From 9fe6f3c931c10c51e018ae77ae260a70f25058c1 Mon Sep 17 00:00:00 2001 
From: CPol Date: Thu, 7 Jan 2021 15:07:51 +0000 Subject: [PATCH] GitBook: [master] 8 pages and 18 assets modified --- ...=> image (25) (2) (2) (2) (2) (2) (1).png} | Bin ...=> image (25) (2) (2) (2) (2) (2) (2).png} | Bin ...2).png => image (253) (1) (2) (1) (1).png} | Bin ...age (254) (1) (1) (1) (1) (1) (1) (1).png} | Bin ...age (345) (2) (2) (2) (2) (2) (2) (1).png} | Bin ...age (345) (2) (2) (2) (2) (2) (2) (2).png} | Bin ...1).png => image (413) (3) (3) (3) (1).png} | Bin ...2).png => image (413) (3) (3) (3) (2).png} | Bin ...3).png => image (413) (3) (3) (3) (3).png} | Bin 1911-pentesting-fox.md | 2 +- SUMMARY.md | 1 + .../basic-forensics-esp/linux-forensics.md | 2 +- linux-unix/privilege-escalation/seccomp.md | 99 ++++++++++++++++++ .../exploiting-content-providers.md | 2 +- pentesting-web/formula-injection.md | 2 +- pentesting-web/hacking-jwt-json-web-tokens.md | 16 +-- phishing-methodology/README.md | 2 +- 17 files changed, 110 insertions(+), 16 deletions(-) rename .gitbook/assets/{image (25) (2) (2) (2) (2) (1).png => image (25) (2) (2) (2) (2) (2) (1).png} (100%) rename .gitbook/assets/{image (25) (2) (2) (2) (2).png => image (25) (2) (2) (2) (2) (2) (2).png} (100%) rename .gitbook/assets/{image (253) (1) (2).png => image (253) (1) (2) (1) (1).png} (100%) rename .gitbook/assets/{image (254) (1) (1) (1) (1) (1).png => image (254) (1) (1) (1) (1) (1) (1) (1).png} (100%) rename .gitbook/assets/{image (345) (2) (2) (2) (2) (2) (1).png => image (345) (2) (2) (2) (2) (2) (2) (1).png} (100%) rename .gitbook/assets/{image (345) (2) (2) (2) (2) (2).png => image (345) (2) (2) (2) (2) (2) (2) (2).png} (100%) rename .gitbook/assets/{image (413) (3) (3) (1).png => image (413) (3) (3) (3) (1).png} (100%) rename .gitbook/assets/{image (413) (3) (3) (2).png => image (413) (3) (3) (3) (2).png} (100%) rename .gitbook/assets/{image (413) (3) (3).png => image (413) (3) (3) (3) (3).png} (100%) create mode 100644 linux-unix/privilege-escalation/seccomp.md 
diff --git a/.gitbook/assets/image (25) (2) (2) (2) (2) (1).png b/.gitbook/assets/image (25) (2) (2) (2) (2) (2) (1).png similarity index 100% rename from .gitbook/assets/image (25) (2) (2) (2) (2) (1).png rename to .gitbook/assets/image (25) (2) (2) (2) (2) (2) (1).png diff --git a/.gitbook/assets/image (25) (2) (2) (2) (2).png b/.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2).png similarity index 100% rename from .gitbook/assets/image (25) (2) (2) (2) (2).png rename to .gitbook/assets/image (25) (2) (2) (2) (2) (2) (2).png diff --git a/.gitbook/assets/image (253) (1) (2).png b/.gitbook/assets/image (253) (1) (2) (1) (1).png similarity index 100% rename from .gitbook/assets/image (253) (1) (2).png rename to .gitbook/assets/image (253) (1) (2) (1) (1).png diff --git a/.gitbook/assets/image (254) (1) (1) (1) (1) (1).png b/.gitbook/assets/image (254) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (254) (1) (1) (1) (1) (1).png rename to .gitbook/assets/image (254) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (345) (2) (2) (2) (2) (2) (1).png b/.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (1).png similarity index 100% rename from .gitbook/assets/image (345) (2) (2) (2) (2) (2) (1).png rename to .gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (1).png diff --git a/.gitbook/assets/image (345) (2) (2) (2) (2) (2).png b/.gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2).png similarity index 100% rename from .gitbook/assets/image (345) (2) (2) (2) (2) (2).png rename to .gitbook/assets/image (345) (2) (2) (2) (2) (2) (2) (2).png diff --git a/.gitbook/assets/image (413) (3) (3) (1).png b/.gitbook/assets/image (413) (3) (3) (3) (1).png similarity index 100% rename from .gitbook/assets/image (413) (3) (3) (1).png rename to .gitbook/assets/image (413) (3) (3) (3) (1).png 
diff --git a/.gitbook/assets/image (413) (3) (3) (2).png b/.gitbook/assets/image (413) (3) (3) (3) (2).png similarity index 100% rename from .gitbook/assets/image (413) (3) (3) (2).png rename to .gitbook/assets/image (413) (3) (3) (3) (2).png diff --git a/.gitbook/assets/image (413) (3) (3).png b/.gitbook/assets/image (413) (3) (3) (3) (3).png similarity index 100% rename from .gitbook/assets/image (413) (3) (3).png rename to .gitbook/assets/image (413) (3) (3) (3) (3).png diff --git a/1911-pentesting-fox.md b/1911-pentesting-fox.md index 703600dc..0c343d98 100644 --- a/1911-pentesting-fox.md +++ b/1911-pentesting-fox.md @@ -10,7 +10,7 @@ dht udp "DHT Nodes" ![](.gitbook/assets/image%20%28182%29.png) -![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png) +![](.gitbook/assets/image%20%28345%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29.png) InfluxDB diff --git a/SUMMARY.md b/SUMMARY.md index 8c00a331..ee6fda1b 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -24,6 +24,7 @@ * [Checklist - Linux Privilege Escalation](linux-unix/linux-privilege-escalation-checklist.md) * [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md) + * [Seccomp](linux-unix/privilege-escalation/seccomp.md) * [Containerd \(ctr\) Privilege Escalation](linux-unix/privilege-escalation/containerd-ctr-privilege-escalation.md) * [Docker Breakout](linux-unix/privilege-escalation/docker-breakout.md) * [electron/CEF/chromium debugger abuse](linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md) diff --git a/forensics/basic-forensics-esp/linux-forensics.md b/forensics/basic-forensics-esp/linux-forensics.md index dc24071d..a59a67f9 100644 --- a/forensics/basic-forensics-esp/linux-forensics.md +++ b/forensics/basic-forensics-esp/linux-forensics.md 
@@ -395,7 +395,7 @@ Partition Record Format: In order to mount a MBR in Linux you first need to get the start offset \(you can use `fdisk` and the the `p` command\) -![](../../.gitbook/assets/image%20%28413%29%20%283%29%20%283%29%20%281%29.png) +![](../../.gitbook/assets/image%20%28413%29%20%283%29%20%283%29%20%283%29%20%281%29.png) An then use the following code diff --git a/linux-unix/privilege-escalation/seccomp.md b/linux-unix/privilege-escalation/seccomp.md new file mode 100644 index 00000000..938ccfca --- /dev/null +++ b/linux-unix/privilege-escalation/seccomp.md 
@@ -0,0 +1,99 @@ +# Seccomp + +## Basic Information + +**Seccomp** or Secure Computing mode is a feature of Linux kernel which can act as **syscall filter**. +Seccomp has 2 modes. + +### **Original/Strict Mode** + +In this mode ****Seccomp **only allow the syscalls** `exit()`, `sigreturn()`, `read()` and `write()` to already-open file descriptors. If any other syscall is made, the process is killed using SIGKILL + +{% code title="seccomp\_strict.c" %} +```c +#include +#include +#include +#include +#include +#include + +//From https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/ +//gcc seccomp_strict.c -o seccomp_strict + +int main(int argc, char **argv) +{ + int output = open("output.txt", O_WRONLY); + const char *val = "test"; + + //enables strict seccomp mode + printf("Calling prctl() to set seccomp strict mode...\n"); + prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT); + + //This is allowed as the file was already opened + printf("Writing to an already open file...\n"); + write(output, val, strlen(val)+1); + + //This isn't allowed + printf("Trying to open file for reading...\n"); + int input = open("output.txt", O_RDONLY); + + printf("You will not see this message--the process will be killed first\n"); +} +``` +{% endcode %} + +### Seccomp-bpf + +This mode allows f**iltering of system calls using a configurable policy** implemented using Berkeley Packet Filter rules. 
+ +{% code title="seccomp\_bpf.c" %} +```c +#include +#include +#include +#include + +//https://security.stackexchange.com/questions/168452/how-is-sandboxing-implemented/175373 +//gcc seccomp_bpf.c -o seccomp_bpf -lseccomp + +void main(void) { + /* initialize the libseccomp context */ + scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); + + /* allow exiting */ + printf("Adding rule : Allow exit_group\n"); + seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); + + /* allow getting the current pid */ + //printf("Adding rule : Allow getpid\n"); + //seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0); + + printf("Adding rule : Deny getpid\n"); + seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(getpid), 0); + /* allow changing data segment size, as required by glibc */ + printf("Adding rule : Allow brk\n"); + seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0); + + /* allow writing up to 512 bytes to fd 1 */ + printf("Adding rule : Allow write upto 512 bytes to FD 1\n"); + seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 2, + SCMP_A0(SCMP_CMP_EQ, 1), + SCMP_A2(SCMP_CMP_LE, 512)); + + /* if writing to any other fd, return -EBADF */ + printf("Adding rule : Deny write to any FD except 1 \n"); + seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(write), 1, + SCMP_A0(SCMP_CMP_NE, 1)); + + /* load and enforce the filters */ + printf("Load rules and enforce \n"); + seccomp_load(ctx); + seccomp_release(ctx); + //Get the getpid is denied, a weird number will be returned like + //this process is -9 + printf("this process is %d\n", getpid()); +} +``` +{% endcode %} + diff --git a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md index e115832c..bff959d1 100644 --- a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md 
+++ b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md @@ -76,7 +76,7 @@ When checking the code of the Content Provider **look** also for **functions** n ![](../../../.gitbook/assets/image%20%28211%29.png) -![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29.png) +![](../../../.gitbook/assets/image%20%28254%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29%20%281%29.png) Because you will be able to call them diff --git a/pentesting-web/formula-injection.md b/pentesting-web/formula-injection.md index 4e31dd35..fd010986 100644 --- a/pentesting-web/formula-injection.md +++ b/pentesting-web/formula-injection.md @@ -41,5 +41,5 @@ The good news is that **this payload is executed automatically when the file is It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`** -![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png) +![](../.gitbook/assets/image%20%2825%29%20%282%29%20%282%29%20%282%29%20%282%29%20%282%29%20%281%29.png) diff --git a/pentesting-web/hacking-jwt-json-web-tokens.md b/pentesting-web/hacking-jwt-json-web-tokens.md index 81d4f9b9..bfa2725e 100644 --- a/pentesting-web/hacking-jwt-json-web-tokens.md +++ b/pentesting-web/hacking-jwt-json-web-tokens.md @@ -24,7 +24,7 @@ Check where the token originated in your proxy's request history. It should be c Check if the token lasts more than 24h... maybe it never expires. If there is a "exp" filed, check if the server is correctly handling it. -## Brute-force HMAC secret +## Brute-force HMAC secret ```bash git clone https://github.com/Sjord/jwtcrack.git 
@@ -51,7 +51,7 @@ The algorithm RS256 uses the private key to sign the message and uses the public If you change the algorithm from RS256 to HS256, the back end code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature. -Then, using the public key and changing RS256 to HS256 we could create a valid signature. You can retrieve the certificate of the web server executing this: +Then, using the public key and changing RS256 to HS256 we could create a valid signature. You can retrieve the certificate of the web server executing this: ```bash openssl s_client -connect example.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > certificatechain.pem #For this attack you can use the JOSEPH Burp extension. In the Repeater, select the JWS tab and select the Key confusion attack. Load the PEM, Update the request and send it. (This extension allows you to send the "non" algorithm attack also). It is also recommended to use the tool jwt_tool with the option 2 as the previous Burp Extension does not always works well. @@ -73,7 +73,7 @@ If you get an HTTP interaction you now know that the server is trying to load ke ## Kid issues - `kid` is an optional header claim which holds a key identifier, particularly useful when you have multiple keys to sign the tokens and you need to look up the right one to verify the signature. +`kid` is an optional header claim which holds a key identifier, particularly useful when you have multiple keys to sign the tokens and you need to look up the right one to verify the signature. ### "kid" issues - reveal key: 
@@ -123,17 +123,11 @@ Try to change this header to an URL under your control and check if any request You can also abuse both of these vulns if Open redirects, header injection or if you can upload a file inside the server and the server is just whitelisting the domain and not the path. - - ## JWT Registered claims -{% embed url="https://www.iana.org/assignments/jwt/jwt.xhtml\#claims" %} +{% embed url="https://www.iana.org/assignments/jwt/jwt.xhtml\#claims" caption="" %} ## Tools -{% embed url="https://github.com/ticarpi/jwt\_tool" %} - - - - +{% embed url="https://github.com/ticarpi/jwt\_tool" caption="" %} diff --git a/phishing-methodology/README.md b/phishing-methodology/README.md index ecd8117c..8ad78a45 100644 --- a/phishing-methodology/README.md +++ b/phishing-methodology/README.md @@ -320,7 +320,7 @@ The page www.mail-tester.com can indicate you if you your domain is being blocke * Decide from which account are you going to send the phishing emails. Suggestions: _noreply, support, servicedesk, salesforce..._ * You can leave blank the username and password, but make sure to check the Ignore Certificate Errors -![](../.gitbook/assets/image%20%28253%29%20%281%29%20%282%29%20%281%29.png) +![](../.gitbook/assets/image%20%28253%29%20%281%29%20%282%29%20%281%29%20%281%29.png) {% hint style="info" %} It's recommended to use the "**Send Test Email**" functionality to test that everything is working.
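Review bot: in the new `linux-unix/privilege-escalation/seccomp.md`, both C listings have lost the header names from their `#include` lines (they appear as bare `#include`), so neither `seccomp_strict.c` nor `seccomp_bpf.c` compiles as pasted; `seccomp_strict.c` needs at least `<stdio.h>`, `<string.h>`, `<fcntl.h>`, `<unistd.h>`, `<sys/prctl.h>` and `<linux/seccomp.h>`, and `seccomp_bpf.c` needs `<stdio.h>`, `<errno.h>`, `<unistd.h>` and `<seccomp.h>`. In the same file, `void main(void)` should be `int main(void)`, and `int output = open("output.txt", O_WRONLY);` returns -1 when the file does not exist (no `O_CREAT`) and is never checked, so the "allowed" write silently targets fd -1 and the demo misleads; suggest `open("output.txt", O_WRONLY | O_CREAT, 0644)` plus a return check, and likewise check the return of `prctl()` and `seccomp_load()`. The comment "a weird number will be returned like this process is -9" would be clearer stating the cause: `SCMP_ACT_ERRNO(EBADF)` makes the syscall return -EBADF, and EBADF is 9, so the wrapper surfaces either -9 or -1 with errno set to EBADF depending on the libc. Markdown nits in the prose: stray `****` before "Seccomp" in "In this mode ****Seccomp", "only allow" should be "only allows", "feature of Linux kernel" should be "a feature of the Linux kernel", and the bold marker in "f**iltering" is misplaced.

Review bot: in the `forensics/basic-forensics-esp/linux-forensics.md` hunk the change is only an image path, but the surrounding context lines carry two typos worth fixing in the same touch: "the the `p` command" (doubled "the") and "An then use the following code" (should be "And then").

Review bot: the first `hacking-jwt-json-web-tokens.md` hunk (`@@ -24,7 +24,7 @@`) only strips trailing whitespace from the `## Brute-force HMAC secret` heading; the context line above it reads 'If there is a "exp" filed' and should be 'If there is an "exp" field'.

Review bot: the second `hacking-jwt-json-web-tokens.md` hunk (`@@ -51,7 +51,7 @@`) is also whitespace-only, while the context comment in the `bash` block says the extension "allows you to send the "non" algorithm attack" and "does not always works well"; those should read "none" (the `alg: none` attack) and "does not always work well".

Review bot: in the `phishing-methodology/README.md` hunk the context line "can indicate you if you your domain is being blocked" has a doubled pronoun and would read better as "can tell you if your domain is being blocked".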