Saltar a contenido

Diego Collao (aka. 3KY)

Bypassing Security Filters

Diego Collao (aka. 3KY)

Home
Knowledge Base
Knowledge Base
- Index
  Index
  - About me
- Pentest Notes
  Pentest Notes
  - Cradles for Windows
  - Essential FFuF
  - Essential BloodyAD
    Essential BloodyAD
    
    Authentication Methods
    
    Get Examples
    
    Set Examples
    
    Add Examples
    
    Remove Examples
- Learning Paths (ESP)
  Learning Paths (ESP)
  - (HTB) Penetration Tester
    (HTB) Penetration Tester
    
    Reconnaissance, Enumeration and Attack Planning
    Reconnaissance, Enumeration and Attack Planning
    
    Network Enumeration with NMAP
    Network Enumeration with NMAP
    
    Introduction
    
    Host Enumeration
    Host Enumeration
    
    Host Discovery
    
    Host and Port Scanning
    
    Saving the Results
    
    Service Enumeration
    
    Nmap Scripting Engine
    
    Performance
    
    Bypass Security Measures
    Bypass Security Measures
    
    Firewall and IDS/IPS Evasion
    
    Footprinting
    Footprinting
    
    Introduction
    Introduction
    
    Enumeration Principles
    
    Enumeration Methodology
    
    Host Based Enumeration
    Host Based Enumeration
    
    FTP
    
    SMB
    
    NFS
    
    DNS
    
    SMTP
    
    IMAP - POP3
    
    SNMP
    
    MySQL
    
    MSSQL
    
    Oracle TNS
    
    IPMI
    
    Remote Management Protocols
    Remote Management Protocols
    
    Linux RMP
    
    Windows RMP
    
    Information Gathering
    Information Gathering
    
    Introduction
    Introduction
    
    Introduction
    
    WHOIS
    WHOIS
    
    WHOIS
    
    Utilising WHOIS
    
    DNS and Subdomains
    DNS and Subdomains
    
    DNS
    
    Digging DNS
    
    Subdomains
    
    Subdomain Bruteforcing
    
    DNS Zone Transfers
    
    Virtual Hosts
    
    Certificate Transparency Logs
    
    Fingerprinting
    Fingerprinting
    
    Fingerprinting
    
    Crawling
    Crawling
    
    Crawling
    
    robots.txt
    
    Well-Known URIs
    
    Creepy Crawlies
    
    Search Engine Discovery
    Search Engine Discovery
    
    Search Engine Discovery
    
    Web Archives
    Web Archives
    
    Web Archives
    
    Automating Recon
    Automating Recon
    
    Automating Recon
    
    Vulnerability Assessment
    Vulnerability Assessment
    
    Security Assessments
    Security Assessments
    
    Security Assessments
    
    Vulnerability Assessment
    
    Assessment Standards
    
    Vulnerability Scoring and Reporting
    Vulnerability Scoring and Reporting
    
    CVSS
    
    CVE
    
    Nessus
    Nessus
    
    Vulnerability Scanning Overview
    
    Getting Started with Nessus
    
    Nessus Scan
    
    Advanced Settings
    
    Working with Nessus Scan Output
    
    Scanning Issues
    
    OpenVAS
    OpenVAS
    
    Getting Started with OpenVAS
    
    OpenVAS Scan
    
    Exporting The Results
    
    Reporting
    Reporting
    
    Reporting
    
    File Transfers
    File Transfers
    
    Introduction
    Introduction
    
    File Transfers
    
    File Transfer Methods
    File Transfer Methods
    
    Windows File Transfer Methods
    
    Linux File Transfer Methods
    
    Transferring File with Code
    
    Miscellaneous File Transfer Methods
    
    Protected File Transfers
    
    Catching Files over HTTP-S
    
    Living off The Land
    
    Detect or Be Detected
    Detect or Be Detected
    
    Detection
    
    Evading Detection
    
    Shells and Payloads
    Shells and Payloads
    
    Introduction
    Introduction
    
    Shells Jack Us In, Payloads Deliver Us Shells
    
