mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-24 21:53:54 +00:00
fix: typos
This commit is contained in:
parent
7104c3c53a
commit
92d821c204
13 changed files with 13 additions and 13 deletions
|
@ -23,7 +23,7 @@
|
||||||
|
|
||||||
{% hint style="info" %}
|
{% hint style="info" %}
|
||||||
Note that **`checksec`** might not find that a binary is protected by a canary if this was statically compiled and it's not capable to identify the function.\
|
Note that **`checksec`** might not find that a binary is protected by a canary if this was statically compiled and it's not capable to identify the function.\
|
||||||
However, you can manually notice this if you find that a value is saved in the stack at the begging of a function call and this value is checked before exiting.
|
However, you can manually notice this if you find that a value is saved in the stack at the beginning of a function call and this value is checked before exiting.
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
# Brute force Canary
|
# Brute force Canary
|
||||||
|
|
|
@ -219,7 +219,7 @@ gets
|
||||||
|
|
||||||
At this point we should know the libc library used. As we are exploiting a local binary I will use just:`/lib/x86_64-linux-gnu/libc.so.6`
|
At this point we should know the libc library used. As we are exploiting a local binary I will use just:`/lib/x86_64-linux-gnu/libc.so.6`
|
||||||
|
|
||||||
So, at the begging of `template.py` change the **libc** variable to: `libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it`
|
So, at the beginning of `template.py` change the **libc** variable to: `libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it`
|
||||||
|
|
||||||
Giving the **path** to the **libc library** the rest of the **exploit is going to be automatically calculated**.
|
Giving the **path** to the **libc library** the rest of the **exploit is going to be automatically calculated**.
|
||||||
|
|
||||||
|
|
|
@ -76,7 +76,7 @@ To fix this you need to **add the correct magic number** at the beginning of the
|
||||||
'550d0d0a'
|
'550d0d0a'
|
||||||
```
|
```
|
||||||
|
|
||||||
The **magic number** in this case for python3.8 is **`0x550d0d0a`**, then, to fix this error you will need to **add** at the **begging** of the **.pyc file** the following bytes: `0x0d550a0d000000000000000000000000`
|
The **magic number** in this case for python3.8 is **`0x550d0d0a`**, then, to fix this error you will need to **add** at the **beginning** of the **.pyc file** the following bytes: `0x0d550a0d000000000000000000000000`
|
||||||
|
|
||||||
**Once** you have **added** that magic header, the **error should be fixed.**
|
**Once** you have **added** that magic header, the **error should be fixed.**
|
||||||
|
|
||||||
|
|
|
@ -42,7 +42,7 @@ If you **know the MAC address of a host in the same net** as you (you could just
|
||||||
Suppose the **MAC address** is **`12:34:56:78:9a:bc`**
|
Suppose the **MAC address** is **`12:34:56:78:9a:bc`**
|
||||||
|
|
||||||
1. To IPv6 notation: **`1234:5678:9abc`**
|
1. To IPv6 notation: **`1234:5678:9abc`**
|
||||||
2. Append `fe80::` at the begging and Insert `fffe` in the middle: **`fe80::`**`1234:56`**`ff:fe`**`78:9abc`
|
2. Append `fe80::` at the beginning and Insert `fffe` in the middle: **`fe80::`**`1234:56`**`ff:fe`**`78:9abc`
|
||||||
3. Invert seventh bit from the left, from 0001 0010 to 0001 0000: `fe80::1`**`0`**`34:56ff:fe78:9abc`
|
3. Invert seventh bit from the left, from 0001 0010 to 0001 0000: `fe80::1`**`0`**`34:56ff:fe78:9abc`
|
||||||
4. `fe80::1034:56ff:fe78:9abc`
|
4. `fe80::1034:56ff:fe78:9abc`
|
||||||
|
|
||||||
|
|
|
@ -1045,7 +1045,7 @@ function_type(code_obj, mydict, None, None, None)("secretcode")
|
||||||
|
|
||||||
### Bypass Defenses
|
### Bypass Defenses
|
||||||
|
|
||||||
In previous examples at the begging of this post, you can see **how to execute any python code using the `compile` function**. This is interesting because you can **execute whole scripts** with loops and everything in a **one liner** (and we could do the same using **`exec`**).\
|
In previous examples at the beginning of this post, you can see **how to execute any python code using the `compile` function**. This is interesting because you can **execute whole scripts** with loops and everything in a **one liner** (and we could do the same using **`exec`**).\
|
||||||
Anyway, sometimes it could be useful to **create** a **compiled object** in a local machine and execute it in the **CTF machine** (for example because we don't have the `compiled` function in the CTF).
