Let’s see in detail how attackers can trigger the flaw. The flaw could potentially impact billions of devices running the vulnerable software. Researchers from Qualys published a detailed analysis of the vulnerability once the bug had been fixed. OpenSSH maintainers have now released a security fix, but since the OpenSSH client is bundled into a broad range of software applications, many of them could remain vulnerable for a long time.

System enumeration as eddie – Find GPG private key in a Google Chrome log file – GPG2john – Cracking GPG hash – Decrypt GPG message to read a password.
System enumeration as www-data – MySQL credentials in the passbolt PHP file – Database enumeration – Find a PGP encrypted message.
Server Side Template Injection (SSTI – jinja2) – Access as “www-data” user.
Searching invite_code in a docker image file to create an account – Access AdminLTE3 demo and Roundcube mail.
Information leaked – Subdomain fuzzing.
Download and analysis of a docker image – db.sqlite3 file with user credentials – Password cracking – Access AdminLTE3 ( ).
Ubuntu 20.04.03 LTS – Focal
Active services: PORT
Abusing the -o curl param to modify the passwd file –.
Decompile treport binary using pyinstxtractor ( ) and pycdc ( ).
Sudoers user privilege – (root) NOPASSWD: /usr/bin/treport.
Local File Inclusion (LFI) in URL – Bypassing Path Traversal filtering using Unicode characters (Unicode Normalization Vulnerability) – ( ) – Get user credentials from db.yml file – Access as user “code” by ssh.
Generating a JSON Web Key (JWK) ( ) to create a modified JWT for admin user – Abusing Open Redirect to load the local JWK – Access to admin dashboard.
Port Discovery – Open port 10000 – SSH Local Port Forwarding – Microsoft Azure Storage – Get Azure Key from a backup – Connect to Azure Storage with a Local Storage Emulator – Get root id_rsa.
Obtaining clusterfs certs to mount Volume2 into local file system – Modifying the SSH authorized key – Access as “jennifer” user in a docker container.
Leaked app python code – Flask Server Side Template Injection (SSTI – jinja2) – Remote Command Execution (RCE) – Access as “www-data” user.
Access to Squid Proxy using curl --proxy.
GlusterFS Enumeration – Mounting Volume1 into local file system – MySQL /var/lib files – MariaDB 10.3.31 – Getting squid proxy user & password.
Linux flustered 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 () x86_64 GNU/Linux
Debian GNU/Linux 10 – buster
Active services: PORT
Create an evil script to steal user root id_rsa with a symlink.
Cron – Bash script executed by root periodically – /usr/bin/backup.sh – Using TAR command with “-h” param to follow symlinks.
Server Side Template Injection (SSTI – jinja2) – Remote Command Execution (RCE) – Access as “tom” user.
Bypass login panel using the JWT as an auth session cookie.
Creating a JWT for “admin” user with the secret found.
Obtain AWS access keys from Git commit – Get a secret key from lambda functions with aws tool.
/.git/ folder – Using GitHack to download the repository ( ).
Ubuntu 20.04.3 LTS – Focal
Active services: PORT
NOPASSWD: /sbin/service -> sudo service.
NOPASSWD: /bin/chmod -> sudo chmod u+s /bin/bash bash -p.
Sudoers multiple privileges as root user:
Password reuse for SSH access as root user.
Webmin – Shellshock attack – System access as “root” user.
VTiger CRM 5 – Upload an evil php file – Remote Command Execution (RCE) – System access as “asterisk” user.
Credentials in plain text in /etc/nf.