    CAT5 Securitys Engagement Preparation
    
    Shell Basics
    Shell Basics
    
    Anatomy of a Shell
    
    Bind Shells
    
    Reverse Shells
    
    Payloads
    Payloads
    
    Introduction to Payloads
    
    Automating Payloads and Delivery with Metasploit
    
    Crafting payloads with MSFvenom
    
    Windows Shells
    Windows Shells
    
    Infiltrating Windows
    
    UNIX Shells
    UNIX Shells
    
    Infiltrating Unix-Linux
    
    Spawning Interactive Shells
    
    Web Shells
    Web Shells
    
    Introduction to Web Shells
    
    Laudanum, One Webshell to Rule Them All
    
    Antak Webshell
    
    PHP Web Shells
    
    Additional Considerations
    Additional Considerations
    
    Detection and Prevention
    
    Metasploit Framework
    Metasploit Framework
    
    Introduction
    Introduction
    
    Preface
    
    Introduction to Metasploit
    
    Introduction to MSFconsole
    
    MSF Components
    MSF Components
    
    Modules
    
    Targets
    
    Payloads
    
    Encoders
    
    Databases
    
    Plugins and Mixins
    
    MSF Sessions
    MSF Sessions
    
    Sessions and Jobs
    
    Meterpreter
    
    Additional Features
    Additional Features
    
    Writing and Importing Modules
    
    Introduction to MSFVenom
    
    Firewall and IDS/IPS Evasion
    
    Exploitation and Lateral Movement
    Exploitation and Lateral Movement
    
    Password Attacks
    Password Attacks
    
    Introduction
    Introduction
    
    Theory of Protection
    
    Credential Storage
    
    John The Ripper
    
    Remote Password Attacks
    Remote Password Attacks
    
    Network Services
    
    Password Mutations
    
    Password Reuse and Default Passwords
    
    Windows Local Password Attacks
    Windows Local Password Attacks
    
    Attacking SAM
    
    Attacking LSASS
    
    Attacking AD and NTDS.dit
    
    Credential Hunting in Windows
    
    Linux Local Password Attacks
    Linux Local Password Attacks
    
    Credential Hunting in Linux
    
    Passwd, Shadow and Opasswd
    
    Windows Lateral Movement
    Windows Lateral Movement
    
    Pass the Hash (PtH)
    
    Pass the Ticket (PtT) from Windows
    
    Pass the Ticket (PtT) from Linux
    
    Cracking Files
    Cracking Files
    
    Protected Files
    
    Protected Archives
    
    Password Management
    Password Management
    
    Password Policies
    
    Password Managers
    
    Attacking Common Services
    Attacking Common Services
    
    Introduction
    Introduction
    
    Interacting with Common Services
    
    Protocol Specific Attacks
    Protocol Specific Attacks
    
    The Concept of Attacks
    
    Service Misconfigurations
    
    Finding Sensitive Information
    
    FTP
    FTP
    
    Attacking FTP
    
    Latest FTP Vulnerabilities
    
    SMB
    SMB
    
    Attacking SMB
    
    Latest SMB Vulnerabilities
    
    SQL Databases
    SQL Databases
    
    Attacking SQL Databases
    
    Latest SQL Vulnerabilities
    
    RDP
    RDP
    
    Attacking RDP
    
    Latest RDP Vulnerabilities
    
    DNS
    DNS
    
    Attacking DNS
    
    Latest DNS Vulnerabilities
    
    SMTP
    SMTP
    
    Attacking Email Services
    
    Latest Email Service Vulnerabilities
    
    Pivoting, Tunneling, and Port Forwarding
    Pivoting, Tunneling, and Port Forwarding
    
    Introduction
    Introduction
    
    Introduction to Pivoting, Tunneling and Port Forwarding
    
    The Networking Behind Pivoting
    
    Choosing The Dig Site and Starting Our Tunnels
    Choosing The Dig Site and Starting Our Tunnels
    
