GitBook: [#3492] No subject

This commit is contained in:
CPol 2022-09-18 17:48:19 +00:00 committed by gitbook-bot
parent 1870dc9ef7
commit cce707b113
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
13 changed files with 25 additions and 12 deletions

Binary file not shown.

Before

Width:  |  Height:  |  Size: 123 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 254 KiB

After

Width:  |  Height:  |  Size: 123 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 254 KiB

View file

@ -401,7 +401,7 @@ Get the address to this table with: **`objdump -s -j .got ./exec`**
Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT` Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xDIR_GOT`
![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>) ![](<../../.gitbook/assets/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table: Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:

View file

@ -14,7 +14,7 @@
</details> </details>
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (16).png" alt="" data-size="original">\ <img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %} {% embed url="https://go.intigriti.com/hacktricks" %}
@ -159,7 +159,7 @@ echo bye >> ftp.txt
ftp -n -v -s:ftp.txt ftp -n -v -s:ftp.txt
``` ```
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (16).png" alt="" data-size="original">\ <img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %} {% embed url="https://go.intigriti.com/hacktricks" %}
@ -371,7 +371,7 @@ Now we just copy-paste the text into our windows-shell. And it will automaticall
* [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil) * [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
<img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (16).png" alt="" data-size="original">\ <img src="../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png" alt="" data-size="original">\
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %} {% embed url="https://go.intigriti.com/hacktricks" %}

View file

@ -337,7 +337,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke
* Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._ * Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._
* You can leave blank the username and password, but make sure to check the Ignore Certificate Errors * You can leave blank the username and password, but make sure to check the Ignore Certificate Errors
![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (14).png>) ![](<../../.gitbook/assets/image (253) (1) (2) (1) (1) (2) (2) (3) (3) (5) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
{% hint style="info" %} {% hint style="info" %}
It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\ It's recommended to use the "**Send Test Email**" functionality to test that everything is working.\

View file

@ -142,7 +142,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate (from APNS)** * Signed using the **device identity certificate (from APNS)**
* **Certificate chain** includes expired **Apple iPhone Device CA** * **Certificate chain** includes expired **Apple iPhone Device CA**
![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>) ![](<../../../.gitbook/assets/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
### Step 6: Profile Installation ### Step 6: Profile Installation

View file

@ -723,7 +723,7 @@ You can collect console logs through the Xcode **Devices** window as follows:
5. Reproduce the problem. 5. Reproduce the problem.
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window. 6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (13).png>) ![](<../../.gitbook/assets/image (466) (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>)
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command: You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:

View file

@ -332,7 +332,7 @@ C:\xampp\tomcat\conf\server.xml
If you see an error like the following one: If you see an error like the following one:
![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (11).png>) ![](<../../.gitbook/assets/image (446) (1) (2) (2) (3) (3) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>)
It means that the server **didn't receive the correct domain name** inside the Host header.\ It means that the server **didn't receive the correct domain name** inside the Host header.\
In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one. In order to access the web page you could take a look to the served **SSL Certificate** and maybe you can find the domain/subdomain name in there. If it isn't there you may need to **brute force VHosts** until you find the correct one.

View file

@ -402,6 +402,19 @@ Some examples of common files calling a spawn function when imported are:
* /path/to/npm/scripts/changelog.js * /path/to/npm/scripts/changelog.js
* /opt/yarn-v1.22.19/preinstall.js * /opt/yarn-v1.22.19/preinstall.js
The following simple script will search for **calls** from **child\_process** **without any padding** (to avoid showing calls inside functions):
{% code overflow="wrap" %}
```bash
for file_path in `find / -name "*.js" -type f -exec grep -l "child_process" {} \; 2>/dev/null`; do
echo "$file_path"
grep -nE "^[a-zA-Z].*(exec|execFile|fork|spawn|execFileSync|execSync|spawnSync)" "$file_path"
echo ""
done
# Note that this way of finding child_process executions just importing might not find valid scripts as functions called in the root containing child_process calls won't be found.
```
{% endcode %}
### Setting require file path via prototype pollution ### Setting require file path via prototype pollution
{% hint style="warning" %} {% hint style="warning" %}

View file

@ -55,7 +55,7 @@ The good news is that **this payload is executed automatically when the file is
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`** It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2).png>) ![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
### More ### More

View file

@ -22,7 +22,7 @@
## Attacks Graphic ## Attacks Graphic
![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (12).png>) ![](<../../.gitbook/assets/image (535) (1) (1) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (3).png>)
## Tool ## Tool

View file

@ -473,7 +473,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w
First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`). First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1) (3).png" alt=""><figcaption></figcaption></figure>
Next, we change the `userPrincipalName` of `Jane` to be `Administrator`. Notice that were leaving out the `@corp.local` part. Next, we change the `userPrincipalName` of `Jane` to be `Administrator`. Notice that were leaving out the `@corp.local` part.
@ -553,7 +553,7 @@ In this case, `John@corp.local` has `GenericWrite` over `Jane@corp.local`, and w
First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`). First, we obtain the hash of `Jane` with for instance Shadow Credentials (using our `GenericWrite`).
<figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1) (2).png" alt=""><figcaption></figcaption></figure> <figure><img src="../../../.gitbook/assets/image (13) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
Next, we change the `userPrincipalName` of `Jane` to be `DC$@corp.local`. Next, we change the `userPrincipalName` of `Jane` to be `DC$@corp.local`.