mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
GitBook: [#2990] No subject
This commit is contained in:
parent
a82171150e
commit
250471d1e2
8 changed files with 26 additions and 11 deletions
BIN
.gitbook/assets/112217_0051_ExploitingX15.jpeg
Normal file
Binary file not shown (after: 16 KiB).
BIN
.gitbook/assets/112217_0051_ExploitingX16.jpeg
Normal file
Binary file not shown (after: 8.4 KiB).
BIN
.gitbook/assets/112217_0051_ExploitingX17.jpeg
Normal file
Binary file not shown (after: 11 KiB).
BIN
.gitbook/assets/112217_0051_ExploitingX18.jpeg
Normal file
Binary file not shown (after: 8.5 KiB).
BIN
.gitbook/assets/112217_0051_ExploitingX19.jpeg
Normal file
Binary file not shown (after: 14 KiB).
@ -107,26 +107,25 @@ Other way:

**Reverse Shell:** Xrdp also allows to take reverse shell via Netcat. Type in the following command:

**./xrdp.py \<IP:0> –no-disp**\
****
**./xrdp.py \<IP:0> –no-disp**

![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX15.jpg)
![](../.gitbook/assets/112217\_0051\_ExploitingX15.jpeg)

It will prompt a new control pane where we can see the R-shell option, which is illustrated below:

![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX16.jpg)
![](../.gitbook/assets/112217\_0051\_ExploitingX16.jpeg)

We will start the Netcat listening mode in our local system on port 5555, which is illustrated below:

![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX17.jpg)
![](../.gitbook/assets/112217\_0051\_ExploitingX17.jpeg)

Then add the IP and port and then select R-Shell, which is illustrated below:

![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX18.jpg)
![](../.gitbook/assets/112217\_0051\_ExploitingX18.jpeg)

Now as can be seen below we have complete system access:

![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX19.jpg)
![](../.gitbook/assets/112217\_0051\_ExploitingX19.jpeg)

{% embed url="https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref" %}

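Review bot: the command line that this hunk rewrites, `**./xrdp.py \<IP:0> –no-disp**`, keeps an en-dash in `–no-disp` in both the removed and the retained version, which looks like a typographic substitution for a double-hyphen flag; since the line is being touched anyway, this is the place to restore the intended dashes and to put the command in a fenced code block so the `\<IP:0>` placeholder is not mangled by the bold markup. Replacing the five kinstacdn image URLs with the local `../.gitbook/assets/` copies (the new binaries listed at the top of this commit) is the right call; while at it, the images could carry alt text instead of the empty `![]()`.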
@ -48,6 +48,12 @@ Another important details about enumeration and Kubernetes permissions abuse is
[hardening-roles-clusterroles](hardening-roles-clusterroles/)
{% endcontent-ref %}

### Privesc to a different Namespace

If you have compromised a namespace you can potentially escape to other namespaces with more interesting permissions/resources:



### From Kubernetes to the Cloud

If you have compromised a K8s account or a pod, you might be able able to move to other clouds. This is because in clouds like AWS or GCP is possible to **give a K8s SA permissions over the cloud**.
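Review bot: the new `### Privesc to a different Namespace` section is a stub: its single sentence ends with a colon and is followed only by blank lines, so the reader is promised a list that never arrives. Either add the content-ref the heading was meant to introduce (the `{% endcontent-ref %}` block immediately above shows the pattern this page uses) or hold the heading back until the text exists. The unchanged context line below still reads `be able able to move` and `in clouds like AWS or GCP is possible`; both belong on the follow-up list.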
@ -1,7 +1,5 @@
# Symphony

**This page was copied from** [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)****

## Introduction <a href="#introduction" id="introduction"></a>

Since its creation in 2008, the use of the [Symfony](https://symfony.com) framework has been growing more and more in PHP based applications. It is now a core component of many well known CMSs, such as [Drupal](https://www.drupal.org), [Joomla!](https://www.joomla.org), [eZPlatform](https://ezplatform.com) (formerly eZPublish), or [Bolt](https://bolt.cm), and is often used to build custom websites.
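Review bot: removing the `**This page was copied from** ...ambionics.io/blog/symfony-secret-fragment` line takes the attribution off the top of the page; that is acceptable only because the same URL is added to a References list further down in this commit, so the two hunks must land together rather than be cherry-picked apart. The retained `# Symphony` heading misspells Symfony, the framework named in the first paragraph of the same hunk; it is an unchanged context line here, so it needs its own follow-up.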
@ -511,8 +509,6 @@ The exploit will therefore run through every possible variable combination, and

## Accessing symphony /\_profiler information 

(info taken from [https://flattsecurity.hatenablog.com/entry/2020/11/02/124807](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807))

![f:id:flattsecurity:20201021204553p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204553.png)

As you see the screenshot above, there is `sf` logo on the right bottom side of the page. This logo is shown when the Symfony is under the debug mode. There are some cases that this logo doesn’t show up, so try accessing `/_profiler` and you will see the page as shown below
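Review bot: same pattern as the previous hunk: the inline `(info taken from https://flattsecurity.hatenablog.com/...)` attribution is dropped and relies on the References entry added later in this commit. The surrounding context could use attention in a follow-up: the heading `## Accessing symphony /\_profiler information ` has a trailing space and the `symphony` misspelling, and `As you see the screenshot above, there is `sf` logo` should read `As you can see in the screenshot above, there is an `sf` logo`. The section explains that the logo and `/_profiler` appear only when Symfony runs in debug mode, which is also the remediation; stating explicitly that debug mode and the profiler must be disabled on production hosts would close the loop for readers on the defensive side.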
@ -528,3 +524,17 @@ The Symfony framework itself is very secure, but enabling debug mode will make t
As you see in the screenshot above, you can access all sent requests to the server. By clicking hashes in the token, you will see that all POST parameters can be read, as seen in the following screenshot. With this feature, we can hijack the administrator and user’s account credentials.

![f:id:flattsecurity:20201021204637p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204637.png)

### Other Debug Enabled Endpoints

You should also check these URLs:

* **https://example.com/app\_dev.php/\_profiler**
* **https://example.com/app\_dev.php**\


## References

* [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)****
* [**https://flattsecurity.hatenablog.com/entry/2020/11/02/124807**](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807)****
* ****[**https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144**](https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144)****
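Review bot: the three new reference entries each end in a stray `****` (and the third also begins with one); these are empty bold markers that render as literal asterisks and should be deleted, as should the trailing backslash on the second `app\_dev.php` bullet, which produces a hard line break in front of an empty line. `### Other Debug Enabled Endpoints` lists two URLs without saying why they matter: `app_dev.php` is Symfony's development front controller, so its being reachable on a production host is itself the finding to report, and one sentence to that effect would make the list self-explanatory. The ambionics and flattsecurity entries correctly pick up the attributions removed inline in the earlier hunks.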