GitBook: [#3614] No subject
Before Width: | Height: | Size: 1.6 KiB |
Before Width: | Height: | Size: 84 KiB After Width: | Height: | Size: 1.6 KiB |
Before Width: | Height: | Size: 54 KiB After Width: | Height: | Size: 84 KiB |
Before Width: | Height: | Size: 20 KiB After Width: | Height: | Size: 54 KiB |
BIN
.gitbook/assets/image (1) (2) (2) (1).png
Normal file
After Width: | Height: | Size: 74 KiB |
Before Width: | Height: | Size: 74 KiB After Width: | Height: | Size: 53 KiB |
Before Width: | Height: | Size: 53 KiB After Width: | Height: | Size: 20 KiB |
Before Width: | Height: | Size: 93 KiB After Width: | Height: | Size: 52 KiB |
BIN
.gitbook/assets/image (10) (1) (1).png
Normal file
After Width: | Height: | Size: 12 KiB |
Before Width: | Height: | Size: 12 KiB After Width: | Height: | Size: 19 KiB |
Before Width: | Height: | Size: 19 KiB After Width: | Height: | Size: 32 KiB |
BIN
.gitbook/assets/image (11) (3).png
Normal file
After Width: | Height: | Size: 70 KiB |
Before Width: | Height: | Size: 70 KiB After Width: | Height: | Size: 58 KiB |
BIN
.gitbook/assets/image (12) (1) (1).png
Normal file
After Width: | Height: | Size: 137 KiB |
Before Width: | Height: | Size: 137 KiB After Width: | Height: | Size: 143 KiB |
Before Width: | Height: | Size: 143 KiB After Width: | Height: | Size: 28 KiB |
Before Width: | Height: | Size: 94 KiB |
Before Width: | Height: | Size: 51 KiB After Width: | Height: | Size: 94 KiB |
BIN
.gitbook/assets/image (2) (1) (2).png
Normal file
After Width: | Height: | Size: 51 KiB |
Before Width: | Height: | Size: 54 KiB After Width: | Height: | Size: 40 KiB |
Before Width: | Height: | Size: 19 KiB |
Before Width: | Height: | Size: 346 KiB After Width: | Height: | Size: 19 KiB |
BIN
.gitbook/assets/image (3) (1) (1) (2).png
Normal file
After Width: | Height: | Size: 346 KiB |
Before Width: | Height: | Size: 40 KiB After Width: | Height: | Size: 41 KiB |
Before Width: | Height: | Size: 3.6 KiB |
Before Width: | Height: | Size: 41 KiB After Width: | Height: | Size: 3.6 KiB |
Before Width: | Height: | Size: 2.7 KiB |
Before Width: | Height: | Size: 92 KiB After Width: | Height: | Size: 2.7 KiB |
Before Width: | Height: | Size: 71 KiB |
Before Width: | Height: | Size: 32 KiB After Width: | Height: | Size: 71 KiB |
Before Width: | Height: | Size: 31 KiB |
Before Width: | Height: | Size: 58 KiB After Width: | Height: | Size: 31 KiB |
Before Width: | Height: | Size: 80 KiB |
Before Width: | Height: | Size: 45 KiB After Width: | Height: | Size: 80 KiB |
Before Width: | Height: | Size: 490 KiB |
Before Width: | Height: | Size: 28 KiB After Width: | Height: | Size: 490 KiB |
Before Width: | Height: | Size: 82 KiB |
Before Width: | Height: | Size: 52 KiB After Width: | Height: | Size: 82 KiB |
Before Width: | Height: | Size: 60 KiB |
Before Width: | Height: | Size: 37 KiB After Width: | Height: | Size: 60 KiB |
BIN
.gitbook/assets/image (4) (1) (3).png
Normal file
After Width: | Height: | Size: 37 KiB |
Before Width: | Height: | Size: 27 KiB After Width: | Height: | Size: 27 KiB |
Before Width: | Height: | Size: 205 KiB |
Before Width: | Height: | Size: 39 KiB After Width: | Height: | Size: 205 KiB |
BIN
.gitbook/assets/image (5) (1) (1) (1).png
Normal file
After Width: | Height: | Size: 3.2 MiB |
Before Width: | Height: | Size: 3.2 MiB After Width: | Height: | Size: 53 KiB |
Before Width: | Height: | Size: 53 KiB After Width: | Height: | Size: 229 KiB |
Before Width: | Height: | Size: 229 KiB After Width: | Height: | Size: 92 KiB |
BIN
.gitbook/assets/image (6) (3).png
Normal file
After Width: | Height: | Size: 95 KiB |
Before Width: | Height: | Size: 95 KiB After Width: | Height: | Size: 54 KiB |
BIN
.gitbook/assets/image (7) (2).png
Normal file
After Width: | Height: | Size: 146 KiB |
Before Width: | Height: | Size: 146 KiB After Width: | Height: | Size: 39 KiB |
BIN
.gitbook/assets/image (8) (3).png
Normal file
After Width: | Height: | Size: 106 KiB |
Before Width: | Height: | Size: 106 KiB After Width: | Height: | Size: 27 KiB |
BIN
.gitbook/assets/image (9) (3).png
Normal file
After Width: | Height: | Size: 138 KiB |
Before Width: | Height: | Size: 138 KiB After Width: | Height: | Size: 93 KiB |
Before Width: | Height: | Size: 27 KiB After Width: | Height: | Size: 45 KiB |
|
@ -44,7 +44,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
|
||||||
|
|
||||||
### [SYN CUBES](https://www.syncubes.com/)
|
### [SYN CUBES](https://www.syncubes.com/)
|
||||||
|
|
||||||
<figure><img src=".gitbook/assets/image (10).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src=".gitbook/assets/image (10) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -99,17 +99,17 @@ Open the SalseoLoader project using Visual Studio.
|
||||||
|
|
||||||
### Add before the main function: \[DllExport]
|
### Add before the main function: \[DllExport]
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (2) (1) (1) (1).png>)
|
![](<../.gitbook/assets/image (2) (1) (1).png>)
|
||||||
|
|
||||||
### Install DllExport for this project
|
### Install DllExport for this project
|
||||||
|
|
||||||
#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
|
#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (3) (1) (1) (1) (1).png>)
|
![](<../.gitbook/assets/image (3) (1) (1) (1).png>)
|
||||||
|
|
||||||
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
|
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (4) (1) (1) (1).png>)
|
![](<../.gitbook/assets/image (4) (1) (1).png>)
|
||||||
|
|
||||||
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
|
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
|
||||||
|
|
||||||
|
@ -117,7 +117,7 @@ In your project folder have appeared the files: **DllExport.bat** and **DllExpor
|
||||||
|
|
||||||
Press **Uninstall** (yeah, its weird but trust me, it is necessary)
|
Press **Uninstall** (yeah, its weird but trust me, it is necessary)
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (5) (1).png>)
|
![](<../.gitbook/assets/image (5) (1) (1).png>)
|
||||||
|
|
||||||
### **Exit Visual Studio and execute DllExport\_configure**
|
### **Exit Visual Studio and execute DllExport\_configure**
|
||||||
|
|
||||||
|
@ -139,7 +139,7 @@ Select **x64** (if you are going to use it inside a x64 box, that was my case),
|
||||||
|
|
||||||
Select **Output Type = Class Library** (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)
|
Select **Output Type = Class Library** (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (10) (1).png>)
|
![](<../.gitbook/assets/image (10) (1) (1).png>)
|
||||||
|
|
||||||
Select **x64** **platform** (Project --> SalseoLoader Properties --> Build --> Platform target = x64)
|
Select **x64** **platform** (Project --> SalseoLoader Properties --> Build --> Platform target = x64)
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -195,7 +195,7 @@ openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
|
||||||
openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer
|
openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer
|
||||||
```
|
```
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -160,11 +160,11 @@ For example:
|
||||||
|
|
||||||
In this case you can see that **you shouldn't use the char 0x0A** (nothing is saved in memory since the char 0x09).
|
In this case you can see that **you shouldn't use the char 0x0A** (nothing is saved in memory since the char 0x09).
