akde/infosec

Information security is ultimately about managing risk


  • If you can reg­is­ter, do this, cre­ate a repo and go to set­tings -> githooks and there add a com­mand as post-receive hook like a reverse shell. See https://www.cvedetails.com/vulnerability-list/vendor_id-19185/product_id-49829/Gitea-Gitea.html


  • UDP 623 https://book.hacktricks.xyz/pentesting/623-udp-ipmi Metas­plot: scanner/ipmi/ipmi_version scanner/ipmi/ipmi_dumphashes ipmitool Tool for man­ag­ing IPMI See hack­tricks article


  • Registers General purpose registers Reg­is­ter x86 Reg­is­ter x64 Name Descrip­tion EAX RAX Accu­mu­la­tor For results of cal­cu­la­tions and return codes EBX RBX Base reg­is­ter Gen­er­al purpose ECX RCX Count reg­is­ter For num­ber of iter­a­tions, often used for loops EDX RDX Data reg­is­ter For data of cal­cu­la­tions or a point­er to large data ESI RSI Source index Point­er to a…


  • Keyboard functions CTRL+S Find sequence of commands SHIFT+F9 Pass exception


  • Assume you have a buffer over­flow vul­ner­a­bil­i­ty. You can con­trol the EIP. But your shell­code is nev­er executed. Your shell­code is exe­cut­ed when a ret instruc­tion is exe­cut­ed which calls the address you overwrite. But maybe the ret at the end of the func­tion where the buffer over­flow occurs is nev­er reached, because you over­wrote the…


  • SID Security Identifiers All ele­ments have attrib­ut­es. They are iden­ti­fied via a Secu­ri­ty Iden­ti­fi­er SID. The struc­ture of a SID: Exam­ple: The Domain Iden­ti­fi­er ist the SID with­out the last RID part. Exam­ples for well-known SIDs: Basic Windows security access control Security context Mandatory Integrity Control and integrity levels Win­dows (from Vista on) has five integri­ty levels:…


  • ASLR Address Space Lay­out Ran­dom­iza­tion is a tech­nique which ran­dom­izes address­es in the stack and heap. If address­es of func­tions are ran­dom­ized (e.g. from shared libraries like libc), then an attack­er can­not use a pre­de­fined exploit with hard-cod­ed addresses. Linux Dis­able ASLR: echo 0 > /proc/sys/kernel/randomize_va_space Enable ASLR: echo 2 > /proc/sys/kernel/randomize_va_space In GDB, ASLR is…


  • The stack can be pro­tect­ed against buffer overflows. Stack protection with canaries Like in a coal mine, a canary can pro­vide an indi­ca­tion if some­thing goes wrong. Here, a canary is a defined val­ues which is added between the buffer (where an attack­er will start writ­ing the pay­load) and the SFP Stack Frame Point­er and…


  • On the return-to-libc post, we described the process of inject­ing a sys­tem call with para­me­ters via envi­ron­ment vari­ables to start a new process. But this requires to exe­cute anoth­er pro­gram (which maybe no avail­able on the target). Instead of call­ing sys­tem we can call oth­er instruc­tions from some­where in the mem­o­ry. But it would be…


  • Assume that we detect­ed a buffer over­flow vul­ner­a­bil­i­ty, but we don’t have enough space on the stack for our shellcode or the bina­ry’s stack is marked as not-exe­cutable (DEP enabled). Then we can try to call a com­mon library which is also loaded (wie the plt). Walkthrough of a ret2lib attack Before we start, dis­able ASLR as…


  • https://gtfobins.github.io/gtfobins/snap/


  • Gen­er­al pur­pose debugger. Hint: gbd dis­ables ASRL by default.  Commands Gen­er­al set disassembly-flavor intel/att Process han­dling run runs a pro­gramm with­out parameters run `python -c 'print("a")'‘ runs a pro­gram with a parameter run < <(python -c 'print("a")') runs a pro­gram and enters the giv­en string into STDIN c continue si step one instruction Break­points break $f…


  • See also the Buffer Over­flow post Execute shellcode Sce­nario: You have shell­code. You want to run it to ana­lyze it in a debugger. On Windows Add the shell­code after the break­point with i686-w64-mingw32-cc s.c -o s.exex86_64-w64-mingw32-cc s.c -o s.exe and run it in a debugger. On Linux Add the shell­code after the break­point with gcc [-m32] s.c…


  • Bugs can only be found dur­ring fuzzing code, which is exe­cut­ed. But which parts of the code of a tar­get sys­tem is exe­cut­ing dur­ing a fuzzing ses­sion? And how we can improve our fuzzer to include also tests for code blocks which weren’t cov­ered before? Dynamorio We’ll use now Dynamor­io — a run­time code manip­u­la­tion…


  • Scapy fundamentals Com­mands for the inter­ac­tive scapy interpreter: conf.iface shows the cur­rent­ly used interface  conf.iface='tun0' sets the inter­face to use ls shows all protocols ls(TCP) shows all known head­ers for a giv­en protocol lsc shows build-in functions Details about a pack­et p: p shows gen­er­al information p.summary() shows also gen­er­al information p.show() shows each field and…


  • PE Portable Exe­cu­tung or DLL Dynam­ic Link­ing Libraries can be edit­ed to remove or add capa­bil­i­ties or own code. Read and modify a PE file The fol­low­ing Python3 script reads a file, prints out a head­er, mod­i­fied it to remove ASLR and write a new file with­out this flag. f = pefile.PE('filename.exe') print(hex(f.OPTIONAL_HEADER.DllCharacteristics)) // print as hex to…


  • This page con­tains var­i­ous unstruc­tured notes about cryp­to relat­ed things. General notes If you find some­where that some­thing should be ran­dom, but it isn’t, this is already an impor­tant finding. Stream Ciphers A stream cipher encrypts a clear­t­ext bit for bit or char­ac­ter for char­ac­ter (nor­mal­ly via XOR) with a secret key. It pro­duces a…


  • mit­m­dump is a proxy which can store and mod­i­fy content. Change content of a third-party site Sce­nario: You want to manip­u­late some con­tent from a web­site $tar­get visits. Per­form ARP-pois­en­ing with Bet­ter­cap, Etter­cap, the http_hijack.py script or some­how else. Start mit­m­dump in trans­par­ent mode:mitmdump --mode transparent --replace /~s/wars/trek/or alter­na­tive­ly to read the new con­tent from a…


  • Bypass HSTS is based on host­names. If a tar­get already vis­it­ed www.supersite.example, you can try to redi­rect the tar­get to a sim­i­lar domain which the brows­er nev­er vis­it­ed before and thus does­n’t has HSTS activated. Rewrite the Host HTTP head­er for your serv­er you want to imper­son­ate and add anoth­er char­ac­ter, e.g. wwww.supersite.example. You pre­pared…


  • SSLstrip works as proxy which replaces HTTPS ref­er­ences in HTTP, HTML, JS,.… respons­es with HTTP versions. Instal­la­tion: SSLstrip is old. Cre­ate a venv and install an old­er ver­sion of twist­ed: venv/bin/pip install Twisted==18.9.0 Remove HTTPS references via MitM Sce­nario: You want that $tar­get routes all HTTP traf­fic through your own system. Your sys­tem should remove each…


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';