.

content.en/docs/dns_rebinding.md

@@ -0,0 +1,75 @@
++++
+title = "DNS Rebinding"
+date = '2022-10-16'
+description = 'All about DNS rebinding techniques, methods, payloads, how/why/when they work.'
++++
+# DNS Rebinding
+
+> DNS rebinding changes the IP address of an attacker controlled machine name to the IP address of a target application, bypassing the [same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) and thus allowing the browser to make arbitrary requests to the target application and read their responses.
+
+
+## Tools
+
+- [Singularity of Origin](https://github.com/nccgroup/singularity) - is a tool to perform DNS rebinding attacks.
+- [Singularity of Origin Web Client](http://rebind.it/) (manager interface, port scanner and autoattack)
+
+## Exploitation
+
+First, we need to make sure that the targeted service is vulnerable to DNS rebinding.
+It can be done with a simple curl request:
+
+```bash
+curl --header 'Host: <arbitrary-hostname>' http://<vulnerable-service>:8080
+```
+
+If the server returns the expected result (e.g. the regular web page) then the service is vulnerable.
+If the server returns an error message (e.g. 404 or similar), the server has most likely protections implemented which prevent DNS rebinding attacks.
+
+Then, if the service is vulnerable, we can abuse DNS rebinding by following these steps:
+
+1. Register a domain.
+2. [Setup Singularity of Origin](https://github.com/nccgroup/singularity/wiki/Setup-and-Installation).
+3. Edit the [autoattack HTML page](https://github.com/nccgroup/singularity/blob/master/html/autoattack.html) for your needs.
+4. Browse to "http://rebinder.your.domain:8080/autoattack.html".
+5. Wait for the attack to finish (it can take few seconds/minutes).
+
+## Protection Bypasses
+
+> Most DNS protections are implemented in the form of blocking DNS responses containing unwanted IP addresses at the perimeter, when DNS responses enter the internal network. The most common form of protection is to block private IP addresses as defined in RFC 1918 (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Some tools allow to additionally block localhost (127.0.0.0/8), local (internal) networks, or 0.0.0.0/0 network ranges.
+
+In the case where DNS protection are enabled (generally disabled by default), NCC Group has documented multiple [DNS protection bypasses](https://github.com/nccgroup/singularity/wiki/Protection-Bypasses) that can be used.
+
+### 0.0.0.0
+
+We can use the IP address 0.0.0.0 to access the localhost (127.0.0.1) to bypass filters blocking DNS responses containing 127.0.0.1 or 127.0.0.0/8.
+
+### CNAME
+
+We can use DNS CNAME records to bypass a DNS protection solution that blocks all internal IP addresses.
+Since our response will only return a CNAME of an internal server,
+the rule filtering internal IP addresses will not be applied.
+Then, the local, internal DNS server will resolve the CNAME.
+
+```bash
+$ dig cname.example.com +noall +answer
+; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> example.com +noall +answer
+;; global options: +cmd
+cname.example.com.            381     IN      CNAME   target.local.
+```
+
+### localhost
+
+We can use "localhost" as a DNS CNAME record to bypass filters blocking DNS responses containing 127.0.0.1.
+
+```bash
+$ dig www.example.com +noall +answer
+; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> example.com +noall +answer
+;; global options: +cmd
+localhost.example.com.            381     IN      CNAME   localhost.
+```
+
+## References
+
+- [How Do DNS Rebinding Attacks Work? - nccgroup, 2019](https://github.com/nccgroup/singularity/wiki/How-Do-DNS-Rebinding-Attacks-Work%3F)
+
+