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (33) (1).png>)
|
![](<../.gitbook/assets/image (33).png>)
|
||||||
|
|
||||||
In this case you can see that **the char 0x0D is avoided**:
|
In this case you can see that **the char 0x0D is avoided**:
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (34) (1).png>)
|
![](<../.gitbook/assets/image (34).png>)
|
||||||
|
|
||||||
## Find a JMP ESP as a return address
|
## Find a JMP ESP as a return address
|
||||||
|
|
||||||
|
@ -182,7 +182,7 @@ You will **list the memory maps**. Search for some DLl that has:
|
||||||
* **NXCompat: False**
|
* **NXCompat: False**
|
||||||
* **OS Dll: True**
|
* **OS Dll: True**
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (35) (1).png>)
|
![](<../.gitbook/assets/image (35).png>)
|
||||||
|
|
||||||
Now, inside this memory you should find some JMP ESP bytes, to do that execute:
|
Now, inside this memory you should find some JMP ESP bytes, to do that execute:
|
||||||
|
|
||||||
|
@ -193,7 +193,7 @@ Now, inside this memory you should find some JMP ESP bytes, to do that execute:
|
||||||
|
|
||||||
**Then, if some address is found, choose one that don't contain any badchar:**
|
**Then, if some address is found, choose one that don't contain any badchar:**
|
||||||
|
|
||||||
![](<../.gitbook/assets/image (36) (1).png>)
|
![](<../.gitbook/assets/image (36).png>)
|
||||||
|
|
||||||
**In this case, for example: \_0x5f4a358f**\_
|
**In this case, for example: \_0x5f4a358f**\_
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -231,7 +231,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
|
||||||
|
|
||||||
* [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
|
* [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
|
||||||
|
|
||||||
<img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -266,7 +266,7 @@ Opera **stores browser history and download data in the exact same format as Goo
|
||||||
* **Browser’s built-in anti-phishing:** `grep --color 'fraud_protection_enabled' ~/Library/Application Support/com.operasoftware.Opera/Preferences`
|
* **Browser’s built-in anti-phishing:** `grep --color 'fraud_protection_enabled' ~/Library/Application Support/com.operasoftware.Opera/Preferences`
|
||||||
* **fraud\_protection\_enabled** should be **true**
|
* **fraud\_protection\_enabled** should be **true**
|
||||||
|
|
||||||
<img src="../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -111,7 +111,7 @@ Other tables inside this database contain more interesting information:
|
||||||
* **deleted\_fields**: Dropbox deleted files
|
* **deleted\_fields**: Dropbox deleted files
|
||||||
* **date\_added**
|
* **date\_added**
|
||||||
|
|
||||||
<img src="../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -84,7 +84,7 @@ After that, the neighborhood between the legitimate EIGRP routers is established
|
||||||
|
|
||||||
EIGRP Neighborship with GW1 (10.10.100.100):
|
EIGRP Neighborship with GW1 (10.10.100.100):
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
EIGRP Neighborship with GW2 (10.10.100.200):
|
EIGRP Neighborship with GW2 (10.10.100.200):
|
||||||
|
|
||||||
|
@ -141,7 +141,7 @@ Arguments of the script:
|
||||||
|
|
||||||
**Our host seems to be in trouble :)**
|
**Our host seems to be in trouble :)**
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (6) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
As you can see, the host loses connectivity to host **172.16.100.140/32** due to route injection.
|
As you can see, the host loses connectivity to host **172.16.100.140/32** due to route injection.
|
||||||
|
|
||||||
|
@ -149,7 +149,7 @@ As you can see, the host loses connectivity to host **172.16.100.140/32** due to
|
||||||
|
|
||||||
To establish EIGRP neighbors, **routers use special K-values.** They must be the same among all EIGRP neighbors. If at least one K-value does not match, the EIGRP domain will crash and the neighborhood will be broken. We will use [**relationshipnightmare.py**](https://github.com/in9uz/EIGRPWN/blob/main/relationshipnightmare.py) **** to perform this attack**.**
|
To establish EIGRP neighbors, **routers use special K-values.** They must be the same among all EIGRP neighbors. If at least one K-value does not match, the EIGRP domain will crash and the neighborhood will be broken. We will use [**relationshipnightmare.py**](https://github.com/in9uz/EIGRPWN/blob/main/relationshipnightmare.py) **** to perform this attack**.**
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (12).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (12) (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Script arguments:
|
Script arguments:
|
||||||
|
|
||||||
|
@ -163,7 +163,7 @@ Script arguments:
|
||||||
~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100
|
~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (9).png" alt=""><figcaption><p>Dump of traffic during a neighborhood disruption</p></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (9) (3).png" alt=""><figcaption><p>Dump of traffic during a neighborhood disruption</p></figcaption></figure>
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (27).png" alt=""><figcaption><p>GW1 router endlessly disconnects and reconnects EIGRP</p></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (27).png" alt=""><figcaption><p>GW1 router endlessly disconnects and reconnects EIGRP</p></figcaption></figure>
|
||||||
|
|
||||||
|
|
|
@ -66,7 +66,7 @@ When tickets are set to be **stored** as a **file** on **disk**, the standard fo
|
||||||
klist /tmp/krb5cc_0
|
klist /tmp/krb5cc_0
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
For an attacker re-using a CCACHE Ticket is very easy. To **re-use** a valid CCACHE Ticket, **export** **KRB5CCNAME** to the **path** of the valid ticket file. The system should recognize the environment variable and will attempt to use that credential material when interacting with the domain.
|
For an attacker re-using a CCACHE Ticket is very easy. To **re-use** a valid CCACHE Ticket, **export** **KRB5CCNAME** to the **path** of the valid ticket file. The system should recognize the environment variable and will attempt to use that credential material when interacting with the domain.
|
||||||
|
|
||||||
|
@ -75,7 +75,7 @@ export KRB5CCNAME=/tmp/krb5cc_0
|
||||||
klist
|
klist
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
#### **Unix Keyring**
|
#### **Unix Keyring**
|
||||||
|
|
||||||
|
@ -89,11 +89,11 @@ CCACHE Tickets **** can also be **stored** in **** the Linux **keyring**. The ke
|
||||||
|
|
||||||
Depending on how the administrator scoped the ticket stored inside of the Unix keyring, parsing it out may be difficult. However, the **default** **scope** for CCACHE Tickets in the Unix keyring is **`KEYRING:persistent:uidnumber`**. Fortunately if you are in the **context** of the **user**, `klist` can **parse** this information for us.
|
Depending on how the administrator scoped the ticket stored inside of the Unix keyring, parsing it out may be difficult. However, the **default** **scope** for CCACHE Tickets in the Unix keyring is **`KEYRING:persistent:uidnumber`**. Fortunately if you are in the **context** of the **user**, `klist` can **parse** this information for us.
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (8).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
As an attacker, **re-using a CCACHE** Ticket stored in the Unix **keyring** is fairly **difficult** depending on how the ticket is scoped. Fortunately [@Zer1t0](https://github.com/Zer1t0) from [@Tarlogic](https://twitter.com/Tarlogic) has built a tool that can extract Kerberos tickets from the Unix keyring. The tool is called **Tickey** and can be found [**here**](https://github.com/TarlogicSecurity/tickey).
|
As an attacker, **re-using a CCACHE** Ticket stored in the Unix **keyring** is fairly **difficult** depending on how the ticket is scoped. Fortunately [@Zer1t0](https://github.com/Zer1t0) from [@Tarlogic](https://twitter.com/Tarlogic) has built a tool that can extract Kerberos tickets from the Unix keyring. The tool is called **Tickey** and can be found [**here**](https://github.com/TarlogicSecurity/tickey).
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (9).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
### Keytab <a href="#ff38" id="ff38"></a>
|
### Keytab <a href="#ff38" id="ff38"></a>
|
||||||
|
|
||||||
|
@ -107,7 +107,7 @@ Keytab files can be used to **obtain a valid ticket granting ticket** (TGT) for
|
||||||
|
|
||||||
Parsing a Keytab file is very easy, and can be accomplished a few ways. The easiest way to **parse** a **keytab** file is with **klist**. The second way utilizes a great python utility that [Cody Thomas](https://medium.com/u/645ffcef8682?source=post\_page-----77e73d837d6a--------------------------------) has created. His **** [**KeytabParser**](https://github.com/its-a-feature/KeytabParser) **** project will parse out the principal and its relevant encrypted keys.
|
Parsing a Keytab file is very easy, and can be accomplished a few ways. The easiest way to **parse** a **keytab** file is with **klist**. The second way utilizes a great python utility that [Cody Thomas](https://medium.com/u/645ffcef8682?source=post\_page-----77e73d837d6a--------------------------------) has created. His **** [**KeytabParser**](https://github.com/its-a-feature/KeytabParser) **** project will parse out the principal and its relevant encrypted keys.
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (36).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (11).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Attackers can **re-use credentials stored in keytab files by generating a CCACHE Ticket** through the kinit binary.
|
Attackers can **re-use credentials stored in keytab files by generating a CCACHE Ticket** through the kinit binary.
|
||||||
|
|
||||||
|
@ -119,7 +119,7 @@ klist -k /rtc/krb5.keytab
|
||||||
kinit -kt /etc/krb5.keytab host/bastion.westeros.local@WESTEROS.LOCAL
|
kinit -kt /etc/krb5.keytab host/bastion.westeros.local@WESTEROS.LOCAL
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (6).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
### Cheatsheet
|
### Cheatsheet
|
||||||
|
|
||||||
|
@ -203,7 +203,7 @@ ipa sudorule-show <sudorule> --all
|
||||||
|
|
||||||
Each **role** contains a set of **privileges**, and those respective privileges contain a **set** of **permissions**. Roles can be **applied to Users**, User **Groups**, **Hosts**, Host Groups, and Services. To illustrate this concept let’s discuss the default “User Administrator” role in FreeIPA.
|
Each **role** contains a set of **privileges**, and those respective privileges contain a **set** of **permissions**. Roles can be **applied to Users**, User **Groups**, **Hosts**, Host Groups, and Services. To illustrate this concept let’s discuss the default “User Administrator” role in FreeIPA.
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (38).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (12).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
As the screenshot above shows the “User Administrator” role contains the following privileges:
|
As the screenshot above shows the “User Administrator” role contains the following privileges:
|
||||||
|
|
||||||
|
@ -213,7 +213,7 @@ As the screenshot above shows the “User Administrator” role contains the fol
|
||||||
|
|
||||||
We can drill down further and enumerate the **permissions** delegated to each **privilege**:
|
We can drill down further and enumerate the **permissions** delegated to each **privilege**:
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (39).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
As we can see the “**User Administrator**” role contains quite **a lot of permissions** inside of the environment. Understanding the general concept and structure of **roles**, **privileges**, and **permissions** can be critical to identifying attack paths throughout an environment.
