From 23e2c9bb5d9c563610ae7f177d69290a80c558b9 Mon Sep 17 00:00:00 2001 From: CPol Date: Thu, 28 Apr 2022 13:46:37 +0000 Subject: [PATCH] GitBook: [#3134] No subject --- .../electron-cef-chromium-debugger-abuse.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md b/linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md index 1199dc8f7..17f18c89a 100644 --- a/linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md +++ b/linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md @@ -89,7 +89,7 @@ The tool [**https://github.com/taviso/cefdebug**](https://github.com/taviso/cefd Note that **NodeJS RCE exploits won't work** if connected to a browser via [**Chrome DevTools Protocol**](https://chromedevtools.github.io/devtools-protocol/) **** (you need to check the API to find interesting things to do with it). {% endhint %} -## RCE +## RCE in NodeJS Debugger/Inspector {% hint style="info" %} If you came here looking how to get [**RCE from a XSS in Electron please check this page.**](../../pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/)**** @@ -124,6 +124,10 @@ ws.send(JSON.stringify({ })); ``` +### Webdriver RCE and exfiltration + +According to this post: [https://medium.com/@knownsec404team/counter-webdriver-from-bot-to-rce-b5bfb309d148](https://medium.com/@knownsec404team/counter-webdriver-from-bot-to-rce-b5bfb309d148) it's possible to obtain RCE and exfiltrate internal pages from theriver. + ### Post-Exploitation In a real environment and **after compromising** a user PC that uses Chrome/Chromium based browser you could launch a Chrome process with the **debugging activated and port-forward the debugging port** so you can access it. This way you will be able to **inspect everything the victim does with Chrome and steal sensitive information**.
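Review bot: Renaming the heading `## RCE` to `## RCE in NodeJS Debugger/Inspector` in the first hunk changes the auto-generated anchor for that section (GitBook derives anchors from heading text), so any existing cross-page link or table-of-contents entry pointing at `#rce` will silently break; please grep the book for `electron-cef-chromium-debugger-abuse.md#rce` and update those links in the same commit. The retitle itself is a good clarification, since the hint just above it already states that NodeJS RCE payloads do not apply when talking to a browser over the Chrome DevTools Protocol; for consistency with the rest of the page consider the spelling used elsewhere ("NodeJS" here vs. the project's usual form) so that the heading and the hint text match.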
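Review bot: The new paragraph in the second hunk has a typo in "exfiltrate internal pages from theriver" (presumably "from the driver"), and the added `### Webdriver RCE and exfiltration` subsection consists only of an external link with no summary of what the referenced post actually covers. Since this subsection sits under the newly retitled `## RCE in NodeJS Debugger/Inspector` heading but concerns WebDriver (a separate remote-control protocol, not the Node inspector or the Chrome DevTools Protocol), a one-line note stating that distinction, plus what exposure makes a WebDriver endpoint a risk and how to detect or restrict it, would keep the section coherent and useful to readers who do not follow the link; please also fix the typo before merging.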