Pentesting | Tricks for penetration testing

I want to pen test rest apis, the use case I have is a client(desktop app with username and password) connecting to a server. So I am confused from where to start and how to configure burp. Usually I use burp to pen test websites, which is quite easier to configure, you only set the proxy and intercept in the browser, but now the use case is different. Furthermore, I did some search on google I noticed postman is mentioned many times, I know it's a tool for building apis, but is it also used in the pentesting with the burp?

Context: Running an exploit vs a vulnerable VM as a part of my OSCP studies. I know this VM is vulnerable to this exploit because I ran the exploit inside MSF(pentesting framework) and it worked, but doing it manually I am having dependency issues.

Setup: I am on kali, latest quarterly release

Exploit: https://github.com/andyacer/ms08_067

Pip versions output

Trying to install dependencies

Keep in mind on kali "python" points to python2.7.18, and python3 points to python3.xwhatever because of backwards compatibility (funny huh) because tons of exploits are written in python2

the script uses #!/usr/bin/env python thus points to python2.7.18

I have already tried various solutions from various SO threads as well as articles on google.

I'm a total newbie in Javascript, so really need your help, guys.

I have a vertical submenu, and I'd like to hide one dropdown item as soon as another one is opened. I've been browsing what feels like for ages today, and I assume I have to use the 'toggle' method somehow, maybe even an onclick function, but so far, I haven't been able to figure out how, and mainly, how to make it work with an already existing Javascript piece of code. The answer must be very simple, and yet... Would be awesome if you could help me.

My code:

HTML (just deleted a few lines to save some space):

I am pentesting an Angular application backed by a .NET 5 app. They run both on localhost. This is my very first experience with OWASP Zed Attack Proxy

I can add http://localhost:4200 to ZAP scope, but ZAP can't seem to find https://localhost:5001 which is the Kestrel backend

• Question: how can I add manually a site to the scope from the HUD?
• Question: is it meaningful to add a REST backend to ZAP scope for active scanning?

The answer to the second may likely be yes as it could be testing for SQL injection tokens at least.

The site tree contains only the following

I'm working on a pentesting challenge in which a corrupt PNG is provided with the eight dimension bytes in the IHDR chunk all set to zero. The CRC checksum and the rest of the file is still intact. I was wondering whether there is a way to recover the image dimensions by somehow reversing the CRC, since as I understand it, the CRC is calculated from the chunk's bytes. If this is not possible, is there some other way to find the dimensions based on the image data? Any help would be much appreciated.

Short disclaimer: As this question includes topics regarding hacking/pentesting, I'd like to state that this question is only asked for educational purposes as part of a school project. To prevent possible abuse, I will only post code that is necessary for understanding the problem.

To demonstrate dangers and vulnerabilities of Windows 10, I'm currently writing a small C++/WinAPI application that utilizes two common techniques:

• A UAC bypass using the "fodhelper technique" (this works by simply setting a specific registry value to the path of the executable which is supposed to be elevated and then launching an automatically elevated Windows executable called "fodhelper.exe", which will then read the registry value and execute it as command/launch the specified application).
• Performing PE injection, i.e. running a PE file from the address space of the current process (based on this example from github). The PE that gets injected in my program is a simple C++ Console Application (x86) that prints a message box. The shellcode is hardcoded in the injector binary (x86).

I managed to perform both of these techniques successfully in independent files. However, once I combine these two methods (i.e. first elevating, then injecting), a weird error appears.

When the injector gets started manually (by double clicking), everything works fine, but when the injector is launched by System32\fodhelper.exe (x64) as a result of the UAC bypass, the following happens: After the injection has finished, the console window of the injected application appears, but instead of continuing the execution, I receive a bunch of error messages stating "The code execution cannot proceed because [garbage characters].dll was not found". This indicates that something went wrong with the offsets, and the Windows loader is trying to read the imports at a wrong position.

To summarize: The code injection works fine, unless the injector was started by fodhelper.exe. In this case the injected PE file is unable to run.

• Debugging the injection using GetLastError and printing the various memory addresses used during the injection. There is no difference if the file is manually started (and the injection is successful) or if it gets started by fodhelper.exe (and the injection fails).
• Replace the WriteProcessMemory calls with WriteFile to compare the output file when the injector gets manually launched or by fodhelper.exe. Both output files are exactly the same and runnable. This indicates that the injection itself is not the problem, but the Windows loader seems to act differently.
• Manually elevating the injector using UAC or by using an elevated command prompt. In both cases, the injection is successful.
• Copying fodhelper.exe to another location (for example to the desktop) and launching this copy. In this case, the injection is successful. The injection only fails if the injector gets started by the original fodhelper.exe in the System32 folder.

It seems that the injection behaves completely identical, but the indicators show that due to some unknown impact of fodhelper.exe that gets passed down to the injector, the Windows loader seems to behave differently.

I appreciate any explanation or assumption! Feel free to ask if you require more information.

(with limited debug info and comments): https://0bin.net/paste/UPRIg12n#6nJvBok72UcDvIa56c-XEss7AibIh1Zrs+c3sUzvQMj

Note: See how the injection works if you exclude the elevateProcess function or manually elevate the exe with UAC, and how it fails when including said function.

According to the answer by user RbMm, this error is a result of a specific exploit protection attribute (PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY with the EnableModuleTamperingProtection value) that gets automatically applied onto fodhelper.exe and seemingly gets inherited by all child processes. According to this, removing/resetting this attribute when launching the target process should fix the error. So far I've tried the following, but couldn't achieve any change in the outcome:

Hello I am trying to make a simple letter brute force for pentesting:

I have to write the "assumptions" part of a pentest report and I am having trouble understanding what I should write. I checked multiple pentest reports (from https://github.com/juliocesarfort/public-pentesting-reports) but none of them had this paragraph.
Also I found this explanation "In case there are some assumptions that the pen-tester considers before or during the test, the assumptions need to be clearly shown in the report. Providing the assumption will help the report audiences to understand why penetration testing followed a specific direction.", but still what I do have in mind it is more suited for "attack narative".
Can you provide me a small example (for one action, situation) so I can see exactly how it should be written?

I have use flask to develop a web app. In the pentesting report, it says, If the download function has a static link, then the download link should be not predictable. So I should change the int in the download link.

html: