GitBook: [#2990] No subject

This commit is contained in:
CPol 2022-02-06 12:02:47 +00:00 committed by gitbook-bot
parent a82171150e
commit 250471d1e2
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
8 changed files with 26 additions and 11 deletions


@ -107,26 +107,25 @@ Other way:
**Reverse Shell:** Xrdp also allows to take reverse shell via Netcat. Type in the following command: **Reverse Shell:** Xrdp also allows to take reverse shell via Netcat. Type in the following command:
**./xrdp.py \<IP:0> no-disp**\ **./xrdp.py \<IP:0> no-disp**
****
![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX15.jpg) ![](../.gitbook/assets/112217\_0051\_ExploitingX15.jpeg)
It will prompt a new control pane where we can see the R-shell option, which is illustrated below: It will prompt a new control pane where we can see the R-shell option, which is illustrated below:
![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX16.jpg) ![](../.gitbook/assets/112217\_0051\_ExploitingX16.jpeg)
We will start the Netcat listening mode in our local system on port 5555, which is illustrated below: We will start the Netcat listening mode in our local system on port 5555, which is illustrated below:
![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX17.jpg) ![](../.gitbook/assets/112217\_0051\_ExploitingX17.jpeg)
Then add the IP and port and then select R-Shell, which is illustrated below: Then add the IP and port and then select R-Shell, which is illustrated below:
![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX18.jpg) ![](../.gitbook/assets/112217\_0051\_ExploitingX18.jpeg)
Now as can be seen below we have complete system access: Now as can be seen below we have complete system access:
![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX19.jpg) ![](../.gitbook/assets/112217\_0051\_ExploitingX19.jpeg)
{% embed url="https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref" %} {% embed url="https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref" %}
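Review bot: the five rewritten image links change the file extension from `.jpg` (the kinstacdn originals) to `.jpeg` under `../.gitbook/assets/`, so the five binary files this commit adds must be stored with exactly that `.jpeg` extension and the `112217_0051_ExploitingX15` to `X19` names, otherwise every screenshot in this section breaks in GitBook; a quick `ls .gitbook/assets/112217_0051_ExploitingX1*` before merging confirms it. Dropping the stray `****` line and the trailing `\` after `**./xrdp.py \<IP:0> no-disp**` is an improvement; while here, that command line reads better in a code fence than as bold prose.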


@ -48,6 +48,12 @@ Another important details about enumeration and Kubernetes permissions abuse is
[hardening-roles-clusterroles](hardening-roles-clusterroles/) [hardening-roles-clusterroles](hardening-roles-clusterroles/)
{% endcontent-ref %} {% endcontent-ref %}
### Privesc to a different Namespace
If you have compromised a namespace you can potentially escape to other namespaces with more interesting permissions/resources:
### From Kubernetes to the Cloud ### From Kubernetes to the Cloud
If you have compromised a K8s account or a pod, you might be able able to move to other clouds. This is because in clouds like AWS or GCP is possible to **give a K8s SA permissions over the cloud**. If you have compromised a K8s account or a pod, you might be able able to move to other clouds. This is because in clouds like AWS or GCP is possible to **give a K8s SA permissions over the cloud**.
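Review bot: the new "Privesc to a different Namespace" section ends in a colon ("...permissions/resources:") but nothing follows it before "### From Kubernetes to the Cloud" in this hunk; if a `{% content-ref %}` block pointing at the relevant page was meant to go here, as the preceding hardening-roles-clusterroles section has, it is missing from the change, otherwise the sentence needs finishing. The unchanged context line below still reads "be able able" and "in clouds like AWS or GCP is possible" ("it is possible"); cheap to fix while the file is open.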


@ -1,7 +1,5 @@
# Symphony # Symphony
**This page was copied from** [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)****
## Introduction <a href="#introduction" id="introduction"></a> ## Introduction <a href="#introduction" id="introduction"></a>
Since its creation in 2008, the use of the [Symfony](https://symfony.com) framework has been growing more and more in PHP based applications. It is now a core component of many well known CMSs, such as [Drupal](https://www.drupal.org), [Joomla!](https://www.joomla.org), [eZPlatform](https://ezplatform.com) (formerly eZPublish), or [Bolt](https://bolt.cm), and is often used to build custom websites. Since its creation in 2008, the use of the [Symfony](https://symfony.com) framework has been growing more and more in PHP based applications. It is now a core component of many well known CMSs, such as [Drupal](https://www.drupal.org), [Joomla!](https://www.joomla.org), [eZPlatform](https://ezplatform.com) (formerly eZPublish), or [Bolt](https://bolt.cm), and is often used to build custom websites.
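Review bot: removing the "This page was copied from ..." banner at the top is acceptable only because the same ambionics URL is kept in the new References section added later in this file by this commit; the two must stay in sync if either is edited again. The unchanged heading `# Symphony` misspells the framework that the very next paragraph calls Symfony; fix the title in the same change.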
@ -511,8 +509,6 @@ The exploit will therefore run through every possible variable combination, and
## Accessing symphony /\_profiler information&#x20; ## Accessing symphony /\_profiler information&#x20;
(info taken from [https://flattsecurity.hatenablog.com/entry/2020/11/02/124807](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807))
![f:id:flattsecurity:20201021204553p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204553.png) ![f:id:flattsecurity:20201021204553p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204553.png)
As you see the screenshot above, there is `sf` logo on the right bottom side of the page. This logo is shown when the Symfony is under the debug mode. There are some cases that this logo doesnt show up, so try accessing `/_profiler` and you will see the page as shown below As you see the screenshot above, there is `sf` logo on the right bottom side of the page. This logo is shown when the Symfony is under the debug mode. There are some cases that this logo doesnt show up, so try accessing `/_profiler` and you will see the page as shown below
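Review bot: with the inline "(info taken from flattsecurity...)" line deleted, this section's attribution now lives only in the References list at the bottom of the file, so that list must not be pruned later. The context heading `## Accessing symphony /\_profiler information&#x20;` carries a trailing `&#x20;` entity (an encoded space left behind by the GitBook editor) and the same Symphony/Symfony misspelling; both are worth cleaning since the hunk is right next to them.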
@ -528,3 +524,17 @@ The Symfony framework itself is very secure, but enabling debug mode will make t
As you see in the screenshot above, you can access all sent requests to the server. By clicking hashes in the token, you will see that all POST parameters can be read, as seen in the following screenshot. With this feature, we can hijack the administrator and users account credentials. As you see in the screenshot above, you can access all sent requests to the server. By clicking hashes in the token, you will see that all POST parameters can be read, as seen in the following screenshot. With this feature, we can hijack the administrator and users account credentials.
![f:id:flattsecurity:20201021204637p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204637.png) ![f:id:flattsecurity:20201021204637p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204637.png)
### Other Debug Enabled Endpoints
You should also check these URLs:
* **https://example.com/app\_dev.php/\_profiler**
* **https://example.com/app\_dev.php**\
## References
* [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)****
* [**https://flattsecurity.hatenablog.com/entry/2020/11/02/124807**](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807)****
* ****[**https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144**](https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144)****
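Review bot: the second bullet `* **https://example.com/app\_dev.php**\` ends in a hard line-break backslash immediately before `## References`, which glues the heading to the list; replace the trailing `\` with a blank line. The three reference entries wrap their links in empty `****` bold markers (leading on the third, trailing on all three), stray markup from the GitBook editor that should be dropped. `example.com` in the two new URLs is a placeholder host and the text could say so explicitly.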