
Leaderboard

Popular Content

Showing content with the highest reputation on 08/12/12 in all areas

  1. Since I'm an active participant in Sheyken's challenges, I thought I'd make one myself. For now I don't have a hard challenge, but I'll come up with one soon. Make do with this one. As a prize I'll give a PSD template, preview here: http://i.imgur.com/RX8mV.jpg (I'm poor, I won't give you anything else)
     -----------------------------------------------------------------
     [x] Target: eduTecher
     [x] Document type: MySQL
     [x] Proof:
     The requirements are:
     ------------------------------------------------------------------
     A screenshot in the thread is mandatory
     The syntax is given only via PM
     The database version is required
     ------------------------------------------------------------------
     Solvers:
     ------------------------------------------------------------------
     //Sheyken, I hope you don't mind that I borrowed a bit from your thread layout; if it's a problem, tell me and I'll redo it...
    1 point
  2. Transform any JavaScript code into an equivalent sequence of ()[]{}!+ characters.

     Try it here: Hieroglyphy | Patricio Palladino
     Source code: https://github.com/alcuadrado/hieroglyphy

     Alphabet

     Many alphabets could do the job, but just for fun, I tried to keep it as small as possible, using only the following characters:
       [ and ] to access array elements and object properties, get numbers and cast elements to strings.
       ( and ) to call functions and avoid parsing errors.
       + to append strings, sum and cast elements to numbers.
       ! to cast elements to booleans.
       { and } to get NaN and the infamous string "[object Object]".

     Numbers

     To start our journey into the world of brackets, let's represent the numbers with our new alphabet. 0 is easily obtained by casting an empty array like this: +[]. In a similar way, we can cast the empty array to boolean to get true, and then to 1 with +!![]. Those numbers, along with +, would be enough to get every natural number. But if we take advantage of JavaScript's type coercion, we can reduce the size of the sequence for the numbers in two ways. First, if we add a number and a boolean, both operands are cast to numbers. So instead of using sums of ones to generate larger values, we can add just a 1 and a sequence of trues (we can use more than one true at a time because addition is left-to-right associative). For instance, here is 4: !+[]+!![]+!![]+!![]. The second idea is to get strings representing large numbers and cast them in order to get a shorter sequence of symbols. Once we have obtained all the possible digits like we did above with 4, we can get the desired string by adding the first digit to [] (to make it a character), and combining all of them with + (with the necessary parens). Once again, left-to-right associativity saves us lots of chars. Finally, we only need to cast that. Doing this, 12 would look like this: +((+!![]+[])+(!+[]+!![])).

     The second idea is to reuse what we've done above in order to get a shorter sequence of symbols. The main purpose of doing this is to represent bigger numbers without the need to sum 1 each time to get to our number, so instead we get its string representation and cast it to a number. For example, representing 12 by adding ones would be: (!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]), but by reusing 1 and 2 we can represent it like this: +((+!![]+[])+(!+[]+!![])). Here, we have cast the first digit to a string, added the second, and then converted everything to a number. Speaking in terms of code, in the first case we did a simple sum: (1+1+1+1+1+1+1+1+1+1+1+1); and in the second one we concatenated two strings and cast them into a number like this: +("1"+2). Having said that, here is a table of all the possible digits:

     0  +[]
     1  +!![]
     2  !+[]+!![]
     3  !+[]+!![]+!![]
     4  !+[]+!![]+!![]+!![]
     5  !+[]+!![]+!![]+!![]+!![]
     6  !+[]+!![]+!![]+!![]+!![]+!![]
     7  !+[]+!![]+!![]+!![]+!![]+!![]+!![]
     8  !+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]
     9  !+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]

     Base elements and strings

     Now that we have numbers, let's go for more interesting elements from which we can obtain characters:
       true, as we have already seen, can be obtained from !![]
       false from ![]
       undefined by accessing a non-existing element of an array: [][+[]]
       NaN is the result of trying to cast an object to a number: +{}
       "[object Object]" with {}+[]

     Casting them to strings (when necessary) and indexing them like arrays will give us single characters, from which we can get even more strings! These are " " (the space), "[", "]", "a", "b", "c", "d", "e", "f", "i", "j", "l", "n", "N", "o", "O", "r", "s", "t" and "u". By combining them with numbers we can get "1e100" and "1e1000", which when cast to numbers result in 1e+100 and Infinity. And by casting them back to strings we can manage to get "y", "I" and "+".

     Gathering functions from available characters

     By combining those characters, we can only get these JavaScript function and type names: "call", "concat", "constructor", "join", "slice" and "sort". Playing with our alphabet and these strings, we can get the following functions:
       Function from array["sort"]["constructor"]
       Array from array["constructor"]
       Boolean from false["constructor"]
       Number from 0["constructor"]
       Object from {}["constructor"]
       String from string["constructor"]
       Function.prototype.call from f["call"]
       String.prototype.concat from string["concat"]
       Array.prototype.join from array["join"]
       Array.prototype.slice from array["slice"]
       Array.prototype.sort from array["sort"]

     Unluckily, none of these functions would give us new characters, but don't lose hope yet!

     Exploiting the DOM for fun and characters

     If we sacrifice some portability and constrain the scripts to web pages, we can take for granted that DOM elements will be available, and get the remaining characters. One interesting function that becomes available is window.unescape, which would give us all the ASCII characters by calling window.unescape("%" + HEXA_ASCII_VAL). All we are missing to get unescape is the "p" character. So once again we make a trade-off, sacrificing some more portability to get it. If we know that we are in a web page served over HTTP or HTTPS we can assume that by casting window.location to a string and getting its third character we would obtain the precious "p". But how can we obtain the window.location object if we don't have access to window yet? Luckily JavaScript, being so permissive, would give us that object by doing this: Function("return location")(). And with location we now have three more characters, "h", "p", "/", and the escape and unescape functions! If we could get the character "%" we would be able to get the rest by calling unescape("%" + HEXA_ASCII_VALUE). Luckily, escaping "[" yields the string "%5B", and from that we can obtain the percentage sign.

     Now, we can reach any ASCII character like this:

     [][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+([][+[]]+[])[+[]]+([][+[]]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+([]+[][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+[]+!![]+!![]]+({}+[])[+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][+[]]+[])[!+[]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+([][+[]]+[])[+!![]])())[!+[]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]])()([][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+([]+[][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]][({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+({}+[])[+!![]]+([][+[]]+[])[+!![]]+(![]+[])[+[]+!![]+!![]+!![]]+(!![]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+[]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+({}+[])[+!![]]+(!![]+[])[+!![]]]((!![]+[])[+!![]]+(!![]+[])[!+[]+!![]+!![]]+(!![]+[])[+[]]+([][+[]]+[])[+[]]+(!![]+[])[+!![]]+([][+[]]+[])[+!![]]+({}+[])[!+[]+!![]+!![]+!![]+!![]+!![]+!![]]+(![]+[])[+[]+!![]+!![]]+({}+[])[+!![]]+({}+[])[!+[]+!+[]+!+[]+!+[]+!+[]]+(+{}+[])[+!![]]+(!![]+[])[+[]]+([][+[]]+[])[!+[]+!![]+!![]+!![]+!![]]+({}+[])[+!![]]+([][+[]]+[])[+!![]])())[!+[]+!![]+!![]]+(!![]+[])[!+[]+!![]+!![]])()(({}+[])[+[]])[+[]]+HEXA_VALUE)

     Finally, all we need to transform a script into symbols is to read it as a string, encode it in our alphabet, and use Function as eval.

     Hieroglyphy

     With the findings in this article, I've made a tool for encoding scripts, strings and numbers into this alphabet. It's available on GitHub, so feel free to fork and modify it. You can also try it online here.

     Room for improvement

     Both this article and Hieroglyphy are just proofs of concept; there is plenty of room for improvement:
       Once we were able to generate all ASCII characters, no effort was made to get the shortest representation of any of them.
       When targeting modern browsers only or node.js, btoa would be a great help, yielding lots of characters in shorter sequences.
       Depending on the target, one may select a bigger alphabet to reduce the encoding size.
       If we know the domain where the script will be run, more characters can be grabbed from it.

     Credits: Bypassing XSS protection: Transform any javascript code into an equivalent sequence of ()[]{}!+ characters via reddit.com
    1 point
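The post above rests on a handful of coercion rules, and the practical consequence for anyone reviewing web traffic is that a script written in this alphabet looks like nothing but brackets and punctuation. The snippet below is an added example, not code from the post or from the Hieroglyphy project: it first has the JavaScript engine confirm the specific coercion steps the post states (0, 1, 4, 12, undefined, NaN, "[object Object]", single letters from "false"/"true", and "1e1000" becoming Infinity), then applies a simple defender-side heuristic that flags query-string values made only of ()[]{}!+ with balanced brackets. The MIN_LENGTH threshold, the function names, and the sample request paths are my own assumptions and are marked as constructed in the comments.

```javascript
'use strict';

// Added example (not from the post or the Hieroglyphy project).
// Part 1: evaluate the post's coercion claims with the engine itself.
// Part 2: a heuristic detector for values written solely in the ()[]{}!+ alphabet.

// Each entry: [expression using only the post's alphabet, value the post says it yields].
const COERCION_CLAIMS = [
  ['+[]', 0],                                   // empty array cast to number
  ['+!![]', 1],                                 // true cast to number
  ['!+[]+!![]+!![]+!![]', 4],                   // true + true + true + true
  ['+((+!![]+[])+(!+[]+!![]))', 12],            // +("1" + 2)
  ['[][+[]]', undefined],                       // missing array element
  ['+{}', NaN],                                 // object cast to number
  ['({}+[])', '[object Object]'],               // object cast to string
  ['(![]+[])[+!![]]', 'a'],                     // "false"[1]
  ['(![]+[])[+[]+!![]+!![]+!![]]', 's'],        // "false"[3]
  ['({}+[])[+!![]]', 'o'],                      // "[object Object]"[1]
  ['(!![]+[])[+[]]', 't'],                      // "true"[0]
  // "1" + "e" + 1 + 0 + 0 + 0 gives "1e1000"; the leading + casts it to Infinity
  ['+(+!![]+(!![]+[])[!+[]+!![]+!![]]+(+!![])+(+[])+(+[])+(+[]))', Infinity],
];

// Function used as eval, the same trick the post closes with; inputs are fixed constants here.
function evalInAlphabet(expr) {
  return Function('return (' + expr + ')')();
}

// Returns one record per claim; Object.is is used so NaN compares equal to NaN.
function checkClaims() {
  return COERCION_CLAIMS.map(([expr, expected]) => {
    const actual = evalInAlphabet(expr);
    return { expr, expected, actual, ok: Object.is(actual, expected) };
  });
}

// Part 2: detector. A value is flagged when it is long enough, contains only the
// six bracket/punctuation characters, and its brackets balance (so it could parse).
const ALPHABET = new Set('()[]{}!+');
const CLOSER_OF = { ')': '(', ']': '[', '}': '{' };
const MIN_LENGTH = 32; // assumption: shorter strings are too common in normal traffic to flag

function looksLikeSymbolOnlyScript(value) {
  if (value.length < MIN_LENGTH) return false;
  const stack = [];
  for (const ch of value) {
    if (!ALPHABET.has(ch)) return false; // any other character ends the match
    if (ch === '(' || ch === '[' || ch === '{') stack.push(ch);
    else if (CLOSER_OF[ch] !== undefined && stack.pop() !== CLOSER_OF[ch]) return false;
  }
  return stack.length === 0; // every opener must have been closed
}

// Extracts decoded query-string values from a request path such as "/a?x=1&y=2".
function queryValues(url) {
  const q = url.indexOf('?');
  if (q < 0) return [];
  return url.slice(q + 1).split('&').map((pair) => {
    const eq = pair.indexOf('=');
    const raw = eq < 0 ? pair : pair.slice(eq + 1);
    try { return decodeURIComponent(raw); } catch (e) { return raw; }
  });
}

function flagSuspiciousRequests(lines) {
  return lines.filter((line) => queryValues(line).some(looksLikeSymbolOnlyScript));
}

// Constructed sample request paths. The second carries the post's array["sort"]
// lookup, percent-encoded as a client would send it.
const SYMBOL_PAYLOAD = '[][(![]+[])[+[]+!![]+!![]+!![]]+({}+[])[+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]';
const SAMPLE_REQUESTS = [
  '/search?q=hello+world&page=2',
  '/profile?name=' + encodeURIComponent(SYMBOL_PAYLOAD),
  '/api?cb=(!![]+[])[+[]]', // same alphabet, but too short to flag
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkClaims());
  console.log(flagSuspiciousRequests(SAMPLE_REQUESTS)); // only the /profile request
}
```

The balanced-bracket check matters because plain character-class matching would also fire on noise such as a run of stray parentheses; requiring a parseable shape keeps the heuristic close to what the post actually produces, while the length threshold keeps short, legitimate values like a single bracketed callback name out of the alert stream.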
  3. In the Metasploit framework there is an extension called incognito which allows us to perform activities such as token stealing and manipulation. These kinds of activities are important in the privilege escalation stage of a penetration test because if we can steal the token of an administrator, for example, we can perform higher privilege operations on the target.

     So let's say that we have successfully exploited a remote system and we have a meterpreter session. The first thing that we have to do is to load the incognito extension in metasploit, which gives us the commands that the incognito extension supports. Then we can use the command list_tokens -u in order to obtain the list of tokens that are available on the remote system.

     If we would like to impersonate a token from the above list we can use the command impersonate_token and one of the delegation tokens that are available. The image below shows the use of this command.

     We can see from the above image that the session has changed from System to Administrator. So now we can perform various tasks such as modifying files or breaking into other computers that exist in the same network as the administrator of this system. If we want to return to our original token we can use the rev2self command.

     Incognito has some other options as well, like add_group user, which will try to add a user to a global group with all tokens. Apart from token impersonation we can try to steal the token as well. The way that this method works is that it tries to steal the token from an existing process. So in order to achieve that we first need to know the PIDs of the processes on the remote system. We can use the command ps in meterpreter in order to obtain the list of the processes of our target.

     In this example we will try to steal the token of the user Administrator. So we will use the command steal_token and the PID of one of the processes that this user owns. For example, 1864 is the PID of the cmd process. The image below shows that we have successfully managed to steal the token from the administrator.

     Conclusion

     In this article we saw how we can impersonate users and steal tokens by using meterpreter after we have exploited the remote system. We can also try to break into other systems in the domain with a stolen token. The usage of token stealing and impersonation will help a penetration tester to escalate privileges on the local machine or even to become a domain administrator, which is always one of the ultimate goals.

     Source: Penetration Testing Lab
    1 point