    Dynamic PF with SSH and SOCKS Tunneling
    
    Remote-Reverse PF with SSH
    
    Meterpreter Tunneling and PF
    
    Playing Pong with Socat
    Playing Pong with Socat
    
    Socat Redirection with a Reverse Shell
    
    Socat Redirection with a Bind Shell
    
    Pivoting Around Obstacles
    Pivoting Around Obstacles
    
    SSH for Windows plink.exe
    
    SSH Pivoting with sshuttle
    
    Web Server Pivoting with Rpivot
    
    PF with Windows Netsh
    
    Branching Out Our Tunnels
    Branching Out Our Tunnels
    
    DNS Tunneling with Dnscat2
    
    SOCKS5 Tunneling with Chisel
    
    ICMP Tunneling with SOCKS
    
    Double Pivots
    Double Pivots
    
    RDP and SOCKS Tunneling with SocksOverRDP
    
    Additional Considerations
    Additional Considerations
    
    Detection and Prevention
    
    Beyond this Module
    
    Active Directory Enumeration and Attacks
    Active Directory Enumeration and Attacks
    
    Setting The Stage
    Setting The Stage
    
    Introduction to AD Enumeration and Attacks
    
    Tools Of The Trade
    
    Scenario
    
    Initial Enumeration
    Initial Enumeration
    
    External Recon and Enumeration Principles
    
    Initial Enumeration of the Domain
    
    Sniffing out a Foothold
    Sniffing out a Foothold
    
    LLMNR NBT-NS Poisoning - from Linux
    
    LLMNR NBT-NS Poisoning - from Windows
    
    Sighting In, Hunting For A User
    Sighting In, Hunting For A User
    
    Password Spraying Overview
    
    Enumerating and Retrieving Password Policies
    
    Password Spraying - Making a Target User List
    
    Spray Responsibly
    Spray Responsibly
    
    Internal Password Spraying - from Linux
    
    Internal Password Spraying - from Windows
    
    Deeper Down the Rabbit Hole
    Deeper Down the Rabbit Hole
    
    Enumerating Security Controls
    
    Credentialed Enumeration - from Linux
    
    Credentialed Enumeration - from Windows
    
    Living Off the Land
    
    Cooking with Fire
    Cooking with Fire
    
    Kerberoasting - from Linux
    
    Kerberoasting - from Windows
    
    An ACE in the Hole
    An ACE in the Hole
    
    Access Control List (ACL) Abuse Primer
    
    ACL Enumeration
    
    ACL Abuse Tactics
    
    DCSync
    
    Stacking The Deck
    Stacking The Deck
    
    Privileged Access
    
    Kerberos Double Hop Problem
    
    Bleeding Edge Vulnerabilities
    
    Miscellaneous Misconfigurations
    
    Why So Trusting
    Why So Trusting
    
    Domain Trusts Primer
    
    Attacking Domain Trusts - Child - Parent Trusts - from Windows
    
    Attacking Domain Trusts - Child - Parent Trusts - from Linux
    
    Breaking Down Boundaries
    Breaking Down Boundaries
    
    Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
    
    Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
    
    Defensive Considerations
    Defensive Considerations
    
    Hardening Active Directory
    
    Additional AD Auditing Techniques
    
    Final Showdown
    Final Showdown
    
    Beyond this Module
    
    Web Exploitation
    Web Exploitation
    
    Using Web Proxies
    Using Web Proxies
    
    Getting Started
    Getting Started
    
    Intro to Web Proxies
    
    Setting Up
    
    Web Proxy
    Web Proxy
    
    Proxy Setup
    
    Intercepting Web Requests
    
    Intercepting Responses
    
    Automatic Modification
    
    Repeating Requests
    
    Encoding and Decoding
    
    Proxying Tools
    
    Web Fuzzer
    Web Fuzzer
    
    Burp Intruder
    
    ZAP Fuzzer
    
    Web Scanner
    Web Scanner
    
    Burp Scanner
    
    ZAP Scanner
    
    Extensions
    
    Attacking Web Applications with Ffuf
    Attacking Web Applications with Ffuf
    
    Introduction
    Introduction
    
    Introduction
    
    Web Fuzzing
    
    Basic Fuzzing
    Basic Fuzzing
    
    Directory Fuzzing
    
    Page Fuzzing
    
    Recursive Fuzzing
    
    Domain Fuzzing
    Domain Fuzzing
    
    DNS Records
    
    Sub-domain Fuzzing
    
    Vhost Fuzzing
    
    Filtering Results
    
    Parameter Fuzzing
    Parameter Fuzzing
    
    Parameter Fuzzing - GET
    
    Parameter Fuzzing - POST
    
    Value Fuzzing
    
    Login Brute Forcing
    Login Brute Forcing
    
    Introduction
    Introduction
    
    Introduction
    
    Password Security Fundamentals
    
    Brute Force Attacks
    Brute Force Attacks
    
    Brute Force Attacks
    
    Dictionary Attacks
    
    Hybrid Attacks
    
    Hydra
    Hydra
    
    Hydra
    
    Basic HTTP Authentication
    
    Login Forms
    
    Medusa
    Medusa
    
    Medusa
    
    Web Services
    
    Custom Wordlists
    Custom Wordlists
    
    Custom Wordlists
    
    SQL Injection Fundamentals
    SQL Injection Fundamentals
    
    Introduction
    Introduction
    
    Introduction
    
    Databases
    Databases
    
    Intro to Databases
    
    Types of Databases
    
    MySQL
    MySQL
    
    Intro to MySQL
    
    SQL Statements
    
    Query Results
    
    SQL Operators
    
    SQL Injections
    SQL Injections
    
    Intro to SQL Injections
    
    Subverting Query Logic
    
    Using Comments
    
    Union Clause
    
    Union Injection
    
    Exploitation
    Exploitation
    
    Database Enumeration
    
    Reading Files
    
    Writing Files
    
    Mitigations
    Mitigations
    
    Mitigating SQL Injection
    
    SQLMap Essentials
    SQLMap Essentials
    
    Getting Started
    Getting Started
    
    SQLMap Overview
    
    Getting Started with SQLMap
    
    SQLMap Output Description
    
    Building Attacks
    Building Attacks
    
    Running SQLMap on an HTTP Request
    
    Handling SQLMap Errors
    
    Attack Tuning
    
    Database Enumeration
    Database Enumeration
    
    Database Enumeration
    
    Advanced Database Enumeration
    
    Advanced SQLMap Usage
    Advanced SQLMap Usage
    
    Bypassing Web Application Protections
    
    OS Exploitation
    
    Cross-Site Scripting (XSS)
    Cross-Site Scripting (XSS)
    
    XSS Basics
    XSS Basics
    
    Intro to XSS
    
    Stored XSS
    
    Reflected XSS
    
    DOM XSS
    
    XSS Discovery
    
    XSS Attacks
    XSS Attacks
    
    Defacing
    
    Phishing
    
    Session Hijacking
    
    XSS Prevention
    XSS Prevention
    
    XSS Prevention
    
    File Inclusion
    File Inclusion
    
    Introduction
    Introduction
    
    Intro to File Inclusions
    
    File Disclosure
    File Disclosure
    
    Local File Inclusion (LFI)
    
    Basic Bypasses
    
    PHP Filters
    
    Remote Code Execution
    Remote Code Execution
    
    PHP Wrappers
    
    Remote File Inclusion (RFI)
    
    LFI and File Uploads
    
    Log Poisoning
    
    Automation and Prevention
    Automation and Prevention
    
    Automated Scanning
    
    File Inclusion Prevention
    
    File Upload Attacks
    File Upload Attacks
    
    Introduction
    Introduction
    
    Intro to File Upload Attacks
    
    Basic Exploitation
    Basic Exploitation
    
    Absent Validation
    
    Upload Exploitation
    
    Bypassing Filters
    Bypassing Filters
    
    Client-Side Validation
    
    Blacklist Filters
    
    Whitelist Filters
    
    Type Filters
    
    Other Upload Attacks
    Other Upload Attacks
    
    Limited File Uploads
    
    Other Upload Attacks
    
    Prevention
    Prevention
    
    Preventing File Upload Vulnerabilities
    
    Command Injections
    Command Injections
    
    Introduction
    Introduction
    
    Intro to Command Injections
    
    Exploitation
    Exploitation
    
    Detection
    
    Injecting Commands
    
    Other Injection Operators
    
    Filter Evasion
    Filter Evasion
    
    Identifying Filters
    
    Bypassing Space Filters
    
    Bypassing Other Blacklisted Characters
    
    Bypassing Blacklisted Commands
    
    Advanced Command Obfuscation
    
    Evasion Tools
    
    Prevention
    Prevention
    
    Command Injection Prevention
    
    Web Attacks
    Web Attacks
    
    Introduction
    Introduction
    
    Introduction to Web Attacks
    
    HTTP Verb Tampering
    HTTP Verb Tampering
    
    Intro to HTTP Verb Tampering
    
    Bypassing Basic Authentication
    
    Bypassing Security Filters Bypassing Security Filters
    Tabla de contenidos
    
    Identify
    
    Exploit
    
    Verb Tampering Prevention
    
    Insecure Direct Object References (IDOR)
    Insecure Direct Object References (IDOR)
    
