GitBook: [master] 8 pages and 18 assets modified
|
@ -10,7 +10,7 @@ dht udp "DHT Nodes"
|
||||||
|
|
||||||
![](.gitbook/assets/image%20%28182%29.png)
|
![](.gitbook/assets/image%20%28182%29.png)
|
||||||
|
|
||||||
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
|
![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
|
||||||
|
|
||||||
InfluxDB
|
InfluxDB
|
||||||
|
|
||||||
|
|
|
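Review bot: the only change in this hunk is the `image (345)` asset path picking up yet another ` (2)` suffix (six copies on the left, seven on the right) while the surrounding `dht udp "DHT Nodes"` and `InfluxDB` context is untouched. That pattern means the GitBook sync is re-uploading the same image under a new name on each commit instead of reusing it; deduplicate the assets directory and point the reference at one stable filename so these churn-only diffs stop appearing.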
@ -24,6 +24,7 @@
|
||||||
|
|
||||||
* [Checklist - Linux Privilege Escalation](linux-unix/linux-privilege-escalation-checklist.md)
|
* [Checklist - Linux Privilege Escalation](linux-unix/linux-privilege-escalation-checklist.md)
|
||||||
* [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md)
|
* [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md)
|
||||||
|
* [Seccomp](linux-unix/privilege-escalation/seccomp.md)
|
||||||
* [Containerd \(ctr\) Privilege Escalation](linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md)
|
* [Containerd \(ctr\) Privilege Escalation](linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md)
|
||||||
* [Docker Breakout](linux-unix/privilege-escalation/docker-breakout.md)
|
* [Docker Breakout](linux-unix/privilege-escalation/docker-breakout.md)
|
||||||
* [electron/CEF/chromium debugger abuse](linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md)
|
* [electron/CEF/chromium debugger abuse](linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md)
|
||||||
|
|
|
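Review bot: the new `* [Seccomp](linux-unix/privilege-escalation/seccomp.md)` entry is inserted ahead of `Containerd (ctr) Privilege Escalation`, `Docker Breakout` and `electron/CEF/chromium debugger abuse`, which are listed alphabetically; placing it after `Docker Breakout` would keep that order. The link target does match the `linux-unix/privilege-escalation/seccomp.md` file added later in this commit, so the entry will resolve.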
@ -395,7 +395,7 @@ Partition Record Format:
|
||||||
|
|
||||||
In order to mount a MBR in Linux you first need to get the start offset \(you can use `fdisk` and the the `p` command\)
|
In order to mount a MBR in Linux you first need to get the start offset \(you can use `fdisk` and the the `p` command\)
|
||||||
|
|
||||||
![](../../.gitbook/assets/image%20%28413%29%20%283%29%20%283%29%20%281%29.png)
|
![](../../.gitbook/assets/image%20%28413%29%20%283%29%20%283%29%20%283%29%20%281%29.png)
|
||||||
|
|
||||||
An then use the following code
|
An then use the following code
|
||||||
|
|
||||||
|
|
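Review bot: the only edited line here is the `image (413)` reference gaining a further ` (3)` suffix, the same asset churn seen in the first hunk. While touching this region, the unchanged context carries two typos worth fixing in the same commit: `you can use \`fdisk\` and the the \`p\` command` (duplicated "the") and `An then use the following code` ("And then").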
99
linux-unix/privilege-escalation/seccomp.md
Normal file
|
@ -0,0 +1,99 @@
|
||||||
|
# Seccomp
|
||||||
|
|
||||||
|
## Basic Information
|
||||||
|
|
||||||
|
**Seccomp** or Secure Computing mode is a feature of Linux kernel which can act as **syscall filter**.
|
||||||
|
Seccomp has 2 modes.
|
||||||
|
|
||||||
|
### **Original/Strict Mode**
|
||||||
|
|
||||||
|
In this mode ****Seccomp **only allow the syscalls** `exit()`, `sigreturn()`, `read()` and `write()` to already-open file descriptors. If any other syscall is made, the process is killed using SIGKILL
|
||||||
|
|
||||||
|
{% code title="seccomp\_strict.c" %}
|
||||||
|
```c
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <linux/seccomp.h>
|
||||||
|
#include <sys/prctl.h>
|
||||||
|
|
||||||
|
//From https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/
|
||||||
|
//gcc seccomp_strict.c -o seccomp_strict
|
||||||
|
|
||||||
|
int main(int argc, char **argv)
|
||||||
|
{
|
||||||
|
int output = open("output.txt", O_WRONLY);
|
||||||
|
const char *val = "test";
|
||||||
|
|
||||||
|
//enables strict seccomp mode
|
||||||
|
printf("Calling prctl() to set seccomp strict mode...\n");
|
||||||
|
prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);
|
||||||
|
|
||||||
|
//This is allowed as the file was already opened
|
||||||
|
printf("Writing to an already open file...\n");
|
||||||
|
write(output, val, strlen(val)+1);
|
||||||
|
|
||||||
|
//This isn't allowed
|
||||||
|
printf("Trying to open file for reading...\n");
|
||||||
|
int input = open("output.txt", O_RDONLY);
|
||||||
|
|
||||||
|
printf("You will not see this message--the process will be killed first\n");
|
||||||
|
}
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
### Seccomp-bpf
|
||||||
|
|
||||||
|
This mode allows f**iltering of system calls using a configurable policy** implemented using Berkeley Packet Filter rules.
|
||||||
|
|
||||||
|
{% code title="seccomp\_bpf.c" %}
|
||||||
|
```c
|
||||||
|
#include <seccomp.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <errno.h>
|
||||||
|
|
||||||
|
//https://security.stackexchange.com/questions/168452/how-is-sandboxing-implemented/175373
|
||||||
|
//gcc seccomp_bpf.c -o seccomp_bpf -lseccomp
|
||||||
|
|
||||||
|
void main(void) {
|
||||||
|
/* initialize the libseccomp context */
|
||||||
|
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
|
||||||
|
|
||||||
|
/* allow exiting */
|
||||||
|
printf("Adding rule : Allow exit_group\n");
|
||||||
|
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
|
||||||
|
|
||||||
|
/* allow getting the current pid */
|
||||||
|
//printf("Adding rule : Allow getpid\n");
|
||||||
|
//seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0);
|
||||||
|
|
||||||
|
printf("Adding rule : Deny getpid\n");
|
||||||
|
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(getpid), 0);
|
||||||
|
/* allow changing data segment size, as required by glibc */
|
||||||
|
printf("Adding rule : Allow brk\n");
|
||||||
|
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0);
|
||||||
|
|
||||||
|
/* allow writing up to 512 bytes to fd 1 */
|
||||||
|
printf("Adding rule : Allow write upto 512 bytes to FD 1\n");
|
||||||
|
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 2,
|
||||||
|
SCMP_A0(SCMP_CMP_EQ, 1),
|
||||||
|
SCMP_A2(SCMP_CMP_LE, 512));
|
||||||
|
|
||||||
|
/* if writing to any other fd, return -EBADF */
|
||||||
|
printf("Adding rule : Deny write to any FD except 1 \n");
|
||||||
|
seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(write), 1,
|
||||||
|
SCMP_A0(SCMP_CMP_NE, 1));
|
||||||
|
|
||||||
|
/* load and enforce the filters */
|
||||||
|
printf("Load rules and enforce \n");
|
||||||
|
seccomp_load(ctx);
|
||||||
|
seccomp_release(ctx);
|
||||||
|
//Get the getpid is denied, a weird number will be returned like
|
||||||
|
//this process is -9
|
||||||
|
printf("this process is %d\n", getpid());
|
||||||
|
}
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
|
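Review bot: `void main(void)` in seccomp_bpf.c is not valid for a hosted C program and gcc warns on it; use `int main(void)` and finish with `return 0;`. In seccomp_strict.c the result of `open("output.txt", O_WRONLY)` is never checked, so when output.txt does not exist `output` is -1 and the "allowed" `write()` fails with EBADF instead of demonstrating that already-open descriptors still work; `open("output.txt", O_WRONLY | O_CREAT, 0644)` plus a check of the return value (and of `prctl()`) would make the demo reliable. seccomp_bpf.c likewise ignores the return values of `seccomp_rule_add()` and `seccomp_load()`, so a rejected rule or failed load would silently leave the process unfiltered; the example should bail out on a negative return. Two markdown slips in the prose: `In this mode ****Seccomp **only allow the syscalls**` has a stray `****` and should read "only allows", and in `allows f**iltering of system calls ...**` the bold opens one character late. The comment `//Get the getpid is denied` presumably means "Since getpid is denied".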
@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n
|
||||||
|
|
||||||
![](../../../.gitbook/assets/image%20%28211%29.png)
|
![](../../../.gitbook/assets/image%20%28211%29.png)
|
||||||
|
|
||||||
![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29.png)
|
![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29.png)
|
||||||
|
|
||||||
Because you will be able to call them
|
Because you will be able to call them
|
||||||
|
|
||||||
|
|
|
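Review bot: asset churn again: the `image (254)` reference gains an extra ` (1)` suffix with no change to the surrounding Content Provider text. Same fix as for the other image hunks in this commit: reuse the existing asset instead of uploading a renamed copy.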
@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is
|
||||||
|
|
||||||
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
|
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
|
||||||
|
|
||||||
![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
|
![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
|
||||||
|
|
||||||
|
|
|
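Review bot: this hunk only renames the `image (25)` asset reference (one more ` (2)` in the path); the `=cmd|' /C calc'!xxx` payload line and the rest of the context are unchanged. No functional change, same dedupe suggestion as above.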
@ -24,7 +24,7 @@ Check where the token originated in your proxy's request history. It should be c
|
||||||
|
|
||||||
Check if the token lasts more than 24h... maybe it never expires. If there is a "exp" filed, check if the server is correctly handling it.
|
Check if the token lasts more than 24h... maybe it never expires. If there is a "exp" filed, check if the server is correctly handling it.
|
||||||
|
|
||||||
## Brute-force HMAC secret
|
## Brute-force HMAC secret
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
git clone https://github.com/Sjord/jwtcrack.git
|
git clone https://github.com/Sjord/jwtcrack.git
|
||||||
|
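Review bot: the visible lines of this hunk are identical on both sides, so the edit is whitespace-only, but the context line `If there is a "exp" filed, check if the server is correctly handling it` has a typo: it should read `an "exp" field`. Worth fixing while the region is being touched.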
@ -51,7 +51,7 @@ The algorithm RS256 uses the private key to sign the message and uses the public
|
||||||
|
|
||||||
If you change the algorithm from RS256 to HS256, the back end code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature.
|
If you change the algorithm from RS256 to HS256, the back end code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature.
|
||||||
|
|
||||||
Then, using the public key and changing RS256 to HS256 we could create a valid signature. You can retrieve the certificate of the web server executing this:
|
Then, using the public key and changing RS256 to HS256 we could create a valid signature. You can retrieve the certificate of the web server executing this:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
openssl s_client -connect example.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > certificatechain.pem #For this attack you can use the JOSEPH Burp extension. In the Repeater, select the JWS tab and select the Key confusion attack. Load the PEM, Update the request and send it. (This extension allows you to send the "non" algorithm attack also). It is also recommended to use the tool jwt_tool with the option 2 as the previous Burp Extension does not always works well.
|
openssl s_client -connect example.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > certificatechain.pem #For this attack you can use the JOSEPH Burp extension. In the Repeater, select the JWS tab and select the Key confusion attack. Load the PEM, Update the request and send it. (This extension allows you to send the "non" algorithm attack also). It is also recommended to use the tool jwt_tool with the option 2 as the previous Burp Extension does not always works well.
|
||||||
|
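Review bot: the bash block puts a roughly 300-character `#For this attack you can use the JOSEPH Burp extension ...` comment on the same line as the `openssl s_client` command, so it cannot be read without horizontal scrolling and is pasted into the shell together with the command; move that guidance into prose under the code block. In that text, `the "non" algorithm attack` should be `the "none" algorithm attack` (the `alg: none` case), and `does not always works well` should be `does not always work well`.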
@ -73,7 +73,7 @@ If you get an HTTP interaction you now know that the server is trying to load ke
|
||||||
|
|
||||||
## Kid issues
|
## Kid issues
|
||||||
|
|
||||||
`kid` is an optional header claim which holds a key identifier, particularly useful when you have multiple keys to sign the tokens and you need to look up the right one to verify the signature.
|
`kid` is an optional header claim which holds a key identifier, particularly useful when you have multiple keys to sign the tokens and you need to look up the right one to verify the signature.
|
||||||
|
|
||||||
### "kid" issues - reveal key:
|
### "kid" issues - reveal key:
|
||||||
|
|
||||||
|
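Review bot: style: the heading `### "kid" issues - reveal key:` ends with a colon, unlike the other headings in this file (`## Kid issues`); drop the trailing colon so the headings are consistent.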
@ -123,17 +123,11 @@ Try to change this header to an URL under your control and check if any request
|
||||||
|
|
||||||
You can also abuse both of these vulns if Open redirects, header injection or if you can upload a file inside the server and the server is just whitelisting the domain and not the path.
|
You can also abuse both of these vulns if Open redirects, header injection or if you can upload a file inside the server and the server is just whitelisting the domain and not the path.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## JWT Registered claims
|
## JWT Registered claims
|
||||||
|
|
||||||
{% embed url="https://www.iana.org/assignments/jwt/jwt.xhtml\#claims" %}
|
{% embed url="https://www.iana.org/assignments/jwt/jwt.xhtml\#claims" caption="" %}
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
{% embed url="https://github.com/ticarpi/jwt\_tool" %}
|
{% embed url="https://github.com/ticarpi/jwt\_tool" caption="" %}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
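Review bot: both `{% embed %}` tags gain a `caption=""` attribute, but the caption is left empty, which adds noise without information; either give each embed a short caption (e.g. `caption="IANA JWT claims registry"` for the first, `caption="jwt_tool"` for the second) or leave the attribute off. The six removed lines (17 to 11 in the hunk header) appear to be blank-line cleanup, which is fine. In the unchanged context, `You can also abuse both of these vulns if Open redirects, header injection or if you can upload a file` reads awkwardly; suggest `if you have an open redirect, a header injection, or can upload a file inside the server`.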
@ -320,7 +320,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
|
||||||
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
|
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
|
||||||
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
|
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
|
||||||
|
|
||||||
![](../.gitbook/assets/image%20%28253%29%20%281%29%20%282%29%20%281%29.png)
|
![](../.gitbook/assets/image%20%28253%29%20%281%29%20%282%29%20%281%29%20%281%29.png)
|
||||||
|
|
||||||
{% hint style="info" %}
|
{% hint style="info" %}
|
||||||
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.
|
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.
|
||||||
|
|
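Review bot: the only change is the `image (253)` reference gaining one more ` (1)` suffix, with no change to the text. The adjacent unchanged bullets would read better as `Decide from which account you are going to send the phishing emails` and `make sure to check the Ignore Certificate Errors option`.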