GitBook: [master] 8 pages and 18 assets modified

1911-pentesting-fox.md

@@ -10,7 +10,7 @@ dht udp "DHT Nodes"
 
 ![](.gitbook/assets/image%20%28182%29.png)
 
-![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
+![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png)
 
 InfluxDB
 

SUMMARY.md

@@ -24,6 +24,7 @@
 
 * [Checklist - Linux Privilege Escalation](linux-unix/linux-privilege-escalation-checklist.md)
 * [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md)
+  * [Seccomp](linux-unix/privilege-escalation/seccomp.md)
   * [Containerd \(ctr\) Privilege Escalation](linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md)
   * [Docker Breakout](linux-unix/privilege-escalation/docker-breakout.md)
   * [electron/CEF/chromium debugger abuse](linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md)

forensics/basic-forensics-esp/linux-forensics.md

@@ -395,7 +395,7 @@ Partition Record Format:
 
 In order to mount a MBR in Linux you first need to get the start offset \(you can use `fdisk` and the the `p` command\)
 
-![](../../.gitbook/assets/image%20%28413%29%20%283%29%20%283%29%20%281%29.png)
+![](../../.gitbook/assets/image%20%28413%29%20%283%29%20%283%29%20%283%29%20%281%29.png)
 
 An then use the following code
 

linux-unix/privilege-escalation/seccomp.md

@@ -0,0 +1,99 @@
+# Seccomp
+
+## Basic Information
+
+**Seccomp** or Secure Computing mode is a feature of Linux kernel which can act as **syscall filter**.  
+Seccomp has 2 modes.
+
+### **Original/Strict Mode**
+
+In this mode ****Seccomp **only allow the syscalls**  `exit()`, `sigreturn()`, `read()` and `write()` to already-open file descriptors. If any other syscall is made, the process is killed using SIGKILL
+
+{% code title="seccomp\_strict.c" %}
+```c
+#include <fcntl.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <linux/seccomp.h>
+#include <sys/prctl.h>
+
+//From https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/
+//gcc seccomp_strict.c -o seccomp_strict
+
+int main(int argc, char **argv)
+{
+    int output = open("output.txt", O_WRONLY);
+    const char *val = "test";
+    
+    //enables strict seccomp mode
+    printf("Calling prctl() to set seccomp strict mode...\n");
+    prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);
+    
+    //This is allowed as the file was already opened
+    printf("Writing to an already open file...\n");
+    write(output, val, strlen(val)+1);
+    
+    //This isn't allowed
+    printf("Trying to open file for reading...\n");
+    int input = open("output.txt", O_RDONLY);
+    
+    printf("You will not see this message--the process will be killed first\n");
+}
+```
+{% endcode %}
+
+### Seccomp-bpf
+
+This mode allows f**iltering of system calls using a configurable policy** implemented using Berkeley Packet Filter rules.
+
+{% code title="seccomp\_bpf.c" %}
+```c
+#include <seccomp.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+
+//https://security.stackexchange.com/questions/168452/how-is-sandboxing-implemented/175373
+//gcc seccomp_bpf.c -o seccomp_bpf -lseccomp
+
+void main(void) {
+  /* initialize the libseccomp context */
+  scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
+  
+  /* allow exiting */
+  printf("Adding rule : Allow exit_group\n");
+  seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
+  
+  /* allow getting the current pid */
+  //printf("Adding rule : Allow getpid\n");
+  //seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0);
+  
+  printf("Adding rule : Deny getpid\n");
+  seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(getpid), 0);
+  /* allow changing data segment size, as required by glibc */
+  printf("Adding rule : Allow brk\n");
+  seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0);
+  
+  /* allow writing up to 512 bytes to fd 1 */
+  printf("Adding rule : Allow write upto 512 bytes to FD 1\n");
+  seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 2,
+    SCMP_A0(SCMP_CMP_EQ, 1),
+    SCMP_A2(SCMP_CMP_LE, 512));
+  
+  /* if writing to any other fd, return -EBADF */
+  printf("Adding rule : Deny write to any FD except 1 \n");
+  seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(write), 1,
+    SCMP_A0(SCMP_CMP_NE, 1));
+  
+  /* load and enforce the filters */
+  printf("Load rules and enforce \n");
+  seccomp_load(ctx);
+  seccomp_release(ctx);
+  //Get the getpid is denied, a weird number will be returned like
+  //this process is -9
+  printf("this process is %d\n", getpid());
+}
+```
+{% endcode %}
+

mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md

@@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n
 
 ![](../../../.gitbook/assets/image%20%28211%29.png)
 
-![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29.png)
+![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29.png)
 
 Because you will be able to call them
 

pentesting-web/formula-injection.md

@@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is
 
 It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
 
-![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
+![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
 

pentesting-web/hacking-jwt-json-web-tokens.md

@@ -73,7 +73,7 @@ If you get an HTTP interaction you now know that the server is trying to load ke
 
 ## Kid issues
 
- `kid` is an optional header claim which holds a key identifier, particularly useful when you have multiple keys to sign the tokens and you need to look up the right one to verify the signature.
+`kid` is an optional header claim which holds a key identifier, particularly useful when you have multiple keys to sign the tokens and you need to look up the right one to verify the signature.
 
 ### "kid" issues - reveal key:
 
@@ -123,17 +123,11 @@ Try to change this header to an URL under your control and check if any request
 
 You can also abuse both of these vulns if Open redirects, header injection or if you can upload a file inside the server and the server is just whitelisting the domain and not the path.
 
-
-
 ## JWT Registered claims
 
-{% embed url="https://www.iana.org/assignments/jwt/jwt.xhtml\#claims" %}
+{% embed url="https://www.iana.org/assignments/jwt/jwt.xhtml\#claims" caption="" %}
 
 ## Tools
 
-{% embed url="https://github.com/ticarpi/jwt\_tool" %}
-
-
-
-
+{% embed url="https://github.com/ticarpi/jwt\_tool" caption="" %}
 

phishing-methodology/README.md

@@ -320,7 +320,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
 * Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
 * You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
 
-![](../.gitbook/assets/image%20%28253%29%20%281%29%20%282%29%20%281%29.png)
+![](../.gitbook/assets/image%20%28253%29%20%281%29%20%282%29%20%281%29%20%281%29.png)
 
 {% hint style="info" %}
 It's recommended to use the "**Send Test Email**" functionality to test that everything is working.