    Intro to IDOR
    
    Identifying IDORs
    
    Mass IDOR Enumeration
    
    Bypassing Encoded References
    
    IDOR in Insecure APIs
    
    Chaining IDOR Vulnerabilities
    
    IDOR Prevention
    
    XXE Injection
    XXE Injection
    
    Intro to XXE
    
    Local File Disclosure
    
    Advanced File Disclosure
    
    Blind Data Exfiltration
    
    XXE Prevention
    
    Attacking Common Applications
    Attacking Common Applications
    
    Setting the Stage
    Setting the Stage
    
    Introduction to Attacking Common Applications
    
    Application Discovery and Enumeration
    
    Content Management Systems (CMS)
    Content Management Systems (CMS)
    
    WordPress - Discovery and Enumeration
    
    Attacking WordPress
    
    Joomla - Discovery and Enumeration
    
    Attacking Joomla
    
    Drupal - Discovery and Enumeration
    
    Attacking Drupal
    
    Servlet Containers and Software Development
    Servlet Containers and Software Development
    
    Tomcat - Discovery and Enumeration
    
    Attacking Tomcat
    
    Jenkins - Discovery and Enumeration
    
    Attacking Jenkins
    
    Infrastructure and Network Monitoring Tools
    Infrastructure and Network Monitoring Tools
    
    Splunk - Discovery and Enumeration
    
    Attacking Splunk
    
    PRTG Network Monitor
    
    Customer Service Mgmt and Configuration Management
    Customer Service Mgmt and Configuration Management
    
    osTicket
    
    GitLab - Discovery and Enumeration
    
    Attacking GitLab
    
    Common Gateway Interfaces
    Common Gateway Interfaces
    
    Attacking Tomcat CGI
    
    Attacking CGI Applications - Shellshock
    
    Thick Client Applications
    Thick Client Applications
    
    Attacking Thick Client Applications
    
    Exploiting Web Vulnerabilities in Thick-Client Applications
    
    Miscellaneous Applications
    Miscellaneous Applications
    
    ColdFusion - Discovery and Enumeration
    
    Attacking ColdFusion
    
    IIS Tilde Enumeration
    
    Attacking LDAP
    
    Web Mass Assignment Vulnerabilities
    
    Attacking Applications Connecting to Services
    
    Other Notable Applications
    
    Closing Out
    Closing Out
    
    Application Hardening
    
    Post-Exploitation
    Post-Exploitation
    
    Linux Privilege Escalation
    Linux Privilege Escalation
    
    Introduction
    Introduction
    
    Introduction to Linux Privilege Escalation
    
    Information Gathering
    Information Gathering
    
    Environment Enumeration
    
    Linux Services and Internals Enumeration
    
    Credential Hunting
    
    Environment-based Privilege Escalation
    Environment-based Privilege Escalation
    
    Path Abuse
    
    Wildcard Abuse
    
    Escaping Restricted Shells
    
    Permissions-based Privilege Escalation
    Permissions-based Privilege Escalation
    
    Special Permissions
    
    Sudo Rights Abuse
    
    Privileged Groups
    
    Capabilities
    
    Service-based Privilege Escalation
    Service-based Privilege Escalation
    
    Vulnerable Services
    
    Cron Job Abuse
    
    LXD
    
    Docker
    
    Kubernetes
    
    Logrotate
    
    Miscellaneous Techniques
    
    Linux Internals-based Privilege Escalation
    Linux Internals-based Privilege Escalation
    