|
As we can see the “**User Administrator**” role contains quite **a lot of permissions** inside of the environment. Understanding the general concept and structure of **roles**, **privileges**, and **permissions** can be critical to identifying attack paths throughout an environment.
|
||||||
|
|
||||||
|
@ -245,19 +245,19 @@ If you can **create a new user with the name `root`**, you can impersonate him a
|
||||||
|
|
||||||
The "**User Administrators**" privilege, is very powerful (as its name indicates it):
|
The "**User Administrators**" privilege, is very powerful (as its name indicates it):
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (40).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
With this privilege comes a lot of different power to affect users inside the environment. Using this privilege we can **make a new user inside the FreeIPA domain named **_**root**._
|
With this privilege comes a lot of different power to affect users inside the environment. Using this privilege we can **make a new user inside the FreeIPA domain named **_**root**._
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (37).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Once the user is created in the domain we can **obtain a ticket for the account with **_**kinit**_.
|
Once the user is created in the domain we can **obtain a ticket for the account with **_**kinit**_.
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (35).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (10).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Now we can attempt to **SSH** using our newly created root domain account.
|
Now we can attempt to **SSH** using our newly created root domain account.
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (33).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
As shown this **drops the user into the local root account**! So simply by creating a domain user for a local user we were able to authenticate using the _root@WESTEROS.LOCAL_ account and obtain the **user context of the local root account**_._
|
As shown this **drops the user into the local root account**! So simply by creating a domain user for a local user we were able to authenticate using the _root@WESTEROS.LOCAL_ account and obtain the **user context of the local root account**_._
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -508,7 +508,7 @@ If you only have `hostIPC=true`, you most likely can't do much. If any process o
|
||||||
|
|
||||||
The second technique explained in the post [https://labs.f-secure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/](https://labs.f-secure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/) indicates how you can abuse bind mounts with user namespaces, to affect files inside the host (in that specific case, delete files).
|
The second technique explained in the post [https://labs.f-secure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/](https://labs.f-secure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/) indicates how you can abuse bind mounts with user namespaces, to affect files inside the host (in that specific case, delete files).
|
||||||
|
|
||||||
<img src="../../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -557,7 +557,7 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new
|
||||||
* [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket)
|
* [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket)
|
||||||
* [https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4)
|
* [https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4)
|
||||||
|
|
||||||
<img src="../../../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -345,7 +345,7 @@ If you are inside a filesystem with the **read-only and noexec protections** the
|
||||||
* [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
|
* [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
|
||||||
* [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
|
* [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -86,7 +86,7 @@ After installing Certificate SSL endpoints also working fine tested using → [h
|
||||||
After installing the certificate this way Firefox for Android won't use it (based on my tests), so use a different browser.
|
After installing the certificate this way Firefox for Android won't use it (based on my tests), so use a different browser.
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -147,7 +147,7 @@ In this tutorial you have hooked methods using the name of the mathod and _.impl
|
||||||
|
|
||||||
You can see that in [the next tutorial](frida-tutorial-2.md).
|
You can see that in [the next tutorial](frida-tutorial-2.md).
|
||||||
|
|
||||||
<img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# iOS Pentesting Checklist
|
# iOS Pentesting Checklist
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -118,7 +118,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# iOS Pentesting
|
# iOS Pentesting
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -382,7 +382,7 @@ struct CGSize {
|
||||||
|
|
||||||
However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download\_freeware/).
|
However, the best options to disassemble the binary are: [**Hopper**](https://www.hopperapp.com/download.html?) and [**IDA**](https://www.hex-rays.com/products/ida/support/download\_freeware/).
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -742,7 +742,7 @@ Jun 7 13:42:14 iPhone touch[9708] <Notice>: MS:Notice: Injecting: (null) [touch
|
||||||
...
|
...
|
||||||
```
|
```
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -1166,7 +1166,7 @@ You can find the **libraries used by an application** by running **`otool`** aga
|
||||||
* [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS)
|
* [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS)
|
||||||
* [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2)
|
* [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2)
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -118,7 +118,7 @@ Steps to configure Burp as proxy:
|
||||||
|
|
||||||
* Click on _**Ok**_ and the in _**Apply**_
|
* Click on _**Ok**_ and the in _**Apply**_
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -323,7 +323,7 @@ Entry_1:
|
||||||
Command: rmg enum {IP} {PORT}
|
Command: rmg enum {IP} {PORT}
|
||||||
```
|
```
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -60,7 +60,7 @@ Content-Length: 267
|
||||||
|
|
||||||
* `port:15672 http`
|
* `port:15672 http`
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -43,11 +43,11 @@ sudo loki_gtk.py
|
||||||
|
|
||||||
You also need to specify the path to the dictionary in order to bruteforce the encrypted key. Be sure to uncheck the **Use Bruteforce** option, otherwise Loki will bruteforce the password without using the dictionary.
|
You also need to specify the path to the dictionary in order to bruteforce the encrypted key. Be sure to uncheck the **Use Bruteforce** option, otherwise Loki will bruteforce the password without using the dictionary.
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (11).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (11) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Now we have to wait for an administrator to log into the device through the TACACS server. It is assumed that the network administrator has already logged in, and we, **standing in the middle via ARP spoofing**, intercept the traffic. And in doing so, the legitimate hosts don’t realize that someone else has interfered with their connection.
|
Now we have to wait for an administrator to log into the device through the TACACS server. It is assumed that the network administrator has already logged in, and we, **standing in the middle via ARP spoofing**, intercept the traffic. And in doing so, the legitimate hosts don’t realize that someone else has interfered with their connection.
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (8).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (8) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Now click the **CRACK** button and wait for **Loki** to break the password.
|
Now click the **CRACK** button and wait for **Loki** to break the password.
|
||||||
|
|
||||||
|
@ -65,7 +65,7 @@ We see which banner was used.
|
||||||
|
|
||||||
We find the username of the user `admin`
|
We find the username of the user `admin`
|
||||||
|
|
||||||
<figure><img src="../.gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../.gitbook/assets/image (7) (2).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
As a result, **we have the `admin:secret1234` credentials,** which can be used to access the hardware itself. **I think I’ll check their validity.**
|
As a result, **we have the `admin:secret1234` credentials,** which can be used to access the hardware itself. **I think I’ll check their validity.**
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -307,7 +307,7 @@ id_rsa
|
||||||
* You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
|
* You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
|
||||||
* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
|
* [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -86,7 +86,7 @@ Command line tool to brute-force websites using cookies crafted with flask-unsig
|
||||||
|
|
||||||
[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
|
[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -40,7 +40,7 @@ You can expose **management servlets** via the following paths within JBoss (dep
|
||||||
inurl:status EJInvokerServlet
|
inurl:status EJInvokerServlet
|
||||||
```
|
```
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -120,7 +120,7 @@ find / -name "config.php" 2>/dev/null | grep "moodle/config.php"
|
||||||
/usr/local/bin/mysql -u <username> --password=<password> -e "use moodle; select email,username,password from mdl_user; exit"
|
/usr/local/bin/mysql -u <username> --password=<password> -e "use moodle; select email,username,password from mdl_user; exit"
|
||||||
```
|
```
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -40,7 +40,7 @@ If `==` is used in PHP, then there are unexpected cases where the comparison doe
|
||||||
|
|
||||||
PHP comparison tables: [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)
|
PHP comparison tables: [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)
|
||||||
|
|
||||||
![](<../../../.gitbook/assets/image (40) (1).png>)
|
![](<../../../.gitbook/assets/image (40).png>)
|
||||||
|
|
||||||
{% file src="../../../.gitbook/assets/EN-PHP-loose-comparison-Type-Juggling-OWASP (1).pdf" %}
|
{% file src="../../../.gitbook/assets/EN-PHP-loose-comparison-Type-Juggling-OWASP (1).pdf" %}
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -133,7 +133,7 @@ AutoRepeater Burp Extension: Add a replacement rule
|
||||||
* `Match: v2 (higher version)`
|
* `Match: v2 (higher version)`
|
||||||
* `Replace: v1 (lower version)`
|
* `Replace: v1 (lower version)`
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -223,7 +223,7 @@ kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0
|
||||||
* [**API-fuzzer**](https://github.com/Fuzzapi/API-fuzzer): API\_Fuzzer gem accepts a API request as input and returns vulnerabilities possible in the API.
|
* [**API-fuzzer**](https://github.com/Fuzzapi/API-fuzzer): API\_Fuzzer gem accepts a API request as input and returns vulnerabilities possible in the API.
|
||||||
* [**race-the-web**](https://github.com/TheHackerDev/race-the-web): Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) _simultaneously_, and then compares the responses from the server for uniqueness.
|
* [**race-the-web**](https://github.com/TheHackerDev/race-the-web): Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) _simultaneously_, and then compares the responses from the server for uniqueness.
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -99,7 +99,7 @@ curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-conten
|
||||||
curl -s -X GET https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
|
curl -s -X GET https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
|
||||||
```
|
```
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -210,7 +210,7 @@ Using the correct credentials you can upload a file. In the response the path wi
|
||||||
|
|
||||||
Also there is a **faster way** to brute-force credentials using **`system.multicall`** as you can try several credentials on the same request:
|
Also there is a **faster way** to brute-force credentials using **`system.multicall`** as you can try several credentials on the same request:
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (34).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
**Bypass 2FA**
|
**Bypass 2FA**
|
||||||
|
|
||||||
|
@ -281,7 +281,7 @@ wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detec
|
||||||
#You can try to bruteforce the admin user using wpscan with "-U admin"
|
#You can try to bruteforce the admin user using wpscan with "-U admin"
|
||||||
```
|
```
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -423,7 +423,7 @@ Also, **only install trustable WordPress plugins and themes**.
|
||||||
* **Limit login attempts** to prevent Brute Force attacks
|
* **Limit login attempts** to prevent Brute Force attacks
|
||||||
* Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses.
|
* Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses.
