This commit is contained in:
Carlos Polop 2024-12-14 19:13:46 +01:00
parent 1ccf5f88c2
commit fb9d557999
250 changed files with 250 additions and 0 deletions

View File

@ -5,3 +5,4 @@ We value your knowledge and encourage you to share content. Please ensure that y
Thank you for contributing to HackTricks!

View File

@ -204,3 +204,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
{% endhint %}

View File

@ -867,3 +867,4 @@
* [Post Exploitation](todo/post-exploitation.md)
* [Investment Terms](todo/investment-terms.md)
* [Cookies Policy](todo/cookies-policy.md)

View File

@ -51,3 +51,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -62,3 +62,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
{% endhint %}

View File

@ -202,3 +202,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -1,2 +1,3 @@
# Arbitrary Write 2 Exec

View File

@ -97,3 +97,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -113,3 +113,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -84,3 +84,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -266,3 +266,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -29,3 +29,4 @@ However he you can find some nice **examples**:
* 64bits, no relro, canary, nx, no pie. There is an off-by-one in an array in the stack that allows to control a pointer granting WWW (it write the sum of all the numbers of the array in the overwritten address by the of-by-one in the array). The stack is controlled so the GOT `exit` address is overwritten with `pop rdi; ret`, and in the stack is added the address to `main` (looping back to `main`). The a ROP chain to leak the address of put in the GOT using puts is used (`exit` will be called so it will call `pop rdi; ret` therefore executing this chain in the stack). Finally a new ROP chain executing ret2lib is used.
* [https://guyinatuxedo.github.io/14-ret\_2\_system/tu\_guestbook/index.html](https://guyinatuxedo.github.io/14-ret\_2\_system/tu\_guestbook/index.html)
* 32 bit, no relro, no canary, nx, pie. Abuse a bad indexing to leak addresses of libc and heap from the stack. Abuse the buffer overflow o do a ret2lib calling `system('/bin/sh')` (the heap address is needed to bypass a check).

View File

@ -135,3 +135,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -420,3 +420,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -267,3 +267,4 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="
</details>
{% endhint %}

View File

@ -200,3 +200,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -59,3 +59,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -330,3 +330,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -107,3 +107,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -57,3 +57,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -49,3 +49,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -109,3 +109,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -108,3 +108,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -40,3 +40,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -56,3 +56,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -122,3 +122,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -59,3 +59,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -101,3 +101,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -133,3 +133,4 @@ Check also the presentation of [https://www.slideshare.net/codeblue\_jp/master-c
* [https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html](https://guyinatuxedo.github.io/07-bof\_static/dcquals16\_feedme/index.html)
* 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there.

View File

@ -57,3 +57,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -62,3 +62,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -275,3 +275,4 @@ Support HackTricks
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}

View File

@ -208,3 +208,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -169,3 +169,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -141,3 +141,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -209,3 +209,4 @@ void iosurface_kwrite64(uint64_t addr, uint64_t value) {
4. **Abuse Use-After-Free**: Modify pointers in the IOSurface object to enable arbitrary **kernel read/write** via IOSurface methods.
With these primitives, the exploit provides controlled **32-bit reads** and **64-bit writes** to kernel memory. Further jailbreak steps could involve more stable read/write primitives, which may require bypassing additional protections (e.g., PPL on newer arm64e devices).

View File

@ -528,3 +528,4 @@ Functions involved in heap will perform certain check before performing its acti
* [https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/](https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/)
* [https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/](https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/)

View File

@ -666,3 +666,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -156,3 +156,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -180,3 +180,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -31,3 +31,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -410,3 +410,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -187,3 +187,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -1770,3 +1770,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -107,3 +107,4 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="
</details>
{% endhint %}

View File

@ -75,3 +75,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -73,3 +73,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -90,3 +90,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -71,3 +71,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -99,3 +99,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -135,3 +135,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -143,3 +143,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -142,3 +142,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -85,3 +85,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -139,3 +139,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -47,3 +47,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -71,3 +71,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -153,3 +153,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -99,3 +99,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -44,3 +44,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -75,3 +75,4 @@ d = malloc(20); // a
* It's possible to alloc some memory, write the desired value, free it, realloc it and as the previous data is still there, it will treated according the new expected struct in the chunk making possible to set the value ot get the flag.
* [**https://guyinatuxedo.github.io/26-heap\_grooming/swamp19\_heapgolf/index.html**](https://guyinatuxedo.github.io/26-heap\_grooming/swamp19\_heapgolf/index.html)
* In this case it's needed to write 4 inside an specific chunk which is the first one being allocated (even after force freeing all of them). On each new allocated chunk it's number in the array index is stored. Then, allocate 4 chunks (+ the initialy allocated), the last one will have 4 inside of it, free them and force the reallocation of the first one, which will use the last chunk freed which is the one with 4 inside of it.

View File

@ -222,3 +222,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -149,3 +149,4 @@ Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" d
</details>
{% endhint %}

View File

@ -209,3 +209,4 @@ Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" d
</details>
{% endhint %}

View File

@ -222,3 +222,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -218,3 +218,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -191,3 +191,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -62,3 +62,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -241,3 +241,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -329,3 +329,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -256,3 +256,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -94,3 +94,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -220,3 +220,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -155,3 +155,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -170,3 +170,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -216,3 +216,4 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/grte.png" alt="
</details>
{% endhint %}

View File

@ -128,3 +128,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -53,3 +53,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -139,3 +139,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -214,3 +214,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -260,3 +260,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -121,3 +121,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -107,3 +107,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -92,3 +92,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -286,3 +286,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -216,3 +216,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
{% endhint %}

View File

@ -47,3 +47,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
{% endhint %}

View File

@ -233,3 +233,4 @@ pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
```

View File

@ -62,3 +62,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
{% endhint %}

View File

@ -202,3 +202,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -216,3 +216,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
{% endhint %}

View File

@ -246,3 +246,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -85,3 +85,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
{% endhint %}

View File

@ -325,3 +325,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -210,3 +210,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -56,3 +56,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
{% endhint %}

View File

@ -104,3 +104,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
{% endhint %}

View File

@ -93,3 +93,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -65,3 +65,4 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}

View File

@ -136,3 +136,4 @@ Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data
</details>
{% endhint %}

Some files were not shown because too many files have changed in this diff Show More