    Kernel Exploits
    
    Shared Libraries
    
    Shared Object Hijacking
    
    Python Library Hijacking
    
    Recent 0-Days
    Recent 0-Days
    
    Sudo
    
    Polkit
    
    Dirty Pipe
    
    Netfilter
    
    Hardening Considerations
    Hardening Considerations
    
    Linux Hardening
    
    Windows Privilege Escalation
    Windows Privilege Escalation
    
    Introduction
    Introduction
    
    Introduction to Windows Privilege Escalation
    
    Useful Tools
    
    Getting the Lay of the Land
    Getting the Lay of the Land
    
    Situational Awareness
    
    Initial Enumeration
    
    Communication with Processes
    
    Windows Users Privileges
    Windows Users Privileges
    
    Windows Privileges Overview
    
    SeImpersonate and SeAssignPrimaryToken
    
    SeDebugPrivilege
    
    SeTakeOwnershipPrivilege
    
    Windows Group Privileges
    Windows Group Privileges
    
    Windows Built-in Groups
    
    Event Log Readers
    
    DnsAdmins
    
    Hyper-V Administrators
    
    Print Operators
    
    Server Operators
    
    Attacking the OS
    Attacking the OS
    
    User Account Control
    
    Weak Permissions
    
    Kernel Exploits
    
    Vulnerable Services
    
    DLL Injection
    
    Credential Theft
    Credential Theft
    
    Credential Hunting
    
    Other Files
    
    Further Credential Theft
    
    Restricted Environments
    Restricted Environments
    
    Citrix Breakout
    
    Additional Techniques
    Additional Techniques
    
    Interacting with Users
    
    Pillaging
    
    Miscellaneous Techniques
    
    Dealing with End of Life Systems
    Dealing with End of Life Systems
    
    Legacy Operating Systems
    
    Windows Server
    
    Windows Desktop Versions
    
    Closing Thoughts
    Closing Thoughts
    
    Windows Hardening
    
    Reporting and Capstone
    Reporting and Capstone
    
    Documentation and Reporting
    Documentation and Reporting
    
    Introduction
    Introduction
    
    Introduction to Documentation and Reporting
    
    Preparation
    Preparation
    
    Notetaking and Organization
    
    Types of Reports
    
    Components of a Report
    
    Reporting
    Reporting
    
    How to Write Up a Finding
    
    Reporting Tips and Tricks
    
    Next Steps
    Next Steps
    
    Beyond this Module
    
    Attacking Enterprise Networks
    Attacking Enterprise Networks
    
    Pre-Engagement
    Pre-Engagement
    
    Intro to Attacking Enterprise Networks
    
    Scenario and Kickoff
    
    External Testing
    External Testing
    
    External Information Gathering
    
    Service Enumeration and Exploitation
    
    Web Enumeration and Exploitation
    
    Initial Access
    
    Internal Testing
    Internal Testing
    
    Post-Exploitation Persistence
    
    Internal Information Gathering
    
    Exploitation and Privilege Escalation
    
    Lateral Movement and Privilege Escalation
    Lateral Movement and Privilege Escalation
    
    Lateral Movement
    
    Active Directory Compromise
    
    Post-Exploitation
    
    Wrapping Up
    Wrapping Up
    
    Engagement Closeout
    
    Beyond this Module
  - (HTB) Other Modules
    (HTB) Other Modules
    
    Introduction to Active Directory
    Introduction to Active Directory
    
    Active Directory Overview
    Active Directory Overview
    
    Why Active Directory?
    
    Active Directory Research Over the Years
    
    Active Directory Fundamentals
    Active Directory Fundamentals
    
    Active Directory Structure
    
    Active Directory Terminology
    
    Active Directory Objects
    
    Active Directory Functionality
    
    Active Directory Protocols
    Active Directory Protocols
    
    Kerberos, DNS, LDAP, MSRPC
    
    NTLM Authentication
    
    All About Users
    All About Users
    
    User and Machine Accounts
    
    Active Directory Groups
    
    Active Directory Rights and Privileges
    
    Digging in Deeper
    Digging in Deeper
    
    Security in Active Directory
    
    Examining Group Policy
    
    Getting Our Hands Dirty
    Getting Our Hands Dirty
    
    AD Administration: Guided Lab Part I
    
    AD Administration: Guided Lab Part II
    
    Module Summary
    Module Summary
    
    Wrapping It Up
    
    Intro to Binary Exploitation
    Intro to Binary Exploitation
    
    Introduction to Python 3
    Introduction to Python 3
    
    Introduction to Python 3
    Introduction to Python 3
    
    What is Python?
    
    Python Fundamentals
    Python Fundamentals
    
    Executing Python Code
    
    Introduction to Variables
    
    Conditional Statements and Loops
    
    Keeping It Simple and Smart
    Keeping It Simple and Smart
    
    Defining Functions
    
    Making Code Classy
    
    The Importance of Libraries
    The Importance of Libraries
    
    Introduction to Libraries
    
    Managing Libraries in Python
    
    The Importance of Libraries
    
    Word Extractor
    Word Extractor
    
    The First Iterations
    
    Continuously Improving The Code
    
    Further Improvements
    
    Turning it up to 11
    Turning it up to 11
    
    A Simple Bind Shell
    
    Managing Libraries in Python II
    
    Introduction to Assembly
    Introduction to Assembly
    
    Architecture
    Architecture
    
    Assembly Language
    
    Computer Architecture
    
    CPU Architecture
    
    Instruction Set Architecture
    
    Registers, Addresses, and Data Types
    
    Assembling & Debugging
    Assembling & Debugging
    
    Assembly File Structure
    
    Assembling & Disassembling
    
    GNU Debugger (GDB)
    
    Debugging with GDB
    
    Module Project
    Module Project
    
    Module Project
    
    Basic Instructions
    Basic Instructions
    
    Data Movement
    
    Arithmetic Instructions
    
    Control Instructions
    Control Instructions
    
    Loops
    
    Unconditional Branching
    
    Conditional Branching
    
    Functions
    Functions
    
    Using the Stack
    
    Syscalls
    
    Procedures
    
    Functions
    
    Libc Functions
    
    Shellcoding
    Shellcoding
    
    Shellcodes
    
    Shellcoding Techniques
    
    Shellcoding Tools
HTB
Github
Linkedin

Bypassing Security Filters

El otro tipo más común de vulnerabilidad por HTTP Verb Tampering es causado por errores de Insecure Coding cometidos durante el desarrollo de la aplicación web, lo que lleva a que la aplicación no cubra todos los métodos HTTP en ciertas funcionalidades. Esto se encuentra comúnmente en filtros de seguridad que detectan solicitudes maliciosas. Por ejemplo, si un filtro de seguridad se utiliza para detectar vulnerabilidades de inyección y solo verifica las inyecciones en los parámetros de POST (e.g. $_POST['parameter']), podría ser posible evadirlo simplemente cambiando el método de solicitud a GET.

Identify

En la aplicación web File Manager, si intentamos crear un nuevo nombre de archivo con caracteres especiales en su nombre (e.g. test;), obtenemos el siguiente mensaje:

http://SERVER_IP:PORT/

Este mensaje muestra que la aplicación web utiliza ciertos filtros en el back-end para identificar intentos de inyección y luego bloquea cualquier solicitud maliciosa. Sin importar lo que intentemos, la aplicación web bloquea nuestras solicitudes correctamente y está protegida contra intentos de inyección. Sin embargo, podemos intentar un ataque de HTTP Verb Tampering para ver si podemos evadir el filtro de seguridad por completo.

Exploit

Para intentar explotar esta vulnerabilidad, interceptemos la solicitud en Burp Suite (Burp) y luego usemos Change Request Method para cambiarlo a otro método:

Esta vez, no obtuvimos el mensaje Malicious Request Denied!, y nuestro archivo fue creado con éxito:

http://SERVER_IP:PORT/

Para confirmar si logramos evadir el filtro de seguridad, necesitamos intentar explotar la vulnerabilidad que protege el filtro: en este caso, una vulnerabilidad de Command Injection. Entonces, podemos inyectar un comando que cree dos archivos y luego verificar si ambos archivos fueron creados. Para ello, usaremos el siguiente nombre de archivo en nuestro ataque (file1; touch file2;):

http://SERVER_IP:PORT/

Luego, nuevamente cambiamos el método de solicitud a una solicitud GET:

Una vez que enviamos nuestra solicitud, vemos que esta vez tanto file1 como file2 fueron creados:

http://SERVER_IP:PORT/

Esto demuestra que logramos evadir el filtro a través de una vulnerabilidad de HTTP Verb Tampering y logramos Command Injection. Sin la vulnerabilidad de HTTP Verb Tampering, la aplicación web podría haber estado protegida contra ataques de Command Injection, pero esta vulnerabilidad permitió que evadiéramos los filtros implementados por completo.