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -123,7 +123,7 @@ The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vul
|
||||||
|
|
||||||
Example usage: `wcvs -u example.com`
|
Example usage: `wcvs -u example.com`
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -227,7 +227,7 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S
|
||||||
* [https://youst.in/posts/cache-poisoning-at-scale/](https://youst.in/posts/cache-poisoning-at-scale/)
|
* [https://youst.in/posts/cache-poisoning-at-scale/](https://youst.in/posts/cache-poisoning-at-scale/)
|
||||||
* [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
|
* [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -175,7 +175,7 @@ See the following documentation for further details and more complex examples:
|
||||||
* [**https://portswigger.net/web-security/clickjacking**](https://portswigger.net/web-security/clickjacking)
|
* [**https://portswigger.net/web-security/clickjacking**](https://portswigger.net/web-security/clickjacking)
|
||||||
* [**https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html)
|
* [**https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html)
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -231,7 +231,7 @@ The best prevention technique is to not use users input directly inside response
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -195,7 +195,7 @@ out of band request with the current username
|
||||||
* [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)\\
|
* [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)\\
|
||||||
* [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
|
* [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -67,7 +67,7 @@ All of them vulnerable to subdomain takeover. All of them were big brands. Talki
|
||||||
|
|
||||||
Nevertheless, recent phishing campaigns host content on domains with long domain names that include name of the brand (see [Apple example](https://www.phishtank.com/target\_search.php?target\_id=183\&valid=y\&active=All\&Search=Search)). Having valid SSL certificate (more on that below), keyword in domain name and website which mimics the website of targeted brand, people tend to fall into these attacks. Think about chances with a legitimate subdomain of this brand.
|
Nevertheless, recent phishing campaigns host content on domains with long domain names that include name of the brand (see [Apple example](https://www.phishtank.com/target\_search.php?target\_id=183\&valid=y\&active=All\&Search=Search)). Having valid SSL certificate (more on that below), keyword in domain name and website which mimics the website of targeted brand, people tend to fall into these attacks. Think about chances with a legitimate subdomain of this brand.
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -159,7 +159,7 @@ Until next time!
|
||||||
|
|
||||||
[Patrik](https://twitter.com/0xpatrik)
|
[Patrik](https://twitter.com/0xpatrik)
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -89,7 +89,7 @@ php vuln.php
|
||||||
|
|
||||||
{% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %}
|
{% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %}
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -45,7 +45,7 @@ Secondly, the request must be **triggerable in a web-browser cross-domain**. Bro
|
||||||
|
|
||||||
The way to test this missconfig is to **send 2 requests and smuggle one** in the **middle**. If the **smuggled** connection **affected** the response of the **second** **request**, it means that it's **vulnerable**:
|
The way to test this missconfig is to **send 2 requests and smuggle one** in the **middle**. If the **smuggled** connection **affected** the response of the **second** **request**, it means that it's **vulnerable**:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (1) (2) (2).png>)
|
![](<../../.gitbook/assets/image (1) (2) (2) (1).png>)
|
||||||
|
|
||||||
{% hint style="warning" %}
|
{% hint style="warning" %}
|
||||||
Note that you **cannot** test this vuln by just sending a **Content-Length bigger** than the one sent and **looking for a timeout** because some servers **respond** even if they **didn't receive the whole body**.
|
Note that you **cannot** test this vuln by just sending a **Content-Length bigger** than the one sent and **looking for a timeout** because some servers **respond** even if they **didn't receive the whole body**.
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -84,7 +84,7 @@ cmp original.jpg stego.jpg -b -l
|
||||||
If you find that a **text line** is **bigger** than it should be, then some **hidden information** could be included inside the **spaces** using invisible characters.\
|
If you find that a **text line** is **bigger** than it should be, then some **hidden information** could be included inside the **spaces** using invisible characters.\
|
||||||
To **extract** the **data**, you can use: [https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder](https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder)
|
To **extract** the **data**, you can use: [https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder](https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder)
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -218,7 +218,7 @@ To read a QR code: [https://online-barcode-reader.inliteresearch.com/](https://o
|
||||||
* [**https://0xrick.github.io/lists/stego/**](https://0xrick.github.io/lists/stego/)
|
* [**https://0xrick.github.io/lists/stego/**](https://0xrick.github.io/lists/stego/)
|
||||||
* [**https://github.com/DominicBreuker/stego-toolkit**](https://github.com/DominicBreuker/stego-toolkit)
|
* [**https://github.com/DominicBreuker/stego-toolkit**](https://github.com/DominicBreuker/stego-toolkit)
|
||||||
|
|
||||||
<img src="../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -489,11 +489,11 @@ Notice that the `userPrincipalName` in the certificate is `Administrator` and th
|
||||||
|
|
||||||
Then, we change back the `userPrincipalName` of `Jane` to be something else, like her original `userPrincipalName` `Jane@corp.local`.
|
Then, we change back the `userPrincipalName` of `Jane` to be something else, like her original `userPrincipalName` `Jane@corp.local`.
