From e7dae2fa77b3503881a517a16aa6d99a9db53f1d Mon Sep 17 00:00:00 2001 From: whx Date: Tue, 10 May 2022 00:08:57 +0200 Subject: [PATCH] binary stuff --- enumeration/docs/kubectl.md | 13 ++++- .../binaries/format_string/format_string.md | 50 +++++++++++++++++++ exploit/binaries/plt_got.md | 32 ++++++++++++ misc/sandbox_evasion.md | 42 ++++++++++++++++ 4 files changed, 136 insertions(+), 1 deletion(-) create mode 100644 exploit/binaries/plt_got.md create mode 100644 misc/sandbox_evasion.md diff --git a/enumeration/docs/kubectl.md b/enumeration/docs/kubectl.md index 2210db8..1ccf8f3 100644 --- a/enumeration/docs/kubectl.md +++ b/enumeration/docs/kubectl.md @@ -1,7 +1,8 @@ # Kubectl +* Get pods, `-A` for all namespaces ```sh -kubectl get pods +kubectl get pods -A ``` * Check mounted secret ```sh @@ -16,6 +17,7 @@ kubectl get jobs * Intel about a secret, and output ```sh kubectl describe secrets +kubectl get secret -o json kubectl describe secrets -o 'json' ``` ## Abuse Token @@ -33,5 +35,14 @@ kubectl exec -it --token=$TOKEN -- /bin/sh * If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file ```sh kubectl apply -f pod.yml --token=$TOKEN +``` +* Start Pod +```sh kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash ``` + +## Start Pods + +```sh +kubectl exec -it -n -- /bin/bash +``` diff --git a/exploit/binaries/format_string/format_string.md b/exploit/binaries/format_string/format_string.md index 888a934..24bf677 100644 --- a/exploit/binaries/format_string/format_string.md +++ b/exploit/binaries/format_string/format_string.md @@ -1,6 +1,7 @@ # Format String * Read and write values from stack +* [axcheron's writeup](https://axcheron.github.io/exploit-101-format-strings/) ## Read 
@@ -8,11 +9,21 @@ ```sh %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x ``` + +* Do long long hex reading from stack +```sh +%llx +``` + * Select values as string, e.g. the second value ```sh %2$s ``` * Another way of reading is via `%p` +* Read pointer on stack at offset 42 +```sh +%42$p +``` * [ir0stone's pwn-notes](https://github.com/ir0nstone/pwn-notes/blob/master/types/stack/format-string.md) contains some useful pwntool scripts like this one ```python @@ -27,3 +38,42 @@ payload += p32(0x8048000) p.sendline(payload) log.info(p.clean()) ``` + +## Offset + +* Read at offset as pointer value at the 42th argument on the stack +```sh +%42$s +``` +* If the pointer at the offset references a string you can dereference by +```sh +%42$s +``` + +## Length of output + +* Padding of the first argument on stack to the given length +```sh +%31337x +``` + +## Parameters + +|Parameters |Type |Passed as +|-----------------|-------------------------------------------|-----------| +%d decimal (int) value +%u unsigned decimal (unsigned int) value +%x hexadecimal (unsigned int) value +%p hexadecimal (unsigned int), nice layout value +%s string ((const) (unsigned) char*) reference +%n write the number of bytes ypu put in, (*int) reference + + +## Tips and Tricks + +* Overwrite GOT when there is no FullRELRO, when it is not read only +* Find the input argument on the stack. Write `AAAA` and look out where it is placed on the stack +```sh +AAAA%6$p +``` + diff --git a/exploit/binaries/plt_got.md b/exploit/binaries/plt_got.md new file mode 100644 index 0000000..ada5f2d --- /dev/null +++ b/exploit/binaries/plt_got.md 
@@ -0,0 +1,32 @@ +# Procedure Lookup Table, Global Offset Table + +* Both are part of dynamic binaries +* PLT resolves called function address of shared object +* A function call inside the binary, to a function inside a shared object is done via PLT +* __PLT__ contains dynamic address, references GOT +* __GOT__ contains the absolute address of the called functions. Dynamic linker updates the GOT +* __Lazy Linking__ is the process of loading the called SO function after they are called for the first time + + +## pwn + +* Overwrite the GOT address of a called functions, which then will be returned instead + +* Check the disassembly of the binary for SO function call +```sh +x/s +x/3i +``` +* This is the PLT address +* Check the GOT address of the PLT. There should be `PTR` via `jmp` to the GOT address of the function + +* Rewrite this address with for example `system`. Take a look where it is placed +```sh +p system +``` +* Set the address of the `jmp` to GOT to `system` address +```sh +set *= +``` + +* Fill the buffer with the argument to `system` diff --git a/misc/sandbox_evasion.md b/misc/sandbox_evasion.md new file mode 100644 index 0000000..cc43880 --- /dev/null +++ b/misc/sandbox_evasion.md @@ -0,0 +1,42 @@ +# Sandbox Evasion + +* Evade the usual checks that will be run on you malware + +## Sleeping + +* [checkpoint](https://evasions.checkpoint.com/techniques/timing.html) +* [joesecurity](https://www.joesecurity.org/blog/660946897093663167) + +## Geolocation + +* Check the IP of the machine +* Check the block of the ISP via +```sh +https://rdap.arin.net/registry/ip/ +``` + +## System Info + +* Check system info like +```sh +hostname +user +serial number +software versions +hardware specs +product keys +``` + +## Network Info + +* Check all available network info like +```sh +interfaces +traffic +groups +domain admins +enterprise admins +dns +``` + +
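Review bot: in the kubectl.md secrets hunk, the new `kubectl get secret -o json` line makes the retained `kubectl describe secrets -o 'json'` line redundant, and that line is also wrong, since `kubectl describe` has no `-o` output flag; drop it and keep `kubectl get secret -o json`, adding `-A` or `-n <namespace>` so it matches the `get pods -A` bullet introduced in the first hunk.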
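Review bot: in the last kubectl.md hunk, the new `* Start Pod` bullet sits above `kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash`, but that command attaches a shell to a pod that is already running; the pod is started by the `kubectl apply -f pod.yml --token=$TOKEN` line just above, so the bullet should say something like `* Shell into the started pod`. The new `## Start Pods` section has the same naming problem, and its command `kubectl exec -it -n -- /bin/bash` is incomplete: `-n` needs a namespace and the pod name must come before `--`, as in `kubectl exec -it -n <namespace> <pod> -- /bin/bash`.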
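Review bot: in the second format_string.md hunk, `%llx` consumes an 8-byte argument while the surrounding `%x` examples consume 4-byte ones, so say which target width each applies to; on x86-64 `%p` (used later as `%42$p`) already prints the full pointer and avoids the mismatch. Also worth a line next to `%2$s`: `%s` dereferences the argument as a pointer and crashes the target when it is not a valid address, whereas `%2$p` only prints the value.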
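Review bot: in the Offset section of the last format_string.md hunk, both code blocks show `%42$s`, but the first bullet ("Read at offset as pointer value") should be `%42$p`; `%42$s` is the dereferencing form the second bullet describes ("42th" should be "42nd"). The Parameters table rows lack the `|` separators the header row uses, so it will not render as a table; in addition `%p` takes a `void*`, not an `unsigned int`, and `%n` writes the number of bytes output so far into an `int*` ("ypu" is a typo). In Tips and Tricks, `AAAA%6$p` hardcodes offset 6; the offset is found by trying `AAAA%1$p`, `AAAA%2$p`, ... until `0x41414141` shows up, and on 64-bit the marker should be eight bytes (`AAAAAAAA`, appearing as `0x4141414141414141`) so it fills a whole stack slot. Under Length of output, `%31337x` pads whichever argument it consumes, not specifically "the first argument", and the section should state that this padding is what sets the count later written by `%n`.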
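Review bot: in plt_got.md, the heading says "Procedure Lookup Table" but PLT stands for Procedure Linkage Table, and "Lazy Linking" is normally called lazy binding. The pwn bullet "which then will be returned instead" is garbled; it should say that the function whose address you write into the GOT entry (for example `system`) is called in place of the original. The gdb commands are incomplete: `x/s` and `x/3i` need an address (`x/3i <plt_address>`), `p system` only resolves once libc is mapped, i.e. after the process has been started, and `set *= ` is missing both sides and a type, since gdb rejects `set *0x... = ...` on a bare address; use `set {long}<got_address> = <system_address>` or `set *(long*)<got_address> = <system_address>`. Also state the precondition that the GOT must be writable (no Full RELRO), which this file does not mention even though the format string file does.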
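Review bot: in sandbox_evasion.md, "you malware" should be "your malware". The Sleeping section consists of two links and no description of the technique; a line saying that the sample delays execution past the sandbox's analysis window, and that sandboxes counter this by skipping or accelerating sleeps (which is what both linked posts cover), is needed. The Geolocation block `https://rdap.arin.net/registry/ip/` is missing the address that goes at its end; add a placeholder and note that ARIN only holds its own region's allocations, so other addresses are redirected to the responsible RIR (a bootstrap service such as rdap.org can be used instead). The System Info and Network Info lists are plain words inside ```sh fences, which is misleading; make them bullet lists, and for each item say what value suggests a sandbox, since the lists name what to check but not what to compare against. "domain admins" and "enterprise admins" are directory information rather than network info.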