root4loot

Abusing Improper Validation of CORS Origins

8 minute read Modified:

Four ways you can abuse CORS when origins are improperly validated.
In this post, we’ll look at what happens when the CORS Origin is not validated properly and explore some ways this can be abused to possibly exfiltrate some data. My initial idea here was to cover the MITM part (improper scheme validation) in greater detail, but I figured it wouldn’t hurt to throw in the others as well.
Contents: Origin Root/TLD, Origin Subdomain, Origin Scheme, Origin null, Payload, Supporting Material.
Origin Root/TLD: The first one has to do with the Root/TLD domain.

Introducing rescope - A Scope Parser for Burp Suite & OWASP ZAP

5 minute read Modified:

Introducing rescope. A tool that parses your scope definitions to Burp/ZAP compatible formats for import. Useful for bug hunters and those working with large scopes.
rescope is a tool I wrote (in Go) that lets you quickly define scopes in Burp/ZAP. It’s mainly intended for “bug hunters”, and pentesters who deal with larger scopes. However, I often find myself using it for smaller scopes as well. Simply give it a file (scope) containing target identifiers and rescope parses this to regex & spits out a file that can be imported to either Burp or ZAP directly.

MS17-010 EternalBlue Manual Exploitation

3 minute read Modified:

Exploiting MS17-010 the manual way.
For educational purposes only. There may be times when you want to exploit MS17-010 (EternalBlue) without having to rely on using Metasploit. Perhaps you want to run it from a ‘Command & Control’ system without msf installed, run a quick demo or execute on the go. Unlike “zzz_exploit”, this method does not require access to a named pipe, nor does it require any credentials. The downside, however, is an increased risk of crashing the target.

Docker group privesc

2 minute read Modified:

Escalating privileges when user is part of Docker group
I don’t think Docker needs an introduction at this point, but in case you are unfamiliar with it: it is a way of isolating software packages by virtualizing them at the OS level, where they run in “containers.” It works in a similar way to traditional virtual machines, but with much less overhead, as the kernel is shared between multiple containers. The problem arises when the docker group is assigned to the host user.

Pickle Arbitrary Code Execution

2 minute read Modified:

The pickle module is not secure against erroneous or maliciously constructed data.
Pickle is a serialization/deserialization module found within the standard Python library. For those unfamiliar with serialization and deserialization: it is a way of converting objects and data structures to files or databases so that they can be reconstructed later (possibly in a different environment). This process is called serialization and deserialization, but in Python, it is called pickling and unpickling. Imagine that you’ve spent a long time training an artificial neural network, and instead of having to re-train the network every time, you would store the state of the program to files so it can be reconstructed later.

sudo pip install privesc

2 minute read Modified:

Escalating privileges when pip is part of sudo group
If you happen to have a user shell on a system and you see that the user has sudo rights to pip install, then escalation is straightforward.

alice@jada:~$ sudo -l
[sudo] password for alice:
Matching Defaults entries for alice on jada:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alice may run the following commands on jada:
    (root) /usr/bin/pip install *

In that case, what you can do is create a malicious setup.py on target system: