home/USERNAME/.azure`
     - `C:\Users\USERNAME\.azure`
@@ -29,7 +29,7 @@ From a Red Team point of view, the **first step to compromise an Azure environme
       Use `Disconnect-AzAccount` to remove them.
 - 3rd parties **breached**
 - **Internal** Employee
-- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or Oauth App)
+- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or Oauth App)
   - [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
 - [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
 
@@ -52,7 +52,7 @@ az-unauthenticated-enum-and-initial-entry/
 If you found a SSRF in a machine inside Azure check this page for tricks:
 
 {{#ref}}
-https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
+https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html
 {{#endref}}
 
 ### Bypass Login Conditions

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md

@@ -9,15 +9,15 @@ Browser **cookies** are a great mechanism to **bypass authentication and MFA**.
 You can see where are **browser cookies located** in:
 
 {{#ref}}
-https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts?q=browse#google-chrome
+https://book.hacktricks.wiki/en/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#google-chrome
 {{#endref}}
 
 ## Attack
 
-The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) the cookies belong to. You can find more information about this in:
+The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html) the cookies belong to. You can find more information about this in:
 
 {{#ref}}
-https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
+https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html
 {{#endref}}
 
 With Mimikatz in hand, I am able to **extract a user’s cookies** even though they are encrypted with this command: