diff --git a/.gitbook/assets/112217_0051_ExploitingX15.jpeg b/.gitbook/assets/112217_0051_ExploitingX15.jpeg new file mode 100644 index 00000000..8b4a8f32 Binary files /dev/null and b/.gitbook/assets/112217_0051_ExploitingX15.jpeg differ diff --git a/.gitbook/assets/112217_0051_ExploitingX16.jpeg b/.gitbook/assets/112217_0051_ExploitingX16.jpeg new file mode 100644 index 00000000..6a74ee07 Binary files /dev/null and b/.gitbook/assets/112217_0051_ExploitingX16.jpeg differ diff --git a/.gitbook/assets/112217_0051_ExploitingX17.jpeg b/.gitbook/assets/112217_0051_ExploitingX17.jpeg new file mode 100644 index 00000000..04e5734c Binary files /dev/null and b/.gitbook/assets/112217_0051_ExploitingX17.jpeg differ diff --git a/.gitbook/assets/112217_0051_ExploitingX18.jpeg b/.gitbook/assets/112217_0051_ExploitingX18.jpeg new file mode 100644 index 00000000..42e544dc Binary files /dev/null and b/.gitbook/assets/112217_0051_ExploitingX18.jpeg differ diff --git a/.gitbook/assets/112217_0051_ExploitingX19.jpeg b/.gitbook/assets/112217_0051_ExploitingX19.jpeg new file mode 100644 index 00000000..1b020bf0 Binary files /dev/null and b/.gitbook/assets/112217_0051_ExploitingX19.jpeg differ diff --git a/pentesting/6000-pentesting-x11.md b/pentesting/6000-pentesting-x11.md index 05c2c503..69d78a00 100644 --- a/pentesting/6000-pentesting-x11.md +++ b/pentesting/6000-pentesting-x11.md @@ -107,26 +107,25 @@ Other way: **Reverse Shell:** Xrdp also allows to take reverse shell via Netcat. Type in the following command: -**./xrdp.py \ –no-disp**\ -**** +**./xrdp.py \ –no-disp** -![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX15.jpg) +![](../.gitbook/assets/112217\_0051\_ExploitingX15.jpeg) It will prompt a new control pane where we can see the R-shell option, which is illustrated below: -![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX16.jpg) +![](../.gitbook/assets/112217\_0051\_ExploitingX16.jpeg) We will start the Netcat listening mode in our local system on port 5555, which is illustrated below: -![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX17.jpg) +![](../.gitbook/assets/112217\_0051\_ExploitingX17.jpeg) Then add the IP and port and then select R-Shell, which is illustrated below: -![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX18.jpg) +![](../.gitbook/assets/112217\_0051\_ExploitingX18.jpeg) Now as can be seen below we have complete system access: -![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217\_0051\_ExploitingX19.jpg) +![](../.gitbook/assets/112217\_0051\_ExploitingX19.jpeg) {% embed url="https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref" %} diff --git a/pentesting/pentesting-kubernetes/README.md b/pentesting/pentesting-kubernetes/README.md index c6d91eca..2cbcc326 100644 --- a/pentesting/pentesting-kubernetes/README.md +++ b/pentesting/pentesting-kubernetes/README.md @@ -48,6 +48,12 @@ Another important details about enumeration and Kubernetes permissions abuse is [hardening-roles-clusterroles](hardening-roles-clusterroles/) {% endcontent-ref %} +### Privesc to a different Namespace + +If you have compromised a namespace you can potentially escape to other namespaces with more interesting permissions/resources: + + + ### From Kubernetes to the Cloud If you have compromised a K8s account or a pod, you might be able able to move to other clouds. This is because in clouds like AWS or GCP is possible to **give a K8s SA permissions over the cloud**. diff --git a/pentesting/pentesting-web/symphony.md b/pentesting/pentesting-web/symphony.md index f2e58a9c..e6924785 100644 --- a/pentesting/pentesting-web/symphony.md +++ b/pentesting/pentesting-web/symphony.md @@ -1,7 +1,5 @@ # Symphony -**This page was copied from** [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)**** - ## Introduction Since its creation in 2008, the use of the [Symfony](https://symfony.com) framework has been growing more and more in PHP based applications. It is now a core component of many well known CMSs, such as [Drupal](https://www.drupal.org), [Joomla!](https://www.joomla.org), [eZPlatform](https://ezplatform.com) (formerly eZPublish), or [Bolt](https://bolt.cm), and is often used to build custom websites. @@ -511,8 +509,6 @@ The exploit will therefore run through every possible variable combination, and ## Accessing symphony /\_profiler information -(info taken from [https://flattsecurity.hatenablog.com/entry/2020/11/02/124807](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807)) - ![f:id:flattsecurity:20201021204553p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204553.png) As you see the screenshot above, there is `sf` logo on the right bottom side of the page. This logo is shown when the Symfony is under the debug mode. There are some cases that this logo doesn’t show up, so try accessing `/_profiler` and you will see the page as shown below @@ -528,3 +524,17 @@ The Symfony framework itself is very secure, but enabling debug mode will make t As you see in the screenshot above, you can access all sent requests to the server. By clicking hashes in the token, you will see that all POST parameters can be read, as seen in the following screenshot. With this feature, we can hijack the administrator and user’s account credentials. ![f:id:flattsecurity:20201021204637p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204637.png) + +### Other Debug Enabled Endpoints + +You should also check these URLs: + +* **https://example.com/app\_dev.php/\_profiler** +* **https://example.com/app\_dev.php**\ + + +## References + +* [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)**** +* [**https://flattsecurity.hatenablog.com/entry/2020/11/02/124807**](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807)**** +* ****[**https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144**](https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144)****