You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/AI/AI-MCP-Servers.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -90,6 +90,8 @@ Note that depending of the client settings it might be possible to run arbitrary
90
90
91
91
Moreover, note that the description could indicate to use other functions that could facilitate these attacks. For example, if there is already a function that allows to exfiltrate data maybe sending an email (e.g. the user is using a MCP server connect to his gmail ccount), the description could indicate to use that function instead of running a `curl` command, which would be more likely to be noticed by the user. An example can be found in this [blog post](https://blog.trailofbits.com/2025/04/23/how-mcp-servers-can-steal-your-conversation-history/).
92
92
93
+
Furthermore, [**this blog post**](https://www.cyberark.com/resources/threat-research-blog/poison-everywhere-no-output-from-your-mcp-server-is-safe) describes how it's possible to add the prompt injection not only in the description of the tools but also in the type, in variable names, in extra fields returned in the JSON response by the MCP server and even in an unexpected response from a tool, making the prompt injection attack even more stealthy and difficult to detect.
Copy file name to clipboardExpand all lines: src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -357,6 +357,8 @@ In several occasions you will find that the **container has some volume mounted
357
357
docker run --rm -it -v /:/host ubuntu bash
358
358
```
359
359
360
+
Another interesting example can be found in [**this blog**](https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce) where it's indicated that the host's `/usr/bin/` and `/bin/` folders are mounted inside the container allowing the root user of the container to modify binaries inside these folders. Therefore, if a cron job is using any binary from there, like `/etc/cron.d/popularity-contest` this allows to escape from the container by modifying a binary used by the cron job.
361
+
360
362
### Privilege Escalation with 2 shells and host mount
361
363
362
364
If you have access as **root inside a container** that has some folder from the host mounted and you have **escaped as a non privileged user to the host** and have read access over the mounted folder.\
The following issues were detected in the Go JSON although they could be present in other languages as well. These issues were published in [**this blog post**](https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/).
8
+
9
+
Go’s JSON, XML, and YAML parsers have a long trail of inconsistencies and insecure defaults that can be abused to **bypass authentication**, **escalate privileges**, or **exfiltrate sensitive data**.
10
+
11
+
12
+
### (Un)Marshaling Unexpected Data
13
+
14
+
The goal is to exploit structs that allow an attacker to read/write sensitive fields (e.g., `IsAdmin`, `Password`).
15
+
16
+
- Example Struct:
17
+
```go
18
+
typeUserstruct {
19
+
Usernamestring`json:"username,omitempty"`
20
+
Passwordstring`json:"password,omitempty"`
21
+
IsAdminbool`json:"-"`
22
+
}
23
+
```
24
+
25
+
- Common Vulnerabilities
26
+
27
+
1.**Missing tag** (no tag = field is still parsed by default):
28
+
```go
29
+
typeUserstruct {
30
+
Usernamestring
31
+
}
32
+
```
33
+
34
+
Payload:
35
+
```json
36
+
{"Username": "admin"}
37
+
```
38
+
39
+
2.**Incorrect use of `-`**:
40
+
```go
41
+
typeUserstruct {
42
+
IsAdminbool`json:"-,omitempty"`// ❌ wrong
43
+
}
44
+
```
45
+
46
+
Payload:
47
+
```json
48
+
{"-": true}
49
+
```
50
+
51
+
✔️ Proper way to block field from being (un)marshaled:
52
+
```go
53
+
typeUserstruct {
54
+
IsAdminbool`json:"-"`
55
+
}
56
+
```
57
+
58
+
59
+
### Parser Differentials
60
+
61
+
The goal is to bypass authorization by exploiting how different parsers interpret the same payload differently like in:
62
+
-CVE-2017-12635: Apache CouchDB bypass via duplicate keys
63
+
- 2022: Zoom 0-click RCE via XML parser inconsistency
> Note that the endpoint **`http://169.254.169.254/metadata/v1/instanceinfo` doesn't require the `Metadata: True` header** which is great to show impact in SSRF vulnerabilities in Azure were you cannot add this header.
From the **env** you can get the values of **`IDENTITY_HEADER`** and **`IDENTITY_ENDPOINT`**. That you can use to gather a token to speak with the metadata server.
Copy file name to clipboardExpand all lines: src/pentesting-web/websocket-attacks.md
+4Lines changed: 4 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -95,6 +95,10 @@ You can use the **tool** [**https://github.com/PalindromeLabs/STEWS**](https://g
95
95
96
96
In [**Burp-Suite-Extender-Montoya-Course**](https://github.com/federicodotta/Burp-Suite-Extender-Montoya-Course) you have a code to launch a web using websockets and in [**this post**](https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-3/) you can find an explanation.