|
Anyway, sometimes it could be useful to **create** a **compiled object** in a local machine and execute it in the **CTF machine** (for example because we don't have the `compiled` function in the CTF).
|
||||||
|
|
||||||
For example, let's compile and execute manually a function that reads _./poc.py_:
|
For example, let's compile and execute manually a function that reads _./poc.py_:
|
||||||
|
|
|
@ -179,7 +179,7 @@ Recommendations:
|
||||||
|
|
||||||
### Toasting
|
### Toasting
|
||||||
|
|
||||||
Remember to add 3 to the number of _.locals_ at the begging of the function.
|
Remember to add 3 to the number of _.locals_ at the beginning of the function.
|
||||||
|
|
||||||
This code is prepared to be inserted in the **middle of a function** (**change** the number of the **variables** as necessary). It will take the **value of this.o**, **transform** it to **String** and them **make** a **toast** with its value.
|
This code is prepared to be inserted in the **middle of a function** (**change** the number of the **variables** as necessary). It will take the **value of this.o**, **transform** it to **String** and them **make** a **toast** with its value.
|
||||||
|
|
||||||
|
|
|
@ -180,7 +180,7 @@ You could also abuse this behaviour to make a FTP server interact with other pro
|
||||||
The theory is easy:
|
The theory is easy:
|
||||||
|
|
||||||
1. **Upload the request (inside a text file) to the vulnerable server.** Remember that if you want to talk with another HTTP or FTP server you need to change lines with `0x0d 0x0a`
|
1. **Upload the request (inside a text file) to the vulnerable server.** Remember that if you want to talk with another HTTP or FTP server you need to change lines with `0x0d 0x0a`
|
||||||
2. **Use `REST X` to avoid sending the characters you don't want to send** (maybe to upload the request inside the file you needed to put some image header at the begging)
|
2. **Use `REST X` to avoid sending the characters you don't want to send** (maybe to upload the request inside the file you needed to put some image header at the beginning)
|
||||||
3. **Use `PORT`to connect to the arbitrary server and service**
|
3. **Use `PORT`to connect to the arbitrary server and service**
|
||||||
4. **Use `RETR`to send the saved request to the server.**
|
4. **Use `RETR`to send the saved request to the server.**
|
||||||
|
|
||||||
|
|
|
@ -520,7 +520,7 @@ You can use the tool [https://github.com/teambi0s/dfunc-bypasser](https://github
|
||||||
|
|
||||||
### Bypassing using other system functions
|
### Bypassing using other system functions
|
||||||
|
|
||||||
Just return to the begging of this page and **check if any of the command executing functions isn't disabled and available in the environment**. If you find just 1 of them, you will be able to use it to execute arbitrary system commands.
|
Just return to the beginning of this page and **check if any of the command executing functions isn't disabled and available in the environment**. If you find just 1 of them, you will be able to use it to execute arbitrary system commands.
|
||||||
|
|
||||||
### LD\_PRELOAD bypass
|
### LD\_PRELOAD bypass
|
||||||
|
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
|
|
||||||
This [**writeup** ](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)explains that you can use **php filters to generate arbitrary content** as output. Which basically means that you can **generate arbitrary php code** for the include **without needing to write** it into a file.
|
This [**writeup** ](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)explains that you can use **php filters to generate arbitrary content** as output. Which basically means that you can **generate arbitrary php code** for the include **without needing to write** it into a file.
|
||||||
|
|
||||||
Basically the goal of the script is to **generate a Base64** string at the **begging** of the file that will be **finally decoded** providing the desired payload that will be **interpreted by `include`**.
|
Basically the goal of the script is to **generate a Base64** string at the **beginning** of the file that will be **finally decoded** providing the desired payload that will be **interpreted by `include`**.