content.en/docs/escape_breakout.md

@@ -0,0 +1,139 @@
++++
+title = "Application Escape and Breakout"
+date = 2022-11-03 04:33:00
+description = "Examples and ideas for escaping and/or breaking out of application restrictions and/or guards."
++++
+# Application Escape and Breakout
+
+## Gaining a command shell
+
+* **Shortcut**
+    * [Window] + [R] -> cmd 
+    * [CTRL] + [SHIFT] + [ESC] -> Task Manager
+    * [CTRL] + [ALT] + [DELETE] -> Task Manager 
+* **Access through file browser**: Browsing to the folder containing the binary (i.e. `C:\windows\system32\`), we can simply right click and `open` it
+* **Drag-and-drop**: dragging and dropping any file onto the cmd.exe 
+* **Hyperlink**: `file:///c:/Windows/System32/cmd.exe`
+* **Task Manager**: `File` > `New Task (Run...)` > `cmd`
+* **MSPAINT.exe**
+    * Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
+    * Zoom in to make the following tasks easier
+    * Using the colour picker, set pixels values to (from left to right):
+        * 1st: R: 10, G: 0, B: 0
+        * 2nd: R: 13, G: 10, B: 13
+        * 3rd: R: 100, G: 109, B: 99
+        * 4th: R: 120, G: 101, B: 46
+        * 5th: R: 0, G: 0, B: 101
+        * 6th: R: 0, G: 0, B: 0
+    * Save it as 24-bit Bitmap (*.bmp;*.dib)
+    * Change its extension from bmp to bat and run 
+
+
+## Sticky Keys
+
+* Spawn the sticky keys dialog
+    * Via Shell URI : `shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}`
+    * Hit 5 times [SHIFT]
+* Visit "Ease of Access Center"
+* You land on "Setup Sticky Keys", move up a level on "Ease of Access Center"
+* Start the OSK (On-Screen-Keyboard)
+* You can now use the keyboard shortcut (CTRL+N)
+
+## Dialog Boxes
+
+### Creating new files
+
+* Batch files – Right click > New > Text File > rename to .BAT (or .CMD) > edit > open
+* Shortcuts – Right click > New > Shortcut > `%WINDIR%\system32`
+
+## Open a new Windows Explorer instance
+
+* Right click any folder > select `Open in new window`
+
+## Exploring Context Menus
+
+* Right click any file/folder and explore context menus
+* Clicking `Properties`, especially on shortcuts, can yield further access via `Open File Location`
+
+### Save as
+
+* "Save as" / "Open as" option
+* "Print" feature – selecting "print to file" option (XPS/PDF/etc)
+* `\\127.0.0.1\c$\Windows\System32\` and execute `cmd.exe`
+
+### Input Boxes
+
+Many input boxes accept file paths; try all inputs with UNC paths such as `//attacker–pc/` or `//127.0.0.1/c$` or `C:\`
+
+
+### Bypass file restrictions
+
+Enter *.* or *.exe or similar in `File name` box
+
+## Internet Explorer
+
+### Download and Run/Open
+
+* Text files -> opened by Notepad
+
+### Menus
+
+* The address bar
+* Search menus
+* Help menus
+* Print menus
+* All other menus that provide dialog boxes
+
+### Accessing filesystem
+
+Enter these paths in the address bar:
+
+* file://C:/windows
+* C:/windows/
+* %HOMEDRIVE%
+* \\127.0.0.1\c$\Windows\System32
+
+### Unassociated Protocols
+
+It is possible to escape a browser based kiosk with other protocols than usual `http` or `https`. 
+If you have access to the address bar, you can use any known protocol (`irc`, `ftp`, `telnet`, `mailto`, etc.) 
+to trigger the *open with* prompt and select a program installed on the host.
+The program will than be launched with the uri as a parameter, you need to select a program that will not crash when recieving it.
+It is possible to send multiple parameters to the program by adding spaces in your uri.
+
+Note: This technique required that the protocol used is not already associated with a program.
+
+Example - Launching Firefox with a custom profile:
+
+This is a nice trick since Firefox launched with the custom profile may not be as much hardened as the default profile.
+
+0. Firefox need to be installed.
+1. Enter the following uri in the address bar: `irc://127.0.0.1 -P "Test"`
+2. Press enter to navigate to the uri.
+3. Select the firefox program.
+4. Firefox will be launched with the profile `Test`. 
+
+In this example, it's the equivalent of running the following command:
+```
+firefox irc://127.0.0.1 -P "Test"
+```
+
+
+## Shell URI Handlers
+
+* shell:DocumentsLibrary
+* shell:Librariesshell:UserProfiles
+* shell:Personal
+* shell:SearchHomeFolder
+* shell:System shell:NetworkPlacesFolder
+* shell:SendTo
+* shell:Common Administrative Tools
+* shell:MyComputerFolder
+* shell:InternetFolder
+
+## References
+
+* [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
+* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
+* [Escaping from KIOSKs - HackTricks](https://book.hacktricks.xyz/physical-attacks/escaping-from-gui-applications)
+* [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/)