97
97
98
+
## Websocket Fuzzing
99
+
100
+
The burp extension [**Backslash Powered Scanner**](https://github.com/PortSwigger/backslash-powered-scanner) now allows to fuzz also WebSocket messages. You can read more infromation abou this [**here**](https://arete06.com/posts/fuzzing-ws/#adding-websocket-support-to-backslash-powered-scanner).
101
+
98
102
## Cross-site WebSocket hijacking (CSWSH)
99
103
100
104
**Cross-site WebSocket hijacking**, also known as **cross-origin WebSocket hijacking**, is identified as a specific case of **[Cross-Site Request Forgery (CSRF)](csrf-cross-site-request-forgery.md)** affecting WebSocket handshakes. This vulnerability arises when WebSocket handshakes authenticate solely via **HTTP cookies** without **CSRF tokens** or similar security measures.
## From Arbitrary Folder Delete/Move/Rename to SYSTEM EoP
1529
+
1530
+
The technique described [**in this blog post**](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) with a exploit code [**available here**](https://github.com/thezdi/PoC/tree/main/FilesystemEoPs).
1531
+
1532
+
The attack basically consist of abusing the Windows Installer's rollback feature to replace legitimate files with malicious ones during the uninstallation process. For this the attacker needs to create a **malicious MSI installer** that will be used to hijack the `C:\Config.Msi` folder, which will later be used by he Windows Installer to store rollback files during the uninstallation of other MSI packages where the rollback files would have been modified to contain the malicious payload.
1533
+
1534
+
The summarized technique is the following:
1535
+
1536
+
1. **Stage 1 – Preparing for the Hijack (leave `C:\Config.Msi` empty)**
1537
+
1538
+
- Step 1: Install the MSI
1539
+
- Create an `.msi` that installs a harmless file (e.g., `dummy.txt`) in a writable folder (`TARGETDIR`).
1540
+
- Mark the installer as **"UAC Compliant"**, so a **non-admin user** can run it.
1541
+
- Keep a **handle** open to the file after install.
1542
+
1543
+
- Step 2: Begin Uninstall
1544
+
- Uninstall the same `.msi`.
1545
+
- The uninstall process starts moving files to `C:\Config.Msi` and renaming them to `.rbf` files (rollback backups).
1546
+
- **Poll the open file handle** using `GetFinalPathNameByHandle` to detect when the file becomes `C:\Config.Msi\<random>.rbf`.
1547
+
1548
+
- Step 3: Custom Syncing
1549
+
- The `.msi` includes a **custom uninstall action (`SyncOnRbfWritten`)** that:
1550
+
- Signals when `.rbf` has been written.
1551
+
- Then **waits** on another event before continuing the uninstall.
1552
+
1553
+
- Step 4: Block Deletion of `.rbf`
1554
+
- When signaled, **open the `.rbf` file** without `FILE_SHARE_DELETE` — this **prevents it from being deleted**.
1555
+
- Then **signal back** so the uninstall can finish.
1556
+
- Windows Installer fails to delete the `.rbf`, and because it can’t delete all contents, **`C:\Config.Msi` is not removed**.
1557
+
1558
+
- Step 5: Manually Delete `.rbf`
1559
+
- You (attacker) delete the `.rbf` file manually.
1560
+
- Now **`C:\Config.Msi` is empty**, ready to be hijacked.
1561
+
1562
+
> At this point, **trigger the SYSTEM-level arbitrary folder delete vulnerability** to delete `C:\Config.Msi`.
1563
+
1564
+
2. **Stage 2 – Replacing Rollback Scripts with Malicious Ones**
1565
+
1566
+
- Step 6: Recreate `C:\Config.Msi` with Weak ACLs
1567
+
- Recreate the `C:\Config.Msi` folder yourself.
1568
+
- Set **weak DACLs** (e.g., Everyone:F), and **keep a handle open** with `WRITE_DAC`.
1569
+
1570
+
- Step 7: Run Another Install
1571
+
- Install the `.msi` again, with:
1572
+
- `TARGETDIR`: Writable location.
1573
+
- `ERROROUT`: A variable that triggers a forced failure.
1574
+
- This install will be used to trigger **rollback** again, which reads `.rbs` and `.rbf`.
1575
+
1576
+
- Step 8: Monitor for`.rbs`
1577
+
- Use `ReadDirectoryChangesW` to monitor `C:\Config.Msi`until a new `.rbs` appears.
1578
+
- Capture its filename.
1579
+
1580
+
- Step 9: Sync Before Rollback
1581
+
- The `.msi` contains a **custom install action (`SyncBeforeRollback`)** that:
1582
+
- Signals an event when the `.rbs` is created.
1583
+
- Then **waits** before continuing.
1584
+
1585
+
- Step 10: Reapply Weak ACL
1586
+
- After receiving the `.rbs created` event:
1587
+
- The Windows Installer **reapplies strong ACLs** to `C:\Config.Msi`.
1588
+
- But since you still have a handle with `WRITE_DAC`, you can **reapply weak ACLs** again.
1589
+
1590
+
> ACLs are **only enforced on handle open**, so you can still write to the folder.
1591
+
1592
+
- Step 11: Drop Fake `.rbs` and `.rbf`
1593
+
- Overwrite the `.rbs` file with a **fake rollback script** that tells Windows to:
1594
+
- Restore your `.rbf` file (malicious DLL) into a **privileged location** (e.g., `C:\Program Files\Common Files\microsoft shared\ink\HID.DLL`).
1595
+
- Drop your fake `.rbf` containing a **malicious SYSTEM-level payload DLL**.
1596
+
1597
+
- Step 12: Trigger the Rollback
1598
+
- Signal the sync event so the installer resumes.
1599
+
- A **type 19 custom action (`ErrorOut`)** is configured to **intentionally fail the install** at a known point.
1600
+
- This causes **rollback to begin**.
1601
+
1602
+
- Step 13: SYSTEM Installs Your DLL
1603
+
- Windows Installer:
1604
+
- Reads your malicious `.rbs`.
1605
+
- Copies your `.rbf` DLL into the target location.
1606
+
- You now have your **malicious DLL in a SYSTEM-loaded path**.
1607
+
1608
+
- Final Step: Execute SYSTEM Code
1609
+
- Run a trusted **auto-elevated binary** (e.g., `osk.exe`) that loads the DLL you hijacked.
1610
+
- **Boom**: Your code is executed **as SYSTEM**.
1611
+
1612
+
1613
+
### From Arbitrary File Delete/Move/Rename to SYSTEM EoP
1614
+
1615
+
The main MSI rollback technique (the previous one) assumes you can delete an **entire folder** (e.g., `C:\Config.Msi`). But what if your vulnerability only allows **arbitrary file deletion**?
1616
+
1617
+
You could exploit **NTFS internals**: every folder has a hidden alternate data stream called:
1618
+
1619
+
```
1620
+
C:\SomeFolder::$INDEX_ALLOCATION
1621
+
```
1622
+
1623
+
This stream stores the **index metadata** of the folder.
1624
+
1625
+
So, if you **delete the `::$INDEX_ALLOCATION` stream** of a folder, NTFS **removes the entire folder** from the filesystem.
1626
+
1627
+
You can do this using standard file deletion APIs like:
> Even though you're calling a *file* delete API, it **deletes the folder itself**.
1633
+
1634
+
### From Folder Contents Delete to SYSTEM EoP
1635
+
What if your primitive doesn’t allow you to delete arbitrary files/folders, but it **does allow deletion of the *contents* of an attacker-controlled folder**?
1636
+
1637
+
1. Step 1: Setup a bait folder and file
1638
+
- Create: `C:\temp\folder1`
1639
+
- Inside it: `C:\temp\folder1\file1.txt`
1640
+
1641
+
2. Step 2: Place an **oplock** on `file1.txt`
1642
+
- The oplock **pauses execution** when a privileged process tries to delete `file1.txt`.
1643
+
1644
+
```c
1645
+
// pseudo-code
1646
+
RequestOplock("C:\\temp\\folder1\\file1.txt");
1647
+
WaitForDeleteToTriggerOplock();
1648
+
```
1649
+
1650
+
3. Step 3: Trigger SYSTEM process (e.g., `SilentCleanup`)
1651
+
- This process scans folders (e.g., `%TEMP%`) and tries to delete their contents.
1652
+
- When it reaches `file1.txt`, the **oplock triggers** and hands control to your callback.
1653
+
1654
+
4. Step 4: Inside the oplock callback – redirect the deletion
1655
+
1656
+
- Option A: Move `file1.txt` elsewhere
1657
+
- This empties `folder1` without breaking the oplock.
1658
+
- Don't delete `file1.txt` directly — that would release the oplock prematurely.
1659
+
1660
+
- Option B: Convert `folder1` into a **junction**:
1661
+
1662
+
```bash
1663
+
# folder1 is now a junction to \RPC Control (non-filesystem namespace)
1664
+
mklink /J C:\temp\folder1 \\?\GLOBALROOT\RPC Control
1665
+
```
1666
+
1667
+
- Option C: Create a **symlink**in`\RPC Control`:
1668
+
```bash
1669
+
# Make file1.txt point to a sensitive folder stream
0 commit comments