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (4) (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (4) (1) (3).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate.
|
Now, if we try to authenticate with the certificate, we will receive the NT hash of the `Administrator@corp.local` user. You will need to add `-domain <domain>` to your command line since there is no domain specified in the certificate.
|
||||||
|
|
||||||
<figure><img src="../../../.gitbook/assets/image (1) (2).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../../.gitbook/assets/image (1) (2) (2).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
## Weak Certificate Mappings - ESC10
|
## Weak Certificate Mappings - ESC10
|
||||||
|
|
||||||
|
|
|
@ -83,13 +83,13 @@ In the previous flow it was used the trust hash instead of the **clear text pass
|
||||||
|
|
||||||
The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes ‘\x00’:
|
The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes ‘\x00’:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (2) (1) (1).png>)
|
![](<../../.gitbook/assets/image (2) (1) (2).png>)
|
||||||
|
|
||||||
Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable.
|
Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable.
|
||||||
|
|
||||||
The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins:
|
The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (1) (1) (1) (1).png>)
|
![](<../../.gitbook/assets/image (1) (1) (1).png>)
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
|
|
|
@ -140,7 +140,7 @@ Uncompress the zip to where you’d like. Then, run the install script - `Instal
|
||||||
|
|
||||||
Lastly, just add a firewall rule to **open port 22**. Verify the SSH services are installed, and start them. Both of these services will need to be running for SSH to work.
|
Lastly, just add a firewall rule to **open port 22**. Verify the SSH services are installed, and start them. Both of these services will need to be running for SSH to work.
|
||||||
|
|
||||||
<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (1) (2).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
If you receive a `Connection reset` error, update permissions to allow **Everyone: Read & Execute** on the root OpenSSH directory.
|
If you receive a `Connection reset` error, update permissions to allow **Everyone: Read & Execute** on the root OpenSSH directory.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
@ -63,7 +63,7 @@ klist #List tickets in cache to cehck that mimikatz has loaded the ticket
|
||||||
|
|
||||||
* [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
|
* [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (10).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (10) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation**, providing real-time data you need to make informed decisions.
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -168,7 +168,7 @@ mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.loc
|
||||||
[dcsync.md](dcsync.md)
|
[dcsync.md](dcsync.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|
|
@ -39,7 +39,7 @@ The **MMC20.Application** object lacked explicit “[LaunchPermissions](https://
|
||||||
You can read more on that thread [here](https://twitter.com/tiraniddo/status/817532039771525120).\
|
You can read more on that thread [here](https://twitter.com/tiraniddo/status/817532039771525120).\
|
||||||
Viewing which other objects that have no explicit LaunchPermission set can be achieved using [@tiraniddo](https://twitter.com/tiraniddo)’s [OleView .NET](https://github.com/tyranid/oleviewdotnet), which has excellent Python filters (among other things). In this instance, we can filter down to all objects that have no explicit Launch Permission. When doing so, two objects stood out to me: `ShellBrowserWindow` and `ShellWindows`:
|
Viewing which other objects that have no explicit LaunchPermission set can be achieved using [@tiraniddo](https://twitter.com/tiraniddo)’s [OleView .NET](https://github.com/tyranid/oleviewdotnet), which has excellent Python filters (among other things). In this instance, we can filter down to all objects that have no explicit Launch Permission. When doing so, two objects stood out to me: `ShellBrowserWindow` and `ShellWindows`:
|
||||||
|
|
||||||
![](<../../.gitbook/assets/image (3) (1) (1) (1).png>)
|
![](<../../.gitbook/assets/image (3) (1) (1) (2).png>)
|
||||||
|
|
||||||
Another way to identify potential target objects is to look for the value `LaunchPermission` missing from keys in `HKCR:\AppID\{guid}`. An object with Launch Permissions set will look like below, with data representing the ACL for the object in Binary format:
|
Another way to identify potential target objects is to look for the value `LaunchPermission` missing from keys in `HKCR:\AppID\{guid}`. An object with Launch Permissions set will look like below, with data representing the ACL for the object in Binary format:
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
@ -217,7 +217,7 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="original">
|
||||||
|
|
||||||
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
|
||||||
|
|
||||||
|
|