|
||||||
|
|
||||||
The bases to do this are:
|
The bases to do this are:
|
||||||
|
|
||||||
|
|
|
@ -66,7 +66,7 @@ Here, the **front-end** server uses the **`Content-Length`** header and the **ba
|
||||||
`GET /404 HTTP/1.1`\
|
`GET /404 HTTP/1.1`\
|
||||||
`Foo: x`
|
`Foo: x`
|
||||||
|
|
||||||
Note how `Content-Length` indicate the **bodies request length is 30 bytes long** (_remember that HTTP uses as new line, so 2bytes each new line_), so the reverse proxy **will send the complete request** to the back-end, and the back-end will process the `Transfer-Encoding` header leaving the `GET /404 HTTP/1.1` as the **begging of the next request** (BTW, the next request will be appended to `Foo:x<Next request starts here>`).
|
Note how `Content-Length` indicate the **bodies request length is 30 bytes long** (_remember that HTTP uses as new line, so 2bytes each new line_), so the reverse proxy **will send the complete request** to the back-end, and the back-end will process the `Transfer-Encoding` header leaving the `GET /404 HTTP/1.1` as the **beginning of the next request** (BTW, the next request will be appended to `Foo:x<Next request starts here>`).
|
||||||
|
|
||||||
### TE.CL vulnerabilities
|
### TE.CL vulnerabilities
|
||||||
|
|
||||||
|
|
|
@ -905,7 +905,7 @@ However, if for whatever reason you **MUST** do it **char by char** (maybe the c
|
||||||
<img src=/something loading=lazy >
|
<img src=/something loading=lazy >
|
||||||
```
|
```
|
||||||
|
|
||||||
Therefore, what you can do is to **add a lot of junk chars** (For example **thousands of "W"s**) to **fill the web page before the secret**. We do this so the image is not loaded at the begging.
|
Therefore, what you can do is to **add a lot of junk chars** (For example **thousands of "W"s**) to **fill the web page before the secret**. We do this so the image is not loaded at the beginning.
|
||||||
|
|
||||||
However, you make the **bot access the page** with something like
|
However, you make the **bot access the page** with something like
|
||||||
|
|
||||||
|
|
|
@ -75,7 +75,7 @@ The attacker will f**ollow that loop until it manages to leak completely the sec
|
||||||
You can find the original [**Pepe Vila's code to exploit this here**](https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231) or you can find almost the [**same code but commented here**.](./#css-injection)
|
You can find the original [**Pepe Vila's code to exploit this here**](https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231) or you can find almost the [**same code but commented here**.](./#css-injection)
|
||||||
|
|
||||||
{% hint style="info" %}
|
{% hint style="info" %}
|
||||||
The script will try to discover 2 chars each time (from the begging and from the end) because the attribute selector allows to do things like:
|
The script will try to discover 2 chars each time (from the beginning and from the end) because the attribute selector allows to do things like:
|
||||||
|
|
||||||
```css
|
```css
|
||||||
/* value^= to match the beggining of the value*/
|
/* value^= to match the beggining of the value*/
|
||||||
|
|
|
@ -149,7 +149,7 @@ The malware will unmap the legitimate code from memory of the process and load a
|
||||||
* **IRP** (**I/O Request Packets**) transmit pieces of data from one component to another. Almost everything in the kernel uses IRPs and each device object has its own function table that can be hooked: DKOM (Direct Kernel Object Manipulation)
|
* **IRP** (**I/O Request Packets**) transmit pieces of data from one component to another. Almost everything in the kernel uses IRPs and each device object has its own function table that can be hooked: DKOM (Direct Kernel Object Manipulation)
|
||||||
* The **IAT** (**Import Address Table**) is useful to resolve dependencies. It's possible to hook this table in order to hijack the code that will be called.
|
* The **IAT** (**Import Address Table**) is useful to resolve dependencies. It's possible to hook this table in order to hijack the code that will be called.
|
||||||
* **EAT** (**Export Address Table**) Hooks. This hooks can be done from **userland**. The goal is to hook exported functions by DLLs.
|
* **EAT** (**Export Address Table**) Hooks. This hooks can be done from **userland**. The goal is to hook exported functions by DLLs.
|
||||||
* **Inline Hooks**: This type are difficult to achieve. This involve modifying the code of the functions itself. Maybe by putting a jump at the begging of this.
|
* **Inline Hooks**: This type are difficult to achieve. This involve modifying the code of the functions itself. Maybe by putting a jump at the beginning of this.
|
||||||
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
Loading…
Reference in a new issue